diff --git a/cli/reporter/junit.go b/cli/reporter/junit.go
index eb452e23..3b75faf1 100644
--- a/cli/reporter/junit.go
+++ b/cli/reporter/junit.go
@@ -24,42 +24,45 @@ func ReportCollectionToJunit(r *policy.ReportCollection, out shared.OutputHelper suites := junit.Testsuites{} // render asset errors - for assetMrn, errMsg := range r.Errors { - a := r.Assets[assetMrn] - - properties := []junit.Property{} - ts := junit.Testsuite{ - Tests: 1, - Failures: 1, - Time: "", - Name: "Report for " + a.Name, - Properties: &properties, - Testcases: []junit.Testcase{ - { - Classname: "scan", - Name: "Scan " + a.Name, - Failure: &junit.Result{ - Type: "error", - Message: errMsg, + // r is nil if no assets were scanned + if r != nil { + for assetMrn, errMsg := range r.Errors { + a := r.Assets[assetMrn] + + properties := []junit.Property{} + ts := junit.Testsuite{ + Tests: 1, + Failures: 1, + Time: "", + Name: "Report for " + a.Name, + Properties: &properties, + Testcases: []junit.Testcase{ + { + Classname: "scan", + Name: "Scan " + a.Name, + Failure: &junit.Result{ + Type: "error", + Message: errMsg, + }, }, }, - }, + } + suites.Suites = append(suites.Suites, ts) } - suites.Suites = append(suites.Suites, ts) - } - bundle := r.Bundle.ToMap() - queries := bundle.QueryMap() + bundle := r.Bundle.ToMap() + queries := bundle.QueryMap() - // iterate over asset mrns - for assetMrn, assetObj := range r.Assets { - // add check results - ts := assetPolicyTests(r, assetMrn, assetObj, queries) - suites.Suites = append(suites.Suites, ts) + // iterate over asset mrns + for assetMrn, assetObj := range r.Assets { + // add check results + ts := assetPolicyTests(r, assetMrn, assetObj, queries) + suites.Suites = append(suites.Suites, ts) - vulernabilityTests := assetMvdTests(r, assetMrn, assetObj) - if vulernabilityTests != nil { - suites.Suites = append(suites.Suites, *vulernabilityTests) + vulernabilityTests := assetMvdTests(r, assetMrn, assetObj) + if vulernabilityTests != nil { + suites.Suites = append(suites.Suites, *vulernabilityTests) + } } } 
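Review bot: The new `r != nil` guard leaves the lookup inside the error loop unchecked: `a := r.Assets[assetMrn]` returns a nil `*inventory.Asset` when `r.Errors` names an MRN that is missing from `r.Assets`, and `a.Name` then panics, so a single failed scan can abort the whole JUnit report instead of being recorded in it. Fall back to the MRN, e.g. `name := assetMrn` followed by `if a := r.Assets[assetMrn]; a != nil { name = a.Name }`, and build both `Name` strings from `name`. `r.Bundle.ToMap()` is likewise called on whatever `r.Bundle` holds; whether a nil bundle is tolerated depends on `ToMap`, which is not visible here. The comment `// r is nil if no assets were scanned` could also say that the result is an empty test-suite document, since a CI job consuming it will see no failures. `ReportCollectionToJunit` starts before and ends after this hunk.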
diff --git a/cli/reporter/junit_test.go b/cli/reporter/junit_test.go
index 87a75b4c..cfac82c3 100644
--- a/cli/reporter/junit_test.go
+++ b/cli/reporter/junit_test.go
@@ -3,18 +3,111 @@ package reporter -//func TestJunitConverter(t *testing.T) { -// reportCollectionRaw, err := os.ReadFile("./testdata/report-debian.json") -// require.NoError(t, err) -// -// yr := &policy.ReportCollection{} -// err = json.Unmarshal(reportCollectionRaw, yr) -// require.NoError(t, err) -// -// buf := bytes.Buffer{} -// writer := shared.IOWriter{Writer: &buf} -// err = ReportCollectionToJunit(yr, &writer) -// require.NoError(t, err) -// -// assert.Contains(t, buf.String(), ``) -//} +import ( + "bytes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.mondoo.com/cnquery/v9/explorer" + "go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory" + "go.mondoo.com/cnquery/v9/shared" + "go.mondoo.com/cnspec/v9/policy" + "testing" +) + +func TestJunitConverter(t *testing.T) { + yr := &policy.ReportCollection{ + Assets: map[string]*inventory.Asset{ + "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2": { + Name: "X1", + PlatformIds: []string{"//platformid.api.mondoo.app/hostname/X1"}, + State: inventory.State_STATE_ONLINE, + Platform: &inventory.Platform{ + Name: "ubuntu", + Arch: "amd64", + Kind: "baremetal", + Version: "22.04", + Family: []string{"debian", "linux", "unix", "os"}, + }, + }, + }, + ResolvedPolicies: map[string]*policy.ResolvedPolicy{ + "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2": { + CollectorJob: &policy.CollectorJob{ + ReportingQueries: map[string]*policy.StringArray{ + "+u6doYoYG5E=": nil, + "057itYF8s30=": nil, + "GyJVAziB/tU=": nil, + }, + }, + }, + }, + Bundle: &policy.Bundle{ + Policies: nil, // not needed for this test since junit does not sort by policy + Queries: []*explorer.Mquery{ + { + Mrn: "//policy.api.mondoo.app/queries/mondoo-linux-security-snmp-server-is-not-enabled", + CodeId: "+u6doYoYG5E=", + Title: "Ensure SNMP server is stopped and not enabled", + }, + { + Mrn: 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-event-record-qps", + CodeId: "057itYF8s30=", + Title: "Configure kubelet to capture all event creation", + }, + { + Mrn: "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-scheduler_conf", + CodeId: "GyJVAziB/tU=", + Title: "Set secure file permissions on the scheduler.conf file", + }, + }, + }, + Reports: map[string]*policy.Report{ + "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2": { + ScoringMrn: "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2", + EntityMrn: "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2", + Score: &policy.Score{ + Value: 29, + ScoreCompletion: 100, + DataCompletion: 100, + }, + // add passed, failed and skipped test + Scores: map[string]*policy.Score{ + "+u6doYoYG5E=": &policy.Score{ + Type: 2, // result + Value: 100, + }, + "057itYF8s30=": &policy.Score{ + Type: 4, // error + Value: 0, + }, + "GyJVAziB/tU=": { + Type: 8, // skip + Value: 0, + }, + }, + }, + }, + } + + buf := bytes.Buffer{} + writer := shared.IOWriter{Writer: &buf} + err := ReportCollectionToJunit(yr, &writer) + require.NoError(t, err) + + junitReport := buf.String() + assert.Contains(t, junitReport, "name=\"Policy Report for X1\"") + assert.Contains(t, junitReport, "") + assert.Contains(t, junitReport, "\n\t\t\t\n\t\t") + assert.Contains(t, junitReport, "\n\t\t\t\n\t\t") +} + +func TestJunitNilReport(t *testing.T) { + var yr *policy.ReportCollection + + buf := bytes.Buffer{} + writer := shared.IOWriter{Writer: &buf} + err := ReportCollectionToJunit(yr, &writer) + require.NoError(t, err) + + assert.Equal(t, "\n\n", buf.String()) +} diff --git a/cli/reporter/reporter_test.go b/cli/reporter/reporter_test.go index f906c5c7..69616c08 100644 --- a/cli/reporter/reporter_test.go +++ b/cli/reporter/reporter_test.go 
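Review bot: The fixture in `TestJunitConverter` never sets `Errors`, so the error-suite loop that the junit.go change in this commit nests under `r != nil` is not exercised, and neither is an error reported for an MRN that is absent from `Assets`. Adding an entry such as `Errors: map[string]string{"<asset MRN from the fixture>": "constructed scan error"}` (assuming the field is a string map, as the `range r.Errors` loop suggests) and asserting `assert.Contains(t, junitReport, "Scan X1")` would cover it; `"Report for X1"` would not, because it is a substring of the existing `"Policy Report for X1"` check. As rendered on this page, the expected strings of the other three `assert.Contains` calls are empty or whitespace only; if that is what was committed rather than markup lost in rendering, they pass for almost any output and should name the expected elements. The import block also mixes standard-library and third-party paths in one group, which `goimports` would split.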
@@ -18,7 +18,7 @@ import ( "go.mondoo.com/cnspec/v9/policy" ) -func TestJunitConverter(t *testing.T) { +func TestCompactReporter(t *testing.T) { reportCollectionRaw, err := os.ReadFile("./testdata/report-ubuntu.json") require.NoError(t, err) diff --git a/cli/reporter/testdata/report-debian.json b/cli/reporter/testdata/report-debian.json deleted file mode 100644 index 00547090..00000000 --- a/cli/reporter/testdata/report-debian.json +++ /dev/null 
@@ -1,35396 +0,0 @@ -{ - "assets": { - "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2": { - "mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "name": "debian:10@edcf96f9d9d9", - "platformName": "Debian GNU/Linux 10 (buster)" - } - }, - "bundle": { - "owner_mrn": "//policy.api.mondoo.app", - "policies": [ - { - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security", - "name": "Linux Security by Mondoo", - "version": "1.3.0", - "local_content_checksum": "UJ7zCJh0DH4=", - "graph_content_checksum": "Bdyv31kMoqA=", - "local_execution_checksum": "ytKlIVvTSSA=", - "graph_execution_checksum": "xmlRE+GJVD8=", - "specs": [ - { - "scoring_queries": { - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline--window-system-is-not-installed": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-address-space-layout-randomization-aslr-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-aide-is-installed": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-avahi-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-bogus-icmp-responses-are-ignored": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-broadcast-icmp-requests-are-ignored": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-core-dumps-are-restricted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-cups-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-dhcp-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-dns-server-is-not-enabled": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-filesystem-integrity-is-regularly-checked": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ftp-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-http-proxy-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-http-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-icmp-redirects-are-not-accepted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-imap-and-pop3-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ip-forwarding-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ipv6-router-advertisements-are-not-accepted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ldap-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-mail-transfer-agent-is-configured-for-local-only-mode": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-nfs-and-rpc-are-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-nis-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-packet-redirect-sending-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgroup--are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgroup-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgshadow--are-configured": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgshadow-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcpasswd--are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcpasswd-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcshadow--are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcshadow-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-prelink-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-reverse-path-filtering-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsh-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsync-service-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-samba-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-secure-icmp-redirects-are-not-accepted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-snmp-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-source-routed-packets-are-not-accepted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-suspicious-packets-are-logged": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-talk-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-tcp-syn-cookies-is-enabled": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-telnet-server-is-not-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-tftp-server-is-not-enabled": null - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "GNAUUh4R3kM=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "title": "Core" - }, - { - "scoring_queries": { - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-ciphers-are-used": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-kex-algorithms-are-used": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-mac-algorithms-are-used": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcsshsshd-config-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-ssh-private-host-key-files-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-ssh-public-host-key-files-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-hostbasedauthentication-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-idle-timeout-interval-is-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-ignorerhosts-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-logingracetime-is-set-to-one-minute-or-less": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-loglevel-is-appropriate": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-maxauthtries-is-set-to-4-or-less": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-permitemptypasswords-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-permituserenvironment-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-protocol-is-set-to-2": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-root-login-is-disabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-warning-banner-is-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-x11-forwarding-is-disabled": null - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "3wXX5Lxvom8=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - }, - "title": "Configure SSH Server" - }, - { - "scoring_queries": { - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-audit-log-storage-size-is-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-audit-logs-are-not-automatically-deleted": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditd-is-installed": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditd-service-is-enabled": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditing-for-processes-that-start-prior-to-auditd-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-changes-to-system-administration-scope-sudoers-is-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-discretionary-access-control-permission-modification-events-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-date-and-time-information-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-the-systems-mandatory-access-controls-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-the-systems-network-environment-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-usergroup-information-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-file-deletion-events-by-users-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-compress-large-log-files": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-send-logs-to-rsyslog": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-write-logfiles-to-persistent-disk": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-kernel-module-loading-and-unloading-is-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-login-and-logout-events-are-collected": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-all-logfiles-are-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-default-file-permissions-configured": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-is-installed": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-service-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-session-initiation-information-is-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-successful-file-system-mounts-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-sudo-logging-is-enabled": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-administrator-actions-sudolog-are-collected": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-is-disabled-when-audit-logs-are-full": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-the-audit-configuration-is-immutable": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-unsuccessful-unauthorized-file-access-attempts-are-collected": null - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "GNAUUh4R3kM=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "title": "Logging" - }, - { - "scoring_queries": { - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-access-to-the-su-command-is-restricted": null, - 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-default-group-for-the-root-account-is-gid-0": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-each-user-member-of-a-group": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-gid-in-passwd-exists-in-group": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-gids-exist": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-group-names-exist": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-uids-exist": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-user-names-exist": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-root-group-is-empty": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-shadow-group-is-empty": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-accounts-are-non-login": null, - "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-uid-min-is-set-to-1000": null - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "Iyxn7Gcpra0=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "title": "Users and groups" - } - ], - "asset_filters": { - "couR4EsVIAo=": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "3wXX5Lxvom8=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 
'linux')\npackage('openssh-server').installed\n" - }, - "hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "Iyxn7Gcpra0=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - }, - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "linux,host" - }, - "props": { - "//local.cnspec.io/run/local-execution/queries/MondooKexAlgos": "", - "//local.cnspec.io/run/local-execution/queries/MondooMacAlgos": "", - "//local.cnspec.io/run/local-execution/queries/MondooSshdCiphers": "", - "//local.cnspec.io/run/local-execution/queries/MondooSudoGroup": "" - }, - "docs": { - "desc": "## Overview\n\nThe Linux Security by Mondoo provides guidance for establishing a secure baseline configuration for Linux systems running on x86 and x64 platforms.\n\nThis policy includes queries to help harden Linux systems by:\n - Identifying problematic services that may be running\n - Identifying loose permissions on sensitive system configuration files\n - Ensuring logging and auditing services are properly configured and running\n - Hardening SSH configurations\n - Ensure users and groups are securely configured\n - Identifying misconfigured Kernel networking configurations\n\nThis policy has been developed for Red Hat (RHEL), Debian, Ubuntu, and SUSE (SLES) derivative distributions running on x86 and x64 architectures.\nSome queries may be skipped depending on your particular distribution, installation type, or underlying infrastructure.\nThe overall guidance within this policy broadly assumes that operations are being performed as the root user.\nOperations performed using sudo instead of the root user may produce unexpected results or fail to make the intended changes to the 
system.\nNon-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify\nroot users path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark.\n\n### Intended Audience\n\nThis benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel\nwho plan to develop, deploy, assess, or secure solutions that incorporate Linux on x86 or x64 platforms.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where `cnspec` is installed.\n\nTo scan the `localhost` against this policy:\n\n```bash\ncnspec scan local\n```\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Linux hosts requires authentication such as SSH keys.\n\n### Scan a remote Linux host (SSH authentication)\n\n```bash\ncnspec scan ssh \u003cuser\u003e@\u003cIP_ADDRESS\u003e -i /path/to/ssh_key\n```\n\n### Scan AWS EC2 instance (AWS SSM)\n\n```bash\ncnspec scan ssh \u003cuser\u003e@\u003cIP_ADDRESS\u003e -i /path/to/ssh_key\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable.\n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." 
- } - }, - { - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability", - "name": "OpenSSL Vulnerability Policy by Mondoo", - "version": "1.0.0", - "local_content_checksum": "Yyfej9NKgJU=", - "graph_content_checksum": "u9eg/tHKvjU=", - "local_execution_checksum": "l1TEzhuMqXg=", - "graph_execution_checksum": "hBhea4JSOt0=", - "specs": [ - { - "scoring_queries": { - "//local.cnspec.io/run/local-execution/queries/mondoo-openssl-vulnerability": null - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'unix')", - "code_id": "WFCqHzOvysM=", - "checksum": "P+95g+Urehg=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability/assetfilter/WFCqHzOvysM=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix')" - } - } - ], - "asset_filters": { - "WFCqHzOvysM=": { - "query": "platform.family.contains(_ == 'unix')", - "code_id": "WFCqHzOvysM=", - "checksum": "P+95g+Urehg=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability/assetfilter/WFCqHzOvysM=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix')" - } - }, - "scoring_system": 3, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "linux,unix,host" - }, - "docs": { - "desc": "## Overview\n\nOpenSSL Vulnerability Policy by Mondoo checks for vulnerable OpenSSL installation on Unix/ Linux system.\n\n## Remote scan\n\nRemote scans use native providers in `cnspec` to provide on demand scan results without the need to install any agents, or integration.\n\nFor a complete list of native providers run:\n\n```bash\ncnspec scan --help\n```\n\n### Scan a machine via ssh\n\nOpen a terminal and cnspec scan:\n\n```bash\ncnspec scan ssh vagrant@192.168.56.244 -i \u003cssh-key-file\u003e -f mondoo-unix-openssl-vulnerability.mql.yaml\n```\n\n### Scan a container\n\n```bash\ncnspec scan container 
ubuntu:22.04 -f mondoo-unix-openssl-vulnerability.mql.yaml\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable.\n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.\n" - } - }, - { - "mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "name": "2KgCZg1j6OABQbEutHyDe3ui4p2", - "local_content_checksum": "Dz2Ig4ZtFfY=", - "graph_content_checksum": "HMn6X3Cqv7I=", - "local_execution_checksum": "fO8jQW5pRU4=", - "graph_execution_checksum": "dc2TBGYylFE=", - "specs": [ - { - "policies": { - "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security": null, - "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability": null - } - } - ], - "asset_filters": { - "WFCqHzOvysM=": { - "query": "platform.family.contains(_ == 'unix')", - "code_id": "WFCqHzOvysM=", - "checksum": "P+95g+Urehg=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability/assetfilter/WFCqHzOvysM=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix')" - }, - "couR4EsVIAo=": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "3wXX5Lxvom8=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - }, - "hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "Iyxn7Gcpra0=", - "mrn": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 3 - } - 
], - "props": [ - { - "query": "if( package('openssh-server').version == /6./ || package('openssh-server').version == /7./ ) {\n return [\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nif( package('openssh-server').version == /8\\.[0|1|2|3|4|5]/ ) {\n return [\"sntrup4591761x25519-sha512@tinyssh.org\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nreturn [\"sntrup761x25519-sha512@openssh.com\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n", - "code_id": "7h09h2mCsc8=", - "checksum": "rNGJ3Kr+K8Q=", - "mrn": "//local.cnspec.io/run/local-execution/queries/MondooKexAlgos", - "type": "\u0019\u0007", - "title": "Define the hardened key exchange algorithms for all SSH configurations" - }, - { - "query": "if( package('openssh-server').version == /6./ ) {\n return [\"hmac-sha2-512\",\"hmac-sha2-256\",\"hmac-ripemd160\"]\n}\nreturn [\"hmac-sha2-512-etm@openssh.com\",\"hmac-sha2-256-etm@openssh.com\",\"umac-128-etm@openssh.com\",\"hmac-sha2-512\",\"hmac-sha2-256\"]\n", - "code_id": "utcugjmdtZA=", - "checksum": "hx7gzv+j7OE=", - "mrn": "//local.cnspec.io/run/local-execution/queries/MondooMacAlgos", - "type": "\u0019\u0007", - "title": "Define the accepted MAC algorithms" - }, - { - "query": "if( package('openssh-server').version == /6./ ) {\n return [\"aes256-ctr\", \"aes192-ctr\", \"aes128-ctr\"]\n}\nreturn [\"chacha20-poly1305@openssh.com\",\"aes256-gcm@openssh.com\",\"aes128-gcm@openssh.com\",\"aes256-ctr\",\"aes192-ctr\",\"aes128-ctr\"]\n", - "code_id": "4nWvWDkZCBw=", - "checksum": "sdIJ660ps4A=", - "mrn": "//local.cnspec.io/run/local-execution/queries/MondooSshdCiphers", - "type": "\u0019\u0007", - "title": "Define the hardened ciphers for all SSH configurations" - }, - { - "query": "return /root|ec2-user|centos|ubuntu/\n", - "code_id": "ojEjpKAUshk=", - "checksum": "Ww3i5ht0MfQ=", - "mrn": "//local.cnspec.io/run/local-execution/queries/MondooSudoGroup", - "type": "\u0008", - 
"title": "Define the members of the sudo or wheel group" - } - ], - "queries": [ - { - "query": "package(\"xserver-xorg\").installed == false\n", - "code_id": "f3DZtMTsQJc=", - "checksum": "fpevj25jT9Y=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline--window-system-is-not-installed", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure X Window System is not installed", - "docs": { - "desc": "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows to run programs and various add-ons. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.", - "remediation": "Run the following command to remove the X Windows System packages:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nyum remove xorg-x11*\n```\n\n### Debian/Ubuntu and derivatives\n```\napt-get remove xserver-xorg\n```" - } - }, - { - "query": "pam.conf.entries[\"/etc/pam.d/su\"].where(pamType == \"auth\" \u0026\u0026 module == \"pam_wheel.so\").any(options.contains(\"use_uid\"))\nif( groups.where( name == \"wheel\" ).list != [] ) {\n groups.where( name == \"wheel\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n} else {\n groups.where( name == \"sudo\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n}\n# To assert a specific user list, you can use a query like:\n# groups.where( name == \"wheel\" ).list { members{ name == /ec2-user|root/} }\n# where the list of users is pipe separated like \"ec2-user|root\"\n", - "code_id": "Ieziwg178sw=", - "checksum": "GlfHxmmqdcw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-access-to-the-su-command-is-restricted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure access to the su command is restricted", - "docs": { - "desc": "The `su` command allows a user to run a command or shell as 
another user. Typically, the `su` command can be executed by any user, which is a security concern. Users should instead rely on the`sudo` command, which allows for more granular control over privileged access.", - "audit": "Run the following command and verify output includes matching line:\n\n```\n# grep pam_wheel.so /etc/pam.d/su\nauth required pam_wheel.so use_uid\n```\n\nRun the following command and verify users in wheel group match site policy:\n\n```\n# grep wheel /etc/group\nwheel:x:10:root,\u003cuser list\u003e\n```", - "remediation": "Add the following line to the `/etc/pam.d/su` file:\n\n```\nauth required pam_wheel.so use_uid\n```\n\nIf users need su access, add their username to the comma-separated list of users in the `wheel` group within the `/etc/group` file:\n\n```\nwheel:x:10:root,\u003cuser list\u003e\n```\nNOTE: The users allowed in the wheel group are defined in the properties `props.MondooSudoGroup` field of this policy. By default the users \"root\", \"ec2-user\", \"centos\" and \"ubuntu\" are included. To include custom users you need to manually modify this policy. 
Otherwise the check will fail.\n\nIf you want to lock down the use of the command `su` entirely instead, you need to create an empty group, for example `sugroup`:\n\n```\ngroupadd sugroup\n```\n\nThen add the following line to the `/etc/pam.d/su` file:\n\n```\nauth required pam_wheel.so use_uid group=sugroup\n```" - } - }, - { - "query": "kernel.parameters[\"kernel.randomize_va_space\"] == 2\n", - "code_id": "dVk74tk32xs=", - "checksum": "BVIj1R9iyPg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-address-space-layout-randomization-aslr-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure address space layout randomization (ASLR) is enabled", - "docs": { - "desc": "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.", - "remediation": "Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nkernel.randomize_va_space = 2\n```\n\nRun the following command to set the active kernel parameter:\n\n```\nsysctl -w kernel.randomize_va_space=2\n```" - } - }, - { - "query": "package(\"aide\").installed\n", - "code_id": "vVtLCflAlII=", - "checksum": "U7g4qtYX5vY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-aide-is-installed", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure Advanced Intrusion Detection Environment (AIDE) is installed", - "docs": { - "desc": "Advanced Intrusion Detection Environment (AIDE) takes a snapshot of the filesystem state, including modification times, permissions, and file hashes. 
Administrators can then use this to compare against the current state of the filesystem to detect modifications to the system.", - "remediation": "Run the following command to install `aide` :\n\n# RHEL/Fedora/Amazon Linux and derivatives\n```\nyum install aide\n```\n\n# Ubuntu\n```\napt-get install aide\n```\n\n# Debian\n```\napt install aide\n```\n\n# SLES and openSUSE\n```\nzypper install aide\n```\n\nConfigure AIDE as appropriate for your environment. Consult the AIDE documentation for options.\n\nInitialize AIDE:\n\n```\naide --init\n\nmv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file\"] != \"\"\n}\n", - "code_id": "SCin1z5hBLk=", - "checksum": "A+vB+H996x8=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-audit-log-storage-size-is-configured", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure audit log storage size is configured", - "docs": { - "desc": "Configure the maximum size of the audit log file. 
Once the log reaches the maximum size, it will be rotated and a new log file will be started.", - "remediation": "Set the following parameter in `/etc/audit/auditd.conf`\nin accordance with site policy:\n\n```\nmax_log_file = \u003cMB\u003e\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file_action\"].downcase == \"keep_logs\"\n}\n", - "code_id": "H74IPb4kjoI=", - "checksum": "uPBAuRWHx84=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-audit-logs-are-not-automatically-deleted", - "type": "\u0001", - "title": "Ensure audit logs are not automatically deleted", - "docs": { - "desc": "The `max_log_file_action`\nsetting determines how to handle the audit log file reaching the max file size. A value of `keep_logs`\nwill rotate the logs but never delete old logs.", - "remediation": "Set the following parameter in `/etc/audit/auditd.conf:`\n\n```\nmax_log_file_action = keep_logs\n```" - } - }, - { - "query": "if( platform.name == 'arch' ) {\n package(\"audit\").installed\n} else {\n package(\"auditd\").installed \u0026\u0026 package(\"audispd-plugins\").installed || package(\"audit\").installed \u0026\u0026 package(\"audit-libs\").installed\n}\n", - "code_id": "wFoBEVblMLk=", - "checksum": "X9xEkSxUBE4=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditd-is-installed", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure auditd is installed", - "docs": { - "desc": "auditd is the userspace component to the Linux Auditing System. 
It's responsible for writing audit records to the disk", - "remediation": "Run the following command to install auditd with dnf\n\n```\ndnf install audit audit-libs\n```\n\nRun the following command to install auditd with apt\n\n```\napt install auditd audispd-plugins\n```" - } - }, - { - "query": "service(\"auditd\").enabled\n", - "code_id": "cYHRR9+gDKI=", - "checksum": "dur0BatBm5c=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditd-service-is-enabled", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure auditd service is enabled", - "docs": { - "desc": "Turn on the `auditd`\ndaemon to record system events.", - "remediation": "Run the following command to enable `auditd`\n:\n\n```\nsystemctl --now enable auditd\n```" - } - }, - { - "query": "if( file(\"/boot/grub2/grub.cfg\" ).exists) {\n file(\"/boot/grub2/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.cfg\").exists ) {\n file(\"/boot/grub/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.conf\").exists ) {\n file(\"/boot/grub/grub.conf\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file('/etc/secboot/config.json').exists ) {\n parse.json('/etc/secboot/config.json').params['kernel-params'].contains('audit\\=(\\s+)?1')\n}\n", - "code_id": "OCysW6/A17Y=", - "checksum": "zjwJZJpf/uY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-auditing-for-processes-that-start-prior-to-auditd-is-enabled", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure auditing for processes that start prior to auditd is enabled", - "docs": { - "desc": "Configure `grub2`\nso that processes that are capable of being audited can be audited even if they start up prior to `auditd`\nstartup.", - "remediation": "Edit `/etc/default/grub` and add `audit=1`\nto 
`GRUB_CMDLINE_LINUX`:\n\n```\nGRUB_CMDLINE_LINUX=\"audit=1\"\n```\n\nRun the following command to update the `grub2`\nconfiguration:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nsudo grub2-mkconfig -o /boot/grub2/grub.cfg\n```\n**Note:**\nThe path looks different for UEFI systems.\n\n### Debian/Ubuntu and derivatives\n```\nsudo update-grub\n```" - } - }, - { - "query": "service(\"avahi-daemon\").enabled == false\nservice(\"avahi-daemon\").running == false\n", - "code_id": "3QL3VcmScCM=", - "checksum": "JyCxDgoR+cs=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-avahi-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure Avahi server is stopped and not enabled", - "docs": { - "desc": "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. 
For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.", - "remediation": "Run the following command to stop and disable `avahi-daemon` :\n\n```\nsystemctl stop avahi-daemon\nsystemctl disable avahi-daemon\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.icmp_ignore_bogus_error_responses'] == 1\n", - "code_id": "H2ZH2J+F/yo=", - "checksum": "QG8TmdpYja4=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-bogus-icmp-responses-are-ignored", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure bogus ICMP responses are ignored", - "docs": { - "desc": "Setting `icmp_ignore_bogus_error_responses` to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages.", - "remediation": "Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.icmp_echo_ignore_broadcasts'] == 1\n", - "code_id": "7wuHGnsUApE=", - "checksum": "Kf4ARYjYz/o=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-broadcast-icmp-requests-are-ignored", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure broadcast ICMP requests are ignored", - "docs": { - "desc": "Setting `net.ipv4.icmp_echo_ignore_broadcasts` to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` 
file:\n\n```\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\.d\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n}\n", - "code_id": "eWpIdiIAryk=", - "checksum": "pnB8bkXeOWk=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-changes-to-system-administration-scope-sudoers-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure changes to system administration scope (sudoers) is collected", - "docs": { - "desc": "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the `sudo`\ncommand to execute privileged commands, it is possible to monitor changes in scope. The file `/etc/sudoers`\nwill be written to when the file or its attributes have changed. 
The audit records will be tagged with the identifier \"scope.\"", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-scope.rules`\n\nAdd the following lines:\n\n```\n-w /etc/sudoers -p wa -k scope\n\n-w /etc/sudoers.d -p wa -k scope\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file(\"/etc/security/limits.conf\").content.lines.where( _ == /^[^#]/ ).where( _.contains(\"core\") ) {\n _ == /\\*\\s+hard\\s+core\\s+0/\n}\nkernel.parameters['fs.suid_dumpable'] == 0\nif(service(\"coredump\").enabled || service(\"coredump\").running) {\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['ProcessSizeMax'] == 0\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['Storage'] == 'none'\n}\n", - "code_id": "Gjj6ZTcWK1M=", - "checksum": "GVQ1BM6gWsk=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-core-dumps-are-restricted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure core dumps are restricted", - "docs": { - "desc": "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. 
The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.", - "remediation": "Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/\\*` file:\n\n```\n* hard core 0\n```\n\nSet the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nfs.suid_dumpable = 0\n```\n\nRun the following command to set the active kernel parameter:\n\n```\nsysctl -w fs.suid_dumpable=0\n```\n\nIf systemd-coredump is installed:\n\nedit `/etc/systemd/coredump.conf` and add/modify the following lines:\n\n```\nStorage=none\nProcessSizeMax=0\n```\n\nRun the command:\n\n```\nsystemctl daemon-reload\n```" - } - }, - { - "query": "service(\"cups\").enabled == false\nservice(\"cups\").running == false\n", - "code_id": "MCCspWdD2Vk=", - "checksum": "O/g9JdFLuVg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-cups-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure CUPS is stopped and not enabled", - "docs": { - "desc": "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.", - "remediation": "Run the following command to stop and disable `cups` :\n\n```\nsystemctl stop cups\nsystemctl disable cups\n```\n\n**Impact:**\n\nDisabling CUPS will prevent printing from the system, a common task for workstation systems." 
- } - }, - { - "query": "users.where( name == \"root\" ).list { gid == 0 }\n", - "code_id": "JIe+57K3g/w=", - "checksum": "IO/zM3tBKzU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-default-group-for-the-root-account-is-gid-0", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure default group for the root account is GID 0", - "docs": { - "desc": "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.", - "remediation": "Run the following command to set the `root` user default group to GID `0` :\n\n```\nusermod -g 0 root\n```" - } - }, - { - "query": "service(\"dhcpd\").enabled == false\nservice(\"dhcpd\").running == false\n", - "code_id": "pG8C4AikOeo=", - "checksum": "upAJ8HocazU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-dhcp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure DHCP server is stopped and not enabled", - "docs": { - "desc": "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.", - "remediation": "Run the following command to stop and disable `dhcpd` :\n\n```\nsystemctl stop dhcpd\nsystemctl disable dhcpd\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\,fchown\\,lchown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+lchown\\,fchown\\,chown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n}\n", - "code_id": "MfV32r62IQE=", - "checksum": "kI61cIM8IlQ=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-discretionary-access-control-permission-modification-events-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure discretionary access control permission modification events are collected", - "docs": { - "desc": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. \nThe `chmod`, `fchmod` and `fchmodat` system calls affect the permissions associated with a file. The `chown`, `fchown`, `fchownat` and `lchown`\nsystem calls affect owner and group attributes on a file. The `setxattr`, `lsetxattr`, `fsetxattr` (set extended file attributes) and `removexattr`, \n`lremovexattr`, `fremovexattr` (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written \nfor non-system user ids (auid \u003e= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-perm_mod.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-perm_mod.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F 
auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "service(\"named\").enabled == false\nservice(\"named\").running == false\n", - "code_id": "v4D2MQ0juoo=", - "checksum": "ys9Tc5OfQt8=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-dns-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure DNS server is stopped and not enabled", - "docs": { - "desc": "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.", - "remediation": "Run the following command to stop and disable `named` :\n\n```\nsystemctl stop named\nsystemctl disable named\n```" - } - }, - { - "query": "users.list { name gid != null }\n", - "code_id": "uzWGcrUQbCU=", - "checksum": "t3O9LxKBdmc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-each-user-member-of-a-group", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure each user is a member of a group", - "docs": { - "desc": "Each user MUST be a member of at least one group.", - "remediation": "Based on the results of the query output, add the user to a primary group.\n\nRun the following command to set the primary group of a user:\n\n```\nusermod -G \u003cprimary group\u003e\n```" - } - }, - { - "query": 
"file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\,settimeofday\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-S\\s+stime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n ||file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+stime\\,settimeofday\\,adjtimex\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/localtime\\s+\\-p\\s+wa\\s+\\-k\\s+time\\-change/)\n}\n", - "code_id": "I/fSLFpoIJA=", - "checksum": "BrtnDJQ7rho=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-date-and-time-information-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that 
modify date and time information are collected", - "docs": { - "desc": "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the `adjtimex`\n(tune kernel clock), `settimeofday`\n(Set time, using timeval and timezone structures) `stime`\n(using seconds since 1/1/1970) or `clock_settime`\n(allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the `/var/log/audit.log`\nfile upon exit, tagging the records with the identifier \"time-change\"", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`_\n\nExample: `vi /etc/audit/rules.d/50-time_change.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n\n-w /etc/localtime -p wa -k time-change\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-time_change.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n\n-w /etc/localtime -p wa -k time-change\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif 
(file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/usr\\/share\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n}\n", - "code_id": "d6AyzyIg+ow=", - "checksum": "0WPnJXw69EA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-the-systems-mandatory-access-controls-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify the system's Mandatory Access Controls are collected", - "docs": { - "desc": "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, \ndeletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-MAC_policy.rules`\n\nAdd the following lines:\n\n```\n-w /etc/selinux/ -p wa -k MAC-policy\n\n-w /usr/share/selinux/ -p wa -k MAC-policy\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\.net\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/hosts\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sysconfig\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/netctl\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n}\n", - "code_id": "3JYJkYI8d0U=", - "checksum": "4Es4Kjv5E3g=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-the-systems-network-environment-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify the system's network environment are collected", - "docs": { - "desc": "Record changes to network environment files or system calls. 
The below parameters monitor the sethostname (set the systems host name) \nor setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the `/etc/issue`\nand `/etc/issue.net` files (messages displayed pre-login), `/etc/hosts` (file containing host names and associated IP addresses) and `/etc/sysconfig/network`\n(directory containing network interface scripts and configurations) files.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-system_local.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n\n-w /etc/issue -p wa -k system-locale\n\n-w /etc/issue.net -p wa -k system-locale\n\n-w /etc/hosts -p wa -k system-locale\n```\n\nAdd the following line on Red Hat based systems:\n\n```\n-w /etc/sysconfig/network -p wa -k system-locale\n```\n\nAdd the following line for Debian/Ubuntu based systems:\n\n```\n-w /etc/network -p wa -k system-locale\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-system_local.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n\n-w /etc/issue -p wa -k system-locale\n\n-w /etc/issue.net -p wa -k system-locale\n\n-w /etc/hosts -p wa -k system-locale\n```\n\nAdd the following line for Red Hat based systems:\n\n```\n-w /etc/sysconfig/network -p wa -k system-locale\n```\n\nAdd the following line for Debian/Ubuntu based systems:\n\n```\n-w /etc/network -p wa -k system-locale\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added 
rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n}\n", - "code_id": "IQ/r00/mLRg=", - "checksum": "q7uk7UWXT1M=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-events-that-modify-usergroup-information-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify user/group information are collected", - "docs": { - "desc": "Record events affecting the `group`, `passwd` (user IDs), `shadow` and `gshadow` (passwords) or `/etc/security/opasswd`\n(old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch \nthe files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier \"identity\" in the audit log file.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-identity.rules`\n\nAdd the following lines:\n\n```\n-w /etc/group -p wa -k identity\n\n-w /etc/passwd -p wa -k identity\n\n-w /etc/gshadow -p wa -k identity\n\n-w /etc/shadow -p wa -k identity\n\n-w /etc/security/opasswd -p wa -k identity\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+rename\\,unlink\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\,rename\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n}\n", - "code_id": "9kZGL9b/izQ=", - "checksum": "NFHH/gzo8eY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-file-deletion-events-by-users-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure file deletion events by users are collected", - "docs": { - "desc": "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the `unlink`\n(remove a file), `unlinkat` (remove a file attribute), `rename` (rename a file) and `renameat` (rename a file attribute) system calls and tags them with the identifier \"delete\".\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-deletion.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid\u003e=1000 -F auid!=4294967295 -k delete\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-deletion.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid\u003e=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid\u003e=1000 -F auid!=4294967295 -k delete\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide --check\") || command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide.conf --check\") || service('aidecheck').enabled || parse.ini(\"/etc/default/aide\").params[\"CRON_DAILY_RUN\"] == \"yes\"\n", - "code_id": "8xqHW7YCDEw=", - "checksum": "Hxsdr8Qhmj8=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-filesystem-integrity-is-regularly-checked", - "type": "\u0004", - "severity": { 
- "value": 60 - }, - "title": "Ensure filesystem integrity is regularly checked", - "docs": { - "desc": "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.", - "remediation": "_If cron will be used to schedule and run aide check_\n\nRun the following command:\n\n```\ncrontab -u root -e\n```\n\nAdd the following line to the crontab:\n\n```\n0 5 * * * /usr/sbin/aide --check\n```\n\n_OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:_\n\nCreate or edit the file `/etc/systemd/system/aidecheck.service` and add the following lines:\n\n```\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n```\n\nCreate or edit the file `/etc/systemd/system/aidecheck.timer` and add the following lines:\n\n```\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n```\n\nRun the following commands:\n\n```\nchown root:root /etc/systemd/system/aidecheck.*\nchmod 0644 /etc/systemd/system/aidecheck.*\n\nsystemctl daemon-reload\n\nsystemctl enable aidecheck.service\nsystemctl --now enable aidecheck.timer\n```" - } - }, - { - "query": "service(\"vsftpd\").enabled == false\nservice(\"vsftpd\").running == false\n", - "code_id": "jqO4q2mBu9M=", - "checksum": "OlBp884+2lI=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ftp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure FTP server is stopped and not enabled", - "docs": { - "desc": "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.", - "remediation": "Run the following command to stop and disable `vsftpd` :\n\n```\nsystemctl stop vsftpd\nsystemctl disable vsftpd\n```" - } - }, - { - "query": "users.list { name group != null }\n", - "code_id": 
"XbnrBNXgCwA=", - "checksum": "eLlcjObyYe4=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-gid-in-passwd-exists-in-group", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure all GIDs in /etc/passwd exist in /etc/group", - "docs": { - "desc": "Every GID mentioned in the /etc/passwd file must be defined in the /etc/group file.", - "remediation": "Based on the results of the query output, correct the GIDs in `/etc/passwd` and `/etc/group`." - } - }, - { - "query": "service(\"squid\").enabled == false\nservice(\"squid\").running == false\nservice(\"tinyproxy\").enabled == false\nservice(\"tinyproxy\").running == false\n", - "code_id": "f5q/EiRn95Q=", - "checksum": "SDxsdGKJSg4=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-http-proxy-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure HTTP Proxy server is stopped and not enabled", - "docs": { - "desc": "Squid and Tinyproxy are HTTP proxy servers used to proxy and potentially anonymize HTTP traffic through other hosts.", - "remediation": "Run the following command to stop and disable `squid` and `tinyproxy`:\n\n```\nsystemctl stop squid\nsystemctl stop tinyproxy\n\nsystemctl disable squid\nsystemctl disable tinyproxy\n```" - } - }, - { - "query": "service(\"httpd\").enabled == false\nservice(\"httpd\").running == false\nservice(\"apache2\").enabled == false\nservice(\"apache2\").running == false\nservice(\"nginx\").enabled == false\nservice(\"nginx\").running == false\n", - "code_id": "gxsrJvn0Hag=", - "checksum": "2H0tAKAwzvc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-http-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure HTTP servers are stopped and not enabled", - "docs": { - "desc": "HTTP or web servers provide the ability to host web site content.", - 
"remediation": "Run the following commands to stop and disable webservers:\n\n```\nsystemctl stop httpd\nsystemctl disable httpd\n\nsystemctl stop apache2\nsystemctl disable apache2\n\nsystemctl stop nginx\nsystemctl disable nginx\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_redirects'] == 0\n", - "code_id": "rZN1LNm5r7E=", - "checksum": "7YIjsWrqZqU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-icmp-redirects-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure ICMP redirects are not accepted", - "docs": { - "desc": "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. 
By setting `net.ipv4.conf.all.accept_redirects` and `net.ipv6.conf.all.accept_redirects` to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.accept_redirects = 0\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nnet.ipv6.conf.default.accept_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.accept_redirects=0\n\nsysctl -w net.ipv4.conf.default.accept_redirects=0\n\nsysctl -w net.ipv6.conf.all.accept_redirects=0\n\nsysctl -w net.ipv6.conf.default.accept_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "service(\"dovecot\").enabled == false\nservice(\"dovecot\").running == false\n", - "code_id": "IlhV0oVPhJk=", - "checksum": "fB/7WCWvB+M=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-imap-and-pop3-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure IMAP and POP3 server is stopped and not enabled", - "docs": { - "desc": "`dovecot` is an open source IMAP and POP3 server for Linux based systems.", - "remediation": "Run the following command to stop and disable `dovecot` :\n\n```\nsystemctl stop dovecot\nsystemctl disable dovecot\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.ip_forward'] == 0\nkernel.parameters['net.ipv6.conf.all.forwarding'] == 0\n", - "code_id": "Ty2iKIfHjno=", - "checksum": "a6noEJKSatk=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ip-forwarding-is-disabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure IP forwarding is disabled", - "docs": { - "desc": "The `net.ipv4.ip_forward` and 
`net.ipv6.conf.all.forwarding` flags are used to tell the system whether it can forward packets or not.", - "remediation": "Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.ip_forward = 0\n\nnet.ipv6.conf.all.forwarding = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.ip_forward=0\n\nsysctl -w net.ipv6.conf.all.forwarding=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "kernel.parameters['net.ipv6.conf.all.accept_ra'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_ra'] == 0\n", - "code_id": "9Frfyu3HqwY=", - "checksum": "/d0q1Gx0IVw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ipv6-router-advertisements-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure IPv6 router advertisements are not accepted", - "docs": { - "desc": "This setting disables the system's ability to accept IPv6 router advertisements.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv6.conf.all.accept_ra = 0\n\nnet.ipv6.conf.default.accept_ra = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv6.conf.all.accept_ra=0\n\nsysctl -w net.ipv6.conf.default.accept_ra=0\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Compress\"] == \"yes\"\n}\n", - "code_id": "rDqQzgrxmug=", - "checksum": "Yl143mh8fMM=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-compress-large-log-files", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure journald is configured to compress large log files", - "docs": { - "desc": "The journald system 
includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nCompress=yes\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"ForwardToSyslog\"] == \"yes\"\n}\n", - "code_id": "LxiiosuqdEw=", - "checksum": "gTykO2QNN9Q=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-send-logs-to-rsyslog", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure journald is configured to send logs to rsyslog", - "docs": { - "desc": "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, \nhowever, use of the rsyslog service provides a consistent means of log collection and export.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nForwardToSyslog=yes\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Storage\"] == \"persistent\"\n}\n", - "code_id": "5q5EG7AkY6k=", - "checksum": "bqijDjToYNc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-journald-is-configured-to-write-logfiles-to-persistent-disk", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure journald is configured to write logfiles to persistent disk", - "docs": { - "desc": "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. 
Persisting logs to a local disk on the server protects logs loss.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nStorage=persistent\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/insmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/rmmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/modprobe\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n}\n", - "code_id": "HhVqF0tMxvA=", - "checksum": "Ol/tyld6Eek=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-kernel-module-loading-and-unloading-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure kernel module loading and unloading is collected", - "docs": { - "desc": "Monitor the loading and unloading of kernel modules. 
The programs `insmod`\n(install a kernel module), `rmmod`\n(remove a kernel module), and `modprobe`\n(a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The `init_module`\n(load a module) and `delete_module`\n(delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\".", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-modules.rules`\n\nAdd the following lines:\n\n```\n-w /sbin/insmod -p x -k modules\n\n-w /sbin/rmmod -p x -k modules\n\n-w /sbin/modprobe -p x -k modules\n\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-modules.rules`\n\nAdd the following lines:\n\n```\n-w /sbin/insmod -p x -k modules\n\n-w /sbin/rmmod -p x -k modules\n\n-w /sbin/modprobe -p x -k modules\n\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "service(\"slapd\").enabled == false\nservice(\"slapd\").running == false\n", - "code_id": "QTN+NYX439o=", - "checksum": "cMA84MCFFpU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ldap-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 
- }, - "title": "Ensure LDAP server is stopped and not enabled", - "docs": { - "desc": "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.", - "remediation": "Run the following command to stop and disable `slapd` :\n\n```\nsystemctl stop slapd\nsystemctl disable slapd\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n if( platform.family.contains('debian') ) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/faillog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n } else {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/faillock\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n }\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/lastlog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/tallylog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "code_id": "sbKG4w+lkaA=", - "checksum": "LdMvsEglVMw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-login-and-logout-events-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure login and logout events are collected", - "docs": { - "desc": "Monitor login and logout events. 
The parameters below track changes to files associated with login/logout events.\n\n- The file `/var/log/lastlog` maintain records of the last time a user successfully logged in.\n- The `/var/run/faillog/` directory maintains records of login failures via the `pam_faillog` module.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-logins.rules`\n\nAdd the following lines:\n\n```\n-w /var/log/lastlog -p wa -k logins\n\n-w /var/log/tallylog -p wa -k logins\n```\n\n### Add the following additional line for Debian/Ubuntu based systems:\n\n```\n-w /var/log/faillog -p wa -k logins\n```\n\n### Add the following additional line for Red Hat/Fedora/Amazon Linux based systems:\n\n```\n-w /var/run/faillock -p wa -k logins\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "if( package(\"postfix\").installed ) {\n parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"localhost\" || parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"loopback-only\"\n}\nif( package(\"exim4\").installed ) {\n parse.ini(\"/etc/exim4/update-exim4.conf.conf\").params[\"dc_local_interfaces\"] == \"'127.0.0.1 ; ::1'\"\n}\nsocketstats.openPorts.none(25)\n", - "code_id": "BJ3P14TOMTU=", - "checksum": "Lt3mMhZUFf4=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-mail-transfer-agent-is-configured-for-local-only-mode", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure mail transfer agent is configured for local-only mode", - "docs": { - "desc": 
"Mail Transfer Agents (MTA), such as Sendmail and Postfix, listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.", - "remediation": "Edit `/etc/postfix/main.cf` and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below:\n\n```\ninet_interfaces = loopback-only\n```\n\nRestart postfix:\n\n```\nsystemctl restart postfix\n```" - } - }, - { - "query": "service(\"nfs\").enabled == false\nservice(\"nfs\").running == false\nservice(\"rpcbind\").enabled == false\nservice(\"rpcbind\").running == false\n", - "code_id": "HKo0vfMZsRE=", - "checksum": "cmgcVrqQOQw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-nfs-and-rpc-are-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure NFS and RPC are stopped and not enabled", - "docs": { - "desc": "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. 
It provides the ability for systems to mount file systems of other servers through the network.", - "remediation": "Run the following commands to stop and disable `nfs`, `nfs-server`, and `rpcbind`:\n\n```\nsystemctl stop nfs\nsystemctl stop rpcbind\n\nsystemctl disable nfs\nsystemctl disable rpcbind\n```" - } - }, - { - "query": "service(\"ypserv\").enabled == false\nservice(\"ypserv\").running == false\n", - "code_id": "Au17Pta3l0A=", - "checksum": "5egvrxHVWlA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-nis-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure NIS server is stopped and not enabled", - "docs": { - "desc": "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files.", - "remediation": "Run the following command to stop and disable `ypserv` :\n\n```\nsystemctl stop ypserv\nsystemctl disable ypserv\n```" - } - }, - { - "query": "groups.list.duplicates(gid).none()\n", - "code_id": "gu8eYJ6C7Ag=", - "checksum": "6pHk/rFGhhQ=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-gids-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate GIDs exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. 
In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `groupadd` program does not let you create a duplicate group ID (GID), but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated GID entry.", - "remediation": "Based on the results of the query output, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to." - } - }, - { - "query": "groups.list.duplicates(name).none()\n", - "code_id": "fSgcywHks9g=", - "checksum": "Pbm9v2OeoOg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-group-names-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate group names exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `groupadd` program does not let you create a duplicate group name, but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated group name entry.", - "remediation": "Based on the results of the query output, establish unique names for the user groups. 
File group ownerships will automatically reflect the change as long as the groups have unique GIDs.\n\nRun the following command to set the new group name:\n\n```\ngroupmod -n \u003cnew group name\u003e \u003cold groupname\u003e\n```" - } - }, - { - "query": "users.list.duplicates(uid).none()\n", - "code_id": "Ps0zOyqhecE=", - "checksum": "FzjtcetUN5Y=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-uids-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate UIDs exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `useradd` program does not let you create duplicate user IDs (UID), but for an administrator it is possible to manually edit the `/etc/passwd` and create a duplicate UID entry.", - "remediation": "Based on the results of the query output, establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to.\n\nRun the following command to set the new UID of a user:\n\n```\nusermod -u \u003cnew uid\u003e \u003cuser\u003e\n```" - } - }, - { - "query": "users.list.duplicates(name).none()\n", - "code_id": "VrgV5/9So/8=", - "checksum": "HAEm691M02s=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-no-duplicate-user-names-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate 
user names exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `useradd` program does not let you create a duplicate user name, but for an administrator it is possible to manually edit the `/etc/passwd` file and create a duplicated username entry.", - "remediation": "Based on the results of the query output, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.\n\nRun the following command to set the new user name:\n\n```\nusermod -l \u003cnew login-name\u003e \u003cold username\u003e\n```" - } - }, - { - "query": "sshd.config.ciphers != null\nsshd.config.ciphers.containsOnly(props.MondooSshdCiphers)\n", - "code_id": "kIc0/kMdiMQ=", - "checksum": "dWNA+6j2MRs=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-ciphers-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure only strong ciphers are used", - "docs": { - "desc": "This variable limits the ciphers that SSH can use during communication.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `Ciphers` parameter so that it contains a comma-separated list of the site approved ciphers\n\nExample:\n\n```\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n```" - } - }, - { - "query": "sshd.config.kexs 
!= null\nsshd.config.kexs.containsOnly(props.MondooKexAlgos)\n", - "code_id": "Lnr8+OPIpwc=", - "checksum": "lxfLPlrFpPE=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-kex-algorithms-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure that strong Key Exchange algorithms are used", - "docs": { - "desc": "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `KexAlgorithms` parameter so that it contains a comma-separated list of the site approved key exchange algorithms\n\nopenssh-server version 6.x or 7.x:\n\n```\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nopenssh-server version 8.0 to 8.5:\n\n```\nKexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nopenssh-server version 8.6 to 9:\n\n```\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nNOTE:\nTo quickly find out what openssh-server version you are using, run this command:\n\n```bash\ncnquery run -c \"package('openssh-server').version\"\n```" - } - }, - { - "query": "sshd.config.macs != null\nsshd.config.macs.containsOnly(props.MondooMacAlgos)\n", - "code_id": "O2I4BuM7B9w=", - "checksum": "0hGGs2UOrKk=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-only-strong-mac-algorithms-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure only strong MAC algorithms are used", - "docs": { - "desc": "This variable limits the types of MAC algorithms that SSH can 
use during communication.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `MACs` parameter so that it contains a comma-separated list of the site approved MACs\n\nExample:\n\n```\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.send_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.send_redirects'] == 0\n", - "code_id": "n9dXQh6Dchs=", - "checksum": "0hvp7Rimepc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-packet-redirect-sending-is-disabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure packet redirect sending is disabled", - "docs": { - "desc": "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host-only configuration), there is no need to send redirects.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.send_redirects = 0\n\nnet.ipv4.conf.default.send_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.send_redirects=0\n\nsysctl -w net.ipv4.conf.default.send_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "files.find(from: \"/var/log\", type: \"file\").list {\n # @msg Please adjust file permissions for ${ basename } in folder ${ dirname }\n path\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "FbII7up+bkQ=", - "checksum": "EC2QFcB0peY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-all-logfiles-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - 
"title": "Ensure secure permissions on all log files are set", - "docs": { - "desc": "Log files stored in /var/log/ contain logged information from many services on the system. If the host is a log aggregation server, these logs may collect sensitive data from large numbers of systems in your environment.", - "remediation": "Run the following commands to set permissions on all existing log files:\n\n```\nfind /var/log/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx \"{}\" +\n```\n\n_Note: The configuration for your logging software or services may need to also be modified for any logs that had incorrect permissions, otherwise, the permissions may be reverted to the incorrect permissions_\n\n_rsyslog.conf_\n\n```\nvi /etc/rsyslog.conf\n..\n$FileCreateMode 0640\n$umask 0077\n```\n\nConfiguration for creation, deletion and cleaning of volatile and temporary files:\n\n```\nvi /usr/lib/tmpfiles.d/var.conf\n..\nf /var/log/faillog 0640 root root -\nf /var/log/wtmp 0640 root utmp -\nf /var/log/btmp 0640 root utmp -\nf /var/log/lastlog 0640 root utmp -\n```" - } - }, - { - "query": "if (file(\"/etc/group-\").exists) {\n file(\"/etc/group-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Kd0nC0U7dfs=", - "checksum": "J2IUVszkgYg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgroup--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/group- are set", - "docs": { - "desc": "The `/etc/group-` file contains a backup list of all the valid groups defined in the system. 
Only the root user should have read and write permissions on this file so that group names an user membership is not available to non-administrative users on the system.", - "remediation": "Run the following command to set permissions on `/etc/group-` :\n\n```\nchown root:root /etc/group-\n\nchmod 600 /etc/group-\n```" - } - }, - { - "query": "file(\"/etc/group\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "m7DAOFbL9Qg=", - "checksum": "4IKIRT+W5BE=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgroup-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/group are set", - "docs": { - "desc": "The `/etc/group` file contains a list of all the valid groups defined in the system. This file should have read/write access for root and read access for all other users to prevent non-administrative users from modifying groups.", - "remediation": "Run the following command to set permissions on `/etc/group` :\n\n```\nchown root:root /etc/group\n\nchmod 644 /etc/group\n```" - } - }, - { - "query": "if (file(\"/etc/gshadow-\").exists) {\n file(\"/etc/gshadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "vdDFAY9Qxko=", - "checksum": "zDow0ugJPfs=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgshadow--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/gshadow- are set", - "docs": { - "desc": "The `/etc/gshadow-` file is used to store backup 
information about groups that is critical to the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following commands to set permissions on `/etc/gshadow-` :\n\n```\nchown root:root /etc/gshadow-\n\nchmod 640 /etc/gshadow-\n```" - } - }, - { - "query": "if (file(\"/etc/gshadow\").exists) {\n file(\"/etc/gshadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "FrdMe+1q6Bc=", - "checksum": "Rg2szNDV7Co=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcgshadow-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/gshadow are set", - "docs": { - "desc": "The `/etc/gshadow` file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following chown to set permissions on `/etc/gshadow` :\n\n```\nchown root:root /etc/gshadow\n\nchmod 640 /etc/gshadow\n```" - } - }, - { - "query": "if (file(\"/etc/passwd-\").exists) {\n file(\"/etc/passwd-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Gjm+13rDf3o=", - "checksum": "oQHjQWIi6es=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcpasswd--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/passwd- are set", - "docs": { - "desc": 
"The `/etc/passwd-` file contains backup user account information.", - "remediation": "Run the following command to set permissions on `/etc/passwd-` :\n\n```\nchown root:root /etc/passwd-\n\nchmod 600 /etc/passwd-\n```" - } - }, - { - "query": "file(\"/etc/passwd\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "OFWIXTzBv00=", - "checksum": "uQJM/ILtP7U=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcpasswd-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/passwd are set", - "docs": { - "desc": "The `/etc/passwd` file contains user account information used by many system utilities and therefore must be readable for these utilities to operate.", - "remediation": "Run the following command to set permissions on `/etc/passwd`:\n\n```\nchown root:root /etc/passwd\n\nchmod 644 /etc/passwd\n```" - } - }, - { - "query": "if (file(\"/etc/shadow-\").exists) {\n file(\"/etc/shadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Xs984txmLXk=", - "checksum": "Z99NDqngipI=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcshadow--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/shadow- are set", - "docs": { - "desc": "The `/etc/shadow-` file is used to store backup information about user accounts, such as the hashed password and other security information. 
Only the root user should have read and write permissions on this file so that sensitive user information is not available to non-administrative users on the system.", - "remediation": "Run the following commands to set permissions on `/etc/shadow-`:\n\n```\nchown root:root /etc/shadow-\n\nchmod 640 /etc/shadow-\n```" - } - }, - { - "query": "if (file(\"/etc/shadow\").exists) {\n file(\"/etc/shadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "htUqKZYa860=", - "checksum": "85QJzMSvy9c=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcshadow-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/shadow are set", - "docs": { - "desc": "The `/etc/shadow` file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following commands to set permissions on `/etc/shadow` :\n\n```\nchown root:root /etc/shadow\n\nchmod 640 /etc/shadow\n```" - } - }, - { - "query": "file(\"/etc/ssh/sshd_config\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "r8nmUDlrGVc=", - "checksum": "kbPumtsyzuc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-etcsshsshd-config-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/ssh/sshd_config are set", - "docs": { - 
"desc": "The `/etc/ssh/sshd_config` file contains configuration specifications for `sshd`. The command below sets the owner and group of the file to root.", - "remediation": "Run the following commands to set ownership and permissions on `/etc/ssh/sshd_config`:\n\n```\nchown root:root /etc/ssh/sshd_config\n\nchmod og-rwx /etc/ssh/sshd_config\n```" - } - }, - { - "query": "files.\nfind(from: \"/etc/ssh\", type: \"file\").\nwhere(path == /ssh_host_.*key$/).list {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "x7jUqDgSbuM=", - "checksum": "114F13c8oDg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-ssh-private-host-key-files-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on SSH private host key files are set", - "docs": { - "desc": "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key corresponding to a public key can authenticate successfully. 
The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.", - "remediation": "Run the following commands to set ownership and permissions on the private SSH host key files\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \\;\n```\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \\;\n```" - } - }, - { - "query": "files.\nfind(from: \"/etc/ssh\", type: \"file\").\nwhere(path == /ssh_host_.*key.pub$/).list {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "mQG2kdC1CYg=", - "checksum": "3/mZivYvEOQ=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-permissions-on-ssh-public-host-key-files-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure secure permissions on SSH public host key files are set", - "docs": { - "desc": "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. 
Only a public key corresponding to a private key can authenticate successfully.", - "remediation": "Run the following commands to set permissions and ownership on the SSH host public key files\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \\;\n```\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;\n```" - } - }, - { - "query": "package(\"prelink\").installed == false\n", - "code_id": "aS95c8UVV00=", - "checksum": "JbSDY2GqhWo=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-prelink-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure prelink is disabled", - "docs": { - "desc": "The `prelink` command changes binaries in an attempt to decrease their startup time. Prelinking can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.", - "remediation": "Run the following commands to restore binaries to normal and uninstall `prelink`:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nprelink -ua\n\nyum remove prelink\n```\n\n### Ubuntu/Debian\n```\nprelink -ua\n\napt-get remove prelink\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.rp_filter'] == 1\nkernel.parameters['net.ipv4.conf.default.rp_filter'] == 1\n", - "code_id": "THw+yxDZOpw=", - "checksum": "VU0dS4+C3iE=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-reverse-path-filtering-is-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure Reverse Path Filtering is enabled", - "docs": { - "desc": "Setting `net.ipv4.conf.all.rp_filter`and `net.ipv4.conf.default.rp_filter` to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. 
Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if `log_martians` is set).", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.rp_filter = 1\n\nnet.ipv4.conf.default.rp_filter = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.rp_filter=1\n\nsysctl -w net.ipv4.conf.default.rp_filter=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "groups.where( name == \"root\").list { members.length == 0 }\n", - "code_id": "N0L20kz+NNw=", - "checksum": "+zGfPvA9WFc=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-root-group-is-empty", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure root group is empty", - "docs": { - "desc": "The root group allows system programs or defined users the ability to read and write configurations and files on the system. No users should be assigned to the root group.", - "remediation": "Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with root as their primary group, except the root user." 
- } - }, - { - "query": "service(\"rsh.socket\").enabled == false\nservice(\"rlogin.socket\").enabled == false\nservice(\"rexec.socket\").enabled == false\nservice(\"rsh.socket\").running == false\nservice(\"rlogin.socket\").running == false\nservice(\"rexec.socket\").running == false\n", - "code_id": "lSnkpvWD+i0=", - "checksum": "b9Iw5ZjgTpQ=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsh-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure rsh server is stopped and not enabled", - "docs": { - "desc": "The Berkeley `rsh-server` ( `rsh` , `rlogin` , `rexec` ) package contains legacy services that exchange credentials in clear-text.", - "remediation": "Run the following commands to stop and disable `rsh` , `rlogin` , and `rexec` :\n\n```\nsystemctl stop rsh.socket\nsystemctl stop rlogin.socket\nsystemctl stop rexec.socket\n\nsystemctl disable rsh.socket\nsystemctl disable rlogin.socket\nsystemctl disable rexec.socket\n```" - } - }, - { - "query": "service(\"rsyncd\").enabled == false\nservice(\"rsyncd\").running == false\n", - "code_id": "NoJQoV63siE=", - "checksum": "JuAwPJTcH50=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsync-service-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure rsync service is stopped and not enabled", - "docs": { - "desc": "The `rsyncd` service can be used to synchronize files between systems over network links.", - "remediation": "Run the following command to stop and disable `rsync` :\n\n```\nsystemctl stop rsyncd\nsystemctl disable rsyncd\n```" - } - }, - { - "query": "rsyslog.conf.settings.contains(\"$FileCreateMode 0640\")\n", - "code_id": "nxVlUWzBV1c=", - "checksum": "ozKwmEYzeco=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-default-file-permissions-configured", - "type": "\u0004", - "severity": { - 
"value": 60 - }, - "title": "Ensure rsyslog default file permissions configured", - "docs": { - "desc": "rsyslog will create log files that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.", - "remediation": "Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`\nfiles and set `$FileCreateMode` to `0640` or more restrictive:\n\n```\n$FileCreateMode 0640\n```" - } - }, - { - "query": "package(\"rsyslog\").installed\n", - "code_id": "WkL8wViksRw=", - "checksum": "RPe767UANDI=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-is-installed", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure rsyslog is installed", - "docs": { - "desc": "The `rsyslog`\nsoftware is a recommended replacement to the original `syslogd`\ndaemon which provide improvements over `syslogd`\n, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.", - "remediation": "Run the following command to install rsyslog:\n\n```\ndnf install rsyslog\n```" - } - }, - { - "query": "service(\"rsyslog\").enabled\n", - "code_id": "ctwaZkpRtPo=", - "checksum": "vn9F+I6RcUo=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-rsyslog-service-is-enabled", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure rsyslog Service is enabled", - "docs": { - "desc": "Once the `rsyslog` package is installed it needs to be enabled.", - "remediation": "Run the following command to enable `rsyslog`:\n\n```\nsystemctl --now enable rsyslog\n```" - } - }, - { - "query": "service(\"smb\").enabled == false\nservice(\"smbd\").enabled == false\nservice(\"smb\").running == false\nservice(\"smbd\").running == false\n", - "code_id": "jb3wqU5HpR8=", - "checksum": "TMRpPIXVpMQ=", - "mrn": 
"//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-samba-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure Samba is stopped and not enabled", - "docs": { - "desc": "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users can mount these directories and file systems as letter drives on their systems.", - "remediation": "Run the following command to stop and disable `smb` and `smbd` services :\n\n```\nsystemctl stop smb\nsystemctl stop smbd\nsystemctl disable smb\nsystemctl disable smbd\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.secure_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.secure_redirects'] == 0\n", - "code_id": "o38RkOShiq4=", - "checksum": "D8LXdB1mAGw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-secure-icmp-redirects-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure secure ICMP redirects are not accepted", - "docs": { - "desc": "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. 
It is assumed that these gateways are known to your system and are likely to be secure.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.secure_redirects = 0\n\nnet.ipv4.conf.default.secure_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.secure_redirects=0\n\nsysctl -w net.ipv4.conf.default.secure_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/utmp\\s+\\-p\\s+wa\\s+\\-k\\s+session(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/wtmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/btmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "code_id": "O1tAHbKLcI8=", - "checksum": "DoXZPyPUV+Q=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-session-initiation-information-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure session initiation information is collected", - "docs": { - "desc": "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. \nThe file `/var/run/utmp` tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" \nThe `/var/log/wtmp` file tracks logins, logouts, shutdown, and reboot events. The file `/var/log/btmp` keeps track of failed \nlogin attempts and can be read by entering the command `/usr/bin/last -f /var/log/btmp`. 
All audit records will be tagged with \nthe identifier \"logins.\"", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-session.rules`\n\nAdd the following lines:\n\n```\n-w /var/run/utmp -p wa -k session\n\n-w /var/log/wtmp -p wa -k logins\n\n-w /var/log/btmp -p wa -k logins\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "groups.where( name == \"shadow\").list { members.length == 0 }\n", - "code_id": "v8xZOX1QRJQ=", - "checksum": "xhbn+4IbP7M=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-shadow-group-is-empty", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure shadow group is empty", - "docs": { - "desc": "The shadow group allows system programs or defined users the ability to read the `/etc/shadow` file. No users should be assigned to the shadow group.", - "remediation": "Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with shadow as their primary group." 
- } - }, - { - "query": "service(\"snmpd\").enabled == false\nservice(\"snmpd\").running == false\n", - "code_id": "+u6doYoYG5E=", - "checksum": "5ZESftAi7ag=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-snmp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure SNMP server is stopped and not enabled", - "docs": { - "desc": "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.", - "remediation": "Run the following command to stop and disable `snmpd`:\n\n```\nsystemctl stop snmpd\nsystemctl disable snmpd\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_source_route'] == 0\n", - "code_id": "KehuxCXphps=", - "checksum": "GLS/+UG3roY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-source-routed-packets-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure source routed packets are not accepted", - "docs": { - "desc": "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. 
Internet routable), and so source routed packets would need to be used.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.accept_source_route = 0\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nnet.ipv6.conf.default.accept_source_route = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.accept_source_route=0\n\nsysctl -w net.ipv4.conf.default.accept_source_route=0\n\nsysctl -w net.ipv6.conf.all.accept_source_route=0\n\nsysctl -w net.ipv6.conf.default.accept_source_route=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "sshd.config.params[\"HostbasedAuthentication\"] == \"no\"\n", - "code_id": "YiaSSdvN0BM=", - "checksum": "1eMib72u4dI=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-hostbasedauthentication-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH HostbasedAuthentication is disabled", - "docs": { - "desc": "The `HostbasedAuthentication` parameter specifies if authentication is allowed through trusted hosts via the user of `.rhosts`, or `/etc/hosts.equiv` , along with successful public key client host authentication. 
This option only applies to SSH Protocol Version 2.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `HostbasedAuthentication` parameter as follows:\n\n```\nHostbasedAuthentication no\n```" - } - }, - { - "query": "sshd.config.params {\n _[\"ClientAliveInterval\"] \u003e= 1\n _[\"ClientAliveInterval\"] \u003c= 300\n _[\"ClientAliveCountMax\"] \u003c= 3\n}\n", - "code_id": "BfEDQj6MJvc=", - "checksum": "+0L3Tqc3bEA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-idle-timeout-interval-is-configured", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure SSH Idle Timeout Interval is configured", - "docs": { - "desc": "The two options `ClientAliveInterval` and `ClientAliveCountMax` control the timeout of ssh sessions. When the `ClientAliveInterval` variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the `ClientAliveCountMax` variable is set, `sshd` will send client alive messages at every `ClientAliveInterval` interval. When the number of consecutive client alive messages are sent with no response from the client, the `ssh` session is terminated. 
For example, if the `ClientAliveInterval` is set to 15 seconds and the `ClientAliveCountMax` is set to 3, the client `ssh` session will be terminated after 45 seconds of idle time.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `ClientAliveInterval` and `ClientAliveCountMax` parameters according to site policy:\n\n```\nClientAliveInterval 300\nClientAliveCountMax 0\n```" - } - }, - { - "query": "sshd.config.params[\"IgnoreRhosts\"] == \"yes\"\n", - "code_id": "Daaqa///pts=", - "checksum": "5jBtpquMgg8=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-ignorerhosts-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH IgnoreRhosts is enabled", - "docs": { - "desc": "The `IgnoreRhosts` parameter specifies that `.rhosts` and `.shosts` files will not be used in `RhostsRSAAuthentication` or `HostbasedAuthentication` .", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `IgnoreRhosts` parameter as follows:\n\n```\nIgnoreRhosts yes\n```" - } - }, - { - "query": "sshd.config.params {\n _[\"LoginGraceTime\"] \u003e= 1\n _[\"LoginGraceTime\"] \u003c= 60\n}\n", - "code_id": "b+fB/tLcWzs=", - "checksum": "x6kn0b7gQ/A=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-logingracetime-is-set-to-one-minute-or-less", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure SSH LoginGraceTime is set to one minute or less", - "docs": { - "desc": "The `LoginGraceTime` parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. 
Like other session controls, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `LoginGraceTime` parameter as follows:\n\n```\nLoginGraceTime 60\n```" - } - }, - { - "query": "sshd.config.params[\"LogLevel\"] == /INFO|VERBOSE/\n", - "code_id": "lzX+6GYw7S0=", - "checksum": "MDZppkoRkJA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-loglevel-is-appropriate", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure SSH LogLevel is appropriate", - "docs": { - "desc": "`INFO` level is the basic level that only records the login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.\n\n`VERBOSE` level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `LogLevel` parameter as follows:\n\n```\nLogLevel VERBOSE\n```\n\nor\n\n```\nLogLevel INFO\n```" - } - }, - { - "query": "sshd.config.params[\"MaxAuthTries\"] \u003c= 4\n", - "code_id": "/Su2a1bp8TA=", - "checksum": "kj3XBRCEd3s=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-maxauthtries-is-set-to-4-or-less", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure SSH MaxAuthTries is set to 4 or less", - "docs": { - "desc": "The `MaxAuthTries` parameter specifies the maximum number of authentication attempts permitted per connection. 
When the login failure count reaches half this maximum value, error messages will be written to the `syslog` file detailing the login failure.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `MaxAuthTries` parameter as follows:\n\n```\nMaxAuthTries 4\n```" - } - }, - { - "query": "sshd.config.params[\"PermitEmptyPasswords\"] == \"no\"\n", - "code_id": "ubafkKyRPyY=", - "checksum": "O+nU6xt9+TA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-permitemptypasswords-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH PermitEmptyPasswords is disabled", - "docs": { - "desc": "The `PermitEmptyPasswords` parameter specifies if the SSH server allows login to accounts with empty password strings.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitEmptyPasswords` parameter as follows:\n\n```\nPermitEmptyPasswords no\n```" - } - }, - { - "query": "sshd.config.params[\"PermitUserEnvironment\"] == \"no\"\n", - "code_id": "tLcO8I/iXyk=", - "checksum": "JLJ53K4X1Qs=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-permituserenvironment-is-disabled", - "type": "\u0004", - "severity": { - "value": 70 - }, - "title": "Ensure SSH PermitUserEnvironment is disabled", - "docs": { - "desc": "The `PermitUserEnvironment` option allows users to present environment options to the `ssh` daemon.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitUserEnvironment` parameter as follows:\n\n```\nPermitUserEnvironment no\n```" - } - }, - { - "query": "sshd.config.params[\"Protocol\"] == 2\n", - "code_id": "wM8ZVC/LDTg=", - "checksum": "AZ3Knhl5ToM=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-protocol-is-set-to-2", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH Protocol is set to 2", - "docs": { - "desc": "SSH supports two 
different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `Protocol`parameter as follows:\n\n```\nProtocol 2\n```" - } - }, - { - "query": "sshd.config.params[\"PermitRootLogin\"] == \"no\" || sshd.config.params[\"PermitRootLogin\"] == \"prohibit-password\"\n", - "code_id": "DnuQprpq4Eg=", - "checksum": "vGxsgtixUbY=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-root-login-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH root login is disabled or set to prohibit-password", - "docs": { - "desc": "The `PermitRootLogin` parameter specifies if the root user can log in using ssh(1). The default is no.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitRootLogin` parameter as follows:\n\n```\nPermitRootLogin no\n```" - } - }, - { - "query": "sshd.config.params[\"Banner\"] != \"\"\n", - "code_id": "ISWAS8ZYXus=", - "checksum": "B7O3ridoPJU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-warning-banner-is-configured", - "type": "\u0004", - "severity": { - "value": 40 - }, - "title": "Ensure SSH warning banner is configured", - "docs": { - "desc": "The `Banner` parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. 
By default, no banner is displayed.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `Banner` parameter as follows:\n\n```\nBanner /etc/issue.net\n```" - } - }, - { - "query": "sshd.config.params[\"X11Forwarding\"] == \"no\"\n", - "code_id": "VAMnKimEy50=", - "checksum": "S9dj2LdYAhk=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-ssh-x11-forwarding-is-disabled", - "type": "\u0004", - "severity": { - "value": 50 - }, - "title": "Ensure SSH X11 forwarding is disabled", - "docs": { - "desc": "The X11Forwarding parameter allows tunneling X11 traffic through the connection to enable remote graphic connections.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `X11Forwarding` parameter as follows:\n\n```\nX11Forwarding no\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n}\n", - "code_id": "7dzfqFlvkAk=", - "checksum": "bjWRr8RDP6s=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-successful-file-system-mounts-are-collected", - "type": "\u0001", - "severity": { - 
"value": 80 - }, - "title": "Ensure successful file system mounts are collected", - "docs": { - "desc": "Monitor the use of the `mount`\nsystem call. The `mount`\n(and `umount`\n) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-mounts.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-mounts.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n\n-a always,exit -F arch=b32 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/sudoers').content.lines.where( _ == /^[^#]/ ).contains(/logfile\\=\\\"\\/var\\/log\\/sudo\\.log\\\"/)\n", - "code_id": "piWj+cXXr7k=", - "checksum": "bm3GGLBV8nw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-sudo-logging-is-enabled", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure sudo logging is enabled", - "docs": { - "desc": "By default, sudo logs all events in the /var/log/auth.log file. 
This log file contains all authentication events system-wide, making it difficult to audit sudo failures. To reduce the chances of sudo failures going unnoticed, administrations should configure sudo to log to a dedicated log file location.", - "remediation": "Using the `visudo` command, add the following line to the `/etc/sudoers` configuration file.\n\n```\nDefaults log_host, log_year, logfile=\"/var/log/sudo.log\"\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.log_martians'] == 1\nkernel.parameters['net.ipv4.conf.default.log_martians'] == 1\n", - "code_id": "Hwqs1IZPO4c=", - "checksum": "gk3AYriRXoE=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-suspicious-packets-are-logged", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure suspicious packets are logged", - "docs": { - "desc": "When enabled, this feature logs packets with un-routable source addresses to the kernel log.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.log_martians = 1\n\nnet.ipv4.conf.default.log_martians = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.log_martians=1\n\nsysctl -w net.ipv4.conf.default.log_martians=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "users.where( name != \"root\" \u0026\u0026 name != \"sync\" \u0026\u0026 name != \"shutdown\" \u0026\u0026 name != \"halt\" ).where( uid \u003c 1000 ).list {\n name\n shell == \"/usr/bin/nologin\" || shell == \"/sbin/nologin\" || shell == \"/usr/sbin/nologin\"\n}\n", - "code_id": "RLX6/DpoDuE=", - "checksum": "1e/QhiXBXww=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-accounts-are-non-login", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure system accounts are non-login", - "docs": { - "desc": "There are a 
number of accounts on Linux systems that are used to manage applications and services. These accounts are not intended for interactive use and do not require a shell.", - "remediation": "Set the shell for any accounts returned by the audit script to `/sbin/nologin`:\n\n```\nusermod -s /sbin/nologin \u003cem\u003e\u003cuser\u003e\u003c/em\u003e\n```\n\nThe following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync`, `shutdown`, and `halt` users:\n\n```\n#!/bin/bash\n\nfor user in `awk -F: '($3 \u003c 1000) {print $1 }' /etc/passwd`; do\nif [ $user != \"root\" ]; then\n if [ \"$(passwd -S $user| cut -d ' ' -f 2)\" = \"P\" ]; then\n echo \"Lock $user account\"\n usermod -L $user\n fi\n if [ $user != \"sync\" ] \u0026\u0026 [ $user != \"shutdown\" ] \u0026\u0026 [ $user != \"halt\" ]; then\n echo \"Set /sbin/nologin shell for user $user\"\n usermod -s /sbin/nologin $user\n fi\nfi\ndone\n```\n\nnologin is a per-user method of disabling interactive logins (usually used for system accounts like http or ftp). nologin uses /etc/nologin.txt as an optional source for a non-default message, the login access is always refused independently of the file." - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/sudo\\.log\\s+\\-p\\s+wa\\s+\\-k\\s+actions(\\s+)?$/)\n}\n", - "code_id": "gCDGOw9QK4Q=", - "checksum": "PMqD/H+VGgg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-administrator-actions-sudolog-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure system administrator actions (sudolog) are collected", - "docs": { - "desc": "Monitor the `sudo` log file. 
If the system has been properly configured to disable the use of the `su`\ncommand and force all administrators to have to log in first and then use `sudo`\nto execute privileged commands, then all administrator commands will be logged to `/var/log/sudo.log`\n. Any time a command is executed, an audit event will be triggered as the `/var/log/sudo.log`\nfile will be opened for write and the executed administration command will be written to the log.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules` and add the following line:\n\n```\n-w \u003cPath to sudo logfile\u003e -p wa -k actions\n```\n\nExample: `vi /etc/audit/rules.d/actions.rules`\n\nand add the following line:\n\n```\n-w /var/log/sudo.log -p wa -k actions\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\") {\n params[\"space_left_action\"].downcase == \"email\"\n params[\"action_mail_acct\"].downcase == \"root\"\n params[\"admin_space_left_action\"].downcase == \"halt\"\n }\n}\n", - "code_id": "sefeJd4La70=", - "checksum": "B6DxulMJbRg=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-system-is-disabled-when-audit-logs-are-full", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure system is disabled when audit logs are full", - "docs": { - "desc": "The `auditd`\ndaemon can be configured to halt the system when the audit logs are full.", - "remediation": "Set the following parameters in 
`/etc/audit/auditd.conf:`\n\n```\nspace_left_action = email\n\naction_mail_acct = root\n\nadmin_space_left_action = halt\n```" - } - }, - { - "query": "service(\"ntalk\").enabled == false\nservice(\"ntalk\").running == false\n", - "code_id": "yYCqsWpfXqE=", - "checksum": "jrUjEDUEPso=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-talk-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure talk server is stopped and not enabled", - "docs": { - "desc": "The talk software allows users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default.", - "remediation": "Run the following command to stop and disable talk:\n\n```\nsystemctl stop ntalk\nsystemctl disable ntalk\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.tcp_syncookies'] == 1\n", - "code_id": "w44ayUe5r2M=", - "checksum": "YFDEzG/eo50=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-tcp-syn-cookies-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure TCP SYN Cookies is enabled", - "docs": { - "desc": "When `tcp_syncookies` is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN\\|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. 
This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.tcp_syncookies = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.tcp_syncookies=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "service(\"telnet.socket\").enabled == false\nservice(\"telnet.socket\").running == false\n", - "code_id": "727yzVm9jYQ=", - "checksum": "ZDEqpbTNjXA=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-telnet-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure telnet server is stopped and not enabled", - "docs": { - "desc": "The `telnet-server` package contains the `telnet` daemon, which accepts connections from users from other systems via the `telnet` protocol.", - "remediation": "Run the following command to stop and disable telnet:\n\n```\nsystemctl stop telnet.socket\nsystemctl disable telnet.socket\n```" - } - }, - { - "query": "service(\"tftp.socket\").enabled == false\nservice(\"tftp.socket\").running == false\n", - "code_id": "AjsJ60JDOuU=", - "checksum": "3DGQcFZWyRo=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-tftp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure tftp server is stopped and not enabled", - "docs": { - "desc": "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. 
The package `tftp-server` is used to define and support a TFTP server.", - "remediation": "Run the following command to stop and disable tftp:\n\n```\nsystemctl stop tftp.socket\nsystemctl disable tftp.socket\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-e\\s+2(\\s+)?$/)\n}\n", - "code_id": "5YLhhd+c3KY=", - "checksum": "eOob0t/F+FU=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-the-audit-configuration-is-immutable", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure the audit configuration is immutable", - "docs": { - "desc": "Set system audit so that audit rules cannot be modified with `auditctl`\n. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.", - "remediation": "Edit or create the file `/etc/audit/audit.rules` and add the following line at the end of the file:\n\n```\n-e 2\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "logindefs.params{ _['UID_MIN'] == 1000 }\n", - "code_id": "ZydIs1lDnr8=", - "checksum": "s/mXXm9fQZ8=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-uid-min-is-set-to-1000", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure UID_MIN is set to 1000", - "docs": { - "desc": "User ID or UID is used to identify a Linux user with an ID or number. 
The start number for newly created users can be set with this configuration.", - "remediation": "Edit the `login.defs` file and set UID_MIN.\n\n```\nsudo vim /etc/login.defs\n\n\nUID_MIN 1000\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n}\n", - "code_id": "AjCxN3eZtsA=", - "checksum": "UQc/pjrBvzI=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-linux-security-baseline-unsuccessful-unauthorized-file-access-attempts-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure unsuccessful unauthorized file access attempts are collected", - "docs": { - "desc": "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( `creat` ), opening ( `open`, `openat` ) and \ntruncation ( `truncate`, `ftruncate` ) of files. An audit log record will only be written if the user is a non-privileged user (auid \u003e = 1000), is not a Daemon event \n(auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). \nAll audit records will be tagged with the identifier \"access.\"\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-access.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-access.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - 
"query": "packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )", - "code_id": "lEVQGwKxvPY=", - "checksum": "1Oovzyxu4Bw=", - "mrn": "//local.cnspec.io/run/local-execution/queries/mondoo-openssl-vulnerability", - "type": "\u0004", - "title": "Ensure vulnerable OpenSSL version 3.0.0 - 3.0.6 are not installed", - "docs": { - "desc": "The OpenSSL Project released a security fix (OpenSSL version 3.0.7) for a new-and-disclosed CVE-2022-3602 and CVE-2022-3786 on Tuesday, November 1, 2022. This CVE is categorized as \"HIGH\" and affects OpenSSL versions from 3.0.0 to 3.0.6.\n\nOpenSSL [Issue severity](https://www.openssl.org/policies/general/security-policy.html):\n\nThis includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.\n\nOpenSSL is the most popular open source cryptography and SSL/TLS toolkit. It's used by most HTTPS websites and is the crucial mechanism to encrypt connections to servers. Since OpenSSL is so fundamental to our infrastructure, such a critical vulnerability represents a severe threat to a wide range of businesses and individuals.\n\n[OpenSSL Security Advisory 2022-11-01](https://www.openssl.org/news/secadv/20221101.txt)", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Type `cnspec shell`\n3. 
Run the following query \n\n```mql\npackages.where(name == /ssl/).all( version != /3.0.[0123456]/ )\n```\n\nExample output\n\n```mql\n[failed] packages.all()\n actual: [\n 0: package id = deb://libssl3/3.0.1-0ubuntu1/amd64\n 1: package id = deb://openssl/3.0.1-0ubuntu1/amd64\n ]\n```", - "remediation": "## Update via shell\n\nRun the following command to update the openssl version:\n\n### Debian / Ubuntu\n\n```bash\napt update \u0026\u0026 apt --only-upgrade install -y libssl3\n```\n\n### RHEL/Fedora/Amazon Linux and derivatives\n\n```bash\ndnf update openssl-libs\n```\n\n## Update via Ansible\n\n### Debian / Ubuntu\n\n```yaml\n- hosts: \u003cdefine hosts\u003e\n tasks:\n - name: Update openssl package for Debian based OS\n ansible.builtin.apt:\n name: libssl3\n state: latest\n update_cache: yes\n only_upgrade: yes\n become: yes\n```\n\n### RHEL/Fedora/Amazon Linux and derivatives\n\n```yaml\n- hosts: \u003cdefine hosts\u003e\n tasks:\n - name: Update openssl package for Red Hat based OS\n ansible.builtin.dnf:\n name: openssl-libs\n state: latest\n update_only: yes\n become: yes\n```" - }, - "refs": [ - { - "title": "OpenSSL mailing list", - "url": "https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html" - }, - { - "title": "OpenSSL Security Advisory [01 November 2022]", - "url": "https://www.openssl.org/news/secadv/20221101.txt" - } - ] - } - ] - }, - "reports": { - "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2": { - "scoring_mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "entity_mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "score": { - "qr_id": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "type": 2, - "value": 50, - "weight": 77, - "score_completion": 100, - "data_total": 238, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "scores": { - "+u6doYoYG5E=": { - "qr_id": "+u6doYoYG5E=", - "type": 2, - "value": 100, - 
"weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security": { - "qr_id": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security", - "type": 2, - "weight": 76, - "score_completion": 100, - "data_total": 236, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability": { - "qr_id": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2": { - "qr_id": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2", - "type": 2, - "value": 50, - "weight": 77, - "score_completion": 100, - "data_total": 238, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "3JYJkYI8d0U=": { - "qr_id": "3JYJkYI8d0U=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "3QL3VcmScCM=": { - "qr_id": "3QL3VcmScCM=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "5YLhhd+c3KY=": { - "qr_id": "5YLhhd+c3KY=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "5q5EG7AkY6k=": { - "qr_id": "5q5EG7AkY6k=", - "type": 8, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100 - }, - "727yzVm9jYQ=": { - "qr_id": "727yzVm9jYQ=", - "type": 2, - "value": 100, - "weight": 1, 
- "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "7dzfqFlvkAk=": { - "qr_id": "7dzfqFlvkAk=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "7wuHGnsUApE=": { - "qr_id": "7wuHGnsUApE=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "8xqHW7YCDEw=": { - "qr_id": "8xqHW7YCDEw=", - "type": 4, - "weight": 1, - "score_completion": 100, - "data_total": 3, - "data_completion": 100, - "message": "run command not supported on this provider" - }, - "9Frfyu3HqwY=": { - "qr_id": "9Frfyu3HqwY=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "9kZGL9b/izQ=": { - "qr_id": "9kZGL9b/izQ=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "AjCxN3eZtsA=": { - "qr_id": "AjCxN3eZtsA=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "AjsJ60JDOuU=": { - "qr_id": "AjsJ60JDOuU=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "Au17Pta3l0A=": { - "qr_id": "Au17Pta3l0A=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "BJ3P14TOMTU=": { - "qr_id": "BJ3P14TOMTU=", - "type": 4, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "message": "socketStats not 
supported on this provider" - }, - "FbII7up+bkQ=": { - "qr_id": "FbII7up+bkQ=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "FrdMe+1q6Bc=": { - "qr_id": "FrdMe+1q6Bc=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "Gjj6ZTcWK1M=": { - "qr_id": "Gjj6ZTcWK1M=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 6, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "Gjm+13rDf3o=": { - "qr_id": "Gjm+13rDf3o=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "H2ZH2J+F/yo=": { - "qr_id": "H2ZH2J+F/yo=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "H74IPb4kjoI=": { - "qr_id": "H74IPb4kjoI=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "HKo0vfMZsRE=": { - "qr_id": "HKo0vfMZsRE=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 8, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "HhVqF0tMxvA=": { - "qr_id": "HhVqF0tMxvA=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "Hwqs1IZPO4c=": { - "qr_id": "Hwqs1IZPO4c=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "I/fSLFpoIJA=": { - "qr_id": 
"I/fSLFpoIJA=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "IQ/r00/mLRg=": { - "qr_id": "IQ/r00/mLRg=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "Ieziwg178sw=": { - "qr_id": "Ieziwg178sw=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "IlhV0oVPhJk=": { - "qr_id": "IlhV0oVPhJk=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "JIe+57K3g/w=": { - "qr_id": "JIe+57K3g/w=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "Kd0nC0U7dfs=": { - "qr_id": "Kd0nC0U7dfs=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "KehuxCXphps=": { - "qr_id": "KehuxCXphps=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 8, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "LxiiosuqdEw=": { - "qr_id": "LxiiosuqdEw=", - "type": 8, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100 - }, - "MCCspWdD2Vk=": { - "qr_id": "MCCspWdD2Vk=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "MfV32r62IQE=": { - "qr_id": "MfV32r62IQE=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 
1674386903, - "failure_time": 1674386903 - }, - "N0L20kz+NNw=": { - "qr_id": "N0L20kz+NNw=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "NoJQoV63siE=": { - "qr_id": "NoJQoV63siE=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "O1tAHbKLcI8=": { - "qr_id": "O1tAHbKLcI8=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "OCysW6/A17Y=": { - "qr_id": "OCysW6/A17Y=", - "type": 8, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100 - }, - "OFWIXTzBv00=": { - "qr_id": "OFWIXTzBv00=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "Ps0zOyqhecE=": { - "qr_id": "Ps0zOyqhecE=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "QTN+NYX439o=": { - "qr_id": "QTN+NYX439o=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "RLX6/DpoDuE=": { - "qr_id": "RLX6/DpoDuE=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "SCin1z5hBLk=": { - "qr_id": "SCin1z5hBLk=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "THw+yxDZOpw=": { - "qr_id": "THw+yxDZOpw=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 
100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "Ty2iKIfHjno=": { - "qr_id": "Ty2iKIfHjno=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "VrgV5/9So/8=": { - "qr_id": "VrgV5/9So/8=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "WkL8wViksRw=": { - "qr_id": "WkL8wViksRw=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "XbnrBNXgCwA=": { - "qr_id": "XbnrBNXgCwA=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "Xs984txmLXk=": { - "qr_id": "Xs984txmLXk=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "ZydIs1lDnr8=": { - "qr_id": "ZydIs1lDnr8=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "aS95c8UVV00=": { - "qr_id": "aS95c8UVV00=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "cYHRR9+gDKI=": { - "qr_id": "cYHRR9+gDKI=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "ctwaZkpRtPo=": { - "qr_id": "ctwaZkpRtPo=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "d6AyzyIg+ow=": { - "qr_id": 
"d6AyzyIg+ow=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "dVk74tk32xs=": { - "qr_id": "dVk74tk32xs=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "eWpIdiIAryk=": { - "qr_id": "eWpIdiIAryk=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "f3DZtMTsQJc=": { - "qr_id": "f3DZtMTsQJc=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "f5q/EiRn95Q=": { - "qr_id": "f5q/EiRn95Q=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 8, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "fSgcywHks9g=": { - "qr_id": "fSgcywHks9g=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "gCDGOw9QK4Q=": { - "qr_id": "gCDGOw9QK4Q=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "gu8eYJ6C7Ag=": { - "qr_id": "gu8eYJ6C7Ag=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "gxsrJvn0Hag=": { - "qr_id": "gxsrJvn0Hag=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 12, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "htUqKZYa860=": { - "qr_id": "htUqKZYa860=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, 
- "data_completion": 100, - "value_modified_time": 1674386903 - }, - "jb3wqU5HpR8=": { - "qr_id": "jb3wqU5HpR8=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 8, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "jqO4q2mBu9M=": { - "qr_id": "jqO4q2mBu9M=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "lEVQGwKxvPY=": { - "qr_id": "lEVQGwKxvPY=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "lSnkpvWD+i0=": { - "qr_id": "lSnkpvWD+i0=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 12, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "m7DAOFbL9Qg=": { - "qr_id": "m7DAOFbL9Qg=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "n9dXQh6Dchs=": { - "qr_id": "n9dXQh6Dchs=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "nxVlUWzBV1c=": { - "qr_id": "nxVlUWzBV1c=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "o38RkOShiq4=": { - "qr_id": "o38RkOShiq4=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "pG8C4AikOeo=": { - "qr_id": "pG8C4AikOeo=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "piWj+cXXr7k=": { - "qr_id": "piWj+cXXr7k=", - 
"type": 4, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "message": "file not found: '/etc/sudoers' does not exist" - }, - "rDqQzgrxmug=": { - "qr_id": "rDqQzgrxmug=", - "type": 8, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100 - }, - "rZN1LNm5r7E=": { - "qr_id": "rZN1LNm5r7E=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 8, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "sbKG4w+lkaA=": { - "qr_id": "sbKG4w+lkaA=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "sefeJd4La70=": { - "qr_id": "sefeJd4La70=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "uzWGcrUQbCU=": { - "qr_id": "uzWGcrUQbCU=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "v4D2MQ0juoo=": { - "qr_id": "v4D2MQ0juoo=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "v8xZOX1QRJQ=": { - "qr_id": "v8xZOX1QRJQ=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903 - }, - "vVtLCflAlII=": { - "qr_id": "vVtLCflAlII=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "vdDFAY9Qxko=": { - "qr_id": "vdDFAY9Qxko=", - "type": 8, - "weight": 1, - "score_completion": 100, - "data_total": 1, - "data_completion": 100 - }, - "w44ayUe5r2M=": { - "qr_id": "w44ayUe5r2M=", - 
"type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "wFoBEVblMLk=": { - "qr_id": "wFoBEVblMLk=", - "type": 2, - "weight": 1, - "score_completion": 100, - "data_total": 2, - "data_completion": 100, - "value_modified_time": 1674386903, - "failure_time": 1674386903 - }, - "yYCqsWpfXqE=": { - "qr_id": "yYCqsWpfXqE=", - "type": 2, - "value": 100, - "weight": 1, - "score_completion": 100, - "data_total": 4, - "data_completion": 100, - "value_modified_time": 1674386903 - } - }, - "data": { - "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==" - }, - "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==": { - "data": { - "type": "\u0002" - }, - "code_id": "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==" - }, - "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==" - }, - "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==" - }, - "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==" - }, - "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==": { - "data": { - 
"type": "\u0002" - }, - "code_id": "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==" - }, - "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==": { - "data": { - "type": "\u0019\u001bgroup" - }, - "code_id": "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==" - }, - "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==" - }, - "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==" - }, - "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==": { - "data": { - "type": "\u0019\u001buser" - }, - "code_id": "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==" - }, - "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==" - }, - "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==" - }, - "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==": { - "data": { - "type": "\u0002" - }, - "code_id": "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==" - }, - 
"2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==": { - "data": { - "type": "\u0002" - }, - "code_id": "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==" - }, - "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==" - }, - "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==" - }, - "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==" - }, - "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==" - }, - "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==" - }, - "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==" - }, - "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": 
"33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==" - }, - "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==": { - "data": {}, - "error": "file not found: '/etc/sudoers' does not exist", - "code_id": "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==" - }, - "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==": null, - "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==": { - "data": { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "daiOnK/mDY8dycKTQFCwMOfTYj/nKCXGiK0l/cNLlsCp+QwzTtZ7CU9xQy9pquDnkSIcqtyyHkm+5ZaAXK2OIQ==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "code_id": "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==" - }, - "4awOHxBIrhJpNXgMkCZGW2j+1IG3Pm3adFARFtow4uVIuuOEM95Ajymlt++h97lox5e8nQTEYS9ZqaAzr/HloQ==": null, - "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==" - }, - "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==": { - "data": { - "type": "\u0005", - "value": "AA==" - }, - "code_id": "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==" - }, - "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==": { - "data": { - "type": "\u0002" - }, - "code_id": "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==" - }, - "5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==": { - "data": { - "type": "\u0002" - }, - "code_id": 
"5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==" - }, - "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==": { - "data": { - "type": "\u0002" - }, - "code_id": "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==" - }, - "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==" - }, - "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==" - }, - "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==" - }, - "6tnI+IODYzgiF4YAt4QqVSYk2z7xAr4xCpKEVabbuxvAWYggnOwGkzNl4AzvgsKklzi5JghpRhIVNO1dcDCE1w==": null, - "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==" - }, - "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==" - }, - "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==": { - "data": { - "type": "\u0002" - }, - "code_id": "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==" - }, - 
"8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==": { - "data": { - "type": "\u000c", - "map": { - "6xZ89WVFuqscxnATOLIf93cAiphgXQm3aFRplZQdBKNsN0+1bGQRqSG+1GQSi+d/W65JGC4jaOLkL7oMwyr7KQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "T6kVTKTUvH0kjW+0kDeqTJTGJWILlpfw3sxAIroDmYm+OgirCMfAzsHyM8lBkfG0pw9B4KBua8mQOseeDSa7Ew==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9ncm91cA==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "czp3D0B37jHqcHlbZKW2DYWYZzL905MPXgIha6oFjvv/pZIdZ3ir4voQLdWCrrACm2ufUKPNOmXt18mQ8dDOWQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "eJl6q+RojEp/oX7PfaKudFsvb8nEpO53+CSN4V2hXsE1Zlk1rl40eGlGPzZJ9ZpRGpwOo95zkhD/zRzNerPZTQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "n1Y5HxvVA9Di2gH3v9VAr9xdvpkZyCrLwj955fjcqfkY9rOXyo2wuYQRiH7CuQ77ZOmZgHDixTFrGXXworT2jw==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "code_id": "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==" - }, - "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==" - }, - "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==" - }, - "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==" - }, - "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==": 
{ - "data": { - "type": "\u0002" - }, - "code_id": "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==" - }, - "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==" - }, - "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==": { - "data": { - "type": "\u0002" - }, - "code_id": "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==" - }, - "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==" - }, - "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==" - }, - "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==" - }, - "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==": { - "data": { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "n4KRoHNl8xqOuyifPurxhLP5QsLCNcTlMZ0U4dSeeR+4yp8qZoMYKxxsmU7gjewTvfHbXhNOU4jR4K0KqtKM6w==": { - "type": "\u000c", - "map": { - "/Kc60GU9syUEKHHmwJhFtiMLTYVF8h5zuvQ4JJ6FRc+ewxjALxDWp5INzonjnhbjoJgE4pcRYk2rw3/Kv0Fowg==": { - "type": "\u0004", - "value": "AQ==" - }, - 
"2PISPaY9Uv/h/6bWIzaOCPZuNXOWm8h4ABDmViLOG63YzZY4u2XtbVVm2B0RRTtx00beK5hPg/g+gxPfCekYsg==": { - "type": "\u0004", - "value": "AQ==" - }, - "2gTIdScsz/z/cI8rVNqrquYzF736LBDvofiD6oegZcqudNlSp3dXKpOQ0EGoI9GphjcvIfETqiR6pse30oM2ng==": { - "type": "\u0004", - "value": "AQ==" - }, - "47Q+jq9hct6ndHS9YMHNeIZqHlSAzS1M2hkKbcwqfRxEO8oeec8OE2a78oc2mAEl+5n6o59/+1uh93iqk7Qr+A==": { - "type": "\u0004", - "value": "AQ==" - }, - "RumXTcMvN9dHtJVMf4m7JoxrM9gvdqn5vv29bm4X+P5MIiox6oWzC3T+rJM3fqWV+g0Sn4KJaSa/9R5wlMJqBw==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9zaGFkb3ct" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "m5y0p0bVYz7XxVWgXUaxPqZxy9PAtjuwoSNsr3YjZaPyXs+d9PKjEvXsBKikGOB5KBQc+7GIbWkUdWUs0BNLgw==": { - "type": "\u0004", - "value": "AQ==" - } - } - } - } - }, - "code_id": "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==" - }, - "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==" - }, - "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==" - }, - "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==": { - "data": { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0002" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "h3Smksu3S/QS8l8dnrgKzx0FXmmL/pmtF/QnkG9RvNU1s0hiPfYGCW0FGoCJIFjNCVXE+JdwtxOzrHoOC3I/Jw==": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "0Fh+Phs1maWZgEk0J9nry7SIMAR39D7S1lEUXE8cFuKWU4+FqVwYU4t6IPr5OpbWPWVsA8rHit0cyvH0C6j6sw==": { - "type": 
"\u0019\u000c" - }, - "__s": { - "type": "\u0002" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - } - } - } - ] - } - } - }, - "code_id": "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==" - }, - "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==" - }, - "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==" - }, - "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==" - }, - "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==": { - "data": { - "type": "\u0002" - }, - "code_id": "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==" - }, - "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==" - }, - "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==" - }, - "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==": { - "data": { - "type": "\u0002" - }, - "code_id": 
"AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==" - }, - "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==": { - "data": {}, - "error": "socketStats not supported on this provider", - "code_id": "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==" - }, - "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==" - }, - "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==" - }, - "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==": { - "data": { - "type": "\u0002" - }, - "code_id": "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==" - }, - "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==" - }, - "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==" - }, - "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==" - }, - 
"CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==" - }, - "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==" - }, - "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==": { - "data": { - "type": "\u0002" - }, - "code_id": "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==" - }, - "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==" - }, - "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==": { - "data": { - "type": "\u0002" - }, - "code_id": "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==" - }, - "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==": { - "data": { - "type": "\u0002" - }, - "code_id": "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==" - }, - "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==": { - "data": { - "type": "\u0002" - }, - "code_id": "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==" - }, - "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==": { - "data": { - "type": "\u0007", - "value": "ZGViaWFu" - }, - "code_id": "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==" - }, - 
"EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==" - }, - "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==" - }, - "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==" - }, - "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==" - }, - "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==" - }, - "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==" - }, - "FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==" - }, - "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==": { - "data": { - "type": "\u000c", - "map": { - 
"5TG5GEKblq+ttGkiE1lMOQxjulbMyDggsG3PWnpIhQIj68oVLuRMmFe5EYmopK0/wz3CkekBuu2c1kgFDXHaZg==": { - "type": "\u000c", - "map": { - "0pxJeDkriyq9idLPJaqRTP9bfa1ViMGu7KVAOpZMY1CNKofnlhJQCT2grvMCwbPz4acH4taX5g8M9M/DO44AZA==": { - "type": "\u0004", - "value": "AQ==" - }, - "A/Kxpo2No6qHIK8y3iyan/kBdTZmAtQPBOrf1JgoGBqjMHuZ/FLlWE5Sk9FBtGQnJnPuskggUGe7t3elQqELow==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9zaGFkb3c=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "fPxp9r43dRMA5Y3s7lp6FRgBD5THqzKEpnQYwU8BKrV+cIO3z4qfj1/GXyphKESuj1Psk8DW0O3eKTGFqaAg0Q==": { - "type": "\u0004", - "value": "AQ==" - }, - "kWbgQFfIrpQaDEj3+XSBLZGUPG/eB6GtxaYCf4YlRl/hddqo4vHaCdMY+WZ2otW3R8tvUELqQayN4aipFshQog==": { - "type": "\u0004", - "value": "AQ==" - }, - "p8o6NFZzHcIj97gcUggk5dVy/wcEr+2QX0uzWWDykcqjLwWOMGXg6pRnx7OnDi0kA4vWCOuZRUQ8Ks8WDo9dsw==": { - "type": "\u0004", - "value": "AQ==" - }, - "qpqUt1t7A3jv4MD7gaUkjvH8uvEEAYRPAGMynYAnhIjrisJbxqURv+87cPlbv7oOhgkORMJLw26vkm5IEuz0Og==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "code_id": "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==" - }, - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==": null, - "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==" - }, - "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==" - }, - 
"Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==" - }, - "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==" - }, - "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==": { - "data": { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "nejEMwnyzoC+DWwlUCNzNFDDHajwUeUUGwR+EozGbRxV8cRAFhdjAMrZgiZyf4eKK6qh6/vt1HUkHG77NeP2yQ==": { - "type": "\u000c", - "map": { - "CeR3ALOhQCiPEZUyBpm8HsBcuoPuzRff77XEG4Qy2ABc7kH+p08QoyTWllM++rQ8gj560p+J/jUnsBJDxJZ87w==": { - "type": "\u0004", - "value": "AQ==" - }, - "JCwHI5yV/EcpG2Q+uwOhdQROlBDwFM4815yNUXfhZHes+4oaiXseSzH7Pjv2dvj9/udENUhOQopFlzFWsj6Q7A==": { - "type": "\u0004", - "value": "AQ==" - }, - "U0z00NpVJB4jfdP6xnW7hMbuemGcPtEEa7ezr4HWzsst64Y/TOLifvgTVku6H7xPovz8L3DFolXOA/bty0zdsw==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9ncm91cC0=" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "mJjdh3msCoEM6whx4fB8q6weex1iAyJRCYsuV2U/Ko5ByYVnA7pInX0LLPnbcaAlpg1+0N20Afh3B5ZcTH3XPw==": { - "type": "\u0004", - "value": "AA==" - }, - "sXY88/8z6GFGA+APMdzkmeGonHgoyyAdQfIJspyPnLyLMyLynMr9Umom/mBzs+lH5Ujfr6kY5qm8OP5n7YRwzg==": { - "type": "\u0004", - "value": "AQ==" - }, - "w51bPOWfXCFdsYMzBzclLic89nbXKN63iKbFxUxDF+AacpUmPOTxusDN/836WzmmYmK9KK1KvIKFBJf5YtOl9A==": { - "type": "\u0004", - "value": "AA==" - }, - "zYc3XCZ5mTROndMS4qMgClHpfQ9dsWss/4VvNVNmqBkyTZUetIhdkGiWvDB81xGOn8Gag2q4Rqbty9t8QUNy4A==": { - 
"type": "\u0004", - "value": "AQ==" - } - } - } - } - }, - "code_id": "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==" - }, - "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "cm9vdA==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "ZGFlbW9u" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Ymlu" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": 
"\u0007", - "value": "c3lz" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "c3luYw==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Z2FtZXM=" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bWFu" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bHA=" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - 
"__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bWFpbA==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bmV3cw==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "dXVjcA==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "cHJveHk=" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "d3d3LWRhdGE=" - } - } - }, - { - "type": "\u000c", - "map": { - 
"SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "YmFja3Vw" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bGlzdA==" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "aXJj" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Z25hdHM=" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - 
"qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bm9ib2R5" - } - } - }, - { - "type": "\u000c", - "map": { - "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "X2FwdA==" - } - } - } - ] - }, - "code_id": "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==" - }, - "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==" - }, - "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==" - }, - "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==" - }, - "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==" - }, - "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==" - }, 
- "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==" - }, - "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==" - }, - "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==" - }, - "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==" - }, - "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==": null, - "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==" - }, - "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==": { - "data": { - "type": "\u0002" - }, - "code_id": "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==" - }, - "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==" - }, - "LIa61qtxHtFYHfQVJ2Dv5wHakCDoFzq8QGy7nQmjZimSHhmlu1QvdBf03I60m/ysrhrOz9nu45hLjv/MQZ83Cw==": 
null, - "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==": { - "data": { - "type": "\u0002" - }, - "code_id": "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==" - }, - "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==": { - "data": { - "type": "\u0002" - }, - "code_id": "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==" - }, - "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==" - }, - "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==": { - "data": { - "type": "\u0002" - }, - "code_id": "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==" - }, - "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==" - }, - "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==" - }, - "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==" - }, - "O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==": { - "data": { - "type": "\u0002" - }, - "code_id": 
"O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==" - }, - "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==" - }, - "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==" - }, - "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==" - }, - "P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==": { - "data": { - "type": "\u0019\u001buser" - }, - "code_id": "P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==" - }, - "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==" - }, - "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==" - }, - "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==" - }, - "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==": { - "data": { - "type": "\u0004", - 
"value": "AA==" - }, - "code_id": "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==" - }, - "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==" - }, - "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==" - }, - "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==" - }, - "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==": { - "data": { - "type": "\u0002" - }, - "code_id": "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==" - }, - "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==": { - "data": { - "type": "\u0002" - }, - "code_id": "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==" - }, - "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==" - }, - "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==": { - "data": { - "type": "\u000c", - "map": { - "Cf2l7PDCC2h4yANCi73Lfy11aKE3EhXk69X/5E5ZqfCWgej1s8VN4FAAK7e55EZi8veCvNOIMSUcT7DOMsp0Dg==": { - "type": "\u0004", - "value": "AQ==" - }, - 
"X7psqDI09AB+V2NjUgsb9EfD6mkz7QxYph6eCCG9Ccf6QcWdm3Kgn9d8pwi5cZFpRM7BjmoGISDutHNpXnz7wQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9wYXNzd2Q=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "osNGhRH+o4glAV1iiPZSi+JDPrQfbzWrzkjU0CUaP0nCQE/DLK/1Ndc11iw2OOeOrBP/npXLSypVS4KKcHEgLA==": { - "type": "\u0004", - "value": "AQ==" - }, - "vkTIPy/xlXHkOXH+XuQujtNwKsPEx+wLDiTq8bfvYjpNAYqachWVVWOiAPkmw/3zZA3CyDbY8az0wL291URTDA==": { - "type": "\u0004", - "value": "AQ==" - }, - "vvwHpgwmhqZdnvo/P/PE8hClY21iJZJsnplXbz+WkLfruLlzjzZSpVrSxBvTDcEloRTzniNLhraMi4xo+tZNkQ==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "code_id": "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==" - }, - "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==": { - "data": { - "type": "\u0002" - }, - "code_id": "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==" - }, - "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==": { - "data": { - "type": "\u0002" - }, - "code_id": "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==" - }, - "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==": { - "data": { - "type": "\u0019\u001bgroup" - }, - "code_id": "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==" - }, - "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==": { - "data": { - "type": "\u0019\u001bpackage" - }, - "code_id": "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==" - }, - "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": 
"U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==" - }, - "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==" - }, - "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==" - }, - "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==" - }, - "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==" - }, - "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==" - }, - "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==": { - "data": { - "type": "\u0002" - }, - "code_id": "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==" - }, - "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==": { - "data": { - "type": "\u0002" - }, - "code_id": "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==" - }, - "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==": { - "data": { - "type": 
"\u0004", - "value": "AA==" - }, - "code_id": "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==" - }, - "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==": { - "data": { - "type": "\u0002" - }, - "code_id": "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==" - }, - "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==" - }, - "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==" - }, - "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==" - }, - "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "ytOUfV4UyOjY0C6HKzQ8GcA/hshrh2ahRySNG41RbFt3TNNf+6gBuHvs2hGTNDPUZR/oN8WH0QFIYYm/Vj3pGQ==": { - "type": "\u0004", - "value": "AQ==" - } - } - } - ] - }, - "code_id": "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==" - }, - "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==": { - "data": { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - 
"ifp9Oy2txSgf83mD3FLqCsGOe7VxiWsnarmDmSIPpxkIqPdii54Apl5aoJ4SCESxTUyhAxnxrHtZ2GeGvsMQfA==": { - "type": "\u000c", - "map": { - "GBU9R8Ym/GyFLF+1f+mfvA5gwZNQlyycfdFZKJxkDtv2Md6DxZHDvlFFgwWsIUHy/PA5LDk0c5I5PUFuoCo1Rw==": { - "type": "\u0004", - "value": "AQ==" - }, - "GeCVZqQA+yvyXH7SRzjhJzdzoXrsJ9pJiUcquKKnXCadr9Y6qSy6ullFgx4/wINba2tJe/72wSNdsmVA47DaTg==": { - "type": "\u0004", - "value": "AQ==" - }, - "MzZC2uAEtImax9N96uDzfTsdvvs43XOvHoTpDHl0X7NUFuCkDeYCbb7YwWYLOdOtyGJUSuKN8tvTgZBOToZsug==": { - "type": "\u0004", - "value": "AQ==" - }, - "X9YH3CGS2BOipTc7pxRAaJGJivLhKA0IiBkU1bnBRAHn+8jHv0uYWni8j0N0TJ40iFLyvsvaSmKbZFKtgchxjQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9nc2hhZG93" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "s0Oz0HkByctrSaRZaisAt4j5RiIzxuXSWgoTm7rfZhh8mR8L/BBM/7eQ64Y9VRzS3nU2hcJ36ZwrGwV0fTiMDQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "uFgtM4VqHdGZrtL04zcQ+QZRo74Q+RZlPs1veWuZunMNPsMExVN+NG+qJ35VkPmxrT7GAoE6dukWqFjNWgVSFg==": { - "type": "\u0004", - "value": "AQ==" - } - } - } - } - }, - "code_id": "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==" - }, - "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==": { - "data": { - "type": "\u0002" - }, - "code_id": "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==" - }, - "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==": { - "data": { - "type": "\u0002" - }, - "code_id": "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==" - }, - "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==" - 
}, - "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==" - }, - "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==": { - "data": {}, - "error": "file not found: '/etc/sudoers' does not exist", - "code_id": "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==" - }, - "bRLNP8PQtpuGWh4o70+s6qYPjGK67tt21tAYdjYmz/8E4Fc0i1lQt2FBYeOjO+yP6uD4E4yVTJcaHOXWjrr1WQ==": null, - "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==" - }, - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==" - }, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==" - }, - "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==": { - "data": { - "type": "\u0002" - }, - "code_id": "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==" - }, - "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==": { - "data": {}, - "error": "socketStats not supported on this provider", - "code_id": "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==" - }, - 
"cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==" - }, - "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==": { - "data": {}, - "error": "run command not supported on this provider", - "code_id": "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==" - }, - "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==" - }, - "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==" - }, - "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==" - }, - "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==" - }, - "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==" - }, - "dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": 
"dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==" - }, - "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==": { - "data": { - "type": "\u0002" - }, - "code_id": "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==" - }, - "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==" - }, - "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==" - }, - "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==": { - "data": { - "type": "\u0019\u001bpam.conf.serviceEntry" - }, - "code_id": "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==" - }, - "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==": { - "data": { - "type": "\u0002" - }, - "code_id": "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==" - }, - "ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==": { - "data": { - "type": "\u0002" - }, - "code_id": "ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==" - }, - "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==" - }, - "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==": { - "data": { - "type": "\u0002" - }, 
- "code_id": "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==" - }, - "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==": { - "data": { - "type": "\u0002" - }, - "code_id": "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==" - }, - "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==" - }, - "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==" - }, - "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==" - }, - "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==" - }, - "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==" - }, - "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==" - }, - 
"h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==" - }, - "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==" - }, - "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==" - }, - "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==" - }, - "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==" - }, - "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "x8/NSmIlHbEl846sMWZc1p6W9SxS6ML7Mf5M/MfhdSYY1AZ9F0EOKsh+21o1MZWY/7kCE3WIgk303GPWlt7MrA==": { - "type": "\u0004", - "value": "AQ==" - } - } - } - ] - }, - "code_id": "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==" - }, - "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==": { - "data": { - "type": "\u0004", - "value": "AA==" - 
}, - "code_id": "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==" - }, - "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==": { - "data": { - "type": "\u0002" - }, - "code_id": "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==" - }, - "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==" - }, - "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==" - }, - "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==": { - "data": { - "type": "\u0002" - }, - "code_id": "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==" - }, - "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==" - }, - "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==": { - "data": { - "type": "\u0002" - }, - "code_id": "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==" - }, - "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==" - }, - "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==": { - "data": {}, - "error": 
"file not found: '/etc/default/aide' does not exist", - "code_id": "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==" - }, - "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==" - }, - "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==" - }, - "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==": { - "data": { - "type": "\u0002" - }, - "code_id": "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==" - }, - "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==" - }, - "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==" - }, - "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==": { - "data": { - "type": "\u0002" - }, - "code_id": "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==" - }, - "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==" - }, - 
"p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==" - }, - "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==": { - "data": { - "type": "\u0019\u001bgroup" - }, - "code_id": "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==" - }, - "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "cm9vdA==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "ZGFlbW9u" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Ymlu" - } - } - }, - { - "type": "\u000c", - "map": { - 
"EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "c3lz" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "c3luYw==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Z2FtZXM=" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bWFu" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - 
"qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bHA=" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bWFpbA==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bmV3cw==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "dXVjcA==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "cHJveHk=" - } - } - }, - { - "type": "\u000c", - "map": { - 
"EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "d3d3LWRhdGE=" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "YmFja3Vw" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bGlzdA==" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "aXJj" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - 
"qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "Z25hdHM=" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "bm9ib2R5" - } - } - }, - { - "type": "\u000c", - "map": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - }, - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": { - "type": "\u0007", - "value": "X2FwdA==" - } - } - } - ] - }, - "code_id": "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==" - }, - "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==" - }, - "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==" - }, - "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==" - }, - 
"r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==": { - "data": {}, - "error": "run command not supported on this provider", - "code_id": "r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==" - }, - "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==" - }, - "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==" - }, - "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==" - }, - "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==" - }, - "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==": { - "data": { - "type": "\u000c", - "map": { - "ZuVRB29jWeNb/lVtouZzqe68zaAFNLlBDfJ5Ds78VBA4fo7etRb15/bF+dXPnFI+UM+5djNEWhJw2j1d8YcgsA==": { - "type": "\u000c", - "map": { - "ADxZ6Ef0QR4Nl1QrLeuHlXVwLkCZkQgi4QrqrUhtqNhmxpufVydt6z94I0JjfrtehEe2V1/xIBTNAk3j54NtKg==": { - "type": "\u0004", - "value": "AQ==" - }, - "F+beOvkTkg1/aI7g+OqS2edsgIJWZsfv8EOT8reqXthVtoTiFkHd0WALUHTgINviGnROydYwBqRxluAUaxODmg==": { - "type": "\u0004", - "value": "AQ==" - }, - "GIIl7IreWfE/D6Vn4mj52rIJjPcUTWewWP/ErAJyzB0IUhbsUJPsEt7t137uHzZ9yzKasckoyaVx38BGw7J0Sw==": { - "type": "\u0004", - "value": "AQ==" - }, - 
"HOK3Bss2DP91LBon0YoSPT/aE6UU9r03Hdvdwqc/QVboy3Kk1vLOVXmQB7XyYUtYSvcJ8J0roQaXwf0FV1lwHw==": { - "type": "\u0004", - "value": "AQ==" - }, - "_": { - "type": "\u001bfile", - "value": "L2V0Yy9wYXNzd2Qt" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fnW/PyESVitHy8orJg+G1QSK4R7itynS1h0cjAgcISgnJFTkc/Rg+hAYcYdnyOkRtufxlHZomcRcpCIS++Yb6Q==": { - "type": "\u0004", - "value": "AA==" - }, - "i8ACRicbdRL/5KuJ56Jl5CkKSg1On7fdlKvMTzknFxI9NFJWySwPCbmHaPDE0D1uO1Jk7KSbCfOvhOB0ZIE+VQ==": { - "type": "\u0004", - "value": "AA==" - }, - "mfkNI8OTRDvYTCa2VnLqzxZKxPU28+Z/Rv0zdSRTrlv0gTWdFEi/RTSmhTFSNhcYdpIYVizLi6TGVxIHv9GBbw==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - } - } - }, - "code_id": "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==" - }, - "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==": { - "data": { - "type": "\u0002" - }, - "code_id": "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==" - }, - "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==" - }, - "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==" - }, - "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==" - }, - 
"un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==": { - "data": { - "type": "\u000c", - "map": { - "9XuAr40y7ZpKHokq50FnFRla9BLEs8AYr/1Ni3RPLnyEl0cvrhB+gjMqAReapKzKDzPVpNKp6i2wFvoYgYLGew==": { - "type": "\u0004", - "value": "AA==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - } - } - }, - "code_id": "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==" - }, - "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==" - }, - "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==" - }, - "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==" - }, - "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==" - }, - "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "ZGFlbW9u" 
- }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "Ymlu" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "c3lz" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "Z2FtZXM=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "bWFu" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - 
"value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "bHA=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "bWFpbA==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "bmV3cw==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "dXVjcA==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "cHJveHk=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } 
- } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "d3d3LWRhdGE=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "YmFja3Vw" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "bGlzdA==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "aXJj" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - 
"OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "Z25hdHM=" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": { - "type": "\u0007", - "value": "X2FwdA==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - } - ] - }, - "code_id": "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==" - }, - "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==" - }, - "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==": { - "data": { - "type": "\u0002" - }, - "code_id": "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==" - }, - "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==": { - "data": { - "type": "\u0002" - }, - "code_id": "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==" - }, - "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "H+TlYlE9/O7h+IfPba8FdB7lpOko8ZenR9W6m8oOncMVQcd/BPCV6H6xIsgWLg/O5IMBXdfBTEpBOiJJlzE7GQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AQ==" - }, - "__t": { - "type": "\u0004", - "value": "AQ==" - } - } - } - ] - }, - 
"code_id": "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==" - }, - "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==" - }, - "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==" - }, - "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==" - }, - "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==": { - "data": { - "type": "\u0019\u000c", - "array": [ - { - "type": "\u000c", - "map": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": { - "type": "\u0004", - "value": "AQ==" - }, - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": { - "type": "\u0004", - "value": "AQ==" - }, - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": { - "type": "\u0004", - "value": "AA==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": { - "type": "\u0007", - "value": "L3Zhci9sb2cvd3RtcA==" - }, - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": { - "type": "\u0004", - "value": "AA==" - }, - "q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": { - "type": 
"\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": { - "type": "\u0004", - "value": "AQ==" - }, - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": { - "type": "\u0004", - "value": "AQ==" - }, - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": { - "type": "\u0004", - "value": "AA==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": { - "type": "\u0007", - "value": "L3Zhci9sb2cvYnRtcA==" - }, - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": { - "type": "\u0004", - "value": "AQ==" - }, - "q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": { - "type": "\u0004", - "value": "AQ==" - }, - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": { - "type": "\u0004", - "value": "AQ==" - }, - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": { - "type": "\u0004", - "value": "AA==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": { - "type": "\u0007", - "value": "L3Zhci9sb2cvbGFzdGxvZw==" - }, - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": { - "type": "\u0004", - "value": "AA==" - }, - "q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": { - 
"type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": { - "type": "\u0004", - "value": "AQ==" - }, - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": { - "type": "\u0004", - "value": "AQ==" - }, - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": { - "type": "\u0007", - "value": "L3Zhci9sb2cvYXB0L2VpcHAubG9nLnh6" - }, - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": { - "type": "\u0004", - "value": "AA==" - }, - "q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": { - "type": "\u0004", - "value": "AQ==" - } - } - }, - { - "type": "\u000c", - "map": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": { - "type": "\u0004", - "value": "AQ==" - }, - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": { - "type": "\u0004", - "value": "AQ==" - }, - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": { - "type": "\u0004", - "value": "AQ==" - }, - "__s": { - "type": "\u0004", - "value": "AA==" - }, - "__t": { - "type": "\u0004", - "value": "AA==" - }, - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": { - "type": "\u0007", - "value": "L3Zhci9sb2cvZmFpbGxvZw==" - }, - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": { - "type": "\u0004", - "value": "AA==" - }, - 
"q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": { - "type": "\u0004", - "value": "AQ==" - } - } - } - ] - }, - "code_id": "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==" - }, - "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==" - }, - "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==" - }, - "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==" - }, - "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==": { - "data": { - "type": "\u0019\u000c" - }, - "code_id": "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==" - }, - "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==" - }, - "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==": { - "data": { - "type": "\u0002" - }, - "code_id": "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==" - }, - "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==": { - "data": { - "type": "\u0004", - "value": "AA==" - }, - "code_id": 
"zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==" - }, - "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==": { - "data": { - "type": "\u0004", - "value": "AQ==" - }, - "code_id": "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==" - } - }, - "resolved_policy_version": "v2" - } - }, - "resolved_policies": { - "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2": { - "execution_job": { - "checksum": "l9ZeNIPDJc8=", - "queries": { - "+u6doYoYG5E=": { - "query": "service(\"snmpd\").enabled == false\nservice(\"snmpd\").running == false\n", - "checksum": "5ZESftAi7ag=", - "datapoints": [ - "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==", - "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==", - "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==", - "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==" - ], - "code": { - "code_v2": { - "id": "+u6doYoYG5E=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c25tcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c25tcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": 
"==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "+iYP/eEc7AhYszg0kdjwVGUWX5kW5CUmz4H3k/EybF9SelUhEBL2DfEabs7KSSpMXQTDIR75wKesHZTRHPnfvw==", - "4294967298": "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==", - "4294967299": "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==", - "4294967300": "+iYP/eEc7AhYszg0kdjwVGUWX5kW5CUmz4H3k/EybF9SelUhEBL2DfEabs7KSSpMXQTDIR75wKesHZTRHPnfvw==", - "4294967301": "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==", - "4294967302": "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==" - } - }, - "source": "service(\"snmpd\").enabled == false\nservice(\"snmpd\").running == false\n", - "labels": { - "labels": { - "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==": "service.running == false", - "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==": "service.running", - "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==": "service.enabled", - "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==": "service.enabled == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "3JYJkYI8d0U=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\.net\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/hosts\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sysconfig\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/netctl\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n}\n", - "checksum": "4Es4Kjv5E3g=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==" - ], - "code": { - "code_v2": { - "id": "3JYJkYI8d0U=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - 
"id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - 
{ - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "mICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "oICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - 
"function": { - "type": "\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "rICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "soCAgEA=" - } - ], - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "uoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934621 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934622 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934623 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934625 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934626 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "xoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934627 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934628 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934629 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934631 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934632 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "0oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934633 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934634 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934635 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - 
"type": "\u0007", - "binding": 8589934637 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934638 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "3oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - } - ], - "binding": 8589934639 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934640 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934641 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934643 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934644 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "6oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAC" - } - ], - "binding": 8589934645 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934646 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934647 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "8ICAgEA=" - } - ], - "binding": 8589934642 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } 
- ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934650 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934651 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "+ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAD" - } - ], - "binding": 8589934652 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934653 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934654 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "/oCAgEA=" - } - ], - "binding": 8589934649 - } - } - ], - "entrypoints": [ - 8589934605, - 8589934618, - 8589934624, - 8589934630, - 8589934636, - 8589934656 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3NldGhvc3RuYW1lXHMrXC1TXHMrc2V0ZG9tYWlubmFtZVxzK1wta1xzK3N5c3RlbVwtbG9jYWxlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3NldGhvc3RuYW1lXCxzZXRkb21haW5uYW1lXHMrXC1GXHMra2V5XD1zeXN0ZW1cLWxvY2FsZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 
- } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK3NldGhvc3RuYW1lXHMrXC1TXHMrc2V0ZG9tYWlubmFtZVxzK1wta1xzK3N5c3RlbVwtbG9jYWxlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3NldGhvc3RuYW1lXCxzZXRkb21haW5uYW1lXHMrXC1GXHMra2V5XD1zeXN0ZW1cLWxvY2FsZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9pc3N1ZVxzK1wtcFxzK3dhXHMrXC1rXHMrc3lzdGVtLWxvY2FsZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9pc3N1ZVwubmV0XHMrXC1wXHMrd2FccytcLWtccytzeXN0ZW0tbG9jYWxlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - 
"parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9ob3N0c1xzK1wtcFxzK3dhXHMrXC1rXHMrc3lzdGVtLWxvY2FsZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zeXNjb25maWdcL25ldHdvcmtccytcLXBccyt3YVxzK1wta1xzK3N5c3RlbS1sb2NhbGUoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - } - ], - "binding": 42949672961 - } - } - ], - "parameters": 1, - "entrypoints": [ - 42949672963 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9uZXRjdGxccytcLXBccyt3YVxzK1wta1xzK3N5c3RlbS1sb2NhbGUoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAC" - } - ], - "binding": 47244640257 - } - } - ], - "parameters": 1, - "entrypoints": [ - 47244640259 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9uZXR3b3JrXHMrXC1wXHMrd2FccytcLWtccytzeXN0ZW0tbG9jYWxlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAD" - } - ], - "binding": 51539607553 - } - } - ], - "parameters": 1, - "entrypoints": [ - 51539607555 - ] - } - ], - "checksums": { - "12884901889": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "dL99q/PdojW7xlE0xnA8gdKS/JrS1aDcBKOLJWzLabrCcxQcg5mnjNTy+/wnIganI71p68JGcNZ6QW3V+wM2Xg==", - "12884901891": "LzDgW++r57R4Do/luafCkaicf1jJUuLV71jvufoD76wPQtGh9CPqj1lFmmkV/ju5jN2Gx5l/CDBxIhwMoeVXxg==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "GZknr+Sa+OIuTooA9sivyacHTQlGcWadPbVr78wAD/7DIIwCnUqh/6r2vhz2peSJ52naxoyd6g+xUo1kzzKonQ==", - "17179869187": "Bi3P++8afDI7gLpKgTdGw2E4VrUS0wdY/q+zGyv7+Cf8GB32W9+C3e2Z6h97D/MIN51XtuaJ+vgbAfq/juolug==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "TggRGPlQ3p/0rSG8C087gAttVcJW97fBUHn8JIXJnRYsfQSI7+R7vWUU9/UtY94hzWxf3YcZgQx1abgOK9kk4Q==", - "21474836483": "C49XYCkJeCml7XXlKsv3NcFgno4+sp07AlIJQb02fetruHCQAjvBre2JhgkSUjidK5UN7yg4eNUPm+GCyEcGhA==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "GZknr+Sa+OIuTooA9sivyacHTQlGcWadPbVr78wAD/7DIIwCnUqh/6r2vhz2peSJ52naxoyd6g+xUo1kzzKonQ==", - "25769803779": "Bi3P++8afDI7gLpKgTdGw2E4VrUS0wdY/q+zGyv7+Cf8GB32W9+C3e2Z6h97D/MIN51XtuaJ+vgbAfq/juolug==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "VdTxS76u1FrIHoCmeqEHqPUA9XPg/SyQCqezTOaeRT7EUKcDIHn7vpzcIaS85sEmhbe9WMvdYh4MRSX4JCZPAg==", - "30064771075": "54CjwkViEeSbERU9YEFApHtTI0Y1P3Bng8Xcuhzf3vOttm5Mh8304lqhQcjMwnw4Gk5SRd9XwvclFOUjHj5oEQ==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "uMAhjO/Sm7QVg5VwsO9gfkb/2/2/Yn6XzV99RmDAe7sAoU3nJ7EzNFP32EXj0pwp1LDacxEHF0fpb2b0a7dGkg==", - "34359738371": "QaggJlneG1EcPDASPaAcfaVSVruTVKZ+vKtFpMGhsqRNAi9nEmXsVh0tzU2F/niYwo4i4ADJlVpdpZ7bk1+lGQ==", - "38654705665": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "TaBuBFEH/OhR1PtryX+6DkiSp8GV1F4TL4J1bw9wvlgW914KFcRT81UbhNl5PWPi/99xltVT4tOm9fJe6bdQ2A==", - "38654705667": "H5XByquJu/M3E0y/50QS69CVSbz9ElxiiVKItAV852tbday3Hm1QTiNO6vcvlQ06O41pibIyxcfyjXOqvl/PhQ==", - "42949672961": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "42949672962": "8mT/ocVRQ4L58IOov/HMwyK+i8sDO2/QpxOu7EXPY4XIkGoUCbIZ84QeFDUH6TVHGFZzvV9y6ouTKI0CGvrDgA==", - "42949672963": "NaKFct8qOjE67mXkQM5eRWTdp6bl7BeAEYn5tAzZ+AKVQwZfMYJzVFSW2os6ZrKlS2gsEbPhoVcJWtIJrPpSzQ==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==", - "47244640257": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "47244640258": "3N0JVj91jIyns8SONNg3ayVPUzij4I/YufE4ZVli82vzNvJntvzgJopVwHRP4Vl7fK6GDa1mmHavFbPwjzSQnw==", - "47244640259": "ru903kYX/XbpZ7g0j7jgRswdd4ms0S60UQ2J+Y9+yfB6gVOn1tp6sShL9jhJGN7fUFR00hfWmwFzWyIJLYjrgQ==", - "51539607553": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "51539607554": "EG/WfLBoWhbpK8rWkUz5NEtVql4K2DaE2co3dMEnv8t3ENT6F8/R9FZMFZeoul+r8OtjhxCLYeUPtvBBNCcgOA==", - "51539607555": "i6BlKLyHzt7iyLlBjNp1mI3o7oorYyHiKk1oNAmAZrXYeiXksk/MotSzIZAvJiD6c3uyHwp0XxZhntnMmBJ46g==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "N5/xElUOZjLSP8IFuiKZsa7PBsgUCc7UcXngDVDQBYk8jOFF0iv5a8ll/NpLDIIQRGP9CsDKQylZEgNUSFnXkA==", - "8589934597": "PstMWeIUgJ08vkM8CZ0AHeU6X5gw1mELHtMu2+F18BO0ObyTfW6ylkUU4hnUzyP7u/EFTbv0XoXKAXBW6an7qg==", - "8589934598": "fNsRk7lvsT0RkThVV/QEXA/BoEQXB0T7X1QCPt4RqMLdR2o5Mu5/jhfPLiR0jhITht8ZfKUy0nNYaI2imQFeHQ==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "0/4XCkKFkeCi6upTxXXVvDmYkCKIyAdP6aX522SXWFyvek9eXpXbPpyN+wUyc3EBUG/u3UZqw1cMDlLDgEvQ3w==", - "8589934603": "Td3foniwSbVoINeK9NXFzj9dmtmMcGJAV42gxiGXD7AgsRG082ESSO6Zag7cfYEe5aGyJ/UHjPjZxwlOBMy5hg==", - "8589934604": "tKpbrUNUAH80cihulqkbh5EYsiEDnXAU1Fn60j2I8wer/kWahlsI/MkoKJOaWyNrn0fPiXg1L02UVsVyL4dVoQ==", - "8589934605": "a13gJg0xepVtLhpWaODp9tnkUTlXiHplybfBFPeNvtmmi4zCsEOiRv6Q6i+tev8d5Oh9JFDMUx94GWKaLQd0CA==", - "8589934606": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934607": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934608": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934609": "iBamOdG9PG7/k5esTwIml+7rsaHvSQTtm6AvrAXS6Md0fjN4IlTc/EkC/WhAkmL9/WA2+5ZPCsqw+k1V6uIE8A==", - "8589934610": "Yz4fz1kF5Z0XstUvnaAN7ew36dQv1Q+ZeY4R1LePFrRcteYLAP5GaZrfOA4CYJP+UUq1crdFsYDGH74iwlwNqw==", - "8589934611": "2p0AQ4mvdOGCF+UZnpH4nHyhsvMoDdHggkkREGjasSnDvmdYjjMWG6Vh+wXFEUNWyXBDA8wk6sUa3tLQof4KJw==", - "8589934612": 
"Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934613": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934614": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934615": "0/4XCkKFkeCi6upTxXXVvDmYkCKIyAdP6aX522SXWFyvek9eXpXbPpyN+wUyc3EBUG/u3UZqw1cMDlLDgEvQ3w==", - "8589934616": "Td3foniwSbVoINeK9NXFzj9dmtmMcGJAV42gxiGXD7AgsRG082ESSO6Zag7cfYEe5aGyJ/UHjPjZxwlOBMy5hg==", - "8589934617": "tKpbrUNUAH80cihulqkbh5EYsiEDnXAU1Fn60j2I8wer/kWahlsI/MkoKJOaWyNrn0fPiXg1L02UVsVyL4dVoQ==", - "8589934618": "FVi2YsKzzm2WVCZZvjDO79g1CCAmRLu5FA3k0i/3LrQx93cbWGZglxlpj9IFisPSmXznAvh/hUFBXBKW6TS+pQ==", - "8589934619": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934620": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934621": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934622": "Au2T5DkQAV94DCFdFkIZvAnCCs24z7JLnBOdeYnCnezp71XcsFy8Wo9BwqpeDw45xmJS9Ozk1bNFHFEQgNKLLw==", - "8589934623": "qxNzGrumIVkSriy+wpgdPhfs/M7NUwQWleKNonTR/IWRY91apggci5T4HpTpXLmYTmj2ROCc/Gsv3y1QrO8zgw==", - "8589934624": "zMDbBaqzEigSBMeQQEDs7k6MikAOX60eup+ZQIOjp1gIbp9la1ZK3AYPbNfLKFDGPPWvVFaGyPyVQQCU2dQI9g==", - "8589934625": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934626": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934627": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934628": "7vZWwDhE1Ia19vzYUX2irTzwCIzOzZQK0TXpAv+xPWaV9qdpyaclQLOWfUQ/gY0TsNt7RE7X3A/wB6GH4QCdYg==", - "8589934629": "uY2KbK+dWACYNXBVN1PQc8syGtE2W43jRAS0Nq0lIDBO2DmOq9/ySTQqmuHF59+nntYrtWNtJT9Shc6HdexM1g==", - "8589934630": 
"DBEOAEzFIJBZD2P1jloxW4tmHA1sAIJx0RTJ+MA5matpgXicDWdZskiQ1HDUg/mPBvuLEsQNt8G+izs7Olu5LQ==", - "8589934631": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934632": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934633": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934634": "gE4U2xQiD/SYKW2y7sKMB6UcI9fd9gy7Ej2leWAcGygTjdmHJKt0Br1UjcjLjhJwSqdKuiJv83CNIHU3Dr1UOQ==", - "8589934635": "Dp8NS5O8jevw0ddxFTG0PWxn1QmNq5F+6Rt0KJbEFkYtILdct4cBPORNmwVOy2WmOpR1HvIYsCS4nqQILYujZw==", - "8589934636": "5wmioWmdcr272vH5m/r6M/Q6m+gW5L6SVCe5ygkODrJ5CDqZ8gqY4uFHTvhdv3oKQNdIKlDNZ3feePVYkIXnmg==", - "8589934637": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934638": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934639": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934640": "yJ/FIIq93KZgKYOAdJDLS3QsxRdWnJUWnQwVpiH9Gl8QNMjSmsJ+7Gmp2oILk2K+NkHmJSONkjYkGaFD6JaGZA==", - "8589934641": "umzRctpIsDltjDjLkL4N+kNjj9/MhiK5HlNAkj4e1XnPOzBE8qF5rcupWEX0yfn1EO9ggdXZSybObWa38YOgKA==", - "8589934642": "9CaZbACqfDrOUFgNwiToJTiRFx7LmeYF58jMB2VSakpZZMyAzP/4Gmz1epcuOScKFM+fwFDImV32a27on1PslQ==", - "8589934643": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934644": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934645": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934646": "0aJJiDcXmGhZvUtDUkTeh9EFixGyYOdP4C09CWYX84UIuXshvM2pGLJ5OPgYaMy1+AoVuOaNKTE9z535xQtIgA==", - "8589934647": "pbzIu0T1wLJLTWk5n0zOvvjyKqSKBUWegljdiSBJdxHBavcoRfCx3UvEawSp8hmv4jeT1N+FghAsYf/9U4LFTQ==", - "8589934648": 
"kXAkkBLdQsUcNq1UF2WBZbEJB/6F6Q7GjHajlWl0uNd+QUYE3+FNlUw0aZgCyYndnnMEGuY0kJepy6sU4aWMMg==", - "8589934649": "ABTUukO0N2ST6x12ePB777UP/TfTiZem+r9cbl7iYfvxeqKp4geChplgcqKeIedcUAwZ+/qJVtXnM62la8xlww==", - "8589934650": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934651": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934652": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934653": "k++YOiwSKh6HFP7ekEUT4zl5OzR40CEYtjl7PBKu4dnr3iBOapGeazusYl3mb2o/DFQkfE2/Hc/lWCQjIAcSwA==", - "8589934654": "p4pgayRq7AbZFkMTk1ENihwH1v3mNDGeDgzY5P1N3LKWN+5Nxll37b3mjIUP7MLukc2aXZ6fhOiKtpyGoiewgw==", - "8589934655": "z0yjmWrvpgq+lU0B3XiYAlEeI+eKmqZBYI2Dlp9ozJHA4u314jSsH2xbmWp7q6NP2Zri90qjo3iCYSGT26l0Yg==", - "8589934656": "F0U1UIAeJAWsB2JngeKhsFq02/ID0w/gGupQcuk5ycS3GzU0YJufaLgBHcX4S9TIsiD4kxNujsHY/6QUGhSP5A==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\.net\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/hosts\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sysconfig\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/netctl\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "2p0AQ4mvdOGCF+UZnpH4nHyhsvMoDdHggkkREGjasSnDvmdYjjMWG6Vh+wXFEUNWyXBDA8wk6sUa3tLQof4KJw==": "[].contains()", - "54CjwkViEeSbERU9YEFApHtTI0Y1P3Bng8Xcuhzf3vOttm5Mh8304lqhQcjMwnw4Gk5SRd9XwvclFOUjHj5oEQ==": " == \u003cref\u003e", - "5wmioWmdcr272vH5m/r6M/Q6m+gW5L6SVCe5ygkODrJ5CDqZ8gqY4uFHTvhdv3oKQNdIKlDNZ3feePVYkIXnmg==": "[].contains()", - "9CaZbACqfDrOUFgNwiToJTiRFx7LmeYF58jMB2VSakpZZMyAzP/4Gmz1epcuOScKFM+fwFDImV32a27on1PslQ==": "[].contains()", - "Bi3P++8afDI7gLpKgTdGw2E4VrUS0wdY/q+zGyv7+Cf8GB32W9+C3e2Z6h97D/MIN51XtuaJ+vgbAfq/juolug==": " == \u003cref\u003e", - "C49XYCkJeCml7XXlKsv3NcFgno4+sp07AlIJQb02fetruHCQAjvBre2JhgkSUjidK5UN7yg4eNUPm+GCyEcGhA==": " == \u003cref\u003e", - "DBEOAEzFIJBZD2P1jloxW4tmHA1sAIJx0RTJ+MA5matpgXicDWdZskiQ1HDUg/mPBvuLEsQNt8G+izs7Olu5LQ==": "[].contains()", - "F0U1UIAeJAWsB2JngeKhsFq02/ID0w/gGupQcuk5ycS3GzU0YJufaLgBHcX4S9TIsiD4kxNujsHY/6QUGhSP5A==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e || \u003cref\u003e", - "FVi2YsKzzm2WVCZZvjDO79g1CCAmRLu5FA3k0i/3LrQx93cbWGZglxlpj9IFisPSmXznAvh/hUFBXBKW6TS+pQ==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "H5XByquJu/M3E0y/50QS69CVSbz9ElxiiVKItAV852tbday3Hm1QTiNO6vcvlQ06O41pibIyxcfyjXOqvl/PhQ==": " == \u003cref\u003e", - 
"LzDgW++r57R4Do/luafCkaicf1jJUuLV71jvufoD76wPQtGh9CPqj1lFmmkV/ju5jN2Gx5l/CDBxIhwMoeVXxg==": " == \u003cref\u003e", - "NaKFct8qOjE67mXkQM5eRWTdp6bl7BeAEYn5tAzZ+AKVQwZfMYJzVFSW2os6ZrKlS2gsEbPhoVcJWtIJrPpSzQ==": " == \u003cref\u003e", - "QaggJlneG1EcPDASPaAcfaVSVruTVKZ+vKtFpMGhsqRNAi9nEmXsVh0tzU2F/niYwo4i4ADJlVpdpZ7bk1+lGQ==": " == \u003cref\u003e", - "a13gJg0xepVtLhpWaODp9tnkUTlXiHplybfBFPeNvtmmi4zCsEOiRv6Q6i+tev8d5Oh9JFDMUx94GWKaLQd0CA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==": "if", - "fNsRk7lvsT0RkThVV/QEXA/BoEQXB0T7X1QCPt4RqMLdR2o5Mu5/jhfPLiR0jhITht8ZfKUy0nNYaI2imQFeHQ==": "[].contains()", - "i6BlKLyHzt7iyLlBjNp1mI3o7oorYyHiKk1oNAmAZrXYeiXksk/MotSzIZAvJiD6c3uyHwp0XxZhntnMmBJ46g==": " == \u003cref\u003e", - "kXAkkBLdQsUcNq1UF2WBZbEJB/6F6Q7GjHajlWl0uNd+QUYE3+FNlUw0aZgCyYndnnMEGuY0kJepy6sU4aWMMg==": "[].contains()", - "ru903kYX/XbpZ7g0j7jgRswdd4ms0S60UQ2J+Y9+yfB6gVOn1tp6sShL9jhJGN7fUFR00hfWmwFzWyIJLYjrgQ==": " == \u003cref\u003e", - "tKpbrUNUAH80cihulqkbh5EYsiEDnXAU1Fn60j2I8wer/kWahlsI/MkoKJOaWyNrn0fPiXg1L02UVsVyL4dVoQ==": "[].contains()", - "z0yjmWrvpgq+lU0B3XiYAlEeI+eKmqZBYI2Dlp9ozJHA4u314jSsH2xbmWp7q6NP2Zri90qjo3iCYSGT26l0Yg==": "[].contains()", - "zMDbBaqzEigSBMeQQEDs7k6MikAOX60eup+ZQIOjp1gIbp9la1ZK3AYPbNfLKFDGPPWvVFaGyPyVQQCU2dQI9g==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "3QL3VcmScCM=": { - "query": "service(\"avahi-daemon\").enabled == false\nservice(\"avahi-daemon\").running == false\n", - "checksum": "JyCxDgoR+cs=", - "datapoints": [ - "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==", - "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==", - 
"1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==", - "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==" - ], - "code": { - "code_v2": { - "id": "3QL3VcmScCM=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXZhaGktZGFlbW9u" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXZhaGktZGFlbW9u" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "cu/AuPYr096qJwh4Tz/zZFRPn1y8scM7HFLBGznVvwd6LnPUQ84jB86rXL3cIcnExQWNxuCsAKaD2dOTBM/wSw==", - "4294967298": "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==", - "4294967299": "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==", - "4294967300": "cu/AuPYr096qJwh4Tz/zZFRPn1y8scM7HFLBGznVvwd6LnPUQ84jB86rXL3cIcnExQWNxuCsAKaD2dOTBM/wSw==", - "4294967301": "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==", - "4294967302": 
"WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==" - } - }, - "source": "service(\"avahi-daemon\").enabled == false\nservice(\"avahi-daemon\").running == false\n", - "labels": { - "labels": { - "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==": "service.enabled == false", - "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==": "service.running", - "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==": "service.running == false", - "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==": "service.enabled" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "4nWvWDkZCBw=": { - "query": "if( package('openssh-server').version == /6./ ) {\n return [\"aes256-ctr\", \"aes192-ctr\", \"aes128-ctr\"]\n}\nreturn [\"chacha20-poly1305@openssh.com\",\"aes256-gcm@openssh.com\",\"aes128-gcm@openssh.com\",\"aes256-ctr\",\"aes192-ctr\",\"aes128-ctr\"]\n", - "checksum": "sdIJ660ps4A=", - "datapoints": [ - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "LIa61qtxHtFYHfQVJ2Dv5wHakCDoFzq8QGy7nQmjZimSHhmlu1QvdBf03I60m/ysrhrOz9nu45hLjv/MQZ83Cw==" - ], - "code": { - "code_v2": { - "id": "4nWvWDkZCBw=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "b3BlbnNzaC1zZXJ2ZXI=" - } - ] - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "Ni4=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - 
"value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967298 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "YWVzMjU2LWN0cg==" - }, - { - "type": "\u0007", - "value": "YWVzMTkyLWN0cg==" - }, - { - "type": "\u0007", - "value": "YWVzMTI4LWN0cg==" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgEA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "Y2hhY2hhMjAtcG9seTEzMDVAb3BlbnNzaC5jb20=" - }, - { - "type": "\u0007", - "value": "YWVzMjU2LWdjbUBvcGVuc3NoLmNvbQ==" - }, - { - "type": "\u0007", - "value": "YWVzMTI4LWdjbUBvcGVuc3NoLmNvbQ==" - }, - { - "type": "\u0007", - "value": "YWVzMjU2LWN0cg==" - }, - { - "type": "\u0007", - "value": "YWVzMTkyLWN0cg==" - }, - { - "type": "\u0007", - "value": "YWVzMTI4LWN0cg==" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgGA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 12884901890 - ] - } - ], - "checksums": { - "12884901889": "JBWJ2GDBBnlBXrzgmu5zRhIxSqFYoonbQel7Y+eC5zqzhC0icolV6Uef+sIMmQMaRbO6z+L9INPkNGQ2Mkz5dw==", - "12884901890": "nVZ08yAhjlKHGJ7FSiL8d4EEZ27W7JrAtXQPp8y84Yw71NrNYz4yp20RrOAsIdYO1Uw+4SzvoYI+EtkP//oXuQ==", - "4294967297": "LU6AZgqoDxeiDN/6xz50NkA4xqsnnvmU10r9hxgnpIosAGloOKaVOFzDW41QV1E47L0vlpuDvtFXS77xS/0lfw==", - "4294967298": "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - 
"4294967299": "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==", - "4294967300": "LIa61qtxHtFYHfQVJ2Dv5wHakCDoFzq8QGy7nQmjZimSHhmlu1QvdBf03I60m/ysrhrOz9nu45hLjv/MQZ83Cw==", - "8589934593": "C0fhQPzQAJT3qubQZhuA0n5ItFKsh2eoi7RBlWoRqE0uCjbte8esVEkY9Hz89XIIw5tD1hA/jRHnKDJXQvyejg==", - "8589934594": "nYiOaK8tGSbYFIljYNbWufmM2j0W7DAjhGcj7x8fShWOz3K5F+/+Q1g+T0pIvMYNQfQd/Pv2ljQfm3N7x/KGuw==" - } - }, - "source": "if( package('openssh-server').version == /6./ ) {\n return [\"aes256-ctr\", \"aes192-ctr\", \"aes128-ctr\"]\n}\nreturn [\"chacha20-poly1305@openssh.com\",\"aes256-gcm@openssh.com\",\"aes128-gcm@openssh.com\",\"aes256-ctr\",\"aes192-ctr\",\"aes128-ctr\"]\n", - "labels": { - "labels": { - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==": "package.version", - "LIa61qtxHtFYHfQVJ2Dv5wHakCDoFzq8QGy7nQmjZimSHhmlu1QvdBf03I60m/ysrhrOz9nu45hLjv/MQZ83Cw==": "if", - "nVZ08yAhjlKHGJ7FSiL8d4EEZ27W7JrAtXQPp8y84Yw71NrNYz4yp20RrOAsIdYO1Uw+4SzvoYI+EtkP//oXuQ==": "return", - "nYiOaK8tGSbYFIljYNbWufmM2j0W7DAjhGcj7x8fShWOz3K5F+/+Q1g+T0pIvMYNQfQd/Pv2ljQfm3N7x/KGuw==": "return" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "5YLhhd+c3KY=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-e\\s+2(\\s+)?$/)\n}\n", - "checksum": "eOob0t/F+FU=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==" - ], - "code": { - "code_v2": { - "id": "5YLhhd+c3KY=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - 
"call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - } - ], - "entrypoints": [ - 8589934598 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtZVxzKzIoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - 
"value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "tMBnDG36CiPRUxcurz6ozm15aFVqLCB8O7kw+D6Hn2GfNZHhc3F+xchowuzyEqaNTw5Xkjz2/lUPQSdrM2osvQ==", - "12884901891": "q8J1Q/tYYbNZ1k2ONEIHjw3U3zeZLFG62kgbiDI023914Nf7T4peS2X1OGOfNW/Q7TNZ0kTvdKGRqhhJL0lPxA==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "NU9KnAj6qbVbnN7ER3P2H/giECQXc73wQDSdht9XvfG45bbzS9jo2Pf+PdOVpdFHjeHm+46mqx0ZQFntHEc3/w==", - "8589934597": "ft6zgh8dnJa21hnT9NMBDEA8DOhxzJeOUqreHqYGu9pE1xWVVx+JZzaiZgU9My7LoUL2Kg2/vGxPe8LDBuoZQg==", - "8589934598": "gD8rh2XrDHrOXoG+L21jJR1RlrMyJ5dNs3KTO69s2LeTr6Pvtt7Qjn93qmFOu9j3ObkzkmYUwAsN00SRuWNPLA==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-e\\s+2(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==": "if", - 
"c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "gD8rh2XrDHrOXoG+L21jJR1RlrMyJ5dNs3KTO69s2LeTr6Pvtt7Qjn93qmFOu9j3ObkzkmYUwAsN00SRuWNPLA==": "[].contains()", - "q8J1Q/tYYbNZ1k2ONEIHjw3U3zeZLFG62kgbiDI023914Nf7T4peS2X1OGOfNW/Q7TNZ0kTvdKGRqhhJL0lPxA==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "5q5EG7AkY6k=": { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Storage\"] == \"persistent\"\n}\n", - "checksum": "bqijDjToYNc=", - "datapoints": [ - "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==" - ], - "code": { - "code_v2": { - "id": "5q5EG7AkY6k=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "sections", - "function": { - "type": "\u001a\u0007\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u001a\u0007\u0007", - "args": [ - { - "type": "\u0007", - "value": "Sm91cm5hbA==" - } - ], - "binding": 8589934594 - } - 
}, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "U3RvcmFnZQ==" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cGVyc2lzdGVudA==" - } - ], - "binding": 8589934596 - } - } - ], - "entrypoints": [ - 8589934597 - ] - } - ], - "checksums": { - "4294967297": "l3sxgiTYcAto50UNy+D684uigPx/G30b7SG/TWHLjH+jXQD4FWgvImzrlMz7n5EQSF9XOqSyUVabvTtb2fkmig==", - "4294967298": "hyKZR+nZQdqGesYFceMXztsluQuJfHBH1w+ZuVGc2YtJPyXf1ucl93BWKMdIlXyfP+iCKqtAgBBDFi6bZs9GTg==", - "4294967299": "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==", - "8589934593": "VkFIYHwLWA2DN+cGp2/nva3JpKEuj+ekzZ7e4Cy3zfltZm0aULkKY1/7Qb9o6/kTEdIE4P/HDgJGeUqDxRn/zQ==", - "8589934594": "q4O50spt2INk/0CEDeRESLie7000Xsd0lukCdNJc5IAz1lp0/nnsU2LsCxSShL++e6RRxgUSIU5e1WzU82S+aw==", - "8589934595": "YLk+U8kFCMJXfWriUOowuBOIXxQGWS9or5z8DS/BwTT3QpLwTJj8BtrR9KDsdJYXUkgMxVh1dMr5lo/Wmu7LpQ==", - "8589934596": "6LN4yFhUzlTLBIu9qZrAgGJcIWTUAzKP1BrGz+/of6ciiBjWsM2C1qlAxIiTlTRKkL6cz5K99zUtWGO36IP0Rw==", - "8589934597": "vu43o2EhdlaAkdOs6Y43nwoQo3S+6Bl6gTmH4MT9T9YkUa/RTeCUQU9SgZEleKh6P9M7h5wxKdHGe+MWWh8nPQ==" - } - }, - "source": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Storage\"] == \"persistent\"\n}\n", - "labels": { - "labels": { - "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==": "if", - "vu43o2EhdlaAkdOs6Y43nwoQo3S+6Bl6gTmH4MT9T9YkUa/RTeCUQU9SgZEleKh6P9M7h5wxKdHGe+MWWh8nPQ==": "parse.ini.sections[Journal][Storage] == \"persistent\"" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "727yzVm9jYQ=": { - "query": "service(\"telnet.socket\").enabled == false\nservice(\"telnet.socket\").running == false\n", - "checksum": "ZDEqpbTNjXA=", - "datapoints": [ - 
"Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==", - "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==", - "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==", - "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==" - ], - "code": { - "code_v2": { - "id": "727yzVm9jYQ=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGVsbmV0LnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGVsbmV0LnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "9R/S5PSKs2Qo6fYXlQ3lIoAGo1fqF/JlIcFhij6OIFvFbrFPKauREp+YKj9cRHvBs/8+gMTqPWnhRP0ix8eYpA==", - "4294967298": "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==", - "4294967299": "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==", - "4294967300": 
"9R/S5PSKs2Qo6fYXlQ3lIoAGo1fqF/JlIcFhij6OIFvFbrFPKauREp+YKj9cRHvBs/8+gMTqPWnhRP0ix8eYpA==", - "4294967301": "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==", - "4294967302": "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==" - } - }, - "source": "service(\"telnet.socket\").enabled == false\nservice(\"telnet.socket\").running == false\n", - "labels": { - "labels": { - "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==": "service.enabled == false", - "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==": "service.enabled", - "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==": "service.running", - "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==": "service.running == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "7dzfqFlvkAk=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n}\n", - "checksum": "bjWRr8RDP6s=", - 
"datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==" - ], - "code": { - "code_v2": { - "id": "7dzfqFlvkAk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - 
"binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "mICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "oICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934608 - } - }, - { - 
"call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "rICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "soCAgEA=" - } - ], - "binding": 8589934611 - } - } - ], - "entrypoints": [ - 8589934605, - 8589934618 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK21vdW50XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD00Mjk0OTY3Mjk1XHMrXC1rXHMrbW91bnRz" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - 
{ - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK21vdW50XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPW1vdW50cw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK21vdW50XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD00Mjk0OTY3Mjk1XHMrXC1rXHMrbW91bnRz" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK21vdW50XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPW1vdW50cw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "hq2WqQ+l6W10Yjzi7GA2xiBG2jij75FZA/psXlEl0kVTxQ/vQJexCdr1E5VjjqVKInCLhYuiit7YLVwBmVjnZQ==", - "12884901891": "ozhkDQmSSC9+xWrfSmfbXA53HSFKWvDJmlvLCZYGwqtkZPHFwiqNN7N2qA+MzQNt4M7/pLZtD3DMOhEMszncLQ==", - "17179869185": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "ZhWrAkC4vZIgzhV9pCQ4/mzb/s5BxfZZ5F6p+Hp8QTQkx9NpHONudg6Qw+g7dwf5VYpI8RJ6lZtdRRJR7TnKgw==", - "17179869187": "OK2rJ3/f45kiBU1mrT4mvP+INePBAie/LDR7RMQPkqSf9rRtTMZVlmKumQXGC5P6JesLTjy/01v5i6C8+1S4QQ==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "YQIufehsFkZ0M1EqqzG9C5u2Gv2tkjt1KPalzxrwVScqUE/lJUdZC9uQfl/8jIs5Ue7fGE9OUodlsO0O3rmtUg==", - "21474836483": "BlgHnJ5Oyagk7gVKyi4hzBxZE37pqBbFcr/BLSEXF9iYv77vkQVDidorLM/ThWRDxLFyt7+clN5+FKZSjQTQJg==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "uuPJ06HIUx5OvKhwc7j+P63AXp6MtV7NHuOUJQGvqPjbTqaZCV+7jqdh+stN1oQ2n51VulghQohb8bsTY6JsHA==", - "25769803779": "WDQD79w3mFmZv4VxzdmXYfw38lGNSXIqcNzzBn9+ldPueY7gdlVHiTWFzuDZOd2zn6XWykrth2mxDni9M2bLVw==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "f9Z2d2GdBeLbZTUM9FYvTooiRHO/2Nffp6YxIogu5Oamgv5Vv2rQeXytEGKTkJgTa/0lUyXKBSBOfgut5spWnw==", - "8589934597": 
"bq/7oEWYUREvDVJut9zqGCuDKtmLEYfJ/4fAuZbHgBorIizEBmYv5d2K5Bi98al6MnztXoJsZeNQw9c1Y36u5A==", - "8589934598": "szNSsD/VsxgTenP3yURWkLJsTn5GWFM8f/KxXWsTpg3Vq4/ls0EGvh8L5j/EKSGtjt+6znvmVG+VZgwKApKRrA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "OExCIP3Uox2P81ErBLrPNdW8Zsqthba4xsDlx2ZJq5wTLl1Z0rcaaDr+9OkHRtXDS8DqOsTGkvPw/h6GbFRl/A==", - "8589934603": "LKu6NNaOGWD+IKao/VItbjJcJvQOVDyaq/FEddigshaRrNZ0CK/jQuWojBmusTQL8UFei4QvBBDxwXE9ZYjL5A==", - "8589934604": "mmLa+57CkGkdsR7jQWfbwf6UmwtmCdS8vwJ/NwwB7Kdzu6JOmhty4kFDpryuO/hlusXnZmykn4BMKa/HDC1XXA==", - "8589934605": "HwOnZcQKhxIWNiz6Bm02W8sxMpQAbzumTywdZUtjKX0ZmbT/6uro/xfmgJfQA1TpaHwUY3qje6zBcfgd9Qhhyg==", - "8589934606": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934607": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934608": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934609": "xmYpuUjKZR+cE+4z+LS0QLCtXzuOY1Z4T8Z3Ue8W5zalJkhIL9ODLY+yTNcOYzphwKBFhMKP63az+OZ8YIJCWQ==", - "8589934610": "tAonsXFW1ccoVvnq3FOwrWzhxNqC/MwH1Wad3NlM40EJ0m9wiGR/vHqKI+VY/1+z32Pa5gE7unVp7zbhFtP97A==", - "8589934611": "CTx3CFlrKnToOmNcQpFgOeSu7PQ5jFtVRdao2kf1r7YETb0/isiSXdZWAYHFTLI3G92EQ7YumyT2QTE+57X43w==", - "8589934612": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934613": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934614": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934615": 
"KTS73iQcsSqGpyRXPVv2ljvYWB8GHP3CKjpQio7YmRLiTLu+/Q+9a+eVZdd6SyPddmXutxZMfM7RY/XP0BMbgg==", - "8589934616": "Tfa1NLam3OmM4arBKBLumAN7vP2vP/GvhDKwLJ6FfbNO2kyAAL9UX85Paf/sah6YtGL94EOsDzxfs3qM2wJCgA==", - "8589934617": "AQaNiIldKMhXV27A7OLjAP5PDSWeOw1exIL/0qVRzofKPdCpxD83F1MMvqsMj0aQwyeh6GJePvG/ruPs3CvVnA==", - "8589934618": "FCOAD+m0BYTFEk3t1m6JM0OkgTaPqjrhEQQLkFRxfeE4uNh3UEA5TiQ0EKxG3GJSTF6rv1Imq6+7kai8sX3wZA==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n}\n", - "labels": { - "labels": { - "AQaNiIldKMhXV27A7OLjAP5PDSWeOw1exIL/0qVRzofKPdCpxD83F1MMvqsMj0aQwyeh6GJePvG/ruPs3CvVnA==": "[].contains()", - "BlgHnJ5Oyagk7gVKyi4hzBxZE37pqBbFcr/BLSEXF9iYv77vkQVDidorLM/ThWRDxLFyt7+clN5+FKZSjQTQJg==": " == \u003cref\u003e", - "CTx3CFlrKnToOmNcQpFgOeSu7PQ5jFtVRdao2kf1r7YETb0/isiSXdZWAYHFTLI3G92EQ7YumyT2QTE+57X43w==": "[].contains()", - "FCOAD+m0BYTFEk3t1m6JM0OkgTaPqjrhEQQLkFRxfeE4uNh3UEA5TiQ0EKxG3GJSTF6rv1Imq6+7kai8sX3wZA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "HwOnZcQKhxIWNiz6Bm02W8sxMpQAbzumTywdZUtjKX0ZmbT/6uro/xfmgJfQA1TpaHwUY3qje6zBcfgd9Qhhyg==": 
"file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "OK2rJ3/f45kiBU1mrT4mvP+INePBAie/LDR7RMQPkqSf9rRtTMZVlmKumQXGC5P6JesLTjy/01v5i6C8+1S4QQ==": " == \u003cref\u003e", - "WDQD79w3mFmZv4VxzdmXYfw38lGNSXIqcNzzBn9+ldPueY7gdlVHiTWFzuDZOd2zn6XWykrth2mxDni9M2bLVw==": " == \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "mmLa+57CkGkdsR7jQWfbwf6UmwtmCdS8vwJ/NwwB7Kdzu6JOmhty4kFDpryuO/hlusXnZmykn4BMKa/HDC1XXA==": "[].contains()", - "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==": "if", - "ozhkDQmSSC9+xWrfSmfbXA53HSFKWvDJmlvLCZYGwqtkZPHFwiqNN7N2qA+MzQNt4M7/pLZtD3DMOhEMszncLQ==": " == \u003cref\u003e", - "szNSsD/VsxgTenP3yURWkLJsTn5GWFM8f/KxXWsTpg3Vq4/ls0EGvh8L5j/EKSGtjt+6znvmVG+VZgwKApKRrA==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "7h09h2mCsc8=": { - "query": "if( package('openssh-server').version == /6./ || package('openssh-server').version == /7./ ) {\n return [\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nif( package('openssh-server').version == /8\\.[0|1|2|3|4|5]/ ) {\n return [\"sntrup4591761x25519-sha512@tinyssh.org\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nreturn [\"sntrup761x25519-sha512@openssh.com\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n", - "checksum": "rNGJ3Kr+K8Q=", - "datapoints": [ - "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==", - "4awOHxBIrhJpNXgMkCZGW2j+1IG3Pm3adFARFtow4uVIuuOEM95Ajymlt++h97lox5e8nQTEYS9ZqaAzr/HloQ==", - "6tnI+IODYzgiF4YAt4QqVSYk2z7xAr4xCpKEVabbuxvAWYggnOwGkzNl4AzvgsKklzi5JghpRhIVNO1dcDCE1w==" - ], - "code": { - "code_v2": { - "id": "7h09h2mCsc8=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - 
"value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "b3BlbnNzaC1zZXJ2ZXI=" - } - ] - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "Ni4=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "b3BlbnNzaC1zZXJ2ZXI=" - } - ] - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "Ny4=" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "jICAgCA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "joCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967302 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "Y3VydmUyNTUxOS1zaGEyNTZAbGlic3NoLm9yZw==" - }, - { - "type": "\u0007", - "value": "ZGlmZmllLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgEA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - 
"call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "b3BlbnNzaC1zZXJ2ZXI=" - } - ] - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "OFwuWzB8MXwyfDN8NHw1XQ==" - } - ], - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgGA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 12884901892 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "c250cnVwNDU5MTc2MXgyNTUxOS1zaGE1MTJAdGlueXNzaC5vcmc=" - }, - { - "type": "\u0007", - "value": "Y3VydmUyNTUxOS1zaGEyNTZAbGlic3NoLm9yZw==" - }, - { - "type": "\u0007", - "value": "ZGlmZmllLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgIAB" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 17179869186 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "c250cnVwNzYxeDI1NTE5LXNoYTUxMkBvcGVuc3NoLmNvbQ==" - }, - { - "type": "\u0007", - "value": "Y3VydmUyNTUxOS1zaGEyNTZAbGlic3NoLm9yZw==" - }, - { - "type": "\u0007", - "value": "ZGlmZmllLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgKAB" - } - ] - } - } - ], - 
"singleValue": true, - "entrypoints": [ - 21474836482 - ] - } - ], - "checksums": { - "12884901889": "LU6AZgqoDxeiDN/6xz50NkA4xqsnnvmU10r9hxgnpIosAGloOKaVOFzDW41QV1E47L0vlpuDvtFXS77xS/0lfw==", - "12884901890": "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "12884901891": "Jo/dUDDB8RE+o2wr1idBbQ/krl/nN9tUaXtIbjrz9I1pCtL5TOxr59Usj6Ymrt+t5IjEqa6abg36jcOkwDYn3Q==", - "12884901892": "cerOGsEluQiLFF6CjFZb40i4u5l5ap9+pa6H40y7+yIQqiL/N7rXm9PR7cu4IU+iVtl48Jm7L79KigriXVoj5g==", - "17179869185": "LD+wf6aFYOHEyTKq4AW3gONeMr+9K2pLaIBjj0/hmVPnRl/qeUXd3RL5hUJSdcIE1h10lRz1zUWG5hgE6lbZ3w==", - "17179869186": "i72gwZ3WTouzOxA/QEzgXnmxBon4AD2ITOKSPzi3yBfQALLnbaWa7iAsqnOzg5DmL3UCI2LXhMfpg1/cJXEeyg==", - "21474836481": "8rAc6frJgmx5/pzPCFpZh6aZMS2/6MtAaLOgOHxMofi1V02R+DhOEwGziNTnGYGc3mL6M0BxUQhOPPtcIaoiuw==", - "21474836482": "TF2KuUFhaehTVc0zzlOWumFc4JTWu+tfy4aVFx467hIgHBfAdGJ4csZqUPexpEGpwbkjC7rECvA/mMqRVBfrLQ==", - "4294967297": "LU6AZgqoDxeiDN/6xz50NkA4xqsnnvmU10r9hxgnpIosAGloOKaVOFzDW41QV1E47L0vlpuDvtFXS77xS/0lfw==", - "4294967298": "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "4294967299": "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==", - "4294967300": "LU6AZgqoDxeiDN/6xz50NkA4xqsnnvmU10r9hxgnpIosAGloOKaVOFzDW41QV1E47L0vlpuDvtFXS77xS/0lfw==", - "4294967301": "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "4294967302": "4awOHxBIrhJpNXgMkCZGW2j+1IG3Pm3adFARFtow4uVIuuOEM95Ajymlt++h97lox5e8nQTEYS9ZqaAzr/HloQ==", - "4294967303": "/tmF6db9D75tOPQNKq1Rrij2rDlt0D7c7ufJsF8qePXE9ZNj5kJIbqF6UVtuu/HYASwDpksLeD0050pcNUMSQA==", - "4294967304": "6tnI+IODYzgiF4YAt4QqVSYk2z7xAr4xCpKEVabbuxvAWYggnOwGkzNl4AzvgsKklzi5JghpRhIVNO1dcDCE1w==", - "8589934593": "+iPoE/DMXx/4rjfnQrIl07QRTtTZ2EbsA1SvpfaxitdQfiEiGdRsmNKp5ETDNY0cfHkfyE5jDh2J2I5PsQIQww==", - "8589934594": 
"F/aigOr/zZoIBKS5ijWkqyJt6PGgWHFLC2evvCczY9KtmBOpAC3S6uoU873xln2DGWKY/hr7f3yUd7cPzw9HKw==" - } - }, - "source": "if( package('openssh-server').version == /6./ || package('openssh-server').version == /7./ ) {\n return [\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nif( package('openssh-server').version == /8\\.[0|1|2|3|4|5]/ ) {\n return [\"sntrup4591761x25519-sha512@tinyssh.org\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n}\nreturn [\"sntrup761x25519-sha512@openssh.com\",\"curve25519-sha256@libssh.org\",\"diffie-hellman-group-exchange-sha256\"]\n", - "labels": { - "labels": { - "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==": "package.version == /6./", - "4awOHxBIrhJpNXgMkCZGW2j+1IG3Pm3adFARFtow4uVIuuOEM95Ajymlt++h97lox5e8nQTEYS9ZqaAzr/HloQ==": "package.version == /7./", - "6tnI+IODYzgiF4YAt4QqVSYk2z7xAr4xCpKEVabbuxvAWYggnOwGkzNl4AzvgsKklzi5JghpRhIVNO1dcDCE1w==": "if", - "F/aigOr/zZoIBKS5ijWkqyJt6PGgWHFLC2evvCczY9KtmBOpAC3S6uoU873xln2DGWKY/hr7f3yUd7cPzw9HKw==": "return", - "TF2KuUFhaehTVc0zzlOWumFc4JTWu+tfy4aVFx467hIgHBfAdGJ4csZqUPexpEGpwbkjC7rECvA/mMqRVBfrLQ==": "return", - "cerOGsEluQiLFF6CjFZb40i4u5l5ap9+pa6H40y7+yIQqiL/N7rXm9PR7cu4IU+iVtl48Jm7L79KigriXVoj5g==": "if", - "i72gwZ3WTouzOxA/QEzgXnmxBon4AD2ITOKSPzi3yBfQALLnbaWa7iAsqnOzg5DmL3UCI2LXhMfpg1/cJXEeyg==": "return" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "7wuHGnsUApE=": { - "query": "kernel.parameters['net.ipv4.icmp_echo_ignore_broadcasts'] == 1\n", - "checksum": "Kf4ARYjYz/o=", - "datapoints": [ - "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==", - "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==" - ], - "code": { - "code_v2": { - "id": "7wuHGnsUApE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - 
"type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuaWNtcF9lY2hvX2lnbm9yZV9icm9hZGNhc3Rz" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==", - "4294967300": "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==" - } - }, - "source": "kernel.parameters['net.ipv4.icmp_echo_ignore_broadcasts'] == 1\n", - "labels": { - "labels": { - "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==": "kernel.parameters[net.ipv4.icmp_echo_ignore_broadcasts] == 1", - "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==": "kernel.parameters[net.ipv4.icmp_echo_ignore_broadcasts]" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "8xqHW7YCDEw=": { - "query": "command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide --check\") || command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide.conf --check\") || service('aidecheck').enabled || parse.ini(\"/etc/default/aide\").params[\"CRON_DAILY_RUN\"] == \"yes\"\n", - "checksum": "Hxsdr8Qhmj8=", - "datapoints": [ - "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==", - 
"nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==", - "r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==" - ], - "code": { - "code_v2": { - "id": "8xqHW7YCDEw=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "command", - "function": { - "type": "\u001bcommand", - "args": [ - { - "type": "\u0007", - "value": "Y29tbWFuZA==" - }, - { - "type": "\u0007", - "value": "Y3JvbnRhYiAtdSByb290IC1sIHwgZ3JlcCBhaWRl" - } - ] - } - }, - { - "call": 1, - "id": "stdout", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "contains\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "YWlkZSAtLWNoZWNr" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "command", - "function": { - "type": "\u001bcommand", - "args": [ - { - "type": "\u0007", - "value": "Y29tbWFuZA==" - }, - { - "type": "\u0007", - "value": "Y3JvbnRhYiAtdSByb290IC1sIHwgZ3JlcCBhaWRl" - } - ] - } - }, - { - "call": 1, - "id": "stdout", - "function": { - "type": "\u0007", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "contains\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "YWlkZS5jb25mIC0tY2hlY2s=" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "jICAgCA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YWlkZWNoZWNr" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "koCAgCA=" - } - ], - "binding": 4294967303 - } 
- }, - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9kZWZhdWx0L2FpZGU=" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "Q1JPTl9EQUlMWV9SVU4=" - } - ], - "binding": 4294967308 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "eWVz" - } - ], - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "nICAgCA=" - } - ], - "binding": 4294967306 - } - } - ], - "entrypoints": [ - 4294967311 - ], - "datapoints": [ - 4294967306, - 4294967310 - ] - } - ], - "checksums": { - "4294967297": "1j1eWuR9s5X2jDlu9G6S6nQ5ziY7yUyOzwGsbXiJywo8/MmX7dO3zcLApQkBqjxFF8upQjVmk/OHcL28jpANfA==", - "4294967298": "F63SuhAkhhVAZf24uKNpbgdNF6E89U5R2yPGGo65Na05unL7WIzcHvfzBOs9N5l65AlTfdEPJ4NsQDJm0nuPpw==", - "4294967299": "LN4WZrP6q8CPzpbn9i+E9XUsN1laIQgiw5hTpXjhlF7QRQHY78Vh8v5gcw0ps5qZ59vyyr1lBJoGlWM6H2wElA==", - "4294967300": "1j1eWuR9s5X2jDlu9G6S6nQ5ziY7yUyOzwGsbXiJywo8/MmX7dO3zcLApQkBqjxFF8upQjVmk/OHcL28jpANfA==", - "4294967301": "F63SuhAkhhVAZf24uKNpbgdNF6E89U5R2yPGGo65Na05unL7WIzcHvfzBOs9N5l65AlTfdEPJ4NsQDJm0nuPpw==", - "4294967302": "wIYVcQQXMv+Ikp+pAA7LCsjlwQdtHiJQFxFvChue6vW57wf1aB22yTspz1riTHGS78W/16D+6gf2EA3LPk9vng==", - "4294967303": "vYu0tdhyaGjym8eQ5mtAUdSyQKsZgojZaRhzO+3akcFq1+bg2ZlL8NZuTuIpfT6nhYw9CZsGoH2rCnwkVQbwEg==", - "4294967304": "7r/vT7AydlU18UXj6r5bUkc1hSVneU/K85GnaA7/35iSJPrwLmaJrNqXckh8S/ujOljViClY7RcNF0l1bpe82g==", - "4294967305": "OQLnq30H4wIliORxkGUr+buRBFiGC0z3+SoZzNELjoXS9rMUBr79ZYFhlhNwaCF3tKxRKwdnUoAhs/BRub/LjA==", - "4294967306": 
"cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==", - "4294967307": "2xUziCN8KNAmi9JU8zZfnTMmQ5WyH3grx3u+7OcaGrBrVy2UWbCI9Vxrvcij60zeapUHRYX29wCiIUqMhdW+zA==", - "4294967308": "W1BQOZLhqYxaC9oIZcF806NyvSbVNO66O+jT9q3JVE5es4v1SWkOC65HdmaSwtorLI6MIwOVx3NvLuEw8sw38A==", - "4294967309": "L5PS8ywfIpk/3fHR6ki7NnZIcuXFfegpKf9WOxNWq7nQounthN3UhWbyYXyBnhNT+a/7qLENu+IRJAb2UPciCg==", - "4294967310": "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==", - "4294967311": "r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==" - } - }, - "source": "command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide --check\") || command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide.conf --check\") || service('aidecheck').enabled || parse.ini(\"/etc/default/aide\").params[\"CRON_DAILY_RUN\"] == \"yes\"\n", - "labels": { - "labels": { - "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==": "command.stdout.contains || \u003cref\u003e || \u003cref\u003e", - "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==": "parse.ini.params[CRON_DAILY_RUN] == \"yes\"", - "r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==": "command.stdout.contains || \u003cref\u003e || \u003cref\u003e || \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "9Frfyu3HqwY=": { - "query": "kernel.parameters['net.ipv6.conf.all.accept_ra'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_ra'] == 0\n", - "checksum": "/d0q1Gx0IVw=", - "datapoints": [ - "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==", - "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==", - "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==", - 
"h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==" - ], - "code": { - "code_v2": { - "id": "9Frfyu3HqwY=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5hbGwuYWNjZXB0X3Jh" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5kZWZhdWx0LmFjY2VwdF9yYQ==" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==", - "4294967300": "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": 
"dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==", - "4294967304": "h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==" - } - }, - "source": "kernel.parameters['net.ipv6.conf.all.accept_ra'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_ra'] == 0\n", - "labels": { - "labels": { - "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==": "kernel.parameters[net.ipv6.conf.all.accept_ra] == 0", - "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==": "kernel.parameters[net.ipv6.conf.all.accept_ra]", - "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==": "kernel.parameters[net.ipv6.conf.default.accept_ra]", - "h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==": "kernel.parameters[net.ipv6.conf.default.accept_ra] == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "9kZGL9b/izQ=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+rename\\,unlink\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ 
).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\,rename\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n}\n", - "checksum": "NFHH/gzo8eY=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==" - ], - "code": { - "code_v2": { - "id": "9kZGL9b/izQ=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - 
"id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "lICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934604 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - 
"value": "moCAgEA=" - } - ], - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "ooCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "pICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "sICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 
8589934617 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934618 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "toCAgEA=" - } - ], - "binding": 8589934613 - } - } - ], - "entrypoints": [ - 8589934606, - 8589934620 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901890 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XC1hXHMrYWx3YXlzXCxleGl0XHMrXC1GXHMrYXJjaFw9YjY0XHMrXC1TXHMrdW5saW5rXHMrXC1TXHMrdW5saW5rYXRccytcLVNccytyZW5hbWVccytcLVNccytyZW5hbWVhdFxzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9NDI5NDk2NzI5NVxzK1wta1xzK2RlbGV0ZQ==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3JlbmFtZVwsdW5saW5rXCx1bmxpbmthdFwscmVuYW1lYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPVwtMVxzK1wtRlxzK2tleVw9ZGVsZXRl" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - 
"function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803778 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XC1hXHMrYWx3YXlzXCxleGl0XHMrXC1GXHMrYXJjaFw9YjMyXHMrXC1TXHMrdW5saW5rXHMrXC1TXHMrdW5saW5rYXRccytcLVNccytyZW5hbWVccytcLVNccytyZW5hbWVhdFxzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9NDI5NDk2NzI5NVxzK1wta1xzK2RlbGV0ZQ==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK3VubGlua1wscmVuYW1lXCx1bmxpbmthdFwscmVuYW1lYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPVwtMVxzK1wtRlxzK2tleVw9ZGVsZXRl" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "ic3sT7IFTN65mSij6syknoTtLUFMbYRVLHZeKzR84vWwYYydEf6m/6wLZoRiXskcxVylnrOp9ia4kOzwvpzEMA==", - "17179869185": "LP7QATJvv7MF/UbIVVVZvSzfXOb4RHoT8BGZPO0hnrmdgwNTNGo7pHgPtSse10SZsmppFQu9rAb8Qfmg6givDQ==", - "17179869186": "FoSF604vymI6L7na8XcB1t1f0nrlynWxakwXGP0/68vU4w3kZB/5r9p/ri25VAC2FPXkBp09oQ/G8+GQ+vvO5Q==", - "17179869187": "/eyUW/F+75+bRelw5Odr4VUTVUo9l0BDi2BO7tkbHuixqpWherP/jYBGoQ6M8aQct8scj95zEPj+YoNKB6BBjg==", - "21474836481": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "ru0BncpK0dzt4vQ6EjN3PWiTNC0w1wrYswp8WMNIsiCTa7ehcs0P4vRB7mUD0p16DlYbhHOhfmNtXBrhu343sg==", - "21474836483": "gTrIug6UGWPJ8GQXFcOqQR08ke1E3K47LCx5ODHTO0/UhjbI+uSBQ3GI4qYPFyc/vDS4THGiD2aSUk9qbikkXA==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "ic3sT7IFTN65mSij6syknoTtLUFMbYRVLHZeKzR84vWwYYydEf6m/6wLZoRiXskcxVylnrOp9ia4kOzwvpzEMA==", - "30064771073": "LP7QATJvv7MF/UbIVVVZvSzfXOb4RHoT8BGZPO0hnrmdgwNTNGo7pHgPtSse10SZsmppFQu9rAb8Qfmg6givDQ==", - "30064771074": "jglZpKf/0iA96zOmRNtNsGc2sCGDaeeZJonf3wRnOh1Alu6hTZAbAVzZsJ4seVQ/oaDRpQ0YwBuUXOgWG9lixA==", - "30064771075": "IKYUskvP1kKKeGgwBwKy2ZtiIsBwZpgs52MFyS5S7FS/hpK1Louyeya+NVLS+yqUaN2GwQVWgwvAMB5KHT+HCw==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "PzjZ+xgNrCStT8TTHO4315GTKvQ55eovtIwiOvBE4Z7QSdDlNG1rHQpv4tACnGkreKCgB4rxfpc2k6/w7ajFuQ==", - "34359738371": "U07Us/N1UELF8XXJ25s5jAJCx1pXrAVCqBCIuHWUshZE0ZZOk58hGcJ/dAoNEoQT/b1P6LkD0Z31awW0etxaqg==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "LP7QATJvv7MF/UbIVVVZvSzfXOb4RHoT8BGZPO0hnrmdgwNTNGo7pHgPtSse10SZsmppFQu9rAb8Qfmg6givDQ==", - "8589934597": "xc0q2/rqqaU7MSY+kwXoPnHDVGBy8xIBNJ8IStSw61cP0Da8kuEaCZT7JxddLhbe5vXCrr8gBLeOf8nYxP3BvQ==", - "8589934598": "IGQSMdui4lzAIHHhqntJ/LQIgA7t1SvFbMAbKSggKHcUOyMnvtTH3ZRZr25nj/RnKZeVXikTRCx6CXlNZlHFdw==", - "8589934599": "a8f3muZA/0Lf560KToMb7fIfkqBXWsJwmkxpE6NNbJU3VXTPo+CpNNm2fhZkJg6nkhQj8vw4iaXVg/9kY4g6sw==", - "8589934600": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934601": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934602": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934603": "389T796kqLYSkx7a508rNAc8Pdi4+yNG9wNQvQJuNj92s805NhlzU8C0f94JHC0hmj4mQYlhQJVj+rth/Zxf2g==", - "8589934604": "6z6rGfsDlMgvy2L00pG7V/sUdYgRdF70MWRijlphONHakTUIav/0P6/x3d7wKBBFTjEM6XdEKdes18EnRK/L0A==", - "8589934605": "caRt3M8F9m0JX9P1E7b0jd4whcNUBs+vTxyjNkHvNsQiK7IuUWwFILYDlX1yPsJ0pM4er5HInD7H0YNfgPpPKA==", - "8589934606": "Zk3XX/rKDbXZY4pEFrhIZlhD7LfhAvosTZBDa+t63pPVmtZ/jhrYROoGivFRDGmYwlIEDU+VVsFBGfq3UZhN0A==", - "8589934607": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934608": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934609": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934610": "LP7QATJvv7MF/UbIVVVZvSzfXOb4RHoT8BGZPO0hnrmdgwNTNGo7pHgPtSse10SZsmppFQu9rAb8Qfmg6givDQ==", - "8589934611": "C1lZl3NHXdD4R3RSujDIDu5twozLCwwZoz4tcFvrrJ6CYzvDQzbIOmXthGX9lOOb1ZAr9k8k6f6OXx/oEvLRwQ==", - "8589934612": "tQaUOmfEY5GSxLRKDaBGLci1Mccjostd/aZfqE24eOeHeUGBpyEpQU03VifkNCJetBkOcwBotHUBmK7gRhdq5w==", - "8589934613": 
"swcXFmVrxZiWSggLnv4gf1fBmZhcccptsqeJwmDqYqvcQvDF530xsTQ5Ppn+6ITghrXvOZB1K3GrfyFjIBBndQ==", - "8589934614": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934615": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934616": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934617": "CZ6i5T7u3E3pEsOnUMExt2e0Ose2oRIzsbCJg593hMRez8+uFy2iEgCZEannD7T/0TYifdAbcgYFYyB+MsF4Sg==", - "8589934618": "ufRyZ0jHd66jvHUE3/WvmoHRY+EZdlAKz5YS/gPHujZCKFcHTqe7xN+RphWHH+5AayE2TMwWYtRole4NMPSZqQ==", - "8589934619": "3BTt0bqXz5kXpQPRHToGF/zGKmNmRFygg4KX+N+rhpfrTxepcn/3vRw+XfBqSzTMrYGGnkV57vDKRUwpwrKrdQ==", - "8589934620": "QvYnf6hKtP0FhHwGL5Cv+tmCBcYIdplR2wy6mFBoZ3RTuegrnnXaB7RB1tN0dJGpSXZldSRZN+OgQm7UjhlMlg==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+rename\\,unlink\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\,rename\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n}\n", - "labels": { - "labels": { - "/eyUW/F+75+bRelw5Odr4VUTVUo9l0BDi2BO7tkbHuixqpWherP/jYBGoQ6M8aQct8scj95zEPj+YoNKB6BBjg==": " == \u003cref\u003e", - "3BTt0bqXz5kXpQPRHToGF/zGKmNmRFygg4KX+N+rhpfrTxepcn/3vRw+XfBqSzTMrYGGnkV57vDKRUwpwrKrdQ==": "[].contains()", - "IKYUskvP1kKKeGgwBwKy2ZtiIsBwZpgs52MFyS5S7FS/hpK1Louyeya+NVLS+yqUaN2GwQVWgwvAMB5KHT+HCw==": " == \u003cref\u003e", - "QvYnf6hKtP0FhHwGL5Cv+tmCBcYIdplR2wy6mFBoZ3RTuegrnnXaB7RB1tN0dJGpSXZldSRZN+OgQm7UjhlMlg==": "file.content.lines.where.where.length \u003e 0 || \u003cref\u003e", - "U07Us/N1UELF8XXJ25s5jAJCx1pXrAVCqBCIuHWUshZE0ZZOk58hGcJ/dAoNEoQT/b1P6LkD0Z31awW0etxaqg==": " == \u003cref\u003e", - "Zk3XX/rKDbXZY4pEFrhIZlhD7LfhAvosTZBDa+t63pPVmtZ/jhrYROoGivFRDGmYwlIEDU+VVsFBGfq3UZhN0A==": "file.content.lines.where.where.length \u003e 0 || \u003cref\u003e", - "a8f3muZA/0Lf560KToMb7fIfkqBXWsJwmkxpE6NNbJU3VXTPo+CpNNm2fhZkJg6nkhQj8vw4iaXVg/9kY4g6sw==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "caRt3M8F9m0JX9P1E7b0jd4whcNUBs+vTxyjNkHvNsQiK7IuUWwFILYDlX1yPsJ0pM4er5HInD7H0YNfgPpPKA==": "[].contains()", - "gTrIug6UGWPJ8GQXFcOqQR08ke1E3K47LCx5ODHTO0/UhjbI+uSBQ3GI4qYPFyc/vDS4THGiD2aSUk9qbikkXA==": " == \u003cref\u003e", - "ic3sT7IFTN65mSij6syknoTtLUFMbYRVLHZeKzR84vWwYYydEf6m/6wLZoRiXskcxVylnrOp9ia4kOzwvpzEMA==": " == /^[^#]/", - "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==": "if", - "swcXFmVrxZiWSggLnv4gf1fBmZhcccptsqeJwmDqYqvcQvDF530xsTQ5Ppn+6ITghrXvOZB1K3GrfyFjIBBndQ==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "AjCxN3eZtsA=": { - "query": "file('/etc/audit/audit.rules').exists\nif 
(file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n}\n", - "checksum": "UQc/pjrBvzI=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==" - ], - "code": { - "code_v2": { - "id": "AjCxN3eZtsA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": 
"\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "mICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": 
"file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "oICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "rICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "soCAgEA=" 
- } - ], - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "uoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934621 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934622 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934623 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934625 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934626 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "xoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934627 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934628 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934629 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": 
"\u0004", - "args": [ - { - "type": "\u0003", - "value": "zICAgEA=" - } - ], - "binding": 8589934624 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934632 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934633 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "1ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934634 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934635 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934636 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934638 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934639 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "4ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - } - ], - "binding": 8589934640 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934641 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934642 - } 
- }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "5oCAgEA=" - } - ], - "binding": 8589934637 - } - } - ], - "entrypoints": [ - 8589934605, - 8589934618, - 8589934631, - 8589934644 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2NyZWF0XHMrXC1TXHMrb3BlblxzK1wtU1xzK29wZW5hdFxzK1wtU1xzK3RydW5jYXRlXHMrXC1TXHMrZnRydW5jYXRlXHMrXC1GXHMrZXhpdFw9XC1FQUNDRVNccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccythY2Nlc3MoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK29wZW5cLHRydW5jYXRlXCxmdHJ1bmNhdGVcLGNyZWF0XCxvcGVuYXRccytcLUZccytleGl0XD1cLUVBQ0NFU1xzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9XC0xXHMrXC1GXHMra2V5XD1hY2Nlc3MoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2NyZWF0XHMrXC1TXHMrb3BlblxzK1wtU1xzK29wZW5hdFxzK1wtU1xzK3RydW5jYXRlXHMrXC1TXHMrZnRydW5jYXRlXHMrXC1GXHMrZXhpdFw9XC1FQUNDRVNccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccythY2Nlc3MoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": 
{ - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK29wZW5cLGNyZWF0XCx0cnVuY2F0ZVwsZnRydW5jYXRlXCxvcGVuYXRccytcLUZccytleGl0XD1cLUVBQ0NFU1xzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9XC0xXHMrXC1GXHMra2V5XD1hY2Nlc3MoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2NyZWF0XHMrXC1TXHMrb3BlblxzK1wtU1xzK29wZW5hdFxzK1wtU1xzK3RydW5jYXRlXHMrXC1TXHMrZnRydW5jYXRlXHMrXC1GXHMrZXhpdFw9XC1FUEVSTVxzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9NDI5NDk2NzI5NVxzK1wta1xzK2FjY2VzcyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK29wZW5cLHRydW5jYXRlXCxmdHJ1bmNhdGVcLGNyZWF0XCxvcGVuYXRccytcLUZccytleGl0XD1cLUVQRVJNXHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD0tMVxzK1wtRlxzK2tleVw9YWNjZXNzKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } 
- } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2NyZWF0XHMrXC1TXHMrb3BlblxzK1wtU1xzK29wZW5hdFxzK1wtU1xzK3RydW5jYXRlXHMrXC1TXHMrZnRydW5jYXRlXHMrXC1GXHMrZXhpdFw9XC1FUEVSTVxzK1wtRlxzK2F1aWRcPlw9MTAwMFxzK1wtRlxzK2F1aWRcIVw9NDI5NDk2NzI5NVxzK1wta1xzK2FjY2VzcyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK29wZW5cLGNyZWF0XCx0cnVuY2F0ZVwsZnRydW5jYXRlXCxvcGVuYXRccytcLUZccytleGl0XD1cLUVQRVJNXHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD0tMVxzK1wtRlxzK2tleVw9YWNjZXNzKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - } - ], - "binding": 42949672961 - } - } - ], - "parameters": 1, - "entrypoints": [ - 42949672963 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "8gzkvOie5HmGONOr87mfXYKqaB4bvTxJ6klZOD2CUk+W4sE2siQOIYrms1/cyUQpYWx12k3T/FZQyDZpjGVn4w==", - "12884901891": "IPpmMDGk9/lzdHCn38J9Qnw4W2vUcJ5DoXayqnA4bDb+mnoLgGtFV5j6+uta/mp3RErKNetMXAhT2nMsquPs3A==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "6QHGzDYppIQH/M0gZ2RCpzhDZvUP/XLUWUd9Q9qJ50lPYJyfR/DzpBJeKylg0SfPpCLo36WE7kQ7WXtGa5LrNg==", - "17179869187": 
"W0olGmhu2tynHedsZVoJtaAWOE5KSbFiJlauEfzvp/hyVDy1v3y1E9Y+XuEIiy76ZTtPvdvyzJeu55dySNMHRw==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "bwrlsLw1FbkLgaMOSekEfXNFCw5sqCPAG1mvMkE4Okfe6FZtIcWBzH5kN+ep7kIMjASFSZw1mTaX5TbZfL0IAw==", - "21474836483": "GrbLm/gHDvfp3rmCF1HFsLdXeCw/ilCW6305iCTSQ7RvARKO4HTmIU6PLAyw26mCPjJeBBKi78lNKHxWIoDJmA==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "T/94KORZD0oHh+80AGX2c7YHaQO3vFvOwHrdqUFlDyYYPXEMqMoShyJd+NPn3n4ep8u4n0gWK2zTkrN410TpVQ==", - "25769803779": "TqAyy2fCwcUD5NLLWaymYZ2vQVJd3bRDkN7nde3YQPXZvOG9MOTZxcBVZRe+P6Dehn3Kmnr8MEqnoczEb2qfIw==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "4C6+feS/5AyM1YjE22TG9nBH+KpE1yhxjX7ZTOCoIkRYY2sHoIISJuL32Xw+S0fyoj2HHGFxohHjhoEZrRG5FA==", - "30064771075": "y7SpYihxP+5VWVGpXgeniBz+tvctV677tgWNdU8op3VRMe6Gu0t8MnZ+bEjLvwjcjIuL590KVAYd92HtVOp9Fw==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "Lwfsiiyfq8+T5z5MgeoFoXna4s7uJHhb6v1/aAUBs9ru+mE8FuThfWUijGC3L7VAqklrm1WaxV0Cc8wGS/1WUw==", - "34359738371": "VwnTnREGdeY8HgXf5xXuc6a2Px2amyTQiaoyFmKce+Q/fkP78x0BHgbbA9uFkLCVOJ9bxeO2r/Ux/Ef36IQ9sA==", - "38654705665": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "jyp5KCBLYGPZXkQvTJ1L5eU7u1KRMB4Qyk8aUvG0kcMoS5Wokg4zVTFJyN+Ycf3chtmeFHE4W93rRBIbI+doQQ==", - "38654705667": "Es+wSRa7bX3VMr808FG/EjPZJY9LYrbPq4sQetTwW180VS7Vdcbf23Yt6JJcDT9UeLXiYdrgXf1JE+dMTXU3GQ==", - "42949672961": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "42949672962": "12xI/QXPL9miaIqGFPB/lnkkhD7y9Ut363BgQ6fAtgjCwSyyl5J9JDooG3+prmBMeNS/XpKTtjQrBHILEiT6Cg==", - "42949672963": 
"mwAkfIjpwmBJ05r0l6K8ZWQyuTGH4ODzK7Ns6LO8Tz5ABBlUp6wcqEldBMaGcwdLjQasmD1lpcJtmvAQoj6t/A==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "l/VFyVg7a+16BXEc3UVNBbj8j/tlgTu5h400MNhM3V111lvl65aDaVAcWLEXJjQLcqeNvlUSre0LCM1NNU4aSg==", - "8589934597": "pGl4PgXQWfXzrL3RGYgUQq4gIbXF+dVYuHpySm5L2cyMRnqyzzyLCQsjMenVpaq96C0j5m27tF0rkXmS4knCvA==", - "8589934598": "14Alvy7RagG+S/ObxfLCadzBdWydbB/GuR9qgVvrZ91OY3MFuNwrZ9N154MFGEyTC5D8g5FbbCfDuIBf7LgBKQ==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "6zLMCQwlWdx9j+j/P486y+xUVvNSmMbeLT5DOEd9vcedRwoujogqkWXTp//UtJa3EgSxEluV/EwcIUgVH5+wJw==", - "8589934603": "LvJMOg+5LeeIK4nXaVEkyYRZUywFSQtATPsRuVJW2ZvrSG0P4Dn6g8BDq3ZkqkUE8bxqTr7wNo4KhFaC2Qwe3w==", - "8589934604": "EoAJGsyw6JhqDzOMtjQuCUDeOCs9vYo+U9J0EKz+zPnvVX24SDr0J/93dAhtnftwmeUildlaz6ke+m1MCudUhA==", - "8589934605": 
"eSXFBKYk0ShXrLbkDeCKortMnTd81nxDDHbRRZbm+AI5kd6ZPQSgprXFR6yMFPIhPNYCtekl/PlXIn0dlKo2Bg==", - "8589934606": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934607": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934608": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934609": "QnNiJ3C5BmSUDLltrTFZmk7JHBh4g+gUd+cDZEyzuV7LVD62DQRUOPkBATWctbUocQ9wpwnB0+49RPe62xWXIg==", - "8589934610": "ZbkZhWDMO3/TIikf/yEJPRAA3C0OhW5VIG9VWICL7CpxGNlUejAPMWrM010F9eirNgpYSYk++vAyVwesKu0Kxw==", - "8589934611": "dkeJoSk/0O5+4/W+zxR+1KbY3Ly8Iat2nBz+14pBBSuX5PQ/fY0c6loHg4I3p9/G+JUxGdgTHsFtyy28CGC5kQ==", - "8589934612": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934613": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934614": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934615": "8r4NESTFiFa+aKXOYibsZVC6sW1RGTzUfu8Wan01SNJfbQ6XEwx1LWH11yCfeIhxYEejXnKvjluCmRK9dldJbQ==", - "8589934616": "vs0JBDEdmt1GQ5ORwwGH5pux4Evag3exs3iueRKW4PXAGqnypQPioS694DJzgV8lWzsTZ8oxCpdKaQqjM7oBjA==", - "8589934617": "zQEb+9Q14duJhXu65rip2DofpTPOGhFChiiogabjncK1/Np+gKKh8/PoN4iCBMZxgFomNzX+Xfqw3PUb1zoDoQ==", - "8589934618": "R0HmKHjHKlvxOulABs/IH8JpEa/GnkSsNPE3OjV/Aajcd/bNLoZM0gm9dgjcM/W7UQmr+/kMCHkF2yWL91Wcmw==", - "8589934619": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934620": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934621": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934622": "7hIfNbJAIqkP1XqlXjeYB7tisd9vW3hclGszFA2UjpoBeVUffwkPqQi7g+eRNmdNK3856Qjo2oYHF4qo1clxxw==", - "8589934623": 
"+TB6l6dFgEwq2DrgC6gFxjsXzFwHOiJ3EvMbijWwOItWsPruJHf/C8+4Rkey/DM8QdfFQFRefXF8q17NxiOCCA==", - "8589934624": "lJ1RT6afhE8DIDa4snZ9n5xUbcS6Ux6xWls9eh45bSn+kLGXwMejgX9TQZd4CSMtUjvT0eF17cKX/OvD3HauTA==", - "8589934625": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934626": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934627": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934628": "c/gI4H9nIpTtopmYS1QQE8YhL1D3EsyWc1TDXZwDLZgxXkoi7d62RA3ygNoE9/Qx1gLc5T8Kv1YyJZsoJqvtmw==", - "8589934629": "VUU0/l1RTeLReIxQa5/LmYHdyTZopGf8O10YKmwT20K3Ig/GFRkqf76ya9nTkwoeCHfv6saZysWFI9yrxXh2Xw==", - "8589934630": "yCt165VvVakEvW8Ke8vURHGUfIhpwHtQ50l657A4fWcJJ6e8GJz7bL5JbYeXUtMShvFdd4JPmV89Dp35QwzWyg==", - "8589934631": "l/qwKqVjc+WI5SDpy6kM0DWDWVmKiAnaxp7/qLhFVQx4A10Cwgt4cIAU2me9FHCm/dS3EhTK8FJPNE1diEre3Q==", - "8589934632": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934633": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934634": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934635": "n5hR8A6R0x4ZFCiL34wW/iJq+TRlFvBKLLKVPCvej/Q1qxOHjiHVIdZAeqGJ2VBpp6lgo9VlLBPmttxkq07W5w==", - "8589934636": "Y+E5nWdgN3Dc147Deo25ynLAObqGm6biYi8DThwlNMs3RgkNx9jINX8YXv1ldK1H7AyKlpT8aA+ClLFrLLrDiw==", - "8589934637": "L9EXHPOgZeEB6s2i0pylljf5h8xBn2UccOiTfmHYun+stS8wIttT9D4idqscd7E/TvGEUBgtKVUuavMNkdO78w==", - "8589934638": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934639": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934640": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934641": 
"asiDSCAOcjnKxDjNYj4wrjbrtZE5gaQwqH5xQQDeNTXlJz7kaFaoabADPUn+aQ8dE6AMdQe0o7upsftn3j9T+g==", - "8589934642": "MQ2IPvSX9T0TzHOYxhxFN5vM9vs4gQwRgrJ1Y3o6EUwUN7m2vWZc39AJfKDrd+WfYb5waifklbjVC32PaH1VCw==", - "8589934643": "vwD+bw8dbcGLaopI6s0KE9lAKwwMzHT4Jx1pXNYkkvckqKvkTIdouy4qAo8mXRFHLM6Wp07AzDC53nb43To2uw==", - "8589934644": "clVo2GLXUkBQXsFoFo2QUwLqURriwKEnDH50Me4oScXRCeB993OhZwCcgJo0QHU8gYD3oS+ThJTbXdT53yIyjw==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "14Alvy7RagG+S/ObxfLCadzBdWydbB/GuR9qgVvrZ91OY3MFuNwrZ9N154MFGEyTC5D8g5FbbCfDuIBf7LgBKQ==": "[].contains()", - "EoAJGsyw6JhqDzOMtjQuCUDeOCs9vYo+U9J0EKz+zPnvVX24SDr0J/93dAhtnftwmeUildlaz6ke+m1MCudUhA==": "[].contains()", - "Es+wSRa7bX3VMr808FG/EjPZJY9LYrbPq4sQetTwW180VS7Vdcbf23Yt6JJcDT9UeLXiYdrgXf1JE+dMTXU3GQ==": " == \u003cref\u003e", - "GrbLm/gHDvfp3rmCF1HFsLdXeCw/ilCW6305iCTSQ7RvARKO4HTmIU6PLAyw26mCPjJeBBKi78lNKHxWIoDJmA==": " == \u003cref\u003e", - "IPpmMDGk9/lzdHCn38J9Qnw4W2vUcJ5DoXayqnA4bDb+mnoLgGtFV5j6+uta/mp3RErKNetMXAhT2nMsquPs3A==": " == \u003cref\u003e", - "L9EXHPOgZeEB6s2i0pylljf5h8xBn2UccOiTfmHYun+stS8wIttT9D4idqscd7E/TvGEUBgtKVUuavMNkdO78w==": "[].contains()", - 
"R0HmKHjHKlvxOulABs/IH8JpEa/GnkSsNPE3OjV/Aajcd/bNLoZM0gm9dgjcM/W7UQmr+/kMCHkF2yWL91Wcmw==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==": "if", - "TqAyy2fCwcUD5NLLWaymYZ2vQVJd3bRDkN7nde3YQPXZvOG9MOTZxcBVZRe+P6Dehn3Kmnr8MEqnoczEb2qfIw==": " == \u003cref\u003e", - "VwnTnREGdeY8HgXf5xXuc6a2Px2amyTQiaoyFmKce+Q/fkP78x0BHgbbA9uFkLCVOJ9bxeO2r/Ux/Ef36IQ9sA==": " == \u003cref\u003e", - "W0olGmhu2tynHedsZVoJtaAWOE5KSbFiJlauEfzvp/hyVDy1v3y1E9Y+XuEIiy76ZTtPvdvyzJeu55dySNMHRw==": " == \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "clVo2GLXUkBQXsFoFo2QUwLqURriwKEnDH50Me4oScXRCeB993OhZwCcgJo0QHU8gYD3oS+ThJTbXdT53yIyjw==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "dkeJoSk/0O5+4/W+zxR+1KbY3Ly8Iat2nBz+14pBBSuX5PQ/fY0c6loHg4I3p9/G+JUxGdgTHsFtyy28CGC5kQ==": "[].contains()", - "eSXFBKYk0ShXrLbkDeCKortMnTd81nxDDHbRRZbm+AI5kd6ZPQSgprXFR6yMFPIhPNYCtekl/PlXIn0dlKo2Bg==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "l/qwKqVjc+WI5SDpy6kM0DWDWVmKiAnaxp7/qLhFVQx4A10Cwgt4cIAU2me9FHCm/dS3EhTK8FJPNE1diEre3Q==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "lJ1RT6afhE8DIDa4snZ9n5xUbcS6Ux6xWls9eh45bSn+kLGXwMejgX9TQZd4CSMtUjvT0eF17cKX/OvD3HauTA==": "[].contains()", - "mwAkfIjpwmBJ05r0l6K8ZWQyuTGH4ODzK7Ns6LO8Tz5ABBlUp6wcqEldBMaGcwdLjQasmD1lpcJtmvAQoj6t/A==": " == \u003cref\u003e", - "vwD+bw8dbcGLaopI6s0KE9lAKwwMzHT4Jx1pXNYkkvckqKvkTIdouy4qAo8mXRFHLM6Wp07AzDC53nb43To2uw==": "[].contains()", - "y7SpYihxP+5VWVGpXgeniBz+tvctV677tgWNdU8op3VRMe6Gu0t8MnZ+bEjLvwjcjIuL590KVAYd92HtVOp9Fw==": " == \u003cref\u003e", - "yCt165VvVakEvW8Ke8vURHGUfIhpwHtQ50l657A4fWcJJ6e8GJz7bL5JbYeXUtMShvFdd4JPmV89Dp35QwzWyg==": "[].contains()", - "zQEb+9Q14duJhXu65rip2DofpTPOGhFChiiogabjncK1/Np+gKKh8/PoN4iCBMZxgFomNzX+Xfqw3PUb1zoDoQ==": "[].contains()" - } - }, - "version": 
"unstable", - "min_mondoo_version": "5.0.0" - } - }, - "AjsJ60JDOuU=": { - "query": "service(\"tftp.socket\").enabled == false\nservice(\"tftp.socket\").running == false\n", - "checksum": "3DGQcFZWyRo=", - "datapoints": [ - "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==", - "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==", - "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==", - "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==" - ], - "code": { - "code_v2": { - "id": "AjsJ60JDOuU=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGZ0cC5zb2NrZXQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGZ0cC5zb2NrZXQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "cM7YhiANU1TI5BNXUwBXFWOyWZHKx+GR/YPm/hhHAEtGlWvvOhGzFXntb8bOHt+RZoOKpgIiruUVQfygTYu63g==", - "4294967298": 
"+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==", - "4294967299": "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==", - "4294967300": "cM7YhiANU1TI5BNXUwBXFWOyWZHKx+GR/YPm/hhHAEtGlWvvOhGzFXntb8bOHt+RZoOKpgIiruUVQfygTYu63g==", - "4294967301": "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==", - "4294967302": "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==" - } - }, - "source": "service(\"tftp.socket\").enabled == false\nservice(\"tftp.socket\").running == false\n", - "labels": { - "labels": { - "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==": "service.enabled", - "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==": "service.enabled == false", - "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==": "service.running == false", - "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Au17Pta3l0A=": { - "query": "service(\"ypserv\").enabled == false\nservice(\"ypserv\").running == false\n", - "checksum": "5egvrxHVWlA=", - "datapoints": [ - "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==", - "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==", - "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==", - "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==" - ], - "code": { - "code_v2": { - "id": "Au17Pta3l0A=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - 
"value": "eXBzZXJ2" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "eXBzZXJ2" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "MLAo6t6rvaJ6T+A9f1jhL3S8rexgBlrK2x2aFT67o3dOgNrnIJkdgoAx4X81Q8bK5ddFs6oyTMIVFWMdU+dHDg==", - "4294967298": "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==", - "4294967299": "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==", - "4294967300": "MLAo6t6rvaJ6T+A9f1jhL3S8rexgBlrK2x2aFT67o3dOgNrnIJkdgoAx4X81Q8bK5ddFs6oyTMIVFWMdU+dHDg==", - "4294967301": "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==", - "4294967302": "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==" - } - }, - "source": "service(\"ypserv\").enabled == false\nservice(\"ypserv\").running == false\n", - "labels": { - "labels": { - "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==": "service.running == false", - "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==": "service.enabled", - 
"tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==": "service.enabled == false", - "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "BJ3P14TOMTU=": { - "query": "if( package(\"postfix\").installed ) {\n parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"localhost\" || parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"loopback-only\"\n}\nif( package(\"exim4\").installed ) {\n parse.ini(\"/etc/exim4/update-exim4.conf.conf\").params[\"dc_local_interfaces\"] == \"'127.0.0.1 ; ::1'\"\n}\nsocketstats.openPorts.none(25)\n", - "checksum": "Lt3mMhZUFf4=", - "datapoints": [ - "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==", - "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==", - "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==", - "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==" - ], - "code": { - "code_v2": { - "id": "BJ3P14TOMTU=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cG9zdGZpeA==" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "ZXhpbTQ=" - } - ] - } - 
}, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "ioCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "socketstats" - }, - { - "call": 1, - "id": "openPorts", - "function": { - "type": "\u0019\u0007", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "kICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "$none", - "function": { - "type": "\u0004", - "binding": 4294967305 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967306 - ], - "datapoints": [ - 4294967305 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9wb3N0Zml4L21haW4uY2Y=" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "aW5ldF9pbnRlcmZhY2Vz" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "bG9jYWxob3N0" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9wb3N0Zml4L21haW4uY2Y=" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 8589934597 
- } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "aW5ldF9pbnRlcmZhY2Vz" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "bG9vcGJhY2stb25seQ==" - } - ], - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "kICAgEA=" - } - ], - "binding": 8589934596 - } - } - ], - "entrypoints": [ - 8589934601 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9leGltNC91cGRhdGUtZXhpbTQuY29uZi5jb25m" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "ZGNfbG9jYWxfaW50ZXJmYWNlcw==" - } - ], - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "JzEyNy4wLjAuMSA7IDo6MSc=" - } - ], - "binding": 12884901891 - } - } - ], - "entrypoints": [ - 12884901892 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0005", - "value": "Mg==" - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - } - ], - "checksums": { - "12884901889": "G9ot4zCiaUzA190teq1kWZS6RFOTfg5Iy6D7kjUKzsmh5/NyIax6/LVFx5yyTu2jTrvfJ2lHIPEWn956bLAVBA==", - "12884901890": 
"PpKKOKEi2pwnvbNk44xeoFmbDhHxKuDxCsmK1Loo5IAK7Zs+AbTnzQ50s9N8QkG9S40H0N8H4hkTV1m8rjNzJQ==", - "12884901891": "fKzxo9CrEty+QkUUsD7aUvvjYPW4mxf2uE95wjtFT6Uxvi6lGjyUc8bBC0/u5DD7aoDIq9Zv1USQ1tycE3oagg==", - "12884901892": "ACwB9ZCeRCXeG5TKhUIdF2EZc3jJRbnj0/E7uqcUuSDWDayD0V+b/OU+RK/4DS8jWC50G+HURrItqzeUeO8BHw==", - "17179869185": "vo+WWIbzqq2zo9osnHvW9XbJgJCJpCYXOh08ZTrQuISlkzt3XkceAz369R/cynP92sV8cExzzUA1aRRNIO6Nqw==", - "17179869186": "J/dEqmewbOIJjnzXfDC9dSwapJSLYnMnMq9vJsFMnl4jBvAVlDm8FhXwytqfA1viX8p1Qd010oJGWLnXETiSaQ==", - "17179869187": "ikwf53idvBYkmApnBA2pgGff4TVlABkt9e/CDafAKox1oKkKXntJ5nFjMExQ5iM3OB7JgcEUV7AxhEF9XxjOCA==", - "4294967297": "mpQhlEDvP3WtwPQKLWXlRBMNgsobmWK6gHqSg7w1r+US1xCxXW4yj/blMpr5SyDiFMD8KjJf/kJbtDYCKJyGiQ==", - "4294967298": "wwKDpVa6FUX+G9iF0lXPMBgaA2IX7I9UV5O3eilC6aA2Prx/jiCDbnMV8DpfuD8rxauq06I3YQm+Pps/brsUeg==", - "4294967299": "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==", - "4294967300": "5DxsinEZ/b9QjIK9qO5txH2pLpHgRVlOj3XPNSBGvL2nuP068wW7hGot2csgLXdk34k7BL9TJIIkeAOBOdloFg==", - "4294967301": "synqhyg3dj1yqICC2Voc7dqymQ0++gmPyltzTbrhJGPY+aPVTXBTEiWHS1cO+V5plkwyN8CUs+apoZnyIiqbKw==", - "4294967302": "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==", - "4294967303": "FWNGNzqV62y1Tx4czZ2X/Bs6z3nvc2evKXXivs6Faw5q2/bPTWBIN8IGHxK9EqFZF3qNd24b+rTPPoET+JoG6g==", - "4294967304": "vo+WWIbzqq2zo9osnHvW9XbJgJCJpCYXOh08ZTrQuISlkzt3XkceAz369R/cynP92sV8cExzzUA1aRRNIO6Nqw==", - "4294967305": "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==", - "4294967306": "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==", - "8589934593": "3X0A97XzPqV/1F8EezOJT9MmpR2R2UcbOzYg91NctGIYAJvrQWGaQaFZa3aC+BcEsWEudS6787i6ycfItuQfXg==", - "8589934594": "zuhYeM04tAhsyRXS+dQKg/edav2Ax70pu/Ftm8h4O2ND2gNoFWaeNmUDeL1cUrdncYvRDe4RZYPrYma+X+oBxg==", - "8589934595": 
"KTRbW1NpF+w/ebxxR+7kas6S3KcTC/uDe80zyoxv+814yaTRlCm1J26L1rSZ8It11bnqfeDRyE+AVbsLQckdTw==", - "8589934596": "EmXkKKAr1r4MIFzbe5E1WQuecwuXG6rfz+fTjVGZGJZLurjv57t8R1LnMHbKi5DlY3jqQuuV3G1uEgnF9Ya5PQ==", - "8589934597": "3X0A97XzPqV/1F8EezOJT9MmpR2R2UcbOzYg91NctGIYAJvrQWGaQaFZa3aC+BcEsWEudS6787i6ycfItuQfXg==", - "8589934598": "zuhYeM04tAhsyRXS+dQKg/edav2Ax70pu/Ftm8h4O2ND2gNoFWaeNmUDeL1cUrdncYvRDe4RZYPrYma+X+oBxg==", - "8589934599": "KTRbW1NpF+w/ebxxR+7kas6S3KcTC/uDe80zyoxv+814yaTRlCm1J26L1rSZ8It11bnqfeDRyE+AVbsLQckdTw==", - "8589934600": "2LX9AlTQi89O58Xs8HOPtDRIFcSXEXR8yub9jg8mZ/+Z5xeRL7tkOkxuGLBdiHhkXhVYIiWRaYZwGRmwAi7T8Q==", - "8589934601": "dr+tUBSXYzribfht3oidFvDV/hKXbzxMiAzbUVuOJo+Qsf/Mq4zROWeHbZ8F8Pt3ACbhAScuuw3mbzptIVi53w==" - } - }, - "source": "if( package(\"postfix\").installed ) {\n parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"localhost\" || parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"loopback-only\"\n}\nif( package(\"exim4\").installed ) {\n parse.ini(\"/etc/exim4/update-exim4.conf.conf\").params[\"dc_local_interfaces\"] == \"'127.0.0.1 ; ::1'\"\n}\nsocketstats.openPorts.none(25)\n", - "labels": { - "labels": { - "ACwB9ZCeRCXeG5TKhUIdF2EZc3jJRbnj0/E7uqcUuSDWDayD0V+b/OU+RK/4DS8jWC50G+HURrItqzeUeO8BHw==": "parse.ini.params[dc_local_interfaces] == \"'127.0.0.1 ; ::1'\"", - "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==": "if", - "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==": "[].none()", - "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==": "if", - "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==": "socketstats.openPorts.where", - "dr+tUBSXYzribfht3oidFvDV/hKXbzxMiAzbUVuOJo+Qsf/Mq4zROWeHbZ8F8Pt3ACbhAScuuw3mbzptIVi53w==": "parse.ini.params[inet_interfaces] == \"localhost\" || \u003cref\u003e", - 
"ikwf53idvBYkmApnBA2pgGff4TVlABkt9e/CDafAKox1oKkKXntJ5nFjMExQ5iM3OB7JgcEUV7AxhEF9XxjOCA==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "FbII7up+bkQ=": { - "query": "files.find(from: \"/var/log\", type: \"file\").list {\n # @msg Please adjust file permissions for ${ basename } in folder ${ dirname }\n path\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "checksum": "EC2QFcB0peY=", - "datapoints": [ - "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==" - ], - "code": { - "code_v2": { - "id": "FbII7up+bkQ=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "files.find", - "function": { - "type": "\u001bfiles.find", - "args": [ - { - "type": "\u0007", - "value": "ZnJvbQ==" - }, - { - "type": "\u0007", - "value": "L3Zhci9sb2c=" - }, - { - "type": "\u0007", - "value": "dHlwZQ==" - }, - { - "type": "\u0007", - "value": "ZmlsZQ==" - } - ] - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bfile", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "path", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - 
"binding": 8589934596 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 8589934604 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934605 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934608 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594, - 8589934597, - 8589934600, - 8589934603, - 8589934606, - 8589934609 - ] - } - ], - "checksums": { - "4294967297": "zOK0G443jgVjJNPgqrdBco10xt3ttnJIL+JIvanv0oQCzuBCK2KM0tby08uJCsr37lVylIrOChbwhuFiz12TPQ==", - "4294967298": 
"HFZi7PbJBgo+qm5sYbSB5HLucBZCtaFrDfPWC1B//vPbdZkeFqlqDUzCgoRcEfgv+oeKvuGKxyyIY4UOVYyDqg==", - "4294967299": "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==", - "8589934593": "HFZi7PbJBgo+qm5sYbSB5HLucBZCtaFrDfPWC1B//vPbdZkeFqlqDUzCgoRcEfgv+oeKvuGKxyyIY4UOVYyDqg==", - "8589934594": "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==", - "8589934595": "R50y19ygin8xIfjSRdoX8YWkK5nf9Uhn+uYfvCddrZAz+AUqzBnrFn+8HPRK39up2bsrckEeI+uiClE35enqzw==", - "8589934596": "tcVxHNkmrUMO6+eP0MqLO9zjkvSibUEOU1FX8sRgBk/VUa5/IfeFeHTbu+e+LJ/u/JGK8JxRcoE/eYReyHhTUw==", - "8589934597": "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==", - "8589934598": "R50y19ygin8xIfjSRdoX8YWkK5nf9Uhn+uYfvCddrZAz+AUqzBnrFn+8HPRK39up2bsrckEeI+uiClE35enqzw==", - "8589934599": "+ceFIrAEUYz7zGAGMJsEkbdF0V4ba7+cAu+GJm3/bVoBPdXJ84PZHMHl7kZls4UHN1Rhwr3I7A6zhXuS9nB7oA==", - "8589934600": "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==", - "8589934601": "R50y19ygin8xIfjSRdoX8YWkK5nf9Uhn+uYfvCddrZAz+AUqzBnrFn+8HPRK39up2bsrckEeI+uiClE35enqzw==", - "8589934602": "buDzPzc91juRKQBuOwCRyQCc7slN/5EhfkQd1hGq/dng6W/pLGpMWCgxCbU/N9SkAAcDw+6lUE85H5BkCipRRg==", - "8589934603": "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==", - "8589934604": "R50y19ygin8xIfjSRdoX8YWkK5nf9Uhn+uYfvCddrZAz+AUqzBnrFn+8HPRK39up2bsrckEeI+uiClE35enqzw==", - "8589934605": "WtY+I2M0mnNx3JmGFe6TRTMDxM/gzovTz0h035ltEIhP7mXz/01eDgs/yDEAey/LZDgABW/B4gV1F9a3XrYZ4Q==", - "8589934606": "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==", - "8589934607": "R50y19ygin8xIfjSRdoX8YWkK5nf9Uhn+uYfvCddrZAz+AUqzBnrFn+8HPRK39up2bsrckEeI+uiClE35enqzw==", - "8589934608": "lidMFo/CZ7ihhS5GUqnW62lFdOy1DoFqQbTIlrKe8BfMApzcjga5UNQZquKLWJAp/StwqN+oX4UiWM5Lvtbyow==", - "8589934609": 
"q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==" - } - }, - "source": "files.find(from: \"/var/log\", type: \"file\").list {\n # @msg Please adjust file permissions for ${ basename } in folder ${ dirname }\n path\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "labels": { - "labels": { - "1FqHLx40s/JtsY+oWvmeHcby/n0oRNIk4plA1zHQDdbJA2vJr2c6TK6w9FgPu85za9RMWWr94Vg3MhT83ncPyA==": "permissions.other_writeable == false", - "2VTYs6hPuMTVl7ppXmlkm5IG6HD5mQF/F9s/cxYk0aNUYl2dQv6wMwmlvQe2JOSkRffWDoktBr9WIjhhSCBh0w==": "permissions.group_executable == false", - "9XLYETvA1r98yVBGS4G2Vu7I17+RcSFmmNJ0YEzdi3WWABt6IIZn7/XoJoVy3SGuuAjHC964YnTDK06tsHfYlA==": "permissions.group_writeable == false", - "fkvj15sxTFfEd1KPONy4H4UByH2UbUzV7E+WfMi4EdlzR0RKhaLDHJyB+Fr3V+RwugWT6olpvZ/Gxa2hZPw25Q==": "path", - "nX/obD4mzYEQN9Fa36a0b+dSoqXgcZnJ4dzctdo2qhrQ90cqvJ02jRswjHmwZVmtrNk9o7yg2YTdXhsfHM5LMQ==": "permissions.other_readable == false", - "q+hFH3JaZ+MhN+eeMsYN4xGRuQjvPXsib9X1Aso5TvQ+l0QiVnn97XBJqpOmHVwo6WpzWAJCnut5zyUq7al7hA==": "permissions.other_executable == false", - "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==": "files.find.list" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "FrdMe+1q6Bc=": { - "query": "if (file(\"/etc/gshadow\").exists) {\n file(\"/etc/gshadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "Rg2szNDV7Co=", - "datapoints": [ - "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==" - ], - "code": { - "code_v2": { - "id": "FrdMe+1q6Bc=", - "blocks": [ 
- { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9nc2hhZG93" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9nc2hhZG93" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - 
"type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901903 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907 - ] - } - ], - "checksums": { - "12884901889": "27yj1h+sIjvDhAlnEcneMmbS9uEK01npYAa5c96ye4ZeQP1IUQeWvlqgNy1ystGKS6H5dcbXATPvu7YoQylAwQ==", - "12884901890": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901891": 
"LCeNHHkv9SNp4kBT+osLihoL/Ycbgu2KkIevZ8F2lR9GyOARH3mULivP99ibp512UR0R1QhX1V7+qyA42SOr8w==", - "12884901892": "X9YH3CGS2BOipTc7pxRAaJGJivLhKA0IiBkU1bnBRAHn+8jHv0uYWni8j0N0TJ40iFLyvsvaSmKbZFKtgchxjQ==", - "12884901893": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901894": "PBsj62qaqlmZGoOfZkh0iAN00L0GGF5jDbKOntO5xmvF7xHJikM/48ZJBmpqEbDHlDTiQjzgbOiJvueNqgFraw==", - "12884901895": "MzZC2uAEtImax9N96uDzfTsdvvs43XOvHoTpDHl0X7NUFuCkDeYCbb7YwWYLOdOtyGJUSuKN8tvTgZBOToZsug==", - "12884901896": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901897": "mGHpeHJfGco6qFUXT19BfxsSNfUVdY7iNwsYeGFHSVrkJH6AarQEhJP5qJXR9JIkoMV+T1v/+6lKd1BgqUk3XQ==", - "12884901898": "GBU9R8Ym/GyFLF+1f+mfvA5gwZNQlyycfdFZKJxkDtv2Md6DxZHDvlFFgwWsIUHy/PA5LDk0c5I5PUFuoCo1Rw==", - "12884901899": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901900": "0y3/vje9T9rLulAmiAZzcScDyuZRvm4iRrmyDGb+WaVf+6sm6KpTIiFrH10tiBjHHZVw4Z+8slaqXtGYSa95lQ==", - "12884901901": "uFgtM4VqHdGZrtL04zcQ+QZRo74Q+RZlPs1veWuZunMNPsMExVN+NG+qJ35VkPmxrT7GAoE6dukWqFjNWgVSFg==", - "12884901902": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901903": "YCs7gX1LC7Szahq9JuaQM/AEV63K1hMd/RdRtIxPIIO0zsTebZzOjuc8wXMop12oEyoPDeXKD0mM/Lae/5FcfA==", - "12884901904": "s0Oz0HkByctrSaRZaisAt4j5RiIzxuXSWgoTm7rfZhh8mR8L/BBM/7eQ64Y9VRzS3nU2hcJ36ZwrGwV0fTiMDQ==", - "12884901905": "nwTRwd9l1oKN5tB1++OkOWZ9JwGMw2umIWXYtD3c5bFQ3uRzoCLEDB5RZ0TeJ7DuOWdd8IECQj7noBxL6Dib9g==", - "12884901906": "d/OqUBiXBq9LzQ/MblhEuUA/SDORcBQgXXrPQjL1Gv/D/IVMgMBgCA/ytnWex9/w/1pJJftm6+Weozs+U4WdAA==", - "12884901907": "GeCVZqQA+yvyXH7SRzjhJzdzoXrsJ9pJiUcquKKnXCadr9Y6qSy6ullFgx4/wINba2tJe/72wSNdsmVA47DaTg==", - "4294967297": "27yj1h+sIjvDhAlnEcneMmbS9uEK01npYAa5c96ye4ZeQP1IUQeWvlqgNy1ystGKS6H5dcbXATPvu7YoQylAwQ==", - "4294967298": 
"1tda+FTxTrJCfsDjV6EHFoa4A9T3Yl7gMW987xoNPi/Jy/j84XeIqbcF3FkULbiKWjkCaXneAzNK8o1ZUZwraA==", - "4294967299": "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==", - "8589934593": "27yj1h+sIjvDhAlnEcneMmbS9uEK01npYAa5c96ye4ZeQP1IUQeWvlqgNy1ystGKS6H5dcbXATPvu7YoQylAwQ==", - "8589934594": "ifp9Oy2txSgf83mD3FLqCsGOe7VxiWsnarmDmSIPpxkIqPdii54Apl5aoJ4SCESxTUyhAxnxrHtZ2GeGvsMQfA==" - } - }, - "source": "if (file(\"/etc/gshadow\").exists) {\n file(\"/etc/gshadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "GBU9R8Ym/GyFLF+1f+mfvA5gwZNQlyycfdFZKJxkDtv2Md6DxZHDvlFFgwWsIUHy/PA5LDk0c5I5PUFuoCo1Rw==": "permissions.group_executable == false", - "GeCVZqQA+yvyXH7SRzjhJzdzoXrsJ9pJiUcquKKnXCadr9Y6qSy6ullFgx4/wINba2tJe/72wSNdsmVA47DaTg==": "permissions.other_executable == false", - "MzZC2uAEtImax9N96uDzfTsdvvs43XOvHoTpDHl0X7NUFuCkDeYCbb7YwWYLOdOtyGJUSuKN8tvTgZBOToZsug==": "permissions.group_writeable == false", - "X9YH3CGS2BOipTc7pxRAaJGJivLhKA0IiBkU1bnBRAHn+8jHv0uYWni8j0N0TJ40iFLyvsvaSmKbZFKtgchxjQ==": "permissions.user_executable == false", - "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==": "if", - "ifp9Oy2txSgf83mD3FLqCsGOe7VxiWsnarmDmSIPpxkIqPdii54Apl5aoJ4SCESxTUyhAxnxrHtZ2GeGvsMQfA==": "file", - "s0Oz0HkByctrSaRZaisAt4j5RiIzxuXSWgoTm7rfZhh8mR8L/BBM/7eQ64Y9VRzS3nU2hcJ36ZwrGwV0fTiMDQ==": "permissions.other_writeable == false", - "uFgtM4VqHdGZrtL04zcQ+QZRo74Q+RZlPs1veWuZunMNPsMExVN+NG+qJ35VkPmxrT7GAoE6dukWqFjNWgVSFg==": "permissions.other_readable == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Gjj6ZTcWK1M=": { - "query": "file(\"/etc/security/limits.conf\").content.lines.where( _ == /^[^#]/ ).where( _.contains(\"core\") ) {\n _ == 
/\\*\\s+hard\\s+core\\s+0/\n}\nkernel.parameters['fs.suid_dumpable'] == 0\nif(service(\"coredump\").enabled || service(\"coredump\").running) {\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['ProcessSizeMax'] == 0\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['Storage'] == 'none'\n}\n", - "checksum": "GVQ1BM6gWsk=", - "datapoints": [ - "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==", - "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==", - "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==", - "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==", - "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==", - "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==" - ], - "code": { - "code_v2": { - "id": "Gjj6ZTcWK1M=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zZWN1cml0eS9saW1pdHMuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": 
"\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "ZnMuc3VpZF9kdW1wYWJsZQ==" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967305 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "Y29yZWR1bXA=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "Y29yZWR1bXA=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "nICAgCA=" - } - ], - "binding": 4294967308 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "noCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967302, - 4294967306, - 4294967312 - ], - "datapoints": [ - 4294967305, - 4294967308, - 4294967310 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": 
"XlteI10=" - } - ], - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "contains\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "Y29yZQ==" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901890 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XCpccytoYXJkXHMrY29yZVxzKzA=" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869186 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2NvcmVkdW1wLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "sections", - "function": { - "type": "\u001a\u0007\u001a\u0007\u0007", - "binding": 21474836481 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u001a\u0007\u0007", - "args": [ - { - "type": "\u0007", - "value": "Q29yZWR1bXA=" - } - ], - "binding": 21474836482 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "UHJvY2Vzc1NpemVNYXg=" - } - ], - "binding": 21474836483 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 21474836484 - } - }, - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2NvcmVkdW1wLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "sections", - "function": { - "type": 
"\u001a\u0007\u001a\u0007\u0007", - "binding": 21474836486 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u001a\u0007\u0007", - "args": [ - { - "type": "\u0007", - "value": "Q29yZWR1bXA=" - } - ], - "binding": 21474836487 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "U3RvcmFnZQ==" - } - ], - "binding": 21474836488 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "bm9uZQ==" - } - ], - "binding": 21474836489 - } - } - ], - "entrypoints": [ - 21474836485, - 21474836490 - ] - } - ], - "checksums": { - "12884901889": "7x0KWbIcSIIDxv1mHxrr2Hu6mkYiwjwUgu04JKiGcMg966URbntTLjd3srUgIsrsIhN2l2I382g9Hy+hhAqDpg==", - "12884901890": "2x4qL0qOix/mtXA31Lm4zT28kyiRfhLXb74dK91fpW60Kp8R88wqm02kyqBoBi7OVpv4MaI/cWa0tYjxjtGnbg==", - "17179869185": "kTPCIh7cZFqTsr/wKmN+aN8+WHMYkmp++F8MV9N7ZWMCk3gx1xRSFKABmgguw0s6cIxXqV75wNZW/Vhvr4GVjQ==", - "17179869186": "7FKZ18i/jVw3e/KVinlh5AAkxC0k5MWJYYrK2Gri6tMR/3sNKtUJ8SomriSPs24YLr2ffBTp9DgIOwagUDXKfg==", - "21474836481": "Qht5ga+qC3aZFMXBnORhr+sTc7oAcQmDCKf0zkEJ48GMNtiKBRXdQFWlTLWyMyQI0Dge098aIfFC6xz2AkLlhQ==", - "21474836482": "k/cw4cad3tbxWxZXx0TI7/s7V277ytOll28l5/xqt0gsCCSVYezaJbFHqowUz7Dx2teENgi0CtULLZsjzyq8TQ==", - "21474836483": "V9LDRX7QNc1dI6eQPcUeIa5Yayz0L9AeYHqJE1PRxjuNA0CWRA8D2xYpmkYN4venic18pk+iZRcP7CFxCrGJNg==", - "21474836484": "i8wMlMN/N1r2eMI4CfttcQuUS/LnvY8DyYXLYIQGhakv3Rzn7z7rGXYN0kDSpJWlKh3LJLfR/Eej2A/2VXSdUg==", - "21474836485": "oszj9hkRRjAqWNHhBL4iPjHFS3ytcRGNMB6XqZATdXlmLVxtKLOnGbJ8nqgc6neUYMrqR1x50UlUvirJUvRR7w==", - "21474836486": "Qht5ga+qC3aZFMXBnORhr+sTc7oAcQmDCKf0zkEJ48GMNtiKBRXdQFWlTLWyMyQI0Dge098aIfFC6xz2AkLlhQ==", - "21474836487": "k/cw4cad3tbxWxZXx0TI7/s7V277ytOll28l5/xqt0gsCCSVYezaJbFHqowUz7Dx2teENgi0CtULLZsjzyq8TQ==", - "21474836488": "V9LDRX7QNc1dI6eQPcUeIa5Yayz0L9AeYHqJE1PRxjuNA0CWRA8D2xYpmkYN4venic18pk+iZRcP7CFxCrGJNg==", - 
"21474836489": "AgP79spcWxOQAQdDLS7yHPFfOxPgih2TzlfuA+Dpw2Lg0D4D/Bx/tu4Vn40Pmte64wwTAxGrSgPQcVemcmdqzw==", - "21474836490": "9tPJ1bD/NosGIfu3fYAvaZwrc7gJjThLnLAufOduHLhwcis+7uI4OyxCveIfP6L2HNmq42EGyZCsDvN032MdKg==", - "4294967297": "S81C6HO5lGRyAsFNAZLTwnAE9ymNomllRhS8wCgwKbc42DbYZzoR7el+llmiEdPVOSshPEUqLgDNoAtWaAuwVQ==", - "4294967298": "JJXnU+9921XWwrJrysgtUKqlYeEKCn5YsEbX67xKFB/u8iGSpLsSQRMZCCDagyKvb3SoqfXKjiEFN0CwrzWgPw==", - "4294967299": "Wu7owx2C74bEyvy+QlEW95PGRwEIOFE5zF7BeGxzrhwck7+7+JmV1/1MMlLDG7CuRUIHdmndUlCZmpCAOOvCsw==", - "4294967300": "7x0KWbIcSIIDxv1mHxrr2Hu6mkYiwjwUgu04JKiGcMg966URbntTLjd3srUgIsrsIhN2l2I382g9Hy+hhAqDpg==", - "4294967301": "kTPCIh7cZFqTsr/wKmN+aN8+WHMYkmp++F8MV9N7ZWMCk3gx1xRSFKABmgguw0s6cIxXqV75wNZW/Vhvr4GVjQ==", - "4294967302": "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==", - "4294967303": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967304": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967305": "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==", - "4294967306": "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==", - "4294967307": "T5BbmjOPoCeGuGCAwDi1tHQICYesexKlgD82gVtZbsCAjazqIBnNEqfx3pNr5xrddTqiN/SAI5f4YakCIraTdg==", - "4294967308": "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==", - "4294967309": "T5BbmjOPoCeGuGCAwDi1tHQICYesexKlgD82gVtZbsCAjazqIBnNEqfx3pNr5xrddTqiN/SAI5f4YakCIraTdg==", - "4294967310": "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==", - "4294967311": "i3Y2WTVqEaN28hSJ8SkdKl5nkHCDegQBe8XECNVM2g7YvUFJUQOBX34KzDIJYM6vzTBPG/UrzlZHZ96LtqqGfA==", - "4294967312": "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==", - "8589934593": 
"Wu7owx2C74bEyvy+QlEW95PGRwEIOFE5zF7BeGxzrhwck7+7+JmV1/1MMlLDG7CuRUIHdmndUlCZmpCAOOvCsw==", - "8589934594": "iOFvmWeWSwnn7Z+SNt4RxXSdk1QB8qqjgtivglT70d0YxnV4AOyDil8GHlhgu3s3M3vXTF0i178D0KOXnAzZZQ==" - } - }, - "source": "file(\"/etc/security/limits.conf\").content.lines.where( _ == /^[^#]/ ).where( _.contains(\"core\") ) {\n _ == /\\*\\s+hard\\s+core\\s+0/\n}\nkernel.parameters['fs.suid_dumpable'] == 0\nif(service(\"coredump\").enabled || service(\"coredump\").running) {\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['ProcessSizeMax'] == 0\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['Storage'] == 'none'\n}\n", - "labels": { - "labels": { - "2x4qL0qOix/mtXA31Lm4zT28kyiRfhLXb74dK91fpW60Kp8R88wqm02kyqBoBi7OVpv4MaI/cWa0tYjxjtGnbg==": "contains", - "7FKZ18i/jVw3e/KVinlh5AAkxC0k5MWJYYrK2Gri6tMR/3sNKtUJ8SomriSPs24YLr2ffBTp9DgIOwagUDXKfg==": " == /\\*\\s+hard\\s+core\\s+0/", - "9tPJ1bD/NosGIfu3fYAvaZwrc7gJjThLnLAufOduHLhwcis+7uI4OyxCveIfP6L2HNmq42EGyZCsDvN032MdKg==": "parse.ini.sections[Coredump][Storage] == \"none\"", - "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==": "kernel.parameters[fs.suid_dumpable] == 0", - "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==": "service.running", - "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==": "service.enabled", - "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==": "if", - "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==": "kernel.parameters[fs.suid_dumpable]", - "iOFvmWeWSwnn7Z+SNt4RxXSdk1QB8qqjgtivglT70d0YxnV4AOyDil8GHlhgu3s3M3vXTF0i178D0KOXnAzZZQ==": " == /^[^#]/", - "oszj9hkRRjAqWNHhBL4iPjHFS3ytcRGNMB6XqZATdXlmLVxtKLOnGbJ8nqgc6neUYMrqR1x50UlUvirJUvRR7w==": "parse.ini.sections[Coredump][ProcessSizeMax] == 0", - 
"yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==": "file.content.lines.where.where" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Gjm+13rDf3o=": { - "query": "if (file(\"/etc/passwd-\").exists) {\n file(\"/etc/passwd-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "oQHjQWIi6es=", - "datapoints": [ - "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==" - ], - "code": { - "code_v2": { - "id": "Gjm+13rDf3o=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9wYXNzd2Qt" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9wYXNzd2Qt" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": 
"\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_readable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901903 - } - }, - { - "call": 1, 
- "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901908 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901909 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907, - 12884901910 - ] - } - ], - "checksums": { - "12884901889": "iTjmLCIgd6eNCoUIK/4fCCGDrPbEYkviuACFOKGvbsbuND0fQmM+DncdThQnhhtTk1ncIzqIYa1dr9Dv1hFbNg==", - "12884901890": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901891": "uQdV36fsHDe+1afNTN4pwpQJTF8zdParOl3WGg/B2G6ZMnumsvsc5z0/ot1FqIlbhI0kwt3hugPZtvzXn1TDQw==", - "12884901892": "F+beOvkTkg1/aI7g+OqS2edsgIJWZsfv8EOT8reqXthVtoTiFkHd0WALUHTgINviGnROydYwBqRxluAUaxODmg==", - "12884901893": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901894": "+1qRtx9kFko8zs0Bbc7O03wstVmkK4iDDnW5FMHJMZRjZA8T//KPUEBWK4h9e6Zs46Pf8RyAype4Hu29krAdNA==", - "12884901895": "i8ACRicbdRL/5KuJ56Jl5CkKSg1On7fdlKvMTzknFxI9NFJWySwPCbmHaPDE0D1uO1Jk7KSbCfOvhOB0ZIE+VQ==", - "12884901896": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901897": "Hpunw14isjrYl/8T+Q+luQXL7g4qKGZ1utsVgX7sJRiTw/mzPozGhTnbg6KKwxhZfLD7/qPIV/k0ACneu7jBVQ==", - "12884901898": 
"mfkNI8OTRDvYTCa2VnLqzxZKxPU28+Z/Rv0zdSRTrlv0gTWdFEi/RTSmhTFSNhcYdpIYVizLi6TGVxIHv9GBbw==", - "12884901899": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901900": "fTyHIWUX+stNc7O+VNmVvGnXK/dy1Px4ETXpMpP5HneAONKVkzGn354IcjyjB1ATIEl0Lwa2tlRM1WLsmGqJhA==", - "12884901901": "ADxZ6Ef0QR4Nl1QrLeuHlXVwLkCZkQgi4QrqrUhtqNhmxpufVydt6z94I0JjfrtehEe2V1/xIBTNAk3j54NtKg==", - "12884901902": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901903": "xHUIx0KSyf3iADBrRiq+C8y/KAnLZMXiys4nBSkg91jKl8uDxTUXLbRgtWp5KGZu+1kQEmunfPx14ZoDBb9AUA==", - "12884901904": "fnW/PyESVitHy8orJg+G1QSK4R7itynS1h0cjAgcISgnJFTkc/Rg+hAYcYdnyOkRtufxlHZomcRcpCIS++Yb6Q==", - "12884901905": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901906": "TtkI4uJ+68OHkeR39WTl7sgPmSQMTv/PH3EL+oR8h3IR1EQzgii6/9uMvZqzP798SSZ+Xs87ekcfIBsg+wOq6A==", - "12884901907": "HOK3Bss2DP91LBon0YoSPT/aE6UU9r03Hdvdwqc/QVboy3Kk1vLOVXmQB7XyYUtYSvcJ8J0roQaXwf0FV1lwHw==", - "12884901908": "/lT6UC5LVyD2u0/7yT1OZHsduv56OOBGLjrRZR0lFQ0nxO46Rc3r1z5i/Cm4mZMd+PaL+RAWIAdmmiO3rsIV/g==", - "12884901909": "+qHp9Cg8nmtICCtJGViDjpJmAs56bU13WHeBPlF0SqO+dKSUVafJnt4PN8j5zlYRjSg+Sg19cnPyK04K+F3jxQ==", - "12884901910": "GIIl7IreWfE/D6Vn4mj52rIJjPcUTWewWP/ErAJyzB0IUhbsUJPsEt7t137uHzZ9yzKasckoyaVx38BGw7J0Sw==", - "4294967297": "iTjmLCIgd6eNCoUIK/4fCCGDrPbEYkviuACFOKGvbsbuND0fQmM+DncdThQnhhtTk1ncIzqIYa1dr9Dv1hFbNg==", - "4294967298": "Gc7kZ4NKcK/z5eUJATH1zwoR8KoeZOO2cVQDXT5QXKPZ1Nyc2zu5FLZctVMGai06wkG6GK6IsW7QpZ4LC41/6g==", - "4294967299": "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==", - "8589934593": "iTjmLCIgd6eNCoUIK/4fCCGDrPbEYkviuACFOKGvbsbuND0fQmM+DncdThQnhhtTk1ncIzqIYa1dr9Dv1hFbNg==", - "8589934594": "ZuVRB29jWeNb/lVtouZzqe68zaAFNLlBDfJ5Ds78VBA4fo7etRb15/bF+dXPnFI+UM+5djNEWhJw2j1d8YcgsA==" - } - }, - "source": "if (file(\"/etc/passwd-\").exists) {\n 
file(\"/etc/passwd-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "ADxZ6Ef0QR4Nl1QrLeuHlXVwLkCZkQgi4QrqrUhtqNhmxpufVydt6z94I0JjfrtehEe2V1/xIBTNAk3j54NtKg==": "permissions.group_executable == false", - "F+beOvkTkg1/aI7g+OqS2edsgIJWZsfv8EOT8reqXthVtoTiFkHd0WALUHTgINviGnROydYwBqRxluAUaxODmg==": "permissions.user_executable == false", - "GIIl7IreWfE/D6Vn4mj52rIJjPcUTWewWP/ErAJyzB0IUhbsUJPsEt7t137uHzZ9yzKasckoyaVx38BGw7J0Sw==": "permissions.other_executable == false", - "HOK3Bss2DP91LBon0YoSPT/aE6UU9r03Hdvdwqc/QVboy3Kk1vLOVXmQB7XyYUtYSvcJ8J0roQaXwf0FV1lwHw==": "permissions.other_writeable == false", - "ZuVRB29jWeNb/lVtouZzqe68zaAFNLlBDfJ5Ds78VBA4fo7etRb15/bF+dXPnFI+UM+5djNEWhJw2j1d8YcgsA==": "file", - "fnW/PyESVitHy8orJg+G1QSK4R7itynS1h0cjAgcISgnJFTkc/Rg+hAYcYdnyOkRtufxlHZomcRcpCIS++Yb6Q==": "permissions.other_readable == false", - "i8ACRicbdRL/5KuJ56Jl5CkKSg1On7fdlKvMTzknFxI9NFJWySwPCbmHaPDE0D1uO1Jk7KSbCfOvhOB0ZIE+VQ==": "permissions.group_readable == false", - "mfkNI8OTRDvYTCa2VnLqzxZKxPU28+Z/Rv0zdSRTrlv0gTWdFEi/RTSmhTFSNhcYdpIYVizLi6TGVxIHv9GBbw==": "permissions.group_writeable == false", - "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "H2ZH2J+F/yo=": { - "query": "kernel.parameters['net.ipv4.icmp_ignore_bogus_error_responses'] == 1\n", - "checksum": "QG8TmdpYja4=", - "datapoints": [ - "5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==", - "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==" - ], - "code": { - "code_v2": { - "id": "H2ZH2J+F/yo=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - 
"id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuaWNtcF9pZ25vcmVfYm9ndXNfZXJyb3JfcmVzcG9uc2Vz" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==", - "4294967300": "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==" - } - }, - "source": "kernel.parameters['net.ipv4.icmp_ignore_bogus_error_responses'] == 1\n", - "labels": { - "labels": { - "5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==": "kernel.parameters[net.ipv4.icmp_ignore_bogus_error_responses]", - "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==": "kernel.parameters[net.ipv4.icmp_ignore_bogus_error_responses] == 1" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "H74IPb4kjoI=": { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file_action\"].downcase == \"keep_logs\"\n}\n", - "checksum": "uPBAuRWHx84=", - "datapoints": [ - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - 
"DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==" - ], - "code": { - "code_v2": { - "id": "H74IPb4kjoI=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bWF4X2xvZ19maWxlX2FjdGlvbg==" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "downcase", - "function": { - "type": "\u0007", - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "a2VlcF9sb2dz" - } - ], - "binding": 8589934596 - } - } - ], - "entrypoints": [ - 8589934597 - 
] - } - ], - "checksums": { - "4294967297": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967298": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967299": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967300": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967301": "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==", - "8589934593": "+I3CQJa1E3mvGrqDdKoMyuQ04sdJZQ2EXu9qdqKWnO+bq0yoONJrwE8fGjqA5z/JAB93Is+SQHzph6QgSQ9mIg==", - "8589934594": "1gNeZz6IhN77JStqn/C+u0sVtnzV9RGjFVcniG86xFA96JH/ZXnwd189KZfaQmjdms8QiYB7Y9C+MXnYLvd4Lg==", - "8589934595": "lyzp3a2MLm02JTqoc2oiyPY0jsYeL5rhjT49J4mhKq9WDUJyAkO466iqi6Q13DwCHlZSdzff1IqW2HW7UUS59w==", - "8589934596": "3PdsMSuCu8koX4k8GIZyinGDuZa6wH7VTdTShhql+8r6YzjQvPxoirz2r/Ftn7P0KPbG62d2K++aUTD7QOPsQQ==", - "8589934597": "3bcl3qHCXcXh4dIWlV5B9S7LRbo8PLuL/f2x2tDTmLuUen4TfaQ/qOAQBQSuBNaPFfpVeLMziVOUpX8tmwe2lg==" - } - }, - "source": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file_action\"].downcase == \"keep_logs\"\n}\n", - "labels": { - "labels": { - "3bcl3qHCXcXh4dIWlV5B9S7LRbo8PLuL/f2x2tDTmLuUen4TfaQ/qOAQBQSuBNaPFfpVeLMziVOUpX8tmwe2lg==": "parse.ini.params[max_log_file_action].downcase == \"keep_logs\"", - "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==": "if", - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": "file.exists" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "HKo0vfMZsRE=": { - "query": "service(\"nfs\").enabled == false\nservice(\"nfs\").running == false\nservice(\"rpcbind\").enabled == false\nservice(\"rpcbind\").running == false\n", - "checksum": 
"cmgcVrqQOQw=", - "datapoints": [ - "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==", - "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==", - "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==", - "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==", - "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==", - "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==", - "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==", - "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==" - ], - "code": { - "code_v2": { - "id": "HKo0vfMZsRE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmZz" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmZz" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": 
"cnBjYmluZA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnBjYmluZA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967307 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308 - ], - "datapoints": [ - 4294967298, - 4294967301, - 4294967304, - 4294967307 - ] - } - ], - "checksums": { - "4294967297": "tjveqO1u0wSPDO2OUkBFtKngXzu59Y4DQf41d/oHhTXWplKv8nJsERGgTuWqpebKetnPTkRflXauxZU7ZbyLPg==", - "4294967298": "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==", - "4294967299": "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==", - "4294967300": "tjveqO1u0wSPDO2OUkBFtKngXzu59Y4DQf41d/oHhTXWplKv8nJsERGgTuWqpebKetnPTkRflXauxZU7ZbyLPg==", - "4294967301": "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==", - "4294967302": "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==", - "4294967303": "SnkSmmKUsvzsdp25HS4CWu2JB0g6RG3R9GMQg7QejP4ysbfRJ23YCbJZWuEzU4FNqv3bqFUI5JrRRNcKC5mudA==", - "4294967304": "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==", - "4294967305": "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==", - "4294967306": 
"SnkSmmKUsvzsdp25HS4CWu2JB0g6RG3R9GMQg7QejP4ysbfRJ23YCbJZWuEzU4FNqv3bqFUI5JrRRNcKC5mudA==", - "4294967307": "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==", - "4294967308": "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==" - } - }, - "source": "service(\"nfs\").enabled == false\nservice(\"nfs\").running == false\nservice(\"rpcbind\").enabled == false\nservice(\"rpcbind\").running == false\n", - "labels": { - "labels": { - "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==": "service.enabled", - "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==": "service.running == false", - "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==": "service.enabled", - "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==": "service.enabled == false", - "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==": "service.running", - "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==": "service.running == false", - "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==": "service.enabled == false", - "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "HhVqF0tMxvA=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/insmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/rmmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/modprobe\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n}\n", - "checksum": "Ol/tyld6Eek=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==" - ], - "code": { - "code_v2": { - "id": "HhVqF0tMxvA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", 
- "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": 
"AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934605 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "noCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "qoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "file", - "function": { - 
"type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934617 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934618 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "toCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934621 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "vICAgEA=" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934624 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934625 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "xICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934626 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934627 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 
8589934628 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "yoCAgEA=" - } - ], - "binding": 8589934623 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934631 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934632 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "0oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934633 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934634 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934635 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "2ICAgEA=" - } - ], - "binding": 8589934630 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604, - 8589934610, - 8589934637 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvc2JpblwvaW5zbW9kXHMrXC1wXHMreFxzK1wta1xzK21vZHVsZXM=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": 
"XihccyspP1wtd1xzK1wvc2Jpblwvcm1tb2RccytcLXBccyt4XHMrXC1rXHMrbW9kdWxlcw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvc2JpblwvbW9kcHJvYmVccytcLXBccyt4XHMrXC1rXHMrbW9kdWxlcw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2luaXRcX21vZHVsZVxzK1wtU1xzK2RlbGV0ZVxfbW9kdWxlXHMrXC1rXHMrbW9kdWxlcw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2luaXRcX21vZHVsZVwsZGVsZXRlXF9tb2R1bGVccytcLUZccytrZXlcPW1vZHVsZXM=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": 
"XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2luaXRcX21vZHVsZVxzK1wtU1xzK2RlbGV0ZVxfbW9kdWxlXHMrXC1rXHMrbW9kdWxlcw==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2luaXRcX21vZHVsZVwsZGVsZXRlXF9tb2R1bGVccytcLUZccytrZXlcPW1vZHVsZXM=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "HOiAogBpZTDHcaleQsu31ulnv7pj/wYwYDuXVVEpsUycIm+WzaYs4ue7rUWhW2iP7zMIose4j0sVBiGcu3qynA==", - "12884901891": "Mn1L+Nc9gPPyU2ju0ereZ7i4TK2gRarxFzlQk5f4+HtfDSqgSZrFwMcA7T8nNUqQsJWFOiZDz4ZdNBFsBuPMZw==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "54jfg74qi8wM6+FfHLZkyz/GtKS1fKN7iNZEdXrs+sST6g2WZngFjwlIqZTWCRIRWdxTV4KPvcm1Md9qyC2Aig==", - "17179869187": "TFnR5UU0ECZpG0tBlE8QVKylyTPPX1VJ6L5MdQOrfGXN5pp3lA3bITqZ2dp3XqvBpQQxQn1df4CJL9Cb3re7Ig==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "Zpkw7q41Jb0Y97yqtTLnbnrpfJBA8ShPd0gtZctNLUoOORRYXE8ei4oes2E2khDyR8oKWxHRpL9NkN+LmTPmOQ==", - "21474836483": "7OJH75G8fDqK8QpfsIqDgwXDj/2uHLG/LBUmcS/+mMJvF5UGRb50JeBZGCEJrUc820t+I+A8oAuAWPzQPC9nPg==", - "25769803777": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "QCB3T11IyHLWK1EbMQuG0Bc8Y+LNWQ2dgI78mhH55ZOdKaUpqfRKuMtoA4yt7RIk7q0K+JpfVqSrIRmpBc1SWQ==", - "25769803779": "XMEN4vt7+dpKWHnhr+mAElZoXwpO6he9nEKzED7+QVTxJ8SrHAhkLO4MI6gRHXWvgO15iNOOhzqIPDMFzRB9lw==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "sxb2fyg8C0S3LzJHYRklycMBMGwNr9cUTaPZzqASqMBxrJQ4vqilF3VFni1BlX0npRRIqI0LyeF/TuUKthpgoA==", - "30064771075": "sw8P7sUpteUpuRGf7bW5S05MqhqJtV3jfQAy2uk5X0XYEDXmT/WCzF0fK4r6KcqLrveRYnNnHxsaKyxeWea+0g==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "PkWByL6k5WWJVXmMZZLZnpgybs6AFt2E7lv3XvXJu/B+BJCOaIuq12YShprwKhX9Ti0hcOOQd5qIBtvllJNKBQ==", - "34359738371": "SpRshYG6DphAMt7aBqq51RAzk5x2+1Re7ZsvbjojHgwf8XoKYf0cmzsMHjVLm2KAUOayoCabliim/A+xAyGRGQ==", - "38654705665": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "kZugsfgYOThvMr5Bv+4+oeKus+tAdsjV3FDXXe/9S5fP1Np+maC6AsCSNTxRR9XkeMWYo3JRXrlZJySX/KAfZg==", - "38654705667": "P3FZmmF3dAZL9ZHQ4ygcC4Nb6N/0O7G0jwdL8Vrbv6VkCKNMNEsXcb/fnTp6toR/ZV/Fhql8es6A6F6yJpf8Ig==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "wgDlAk0KQSRkjcIHaS/9e1BwfHfNzuUr93c4Jy8KOMQRr9nHWMd0uCZr9wj6iem7mAL8xUPG5N8arQR6S4elFA==", - "8589934597": "OxAHOIY94rFINu9x/bBFifPWWfO8fCk6YlzqjWJZKsZ/lpI4Y1lKLBJmCOAvgl6yLcRCNU53T5cUk5igCGT7ZA==", - "8589934598": "8IQ9W+DHkgmOEyHOop4721GYs3DpolxJEkhb75yAmwKOWYycqT1ZQo4rerIWXdJUsvIDfhzipIiFu4VFSPuOiA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "/xY8szNdKeau+9xYWl0MeJF8E7bkET5twRvWHDVu5W7Y0Er68vaaTjFJez4L+s8/gQ2dSO3o/HJwlEbZ7BqRWQ==", - "8589934603": "xL5+Sv8/e1s9Zrs1ieLFJnti5ScuhoiX4pxITtmHJ31kSkm6eHWF4NdVB15HgOlje64ZfXpdJSTVj5fjFq9G9A==", - "8589934604": "a8tZcEVgs+5dPIc7USMB2QLlfiK4/6gGLPHyd+PzJ6rzNHCbDPy14MjRG41EKz10YlelWLsUJHXlsTudlzPTeA==", - "8589934605": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934606": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934607": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934608": "c+iwoMDSdUxnN+cByYgmpuHUuy3h51iv5XCbZksOP99IEsT1r1fGRIQ8CtfS2th2m7UM0yBnfvj9N9l0V9EC4g==", - "8589934609": "Kt6LZKr+iwq7GmTGU8u47GCT8rWDc+dlZyWHnVWTB/Klt4Oyvmb91Ny1sH56qVkhHHd/WXXcCM0kWxI+oIwK2w==", - "8589934610": "GP4FAdaKkoL0EardoSjaosWl8W336FPMZE54THUxR+ILDyvpfpHc+w1/5hbAm35UeNjPyn00cQ0YMsqh48HFcg==", - "8589934611": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934612": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934613": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934614": "/KQLcSSsKc1yFPiv3+j7EjInnRNja2PDuMJU57nIw5ZBXD6h4v06MfKMxfv1QEzRzQMfluMk4r+BD3gqq98eAQ==", - "8589934615": "fNTW77n1NBXRXIu1RDETVYTxyn2b6cm5ugjzHKsGSSSA0c94/Zumt2I/JfMc5GqBXOqHY0HKF15oFEs7ooyHPw==", - "8589934616": "NjAX4v0Henq/n0K5Os57z1IMWzxaXY41UdtHjTHq5ASSPY/xhmCbPV5ajyQc/7P0zC+MAGQfeLd/Qxr4o7o6sw==", - "8589934617": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934618": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934619": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934620": "ffGcllDFaj/NFlI981c3oxtWO4uh3Q2Yj13K2QvTwIE8DP6Cvrsug5UnwqB0fSGR3EjNscO6FafEur88Vous3g==", - "8589934621": "br0NQKWjig+X76So1ifNh/C71UTCEbvyTve9bew691r8ZMIgOLEhk2RvJ2CFe0avy3Lls65N9HfonbjMo1c7+g==", - "8589934622": "tO39kJdlllBDdpCZW/pz/6hHebO6B0dz2AlNmXYtLjW05KvIgF1+D9cIy0LQv6NOpwCHOGioEtqOd5LewEaf8w==", - "8589934623": "j5EP+75ISLDXwvsBrsvQBD3TgInRgF28+nbw1IrRrUb5jluvt0OxY6FXLeHeB53iDitqNFq/ZUg4uhQc+7436g==", - "8589934624": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934625": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934626": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934627": "6QPKqqOjxlm8gwlzG8bzsDWDTEGtM9NjMoSnPUeSRF1YX9LHcKKbxZ6peNBzeWlMwxd86LL5OIwNTM1bfRXmhA==", - "8589934628": "hKfxsdScNK6HD6teRgHT83IsgxViH087AoVGj8UoAG9ob1rWNQ6uw/aZ4LN53jGe6ajlMDFWHnPdxnc5jz65ow==", - "8589934629": "AHC6posHikQsCkshCj/9mt+R+dg/FDXopc1gXllUancFM7p37YhH2XbR5vXBX0YYI3VRm3oENRc/TgWHVInORQ==", - "8589934630": 
"JejZiPkcs3/6gaaf7yS/UOcrYKDSD8PlwCMIXoY0rOWGzZd7kzJeaci4liO1mq3lfeExY2mdizCrRcFkH4D7Bg==", - "8589934631": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934632": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934633": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934634": "H+c2gDIwBRQMAL1viIC+MMoAX1nypI5DC+ag9/LmzkpO5B2JL1fQ5yq0Fyzv1Z6otH1009AMAuoUWDUu5Id7Hw==", - "8589934635": "xcvnFXTSompQUXGZnypYmwdIlrtAe0r1DGP9h3N4S7NOs761CJwGE+lRbd03Ti0pnAJeI+kYWBTY5pWHC6Iipw==", - "8589934636": "qtk/WEPpLE4lz+ZnsEI5TlYUAFjOKClq0rAR4eXu6WMDLzuNiYuztFYsPm0ZNpdR2yUwP4BexUrDRU3tOs3XcQ==", - "8589934637": "VpfScR3gpbmMq6dkzqiwZO/vYRLke8vHoS4iREK1JMUh6dC/uLp8gyklN8aQhAdf8DjWJ2u7d0I5EdiV84EdDg==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/insmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/rmmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/modprobe\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n}\n", - "labels": { - "labels": { - "7OJH75G8fDqK8QpfsIqDgwXDj/2uHLG/LBUmcS/+mMJvF5UGRb50JeBZGCEJrUc820t+I+A8oAuAWPzQPC9nPg==": " == \u003cref\u003e", - "8IQ9W+DHkgmOEyHOop4721GYs3DpolxJEkhb75yAmwKOWYycqT1ZQo4rerIWXdJUsvIDfhzipIiFu4VFSPuOiA==": "[].contains()", - "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==": "if", - "AHC6posHikQsCkshCj/9mt+R+dg/FDXopc1gXllUancFM7p37YhH2XbR5vXBX0YYI3VRm3oENRc/TgWHVInORQ==": "[].contains()", - "GP4FAdaKkoL0EardoSjaosWl8W336FPMZE54THUxR+ILDyvpfpHc+w1/5hbAm35UeNjPyn00cQ0YMsqh48HFcg==": "[].contains()", - "Mn1L+Nc9gPPyU2ju0ereZ7i4TK2gRarxFzlQk5f4+HtfDSqgSZrFwMcA7T8nNUqQsJWFOiZDz4ZdNBFsBuPMZw==": " == \u003cref\u003e", - "NjAX4v0Henq/n0K5Os57z1IMWzxaXY41UdtHjTHq5ASSPY/xhmCbPV5ajyQc/7P0zC+MAGQfeLd/Qxr4o7o6sw==": "[].contains()", - "P3FZmmF3dAZL9ZHQ4ygcC4Nb6N/0O7G0jwdL8Vrbv6VkCKNMNEsXcb/fnTp6toR/ZV/Fhql8es6A6F6yJpf8Ig==": " == \u003cref\u003e", - "SpRshYG6DphAMt7aBqq51RAzk5x2+1Re7ZsvbjojHgwf8XoKYf0cmzsMHjVLm2KAUOayoCabliim/A+xAyGRGQ==": " == \u003cref\u003e", - "TFnR5UU0ECZpG0tBlE8QVKylyTPPX1VJ6L5MdQOrfGXN5pp3lA3bITqZ2dp3XqvBpQQxQn1df4CJL9Cb3re7Ig==": " == \u003cref\u003e", - "VpfScR3gpbmMq6dkzqiwZO/vYRLke8vHoS4iREK1JMUh6dC/uLp8gyklN8aQhAdf8DjWJ2u7d0I5EdiV84EdDg==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e || \u003cref\u003e || \u003cref\u003e", - "XMEN4vt7+dpKWHnhr+mAElZoXwpO6he9nEKzED7+QVTxJ8SrHAhkLO4MI6gRHXWvgO15iNOOhzqIPDMFzRB9lw==": " == \u003cref\u003e", - "a8tZcEVgs+5dPIc7USMB2QLlfiK4/6gGLPHyd+PzJ6rzNHCbDPy14MjRG41EKz10YlelWLsUJHXlsTudlzPTeA==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "qtk/WEPpLE4lz+ZnsEI5TlYUAFjOKClq0rAR4eXu6WMDLzuNiYuztFYsPm0ZNpdR2yUwP4BexUrDRU3tOs3XcQ==": "[].contains()", - 
"sw8P7sUpteUpuRGf7bW5S05MqhqJtV3jfQAy2uk5X0XYEDXmT/WCzF0fK4r6KcqLrveRYnNnHxsaKyxeWea+0g==": " == \u003cref\u003e", - "tO39kJdlllBDdpCZW/pz/6hHebO6B0dz2AlNmXYtLjW05KvIgF1+D9cIy0LQv6NOpwCHOGioEtqOd5LewEaf8w==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "Hwqs1IZPO4c=": { - "query": "kernel.parameters['net.ipv4.conf.all.log_martians'] == 1\nkernel.parameters['net.ipv4.conf.default.log_martians'] == 1\n", - "checksum": "gk3AYriRXoE=", - "datapoints": [ - "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==", - "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==", - "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==", - "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==" - ], - "code": { - "code_v2": { - "id": "Hwqs1IZPO4c=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwubG9nX21hcnRpYW5z" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5kZWZhdWx0LmxvZ19tYXJ0aWFucw==" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - 
"binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==", - "4294967300": "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==", - "4294967304": "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==" - } - }, - "source": "kernel.parameters['net.ipv4.conf.all.log_martians'] == 1\nkernel.parameters['net.ipv4.conf.default.log_martians'] == 1\n", - "labels": { - "labels": { - "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==": "kernel.parameters[net.ipv4.conf.default.log_martians]", - "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==": "kernel.parameters[net.ipv4.conf.all.log_martians]", - "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==": "kernel.parameters[net.ipv4.conf.all.log_martians] == 1", - "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==": "kernel.parameters[net.ipv4.conf.default.log_martians] == 1" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "I/fSLFpoIJA=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\,settimeofday\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-S\\s+stime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n ||file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+stime\\,settimeofday\\,adjtimex\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/localtime\\s+\\-p\\s+wa\\s+\\-k\\s+time\\-change/)\n}\n", - "checksum": "BrtnDJQ7rho=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==" - ], - "code": { - "code_v2": { - "id": "I/fSLFpoIJA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": 
"\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - 
"type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "mICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "oICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - 
"args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "rICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "soCAgEA=" - } - ], - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "uoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934621 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934622 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934623 - } - }, - { - 
"call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934625 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934626 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "xoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934627 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934628 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934629 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "zICAgEA=" - } - ], - "binding": 8589934624 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934632 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934633 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "1ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934634 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934635 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": 
"\u0005", - "value": "AA==" - } - ], - "binding": 8589934636 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934638 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934639 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "4ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - } - ], - "binding": 8589934640 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934641 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934642 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "5oCAgEA=" - } - ], - "binding": 8589934637 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934645 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934646 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "7oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAC" - } - ], - "binding": 8589934647 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934648 - } - }, - { - "call": 1, - "id": 
"\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934649 - } - } - ], - "entrypoints": [ - 8589934605, - 8589934618, - 8589934631, - 8589934644, - 8589934650 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2FkanRpbWV4XHMrXC1TXHMrc2V0dGltZW9mZGF5XHMrXC1rXHMrdGltZVwtY2hhbmdlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2FkanRpbWV4XCxzZXR0aW1lb2ZkYXlccytcLUZccytrZXlcPXRpbWVcLWNoYW5nZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2FkanRpbWV4XHMrXC1TXHMrc2V0dGltZW9mZGF5XHMrXC1TXHMrc3RpbWVccytcLWtccyt0aW1lXC1jaGFuZ2UoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": 
"XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK3N0aW1lXCxzZXR0aW1lb2ZkYXlcLGFkanRpbWV4XHMrXC1GXHMra2V5XD10aW1lXC1jaGFuZ2UoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2Nsb2NrXF9zZXR0aW1lXHMrXC1rXHMrdGltZVwtY2hhbmdlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2Nsb2NrXF9zZXR0aW1lXHMrXC1GXHMra2V5XD10aW1lXC1jaGFuZ2UoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2Nsb2NrXF9zZXR0aW1lXHMrXC1rXHMrdGltZVwtY2hhbmdlKFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": 
"\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2Nsb2NrXF9zZXR0aW1lXHMrXC1GXHMra2V5XD10aW1lXC1jaGFuZ2UoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - } - ], - "binding": 42949672961 - } - } - ], - "parameters": 1, - "entrypoints": [ - 42949672963 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9sb2NhbHRpbWVccytcLXBccyt3YVxzK1wta1xzK3RpbWVcLWNoYW5nZQ==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAC" - } - ], - "binding": 47244640257 - } - } - ], - "parameters": 1, - "entrypoints": [ - 47244640259 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "tOCtx7J8kOqxLUD8R4AxsLhj9waVRaWeKZWycG/sCMdmy+qpxTXz35SFZhrtNIKZpNANFcEuT6X5pKW4Tt9tMw==", - "12884901891": "3hEJC9mHc+TUjarSLPMtk2J0XZDkcmZLu77gySmvc4VuVkCmVngbhdA1La8CplsBbd+OsqV0I1aN0Y+T+itI0w==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "ne4Prl0F84jqrO4xtxoQ4Wxa1dB6YxAZK3r2sIiR8DxQcrSqUoElDl96E9ncRMjHjt8ClJfOMjLDSZRh4B7rlw==", - "17179869187": "MRmeAMUl/OjyylEHHNoid32G3TDbS0ITsZn8+QocKvhE9CKbDNKVC6OF1ymWAK5PZ+AQfd4zHboNFJAINd834w==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "qLoY1L4tg29rKr27PA1IlbJLRG7Dx4K+CFESaCsahVMrK+snfIZ9kvOmXiXSPLsRmrbf1+dIIPgzvEi6tQMAEA==", - "21474836483": "a5HRdKIrERdkz6sgIki9M3M/kYlV/+iafs0QNBji9zdfeIGEUggXgN7R/SWzgOD4roxcFT3YuLFN+wzEL9CMpg==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": 
"53M1CqZhV1Q09SDHJNnd1sR6hekNMGL+tsK31AaRgl/BLX6WaGXu25cQIYBqrQM16gWmBCVgND4c/K0uwZ8cDA==", - "25769803779": "Kw49IERy4jqltEpClf/tlpQu4CkEL9WrjF/3E0HmTNAX7gWuPyOcfIP/aA/w0Ba9Ue2Dkk8cpoQB9kGantIjJQ==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "ZCtnEm6/jNSxccgS08udTN8GRFAVdl653+XdiZ7BcTYgqEyiDI+Zcq/V+Su2BgLuNPS3Hs8Pua3UGvWlG4/ldA==", - "30064771075": "bOf70kpgRa56cfaU4mJRLfi8zdvnbmgnggJQG94EkKjsWNar90iEhaFJ0sDFvVEuoM2EhsdKqYU02tB9APw8Vw==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "tSYshWRjGhLSmj9UflGTCEyBF5RE3SatJBP4fPwT7keqdhqpLd47RjZuOwW6iN3CUx+BocHa2U1xA3hpaPOHDQ==", - "34359738371": "1kt3CkUyZrWFM3EqCjYg0TKiy1dBx9QJDUwFzi4nPRaeaW3HTWWDZDWwQRMrc+oxUtrOlpDR5ELyb9AhcFnvyg==", - "38654705665": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "jy5wsEGspFQ2ci06ocspesi9uIl6gLYXs9Es8rkChI2UFNbYlkz/yiqkZIoaqs69gaPcEVUBHu5Qi0EZTDr7jA==", - "38654705667": "AiZous1m6FMXI7Mu7+DESIID0Wl6D53Rn4ZnNzkzmLyK/bjudTkG7vrvOtgSO9+MF+bBsSet2cr80rC0Q9nKrg==", - "42949672961": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "42949672962": "rluoE1/wG7HzbkKGORaBwx5xuM5Vu+Vggo7sm+OsAeYqnlKmDk/h1AAQPFfBPbAcTg/jXcJHdJM8q/2bH7kcwg==", - "42949672963": "2ZNNQYrJoIKciRjreHpifYF052maxG4KE8kGna3DPiYLv9zHkyxroMz3z0yxYluN07JzsKStzwsZO0F9Fs3aGg==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": 
"ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==", - "47244640257": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "47244640258": "g8pnq8y4Dv/abK28oo9ykF0xm/6NF6CzL9ec1Kqcetki8CiEYravDy79oKW51aNRk8vqfWUcjYPO2luammh7MA==", - "47244640259": "FfjeYxUgmi1D4zP1kpDq2+9ysE4oinI5FN/VOGJ8lADtEwCU0Hs1ve2DK0OeXiEa88DSGhXLgkcWMMxxiyoALA==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "cmSg5zH5Pi/fyKDTRf2Ixr/QfxY8dDIYpfLra+9wCLbYtNnpTtf4IhzBxj/h6znFIqSvI+GNTsIqeMNcwt0C1A==", - "8589934597": "0sFschz7evtysK03qmYyPa5pGzhJtyBSIzEzk0Z0jAcGoMdKIBCPgultCu0J+hLqjaPxjJxyAEAiExx0IdmJXA==", - "8589934598": "MR0cWalwkrypS6SQPn6pzBXuMLqMZuo6DKqc+yXWDJDaE86KF2+VT4OapxPnsdo2iKIvA7qXAiAIdJ9mfRe5bA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "kqYJeGvavg0uBOuwSjlMGtqGIviiI0Cz/Q/1FL65xPggMwqCvNMu0sDLgjyc9aReBvS2F0pS3wDGHwdTl7Oj7A==", - "8589934603": "kfw3B+gqO/ACLmtdo69Kot8YvLfxwNKo0TU8MtUghyK1pFoVUvx7CuSiZZYGJ/yaYqUVp7daY5xauDJEqAYrIg==", - "8589934604": "n7JGLFkvlqrMA9bzWKOJ/DcQwnffzFv0fEuHhprrIVhVJkdeayTQivlm0KV/9OBEi2rISlzqu+ujDAp6DaOy6A==", - "8589934605": "6RyckYQY7IckJhKLLxoh5g5veHMnyvuxe0GlPJoDU65NxQKmTmI/SOJVpAECByQKh5CHKm88qzaxmT2rKzQY+Q==", - "8589934606": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934607": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934608": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934609": "eBBKFUXALEyRhx1WOrnnp6BOTXeJhChwyIs5cRR+Ge861rwDb4Crz6m3HoCrsqFsmgEiWApdqP3XuecVAuYYSQ==", - "8589934610": "N7Q2zby+i4d1In0xelwxJvatrudQf0iNWMQeCyDpmccJQZRadRpap8tL3IUMqCmzsJq1vgqX4ooubm4E8jH5bw==", - "8589934611": "HZSMw4t6ymRjqjo0NlPhpDxBktpaFVMc8BI6MdmJ0UGsr9j8e+XI8v63LjRQMSRQoiFGnM5oWHStD89ANZz1wA==", - "8589934612": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934613": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934614": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934615": "bwVnyUkK6Hg5pD7Iepez/t64ELiBNkldiRT9h8UpzhkOZWTPEzPK6cCILdwjBV16E+Uek3Z+4aCJQaL7VFM9Mw==", - "8589934616": "1GuBfOmVkTUNaKg2tHRXC0ljZfIyb6EbTyUOjHQoOt0ciPOM4IbhHzX1xsfQb19P0O45bNkXtQk1Cax26nNp3w==", - "8589934617": "lN4GSEOayzlg7Co2owVR2Qr/gnxjYJ+/rFtZHFYAIJ++VCfraEpjiSEJV3SHfQyupbjSzn+gTzoMQFH6N12iYQ==", - "8589934618": "KI+wiIMESc157yiORGL+5UpUTiArNpXrAu/JT/CwVcIIV+86xaIqz12cja0aXgYeDQvgom8pA+1Pk5D7esMmDg==", - "8589934619": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934620": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934621": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934622": "ELA6/Hkp1GajR76kOeWGVOgSxbKfKgT0rsiU7OyhClc6KJuavbvhypj7uYBspO6Qx882ayT/YOhrbqpda1EHKg==", - "8589934623": "zVWFgJyOzGYDN5M8rRbnDqTqjOTTgFSLq4PzdmvYbl6nUH4oy1rqbMAKzqtTJwawpuBkZyFZwPnPGIdV7XgHew==", - "8589934624": "GhjDE7AztAYPRJJ3oQNuxDrR6tKYz1dih19mQ5aR0pChidfM0VeE756Im7fApdbBCxaYzY7tnOqNmdqqxhgXvw==", - "8589934625": 
"Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934626": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934627": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934628": "BBHtKUVQ4Gl5WfK+eECu9joTmnG+vSyQhOohKcovijWDMWubOVgHFqZ4X8dasdKsxGumjiaC/AZ5i5elCgB6Dw==", - "8589934629": "0yyRyblj9Ky9i7J6CXUZp8wakQfdjmhO5QDesiGXuc41eioP6aY8DmQnPAYqCfKy7a2i2Q1tiAh8s1wCpl9Twg==", - "8589934630": "xr9IQ3n//IZqlS+ziIu9v9cIJVN2DcaWjI4EjrC6wNsQ3m51rm9XqJ1e07O7n+N7r8GM+w3fIpiOr/sTrh5z0A==", - "8589934631": "Lb7/FsmnxB2LvW/u4VCRf44k2iJJUHjdpY+NHq441kWPqF4w2Cuogy193nK/ssrqREDGIINOp1wOSZdtWWh5yA==", - "8589934632": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934633": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934634": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934635": "mnTzWvGb4bq2Voov5O8cdWfwmNN1xQQv5fX6vRt6PD5VbsnETwvfA6NPJ1kiQR80uPzVfeVT/P58ObkiBHC9iQ==", - "8589934636": "PxwZzpvlEftXCbov+u9VCzRV2/EzLXpGIm00aBM3yw769PQ2i1COVB2AnlHW7rxUfeBMh4XM5mduTQiGlTSzfA==", - "8589934637": "Sy8RmyCRnPWHuFNwX3Z0LjMniNtAWDV2d48NsG0C5e7dQ+9UdLcGDFH+u6FahrHq7ka2QD13STrXScMPQsq3nQ==", - "8589934638": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934639": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934640": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934641": "EGhmMm52wAncgek6QmoVFAqF4cULO5+82UybcUyS+mTj63o9/HRmJv7nlzAjKZbnjrK2nBaqzrOCueBDABXb0A==", - "8589934642": "86eCo7iWDHMYovlx+xO0msn94+ztaJFi4769EDrxhk6bLqRYTbqIcvAV8NupoPWR5038nUA3sDUoWw6siGUwsA==", - "8589934643": 
"dQ36+5M6ii+8RHKrWNMcVsjXrJQxpp2CuI8jis++ZSGxYs9KUe01vqpnoKGsoZZiWscMB/C1vTud5L8xotlkTg==", - "8589934644": "YbWeWZubYLhx2rsi/4rD/H2ioQYeAYgjQu8Ep3BgonDo+fQgaoXO9WXGHsyJdz6/OurYwc33WwAdfziotgiOpQ==", - "8589934645": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934646": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934647": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934648": "dKqy9QZI3FBI2/c6oV1TjLRRnYGgaf1FSDQGgYVI5MIyFndYNJrdO+TwmvzQrKfvKGpQgnjsBlIk4s1gWT0GZQ==", - "8589934649": "zUr9jVZ8W/wmsRvbFxIyE2U3HWL71hqFTVhaaEGRurXOHdj3BZ7IsBgvfCRbtofW3O9J7Yl6NUAP/e8xV5+o8Q==", - "8589934650": "KsHC103FY+vi1nDFc+Ajuqat4ZBi3vZpNuhWyWVEApw/lbVJAkI1JjyJYf21gwAOyPeycTQ6tQfoOhxjy6oBSQ==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\,settimeofday\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-S\\s+stime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n ||file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+stime\\,settimeofday\\,adjtimex\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/localtime\\s+\\-p\\s+wa\\s+\\-k\\s+time\\-change/)\n}\n", - "labels": { - "labels": { - "1kt3CkUyZrWFM3EqCjYg0TKiy1dBx9QJDUwFzi4nPRaeaW3HTWWDZDWwQRMrc+oxUtrOlpDR5ELyb9AhcFnvyg==": " == \u003cref\u003e", - "2ZNNQYrJoIKciRjreHpifYF052maxG4KE8kGna3DPiYLv9zHkyxroMz3z0yxYluN07JzsKStzwsZO0F9Fs3aGg==": " == \u003cref\u003e", - "3hEJC9mHc+TUjarSLPMtk2J0XZDkcmZLu77gySmvc4VuVkCmVngbhdA1La8CplsBbd+OsqV0I1aN0Y+T+itI0w==": " == \u003cref\u003e", - "6RyckYQY7IckJhKLLxoh5g5veHMnyvuxe0GlPJoDU65NxQKmTmI/SOJVpAECByQKh5CHKm88qzaxmT2rKzQY+Q==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "AiZous1m6FMXI7Mu7+DESIID0Wl6D53Rn4ZnNzkzmLyK/bjudTkG7vrvOtgSO9+MF+bBsSet2cr80rC0Q9nKrg==": " == \u003cref\u003e", - "FfjeYxUgmi1D4zP1kpDq2+9ysE4oinI5FN/VOGJ8lADtEwCU0Hs1ve2DK0OeXiEa88DSGhXLgkcWMMxxiyoALA==": " == \u003cref\u003e", - "GhjDE7AztAYPRJJ3oQNuxDrR6tKYz1dih19mQ5aR0pChidfM0VeE756Im7fApdbBCxaYzY7tnOqNmdqqxhgXvw==": "[].contains()", - "HZSMw4t6ymRjqjo0NlPhpDxBktpaFVMc8BI6MdmJ0UGsr9j8e+XI8v63LjRQMSRQoiFGnM5oWHStD89ANZz1wA==": "[].contains()", - "KI+wiIMESc157yiORGL+5UpUTiArNpXrAu/JT/CwVcIIV+86xaIqz12cja0aXgYeDQvgom8pA+1Pk5D7esMmDg==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "KsHC103FY+vi1nDFc+Ajuqat4ZBi3vZpNuhWyWVEApw/lbVJAkI1JjyJYf21gwAOyPeycTQ6tQfoOhxjy6oBSQ==": "[].contains()", - 
"Kw49IERy4jqltEpClf/tlpQu4CkEL9WrjF/3E0HmTNAX7gWuPyOcfIP/aA/w0Ba9Ue2Dkk8cpoQB9kGantIjJQ==": " == \u003cref\u003e", - "Lb7/FsmnxB2LvW/u4VCRf44k2iJJUHjdpY+NHq441kWPqF4w2Cuogy193nK/ssrqREDGIINOp1wOSZdtWWh5yA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "MR0cWalwkrypS6SQPn6pzBXuMLqMZuo6DKqc+yXWDJDaE86KF2+VT4OapxPnsdo2iKIvA7qXAiAIdJ9mfRe5bA==": "[].contains()", - "MRmeAMUl/OjyylEHHNoid32G3TDbS0ITsZn8+QocKvhE9CKbDNKVC6OF1ymWAK5PZ+AQfd4zHboNFJAINd834w==": " == \u003cref\u003e", - "Sy8RmyCRnPWHuFNwX3Z0LjMniNtAWDV2d48NsG0C5e7dQ+9UdLcGDFH+u6FahrHq7ka2QD13STrXScMPQsq3nQ==": "[].contains()", - "YbWeWZubYLhx2rsi/4rD/H2ioQYeAYgjQu8Ep3BgonDo+fQgaoXO9WXGHsyJdz6/OurYwc33WwAdfziotgiOpQ==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "a5HRdKIrERdkz6sgIki9M3M/kYlV/+iafs0QNBji9zdfeIGEUggXgN7R/SWzgOD4roxcFT3YuLFN+wzEL9CMpg==": " == \u003cref\u003e", - "bOf70kpgRa56cfaU4mJRLfi8zdvnbmgnggJQG94EkKjsWNar90iEhaFJ0sDFvVEuoM2EhsdKqYU02tB9APw8Vw==": " == \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "dQ36+5M6ii+8RHKrWNMcVsjXrJQxpp2CuI8jis++ZSGxYs9KUe01vqpnoKGsoZZiWscMB/C1vTud5L8xotlkTg==": "[].contains()", - "ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==": "if", - "lN4GSEOayzlg7Co2owVR2Qr/gnxjYJ+/rFtZHFYAIJ++VCfraEpjiSEJV3SHfQyupbjSzn+gTzoMQFH6N12iYQ==": "[].contains()", - "n7JGLFkvlqrMA9bzWKOJ/DcQwnffzFv0fEuHhprrIVhVJkdeayTQivlm0KV/9OBEi2rISlzqu+ujDAp6DaOy6A==": "[].contains()", - "xr9IQ3n//IZqlS+ziIu9v9cIJVN2DcaWjI4EjrC6wNsQ3m51rm9XqJ1e07O7n+N7r8GM+w3fIpiOr/sTrh5z0A==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "IQ/r00/mLRg=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n}\n", - "checksum": "q7uk7UWXT1M=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==" - ], - "code": { - "code_v2": { - "id": "IQ/r00/mLRg=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - 
"type": "\u0007", - "binding": 8589934605 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "noCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "qoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934617 - } - }, - { - "call": 1, - "id": "lines", - "function": { - 
"type": "\u0019\u0007", - "binding": 8589934618 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "toCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934621 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604, - 8589934610, - 8589934616, - 8589934622 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9ncm91cFxzK1wtcFxzK3dhXHMrXC1rXHMraWRlbnRpdHk=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9wYXNzd2RccytcLXBccyt3YVxzK1wta1xzK2lkZW50aXR5" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9nc2hhZG93XHMrXC1wXHMrd2FccytcLWtccytpZGVudGl0eQ==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - 
{ - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zaGFkb3dccytcLXBccyt3YVxzK1wta1xzK2lkZW50aXR5" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zZWN1cml0eVwvb3Bhc3N3ZFxzK1wtcFxzK3dhXHMrXC1rXHMraWRlbnRpdHk=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "PA3O+KasmBH0hbta/5JBteEam80WF2sxfBsCO2Y2mFXkwBOr7Z2LbP/08bsPgQ40SZEUPeV1GjxYWuGITox5cA==", - "12884901891": "H3RRaGDniISrrmTBsN6v5MGIefWHw/CE5xJt28r8EvZbxpfbiCXwo//W3zWc/UUrjdTH+rGJANRBVEYQvAbD4A==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "s1OFiqvdscts+hf0g+o5QIcD65jz6/jeJGYiksCopRd2SheaTUFXVqbuQGcSg5s8zokNw2qIToKb3E6PDcruMQ==", - "17179869187": "r8hIwI0JlhHJlBVETB2nRzdflDhdOjf/BR73tmn01kCeci3xJNOXq/XTU+CgTxVMxA5ceny7k6gCxlWZtUjJTg==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "iON8kkOCjDumOhjlcgFOzpxDzS+NJyW2/4N7fy0rOJ/wqQ6Nkf8uGOZ+RtVUqPF8oE6MxJKC989VtqvnJSP7VA==", - "21474836483": "MgP53ATqpE0iesByyCzQUBm6gURRltQL6kfXfZ/HZrB7UR7c4sBSMAp5SqOsmwnyJqziunNP1XTm9a6S4HNqlA==", - "25769803777": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "APmEdwQsCDOc67Mm47ZHtpcjfyb7W3fLGHMqFeoZeI3x1uPr9h0YopMEGvUJo2U5VNT0ZvPe7pl/a5+qCjwvUA==", - "25769803779": "+sNyqoKVfiLINviQSUxoeMdzg1KoR+oB3nj0Im6E3K9c9VA87c67H8qGHFkfNA5gDKmCqf1/Mbt3XADRz7HyPQ==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "iLLAOULTy1Y37/zbslezvHo6+Mhzibx6MsMwMPEP17HC4tIuELslBnNPIILKiszmO/QU3h7SY3b9r2Z6H6JojA==", - "30064771075": "0TyfHPrSs7M5+pEQMrMsr8icvyk4gaxvOiANJyAFGRvkcxDAVocSmPT3wqBhqAnTc5DVQqUBzvd/J2bp2PC18A==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "7LDM4zgOCyOBu0+P99AAJFiuULi5YAM4+lFA3bjj6usyM0XOGp6qh4BbfHPzQk9EXBXNodK0AwU1LhZUSf1g4A==", - "8589934597": "VAdUmi6cHTnNZGReRIrdzJi57zZl7WyCbMVOx7nI3Duhr0gFtiffy2wFNiGx4TqIc8q6cauQJCERdl1sn5kbRg==", - "8589934598": "oREt/09QCeI41P72GC7IOlsQMjeI7anbC0pphD2W2F1huDGc9dMmzzv4IdRz7dfd/5Tel0IGZvex1LKUIKYQnw==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "fQsbEj9puhgQdJUncNeeNDVW7iYXXN5j4ZJY1R/0r5MIekFT99KW4laShJ2y9Hy3cPOGM2JbJIwzuxuqf1LXMQ==", - "8589934603": "WwUhbjcuhPTsdmiKCd9c+tuxJJaTzA3Z2DTyrgWDJNMH2DDn/Ane0OrjlYOonzfozMlQYBcYZzUaqR56VqWmkQ==", - "8589934604": "q7wHVHitn+vwkddXuwBR71XqubWyAq0z5NIkgrQxk1rnFkNz7p5Gagh8RtuSEKgyrGCN68Uex/BAsxL7+jbowQ==", - "8589934605": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934606": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934607": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934608": "KUG2PhjMLLt7yucaS7zrhOOKf2Q/y8e0iL3I6J10fNxJmEjNvda2O3JYuQWF8wPt6yJ9sy2EfAqqPy7thgPAqg==", - "8589934609": "yqCYp/od46kFWfsL4zEbqYE9pQ4ZjJDQeQxyJB+WPoJZ5U06XfP0Ltz5C1Uvf5YQb3qw16uwXQgtzPvVQecrwA==", - "8589934610": "3vCRDSdYVWZ5S2cPqKM0/YddlZShIb8FzNxTMYrJiSDagysYGQV/V2Ox8p6O9niS+gyFnrygdVMJuBoDQccaoA==", - "8589934611": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934612": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934613": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934614": "VohGCYxlV4LZt3Y87B8mVYYei+OCKC/3OiXRMSEXt5M7qmKc8cPEnGiaPLK+bCySI0zgoeEzwX9p98J+baJDgQ==", - "8589934615": "eNAligA/PlrxpmPqax7KOUuaVah19DCQXzAu0xis5lbhGhLhWlflPvThtXH/uqCe2igiGy/eMQRCTSmKerlrDg==", - "8589934616": "QWOGehiIOceWHGc4akYfZOEMtxVo64xckx4ZArYWJDRLOB/e4YebKi6F+SFf2HZCEyJ0sJRI6deqg1xNLV7EIQ==", - "8589934617": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934618": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934619": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934620": "ZHHGQikC/+Q4TYDB8/vNXyFhgD04BMyxzLhxMYo4QkoPECNS65PBWmdrFdzU2rFvVK5SDSYhwFBwRfz/ADHu6g==", - "8589934621": "+ot7iDuTbZ+ASEVex1UTbNES8qx0ccwTpXu+oTlgiZL5909FCcOqLAv1pnx01ZW+X/droQ4i0zvSDrldRJQPJg==", - "8589934622": "WfD1uUi/a9GgySfkL5Mgcw8yeVu/Qg1xJDw4S5Z/CE6b6VH7gesm3PESEaavrgqgG11rIFsxgSZJZLCZ+xOQpQ==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n}\n", - "labels": { - "labels": { - "+sNyqoKVfiLINviQSUxoeMdzg1KoR+oB3nj0Im6E3K9c9VA87c67H8qGHFkfNA5gDKmCqf1/Mbt3XADRz7HyPQ==": " == \u003cref\u003e", - "0TyfHPrSs7M5+pEQMrMsr8icvyk4gaxvOiANJyAFGRvkcxDAVocSmPT3wqBhqAnTc5DVQqUBzvd/J2bp2PC18A==": " == \u003cref\u003e", - "3vCRDSdYVWZ5S2cPqKM0/YddlZShIb8FzNxTMYrJiSDagysYGQV/V2Ox8p6O9niS+gyFnrygdVMJuBoDQccaoA==": "[].contains()", - "H3RRaGDniISrrmTBsN6v5MGIefWHw/CE5xJt28r8EvZbxpfbiCXwo//W3zWc/UUrjdTH+rGJANRBVEYQvAbD4A==": " == \u003cref\u003e", - "MgP53ATqpE0iesByyCzQUBm6gURRltQL6kfXfZ/HZrB7UR7c4sBSMAp5SqOsmwnyJqziunNP1XTm9a6S4HNqlA==": " == \u003cref\u003e", - "QWOGehiIOceWHGc4akYfZOEMtxVo64xckx4ZArYWJDRLOB/e4YebKi6F+SFf2HZCEyJ0sJRI6deqg1xNLV7EIQ==": "[].contains()", - 
"WfD1uUi/a9GgySfkL5Mgcw8yeVu/Qg1xJDw4S5Z/CE6b6VH7gesm3PESEaavrgqgG11rIFsxgSZJZLCZ+xOQpQ==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==": "if", - "oREt/09QCeI41P72GC7IOlsQMjeI7anbC0pphD2W2F1huDGc9dMmzzv4IdRz7dfd/5Tel0IGZvex1LKUIKYQnw==": "[].contains()", - "q7wHVHitn+vwkddXuwBR71XqubWyAq0z5NIkgrQxk1rnFkNz7p5Gagh8RtuSEKgyrGCN68Uex/BAsxL7+jbowQ==": "[].contains()", - "r8hIwI0JlhHJlBVETB2nRzdflDhdOjf/BR73tmn01kCeci3xJNOXq/XTU+CgTxVMxA5ceny7k6gCxlWZtUjJTg==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "Ieziwg178sw=": { - "query": "pam.conf.entries[\"/etc/pam.d/su\"].where(pamType == \"auth\" \u0026\u0026 module == \"pam_wheel.so\").any(options.contains(\"use_uid\"))\nif( groups.where( name == \"wheel\" ).list != [] ) {\n groups.where( name == \"wheel\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n} else {\n groups.where( name == \"sudo\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n}\n# To assert a specific user list, you can use a query like:\n# groups.where( name == \"wheel\" ).list { members{ name == /ec2-user|root/} }\n# where the list of users is pipe separated like \"ec2-user|root\"\n", - "checksum": "GlfHxmmqdcw=", - "properties": { - "MondooSudoGroup": "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==" - }, - "datapoints": [ - "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==", - "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==", - "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==", - "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==" - ], - "code": { - "code_v2": { - "id": "Ieziwg178sw=", - 
"blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "pam.conf" - }, - { - "call": 1, - "id": "entries", - "function": { - "type": "\u001a\u0007\u0019\u001bpam.conf.serviceEntry", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0019\u001bpam.conf.serviceEntry", - "args": [ - { - "type": "\u0007", - "value": "L2V0Yy9wYW0uZC9zdQ==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u001bpam.conf.serviceEntry", - "args": [ - { - "type": "\u0003", - "value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u001bpam.conf.serviceEntry", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "$any", - "function": { - "type": "\u0004", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bgroups", - "args": [ - { - "type": "\u0003", - "value": "kICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967305 - } - }, - { - "call": 1, - "id": "!=", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0019\u0000" - } - ], - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "loCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - }, - { - "type": "\u0019\u0003" - } - ] - } - 
} - ], - "entrypoints": [ - 4294967302, - 4294967308 - ], - "datapoints": [ - 4294967301, - 4294967306 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bpam.conf.serviceEntry" - } - }, - { - "call": 1, - "id": "pamType", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "YXV0aA==" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "module", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cGFtX3doZWVsLnNv" - } - ], - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "ioCAgEA=" - } - ], - "binding": 8589934595 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934598 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bpam.conf.serviceEntry" - } - }, - { - "call": 1, - "id": "options", - "function": { - "type": "\u0019\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 12884901892 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901893 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "dXNlX3VpZA==" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": 
"\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 21474836481 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "d2hlZWw=" - } - ], - "binding": 21474836482 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 25769803777 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bgroups", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 25769803777 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 25769803779 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 25769803780 - } - } - ], - "entrypoints": [ - 25769803781 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 30064771073 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "d2hlZWw=" - } - ], - "binding": 30064771074 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "members", - "function": { - "type": "\u0019\u001buser", - "binding": 34359738369 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": 
"\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 34359738370 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 38654705665 - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 38654705665 - } - }, - { - "call": 2, - "id": "MondooSudoGroup", - "primitive": { - "type": "\u0008" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "iICAgKAC" - } - ], - "binding": 38654705667 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705666, - 38654705669 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 42949672961 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bgroups", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAC" - } - ], - "binding": 42949672961 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 42949672963 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgIAD" - } - ], - "binding": 42949672964 - } - } - ], - "entrypoints": [ - 42949672965 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 47244640257 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "c3Vkbw==" - } - ], - "binding": 47244640258 - } - } - ], - "parameters": 1, - "entrypoints": [ - 47244640259 - ] - }, - { - "chunks": [ - { - 
"primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "members", - "function": { - "type": "\u0019\u001buser", - "binding": 51539607553 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgKAD" - } - ], - "binding": 51539607554 - } - } - ], - "parameters": 1, - "entrypoints": [ - 51539607555 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 55834574849 - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 55834574849 - } - }, - { - "call": 2, - "id": "MondooSudoGroup", - "primitive": { - "type": "\u0008" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "iICAgKAD" - } - ], - "binding": 55834574851 - } - } - ], - "parameters": 1, - "entrypoints": [ - 55834574850, - 55834574853 - ] - } - ], - "checksums": { - "12884901889": "8peH3pZErOIzrcrvnN/i39IfLoYOUFv8hlelf8k6CNDcfy1sjC6X4vZbuqgF0tCgZ92pakdeEDq2u1qxtIUOlw==", - "12884901890": "S8Lz9nDDB31YzOcvfS+YRq/f22zy5fSKjNFk7PLOWiurzQRGyU2xG4PcuTLB+IuSgpnJ8q5iXg4HeGa/WuvVHA==", - "12884901891": "dPMxgGyHYw0cahWwUFPNxur5coUVRad5Rcx5W0HT8Jvv7GxrDDSMjqTr82J2uSlwISEdabPcE/g2O6K1EJFvsg==", - "12884901892": "vqhhk1TCHeHcJuVZcxIiOjBfQHqEhiaXXtCbvu/q9GdSINKS8eriVaxDLpPiz4iniYMxkWonDc2ElD4E/oX0SQ==", - "12884901893": "hZ8ywLpd0w35gR1ipfVYqjGYFoMkLbfvzqeFEkNQ+JnYmvz0/OxEwKZghJlGmzm35ayNT1zqMgjItaH7onT87w==", - "17179869185": "S8Lz9nDDB31YzOcvfS+YRq/f22zy5fSKjNFk7PLOWiurzQRGyU2xG4PcuTLB+IuSgpnJ8q5iXg4HeGa/WuvVHA==", - "17179869186": "wzuh8IjpgCxGaQCApVTrtyGfSNLmgoDWtfT8WXuoNXPfbM9KSJYV1Cqt/N01QISrZgsBvtJAMSORlRSISg2rpw==", - "17179869187": "o5XN0ZB4WMo4DewXzzjYpxyaJ9P39su271Xvp1N1oYBFyGwEDiHOsps8uYy7elOGH5/CD4+cXnPfG69gnnAbGg==", - "21474836481": 
"hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "21474836482": "TB+NQaeDBXcImznyzXliCCTj/JeiWkz/CvSKyjTKGsC3tbheYJUt5GRuIrpXw0z5LJMQzj+QJplF1RgaAcrrww==", - "21474836483": "i7qdse6XArieZjALSqeqIGkRE81xuD4L/DIL8HLOFA8hOiqBf7rPE332X13INvZPE3GQ5Cl5H5Dqw/0UaFELdw==", - "25769803777": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "25769803778": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "25769803779": "Dz445J1lxYao8AgWtnBAr/79H+B6Xj+uUBpAiuRyoGU+nXqj7rriTnLjfKC65NCnKJeRAsUyWNqmNNZHB68ZkA==", - "25769803780": "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==", - "25769803781": "t4Bcwj/bdszho5mvVZopGJe4YkPYmcXOPSCPLU92uWW15kOZaZze0yVkR21osnplqLtuS8XJ38iGPpA0cXqD8g==", - "30064771073": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "30064771074": "TB+NQaeDBXcImznyzXliCCTj/JeiWkz/CvSKyjTKGsC3tbheYJUt5GRuIrpXw0z5LJMQzj+QJplF1RgaAcrrww==", - "30064771075": "i7qdse6XArieZjALSqeqIGkRE81xuD4L/DIL8HLOFA8hOiqBf7rPE332X13INvZPE3GQ5Cl5H5Dqw/0UaFELdw==", - "34359738369": "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==", - "34359738370": "fLikDuPp8Y5/ZnZ5U/vUwSFIoImYcYmI+rbJa7BkHECgAfqRI1orbW7TLX/qzOB8WN0MVv1uculwNeFWkbjfNA==", - "34359738371": "Az9uFsFzwQ9tcis7ibdcd+fBB0ea2Vp4oxB8/mM2OX7vfC/27GptT89qxhZh5JyEEmnkPpnoiU5ni73iKsGoig==", - "38654705665": "fLikDuPp8Y5/ZnZ5U/vUwSFIoImYcYmI+rbJa7BkHECgAfqRI1orbW7TLX/qzOB8WN0MVv1uculwNeFWkbjfNA==", - "38654705666": "Wn4RjbkUW0KSh3NXlLS4ErrfpSM4xTjUejFxwfIXgJemYj/Pw+CZZcCfnNVLZWYYtSa2WJvV43cekHUmoPpNtw==", - "38654705667": "Wn4RjbkUW0KSh3NXlLS4ErrfpSM4xTjUejFxwfIXgJemYj/Pw+CZZcCfnNVLZWYYtSa2WJvV43cekHUmoPpNtw==", - "38654705668": "5BhZ4hYHtEyc5vJr4o8i3sU8FdjQQ5Pv4j7GekD6JLaDOCSWcyBkEw+IDPzpPGSGICEURXI3aE/EQVpLXklASw==", - "38654705669": 
"Qz3MJbj76jrugm4pSPc1d1fMbMrAYUiHM5uQnACJux+WXFwfVU2naifDbv+Dx3ZAm3jKagP+c9AVCmkwNUYMAQ==", - "42949672961": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "42949672962": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "42949672963": "SBF1ZOxQkb7FFeor5nyf0iji6ARveYQofSBvETrQsafPdf1CBVlXN3MQO5MAas4ZijvBdbR3LpeoCgRjEBvoNw==", - "42949672964": "fc1e6Q4WNFs2RkJj2h5ZwGfKup+IBS2Er8/maZSku23Eqox0xIzBFd/RcHn8nOwhQqf6Zxle0YolRvninIi1qA==", - "42949672965": "h3Smksu3S/QS8l8dnrgKzx0FXmmL/pmtF/QnkG9RvNU1s0hiPfYGCW0FGoCJIFjNCVXE+JdwtxOzrHoOC3I/Jw==", - "4294967297": "OKi/iZP7wo/fuvUH/c6xysWmY1T1poaU7IhwU81/pBMLaV2ZG7Yw9Qbf+a8cWWxc5O2lEaHqPg/px0+jfqwf7A==", - "4294967298": "qE4Is9OxelTav2HX6Te/oIeYp2Y3tvk/tE1EjSxTilC/NFe5mrl/zCiBdTtWh/95vDwfbEIHTzv+Tv9qKy5zUw==", - "4294967299": "HuN+foIL+k0qheRwrqrx5iYqbLZMLiqFVTHcfpGArr05ID6RaEtqOTTjNRBYC7IhRri+dRhEHV5mLoh2M0NFqA==", - "4294967300": "8peH3pZErOIzrcrvnN/i39IfLoYOUFv8hlelf8k6CNDcfy1sjC6X4vZbuqgF0tCgZ92pakdeEDq2u1qxtIUOlw==", - "4294967301": "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==", - "4294967302": "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==", - "4294967303": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "4294967304": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "4294967305": "Dz445J1lxYao8AgWtnBAr/79H+B6Xj+uUBpAiuRyoGU+nXqj7rriTnLjfKC65NCnKJeRAsUyWNqmNNZHB68ZkA==", - "4294967306": "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==", - "4294967307": "9kp3T3CiCWFEc5XZ/0kEM4M6jmPORuT9qgYG32OzCEjZB9YJVDSs+RqKkJzCXub0xKildQYQ84W4D0TGNK7bGQ==", - "4294967308": "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==", - "47244640257": 
"hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "47244640258": "TB+NQaeDBXcImznyzXliCCTj/JeiWkz/CvSKyjTKGsC3tbheYJUt5GRuIrpXw0z5LJMQzj+QJplF1RgaAcrrww==", - "47244640259": "AMb5gzjz98F2SKQp85pu/QVbnFfomibIj7FaFoGMW6DXPA9hGy8bQJoJwRXQ3zNnBk7iePjTGxLRSDXPcObY9Q==", - "51539607553": "fc1e6Q4WNFs2RkJj2h5ZwGfKup+IBS2Er8/maZSku23Eqox0xIzBFd/RcHn8nOwhQqf6Zxle0YolRvninIi1qA==", - "51539607554": "VdeOF/kN4eIorvKFKgDen+IaN6ZXebQWgxQTIqow6Zudqn6zFl5lftKDsgCgmJiNWlh0SfLLJm101PvbBxReQw==", - "51539607555": "0Fh+Phs1maWZgEk0J9nry7SIMAR39D7S1lEUXE8cFuKWU4+FqVwYU4t6IPr5OpbWPWVsA8rHit0cyvH0C6j6sw==", - "55834574849": "VdeOF/kN4eIorvKFKgDen+IaN6ZXebQWgxQTIqow6Zudqn6zFl5lftKDsgCgmJiNWlh0SfLLJm101PvbBxReQw==", - "55834574850": "QfycnoNGfVZkxVdT5Gn/I3IXt5GiEjQ3481zi2vj8uBjyZITnYaxUIBiCSSMu2DHVc14CYzeSjyaWJFDuT9n5A==", - "55834574851": "QfycnoNGfVZkxVdT5Gn/I3IXt5GiEjQ3481zi2vj8uBjyZITnYaxUIBiCSSMu2DHVc14CYzeSjyaWJFDuT9n5A==", - "55834574852": "5BhZ4hYHtEyc5vJr4o8i3sU8FdjQQ5Pv4j7GekD6JLaDOCSWcyBkEw+IDPzpPGSGICEURXI3aE/EQVpLXklASw==", - "55834574853": "nsvh2b8JjPwS2EJrSJhSjmZ+Be6KVfUUTvFbvUvlG6QVdnhtOjE2kYhV2TXFrJwbCW0IZixXg6Zl/ywq06VGlQ==", - "8589934593": "HuN+foIL+k0qheRwrqrx5iYqbLZMLiqFVTHcfpGArr05ID6RaEtqOTTjNRBYC7IhRri+dRhEHV5mLoh2M0NFqA==", - "8589934594": "420XfyP5pfgdnswHdMA06Yo5Y/GIap1bi9Gb7sCBo7QEi9UNWpcCpEXcx4bNdxEsuPTYJw8OjMfBcFKf98E1/g==", - "8589934595": "SpVh09vyUXhDb/dRbCtYuyE1Tfv4RGMlmza0FlkUCgaztIVr6Pj7KjjD0PnvcxLRfCqpeTI7wjuXz5nXyMtHKA==", - "8589934596": "RJlsr8JGb6Q1ztXObo1VOlZ66hVP6qOwxMmrfkV3hyrMGeqo8DqCSHd9zsn3epkApUM+TTTy4ctwC+kD/Zk0MQ==", - "8589934597": "nIEnr+rzI0N+iZk0PLKcMHVeo1T6C/yiZsWQnF+ApjI+sEnAyi11cErGtAbFUCWpmGg63eToNwX0NsAyxkQTQg==", - "8589934598": "GWeS/870XqOpz8ezlweTOjHfrJTTcpjCa2ffVO9fcCmCE8eiMdsg7r/BeJ0M5SFl4nTq4AL/NSHNWlzQovvgVA==" - } - }, - "source": "pam.conf.entries[\"/etc/pam.d/su\"].where(pamType == \"auth\" \u0026\u0026 module == \"pam_wheel.so\").any(options.contains(\"use_uid\"))\nif( 
groups.where( name == \"wheel\" ).list != [] ) {\n groups.where( name == \"wheel\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n} else {\n groups.where( name == \"sudo\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n}\n# To assert a specific user list, you can use a query like:\n# groups.where( name == \"wheel\" ).list { members{ name == /ec2-user|root/} }\n# where the list of users is pipe separated like \"ec2-user|root\"\n", - "labels": { - "labels": { - "0Fh+Phs1maWZgEk0J9nry7SIMAR39D7S1lEUXE8cFuKWU4+FqVwYU4t6IPr5OpbWPWVsA8rHit0cyvH0C6j6sw==": "members", - "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==": "[].any()", - "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==": "if", - "AMb5gzjz98F2SKQp85pu/QVbnFfomibIj7FaFoGMW6DXPA9hGy8bQJoJwRXQ3zNnBk7iePjTGxLRSDXPcObY9Q==": "name == \"sudo\"", - "Az9uFsFzwQ9tcis7ibdcd+fBB0ea2Vp4oxB8/mM2OX7vfC/27GptT89qxhZh5JyEEmnkPpnoiU5ni73iKsGoig==": "members", - "GWeS/870XqOpz8ezlweTOjHfrJTTcpjCa2ffVO9fcCmCE8eiMdsg7r/BeJ0M5SFl4nTq4AL/NSHNWlzQovvgVA==": "pamType == \"auth\" \u0026\u0026 \u003cref\u003e", - "QfycnoNGfVZkxVdT5Gn/I3IXt5GiEjQ3481zi2vj8uBjyZITnYaxUIBiCSSMu2DHVc14CYzeSjyaWJFDuT9n5A==": "name", - "Qz3MJbj76jrugm4pSPc1d1fMbMrAYUiHM5uQnACJux+WXFwfVU2naifDbv+Dx3ZAm3jKagP+c9AVCmkwNUYMAQ==": "name == \u003cref\u003e", - "Wn4RjbkUW0KSh3NXlLS4ErrfpSM4xTjUejFxwfIXgJemYj/Pw+CZZcCfnNVLZWYYtSa2WJvV43cekHUmoPpNtw==": "name", - "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==": "pam.conf.entries[/etc/pam.d/su].where.where", - "h3Smksu3S/QS8l8dnrgKzx0FXmmL/pmtF/QnkG9RvNU1s0hiPfYGCW0FGoCJIFjNCVXE+JdwtxOzrHoOC3I/Jw==": "groups.where.list", - "hZ8ywLpd0w35gR1ipfVYqjGYFoMkLbfvzqeFEkNQ+JnYmvz0/OxEwKZghJlGmzm35ayNT1zqMgjItaH7onT87w==": "[].contains()", - "i7qdse6XArieZjALSqeqIGkRE81xuD4L/DIL8HLOFA8hOiqBf7rPE332X13INvZPE3GQ5Cl5H5Dqw/0UaFELdw==": "name == \"wheel\"", - 
"nsvh2b8JjPwS2EJrSJhSjmZ+Be6KVfUUTvFbvUvlG6QVdnhtOjE2kYhV2TXFrJwbCW0IZixXg6Zl/ywq06VGlQ==": "name == \u003cref\u003e", - "o5XN0ZB4WMo4DewXzzjYpxyaJ9P39su271Xvp1N1oYBFyGwEDiHOsps8uYy7elOGH5/CD4+cXnPfG69gnnAbGg==": " == \u003cref\u003e", - "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==": "groups.where.list", - "t4Bcwj/bdszho5mvVZopGJe4YkPYmcXOPSCPLU92uWW15kOZaZze0yVkR21osnplqLtuS8XJ38iGPpA0cXqD8g==": "groups.where.list" - } - }, - "props": { - "MondooSudoGroup": "\u0008" - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "IlhV0oVPhJk=": { - "query": "service(\"dovecot\").enabled == false\nservice(\"dovecot\").running == false\n", - "checksum": "fB/7WCWvB+M=", - "datapoints": [ - "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==", - "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==", - "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==", - "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==" - ], - "code": { - "code_v2": { - "id": "IlhV0oVPhJk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "ZG92ZWNvdA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "ZG92ZWNvdA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 
4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "VU/jvpLZAGvaLPJJV/6rrNsnpk1C9p3ePZdYYm5DtA9+iVzy8jBgHAnu55aEjLcYq5inWfrW9URisucB7LnMSA==", - "4294967298": "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==", - "4294967299": "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==", - "4294967300": "VU/jvpLZAGvaLPJJV/6rrNsnpk1C9p3ePZdYYm5DtA9+iVzy8jBgHAnu55aEjLcYq5inWfrW9URisucB7LnMSA==", - "4294967301": "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==", - "4294967302": "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==" - } - }, - "source": "service(\"dovecot\").enabled == false\nservice(\"dovecot\").running == false\n", - "labels": { - "labels": { - "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==": "service.running", - "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==": "service.running == false", - "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==": "service.enabled", - "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==": "service.enabled == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "JIe+57K3g/w=": { - "query": "users.where( name == \"root\" ).list { gid == 0 }\n", - "checksum": "IO/zM3tBKzU=", - "datapoints": [ - "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==" - ], - "code": { - "code_v2": { - "id": "JIe+57K3g/w=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { 
- "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001busers", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - } - ], - "entrypoints": [ - 4294967301 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cm9vdA==" - } - ], - "binding": 8589934594 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "gid", - "function": { - "type": "\u0005", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 12884901890 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - } - ], - "checksums": { - "12884901889": "yfhDwkrWsSDQyT0DZR0Gb+WRVF6TlHvZlm5SdIU1YJgSYEERGutcwM1bXnDRGfYRd9zaNJEbuZtapJDYkBJb3Q==", - "12884901890": "aBOtIXBPoe9nWUDBl9sr+N5w+QLjyg8Vsr5dDM1hapmEyb4hX9KM2Q87iKM2mFWBHve+BMe/lARHrXwwyfvOxA==", - "12884901891": "ytOUfV4UyOjY0C6HKzQ8GcA/hshrh2ahRySNG41RbFt3TNNf+6gBuHvs2hGTNDPUZR/oN8WH0QFIYYm/Vj3pGQ==", - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": 
"PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "rd1ECm3SGP7C8IsoIPOsXzDN4uvG7NLAMuDBEYhQ58JBbFd6ZizTVIAO5k/PUtaQ0jhwo26WQpUP2xhAvZ9spQ==", - "4294967300": "yfhDwkrWsSDQyT0DZR0Gb+WRVF6TlHvZlm5SdIU1YJgSYEERGutcwM1bXnDRGfYRd9zaNJEbuZtapJDYkBJb3Q==", - "4294967301": "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==", - "8589934593": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "8589934594": "aLOs60Bp+9XAh+qeKj3wkHCOG2MJ1sctbsELR4mqoTDIaWwIL8mpSwMxgZw73uVkh6FiV12I/8sT9UJdyIvNXA==", - "8589934595": "U589bJpf8u7c2pIN5qJ8xXFBubZEtQ0eYU9C6g87/lGZLkVD02X5DgroJF082O0ek5tt6Q05chLymT/4nE8Zfg==" - } - }, - "source": "users.where( name == \"root\" ).list { gid == 0 }\n", - "labels": { - "labels": { - "U589bJpf8u7c2pIN5qJ8xXFBubZEtQ0eYU9C6g87/lGZLkVD02X5DgroJF082O0ek5tt6Q05chLymT/4nE8Zfg==": "name == \"root\"", - "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==": "users.where.list", - "ytOUfV4UyOjY0C6HKzQ8GcA/hshrh2ahRySNG41RbFt3TNNf+6gBuHvs2hGTNDPUZR/oN8WH0QFIYYm/Vj3pGQ==": "gid == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Kd0nC0U7dfs=": { - "query": "if (file(\"/etc/group-\").exists) {\n file(\"/etc/group-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "J2IUVszkgYg=", - "datapoints": [ - "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==" - ], - "code": { - "code_v2": { - "id": "Kd0nC0U7dfs=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { 
- "type": "\u0007", - "value": "L2V0Yy9ncm91cC0=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9ncm91cC0=" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_readable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - 
"binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901903 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901908 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901909 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907, - 12884901910 - ] - } - 
], - "checksums": { - "12884901889": "lMwGAQBDcE4AaOkJSGDEIim9laiZNnT5tlySheKsDDzi0n5flFidmKWAlj1DHvmoSgrRS3mF1UOGu7u9z06RCg==", - "12884901890": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901891": "Df76xaVD+GFSxBkELrgRCRPmC8dGYKZ2a0G6xOr9QgP6L2UcRceUDjevYypxDL8yHV+OJv/YUd5PeucdBH8/kQ==", - "12884901892": "sXY88/8z6GFGA+APMdzkmeGonHgoyyAdQfIJspyPnLyLMyLynMr9Umom/mBzs+lH5Ujfr6kY5qm8OP5n7YRwzg==", - "12884901893": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901894": "ulxglDOxsJX2VX0QK8GkAQDe9Q6JqhkYaFjUatsswGe3NdK7pXIhwU0zWn7ueXUUnNLSagdP6JVHvLwG/KBD5A==", - "12884901895": "mJjdh3msCoEM6whx4fB8q6weex1iAyJRCYsuV2U/Ko5ByYVnA7pInX0LLPnbcaAlpg1+0N20Afh3B5ZcTH3XPw==", - "12884901896": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901897": "E600qpnwvQv7JqSPMook4to3ifmk8Yv+RC8ej/qquDZywkrBArsLZOXs+9Xt7+3zwmYcvz94HcTmA153UWiI7g==", - "12884901898": "CeR3ALOhQCiPEZUyBpm8HsBcuoPuzRff77XEG4Qy2ABc7kH+p08QoyTWllM++rQ8gj560p+J/jUnsBJDxJZ87w==", - "12884901899": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901900": "DPIcY9Gwp14cliRF5ZX2uUu6LZBKB6gwclhfjxqgoMGmaAwmaSkMIK9Wl5VCfwZ6/7Pf6xaniRHCaCP9EFU3oQ==", - "12884901901": "JCwHI5yV/EcpG2Q+uwOhdQROlBDwFM4815yNUXfhZHes+4oaiXseSzH7Pjv2dvj9/udENUhOQopFlzFWsj6Q7A==", - "12884901902": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901903": "vNz/SbciWriPGYNiMxLp6lOxgIaiFG7+NekLs17Nng7YlDsLgxJlADT14xZBpauZCf/V9wqDTE7iq6I7BUu2ZA==", - "12884901904": "w51bPOWfXCFdsYMzBzclLic89nbXKN63iKbFxUxDF+AacpUmPOTxusDN/836WzmmYmK9KK1KvIKFBJf5YtOl9A==", - "12884901905": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901906": "MF5F9AzapMELQibHcx5vddVUdrURzbdUoIWmZO5B5fk6tRL3j6tznfA9skHj3MVKkjk9ykMIsKE9M2NvSbMUCA==", - "12884901907": 
"zYc3XCZ5mTROndMS4qMgClHpfQ9dsWss/4VvNVNmqBkyTZUetIhdkGiWvDB81xGOn8Gag2q4Rqbty9t8QUNy4A==", - "12884901908": "gA7uU0hFzga8YTdepuc3a7HYZbhAynVAjUoHBI6F6VC4UWz5fib/TEBsIT3pp9LRNoUoV0X5SdryvXaOCOzSyA==", - "12884901909": "QN460uWP4S//0iDDoSIRTf3Nx8H+aHor1SSttfGL+chRSwzpKrxDS2KTRnjhLdZhjHbuOlGxbV061EFYFiLGrg==", - "12884901910": "U0z00NpVJB4jfdP6xnW7hMbuemGcPtEEa7ezr4HWzsst64Y/TOLifvgTVku6H7xPovz8L3DFolXOA/bty0zdsw==", - "4294967297": "lMwGAQBDcE4AaOkJSGDEIim9laiZNnT5tlySheKsDDzi0n5flFidmKWAlj1DHvmoSgrRS3mF1UOGu7u9z06RCg==", - "4294967298": "8i2gIQ90RZD0R/m4hCypdhkJHuw2eyJOTswzMriZ/ruhNHpUVhVk3JxtAuZVUyuE4Q7xyiM/nfCQYBtn2LeDIA==", - "4294967299": "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==", - "8589934593": "lMwGAQBDcE4AaOkJSGDEIim9laiZNnT5tlySheKsDDzi0n5flFidmKWAlj1DHvmoSgrRS3mF1UOGu7u9z06RCg==", - "8589934594": "nejEMwnyzoC+DWwlUCNzNFDDHajwUeUUGwR+EozGbRxV8cRAFhdjAMrZgiZyf4eKK6qh6/vt1HUkHG77NeP2yQ==" - } - }, - "source": "if (file(\"/etc/group-\").exists) {\n file(\"/etc/group-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "CeR3ALOhQCiPEZUyBpm8HsBcuoPuzRff77XEG4Qy2ABc7kH+p08QoyTWllM++rQ8gj560p+J/jUnsBJDxJZ87w==": "permissions.group_writeable == false", - "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==": "if", - "JCwHI5yV/EcpG2Q+uwOhdQROlBDwFM4815yNUXfhZHes+4oaiXseSzH7Pjv2dvj9/udENUhOQopFlzFWsj6Q7A==": "permissions.group_executable == false", - "U0z00NpVJB4jfdP6xnW7hMbuemGcPtEEa7ezr4HWzsst64Y/TOLifvgTVku6H7xPovz8L3DFolXOA/bty0zdsw==": "permissions.other_executable == false", - "mJjdh3msCoEM6whx4fB8q6weex1iAyJRCYsuV2U/Ko5ByYVnA7pInX0LLPnbcaAlpg1+0N20Afh3B5ZcTH3XPw==": "permissions.group_readable == false", - 
"nejEMwnyzoC+DWwlUCNzNFDDHajwUeUUGwR+EozGbRxV8cRAFhdjAMrZgiZyf4eKK6qh6/vt1HUkHG77NeP2yQ==": "file", - "sXY88/8z6GFGA+APMdzkmeGonHgoyyAdQfIJspyPnLyLMyLynMr9Umom/mBzs+lH5Ujfr6kY5qm8OP5n7YRwzg==": "permissions.user_executable == false", - "w51bPOWfXCFdsYMzBzclLic89nbXKN63iKbFxUxDF+AacpUmPOTxusDN/836WzmmYmK9KK1KvIKFBJf5YtOl9A==": "permissions.other_readable == false", - "zYc3XCZ5mTROndMS4qMgClHpfQ9dsWss/4VvNVNmqBkyTZUetIhdkGiWvDB81xGOn8Gag2q4Rqbty9t8QUNy4A==": "permissions.other_writeable == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "KehuxCXphps=": { - "query": "kernel.parameters['net.ipv4.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_source_route'] == 0\n", - "checksum": "GLS/+UG3roY=", - "datapoints": [ - "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==", - "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==", - "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==", - "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==", - "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==", - "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==", - "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==", - "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==" - ], - "code": { - "code_v2": { - "id": "KehuxCXphps=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - 
"args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwuYWNjZXB0X3NvdXJjZV9yb3V0ZQ==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU=" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967305 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5hbGwuYWNjZXB0X3NvdXJjZV9yb3V0ZQ==" - } - ], - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU=" - } - ], - "binding": 4294967310 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967311 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304, - 
4294967308, - 4294967312 - ], - "datapoints": [ - 4294967299, - 4294967303, - 4294967307, - 4294967311 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==", - "4294967300": "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==", - "4294967304": "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==", - "4294967305": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967306": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967307": "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==", - "4294967308": "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==", - "4294967309": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967310": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967311": "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==", - "4294967312": "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==" - } - }, - "source": "kernel.parameters['net.ipv4.conf.all.accept_source_route'] == 
0\nkernel.parameters['net.ipv4.conf.default.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_source_route'] == 0\n", - "labels": { - "labels": { - "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==": "kernel.parameters[net.ipv4.conf.default.accept_source_route]", - "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==": "kernel.parameters[net.ipv4.conf.all.accept_source_route] == 0", - "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==": "kernel.parameters[net.ipv4.conf.default.accept_source_route] == 0", - "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==": "kernel.parameters[net.ipv6.conf.default.accept_source_route]", - "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==": "kernel.parameters[net.ipv6.conf.default.accept_source_route] == 0", - "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==": "kernel.parameters[net.ipv4.conf.all.accept_source_route]", - "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==": "kernel.parameters[net.ipv6.conf.all.accept_source_route]", - "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==": "kernel.parameters[net.ipv6.conf.all.accept_source_route] == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "LxiiosuqdEw=": { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"ForwardToSyslog\"] == \"yes\"\n}\n", - "checksum": "gTykO2QNN9Q=", - "datapoints": [ - "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==" - ], - "code": { - "code_v2": { - "id": "LxiiosuqdEw=", - "blocks": [ - { - "chunks": [ - 
{ - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "sections", - "function": { - "type": "\u001a\u0007\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u001a\u0007\u0007", - "args": [ - { - "type": "\u0007", - "value": "Sm91cm5hbA==" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "Rm9yd2FyZFRvU3lzbG9n" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "eWVz" - } - ], - "binding": 8589934596 - } - } - ], - "entrypoints": [ - 8589934597 - ] - } - ], - "checksums": { - "4294967297": "l3sxgiTYcAto50UNy+D684uigPx/G30b7SG/TWHLjH+jXQD4FWgvImzrlMz7n5EQSF9XOqSyUVabvTtb2fkmig==", - "4294967298": "hyKZR+nZQdqGesYFceMXztsluQuJfHBH1w+ZuVGc2YtJPyXf1ucl93BWKMdIlXyfP+iCKqtAgBBDFi6bZs9GTg==", - "4294967299": "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==", - "8589934593": 
"VkFIYHwLWA2DN+cGp2/nva3JpKEuj+ekzZ7e4Cy3zfltZm0aULkKY1/7Qb9o6/kTEdIE4P/HDgJGeUqDxRn/zQ==", - "8589934594": "q4O50spt2INk/0CEDeRESLie7000Xsd0lukCdNJc5IAz1lp0/nnsU2LsCxSShL++e6RRxgUSIU5e1WzU82S+aw==", - "8589934595": "YLk+U8kFCMJXfWriUOowuBOIXxQGWS9or5z8DS/BwTT3QpLwTJj8BtrR9KDsdJYXUkgMxVh1dMr5lo/Wmu7LpQ==", - "8589934596": "jkbH3mwBOgCIvXMYjFs11zP3KouUHn2jgOD2QMJh+uyaG5Jy6r+4Te+GRIB4yyUqlKQiV3jO5atv7EurZzbm/A==", - "8589934597": "Pk79jm7hPLr5syOVY0kXbExfo2nEznLhaWeY+KKrLm+nqGS8fKz2+T0dDnevbky36P0QvX2h06kfZdTTcMtH7w==" - } - }, - "source": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"ForwardToSyslog\"] == \"yes\"\n}\n", - "labels": { - "labels": { - "Pk79jm7hPLr5syOVY0kXbExfo2nEznLhaWeY+KKrLm+nqGS8fKz2+T0dDnevbky36P0QvX2h06kfZdTTcMtH7w==": "parse.ini.sections[Journal][ForwardToSyslog] == \"yes\"", - "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "MCCspWdD2Vk=": { - "query": "service(\"cups\").enabled == false\nservice(\"cups\").running == false\n", - "checksum": "O/g9JdFLuVg=", - "datapoints": [ - "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==", - "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==", - "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==", - "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==" - ], - "code": { - "code_v2": { - "id": "MCCspWdD2Vk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "Y3Vwcw==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 
1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "Y3Vwcw==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "mmkBPyQqA7UKmkfkYJTtX/aYU/ginTy21zp3G2Vq6vkZsvq6RFB7pTyNOXmgs5LmXYmgRq3yp4pf9z5ttOFfpQ==", - "4294967298": "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==", - "4294967299": "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==", - "4294967300": "mmkBPyQqA7UKmkfkYJTtX/aYU/ginTy21zp3G2Vq6vkZsvq6RFB7pTyNOXmgs5LmXYmgRq3yp4pf9z5ttOFfpQ==", - "4294967301": "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==", - "4294967302": "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==" - } - }, - "source": "service(\"cups\").enabled == false\nservice(\"cups\").running == false\n", - "labels": { - "labels": { - "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==": "service.running == false", - "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==": "service.enabled", - "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==": "service.running", - "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==": "service.enabled == 
false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "MfV32r62IQE=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\,fchown\\,lchown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+lchown\\,fchown\\,chown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n}\n", - "checksum": "kI61cIM8IlQ=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==" - ], - "code": { - "code_v2": { - "id": "MfV32r62IQE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", 
- "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "mICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "oICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934609 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934610 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934612 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934613 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "rICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 8589934614 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934615 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934616 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "soCAgEA=" - } - ], - "binding": 8589934611 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934619 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934620 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "uoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 8589934621 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934622 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934623 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": 
"\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934625 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934626 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "xoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934627 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934628 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934629 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "zICAgEA=" - } - ], - "binding": 8589934624 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934632 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934633 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "1ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934634 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934635 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934636 - } - }, - { - "call": 1, - "id": 
"file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934638 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934639 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "4ICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - } - ], - "binding": 8589934640 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934641 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934642 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "5oCAgEA=" - } - ], - "binding": 8589934637 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934645 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934646 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "7oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAC" - } - ], - "binding": 8589934647 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934648 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" 
- } - ], - "binding": 8589934649 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934651 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934652 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "+oCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAD" - } - ], - "binding": 8589934653 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934654 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934655 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "gIGAgEA=" - } - ], - "binding": 8589934650 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934658 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934659 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iIGAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAD" - } - ], - "binding": 8589934660 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934661 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - 
"type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934662 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934664 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934665 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "lIGAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAD" - } - ], - "binding": 8589934666 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934667 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934668 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "moGAgEA=" - } - ], - "binding": 8589934663 - } - } - ], - "entrypoints": [ - 8589934605, - 8589934618, - 8589934631, - 8589934644, - 8589934657, - 8589934670 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2NobW9kXHMrXC1TXHMrZmNobW9kXHMrXC1TXHMrZmNobW9kYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - 
"primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2NobW9kXCxmY2htb2RcLGZjaG1vZGF0XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPXBlcm1cX21vZA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2NobW9kXHMrXC1TXHMrZmNobW9kXHMrXC1TXHMrZmNobW9kYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2NobW9kXCxmY2htb2RcLGZjaG1vZGF0XHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPXBlcm1cX21vZA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAB" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803779 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2Nob3duXHMrXC1TXHMrZmNob3duXHMrXC1TXHMrZmNob3duYXRccytcLVNccytsY2hvd25ccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - 
"id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK2Nob3duXCxmY2hvd25cLGxjaG93blwsZmNob3duYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPVwtMVxzK1wtRlxzK2tleVw9cGVybVxfbW9k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2Nob3duXHMrXC1TXHMrZmNob3duXHMrXC1TXHMrZmNob3duYXRccytcLVNccytsY2hvd25ccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK2xjaG93blwsZmNob3duXCxjaG93blwsZmNob3duYXRccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPVwtMVxzK1wtRlxzK2tleVw9cGVybVxfbW9k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - } - ], - "binding": 42949672961 - } - } - ], - "parameters": 1, - "entrypoints": [ - 42949672963 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": 
"\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3NldHhhdHRyXHMrXC1TXHMrbHNldHhhdHRyXHMrXC1TXHMrZnNldHhhdHRyXHMrXC1TXHMrcmVtb3ZleGF0dHJccytcLVNccytscmVtb3ZleGF0dHJccytcLVNccytmcmVtb3ZleGF0dHJccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAC" - } - ], - "binding": 47244640257 - } - } - ], - "parameters": 1, - "entrypoints": [ - 47244640259 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWI2NFxzK1wtU1xzK3NldHhhdHRyXCxsc2V0eGF0dHJcLGZzZXR4YXR0clwscmVtb3ZleGF0dHJcLGxyZW1vdmV4YXR0clwsZnJlbW92ZXhhdHRyXHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPXBlcm1cX21vZA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAD" - } - ], - "binding": 51539607553 - } - } - ], - "parameters": 1, - "entrypoints": [ - 51539607555 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK3NldHhhdHRyXHMrXC1TXHMrbHNldHhhdHRyXHMrXC1TXHMrZnNldHhhdHRyXHMrXC1TXHMrcmVtb3ZleGF0dHJccytcLVNccytscmVtb3ZleGF0dHJccytcLVNccytmcmVtb3ZleGF0dHJccytcLUZccythdWlkXD5cPTEwMDBccytcLUZccythdWlkXCFcPTQyOTQ5NjcyOTVccytcLWtccytwZXJtXF9tb2Q=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAD" - } - ], - "binding": 55834574849 - } - } - ], - "parameters": 1, - "entrypoints": [ - 55834574851 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": 
{ - "type": "\u0008", - "value": "XihccyspP1wtYVxzK2Fsd2F5c1wsZXhpdFxzK1wtRlxzK2FyY2hcPWIzMlxzK1wtU1xzK3NldHhhdHRyXCxsc2V0eGF0dHJcLGZzZXR4YXR0clwscmVtb3ZleGF0dHJcLGxyZW1vdmV4YXR0clwsZnJlbW92ZXhhdHRyXHMrXC1GXHMrYXVpZFw+XD0xMDAwXHMrXC1GXHMrYXVpZFwhXD1cLTFccytcLUZccytrZXlcPXBlcm1cX21vZA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAD" - } - ], - "binding": 60129542145 - } - } - ], - "parameters": 1, - "entrypoints": [ - 60129542147 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "K6SxI3O+NPbJ2NUwJsWS5oObzWjvJsbVGoAGqNNEx7CzHvd8YbVBIRJFu0R69lrTJsaJfcyv2GvDmCuj7cA1pg==", - "12884901891": "+zPROtobBb0FoUZcYwaceyLuYAIc/OdU0uWCp7T7BQdlr+cW9oqWQEHzL1ys2lWBAD7UYBCt3mZZAqtrfnhZHA==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "LffMu6ikF9bpE4xKhav7fprF20t8XktUPt9EeS4wPhxCdY8NzWuVeMPhSova0ESSVOh6mtCezwniKqKuO4qLqw==", - "17179869187": "qdHmatSAXKxzNab+aN6wHLLXnnl617USPhyfOa6qLavpYFTYgJI0ryb9Wv+RZJfwbt4bFQBPzQgh2VqLU5ETCQ==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "DkUKasrkUc+rTR3MaHX/dyBIZe6B/MoI3MfYefJjQZkOKDe79rOoc+Bwdr2XQHEQBHdNdrNLXP3hz1JEeNSfpA==", - "21474836483": "uRFH5MFqf7cNmD8s4oezNsEQnnVD8e0NIHQp+tFfta5lqLTAXNTCjP9NpmnGFO/Wlk4B59KCF68Qms0xio7UxQ==", - "25769803777": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803778": "rAKdnB4ykcosPvGHev2Xausqtf7OW3j9q9FDUzq4ErZTeBjd5gJbqvt44MWiTPD9XvwvbH60OVnQOdsxu3Ponw==", - "25769803779": "6g8OroKRy6ow6/u2FBC0INTMx4Ueau8ZKt9P6ILjnqiJ03K2KLBaXdMDjwxBtOSchvnqorO8pndgRhgPrkRGTA==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": 
"ZDi/KDdkJF2V/yZl9fRPvAfKYkwPO4RnSC9lzauZH9O34LmGdcXJMSzuhwbpzRrmSmrSUiS2exA4kMry+R+3cg==", - "30064771075": "t+NDoj5mtdzjws19lFJ9+f9sxVR3iRLsZJpb6T3d7S2F+8wWfkgsoju9vWQKGUcUNqtHRfiohkcY2o4H0hgeIA==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "YTaXGEFQFaKgnH9jZjuGsYolGMiaOHqrAnW+rHLSwDbr+Tvan6biOyPL9Tlz7XrJqIGj7+3uPs7chX/RlUA7gA==", - "34359738371": "SFEhTWHMtLI7V5Bb/SLrPSXFGnG5rqGkWmfU9ztLu1VRz2uH7fPA0oLCtIaYLTdhYocZNL7bYdzt6XOLNkqd5Q==", - "38654705665": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "x9QnzrjwzyD6FqZsZJ85hsohPKsNpIkTnhnoqPsO7GE2eVerycQpViO1pd0LBVNXnvyviwoachjkqpofzRncMA==", - "38654705667": "wMw5nEzvlsThqADug5f0FGr/PioS05YaEipzWdK+UAt+AtZtP7mbM9a98eljcrqtxQrGOGz1+mzG3r+FcRhTFw==", - "42949672961": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "42949672962": "bWTw36sbyJfy6thMV9kDxBuAQrkytyMuiSIBNglyzZEitoBpCF/cQlGGYhht1v76JhjLv5poi+PO6yBy0fFxWQ==", - "42949672963": "FZu66MzpjdRHgQkCgRkx0Ttrm+MGIQDgqrvGJeKNQoiyFLMXcFyw91z/4YvLfnFee/Uk1PUD8lAO2X//NzH0Zg==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==", - "47244640257": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "47244640258": "Uuk5Eg7kT5nSvpjAS4UBMt0u2wIrX2fe2zyRo16u0yRuk9hHp7nkhRXtZV24lMMFW90Na4Uk5X0Rior6nr7cOg==", - "47244640259": 
"jvUtLH4O/2su2vYHFEZ8DGFwh8RUBdJ7AwuIA59ET8SGBcKrQJMtAxuv9QcFDYrmSwWPsviTVoia+N/whYMS3A==", - "51539607553": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "51539607554": "XIskAyEPOuhcSdKpXNACqkoZn7OB477XNnbc2eOw6DvJDyY0DGxv3dqI3A9Lm7g7R507Tam+nO8bc5TwxL0Lkg==", - "51539607555": "EQf4ootXretxr9QXJWbWOyFhU2eMdHHcCDJ7xUy268Ud9WCs71dWxPoEk4G20cr/Nr7exPlFDNNGdg7KsA2sMQ==", - "55834574849": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "55834574850": "ckdBmhUxbgr3OL1O5/nO8ubX8OQL8c5XqWalutEUOaiH2aK/fDY2E+JpMLWqcXiMV0+u3iBA5V1m4WjO7pXUYg==", - "55834574851": "S8Xzi740XhmzLNq/U4QIbTbsHSUY0RBZwTCKhGxskpZuYBgRXwG7x9GBx9z5QMGuCCEsCJG6OW+bHdLKCr/09Q==", - "60129542145": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "60129542146": "nf4NwsXYguFDVaCwi9GaB+RIM2dUfrroLhp7JBe8DwgSu/1VpvCRswFM1ItZCurNzM3Y7xxiP+wG2sVm0ndvsQ==", - "60129542147": "IoTmZVfoZ7gNtstELoj/zotQ5294/RjuaIJGTLJz2/xFd6Unuw/WjEHYjvd8Air+cT0g3wjvWf0WPye/4AzoOw==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "8vd51+YbTBOsbrlWMJ4kpNUaeWPf8DX0N+z4oHxsAUp4freIXnuO1kg2GnVM+2oxHomRZVnc9AjgoP3ROZfOBQ==", - "8589934597": "gPDcMibDxzJuc5bjuTgE+hRp/pjcyaYmGkmrZHf54ke2tjTBvSDzGESdToy+pLwBGQMuXUg3NelhHl8W1RLnsA==", - "8589934598": "HSXMXZrwy1CYKl6ROavZIodhjb1XMtm4l6OCMccXotkcu2eEb9fxhUHLaB93wRxy0/jarY/vfVYoILmoVi2KxA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "8oTz862ObCP32PgWr3pujVCcooWTrNtv46amoorOc6OyUEkNHNxrJr4Bodsqu4VpQQpNxWUqIHJBZCmurLg7Gg==", - "8589934603": "pUIto1HWqSRJeFPG3C+/5wW9mICBi6M56y8+/0peDix5FcFeEpFHeh1z2fDBDb8BlszlpqsQ2BhMmQEZEfaykQ==", - "8589934604": "+DWyxfvNYABUoDZaydpr08GKKFsz8OfKQl1Pc/TevdaHVvYLIBlXO8w9SAWjxrBPsRD52tdMSUlv/lJGZ6k3EQ==", - "8589934605": "Asp3PCdUsKc63tRa5M44XGZxStRtgrPRPxXwNOXa5uK2e4TKvLvDGuL5V4oOkTsL54PK5jnad4fHs/FdovOCNg==", - "8589934606": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934607": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934608": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934609": "HlLr/5Ln0PmkFgjO1Vmq2emxct5fIcnbB3ESsov63HyOB/EbyKIqVumsA3fco5wtZZFAVJ5bYg5rFAR7lLKQqw==", - "8589934610": "xJS70iGYy5dAwH+bhIijmSrfnBE6Eyzk+079ySQ3jM3a46L5y7T3j2p3tq/nHt8MNs4HAgUXGEVilZbCdAgNcA==", - "8589934611": "/rxBY5/SS0FnRHLbQo1OrCACYusTNqp9Ez1lKJp+IW3u09xaerFwzFxgFSaoQpkpNViEBuyD1webEBxz64tEOQ==", - "8589934612": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934613": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934614": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934615": "K6PuQMFQc30BiSwjQoR5RrrGhEFmeik7apN06kuKri3e1G1eHJBj3GpZN0aWcyY8A48dj1JpuirpTMJeqp+OKw==", - "8589934616": "mfCDu0/sfqtRSb5iKIfnE3uFqvE3HGlAXejkN9jmXYv9ghLc+EOd/Lq0oePFCYybXjNDvCRaF3JDsx8ce6Duig==", - "8589934617": "ExRqKbThWJq+4/cCiaEucB0q5rwB+yhF3fFn4MmT7u0YiTYb5/RQfSlwsE0hYYpCKOS8wwgu5YEB2KYoKNoJjA==", - "8589934618": "B/cHSy5d8Jv5wUxEWJ9CzU4tPDXAFzD2AbkFUmnxSryp0/jhDHs3tHTkgmkKZHQb61EqzOljzyYf9Th6v319yg==", - "8589934619": 
"Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934620": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934621": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934622": "iYuHZ6+7qMjkYOx1TUNOviVNQX9GEcC6u+kDBsNji8XnyUrlAyslqst6sD8hq0hEzKfe5LG7OeVgp3/AU5qnVA==", - "8589934623": "13puEDILcnQBZ11HcdbLk9tR2qpLIT62pz3/F8Jv7VkRo5pR00vYs/bX6uTMV6mU6ruwfAkdg8Pm5dlA1OaIKA==", - "8589934624": "eS06at/HN0ebTnx8CKGl2Ob8QfIjTD114DwskMFhWdpzYn4ph7hyahHgvjNQ+wZPNzxgaBuydVgNFlQ3cL4CTg==", - "8589934625": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934626": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934627": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934628": "gmlI/3zqAdXXiAucYwupBk/AV7P3f/8fb/cyaFU1/5smsyw0tWdnJAAgIL7hFlfiWuYopDeKy3c7qavB+JWFmA==", - "8589934629": "kTCB1CuDCDzSebJIOtbtZoZRAi1ldOkgNm4qTIV//JyBIFcQCiwD6KxA9Lq3aWsEKCqXeEP/JqybKZ6wf8oK8Q==", - "8589934630": "5sjWR8PASUuIOcMcXyidOh5YpmRCeK4NkMUdW3aavDH5p6wPEDMRtI7yogjC40Rrk1kKOjv8+TxAXKm6cqQuPQ==", - "8589934631": "WNHcwuiwcfz7bQusmMdwiUhNCrifBZSshNRvsfWgxXU4S+dqacESUWfDMaifDNaK0pGZyzcvdICPPRa5pwBPDA==", - "8589934632": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934633": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934634": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934635": "phgagySZrAo9AdPXj3ZWgoZufla07+GVgAh3RgW2E5sT62lOyUpiErt2zdA6+USfUXCKUzej9jjJ+FMIDeu70g==", - "8589934636": "pS1pE5/TN8fJg4LOn/dq/M+h8BlmHQfpMOCtDxpeVW5Lf+zk68jQNR23rnzjYnwL7FuiCswVxy140PFUJnOxmA==", - "8589934637": 
"kDdiZl57RtL0XgZOPkwWMfBRcNVswvYcD9IloSddbEXybrVPcCmrQw7R5SRMaWupuTSTrjQI0g5sQ0lOhkoDyw==", - "8589934638": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934639": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934640": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934641": "s53K1qj2Hrdzdmttyjqw+plkAYjefMN10Z1/eRidoZLX9iUIQhEpijoyQ5rlyHk310CDwqASftUFxq1BMI1miA==", - "8589934642": "pD4UxzJqy/XLr0yDYOttzBnCuWOPF16f2PiFRtxiIOZrO87f7D+LNz7JxnmspqQT/hGb9ebUS5YceEkCnF0qOQ==", - "8589934643": "TgVbznv/xHfBgNkIsLlI6FiBmYXxDBBsCSki8059GiPHBSs1KSoquvXrSIMGrJnaHB9rrEa5qDpHtGY2mmu4cw==", - "8589934644": "cV6HhJK0OULqZXoEY/jJV17pr2yVoSHYqyM+PhB16xZUv8zSd3GPE3+y+KcRmbh05GJRI631pOfte29Qo43Ofw==", - "8589934645": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934646": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934647": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934648": "mQBhE9cYsC5F/yTDEFsYGGdoZuwlLFX8RvVZV4GAJNNEqVIIUvOjvbRcxRc/9bd3IYevAe53t2JKX3cryYBbtA==", - "8589934649": "2FVhehpZ9vcFXWIpLLNnf+3o3tGwRuO8ZlxQZstgg5vt552WWW2ym8YVrXxEna2ybF2F2ROelz9YDLcxZ44N8w==", - "8589934650": "FoYOX2KRgSNalJyKgXLru32nRAdBRC3sDxgoFx9LqX/xZi2fkN3P2zflngwvCUcevsrjeB67JvFxbFjQ76VxAw==", - "8589934651": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934652": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934653": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934654": "9cBaG3du/s8D337WdzlVD+XJ5uDVHq8H53VFqjnU06RR8aN+1epRiLygBFBS5pHisV/zmlNZagpjSSnsAlGOyw==", - "8589934655": 
"KYAHM+QdH4ebbGoREMbc7Yom7rGUkl3F1qlq7wg3B0GgkX2f3aCxn2/l6zU7u2mtpmNOW5KbmgVwyu03blrfXw==", - "8589934656": "atb/lCDswbcqDLUA7yps33FvxLXlkQogsotcuL8E7GOHoT77w8k6XKTdjqXfQEb6ebQSMSCNVqxmpEiV5oPKSg==", - "8589934657": "W4JT1Ci8bUdaruQuUe7Faa87yMzrarlQMHLA+cEzlDSg77ktyyH9VxXBUcD9oBYnxUbU89X7yaI270pl8oBQqA==", - "8589934658": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934659": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934660": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934661": "eQQm5BHk5Dj2e56ahBF4G+uxIpLSjXWDR+2mzLqfjHiQKZvea1z9ZfvyQvYIjOUk1wEuu//RZHj885x+0sIxNA==", - "8589934662": "gtPZDiYDTAmQJ4uNW5y/BJwhb9MAc7zL5JSb9xEdiJ2dC+ni1TulFeVc0f1JNE0PjCNlbjK7Ri91t1bkmca+0A==", - "8589934663": "HWtVBv8uzOmgbl739ZQaBD5PzvVdrtOyj0q+2dEp8v9t96D0xew7lrWzaU+CMsaeA84hC/MTiWiZ93YuL3Z5iQ==", - "8589934664": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934665": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934666": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934667": "QsdkverM5CJZulnCL7Nzy9I0W2XFsogBgsxONAeTS3wVKWudFlTJhhdcUxbeJug+tt3o5giEPuc61wLr8A91xw==", - "8589934668": "/eTJsnWd+YNXbPPvc7cKn88pk91z6y2SePeeTKaSjph91DyexXyfgFrAGfirdqK8P6KOXce1mIiPyPdC+ly+XA==", - "8589934669": "RmZ3Y/vuZP2R7UNKOqo6lBhHIlCZJANipom+IneFHiI11pkfsYYYnEXOTaemJNSohW/fvt8406IpBw22FG9EHw==", - "8589934670": "9RBVll7dpsYP3/yPdrHaqSt1aSnQIzAS7vDrKiYhsKVgD1vD08ipValLEcWhU7AUtmz9dVH/53tDZVQW10PREA==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\,fchown\\,lchown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+lchown\\,fchown\\,chown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n}\n", - "labels": { - "labels": { - "+DWyxfvNYABUoDZaydpr08GKKFsz8OfKQl1Pc/TevdaHVvYLIBlXO8w9SAWjxrBPsRD52tdMSUlv/lJGZ6k3EQ==": "[].contains()", - "+zPROtobBb0FoUZcYwaceyLuYAIc/OdU0uWCp7T7BQdlr+cW9oqWQEHzL1ys2lWBAD7UYBCt3mZZAqtrfnhZHA==": " == \u003cref\u003e", - "/rxBY5/SS0FnRHLbQo1OrCACYusTNqp9Ez1lKJp+IW3u09xaerFwzFxgFSaoQpkpNViEBuyD1webEBxz64tEOQ==": "[].contains()", - "5sjWR8PASUuIOcMcXyidOh5YpmRCeK4NkMUdW3aavDH5p6wPEDMRtI7yogjC40Rrk1kKOjv8+TxAXKm6cqQuPQ==": "[].contains()", - 
"6g8OroKRy6ow6/u2FBC0INTMx4Ueau8ZKt9P6ILjnqiJ03K2KLBaXdMDjwxBtOSchvnqorO8pndgRhgPrkRGTA==": " == \u003cref\u003e", - "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==": "if", - "9RBVll7dpsYP3/yPdrHaqSt1aSnQIzAS7vDrKiYhsKVgD1vD08ipValLEcWhU7AUtmz9dVH/53tDZVQW10PREA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "Asp3PCdUsKc63tRa5M44XGZxStRtgrPRPxXwNOXa5uK2e4TKvLvDGuL5V4oOkTsL54PK5jnad4fHs/FdovOCNg==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "B/cHSy5d8Jv5wUxEWJ9CzU4tPDXAFzD2AbkFUmnxSryp0/jhDHs3tHTkgmkKZHQb61EqzOljzyYf9Th6v319yg==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "EQf4ootXretxr9QXJWbWOyFhU2eMdHHcCDJ7xUy268Ud9WCs71dWxPoEk4G20cr/Nr7exPlFDNNGdg7KsA2sMQ==": " == \u003cref\u003e", - "ExRqKbThWJq+4/cCiaEucB0q5rwB+yhF3fFn4MmT7u0YiTYb5/RQfSlwsE0hYYpCKOS8wwgu5YEB2KYoKNoJjA==": "[].contains()", - "FZu66MzpjdRHgQkCgRkx0Ttrm+MGIQDgqrvGJeKNQoiyFLMXcFyw91z/4YvLfnFee/Uk1PUD8lAO2X//NzH0Zg==": " == \u003cref\u003e", - "FoYOX2KRgSNalJyKgXLru32nRAdBRC3sDxgoFx9LqX/xZi2fkN3P2zflngwvCUcevsrjeB67JvFxbFjQ76VxAw==": "[].contains()", - "HSXMXZrwy1CYKl6ROavZIodhjb1XMtm4l6OCMccXotkcu2eEb9fxhUHLaB93wRxy0/jarY/vfVYoILmoVi2KxA==": "[].contains()", - "HWtVBv8uzOmgbl739ZQaBD5PzvVdrtOyj0q+2dEp8v9t96D0xew7lrWzaU+CMsaeA84hC/MTiWiZ93YuL3Z5iQ==": "[].contains()", - "IoTmZVfoZ7gNtstELoj/zotQ5294/RjuaIJGTLJz2/xFd6Unuw/WjEHYjvd8Air+cT0g3wjvWf0WPye/4AzoOw==": " == \u003cref\u003e", - "RmZ3Y/vuZP2R7UNKOqo6lBhHIlCZJANipom+IneFHiI11pkfsYYYnEXOTaemJNSohW/fvt8406IpBw22FG9EHw==": "[].contains()", - "S8Xzi740XhmzLNq/U4QIbTbsHSUY0RBZwTCKhGxskpZuYBgRXwG7x9GBx9z5QMGuCCEsCJG6OW+bHdLKCr/09Q==": " == \u003cref\u003e", - "SFEhTWHMtLI7V5Bb/SLrPSXFGnG5rqGkWmfU9ztLu1VRz2uH7fPA0oLCtIaYLTdhYocZNL7bYdzt6XOLNkqd5Q==": " == \u003cref\u003e", - "TgVbznv/xHfBgNkIsLlI6FiBmYXxDBBsCSki8059GiPHBSs1KSoquvXrSIMGrJnaHB9rrEa5qDpHtGY2mmu4cw==": "[].contains()", - 
"W4JT1Ci8bUdaruQuUe7Faa87yMzrarlQMHLA+cEzlDSg77ktyyH9VxXBUcD9oBYnxUbU89X7yaI270pl8oBQqA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "WNHcwuiwcfz7bQusmMdwiUhNCrifBZSshNRvsfWgxXU4S+dqacESUWfDMaifDNaK0pGZyzcvdICPPRa5pwBPDA==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "atb/lCDswbcqDLUA7yps33FvxLXlkQogsotcuL8E7GOHoT77w8k6XKTdjqXfQEb6ebQSMSCNVqxmpEiV5oPKSg==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "cV6HhJK0OULqZXoEY/jJV17pr2yVoSHYqyM+PhB16xZUv8zSd3GPE3+y+KcRmbh05GJRI631pOfte29Qo43Ofw==": "file.content.lines.where.length \u003e 0 || \u003cref\u003e", - "eS06at/HN0ebTnx8CKGl2Ob8QfIjTD114DwskMFhWdpzYn4ph7hyahHgvjNQ+wZPNzxgaBuydVgNFlQ3cL4CTg==": "[].contains()", - "jvUtLH4O/2su2vYHFEZ8DGFwh8RUBdJ7AwuIA59ET8SGBcKrQJMtAxuv9QcFDYrmSwWPsviTVoia+N/whYMS3A==": " == \u003cref\u003e", - "kDdiZl57RtL0XgZOPkwWMfBRcNVswvYcD9IloSddbEXybrVPcCmrQw7R5SRMaWupuTSTrjQI0g5sQ0lOhkoDyw==": "[].contains()", - "qdHmatSAXKxzNab+aN6wHLLXnnl617USPhyfOa6qLavpYFTYgJI0ryb9Wv+RZJfwbt4bFQBPzQgh2VqLU5ETCQ==": " == \u003cref\u003e", - "t+NDoj5mtdzjws19lFJ9+f9sxVR3iRLsZJpb6T3d7S2F+8wWfkgsoju9vWQKGUcUNqtHRfiohkcY2o4H0hgeIA==": " == \u003cref\u003e", - "uRFH5MFqf7cNmD8s4oezNsEQnnVD8e0NIHQp+tFfta5lqLTAXNTCjP9NpmnGFO/Wlk4B59KCF68Qms0xio7UxQ==": " == \u003cref\u003e", - "wMw5nEzvlsThqADug5f0FGr/PioS05YaEipzWdK+UAt+AtZtP7mbM9a98eljcrqtxQrGOGz1+mzG3r+FcRhTFw==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "N0L20kz+NNw=": { - "query": "groups.where( name == \"root\").list { members.length == 0 }\n", - "checksum": "+zGfPvA9WFc=", - "datapoints": [ - "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==" - ], - "code": { - "code_v2": { - "id": "N0L20kz+NNw=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": 
"\u0019\u001bgroup", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bgroups", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - } - ], - "entrypoints": [ - 4294967301 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cm9vdA==" - } - ], - "binding": 8589934594 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "members", - "function": { - "type": "\u0019\u001buser", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 12884901891 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892 - ] - } - ], - "checksums": { - "12884901889": "JQil8RuEAUqvSThHg+w7lLp6IHWKG19VQDB74rhLqzYNbKDLxabsSunEwp+ANtkx2gmW1/eP2CvKap5wcgV+KQ==", - "12884901890": "Ko3c4YCREbV2nFcesGGzgUJXPXm1E6De6YVZX8qyoII8WKdoZe6bVE/n5i24/P5lmq25Ckh++1bHbO5pVJeOnA==", - "12884901891": "wwcmIj2sFoaVArhB4m/lmixCunupwVeQn6FdX0SORNKQZMRdkLmr2aAErWQ28Y0bi0tnXjcT1IL2o3VIPt9gzA==", - "12884901892": 
"H+TlYlE9/O7h+IfPba8FdB7lpOko8ZenR9W6m8oOncMVQcd/BPCV6H6xIsgWLg/O5IMBXdfBTEpBOiJJlzE7GQ==", - "4294967297": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "4294967298": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "4294967299": "JOlDtj9le5/HG/IkV1yElHXl3usN9A43NfYSknycSKTd6q55qVMDamhX3Vq9xjqnW46DOu/bddYRsaO9zAAw6w==", - "4294967300": "JQil8RuEAUqvSThHg+w7lLp6IHWKG19VQDB74rhLqzYNbKDLxabsSunEwp+ANtkx2gmW1/eP2CvKap5wcgV+KQ==", - "4294967301": "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==", - "8589934593": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "8589934594": "TB+NQaeDBXcImznyzXliCCTj/JeiWkz/CvSKyjTKGsC3tbheYJUt5GRuIrpXw0z5LJMQzj+QJplF1RgaAcrrww==", - "8589934595": "9fN32Nz+DU8ehZ1F0R4RwYBh5xVS8QH3fz2OPSmq7ICcptZxU2QyzIzdlkKR/+6RdNp+zHtZQUR+l8tdIgiImw==" - } - }, - "source": "groups.where( name == \"root\").list { members.length == 0 }\n", - "labels": { - "labels": { - "9fN32Nz+DU8ehZ1F0R4RwYBh5xVS8QH3fz2OPSmq7ICcptZxU2QyzIzdlkKR/+6RdNp+zHtZQUR+l8tdIgiImw==": "name == \"root\"", - "H+TlYlE9/O7h+IfPba8FdB7lpOko8ZenR9W6m8oOncMVQcd/BPCV6H6xIsgWLg/O5IMBXdfBTEpBOiJJlzE7GQ==": "members.length == 0", - "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==": "groups.where.list" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "NoJQoV63siE=": { - "query": "service(\"rsyncd\").enabled == false\nservice(\"rsyncd\").running == false\n", - "checksum": "JuAwPJTcH50=", - "datapoints": [ - "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==", - "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==", - "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==", - 
"QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==" - ], - "code": { - "code_v2": { - "id": "NoJQoV63siE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnN5bmNk" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnN5bmNk" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "xxmKK6Nj2x3IjbC1qXP2Ol5GiqL2OO5FJN72mFvI3GR5szk/5ceRAJ7K9Mjo3ohU5o1/caz4g+JOZuvR+v0ttg==", - "4294967298": "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==", - "4294967299": "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==", - "4294967300": "xxmKK6Nj2x3IjbC1qXP2Ol5GiqL2OO5FJN72mFvI3GR5szk/5ceRAJ7K9Mjo3ohU5o1/caz4g+JOZuvR+v0ttg==", - "4294967301": "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==", - "4294967302": "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==" - } - }, - "source": "service(\"rsyncd\").enabled == 
false\nservice(\"rsyncd\").running == false\n", - "labels": { - "labels": { - "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==": "service.running", - "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==": "service.enabled", - "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==": "service.running == false", - "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==": "service.enabled == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "O1tAHbKLcI8=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/utmp\\s+\\-p\\s+wa\\s+\\-k\\s+session(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/wtmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/btmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "checksum": "DoXZPyPUV+Q=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==" - ], - "code": { - "code_v2": { - "id": "O1tAHbKLcI8=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - 
"type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934605 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "noCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934609 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604, - 8589934610 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9ydW5cL3V0bXBccytcLXBccyt3YVxzK1wta1xzK3Nlc3Npb24oXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": 
"XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL3d0bXBccytcLXBccyt3YVxzK1wta1xzK2xvZ2lucyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL2J0bXBccytcLXBccyt3YVxzK1wta1xzK2xvZ2lucyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "UAh1HY19O9785nzmVmGdVa6r0EmoSoW1FKru0fhBQLZzAvpXyqRhd3uYlFGgFYIl4F2fBM6+zrxaex8tVY6AhA==", - "12884901891": "nTrhui4XLVDhsbpuzIR4zWghB9K/huj0jVEiNwR7zwD09NQfp/zZurAcb/wkCCQVx7NtLitpWFbYbD1P6bBieg==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "J3k63j9HxayGKKZc0OvfhV0GQzAc8uiM90sfbj7KK35zIhGaj6Zlm2X4Xlk+7frdtcpfw91XTSMOhVO0CTT4ag==", - "17179869187": "45hWoeY3EtxZkh5tzwwEtimsFfFlAW21r1U4G6DPgTg2BDwFFGVBrBiiHcw/SIGsj0PBmSHDkIFQW3FujjDcqA==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "Iwm4tI408NOCu6+RwozlDi4CGkm31oA9hkHdDscsFcRbGoZaeEmNGDHtiTj79ZT//zbmVDkew6BIGYcDGhKRbQ==", - "21474836483": "EyCFpYuw2VPoOW5NNLynZwcSsGKCQSXT+Vq+E/YgEzgCBRjHaazCP94ymJoE37BbnjoxH1L1BGCr92w4F05/Mw==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": 
"c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "v4Ek+mvAiRaHITojYBoBNHdS1Pqxa8mVpzug6j58Xh/24lue66cuo/J2emtvlRIGHAxim0gJPP6x4v4RSkAOzw==", - "8589934597": "uIPLhcFgdqvBnH5XN/NXusE43/jdVJVnCWXF51JuDmG0QuBB+d89AA5FO1HPXmjjCqXhhEknAvDgo1cGpSTqKg==", - "8589934598": "x1/tq4aWzEz3+GRAOpYHqExzSjhb10pxZYyAVAU46GIdukkaCvHV931s666azujtYYQ7pzzYaALKuqTMVuqg7A==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "MRTc6GKSEuPTQ9XtGSz/nL0P8fBNXfpjfn5Fk1gBe4BdPJgpMei9np4w9yE2PzXIGPSBYNQSa4coPmkjZV++MQ==", - "8589934603": "Rrtr+kWikbukOV3+lyG/TyyocRuHGBCPRjzQtnLC/IwRfPG6XxgIu4kHcQvzcvL+k8bdzEaxCySxia89O8R/kg==", - "8589934604": "H6e3E0U+9/B+GhoQu0/LmnnUL2maN3pG1KblurVQ4rFBJGD0Cw46WoB40IeqLRmliP4heLBCKrWrGens/WwHUg==", - "8589934605": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934606": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934607": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934608": "GbR+xX7wEN4ClUoBhNFMB6h4flcyNsS7aPOy8F+QlmHilfgyq5NC/HadsyU6BCghIDtCtzdrHoZ65JmoPUDgdQ==", - "8589934609": "BS3YJ2GCVkYpAEWhUo4mP8KM0Snv2ftKJZfWSsi+7GHKnPrd1GbWMooc6FwnOO/JB1lShe4P5ajo5aoDkhSkKQ==", - "8589934610": "L7jzYxy60oQrghX3Ud1jR/+LV5P9XxIy9XcCDe3yzRDAyfb4pSu0mVsdD9jEjFEUzVVKC8PnjLi1HThfFt9Ycg==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/utmp\\s+\\-p\\s+wa\\s+\\-k\\s+session(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/wtmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/btmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "45hWoeY3EtxZkh5tzwwEtimsFfFlAW21r1U4G6DPgTg2BDwFFGVBrBiiHcw/SIGsj0PBmSHDkIFQW3FujjDcqA==": " == \u003cref\u003e", - "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==": "if", - "EyCFpYuw2VPoOW5NNLynZwcSsGKCQSXT+Vq+E/YgEzgCBRjHaazCP94ymJoE37BbnjoxH1L1BGCr92w4F05/Mw==": " == \u003cref\u003e", - "H6e3E0U+9/B+GhoQu0/LmnnUL2maN3pG1KblurVQ4rFBJGD0Cw46WoB40IeqLRmliP4heLBCKrWrGens/WwHUg==": "[].contains()", - "L7jzYxy60oQrghX3Ud1jR/+LV5P9XxIy9XcCDe3yzRDAyfb4pSu0mVsdD9jEjFEUzVVKC8PnjLi1HThfFt9Ycg==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "nTrhui4XLVDhsbpuzIR4zWghB9K/huj0jVEiNwR7zwD09NQfp/zZurAcb/wkCCQVx7NtLitpWFbYbD1P6bBieg==": " == \u003cref\u003e", - "x1/tq4aWzEz3+GRAOpYHqExzSjhb10pxZYyAVAU46GIdukkaCvHV931s666azujtYYQ7pzzYaALKuqTMVuqg7A==": "[].contains()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "OCysW6/A17Y=": { - "query": "if( file(\"/boot/grub2/grub.cfg\" 
).exists) {\n file(\"/boot/grub2/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.cfg\").exists ) {\n file(\"/boot/grub/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.conf\").exists ) {\n file(\"/boot/grub/grub.conf\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file('/etc/secboot/config.json').exists ) {\n parse.json('/etc/secboot/config.json').params['kernel-params'].contains('audit\\=(\\s+)?1')\n}\n", - "checksum": "zjwJZJpf/uY=", - "datapoints": [ - "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==", - "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==", - "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==", - "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==" - ], - "code": { - "code_v2": { - "id": "OCysW6/A17Y=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1YjIvZ3J1Yi5jZmc=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1Yi9ncnViLmNmZw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "if", - "function": { 
- "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "ioCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1Yi9ncnViLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "kICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zZWNib290L2NvbmZpZy5qc29u" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "loCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAC" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1YjIvZ3J1Yi5jZmc=" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": 
"\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934598 - } - } - ], - "entrypoints": [ - 8589934599 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901890 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "YXVkaXQ9KHMrKT8x" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1Yi9ncnViLmNmZw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 21474836481 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 21474836482 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgKAB" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - } - ], - "binding": 
21474836483 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgKAB" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 21474836484 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 21474836485 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 21474836486 - } - } - ], - "entrypoints": [ - 21474836487 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 25769803777 - } - } - ], - "parameters": 1, - "entrypoints": [ - 25769803778 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "YXVkaXQ9KHMrKT8x" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2Jvb3QvZ3J1Yi9ncnViLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 34359738369 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 34359738370 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgIAC" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 34359738371 - } - }, - { - "call": 1, - "id": "where", - 
"function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgIAC" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAC" - } - ], - "binding": 34359738372 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 34359738373 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 34359738374 - } - } - ], - "entrypoints": [ - 34359738375 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705666 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "YXVkaXQ9KHMrKT8x" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgMAC" - } - ], - "binding": 42949672961 - } - } - ], - "parameters": 1, - "entrypoints": [ - 42949672963 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.json", - "function": { - "type": "\u001bparse.json", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zZWNib290L2NvbmZpZy5qc29u" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\n", - "binding": 47244640257 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\n", - "args": [ - { - "type": "\u0007", - "value": "a2VybmVsLXBhcmFtcw==" - } - ], - "binding": 47244640258 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\n", - "args": [ - { - "type": "\u0003", - "value": "hoCAgOAC" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAD" - }, - { - "type": "\u0003", - "value": "hoCAgOAC" - } - ], - "binding": 
47244640259 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 47244640260 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 47244640261 - } - } - ], - "entrypoints": [ - 47244640262 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\n" - } - }, - { - "primitive": { - "type": "\n" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "YXVkaXRcPShccyspPzE=" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hoCAgIAD" - } - ], - "binding": 51539607554 - } - } - ], - "parameters": 2, - "entrypoints": [ - 51539607556 - ] - } - ], - "checksums": { - "12884901889": "wGxmN9x5u/f1gBFmpsv4smDbMBD2x2/aftnJpu6fZFd4UtXtmF18TVxif1p/8aOvngn/c6IanS0r5T1mWutDfw==", - "12884901890": "R7MnmkwwgRUwVQurp72ONdEURjizFbyXig6DvLIjbTW1r4n4IgKi3Vy6N8S1LZzMCwxkGoHt5jQKnS4/nbv1lQ==", - "17179869185": "KxpMoZKDQk+uS1MNOIgQ7hZkdP2HJbrERSwgqFfnrt6Zan6v0BZeQftqhdUQWldAVZNh86uhVzOuCJtAE+JWvw==", - "17179869186": "WVyksbtMpwChiRnfabFFCxtKG8cIQxfK8AWTK3FoGc+MQyC9q4JPtCVNwjiDmf8+iK5xajOuIT6DCvqzfz9qTw==", - "17179869187": "cEW+24TpKKyf6WNBY9wockj6tvEP3nzg0/2UJ5JhQF26FjaSy2ioO0Zq8BVknAqV6QBsEIRvnDHYWevarFOK2A==", - "21474836481": "ks1d+9ijFJc5UneoXyq8m6zNCe3Nu3dG98sWcoVmVVoji57cnkYazz3OkP27yCEXpqiaen6azuKhlUjt5Kz11g==", - "21474836482": "9xY4hKqr/ehSDg+0S+u9huNlNJtlult3mfftYHoOGEuIx0JqE+RPFxRLpZ4rflEu62yQuoc7MfVgs5D0oIzYdg==", - "21474836483": "YEJQfHXJZP1wTerLryhXW3XzW9MRMU+ItKy3ikf9ssvUYGhM7MayLySb9ACwWMMaRJBw4eozROs7lvhIAAh0fg==", - "21474836484": "jAj8gf0/hQVDiXD6s4988mBUl3NhgbmAs+tpHkgDvKhajbwr6jV08YLlMR5yAzOX9rk5/YgzFaaDxDym6MVvHA==", - "21474836485": "Yi+Qw+MrDuV+VsZAGOYpOBaB72ZUpUTmc4aOTALhEictCFF+TGtiTIwoPp9kAusC2x1Sx9VgG5LzQuI/76kz8g==", - "21474836486": "ZRiKEyAUjJhltxhjHIYmjsz78Ef5CCimYQo0fKYYiI/pywvdxKKbieoXvs1WbMwCb+qENmeRdnZy1yAVnZ+aDA==", - 
"21474836487": "W3asQaGJok+n67pdbnigB2eIOipH3juW938fMlNtIOIkVXyO6vJqJeDIBiZtm1afz8g406fAUHaZU1wfffU42w==", - "25769803777": "YEJQfHXJZP1wTerLryhXW3XzW9MRMU+ItKy3ikf9ssvUYGhM7MayLySb9ACwWMMaRJBw4eozROs7lvhIAAh0fg==", - "25769803778": "sAs38UmjzQb6qJP4+lET7cC/tMNY+mbIvS/yRHGl8IBKOsS4kRDpTk6a6oGwxKCo5lxQEAIy4ohw4CGieO77wQ==", - "30064771073": "jAj8gf0/hQVDiXD6s4988mBUl3NhgbmAs+tpHkgDvKhajbwr6jV08YLlMR5yAzOX9rk5/YgzFaaDxDym6MVvHA==", - "30064771074": "WVyksbtMpwChiRnfabFFCxtKG8cIQxfK8AWTK3FoGc+MQyC9q4JPtCVNwjiDmf8+iK5xajOuIT6DCvqzfz9qTw==", - "30064771075": "Wx7YRxW8CS61BSPeFZE9hRjc7l92rplU7SbtWRAmrhkLwTGMhSFI4Uj+x7V7ax1hG4/L+ypZb/YuJdp0sjOZBA==", - "34359738369": "yBGzCN6Va3NHerYOBVGClMQm/dXN1uuXTcG+wpgQs/8LEoJrmV70f9khDhhnGGHY4VYosugeGByrzYEVPU/O2A==", - "34359738370": "yefgwCx3PT/2HauGeNMT6zKUkw1kucy9Ys9dXXcZSKVGr3rxQAt/eoH2uHPsFqn3eLpZj57GYREQB4ro7XlAlA==", - "34359738371": "Hlt2BgzoPbpqFJvEIL12K3g2CumdYSf6pnHvNrb6qt1mXbnVOEVs5O5oyCmMJOsnBDdjNmFwJbT374hpOu+KgQ==", - "34359738372": "r1yb2Cf/QiLNFBh0YxKi6xz+YKoBjWPzAfW3cQdK9f0RGCZqWfs8Znk/0dkooEX35ZVnbzoJajPhMak3qIXqcw==", - "34359738373": "16KtQ2YcToaDBa9QZ0DqJJ/7118RVHmUrz5JQ+NfuwtlRQ6JKmTuhvU585fCnOi4BGVUimc2PvGHY6UBNwg6fQ==", - "34359738374": "t8/7fy4Tjt2xtMzDjHXuRc2jXlRjC7NQfhSsCeVlJoHs5KEm0Io4IvsWmXO5dWPvgHxUQCe9k8tU1LsXWMUqXg==", - "34359738375": "LN3KnTVuGPGHopoi5WZJtZaeWO4AcPtCEr0+xpF+3ZCWgwPGf6xQX609wliJMjRoe9cIfGJ7Dh1FcsVWTxYFDg==", - "38654705665": "Hlt2BgzoPbpqFJvEIL12K3g2CumdYSf6pnHvNrb6qt1mXbnVOEVs5O5oyCmMJOsnBDdjNmFwJbT374hpOu+KgQ==", - "38654705666": "souJ0RWmDjVAA7dqvlK86/m4fowOC2DqxWQMB+zUTPHa6dXMF9ORztayLU6tWZQcxPGAWL7OgCQBjEsR7+GU6g==", - "42949672961": "r1yb2Cf/QiLNFBh0YxKi6xz+YKoBjWPzAfW3cQdK9f0RGCZqWfs8Znk/0dkooEX35ZVnbzoJajPhMak3qIXqcw==", - "42949672962": "WVyksbtMpwChiRnfabFFCxtKG8cIQxfK8AWTK3FoGc+MQyC9q4JPtCVNwjiDmf8+iK5xajOuIT6DCvqzfz9qTw==", - "42949672963": "4QHNmy+eLJ3XdWlc9QyKEYV1zEDWvcPAFp6FikqLAIYj4LfVx2j6VFQrbWZ3QZUydXllvT5LqT1+1RTh/ygH+A==", - "4294967297": 
"t0JAJKkrHvcLpiTwz90qgAul22UQbS6J7vMxrHeSp9y8RZqcyMsopNStxtrPtQ5j7Ufp+eKJ/2FKn9wBWmzLpw==", - "4294967298": "sixOz+P8BI3sqtN+sOwXnVE53h6tYOYtZtzdBKgTQ/VP90MqqN1ACJulxF1m56/TbFBSHi4xvgNfjUOFf2YuOA==", - "4294967299": "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==", - "4294967300": "ks1d+9ijFJc5UneoXyq8m6zNCe3Nu3dG98sWcoVmVVoji57cnkYazz3OkP27yCEXpqiaen6azuKhlUjt5Kz11g==", - "4294967301": "7I1ZUw4ouVVieiyskHJskue8Jab5ZMDYtklhqWvpB9vxcNs4lOJ64PKWWZBuNI1ZVtLj5aUxPxQJldN1Qyf0pA==", - "4294967302": "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==", - "4294967303": "yBGzCN6Va3NHerYOBVGClMQm/dXN1uuXTcG+wpgQs/8LEoJrmV70f9khDhhnGGHY4VYosugeGByrzYEVPU/O2A==", - "4294967304": "YCv4DbNzTE/r7Rsq6DH+UGGaDRDR3x529eYyPWUtmy3SKWi0eRXJylT1pDn+haolf6lxaOKEiFHMNPBIEYxZ3g==", - "4294967305": "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==", - "4294967306": "ep122vZLzxoTtG18e8oddq8cSs7/PWqD19icyEsezbdGHt5vq1ST7uWmXNrZWVTs6kiNDtHHcIjDlzCkAufOUw==", - "4294967307": "8+YTVaB/1Zkm6v6Sl+35XVsA17QBUeWjOt2EU6UAYggAV/08PP/pd72KXrTtgntOMDKpR+1lI3RdV2xxxFcdVQ==", - "4294967308": "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==", - "47244640257": "KAZ/XGY5hApqv1TcPMN3iz1RNZO22LNmcmkB8H+CKA3nnLdMSRYroV/nHCkFuYb+gocfqhgqDWr/+zKvpiRvyQ==", - "47244640258": "FaRrqLJcIocUgr3ybEVfyoQ50UakKrPV2koy7x9jpySmzOnTExAK4ZgzMcSPHdZNiT2voAcxdpMWx3CY7uewVw==", - "47244640259": "IaeadzUiIG9ZZcxQs1Ah4KjGd4nU8l2IqHwA40EQBrsT4wXnFSb8HtdaMkFgJnWaPJkqm3EZ7h9H6Nlb0aXxGw==", - "47244640260": "kzPBHcPsV0+KnelBuRJN4DeBMZPmfP2zdcVm2/4B9mIZXWwwhY5aBPMXSwOtaHUYHWpRvcBUVO/9EF4EzQGaYA==", - "47244640261": "PasTg8cL+Aj02EwMX+abVb+HQPNvhnP+tJRTcPL5HBOXDud5LCFtiVRfrKRexeC+v+H/h4rfwVi/cQiavt4pLQ==", - "47244640262": "GhSUKav4CLStI+PERKAN/4CRF+KRb7PJbdL3IR1+LghczTX7Rc2So9vfte/G3tqZmR4mVIgoKWVYs3AAluIoYg==", - "51539607553": 
"IaeadzUiIG9ZZcxQs1Ah4KjGd4nU8l2IqHwA40EQBrsT4wXnFSb8HtdaMkFgJnWaPJkqm3EZ7h9H6Nlb0aXxGw==", - "51539607554": "IaeadzUiIG9ZZcxQs1Ah4KjGd4nU8l2IqHwA40EQBrsT4wXnFSb8HtdaMkFgJnWaPJkqm3EZ7h9H6Nlb0aXxGw==", - "51539607555": "54Rvi07pxLO2OsGCZPVDx/foZT/oN9uN8BdoM82jU6kyLl+tXAS1T81x+5xCk5TtJq0htnJ4chIcQfDDkgoQYA==", - "51539607556": "HuVjt39sB4PXCjVF6xDtrlseJQUR+FY442P22QSoQWkpDZx5kWWqxjp0Mt4x1MO33ufTifoJk0N4QhLBhmHuOQ==", - "8589934593": "t0JAJKkrHvcLpiTwz90qgAul22UQbS6J7vMxrHeSp9y8RZqcyMsopNStxtrPtQ5j7Ufp+eKJ/2FKn9wBWmzLpw==", - "8589934594": "GEUP1lkc/s9I33Brq3GhPrsBvA5zuaKwREc1cyVdeR+Xd3q3xQtlGsUFqd7Irfln7/eNFZILb082KPG99j430A==", - "8589934595": "wGxmN9x5u/f1gBFmpsv4smDbMBD2x2/aftnJpu6fZFd4UtXtmF18TVxif1p/8aOvngn/c6IanS0r5T1mWutDfw==", - "8589934596": "KxpMoZKDQk+uS1MNOIgQ7hZkdP2HJbrERSwgqFfnrt6Zan6v0BZeQftqhdUQWldAVZNh86uhVzOuCJtAE+JWvw==", - "8589934597": "LvzVRsYJlAQIiL6gCnX98bgz0LDHuwjr97NfcAwbTEvC8adlzLuxxLMFGuSoeX9FC+eYwAGRK5x1KqH1mrpDzQ==", - "8589934598": "NIdpvoiQBk0FAn4rC4xBWyKLinVzSQ/d71diKTnd6+hdx1UnGoPDily2txz8h56adKz9BYCPXoRg9PUVDCgtfA==", - "8589934599": "iKTSLj7OBnrQq5/cLUxgzXzVfvK/BAVvr1yevKKvft2mPf4qGJ8evO7avRYSvzUCCM1mE5u0U1Sk39153loAtQ==" - } - }, - "source": "if( file(\"/boot/grub2/grub.cfg\" ).exists) {\n file(\"/boot/grub2/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.cfg\").exists ) {\n file(\"/boot/grub/grub.cfg\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file(\"/boot/grub/grub.conf\").exists ) {\n file(\"/boot/grub/grub.conf\").content.lines.where( _ == /^[^#]/ ).contains(\"audit\\=(\\s+)?1\")\n}\nif( file('/etc/secboot/config.json').exists ) {\n parse.json('/etc/secboot/config.json').params['kernel-params'].contains('audit\\=(\\s+)?1')\n}\n", - "labels": { - "labels": { - "4QHNmy+eLJ3XdWlc9QyKEYV1zEDWvcPAFp6FikqLAIYj4LfVx2j6VFQrbWZ3QZUydXllvT5LqT1+1RTh/ygH+A==": " == \u003cref\u003e", - 
"9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==": "if", - "GhSUKav4CLStI+PERKAN/4CRF+KRb7PJbdL3IR1+LghczTX7Rc2So9vfte/G3tqZmR4mVIgoKWVYs3AAluIoYg==": "[].contains()", - "HuVjt39sB4PXCjVF6xDtrlseJQUR+FY442P22QSoQWkpDZx5kWWqxjp0Mt4x1MO33ufTifoJk0N4QhLBhmHuOQ==": " == \u003cref\u003e", - "LN3KnTVuGPGHopoi5WZJtZaeWO4AcPtCEr0+xpF+3ZCWgwPGf6xQX609wliJMjRoe9cIfGJ7Dh1FcsVWTxYFDg==": "[].contains()", - "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==": "if", - "R7MnmkwwgRUwVQurp72ONdEURjizFbyXig6DvLIjbTW1r4n4IgKi3Vy6N8S1LZzMCwxkGoHt5jQKnS4/nbv1lQ==": " == /^[^#]/", - "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==": "if", - "W3asQaGJok+n67pdbnigB2eIOipH3juW938fMlNtIOIkVXyO6vJqJeDIBiZtm1afz8g406fAUHaZU1wfffU42w==": "[].contains()", - "Wx7YRxW8CS61BSPeFZE9hRjc7l92rplU7SbtWRAmrhkLwTGMhSFI4Uj+x7V7ax1hG4/L+ypZb/YuJdp0sjOZBA==": " == \u003cref\u003e", - "cEW+24TpKKyf6WNBY9wockj6tvEP3nzg0/2UJ5JhQF26FjaSy2ioO0Zq8BVknAqV6QBsEIRvnDHYWevarFOK2A==": " == \u003cref\u003e", - "iKTSLj7OBnrQq5/cLUxgzXzVfvK/BAVvr1yevKKvft2mPf4qGJ8evO7avRYSvzUCCM1mE5u0U1Sk39153loAtQ==": "[].contains()", - "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==": "if", - "sAs38UmjzQb6qJP4+lET7cC/tMNY+mbIvS/yRHGl8IBKOsS4kRDpTk6a6oGwxKCo5lxQEAIy4ohw4CGieO77wQ==": " == /^[^#]/", - "souJ0RWmDjVAA7dqvlK86/m4fowOC2DqxWQMB+zUTPHa6dXMF9ORztayLU6tWZQcxPGAWL7OgCQBjEsR7+GU6g==": " == /^[^#]/" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "OFWIXTzBv00=": { - "query": "file(\"/etc/passwd\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "checksum": "uQJM/ILtP7U=", - "datapoints": [ - "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==" - 
], - "code": { - "code_v2": { - "id": "OFWIXTzBv00=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9wYXNzd2Q=" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": 
"\u0004", - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934604 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934607 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934596, - 8589934599, - 8589934602, - 8589934605, - 8589934608 - ] - } - ], - "checksums": { - "4294967297": "hq+8nsUopPSslTPhFkeaeHt7+iJ10UZfLgRGGqdk+679fZInWSr6Q1bqqAGolAfLW/FtZTd+/aRsWXztkoWmUQ==", - "4294967298": "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==", - "8589934593": "hq+8nsUopPSslTPhFkeaeHt7+iJ10UZfLgRGGqdk+679fZInWSr6Q1bqqAGolAfLW/FtZTd+/aRsWXztkoWmUQ==", - "8589934594": "WIARMVbtYMZ5/c9wb94Mpf5np7WqFBrhsIscnWYSYp9p2ShGbdOy8euKQZ9IfOrMvPX1Pitzlh5r5y751h7eLQ==", - "8589934595": "9+k2WMrjUGFKc4TT/BqUCTlPxo0nlnfRX3SNKxHDpY+Sqs85Ipfher9fceWMNXNIcut4pyRyqKtplA+AMPJh4g==", - "8589934596": "Cf2l7PDCC2h4yANCi73Lfy11aKE3EhXk69X/5E5ZqfCWgej1s8VN4FAAK7e55EZi8veCvNOIMSUcT7DOMsp0Dg==", - "8589934597": "WIARMVbtYMZ5/c9wb94Mpf5np7WqFBrhsIscnWYSYp9p2ShGbdOy8euKQZ9IfOrMvPX1Pitzlh5r5y751h7eLQ==", - "8589934598": "vQXtIxqdVDvdDbBU7IRWaKOsxsRWrwwSiJLxCTqsVquFJM+8wg03xZ40qrl/vhSRdXtvgBiPoCZ50cF17zG3Yg==", - "8589934599": "X7psqDI09AB+V2NjUgsb9EfD6mkz7QxYph6eCCG9Ccf6QcWdm3Kgn9d8pwi5cZFpRM7BjmoGISDutHNpXnz7wQ==", - "8589934600": "WIARMVbtYMZ5/c9wb94Mpf5np7WqFBrhsIscnWYSYp9p2ShGbdOy8euKQZ9IfOrMvPX1Pitzlh5r5y751h7eLQ==", - "8589934601": "UCVqFEw9trC5EMnTDMvNexUJh0zNrwonPE3dEmGXRa5pa/M74eTsT6leC1JQ5WRjhr9XhkchRNAq8o+T1jPRKA==", - "8589934602": 
"vkTIPy/xlXHkOXH+XuQujtNwKsPEx+wLDiTq8bfvYjpNAYqachWVVWOiAPkmw/3zZA3CyDbY8az0wL291URTDA==", - "8589934603": "WIARMVbtYMZ5/c9wb94Mpf5np7WqFBrhsIscnWYSYp9p2ShGbdOy8euKQZ9IfOrMvPX1Pitzlh5r5y751h7eLQ==", - "8589934604": "H2XtGja1ecK5KMQSPh/hk4fzt0a8dZWX28ZYjOSSUpMcd93pkCPVjuDmSCSXNCPWqj9m6C6WAJuxRiiJsxFW9w==", - "8589934605": "osNGhRH+o4glAV1iiPZSi+JDPrQfbzWrzkjU0CUaP0nCQE/DLK/1Ndc11iw2OOeOrBP/npXLSypVS4KKcHEgLA==", - "8589934606": "WIARMVbtYMZ5/c9wb94Mpf5np7WqFBrhsIscnWYSYp9p2ShGbdOy8euKQZ9IfOrMvPX1Pitzlh5r5y751h7eLQ==", - "8589934607": "uep5srE90hzklyJ1J2MrT0tCrcJLG8f8ZuHXXopNx+s2eNlVm3eLyMbi5A3mnatMeGyfb9R0ssqB7aS51/RTwg==", - "8589934608": "vvwHpgwmhqZdnvo/P/PE8hClY21iJZJsnplXbz+WkLfruLlzjzZSpVrSxBvTDcEloRTzniNLhraMi4xo+tZNkQ==" - } - }, - "source": "file(\"/etc/passwd\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "labels": { - "labels": { - "Cf2l7PDCC2h4yANCi73Lfy11aKE3EhXk69X/5E5ZqfCWgej1s8VN4FAAK7e55EZi8veCvNOIMSUcT7DOMsp0Dg==": "permissions.user_executable == false", - "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==": "file", - "X7psqDI09AB+V2NjUgsb9EfD6mkz7QxYph6eCCG9Ccf6QcWdm3Kgn9d8pwi5cZFpRM7BjmoGISDutHNpXnz7wQ==": "permissions.group_writeable == false", - "osNGhRH+o4glAV1iiPZSi+JDPrQfbzWrzkjU0CUaP0nCQE/DLK/1Ndc11iw2OOeOrBP/npXLSypVS4KKcHEgLA==": "permissions.other_writeable == false", - "vkTIPy/xlXHkOXH+XuQujtNwKsPEx+wLDiTq8bfvYjpNAYqachWVVWOiAPkmw/3zZA3CyDbY8az0wL291URTDA==": "permissions.group_executable == false", - "vvwHpgwmhqZdnvo/P/PE8hClY21iJZJsnplXbz+WkLfruLlzjzZSpVrSxBvTDcEloRTzniNLhraMi4xo+tZNkQ==": "permissions.other_executable == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Ps0zOyqhecE=": { - "query": "users.list.duplicates(uid).none()\n", - "checksum": "FzjtcetUN5Y=", - "datapoints": [ - 
"P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==", - "CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==" - ], - "code": { - "code_v2": { - "id": "Ps0zOyqhecE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "fieldDuplicates", - "function": { - "type": "\u0019\u001buser", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "$none", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "uid", - "function": { - "type": "\u0005", - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - } - ], - "checksums": { - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==", - "4294967300": "CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==", - "8589934593": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "8589934594": "kijfKPV0fU/MBdcby4ng65mWcsH/kOn5PcVmYvbDBfUlSSSqGKiyhy1Qte+BO/GqMfL62iaaIRP8LgfRZ0/3pg==" - } - }, - "source": "users.list.duplicates(uid).none()\n", - "labels": { - "labels": { - "CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==": "[].none()", - 
"P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==": "users.list.fieldDuplicates", - "kijfKPV0fU/MBdcby4ng65mWcsH/kOn5PcVmYvbDBfUlSSSqGKiyhy1Qte+BO/GqMfL62iaaIRP8LgfRZ0/3pg==": "uid" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "QTN+NYX439o=": { - "query": "service(\"slapd\").enabled == false\nservice(\"slapd\").running == false\n", - "checksum": "cMA84MCFFpU=", - "datapoints": [ - "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==", - "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==", - "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==", - "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==" - ], - "code": { - "code_v2": { - "id": "QTN+NYX439o=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c2xhcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c2xhcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - 
"checksums": { - "4294967297": "hnznk2W0bmhwywCZgdqPLVdR4heMSSjt07cMwmI7ubCqX6H4t5bOkAWb5FJHx0YbbxSgcKgiJdjEWaRcmY4l4w==", - "4294967298": "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==", - "4294967299": "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==", - "4294967300": "hnznk2W0bmhwywCZgdqPLVdR4heMSSjt07cMwmI7ubCqX6H4t5bOkAWb5FJHx0YbbxSgcKgiJdjEWaRcmY4l4w==", - "4294967301": "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==", - "4294967302": "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==" - } - }, - "source": "service(\"slapd\").enabled == false\nservice(\"slapd\").running == false\n", - "labels": { - "labels": { - "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==": "service.running == false", - "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==": "service.enabled == false", - "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==": "service.enabled", - "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "RLX6/DpoDuE=": { - "query": "users.where( name != \"root\" \u0026\u0026 name != \"sync\" \u0026\u0026 name != \"shutdown\" \u0026\u0026 name != \"halt\" ).where( uid \u003c 1000 ).list {\n name\n shell == \"/usr/bin/nologin\" || shell == \"/sbin/nologin\" || shell == \"/usr/sbin/nologin\"\n}\n", - "checksum": "1e/QhiXBXww=", - "datapoints": [ - "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==" - ], - "code": { - "code_v2": { - "id": "RLX6/DpoDuE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 
4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001busers", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001busers", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 4294967302 - } - } - ], - "entrypoints": [ - 4294967303 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cm9vdA==" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "c3luYw==" - } - ], - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "ioCAgEA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "c2h1dGRvd24=" - } - ], - "binding": 
8589934599 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "kICAgEA=" - } - ], - "binding": 8589934598 - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "aGFsdA==" - } - ], - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "loCAgEA=" - } - ], - "binding": 8589934601 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934604 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "uid", - "function": { - "type": "\u0005", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "\u003c\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "0A8=" - } - ], - "binding": 12884901890 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 17179869185 - } - }, - { - "call": 1, - "id": "shell", - "function": { - "type": "\u0007", - "binding": 17179869185 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "L3Vzci9iaW4vbm9sb2dpbg==" - } - ], - "binding": 17179869187 - } - }, - { - "call": 1, - "id": "shell", - "function": { - "type": "\u0007", - "binding": 17179869185 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "L3NiaW4vbm9sb2dpbg==" - } - ], - "binding": 17179869189 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": 
"\u0003", - "value": "jICAgIAB" - } - ], - "binding": 17179869188 - } - }, - { - "call": 1, - "id": "shell", - "function": { - "type": "\u0007", - "binding": 17179869185 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "L3Vzci9zYmluL25vbG9naW4=" - } - ], - "binding": 17179869192 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "koCAgIAB" - } - ], - "binding": 17179869191 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869186, - 17179869194 - ] - } - ], - "checksums": { - "12884901889": "l6DKLClRlu0No1I8jW1mfLntRBlW7Uz0UTtZXATwc9b5GxZamdUOEKjoVUEQ7CEW4N+/490Z8Mv5VGgNJCB2Vg==", - "12884901890": "O3/6TccZ1tGzOqKjR9Rib7MR/QrItPtajw4mZ0nwNO/XYNaDpPpp2Qf+qNB/BNn86KSeBB0KdtJNCrCk2rW4Cw==", - "12884901891": "xPk5uHkoOcpEltnu7oZMqFsousKcUq/YvTV+o9887t01y+FXF6tUbYJPoyeJlUF0eSqhuhfXlDlJkNHCW7DOOg==", - "17179869185": "2xk6ZUiXx3ZFJSwXdKkA8GL2PQwRw/Jv7aFVK3rBC4tlIqA+8BikEe5PK7a0G6smap/CsWqHZsRxrQ1NlqB8nQ==", - "17179869186": "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==", - "17179869187": "EwMj4aGq5ekGGmU5VKoJUX8JMFxgRmHiKW1JKZxSgk5K4J8I0lw4ZcqiufDRoJBF6or27BqCODweoJwqmyTdQw==", - "17179869188": "QcAxvLYFnSLafB2FtwOFGGKcIermNyAY/tbsnwoJCLzhctzd9j3rvRMt1KALowunAmeL5awInxZuzWc8SHpR3A==", - "17179869189": "EwMj4aGq5ekGGmU5VKoJUX8JMFxgRmHiKW1JKZxSgk5K4J8I0lw4ZcqiufDRoJBF6or27BqCODweoJwqmyTdQw==", - "17179869190": "VNUiL8e09Iu0BjWvc1x43bhLryvjGlZ5tv7H0j9099AEKWxxdt7l45wkTVKjgDDfncmdNcXOYqWD+4yohtHjGQ==", - "17179869191": "OTITuX2RcXyInC3/0vXULuQY0h7jd2QOBKOK+saQ2yk3mpFaI7SEitPMdODFoRtASynUQUUtgsDo1PuqPfMoGA==", - "17179869192": "EwMj4aGq5ekGGmU5VKoJUX8JMFxgRmHiKW1JKZxSgk5K4J8I0lw4ZcqiufDRoJBF6or27BqCODweoJwqmyTdQw==", - "17179869193": "J5BnEmsKONF9PCnlHBIYGHbBRZWj8kSXFNLstCUgaCemdZZiCCZvmtq9InGBxNGBd/rEITNA4JTCOxoH9ZvvPw==", - "17179869194": 
"NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==", - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "l6DKLClRlu0No1I8jW1mfLntRBlW7Uz0UTtZXATwc9b5GxZamdUOEKjoVUEQ7CEW4N+/490Z8Mv5VGgNJCB2Vg==", - "4294967300": "gdi2D5AhNvZHuVEMe04ffReSBynCqp34kBuW7mpXomAuFU+10KMnyVaqDDbOq6X5lFuay5AJHURXJ8xwt9X0yw==", - "4294967301": "aHIUr+h2LDmBv2LCoi5lV5WBeO2jDQ76hD/dOkBR7TPb4PgU4vhgDdZD9bGnhaAWW4unymW7uHLv4BadGP/EtQ==", - "4294967302": "2xk6ZUiXx3ZFJSwXdKkA8GL2PQwRw/Jv7aFVK3rBC4tlIqA+8BikEe5PK7a0G6smap/CsWqHZsRxrQ1NlqB8nQ==", - "4294967303": "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==", - "8589934593": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "8589934594": "aLOs60Bp+9XAh+qeKj3wkHCOG2MJ1sctbsELR4mqoTDIaWwIL8mpSwMxgZw73uVkh6FiV12I/8sT9UJdyIvNXA==", - "8589934595": "vvgloGIoYrYP+6zMENGl8naDUGgxiHuxNKTWFvP4CAtNC98XRYHVZwBFkf0Kulm1oV45RlVHm1oTT2GOhpzYFw==", - "8589934596": "aLOs60Bp+9XAh+qeKj3wkHCOG2MJ1sctbsELR4mqoTDIaWwIL8mpSwMxgZw73uVkh6FiV12I/8sT9UJdyIvNXA==", - "8589934597": "1p9rDDV3zOYyZI6QJDFV6FYW4+4MjUNMFNLsJ4AvMRalxzu1X5vDIiSDQRq5h4rWXcd1Wv71vuXH+PX+f/dIoQ==", - "8589934598": "kJishvWuL81vg2Dr3JP/8MhtSatYkzWR1xQl5aLRkoqRXNAykhxozn7v9aBQM0Zn8RV1p7lwUBWuuLPQiwknhw==", - "8589934599": "aLOs60Bp+9XAh+qeKj3wkHCOG2MJ1sctbsELR4mqoTDIaWwIL8mpSwMxgZw73uVkh6FiV12I/8sT9UJdyIvNXA==", - "8589934600": "0E71c1Vpc+L4pwkEI5A2QnyzznhWKRhQpDmSTU+0/N/qdbdNGAKt5eA0tqkyyS6VT29amrFQ5woIAD+5sS3nKw==", - "8589934601": "FiEs7J0mA3+L05o/5O+q3YL+i9mU2Mv2zxJrf871nvbl0N1alY+qXH6X4qQvG/R0tmcvjWjnai6IO1M9v9LdZQ==", - "8589934602": "aLOs60Bp+9XAh+qeKj3wkHCOG2MJ1sctbsELR4mqoTDIaWwIL8mpSwMxgZw73uVkh6FiV12I/8sT9UJdyIvNXA==", - "8589934603": 
"vo08tMyPTonkye/RH09X7fDhU6fl10/qbcXiaCZDBiO+iYyoAEgf1aMTR+mnlljxSZwjHp/rdkh3Ec7yD2krjw==", - "8589934604": "cLhn8+EXSdnuD2VvsLp1pG8vsX6IH8t38ys/31B6QTo8Dd1YA9Vi+EdEvvTbPvnpSodAKqlh324drWm7cNXvpw==" - } - }, - "source": "users.where( name != \"root\" \u0026\u0026 name != \"sync\" \u0026\u0026 name != \"shutdown\" \u0026\u0026 name != \"halt\" ).where( uid \u003c 1000 ).list {\n name\n shell == \"/usr/bin/nologin\" || shell == \"/sbin/nologin\" || shell == \"/usr/sbin/nologin\"\n}\n", - "labels": { - "labels": { - "NKtNJ3PbnjvS0gAhMoKfBMpStZTKqX+glzIHobGtAiaEgoE/FOyN2VLntgHZZuR4XhgW6WxKCefWqLzwbnL3oQ==": "shell == \"/usr/bin/nologin\" || \u003cref\u003e || \u003cref\u003e", - "OT+WWC6gANffZCO/qOLUVOaKdOz7OjXzFQ2dntskpKqq+Lv/cyS/n3XuiIiZrk4yvBBbwc7WTgNaN10Vd7gN2Q==": "name", - "cLhn8+EXSdnuD2VvsLp1pG8vsX6IH8t38ys/31B6QTo8Dd1YA9Vi+EdEvvTbPvnpSodAKqlh324drWm7cNXvpw==": "name != \"root\" \u0026\u0026 \u003cref\u003e \u0026\u0026 \u003cref\u003e \u0026\u0026 \u003cref\u003e", - "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==": "users.where.where.list", - "xPk5uHkoOcpEltnu7oZMqFsousKcUq/YvTV+o9887t01y+FXF6tUbYJPoyeJlUF0eSqhuhfXlDlJkNHCW7DOOg==": "uid \u003c 1000" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "SCin1z5hBLk=": { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file\"] != \"\"\n}\n", - "checksum": "A+vB+H996x8=", - "datapoints": [ - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==" - ], - "code": { - "code_v2": { - "id": "SCin1z5hBLk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bWF4X2xvZ19maWxl" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "!=\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007" - } - ], - "binding": 8589934595 - } - } - ], - "entrypoints": [ - 8589934596 - ] - } - ], - "checksums": { - "4294967297": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967298": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967299": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967300": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967301": 
"+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==", - "8589934593": "+I3CQJa1E3mvGrqDdKoMyuQ04sdJZQ2EXu9qdqKWnO+bq0yoONJrwE8fGjqA5z/JAB93Is+SQHzph6QgSQ9mIg==", - "8589934594": "1gNeZz6IhN77JStqn/C+u0sVtnzV9RGjFVcniG86xFA96JH/ZXnwd189KZfaQmjdms8QiYB7Y9C+MXnYLvd4Lg==", - "8589934595": "NOb+mNVa/GI/Hj6bwn3/DbDr3a+0apoyq2BuTw3MI3CFu/aOM3fI3lor5ILpLUuhNnntYjLLp+X+prwwHEv+sw==", - "8589934596": "UhM9mHKKJo1Ey2IayLuVteJiJKXNUTmQxcDH+lt+rI27mGkEWzSCCE5qtRn4sGExJgJNSkNW0iZMxxAut+eK2Q==" - } - }, - "source": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file\"] != \"\"\n}\n", - "labels": { - "labels": { - "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==": "if", - "UhM9mHKKJo1Ey2IayLuVteJiJKXNUTmQxcDH+lt+rI27mGkEWzSCCE5qtRn4sGExJgJNSkNW0iZMxxAut+eK2Q==": "parse.ini.params[max_log_file] != null", - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": "file.exists" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "THw+yxDZOpw=": { - "query": "kernel.parameters['net.ipv4.conf.all.rp_filter'] == 1\nkernel.parameters['net.ipv4.conf.default.rp_filter'] == 1\n", - "checksum": "VU0dS4+C3iE=", - "datapoints": [ - "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==", - "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==", - "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==", - "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==" - ], - "code": { - "code_v2": { - "id": "THw+yxDZOpw=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - 
"id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwucnBfZmlsdGVy" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5kZWZhdWx0LnJwX2ZpbHRlcg==" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==", - "4294967300": "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==", - "4294967304": "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==" - } - }, - "source": "kernel.parameters['net.ipv4.conf.all.rp_filter'] == 1\nkernel.parameters['net.ipv4.conf.default.rp_filter'] 
== 1\n", - "labels": { - "labels": { - "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==": "kernel.parameters[net.ipv4.conf.all.rp_filter] == 1", - "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==": "kernel.parameters[net.ipv4.conf.default.rp_filter]", - "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==": "kernel.parameters[net.ipv4.conf.default.rp_filter] == 1", - "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==": "kernel.parameters[net.ipv4.conf.all.rp_filter]" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Ty2iKIfHjno=": { - "query": "kernel.parameters['net.ipv4.ip_forward'] == 0\nkernel.parameters['net.ipv6.conf.all.forwarding'] == 0\n", - "checksum": "a6noEJKSatk=", - "datapoints": [ - "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==", - "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==", - "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==", - "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==" - ], - "code": { - "code_v2": { - "id": "Ty2iKIfHjno=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuaXBfZm9yd2FyZA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - 
"binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5hbGwuZm9yd2FyZGluZw==" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==", - "4294967300": "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==", - "4294967304": "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==" - } - }, - "source": "kernel.parameters['net.ipv4.ip_forward'] == 0\nkernel.parameters['net.ipv6.conf.all.forwarding'] == 0\n", - "labels": { - "labels": { - "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==": "kernel.parameters[net.ipv6.conf.all.forwarding] == 0", - "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==": "kernel.parameters[net.ipv4.ip_forward]", - "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==": "kernel.parameters[net.ipv6.conf.all.forwarding]", - 
"bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==": "kernel.parameters[net.ipv4.ip_forward] == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "VrgV5/9So/8=": { - "query": "users.list.duplicates(name).none()\n", - "checksum": "HAEm691M02s=", - "datapoints": [ - "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==", - "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==" - ], - "code": { - "code_v2": { - "id": "VrgV5/9So/8=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "fieldDuplicates", - "function": { - "type": "\u0019\u001buser", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "$none", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - } - ], - "checksums": { - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==", - "4294967300": "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==", - "8589934593": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - 
"8589934594": "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==" - } - }, - "source": "users.list.duplicates(name).none()\n", - "labels": { - "labels": { - "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==": "users.list.fieldDuplicates", - "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==": "[].none()", - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": "name" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "WkL8wViksRw=": { - "query": "package(\"rsyslog\").installed\n", - "checksum": "RPe767UANDI=", - "datapoints": [ - "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==" - ], - "code": { - "code_v2": { - "id": "WkL8wViksRw=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnN5c2xvZw==" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "lGxSFE+E+76qaGgEP4HliHl5Yrd9w1yh+nb/4O1q3GjFccuj1i+AwmLbmORiasCOabfJx3oHC6TlJwO3GL2VDA==", - "4294967298": "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==" - } - }, - "source": "package(\"rsyslog\").installed\n", - "labels": { - "labels": { - "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==": "package.installed" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "XbnrBNXgCwA=": { - "query": "users.list { name group != null }\n", - "checksum": "eLlcjObyYe4=", - "datapoints": [ - "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==" - ], - "code": { - 
"code_v2": { - "id": "XbnrBNXgCwA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group", - "function": { - "type": "\u001bgroup", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0002", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0002" - } - ], - "binding": 8589934595 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594, - 8589934596 - ] - } - ], - "checksums": { - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==", - "8589934593": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "8589934594": "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==", - "8589934595": "NYIenh+Gmd0LZMT9t6lLmb/zQbSakyO+GgoKt97a6MnqQdxxUVejZD6CHlcfqsYuKVbUM683V0x7MhTFltVbHQ==", - "8589934596": "SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==" - } - }, - "source": "users.list { name group != null }\n", - "labels": { - "labels": { - "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==": "users.list", - 
"SPxDUzq7hTlX9jrJ8or3BNWOxKS2p75pILkrO27TAN0KXd8c1dJQwtDDFREtZheN4IIaN5L9I75Y1COlvOM8RQ==": "group != null", - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": "name" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "Xs984txmLXk=": { - "query": "if (file(\"/etc/shadow-\").exists) {\n file(\"/etc/shadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "Z99NDqngipI=", - "datapoints": [ - "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==" - ], - "code": { - "code_v2": { - "id": "Xs984txmLXk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zaGFkb3ct" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zaGFkb3ct" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", 
- "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 
12884901903 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907 - ] - } - ], - "checksums": { - "12884901889": "NV1q5yWPXGLidLG6c/S0X6jNNvfPciD97Z/dBwc3KwYXJL18Hkeh2Rw8hHOg/4/nDPXb272uyPKeAC/jbt8rJg==", - "12884901890": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901891": "npnBXr3vh/op7nHyF9ijTDerNdwF2ToHLXKLO/rnokcNCU8hhRBDEYdjWuIxZHCfoI29BGTupDNSP1ENjXtEaQ==", - "12884901892": "47Q+jq9hct6ndHS9YMHNeIZqHlSAzS1M2hkKbcwqfRxEO8oeec8OE2a78oc2mAEl+5n6o59/+1uh93iqk7Qr+A==", - "12884901893": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901894": "saOFVO4htAVvItkz7Cnxr66im8VId3fLTb1gsL5kWcClVkkPDx5yW9VJMp5+aVj3uHCoZ9/+Oaq+ng0q0Npg9g==", - "12884901895": "RumXTcMvN9dHtJVMf4m7JoxrM9gvdqn5vv29bm4X+P5MIiox6oWzC3T+rJM3fqWV+g0Sn4KJaSa/9R5wlMJqBw==", - "12884901896": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901897": "5GGFVPFNlUbLWmc+pSsxJCr8Mp7HrLpA29hNcLkMNyIs5pGC2oqxIjZKp74Rdn+OOAQkmIWleMTNPageicUG1w==", - "12884901898": "2gTIdScsz/z/cI8rVNqrquYzF736LBDvofiD6oegZcqudNlSp3dXKpOQ0EGoI9GphjcvIfETqiR6pse30oM2ng==", - "12884901899": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901900": "G58pftY6Zl/SD9lBbWr0/K8xjZDrQD7kEaUD4m1LtrAgpMZjeJ1vGYPlhVz/tSgbszqExXtOIpxWWd00+EvjKw==", - "12884901901": 
"2PISPaY9Uv/h/6bWIzaOCPZuNXOWm8h4ABDmViLOG63YzZY4u2XtbVVm2B0RRTtx00beK5hPg/g+gxPfCekYsg==", - "12884901902": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901903": "W2b4P6NB1PbyxiP0bQjAlA+h78C3cn3hDV+24sWyY5wBM8rPt3rNbK6VbJXXQQrf62ARstftXH7iSRmmMtOA/w==", - "12884901904": "/Kc60GU9syUEKHHmwJhFtiMLTYVF8h5zuvQ4JJ6FRc+ewxjALxDWp5INzonjnhbjoJgE4pcRYk2rw3/Kv0Fowg==", - "12884901905": "QQ1587asm8MZ0xu0fcT5AK3hSixnpXhnaCKzdlF8fYLys7ReB7bYka4SmZD9XsJ7F8L2tFR/nSSn22EOFMdpFg==", - "12884901906": "xV6qIR5Nav8qHRPmEr9s9PwbpE/8tnx+vQ3Ugaz4flT6rTbDg3Mifv9OxuTtVF4Xr9Sj2WXDCQiGRG6rBg0ZJw==", - "12884901907": "m5y0p0bVYz7XxVWgXUaxPqZxy9PAtjuwoSNsr3YjZaPyXs+d9PKjEvXsBKikGOB5KBQc+7GIbWkUdWUs0BNLgw==", - "4294967297": "NV1q5yWPXGLidLG6c/S0X6jNNvfPciD97Z/dBwc3KwYXJL18Hkeh2Rw8hHOg/4/nDPXb272uyPKeAC/jbt8rJg==", - "4294967298": "XPurpygmyn96M3gUExpn/qHHMtB7n+4Q8F06uC3mhsz99IgZINBvqVUEPKyuzkL3FwkV4A7JapRW8DWKkaS8hg==", - "4294967299": "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==", - "8589934593": "NV1q5yWPXGLidLG6c/S0X6jNNvfPciD97Z/dBwc3KwYXJL18Hkeh2Rw8hHOg/4/nDPXb272uyPKeAC/jbt8rJg==", - "8589934594": "n4KRoHNl8xqOuyifPurxhLP5QsLCNcTlMZ0U4dSeeR+4yp8qZoMYKxxsmU7gjewTvfHbXhNOU4jR4K0KqtKM6w==" - } - }, - "source": "if (file(\"/etc/shadow-\").exists) {\n file(\"/etc/shadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "/Kc60GU9syUEKHHmwJhFtiMLTYVF8h5zuvQ4JJ6FRc+ewxjALxDWp5INzonjnhbjoJgE4pcRYk2rw3/Kv0Fowg==": "permissions.other_writeable == false", - "2PISPaY9Uv/h/6bWIzaOCPZuNXOWm8h4ABDmViLOG63YzZY4u2XtbVVm2B0RRTtx00beK5hPg/g+gxPfCekYsg==": "permissions.other_readable == false", - 
"2gTIdScsz/z/cI8rVNqrquYzF736LBDvofiD6oegZcqudNlSp3dXKpOQ0EGoI9GphjcvIfETqiR6pse30oM2ng==": "permissions.group_executable == false", - "47Q+jq9hct6ndHS9YMHNeIZqHlSAzS1M2hkKbcwqfRxEO8oeec8OE2a78oc2mAEl+5n6o59/+1uh93iqk7Qr+A==": "permissions.user_executable == false", - "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==": "if", - "RumXTcMvN9dHtJVMf4m7JoxrM9gvdqn5vv29bm4X+P5MIiox6oWzC3T+rJM3fqWV+g0Sn4KJaSa/9R5wlMJqBw==": "permissions.group_writeable == false", - "m5y0p0bVYz7XxVWgXUaxPqZxy9PAtjuwoSNsr3YjZaPyXs+d9PKjEvXsBKikGOB5KBQc+7GIbWkUdWUs0BNLgw==": "permissions.other_executable == false", - "n4KRoHNl8xqOuyifPurxhLP5QsLCNcTlMZ0U4dSeeR+4yp8qZoMYKxxsmU7gjewTvfHbXhNOU4jR4K0KqtKM6w==": "file" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "ZydIs1lDnr8=": { - "query": "logindefs.params{ _['UID_MIN'] == 1000 }\n", - "checksum": "s/mXXm9fQZ8=", - "datapoints": [ - "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==" - ], - "code": { - "code_v2": { - "id": "ZydIs1lDnr8=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "logindefs" - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001a\u0007\u0007" - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "VUlEX01JTg==" - } - ], - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "0A8=" - } - ], - "binding": 8589934594 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] - } - ], - "checksums": { 
- "4294967297": "GDW03d3c4lMGEnmoicNhqlQdaREQvPX1vNPWJzYOQIY3xIdJ4TwjIP0m5IzqpNiM53uIGvdU6NOy2+HgqFIOWA==", - "4294967298": "hCKGp+pLVsgXknexmARsAOUv8BlLZVS9BvQjso4sWz9HQEWyXsBqiGddHNI/7ho8gAzhpBYW3r1cr75lvsfjoA==", - "4294967299": "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==", - "8589934593": "hCKGp+pLVsgXknexmARsAOUv8BlLZVS9BvQjso4sWz9HQEWyXsBqiGddHNI/7ho8gAzhpBYW3r1cr75lvsfjoA==", - "8589934594": "Ob3JnDm5tBfjRupNGtUiInZjtu1FGMZndJ3TaheQdnsfyOLgOptxGEZF4RvnNfSlPxPG9Le7G6J2m6W99M8U9Q==", - "8589934595": "daiOnK/mDY8dycKTQFCwMOfTYj/nKCXGiK0l/cNLlsCp+QwzTtZ7CU9xQy9pquDnkSIcqtyyHkm+5ZaAXK2OIQ==" - } - }, - "source": "logindefs.params{ _['UID_MIN'] == 1000 }\n", - "labels": { - "labels": { - "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==": "logindefs.params", - "daiOnK/mDY8dycKTQFCwMOfTYj/nKCXGiK0l/cNLlsCp+QwzTtZ7CU9xQy9pquDnkSIcqtyyHkm+5ZaAXK2OIQ==": "[UID_MIN] == 1000" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "aS95c8UVV00=": { - "query": "package(\"prelink\").installed == false\n", - "checksum": "JbSDY2GqhWo=", - "datapoints": [ - "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==", - "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==" - ], - "code": { - "code_v2": { - "id": "aS95c8UVV00=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cHJlbGluaw==" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ], - "datapoints": [ - 
4294967298 - ] - } - ], - "checksums": { - "4294967297": "uixMB/TYnjUfKLs+me68h5dJrwQtEhXb5v/LaGzPGyKoF3siLGMRMU1rtzYf98k7Dva/nfpDwfldMrwDvXEANw==", - "4294967298": "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==", - "4294967299": "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==" - } - }, - "source": "package(\"prelink\").installed == false\n", - "labels": { - "labels": { - "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==": "package.installed", - "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==": "package.installed == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "cYHRR9+gDKI=": { - "query": "service(\"auditd\").enabled\n", - "checksum": "dur0BatBm5c=", - "datapoints": [ - "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==" - ], - "code": { - "code_v2": { - "id": "cYHRR9+gDKI=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXRk" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "lgi4PE11ywudA+BjWIWeZiBNUD5BdD7jmG+eUHUqhtJeRlXLG9D4/xJFo/4pK/HeWZeMDmvBY/TyzX8DZC2E4Q==", - "4294967298": "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==" - } - }, - "source": "service(\"auditd\").enabled\n", - "labels": { - "labels": { - "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==": "service.enabled" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "ctwaZkpRtPo=": { - "query": "service(\"rsyslog\").enabled\n", - 
"checksum": "vn9F+I6RcUo=", - "datapoints": [ - "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==" - ], - "code": { - "code_v2": { - "id": "ctwaZkpRtPo=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnN5c2xvZw==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "WxybOBgVLiJQ1GurPFPwuVypCRLeN/MRJuQ8DmRu8jgZzEyvBBESUNOlxWmOUdEixaePATVg+xSWePFPrGVSfA==", - "4294967298": "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==" - } - }, - "source": "service(\"rsyslog\").enabled\n", - "labels": { - "labels": { - "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==": "service.enabled" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "d6AyzyIg+ow=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/usr\\/share\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n}\n", - "checksum": "0WPnJXw69EA=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==" - ], - "code": { - "code_v2": { - "id": "d6AyzyIg+ow=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": 
"L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", 
- "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zZWxpbnV4XHMrXC1wXHMrXHdhXHMrXC1rXHMrTUFDXC1wb2xpY3koXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdXNyXC9zaGFyZVwvc2VsaW51eFxzK1wtcFxzK1x3YVxzK1wta1xzK01BQ1wtcG9saWN5KFxzKyk/JA==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "SmkrHrL8L9Ldwd3dGDYILmEbom+0YC0mSCnA/TSWZeZblWxXMRyc/nASjk44tZ0dJqEG0hMY50L4AUPAe8C/Dw==", - "12884901891": 
"ZDO/uHkNBYwDZZQanpnMU9WyNQM4Sdj2wJh+RlJgVx7RlIS6SnENcXa2WcHI3LlXAba+oV5Qs7WCOV7Nv2aS/A==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "qVR/NqyUgbskvRQmu+hCymhudxx9aT/pRFq+DCUQIEyoCLlbKqZKJ38IuMxMFQWs/gdsYKg7DuekW1fuNnjcpA==", - "17179869187": "PT0Xm/3UPL3IsmrG31TCMYrlC2P0CCONfO9Bt7Dtgf3er3UGvt76ABt1pEqyllBcXR7kWqYgQvr3rVmdrNP9GQ==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "Bo/OPbo0MYqHTow2QDW6enS8fQrPKbqyk7nd3TbSbe9oHGPL/1JtxdqVJfCCSsaUHzXz2wutWDXmiAelxyOEOw==", - "8589934597": "l0h4+ybcklX2vB1SV5VM7UipiWiGHDdMy/HPUi08prhOxEJpIXxEoTHqjN761uwHwc+8YyYTM21VPEgh61S03A==", - "8589934598": "JR4HDIhOUHtuq4g1nm40Bcj85I1ePstgJmhsGD0owmJjVK+uzVAHr5m/MwzXyn8xcKuAvJeFKNaiki8h8ZIz+w==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": 
"HrQgHnshkeiGK0ZsmRTLO+5odBDSLApH+p5Ts043SsLS0iLwDWLgaAS0OxUgX0mS+fyId4JT7NgSrxtlRLEbcw==", - "8589934603": "VCLw6TMXq1xD909VVsPpcrYuDOezO4unsr2xorSm22Xim8ObJnxuzWzeVott6FAX6Oth11SHGVmgoGB/i+ESVg==", - "8589934604": "+/tNPt1sItITsUQKXLzg/mGi2glh9/SH5EnT1CpTJwUr7srLmL/cDdbKDE4bHfp0xcKkzqQS8Bh15EDqdN/cuA==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/usr\\/share\\/selinux\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "+/tNPt1sItITsUQKXLzg/mGi2glh9/SH5EnT1CpTJwUr7srLmL/cDdbKDE4bHfp0xcKkzqQS8Bh15EDqdN/cuA==": "[].contains()", - "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==": "if", - "JR4HDIhOUHtuq4g1nm40Bcj85I1ePstgJmhsGD0owmJjVK+uzVAHr5m/MwzXyn8xcKuAvJeFKNaiki8h8ZIz+w==": "[].contains()", - "PT0Xm/3UPL3IsmrG31TCMYrlC2P0CCONfO9Bt7Dtgf3er3UGvt76ABt1pEqyllBcXR7kWqYgQvr3rVmdrNP9GQ==": " == \u003cref\u003e", - "ZDO/uHkNBYwDZZQanpnMU9WyNQM4Sdj2wJh+RlJgVx7RlIS6SnENcXa2WcHI3LlXAba+oV5Qs7WCOV7Nv2aS/A==": " == \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "dVk74tk32xs=": { - "query": "kernel.parameters[\"kernel.randomize_va_space\"] == 2\n", - "checksum": "BVIj1R9iyPg=", - "datapoints": [ - "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==", - "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==" - ], - "code": { - "code_v2": { - "id": "dVk74tk32xs=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": 
"\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "a2VybmVsLnJhbmRvbWl6ZV92YV9zcGFjZQ==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "BA==" - } - ], - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==", - "4294967300": "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==" - } - }, - "source": "kernel.parameters[\"kernel.randomize_va_space\"] == 2\n", - "labels": { - "labels": { - "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==": "kernel.parameters[kernel.randomize_va_space] == 2", - "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==": "kernel.parameters[kernel.randomize_va_space]" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "eWpIdiIAryk=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\.d\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n}\n", - "checksum": "pnB8bkXeOWk=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - 
"XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==" - ], - "code": { - "code_v2": { - "id": "eWpIdiIAryk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - 
"args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zdWRvZXJzXHMrXC1wXHMrd2FccytcLWtccytzY29wZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvZXRjXC9zdWRvZXJzXC5kXHMrXC1wXHMrd2FccytcLWtccytzY29wZShccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAB" - } - ], - "binding": 17179869185 - } - } - ], - "parameters": 1, - "entrypoints": [ - 17179869187 - ] 
- } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "iIZMmjQnRSrxDjJYEUNuXcGdvh1RmZg3yZRW+s1NmWKvTiMDo9hoAbJNw2LTz+KfjC/SmYJp9WGWEQPLl7A9bQ==", - "12884901891": "uXyFyi7tprUM8HSHQjVnHyE6/tBUJ4TmzqknqbGXyo8Dt574VVMq9T1EFqgNG+jYfFKdn53/AbMS/2gOf/h1dw==", - "17179869185": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869186": "PMGa4/iXeq2ogkIgYofcvPg3wUQZzqnNIP5lkZpSqzFPJFkhngQ6shnQeCE7A8EHuEe9K863h4oDs8FODAAXiw==", - "17179869187": "x0/7DTlKIwknzdA7ZBTpT8f+jSR7cgxYrCR9pPY7gy3ylUVBMafa5cFVZO1NmZ2WBCS3nyaN1rWuENwl/pAUIQ==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "5NfH0DLk6pR/zY3Z+GqkrcA64IHy4VkrmNdKLfUXTUqwnQ8GecjRjyLwQTcUidOgxE57sjA9Z4GGE6dbnG8aWw==", - "8589934597": "0s9Mi86FU6JzF++XQOXScsfz4GzGK1zAGBAMkWb/JkERgjlRszMd/e3wQW7QNeU9xJHFcWBl0G2BO2VxjzdhCQ==", - "8589934598": "8ov+GKGjPnoa+/+zg8NnGM8HVbqrvkP8aBN04dxMpKf+U9adkMCFmrvIXpO18+0NFmzloHF7KhORFVgMvc0RMA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": 
"d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "6eLNq/3XfQmeMSdmz9x/P7xeooumzM1LrKybgXNRX7vlznWBBywgjmeEMZcwM14QyP0EBji9g1ofZmfnUSmrvw==", - "8589934603": "bR9v3APBVEXCgTZ2PBi4+KuSkSo7lnxLYS+THcwvshRD8jFV5vhesF5JgLMRHD986AzQsWcS7Zn5EzZtkqmcMA==", - "8589934604": "XcdK1HVrWHGdwvlLbdNWEtQyFJ370wUvb2DfGZXXQUPuwX25nT2aZC+TMsqJL0mL37XryTvQadVyvHM66OyTCg==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\.d\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "8ov+GKGjPnoa+/+zg8NnGM8HVbqrvkP8aBN04dxMpKf+U9adkMCFmrvIXpO18+0NFmzloHF7KhORFVgMvc0RMA==": "[].contains()", - "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==": "if", - "XcdK1HVrWHGdwvlLbdNWEtQyFJ370wUvb2DfGZXXQUPuwX25nT2aZC+TMsqJL0mL37XryTvQadVyvHM66OyTCg==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "uXyFyi7tprUM8HSHQjVnHyE6/tBUJ4TmzqknqbGXyo8Dt574VVMq9T1EFqgNG+jYfFKdn53/AbMS/2gOf/h1dw==": " == \u003cref\u003e", - "x0/7DTlKIwknzdA7ZBTpT8f+jSR7cgxYrCR9pPY7gy3ylUVBMafa5cFVZO1NmZ2WBCS3nyaN1rWuENwl/pAUIQ==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "f3DZtMTsQJc=": { - "query": "package(\"xserver-xorg\").installed == false\n", - "checksum": "fpevj25jT9Y=", - "datapoints": [ - "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==", - "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==" - ], - "code": 
{ - "code_v2": { - "id": "f3DZtMTsQJc=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "eHNlcnZlci14b3Jn" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ], - "datapoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "x3XYacX+IRNUGf761kZF3p4zgy5n/D4yeNrSUZP5a1qlgmd0zjRUPgo8k7ddGPSTHGX9QcuCjdSyQptwYjcg3g==", - "4294967298": "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==", - "4294967299": "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==" - } - }, - "source": "package(\"xserver-xorg\").installed == false\n", - "labels": { - "labels": { - "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==": "package.installed", - "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==": "package.installed == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "f5q/EiRn95Q=": { - "query": "service(\"squid\").enabled == false\nservice(\"squid\").running == false\nservice(\"tinyproxy\").enabled == false\nservice(\"tinyproxy\").running == false\n", - "checksum": "SDxsdGKJSg4=", - "datapoints": [ - "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==", - "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==", - "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==", - 
"4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==", - "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==", - "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==", - "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==", - "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==" - ], - "code": { - "code_v2": { - "id": "f5q/EiRn95Q=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c3F1aWQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c3F1aWQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGlueXByb3h5" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967304 - } - }, - { 
- "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dGlueXByb3h5" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967307 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308 - ], - "datapoints": [ - 4294967298, - 4294967301, - 4294967304, - 4294967307 - ] - } - ], - "checksums": { - "4294967297": "IBK6waYhNTe2/d/PBgdFmwC+dLlcA0CIniXT7PoBI9dbVp944WhWvdYy06GVQZJe78gq/b8NW3h/s/SNwmk+Sw==", - "4294967298": "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==", - "4294967299": "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==", - "4294967300": "IBK6waYhNTe2/d/PBgdFmwC+dLlcA0CIniXT7PoBI9dbVp944WhWvdYy06GVQZJe78gq/b8NW3h/s/SNwmk+Sw==", - "4294967301": "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==", - "4294967302": "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==", - "4294967303": "altem4BKFM8FuKUHPuGjnyDyD56tfiSUYVOmuAEpuHdku5RGwSLJPZiXZ3SXbTs8pPgeYhDVLtxFnVJAsvAkKA==", - "4294967304": "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==", - "4294967305": "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==", - "4294967306": "altem4BKFM8FuKUHPuGjnyDyD56tfiSUYVOmuAEpuHdku5RGwSLJPZiXZ3SXbTs8pPgeYhDVLtxFnVJAsvAkKA==", - "4294967307": "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==", - "4294967308": "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==" - } - }, - "source": 
"service(\"squid\").enabled == false\nservice(\"squid\").running == false\nservice(\"tinyproxy\").enabled == false\nservice(\"tinyproxy\").running == false\n", - "labels": { - "labels": { - "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==": "service.running", - "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==": "service.enabled == false", - "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==": "service.running == false", - "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==": "service.running", - "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==": "service.enabled == false", - "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==": "service.enabled", - "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==": "service.running == false", - "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==": "service.enabled" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "fSgcywHks9g=": { - "query": "groups.list.duplicates(name).none()\n", - "checksum": "Pbm9v2OeoOg=", - "datapoints": [ - "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==", - "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==" - ], - "code": { - "code_v2": { - "id": "fSgcywHks9g=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "fieldDuplicates", - "function": { - "type": "\u0019\u001bgroup", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - }, - 
{ - "call": 1, - "id": "$none", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - } - ], - "checksums": { - "4294967297": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "4294967298": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "4294967299": "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==", - "4294967300": "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==", - "8589934593": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "8589934594": "FGunmw8dgXyRl+asusKnP7tYFpgi9HYqCPltkMExlMCdugsmQbUwp8Tv8hYWyen3KOZgyCmOwcU57FJzmshUFQ==" - } - }, - "source": "groups.list.duplicates(name).none()\n", - "labels": { - "labels": { - "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==": "groups.list.fieldDuplicates", - "FGunmw8dgXyRl+asusKnP7tYFpgi9HYqCPltkMExlMCdugsmQbUwp8Tv8hYWyen3KOZgyCmOwcU57FJzmshUFQ==": "name", - "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==": "[].none()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "gCDGOw9QK4Q=": { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/sudo\\.log\\s+\\-p\\s+wa\\s+\\-k\\s+actions(\\s+)?$/)\n}\n", - "checksum": "PMqD/H+VGgg=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - 
"w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==" - ], - "code": { - "code_v2": { - "id": "gCDGOw9QK4Q=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - 
"args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934597 - } - } - ], - "entrypoints": [ - 8589934598 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL3N1ZG9cLmxvZ1xzK1wtcFxzK3dhXHMrXC1rXHMrYWN0aW9ucyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - } - ], - "checksums": { - "12884901889": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "12884901890": "cRI3sHGyCILwhfmZjZ30K1mKC9u0KR82aFul6SBbDIrLI6xC/PlyXnj/plEWFkUxrfLhrFzSfW4QnvlpcCINig==", - "12884901891": "7aGwAi9rFaUdEIBX8oZaJE0wC609AvhPaf9qZjGnPFXo5hwunEehft8QGZL2gtN4EP22BkFXmJb/OQ07Wjjieg==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==", - "8589934593": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934594": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934595": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934596": "QBhFhvJzlIC01V/Edk2+hQgDIUkJNjTnsqMW+ypSWcVxZQrZqPC4CgeMiCrwy6uVG5GAZG+vgwX8KIQ9EYwUkw==", - "8589934597": 
"KcG8LTxvxnFVUBidUAr8hAkPRZIIEfhqgTUf4OWGtbrRCUYC+GAmtP3qcqv4Zs4RaXtpQkyoa2hagBDHonfdSA==", - "8589934598": "d1nioSzt6v8A8HCiEmIfbQqkFyTiS6T+rURDK+kPIWBbrHpDzQcp50vPfoSMQOTGpVMMttKD4Bzj8jNDhb4eSg==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/sudo\\.log\\s+\\-p\\s+wa\\s+\\-k\\s+actions(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "7aGwAi9rFaUdEIBX8oZaJE0wC609AvhPaf9qZjGnPFXo5hwunEehft8QGZL2gtN4EP22BkFXmJb/OQ07Wjjieg==": " == \u003cref\u003e", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "d1nioSzt6v8A8HCiEmIfbQqkFyTiS6T+rURDK+kPIWBbrHpDzQcp50vPfoSMQOTGpVMMttKD4Bzj8jNDhb4eSg==": "[].contains()", - "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "gu8eYJ6C7Ag=": { - "query": "groups.list.duplicates(gid).none()\n", - "checksum": "6pHk/rFGhhQ=", - "datapoints": [ - "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==", - "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==" - ], - "code": { - "code_v2": { - "id": "gu8eYJ6C7Ag=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "fieldDuplicates", - "function": { - "type": "\u0019\u001bgroup", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "$none", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - 
"primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "gid", - "function": { - "type": "\u0005", - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - } - ], - "checksums": { - "4294967297": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "4294967298": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "4294967299": "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==", - "4294967300": "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==", - "8589934593": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "8589934594": "0BgIsZsix94mgi6S0XWEsTVpEr43Toa23lodR1fMxp8mwaAAiaEx6l6B8nbwZQdka4Jfba21v5U6MATpO0ao0w==" - } - }, - "source": "groups.list.duplicates(gid).none()\n", - "labels": { - "labels": { - "0BgIsZsix94mgi6S0XWEsTVpEr43Toa23lodR1fMxp8mwaAAiaEx6l6B8nbwZQdka4Jfba21v5U6MATpO0ao0w==": "gid", - "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==": "groups.list.fieldDuplicates", - "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==": "[].none()" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "gxsrJvn0Hag=": { - "query": "service(\"httpd\").enabled == false\nservice(\"httpd\").running == false\nservice(\"apache2\").enabled == false\nservice(\"apache2\").running == false\nservice(\"nginx\").enabled == false\nservice(\"nginx\").running == false\n", - "checksum": "2H0tAKAwzvc=", - "datapoints": [ - "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==", - "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==", - "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==", - 
"sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==", - "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==", - "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==", - "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==", - "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==", - "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==", - "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==", - "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==", - "FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==" - ], - "code": { - "code_v2": { - "id": "gxsrJvn0Hag=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "aHR0cGQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "aHR0cGQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": 
"\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXBhY2hlMg==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXBhY2hlMg==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmdpbng=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967310 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmdpbng=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967312 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967313 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308, - 4294967311, - 4294967314 - ], - "datapoints": [ - 4294967298, - 4294967301, - 4294967304, - 
4294967307, - 4294967310, - 4294967313 - ] - } - ], - "checksums": { - "4294967297": "dCVabDk7JZnaNjQKP3XELBafzhwNj1VcUZFtByjvPhr+hMH0I9sp5DuH/YcZVDuwvn5Qblda1QMpABX3v38UnA==", - "4294967298": "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==", - "4294967299": "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==", - "4294967300": "dCVabDk7JZnaNjQKP3XELBafzhwNj1VcUZFtByjvPhr+hMH0I9sp5DuH/YcZVDuwvn5Qblda1QMpABX3v38UnA==", - "4294967301": "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==", - "4294967302": "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==", - "4294967303": "ZzpTuB+wVcIs6L/zM3bljIAW6t6e8yElmCCfmZ+LVk/uzO00tzMccfXMXgDKGU8k1gz5XtpBJaKvbyd6HylxBg==", - "4294967304": "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==", - "4294967305": "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==", - "4294967306": "ZzpTuB+wVcIs6L/zM3bljIAW6t6e8yElmCCfmZ+LVk/uzO00tzMccfXMXgDKGU8k1gz5XtpBJaKvbyd6HylxBg==", - "4294967307": "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==", - "4294967308": "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==", - "4294967309": "yv+WF56BZ1Ar0uO7HXdpDdiBy/T+rqsLh6sgQ8b85QIX+IkfpP6THCm9QXnUFhL4zybm7u7gTHrWgUvByjZLSg==", - "4294967310": "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==", - "4294967311": "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==", - "4294967312": "yv+WF56BZ1Ar0uO7HXdpDdiBy/T+rqsLh6sgQ8b85QIX+IkfpP6THCm9QXnUFhL4zybm7u7gTHrWgUvByjZLSg==", - "4294967313": "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==", - "4294967314": 
"FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==" - } - }, - "source": "service(\"httpd\").enabled == false\nservice(\"httpd\").running == false\nservice(\"apache2\").enabled == false\nservice(\"apache2\").running == false\nservice(\"nginx\").enabled == false\nservice(\"nginx\").running == false\n", - "labels": { - "labels": { - "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==": "service.enabled == false", - "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==": "service.running", - "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==": "service.enabled", - "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==": "service.enabled", - "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==": "service.enabled == false", - "FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==": "service.running == false", - "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==": "service.enabled", - "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==": "service.enabled == false", - "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==": "service.running == false", - "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==": "service.running", - "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==": "service.running == false", - "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "htUqKZYa860=": { - "query": "if (file(\"/etc/shadow\").exists) {\n file(\"/etc/shadow\") {\n permissions.user_executable == false\n 
permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "85QJzMSvy9c=", - "datapoints": [ - "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==" - ], - "code": { - "code_v2": { - "id": "htUqKZYa860=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zaGFkb3c=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zaGFkb3c=" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - 
"function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901903 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 
- } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907 - ] - } - ], - "checksums": { - "12884901889": "KP29GeZnm1Au1aBNyMifVKKFnmOzd0QN6yvHFqB/n9vx4Mk3qrJlGg5qitm2nmE5X9wBRyklaq5hS00SF6+X4g==", - "12884901890": "M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901891": "sThimaticGQ3LM8EJPJ7Og+mMn4Eg0lhE57VfMbcwNZRWyV2js6S0+Lvze1xvus67IQDMQqyHXrrBzJfw4N/1g==", - "12884901892": "qpqUt1t7A3jv4MD7gaUkjvH8uvEEAYRPAGMynYAnhIjrisJbxqURv+87cPlbv7oOhgkORMJLw26vkm5IEuz0Og==", - "12884901893": "M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901894": "zEDstma6VqQ5il6qPRsKZbyWOL8/23sYYCThUsGe9WQwNUhcqbHam0aUuwWrerVrNcGHfMgKUKyW0149GS2FBg==", - "12884901895": "p8o6NFZzHcIj97gcUggk5dVy/wcEr+2QX0uzWWDykcqjLwWOMGXg6pRnx7OnDi0kA4vWCOuZRUQ8Ks8WDo9dsw==", - "12884901896": "M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901897": "dObeCRg/MstAZuEWYB2hvLCLvEC+feZnCCfkEJOaPxA8FDDj7Xe5TxzZ7dOt5MrKunqbrxWe8wxXsdL0JXrxIw==", - "12884901898": "0pxJeDkriyq9idLPJaqRTP9bfa1ViMGu7KVAOpZMY1CNKofnlhJQCT2grvMCwbPz4acH4taX5g8M9M/DO44AZA==", - "12884901899": "M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901900": "nZyRjNj6jJZqhPkUA5+c4+1WJOJboCXTuXNQC55NWhGC7hztLABbBtZjtXUBvrIeOANYZtc/rwHkqrxY5sIdlg==", - "12884901901": "A/Kxpo2No6qHIK8y3iyan/kBdTZmAtQPBOrf1JgoGBqjMHuZ/FLlWE5Sk9FBtGQnJnPuskggUGe7t3elQqELow==", - "12884901902": "M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901903": "L/KrfhrpvYRxX6bGiT0lL6NZDMICREUzG8WuWhGqdLa1UdBFvzrpZT/FmfrMHeqxvaQJhDNOtPkWAn0ff8YdNw==", - "12884901904": "fPxp9r43dRMA5Y3s7lp6FRgBD5THqzKEpnQYwU8BKrV+cIO3z4qfj1/GXyphKESuj1Psk8DW0O3eKTGFqaAg0Q==", - "12884901905": 
"M6T1N14pCCdAJV2t2eZRVg0eqZF/fgSC9batJObnfEzyjvCbijzSgLKzbRAhdsBowSxYCUBy/M5NmMBFz2vDuA==", - "12884901906": "W1EQ27IdrlJRN/yKo3uvBi0ojcXTPKihG9GMEdwjqu1U83sIYkshlrwR7VYriB7b2sSxoXGiJDXoxbic3kg2Zg==", - "12884901907": "kWbgQFfIrpQaDEj3+XSBLZGUPG/eB6GtxaYCf4YlRl/hddqo4vHaCdMY+WZ2otW3R8tvUELqQayN4aipFshQog==", - "4294967297": "KP29GeZnm1Au1aBNyMifVKKFnmOzd0QN6yvHFqB/n9vx4Mk3qrJlGg5qitm2nmE5X9wBRyklaq5hS00SF6+X4g==", - "4294967298": "Qd7Ujfzo8pgdN7LnieAiVVDt1QDw3QJyqBP5dXX/4PlvQnsnJpGXsr5ynGFgqX+9t67bQA8Eaobf+agIMn+GJg==", - "4294967299": "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==", - "8589934593": "KP29GeZnm1Au1aBNyMifVKKFnmOzd0QN6yvHFqB/n9vx4Mk3qrJlGg5qitm2nmE5X9wBRyklaq5hS00SF6+X4g==", - "8589934594": "5TG5GEKblq+ttGkiE1lMOQxjulbMyDggsG3PWnpIhQIj68oVLuRMmFe5EYmopK0/wz3CkekBuu2c1kgFDXHaZg==" - } - }, - "source": "if (file(\"/etc/shadow\").exists) {\n file(\"/etc/shadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "0pxJeDkriyq9idLPJaqRTP9bfa1ViMGu7KVAOpZMY1CNKofnlhJQCT2grvMCwbPz4acH4taX5g8M9M/DO44AZA==": "permissions.group_executable == false", - "5TG5GEKblq+ttGkiE1lMOQxjulbMyDggsG3PWnpIhQIj68oVLuRMmFe5EYmopK0/wz3CkekBuu2c1kgFDXHaZg==": "file", - "A/Kxpo2No6qHIK8y3iyan/kBdTZmAtQPBOrf1JgoGBqjMHuZ/FLlWE5Sk9FBtGQnJnPuskggUGe7t3elQqELow==": "permissions.other_readable == false", - "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==": "if", - "fPxp9r43dRMA5Y3s7lp6FRgBD5THqzKEpnQYwU8BKrV+cIO3z4qfj1/GXyphKESuj1Psk8DW0O3eKTGFqaAg0Q==": "permissions.other_writeable == false", - "kWbgQFfIrpQaDEj3+XSBLZGUPG/eB6GtxaYCf4YlRl/hddqo4vHaCdMY+WZ2otW3R8tvUELqQayN4aipFshQog==": "permissions.other_executable == false", - 
"p8o6NFZzHcIj97gcUggk5dVy/wcEr+2QX0uzWWDykcqjLwWOMGXg6pRnx7OnDi0kA4vWCOuZRUQ8Ks8WDo9dsw==": "permissions.group_writeable == false", - "qpqUt1t7A3jv4MD7gaUkjvH8uvEEAYRPAGMynYAnhIjrisJbxqURv+87cPlbv7oOhgkORMJLw26vkm5IEuz0Og==": "permissions.user_executable == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "jb3wqU5HpR8=": { - "query": "service(\"smb\").enabled == false\nservice(\"smbd\").enabled == false\nservice(\"smb\").running == false\nservice(\"smbd\").running == false\n", - "checksum": "TMRpPIXVpMQ=", - "datapoints": [ - "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==", - "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==", - "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==", - "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==", - "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==", - "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==", - "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==", - "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==" - ], - "code": { - "code_v2": { - "id": "jb3wqU5HpR8=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c21i" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - 
"value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c21iZA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c21i" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "c21iZA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967307 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308 - ], - "datapoints": [ - 4294967298, - 4294967301, - 4294967304, - 4294967307 - ] - } - ], - "checksums": { - "4294967297": "c/64QizXFcZgcokMKTVMIalEZY1QC3vJdCpYMOjdTxsM2yrcsGFJU9TK31EwHIr8ROEG1xdOpiMhZS2E18uOfg==", - "4294967298": "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==", - "4294967299": "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==", - "4294967300": "gxomVeO9SI8TwzFG9XMse6RBKllGqCJ8OsP8g5pL4pY4F5QsH4PcRZvY3yXfdA+kmAFbv+y850WSMZrnTjiN2A==", - "4294967301": 
"+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==", - "4294967302": "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==", - "4294967303": "c/64QizXFcZgcokMKTVMIalEZY1QC3vJdCpYMOjdTxsM2yrcsGFJU9TK31EwHIr8ROEG1xdOpiMhZS2E18uOfg==", - "4294967304": "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==", - "4294967305": "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==", - "4294967306": "gxomVeO9SI8TwzFG9XMse6RBKllGqCJ8OsP8g5pL4pY4F5QsH4PcRZvY3yXfdA+kmAFbv+y850WSMZrnTjiN2A==", - "4294967307": "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==", - "4294967308": "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==" - } - }, - "source": "service(\"smb\").enabled == false\nservice(\"smbd\").enabled == false\nservice(\"smb\").running == false\nservice(\"smbd\").running == false\n", - "labels": { - "labels": { - "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==": "service.enabled", - "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==": "service.running == false", - "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==": "service.enabled", - "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==": "service.enabled == false", - "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==": "service.running == false", - "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==": "service.running", - "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==": "service.running", - "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==": "service.enabled == false" - } - }, - 
"version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "jqO4q2mBu9M=": { - "query": "service(\"vsftpd\").enabled == false\nservice(\"vsftpd\").running == false\n", - "checksum": "OlBp884+2lI=", - "datapoints": [ - "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==", - "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==", - "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==", - "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==" - ], - "code": { - "code_v2": { - "id": "jqO4q2mBu9M=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dnNmdHBk" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "dnNmdHBk" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "R1PLAaliA4GG94Q+tCTOV3zwTqsxZDvLZ4CahLmC6t0j5UkStTHL9nXfbdqW1QzUYIfZ6mK/9DgGXWT3ssYVWA==", - "4294967298": "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==", - 
"4294967299": "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==", - "4294967300": "R1PLAaliA4GG94Q+tCTOV3zwTqsxZDvLZ4CahLmC6t0j5UkStTHL9nXfbdqW1QzUYIfZ6mK/9DgGXWT3ssYVWA==", - "4294967301": "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==", - "4294967302": "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==" - } - }, - "source": "service(\"vsftpd\").enabled == false\nservice(\"vsftpd\").running == false\n", - "labels": { - "labels": { - "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==": "service.enabled", - "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==": "service.running", - "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==": "service.running == false", - "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==": "service.enabled == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "lEVQGwKxvPY=": { - "query": "packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )", - "checksum": "1Oovzyxu4Bw=", - "datapoints": [ - "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==", - "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==" - ], - "code": { - "code_v2": { - "id": "lEVQGwKxvPY=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "packages" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bpackage", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bpackages", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bpackage", - 
"binding": 4294967299 - } - }, - { - "call": 1, - "id": "$whereNot", - "function": { - "type": "\u001bpackages", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bpackage", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "$all", - "function": { - "type": "\u0004", - "binding": 4294967302 - } - } - ], - "entrypoints": [ - 4294967303 - ], - "datapoints": [ - 4294967302 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bpackage" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "c3Ns" - } - ], - "binding": 8589934594 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bpackage" - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "!=\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "My4wLlswMTIzNDU2XQ==" - } - ], - "binding": 12884901890 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - } - ], - "checksums": { - "12884901889": "uhdkLdbZ82hgRgPh+wSvMlqpSiy3TiZeud0/z9R9CZSL7TzhaKmY8F2yqcaDHBNkOGwTD1x7Y/XKNlWO2lLS6g==", - "12884901890": "K4Ms0L+e3p5Zx5f+xbpdMOIUkvR+xqvuqvaRuAmFZK0JxGaOZEtD/BbcPywxYYjIZL6zgP4H4z6bNaxmuooO/g==", - "12884901891": "s8AZK3WcED5n+EyTrn/ixZJxGBC1kLD6ANfTYjXjXV4p4wtO+Dz39sZrOpZdz4Qo20vMm8haTqSElzvkgdfjJQ==", - "4294967297": "nc5UOrIapsVDWsNQPi9UMROkMUjnpIzanSxQGmqWP9qnzmreR9txrbattEM8aUVnbbzt/cLaFCXnFnrSNz3b7w==", - "4294967298": "TRoNpEaXdtENGclai17vNxVsY5Y2DG6WB500iCLFm2lF/0iMyyzJWGTkXDZ1E+swwxmwH+/NFofQYmgV/SPPeg==", - "4294967299": 
"uhdkLdbZ82hgRgPh+wSvMlqpSiy3TiZeud0/z9R9CZSL7TzhaKmY8F2yqcaDHBNkOGwTD1x7Y/XKNlWO2lLS6g==", - "4294967300": "8JffGgPjX158hAazFDH5YZv9k0PJUwE6eyxQRxN6W6aE+P7XuiUBwuFvmHlETKmQJyMJ2DR0lJN3eUNvHc/uNA==", - "4294967301": "gLozb35WzhHjigrJOEQurqtJJqq1Ap/Ufy+av1ptdVs3bjwmaGFW26jpzqtFCdGVMaQR4GD8Bx4SFiBwh97dHg==", - "4294967302": "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==", - "4294967303": "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==", - "8589934593": "nc5UOrIapsVDWsNQPi9UMROkMUjnpIzanSxQGmqWP9qnzmreR9txrbattEM8aUVnbbzt/cLaFCXnFnrSNz3b7w==", - "8589934594": "1lbUeoc4wCkf5/EjOOHInBxyScsuDIYNUsO47phrYLgv5G3GmJDiUdrcmO3HZ0xNn3lpIHt3p3mkh1h40kGXzg==", - "8589934595": "fhp9QpDdJUbhVkwnO8mSg+hMOhTWf1OzvIFEsa8tGSDdVVoG5yQxwTFqWhg+8yJYr1jEx9/uKeReLO9zxdpIpg==" - } - }, - "source": "packages.where(name == /ssl/).all( version != /3.0.[0123456]/ )", - "labels": { - "labels": { - "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==": "packages.all()", - "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==": "packages.where.$whereNot.list", - "fhp9QpDdJUbhVkwnO8mSg+hMOhTWf1OzvIFEsa8tGSDdVVoG5yQxwTFqWhg+8yJYr1jEx9/uKeReLO9zxdpIpg==": "name == /ssl/", - "s8AZK3WcED5n+EyTrn/ixZJxGBC1kLD6ANfTYjXjXV4p4wtO+Dz39sZrOpZdz4Qo20vMm8haTqSElzvkgdfjJQ==": "version != /3.0.[0123456]/" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "lSnkpvWD+i0=": { - "query": "service(\"rsh.socket\").enabled == false\nservice(\"rlogin.socket\").enabled == false\nservice(\"rexec.socket\").enabled == false\nservice(\"rsh.socket\").running == false\nservice(\"rlogin.socket\").running == false\nservice(\"rexec.socket\").running == false\n", - "checksum": "b9Iw5ZjgTpQ=", - "datapoints": [ - "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==", - 
"IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==", - "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==", - "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==", - "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==", - "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==", - "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==", - "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==", - "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==", - "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==", - "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==", - "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==" - ], - "code": { - "code_v2": { - "id": "lSnkpvWD+i0=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnNoLnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cmxvZ2luLnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": 
"\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cmV4ZWMuc29ja2V0" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967304 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cnNoLnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cmxvZ2luLnNvY2tldA==" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967310 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "cmV4ZWMuc29ja2V0" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967312 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - 
"value": "AA==" - } - ], - "binding": 4294967313 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302, - 4294967305, - 4294967308, - 4294967311, - 4294967314 - ], - "datapoints": [ - 4294967298, - 4294967301, - 4294967304, - 4294967307, - 4294967310, - 4294967313 - ] - } - ], - "checksums": { - "4294967297": "NSSqCoHzlUDOzEyCddmvRwdrlFlC/NIdYWByUQp7BX7UHFZRRGbKyW9XsrHfNdaRKspuGaTB5ZOKg5eJox00fA==", - "4294967298": "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==", - "4294967299": "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==", - "4294967300": "COf6svkUMtylSG6TC1hJRRNu+GtEh3y95q5qV/EtCwlno4UYJPMV+WdhA9hWbs2VETot6E/fzIGbke/KbH+erA==", - "4294967301": "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==", - "4294967302": "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==", - "4294967303": "+27MqLPZkwMBTMvQl5loSh2Z/wb4PzVWN2/m3zjdCpHVsX9P5W73sWWgqparoLg/q+GVDTiO3oCDkgSpwN7rFQ==", - "4294967304": "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==", - "4294967305": "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==", - "4294967306": "NSSqCoHzlUDOzEyCddmvRwdrlFlC/NIdYWByUQp7BX7UHFZRRGbKyW9XsrHfNdaRKspuGaTB5ZOKg5eJox00fA==", - "4294967307": "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==", - "4294967308": "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==", - "4294967309": "COf6svkUMtylSG6TC1hJRRNu+GtEh3y95q5qV/EtCwlno4UYJPMV+WdhA9hWbs2VETot6E/fzIGbke/KbH+erA==", - "4294967310": "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==", - "4294967311": "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==", - "4294967312": 
"+27MqLPZkwMBTMvQl5loSh2Z/wb4PzVWN2/m3zjdCpHVsX9P5W73sWWgqparoLg/q+GVDTiO3oCDkgSpwN7rFQ==", - "4294967313": "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==", - "4294967314": "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==" - } - }, - "source": "service(\"rsh.socket\").enabled == false\nservice(\"rlogin.socket\").enabled == false\nservice(\"rexec.socket\").enabled == false\nservice(\"rsh.socket\").running == false\nservice(\"rlogin.socket\").running == false\nservice(\"rexec.socket\").running == false\n", - "labels": { - "labels": { - "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==": "service.running", - "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==": "service.enabled == false", - "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==": "service.running", - "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==": "service.enabled", - "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==": "service.running == false", - "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==": "service.enabled", - "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==": "service.running == false", - "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==": "service.enabled", - "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==": "service.enabled == false", - "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==": "service.enabled == false", - "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==": "service.running == false", - 
"u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==": "service.running" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "m7DAOFbL9Qg=": { - "query": "file(\"/etc/group\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "checksum": "4IKIRT+W5BE=", - "datapoints": [ - "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==" - ], - "code": { - "code_v2": { - "id": "m7DAOFbL9Qg=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9ncm91cA==" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 8589934597 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934598 - } - }, - { - "call": 
1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934604 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 8589934607 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934596, - 8589934599, - 8589934602, - 8589934605, - 8589934608 - ] - } - ], - "checksums": { - "4294967297": "47lUbMVcohV9T0n0OjMaDM1giwq0yVDE6WeFPDj8KY2bLdAwNvcPV7ALAoKUH6mWHuf3MiGbZEd9KbIiWEqx9g==", - "4294967298": "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==", - "8589934593": "47lUbMVcohV9T0n0OjMaDM1giwq0yVDE6WeFPDj8KY2bLdAwNvcPV7ALAoKUH6mWHuf3MiGbZEd9KbIiWEqx9g==", - "8589934594": "t0qfAWbHamxxFdhROfxtB19Na0PK9BZ3ir/HuiZAkpLtP4Dumg2BCcPoqIszI1Kwcsb+gcKpHwt59/nyiSNJxA==", - "8589934595": "U/0lCzJXhHmlwWA3Yd2VdSdbSD2GqcpgmWMVyGzU99piPzcjLWjzopMFY86h4y4W8K1multe4oaQni3sMvkINQ==", - "8589934596": "T6kVTKTUvH0kjW+0kDeqTJTGJWILlpfw3sxAIroDmYm+OgirCMfAzsHyM8lBkfG0pw9B4KBua8mQOseeDSa7Ew==", - 
"8589934597": "t0qfAWbHamxxFdhROfxtB19Na0PK9BZ3ir/HuiZAkpLtP4Dumg2BCcPoqIszI1Kwcsb+gcKpHwt59/nyiSNJxA==", - "8589934598": "ftoYhbtKsjW1ZLoWBsvUmiH1hfmuomkWDKX8mIpXLPpBt37Bj4HuoGeked9/xPTk8CEjNOhv0ULZNp2GLVS/Kw==", - "8589934599": "6xZ89WVFuqscxnATOLIf93cAiphgXQm3aFRplZQdBKNsN0+1bGQRqSG+1GQSi+d/W65JGC4jaOLkL7oMwyr7KQ==", - "8589934600": "t0qfAWbHamxxFdhROfxtB19Na0PK9BZ3ir/HuiZAkpLtP4Dumg2BCcPoqIszI1Kwcsb+gcKpHwt59/nyiSNJxA==", - "8589934601": "nZoGbZs9SaPZYGCnxWhQ8Sq8H0hZVUJRIwmIl51zPbnRgU28fRNpS67dUcw28qaN3A2uGrc0hiFOp6A/gkhRqw==", - "8589934602": "eJl6q+RojEp/oX7PfaKudFsvb8nEpO53+CSN4V2hXsE1Zlk1rl40eGlGPzZJ9ZpRGpwOo95zkhD/zRzNerPZTQ==", - "8589934603": "t0qfAWbHamxxFdhROfxtB19Na0PK9BZ3ir/HuiZAkpLtP4Dumg2BCcPoqIszI1Kwcsb+gcKpHwt59/nyiSNJxA==", - "8589934604": "OkLKzMT8hZFVQ9XZah4DLQhOyu7kly0+q2qy0qqA7AzMXgO5D2V4eK1fyP21N5tOmjpZZtYiOT4fpQ78ME0fAg==", - "8589934605": "n1Y5HxvVA9Di2gH3v9VAr9xdvpkZyCrLwj955fjcqfkY9rOXyo2wuYQRiH7CuQ77ZOmZgHDixTFrGXXworT2jw==", - "8589934606": "t0qfAWbHamxxFdhROfxtB19Na0PK9BZ3ir/HuiZAkpLtP4Dumg2BCcPoqIszI1Kwcsb+gcKpHwt59/nyiSNJxA==", - "8589934607": "e7Bm90fa7qsmouQ+GC8Lg+uBIQDXXGOGRjBKP2Jj16bbdf03XB8Y+IwFprvfwHz9rYROCeccHlA47Va74Ywfog==", - "8589934608": "czp3D0B37jHqcHlbZKW2DYWYZzL905MPXgIha6oFjvv/pZIdZ3ir4voQLdWCrrACm2ufUKPNOmXt18mQ8dDOWQ==" - } - }, - "source": "file(\"/etc/group\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "labels": { - "labels": { - "6xZ89WVFuqscxnATOLIf93cAiphgXQm3aFRplZQdBKNsN0+1bGQRqSG+1GQSi+d/W65JGC4jaOLkL7oMwyr7KQ==": "permissions.group_writeable == false", - "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==": "file", - "T6kVTKTUvH0kjW+0kDeqTJTGJWILlpfw3sxAIroDmYm+OgirCMfAzsHyM8lBkfG0pw9B4KBua8mQOseeDSa7Ew==": "permissions.user_executable == false", - 
"czp3D0B37jHqcHlbZKW2DYWYZzL905MPXgIha6oFjvv/pZIdZ3ir4voQLdWCrrACm2ufUKPNOmXt18mQ8dDOWQ==": "permissions.other_executable == false", - "eJl6q+RojEp/oX7PfaKudFsvb8nEpO53+CSN4V2hXsE1Zlk1rl40eGlGPzZJ9ZpRGpwOo95zkhD/zRzNerPZTQ==": "permissions.group_executable == false", - "n1Y5HxvVA9Di2gH3v9VAr9xdvpkZyCrLwj955fjcqfkY9rOXyo2wuYQRiH7CuQ77ZOmZgHDixTFrGXXworT2jw==": "permissions.other_writeable == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "n9dXQh6Dchs=": { - "query": "kernel.parameters['net.ipv4.conf.all.send_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.send_redirects'] == 0\n", - "checksum": "0hvp7Rimepc=", - "datapoints": [ - "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==", - "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==", - "dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==", - "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==" - ], - "code": { - "code_v2": { - "id": "n9dXQh6Dchs=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwuc2VuZF9yZWRpcmVjdHM=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": 
"bmV0LmlwdjQuY29uZi5kZWZhdWx0LnNlbmRfcmVkaXJlY3Rz" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==", - "4294967300": "dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==", - "4294967304": "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==" - } - }, - "source": "kernel.parameters['net.ipv4.conf.all.send_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.send_redirects'] == 0\n", - "labels": { - "labels": { - "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==": "kernel.parameters[net.ipv4.conf.all.send_redirects]", - "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==": "kernel.parameters[net.ipv4.conf.default.send_redirects] == 0", - "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==": "kernel.parameters[net.ipv4.conf.default.send_redirects]", - "dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==": 
"kernel.parameters[net.ipv4.conf.all.send_redirects] == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "nxVlUWzBV1c=": { - "query": "rsyslog.conf.settings.contains(\"$FileCreateMode 0640\")\n", - "checksum": "ozKwmEYzeco=", - "datapoints": [ - "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==", - "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==" - ], - "code": { - "code_v2": { - "id": "nxVlUWzBV1c=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "rsyslog.conf" - }, - { - "call": 1, - "id": "settings", - "function": { - "type": "\u0019\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967300 - } - } - ], - "entrypoints": [ - 4294967301 - ], - "datapoints": [ - 4294967300 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "JEZpbGVDcmVhdGVNb2RlIDA2NDA=" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgEA=" - } - ], - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] - } - ], - "checksums": { - "4294967297": "qcLO7J24X8z5pa6yA/xST7eZ29gA93jM1TkfglIL1GzYwxlQCG/JGJVXWPM3I2wQ3qO1di+tDqKHXt703YntJw==", - "4294967298": "fiB8qXtBGkE9lvKui5R/e4dEOsTsoXmlzjzbpPw25jL0dG2WrM4X1c6OvP78hl6gZzdxKhUBRJ2oTrmqbOkr9w==", - "4294967299": 
"5g4AJvvPTSMCBrQhdXmM5hG2N/u3NLYQpVAU5xPdMSzY0YSrynsRjF2o80I1FYw/5Ki407QjpvNaSLMyXk62SQ==", - "4294967300": "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==", - "4294967301": "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==", - "8589934593": "fiB8qXtBGkE9lvKui5R/e4dEOsTsoXmlzjzbpPw25jL0dG2WrM4X1c6OvP78hl6gZzdxKhUBRJ2oTrmqbOkr9w==", - "8589934594": "p4z0rhKbKWbR7HyhCAcsHsE0+jq+SFvoBi4lLobdtubsWVwVAREVECAIeBiyoGqVXvVZnYYHx73eVrwHYtiVWQ==", - "8589934595": "neq/ieEjeHfqChGWgZLT/0S7vPgRDZJfOnztLjpdBX3UX8+2il4yjDlZ8fQWTJlE36REx05+t+euQ3eCuOdh5A==" - } - }, - "source": "rsyslog.conf.settings.contains(\"$FileCreateMode 0640\")\n", - "labels": { - "labels": { - "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==": "rsyslog.conf.settings.where.length", - "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==": "[].contains()", - "neq/ieEjeHfqChGWgZLT/0S7vPgRDZJfOnztLjpdBX3UX8+2il4yjDlZ8fQWTJlE36REx05+t+euQ3eCuOdh5A==": " == \u003cref\u003e" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "o38RkOShiq4=": { - "query": "kernel.parameters['net.ipv4.conf.all.secure_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.secure_redirects'] == 0\n", - "checksum": "D8LXdB1mAGw=", - "datapoints": [ - "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==", - "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==", - "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==", - "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==" - ], - "code": { - "code_v2": { - "id": "o38RkOShiq4=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 
4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwuc2VjdXJlX3JlZGlyZWN0cw==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5kZWZhdWx0LnNlY3VyZV9yZWRpcmVjdHM=" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304 - ], - "datapoints": [ - 4294967299, - 4294967303 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==", - "4294967300": "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==", - "4294967304": "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==" - } - }, - "source": 
"kernel.parameters['net.ipv4.conf.all.secure_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.secure_redirects'] == 0\n", - "labels": { - "labels": { - "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==": "kernel.parameters[net.ipv4.conf.all.secure_redirects] == 0", - "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==": "kernel.parameters[net.ipv4.conf.default.secure_redirects] == 0", - "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==": "kernel.parameters[net.ipv4.conf.default.secure_redirects]", - "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==": "kernel.parameters[net.ipv4.conf.all.secure_redirects]" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "ojEjpKAUshk=": { - "query": "return /root|ec2-user|centos|ubuntu/\n", - "checksum": "Ww3i5ht0MfQ=", - "datapoints": [ - "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==" - ], - "code": { - "code_v2": { - "id": "ojEjpKAUshk=", - "blocks": [ - { - "chunks": [ - { - "primitive": { - "type": "\u0008", - "value": "cm9vdHxlYzItdXNlcnxjZW50b3N8dWJ1bnR1" - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0008", - "args": [ - { - "type": "\u0003", - "value": "goCAgCA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "yFGuqfbgj6hPIw47+B1XMfe2U6AyEzEmdS1IQ/OoEnMghQsPQEbQfF3Bva5prDMvrsNW/o6MbIRyMum/Kc5BEA==", - "4294967298": "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==" - } - }, - "source": "return /root|ec2-user|centos|ubuntu/\n", - "labels": { - "labels": { - "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==": "return" - } - }, - "version": "unstable" - } - }, - "pG8C4AikOeo=": { - "query": 
"service(\"dhcpd\").enabled == false\nservice(\"dhcpd\").running == false\n", - "checksum": "upAJ8HocazU=", - "datapoints": [ - "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==", - "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==", - "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==", - "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==" - ], - "code": { - "code_v2": { - "id": "pG8C4AikOeo=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "ZGhjcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "ZGhjcGQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "aye5mue/oTs0R/s46jfvyy1xw6ldL3OXZ429vICiIUvQNV/y2SsfJHqh3AZMKU/vr0OZ1ZFxGAXdAca3dlNbXA==", - "4294967298": "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==", - "4294967299": 
"kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==", - "4294967300": "aye5mue/oTs0R/s46jfvyy1xw6ldL3OXZ429vICiIUvQNV/y2SsfJHqh3AZMKU/vr0OZ1ZFxGAXdAca3dlNbXA==", - "4294967301": "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==", - "4294967302": "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==" - } - }, - "source": "service(\"dhcpd\").enabled == false\nservice(\"dhcpd\").running == false\n", - "labels": { - "labels": { - "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==": "service.running", - "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==": "service.enabled", - "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==": "service.enabled == false", - "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==": "service.running == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "piWj+cXXr7k=": { - "query": "file('/etc/sudoers').content.lines.where( _ == /^[^#]/ ).contains(/logfile\\=\\\"\\/var\\/log\\/sudo\\.log\\\"/)\n", - "checksum": "bm3GGLBV8nw=", - "datapoints": [ - "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==", - "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==" - ], - "code": { - "code_v2": { - "id": "piWj+cXXr7k=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zdWRvZXJz" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 4294967298 - } - }, - { - "call": 1, - 
"id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967302 - } - } - ], - "entrypoints": [ - 4294967303 - ], - "datapoints": [ - 4294967302 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "XlteI10=" - } - ], - "binding": 8589934593 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "bG9nZmlsZVw9XCJcL3ZhclwvbG9nXC9zdWRvXC5sb2dcIg==" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - } - ], - "checksums": { - "12884901889": "KV4S2tpqPDHOH56DVAh5D1vFpEJEZxZZx+YHcKBcGckuglNnJ8oIXzAMXTdo0KNMvUwbb2LjLFw9Z/D4QB6ejg==", - "12884901890": "Jc5XPYSCHldraa3be+SgemovkpYTwIQuvrIW3ykyOxlFj+U/2RCy3pq8o0IemuN2tzGIQs6IwFfL3PumApPxnw==", - "12884901891": "PvcrT/FV4yXFdCD8wiavF4jHhWVAFrw4NmDiMx/yeQCENTJVilYVbo/vKcW1S2R6z3Q0+/iaEvyPPjAW3UZhQA==", - "4294967297": "5NFUO30fZcjgxOJEo2tkKWTXXhAPsHUDuXgtW3M1a/6V2MKrLkD7GytozCbi9NikQkJcNP9jhcFI+ibBimEFmA==", - "4294967298": 
"sA/iSOGwo/xp076iqworgeK+cmTqOJL37gZ1mOW2Xh/apsKQuJgwm9CwtxRul3qzUxZIOFF1lMc2boSCKsRHLA==", - "4294967299": "UUCfAb3L57s3VocmarVKpp5fNB/O173HavmcK4OHu5jJUQf1E66wBs2SW3AGp37n4+RKXQfX5AgF9zvLUcAlGA==", - "4294967300": "KV4S2tpqPDHOH56DVAh5D1vFpEJEZxZZx+YHcKBcGckuglNnJ8oIXzAMXTdo0KNMvUwbb2LjLFw9Z/D4QB6ejg==", - "4294967301": "nLjiBmLiHThE1ac1nNzGHjKPx6GFG7QZnL7tO6LQqG1n03g+xos+mnXLsFZx5wP5gES/kN/A2qeQKBezhWRXWA==", - "4294967302": "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==", - "4294967303": "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==", - "8589934593": "UUCfAb3L57s3VocmarVKpp5fNB/O173HavmcK4OHu5jJUQf1E66wBs2SW3AGp37n4+RKXQfX5AgF9zvLUcAlGA==", - "8589934594": "5f2Bq/ezuyDfkZ2EDGazzBAzfx8+6lsL38UIFNDlR3HDCne9xdzh75tnSCtG1jUDDW3C0KJViTBvbtUGG7cB8Q==" - } - }, - "source": "file('/etc/sudoers').content.lines.where( _ == /^[^#]/ ).contains(/logfile\\=\\\"\\/var\\/log\\/sudo\\.log\\\"/)\n", - "labels": { - "labels": { - "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==": "[].contains()", - "5f2Bq/ezuyDfkZ2EDGazzBAzfx8+6lsL38UIFNDlR3HDCne9xdzh75tnSCtG1jUDDW3C0KJViTBvbtUGG7cB8Q==": " == /^[^#]/", - "PvcrT/FV4yXFdCD8wiavF4jHhWVAFrw4NmDiMx/yeQCENTJVilYVbo/vKcW1S2R6z3Q0+/iaEvyPPjAW3UZhQA==": " == \u003cref\u003e", - "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==": "file.content.lines.where.where.length" - } - }, - "version": "unstable", - "min_mondoo_version": "5.0.0" - } - }, - "rDqQzgrxmug=": { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Compress\"] == \"yes\"\n}\n", - "checksum": "Yl143mh8fMM=", - "datapoints": [ - "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==" - ], - "code": { - "code_v2": { - "id": "rDqQzgrxmug=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": 
"file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9zeXN0ZW1kL2pvdXJuYWxkLmNvbmY=" - } - ] - } - }, - { - "call": 1, - "id": "sections", - "function": { - "type": "\u001a\u0007\u001a\u0007\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u001a\u0007\u0007", - "args": [ - { - "type": "\u0007", - "value": "Sm91cm5hbA==" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "Q29tcHJlc3M=" - } - ], - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "eWVz" - } - ], - "binding": 8589934596 - } - } - ], - "entrypoints": [ - 8589934597 - ] - } - ], - "checksums": { - "4294967297": "l3sxgiTYcAto50UNy+D684uigPx/G30b7SG/TWHLjH+jXQD4FWgvImzrlMz7n5EQSF9XOqSyUVabvTtb2fkmig==", - "4294967298": "hyKZR+nZQdqGesYFceMXztsluQuJfHBH1w+ZuVGc2YtJPyXf1ucl93BWKMdIlXyfP+iCKqtAgBBDFi6bZs9GTg==", - "4294967299": "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==", - "8589934593": "VkFIYHwLWA2DN+cGp2/nva3JpKEuj+ekzZ7e4Cy3zfltZm0aULkKY1/7Qb9o6/kTEdIE4P/HDgJGeUqDxRn/zQ==", - 
"8589934594": "q4O50spt2INk/0CEDeRESLie7000Xsd0lukCdNJc5IAz1lp0/nnsU2LsCxSShL++e6RRxgUSIU5e1WzU82S+aw==", - "8589934595": "YLk+U8kFCMJXfWriUOowuBOIXxQGWS9or5z8DS/BwTT3QpLwTJj8BtrR9KDsdJYXUkgMxVh1dMr5lo/Wmu7LpQ==", - "8589934596": "9YtFzuYcEafuhpxZgizxz+L1bgR6i5NzbKjiB96GdwzXfrhyEZNPRxtyWSO1yhWKJnFZtK2kujtbVa6HL9YKfw==", - "8589934597": "Nv8boH8+7gfE1x1soilDyvGqRv7FYW+jRZWVpGNbv9EegqVRt+C4bMK6q3L5+Pcl9O0/3S7cpSNNqMVRbg209w==" - } - }, - "source": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Compress\"] == \"yes\"\n}\n", - "labels": { - "labels": { - "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==": "if", - "Nv8boH8+7gfE1x1soilDyvGqRv7FYW+jRZWVpGNbv9EegqVRt+C4bMK6q3L5+Pcl9O0/3S7cpSNNqMVRbg209w==": "parse.ini.sections[Journal][Compress] == \"yes\"" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "rZN1LNm5r7E=": { - "query": "kernel.parameters['net.ipv4.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_redirects'] == 0\n", - "checksum": "7YIjsWrqZqU=", - "datapoints": [ - "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==", - "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==", - "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==", - "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==", - "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==", - "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==", - "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==", - 
"VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==" - ], - "code": { - "code_v2": { - "id": "rZN1LNm5r7E=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5hbGwuYWNjZXB0X3JlZGlyZWN0cw==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967301 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9yZWRpcmVjdHM=" - } - ], - "binding": 4294967302 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967303 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967305 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5hbGwuYWNjZXB0X3JlZGlyZWN0cw==" - } - ], - "binding": 4294967306 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967307 - } - }, - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967309 - } - }, - { - "call": 1, - "id": "[]", - "function": { - 
"type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjYuY29uZi5kZWZhdWx0LmFjY2VwdF9yZWRpcmVjdHM=" - } - ], - "binding": 4294967310 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 4294967311 - } - } - ], - "entrypoints": [ - 4294967300, - 4294967304, - 4294967308, - 4294967312 - ], - "datapoints": [ - 4294967299, - 4294967303, - 4294967307, - 4294967311 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==", - "4294967300": "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==", - "4294967301": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967302": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967303": "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==", - "4294967304": "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==", - "4294967305": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967306": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967307": "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==", - "4294967308": "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==", - "4294967309": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967310": 
"dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967311": "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==", - "4294967312": "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==" - } - }, - "source": "kernel.parameters['net.ipv4.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_redirects'] == 0\n", - "labels": { - "labels": { - "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==": "kernel.parameters[net.ipv4.conf.all.accept_redirects]", - "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==": "kernel.parameters[net.ipv6.conf.all.accept_redirects] == 0", - "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==": "kernel.parameters[net.ipv4.conf.default.accept_redirects] == 0", - "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==": "kernel.parameters[net.ipv4.conf.default.accept_redirects]", - "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==": "kernel.parameters[net.ipv6.conf.default.accept_redirects] == 0", - "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==": "kernel.parameters[net.ipv4.conf.all.accept_redirects] == 0", - "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==": "kernel.parameters[net.ipv6.conf.all.accept_redirects]", - "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==": "kernel.parameters[net.ipv6.conf.default.accept_redirects]" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "sbKG4w+lkaA=": { - "query": 
"file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n if( platform.family.contains('debian') ) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/faillog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n } else {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/faillock\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n }\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/lastlog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/tallylog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "checksum": "LdMvsEglVMw=", - "datapoints": [ - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==" - ], - "code": { - "code_v2": { - "id": "sbKG4w+lkaA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - 
"call": 1, - "id": "platform" - }, - { - "call": 1, - "id": "family", - "function": { - "type": "\u0019\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hICAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934594 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934595 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934596 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "ioCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAB" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgMAB" - }, - { - "type": "\u0019\u0003" - } - ] - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934599 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934600 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "koCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgIAC" - } - ], - "binding": 8589934601 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934602 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934603 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", 
- "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 8589934605 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 8589934606 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "noCAgEA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAC" - } - ], - "binding": 8589934607 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 8589934608 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 8589934609 - } - } - ], - "entrypoints": [ - 8589934598, - 8589934604, - 8589934610 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0007", - "value": "ZGViaWFu" - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgGA=" - } - ], - "binding": 12884901889 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901891 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 17179869185 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 17179869186 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgIAB" - }, - { - "type": "\u001c\u0000", - "value": "gICAgKAB" - } - ], - "binding": 
17179869187 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 17179869188 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 17179869189 - } - } - ], - "entrypoints": [ - 17179869190 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL2ZhaWxsb2dccytcLXBccyt3YVxzK1wta1xzK2xvZ2lucyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAB" - } - ], - "binding": 21474836481 - } - } - ], - "parameters": 1, - "entrypoints": [ - 21474836483 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdC5ydWxlcw==" - } - ] - } - }, - { - "call": 1, - "id": "content", - "function": { - "type": "\u0007", - "binding": 25769803777 - } - }, - { - "call": 1, - "id": "lines", - "function": { - "type": "\u0019\u0007", - "binding": 25769803778 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgMAB" - }, - { - "type": "\u001c\u0000", - "value": "gICAgOAB" - } - ], - "binding": 25769803779 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 25769803780 - } - }, - { - "call": 1, - "id": "\u003e\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 25769803781 - } - } - ], - "entrypoints": [ - 25769803782 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": 
"XihccyspP1wtd1xzK1wvdmFyXC9ydW5cL2ZhaWxsb2NrXHMrXC1wXHMrd2FccytcLWtccytsb2dpbnMoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgOAB" - } - ], - "binding": 30064771073 - } - } - ], - "parameters": 1, - "entrypoints": [ - 30064771075 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL2xhc3Rsb2dccytcLXBccyt3YVxzK1wta1xzK2xvZ2lucyhccyspPyQ=" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgIAC" - } - ], - "binding": 34359738369 - } - } - ], - "parameters": 1, - "entrypoints": [ - 34359738371 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0007" - } - }, - { - "primitive": { - "type": "\u0008", - "value": "XihccyspP1wtd1xzK1wvdmFyXC9sb2dcL3RhbGx5bG9nXHMrXC1wXHMrd2FccytcLWtccytsb2dpbnMoXHMrKT8k" - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "hICAgKAC" - } - ], - "binding": 38654705665 - } - } - ], - "parameters": 1, - "entrypoints": [ - 38654705667 - ] - } - ], - "checksums": { - "12884901889": "ia3/qF6aR95XQCDfxyyZ2n7bBotYOBOFJDaDYGmB3ttXHnXKMHgnD7Z/5tHIPRLtfHtvBdlGsWf7j6mA/E9UIQ==", - "12884901890": "UyWIjp9+9HdCpvLFYmYbkZZYpuUOZ5wjUv499yScfQhRdGWYxhM0RyXZsDp9WZXZv8dphmx5v9OKm/93oynP2g==", - "12884901891": "EB0is0EqpaERw4VcjKNIjZ9mBXbztIzUXdeImJfSYBJUfrQZdszKyZfmT1nLk3E+NlrEzINvx/3KMuFC8JUs4A==", - "17179869185": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "17179869186": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "17179869187": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "17179869188": 
"XXgstkQk5aC48nMGvyZDEUz9omwUhFfGXDfgghJDOum8t60PYvKjkhkng5oOZld764X3A5IBqwFQNFjBBM9rqg==", - "17179869189": "fKIs95wofi87lExacIHO93ldCNMFsh8X+cP9yQZk4MQO5VtXu9db/+D/IJyCBXYH7snDexgQ4a8YYw8ar7fg0w==", - "17179869190": "UnekGOV2hJEJE6USj8xLs5UH4XMafHYY59aLVEnX2qxNtk29W79LCzKd8gXaTl7EcZrgsMP0ejjOhtqg2cd2pg==", - "21474836481": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "21474836482": "ZqkWSo1/faX6XYiEBKIwWb3Sinyv+LGmhERJ19cviX5acqJOmgtpIeBKAc5KivLg+Y/CYhaipfw074hVmMw6DQ==", - "21474836483": "xRUBsopKEg/OzfdloPOcU7VSTTaJAwqXqCrlSxEJ+pJt+6Zn1DpSVtPx4/BrnOYF1/AMEqeQQGnCCLtfUfgdwg==", - "25769803777": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "25769803778": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "25769803779": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "25769803780": "tPBHOdnHw8+0ibjCn7tvrNy0gz7PFJ7bdC7IscZ/LzT5X7lr2askPBGzkFuXoPh0t3KSDcterb1DlnEksh1EwA==", - "25769803781": "afU2UiDtP+WTzrPgw2nOlpnJHYRuYdVxz4f3M8SPDKvZMzdZdBEKvCvvi7OrkLNQ0fNZxx7KL8XxPdvH2K1oug==", - "25769803782": "ptUfhlRmvGL+xBTxsd0RfXy9HIRoAECcrVw4KSF6eA1SfSLUHh1ZwwpQ4JBtBItKkYExZyuVnYDhaocZsX5YYw==", - "30064771073": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "30064771074": "Iqvbzm5WsHxhZlMMG7ATBFiqpztpcAB3KvgHQfdR7PqhT21gzzYXh96Hg3V+mYco81EOFdT0KSnD5OlJwVOlLg==", - "30064771075": "eeym0h3PoE3Ts5SeRL6/vRVPF+tMFO2TJM6IvRY4x1J/g+JJN1V+gp8GFNtdBO6sRN9XNiVxrujsBrqOVngKhw==", - "34359738369": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "34359738370": "8JJpJJlcxS9EQkH/bvFAcMea8Kpjr67GI03dJEsgDp5rDrDrj4C7QAe/3ySUQpLodxfJhSkHJ2ZrDR6vhwdqlA==", - "34359738371": "/T+z0zDnY9hwJ5XzBINSnGLAzTfwBuhaq60vcYw3F/ypg4yObKYIHrl991IEjSP1nojbkVZpUCzmkFjc91Me2Q==", - "38654705665": 
"LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "38654705666": "sSXnNalBVUjpWFrYuMJO61YA1cCWXyonfUsPXvgpOIzljZzcB1ED65CWf+Zd6KiYTstG9456gtiS+oxlSG4cuw==", - "38654705667": "u5MGufwidmT9uhYoCkdqhMcDk8uFNOTDcMEwP6KlbtD7aSMurHljtmRLFAJIp3kV9al2ii0PYYPe/Ky2M4PWlQ==", - "4294967297": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967298": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967299": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "4294967300": "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==", - "4294967301": "O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==", - "8589934593": "/qhUSF3PG7h1Z76I+pKLFJi3ymxF2Nh7NVQ2ensEOyTliwiwWP9rIANzze33zayPNu9v8iPn2Alc94crV4+5Jg==", - "8589934594": "ia3/qF6aR95XQCDfxyyZ2n7bBotYOBOFJDaDYGmB3ttXHnXKMHgnD7Z/5tHIPRLtfHtvBdlGsWf7j6mA/E9UIQ==", - "8589934595": "VSB/2jESyFJAFCVvA1HwBKC5UGfYqrfyDGu2wvBUXbQu3/5Ok1ae8AN9IRr5bk4uRhFWSwsahxR0g8Fum9uviw==", - "8589934596": "fPqpMBcMvBCDRVdu8Q/SUjmHgfMb8SQp0RxvqkfNl3gOvmDoJY65s+/gDEFn1Dsiy+47zssQBMr/gavpsJb7NQ==", - "8589934597": "/G0fYJq847mUeh4JkUuT8jzJ5v85XC4YVbEd970prikbLsxnNUorXTBphgfNVHluwqiKihJJ8520N1FqDQ++tg==", - "8589934598": "zHsPhQwUjD0Q8hWuURRNY5eKR7QSmCJFCpxMk0ibpUVDUipoiw95KIqY6JIf+Jo5Gz0Aa0VYrMEpnrDVxlCTlA==", - "8589934599": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934600": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934601": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934602": "vzu0dzB74mMm2BSHHi/lV9HbYbDWA+oMlmUaQdGCzs4mxwMKl4M4eceo3j548NbehBnIAshM+ZvgOv1YvxxVGg==", - "8589934603": 
"gQOHBeEJv6VILXE9Zc0Z2R2mBea4CWQ/Q3KdC1xJrsvgtVMpX/s77RHtjQREin9wvRFuPyGsykOhAQ1KwzUhkg==", - "8589934604": "Xywvvgq78/9mRHNSHMRsxOVjz/idqHzWRMwfFh3s8ECG5Aemk4FczjjXsty1q/pzSfNESNph9gMpLmqdRqScnA==", - "8589934605": "Rm4SNt4Ah717HHHo7TDkg50sHZn5bFKKonxLRPYESokCzz+N9eWV6w2qKwC0i7+qYMfRkP+0VxAhjkfZ41GANg==", - "8589934606": "d0zEO+AOL1GD6NzObvCUJoO44gSLRVJtqH6OYYdFsEEWP2U0/s622VTlEsh1IgC9guVy4PkdDi7fJuVEaNQHUw==", - "8589934607": "LnzFHGW/ILi5YLYil8AOcr3k8ct/SY+tBaisfVl9Os+s3LXglbxRxyfFCxwgJfe2g2UVUvdNf4Ftgk8AuFl5OA==", - "8589934608": "pt8kzI1FayxVSErrJIUNtTGUUpVla1iXj2BkSRfLGSQUJsLxYIlNOF0Xrg42xmtuJtNZLJSmHTod3OwyiFHNlQ==", - "8589934609": "z0aikb3fw7y/OieYlJkddiEnNT2pcU98t7ImbhmYkHu9tVS+2NDBJ2SjEAxwTPxXuHCSb3wmm9fl5WMO7qAU5w==", - "8589934610": "weeABGRdVaA8t0Khv6BoiKSeAT85EW+PoQQwBGjol9f9/wyEOG64wnfZYooCTCrv3n2QMud/XlMtE18perBpWw==" - } - }, - "source": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n if( platform.family.contains('debian') ) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/faillog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n } else {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/faillock\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n }\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/lastlog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/tallylog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "labels": { - "labels": { - "/G0fYJq847mUeh4JkUuT8jzJ5v85XC4YVbEd970prikbLsxnNUorXTBphgfNVHluwqiKihJJ8520N1FqDQ++tg==": "[].contains()", - "/T+z0zDnY9hwJ5XzBINSnGLAzTfwBuhaq60vcYw3F/ypg4yObKYIHrl991IEjSP1nojbkVZpUCzmkFjc91Me2Q==": " == \u003cref\u003e", - "EB0is0EqpaERw4VcjKNIjZ9mBXbztIzUXdeImJfSYBJUfrQZdszKyZfmT1nLk3E+NlrEzINvx/3KMuFC8JUs4A==": " == \u003cref\u003e", - 
"O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==": "if", - "UnekGOV2hJEJE6USj8xLs5UH4XMafHYY59aLVEnX2qxNtk29W79LCzKd8gXaTl7EcZrgsMP0ejjOhtqg2cd2pg==": "[].contains()", - "Xywvvgq78/9mRHNSHMRsxOVjz/idqHzWRMwfFh3s8ECG5Aemk4FczjjXsty1q/pzSfNESNph9gMpLmqdRqScnA==": "[].contains()", - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": "file.exists", - "eeym0h3PoE3Ts5SeRL6/vRVPF+tMFO2TJM6IvRY4x1J/g+JJN1V+gp8GFNtdBO6sRN9XNiVxrujsBrqOVngKhw==": " == \u003cref\u003e", - "ptUfhlRmvGL+xBTxsd0RfXy9HIRoAECcrVw4KSF6eA1SfSLUHh1ZwwpQ4JBtBItKkYExZyuVnYDhaocZsX5YYw==": "[].contains()", - "u5MGufwidmT9uhYoCkdqhMcDk8uFNOTDcMEwP6KlbtD7aSMurHljtmRLFAJIp3kV9al2ii0PYYPe/Ky2M4PWlQ==": " == \u003cref\u003e", - "weeABGRdVaA8t0Khv6BoiKSeAT85EW+PoQQwBGjol9f9/wyEOG64wnfZYooCTCrv3n2QMud/XlMtE18perBpWw==": "[].contains()", - "xRUBsopKEg/OzfdloPOcU7VSTTaJAwqXqCrlSxEJ+pJt+6Zn1DpSVtPx4/BrnOYF1/AMEqeQQGnCCLtfUfgdwg==": " == \u003cref\u003e", - "zHsPhQwUjD0Q8hWuURRNY5eKR7QSmCJFCpxMk0ibpUVDUipoiw95KIqY6JIf+Jo5Gz0Aa0VYrMEpnrDVxlCTlA==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "sefeJd4La70=": { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\") {\n params[\"space_left_action\"].downcase == \"email\"\n params[\"action_mail_acct\"].downcase == \"root\"\n params[\"admin_space_left_action\"].downcase == \"halt\"\n }\n}\n", - "checksum": "B6DxulMJbRg=", - "datapoints": [ - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==" - ], - "code": { - "code_v2": { - "id": "sefeJd4La70=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - 
"value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "iICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967298, - 4294967301 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "parse.ini", - "function": { - "type": "\u001bparse.ini", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9hdWRpdC9hdWRpdGQuY29uZg==" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bparse.ini" - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "c3BhY2VfbGVmdF9hY3Rpb24=" - } - ], - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "downcase", - "function": { - "type": "\u0007", - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "ZW1haWw=" - } - ], - "binding": 12884901892 - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - 
"binding": 12884901889 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "YWN0aW9uX21haWxfYWNjdA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "downcase", - "function": { - "type": "\u0007", - "binding": 12884901895 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "cm9vdA==" - } - ], - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "params", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "YWRtaW5fc3BhY2VfbGVmdF9hY3Rpb24=" - } - ], - "binding": 12884901898 - } - }, - { - "call": 1, - "id": "downcase", - "function": { - "type": "\u0007", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "aGFsdA==" - } - ], - "binding": 12884901900 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901893, - 12884901897, - 12884901901 - ] - } - ], - "checksums": { - "12884901889": "+I3CQJa1E3mvGrqDdKoMyuQ04sdJZQ2EXu9qdqKWnO+bq0yoONJrwE8fGjqA5z/JAB93Is+SQHzph6QgSQ9mIg==", - "12884901890": "1gNeZz6IhN77JStqn/C+u0sVtnzV9RGjFVcniG86xFA96JH/ZXnwd189KZfaQmjdms8QiYB7Y9C+MXnYLvd4Lg==", - "12884901891": "ogHrGAN20+qmHyOpaiZrYb2Skq+z2hX6z7gX6gN91RgL8+T7fRVe1kufq/ZgYYRpsR9qBkEW2rtjaSU4QH5g9Q==", - "12884901892": "SMK6wiaWywkUWyKB3bdUpv3YQrHB9sT+kjp6ONJ7jrvvdfzIumjEUMvlFPmoTjazxuR7lRCEKUJxf0IGBRj3GQ==", - "12884901893": "LWKdJQ6wZM0v64YzNfQmjUGtIhrXKVLaFq8IwYmYF7R8fVepDg5+tmAEptz8GmifPidq9/xZ9U/uLCugdiHpQg==", - "12884901894": "1gNeZz6IhN77JStqn/C+u0sVtnzV9RGjFVcniG86xFA96JH/ZXnwd189KZfaQmjdms8QiYB7Y9C+MXnYLvd4Lg==", - "12884901895": "TBUZRB0yMoukVmzrtE75JOBmAkRMuYCaNywJ7vlKFdqV1E75qnuAulEh1DGMZ7kCOHoYnv2XyWVPsOWcBQzYdw==", - "12884901896": 
"UNP7XR+h+pID7TbqN7FjLMcnifpNVACLi3saQnTUh5JkO5OjbL8FPG+PLpjjeuGAr5BgObCuzbblDa40Q/qyYw==", - "12884901897": "dpZk6OLFQmfHA7DDrkv9TeAeQF5Ahms/NQcLZfMWTlMXd5K8urCtD+Zf2uYHz2X61XLLavX4VFuvui55BpaF8A==", - "12884901898": "1gNeZz6IhN77JStqn/C+u0sVtnzV9RGjFVcniG86xFA96JH/ZXnwd189KZfaQmjdms8QiYB7Y9C+MXnYLvd4Lg==", - "12884901899": "vSqbLgZxD4VPOTwAbkPZjYh7m6TGIz7XiIyKsb07e2w265xlIB+od73AHiR94BgrvUZL5N5cH/plsskbCroDrg==", - "12884901900": "UHEjIP7VbEPqJU20jYnqmBHaAR6jJbT8fdZsuz8Z9Kh7D0h2m8OemmzErxfLobdFPvyRqHcUapQzkPcGZwyvxg==", - "12884901901": "RiL9gYRFlZZGrNY5/pcweNkmES8PSz5hr5xfMFzW1/TbO78A7kzxivg8/mhzMeInWzh+5vMwkb96z6kfPR/I+g==", - "4294967297": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967298": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967299": "N4KZTcd6DUruTEhP1t5bwgyUv3mpQJvZKgj/taSiAOB9kKNe/2/bGCAzkwh0rPhDWLK4XZzUWmBHq6rgVCnZKg==", - "4294967300": "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==", - "4294967301": "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==", - "8589934593": "+I3CQJa1E3mvGrqDdKoMyuQ04sdJZQ2EXu9qdqKWnO+bq0yoONJrwE8fGjqA5z/JAB93Is+SQHzph6QgSQ9mIg==", - "8589934594": "cyM7Mv9bakICFFpFnzjgVDw1zM2b7z3Vs2zkoNS7igImkCDHa6eKPmrT/EzcKsr8w76wCZwpzBi0tG8AVU2/LA==" - } - }, - "source": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\") {\n params[\"space_left_action\"].downcase == \"email\"\n params[\"action_mail_acct\"].downcase == \"root\"\n params[\"admin_space_left_action\"].downcase == \"halt\"\n }\n}\n", - "labels": { - "labels": { - "LWKdJQ6wZM0v64YzNfQmjUGtIhrXKVLaFq8IwYmYF7R8fVepDg5+tmAEptz8GmifPidq9/xZ9U/uLCugdiHpQg==": "params[space_left_action].downcase == \"email\"", - "RiL9gYRFlZZGrNY5/pcweNkmES8PSz5hr5xfMFzW1/TbO78A7kzxivg8/mhzMeInWzh+5vMwkb96z6kfPR/I+g==": 
"params[admin_space_left_action].downcase == \"halt\"", - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": "file.exists", - "cyM7Mv9bakICFFpFnzjgVDw1zM2b7z3Vs2zkoNS7igImkCDHa6eKPmrT/EzcKsr8w76wCZwpzBi0tG8AVU2/LA==": "parse.ini", - "dpZk6OLFQmfHA7DDrkv9TeAeQF5Ahms/NQcLZfMWTlMXd5K8urCtD+Zf2uYHz2X61XLLavX4VFuvui55BpaF8A==": "params[action_mail_acct].downcase == \"root\"", - "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "utcugjmdtZA=": { - "query": "if( package('openssh-server').version == /6./ ) {\n return [\"hmac-sha2-512\",\"hmac-sha2-256\",\"hmac-ripemd160\"]\n}\nreturn [\"hmac-sha2-512-etm@openssh.com\",\"hmac-sha2-256-etm@openssh.com\",\"umac-128-etm@openssh.com\",\"hmac-sha2-512\",\"hmac-sha2-256\"]\n", - "checksum": "hx7gzv+j7OE=", - "datapoints": [ - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "bRLNP8PQtpuGWh4o70+s6qYPjGK67tt21tAYdjYmz/8E4Fc0i1lQt2FBYeOjO+yP6uD4E4yVTJcaHOXWjrr1WQ==" - ], - "code": { - "code_v2": { - "id": "utcugjmdtZA=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "b3BlbnNzaC1zZXJ2ZXI=" - } - ] - } - }, - { - "call": 1, - "id": "version", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0008", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0008", - "value": "Ni4=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - }, - { - "type": 
"\u0019\u0003" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967298 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTUxMg==" - }, - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTI1Ng==" - }, - { - "type": "\u0007", - "value": "aG1hYy1yaXBlbWQxNjA=" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgEA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u0019\u0007", - "array": [ - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTUxMi1ldG1Ab3BlbnNzaC5jb20=" - }, - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTI1Ni1ldG1Ab3BlbnNzaC5jb20=" - }, - { - "type": "\u0007", - "value": "dW1hYy0xMjgtZXRtQG9wZW5zc2guY29t" - }, - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTUxMg==" - }, - { - "type": "\u0007", - "value": "aG1hYy1zaGEyLTI1Ng==" - } - ] - } - }, - { - "call": 1, - "id": "return", - "function": { - "type": "\u0019\u0007", - "args": [ - { - "type": "\u0003", - "value": "goCAgGA=" - } - ] - } - } - ], - "singleValue": true, - "entrypoints": [ - 12884901890 - ] - } - ], - "checksums": { - "12884901889": "NuESMyGZ7KZhO8SE8E/sWPRp4zhoeQSAVMejbOgc+AESSZ88x1abLN342NfHgfpaIeT2RcpFt/k/PCGSHXqlPg==", - "12884901890": "DzIbssMVVxbUv1hasFkCWFh2vY12If7CyYgWfzXle3A+kd5wTEUYnmouS6EAY4yxNgTpuydm8GizHX90M+goZg==", - "4294967297": "LU6AZgqoDxeiDN/6xz50NkA4xqsnnvmU10r9hxgnpIosAGloOKaVOFzDW41QV1E47L0vlpuDvtFXS77xS/0lfw==", - "4294967298": "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==", - "4294967299": "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==", - "4294967300": "bRLNP8PQtpuGWh4o70+s6qYPjGK67tt21tAYdjYmz/8E4Fc0i1lQt2FBYeOjO+yP6uD4E4yVTJcaHOXWjrr1WQ==", - "8589934593": 
"po9d7pGD91ciQg4gta2E1/YEVbu5/lX3U2mRgDxMILPm4yl4sC1tQOuGhp+IhTPIJF9jIuEyzUttzs0f9TeCAw==", - "8589934594": "CQa2mRSO2/xN2MF86qABK52/yuxG71OSg97KtutkNe37DvnVXiHeoga4RXYHk8KbUH0vS72uDz0iU6/tytZuLA==" - } - }, - "source": "if( package('openssh-server').version == /6./ ) {\n return [\"hmac-sha2-512\",\"hmac-sha2-256\",\"hmac-ripemd160\"]\n}\nreturn [\"hmac-sha2-512-etm@openssh.com\",\"hmac-sha2-256-etm@openssh.com\",\"umac-128-etm@openssh.com\",\"hmac-sha2-512\",\"hmac-sha2-256\"]\n", - "labels": { - "labels": { - "CQa2mRSO2/xN2MF86qABK52/yuxG71OSg97KtutkNe37DvnVXiHeoga4RXYHk8KbUH0vS72uDz0iU6/tytZuLA==": "return", - "DzIbssMVVxbUv1hasFkCWFh2vY12If7CyYgWfzXle3A+kd5wTEUYnmouS6EAY4yxNgTpuydm8GizHX90M+goZg==": "return", - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==": "package.version", - "bRLNP8PQtpuGWh4o70+s6qYPjGK67tt21tAYdjYmz/8E4Fc0i1lQt2FBYeOjO+yP6uD4E4yVTJcaHOXWjrr1WQ==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "uzWGcrUQbCU=": { - "query": "users.list { name gid != null }\n", - "checksum": "t3O9LxKBdmc=", - "datapoints": [ - "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==" - ], - "code": { - "code_v2": { - "id": "uzWGcrUQbCU=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "users" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001buser", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967298 - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001buser" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "gid", - "function": { - "type": "\u0005", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "!=\u0002", - 
"function": { - "type": "\u0004", - "args": [ - { - "type": "\u0002" - } - ], - "binding": 8589934595 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934594, - 8589934596 - ] - } - ], - "checksums": { - "4294967297": "MmwyAliLU+YHlkNS5w5jjZaNgU/VFTCxTIM8hMTKVg4MeUJVR6eoJlRuJ79SoVk2seEIK6XTN6Wkm2w9mJMB/A==", - "4294967298": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "4294967299": "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==", - "8589934593": "PgyAmAEuGG6aKDiVDz6niqDRQ0oRYJ7OSUroU9u1Svkt2xD3WOPS8uE5sXPO5K3Miy+MAEt8VWHWKZ58RPV+Kw==", - "8589934594": "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==", - "8589934595": "SHPCRJncDncAy3v77tMRWltHfskikaMCqzncLl89tLCmd1UHNLkvrNCvY2i+7AhNh31pndexgVonthQf/EM6zQ==", - "8589934596": "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==" - } - }, - "source": "users.list { name gid != null }\n", - "labels": { - "labels": { - "EJjK1OVz8q3wXDnLEf/z0myCECzabI5TRjIfyBC8WPxgkLC/yGg/D2CZY0MMWD1U2S9/znPSjB+iG72Fa7UFBQ==": "gid != null", - "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==": "users.list", - "qdXufI4W1NH2SB78Ngad9uuKPIAOM24lCWCUXORutf/gCVmcHwaLmj9joEWHYHbCB2hVjDPvXGrw4U4qtUwWDQ==": "name" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "v4D2MQ0juoo=": { - "query": "service(\"named\").enabled == false\nservice(\"named\").running == false\n", - "checksum": "ys9Tc5OfQt8=", - "datapoints": [ - "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==", - "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==", - "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==", - "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==" - ], - "code": { - 
"code_v2": { - "id": "v4D2MQ0juoo=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmFtZWQ=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bmFtZWQ=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ - 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "zhLF8BmLcitfDL15CD8ttnZ1BvQMh0/aAt2q9APw/lhh3ieM2J2ZgIPm5cXWW868W8nUuf0SMvjxR/oDqnT2/Q==", - "4294967298": "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==", - "4294967299": "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==", - "4294967300": "zhLF8BmLcitfDL15CD8ttnZ1BvQMh0/aAt2q9APw/lhh3ieM2J2ZgIPm5cXWW868W8nUuf0SMvjxR/oDqnT2/Q==", - "4294967301": "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==", - "4294967302": "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==" - } - }, - "source": "service(\"named\").enabled == false\nservice(\"named\").running == false\n", - "labels": { - "labels": { - 
"0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==": "service.enabled == false", - "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==": "service.running", - "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==": "service.running == false", - "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==": "service.enabled" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "v8xZOX1QRJQ=": { - "query": "groups.where( name == \"shadow\").list { members.length == 0 }\n", - "checksum": "xhbn+4IbP7M=", - "datapoints": [ - "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==" - ], - "code": { - "code_v2": { - "id": "v8xZOX1QRJQ=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "groups" - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "where", - "function": { - "type": "\u001bgroups", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - } - ], - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "list", - "function": { - "type": "\u0019\u001bgroup", - "binding": 4294967299 - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u0019\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 4294967300 - } - } - ], - "entrypoints": [ - 4294967301 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 8589934593 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "c2hhZG93" - } - ], - "binding": 8589934594 - } - } - ], - "parameters": 1, - "entrypoints": [ - 8589934595 - ] 
- }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bgroup" - } - }, - { - "call": 1, - "id": "members", - "function": { - "type": "\u0019\u001buser", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "length", - "function": { - "type": "\u0005", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "AA==" - } - ], - "binding": 12884901891 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892 - ] - } - ], - "checksums": { - "12884901889": "S7XyeOfBMM0E+mnJ/bQ5Sbwc+kk83DVMDU3bzZlp9Md2x2RyezO71T0Gx2j42aoy7AxRulj1puKUMkx3+LW+Ng==", - "12884901890": "OZujcx070uj1paC904WMYanLQa1/3SklPV/EWTRZLFZIQBWhM7oIm81nY3wY6UvD6SMY7bgesPJKialfGyM9+g==", - "12884901891": "gaeBH/H3BLvLWRjAdP2wmKFxidWwtcYN54cHiV8IlazQHEelFzsDn49YFUgoEmzRZnv4XL8QfZjdCZsckcQiRQ==", - "12884901892": "x8/NSmIlHbEl846sMWZc1p6W9SxS6ML7Mf5M/MfhdSYY1AZ9F0EOKsh+21o1MZWY/7kCE3WIgk303GPWlt7MrA==", - "4294967297": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "4294967298": "NIEHm9kmH9Dzz0fqfrQWcSNNntroglgakmg+r5TZd2szBtUd/n1TukpBYKYy6vBd3w4umvEVa4gPlkHyeldBNw==", - "4294967299": "XcX5zD04LpU2vPJlQYWKElWRxS8mg1mSOkSE/gWcJ6hMr8sAmosnTZXIGgUF0jXsdpbiPi7oVBTrCdItTS9upw==", - "4294967300": "S7XyeOfBMM0E+mnJ/bQ5Sbwc+kk83DVMDU3bzZlp9Md2x2RyezO71T0Gx2j42aoy7AxRulj1puKUMkx3+LW+Ng==", - "4294967301": "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==", - "8589934593": "hN+zdlS1zCr2uSYHuDkFrlkQSlfFEr7Zmtmo19E4oNY7ikyHr/Sib1zktPVfYSEC2503pPKnD3hcWyZm3b/uyQ==", - "8589934594": "TB+NQaeDBXcImznyzXliCCTj/JeiWkz/CvSKyjTKGsC3tbheYJUt5GRuIrpXw0z5LJMQzj+QJplF1RgaAcrrww==", - "8589934595": "UrqZTWXaHiE/QHi1lKzR8G7HY26+DCaMZkeiGxzErSFhmQv+xHhXuHCeacpy1vC5tvhPGa00TG6yDnJMaxG9lg==" - } - }, - "source": "groups.where( name == \"shadow\").list { members.length == 0 }\n", - "labels": { - "labels": { - 
"UrqZTWXaHiE/QHi1lKzR8G7HY26+DCaMZkeiGxzErSFhmQv+xHhXuHCeacpy1vC5tvhPGa00TG6yDnJMaxG9lg==": "name == \"shadow\"", - "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==": "groups.where.list", - "x8/NSmIlHbEl846sMWZc1p6W9SxS6ML7Mf5M/MfhdSYY1AZ9F0EOKsh+21o1MZWY/7kCE3WIgk303GPWlt7MrA==": "members.length == 0" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "vVtLCflAlII=": { - "query": "package(\"aide\").installed\n", - "checksum": "U7g4qtYX5vY=", - "datapoints": [ - "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==" - ], - "code": { - "code_v2": { - "id": "vVtLCflAlII=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YWlkZQ==" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - } - ], - "entrypoints": [ - 4294967298 - ] - } - ], - "checksums": { - "4294967297": "78TL1x6yYWxh18Z+5d6neXu/XH081LGPQ6Rm1ePznby0DZ5aVWUPc/Vb4cmXXBlxQ33JTAYdly/00vXyE8t/6g==", - "4294967298": "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==" - } - }, - "source": "package(\"aide\").installed\n", - "labels": { - "labels": { - "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==": "package.installed" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "vdDFAY9Qxko=": { - "query": "if (file(\"/etc/gshadow-\").exists) {\n file(\"/etc/gshadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "checksum": "zDow0ugJPfs=", - "datapoints": [ - 
"Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==" - ], - "code": { - "code_v2": { - "id": "vdDFAY9Qxko=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9nc2hhZG93LQ==" - } - ] - } - }, - { - "call": 1, - "id": "exists", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hICAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967299 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "file", - "function": { - "type": "\u001bfile", - "args": [ - { - "type": "\u0007", - "value": "cGF0aA==" - }, - { - "type": "\u0007", - "value": "L2V0Yy9nc2hhZG93LQ==" - } - ] - } - }, - { - "call": 1, - "id": "{}", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - } - ], - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "primitive": { - "type": "\u001bfile" - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "user_executable", - "function": { - "type": "\u0004", - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_writeable", - "function": { - "type": "\u0004", - "binding": 12884901893 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - 
"type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "group_executable", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901897 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_readable", - "function": { - "type": "\u0004", - "binding": 12884901899 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901900 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_writeable", - "function": { - "type": "\u0004", - "binding": 12884901902 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901903 - } - }, - { - "call": 1, - "id": "permissions", - "function": { - "type": "\u001bfile.permissions", - "binding": 12884901889 - } - }, - { - "call": 1, - "id": "other_executable", - "function": { - "type": "\u0004", - "binding": 12884901905 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 12884901906 - } - } - ], - "parameters": 1, - "entrypoints": [ - 12884901892, - 12884901895, - 12884901898, - 12884901901, - 12884901904, - 12884901907 - ] - } - ], - "checksums": { - "12884901889": 
"fpkfDGp61nGYJYARIHZDYSfGKhto1XPbp2ChGzXLCb7wVqIiAw7tmn7rXxr5Vg5XS/FMqs8WSR+xpg1uPA/UfQ==", - "12884901890": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901891": "JZ9Floko4xuZWaQ6MfJ3UpwFlAheC8XiO0hYCKCGGXa04YxVeUhwYjGfglCRNbmJnZHHVLTLdPUc8KR2lIErIQ==", - "12884901892": "GFbwLVOxQMOCwP9vI4mj+437bIHi1jEihUM0LC+/51CMFlpuZ1dsIFQQMZrxJEdqUdLvHlD4W1YCreqRP1PPYg==", - "12884901893": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901894": "+TKnIXLxiVkYDcrdFH/V/rCu/hwCY2bU3WJWtSKRHR7xxBj/YOI9sFT9k4HE5NBN+oqJ8ur4ojYPVVq4PtrhmA==", - "12884901895": "tJpX5XEphcQLluFTJIbRp12uGSJtPIxjMaoIwi++EJjQcEtWPmqTRlIfR+yq7WoO70jFXwTkEdrZrDIFKJH5ig==", - "12884901896": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901897": "olsuTbO9ZkxN00zLp83ZFULblu+VQWhfq/k/OfP0c3639H5Cbe3QOaBGDeFNNZxYu6UZ20Wh+jLXOsGsSmH5jQ==", - "12884901898": "usfVVcXyLjhf3+zaGAFt2qqIVA4y0m0RzTHBvOUhPWhRzWl63LMWb+l5RxbJ+MiwNQb77QkQrODM2trAoKl5+g==", - "12884901899": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901900": "+Oii9J9Qmgg64zGEFeHWbsH3cextdzt9vZj77B9Pa/m+FJ0OBzPtLteo2KR+q+KDzHrJWuqIZDp3sYyBcfwdJQ==", - "12884901901": "vhwRx1EzASN38Sf53EbfXebyqrsciV02siM3eXPcfl6StjAY6Lq2F4b7Uwbbhdu9A+F3MVpEjH4BuvsH7v7lpw==", - "12884901902": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901903": "vCNuRUL0hAqH3FZ0RAiDfYceWDVtIFkKbzF4/iXXrLPtjIDfqRjhmTo4BKB1CUFYyyrZL9/0y49S6dUjBT+ewg==", - "12884901904": "kXoTf3+4XxQt80h3j0zXw3BRjgmGWMxZHZ7Yz/CIN4wgmTYg17DGCyVD/3L+vr0tPBenzomspkLkWjCq3u+67g==", - "12884901905": "0zmkozib3O+K8n7gctyhzIuCV6vNgYUKkrRUiMsjcXhvpROhxCzQQudEH2do5VwbUyjaF7Z1Oa2/OMQXlkJ+Pg==", - "12884901906": "HCEMReh2eMg/DtGRFziD87SUUCYDO1gv0YY8QQmlkPtipOtfOsK99usIRILBhRa21tqdTl2twcbheD1sYfvjSg==", - "12884901907": 
"dsn9lk+Kw0cUH2+LTVZZ4ofmkzY4EBcKcYDgAQj8Rd+U0IJ+bTdDKPPrG9r4m+iIQ3v5s78IwxY11jxdwi+QRA==", - "4294967297": "fpkfDGp61nGYJYARIHZDYSfGKhto1XPbp2ChGzXLCb7wVqIiAw7tmn7rXxr5Vg5XS/FMqs8WSR+xpg1uPA/UfQ==", - "4294967298": "yMS+RmTLTYQelRzF3SDe7cng23YFGxh4iBIpvrjMBhgDNYCk8ThCLD1RVMbhzKzJUxHm5wKxV64JIiVXK/nKpA==", - "4294967299": "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==", - "8589934593": "fpkfDGp61nGYJYARIHZDYSfGKhto1XPbp2ChGzXLCb7wVqIiAw7tmn7rXxr5Vg5XS/FMqs8WSR+xpg1uPA/UfQ==", - "8589934594": "Z7yy8WEpZNXv+MN3IfLXfzDV6VNdI7G+hnCtf9kABXbMVw/TPe76uYbqYWN0661+tGZgV3rJOngT/DAu6cT6tA==" - } - }, - "source": "if (file(\"/etc/gshadow-\").exists) {\n file(\"/etc/gshadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "labels": { - "labels": { - "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==": "if", - "GFbwLVOxQMOCwP9vI4mj+437bIHi1jEihUM0LC+/51CMFlpuZ1dsIFQQMZrxJEdqUdLvHlD4W1YCreqRP1PPYg==": "permissions.user_executable == false", - "Z7yy8WEpZNXv+MN3IfLXfzDV6VNdI7G+hnCtf9kABXbMVw/TPe76uYbqYWN0661+tGZgV3rJOngT/DAu6cT6tA==": "file", - "dsn9lk+Kw0cUH2+LTVZZ4ofmkzY4EBcKcYDgAQj8Rd+U0IJ+bTdDKPPrG9r4m+iIQ3v5s78IwxY11jxdwi+QRA==": "permissions.other_executable == false", - "kXoTf3+4XxQt80h3j0zXw3BRjgmGWMxZHZ7Yz/CIN4wgmTYg17DGCyVD/3L+vr0tPBenzomspkLkWjCq3u+67g==": "permissions.other_writeable == false", - "tJpX5XEphcQLluFTJIbRp12uGSJtPIxjMaoIwi++EJjQcEtWPmqTRlIfR+yq7WoO70jFXwTkEdrZrDIFKJH5ig==": "permissions.group_writeable == false", - "usfVVcXyLjhf3+zaGAFt2qqIVA4y0m0RzTHBvOUhPWhRzWl63LMWb+l5RxbJ+MiwNQb77QkQrODM2trAoKl5+g==": "permissions.group_executable == false", - "vhwRx1EzASN38Sf53EbfXebyqrsciV02siM3eXPcfl6StjAY6Lq2F4b7Uwbbhdu9A+F3MVpEjH4BuvsH7v7lpw==": "permissions.other_readable == false" 
- } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "w44ayUe5r2M=": { - "query": "kernel.parameters['net.ipv4.tcp_syncookies'] == 1\n", - "checksum": "YFDEzG/eo50=", - "datapoints": [ - "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==", - "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==" - ], - "code": { - "code_v2": { - "id": "w44ayUe5r2M=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "kernel" - }, - { - "call": 1, - "id": "parameters", - "function": { - "type": "\u001a\u0007\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "[]", - "function": { - "type": "\u0007", - "args": [ - { - "type": "\u0007", - "value": "bmV0LmlwdjQudGNwX3N5bmNvb2tpZXM=" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "==\u0005", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0005", - "value": "Ag==" - } - ], - "binding": 4294967299 - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967299 - ] - } - ], - "checksums": { - "4294967297": "RXV+1el3VK2oK0ytvuWZ6oRu95oJxvcqbHGw5Wq5LfAbGvjLmiHYndQw+dDOPQiIqBhor40mICUenGaUlny8Lg==", - "4294967298": "dM9qEfUwWr0DHz2QFJ5GwuX9ELsnO1Us4rTlLu63r3mnIduFn0tmuQqThf7ul4pd0wPoMSZIB/RxVPGcU9xORQ==", - "4294967299": "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==", - "4294967300": "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==" - } - }, - "source": "kernel.parameters['net.ipv4.tcp_syncookies'] == 1\n", - "labels": { - "labels": { - "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==": "kernel.parameters[net.ipv4.tcp_syncookies]", - "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==": "kernel.parameters[net.ipv4.tcp_syncookies] == 1" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - 
}, - "wFoBEVblMLk=": { - "query": "if( platform.name == 'arch' ) {\n package(\"audit\").installed\n} else {\n package(\"auditd\").installed \u0026\u0026 package(\"audispd-plugins\").installed || package(\"audit\").installed \u0026\u0026 package(\"audit-libs\").installed\n}\n", - "checksum": "X9xEkSxUBE4=", - "datapoints": [ - "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==", - "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==" - ], - "code": { - "code_v2": { - "id": "wFoBEVblMLk=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "platform" - }, - { - "call": 1, - "id": "name", - "function": { - "type": "\u0007", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0007", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0007", - "value": "YXJjaA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "if", - "function": { - "type": "\u000c", - "args": [ - { - "type": "\u0003", - "value": "hoCAgCA=" - }, - { - "type": "\u001c\u0000", - "value": "gICAgEA=" - }, - { - "type": "\u0019\u0003" - }, - { - "type": "\u001c\u0000", - "value": "gICAgGA=" - }, - { - "type": "\u0019\u0003" - } - ] - } - } - ], - "entrypoints": [ - 4294967300 - ], - "datapoints": [ - 4294967298 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXQ=" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 8589934593 - } - } - ], - "entrypoints": [ - 8589934594 - ] - }, - { - "chunks": [ - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXRk" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - 
"binding": 12884901889 - } - }, - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXNwZC1wbHVnaW5z" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 12884901891 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "iICAgGA=" - } - ], - "binding": 12884901890 - } - }, - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXQ=" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 12884901894 - } - }, - { - "call": 1, - "id": "package", - "function": { - "type": "\u001bpackage", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "YXVkaXQtbGlicw==" - } - ] - } - }, - { - "call": 1, - "id": "installed", - "function": { - "type": "\u0004", - "binding": 12884901896 - } - }, - { - "call": 1, - "id": "\u0026\u0026\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "koCAgGA=" - } - ], - "binding": 12884901895 - } - }, - { - "call": 1, - "id": "||\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0003", - "value": "lICAgGA=" - } - ], - "binding": 12884901893 - } - } - ], - "entrypoints": [ - 12884901899 - ] - } - ], - "checksums": { - "12884901889": "Pr3fM6k0c2d+OZoUAhEl4NhvBkIzd8Md9uYBG00Bm67Gz0oGN16N/1xuph6EzzOK2CUTNgHnSqXWWoyW0uJHNw==", - "12884901890": "kWCvo5pxQC3aPGd1/6OKdqi58gmnAq9fCxWen7kPJtzBpScOLRNBhgiZJFj2/rxpOe9sm+8Remmuu0/f4pKazQ==", - "12884901891": "1BiGspzfnHMvR35h/XkBOdt8uPmmIkpaPpXECbRumc0ASDEUl2McCDu9qsmMHfsK4aeQWQhKfJkYjdWlkzJccA==", - "12884901892": 
"TX9xUW8BLrn+p7L9Qx8YpeD7dwfzS1zkYZNf+s2WYT/107nw6OQa/BMMAbGpYQDVb4Gqqy9YcgLpDLd4J0OlYw==", - "12884901893": "vpMslLoEq0lrhSI5PY1UO3O1A409JWw7cvCqK/3DP7P/TWrjUPR+AfcF2Z7iaZC0L52fWXpCfUD4r8YLYl9P7Q==", - "12884901894": "CNaCohyCQwnXL08uBRloVveMq1TU9XDqrD9WTuiDLqmDB+IEE4e1Ni94hkGhvlCw8iI+4gCNKoSYjm/esGHtqA==", - "12884901895": "iQvYlLVnZ5KExeB3rGzKlyaujN3B+mQsaD0QUHnxFcj8wH0q5seYdNPfwAibZ3kzCgyyUl4kv3+AXjWy0CE1bQ==", - "12884901896": "0LCpbX1SNEJqVhsXIvD+KKcdUgiL3yt2JpjbvHr5v+GjpL4LcmeaDCJnBXWdx/XErkp8RDNYYO5FnADsfQKgKg==", - "12884901897": "DJkeGvjsYgKM248z0W86My+Px3jgX9kSWSY2K+UxP8vYpEgTMWJbUC7PqXeNh2KI76IVk6EcsCc2a+b/5941rQ==", - "12884901898": "ZgUu84uuHdWbHD7yz8dtN9Fy86jkNgACM1G802xz6pLh2BY3HS2gUy2ACGDNXSTSRcgIWoVgJE3dFEhl2cPs0Q==", - "12884901899": "9XuAr40y7ZpKHokq50FnFRla9BLEs8AYr/1Ni3RPLnyEl0cvrhB+gjMqAReapKzKDzPVpNKp6i2wFvoYgYLGew==", - "4294967297": "/qhUSF3PG7h1Z76I+pKLFJi3ymxF2Nh7NVQ2ensEOyTliwiwWP9rIANzze33zayPNu9v8iPn2Alc94crV4+5Jg==", - "4294967298": "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==", - "4294967299": "RBZKQDTTM3vz8KYVJy5mryWDLedLNA49Z1MlpzH8AQg1+c/9VZG2eo9SCBmbsD2AYkN3TOF7232ST0r8Yb+pnA==", - "4294967300": "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==", - "8589934593": "CNaCohyCQwnXL08uBRloVveMq1TU9XDqrD9WTuiDLqmDB+IEE4e1Ni94hkGhvlCw8iI+4gCNKoSYjm/esGHtqA==", - "8589934594": "iQvYlLVnZ5KExeB3rGzKlyaujN3B+mQsaD0QUHnxFcj8wH0q5seYdNPfwAibZ3kzCgyyUl4kv3+AXjWy0CE1bQ==" - } - }, - "source": "if( platform.name == 'arch' ) {\n package(\"audit\").installed\n} else {\n package(\"auditd\").installed \u0026\u0026 package(\"audispd-plugins\").installed || package(\"audit\").installed \u0026\u0026 package(\"audit-libs\").installed\n}\n", - "labels": { - "labels": { - "9XuAr40y7ZpKHokq50FnFRla9BLEs8AYr/1Ni3RPLnyEl0cvrhB+gjMqAReapKzKDzPVpNKp6i2wFvoYgYLGew==": "package.installed \u0026\u0026 \u003cref\u003e || \u003cref\u003e", - 
"EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==": "platform.name", - "iQvYlLVnZ5KExeB3rGzKlyaujN3B+mQsaD0QUHnxFcj8wH0q5seYdNPfwAibZ3kzCgyyUl4kv3+AXjWy0CE1bQ==": "package.installed", - "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==": "if" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - }, - "yYCqsWpfXqE=": { - "query": "service(\"ntalk\").enabled == false\nservice(\"ntalk\").running == false\n", - "checksum": "jrUjEDUEPso=", - "datapoints": [ - "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==", - "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==", - "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==", - "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==" - ], - "code": { - "code_v2": { - "id": "yYCqsWpfXqE=", - "blocks": [ - { - "chunks": [ - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bnRhbGs=" - } - ] - } - }, - { - "call": 1, - "id": "enabled", - "function": { - "type": "\u0004", - "binding": 4294967297 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967298 - } - }, - { - "call": 1, - "id": "service", - "function": { - "type": "\u001bservice", - "args": [ - { - "type": "\u0007", - "value": "bmFtZQ==" - }, - { - "type": "\u0007", - "value": "bnRhbGs=" - } - ] - } - }, - { - "call": 1, - "id": "running", - "function": { - "type": "\u0004", - "binding": 4294967300 - } - }, - { - "call": 1, - "id": "==\u0004", - "function": { - "type": "\u0004", - "args": [ - { - "type": "\u0004", - "value": "AA==" - } - ], - "binding": 4294967301 - } - } - ], - "entrypoints": [ 
- 4294967299, - 4294967302 - ], - "datapoints": [ - 4294967298, - 4294967301 - ] - } - ], - "checksums": { - "4294967297": "n19W1UnnUcOjkjh0xsKI1o97MlKE1L1wEN/t1KWXf4j1BK9q1cjt/bS+8hFN0E+nhS+8oC2UfWGsXZISP9l/CQ==", - "4294967298": "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==", - "4294967299": "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==", - "4294967300": "n19W1UnnUcOjkjh0xsKI1o97MlKE1L1wEN/t1KWXf4j1BK9q1cjt/bS+8hFN0E+nhS+8oC2UfWGsXZISP9l/CQ==", - "4294967301": "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==", - "4294967302": "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==" - } - }, - "source": "service(\"ntalk\").enabled == false\nservice(\"ntalk\").running == false\n", - "labels": { - "labels": { - "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==": "service.enabled", - "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==": "service.running", - "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==": "service.enabled == false", - "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==": "service.running == false" - } - }, - "version": "unstable", - "min_mondoo_version": "5.15.0" - } - } - } - }, - "collector_job": { - "checksum": "po5kcjTzXdo=", - "reporting_jobs": { - "+7sAxPVt2ik=": { - "checksum": "WYkMnA4DH7g=", - "qr_id": "yYCqsWpfXqE=", - "uuid": "+7sAxPVt2ik=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==": true, - "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==": true, - "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==": true, - 
"vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==": true - } - }, - "+DsYiqNPUEo=": { - "checksum": "+8uMhi4CPm0=", - "qr_id": "OCysW6/A17Y=", - "uuid": "+DsYiqNPUEo=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==": true, - "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==": true, - "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==": true, - "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==": true - } - }, - "/fHoNZrC5V0=": { - "checksum": "HI/XEunbyRQ=", - "qr_id": "+u6doYoYG5E=", - "uuid": "/fHoNZrC5V0=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==": true, - "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==": true, - "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==": true, - "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==": true - } - }, - "194wRisFHoE=": { - "checksum": "iVl3DWjMe7s=", - "qr_id": "N0L20kz+NNw=", - "uuid": "194wRisFHoE=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==": true - } - }, - "26czA478iYU=": { - "checksum": "iZB6FvhEb0s=", - "qr_id": "3JYJkYI8d0U=", - "uuid": "26czA478iYU=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==": true - } - }, - "2vq3t9uIHqQ=": { - "checksum": "Y0QNRgvt/bI=", - "qr_id": "v4D2MQ0juoo=", - "uuid": "2vq3t9uIHqQ=", - "notify": [ - "h2HjazFh7Q4=" 
- ], - "datapoints": { - "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==": true, - "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==": true, - "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==": true, - "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==": true - } - }, - "2wf8u5wH2Vg=": { - "checksum": "F0KRuLrd5co=", - "qr_id": "Ty2iKIfHjno=", - "uuid": "2wf8u5wH2Vg=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==": true, - "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==": true, - "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==": true, - "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==": true - } - }, - "37g0aaJLTm4=": { - "checksum": "jvOZhlyv9Cg=", - "qr_id": "AjsJ60JDOuU=", - "uuid": "37g0aaJLTm4=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==": true, - "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==": true, - "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==": true, - "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==": true - } - }, - "3fiQ9klyAhw=": { - "checksum": "Mr9y/D31yJQ=", - "qr_id": "wFoBEVblMLk=", - "uuid": "3fiQ9klyAhw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==": true, - "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==": true - } - }, - "5AiFtY/ZJMM=": { - "checksum": "c+8omC13ndE=", - "qr_id": 
"H74IPb4kjoI=", - "uuid": "5AiFtY/ZJMM=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==": true, - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": true - } - }, - "6rYTCE3mFMs=": { - "checksum": "EheiaCshIg8=", - "qr_id": "LxiiosuqdEw=", - "uuid": "6rYTCE3mFMs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==": true - } - }, - "7tgb/KdY6hI=": { - "checksum": "HdGXsy65kk8=", - "qr_id": "7wuHGnsUApE=", - "uuid": "7tgb/KdY6hI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==": true, - "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==": true - } - }, - "8BUb4aTsrqw=": { - "checksum": "bVSiC9q7Ae4=", - "qr_id": "VrgV5/9So/8=", - "uuid": "8BUb4aTsrqw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==": true, - "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==": true - } - }, - "ADa6kaPcpVc=": { - "checksum": "sqDOyaxyEno=", - "qr_id": "8xqHW7YCDEw=", - "uuid": "ADa6kaPcpVc=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==": true, - "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==": true, - "r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==": true - } - }, - "B+SrUp9v8vs=": { - "checksum": "OkKizZgT04Y=", - "qr_id": "gu8eYJ6C7Ag=", - "uuid": "B+SrUp9v8vs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - 
"SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==": true, - "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==": true - } - }, - "BIUZzaFLoAA=": { - "checksum": "ZPXyJuWTNr8=", - "qr_id": "lSnkpvWD+i0=", - "uuid": "BIUZzaFLoAA=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==": true, - "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==": true, - "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==": true, - "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==": true, - "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==": true, - "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==": true, - "UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==": true, - "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==": true, - "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==": true, - "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==": true, - "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==": true, - "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==": true - } - }, - "Bo1PbOhOl/E=": { - "checksum": "QDlRdWQ1w/s=", - "qr_id": "o38RkOShiq4=", - "uuid": "Bo1PbOhOl/E=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==": true, - "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==": true, - 
"e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==": true, - "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==": true - } - }, - "DlnglU9AfpM=": { - "checksum": "pEvk0K4NNZ8=", - "qr_id": "nxVlUWzBV1c=", - "uuid": "DlnglU9AfpM=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==": true, - "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==": true - } - }, - "ExXVbFjvhKg=": { - "checksum": "NLhHY0wWNgY=", - "qr_id": "lEVQGwKxvPY=", - "uuid": "ExXVbFjvhKg=", - "notify": [ - "vdLfQXhMCkc=" - ], - "datapoints": { - "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==": true, - "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==": true - } - }, - "F6+YzMIB3Ko=": { - "checksum": "bRlHPLheRFU=", - "qr_id": "IlhV0oVPhJk=", - "uuid": "F6+YzMIB3Ko=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==": true, - "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==": true, - "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==": true, - "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==": true - } - }, - "F9dO2WbRZkY=": { - "checksum": "5vm7+rH/G/c=", - "qr_id": "rDqQzgrxmug=", - "uuid": "F9dO2WbRZkY=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==": true - } - }, - "FaOlCtWE4uU=": { - "checksum": "y4LqOBR3LHw=", - "qr_id": "Ps0zOyqhecE=", - "uuid": "FaOlCtWE4uU=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - 
"CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==": true, - "P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==": true - } - }, - "Fk08BM7hZzI=": { - "checksum": "KzpZ2xnihes=", - "qr_id": "MCCspWdD2Vk=", - "uuid": "Fk08BM7hZzI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==": true, - "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==": true, - "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==": true, - "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==": true - } - }, - "GRTb9+snT/s=": { - "checksum": "yW0zzGQvRYQ=", - "qr_id": "ZydIs1lDnr8=", - "uuid": "GRTb9+snT/s=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==": true - } - }, - "Gpe1pDxHTmI=": { - "checksum": "QoCc6OJxM3g=", - "qr_id": "FrdMe+1q6Bc=", - "uuid": "Gpe1pDxHTmI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==": true - } - }, - "HB2SFqn2Fyk=": { - "checksum": "pmwtrVjh8Ko=", - "qr_id": "HhVqF0tMxvA=", - "uuid": "HB2SFqn2Fyk=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "HCvHXvHI/SE=": { - "checksum": "xm7OQa1Wwvk=", - "qr_id": "f5q/EiRn95Q=", - "uuid": "HCvHXvHI/SE=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==": true, - 
"EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==": true, - "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==": true, - "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==": true, - "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==": true, - "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==": true, - "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==": true, - "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==": true - } - }, - "HrdLwxAG9S8=": { - "checksum": "YQpbMJ3AuZ0=", - "qr_id": "5YLhhd+c3KY=", - "uuid": "HrdLwxAG9S8=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "IJFviUyRy/Y=": { - "checksum": "aRnN9i9TTmU=", - "qr_id": "3QL3VcmScCM=", - "uuid": "IJFviUyRy/Y=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==": true, - "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==": true, - "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==": true, - "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==": true - } - }, - "J6hJxGFbIbM=": { - "checksum": "kSkwqkXXzTQ=", - "qr_id": "9Frfyu3HqwY=", - "uuid": "J6hJxGFbIbM=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==": true, - "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==": true, - 
"ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==": true, - "h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==": true - } - }, - "JI8L9SWXsXU=": { - "checksum": "+nhWB+PbNT4=", - "qr_id": "gCDGOw9QK4Q=", - "uuid": "JI8L9SWXsXU=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==": true - } - }, - "JwHo91MSDuw=": { - "checksum": "m+IgAVwUDXU=", - "qr_id": "RLX6/DpoDuE=", - "uuid": "JwHo91MSDuw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==": true - } - }, - "LOfvwFzXH0k=": { - "checksum": "GpP4uSeNDss=", - "qr_id": "XbnrBNXgCwA=", - "uuid": "LOfvwFzXH0k=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==": true - } - }, - "M72GpAmvSUE=": { - "checksum": "ekERIjw9sWQ=", - "qr_id": "jb3wqU5HpR8=", - "uuid": "M72GpAmvSUE=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==": true, - "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==": true, - "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==": true, - "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==": true, - "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==": true, - "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==": true, - "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==": true, - 
"muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==": true - } - }, - "MH3QfVxvZdk=": { - "checksum": "5EWJQrI35ws=", - "qr_id": "KehuxCXphps=", - "uuid": "MH3QfVxvZdk=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==": true, - "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==": true, - "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==": true, - "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==": true, - "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==": true, - "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==": true, - "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==": true, - "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==": true - } - }, - "Nf+2bmMwWoI=": { - "checksum": "mbv4lMBWsOU=", - "qr_id": "9kZGL9b/izQ=", - "uuid": "Nf+2bmMwWoI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==": true - } - }, - "OCEygOhiuJo=": { - "checksum": "16dI1UnquHE=", - "qr_id": "cYHRR9+gDKI=", - "uuid": "OCEygOhiuJo=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==": true - } - }, - "QhQrcu+f6Dw=": { - "checksum": "Nj1x0rc/vxc=", - "qr_id": "Gjm+13rDf3o=", - "uuid": "QhQrcu+f6Dw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==": true - } - }, - "SXcatTHDkzA=": { - "checksum": 
"NvPNzhJBJXM=", - "qr_id": "I/fSLFpoIJA=", - "uuid": "SXcatTHDkzA=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==": true - } - }, - "SwBOSpwuh0s=": { - "checksum": "FTczRFvZ/gw=", - "qr_id": "Au17Pta3l0A=", - "uuid": "SwBOSpwuh0s=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==": true, - "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==": true, - "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==": true, - "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==": true - } - }, - "TgsnO18jnk0=": { - "checksum": "1juVFfMY2so=", - "qr_id": "Gjj6ZTcWK1M=", - "uuid": "TgsnO18jnk0=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==": true, - "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==": true, - "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==": true, - "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==": true, - "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==": true, - "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==": true - } - }, - "UF+KvCWmqjc=": { - "checksum": "4XCR3przzBE=", - "qr_id": "uzWGcrUQbCU=", - "uuid": "UF+KvCWmqjc=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==": true - } - }, - "WWqsPEuVd20=": { - "checksum": "ZMxeN2H8kmA=", - "qr_id": 
"727yzVm9jYQ=", - "uuid": "WWqsPEuVd20=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==": true, - "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==": true, - "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==": true, - "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==": true - } - }, - "Wk3oqgABlrQ=": { - "checksum": "R3IabOlv6hw=", - "qr_id": "AjCxN3eZtsA=", - "uuid": "Wk3oqgABlrQ=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "XIWzHxrQD78=": { - "checksum": "7fEZXV7EoFk=", - "qr_id": "eWpIdiIAryk=", - "uuid": "XIWzHxrQD78=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "XWslwNstrcY=": { - "checksum": "mfmcwa78AWM=", - "qr_id": "gxsrJvn0Hag=", - "uuid": "XWslwNstrcY=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==": true, - "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==": true, - "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==": true, - "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==": true, - "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==": true, - "FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==": true, - 
"YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==": true, - "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==": true, - "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==": true, - "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==": true, - "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==": true, - "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==": true - } - }, - "YcVynDftNDs=": { - "checksum": "RF00RtcU3dw=", - "qr_id": "sefeJd4La70=", - "uuid": "YcVynDftNDs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": true, - "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==": true - } - }, - "Yjlih5OMwQM=": { - "checksum": "qIBigtbihKs=", - "qr_id": "THw+yxDZOpw=", - "uuid": "Yjlih5OMwQM=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==": true, - "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==": true, - "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==": true, - "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==": true - } - }, - "YncB6VYFcUE=": { - "checksum": "2m67V5WD9HQ=", - "qr_id": "ctwaZkpRtPo=", - "uuid": "YncB6VYFcUE=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==": true - } - }, - "YzKm6qvXpF8=": { - "checksum": "cGvdg/I2/wQ=", - "qr_id": "Hwqs1IZPO4c=", - "uuid": "YzKm6qvXpF8=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - 
"6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==": true, - "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==": true, - "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==": true, - "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==": true - } - }, - "a1t11xBocoY=": { - "checksum": "k1bsjkNMdxE=", - "qr_id": "v8xZOX1QRJQ=", - "uuid": "a1t11xBocoY=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==": true - } - }, - "asY/92SNBzI=": { - "checksum": "Lrz+0W83aak=", - "qr_id": "SCin1z5hBLk=", - "uuid": "asY/92SNBzI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==": true, - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": true - } - }, - "b/U0hDuvTjs=": { - "checksum": "nn7GnB/BJXM=", - "qr_id": "jqO4q2mBu9M=", - "uuid": "b/U0hDuvTjs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==": true, - "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==": true, - "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==": true, - "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==": true - } - }, - "bp3otqYqTKE=": { - "checksum": "Ctn08fdd5dQ=", - "qr_id": "piWj+cXXr7k=", - "uuid": "bp3otqYqTKE=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==": true, - "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==": true - } - }, - "cHKgOQqeh9k=": { - "checksum": 
"expD8itCJCQ=", - "qr_id": "fSgcywHks9g=", - "uuid": "cHKgOQqeh9k=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==": true, - "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==": true - } - }, - "caqgyF1OfnU=": { - "checksum": "u+U6iZAj5OM=", - "qr_id": "JIe+57K3g/w=", - "uuid": "caqgyF1OfnU=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==": true - } - }, - "f6mYo4y90UI=": { - "checksum": "eewVvOq7UOk=", - "qr_id": "htUqKZYa860=", - "uuid": "f6mYo4y90UI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==": true - } - }, - "gc/KYwABUHo=": { - "checksum": "WUw2m2njDuc=", - "qr_id": "OFWIXTzBv00=", - "uuid": "gc/KYwABUHo=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==": true - } - }, - "gfAMlogoHtc=": { - "checksum": "u3oPq9nMu7U=", - "qr_id": "Kd0nC0U7dfs=", - "uuid": "gfAMlogoHtc=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==": true - } - }, - "h2HjazFh7Q4=": { - "checksum": "f0yxUtOfPto=", - "qr_id": "//local.cnspec.io/run/local-execution/policies/mondoo-linux-security", - "uuid": "h2HjazFh7Q4=", - "spec": { - "+7sAxPVt2ik=": { - "severity": { - "value": 100 - } - }, - "+DsYiqNPUEo=": { - "severity": { - "value": 80 - } - }, - "/fHoNZrC5V0=": { - "severity": { - "value": 100 - } - }, - "194wRisFHoE=": { - "severity": { - "value": 100 - } - }, - "26czA478iYU=": { - "severity": { - "value": 80 - } - }, - "2vq3t9uIHqQ=": { - "severity": { - "value": 60 - } - }, - "2wf8u5wH2Vg=": { - "severity": { - "value": 60 - } - }, - "37g0aaJLTm4=": { - 
"severity": { - "value": 100 - } - }, - "3fiQ9klyAhw=": { - "severity": { - "value": 80 - } - }, - "5AiFtY/ZJMM=": null, - "6rYTCE3mFMs=": { - "severity": { - "value": 60 - } - }, - "7tgb/KdY6hI=": { - "severity": { - "value": 100 - } - }, - "8BUb4aTsrqw=": { - "severity": { - "value": 100 - } - }, - "ADa6kaPcpVc=": { - "severity": { - "value": 60 - } - }, - "B+SrUp9v8vs=": { - "severity": { - "value": 100 - } - }, - "BIUZzaFLoAA=": { - "severity": { - "value": 100 - } - }, - "Bo1PbOhOl/E=": { - "severity": { - "value": 100 - } - }, - "DlnglU9AfpM=": { - "severity": { - "value": 60 - } - }, - "F6+YzMIB3Ko=": { - "severity": { - "value": 100 - } - }, - "F9dO2WbRZkY=": { - "severity": { - "value": 40 - } - }, - "FaOlCtWE4uU=": { - "severity": { - "value": 100 - } - }, - "Fk08BM7hZzI=": { - "severity": { - "value": 100 - } - }, - "GRTb9+snT/s=": { - "severity": { - "value": 60 - } - }, - "Gpe1pDxHTmI=": { - "severity": { - "value": 100 - } - }, - "HB2SFqn2Fyk=": { - "severity": { - "value": 80 - } - }, - "HCvHXvHI/SE=": { - "severity": { - "value": 60 - } - }, - "HrdLwxAG9S8=": { - "severity": { - "value": 80 - } - }, - "IJFviUyRy/Y=": { - "severity": { - "value": 100 - } - }, - "J6hJxGFbIbM=": { - "severity": { - "value": 100 - } - }, - "JI8L9SWXsXU=": { - "severity": { - "value": 80 - } - }, - "JwHo91MSDuw=": { - "severity": { - "value": 80 - } - }, - "LOfvwFzXH0k=": { - "severity": { - "value": 80 - } - }, - "M72GpAmvSUE=": { - "severity": { - "value": 100 - } - }, - "MH3QfVxvZdk=": { - "severity": { - "value": 100 - } - }, - "Nf+2bmMwWoI=": { - "severity": { - "value": 80 - } - }, - "OCEygOhiuJo=": { - "severity": { - "value": 80 - } - }, - "QhQrcu+f6Dw=": { - "severity": { - "value": 100 - } - }, - "SXcatTHDkzA=": { - "severity": { - "value": 80 - } - }, - "SwBOSpwuh0s=": { - "severity": { - "value": 100 - } - }, - "TgsnO18jnk0=": { - "severity": { - "value": 100 - } - }, - "UF+KvCWmqjc=": { - "severity": { - "value": 80 - } - }, - "WWqsPEuVd20=": { - "severity": 
{ - "value": 100 - } - }, - "Wk3oqgABlrQ=": { - "severity": { - "value": 80 - } - }, - "XIWzHxrQD78=": { - "severity": { - "value": 80 - } - }, - "XWslwNstrcY=": { - "severity": { - "value": 60 - } - }, - "YcVynDftNDs=": { - "severity": { - "value": 60 - } - }, - "Yjlih5OMwQM=": { - "severity": { - "value": 100 - } - }, - "YncB6VYFcUE=": { - "severity": { - "value": 60 - } - }, - "YzKm6qvXpF8=": { - "severity": { - "value": 80 - } - }, - "a1t11xBocoY=": { - "severity": { - "value": 100 - } - }, - "asY/92SNBzI=": { - "severity": { - "value": 80 - } - }, - "b/U0hDuvTjs=": { - "severity": { - "value": 60 - } - }, - "bp3otqYqTKE=": { - "severity": { - "value": 80 - } - }, - "cHKgOQqeh9k=": { - "severity": { - "value": 100 - } - }, - "caqgyF1OfnU=": { - "severity": { - "value": 100 - } - }, - "f6mYo4y90UI=": { - "severity": { - "value": 100 - } - }, - "gc/KYwABUHo=": { - "severity": { - "value": 100 - } - }, - "gfAMlogoHtc=": { - "severity": { - "value": 100 - } - }, - "hOHkafTLjVw=": { - "severity": { - "value": 100 - } - }, - "hkWuLfitv7M=": { - "severity": { - "value": 60 - } - }, - "hoIR5YttHSs=": { - "severity": { - "value": 100 - } - }, - "i6NRidZtzoI=": { - "severity": { - "value": 80 - } - }, - "ipWPgGu1OIY=": { - "severity": { - "value": 100 - } - }, - "ktBhFcQFHd0=": { - "severity": { - "value": 100 - } - }, - "kxOf8Qj7/Ng=": { - "severity": { - "value": 100 - } - }, - "l5stUy8svoc=": { - "severity": { - "value": 60 - } - }, - "mCIBj/nyVUs=": { - "severity": { - "value": 80 - } - }, - "odklnGewArs=": { - "severity": { - "value": 100 - } - }, - "okOmp7wZAPg=": { - "severity": { - "value": 80 - } - }, - "q1T8EHrv0XI=": { - "severity": { - "value": 100 - } - }, - "q9hCkzYVk8E=": { - "severity": { - "value": 80 - } - }, - "qVxxPgyBfPw=": { - "severity": { - "value": 80 - } - }, - "r8qj9bSt58c=": { - "severity": { - "value": 80 - } - }, - "rBwzICz8kyQ=": { - "severity": { - "value": 100 - } - }, - "rdiYu9YBrxs=": { - "severity": { - "value": 100 - } - }, - 
"rf2B8kOsbjs=": { - "severity": { - "value": 60 - } - }, - "t8/nOVhdd0A=": { - "severity": { - "value": 60 - } - }, - "tInwDt/OfHw=": { - "severity": { - "value": 100 - } - }, - "trMPY/m1Uf4=": { - "severity": { - "value": 100 - } - }, - "wCLClynKKCg=": { - "severity": { - "value": 100 - } - }, - "wNzGhwCy+54=": { - "severity": { - "value": 100 - } - }, - "x6EPNPHuyA0=": { - "severity": { - "value": 100 - } - }, - "xC65NlhGaQI=": { - "severity": { - "value": 100 - } - }, - "xSmnkDOzk7o=": { - "severity": { - "value": 80 - } - } - }, - "notify": [ - "i2eCUCfSN+I=" - ], - "scoring_system": 2 - }, - "hOHkafTLjVw=": { - "checksum": "E160uj2fNPM=", - "qr_id": "QTN+NYX439o=", - "uuid": "hOHkafTLjVw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==": true, - "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==": true, - "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==": true, - "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==": true - } - }, - "hkWuLfitv7M=": { - "checksum": "+qXGaPKgvI4=", - "qr_id": "HKo0vfMZsRE=", - "uuid": "hkWuLfitv7M=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==": true, - "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==": true, - "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==": true, - "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==": true, - "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==": true, - "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==": true, - 
"tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==": true, - "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==": true - } - }, - "hoIR5YttHSs=": { - "checksum": "InIJ8AN8dpM=", - "qr_id": "dVk74tk32xs=", - "uuid": "hoIR5YttHSs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==": true, - "M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==": true - } - }, - "i2eCUCfSN+I=": { - "checksum": "qi3Y5NqVvb4=", - "qr_id": "root", - "uuid": "i2eCUCfSN+I=", - "spec": { - "h2HjazFh7Q4=": null, - "vdLfQXhMCkc=": null - } - }, - "i6NRidZtzoI=": { - "checksum": "iG5vIAqmhf4=", - "qr_id": "7dzfqFlvkAk=", - "uuid": "i6NRidZtzoI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==": true - } - }, - "ipWPgGu1OIY=": { - "checksum": "5Mvyjdhbw9o=", - "qr_id": "pG8C4AikOeo=", - "uuid": "ipWPgGu1OIY=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==": true, - "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==": true, - "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==": true, - "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==": true - } - }, - "ktBhFcQFHd0=": { - "checksum": "te78+yEFejk=", - "qr_id": "rZN1LNm5r7E=", - "uuid": "ktBhFcQFHd0=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==": true, - 
"3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==": true, - "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==": true, - "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==": true, - "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==": true, - "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==": true, - "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==": true, - "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==": true - } - }, - "kxOf8Qj7/Ng=": { - "checksum": "QdFsG2k4DQU=", - "qr_id": "vdDFAY9Qxko=", - "uuid": "kxOf8Qj7/Ng=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==": true - } - }, - "l5stUy8svoc=": { - "checksum": "xnjcu83pdHY=", - "qr_id": "5q5EG7AkY6k=", - "uuid": "l5stUy8svoc=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==": true - } - }, - "mCIBj/nyVUs=": { - "checksum": "8OKHcCREeSE=", - "qr_id": "d6AyzyIg+ow=", - "uuid": "mCIBj/nyVUs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "odklnGewArs=": { - "checksum": "CksZy5yctm0=", - "qr_id": "H2ZH2J+F/yo=", - "uuid": "odklnGewArs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==": true, - "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==": true - } - }, - "okOmp7wZAPg=": { - "checksum": 
"AhQWgJkUjSc=", - "qr_id": "FbII7up+bkQ=", - "uuid": "okOmp7wZAPg=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==": true - } - }, - "q1T8EHrv0XI=": { - "checksum": "duepXAAGliU=", - "qr_id": "f3DZtMTsQJc=", - "uuid": "q1T8EHrv0XI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==": true, - "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==": true - } - }, - "q9hCkzYVk8E=": { - "checksum": "xN6EcVCK0Sw=", - "qr_id": "sbKG4w+lkaA=", - "uuid": "q9hCkzYVk8E=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "qVxxPgyBfPw=": { - "checksum": "yRLjUMyzytI=", - "qr_id": "O1tAHbKLcI8=", - "uuid": "qVxxPgyBfPw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "r8qj9bSt58c=": { - "checksum": "c7vRiowtdeg=", - "qr_id": "MfV32r62IQE=", - "uuid": "r8qj9bSt58c=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==": true, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true - } - }, - "rBwzICz8kyQ=": { - "checksum": "kSrHwkYo7Kc=", - "qr_id": "Xs984txmLXk=", - "uuid": "rBwzICz8kyQ=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==": true - } - }, - "rdiYu9YBrxs=": { - "checksum": 
"t4tGBtvMGqw=", - "qr_id": "aS95c8UVV00=", - "uuid": "rdiYu9YBrxs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==": true, - "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==": true - } - }, - "rf2B8kOsbjs=": { - "checksum": "ByYeTNG9Fak=", - "qr_id": "vVtLCflAlII=", - "uuid": "rf2B8kOsbjs=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==": true - } - }, - "t8/nOVhdd0A=": { - "checksum": "yw8Sqmj42iY=", - "qr_id": "WkL8wViksRw=", - "uuid": "t8/nOVhdd0A=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==": true - } - }, - "tInwDt/OfHw=": { - "checksum": "laXFw0rtFkA=", - "qr_id": "m7DAOFbL9Qg=", - "uuid": "tInwDt/OfHw=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==": true - } - }, - "trMPY/m1Uf4=": { - "checksum": "wiTiLV5mB7w=", - "qr_id": "BJ3P14TOMTU=", - "uuid": "trMPY/m1Uf4=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==": true, - "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==": true, - "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==": true, - "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==": true - } - }, - "vdLfQXhMCkc=": { - "checksum": "HiFfsiaZnJQ=", - "qr_id": "//local.cnspec.io/run/local-execution/policies/mondoo-openssl-vulnerability", - "uuid": "vdLfQXhMCkc=", - "spec": { - "ExXVbFjvhKg=": null - }, - "notify": [ - "i2eCUCfSN+I=" - ], - "scoring_system": 3 - }, - "wCLClynKKCg=": { - "checksum": 
"BnhFucySD9Q=", - "qr_id": "Ieziwg178sw=", - "uuid": "wCLClynKKCg=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==": true, - "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==": true, - "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==": true, - "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==": true - } - }, - "wNzGhwCy+54=": { - "checksum": "UaCmXNLswd8=", - "qr_id": "NoJQoV63siE=", - "uuid": "wNzGhwCy+54=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==": true, - "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==": true, - "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==": true, - "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==": true - } - }, - "x6EPNPHuyA0=": { - "checksum": "YvKjPb/E1j4=", - "qr_id": "w44ayUe5r2M=", - "uuid": "x6EPNPHuyA0=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==": true, - "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==": true - } - }, - "xC65NlhGaQI=": { - "checksum": "lR+fVfGn9UY=", - "qr_id": "n9dXQh6Dchs=", - "uuid": "xC65NlhGaQI=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==": true, - "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==": true, - "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==": true, - 
"dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==": true - } - }, - "xSmnkDOzk7o=": { - "checksum": "II4D4fIcOqk=", - "qr_id": "IQ/r00/mLRg=", - "uuid": "xSmnkDOzk7o=", - "notify": [ - "h2HjazFh7Q4=" - ], - "datapoints": { - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": true, - "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==": true - } - } - }, - "reporting_queries": { - "+u6doYoYG5E=": { - "items": [ - "/fHoNZrC5V0=" - ] - }, - "3JYJkYI8d0U=": { - "items": [ - "26czA478iYU=" - ] - }, - "3QL3VcmScCM=": { - "items": [ - "IJFviUyRy/Y=" - ] - }, - "5YLhhd+c3KY=": { - "items": [ - "HrdLwxAG9S8=" - ] - }, - "5q5EG7AkY6k=": { - "items": [ - "l5stUy8svoc=" - ] - }, - "727yzVm9jYQ=": { - "items": [ - "WWqsPEuVd20=" - ] - }, - "7dzfqFlvkAk=": { - "items": [ - "i6NRidZtzoI=" - ] - }, - "7wuHGnsUApE=": { - "items": [ - "7tgb/KdY6hI=" - ] - }, - "8xqHW7YCDEw=": { - "items": [ - "ADa6kaPcpVc=" - ] - }, - "9Frfyu3HqwY=": { - "items": [ - "J6hJxGFbIbM=" - ] - }, - "9kZGL9b/izQ=": { - "items": [ - "Nf+2bmMwWoI=" - ] - }, - "AjCxN3eZtsA=": { - "items": [ - "Wk3oqgABlrQ=" - ] - }, - "AjsJ60JDOuU=": { - "items": [ - "37g0aaJLTm4=" - ] - }, - "Au17Pta3l0A=": { - "items": [ - "SwBOSpwuh0s=" - ] - }, - "BJ3P14TOMTU=": { - "items": [ - "trMPY/m1Uf4=" - ] - }, - "FbII7up+bkQ=": { - "items": [ - "okOmp7wZAPg=" - ] - }, - "FrdMe+1q6Bc=": { - "items": [ - "Gpe1pDxHTmI=" - ] - }, - "Gjj6ZTcWK1M=": { - "items": [ - "TgsnO18jnk0=" - ] - }, - "Gjm+13rDf3o=": { - "items": [ - "QhQrcu+f6Dw=" - ] - }, - "H2ZH2J+F/yo=": { - "items": [ - "odklnGewArs=" - ] - }, - "H74IPb4kjoI=": { - "items": [ - "5AiFtY/ZJMM=" - ] - }, - "HKo0vfMZsRE=": { - "items": [ - "hkWuLfitv7M=" - ] - }, - "HhVqF0tMxvA=": { - "items": [ - "HB2SFqn2Fyk=" - ] - }, - "Hwqs1IZPO4c=": { - "items": [ - "YzKm6qvXpF8=" - ] - }, - "I/fSLFpoIJA=": { - "items": [ - "SXcatTHDkzA=" - ] - }, - "IQ/r00/mLRg=": { - 
"items": [ - "xSmnkDOzk7o=" - ] - }, - "Ieziwg178sw=": { - "items": [ - "wCLClynKKCg=" - ] - }, - "IlhV0oVPhJk=": { - "items": [ - "F6+YzMIB3Ko=" - ] - }, - "JIe+57K3g/w=": { - "items": [ - "caqgyF1OfnU=" - ] - }, - "Kd0nC0U7dfs=": { - "items": [ - "gfAMlogoHtc=" - ] - }, - "KehuxCXphps=": { - "items": [ - "MH3QfVxvZdk=" - ] - }, - "LxiiosuqdEw=": { - "items": [ - "6rYTCE3mFMs=" - ] - }, - "MCCspWdD2Vk=": { - "items": [ - "Fk08BM7hZzI=" - ] - }, - "MfV32r62IQE=": { - "items": [ - "r8qj9bSt58c=" - ] - }, - "N0L20kz+NNw=": { - "items": [ - "194wRisFHoE=" - ] - }, - "NoJQoV63siE=": { - "items": [ - "wNzGhwCy+54=" - ] - }, - "O1tAHbKLcI8=": { - "items": [ - "qVxxPgyBfPw=" - ] - }, - "OCysW6/A17Y=": { - "items": [ - "+DsYiqNPUEo=" - ] - }, - "OFWIXTzBv00=": { - "items": [ - "gc/KYwABUHo=" - ] - }, - "Ps0zOyqhecE=": { - "items": [ - "FaOlCtWE4uU=" - ] - }, - "QTN+NYX439o=": { - "items": [ - "hOHkafTLjVw=" - ] - }, - "RLX6/DpoDuE=": { - "items": [ - "JwHo91MSDuw=" - ] - }, - "SCin1z5hBLk=": { - "items": [ - "asY/92SNBzI=" - ] - }, - "THw+yxDZOpw=": { - "items": [ - "Yjlih5OMwQM=" - ] - }, - "Ty2iKIfHjno=": { - "items": [ - "2wf8u5wH2Vg=" - ] - }, - "VrgV5/9So/8=": { - "items": [ - "8BUb4aTsrqw=" - ] - }, - "WkL8wViksRw=": { - "items": [ - "t8/nOVhdd0A=" - ] - }, - "XbnrBNXgCwA=": { - "items": [ - "LOfvwFzXH0k=" - ] - }, - "Xs984txmLXk=": { - "items": [ - "rBwzICz8kyQ=" - ] - }, - "ZydIs1lDnr8=": { - "items": [ - "GRTb9+snT/s=" - ] - }, - "aS95c8UVV00=": { - "items": [ - "rdiYu9YBrxs=" - ] - }, - "cYHRR9+gDKI=": { - "items": [ - "OCEygOhiuJo=" - ] - }, - "ctwaZkpRtPo=": { - "items": [ - "YncB6VYFcUE=" - ] - }, - "d6AyzyIg+ow=": { - "items": [ - "mCIBj/nyVUs=" - ] - }, - "dVk74tk32xs=": { - "items": [ - "hoIR5YttHSs=" - ] - }, - "eWpIdiIAryk=": { - "items": [ - "XIWzHxrQD78=" - ] - }, - "f3DZtMTsQJc=": { - "items": [ - "q1T8EHrv0XI=" - ] - }, - "f5q/EiRn95Q=": { - "items": [ - "HCvHXvHI/SE=" - ] - }, - "fSgcywHks9g=": { - "items": [ - "cHKgOQqeh9k=" - ] - }, - 
"gCDGOw9QK4Q=": { - "items": [ - "JI8L9SWXsXU=" - ] - }, - "gu8eYJ6C7Ag=": { - "items": [ - "B+SrUp9v8vs=" - ] - }, - "gxsrJvn0Hag=": { - "items": [ - "XWslwNstrcY=" - ] - }, - "htUqKZYa860=": { - "items": [ - "f6mYo4y90UI=" - ] - }, - "jb3wqU5HpR8=": { - "items": [ - "M72GpAmvSUE=" - ] - }, - "jqO4q2mBu9M=": { - "items": [ - "b/U0hDuvTjs=" - ] - }, - "lEVQGwKxvPY=": { - "items": [ - "ExXVbFjvhKg=" - ] - }, - "lSnkpvWD+i0=": { - "items": [ - "BIUZzaFLoAA=" - ] - }, - "m7DAOFbL9Qg=": { - "items": [ - "tInwDt/OfHw=" - ] - }, - "n9dXQh6Dchs=": { - "items": [ - "xC65NlhGaQI=" - ] - }, - "nxVlUWzBV1c=": { - "items": [ - "DlnglU9AfpM=" - ] - }, - "o38RkOShiq4=": { - "items": [ - "Bo1PbOhOl/E=" - ] - }, - "pG8C4AikOeo=": { - "items": [ - "ipWPgGu1OIY=" - ] - }, - "piWj+cXXr7k=": { - "items": [ - "bp3otqYqTKE=" - ] - }, - "rDqQzgrxmug=": { - "items": [ - "F9dO2WbRZkY=" - ] - }, - "rZN1LNm5r7E=": { - "items": [ - "ktBhFcQFHd0=" - ] - }, - "sbKG4w+lkaA=": { - "items": [ - "q9hCkzYVk8E=" - ] - }, - "sefeJd4La70=": { - "items": [ - "YcVynDftNDs=" - ] - }, - "uzWGcrUQbCU=": { - "items": [ - "UF+KvCWmqjc=" - ] - }, - "v4D2MQ0juoo=": { - "items": [ - "2vq3t9uIHqQ=" - ] - }, - "v8xZOX1QRJQ=": { - "items": [ - "a1t11xBocoY=" - ] - }, - "vVtLCflAlII=": { - "items": [ - "rf2B8kOsbjs=" - ] - }, - "vdDFAY9Qxko=": { - "items": [ - "kxOf8Qj7/Ng=" - ] - }, - "w44ayUe5r2M=": { - "items": [ - "x6EPNPHuyA0=" - ] - }, - "wFoBEVblMLk=": { - "items": [ - "3fiQ9klyAhw=" - ] - }, - "yYCqsWpfXqE=": { - "items": [ - "+7sAxPVt2ik=" - ] - } - }, - "datapoints": { - "+FLpKZQ5lewX56gNaJAKM7NhBsa3WmNYfqaROv/jOzDGfHOC5Uryi8JaW3urN+9WeZPGYMJuxq7IR7oCsynbTw==": { - "type": "\u0004", - "notify": [ - "b/U0hDuvTjs=" - ] - }, - "+NdW/fk8nPBkRteAY3/MkPS0Zn4M1rLmrxf/kBuTUexTIPfxxRbPmJxEU7QaUidgfYjeo03xXeI51li9MA7LPw==": { - "type": "\u000c", - "notify": [ - "asY/92SNBzI=" - ] - }, - "+Yh9XVql1G1HH/9F/LCDp/e9FqqjDBLx9OIY6JzbsKlUpJPX38MsHsa5HBQTrlEP8kZtoXj9XCz4hXwAOJ/nFw==": { - "type": "\u0004", - "notify": [ - 
"M72GpAmvSUE=" - ] - }, - "+gbnZ3JYps5zNor0/aGoxejEPCY6MgH8w/vEtzacWeHsqeCcvG1LeHHLMCJOaM0ka9Iq61Rj6mNxoJ2kM16pQA==": { - "type": "\u0004", - "notify": [ - "37g0aaJLTm4=" - ] - }, - "+llpC38ET/j9HEpm5ekVgLiQcUIVXubatylVEKr1nIjdBGZU92qO48KSozCyCbghqkX6H5sT2r7K+Cgxxr9zgA==": { - "type": "\u0004", - "notify": [ - "37g0aaJLTm4=" - ] - }, - "/Mn6ZAskf4jBqw4FNL0xwA3aItnkIrJSuPwzeVOF6fyum6fJbQX+du5oSSmx95Z6KIihRTnM4uN3fCgduoXrrg==": { - "type": "\u000c", - "notify": [ - "mCIBj/nyVUs=" - ] - }, - "0Hw1frr2Ghy1qXs3zWoEYyxXZ8NBDZDORtz2QfV6HpWmUejk+s93KGPaV6vfzs8JnYZQyele1UTt1mJ657W2HQ==": { - "type": "\u0019\u001bgroup", - "notify": [ - "cHKgOQqeh9k=" - ] - }, - "0Rnmvnd72Vhm4CEPubvEcGHgC/SARCNQNZwX+KJ9fZSyyewXok/sDC8Hb78Fcx8+vWL8ocr/pw03AUPjpqXmew==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "0zq768H7DheLJNj4rWweij/bMFrmVbz73klzg5ciUEI5IiX2fWPlcNDdsnTXncZuyyyd6Hucqp9EG7B0j/fiVQ==": { - "type": "\u0004", - "notify": [ - "2vq3t9uIHqQ=" - ] - }, - "0zrmJvG2MXakh2YxerlEkLULyOXTHiqK5C3/HGBueJg0MpCGGQwD1dEwh04xZcZt3gDrCRBR/JMx/yePP6OWIA==": { - "type": "\u0019\u001buser", - "notify": [ - "8BUb4aTsrqw=" - ] - }, - "1Q484HqqPwh+LfSDHxxJP+nT+CSncv9oJlJu/jnR4ggy/64N68fQIZgnAGQIQ73jwc9/TXy53Uys0HYPKHT0iw==": { - "type": "\u0004", - "notify": [ - "b/U0hDuvTjs=" - ] - }, - "1orSZYqsG5mohjQsCQ5e1wc5bNUYmm9gr0EM6ba3QgpEv0JC7D3y9S0DHh3yBnIQANp+jPbYbktd/LVFQTKxfQ==": { - "type": "\u0004", - "notify": [ - "IJFviUyRy/Y=" - ] - }, - "1z4JS3g6P93IbkULMTOi80I4VMZvhQPHFPbe1P7eAhBd5P7STKCxOlrGjpYLMkYJdJw5m9ruVHm69KktG0SG+w==": { - "type": "\u0007", - "notify": [ - "x6EPNPHuyA0=" - ] - }, - "2SzXOY0CMXn/0XchefuBMMcleHxtsgNaVxWCxCDNSE8wCM8VekLLFX8YlOvhv3NTjsp1mjUOeTTABrJp8oTD/A==": { - "type": "\u0007", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "2TEMIfVdcaC1ynlc1s+2E2CZjhC+bTA3Mb5GIZ/2S1p1n4mumZ8W2JWBQop1NL0ZiKbxNdG/PEnJM8lAnVJVlQ==": { - "type": "\u000c", - "notify": [ - "l5stUy8svoc=" - ] - }, - 
"2X7q9ADuALzT15wpysiQ2laqNEIyQ0i+LbC9gtuBkDRPz6qxQmEsxB1f+4BiNM/P+DPm6Cru1LiE5jizq9k/Ig==": { - "type": "\u0004", - "notify": [ - "wCLClynKKCg=" - ] - }, - "2ep4H3GDpqTR0NBAiPvRK8yJoEhTH7ikMCU4ufFyQbsDWOmWHUH75jVgJmT2AtHcEOEiELTtux8t8EBH1Ogaqw==": { - "type": "\u0004", - "notify": [ - "Bo1PbOhOl/E=" - ] - }, - "2hZ3z+3H/QD+mlekH8q+XJI8LKLWCorG6amoVQPvfWzaq07JXZgflggDlzI/ysKXy1pKUdzt+483lluQXxsJ4Q==": { - "type": "\u0004", - "notify": [ - "rdiYu9YBrxs=" - ] - }, - "2hl44nrMAPCP4jtrUfFeLQoCYn9EhVWdTyQhIKgj243cUZK4ApMnTp0Y6R7ZnT5cvuGy5zOmzzMi8s1iRx78Fg==": { - "type": "\u0004", - "notify": [ - "Fk08BM7hZzI=" - ] - }, - "3/Q5tVgPR3+fTUVL7lk872dPByOYdBJcDaXePxF3jvfGqPPyLFm+NpH0iOssj2B5sfpTxUlSquZXjwfsGEg74g==": { - "type": "\u0004", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "33G76prk7g5rAFUk9qH56UER2TMY81Ojpz+e5Z57XiqoT1WVMwV2T91Zr/+pL9zdWHl3sxsnjddK5f8nGP5Omw==": { - "type": "\u0004", - "notify": [ - "hOHkafTLjVw=" - ] - }, - "3oAY0vr6jLCvS4ss/e1XbulE3OvfT8TlXNeoElkPJD7QpWfF6X0U0A1CfGQ6EPAdeR5vtVqFsX2jJ0yyZ16ATw==": { - "type": "\u0004", - "notify": [ - "bp3otqYqTKE=" - ] - }, - "4KDugS+gx6N/Z/kDWOAoHYh0oj+3WMemzu1XIKjuG0WiUGaBfw4Q0/xSSSBq78qnySGYXykNQUddOUEYDnypxA==": { - "type": "\u0004" - }, - "4QqlCBUEJZYfyBp3vIYWFQiH2KO38aDKZlHHZFBR9c+UECZwLFrakyPGkcFtZisnQZJHGBw2+x0De1Acsn6fyQ==": { - "type": "\u000c", - "notify": [ - "GRTb9+snT/s=" - ] - }, - "4awOHxBIrhJpNXgMkCZGW2j+1IG3Pm3adFARFtow4uVIuuOEM95Ajymlt++h97lox5e8nQTEYS9ZqaAzr/HloQ==": { - "type": "\u0004" - }, - "4pkeR9aVMoyHrsgUBSk/hLbvFvQRO7xO/m/UsK2fvbAGQNaAtrngGcgXBu6R3pDLT+xl1BBllCbOD9FqZkNUMQ==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "4rBR+Mg2JY7TGnEGSWo0bAveLE8dQ2B6cgXjd9K5KCr58oNDFqhQ/tZWUHTMxOxmBDApjW1tTC8R3ZbKRQcRhA==": { - "type": "\u0005", - "notify": [ - "DlnglU9AfpM=" - ] - }, - "5EmJyvB3lckgKydrg+ZDaIG8c0S6YIb6dbVu/iZwioF3O5RSdHB5zi5KA7TmcVHW9SAaFdF6DjpYL5kExYACfA==": { - "type": "\u0007", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - 
"5OtvSFEzBwdqphuXjDliNh72Rk5bjHOJNaSSCU6FLyLhHAtJP78O6YuC7NCVaqP2Wh5H5XQad8clFJqtFUWwyQ==": { - "type": "\u0007", - "notify": [ - "odklnGewArs=" - ] - }, - "6CPJmhBW/Yi8SBDCAjarzRy+hRft0zC6GycQOr6t+AXwy7ubZ2p5PaxEkFEaX1AkYaMX2Zv6Nd032+lYvImqrA==": { - "type": "\u0007", - "notify": [ - "YzKm6qvXpF8=" - ] - }, - "6GV7OiQSU1fwRwmB2MtE0u8IG8j6PQJTDKj3GqbPCWek07rjs0E4nE2JNttpY+0OuGo2gk8KUE/saFGxeq2gYQ==": { - "type": "\u0004", - "notify": [ - "rdiYu9YBrxs=" - ] - }, - "6HmGwaXMa5JPppuR4h4o86nPijZ5l6FMM6A0Rv0GoN14xK+6EKUo2k8ye2MLRFOdWNQqGKsiV9iByeGom0nyww==": { - "type": "\u0004", - "notify": [ - "J6hJxGFbIbM=" - ] - }, - "6bO3xwKkWGozKNUTPkyL8PV3ZVKJgiAZehWr+ad9ftkSgZvziTNs+ViRhuUYBFBqY5VT7VXNUQW7bbJAhzXhWA==": { - "type": "\u0004", - "notify": [ - "odklnGewArs=" - ] - }, - "6tnI+IODYzgiF4YAt4QqVSYk2z7xAr4xCpKEVabbuxvAWYggnOwGkzNl4AzvgsKklzi5JghpRhIVNO1dcDCE1w==": { - "type": "\u0019\u0007" - }, - "7cojqQWwSbgz0Z6Yo7f8eWU2sHhmSUMdzK3Suz6jtoAAFplC8I5SLonXZAMMaIbwHMLsGoHCLJZQVYKDRHZqZg==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "86UNhhHIcs7lnQ4PR5rktsVF+LYRw6ZLJDqVThmUXyTBOIVjtC1oNryS/PQwFmBaA4DdcSLn4DSZmhh5gMZ1Nw==": { - "type": "\u0004", - "notify": [ - "ipWPgGu1OIY=" - ] - }, - "8SGe/eAOByVX8k8M4VoKtmLMczryv0UnPQnarp5qNL7QNl1dl3TFM8ikYa5UydfgiuNRV5bAwmtwi4V5Ns2MYg==": { - "type": "\u000c", - "notify": [ - "F9dO2WbRZkY=" - ] - }, - "8UFMaOXC4SMhWK+Vx/3T7dr6xt0crU2tSRurKy4l3M/pETdqnDy2+5XZAVoyskOku7hIGVb7HJ06XzuQhgvjMQ==": { - "type": "\u000c", - "notify": [ - "tInwDt/OfHw=" - ] - }, - "8bIrokkMmd6QBJZE+Or6CMcpiATUqRpKY8z3DiFVmf4jThbd3WWuk45nkNSd2pUhk8Oy7sI4IJO+iTJRVklcCQ==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "8cUjHaPePynVeh6gBJ7ifMRU4um+gxZrAlCE+OoDhScL6m8RipZNA758R2VcFkv7hVTdHKQEkZ+Wu9XUckKH2g==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "8ceZv4nMJ6CyIXdLGefaYS1pBYzTfJhIWYcuhsmOD8vUKbz19mpzmEJqxkoyKSPzKRLuaoKuacXqRvWBi8SHjg==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - 
"8dunMlc+mqgrLPexSr0BjQzRsY3H5KxgRLMNPWl7dqU7u7AuMGYCcL/59LzDxTU6v52s+sfNelCjln9pTEeoaw==": { - "type": "\u000c", - "notify": [ - "HB2SFqn2Fyk=" - ] - }, - "8e5F0Uss/rzCSa4Vaw8urUDQzIUN8criFQm+HhE88ybs2Zx13aiYa+E3Yszo9UCKNOycCubjdogZksg9s99yug==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "8ktE5j8gq7ZzcaTFCB2Pe+39AD5jirL1jh2VoBTEoDSYO+uDhx+7jtuNFrkG3wTOzVrc5MXl7A9lh6ebit617A==": { - "type": "\u0007", - "notify": [ - "YzKm6qvXpF8=" - ] - }, - "8uBTTkCJgjxtNfUKrXgdKcN3FsUaXVTuWlhZDb4zj7Aptyie5G2XwxlnIXUCZidQwpp+l+nXzp5ERezyW3xDSQ==": { - "type": "\u000c", - "notify": [ - "r8qj9bSt58c=" - ] - }, - "8uoZI/+B98JF1ttRd+mEEbqYc0Sazop0p9nP0KhvkApxInNpxIPDfVfaCF+SUVlovZcuJSokGz9DBrcL6n8pUw==": { - "type": "\u0004", - "notify": [ - "2wf8u5wH2Vg=" - ] - }, - "96T4zynKszgc6jaxx20OhnDDECatfT4yFBuyb3seoNwNLqlA6L6Oxpr8KK/Mpu37LgaqKaTHAcOXiEREYPheZw==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "9JRnRD0qcwHdUJtCGMTAJe3H1iY2xdZ5QNY+Bji5zt7EG1rgcxmWYBO6pOuPOvrDsHa8dnSx9hbE92vZlnyJQg==": { - "type": "\u000c", - "notify": [ - "rBwzICz8kyQ=" - ] - }, - "9ftsS7H8oR+l67+D+pUEq0XzsQwNzkagbXl2p6Z56usINgPigMLUic3gcqT4u2/9RFkPXyhy2ZJfaScNMsJsTQ==": { - "type": "\u000c", - "notify": [ - "+DsYiqNPUEo=" - ] - }, - "9jlRg9Aw1Ow0qOGynHMTlYbgY2tTDEQk9StXZkP2PrjSHhs2vkqwUMP5aavknve2K083MBMcgQiavFMTrF4/8Q==": { - "type": "\u0004", - "notify": [ - "7tgb/KdY6hI=" - ] - }, - "9kZ+qapWVmr6z54Lk2WG4mgsKRwbMYaf4Kz8++WFlLc8qpX8aUbjY3Md8sLN7w9Ovq0DXA9kwamGBX2623m/mA==": { - "type": "\u000c", - "notify": [ - "wCLClynKKCg=" - ] - }, - "A/mDhp8Ke4EcDup0G/Jzg90Rt7qzEbagKaFF7Pp0/+DPPqEnqml9pxH8Fi0HeS4whb+W4KFu33rB+AU2fcZPRg==": { - "type": "\u0004", - "notify": [ - "F6+YzMIB3Ko=" - ] - }, - "A3wWcqtvJW1cs60VNjT0Ln7Z1T5hv52l/nxz0MVyZdlOEixzc7tA3aTqz/Cou4TmnGZFsLx8NhNEue/S8LojGg==": { - "type": "\u0004", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "A4oy+4vsBhvr9q6X77MUAMkDQP6TKnETFKGw2w0FAPvhCpKaaTFe8Cp3Dry9e+D04RJoOkvcbMoDlwcCkftD/A==": { - "type": "\u0004", - "notify": [ 
- "q1T8EHrv0XI=" - ] - }, - "A8+p4Jy+yla6aHQONQE6tISwJJWFK6it96i6B+YG1LyY7nxE9Q5blZIOC9dvh+fQ0x7sHaD81udAeMWT0/H4jA==": { - "type": "\u000c", - "notify": [ - "qVxxPgyBfPw=" - ] - }, - "AC64T+x2vscRVx8c9QEqh8ehAPg1xWVtTrUDS92Qv2RaMdmrhEcQ2DJXtIgdLaHLLH9w5ghhkg38n0wmSZ6oBA==": { - "type": "\u0004", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "APYPrm+W1UGigbN5TlVzrDO+Hrlq6CfVKbx1kiafXbXiK35C2LpbMuUlQ/p5kzyRIFT8Mvq3u0SVe3O4bbj1jQ==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "AS51uFGJMW53h7ob3GRlxwwmCFMJFF6NGwRzh8R87HpKTjLr6KdPAJrLSAZsfm2BlkYRMP0YEDvna3CYJpFN9g==": { - "type": "\u000c", - "notify": [ - "trMPY/m1Uf4=" - ] - }, - "BK/Ej9OdyT4fNf/5esApfszzyNmFbjDkFO5VpTijt8M1OMe1JH3vW3cBcLBpTdhhDtUErzpyEvkLbT4kIb85tw==": { - "type": "\u0004", - "notify": [ - "trMPY/m1Uf4=" - ] - }, - "BMlXXUssbX2RHZ4d6xMhQ++WbjJyVSkXOukbMgQVonKMWAyyOUty8UE75eK4RxKsXYw4KJNuru/fahfZ+jOx+g==": { - "type": "\u0004", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "Bew26+9I2JcH1dcMA+xlT5ywGJbbtZ1Wz6Ir8uELosiokrGBGS4klcu1zPVoJARqm/ujph6o2RTWkxFj7rZ89w==": { - "type": "\u0004", - "notify": [ - "F6+YzMIB3Ko=" - ] - }, - "BgLeA99Goi7kQbICYeXMt9yRHy0gd0WI/OWhADS73Gx3xonVgnAi/qiiuTtTIJ4Knx3tNZbE9TPJAySzEN502Q==": { - "type": "\u0007", - "notify": [ - "xC65NlhGaQI=" - ] - }, - "BiPs5zSGEKUw+XVkVzfGqCp+ZzefmPic62b/oP2u355YUvBNL+ZATaRIV/kna2PELc0wx3koCiL16cWxLlnhog==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "Bl3G5VLXwc+NXi+z3kq91yIMzYD4h3GmAUNdubcmhT4Q13LAxuoTofW8K7S7qpM4cLBvjElF3KOJs8Cwm+3zDA==": { - "type": "\u0004", - "notify": [ - "ExXVbFjvhKg=" - ] - }, - "BvOP/FwD7axNz4mGuKzXL5SNFY8PiX0mpcRiY5QdJBDg4MUhjx9Ff+uDjs4ZWh6rdlKPKgfbJVWUWS5/BABqyw==": { - "type": "\u0004", - "notify": [ - "OCEygOhiuJo=" - ] - }, - "CQXUv/QbKcO1F5LvHFZ2NWFYNovHloaexe9lAEkpEll9s03HI4ecB5bwGd/DasLoHdaNambHL/g4zkz1siZb7w==": { - "type": "\u0004", - "notify": [ - "FaOlCtWE4uU=" - ] - }, - "CmBXM6HeIi4Z/inHihR4JaWbgp86LudWIwNvCeFDlJ6Co5NC/SJVv5nUyydTHwFF5O1pRLP+NQoEGAueAYy2YQ==": { - 
"type": "\u0007", - "notify": [ - "2wf8u5wH2Vg=" - ] - }, - "CzgWIO2USd4DO07LRlGgQSwlbJfkcyaEqBjXlXlKrMMdSkLUZDETAxXcFfbro+OR5MigUzyQhrzPsa8kA2G++w==": { - "type": "\u0007", - "notify": [ - "7tgb/KdY6hI=" - ] - }, - "DA/NnsalQYlID5llgp+8IQXiVmQNajMgNa2ZDrpEz93xSs4m8s/phKXqsSf6gzrsPjh+G4sK5kGNaWcwdwTEMQ==": { - "type": "\u0004", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "DcN60pVnUfRbi8gRNMwfr/9ZjtBwPAJerpntqVm5B/QY4sSszzHKGJkiUooAOC2vP/qvlN3lOWCPRgS6f/O18A==": { - "type": "\u0007", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "DeWBHFFMGrfuvC8xfY6tlz3tDWwE0Mj+kpZidZdke1R3HgkbvOzrZJcQtLGGmF0ud4C1f3wMcaegqMhkhznj3g==": { - "type": "\u000c", - "notify": [ - "5AiFtY/ZJMM=" - ] - }, - "Du9pIpUoqm70Hbkk8MN4QKib35zuHmPRHjPC99qQyzN/WyImA+6x4gpaODsnDQNp545XqXx/EjY1vSWhYwIrOw==": { - "type": "\u000c", - "notify": [ - "kxOf8Qj7/Ng=" - ] - }, - "EpnHIF31KeNgY/3Z4KyBuKHQ0kk/i+MyYbTX+ZWiQIAvK6lv4P2Nlf9CKAIrn2KOfCWICteI96BN1e8GA6sNZA==": { - "type": "\u0007", - "notify": [ - "3fiQ9klyAhw=" - ] - }, - "EqswKoHu8at6YVIKhPqhmCGbVPCv0n9KIodeAxtQfIP1V4ufJM8fLiC0bFhsFCS3IK8vs89fTjhOkwvOxOxpgw==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "EtsjaSPX+U/fgbbv3ortUdR+TlT8rJSkOpA08BbfSF3DzzR+iBKSyZtjvsGJK3SZVSaprKfHWbo85myP2VB3ZQ==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "F2gP+Hvti8Jum+RBqHYUPDrdIL6ptKFlsPHzSgeNSE8XbASqQxScL7VID2ujLZ2JbMfARhqNhDmZbkgBEbMvgA==": { - "type": "\u0004", - "notify": [ - "xC65NlhGaQI=" - ] - }, - "FO+22zAmYLrJJqSGmoWWCaSYrYwcrqpvxFjm/D/YuxBrxts+nfr5EHuXERXOJGrYHTsTOSKFeTz4qQ7jZhlLbA==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "FUnkOJnRVrw86y1SUZ6M2MMV5pZVCsUZF0Oe6VeUvKpqHn9hOtK78fsp/ykiTr84hWUpqNU8ql9oSADUdzLdYQ==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "FVG+Mf0F1AZbC0Hc+4nD0WCwsZNgIwN0eUILSf+Qp/YHOGwHEemQvXKia+t/XE4wNAgf8fUXDgHsemAOThuAtw==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - 
"FmSawyiUiZmNev6poHywTYW8Mke4Ef38RKXGrCEaAhNqTXywzgqYIj9C7PBm5jMbetZP2Ok6c3jLmkNy+975PA==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "G0bUwMGEwUqkQiCcj4R04tMFYAp3dSRhbU6dBPoLeX2lyTqPVGvreUvu5qov/OCoWc/Q5eaLopy2nQF9xeDEHw==": { - "type": "\u000c", - "notify": [ - "f6mYo4y90UI=" - ] - }, - "GJooG+LdPop+U+Vbp5DxdgrnR+z79QT1TbkyyUhWfRDBTd1SgwYiKqZbpoSj0JMhbd7ellBT98zy/5VyezkxXw==": { - "type": "\u0007" - }, - "GZ7LrOSbsY8Te595l40qSCgJlEHDh8yQ19clxbEUcvnBDqSqFtk084PsIIwwZ7bjVEyCcWIaBK4zyE8ijn/X8w==": { - "type": "\u0004", - "notify": [ - "WWqsPEuVd20=" - ] - }, - "Gar/zZa0uhvKteQUSwTc6Vd4oR0s73LLK/1P5WvkirK+y4sQMe3Xg1ky3fb50zdL/0e22C+9MiTt66gCJnmOSA==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "Gi5t2U3DUPy8J70hGESQ/b0THs3nSzau7IWwKpIQwoMz05HXYKv4POsfDMzMMo954vLLq9w6aaNsM2Zu31JR3g==": { - "type": "\u0004", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "Gj9+usVcjqfIAI6RcsRxLyzn1O6tiwA8hMnv3PnPdeHu0fr7Q+3pvDYU7N2W+AXjkrCILhAqROq6kmIuTQ0ONw==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "H7H0YG5evkzzLDZSd6Ayb6abAXcrzwkoCcfUXx1AmiAOybkTo7ujzAM6rwO63/MF8k+IkPNQz4cLNqT/1KnYnw==": { - "type": "\u000c", - "notify": [ - "gfAMlogoHtc=" - ] - }, - "HNtymDAlppcjoO5qKUQJ8H2VuJj8i2nTxOEHIDJpEQpROM0y5O6f/EBWqvPAFeN8w9IWIVYbQsQLYgVstVrZbA==": { - "type": "\u0019\u000c", - "notify": [ - "LOfvwFzXH0k=" - ] - }, - "HTqFwiLA1CVihrm2lHQw3RPXDqVeAn7rdfG/xVYcVPeg1uPowJqyvlLmMpVTqOzC94oBNNjfLAFrrdnZuIQxtg==": { - "type": "\u0004", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "HiRsCn4BtfM/kOrcrqt0KhkRzvayAL6Ujv45DEVZFOBpnI1lrDyBTD/zrUnhZgtJEph3504F7jnTh9DL/Szgiw==": { - "type": "\u0004", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "I0hjyBsckneqviNyxZvm40SXzWfrkVK8aUraeyhrlbWULlyXqkqZ/5fCdIqVk33Bw2xv4kScY4wpTaFXUrVHXA==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "IDsUDSDDEY2G7uuP6yOX2DgME5Ok3xNxMZ4RxZcyohVb2kmzpjFG4mRII0r2DTu6+HyvdmIZAfA7mfc/YtibSQ==": { - "type": "\u0004", - "notify": [ - "hOHkafTLjVw=" - ] - }, - 
"IH9+YJrb2/NAQcKqnSKgY/usvm47+Z1WJMykcUwLcAp4n+YZgMDS1sRuFPg7RDMy4+IVi6HSALbguCRC54gKHw==": { - "type": "\u0004", - "notify": [ - "hoIR5YttHSs=" - ] - }, - "IHg959aO8XIUu5D7yIqIkBZWkovtA0z2zHICs2B66FNxr5k7YjVfHnTy5GJ62oAhnW5eCmDcQ1rg+B5DwcKpuA==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "ILZLlydnU83Qutf3Jxf5qVeZVxovo9CbteXyPqGcc30Ylw7GkHi8DJlfAidOaXMlzcWYNUedvMmTl541mQnicQ==": { - "type": "\u0004", - "notify": [ - "b/U0hDuvTjs=" - ] - }, - "IST1ZdvDsDGjKuLYOXs65bC12j7ZdGqtG7i2IHJ3agA+CYQI7qGrLdARfg9kbEiAm5Mj25LMSJ4Jg0TVOuYZoQ==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "ITQGQayBesQeWSIP+pSl4l7PewePex4n6NeW8mQ4dYj0RZmkyHJMSntT7JMmnPzIDbx08Npy9muLiJ1iCeWuyg==": { - "type": "\u0004", - "notify": [ - "wNzGhwCy+54=" - ] - }, - "IUi8QP3v31aGPWF2y6MbvKwopOM+vyJaiI7bEd3YtxNehCOILFVcwfTB5qey/NIJrsRm0+U1u1OmBWmeSfheJQ==": { - "type": "\u0008" - }, - "Ir2l+ERpDqnBWcYsdKRiCThOfFbijW4rx0n7u0skYd2rChq+xu6dzijBQotLvG/9bABGeOhKa3zyngBRjDbQGg==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "JH8cNO69T5qeURT11c1Lxp8k50E+YMuTID2aLfQDIrrVerGFOnKFekVyH7t9h/q0D27ULF+QnDiDPz3BMXkQ0g==": { - "type": "\u0007", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "LDbUkumzzPbLp7/pDckgsILWn3KZ7ObhQYSlrXhIFOx/mT3sCkFESEkblFMrxP1gKqlZC79GyPjX01RmTwhMjQ==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "LIa61qtxHtFYHfQVJ2Dv5wHakCDoFzq8QGy7nQmjZimSHhmlu1QvdBf03I60m/ysrhrOz9nu45hLjv/MQZ83Cw==": { - "type": "\u0019\u0007" - }, - "LQI4kSyEWe0b+loFuW81yjOLS9ZR7GfI95ip+OjaslpcFOsyWoqYNQFKwfPeVSo990hscaZrfYskDfSjsmewhA==": { - "type": "\u000c", - "notify": [ - "+DsYiqNPUEo=" - ] - }, - "LZn2A4hFxS9SIwnrhbdO23/FsDqYloIFeq/TIGsFRMtAjZIQNyN3rys+D+K+jk8+YCCDxvOK2S7YKtLK3pnxqw==": { - "type": "\u0007", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "LwG6xJU9JZX6iZWKClMIAiSdOCOK2eYRjkSek6p35RchB24m4lBNEtdQ3yfFsT0mHQWzB2oHklPacXM//2fzCA==": { - "type": "\u0004", - "notify": [ - "2vq3t9uIHqQ=" - ] - }, - 
"M90p1SlYy8aGJqaPLQDAjGwSIqtlVQT7mhuB4TN3b3wRCiqVmcK2mj8Plmd6m7iJRaPgXfWYfldOICh1fkAlow==": { - "type": "\u0007", - "notify": [ - "hoIR5YttHSs=" - ] - }, - "MSCn0tYZSDbDWTtqkdNMIjnf4dqaXrXq082iZS8kENUHR+ipTf331ToMU/3KVj1u21A6kqKPhadwtLDe3QD4tA==": { - "type": "\u0004", - "notify": [ - "wNzGhwCy+54=" - ] - }, - "MW+3iYLfzJOV6LheuCXO7XrsHQ7RK8rwvq90y/cN3MF0E3p5NoZbNw54OZFsAUh2IfzkzEv+mSUbi0yMfLNbAg==": { - "type": "\u0004", - "notify": [ - "37g0aaJLTm4=" - ] - }, - "NwVTOxC7KUWOY7jrSRoToyQi+IIyZ4w/t709WpL/kOSsXILju9FaLVvIoVvhjSEBTuz/Bh0crl07oEndqIEiIg==": { - "type": "\u0004", - "notify": [ - "Yjlih5OMwQM=" - ] - }, - "O0TM2WX21Mn5KWqEGYXzD+L+hz2s+gzuEJ/K96MOraWtctcUCKxCIcT7s072si+Ow88078gNgt1t4D29UR1ACA==": { - "type": "\u000c", - "notify": [ - "q9hCkzYVk8E=" - ] - }, - "OEKbMgyOZAHhOy62hpEKCXuj5FvXJpqwCH3QQ+bv2//APoMsncnk6rwVzuexbX7BxCDy8JKoP8zWeh5uu7h0LQ==": { - "type": "\u0007", - "notify": [ - "xC65NlhGaQI=" - ] - }, - "OUJ6AqspS9kHdFfta+yMblV6pLJv30L0LeM2w+b8V7GeyErnRHogKvG5sOA5+k9lBVicaJDHx9+aUdGM4aAfRQ==": { - "type": "\u0007", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "OcxjyMNzPsQob5d23efk6/D/qbV2XftiD+stAvXITuJOOmdoVb4hcGjt+IT0AldkoHCFowQ2mx+Yhdj0ktI5AA==": { - "type": "\u0004", - "notify": [ - "8BUb4aTsrqw=" - ] - }, - "P04l/SVZ8q37LNV+3S23i++GVfIIERbWiu/BQ3eO/YMAj61XnujoRqFwn7ewWNYyGGaQWln/A4nS0QysMJemIQ==": { - "type": "\u0019\u001buser", - "notify": [ - "FaOlCtWE4uU=" - ] - }, - "P7NCsha4tc0uJsw18p7lShizvrPkjDEPTYHcpmkvNxVsknAsDCopYTyqWHUKYCttXnVJl+YNPcHTMFCgAfaGsQ==": { - "type": "\u0004", - "notify": [ - "rf2B8kOsbjs=" - ] - }, - "PS/glCWsGexFLW7Nhgox/z1A5qkdidgcxlMRAeKKeKxH2vf+iWqGt9aGLdNfr+vLlRUV+6aYa2qdrmnLKsESsQ==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "PTY+FI8gohl54qYCfktH+iDEdCbz9/RNm6yBWDiS0yk/PHBZ0OIVhtrUrOcThQHcHqEMTC4fh1zP30KlfMUhpA==": { - "type": "\u0004", - "notify": [ - "ipWPgGu1OIY=" - ] - }, - "Psg3WACh4u236x5BUCKYrxVyBbR5tVirhN71jyV48L8yTB0r1aVVWd5ZwDo0/mLLpMCch69rCGBbBouKK80QLQ==": { - "type": "\u0004", - 
"notify": [ - "WWqsPEuVd20=" - ] - }, - "QOFfSIbWLTwpCLpo+1GAxVdsGnsJZqOET2xTkNl7+uKpj37GCf5UTlSUsS9j50hC2DWgW5x3uK56ebTZOFp8IQ==": { - "type": "\u0004", - "notify": [ - "wNzGhwCy+54=" - ] - }, - "Qg23cE59V3fbsxZHV6hb++orVpZRDndy16raKIga8KcVZEnh9zCHPIkq0ROjKr6pihCAiV5bZGXFafD7sb/LYw==": { - "type": "\u0004", - "notify": [ - "YncB6VYFcUE=" - ] - }, - "Qls4K6b2lNRR7kYRgufwRTNo0pJb+ZeHPeNevpcDzVBegMTpq/pB2ZwZb8M/JEWCFgPyJ4c9zVeKrYyjNVxvXg==": { - "type": "\u0004", - "notify": [ - "IJFviUyRy/Y=" - ] - }, - "R9CbwgrZtf3mdDd3B38lp+I4YSj9+eLNixkV/LX6xZtHHmVArOZ4oq+SzG7zq4eoG+h+M0ZUJVXgZJf8EHqJLA==": { - "type": "\u000c", - "notify": [ - "HrdLwxAG9S8=" - ] - }, - "RGLi9L+1KOoE89RZUjYiX5A7mQcnzOdJfemDJwkmeXCW+g80VH8ckvotI69iGUBBOg7pKcpujQiqqREZUnyNNA==": { - "type": "\u000c", - "notify": [ - "+DsYiqNPUEo=" - ] - }, - "RIXqENazJEYi3UKFGKE7D3YtgWXPysCYDrgFuJoGJL0xxS4CpWEk87GkV+8mr2Qro6LhzTENSEjWWq4LdJ2Gvg==": { - "type": "\u0004", - "notify": [ - "Bo1PbOhOl/E=" - ] - }, - "S0pi0XR2kSuGxhNT7T1roRClJpvyWDf2tbqf4WiaICdLeN4J+5clf8CQzREt32vqpf9puBNedCGXo27OvRaflw==": { - "type": "\u000c", - "notify": [ - "gc/KYwABUHo=" - ] - }, - "S15ke1jyhUQZU7RJoaUCzkC9PSGcsJF0TapDgdbFeZJCkDecPE9y+xTCCioVyL+8MrhsH8fypYGH5jspOQwlHw==": { - "type": "\u0007", - "notify": [ - "2wf8u5wH2Vg=" - ] - }, - "S8lNhwOSBd9n30VQv2cNk5GAxZVGCpO7qwxlA/icmV9fDENhtEIIxpZTtYD0SHwg/byzphUaSjhsCX5g3AYaYA==": { - "type": "\u000c", - "notify": [ - "Wk3oqgABlrQ=" - ] - }, - "SK/o4xUKS07SVHcJ8c7HyiveAf3mx66Ch7KCFYBhRndmQNGzRMM0CuSXN3dT9ofnlswBzVn/6N2SbIcfXN6GMg==": { - "type": "\u0019\u001bgroup", - "notify": [ - "B+SrUp9v8vs=" - ] - }, - "T7fMhFYEhLaVsDOxq5g7abILl3jGU2uY2rYt/Qs9FSy4g59OUlk9ZduzUqpZsvxaJR/jsUHmmFS07FCgmOyh7A==": { - "type": "\u0019\u001bpackage", - "notify": [ - "ExXVbFjvhKg=" - ] - }, - "U4jpoVeHCFHM+c1bdYWYdibzIPmWF2ooOkcDTP0zCLegLUTpUFkHfqXYVrZUNtiiAlIir0YAZIXCImKLaG0gWA==": { - "type": "\u0004", - "notify": [ - "Fk08BM7hZzI=" - ] - }, - 
"UW3LUd8B1sSUCcmxCP5UK00uu07zfy8hJ60t4b9gIkO7Xb0iniP4ZueKNNqMQcp//QzU+2gN3UjvA7dwzkEZ0g==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "VDF2BqBgRO0jAcc7xNXWPgEvYibW0IYDBziUPrjj48T+pW8kgbGgzHoD6KT5vte6lwk5Lbfdvm+/gQR1b2MSwQ==": { - "type": "\u0004", - "notify": [ - "YzKm6qvXpF8=" - ] - }, - "VPya7C/SUB3zkyI9G/PHS1fMpKB/mwlZFTacUTvGcaJpKKm2Z1pk8rnlOWoBirIXB/uwatCDXZhHm4hkYRA1Ig==": { - "type": "\u0004", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "VVnYhVXVAnU+veH4gJoFS0giCDBaRxUfTeMCVuvd3506oR6a8XtnznTaJdq79Q4PSgmRouM5CQF5GD5GxSRuVg==": { - "type": "\u0004", - "notify": [ - "37g0aaJLTm4=" - ] - }, - "WxnxFhZSt/9sHXVH3/sOcVkg3cy0iYQYFPH0j0dLE1HKYHo0ek4x0b27UN55YRUxIAlEAQHvuigZOfE2Q7Vn7Q==": { - "type": "\u0004", - "notify": [ - "IJFviUyRy/Y=" - ] - }, - "XJelsmn2fxcKhtzns+v5RW5ToKmYNchfQaXLHp7J7oq1MC0gOmLh3vP14JCubDNYLDbrcsgJlGq7r2ifeWRP4w==": { - "type": "\u000c", - "notify": [ - "XIWzHxrQD78=" - ] - }, - "YKybcqFlSVq5e53ktJl2i6YwuQWu7rwnw6Vgkfatia72QRz7X2UxgxH/ykyIZkBN0yEQeKzdZfs+CONljF3kVA==": { - "type": "\u000c", - "notify": [ - "trMPY/m1Uf4=" - ] - }, - "YYAK4Icx9FsHldCezgriP+T0ZNqtxiEzJASBFGl2LVQWIV42JaztEw2YCpRI5yqSg7i8aMkgFLXahfcyO8AXJQ==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "Yf0tllxJIfamfaKoK717rOjxx/WUa/BVS7MBf7usG0wJS0x1BOxDau9XsChJD7UFaMSF6Slmkn5okupQ0ynNLg==": { - "type": "\u0007", - "notify": [ - "J6hJxGFbIbM=" - ] - }, - "YnnnuDaHNjIagC93pwvniy5mz1x5nj4HOSgqY6Z/nlOGjHnwomQcoW8C7oitKk6BwWRaZLGq7J12VR8dpviL7g==": { - "type": "\u0004", - "notify": [ - "Fk08BM7hZzI=" - ] - }, - "Zb9JKktYY15FaJD/VY/lLG4HnO+Pg7lJnO9A+FNmdpwm9QSwPGyUQg/QJ++MI2eDXlFidS9Y4b+zU8pCQ6z+4w==": { - "type": "\u0004", - "notify": [ - "hOHkafTLjVw=" - ] - }, - "ZxGX5CeatMRX5xdzIKKmx+BoaNQMHrx3r2lq0XUqjTnvTNe+WNBUgXzCZx6jQ8zO0X1CgPNjVT8q7rFRjByxyA==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "aE+97TpJoHCNA2psM/rBw/Hm56LB4UZ31yK4u8ud/oWjHCFXUPkAoVsasyY0W5g5AwE6vobp3ePPkjox9/TZsA==": { - "type": "\u0019\u000c", - 
"notify": [ - "caqgyF1OfnU=" - ] - }, - "aG7oUlIyH0BK4klvDQqsSbeRERfPhyfR1CvToYn4IPcrWZ2bsEkv4nTkHsDHTXrpQmqJRX4jye0IibRgTFLbCg==": { - "type": "\u000c", - "notify": [ - "Gpe1pDxHTmI=" - ] - }, - "aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==": { - "type": "\u000c", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "axLv6u+XdIU4xf475n9moiwlqjmc7rQM9FoBeoOqdubJN7a6jgPagSLaaDkSdCbfhvChgqY/hgLrCr1nbJOAMg==": { - "type": "\u0007", - "notify": [ - "Yjlih5OMwQM=" - ] - }, - "b2aHj4i8ElsTVzjhQHkFoBO2wb0wwg6oV86TQkwyvceZ6/ODwBOxEmFV5VBy1sABOuo8/3rx7AboacbbYX7t+Q==": { - "type": "\u0004", - "notify": [ - "SwBOSpwuh0s=" - ] - }, - "bGMTWjS8G8F38yCeXzCDHKy8EvB/bRtPE028HBzKvXDZWtR/GJPldJE35GVsdpBfuQ7lKBH5CBN+CkwKzWRvqA==": { - "type": "\u0004", - "notify": [ - "2wf8u5wH2Vg=" - ] - }, - "bMaURaBtAc6Jj7yvI7R21BMGzeFTGBQ+IzVys++98Na10i8k5c1bGoI+XJn6TdjG/wjuDRefkC9YCsZv2tlY6Q==": { - "type": "\u0005", - "notify": [ - "bp3otqYqTKE=" - ] - }, - "bRLNP8PQtpuGWh4o70+s6qYPjGK67tt21tAYdjYmz/8E4Fc0i1lQt2FBYeOjO+yP6uD4E4yVTJcaHOXWjrr1WQ==": { - "type": "\u0019\u0007" - }, - "bTC8XOSslLmdTVa8aoLAVHLzWTW8NUMWiboO6NmLn7jkfkf7WVFW4J4jsxyCcToaFSma2sfvUVqvIJ2N87TDHQ==": { - "type": "\u0004", - "notify": [ - "WWqsPEuVd20=" - ] - }, - "bhGy2REVqCNiJpsR0UBE/BeYtFO4NEA/MFuPk4+oxk9WffIXtIvfoiuv9vhtDgIbhgjxkgYyhTiN71WJXXmdMQ==": { - "type": "\u0004", - "notify": [ - "5AiFtY/ZJMM=" - ] - }, - "c39zkdJcvrg+Hn0dtX8E18xILw4stb2Ycmm3AJ6YyMM5zXCdEAbm4Ry6CgKcmayGB/yBJ4+2ouG8BmWG00Dn6A==": { - "type": "\u0004", - "notify": [ - "Nf+2bmMwWoI=" - ] - }, - "c5/3LWjS8cISVkA4BHjobYGj+nEVD7Bx8v5lSN66900QhWObHCXkaoD1aREVWEMOUgOhbznuM9kP4yruR1IE/Q==": { - "type": "\u000c", - "notify": [ - "6rYTCE3mFMs=" - ] - }, - "c8caaEkbopMInAMKW3eQS8Gb9nm0n+YiyaYC9sv/aNmmiXClKX7XBTXsZ0T0m7J49wlGVkWNnxERfqoieAFE4w==": { - "type": "\u0019\u0007", - "notify": [ - "trMPY/m1Uf4=" - ] - }, - "cECmHAL/CDvWg2HwJHvv9eutCRWVXOH+NcmshZ5rPOp0Bm0dbC6MFfrS3jr4xHqL0GRYQZ85zLSYCt1FaUuoJQ==": { - "type": 
"\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "cF+tsnDWG2CvuAeBD4gRVzVuG37TWQY4n2KrJydeBfal9f0GPjBtrsvUH2rgjisiRJ7WJyPU2DZ9bDM501M0Mg==": { - "type": "\u0004", - "notify": [ - "ADa6kaPcpVc=" - ] - }, - "cO77IKw5EkPqToY7apbUwCulN+7JxfM2cHWtX0ktw3WdohHDHwLnXbijDIHOdfcBERqbCjONpXQmQFuDtiP4zA==": { - "type": "\u0004", - "notify": [ - "/fHoNZrC5V0=" - ] - }, - "ckDgsvvxeDY8SW4iynyWZJwvin5Q10LZC8FNmo8bUESGsqN6tDpzL86bg/VAc3lryB1b76Po6i9H3oPAIzEx0A==": { - "type": "\u0004", - "notify": [ - "MH3QfVxvZdk=" - ] - }, - "cm7An16B+A5QMckP/ANRZg4l9d+xkLoI/2WlmSuh7aY/waN4LvuR3CX51PlRjWCDSVe+12C7ZBmctsS2t5Gsuw==": { - "type": "\u0004", - "notify": [ - "IJFviUyRy/Y=" - ] - }, - "css39sWQMO6tTsWz3+RuOHiJ4PGSGC+SMU6xj6NZpFgc9P0dVnpo7z+LKvHimTFj+JmbmG3wuz/zJgAvOHsaaA==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "cuoKzxoXtROWmUOnqcpuBoRKmPijpMoj8XG9ORlkjfW3g7t9w9S1f6Uc+OFZns2ERdZKKQ9WIpfq4Wb72c5sBA==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "dGWI13GNtjPo+JUEvza+zezln68HGoTb31IuKMHn2cQOls6vuacUlbSe/domV3y6i5Cts72rA+f5v2D2dIGLeQ==": { - "type": "\u0004", - "notify": [ - "xC65NlhGaQI=" - ] - }, - "e8NU35DTutWpipxRd59KyBjdEwIIjABAyM8lAo1vmGf7oVqqXBI3sX0iLW1AyyRCcohaJs6Jyv/GgjYoYYXe9w==": { - "type": "\u0007", - "notify": [ - "Bo1PbOhOl/E=" - ] - }, - "eCAQoxHoz5Q6JByhB8uwBxApChkW/Oijwn3EFj/RleSCbkjwXx0xCyxxZNXeGtuEQ4YSa8Q4vNWfhbR9gQzGqA==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "eDoYMDFnVFpyI8L9OND1alTXuARvT0V/VbEztMhrV4P7DxNi2s3ek4j9/JwNwNHwh5dC0f62NCjhcBQTHNFSGQ==": { - "type": "\u0004", - "notify": [ - "DlnglU9AfpM=" - ] - }, - "eHR1t4BEPJ/j+W5hbPutTgHaEGmJ9HDUEyxZr1F6KWyhHncOMtLqdsML1uTL1St7vUvUQ1Xwzpbdb4rXqcyqtg==": { - "type": "\u0019\u001bpam.conf.serviceEntry", - "notify": [ - "wCLClynKKCg=" - ] - }, - "ee9c3YakPa9Aa2nbcI+Q4z1qlw7Ffu76GEjJneNybkQnVRX68n/SZYOcqgZJzWrJJk2xUrD0WfhB/qtWdoiISA==": { - "type": "\u000c", - "notify": [ - "26czA478iYU=" - ] - }, - 
"ekR8u0hhKZVtyDM8cTZoUBlpUiX73J5Vdk0iq7KxPdzpQ/htnmjTxMlDQzQRq5D2tSiSe2lUEqOmJi9n7hB3Fg==": { - "type": "\u000c", - "notify": [ - "SXcatTHDkzA=" - ] - }, - "fG6usPd0YnrgIfRmvw+JtIyTIm6gRx7rUspU9WjpN2NxLhmBu23gM61Rnb8UYwZU/5T/29W+NZwdFtqwszz2gg==": { - "type": "\u0004", - "notify": [ - "+7sAxPVt2ik=" - ] - }, - "fdiITVkkL7djTy+vzAEZEah0OX8kyBLAc2cX4/Ct3ydPoageCCEnHeE0HSK0BCpY+CHpPQ5++3zb2G2mRMkotg==": { - "type": "\u0007", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "ftWI+tQ7kr7aS8pCKdvh36d+Xf8P1tHlgdYgKCF9Cat9aTM8/QTanMCL207XWPevmTTc/cr7qcETVvsLbezJ5g==": { - "type": "\u0007", - "notify": [ - "J6hJxGFbIbM=" - ] - }, - "g/FdeJsry0Iob3YFq+ADQ/HoaF2XvPZVC5r7wLFtH+aK1/8b2PctWYMmXYQUoqpWNvcYrne9fT4NbuRj1UeYyQ==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "g4mvK7a72NmW+ikuFqlbSIUKktKkEZPp14ybdznUdSto3A1G5wXNk/0jtBZb4GqVlgl/40I5K1hXLg/Uwq6XBw==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "gCv1HOcfAqZONuizxGcTskMQOzHPwWdlXlh+X3sddJPvFCPQVnCPsvUQTj0WPKX27mxcAlMGcY01eRvfjl3tTg==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "gIecnntwy9LA1uepNDXli/u6f1vosRP2gHeQfmGMVZZfWB+mW+Add+x/BNULNRsn3PXT3sjDmczHmIm/rKfrZQ==": { - "type": "\u0004", - "notify": [ - "F6+YzMIB3Ko=" - ] - }, - "gUAmmB7CV/8tcMAf3tfmUs8W443zD9zdEFfIv4ApV8+MP9dCLkPE3Z6SdFNdHXnGI0bIAUrVYhPbMcgyO3djMw==": { - "type": "\u0004", - "notify": [ - "q1T8EHrv0XI=" - ] - }, - "gnQzZeSAHrQV35V8XMTtz9hHVuRLLkmvsgmgVe93eDzEWW9NrV/hP7Wu409x5z0m+ZibsdLlck3xAamyu7arLw==": { - "type": "\u0004", - "notify": [ - "cHKgOQqeh9k=" - ] - }, - "h4/M/y9CzKUQs557Hav4wXcwivYv8MBFAhKqkpe5LQK7hh25IM/c/wOezOY5AItW//UvKEEGYoRxAkMuyHbkNA==": { - "type": "\u0004", - "notify": [ - "J6hJxGFbIbM=" - ] - }, - "hFV0aTvVoeOeZGjZ609/dqTrm1U0BNM5wrd8dDxpeg8b2TQ2SQZm7gSfxYekFOGUcBaxtFXCQJ6lOvYEpAtPJQ==": { - "type": "\u0004", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "hHTMpuhNT8Svi1v+HYkGybFolkjy8o8iSK6Ly+ni5BgMVHjdmwsmUcOv5Xm8UD6L+8GRaAfLj5IguZLXNq32iw==": { - "type": "\u0004", - "notify": [ 
- "b/U0hDuvTjs=" - ] - }, - "hWapq7Vs/8xUp8H3ROntjhDB51/ESkKuht/gm3QC9PvwKETBbLFXVMqz7wqqy4xszM/Hcl335ytzedk5Mr023g==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "hrm3ER6hV6ZNUj5VR8YNdibq6mFjn3sPiwTZs9/hbV0GpRMVu7cRFBxin8qzPVABTQNC5oIMYwAulU8xsKDwkQ==": { - "type": "\u0004", - "notify": [ - "/fHoNZrC5V0=" - ] - }, - "hvlUvYbt+VSP7fXSlUN3KZBoMZxiaU34yuELARGRy5FX/QnZGyRahDTqg/Vn1vu4Ykisgvek1k5Nfufyjw9jZQ==": { - "type": "\u0019\u000c", - "notify": [ - "a1t11xBocoY=" - ] - }, - "iAIBOgoeH/oEga9gmV7CijCXdIgyrTVEoqCzFVQ9Z0Fw053lti878j1bZ7bt7OWs1XFL9wsCAIIceJj6Hd0KUg==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "imjB1X/SFmyvCGxCbQe6hVyOwuk12ReJysp9/5D+tLqHoKQ7oDgpEt20wrOdCuNEiHt+uVESq9MDXu27PmTe9g==": { - "type": "\u000c", - "notify": [ - "xSmnkDOzk7o=" - ] - }, - "iykh1W5pyKwek4E6kvkmmNfNkhspQ/rb38V/ZGdJkb+sMPOlJ36BCByOYxoJWxUHOrF5rwe6fj6N4nPNhp2zdQ==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "kDT7tazDf6/cVbc0GfeWtCPyLzywXsyhYxTslwIGBb+NXKYCMJ7PFAUUCeYu8vJ2qlySfA2XcdNuR8HlfOz/Ew==": { - "type": "\u0004", - "notify": [ - "ipWPgGu1OIY=" - ] - }, - "mPEGs2WidZ99bMnb40TuzCEuXKG1SwjvYrbndoATAL883HKUtGdEao2JZMC2fgYy9GqT+RErVyj2+7q3QYJdyw==": { - "type": "\u0007", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "monNXjgCTWD+LFMcjPnay0oMaVs8w8PoMcB+1d+Y6Kw2dw6MzptF1CeOsKmc6MDr+TNxss10S9Kt+jKDH1/5aQ==": { - "type": "\u0004", - "notify": [ - "x6EPNPHuyA0=" - ] - }, - "mrLRYbwe3OPQiVQRrOdjnLdDbFSxPgEp21QsWRJNHRKljQp1YQ8c57yix1rxNOVJRKLLrRDbJ4QMpfjT+FT1Cw==": { - "type": "\u000c", - "notify": [ - "Nf+2bmMwWoI=" - ] - }, - "muV4jN4TFTiuWJB/g6ii93olYgu6SPnoyUT2Wo//MYVeEiJQBIgecIlsisoLidGrvrm4fwbZwNVZzYxxME45SA==": { - "type": "\u0004", - "notify": [ - "M72GpAmvSUE=" - ] - }, - "nKA2V8XilTkhsXf29Lb3Se/BvaoF/GUKQo2905GRiDXdFetqS2hQC0SHj27rxPNmn9Pknkz4mc/L+D5pcfTysw==": { - "type": "\u0004", - "notify": [ - "ADa6kaPcpVc=" - ] - }, - "nMIXrJy6379mDHCqk62PPnQ8Db7Jk9wRIjXZTH+2gyM1tgDOI+nUx6V8/ZF77XdT4K1DxU6gRpQdRgylQCr/hg==": { 
- "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "nOJq7YRzsF+rUkXm0tdEt/vEHBVi5XGSI3xGFr2Q/wmrxnNlLVBapmZHPY1VtAZ9+JPXb4mwdrU5hZqCC/TWQg==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "njtujCiYsraOMuKhSZRhpLcBwu4m7Zc+DmQfYok+vwgqhLmhWpskTVAG/OwcxCZX47FpThQxeWI5Q99UieY/iw==": { - "type": "\u000c", - "notify": [ - "i6NRidZtzoI=" - ] - }, - "noIPvQvXBfHpIrSV6FTP/mbj6PA6oisRfSw0ycYqbqNCzL8gJWe7/WJzegWiHtRVqZTFz9i84ET0bXYHYU6heQ==": { - "type": "\u0004", - "notify": [ - "SwBOSpwuh0s=" - ] - }, - "oOzRmEmFcbFFs5zfJmdhslXZqc59DvavlFAyU7uNmcIu9aZae6wA+xuD4PKTv/dPo2ulugJyP5faPRPEVBwloQ==": { - "type": "\u000c", - "notify": [ - "YcVynDftNDs=" - ] - }, - "oVgYUs+UjAhHjAX3/+J3LUtAAyNDWzy1GWDAjY7A6Z4DNKXR2cqSDUcFzp2D55mOgkATFHCTFQbNBxxmWSSHfQ==": { - "type": "\u000c", - "notify": [ - "+DsYiqNPUEo=" - ] - }, - "ovQ4B6zwpM55WtaXIMTsN/zUyOKgJWVAIPkhxbac+9DFbVrfV5lo9bWJlXjBLko8z+/9YakmOxruwOfr09PPdA==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "p1JrZX0HeoIB0UOxjea3ENHaM+Br7HY2T8ciIwmq7S5bS9euVYzxy2U9C6yIszGPYziFKJFnPQfU4OmPcD37KA==": { - "type": "\u0004", - "notify": [ - "YzKm6qvXpF8=" - ] - }, - "p3F/KpWS4xZ6/b2tTruTSlkzuCMB3Eb4eczHjyBRhos3UkUgCACpXsERvMsLR6VXN+87I/OuPDcHYOrspmWqvw==": { - "type": "\u0019\u001bgroup", - "notify": [ - "wCLClynKKCg=" - ] - }, - "pn0dnCrSmSDr37lX+RuadWwHGCcttcVpaGWPR+n3fCWghgjCwLZUaXwEj1Uxlt7L8t4DZ+RbV3JicgH+PbEp+Q==": { - "type": "\u0019\u000c", - "notify": [ - "UF+KvCWmqjc=" - ] - }, - "pnGXwr3IchwDKSyJ9qAc9CQZ80zFnWLTWPXF9COdLofK3PhSVuvZCVuoDfEuCuMrkdePxpwhREBjb/1zh9cECg==": { - "type": "\u0004", - "notify": [ - "2vq3t9uIHqQ=" - ] - }, - "qc9zR33NhGkZ7XXzeBx6YXQGvJ4X3YUHtodIUfpHayleyzPT3UtJ/8ymYYqK/gOFrARY4bnENGvGCmJFW38rRw==": { - "type": "\u0004", - "notify": [ - "Fk08BM7hZzI=" - ] - }, - "qsphraTZngyQKJh0BN8mX14uihYWBgvhddZTAd2CFdjUnDG4J07NfaHRxHNp14hbyu0gt1haoG8rD0zzR4gnYA==": { - "type": "\u0004", - "notify": [ - "Yjlih5OMwQM=" - ] - }, - 
"r6sClZDPvHtxuniKuJ5UlesbFgLrX7H+vMiSu2rDkyIvyRBBgTEtA4lB9EYWXi4oSqhIkteDZz3podMi9oYwSQ==": { - "type": "\u0004", - "notify": [ - "ADa6kaPcpVc=" - ] - }, - "rJc7Vd+PhcM4THV9otvMSE9KEVCM18wzndDk3YoSzOWGTGBKF902cfYTXARkogUHlM0gkV7ewNl48Cfx+xmpwQ==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "sBDKNFp+Gg5jaCnXhQ9cVq8DfefywbuThBn8dv5sND+5uPmTDVW6KatpqZVsO/pzC507v7OQ+Xnb187+KlSA5g==": { - "type": "\u0004", - "notify": [ - "F6+YzMIB3Ko=" - ] - }, - "sPvekYU/Nw3lqBLGhP8yLhSQBCL1M3psnu28wOVtDFt9IykJgbDcfmijOsYxBp5PgpsrfWfugVP1RciVp24ibw==": { - "type": "\u0004", - "notify": [ - "XWslwNstrcY=" - ] - }, - "tMZHi+jlTKI5EnemHVDVjKeFjAPMWatZmnf9/t3vnRsXE/FL74Wm5n790OsrD+MrXXYr6kBWL6jAFWYuLEWYCg==": { - "type": "\u0004", - "notify": [ - "SwBOSpwuh0s=" - ] - }, - "ti7hCRw84/H2JY4BAPf7DEkA2PjQyb47e/xmjNi47NX245E/xIVlpGdsyd6KeuNAhAnmSaDCpxpxt3Z+aapULg==": { - "type": "\u000c", - "notify": [ - "QhQrcu+f6Dw=" - ] - }, - "tjKo/7kDlAORSuB7uznVp3g6or1qpEVbVd7tqQuvplRmPsiF9V37G7Gs548aCEYSrW3eMEe2KGdAOUVKDq9yRA==": { - "type": "\u0007", - "notify": [ - "Bo1PbOhOl/E=" - ] - }, - "tkoo9GfWIg/KptFPrpjYI5JzZ49mY1OQwoqgajO6P1tLRhyhFB7FNwUM+FRP+K/LxAgjeDUCfpOEF8imcQX+DQ==": { - "type": "\u0004", - "notify": [ - "hkWuLfitv7M=" - ] - }, - "u5fX3GE1kXn7uGnLr/z+QSvYbKF4wjsm8SOIGQGfjeziJ3mXZSi47jV5HZL7PoA1jUloqAkM+Y5D0/awz0AJHA==": { - "type": "\u0004", - "notify": [ - "BIUZzaFLoAA=" - ] - }, - "uQsWzvmSel4qZ5n6dUz/EBq7otC6wbVUkPdPtCaX6Axen0HoPyPTNUxQRheyFRRY2MDOrjQa5CMK2MzDFFkWow==": { - "type": "\u0004", - "notify": [ - "+7sAxPVt2ik=" - ] - }, - "un2p+xm0p5du3IjLbkWf7UsSqJb1O3mnIo0YCAFJp4trmrFLLOHQhR+JKu6xevTXl2SeDmmPbBINMItB34OCzg==": { - "type": "\u000c", - "notify": [ - "3fiQ9klyAhw=" - ] - }, - "v9pGXwX27XHZhRjNOfUFDU/CcgXdX/7HjWjFlEOG0KhYrE7CHeQmqpuOCfrz9RrnUX9WLu6/bYBylHAoINKz0Q==": { - "type": "\u0004", - "notify": [ - "+7sAxPVt2ik=" - ] - }, - "vEVKTC2TP3C7Jvel//1fOtROW7A0zUcYlgoWRepOrkcVLxfb2+4d6fgg9kNFAUzwQUDeSnVUVoMbgRWOGdRQUQ==": { - "type": "\u0004", - "notify": [ 
- "hkWuLfitv7M=" - ] - }, - "vRUMv0na34ThNna09zkBGZDcDoRQRf+eevIEaf/JeFt4WgYkNjIUHmvLoO4r3t4CDMn7pqSRliFH8wTomo14HQ==": { - "type": "\u0004", - "notify": [ - "+7sAxPVt2ik=" - ] - }, - "vW8PqR7bp+VOLfpuu+2u4hKUGI2zGGpDL+H2+KgAazvGJh/KDkYaGMO2fRdeqt2K+Er5SMAvt3KCbCFmGRgOGQ==": { - "type": "\u0004", - "notify": [ - "SwBOSpwuh0s=" - ] - }, - "vf5Kj9VTr3nVyGcZXnq6AAqiwQBuC0xmH7tIe7u3GZvOqHee0x3YRyfR7oNzW0k0rYSetdqf6v1QLjhJ72Q7cA==": { - "type": "\u0019\u000c", - "notify": [ - "JwHo91MSDuw=" - ] - }, - "vs6dGzezS8Q9d9pk6/holAnUqMEQBHYhdLXr+RjvvTwuhmmsbAxngmcFVe+CXbZ58SyG2ZEi7M1atb1ee40bXg==": { - "type": "\u0004", - "notify": [ - "/fHoNZrC5V0=" - ] - }, - "w2o34Xwc5kpkV3aVCj78d7P4CzoAnJ80C6GCxC5OG2LDC6CxnDjcmsPnSte5IsOsXyPJwtrynrsF5c465w0xhw==": { - "type": "\u000c", - "notify": [ - "JI8L9SWXsXU=" - ] - }, - "wbU1vQGWC7TkTLY0oZKFF4r3+jQKrCY8Ln+Kt6IyKXeEQv5F/HWbBLOcYoBA+59G7X4WYp3Mcx6a5NkPLktjMg==": { - "type": "\u0007", - "notify": [ - "ktBhFcQFHd0=" - ] - }, - "wdW78uXiN3QTCM6jFE99COgAkS3NOeWF8ZcR2dVX/co86AacY1IsTx3aWh9vbCzNa9Y7WnIwx0KBgoVnBMWy5A==": { - "type": "\u0019\u000c", - "notify": [ - "194wRisFHoE=" - ] - }, - "wmwLi7+OiU0E4R6ZOHfjWu7z7r/dAmd/eWFdMH9fdq+nGVnOruW4efz8knp2RtiYqbwj/rWOUrInsGqMmWrP3w==": { - "type": "\u0004", - "notify": [ - "WWqsPEuVd20=" - ] - }, - "wqBMlXbmQSD5agbjcVBO765mJg9Fzk/jOE/5PQtEu4HX/IOZ/DbSqCkml6Gb16wcJn0O3ePnfI/AqgtJz0nWbg==": { - "type": "\u0004", - "notify": [ - "B+SrUp9v8vs=" - ] - }, - "wz0Bw/T20g63omggpbFTohs6+3Oot1FyHIMgKZ6SbPDyY2pUsttCCTrRZP+ObWLbBGa5ZSgRr6JQDxnf8a3jbg==": { - "type": "\u0004", - "notify": [ - "HCvHXvHI/SE=" - ] - }, - "x7GfGmBGlN+lelITt2dS0cT6KJgFP7KMZ5ADJPyJw5HoxlEXW4fjc92ikc1sg2NlkVtcdxrV0dBLf8fjwbiqzA==": { - "type": "\u0019\u000c", - "notify": [ - "okOmp7wZAPg=" - ] - }, - "xCJZxIcWgbHwl5vpYMSZWerIyNvymJLWD6Wo62sm/AzaE7lNEh7Jnai54Izor+2DzwPv43oHMTpwJRJqKcsHQA==": { - "type": "\u0004", - "notify": [ - "2vq3t9uIHqQ=" - ] - }, - 
"xj5i41CpATBlYItuRrsgnH3hHsQDjj6+/T/I4QNofVEuEXFo8TBNKytriUx/i9X9Y14DEILU6IVmlmAZfRxrvA==": { - "type": "\u0004", - "notify": [ - "t8/nOVhdd0A=" - ] - }, - "yBNYCCB9ERbYxHmlpCWBzhu3+WVc6RgRwCGd4tJTsfo63mviqCa5MEcFvG+S1XN+jeMiNHW0ilYZiBHFzrX1Dw==": { - "type": "\u0004", - "notify": [ - "/fHoNZrC5V0=" - ] - }, - "yD0jZNn4zIjrqrQH+1d5PCO9+Iu2leQlsTdlPY6F1q/LU3H9HONyNKtb4Ra5Bqel/44Cq8U4ErqpIVKycTB0Ig==": { - "type": "\u0019\u000c", - "notify": [ - "TgsnO18jnk0=" - ] - }, - "ynq6oIBQE3gBVBXHMELi3CzC50RGXtaImsVRLvdXrOPzaEP33IeQpNq8PGSQu4hP610ryHXSOmT0VmmAUFw9HQ==": { - "type": "\u0004", - "notify": [ - "ipWPgGu1OIY=" - ] - }, - "yycm9bE4sSmD+R6mg7lewvhXufFnIoJ5iYCfIALCsr873LvrNlANPWps8YWBnw1LUmrHYVAdQqBiTFh+nBtXYw==": { - "type": "\u0007", - "notify": [ - "Yjlih5OMwQM=" - ] - }, - "zavPuowz9HArxQYPuD17lVx7MA6i7lPpD+6CzLD6tiuDs+xTL/alYbkkKik/75Y80mTVjEa187kUNKUW0nxa6A==": { - "type": "\u0004", - "notify": [ - "hOHkafTLjVw=" - ] - }, - "zuqTdvPqcKolV1uD5lJmoX1IQ75UXJJWgqDKEKW/2aK6RuhVatla2znfXD8tjCa7kUFdNX5AQsVMUGdFMVr7SQ==": { - "type": "\u0004", - "notify": [ - "wNzGhwCy+54=" - ] - } - } - }, - "filters": [ - { - "query": "platform.family.contains(_ == 'unix')", - "code_id": "WFCqHzOvysM=", - "checksum": "kHptU112hKk=", - "mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2/assetfilter/WFCqHzOvysM=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix')" - }, - { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "atWp4V/PtDs=", - "mrn": "//policy.api.mondoo.com/assets/2KgCZg1j6OABQbEutHyDe3ui4p2/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - ], - "graph_execution_checksum": "dc2TBGYylFE=", - "filters_checksum": "5tBrQg4+tPA=", - "reporting_job_uuid": "i2eCUCfSN+I=" - } - } -} \ No newline at end of file diff --git a/cli/reporter/testdata/report-ubuntu.json b/cli/reporter/testdata/report-ubuntu.json index 095020ad..c81cf66e 100644 
--- a/cli/reporter/testdata/report-ubuntu.json
+++ b/cli/reporter/testdata/report-ubuntu.json
@@ -18026,11852 +18026,6 @@ "value": 80 } } - ], - "deprecated_v7_policies": [ - { - "mrn": "//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2", - "name": "2DRZ1cCWFyTYCArycAXHwvn1oU2", - "version": "n/a", - "local_content_checksum": "+6h28bFO6hw=", - "graph_content_checksum": "Ha2sIh++eug=", - "local_execution_checksum": "44qOrI8OX2A=", - "graph_execution_checksum": "KTLw0XFcOSU=", - "specs": [ - { - "policies": { - "//captain.api.mondoo.app/spaces/dazzling-golick-767384": {} - } - } - ], - "asset_filters": { - "+3lK8czbpho=": { - "query": "platform.name == \"aws-efs-filesystem\"\n", - "code_id": "+3lK8czbpho=", - "checksum": "+dKC7K27cF4=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/+3lK8czbpho=", - "type": "\u0004", - "title": "platform.name == \"aws-efs-filesystem\"\n" - }, - "/6sVDCL/lFQ=": { - "query": "platform.name == \"aws-gateway-restapi\"\n", - "code_id": "/6sVDCL/lFQ=", - "checksum": "WqQ0XHcBT+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter//6sVDCL/lFQ=", - "type": "\u0004", - "title": "platform.name == \"aws-gateway-restapi\"\n" - }, - "04d5600C9dA=": { - "query": "platform.name == \"aws-iam-group\"\n", - "code_id": "04d5600C9dA=", - "checksum": "+loxNdFCLVQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/04d5600C9dA=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-group\"\n" - }, - "0zDQGiKIW/E=": { - "query": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n", - "code_id": "0zDQGiKIW/E=", - "checksum": "EHcvPX6+LNg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/0zDQGiKIW/E=", - "type": "\u0001", - "title": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n" - }, - "2917wr1IwG8=": { - "query": "platform.name == \"macos\"\n", - "code_id": "2917wr1IwG8=", - "checksum": "jClsMrO0i44=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/2917wr1IwG8=", - "type": 
"\u0004", - "title": "platform.name == \"macos\"\n" - }, - "3bfX6P7LDvw=": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": "3bfX6P7LDvw=", - "checksum": "tPRvcJ4mR6k=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/3bfX6P7LDvw=", - "type": "\u0004", - "title": "platform.name == \"k8s-daemonset\"" - }, - "6L4Mx8/QL0Q=": { - "query": "asset.platform == \"github-repo\" \n", - "code_id": "6L4Mx8/QL0Q=", - "checksum": "/DryGVads5Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-github-repository-security/filter/6L4Mx8/QL0Q=", - "type": "\u0004", - "title": "asset.platform == \"github-repo\" \n" - }, - "7PIQIV8M0/M=": { - "query": "platform.name == \"aws-es-domain\"\n", - "code_id": "7PIQIV8M0/M=", - "checksum": "qAg9OK949So=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/7PIQIV8M0/M=", - "type": "\u0004", - "title": "platform.name == \"aws-es-domain\"\n" - }, - "Bmu4haS65aI=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n", - "code_id": "Bmu4haS65aI=", - "checksum": "MofsVSknqSM=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/Bmu4haS65aI=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n" - }, - "CpSq126BzyA=": { - "query": "platform.name == \"aws-s3-bucket\"\n", - "code_id": "CpSq126BzyA=", - "checksum": "toXIPlxOhDI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/CpSq126BzyA=", - "type": "\u0004", - "title": "platform.name == \"aws-s3-bucket\"\n" - }, - "CsDGvAZIwz4=": { - "query": "platform.name == \"vmware-esxi\"", - "code_id": "CsDGvAZIwz4=", - "checksum": "RbtCZj+Cms8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/CsDGvAZIwz4=", - "type": "\u0004", 
- "title": "platform.name == \"vmware-esxi\"" - }, - "F80YypMJCTE=": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "n4kOxIgc/5s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/filter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n" - }, - "KEHYdEaOPa4=": { - "query": "platform.name == \"aws-iam-user\"\n", - "code_id": "KEHYdEaOPa4=", - "checksum": "fnhG6gFdEhg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/KEHYdEaOPa4=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-user\"\n" - }, - "KcQiaGsE+IA=": { - "query": "asset.platform == \"k8s-deployment\"", - "code_id": "KcQiaGsE+IA=", - "checksum": "Ek1SiCIjFuw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory/filter/KcQiaGsE+IA=", - "type": "\u0004", - "title": "asset.platform == \"k8s-deployment\"" - }, - "Kdmy6Ep7xAw=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n", - "code_id": "Kdmy6Ep7xAw=", - "checksum": "t5dVaBUchzo=", - "mrn": "//policy.api.mondoo.app/policies/platform-eol/filter/Kdmy6Ep7xAw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n" - }, - "Lo+InTRHu9g=": { - "query": "asset.platform == \"k8s-cronjob\"", - "code_id": "Lo+InTRHu9g=", - "checksum": "wtVP5/7gT3A=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory/filter/Lo+InTRHu9g=", - "type": "\u0004", - "title": "asset.platform == \"k8s-cronjob\"" - }, - "M+A+RGoooYU=": { - "query": "platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "bhDqMmnL81A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/M+A+RGoooYU=", - "type": "\u0004", - "title": "platform.name == \"k8s-statefulset\"" - }, - "NTHSxN8ETbw=": { - "query": "platform.name == \"aws\"\nplatform.kind == \"api\"\n", - "code_id": "NTHSxN8ETbw=", - "checksum": "/DqtZp6wG40=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/NTHSxN8ETbw=", - "type": "\u0001", - "title": "platform.name == \"aws\"\nplatform.kind == \"api\"\n" - }, - "OMDwxipTleI=": { - "query": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"", - "code_id": "OMDwxipTleI=", - "checksum": "4MblDUcWc8s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory/filter/OMDwxipTleI=", - "type": "\u0004", - "title": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"" - }, - "QFF/R18/81w=": { - "query": "asset.platform == \"k8s-daemonset\"", - "code_id": "QFF/R18/81w=", - "checksum": "H9U/uiOPQcs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory/filter/QFF/R18/81w=", - "type": "\u0004", - "title": "asset.platform == \"k8s-daemonset\"" - }, - "Row68hcsdkk=": { - "query": "platform.name == \"aws-kms-key\"\n", - "code_id": "Row68hcsdkk=", - "checksum": "0rCIZvwSKDI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/Row68hcsdkk=", - "type": "\u0004", - "title": "platform.name == \"aws-kms-key\"\n" - }, - "SdEXDQjaeRs=": { - "query": "platform.name == \"aws-cloudwatch-loggroup\"\n", - "code_id": "SdEXDQjaeRs=", - "checksum": "K+40nuLFuy8=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/SdEXDQjaeRs=", - "type": "\u0004", - 
"title": "platform.name == \"aws-cloudwatch-loggroup\"\n" - }, - "U7sj3YRdFiQ=": { - "query": "platform.name == \"aws-sagemaker-notebookinstance\"\n", - "code_id": "U7sj3YRdFiQ=", - "checksum": "rE9i97tC8Lk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/U7sj3YRdFiQ=", - "type": "\u0004", - "title": "platform.name == \"aws-sagemaker-notebookinstance\"\n" - }, - "UCSbVSWVqU0=": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "JDOH+OzUGZA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/filter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - }, - "UHu+8hQv46w=": { - "query": "platform.name == \"aws-elb-loadbalancer\"\n", - "code_id": "UHu+8hQv46w=", - "checksum": "3/UX8rpG22E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UHu+8hQv46w=", - "type": "\u0004", - "title": "platform.name == \"aws-elb-loadbalancer\"\n" - }, - "UwJu13k/z8Y=": { - "query": "platform.name == \"aws-cloudtrail-trail\"\n", - "code_id": "UwJu13k/z8Y=", - "checksum": "lemKi4yX9aU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UwJu13k/z8Y=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudtrail-trail\"\n" - }, - "VUb//1VUIyM=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n", - "code_id": "VUb//1VUIyM=", - "checksum": "fZ594K00Z7U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/VUb//1VUIyM=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n" - }, - "YsfYF6RX5P8=": { - "query": "platform.name == \"aws-security-group\"\n", - "code_id": "YsfYF6RX5P8=", - "checksum": "BwB6u0vYYdU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/YsfYF6RX5P8=", - "type": "\u0004", - "title": "platform.name == 
\"aws-security-group\"\n" - }, - "ZBx163hcYIE=": { - "query": "platform.name == \"aws-ec2-snapshot\"\n", - "code_id": "ZBx163hcYIE=", - "checksum": "AsiP1a0HP3o=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ZBx163hcYIE=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-snapshot\"\n" - }, - "couR4EsVIAo=": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "l/qVxHvq+VU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - }, - "crOg2Eb+/qw=": { - "query": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')", - "code_id": "crOg2Eb+/qw=", - "checksum": "AkKAkPC/AqQ=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/crOg2Eb+/qw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')" - }, - "d1GFWwrumEQ=": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "B98XiG65JgE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - }, - "dioy4aMgIrM=": { - "query": "platform.name == \"aws\"", - "code_id": "dioy4aMgIrM=", - "checksum": "jka9YCGzFDI=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/dioy4aMgIrM=", - "type": "\u0004", - "title": "platform.name == \"aws\"" - }, - "fz+8R2vPLmc=": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - "checksum": "dFTclgK3i3E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - }, - 
"hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "u+b9w6R8z6I=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "k+xEyBubRWw=": { - "query": "platform.name == \"aws-ec2-volume\"\n", - "code_id": "k+xEyBubRWw=", - "checksum": "GhvaWa5D9OQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/k+xEyBubRWw=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-volume\"\n" - }, - "lBIBZY6rroY=": { - "query": "platform.name == \"aws-redshift-cluster\"\n", - "code_id": "lBIBZY6rroY=", - "checksum": "hVIBYDS2y/Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/lBIBZY6rroY=", - "type": "\u0004", - "title": "platform.name == \"aws-redshift-cluster\"\n" - }, - "lcBOE/v/1Mw=": { - "query": "true", - "code_id": "lcBOE/v/1Mw=", - "checksum": "y05uMzinqC8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lcBOE/v/1Mw=", - "type": "\u0004", - "title": "true" - }, - "lhVg0ANEBCU=": { - "query": "platform.name == \"arista-eos\"", - "code_id": "lhVg0ANEBCU=", - "checksum": "rVsy+4IgzTw=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lhVg0ANEBCU=", - "type": "\u0004", - "title": "platform.name == \"arista-eos\"" - }, - "luCtFGH4Mys=": { - "query": "platform.name == \"vmware-vsphere\"", - "code_id": "luCtFGH4Mys=", - "checksum": "xXQFMy3fgV4=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/luCtFGH4Mys=", - "type": "\u0004", - "title": "platform.name == \"vmware-vsphere\"" - }, - "mqo+1qjR1b4=": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": "1djDTot70OU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - }, - "nsY0acjU/D0=": { - "query": "platform.name 
== \"k8s-ingress\"", - "code_id": "nsY0acjU/D0=", - "checksum": "49PuoNLJvYs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/nsY0acjU/D0=", - "type": "\u0004", - "title": "platform.name == \"k8s-ingress\"" - }, - "qYaiib9DQbc=": { - "query": "platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "I2c27Qikm+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - }, - "smY8TG23K9w=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n", - "code_id": "smY8TG23K9w=", - "checksum": "Kvcjzv/UCTA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/smY8TG23K9w=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n" - }, - "uI+zEoIj4NQ=": { - "query": "platform.name == \"aws-dynamodb-table\"\n", - "code_id": "uI+zEoIj4NQ=", - "checksum": "VJcez7IkTCs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uI+zEoIj4NQ=", - "type": "\u0004", - "title": "platform.name == \"aws-dynamodb-table\"\n" - }, - "ucbjQbjd8ZM=": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "szzyWrJN1aM=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - }, - "uxmIdgdI2D8=": { - "query": "platform.name == \"aws-vpc\"\n", - "code_id": "uxmIdgdI2D8=", - "checksum": "/AKqcVTLUAY=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uxmIdgdI2D8=", - "type": "\u0004", - "title": "platform.name == \"aws-vpc\"\n" - }, - "vJ4Aq6zYqYQ=": { - "query": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' 
\u0026\u0026 platform.kind != 'container-image'\n", - "code_id": "vJ4Aq6zYqYQ=", - "checksum": "OAcdbUYxtmg=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/vJ4Aq6zYqYQ=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n" - }, - "wMbsyBy34V4=": { - "query": "platform.name == \"aws-lambda-function\"\n", - "code_id": "wMbsyBy34V4=", - "checksum": "Uzk35DvL2uI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/wMbsyBy34V4=", - "type": "\u0004", - "title": "platform.name == \"aws-lambda-function\"\n" - }, - "ziES20zDGls=": { - "query": "platform.name == \"aws-rds-dbinstance\"\n", - "code_id": "ziES20zDGls=", - "checksum": "jkgSgQqjPCU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ziES20zDGls=", - "type": "\u0004", - "title": "platform.name == \"aws-rds-dbinstance\"\n" - } - }, - "owner_mrn": "//captain.api.mondoo.app/spaces/dazzling-golick-767384", - "query_counts": {} - }, - { - "mrn": "//captain.api.mondoo.app/spaces/dazzling-golick-767384", - "name": "dazzling-golick-767384", - "version": "n/a", - "local_content_checksum": "kEPBIZYm0Ik=", - "graph_content_checksum": "Z295tgDH710=", - "local_execution_checksum": "HAje41Se300=", - "graph_execution_checksum": "CyRfDiFkqcc=", - "specs": [ - { - "policies": { - "//policy.api.mondoo.app/policies/asset-overview": {}, - "//policy.api.mondoo.app/policies/mondoo-aws-security": {}, - "//policy.api.mondoo.app/policies/mondoo-github-repository-security": {}, - "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices": {}, - "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory": {}, - "//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory": {}, - "//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory": {}, - 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory": {}, - "//policy.api.mondoo.app/policies/mondoo-kubernetes-security": {}, - "//policy.api.mondoo.app/policies/mondoo-linux-security": {}, - "//policy.api.mondoo.app/policies/mondoo-macos-security": {}, - "//policy.api.mondoo.app/policies/mondoo-windows-security": {}, - "//policy.api.mondoo.app/policies/platform-eol": {}, - "//policy.api.mondoo.app/policies/platform-vulnerability": {} - } - } - ], - "asset_filters": { - "+3lK8czbpho=": { - "query": "platform.name == \"aws-efs-filesystem\"\n", - "code_id": "+3lK8czbpho=", - "checksum": "+dKC7K27cF4=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/+3lK8czbpho=", - "type": "\u0004", - "title": "platform.name == \"aws-efs-filesystem\"\n" - }, - "/6sVDCL/lFQ=": { - "query": "platform.name == \"aws-gateway-restapi\"\n", - "code_id": "/6sVDCL/lFQ=", - "checksum": "WqQ0XHcBT+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter//6sVDCL/lFQ=", - "type": "\u0004", - "title": "platform.name == \"aws-gateway-restapi\"\n" - }, - "04d5600C9dA=": { - "query": "platform.name == \"aws-iam-group\"\n", - "code_id": "04d5600C9dA=", - "checksum": "+loxNdFCLVQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/04d5600C9dA=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-group\"\n" - }, - "0zDQGiKIW/E=": { - "query": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n", - "code_id": "0zDQGiKIW/E=", - "checksum": "EHcvPX6+LNg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/0zDQGiKIW/E=", - "type": "\u0001", - "title": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n" - }, - "2917wr1IwG8=": { - "query": "platform.name == \"macos\"\n", - "code_id": "2917wr1IwG8=", - "checksum": "jClsMrO0i44=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/2917wr1IwG8=", - "type": "\u0004", - "title": "platform.name == \"macos\"\n" - }, - 
"3bfX6P7LDvw=": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": "3bfX6P7LDvw=", - "checksum": "tPRvcJ4mR6k=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/3bfX6P7LDvw=", - "type": "\u0004", - "title": "platform.name == \"k8s-daemonset\"" - }, - "6L4Mx8/QL0Q=": { - "query": "asset.platform == \"github-repo\" \n", - "code_id": "6L4Mx8/QL0Q=", - "checksum": "/DryGVads5Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-github-repository-security/filter/6L4Mx8/QL0Q=", - "type": "\u0004", - "title": "asset.platform == \"github-repo\" \n" - }, - "7PIQIV8M0/M=": { - "query": "platform.name == \"aws-es-domain\"\n", - "code_id": "7PIQIV8M0/M=", - "checksum": "qAg9OK949So=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/7PIQIV8M0/M=", - "type": "\u0004", - "title": "platform.name == \"aws-es-domain\"\n" - }, - "Bmu4haS65aI=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n", - "code_id": "Bmu4haS65aI=", - "checksum": "MofsVSknqSM=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/Bmu4haS65aI=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n" - }, - "CpSq126BzyA=": { - "query": "platform.name == \"aws-s3-bucket\"\n", - "code_id": "CpSq126BzyA=", - "checksum": "toXIPlxOhDI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/CpSq126BzyA=", - "type": "\u0004", - "title": "platform.name == \"aws-s3-bucket\"\n" - }, - "CsDGvAZIwz4=": { - "query": "platform.name == \"vmware-esxi\"", - "code_id": "CsDGvAZIwz4=", - "checksum": "RbtCZj+Cms8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/CsDGvAZIwz4=", - "type": "\u0004", - "title": "platform.name == \"vmware-esxi\"" - }, - 
"F80YypMJCTE=": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "n4kOxIgc/5s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/filter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n" - }, - "KEHYdEaOPa4=": { - "query": "platform.name == \"aws-iam-user\"\n", - "code_id": "KEHYdEaOPa4=", - "checksum": "fnhG6gFdEhg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/KEHYdEaOPa4=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-user\"\n" - }, - "KcQiaGsE+IA=": { - "query": "asset.platform == \"k8s-deployment\"", - "code_id": "KcQiaGsE+IA=", - "checksum": "Ek1SiCIjFuw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory/filter/KcQiaGsE+IA=", - "type": "\u0004", - "title": "asset.platform == \"k8s-deployment\"" - }, - "Kdmy6Ep7xAw=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n", - "code_id": "Kdmy6Ep7xAw=", - "checksum": "t5dVaBUchzo=", - "mrn": "//policy.api.mondoo.app/policies/platform-eol/filter/Kdmy6Ep7xAw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n" - }, - "Lo+InTRHu9g=": { - "query": "asset.platform == \"k8s-cronjob\"", - "code_id": "Lo+InTRHu9g=", - "checksum": "wtVP5/7gT3A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory/filter/Lo+InTRHu9g=", - "type": "\u0004", - "title": "asset.platform == 
\"k8s-cronjob\"" - }, - "M+A+RGoooYU=": { - "query": "platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "bhDqMmnL81A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/M+A+RGoooYU=", - "type": "\u0004", - "title": "platform.name == \"k8s-statefulset\"" - }, - "NTHSxN8ETbw=": { - "query": "platform.name == \"aws\"\nplatform.kind == \"api\"\n", - "code_id": "NTHSxN8ETbw=", - "checksum": "/DqtZp6wG40=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/NTHSxN8ETbw=", - "type": "\u0001", - "title": "platform.name == \"aws\"\nplatform.kind == \"api\"\n" - }, - "OMDwxipTleI=": { - "query": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"", - "code_id": "OMDwxipTleI=", - "checksum": "4MblDUcWc8s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory/filter/OMDwxipTleI=", - "type": "\u0004", - "title": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"" - }, - "QFF/R18/81w=": { - "query": "asset.platform == \"k8s-daemonset\"", - "code_id": "QFF/R18/81w=", - "checksum": "H9U/uiOPQcs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory/filter/QFF/R18/81w=", - "type": "\u0004", - "title": "asset.platform == \"k8s-daemonset\"" - }, - "Row68hcsdkk=": { - "query": "platform.name == \"aws-kms-key\"\n", - "code_id": "Row68hcsdkk=", - "checksum": "0rCIZvwSKDI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/Row68hcsdkk=", - "type": "\u0004", - "title": "platform.name == \"aws-kms-key\"\n" - }, - "SdEXDQjaeRs=": { - "query": "platform.name == \"aws-cloudwatch-loggroup\"\n", - "code_id": "SdEXDQjaeRs=", - "checksum": "K+40nuLFuy8=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/SdEXDQjaeRs=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudwatch-loggroup\"\n" - }, - "U7sj3YRdFiQ=": { - "query": "platform.name == 
\"aws-sagemaker-notebookinstance\"\n", - "code_id": "U7sj3YRdFiQ=", - "checksum": "rE9i97tC8Lk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/U7sj3YRdFiQ=", - "type": "\u0004", - "title": "platform.name == \"aws-sagemaker-notebookinstance\"\n" - }, - "UCSbVSWVqU0=": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "JDOH+OzUGZA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/filter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - }, - "UHu+8hQv46w=": { - "query": "platform.name == \"aws-elb-loadbalancer\"\n", - "code_id": "UHu+8hQv46w=", - "checksum": "3/UX8rpG22E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UHu+8hQv46w=", - "type": "\u0004", - "title": "platform.name == \"aws-elb-loadbalancer\"\n" - }, - "UwJu13k/z8Y=": { - "query": "platform.name == \"aws-cloudtrail-trail\"\n", - "code_id": "UwJu13k/z8Y=", - "checksum": "lemKi4yX9aU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UwJu13k/z8Y=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudtrail-trail\"\n" - }, - "VUb//1VUIyM=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n", - "code_id": "VUb//1VUIyM=", - "checksum": "fZ594K00Z7U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/VUb//1VUIyM=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n" - }, - "YsfYF6RX5P8=": { - "query": "platform.name == \"aws-security-group\"\n", - "code_id": "YsfYF6RX5P8=", - "checksum": "BwB6u0vYYdU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/YsfYF6RX5P8=", - "type": "\u0004", - "title": "platform.name == \"aws-security-group\"\n" - }, - "ZBx163hcYIE=": { - "query": "platform.name == \"aws-ec2-snapshot\"\n", - "code_id": 
"ZBx163hcYIE=", - "checksum": "AsiP1a0HP3o=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ZBx163hcYIE=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-snapshot\"\n" - }, - "couR4EsVIAo=": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "l/qVxHvq+VU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - }, - "crOg2Eb+/qw=": { - "query": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')", - "code_id": "crOg2Eb+/qw=", - "checksum": "AkKAkPC/AqQ=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/crOg2Eb+/qw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')" - }, - "d1GFWwrumEQ=": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "B98XiG65JgE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - }, - "dioy4aMgIrM=": { - "query": "platform.name == \"aws\"", - "code_id": "dioy4aMgIrM=", - "checksum": "jka9YCGzFDI=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/dioy4aMgIrM=", - "type": "\u0004", - "title": "platform.name == \"aws\"" - }, - "fz+8R2vPLmc=": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - "checksum": "dFTclgK3i3E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - }, - "hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": 
"u+b9w6R8z6I=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "k+xEyBubRWw=": { - "query": "platform.name == \"aws-ec2-volume\"\n", - "code_id": "k+xEyBubRWw=", - "checksum": "GhvaWa5D9OQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/k+xEyBubRWw=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-volume\"\n" - }, - "lBIBZY6rroY=": { - "query": "platform.name == \"aws-redshift-cluster\"\n", - "code_id": "lBIBZY6rroY=", - "checksum": "hVIBYDS2y/Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/lBIBZY6rroY=", - "type": "\u0004", - "title": "platform.name == \"aws-redshift-cluster\"\n" - }, - "lcBOE/v/1Mw=": { - "query": "true", - "code_id": "lcBOE/v/1Mw=", - "checksum": "y05uMzinqC8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lcBOE/v/1Mw=", - "type": "\u0004", - "title": "true" - }, - "lhVg0ANEBCU=": { - "query": "platform.name == \"arista-eos\"", - "code_id": "lhVg0ANEBCU=", - "checksum": "rVsy+4IgzTw=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lhVg0ANEBCU=", - "type": "\u0004", - "title": "platform.name == \"arista-eos\"" - }, - "luCtFGH4Mys=": { - "query": "platform.name == \"vmware-vsphere\"", - "code_id": "luCtFGH4Mys=", - "checksum": "xXQFMy3fgV4=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/luCtFGH4Mys=", - "type": "\u0004", - "title": "platform.name == \"vmware-vsphere\"" - }, - "mqo+1qjR1b4=": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": "1djDTot70OU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - }, - "nsY0acjU/D0=": { - "query": "platform.name == \"k8s-ingress\"", - "code_id": "nsY0acjU/D0=", - "checksum": "49PuoNLJvYs=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/nsY0acjU/D0=", - "type": "\u0004", - "title": "platform.name == \"k8s-ingress\"" - }, - "qYaiib9DQbc=": { - "query": "platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "I2c27Qikm+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - }, - "smY8TG23K9w=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n", - "code_id": "smY8TG23K9w=", - "checksum": "Kvcjzv/UCTA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/smY8TG23K9w=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n" - }, - "uI+zEoIj4NQ=": { - "query": "platform.name == \"aws-dynamodb-table\"\n", - "code_id": "uI+zEoIj4NQ=", - "checksum": "VJcez7IkTCs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uI+zEoIj4NQ=", - "type": "\u0004", - "title": "platform.name == \"aws-dynamodb-table\"\n" - }, - "ucbjQbjd8ZM=": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "szzyWrJN1aM=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - }, - "uxmIdgdI2D8=": { - "query": "platform.name == \"aws-vpc\"\n", - "code_id": "uxmIdgdI2D8=", - "checksum": "/AKqcVTLUAY=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uxmIdgdI2D8=", - "type": "\u0004", - "title": "platform.name == \"aws-vpc\"\n" - }, - "vJ4Aq6zYqYQ=": { - "query": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n", - "code_id": "vJ4Aq6zYqYQ=", - 
"checksum": "OAcdbUYxtmg=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/vJ4Aq6zYqYQ=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n" - }, - "wMbsyBy34V4=": { - "query": "platform.name == \"aws-lambda-function\"\n", - "code_id": "wMbsyBy34V4=", - "checksum": "Uzk35DvL2uI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/wMbsyBy34V4=", - "type": "\u0004", - "title": "platform.name == \"aws-lambda-function\"\n" - }, - "ziES20zDGls=": { - "query": "platform.name == \"aws-rds-dbinstance\"\n", - "code_id": "ziES20zDGls=", - "checksum": "jkgSgQqjPCU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ziES20zDGls=", - "type": "\u0004", - "title": "platform.name == \"aws-rds-dbinstance\"\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 3, - "query_counts": {} - }, - { - "mrn": "//policy.api.mondoo.app/policies/asset-overview", - "name": "Platform Overview Information by Mondoo", - "version": "1.2.2", - "local_content_checksum": "osfV2+771HY=", - "graph_content_checksum": "IdzAcJO3g4I=", - "local_execution_checksum": "Ae7w+cMRD5Q=", - "graph_execution_checksum": "baDhS1Dku2w=", - "specs": [ - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-job-environment": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-mondoo-version": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-arch": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-name": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-release": 0 - }, - "asset_filter": { - "query": "true", - "code_id": "lcBOE/v/1Mw=", - "checksum": "kk/wv++ny3E=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/lcBOE/v/1Mw=", - "type": "\u0004", - 
"title": "true" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-mondoo-service-running-enabled": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-hostname": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-installed-packages": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-uptime": 0 - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')", - "code_id": "crOg2Eb+/qw=", - "checksum": "YzAAxq3AQIM=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/crOg2Eb+/qw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-dmidecode": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-linux-kernel-version": 0 - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "YnTeTKw8uFw=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-apple-device": 0 - }, - "asset_filter": { - "query": "platform.name == \"macos\"\n", - "code_id": "2917wr1IwG8=", - "checksum": "Y84I3gKtWGY=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/2917wr1IwG8=", - "type": "\u0004", - "title": "platform.name == \"macos\"\n" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-vsphere-architecture": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-vsphere-product-name": 0 - }, - "asset_filter": { - "query": "platform.name == 
\"vmware-vsphere\"", - "code_id": "luCtFGH4Mys=", - "checksum": "0po3QDk2pkY=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/luCtFGH4Mys=", - "type": "\u0004", - "title": "platform.name == \"vmware-vsphere\"" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-architecture": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-bios-version": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-hostname": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-product-name": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-uuid": 0 - }, - "asset_filter": { - "query": "platform.name == \"vmware-esxi\"", - "code_id": "CsDGvAZIwz4=", - "checksum": "YgjePQh3Uw0=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/CsDGvAZIwz4=", - "type": "\u0004", - "title": "platform.name == \"vmware-esxi\"" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-aws-account-id": 0 - }, - "asset_filter": { - "query": "platform.name == \"aws\"", - "code_id": "dioy4aMgIrM=", - "checksum": "V9PYQ8oqVis=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/dioy4aMgIrM=", - "type": "\u0004", - "title": "platform.name == \"aws\"" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-fqdn": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-hostname": 0, - "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-version": 0 - }, - "asset_filter": { - "query": "platform.name == \"arista-eos\"", - "code_id": "lhVg0ANEBCU=", - "checksum": "l3MBGo3Ls8w=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/assetfilter/lhVg0ANEBCU=", - "type": "\u0004", - "title": "platform.name == \"arista-eos\"" - } - } - ], - "asset_filters": { - "2917wr1IwG8=": { - "query": "platform.name == \"macos\"\n", - "code_id": 
"2917wr1IwG8=", - "checksum": "jClsMrO0i44=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/2917wr1IwG8=", - "type": "\u0004", - "title": "platform.name == \"macos\"\n" - }, - "CsDGvAZIwz4=": { - "query": "platform.name == \"vmware-esxi\"", - "code_id": "CsDGvAZIwz4=", - "checksum": "RbtCZj+Cms8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/CsDGvAZIwz4=", - "type": "\u0004", - "title": "platform.name == \"vmware-esxi\"" - }, - "crOg2Eb+/qw=": { - "query": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')", - "code_id": "crOg2Eb+/qw=", - "checksum": "AkKAkPC/AqQ=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/crOg2Eb+/qw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'unix') || platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows')" - }, - "dioy4aMgIrM=": { - "query": "platform.name == \"aws\"", - "code_id": "dioy4aMgIrM=", - "checksum": "jka9YCGzFDI=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/dioy4aMgIrM=", - "type": "\u0004", - "title": "platform.name == \"aws\"" - }, - "hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "u+b9w6R8z6I=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - }, - "lcBOE/v/1Mw=": { - "query": "true", - "code_id": "lcBOE/v/1Mw=", - "checksum": "y05uMzinqC8=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lcBOE/v/1Mw=", - "type": "\u0004", - "title": "true" - }, - "lhVg0ANEBCU=": { - "query": "platform.name == \"arista-eos\"", - "code_id": "lhVg0ANEBCU=", - "checksum": "rVsy+4IgzTw=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/lhVg0ANEBCU=", - "type": "\u0004", - "title": "platform.name == \"arista-eos\"" - }, - "luCtFGH4Mys=": { 
- "query": "platform.name == \"vmware-vsphere\"", - "code_id": "luCtFGH4Mys=", - "checksum": "xXQFMy3fgV4=", - "mrn": "//policy.api.mondoo.app/policies/asset-overview/filter/luCtFGH4Mys=", - "type": "\u0004", - "title": "platform.name == \"vmware-vsphere\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 3, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "data", - "mondoo.com/platform": "linux,windows,macos,aws,azure,gcp,host" - }, - "query_counts": { - "data_count": 23, - "total_count": 23 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security", - "name": "AWS Security", - "version": "1.0.0", - "local_content_checksum": "zcJBjybB7BQ=", - "graph_content_checksum": "iG4cXa83jCY=", - "local_execution_checksum": "liB3XKXkwlU=", - "graph_execution_checksum": "hEYJMxhIEYM=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-access-keys-rotated": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-ebs-encryption-by-default": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-imdsv2-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-instance-no-public-ip": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-group-has-users-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-password-policy": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-root-access-key-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-user-no-inline-policies-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-users-only-one-access-key": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-mfa-enabled-for-iam-console-access": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-root-account-mfa-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited": {}, 
- "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-buckets-account-level-block-public-access": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-default-security-group-closed": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-flow-logs-enabled": {} - }, - "asset_filter": { - "query": "platform.name == \"aws\"\nplatform.kind == \"api\"\n", - "code_id": "NTHSxN8ETbw=", - "checksum": "+oEcuE4pw1Y=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/NTHSxN8ETbw=", - "type": "\u0001", - "title": "platform.name == \"aws\"\nplatform.kind == \"api\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-access-keys-rotated": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-ebs-encryption-by-default": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-imdsv2-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-instance-no-public-ip": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-password-policy": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-root-access-key-check": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-users-only-one-access-key": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-mfa-enabled-for-iam-console-access": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-root-account-mfa-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-buckets-account-level-block-public-access": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n", - "code_id": "0zDQGiKIW/E=", - "checksum": "R9S9bSSldBc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/0zDQGiKIW/E=", - "type": "\u0001", - "title": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-lambda-concurrency-check": {} - }, - 
"asset_filter": { - "query": "platform.name == \"aws-lambda-function\"\n", - "code_id": "wMbsyBy34V4=", - "checksum": "0Mav7Nv189s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/wMbsyBy34V4=", - "type": "\u0004", - "title": "platform.name == \"aws-lambda-function\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited-single-bucket": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-s3-bucket\"\n", - "code_id": "CpSq126BzyA=", - "checksum": "KZ2IaSc4UCk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/CpSq126BzyA=", - "type": "\u0004", - "title": "platform.name == \"aws-s3-bucket\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-secgroup-restricted-ssh": {}, - "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-default-security-group-closed-single-secgroup": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-security-group\"\n", - "code_id": "YsfYF6RX5P8=", - "checksum": "dEJNzfqPQ9k=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/YsfYF6RX5P8=", - "type": "\u0004", - "title": "platform.name == \"aws-security-group\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-flow-logs-enabled-single-vpc": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-vpc\"\n", - "code_id": "uxmIdgdI2D8=", - "checksum": "YIEP3LT90S0=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/uxmIdgdI2D8=", - "type": "\u0004", - "title": "platform.name == \"aws-vpc\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-dynamodb-table-encrypted-kms": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-dynamodb-table\"\n", - "code_id": "uI+zEoIj4NQ=", - "checksum": "lAxB3VqE2GI=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/uI+zEoIj4NQ=", - "type": "\u0004", - "title": "platform.name == \"aws-dynamodb-table\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-rds-instance-public-access-check": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-rds-dbinstance\"\n", - "code_id": "ziES20zDGls=", - "checksum": "+DU3gYr7iqE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/ziES20zDGls=", - "type": "\u0004", - "title": "platform.name == \"aws-rds-dbinstance\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-redshift-cluster-public-access-check": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-redshift-cluster\"\n", - "code_id": "lBIBZY6rroY=", - "checksum": "am22cXkDGAo=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/lBIBZY6rroY=", - "type": "\u0004", - "title": "platform.name == \"aws-redshift-cluster\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-volume-inuse-check": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-ec2-volume\"\n", - "code_id": "k+xEyBubRWw=", - "checksum": "yJ0ZRumHvlc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/k+xEyBubRWw=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-volume\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-ebs-snapshot-public-restorable-check": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-ec2-snapshot\"\n", - "code_id": "ZBx163hcYIE=", - "checksum": "vyK949CRGsw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/ZBx163hcYIE=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-snapshot\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-api-gw-cache-encrypted": 
{} - }, - "asset_filter": { - "query": "platform.name == \"aws-gateway-restapi\"\n", - "code_id": "/6sVDCL/lFQ=", - "checksum": "TnMSeWmHs40=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter//6sVDCL/lFQ=", - "type": "\u0004", - "title": "platform.name == \"aws-gateway-restapi\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-user-no-inline-policies-check-single-user": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-iam-user\"\n", - "code_id": "KEHYdEaOPa4=", - "checksum": "9n56Sw52BMI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/KEHYdEaOPa4=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-user\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-efs-encrypted-check": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-efs-filesystem\"\n", - "code_id": "+3lK8czbpho=", - "checksum": "ceBBMOwDpyA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/+3lK8czbpho=", - "type": "\u0004", - "title": "platform.name == \"aws-efs-filesystem\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-group-has-users-check-single-group": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-iam-group\"\n", - "code_id": "04d5600C9dA=", - "checksum": "aQaGK2MJY5c=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/04d5600C9dA=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-group\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-cloudwatch-log-group-encrypted": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-cloudwatch-loggroup\"\n", - "code_id": "SdEXDQjaeRs=", - "checksum": "Cnhp1LzB8Xs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/SdEXDQjaeRs=", - "type": "\u0004", - "title": 
"platform.name == \"aws-cloudwatch-loggroup\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-elb-deletion-protection-enabled": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-elb-loadbalancer\"\n", - "code_id": "UHu+8hQv46w=", - "checksum": "sTd9Xlscu80=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/UHu+8hQv46w=", - "type": "\u0004", - "title": "platform.name == \"aws-elb-loadbalancer\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-elasticsearch-encrypted-at-rest": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-es-domain\"\n", - "code_id": "7PIQIV8M0/M=", - "checksum": "Uum2to6NALA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/7PIQIV8M0/M=", - "type": "\u0004", - "title": "platform.name == \"aws-es-domain\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-rotation-customer-created-cmks-enabled": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-kms-key\"\n", - "code_id": "Row68hcsdkk=", - "checksum": "B6cl557IZpg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/Row68hcsdkk=", - "type": "\u0004", - "title": "platform.name == \"aws-kms-key\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-sagemaker-notebook-instance-kms-key-configured": {} - }, - "asset_filter": { - "query": "platform.name == \"aws-sagemaker-notebookinstance\"\n", - "code_id": "U7sj3YRdFiQ=", - "checksum": "DHIG/Q3Ecj4=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/U7sj3YRdFiQ=", - "type": "\u0004", - "title": "platform.name == \"aws-sagemaker-notebookinstance\"\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-aws-security-cloud-trail-encryption-enabled": {} - }, - "asset_filter": { - "query": "platform.name == 
\"aws-cloudtrail-trail\"\n", - "code_id": "UwJu13k/z8Y=", - "checksum": "8G/HJFkvaQk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/assetfilter/UwJu13k/z8Y=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudtrail-trail\"\n" - } - } - ], - "asset_filters": { - "+3lK8czbpho=": { - "query": "platform.name == \"aws-efs-filesystem\"\n", - "code_id": "+3lK8czbpho=", - "checksum": "+dKC7K27cF4=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/+3lK8czbpho=", - "type": "\u0004", - "title": "platform.name == \"aws-efs-filesystem\"\n" - }, - "/6sVDCL/lFQ=": { - "query": "platform.name == \"aws-gateway-restapi\"\n", - "code_id": "/6sVDCL/lFQ=", - "checksum": "WqQ0XHcBT+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter//6sVDCL/lFQ=", - "type": "\u0004", - "title": "platform.name == \"aws-gateway-restapi\"\n" - }, - "04d5600C9dA=": { - "query": "platform.name == \"aws-iam-group\"\n", - "code_id": "04d5600C9dA=", - "checksum": "+loxNdFCLVQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/04d5600C9dA=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-group\"\n" - }, - "0zDQGiKIW/E=": { - "query": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n", - "code_id": "0zDQGiKIW/E=", - "checksum": "EHcvPX6+LNg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/0zDQGiKIW/E=", - "type": "\u0001", - "title": "platform.name == \"aws-account\"\nplatform.kind == \"api\"\n" - }, - "7PIQIV8M0/M=": { - "query": "platform.name == \"aws-es-domain\"\n", - "code_id": "7PIQIV8M0/M=", - "checksum": "qAg9OK949So=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/7PIQIV8M0/M=", - "type": "\u0004", - "title": "platform.name == \"aws-es-domain\"\n" - }, - "CpSq126BzyA=": { - "query": "platform.name == \"aws-s3-bucket\"\n", - "code_id": "CpSq126BzyA=", - "checksum": "toXIPlxOhDI=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-aws-security/filter/CpSq126BzyA=", - "type": "\u0004", - "title": "platform.name == \"aws-s3-bucket\"\n" - }, - "KEHYdEaOPa4=": { - "query": "platform.name == \"aws-iam-user\"\n", - "code_id": "KEHYdEaOPa4=", - "checksum": "fnhG6gFdEhg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/KEHYdEaOPa4=", - "type": "\u0004", - "title": "platform.name == \"aws-iam-user\"\n" - }, - "NTHSxN8ETbw=": { - "query": "platform.name == \"aws\"\nplatform.kind == \"api\"\n", - "code_id": "NTHSxN8ETbw=", - "checksum": "/DqtZp6wG40=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/NTHSxN8ETbw=", - "type": "\u0001", - "title": "platform.name == \"aws\"\nplatform.kind == \"api\"\n" - }, - "Row68hcsdkk=": { - "query": "platform.name == \"aws-kms-key\"\n", - "code_id": "Row68hcsdkk=", - "checksum": "0rCIZvwSKDI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/Row68hcsdkk=", - "type": "\u0004", - "title": "platform.name == \"aws-kms-key\"\n" - }, - "SdEXDQjaeRs=": { - "query": "platform.name == \"aws-cloudwatch-loggroup\"\n", - "code_id": "SdEXDQjaeRs=", - "checksum": "K+40nuLFuy8=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/SdEXDQjaeRs=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudwatch-loggroup\"\n" - }, - "U7sj3YRdFiQ=": { - "query": "platform.name == \"aws-sagemaker-notebookinstance\"\n", - "code_id": "U7sj3YRdFiQ=", - "checksum": "rE9i97tC8Lk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/U7sj3YRdFiQ=", - "type": "\u0004", - "title": "platform.name == \"aws-sagemaker-notebookinstance\"\n" - }, - "UHu+8hQv46w=": { - "query": "platform.name == \"aws-elb-loadbalancer\"\n", - "code_id": "UHu+8hQv46w=", - "checksum": "3/UX8rpG22E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UHu+8hQv46w=", - "type": "\u0004", - "title": "platform.name == \"aws-elb-loadbalancer\"\n" - }, - 
"UwJu13k/z8Y=": { - "query": "platform.name == \"aws-cloudtrail-trail\"\n", - "code_id": "UwJu13k/z8Y=", - "checksum": "lemKi4yX9aU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/UwJu13k/z8Y=", - "type": "\u0004", - "title": "platform.name == \"aws-cloudtrail-trail\"\n" - }, - "YsfYF6RX5P8=": { - "query": "platform.name == \"aws-security-group\"\n", - "code_id": "YsfYF6RX5P8=", - "checksum": "BwB6u0vYYdU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/YsfYF6RX5P8=", - "type": "\u0004", - "title": "platform.name == \"aws-security-group\"\n" - }, - "ZBx163hcYIE=": { - "query": "platform.name == \"aws-ec2-snapshot\"\n", - "code_id": "ZBx163hcYIE=", - "checksum": "AsiP1a0HP3o=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ZBx163hcYIE=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-snapshot\"\n" - }, - "k+xEyBubRWw=": { - "query": "platform.name == \"aws-ec2-volume\"\n", - "code_id": "k+xEyBubRWw=", - "checksum": "GhvaWa5D9OQ=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/k+xEyBubRWw=", - "type": "\u0004", - "title": "platform.name == \"aws-ec2-volume\"\n" - }, - "lBIBZY6rroY=": { - "query": "platform.name == \"aws-redshift-cluster\"\n", - "code_id": "lBIBZY6rroY=", - "checksum": "hVIBYDS2y/Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/lBIBZY6rroY=", - "type": "\u0004", - "title": "platform.name == \"aws-redshift-cluster\"\n" - }, - "uI+zEoIj4NQ=": { - "query": "platform.name == \"aws-dynamodb-table\"\n", - "code_id": "uI+zEoIj4NQ=", - "checksum": "VJcez7IkTCs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uI+zEoIj4NQ=", - "type": "\u0004", - "title": "platform.name == \"aws-dynamodb-table\"\n" - }, - "uxmIdgdI2D8=": { - "query": "platform.name == \"aws-vpc\"\n", - "code_id": "uxmIdgdI2D8=", - "checksum": "/AKqcVTLUAY=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-aws-security/filter/uxmIdgdI2D8=", - "type": "\u0004", - "title": "platform.name == \"aws-vpc\"\n" - }, - "wMbsyBy34V4=": { - "query": "platform.name == \"aws-lambda-function\"\n", - "code_id": "wMbsyBy34V4=", - "checksum": "Uzk35DvL2uI=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/wMbsyBy34V4=", - "type": "\u0004", - "title": "platform.name == \"aws-lambda-function\"\n" - }, - "ziES20zDGls=": { - "query": "platform.name == \"aws-rds-dbinstance\"\n", - "code_id": "ziES20zDGls=", - "checksum": "jkgSgQqjPCU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-aws-security/filter/ziES20zDGls=", - "type": "\u0004", - "title": "platform.name == \"aws-rds-dbinstance\"\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "aws,cloud" - }, - "props": { - "//policy.api.mondoo.app/queries/ebsVolumeDeleteOnTermination": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyMaxPasswordAge": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyMinimumPasswordLength": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyPasswordReusePrevention": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyRequireLowercaseCharacters": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyRequireNumbers": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyRequireSymbols": "", - "//policy.api.mondoo.app/queries/iamPasswordPolicyRequireUppercaseCharacters": "" - }, - "docs": { - "desc": "## Overview\n\nAWS Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Amazon Web Services (AWS). 
The controls in this policy bundle are based on AWS's Operational Best Practices recommendations as part of the [AWS Config conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html).\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on-demand scan results without installing any agents or integrations.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n``` \n\n### Prerequisites\n\nRemote scanning of AWS accounts with `cnspec` relies on the access key ID and secret access key configured for the AWS CLI. For more information on configuring these keys in the AWS CLI, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).\n\n### Scan an AWS account\n\nThe following command will perform a scan of all enabled regions in an AWS account:\n\n```bash\ncnspec scan aws\n```\n\n### Scan a single AWS region\n\nTo specify a single region to scan with cnspec, use the `--region` flag with the AWS region code:\n\n```bash\ncnspec scan aws --region us-west-2\n```\n\nFor a complete list of AWS region codes, see [Regions and Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).\n\n### Scan an AWS account using a specific profile\n\nIf multiple AWS profiles are configured for the AWS CLI, `cnspec` can target a specific profile by setting the `AWS_PROFILE` environment variable or the `--profile` command line flag.\n\n```bash\nexport AWS_PROFILE=my-profile\ncnspec scan aws \n```\n\n```bash\ncnspec scan aws --profile my-profile\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on improving this policy or need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. 
" - }, - "query_counts": { - "scoring_count": 45, - "total_count": 45 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-github-repository-security", - "name": "GitHub Repository Security by Mondoo", - "version": "1.4.0", - "local_content_checksum": "cZK/iUBqN5c=", - "graph_content_checksum": "pOMeda16vew=", - "local_execution_checksum": "pHnaf5LqAsg=", - "graph_execution_checksum": "zv5+svgWQPg=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-binary-artifacts": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-enforce-branch-protection": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-default-branch-protection": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-dependabot-workflow": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-release-branch-protection": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-prevent-force-pushes-default-branch": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-prevent-force-pushes-release-branch": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-require-conversation-resolution": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-require-status-checks-before-merging": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-required-signed-commits": {}, - "//policy.api.mondoo.app/queries/mondoo-github-repository-security-security-policy": {} - }, - "asset_filter": { - "query": "asset.platform == \"github-repo\" \n", - "code_id": "6L4Mx8/QL0Q=", - "checksum": "Z/fTl0lmzGk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-github-repository-security/assetfilter/6L4Mx8/QL0Q=", - "type": "\u0004", - "title": "asset.platform == \"github-repo\" \n" - } - } - ], - "asset_filters": { - "6L4Mx8/QL0Q=": { - "query": "asset.platform == 
\"github-repo\" \n", - "code_id": "6L4Mx8/QL0Q=", - "checksum": "/DryGVads5Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-github-repository-security/filter/6L4Mx8/QL0Q=", - "type": "\u0004", - "title": "asset.platform == \"github-repo\" \n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "docs": { - "desc": "# Overview\n\nGitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments.\n\n## About remote scanning\n\nRemote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. \n\nA complete list of providers can be found by running the following command: \n\n```bash\ncnspec scan --help\n``` \n\n### cnspec GitHub Provider\n\nThis policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running the following command: \n\n```bash\ncnspec scan github --help\n```\n\n## Configuring the GitHub provider\n\nThe `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. 
\n\n### Create a personal access token\n\nTo create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.\n\n### Configure a GITHUB_TOKEN environment variable\n\nYou supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. \n\n#### Linux / macOS\n\n```bash\nexport GITHUB_TOKEN=\u003cyour personal access token\u003e\n```\n\n#### Windows \n\n```powershell\n$Env:GITHUB_TOKEN = \"\u003cpersonal-access-token\u003e\"\n``` \n\n## Scanning GitHub repositories\n\nTo scan the configuration of a GitHub repository: \n\n```bash\ncnspec scan github repo \u003cORG_NAME/REPO_NAME\u003e\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. 
\n" - }, - "query_counts": { - "scoring_count": 11, - "total_count": 11 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices", - "name": "Kubernetes Best Practices", - "version": "1.0.0", - "local_content_checksum": "K5MLodZpbTs=", - "graph_content_checksum": "DwSeHlwJ0bA=", - "local_execution_checksum": "amqG/gGCGT0=", - "graph_execution_checksum": "pw8BGvFlklk=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "QPxvjODKs5c=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-livenessprobe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-readinessProbe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-requestmemory": {} - }, - "asset_filter": { - "query": 
"platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "KQk0humCLOk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/M+A+RGoooYU=", - "type": "\u0004", - "title": "platform.name == \"k8s-statefulset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-livenessprobe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-readinessProbe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "NKNLuqS52+Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": "velUnkr8/pA=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-livenessprobe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-readinessProbe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - "checksum": "ZhoUFFdOKjg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-livenessprobe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-readinessProbe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": 
"3bfX6P7LDvw=", - "checksum": "oPABAtxvnGE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/3bfX6P7LDvw=", - "type": "\u0004", - "title": "platform.name == \"k8s-daemonset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-default-namespace": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-hostalias": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-livenessprobe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-no-owner": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-readinessProbe": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-requestcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-requestmemory": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "oPTfFIHonIk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-ingress-cert-expiration": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-ingress\"", - "code_id": "nsY0acjU/D0=", - "checksum": "WtQQB08u2eo=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/assetfilter/nsY0acjU/D0=", - "type": "\u0004", - "title": "platform.name == \"k8s-ingress\"" - } - } - ], - "asset_filters": { - "3bfX6P7LDvw=": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": "3bfX6P7LDvw=", - "checksum": "tPRvcJ4mR6k=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/3bfX6P7LDvw=", - "type": "\u0004", - "title": 
"platform.name == \"k8s-daemonset\"" - }, - "M+A+RGoooYU=": { - "query": "platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "bhDqMmnL81A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/M+A+RGoooYU=", - "type": "\u0004", - "title": "platform.name == \"k8s-statefulset\"" - }, - "d1GFWwrumEQ=": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "B98XiG65JgE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - }, - "fz+8R2vPLmc=": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - "checksum": "dFTclgK3i3E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - }, - "mqo+1qjR1b4=": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": "1djDTot70OU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - }, - "nsY0acjU/D0=": { - "query": "platform.name == \"k8s-ingress\"", - "code_id": "nsY0acjU/D0=", - "checksum": "49PuoNLJvYs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/nsY0acjU/D0=", - "type": "\u0004", - "title": "platform.name == \"k8s-ingress\"" - }, - "qYaiib9DQbc=": { - "query": "platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "I2c27Qikm+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - }, - "ucbjQbjd8ZM=": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "szzyWrJN1aM=", - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-best-practices/filter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "best-practices", - "mondoo.com/platform": "kubernetes,k8s" - }, - "docs": { - "desc": "## Overview\n\nThe Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." 
- }, - "query_counts": { - "scoring_count": 47, - "total_count": 47 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory", - "name": "Kubernetes Cluster Inventory Pack", - "version": "1.1.0", - "local_content_checksum": "2RUXIFEMZV8=", - "graph_content_checksum": "RpFBlGnZ0tY=", - "local_execution_checksum": "zsFh8CD3tXM=", - "graph_execution_checksum": "ahu9+aDzw68=", - "specs": [ - { - "data_queries": { - "//policy.api.mondoo.app/queries/k8s-cluster-clusterroles": 0, - "//policy.api.mondoo.app/queries/k8s-cluster-namespaces": 0, - "//policy.api.mondoo.app/queries/k8s-cluster-nodes": 0, - "//policy.api.mondoo.app/queries/k8s-cluster-version": 0 - }, - "asset_filter": { - "query": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"", - "code_id": "OMDwxipTleI=", - "checksum": "v3RaJxp4zz0=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory/assetfilter/OMDwxipTleI=", - "type": "\u0004", - "title": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"" - } - } - ], - "asset_filters": { - "OMDwxipTleI=": { - "query": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"", - "code_id": "OMDwxipTleI=", - "checksum": "4MblDUcWc8s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cluster-inventory/filter/OMDwxipTleI=", - "type": "\u0004", - "title": "asset.platform == \"kubernetes\" || asset.platform == \"k8s-cluster\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 4, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "best-practices", - "mondoo.com/platform": "kubernetes,k8s" - }, - "docs": { - "desc": "The Kubernetes Cluster Inventory Pack by Mondoo pack is designed to retrieve data about a Kubernetes Cluster for asset inventory. 
\n\nTo run this pack for a Kubernetes Cluster:\n\n```bash\ncnquery scan k8s -f mondoo-kubernetes-inventory.mql.yaml\n```\n\n## Join the community!\nOur goal is to build query packs that are simple to deploy, and provide accurate and useful data. \n\nIf you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" - }, - "query_counts": { - "data_count": 4, - "total_count": 4 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory", - "name": "Kubernetes CronJobs Inventory Pack", - "version": "1.1.0", - "local_content_checksum": "j7UCWDLJywo=", - "graph_content_checksum": "c477MF3atC8=", - "local_execution_checksum": "ZuBgmdYK8po=", - "graph_execution_checksum": "MuGFNJc2m6E=", - "specs": [ - { - "data_queries": { - "//policy.api.mondoo.app/queries/k8s-cronjob": 0, - "//policy.api.mondoo.app/queries/k8s-cronjob-container": 0 - }, - "asset_filter": { - "query": "asset.platform == \"k8s-cronjob\"", - "code_id": "Lo+InTRHu9g=", - "checksum": "KbiN1D1pEJ0=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory/assetfilter/Lo+InTRHu9g=", - "type": "\u0004", - "title": "asset.platform == \"k8s-cronjob\"" - } - } - ], - "asset_filters": { - "Lo+InTRHu9g=": { - "query": "asset.platform == \"k8s-cronjob\"", - "code_id": "Lo+InTRHu9g=", - "checksum": "wtVP5/7gT3A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-cronjobs-inventory/filter/Lo+InTRHu9g=", - "type": "\u0004", - "title": "asset.platform == \"k8s-cronjob\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 4, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "best-practices", - "mondoo.com/platform": "kubernetes,k8s" - }, - "query_counts": { - "data_count": 2, - "total_count": 2 - } - }, - { - "mrn": 
"//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory", - "name": "Kubernetes DaemonSets Inventory Pack", - "version": "1.1.0", - "local_content_checksum": "Tat86GzsAxs=", - "graph_content_checksum": "+5aXmLit6j0=", - "local_execution_checksum": "Q0slfPD4zH0=", - "graph_execution_checksum": "cCtoDamQt7M=", - "specs": [ - { - "data_queries": { - "//policy.api.mondoo.app/queries/k8s-daemonset": 0, - "//policy.api.mondoo.app/queries/k8s-daemonset-container": 0 - }, - "asset_filter": { - "query": "asset.platform == \"k8s-daemonset\"", - "code_id": "QFF/R18/81w=", - "checksum": "WgPQdl7ve2c=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory/assetfilter/QFF/R18/81w=", - "type": "\u0004", - "title": "asset.platform == \"k8s-daemonset\"" - } - } - ], - "asset_filters": { - "QFF/R18/81w=": { - "query": "asset.platform == \"k8s-daemonset\"", - "code_id": "QFF/R18/81w=", - "checksum": "H9U/uiOPQcs=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-daemonsets-inventory/filter/QFF/R18/81w=", - "type": "\u0004", - "title": "asset.platform == \"k8s-daemonset\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 4, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "best-practices", - "mondoo.com/platform": "kubernetes,k8s" - }, - "query_counts": { - "data_count": 2, - "total_count": 2 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory", - "name": "Kubernetes Deployments Inventory Pack", - "version": "1.1.0", - "local_content_checksum": "SuYtxtY/Av4=", - "graph_content_checksum": "zCcbfawhe7A=", - "local_execution_checksum": "9jygqbhRzYo=", - "graph_execution_checksum": "kt5fz4NEU3c=", - "specs": [ - { - "data_queries": { - "//policy.api.mondoo.app/queries/k8s-deployment": 0, - "//policy.api.mondoo.app/queries/k8s-deployment-container": 0 - }, - "asset_filter": { - "query": 
"asset.platform == \"k8s-deployment\"", - "code_id": "KcQiaGsE+IA=", - "checksum": "LCSwuzEGGhc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory/assetfilter/KcQiaGsE+IA=", - "type": "\u0004", - "title": "asset.platform == \"k8s-deployment\"" - } - } - ], - "asset_filters": { - "KcQiaGsE+IA=": { - "query": "asset.platform == \"k8s-deployment\"", - "code_id": "KcQiaGsE+IA=", - "checksum": "Ek1SiCIjFuw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-deployments-inventory/filter/KcQiaGsE+IA=", - "type": "\u0004", - "title": "asset.platform == \"k8s-deployment\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 4, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "best-practices", - "mondoo.com/platform": "kubernetes,k8s" - }, - "query_counts": { - "data_count": 2, - "total_count": 2 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security", - "name": "Kubernetes Cluster and Workload Security", - "version": "1.0.2", - "local_content_checksum": "8Gok92kHLM8=", - "graph_content_checksum": "llqgLEb6S8Q=", - "local_execution_checksum": "/tl2w3Qm19U=", - "graph_execution_checksum": "LEx3Xs4UVec=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-api-server-no-anonymous-auth": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-https-api-server": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-admin-conf": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-controller-manager_conf": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-etcd-data-dir": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kube-apiserver-yml": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-pki-directory": {}, - 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-scheduler_conf": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n", - "code_id": "smY8TG23K9w=", - "checksum": "g86vi590ffo=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/smY8TG23K9w=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-anonymous-authentication": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-authorization-mode": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-event-record-qps": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-iptables-util-chains": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-protect-kernel-defaults": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-read-only-port": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-rotate-certificates": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-strong-ciphers": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-tls-certificate": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kubelet-cert-authorities": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kubelet-config": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n", - "code_id": "VUb//1VUIyM=", - "checksum": "pt3OVpRWj1w=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/VUb//1VUIyM=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == 
/kubelet/ ).list != []\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-serviceaccount": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "QPxvjODKs5c=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - } 
- }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-serviceaccount": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "KQk0humCLOk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/M+A+RGoooYU=", - "type": "\u0004", - 
"title": "platform.name == \"k8s-statefulset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-k8s-dashboard": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-serviceaccount": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-tiller": {} - }, - "asset_filter": { - "query": 
"platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "NKNLuqS52+Q=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-serviceaccount": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": "velUnkr8/pA=", - 
"mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-serviceaccount": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - 
"checksum": "ZhoUFFdOKjg=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-serviceaccount": {} - }, - "asset_filter": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": 
"3bfX6P7LDvw=", - "checksum": "oPABAtxvnGE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/3bfX6P7LDvw=", - "type": "\u0004", - "title": "platform.name == \"k8s-daemonset\"" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-allowprivilegeescalation": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-capability-net-raw": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-capability-sys-admin": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-containerd-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-crio-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-docker-socket": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostipc": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostnetwork": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostpath-readonly": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostpid": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-imagepull": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-k8s-dashboard": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-limitcpu": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-limitmemory": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-ports-hostport": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-privilegedcontainer": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-readonlyrootfilesystem": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-runasnonroot": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-serviceaccount": {}, - "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-tiller": {} - }, - 
"asset_filter": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "oPTfFIHonIk=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/assetfilter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - } - } - ], - "asset_filters": { - "3bfX6P7LDvw=": { - "query": "platform.name == \"k8s-daemonset\"", - "code_id": "3bfX6P7LDvw=", - "checksum": "tPRvcJ4mR6k=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/3bfX6P7LDvw=", - "type": "\u0004", - "title": "platform.name == \"k8s-daemonset\"" - }, - "M+A+RGoooYU=": { - "query": "platform.name == \"k8s-statefulset\"", - "code_id": "M+A+RGoooYU=", - "checksum": "bhDqMmnL81A=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/M+A+RGoooYU=", - "type": "\u0004", - "title": "platform.name == \"k8s-statefulset\"" - }, - "VUb//1VUIyM=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n", - "code_id": "VUb//1VUIyM=", - "checksum": "fZ594K00Z7U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/VUb//1VUIyM=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kubelet/ ).list != []\n" - }, - "d1GFWwrumEQ=": { - "query": "platform.name == \"k8s-pod\"", - "code_id": "d1GFWwrumEQ=", - "checksum": "B98XiG65JgE=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/d1GFWwrumEQ=", - "type": "\u0004", - "title": "platform.name == \"k8s-pod\"" - }, - "fz+8R2vPLmc=": { - "query": "platform.name == \"k8s-replicaset\"", - "code_id": "fz+8R2vPLmc=", - "checksum": "dFTclgK3i3E=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/fz+8R2vPLmc=", - "type": "\u0004", - "title": "platform.name == \"k8s-replicaset\"" - }, - "mqo+1qjR1b4=": { - "query": "platform.name == \"k8s-job\"", - "code_id": "mqo+1qjR1b4=", - "checksum": 
"1djDTot70OU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/mqo+1qjR1b4=", - "type": "\u0004", - "title": "platform.name == \"k8s-job\"" - }, - "qYaiib9DQbc=": { - "query": "platform.name == \"k8s-deployment\"", - "code_id": "qYaiib9DQbc=", - "checksum": "I2c27Qikm+U=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/qYaiib9DQbc=", - "type": "\u0004", - "title": "platform.name == \"k8s-deployment\"" - }, - "smY8TG23K9w=": { - "query": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n", - "code_id": "smY8TG23K9w=", - "checksum": "Kvcjzv/UCTA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/smY8TG23K9w=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nprocesses.where( executable == /kube-apiserver/ ).list != []\n" - }, - "ucbjQbjd8ZM=": { - "query": "platform.name == \"k8s-cronjob\"", - "code_id": "ucbjQbjd8ZM=", - "checksum": "szzyWrJN1aM=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-kubernetes-security/filter/ucbjQbjd8ZM=", - "type": "\u0004", - "title": "platform.name == \"k8s-cronjob\"" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "linux,kubernetes,k8s" - }, - "props": { - "//policy.api.mondoo.app/queries/allowedCiphers": "" - }, - "docs": { - "desc": "# Overview\n\nThe Kubernetes Cluster and Workload Security by Mondoo provides guidance for establishing secure Kubernetes cluster configurations and workload deployments.\n\nIf you have questions, comments, or have identified ways to improve this policy, please write us at hello@mondoo.com, or reach out in [GitHub Discussions](https://github.com/orgs/mondoohq/discussions).\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on 
demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." - }, - "query_counts": { - "scoring_count": 149, - "total_count": 149 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security", - "name": "Linux Security", - "version": "1.3.1", - "local_content_checksum": "aAjQSQ3Au/Q=", - "graph_content_checksum": "KILGPVUZyz0=", - "local_execution_checksum": "FNiPilbNwBI=", - "graph_execution_checksum": "Pvw1iu56Ukg=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-linux-security--window-system-is-not-installed": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-address-space-layout-randomization-aslr-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-aide-is-installed": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-avahi-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-bogus-icmp-responses-are-ignored": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-broadcast-icmp-requests-are-ignored": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-core-dumps-are-restricted": {}, - 
"//policy.api.mondoo.app/queries/mondoo-linux-security-cups-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-dhcp-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-dns-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-filesystem-integrity-is-regularly-checked": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ftp-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-http-proxy-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-http-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-icmp-redirects-are-not-accepted": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-imap-and-pop3-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ip-forwarding-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ipv6-router-advertisements-are-not-accepted": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ldap-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-mail-transfer-agent-is-configured-for-local-only-mode": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-nfs-and-rpc-are-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-nis-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-packet-redirect-sending-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgroup--are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgroup-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgshadow--are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgshadow-are-configured": {}, - 
"//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcpasswd--are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcpasswd-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcshadow--are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcshadow-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-prelink-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-reverse-path-filtering-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-rsh-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-rsync-service-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-samba-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-secure-icmp-redirects-are-not-accepted": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-snmp-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-source-routed-packets-are-not-accepted": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-suspicious-packets-are-logged": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-talk-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-tcp-syn-cookies-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-telnet-server-is-not-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-tftp-server-is-not-enabled": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "YnTeTKw8uFw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - }, - { - "scoring_queries": { - 
"//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-ciphers-are-used": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-kex-algorithms-are-used": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-mac-algorithms-are-used": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcsshsshd-config-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-ssh-private-host-key-files-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-ssh-public-host-key-files-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-access-is-limited": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-hostbasedauthentication-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-idle-timeout-interval-is-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-ignorerhosts-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-logingracetime-is-set-to-one-minute-or-less": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-loglevel-is-appropriate": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-maxauthtries-is-set-to-4-or-less": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-permitemptypasswords-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-permituserenvironment-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-protocol-is-set-to-2": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-root-login-is-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-warning-banner-is-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-x11-forwarding-is-disabled": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 
'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "WsW0oL0paGA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/assetfilter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-linux-security-audit-log-storage-size-is-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-audit-logs-are-not-automatically-deleted": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-auditd-is-installed": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-auditd-service-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-auditing-for-processes-that-start-prior-to-auditd-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-changes-to-system-administration-scope-sudoers-is-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-discretionary-access-control-permission-modification-events-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-date-and-time-information-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-the-systems-mandatory-access-controls-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-usergroup-information-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-file-deletion-events-by-users-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-compress-large-log-files": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-send-logs-to-rsyslog": {}, - 
"//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-write-logfiles-to-persistent-disk": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-kernel-module-loading-and-unloading-is-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-login-and-logout-events-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-all-logfiles-are-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-default-file-permissions-configured": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-is-installed": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-service-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-session-initiation-information-is-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-successful-file-system-mounts-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-sudo-logging-is-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-system-administrator-actions-sudolog-are-collected": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-system-is-disabled-when-audit-logs-are-full": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-the-audit-configuration-is-immutable": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-unsuccessful-unauthorized-file-access-attempts-are-collected": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "YnTeTKw8uFw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-linux-security-access-to-the-su-command-is-restricted": {}, - 
"//policy.api.mondoo.app/queries/mondoo-linux-security-default-group-for-the-root-account-is-gid-0": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-each-user-member-of-a-group": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-gid-in-passwd-exists-in-group": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-gids-exist": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-group-names-exist": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-uids-exist": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-user-names-exist": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-root-group-is-empty": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-shadow-group-is-empty": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-system-accounts-are-non-login": {}, - "//policy.api.mondoo.app/queries/mondoo-linux-security-uid-min-is-set-to-1000": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "YnTeTKw8uFw=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/assetfilter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux')\n" - } - } - ], - "asset_filters": { - "couR4EsVIAo=": { - "query": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n", - "code_id": "couR4EsVIAo=", - "checksum": "l/qVxHvq+VU=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/couR4EsVIAo=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\npackage('openssh-server').installed\n" - }, - "hp6oNZD/wBk=": { - "query": "platform.family.contains(_ == 'linux')\n", - "code_id": "hp6oNZD/wBk=", - "checksum": "u+b9w6R8z6I=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-linux-security/filter/hp6oNZD/wBk=", - "type": "\u0004", - "title": "platform.family.contains(_ == 
'linux')\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "linux,host" - }, - "props": { - "//policy.api.mondoo.app/queries/MondooKexAlgos": "", - "//policy.api.mondoo.app/queries/MondooMacAlgos": "", - "//policy.api.mondoo.app/queries/MondooSshdCiphers": "", - "//policy.api.mondoo.app/queries/MondooSudoGroup": "" - }, - "docs": { - "desc": "## Overview\n\nThe Linux Security by Mondoo provides guidance for establishing a secure baseline configuration for Linux systems running on x86 and x64 platforms.\n\nThis policy includes queries to help harden Linux systems by:\n - Identifying problematic services that may be running\n - Identifying loose permissions on sensitive system configuration files\n - Ensuring logging and auditing services are properly configured and running\n - Hardening SSH configurations\n - Ensure users and groups are securely configured\n - Identifying misconfigured Kernel networking configurations\n\nThis policy has been developed for Red Hat (RHEL), Debian, Ubuntu, and SUSE (SLES) derivative distributions running on x86 and x64 architectures.\nSome queries may be skipped depending on your particular distribution, installation type, or underlying infrastructure.\nThe overall guidance within this policy broadly assumes that operations are being performed as the root user.\nOperations performed using sudo instead of the root user may produce unexpected results or fail to make the intended changes to the system.\nNon-root users may not be able to access certain areas of the system, especially after remediation has been performed. 
It is advisable to verify\nroot users path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark.\n\n### Intended Audience\n\nThis benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel\nwho plan to develop, deploy, assess, or secure solutions that incorporate Linux on x86 or x64 platforms.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where `cnspec` is installed.\n\nTo scan the `localhost` against this policy:\n\n```bash\ncnspec scan local\n```\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Linux hosts requires authentication such as SSH keys.\n\n### Scan a remote Linux host (SSH authentication)\n\n```bash\ncnspec scan ssh \u003cuser\u003e@\u003cIP_ADDRESS\u003e -i /path/to/ssh_key\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable.\n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." 
- }, - "query_counts": { - "scoring_count": 103, - "total_count": 103 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security", - "name": "macOS Security", - "version": "1.0.4", - "local_content_checksum": "9TMOjvmlf/I=", - "graph_content_checksum": "SAbMSKSX3p4=", - "local_execution_checksum": "kPUujrmdYzI=", - "graph_execution_checksum": "SAxdUuknhRs=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-bluetooth-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-bonjour-advertising-service": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-content-caching": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-dvd-or-cd-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-file-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-internet-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-media-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-printer-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-apple-events": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-login": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-management": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-screen-sharing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-filevault": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-firewall": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-firewall-stealth-mode": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-gatekeeper": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-show-wifi-status": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-airdrop-is-disabled": {}, - 
"//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-http-server-is-not-running": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-nfs-server-is-not-running": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-automatic-check-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-automatic-download": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-install-critical-updates": {} - }, - "asset_filter": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "+WA7feN/Koc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/assetfilter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-macos-security-do-not-enable-the-root-account": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-password-age": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-password-history": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-reduce-the-sudo-timeout-period": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-set-a-minimum-password-length": {} - }, - "asset_filter": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "+WA7feN/Koc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/assetfilter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == 
/^12\\./ || platform.release == /^13\\./\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-macos-security-control-access-to-audit-records": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-security-auditing": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-firewall-is-configured-to-log": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-security-auditing-retention": {}, - "//policy.api.mondoo.app/queries/mondoo-macos-security-retain-install-log-for-365-or-more-days": {} - }, - "asset_filter": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "+WA7feN/Koc=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/assetfilter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n" - } - } - ], - "asset_filters": { - "F80YypMJCTE=": { - "query": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n", - "code_id": "F80YypMJCTE=", - "checksum": "n4kOxIgc/5s=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-macos-security/filter/F80YypMJCTE=", - "type": "\u0001", - "title": "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 3, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "macos,host" - }, - "docs": { - "desc": "## Overview\n\nThis policy provides prescriptive guidance for 
establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10, 11, 12, and 13.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where `cnspec` is installed.\n\nTo scan the `localhost` against this policy: \n\n```bash\ncnspec scan local \n```\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys.\n\n### Scan a remote macOS (SSH authentication)\n\n```bash\ncnspec scan ssh \u003cuser\u003e@\u003cIP_ADDRESS\u003e -i /path/to/ssh_key \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. 
" - }, - "query_counts": { - "scoring_count": 33, - "total_count": 33 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security", - "name": "Windows Security", - "version": "1.0.0", - "local_content_checksum": "36m2WEBuSts=", - "graph_content_checksum": "Vd9NubZVR7w=", - "local_execution_checksum": "THxHB4YF0y0=", - "graph_execution_checksum": "aLg9u/oeNRI=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-windows-security-additional-LSA-protection": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-allow-users-to-connect-remotely-by-using-remote-desktop-services-is-set-to-": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-always-prompt-for-password-upon-connection-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-apply-uac-restrictions-to-local-accounts-on-network-logons-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-account-lockout-is-set-to-include-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-application-group-management-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-audit-policy-change-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-authentication-policy-change-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-authorization-policy-change-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-credential-validation-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-detailed-file-share-is-set-to-include-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-file-share-is-set-to-success-and-failure": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-audit-force-audit-policy-subcategory-settings-windows-vista-or-later-to-override": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-group-membership-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-ipsec-driver-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-logoff-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-logon-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-mpssvc-rule-level-policy-change-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-logonlogoff-events-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-object-access-events-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-policy-change-events-is-set-to-include-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-system-events-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-pnp-activity-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-process-creation-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-removable-storage-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-group-management-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-state-change-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-system-extension-is-set-to-include-success": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-audit-sensitive-privilege-use-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-shut-down-system-immediately-if-unable-to-log-security-audits": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-special-logon-is-set-to-include-success": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-system-integrity-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-user-account-management-is-set-to-success-and-failure": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-configure-smb-v1-client-driver-is-set-to-enabled-disable-driver-recommended": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-configure-smb-v1-server-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-com-port-redirection-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-drive-redirection-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-lpt-port-redirection-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-passwords-to-be-saved-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-supported-plug-and-play-device-redirection-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-delete-temp-folders-upon-exit-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-enable-structured-exception-handling-overwrite-protection-sehop-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-enforce-password-history-is-set-to-24-or-more-passwords": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-maximum-password-age-is-set-to-365-or-fewer-days-but-not-0": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-minimum-password-age-is-set-to-1-or-more-days": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-minimum-password-length-is-set-to-14-or-more-characters": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-netbt-nodetype-configuration-is-set-to-enabled-p-node-recommended": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-allow-anonymous-sidname-translation-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-anonymous-enumeration-of-sam-accounts": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-auth": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-let-everyone-permissions-apply-to-anonymous-users-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-restrict-anonymous-access-to-named-pipes-and-shares": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-restrict-clients-allowed-to-make-remote-calls-to-sam": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-shares-that-can-be-accessed-anonymously-is-set-to-none": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-sharing-and-security-model-for-local-accounts-is-set-to-classic": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-local-system-to-use-computer-identity-for-ntlm": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-localsystem-null-session-fallback-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-pku2u-authentication-requests-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-configure-encryption-types-allowed-for-kerberos-is-set-to-aes12": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-do-not-store-lan-manager-hash-value-on-next-password-change": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-lan-manager-authentication-level-is-set-to-send-ntlmv2-response": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-ldap-client-signing-requirements-is-set-to-negotiate-signing": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-minimum-session-security-for-ntlm-ssp-based-servers-is-set-to-ntlmv2": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-minimum-session-security-for-ntlm-ssp-clients-is-set-to-ntlmv2": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-password-must-meet-complexity-requirements-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-relax-minimum-password-length-limits-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-require-secure-rpc-communication-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-require-use-of-specific-security-layer-for-remote-rdp-connections-is-set-to": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-require-user-authentication-for-remote-connections-by-using-network-level-a": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-set-client-connection-encryption-level-is-set-to-enabled-high-level": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-set-time-limit-for-active-but-idle-remote-desktop-services-sessions-is-set": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-set-time-limit-for-disconnected-sessions-is-set-to-enabled-1-minute": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-store-passwords-using-reversible-encryption-is-set-to-disabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-turn-off-multicast-name-resolution-is-set-to-enabled": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-wdigest-authentication-is-set-to-disabled": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "8pgBkb3jVdY=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/assetfilter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-windows-security-application-control-event-log-behavior-when-the-log-file-reaches-its-maximum": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-application-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-security-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-security-specify-the-maximum-log-file-size-kb-is-set-to-enabled-196608": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-setup-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-setup-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768": {}, - "//policy.api.mondoo.app/queries/mondoo-windows-security-system-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size": {}, - 
"//policy.api.mondoo.app/queries/mondoo-windows-security-system-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "8pgBkb3jVdY=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/assetfilter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - } - }, - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-windows-security-2.2.19-l1-ensure-debug-programs-is-empty": {} - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "8pgBkb3jVdY=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/assetfilter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - } - } - ], - "asset_filters": { - "UCSbVSWVqU0=": { - "query": "platform.family.contains(_ == 'windows')\n", - "code_id": "UCSbVSWVqU0=", - "checksum": "JDOH+OzUGZA=", - "mrn": "//policy.api.mondoo.app/policies/mondoo-windows-security/filter/UCSbVSWVqU0=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'windows')\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 3, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "windows,host" - }, - "docs": { - "desc": "## Overview\n\nThis policy provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows. This guide was tested against Microsoft Windows 10 Release 20H2 Enterprise. 
\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where `cnspec` is installed.\n\nTo scan the `localhost` against this policy: \n\n```bash\ncnspec scan local \n```\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of windows hosts suitable authentication method such as winRM enabled or SSH keys.\n\n### Scan a remote Windows (SSH authentication)\n\n```bash\ncnspec scan ssh \u003cuser\u003e@\u003cIP_ADDRESS\u003e -i /path/to/ssh_key \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " - }, - "query_counts": { - "scoring_count": 86, - "total_count": 86 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/platform-eol", - "name": "Platform End-of-Life Policy by Mondoo", - "version": "1.0.0", - "local_content_checksum": "d1N3z/zFQR4=", - "graph_content_checksum": "xo4HHSyzyGE=", - "local_execution_checksum": "eOGVGFjJ/dM=", - "graph_execution_checksum": "aIVzY+xULpU=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-check-platform-eol": {} - }, - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-platform-eol-date": 0 - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n", - "code_id": "Kdmy6Ep7xAw=", - "checksum": "p+E9hanz5sw=", - "mrn": "//policy.api.mondoo.app/policies/platform-eol/assetfilter/Kdmy6Ep7xAw=", - 
"type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n" - } - } - ], - "asset_filters": { - "Kdmy6Ep7xAw=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n", - "code_id": "Kdmy6Ep7xAw=", - "checksum": "t5dVaBUchzo=", - "mrn": "//policy.api.mondoo.app/policies/platform-eol/filter/Kdmy6Ep7xAw=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\" || platform.name == \"freebsd\"\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc.", - "email": "hello@mondoo.com" - } - ], - "docs": { - "desc": "The Platform End-of-Life Policy by Mondoo scans Linux, Windows, FreeBSD, VMware ESXi, and VMware vSphere hosts to validate whether the platform version is end-of-life. Vendors set strict end-of-life dates for an operating system – after which official support, including fixes for security vulnerabilities, stops. 
\n" - }, - "query_counts": { - "scoring_count": 1, - "data_count": 1, - "total_count": 2 - } - }, - { - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability", - "name": "Platform Vulnerability Policy by Mondoo", - "version": "1.0.0", - "local_content_checksum": "JrCeWyjPJEw=", - "graph_content_checksum": "ikM5b7RUGbY=", - "local_execution_checksum": "zxIgYRZDtC0=", - "graph_execution_checksum": "aMuRZ/5HchA=", - "specs": [ - { - "scoring_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-advisories": {}, - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-cves": {}, - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-eol": {} - }, - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-platform-advisories-report": 0 - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n", - "code_id": "Bmu4haS65aI=", - "checksum": "uFl9ciw0NB0=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/assetfilter/Bmu4haS65aI=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n" - } - }, - { - "data_queries": { - "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-installed-kernels": 0 - }, - "asset_filter": { - "query": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n", - "code_id": "vJ4Aq6zYqYQ=", - "checksum": "gx380iymygQ=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/assetfilter/vJ4Aq6zYqYQ=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == 
false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n" - } - } - ], - "asset_filters": { - "Bmu4haS65aI=": { - "query": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n", - "code_id": "Bmu4haS65aI=", - "checksum": "MofsVSknqSM=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/Bmu4haS65aI=", - "type": "\u0004", - "title": "platform.family.contains(_ == 'linux') || platform.family.contains(_ == 'windows') || platform.name == \"vmware-esxi\" || platform.name == \"vmware-vsphere\"\n" - }, - "vJ4Aq6zYqYQ=": { - "query": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n", - "code_id": "vJ4Aq6zYqYQ=", - "checksum": "OAcdbUYxtmg=", - "mrn": "//policy.api.mondoo.app/policies/platform-vulnerability/filter/vJ4Aq6zYqYQ=", - "type": "\u0001", - "title": "platform.family.contains(_ == 'linux')\nplatform.virtualization.isContainer == false \u0026\u0026 platform.kind != 'container' \u0026\u0026 platform.kind != 'container-image'\n" - } - }, - "owner_mrn": "//policy.api.mondoo.app", - "scoring_system": 2, - "authors": [ - { - "name": "Mondoo, Inc", - "email": "hello@mondoo.com" - } - ], - "tags": { - "mondoo.com/category": "security", - "mondoo.com/platform": "linux,windows,host" - }, - "docs": { - "desc": "## Overview\n\nThe Platform Vulnerability Policy by Mondoo scans Linux, Windows, VMware ESXi, and VMware vSphere instances for known vulnerabilities and advisories. 
This policy can be used to test servers, Docker container images, and active Docker containers running supported operating systems.\n\n## Local scan\n\n```bash\ncnspec scan local # scan local system\n```\n\n## Remote scan\n\n```bash\ncnspec scan ssh USER@IP_ADDRESS # scan remote host \ncnspec scan container b62b276baab6 # scan docker container\ncnspec scan container image REGISTRY/OWNER/IMAGE_NAME:TAG # scan container registry\n```\n\n__Example Results__ \n\n```bash\nControls:\n✕ Fail: Ensure that we have no known platform advisories\n✕ Fail: Ensure that we have no known platform cves\n✕ Fail: Platform is not end-of-life\n\n\nVulnerabilities:\n ■ SCORE PACKAGE INSTALLED FIXED AVAILABLE\n ■ 3.6 libdbi-perl 1.636-1+deb9u1 1.636-1+deb9u2 1.636-1+b1\n ■ 5 libglib2.0-data 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u3\n ■ 5 libglib2.0-0 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u2\n ■ 7.2 policykit-1 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-gobject-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-backend-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-agent-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.5 dpkg 1.18.25 1.18.26 1.18.25\n ■ 9.3 libjpeg62-turbo 1:1.5.1-2+deb9u1 1:1.5.1-2+deb9u2 1:1.5.1-2\n\nOverall CVSS score: 9.3\n```\n\n## Scoring \n\nCVEs and Security Advisories are rated using the Common Vulnerability Scoring System (CVSS) v3.1 provides the following textual ratings:\n\n- **Info** - `(0)`\n- **Low** - `(0.1-3.9)`\n- **Medium** - `(4.0-6.9)`\n- **High** - `(7.0-8.9)`\n- **Critical** - `(9.0-10.0)`\n\nCVSS scores are translated into the Mondoo Scoring system, which provides both a letter grade (`0 (F) - 100 (A+)`). 
CVSS scores are translated to the Mondoo scoring system as follows:\n\n```\ncvss_score = [0.0 - 10.0]\ncvss_score = 10.0 - (score / 10.0)\nMondoo Score = ( 10.0 - cvss_score ) * 10.0\n```\n\n#### Translating CVSS scores to Mondoo scoring system\n\n```\nCVSS 9.3 =\u003e critical\nMondoo: F score: 7/100\n\nCVSS 9.5 =\u003e critical\nMondoo: F score: 5/100\n\nCVSS 9.6 =\u003e critical\nMondoo: F score: 4/100\n\nCVSS 7.8 =\u003e high\nMondoo: D score: 22/100\n```\n\nFor more information, see [Policy Scoring](https://mondoo.com/docs/platform/policies/scoring) in the Mondoo documentation.\n\n\n### CVE and Advisory Data\n\nThe Mondoo Platform Vulnerability Database is updated multiple times each day with the latest CVEs and advisories to ensure the latest data is available for scans of your infrastructure. \n\n#### Sources \n\n- [Amazon Linux Security Center](https://alas.aws.amazon.com/)\n- [AlmaLinux Errata](https://errata.almalinux.org/)\n- [Alpine Security Issue Tracker](https://security.alpinelinux.org/)\n- [Arch Linux Security](https://security.archlinux.org/)\n- [CentOS Security Advisories](https://lists.centos.org/mailman/listinfo/centos-announce)\n- [Debian Security Bug Tracker](https://security-tracker.debian.org/tracker/)\n- [Fedora Security](https://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org/)\n- [Microsoft Security Response Center](https://www.microsoft.com/en-us/msrc)\n- [Oracle Linux Security](https://linux.oracle.com/security/)\n- [Photon Security Advisories](https://vmware.github.io/photon/docs/security-advisories/)\n- [Red Hat Security Advisories](https://access.redhat.com/security/security-updates)\n- [Suse Security](https://www.suse.com/support/security/)\n- [Ubuntu Security](https://ubuntu.com/security)\n- [VMware Security Advisories](https://www.vmware.com/security.html) \n" - }, - "query_counts": { - "scoring_count": 3, - "data_count": 2, - "total_count": 5 - } - } - ], - "deprecated_v7_queries": [ - { - "query": 
"k8s.clusterroles { * } \n", - "code_id": "xMwLYkaPIdk=", - "checksum": "h/78C5P6ahI=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cluster-clusterroles", - "type": "\u0019\u000c", - "title": "Retrieve cluster RBAC ClusterRoles" - }, - { - "query": "k8s.namespaces{ * }\n", - "code_id": "l9lE/vQppHA=", - "checksum": "pg1eT9vFpUs=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cluster-namespaces", - "type": "\u0019\u000c", - "title": "Retrieve Kubernetes cluster namespaces" - }, - { - "query": "k8s.nodes { * }\n", - "code_id": "IiUQwq+0LZM=", - "checksum": "/U0Zp9h/FVM=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cluster-nodes", - "type": "\u0019\u000c", - "title": "Retrieve cluster modes" - }, - { - "query": "k8s.serverVersion\n", - "code_id": "DruaZGDPTNI=", - "checksum": "j+s0hj31HB4=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cluster-version", - "type": "\n", - "title": "Retrieve Kubernetes cluster version" - }, - { - "query": "k8s.cronjob { * }\n", - "code_id": "9+XIGM5xWl0=", - "checksum": "pZm3EWD6IWs=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cronjob", - "type": "\u000c", - "title": "Retrieve CronJob information" - }, - { - "query": "k8s.cronjob.containers { * }\n", - "code_id": "N4z869vlk8I=", - "checksum": "+jaS00WrFqs=", - "mrn": "//policy.api.mondoo.app/queries/k8s-cronjob-container", - "type": "\u0019\u000c", - "title": "Retrieve container information" - }, - { - "query": "k8s.daemonset { * }\n", - "code_id": "j3JI5TGRKZI=", - "checksum": "8d6OFVI3NiU=", - "mrn": "//policy.api.mondoo.app/queries/k8s-daemonset", - "type": "\u000c", - "title": "Retrieve DaemonSet information" - }, - { - "query": "k8s.daemonset.containers { * }\n", - "code_id": "q02uXHFM+Ug=", - "checksum": "yfEM8J5dyDE=", - "mrn": "//policy.api.mondoo.app/queries/k8s-daemonset-container", - "type": "\u0019\u000c", - "title": "Retrieve container information" - }, - { - "query": "k8s.deployment { * }\n", - "code_id": "apSGKZKCeRk=", - "checksum": "EMDpbRtHTPQ=", - "mrn": 
"//policy.api.mondoo.app/queries/k8s-deployment", - "type": "\u000c", - "title": "Retrieve deployment information" - }, - { - "query": "k8s.deployment.containers { * }\n", - "code_id": "nGDdNrxZ16k=", - "checksum": "JAxZZMw+Zas=", - "mrn": "//policy.api.mondoo.app/queries/k8s-deployment-container", - "type": "\u0019\u000c", - "title": "Retrieve container information" - }, - { - "query": "aws.iam.credentialReport.where( accessKey1Active == true ) { time.now - accessKey1LastRotated \u003c 90 * time.day }\n\naws.iam.credentialReport.where( accessKey2Active == true ) { time.now - accessKey2LastRotated \u003c 90 * time.day }\n", - "code_id": "2Zzzb+5/Cqs=", - "checksum": "iVNk6xM0iI8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-access-keys-rotated", - "type": "\u0001", - "severity": { - "value": 30 - }, - "title": "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge (default 90)", - "docs": { - "desc": "It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.iam.credentialReport.where( accessKey1Active == true || accessKey2Active == true ) { properties['user'] accessKey1Active accessKey2Active accessKey1LastRotated accessKey2LastRotated }\n ```\n \n Example output\n\n ```mql\n aws.iam.credentialReport.where: [\n 0: {\n accessKey1LastRotated: 2021-09-01 01:32:29 +0000 +0000\n accessKey2LastRotated: Never\n accessKey1Active: true\n accessKey2Active: false\n properties[user]: \"jimmy\"\n }\n 1: {\n accessKey1LastRotated: 2021-09-09 19:16:35 +0000 +0000\n accessKey2LastRotated: Never\n accessKey1Active: true\n accessKey2Active: false\n properties[user]: \"robert\"\n }\n 2: {\n accessKey1LastRotated: 2021-06-15 07:18:34 +0000 +0000\n accessKey2LastRotated: Never\n accessKey1Active: true\n accessKey2Active: false\n properties[user]: \"johnpaul\"\n }\n 3: {\n accessKey1LastRotated: 2021-09-29 21:53:04 +0000 +0000\n accessKey2LastRotated: Never\n accessKey1Active: true\n accessKey2Active: false\n properties[user]: \"bonzo\"\n }\n ]\n ```", - "remediation": "To learn how to rotate AWS access keys, see [Rotating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey) in the AWS documentation." 
- }, - "refs": [ - { - "title": "AWS Documentation - Managing access keys for IAM users", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html" - } - ] - }, - { - "query": "# @msg Found ${length} API Gateway(s) containing stage(s) with cache encryption disabled:\n#\n# ${{ arn name }}\naws.apigateway.restapi {\n stages.all(\n methodSettings.values.all(\n _[\"CachingEnabled\"] == false\n ||\n _[\"CachingEnabled\"] == true\n \u0026\u0026\n _[\"CacheDataEncrypted\"] == true\n ) \n )\n}\n", - "code_id": "UII5Yc0eP9Q=", - "checksum": "jEsL25w6X+o=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-api-gw-cache-encrypted", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Checks that all methods in Amazon API Gateway have caching enabled and encrypted", - "docs": { - "desc": "This check ensures all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.\n\nAPI Gateway REST API caches should be encrypted at rest for an added layer of security.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.apigateway.restApis.all(\n stages.all(\n methodSettings.values.all(\n _[\"CachingEnabled\"] == false\n ||\n _[\"CachingEnabled\"] == true\n \u0026\u0026\n _[\"CacheDataEncrypted\"] == true\n ) \n )\n )\n ```\n\n Example output\n\n ```mql\n [failed] [].all()\n actual: [\n 0: aws.apigateway.restapi id = arn:aws:apigateway:us-east-1:053121068929::/apis/dvs21vajtg\n ]\n ```", - "remediation": "__Terraform__\n\n```hcl\n# ... 
other configuration ...\n\nresource \"aws_api_gateway_method_settings\" \"example\" {\n rest_api_id = aws_api_gateway_rest_api.example.id\n stage_name = aws_api_gateway_stage.example.stage_name\n method_path = \"*/*\"\n\n settings {\n cache_data_encrypted = true\n caching_enabled = true\n }\n}\n```\n\n__AWS Console__\n\nTo configure API caching for a given stage\n\n1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.\n2. Choose the API.\n3. Choose Stages.\n4. In the Stages list for the API, choose the stage to add caching to.\n5. Choose Settings.\n6. Choose Enable API cache.\n7. Update the desired settings, then select Encrypt cache data.\n8. Choose Save Changes." - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - } - ] - }, - { - "query": "# @msg Found ${length} CloudTrail trail(s) with kms encryption disabled:\n#\n# ${{ arn name }}\naws.cloudtrail.trail {\n kmsKey != null\n}\n", - "code_id": "b8TVEE4ukNU=", - "checksum": "+E17cQi47Sw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-cloud-trail-encryption-enabled", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Checks that all CloudTrail trails are configured to use the server side encryption KMS", - "docs": { - "desc": "This check ensures CloudTrail is configured to use the server-side encryption (SSE) AWS KMS key encryption. The check passes if the KmsKeyId is defined.\n\nFor more information on CloudTrail encryption at rest, please see:\n\n 1. [Server Side Encryption with AWS KMS-managed key (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html)\n 2. [Amazon Server Side Encryption with Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. 
Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.cloudtrail.trails.all(\n kmsKey != null\n )\n ```\n\n Example output\n\n ```mql\n [failed] [].all()\n actual: [\n 0: aws.cloudtrail.trail id = arn:aws:cloudtrail:us-east-1:053121068929:trail/s3-data-events\n ]\n ```", - "remediation": "__Terraform__\n\n```hcl\nTODO\n```\n\n__AWS Console__\n\nTo enable encryption for CloudTrail logs\n\n 1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.\n 2. Choose Trails.\n 3. Choose the trail to update.\n 4. Under General details, choose Edit.\n 5. For Log file SSE-KMS encryption, select Enabled.\n 6. For Create a new KMS key, do one of the following:\n \n * To create a key, choose New. Then in AWS KMS alias, enter an alias for the key. The key is created in the same Region as the S3 bucket.\n * To use an existing key, choose Existing, then from AWS KMS alias, choose the key.\n * The AWS KMS key and S3 bucket must be in the same Region.\n\n 7. 
Choose Save.\n\n__AWS CLI__\n\n```bash\nTODO\n```" - } - }, - { - "query": "aws.cloudwatch.loggroup { kmsKey != null }", - "code_id": "KpMS5q59Mew=", - "checksum": "cRbyoxbyK18=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-cloudwatch-log-group-encrypted", - "type": "\u000c", - "title": "Checks that all log groups in Amazon CloudWatch Logs are encrypted with KMS" - }, - { - "query": "# @msg Found ${length} DynamoDB tables not using KMS encryption.\n#\n# ${{name arn region sseDescription}}\naws.dynamodb.table {\n sseDescription[\"SSEType\"] == \"KMS\" \n \u0026\u0026 sseDescription[\"Status\"] == \"ENABLED\"\n}\n", - "code_id": "OtEkNmf8QW0=", - "checksum": "Td2ftRVyyIE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-dynamodb-table-encrypted-kms", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Checks that all DynamoDB tables are encrypted with AWS Key Management Service (KMS)", - "docs": { - "desc": "Checks whether all DynamoDB tables are encrypted with a customer managed KMS key (non-default).", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.dynamodb.tables.where(\n sseDescription.length == 0\n ){*}\n ```\n\n Example output\n\n ```mql\n aws.dynamodb.tables.where: [\n 0: {\n tags: {}\n backups: []\n arn: \"arn:aws:dynamodb:us-east-1:053121068929:table/GameScoresAutoscale\"\n region: \"us-east-1\"\n continuousBackups: {\n ContinuousBackupsStatus: \"ENABLED\"\n PointInTimeRecoveryDescription: {\n EarliestRestorableDateTime: \"2022-08-02T18:54:51Z\"\n LatestRestorableDateTime: \"2022-08-03T15:38:43.954Z\"\n PointInTimeRecoveryStatus: \"ENABLED\"\n }\n }\n sseDescription: {}\n name: \"GameScoresAutoscale\"\n provisionedThroughput: {\n LastDecreaseDateTime: null\n LastIncreaseDateTime: null\n NumberOfDecreasesToday: 0.000000\n ReadCapacityUnits: 1.000000\n WriteCapacityUnits: 1.000000\n }\n }\n ]\n ```", - "remediation": "__Terraform__\n\nTo remediate this check, create an AWS KMS Key and use it to encrypt the violating DynamoDB resource.\n\n```hcl\nresource \"aws_kms_key\" \"dynamodb_encryption\" {\n description = \"Used for DynamoDB encryption configuration\"\n enable_key_rotation = true\n}\n\nresource \"aws_dynamodb_table\" \"example\" {\n # ... other configuration ...\n server_side_encryption {\n enabled = true\n kms_key_arn = aws_kms_key.dynamodb_encryption.arn\n }\n}\n```\n\n__AWS Console__\n\nAssuming there is an existing AWS KMS key available to encrypt DynamoDB.\n\nTo change a DynamoDB table encryption to a customer managed and owned KMS key.\n\n1. Open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.\n2. Choose the table that you want to work with, and then choose Additional settings.\n3. Under Encryption, choose Manage encryption.\n4. For Encryption at rest, choose Stored in your account, and owned and managed by you.\n5. Select the AWS Key to use. 
Save changes.\n\n__AWS CLI__\n\n```bash\naws dynamodb update-table \\\n --table-name \u003cvalue\u003e \\\n --sse-specification \"Enabled=true,SSEType=KMS,KMSMasterKeyId=\u003ckms_key_arn\u003e\"\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - DynamoDB", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/index.html#cli-aws-dynamodb" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - }, - { - "title": "AWS Documentation - DynamoDB encryption at rest", - "url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html" - } - ] - }, - { - "query": "aws.ec2.snapshot { createVolumePermission.none(_['Group'] == \"all\" ) }", - "code_id": "0NhNLToJ5Oo=", - "checksum": "YPG/N1qRwLo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-ebs-snapshot-public-restorable-check", - "type": "\u000c", - "title": "Checks that all EBS snapshots are not publicly restorable" - }, - { - "query": "aws.ec2.ebsEncryptionByDefault.values.all(_ == true)\n", - "code_id": "J+U+b4X2yFc=", - "checksum": "/mU5iNxfbLI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-ebs-encryption-by-default", - "type": "\u0004", - "severity": { - "value": 30 - }, - "title": "Ensure EBS volume encryption is enabled by default", - "docs": { - "desc": "New Amazon EBS volumes aren't encrypted by default. However, there is a setting in the Amazon Elastic Compute Cloud (Amazon EC2) console that turns on encryption by default for all new Amazon EBS volumes and snapshot copies created within a specified Region.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. 
Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query:\n\n ```mql\n aws.ec2.ebsEncryptionByDefault\n ```\n\n Example output:\n\n ```mql\n aws.ec2.ebsEncryptionByDefault\n aws.ec2.ebsEncryptionByDefault: {\n ap-northeast-1: false\n ap-northeast-2: false\n ap-northeast-3: false\n ap-south-1: false\n ap-southeast-1: false\n ap-southeast-2: false\n ca-central-1: false\n eu-central-1: false\n eu-north-1: false\n eu-west-1: false\n eu-west-2: false\n eu-west-3: false\n sa-east-1: false\n us-east-1: true\n us-east-2: true\n us-west-1: false\n us-west-2: false\n }\n ```", - "remediation": "__Terraform__\n\nThe `aws_ebs_encryption_by_default` resource can be used to enable EBS encryption by default. This must be applied to each region.\n\n```hcl\nprovider \"aws\" {\n region = var.region\n}\n\nresource \"aws_ebs_encryption_by_default\" \"example\" {\n enabled = true\n}\n```\n__AWS Console__\n\n1. Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2/).\n2. Select the **Region** from the drop-down menu.\n3. On the **EC2 Dashboard**, under **Account Attributes**, select **Settings**.\n4. Under **EBS Storage**, select **Always encrypt new EBS volumes**.\n5. Select **Change the default key** and choose any of your keys ([default/KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys)) as the **Default encryption key**.\n6. 
Select **Save Settings**.\n\n__AWS CLI__\n\nThe following `enable-ebs-encryption-by-default` example enables EBS encryption for your AWS account in the current region by default.\n\n```bash\naws ec2 enable-ebs-encryption-by-default\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Encryption by default", - "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default" - } - ] - }, - { - "query": "aws.ec2.instances.all(\n httpTokens == \"required\"\n)\n", - "code_id": "Uj3Gp6sT1Dw=", - "checksum": "Gvh5LmlR6Ng=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-imdsv2-check", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Checks whether the instance metadata version is configured with IMDSv2 (http tokens required)", - "docs": { - "desc": "EC2 instances should be configured to use IMDSv2 to prevent unauthorized access to instance metadata from application vulnerabilities such as Server Side Request Forgery (SSRF). IMDSv1 has been involved in security exploits.\n\nBy default, you can use either IMDSv1 or IMDSv2, or both. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the PUT or GET headers, which are unique to IMDSv2, are present in that request. For more information, see [Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/).", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query\n\n ```bash\n aws.ec2.instances.where( httpTokens != \"required\" ) { arn instanceId region tags httpTokens }\n ```\n\n Example Output\n\n ```mql\n aws.ec2.instances.where: [\n 0: {\n instanceId: \"i-0070af411a515f14a\"\n region: \"us-east-1\"\n arn: \"arn:aws:ec2:us-east-1:1234375555:instance/i-0070af411a515f14a\"\n httpTokens: \"optional\"\n tags: {\n Environment: \"windows-development-vpc\"\n Name: \"win19-dev-workstation-106e1f1c\"\n Terraform: \"true\"\n }\n }\n ]\n ```", - "remediation": "In order to remediate this check, there are a series of steps necessary to transition to IMDSv2. The steps include both configuring existing instances (such as changing your Terraform EC2 resources), and updating CLIs, SDKs, and software that uses role credentials.\n\nIf your existing EC2 instance uses IMDSv1, you can reconfigure it to use IMDSv2. To learn how, see: [Transition to using Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2)\n\n__Terraform__\n\nUse the `metadata_options` block to configure `http_tokens = \"required\"`\n\n```hcl\nresource \"aws_instance\" \"web_host\" {\n metadata_options {\n http_tokens = \"required\"\n }\n}\n```\n\n__AWS Console__\n\nTo configure your new EC2 instance with IMDSv2 from the console\n1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.\n2. Choose Launch instance and then choose Launch instance.\n3. In the Configure Instance Details step, under Advanced Details, for Metadata version, choose V2 (token required).\n4. 
Choose Review and Launch.\n\n__AWS CLI__\n\nIn order to modify a running instance\n\n```bash\naws ec2 modify-instance-metadata-options \\\n--instance-id \u003cvalue\u003e\n--http-tokens required \\\n--http-endpoint enabled\n```\n\nIn order to create a new instance\n\n```bash\naws ec2 run-instances \\\n--image-id \u003cami_id\u003e \\\n--instance-type \u003cinstance_flavor\u003e \\\n--metadata-options \"HttpEndpoint=enabled,HttpTokens=required\"\n```" - } - }, - { - "query": "aws.ec2.instances.all( \n publicIp.length == 0 \n)\n", - "code_id": "+SZ/g0vEZ58=", - "checksum": "LvjJ8nY2bh8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-instance-no-public-ip", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensures no instances have a public IP", - "docs": { - "desc": "EC2 instances with a public IP address are at an increased risk of compromise. It is recommended that EC2 instances not be configured with a public IP address.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query to return a list of all running EC2 instances across all enabled regions that along with the `instanceId`, `region`, and the configured `publicIp`\n\n ```mql\n aws.ec2.instances.where( state = \"running\" \u0026\u0026 publicIp != \"\" ) { instanceId region tags publicIp } \n ```\n \n Example output\n\n ```mql\n aws.ec2.instances.where: [\n 0: {\n instanceId: \"i-0070af411a515f14a\"\n tags: {\n Environment: \"windows-development-vpc\"\n Name: \"win19-dev-workstation-106e1f1c\"\n Terraform: \"true\"\n }\n publicIp: \"54.55.222.9\"\n region: \"us-east-1\"\n }\n ]\n ```", - "remediation": "__Terraform__\n\nUse the `associate_public_ip_address = false` argument with the `aws_instance` resource to ensure EC2 instances are provisioned without a public IP address\n\n```hcl \nresource \"aws_instance\" \"no_public_ip\" {\n ...\n associate_public_ip_address = false\n}\n```\n__AWS Console__\n\nBy default, non-default subnets have the IPv4 public addressing attribute set to false, and default subnets have this attribute set to true. An exception is a non-default subnet created by the Amazon EC2 launch instance wizard — the wizard sets the attribute to true. You can modify this attribute using the Amazon VPC console.\n\nTo modify your subnet's public IPv4 addressing behavior:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. In the navigation pane, choose **Subnets**.\n3. Select your subnet and choose **Actions, Edit subnet settings**.\n4. The **Enable auto-assign public IPv4 address** check box, if selected, requests a public IPv4 address for all instances launched into the selected subnet. 
Select or clear the check box as required, and then choose **Save**.\n\n__AWS CLI__\n\nThe following command runs an EC2 Instance in a default subnet without associating a public IP address to it.\n\n```bash\naws ec2 run-instances \\\n--image-id \u003cami_id\u003e \\\n--instance-type \u003cinstance_flavor\u003e \\\n--no-associate-public-ip-address \\\n--key-name MyKeyPair\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Modify the IP addressing behavior of your subnets", - "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html" - }, - { - "title": "Terraform Registry - aws_instance", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance" - } - ] - }, - { - "query": "# @msg Found ${length} EBS volumes not attached to an instance:\n# \n# ${{ arn id volumeType availabilityZone tags }} \naws.ec2.volume { attachments.length \u003e 0 }\n\n# @msg Found ${length} EC2 instances that are not configured to delete volume on termination:\n# \n# ${{ arn instanceId region tags }} \nif (props.ebsVolumeDeleteOnTermination) {\n aws.ec2.instances.all(deviceMappings.all(deleteOnTermination == true ))\n}\n", - "code_id": "rYqkqvM+U4Y=", - "checksum": "Wq3uPG5am8g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-ec2-volume-inuse-check", - "type": "\u0001", - "severity": { - "value": 30 - }, - "title": "Checks whether EBS volumes are attached to EC2 instances and configured for deletion on instance termination", - "docs": { - "desc": "Identifying and removing unattached (unused) Elastic Block Store (EBS) volumes in your AWS account can lower the cost of your monthly AWS bill. Deleting unused EBS volumes also reduces the risk of confidential or sensitive data leaving your premises. This check ensures there are no EBS volumes that are not attached to an instance. 
Additionally, it checks whether archived EC2 instances are configured to delete volumes on termination.\n\nBy default, EC2 instances are configured to delete the data in any EBS volumes associated with the instance, and to delete the root EBS volume of the instance. However, any non-root EBS volumes attached to the instance, at launch or during execution, get persisted after termination by default.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.ec2.volumes.where( attachments.length == 0 ) {*}\n ```\n\n Example output\n\n ```mql\n mondoo\u003e aws.ec2.volumes.where( attachments.length == 0 ) {*}\n aws.ec2.volumes.where: [\n 0: {\n volumeType: \"gp2\"\n attachments: []\n availabilityZone: \"us-west-2a\"\n encrypted: false\n id: \"vol-0f5661d9f9db6dd3a\"\n arn: \"arn:aws:ec2:us-west-2:187043755555:volume/vol-0f5661d9f9db6dd3a\"\n state: \"available\"\n tags: {\n Name: \"Unattached Test\"\n }\n }\n ] \n ```", - "remediation": "__Terraform__\n\nIn order to prevent this scenario using Terraform, create EC2 instances with embedded EBS blocks. This ensures that any EBS blocks associated with the instance (not only the root) will be deleted on instance termination by having the attribute `ebs_block_device.delete_on_termination` defaulted to `true`.\n\n```hcl\nresource \"aws_instance\" \"web\" {\n ami = \u003cami_id\u003e\n instance_type = \u003cinstance_flavor\u003e\n ebs_block_device {\n delete_on_termination = true # Default\n device_name = \"/dev/sdh\"\n }\n```\n\n__AWS Console__\n\nTo delete an EBS volume using the console\n\n1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.\n2. In the navigation pane, choose **Volumes**.\n3. Select the volume to delete and choose **Actions, Delete volume**.\n4. Note: If Delete volume is greyed out, the volume is attached to an instance. 
You must detach the volume from the instance before it can be deleted.\n5. In the confirmation dialog box, choose **Delete**.\n\n__AWS CLI__\n\nThis example command deletes an available volume with the volume ID of vol-049df61146c4d7901. If the command succeeds, no output is returned.\n\n```bash\naws ec2 delete-volume --volume-id vol-049df61146c4d7901\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Delete an Amazon EBS volume", - "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html" - } - ] - }, - { - "query": "# @msg Found ${length} EFS file systems that are not encrypted:\n# \n# ${{ name arn id region tags }} \naws.efs.filesystem {\n encrypted == true \u0026\u0026 kmsKey != null \n}\n", - "code_id": "3m+8zuU42HA=", - "checksum": "OR9JEhTG55U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-efs-encrypted-check", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Checks whether EFS is configured to encrypt file data using KMS", - "docs": { - "desc": "Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. This check ensures that all EFS file systems are configured with encryption at rest across all enabled regions in the account.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.efs.filesystems.where( encrypted == false ) {*}\n ```\n\n Example output\n\n ```mql\n aws.efs.filesystems.where: [\n 0: {\n tags: {\n Name: \"12344375555-mondoo-demo-efs\"\n git_file: \"terraform/aws/efs.tf\"\n git_org: \"mondoolabs\"\n git_repo: \"mondoo-demo-environment\"\n }\n id: \"fs-0a73947e541509f0e\"\n region: \"us-west-2\"\n name: \"12344375555-mondoo-demo-efs\"\n kmsKey: null\n encrypted: false\n arn: \"arn:aws:elasticfilesystem:us-west-2:12344375555:file-system/fs-0a73947e541509f0e\"\n }\n ] \n ```", - "remediation": "__Terraform__\n\nThe following code snippet can be used to create a KMS encrypted EFS (Note: `kms_key_id` attribute is optional, and a key will be created if no kms key id is passed)\n\n```hcl\nresource \"aws_efs_file_system\" \"encrypted-efs\" {\n creation_token = \"my-kms-encrypted-efs\"\n encrypted = true\n kms_key_id = \"arn:aws:kms:us-west-2:12344375555:key/16393ebd-3348-483f-b162-99b6648azz23\"\n\n tags = {\n Name = \"MyProduct\"\n }\n}\n``` \n\n__AWS Console__\n\nTo configure EFS with encryption using the AWS console, see [Encrypting a file system at rest using the console](https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html).\n\n__AWS CLI__\n\nIt is important to notice that while creating EFS from the console enables encryption at rest by default, that is not true for EFS created using the CLI, API or SDK. 
The following example allows you to create an encrypted file system in your infrastructure.\n\n```bash\naws efs create-file-system \\\n--backup \\\n--encrypted \\\n--region us-east-1 \\\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security in Amazon EFS", - "url": "https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html" - }, - { - "title": "Terraform Registry - aws_efs_file_system resource", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system" - }, - { - "title": "AWS Documentation - Creating a file system using the AWS CLI", - "url": "https://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html#creating-using-fs-part1-cli" - } - ] - }, - { - "query": "aws.es.domain { encryptionAtRestEnabled == true }", - "code_id": "JOZxrgluxOA=", - "checksum": "i1BTIl2j6VI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-elasticsearch-encrypted-at-rest", - "type": "\u000c", - "title": "Checks that all ES domains have encryption at rest configuration enabled" - }, - { - "query": "aws.elb.loadbalancer { attributes \n { _['Key'] == \"deletion_protection.enabled\" \u0026\u0026 _['Value'] == true} \n}\n", - "code_id": "XldyduJWTCI=", - "checksum": "gYAkZJCvcI0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-elb-deletion-protection-enabled", - "type": "\u000c", - "title": "Checks whether elastic load balancing has deletion protection enabled" - }, - { - "query": "aws.iam.groups.all(usernames.length \u003e 0)\n", - "code_id": "md9xKQwImek=", - "checksum": "jk8yH+O98fg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-group-has-users-check", - "type": "\u0004", - "title": "Checks whether IAM groups have at least one IAM user", - "docs": { - "desc": "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations by ensuring that IAM groups have 
at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.iam.groups.where( usernames.length == 0 ) {*}\n ```\n\n Example output\n\n ```mql\n aws.iam.groups.where: [\n 0: {\n name: \"MyUserGroup\"\n id: \"AGPASSOFBMF7OMHVGHACB\"\n createDate: 2022-01-11 18:19:26 +0000 UTC\n usernames: []\n arn: \"arn:aws:iam::177043759486:group/MyUserGroup\"\n }\n ]\n ```", - "remediation": "To delete empty IAM groups, see [Deleting an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html) in the AWS documentation." - }, - "refs": [ - { - "title": "AWS Documentation -Managing IAM user groups", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html" - } - ] - }, - { - "query": "aws.iam.group { usernames.length \u003e 0 }\n", - "code_id": "UQ4ssww0T6c=", - "checksum": "7A+NNvX55nY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-group-has-users-check-single-group", - "type": "\u000c", - "title": "Checks whether IAM groups have at least one IAM user", - "docs": { - "desc": "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.iam.groups.where( usernames.length == 0 ) {*}\n ```\n\n Example output\n\n ```mql\n aws.iam.groups.where: [\n 0: {\n name: \"MyUserGroup\"\n id: \"AGPASSOFBMF7OMHVGHACB\"\n createDate: 2022-01-11 18:19:26 +0000 UTC\n usernames: []\n arn: \"arn:aws:iam::177043759486:group/MyUserGroup\"\n }\n ]\n ```", - "remediation": "To delete empty IAM groups, see [Deleting an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html) in the AWS documentation." - }, - "refs": [ - { - "title": "AWS Documentation -Managing IAM user groups", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html" - } - ] - }, - { - "query": "aws.iam.accountPasswordPolicy['RequireUppercaseCharacters'] == props.iamPasswordPolicyRequireUppercaseCharacters\naws.iam.accountPasswordPolicy['RequireLowercaseCharacters'] == props.iamPasswordPolicyRequireLowercaseCharacters\naws.iam.accountPasswordPolicy['RequireSymbols'] == props.iamPasswordPolicyRequireSymbols\naws.iam.accountPasswordPolicy['RequireNumbers'] == props.iamPasswordPolicyRequireNumbers\naws.iam.accountPasswordPolicy['MinimumPasswordLength'] \u003e= props.iamPasswordPolicyMinimumPasswordLength\naws.iam.accountPasswordPolicy['PasswordReusePrevention'] == props.iamPasswordPolicyPasswordReusePrevention\naws.iam.accountPasswordPolicy['MaxPasswordAge'] \u003c= props.iamPasswordPolicyMaxPasswordAge\n", - "code_id": "hK/sVpTRxPo=", - "checksum": "oP58pHCVa3s=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-password-policy", - "type": "\u0001", - "severity": { - "value": 30 - }, - "title": "Checks whether the account password policy for IAM users meets the specified requirements", - "docs": { - "desc": "AWS allows for custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. 
IAM user passwords must meet the default AWS password policy if you don't set a custom password policy. AWS security best practices recommends the following password complexity requirements:\n\n- Require at least one uppercase character in passwords.\n- Require at least one lowercase character in passwords.\n- Require at least one symbol in passwords.\n- Require at least one number in passwords.\n- Require a minimum password length of at least 14 characters.\n- Require at least 24 passwords before allowing reuse.\n- Require at least 90 before password expiration.\nThis check ensures all of the specified password policy requirements.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query:\n\n ```mql\n aws.iam.accountPasswordPolicy\n ```\n\n Example output:\n\n ```mql\n aws.iam.accountPasswordPolicy: {\n AllowUsersToChangePassword: true\n ExpirePasswords: true\n HardExpiry: false\n MaxPasswordAge: \"180\"\n MinimumPasswordLength: \"14\"\n PasswordReusePrevention: \"24\"\n RequireLowercaseCharacters: true\n RequireNumbers: true\n RequireSymbols: true\n RequireUppercaseCharacters: true\n }\n ```", - "remediation": "__Terraform__\n\n```hcl\nresource \"aws_iam_account_password_policy\" \"strict\" {\n allow_users_to_change_password = true\n require_uppercase_characters = true\n require_lowercase_characters = true\n require_symbols = true\n require_numbers = true\n minimum_password_length = 14\n password_reuse_prevention = 24\n max_password_age = 90\n}\n```\n\n__AWS Console__\n\nTo create a custom password policy: \n\n1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.\n2. In the navigation pane, choose Account settings.\n3. In the Password policy section, choose Change password policy.\n4. Select the options you want to apply to your password policy and choose Save changes.\n\nTo change a custom password policy: \n\n1. 
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.\n2. In the navigation pane, choose Account settings.\n3. In the Password policy section, choose Change.\n4. Select the options you want to apply to your password policy and choose Save changes.\n\n__AWS CLI__\n\n```bash\naws iam update-account-password-policy \\\n--allow-users-to-change-password \\\n--require-uppercase-characters \\\n--require-lowercase-characters \\\n--require-symbols \\\n--require-numbers \\\n--minimum-password-length 14 \\\n--password-reuse-prevention 24 \\\n--max-password-age 90\n```" - }, - "refs": [ - { - "title": "Managing user passwords in AWS", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords.html" - }, - { - "title": "Setting an account password policy for IAM users", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html" - } - ] - }, - { - "query": "aws.iam.credentialReport.where( properties[\"user\"] == \"\u003croot_account\u003e\") {\n accessKey1Active == false \n accessKey2Active == false \n}\n", - "code_id": "whgiiBFKrjY=", - "checksum": "NelfGQZeDm4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-root-access-key-check", - "type": "\u0019\u000c", - "title": "Ensure no root user account access key exists", - "docs": { - "desc": "AWS strongly recommends that you not use the root user for your everyday tasks, even administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. Anyone with root user credentials for your AWS account has unrestricted access to all the resources in your account, including billing information.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.iam.credentialReport.where( properties[\"user\"] == \"\u003croot_account\u003e\") { accessKey1Active accessKey2Active }\n ```\n\n Example output\n\n ```mql\n aws.iam.credentialReport.where: [\n 0: {\n accessKey1Active: false\n accessKey2Active: false\n }\n ]\n ```", - "remediation": "If any access keys exist for the root user, see [Deleting access keys for the root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_delete-key) in the AWS documentation." - }, - "refs": [ - { - "title": "AWS Documentation - AWS account root user", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" - } - ] - }, - { - "query": "aws.iam.users.all( attachedPolicies.length == 0 )\n\naws.iam.users.all( policies.length == 0 )\n", - "code_id": "d0DwOrKfy2s=", - "checksum": "9P1cfSpKcYc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-user-no-inline-policies-check", - "type": "\u0001", - "title": "Ensure IAM Users Receive Permissions Only Through Groups", - "docs": { - "desc": "AWS that IAM users must inherit permissions from IAM groups or roles. This policy checks that none of your IAM users have policies attached directly to the user. The rule is NONCOMPLIANT if there is at least one IAM user with policies attached.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.iam.users.where( policies.length != 0 || attachedPolicies.length != 0 ) { name arn policies attachedPolicies }\n ```\n\n Example output\n\n ```mql\n aws.iam.users.where: [\n 0: {\n arn: \"arn:aws:iam::1234567890987:user/1234567890987-alice\"\n name: \"1234567890987-alice\"\n attachedPolicies: []\n policies: [\n 0: \"excess_policy\"\n ]\n }\n 1: {\n arn: \"arn:aws:iam::1234567890987:user/maria\"\n name: \"maria\"\n attachedPolicies: [\n 0: aws.iam.policy id = arn:aws:iam::1234567890987:policy/ec2-instance-connect-sendssh\n ]\n policies: []\n }\n 2: {\n arn: \"arn:aws:iam::1234567890987:user/bobby\"\n name: \"bobby\"\n attachedPolicies: [\n 0: aws.iam.policy id = arn:aws:iam::1234567890987:policy/terraform20210901011436036200000004\n ]\n policies: []\n }\n ]\n ```", - "remediation": "To learn how to remove inline policies from IAM users, see [Removing a permissions policy from a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console) in the AWS documentation." - }, - "refs": [ - { - "title": "Managed policies and inline policies", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html" - } - ] - }, - { - "query": "aws.iam.user { attachedPolicies.length == 0 }\n\naws.iam.user { policies.length == 0 }\n", - "code_id": "Zw6saefTWh4=", - "checksum": "idSZmDSofO0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-user-no-inline-policies-check-single-user", - "type": "\u0001", - "title": "Ensure IAM Users Receive Permissions Only Through Groups", - "docs": { - "desc": "AWS that IAM users must inherit permissions from IAM groups or roles. This policy checks that none of your IAM users have policies attached directly to the user. The rule is NONCOMPLIANT if there is at least one IAM user with policies attached.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. 
Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.iam.users.where( policies.length != 0 || attachedPolicies.length != 0 ) { name arn policies attachedPolicies }\n ```\n\n Example output\n\n ```mql\n aws.iam.users.where: [\n 0: {\n arn: \"arn:aws:iam::1234567890987:user/1234567890987-alice\"\n name: \"1234567890987-alice\"\n attachedPolicies: []\n policies: [\n 0: \"excess_policy\"\n ]\n }\n 1: {\n arn: \"arn:aws:iam::1234567890987:user/maria\"\n name: \"maria\"\n attachedPolicies: [\n 0: aws.iam.policy id = arn:aws:iam::1234567890987:policy/ec2-instance-connect-sendssh\n ]\n policies: []\n }\n 2: {\n arn: \"arn:aws:iam::1234567890987:user/bobby\"\n name: \"bobby\"\n attachedPolicies: [\n 0: aws.iam.policy id = arn:aws:iam::1234567890987:policy/terraform20210901011436036200000004\n ]\n policies: []\n }\n ]\n ```", - "remediation": "To learn how to remove inline policies from IAM users, see [Removing a permissions policy from a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console) in the AWS documentation." - }, - "refs": [ - { - "title": "Managed policies and inline policies", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html" - } - ] - }, - { - "query": "aws.iam.credentialReport.none( accessKey1Active == true \u0026\u0026 accessKey2Active == true )", - "code_id": "LxwvC2dhWBw=", - "checksum": "RFob/PV4p/Y=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-iam-users-only-one-access-key", - "type": "\u0004", - "title": "Ensure there is only one active access key available for any single IAM user", - "docs": { - "desc": "This check ensures for the existence of more than one access key for each user within an AWS account. Each AWS key within an account is something that must be protected, and rotated regularly. 
Since AWS access keys are long-term credentials, one of the best ways to protect your account is to not allow users to have multiple access keys, which reduces the overall number of keys, reducing the risk of exposure.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query:\n \n ```mql\n aws.iam.users.where(accessKeys[0].length \u003e= 1) \n ```", - "remediation": "__From Console:__\n\n1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.\n2. In the left navigation panel, choose **Users**.\n3. Select the IAM user name that you want to examine.\n4. On the IAM user configuration page, select **Security Credentials** tab.\n5. In the Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n6. In the same Access Keys section, identify your non-operational access keys (other than the chosen one) and deactivate it by selecting the Make Inactive link.\n\nIf you receive the Change Key Status confirmation box, select **Deactivate** to switch off the selected key.\n\nRepeat steps no. 3 - 7 for each IAM user in your AWS account.\n\n__From Command Line:__\n\nUsing the IAM user and access key information provided in the Audit CLI, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.\n\nRun the `update-access-key`` command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). 
Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user\n\n**Note:** The following command does not return any output:\n\n```bash\naws iam update-access-key --access-key-id \u003caccess-key-id\u003e --status Inactive --user-name \u003cuser-name\u003e\n```\n\nTo confirm that the selected access key pair has been successfully deactivated run the list-access-keys audit command again for that IAM User:\n\n```bash\naws iam list-access-keys --user-name \u003cuser-name\u003e\n```\n\nThe command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) Status is set to Inactive, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.\n\nRepeat steps no. 1 - 3 for each IAM user in your AWS account." - } - }, - { - "query": "aws.lambda.function { concurrency \u003e 0 }", - "code_id": "3CL5HnMI3C0=", - "checksum": "IVelpg/d0bM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-lambda-concurrency-check", - "type": "\u000c", - "title": "Checks whether lambda functions are configured with function-level concurrent execution limit" - }, - { - "query": "aws.iam.credentialReport.all(\n mfaActive == true\n)\n", - "code_id": "ZinRczY6hZ0=", - "checksum": "66nUpjTaEDQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-mfa-enabled-for-iam-console-access", - "type": "\u0004", - "severity": { - "value": 95 - }, - "title": "Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled", - "docs": { - "desc": "Multi-factor authentication (MFA) is a best practice that adds an extra layer of protection on top of user names and passwords. With MFA, when a user signs in to the AWS Management Console, they are required to provide a time-sensitive authentication code provided by a registered virtual or physical device.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. 
Run the command `cnspec shell aws`.\n3. Run the following query: \n\n ```mql\n aws.iam.credentialReport.where(\n mfaActive != true\n ) {arn properties[\"user\"]}\n ```\n Example output:\n\n ```mql\n aws.iam.credentialReport.where: [\n 0: {\n properties[user]: \"test-iam-user\"\n arn: \"arn:aws:iam::053121068929:user/users/test-iam-user\"\n }\n ]\n ```", - "remediation": "Note: This check uses the AWS Credential Report, which has a grace period of 4 hours before changes to credentials take effect.\n\n__Terraform__\n\nWhen it comes to Terraform, there are a few options to remediate the absence of MFA devices. You probably already have a sensible structure for organizing your users into groups and restrictive policies.\n\nThe following example shows how to:\n1. Create users.\n2. Create users' login profiles with a PGP public key.\n3. Create a group and group policy that allows self-management of IAM profiles.\n4. Attach users to a group.\n5. Create Virtual MFA devices for users.\n6. Provide each user with the output QR Code and password.\n\n```hcl\nvariable \"users\" {\n type = set(string)\n default = [\n \"mondoo-test@mondoo.com\",\n \"mondoo-test2@mondoo.com\"\n ]\n}\n\nresource \"aws_iam_user\" \"mondoo_test_users\" {\n for_each = toset(var.users)\n name = each.key\n}\n\nresource \"aws_iam_user_login_profile\" \"mondoo_test_users_profile\" {\n for_each = var.users\n user = each.key\n # Key pair created using GnuPG. 
This is the public key\n pgp_key = file(\"path/to/gpg_pub_key_base64.pem\")\n password_reset_required = true\n lifecycle {\n ignore_changes = [\n password_length,\n password_reset_required,\n pgp_key,\n ]\n }\n}\n\nresource \"aws_iam_virtual_mfa_device\" \"mondoo_test_mfa\" {\n for_each = toset(var.users)\n virtual_mfa_device_name = each.key\n}\n\nresource \"aws_iam_group\" \"enforce_mfa_group\" {\n name = \"EnforceMFAGroup\"\n}\n\nresource \"aws_iam_group_membership\" \"enforce_mfa_group_membership\" {\n name = \"EnforceMFAGroupMembership\"\n group = aws_iam_group.enforce_mfa_group.name\n users = [for k in aws_iam_user.mondoo_test_users : k.name]\n}\n\nresource \"aws_iam_group_policy\" \"enforce_mfa_policy\" {\n name = \"EnforceMFAGroupPolicy\"\n group = aws_iam_group.enforce_mfa_group.id\n policy = \u003c\u003cPOLICY\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowViewAccountInfo\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:GetAccountPasswordPolicy\",\n \"iam:ListVirtualMFADevices\"\n ],\n \"Resource\": \"*\"\n }, \n {\n \"Sid\": \"AllowManageOwnPasswords\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ChangePassword\",\n \"iam:GetUser\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnAccessKeys\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateAccessKey\",\n \"iam:DeleteAccessKey\",\n \"iam:ListAccessKeys\",\n \"iam:UpdateAccessKey\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnSigningCertificates\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:DeleteSigningCertificate\",\n \"iam:ListSigningCertificates\",\n \"iam:UpdateSigningCertificate\",\n \"iam:UploadSigningCertificate\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnSSHPublicKeys\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:DeleteSSHPublicKey\",\n \"iam:GetSSHPublicKey\",\n 
\"iam:ListSSHPublicKeys\",\n \"iam:UpdateSSHPublicKey\",\n \"iam:UploadSSHPublicKey\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnGitCredentials\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateServiceSpecificCredential\",\n \"iam:DeleteServiceSpecificCredential\",\n \"iam:ListServiceSpecificCredentials\",\n \"iam:ResetServiceSpecificCredential\",\n \"iam:UpdateServiceSpecificCredential\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnVirtualMFADevice\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateVirtualMFADevice\",\n \"iam:DeleteVirtualMFADevice\"\n ],\n \"Resource\": \"arn:aws:iam::*:mfa/$${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnUserMFA\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:DeactivateMFADevice\",\n \"iam:EnableMFADevice\",\n \"iam:ListMFADevices\",\n \"iam:ResyncMFADevice\"\n ],\n \"Resource\": \"arn:aws:iam::*:user/$${aws:username}\"\n },\n {\n \"Sid\": \"DenyAllExceptListedIfNoMFA\",\n \"Effect\": \"Deny\",\n \"NotAction\": [\n \"iam:CreateVirtualMFADevice\",\n \"iam:EnableMFADevice\",\n \"iam:GetUser\",\n \"iam:ListMFADevices\",\n \"iam:ListVirtualMFADevices\",\n \"iam:ResyncMFADevice\",\n \"sts:GetSessionToken\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"BoolIfExists\": {\n \"aws:MultiFactorAuthPresent\": \"false\"\n }\n }\n }\n ]\n}\nPOLICY\n}\n\noutput \"user_password_map\" {\n # Outputs a map in the format {\"mondoo-test@mondoo.com\": \u003cPGPEncryptedPassword\u003e, \"mondoo-test2@mondoo.com\": \u003cPGPEncryptedPassword\u003e}\n value = { for k, v in aws_iam_user_login_profile.mondoo_test_users_profile : k =\u003e v.password }\n}\n\noutput \"user_qr_map\" {\n # Outputs a map in the format {\"mondoo-test@mondoo.com\": \u003cQRCode\u003e, \"mondoo-test2@mondoo.com\": \u003cQRCode\u003e}\n value = { for k, v in aws_iam_virtual_mfa_device.mondoo_test_mfa : k =\u003e v.qr_code_png }\n}\n\n__AWS 
Console__\n\nTo enable MFA for any user accounts with AWS console access, see [Enabling a virtual multi-factor authentication (MFA) device (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) in the AWS documentation.\n\n**To enable a virtual MFA device for an IAM user (console)**\n\n1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.\n2. In the navigation pane, choose Users.\n3. In the User Name list, choose the name of the intended MFA user.\n4. Choose the Security credentials tab. Next to Assigned MFA device, choose Manage.\n5. In the Manage MFA Device wizard, choose Virtual MFA device and then choose Continue.\n6. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic represents the \"secret configuration key\" available for manual entry on devices that do not support QR codes.\n7. Open your virtual MFA app. For a list of apps you can use to host virtual MFA devices, see [Multi-Factor Authentication](https://aws.amazon.com/iam/features/mfa/).\n8. If the virtual MFA app supports multiple virtual MFA devices or accounts, choose the option to create a new virtual MFA device or account.\n9. Determine whether the MFA app supports QR codes, and then do one of the following:\n\n * From the wizard, choose Show QR code, and then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.\n * In the Manage MFA Device wizard, choose Show secret key, and then type the secret key into your MFA app.\n\n10. When you finish, the virtual MFA device generates one-time passwords.\n11. In the Manage MFA Device wizard, in the MFA code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. 
Then type the second one-time password into the MFA code 2 box. \n12. Choose Assign MFA.\n\n__AWS CLI__\n\nCreate an MFA device: \n\n```bash\naws iam create-virtual-mfa-device \\\n --virtual-mfa-device-name \"mondoo.test@mondoo.com\" \\\n --outfile ./QRCode.png \\\n --bootstrap-method QRCodePNG\n```\n\nEnable MFA device for existing user:\n\n```bash\naws iam enable-mfa-device \\\n --user-name \"mondoo.test@mondoo.com\" \\\n --serial-number \"arn:aws:iam::123456976749:mfa/mondoo.test@mondoo.com\" \\\n --authentication-code1 123456 \\\n --authentication-code2 654321\n```" - }, - "refs": [ - { - "title": "Using multi-factor authentication (MFA) in AWS", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html" - }, - { - "title": "Enabling a virtual multi-factor authentication (MFA) device (console)", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "# @msg Found ${length} RDS instance(s) that are publicly accessible:\n# \n# ${{arn name region dbInstanceIdentifier tags}}\naws.rds.dbinstance { publiclyAccessible == false }\n", - "code_id": "3uGVktJ7s38=", - "checksum": "OQV1kjS9om8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-rds-instance-public-access-check", - "type": "\u000c", - "severity": { - "value": 95 - }, - "title": "Checks that all RDS instances are not publicly accessible", - "docs": { - "desc": "Check whether the Amazon Relational Database Service instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.\n\nThe default behavior varies depending on whether `DBSubnetGroupName` is specified.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.rds.dbInstances.where(publiclyAccessible == true) {arn name region dbInstanceIdentifier tags}\n ```\n\n Example output\n\n ```mql\n aws.rds.dbInstances.where: [\n 0: {\n arn: \"arn:aws:rds:us-moonbase-2:12345:db:rds-12345-mondoo-demo\"\n tags: {\n Environment: \"12345-mondoo-demo\"\n Name: \"12345-mondoo-demo-rds\"\n git_file: \"terraform/aws/db-app.tf\"\n git_repo: \"mondoo-demo-environment\"\n }\n region: \"us-moonbase-2\"\n dbInstanceIdentifier: \"rds-12345-mondoo-demo\"\n name: \"db1\"\n }\n ]\n ```", - "remediation": "__Terraform__\n\nUse the `aws_db_instance` resource to explicitly state that publicly_accessible = false. \n\n```hcl\nresource \"aws_db_instance\" \"pass_public_accessible\" {\n allocated_storage = 10\n engine = \"mysql\"\n engine_version = \"5.7\"\n instance_class = \"db.t3.micro\"\n name = \"mydb\"\n username = \"foo\"\n password = \"foobarbaz\"\n parameter_group_name = \"default.mysql5.7\"\n skip_final_snapshot = true\n publicly_accessible = false\n}\n```\n\n__AWS Console__\n\nTo remediate this issue, update your RDS DB instances to remove public access.\n\n**To remove public access from RDS DB instances**\n\n1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.\n2. Navigate to Databases and then choose your public database.\n3. Choose Modify.\n4. Under Connectivity, expand Additional connectivity configuration.\n5. Under Public access, choose Not publicly accessible.\n6. Choose Continue.\n7. Under Scheduling of modifications, choose Apply immediately.\n8. Choose Modify DB Instance.\n\n__AWS CLI__\n\nThe following example demonstrates how to remediate publicly accessible RDS instances. Running this command can render your instance unassessable if you rely on the public access for your operations. 
Make sure you review your architecture before applying this remediation.\n\n**In order to modify an existing RDS instance**\n\n```bash\naws rds modify-db-instance \\\n --db-instance-identifier \u003crds_instance_id\u003e \\\n --no-publicly-accessible\n```\n\n**In order to create a new RDS instance without public access**\n\n```bash\naws rds create-db-instance \\\n --db-name \"production\" \\\n --db-instance-identifier \"production-mysql-5-7\" \\\n --db-instance-class \"db.t3.micro\" \\\n --db-parameter-group-name \"default.mysql5.7\" \\\n --engine \"mysql\" \\\n --engine-version \"5.7\" \\\n --allocated-storage 10 \\\n --master-username \"mymasteruser\" \\\n --master-user-password \"mysupersecretpasswordforthemasteruser\"\n```" - }, - "refs": [ - { - "title": "AWS CLI Command Reference - create-db-cluster", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html" - }, - { - "title": "AWS CLI Command Reference - modify-db-instance", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html" - }, - { - "title": "Terraform Registry - aws_db_instance", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible" - }, - { - "title": "AWS Documentation - Security Hub controls reference", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html" - } - ] - }, - { - "query": "# @msg Found ${length} publicly accessible Redshift clusters.\n#\n# ${{name arn region publiclyAccessible}}\naws.redshift.cluster {\n publiclyAccessible == false\n}\n", - "code_id": "H/GR99X1NVs=", - "checksum": "ZYdyr9BK+6w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-redshift-cluster-public-access-check", - "type": "\u000c", - "severity": { - "value": 95 - }, - "title": "Checks whether Redshift clusters are publicly accessible", - "docs": { - "desc": "The PubliclyAccessible attribute 
of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with PubliclyAccessible set to true, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address.\n\nWhen the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with PubliclyAccessible set to true.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect to your AWS environment with cnspec shell: `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.redshift.clusters.where(\n publiclyAccessible != false\n ){name arn region publiclyAccessible}\n ```\n\n Example output\n\n ```mql\n aws.redshift.clusters.where: [\n 0: {\n region: \"us-east-1\"\n publiclyAccessible: true\n name: \"test-redshift-cluster\"\n arn: \"arn:aws:redshift:us-east-1:053121068929:cluster/test-redshift-cluster\"\n }\n ]\n ```", - "remediation": "__Terraform__\n\nTo remediate this check, it is necessary to modify the redshift cluster resource and set `publicly_accessible` to `false`, the default value is `true`.\n\n```hcl\nresource \"aws_redshift_cluster\" \"example\" {\n # ... other configuration ...\n publicly_accessible = false\n}\n```\n\n__AWS Console__\n\nTo disable public access to an Amazon Redshift cluster\n\n1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.\n2. In the navigation menu, choose Clusters, then choose the name of the cluster with the security group to modify.\n3. Choose Actions, then choose Modify publicly accessible setting.\n4. Under Allow instances and devices outside the VPC to connect to your database through the cluster endpoint, choose No.\n5. 
Choose Confirm.\n\n__AWS CLI__\n\nUse the `modify-cluster` command to set `--no-publicly-accessible`.\n\n```bash\naws redshift modify-cluster \\\n --cluster-identifier \"test-redshift-cluster\" \\\n --no-publicly-accessible\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - Redshift", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/index.html" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "aws.iam.credentialReport.where(\n properties[\"user\"] == \"\u003croot_account\u003e\"\n) { mfaActive == true }\n", - "code_id": "piRqXek+tDc=", - "checksum": "uQrjOTFuOXc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-root-account-mfa-enabled", - "type": "\u0019\u000c", - "severity": { - "value": 95 - }, - "title": "Ensure MFA is enabled for the \"root user\" account", - "docs": { - "desc": "AWS highly recommends that you follow the security best practice to enable multi-factor authentication (MFA) for your root account. Because your root user can perform sensitive operations in your account, adding an additional layer of authentication helps you to better secure your account. Multiple types of MFA are available.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query:\n\n ```mql\n aws.iam.credentialReport.where( properties[\"user\"] == \"\u003croot_account\u003e\") { mfaActive passwordLastChanged passwordLastUsed }\n ```\n\n Example output:\n\n ```mql\n aws.iam.credentialReport.where: [\n 0: {\n mfaActive: true\n }\n ]\n ```", - "remediation": "Note: This check uses the AWS Credential Report, which has a grace period of 4 hours before changes to credentials take effect.\n\n__Terraform__\n\nThe following snippet demonstrates creating a virtual device for the root user and returning the QRCode.\nAfter creating the virtual MFA device, the root user can follow the procedure described under the AWS Console section.\n\n```hcl\nresource \"aws_iam_virtual_mfa_device\" \"root_mfa\" {\n virtual_mfa_device_name = \"root\"\n}\noutput \"root_qr_code\" {\n value = tomap({\n (aws_iam_virtual_mfa_device.root_mfa.virtual_mfa_device_name) = aws_iam_virtual_mfa_device.root_mfa.qr_code_png\n })\n}\n```\n__AWS Console__\n\nMFA devices in AWS can be either hardware-based or virtual. To enable an MFA device for the root user, choose one of the following:\n\n1. [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root)\n2. 
[Enable a hardware MFA device for the AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root)\n\n__AWS CLI__\n\nSimilarly to non-root users, you can use the AWS CLI to: \n\nCreate a virtual MFA device:\n\n```bash\naws iam create-virtual-mfa-device \\\n --virtual-mfa-device-name \"root\" \\\n --outfile ./QRCode.png \\\n --bootstrap-method QRCodePNG\n```\n\nActivate MFA device\n\n```bash\naws iam enable-mfa-device \\\n --user-name \"root\" \\\n --serial-number \"arn:aws:iam::123456976749:mfa/root\" \\\n --authentication-code1 123456 \\\n --authentication-code2 654321\n```" - }, - "refs": [ - { - "title": "Enable a virtual MFA device for your AWS account root user (console)", - "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa" - } - ] - }, - { - "query": "aws.kms.key { if (metadata['KeyState'] == \"Enabled\") { keyRotationEnabled == true } }", - "code_id": "pXTHmuNov9Y=", - "checksum": "G5KXg1opG4M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-rotation-customer-created-cmks-enabled", - "type": "\u000c", - "title": "Ensure rotation for customer created CMKs is enabled" - }, - { - "query": "aws.s3.buckets.all( \n publicAccessBlock != null \n \u0026\u0026 publicAccessBlock.values.all(_ == true)\n)\n", - "code_id": "jl9ki7cL7+o=", - "checksum": "xqeQsqBnM+I=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Checks if Amazon Simple Storage Service (S3) has bucket-level public access restrictions at the bucket level", - "docs": { - "desc": "This check ensures S3 buckets have bucket-level public access blocks applied. This check fails if any of the following settings are set to false:\n\n1. ignorePublicAcls\n2. blockPublicPolicy\n3. blockPublicAcls\n4. 
restrictPublicBuckets\n\nBlock Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.\nUnless you intend to have your S3 buckets publicly accessible, you should configure the bucket-level Amazon S3 Block Public Access feature.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.s3.buckets.all( \n publicAccessBlock != null \n \u0026\u0026 publicAccessBlock.values.all(_ == true)\n )\n ```\n\n Example output\n\n ```mql\n [failed] [].all()\n actual: [\n 0: aws.s3.bucket id = arn:aws:s3:::mondoo-test2.policies.test-ui\n ]\n ```", - "remediation": "__Terraform__\n\nThe following resource will create a Public Access Block resource and apply it to the specific bucket.\n\n```hcl\nresource \"aws_s3_bucket_public_access_block\" \"example\" {\n bucket = aws_s3.bucket.example.id\n block_public_acls = true\n block_public_policy = true\n ignore_public_acls = true\n restrict_public_buckets = true\n}\n```\n\n__AWS Console__\n\nTo understand how to use the AWS Console to block public access on a bucket level, see:\n* [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n\n__AWS CLI__\n\n```bash\naws s3api put-public-access-block \\\n --bucket \u003cvalue\u003e\n --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - Blocking public access to your Amazon S3 storage", - "url": 
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" - }, - { - "title": "AWS CLI Command Reference - aws s3api put-public-access-block", - "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" - }, - { - "title": "Terraform Documentation - AWS Provider - aws_s3bucket_public_access_block", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block" - } - ] - }, - { - "query": "aws.s3.bucket { \n publicAccessBlock != null \n \u0026\u0026 publicAccessBlock.values.all(_ == true)\n}\n", - "code_id": "XKwQcTMmyF8=", - "checksum": "gNqYdfwCJGQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-bucket-level-public-access-prohibited-single-bucket", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Checks if Amazon Simple Storage Service (S3) has bucket-level public access restrictions at the bucket level", - "docs": { - "desc": "This check ensures S3 buckets have bucket-level public access blocks applied. this check fails if any of the following settings are set to false:\n\n1. ignorePublicAcls\n2. blockPublicPolicy\n3. blockPublicAcls\n4. restrictPublicBuckets\n\nBlock Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.\nUnless you intend to have your S3 buckets publicly accessible, you should configure the bucket-level Amazon S3 Block Public Access feature.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query \n\n ```mql\n aws.s3.buckets.all( \n publicAccessBlock != null \n \u0026\u0026 publicAccessBlock.values.all(_ == true)\n )\n ```\n\n Example output\n\n ```mql\n [failed] [].all()\n actual: [\n 0: aws.s3.bucket id = arn:aws:s3:::mondoo-test2.policies.test-ui\n ]\n ```", - "remediation": "__Terraform__\n\nThe following resource will create a Public Access Block resource and apply it to the specific bucket.\n\n```hcl\nresource \"aws_s3_bucket_public_access_block\" \"example\" {\n bucket = aws_s3.bucket.example.id\n block_public_acls = true\n block_public_policy = true\n ignore_public_acls = true\n restrict_public_buckets = true\n}\n```\n\n__AWS Console__\n\nTo understand how to use the AWS Console to block public access on a bucket level, see:\n* [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n\n__AWS CLI__\n\n```bash\naws s3api put-public-access-block \\\n --bucket \u003cvalue\u003e\n --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - Blocking public access to your Amazon S3 storage", - "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" - }, - { - "title": "AWS CLI Command Reference - aws s3api put-public-access-block", - "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" - }, - { - "title": "Terraform Documentation - AWS Provider - aws_s3bucket_public_access_block", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block" - } - ] - }, - { - "query": 
"aws.s3control.accountPublicAccessBlock.values.all( _ == true )\n", - "code_id": "FB90eXx/mw8=", - "checksum": "Cn6DqR99/j8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-s3-buckets-account-level-block-public-access", - "type": "\u0004", - "severity": { - "value": 30 - }, - "title": "Checks if the required S3 public access block settings are configured from the account level", - "docs": { - "desc": "Amazon S3 Block Public Access provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects do not allow public access.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query: \n\n```mql\naws.s3control.accountPublicAccessBlock\n```\n\nExample output:\n\n```mql\naws.s3control.accountPublicAccessBlock: null\n```", - "remediation": "__Terraform__\n\nThe following Terraform resource configures account level access to S3:\n\n```hcl\nresource \"aws_s3_account_public_access_block\" \"s3_control\" {\n block_public_acls = true\n block_public_policy = true\n ignore_public_acls = true\n restrict_public_buckets = true\n}\n```\n\n__AWS Console__\n\nTo edit block public access settings for all the S3 buckets in an AWS account.\n\n1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.\n2. Choose Block Public Access settings for this account.\n3. Choose Edit to change the block public access settings for all the buckets in your AWS account.\n4. Choose the settings you want to change, then choose Save changes.\n5. When you're asked for confirmation, enter confirm. 
Then choose Confirm to save your changes.\n\n__AWS CLI__\n\n```bash\naws s3control put-public-access-block \\\n--account-id \u003cvalue\u003e \\\n--public-access-block-configuration '{\"BlockPublicAcls\": true, \"BlockPublicPolicy\": true, \"IgnorePublicAcls\": true, \"RestrictPublicBuckets\": true}'\n```" - }, - "refs": [ - { - "title": "Blocking public access to your Amazon S3 storage", - "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html" - }, - { - "title": "Configuring block public access settings for your account", - "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html" - } - ] - }, - { - "query": "aws.sagemaker.notebookinstance { details.kmsKey != null }", - "code_id": "l3xRBM1YEPU=", - "checksum": "+JM+5MluiQU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-sagemaker-notebook-instance-kms-key-configured", - "type": "\u000c", - "title": "Checks that all SageMaker notebook instances are configured to use KMS" - }, - { - "query": "aws.ec2.securitygroup { ipPermissions.all(ipRanges.length == 0 \u0026\u0026 fromPort == 0 \u0026\u0026 toPort == 0)}", - "code_id": "7rUWROElf18=", - "checksum": "H6tLyJ4MPPM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-secgroup-restricted-ssh", - "type": "\u000c", - "title": "Checks that all incoming SSH traffic for the security groups is restricted" - }, - { - "query": "aws.ec2.securityGroups.where(name == \"default\").all(\n ipPermissions.length == 0\n \u0026\u0026 ipPermissionsEgress.length == 0\n)\n", - "code_id": "EghYLq/5CJc=", - "checksum": "1QlkWX3s6M8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-default-security-group-closed", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure the default security group of every VPC restricts all traffic", - "docs": { - "desc": "The rules for a default security group allow all ingress and egress traffic. 
To keep users from using the default security group (which cannot be deleted) of a VPC, delete all ingress and egress rules to block all traffic.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. Run the following query: \n\n ```mql\n aws.ec2.securityGroups.where(\n name == \"default\"\n ).where(\n ipPermissions.length != 0\n || ipPermissionsEgress.length != 0\n ){id name region ipPermissions{*} ipPermissionsEgress{*}}\n ```\n\n Example output:\n\n ```mql\n aws.ec2.securityGroups.where.where: [\n 0: {\n ipPermissions: [\n 0: {\n id: \"sg-0bd4b1ef47132d3de-0\"\n fromPort: 0\n toPort: 0\n ipProtocol: \"-1\"\n ipv6Ranges: []\n ipRanges: []\n }\n ]\n ipPermissionsEgress: []\n name: \"default\"\n region: \"eu-north-1\"\n id: \"sg-0bd4b1ef47132d3de\"\n }\n ]\n ```", - "remediation": "__Terraform__\n\nTerraform provides the resource `aws_default_security_group`, which differently from other Terraform resources, has the following effects in the state of the infrastructure.\n\n1. \"Adopts\" the default security group for the provided `vpc_id`.\n2. Removes all inbound (ingress) and outbound (egress) rules for the security group.\n\nIn order to remediate this check using Terraform, apply the following logic for every region the account has access to by aliasing the providers. \n\n**Notice:** it is necessary to create a new security group for all VPCs in order to reassign any resources created and previously using the default security groups.\n\n```hcl\nprovider \"aws\" {\n alias = \"us_east_1\"\n region = \"us-east-1\"\n}\n\ndata \"aws_vpcs\" \"us_east_1\" {\n provider = aws.us_east_1\n}\n\nresource \"aws_security_group\" \"replacement_for_default\" {\n name = \"AllowOrDenySomething\"\n for_each = toset(data.aws_vpcs.us_east_1.ids)\n vpc_id = each.value\n ingress {\n # ... other configuration ...\n }\n egress {\n # ... 
other configuration ...\n }\n}\n\nresource \"aws_default_security_group\" \"us_east_1\" {\n for_each = toset(data.aws_vpcs.us_east_1.ids)\n vpc_id = each.value\n provider = aws.us_east_1\n}\n```\n\n__AWS Console__\n\nTo remediate this issue, create new security groups and assign those security groups to your resources (if needed). To prevent the default security groups from being used, remove their inbound and outbound rules.\nTo create new security groups and assign them to your resources:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. In the navigation pane, choose Security groups. View the default security groups details to see the resources that are assigned to them.\n3. Create a set of least-privilege security groups for the resources. For details on how to create security groups, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups) in the Amazon VPC User Guide.\n4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.\n5. On the Amazon EC2 console, change the security group for the resources that use the default security groups to the least-privilege security group you created. See [Changing an instance's security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership) in the Amazon VPC User Guide.\n\nAfter you assign the new security groups to the resources, remove the inbound and outbound rules from the default security groups. This ensures that the default security groups are not used.\n\nTo remove the rules from the default security group:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. In the navigation pane, choose Security groups.\n3. Select a default security group and choose the Inbound rules tab. Choose Edit inbound rules. Then delete all inbound rules. Choose Save rules.\n4. Repeat the previous step for each default security group.\n5. 
Select a default security group and choose the Outbound rule tab. Choose Edit outbound rules. Then delete all outbound rules. Choose Save rules.\n6. Repeat the previous step for each default security group.\nFor more information, see [Working with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#WorkingWithSecurityGroups) in the Amazon VPC User Guide.\n\n__AWS CLI__\n\nApply the same logic to the AWS CLI to remediate this check.\n\n**Notice:** Run this against all regions your account has access to.\n\n1. Get the security groups in the region.\n```bash\naws ec2 describe-security-groups\n```\n2. Create a new security group to replace the default in every VPC (if needed).\n```bash\naws ec2 create-security-group \\\n --description \"AllowOrDenySomething\" \\\n --group-name \"AllowOrDenySomething\" \\\n --vpc-id \u003cvalue\u003e\n```\n3. Modify security group to provide inbound and outbound rules.\n```bash\naws ec2 modify-security-group-rules \\\n --group-id \u003cvalue\u003e \\\n --security-group-rules \u003crules\u003e\n```\n4. 
Revoke security group rules from default security groups\n```bash\naws ec2 revoke-security-group-egress \\\n --group-id \u003cid_default_sg\u003e\naws ec2 revoke-security-group-ingress \\\n --group-id \u003cid_default_sg\u003e\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Reference - EC2", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/index.html#cli-aws-ec2" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "aws.ec2.securitygroup { if (name == \"default\") {\n ipPermissions.length == 0\n \u0026\u0026 ipPermissionsEgress.length == 0\n}}\n", - "code_id": "ut8EOBlD2rA=", - "checksum": "mG20h8Bc9PI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-default-security-group-closed-single-secgroup", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure the default security group of every VPC restricts all traffic", - "docs": { - "desc": "The rules for a default security group allow all ingress and egress traffic. To keep users from using the default security group (which cannot be deleted) of a VPC, delete all ingress and egress rules to block all traffic.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to your AWS environment `cnspec shell aws`\n3. 
Run the following query: \n\n ```mql\n aws.ec2.securityGroups.where(\n name == \"default\"\n ).where(\n ipPermissions.length != 0\n || ipPermissionsEgress.length != 0\n ){id name region ipPermissions{*} ipPermissionsEgress{*}}\n ```\n\n Example output:\n\n ```mql\n aws.ec2.securityGroups.where.where: [\n 0: {\n ipPermissions: [\n 0: {\n id: \"sg-0bd4b1ef47132d3de-0\"\n fromPort: 0\n toPort: 0\n ipProtocol: \"-1\"\n ipv6Ranges: []\n ipRanges: []\n }\n ]\n ipPermissionsEgress: []\n name: \"default\"\n region: \"eu-north-1\"\n id: \"sg-0bd4b1ef47132d3de\"\n }\n ]\n ```", - "remediation": "__Terraform__\n\nTerraform provides the resource `aws_default_security_group`, which differently from other Terraform resources, has the following effects in the state of the infrastructure.\n\n1. \"Adopts\" the default security group for the provided `vpc_id`.\n2. Removes all inbound (ingress) and outbound (egress) rules for the security group.\n\nIn order to remediate this check using Terraform, please apply the following for every region the account has access to by aliasing the providers. \n\n**Notice:** it is necessary to create a new security group for all VPCs in order to reassign any resources created and previously using the default security groups.\n\n```hcl\nprovider \"aws\" {\n alias = \"us_east_1\"\n region = \"us-east-1\"\n}\n\ndata \"aws_vpcs\" \"us_east_1\" {\n provider = aws.us_east_1\n}\n\nresource \"aws_security_group\" \"replacement_for_default\" {\n name = \"AllowOrDenySomething\"\n for_each = toset(data.aws_vpcs.us_east_1.ids)\n vpc_id = each.value\n ingress {\n # ... other configuration ...\n }\n egress {\n # ... other configuration ...\n }\n}\n\nresource \"aws_default_security_group\" \"us_east_1\" {\n for_each = toset(data.aws_vpcs.us_east_1.ids)\n vpc_id = each.value\n provider = aws.us_east_1\n}\n```\n\n__AWS Console__\n\nTo remediate this issue, create new security groups and assign those security groups to your resources (if needed). 
To prevent the default security groups from being used, remove their inbound and outbound rules.\nTo create new security groups and assign them to your resources:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. In the navigation pane, choose Security groups. View the default security groups details to see the resources that are assigned to them.\n3. Create a set of least-privilege security groups for the resources. For details on how to create security groups, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups) in the Amazon VPC User Guide.\n4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.\n5. On the Amazon EC2 console, change the security group for the resources that use the default security groups to the least-privilege security group you created. See [Changing an instance's security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership) in the Amazon VPC User Guide.\n\nAfter you assign the new security groups to the resources, remove the inbound and outbound rules from the default security groups. This ensures that the default security groups are not used.\n\nTo remove the rules from the default security group:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. In the navigation pane, choose Security groups.\n3. Select a default security group and choose the Inbound rules tab. Choose Edit inbound rules. Then delete all inbound rules. Choose Save rules.\n4. Repeat the previous step for each default security group.\n5. Select a default security group and choose the Outbound rule tab. Choose Edit outbound rules. Then delete all outbound rules. Choose Save rules.\n6. 
Repeat the previous step for each default security group.\nFor more information, see [Working with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#WorkingWithSecurityGroups) in the Amazon VPC User Guide.\n\n__AWS CLI__\n\nApply the same logic to the AWS CLI to remediate this check.\n\n**Notice:** Run this against all regions your account has access to.\n\n1. Get the security groups in the region.\n```bash\naws ec2 describe-security-groups\n```\n2. Create a new security group to replace the default in every VPC (if needed).\n```bash\naws ec2 create-security-group \\\n --description \"AllowOrDenySomething\" \\\n --group-name \"AllowOrDenySomething\" \\\n --vpc-id \u003cvalue\u003e\n```\n3. Modify security group to provide inbound and outbound rules.\n```bash\naws ec2 modify-security-group-rules \\\n --group-id \u003cvalue\u003e \\\n --security-group-rules \u003crules\u003e\n```\n4. Revoke security group rules from default security groups\n```bash\naws ec2 revoke-security-group-egress \\\n --group-id \u003cid_default_sg\u003e\naws ec2 revoke-security-group-ingress \\\n --group-id \u003cid_default_sg\u003e\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Reference - EC2", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/index.html#cli-aws-ec2" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "aws.vpcs.all(\n flowLogs.any(\n status == \"ACTIVE\"\n )\n)\n", - "code_id": "adKrQddEz4k=", - "checksum": "IvDrZiSNpp4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-flow-logs-enabled", - "type": "\u0004", - "severity": { - "value": 30 - }, - "title": "Ensure VPC flow logging is 
enabled in all VPCs", - "docs": { - "desc": "This check ensures Amazon VPC Flow Logs are found and enabled for all VPCs. Default VPCs should always fail this check as they do not come with flow logs activated.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect cnspec Shell to your AWS environment `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.vpcs.where(\n flowLogs.length == 0\n ){id arn region state isDefault flowLogs tags}\n ```\n\n Example output: only showing 1 VPC, but default VPCs in all regions will fail this check.\n\n ```mql\n aws.vpcs.where: [\n 0: {\n arn: \"arn:aws:vpc:eu-north-1:053121068929:id/vpc-0c3955e3d04d2e09a\"\n flowLogs: []\n id: \"vpc-0c3955e3d04d2e09a\"\n isDefault: true\n region: \"eu-north-1\"\n state: \"available\"\n tags: {}\n }\n ...\n ]\n ```", - "remediation": "There are a few considerations while remediating this check:\n\n1. Default VPCs should not be used, therefore they should be deleted to avoid enabling flow logs for them.\n2. Any default or non-default VPC must have flow logs activated.\n3. Therefore the best way to remediate this check is to: \n \n * Migrate resources from default to non-default VPCs.\n * Delete default VPCs.\n * Enable flow logs for the non-default VPCs.\n\nWe recommend using either Terraform or the AWS console as there is automation to delete VPC and its dependencies in place.\n\n__Terraform__\n\nOpen source Terraform modules can help us obtain this result by providing ways to delete VPCs and children dependencies.\n\n**Notice:** The following example is destructive and irreversible. It destroys all child dependencies of default VPCs, including:\n\n1. Subnets\n2. Route tables\n3. NACLs\n4. Internet Gateways\n\nThis module execution will fail for VPCs containing resources attached to the network interfaces. 
In this case, review the resources and redeploy them to a non-default VPC.\n\n```hcl\nterraform {\n required_providers {\n awsutils = {\n source = \"cloudposse/awsutils\"\n }\n }\n}\n\n# Create one for each region\nprovider \"awsutils\" {\n alias = \"ap_northeast_1\"\n region = \"ap-northeast-1\"\n}\n\n# Create one for each region - the creation of this resource will delete the default resources\nresource \"awsutils_default_vpc_deletion\" \"us_east_1\" {\n provider = awsutils.us_east_1\n}\n```\n\nTo enable Flow logs for VPCs with customer-managed KMS keys:\n\n```hcl\ndata \"aws_caller_identity\" \"current\" {}\n\nresource \"aws_kms_key\" \"vpc_flowlog\" {\n description = \"Key to provide encryption to VPC Flow Logs\"\n enable_key_rotation = true\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Action = [\n \"kms:Encrypt*\",\n \"kms:Decrypt*\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Describe*\"\n ]\n Principal = {\n Service = \"logs.\u003cregion\u003e.amazonaws.com\"\n }\n Resource = \"arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*\"\n },\n {\n Sid = \"Enable IAM User Permissions\"\n Effect = \"Allow\"\n Principal = {\n \"AWS\" : \"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root\"\n }\n Action = \"kms:*\"\n Resource = \"*\"\n }\n ]\n })\n}\n\nresource \"aws_cloudwatch_log_group\" \"vpc_flowlog\" {\n name = \"VPCFlowLog\"\n kms_key_id = aws_kms_key.vpc_flowlog.arn\n retention_in_days = \u003cvalue\u003e\n}\n\nresource \"aws_iam_role\" \"vpc_flowlog\" {\n name = \"VPCFlowLog\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Sid = \"VPCFlowLog\"\n Effect = \"Allow\"\n Principal = {\n Service = \"vpc-flow-logs.amazonaws.com\"\n }\n Action = \"sts:AssumeRole\"\n }\n ]\n })\n}\n\nresource \"aws_iam_policy\" \"vpc_flowlog\" {\n name = \"VpcFlowLog\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Action = [\n 
\"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n ],\n Effect = \"Allow\",\n Resource = \"*\"\n }\n ]\n })\n}\n\nresource \"aws_iam_policy_attachment\" \"vpc_flowlog\" {\n name = \"${aws_iam_policy.vpc_flowlog.name}Attachment\"\n roles = [aws_iam_role.vpc_flowlog.id]\n policy_arn = aws_iam_policy.vpc_flowlog.arn\n}\n\nresource \"aws_flow_log\" \"example\" {\n iam_role_arn = aws_iam_role.vpc_flowlog.arn\n log_destination = aws_cloudwatch_log_group.vpc_flowlog.arn\n traffic_type = \"ALL\"\n vpc_id = aws_vpc.example.id\n}\n```\n\n__AWS Console__\n\nTo delete the default VPCs:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. Under Resources by Region, VPCs, choose See all regions.\n3. For each region with a default VPC, choose the region to open the VPC home page for that region in another tab.\n4. Under Your VPCs, check the default VPC.\n5. Under Actions, choose Delete VPC.\n6. In the Delete VPC form, acknowledge that you want to delete the default VPC.\n7. Choose Delete VPC.\n8. In case there are resources deployed to that VPC, an error will be sent back. In that case:\n \n * Create a VPC to hold the resources in the default VPC.\n * Redeploy your resources to the non-default VPC.\n * Try deleting the VPC again.\n\nTo enable VPC flow logging:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. Under Virtual Private Cloud, choose Your VPCs.\n3. Select a VPC to update.\n4. At the bottom of the page, choose Flow Logs.\n5. Choose Create flow log.\n6. For Filter, choose Reject.\n7. For Destination log group, choose the log group to use.\n8. For IAM role, choose the IAM role to use.\n9. Choose Create.\n\n__AWS CLI__\n\nDeleting default VPCs using the CLI is discouraged. 
In order to maintain the idempotency of commands, there is no automated deletion of children resources in place.\n\nWe advise that AWS customers delete default VPCs using either Terraform or the AWS Console (see above).\n\nTo create flow logs for non-default VPCs and send them to CloudWatch (recommended), proceed as follows:\n\n1. Create a policy (`key-policy.json`) to allow the CloudWatch principal access to KMS keys, replace `\u003caccount_id\u003e`\n\n```javascript\n{\n \"Version\": \"2012-10-17\"\n \"Statement\": [\n {\n \"Effect\": \"Allow\"\n \"Action\": [\n \"kms:Encrypt*\",\n \"kms:Decrypt*\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Describe*\"\n ]\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n \"Resource\": \"arn:aws:kms:*:\u003caccount_id\u003e:key/*\"\n },\n {\n \"Sid\": \"Enable IAM User Permissions\"\n \"Effect\": \"Allow\"\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::\u003caccount_id\u003e:root\"\n }\n \"Action\": \"kms:*\"\n \"Resource\": \"*\"\n }\n ]\n}\n```\n\n```bash\naws kms create-key \\\n --description \"Key to provide encryption to VPC Flow Logs\" \\\n --policy file://key-policy.json\n```\n\n2. Enable key rotation\n\n```bash\naws kms enable-key-rotation \\\n --key-id \u003cvalue\u003e\n```\n\n3. Create a policy (`role-policy.json`) to allow CloudWatch to manage log groups\n\n```javascript\n{\n \"Version\": \"2012-10-17\"\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n```\n\n4. Create a role\n\n```bash\naws iam create-role \\\n --path \"/\" \\\n --role-name \"VPCFlowLog\"\n```\n\n5. Attach the policy to the role\n\n```bash\naws iam attach-role-policy \\\n --role-name \u003cvalue\u003e \\\n --policy-arn \u003cvalue\u003e\n```\n\n6. 
Create a CloudWatch log group\n\n```bash\naws logs create-log-group \\\n --log-group-name \u003cvalue\u003e \\\n --kms-key-id \u003cvalue\u003e\n```\n\n7. Create a CloudWatch log flow\n\n```bash\naws ec2 create-flow-logs \\\n --deliver-logs-permission-arn \u003ciam_role_arn\u003e \\\n --traffic-type \"ALL\" \\\n --resource-ids \"\u003clist\u003e\" \"\u003cvpcs\u003e\" \"\u003cids\u003e\" \\\n --resource-type \"VPC\" \\\n --log-destination-type \"cloud-watch-logs\" \\\n --log-destination \u003carn_cloudwatch_log_group\u003e\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - logs", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/index.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - ec2", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/index.html" - }, - { - "title": "Terraform registry - Cloud Posse AWS Utils Provider", - "url": "https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "aws.vpc {\n flowLogs.any(\n status == \"ACTIVE\"\n )\n}\n", - "code_id": "m51k6AabwjU=", - "checksum": "wwkuiEAiHBk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-aws-security-vpc-flow-logs-enabled-single-vpc", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure VPC flow logging is enabled in all VPCs", - "docs": { - "desc": "This check ensures Amazon VPC Flow Logs are found and enabled for all VPCs. Default VPCs should always fail this check as they do not come with flow logs activated.", - "audit": "__cnspec Shell__\n\n1. Open a Terminal.\n2. 
Connect cnspec Shell to your AWS environment `cnspec shell aws`\n3. Run the following query \n\n ```mql\n aws.vpcs.where(\n flowLogs.length == 0\n ){id arn region state isDefault flowLogs tags}\n ```\n\n Example output: only showing 1 VPC, but default VPCs in all regions will fail this check.\n\n ```mql\n aws.vpcs.where: [\n 0: {\n arn: \"arn:aws:vpc:eu-north-1:053121068929:id/vpc-0c3955e3d04d2e09a\"\n flowLogs: []\n id: \"vpc-0c3955e3d04d2e09a\"\n isDefault: true\n region: \"eu-north-1\"\n state: \"available\"\n tags: {}\n }\n ...\n ]\n ```", - "remediation": "There are a few considerations while remediating this check:\n\n1. Default VPCs should not be used, therefore they should be deleted to avoid enabling flow logs for them.\n2. Any default or non-default VPC must have flow logs activated.\n3. Therefore the best way to remediate this check is to: \n \n * Migrate resources from default to non-default VPCs.\n * Delete default VPCs.\n * Enable flow logs for the non-default VPCs.\n\nWe recommend using either Terraform or the AWS console as there is automation to delete VPC and its dependencies in place.\n\n__Terraform__\n\nOpen source Terraform modules can help us obtain this result by providing ways to delete VPCs and children dependencies.\n\n**Notice:** The following example is destructive and irreversible. It destroys all child dependencies of default VPCs, including:\n\n1. Subnets\n2. Route tables\n3. NACLs\n4. Internet Gateways\n\nThis module execution will fail for VPCs containing resources attached to the network interfaces. 
In this case, review the resources and redeploy them to a non-default VPC.\n\n```hcl\nterraform {\n required_providers {\n awsutils = {\n source = \"cloudposse/awsutils\"\n }\n }\n}\n\n# Create one for each region\nprovider \"awsutils\" {\n alias = \"ap_northeast_1\"\n region = \"ap-northeast-1\"\n}\n\n# Create one for each region - the creation of this resource will delete the default resources\nresource \"awsutils_default_vpc_deletion\" \"us_east_1\" {\n provider = awsutils.us_east_1\n}\n```\n\nTo enable Flow logs for VPCs with customer-managed KMS keys:\n\n```hcl\ndata \"aws_caller_identity\" \"current\" {}\n\nresource \"aws_kms_key\" \"vpc_flowlog\" {\n description = \"Key to provide encryption to VPC Flow Logs\"\n enable_key_rotation = true\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Action = [\n \"kms:Encrypt*\",\n \"kms:Decrypt*\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Describe*\"\n ]\n Principal = {\n Service = \"logs.\u003cregion\u003e.amazonaws.com\"\n }\n Resource = \"arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*\"\n },\n {\n Sid = \"Enable IAM User Permissions\"\n Effect = \"Allow\"\n Principal = {\n \"AWS\" : \"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root\"\n }\n Action = \"kms:*\"\n Resource = \"*\"\n }\n ]\n })\n}\n\nresource \"aws_cloudwatch_log_group\" \"vpc_flowlog\" {\n name = \"VPCFlowLog\"\n kms_key_id = aws_kms_key.vpc_flowlog.arn\n retention_in_days = \u003cvalue\u003e\n}\n\nresource \"aws_iam_role\" \"vpc_flowlog\" {\n name = \"VPCFlowLog\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Sid = \"VPCFlowLog\"\n Effect = \"Allow\"\n Principal = {\n Service = \"vpc-flow-logs.amazonaws.com\"\n }\n Action = \"sts:AssumeRole\"\n }\n ]\n })\n}\n\nresource \"aws_iam_policy\" \"vpc_flowlog\" {\n name = \"VpcFlowLog\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Action = [\n 
\"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\",\n ],\n Effect = \"Allow\",\n Resource = \"*\"\n }\n ]\n })\n}\n\nresource \"aws_iam_policy_attachment\" \"vpc_flowlog\" {\n name = \"${aws_iam_policy.vpc_flowlog.name}Attachment\"\n roles = [aws_iam_role.vpc_flowlog.id]\n policy_arn = aws_iam_policy.vpc_flowlog.arn\n}\n\nresource \"aws_flow_log\" \"example\" {\n iam_role_arn = aws_iam_role.vpc_flowlog.arn\n log_destination = aws_cloudwatch_log_group.vpc_flowlog.arn\n traffic_type = \"ALL\"\n vpc_id = aws_vpc.example.id\n}\n```\n\n__AWS Console__\n\nTo delete the default VPCs:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. Under Resources by Region, VPCs, choose See all regions.\n3. For each region with a default VPC, choose the region to open the VPC home page for that region in another tab.\n4. Under Your VPCs, check the default VPC.\n5. Under Actions, choose Delete VPC.\n6. In the Delete VPC form, acknowledge that you want to delete the default VPC.\n7. Choose Delete VPC.\n8. In case there are resources deployed to that VPC, an error will be sent back. In that case:\n \n * Create a VPC to hold the resources in the default VPC.\n * Redeploy your resources to the non-default VPC.\n * Try deleting the VPC again.\n\nTo enable VPC flow logging:\n\n1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.\n2. Under Virtual Private Cloud, choose Your VPCs.\n3. Select a VPC to update.\n4. At the bottom of the page, choose Flow Logs.\n5. Choose Create flow log.\n6. For Filter, choose Reject.\n7. For Destination log group, choose the log group to use.\n8. For IAM role, choose the IAM role to use.\n9. Choose Create.\n\n__AWS CLI__\n\nDeleting default VPCs using the CLI is discouraged. 
In order to maintain the idempotency of commands, there is no automated deletion of children resources in place.\n\nWe advise that AWS customers delete default VPCs using either Terraform or the AWS Console (see above).\n\nTo create flow logs for non-default VPCs and send them to CloudWatch (recommended), proceed as follows:\n\n1. Create a policy (`key-policy.json`) to allow the CloudWatch principal access to KMS keys, replace `\u003caccount_id\u003e`\n\n```javascript\n{\n \"Version\": \"2012-10-17\"\n \"Statement\": [\n {\n \"Effect\": \"Allow\"\n \"Action\": [\n \"kms:Encrypt*\",\n \"kms:Decrypt*\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Describe*\"\n ]\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n \"Resource\": \"arn:aws:kms:*:\u003caccount_id\u003e:key/*\"\n },\n {\n \"Sid\": \"Enable IAM User Permissions\"\n \"Effect\": \"Allow\"\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::\u003caccount_id\u003e:root\"\n }\n \"Action\": \"kms:*\"\n \"Resource\": \"*\"\n }\n ]\n}\n```\n\n```bash\naws kms create-key \\\n --description \"Key to provide encryption to VPC Flow Logs\" \\\n --policy file://key-policy.json\n```\n\n2. Enable key rotation\n\n```bash\naws kms enable-key-rotation \\\n --key-id \u003cvalue\u003e\n```\n\n3. Create a policy (`role-policy.json`) to allow CloudWatch to manage log groups\n\n```javascript\n{\n \"Version\": \"2012-10-17\"\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n```\n\n4. Create a role\n\n```bash\naws iam create-role \\\n --path \"/\" \\\n --role-name \"VPCFlowLog\"\n```\n\n5. Attach the policy to the role\n\n```bash\naws iam attach-role-policy \\\n --role-name \u003cvalue\u003e \\\n --policy-arn \u003cvalue\u003e\n```\n\n6. 
Create a CloudWatch log group\n\n```bash\naws logs create-log-group \\\n --log-group-name \u003cvalue\u003e \\\n --kms-key-id \u003cvalue\u003e\n```\n\n7. Create a CloudWatch log flow\n\n```bash\naws ec2 create-flow-logs \\\n --deliver-logs-permission-arn \u003ciam_role_arn\u003e \\\n --traffic-type \"ALL\" \\\n --resource-ids \"\u003clist\u003e\" \"\u003cvpcs\u003e\" \"\u003cids\u003e\" \\\n --resource-type \"VPC\" \\\n --log-destination-type \"cloud-watch-logs\" \\\n --log-destination \u003carn_cloudwatch_log_group\u003e\n```" - }, - "refs": [ - { - "title": "AWS Documentation - Security Hub Standards", - "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - logs", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/index.html" - }, - { - "title": "AWS Documentation - AWS CLI Command Reference - ec2", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/index.html" - }, - { - "title": "Terraform registry - Cloud Posse AWS Utils Provider", - "url": "https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs" - }, - { - "title": "Terraform Documentation - AWS Provider", - "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs" - } - ] - }, - { - "query": "github.repository.files\n.all( isBinary == false )\ngithub.repository.files\n.where( type == \"dir\" )\n.all( files.where( type != \"dir\").all( isBinary == false) )\n", - "code_id": "T/64kjqCYM8=", - "checksum": "axu5hV5Xkvo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-binary-artifacts", - "type": "\u0001", - "severity": { - "value": 90 - }, - "title": "Ensure repository does not generate binary artifacts", - "docs": { - "desc": "This check determines whether the project has generated executable (binary) artifacts in the source repository. 
Binary artifacts pose security challenges because they cannot be reviewed, and users will often directly use executables if they are included in the source repository, leading to many dangerous behaviors.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. Run the following query\n\n ```mql\n github.repository { files { isBinary } files {files { isBinary } } }\n ```", - "remediation": "Remove the generated executable artifacts from the repository, and then build from source." - }, - "refs": [ - { - "title": "OSSF Scorecard - Binary Artifacts", - "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts" - } - ] - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\ngithub.repository.branches\n.where( isDefault == true )\n.all( protectionRules.enforceAdmins['enabled'] == true )\n", - "code_id": "0t+4rErrHDU=", - "checksum": "BznEhDWF2lY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-enforce-branch-protection", - "type": "\u0001", - "severity": { - "value": 70 - }, - "title": "Ensure repository does not allow bypassing of branch protections rules", - "docs": { - "desc": "This check ensures branch protection rules cannot be bypassed. By default, the restrictions of a branch protection rule do not apply to people with admin permissions to the repository or custom roles with the \"bypass branch protections\" permission in a repository.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. 
Run the following query\n\n ```mql\n github.repository.branches.where( isDefault == true) { protected protectionRules { enforceAdmins['enabled'] } }\n ```", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Do not allow bypassing the above settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#do-not-allow-bypassing-the-above-settings) on the GitHub documentation site." - }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - } - ] - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\n", - "code_id": "9Jh8gyhDX8M=", - "checksum": "4MUvUG3LR3A=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-default-branch-protection", - "type": "\u0004", - "severity": { - "value": 90 - }, - "title": "Ensure GitHub repository default branch is protected", - "docs": { - "desc": "This check ensures that the default branch for the repository has branch protection enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. 
It is highly recommended that the default branch has branch protection enabled, with branch protection rules applied.", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site." - }, - "refs": [ - { - "title": "About Branch protection", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - }, - { - "title": "Changing the default branch", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch" - } - ] - }, - { - "query": "github.repository.files\n.one( name == \".github\" \u0026\u0026 type == \"dir\" )\ngithub.repository.files\n.where( path == \".github\" )\n.all( files.one( name == \"dependabot.yaml\" || name == \"dependabot.yml\" ) )", - "code_id": "a29OLfothKg=", - "checksum": "ERAsURwPVt8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-dependabot-workflow", - "type": "\u0001", - "severity": { - "value": 70 - }, - "title": "Ensure a GitHub Actions workflow exists for Dependabot", - "docs": { - "desc": "This check ensures the existence of a GitHub Actions workflow to run Dependabot checks on the repository by looking for the existence of a `.github/dependabot.yml` or `.github/dependabot.yaml` configuration file.\nDependabot creates pull requests to keep your dependencies up to date, and you can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request.", - "remediation": "GitHub Actions provides many different workflows for running Dependabot checks on a project. 
For more information see [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) in the GitHub documentation site." - } - }, - { - "query": "github.repository.branches\n.where( name == /^release/ )\n.all( protected == true )\n", - "code_id": "Vkt2dtFcrmA=", - "checksum": "fX+3/EGkIR0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-ensure-release-branch-protection", - "type": "\u0004", - "severity": { - "value": 90 - }, - "title": "Ensure GitHub repository release branches are protected", - "docs": { - "desc": "This check ensures that any release branches (i.e. 'release-x.y.z') have branch protection rules enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that any release branches have branch protection enabled, with branch protection rules applied.", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site." - } - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\ngithub.repository.branches\n.where( isDefault == true )\n.all( protectionRules { allowForcePushes['enabled'] == false } )\n", - "code_id": "iKDqcJvPrbQ=", - "checksum": "EDYNk8yIZdk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-prevent-force-pushes-default-branch", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure repository does not allow force pushes to the default branch", - "docs": { - "desc": "This check ensures that the default branch does not allow force pushes. 
Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended to disable force pushes to the default repository branch. By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:\n\n- Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.\n- Allow only specific people or teams to force push to the branch.\n\nIf someone force pushes to a branch, the force push may overwrite commits that other collaborators based their work on. People may have merge conflicts or corrupted pull requests.\n\nEnabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. Run the following query\n\n ```mql\n github.repository.branches.where( isDefault == true) { protected protectionRules { allowForcePushes['enabled'] } }\n ```", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes." 
- }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - } - ] - }, - { - "query": "github.repository.branches\n.where( name == /^release/ )\n.all( protected == true )\ngithub.repository.branches\n.where( name == /^release/ )\n.all( protectionRules { allowForcePushes['enabled'] == false } )\n", - "code_id": "TQygAve8Fa8=", - "checksum": "SuJmG6ba6R4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-prevent-force-pushes-release-branch", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure repository does not allow force pushes to any release branches", - "docs": { - "desc": "This check ensures that the release branch does not allow force pushes. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended to disable force pushes to any release branches. \n\nBy default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:\n\n- Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.\n- Allow only specific people or teams to force push to the branch.\n\nIf someone force pushes to a branch, the force push may overwrite commits that other collaborators have made. Force pushing may cause merge conflicts or corrupted pull requests for other users.\n\nEnabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. 
Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. Run the following query\n\n ```mql\n github.repository.branches.where( isDefault == true) { protected protectionRules { allowForcePushes['enabled'] } }\n ```", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes." - }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - } - ] - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\ngithub.repository.branches\n.where( isDefault == true )\n.all( protectionRules { requiredConversationResolution['enabled'] == true } )\n", - "code_id": "vBVQlczWtbw=", - "checksum": "2w6ex7J1lHA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-require-conversation-resolution", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure branch protection requires conversation resolution before merging", - "docs": { - "desc": "This checks that a branch protection rule is configured to require all comments on the pull request to be resolved before it can be merged to a protected branch. 
Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require conversation resolution before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-conversation-resolution-before-merging) on the GitHub documentation site." - }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - }, - { - "title": "GitHub Documentation - Require conversation resolution before merging", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-conversation-resolution-before-merging" - } - ] - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\ngithub.repository.branches\n.where( isDefault == true )\n.all( protectionRules { requiredStatusChecks.length \u003e 0 } ) \n", - "code_id": "cIpNbBb34wg=", - "checksum": "OL+LLacUl/4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-require-status-checks-before-merging", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure status checks are passing before merging PRs on the default branch", - 
"docs": { - "desc": "This check ensures that all required CI tests pass before collaborators can merge changes to a protected branch. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. Run the following query\n\n ```mql\n github.repository.branches.where( isDefault == true) { protected protectionRules { requiredStatusChecks.length } }\n ```", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require status checks before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging) on the GitHub documentation site." 
- }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - }, - { - "title": "Require status checks before merging", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging" - } - ] - }, - { - "query": "github.repository.branches\n.where( isDefault == true )\n.all( protected == true )\ngithub.repository.branches\n.where( isDefault == true )\n.all( protectionRules { requiredSignatures == true } )\n", - "code_id": "C9Eb4t6SqqQ=", - "checksum": "oOZ/YP16P40=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-required-signed-commits", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure repository branch protection requires signed commits", - "docs": { - "desc": "This check ensures a branch protection rule exists to require signed commits on the default branch. Signing commits and tags locally gives other people confidence about the origin of changes made to a project. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag \"Verified\" or \"Partially verified.\"", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. 
Run the following query\n\n ```mql\n github.repository.branches.where( isDefault == true) { protected protectionRules { requiredSignatures } }\n ```", - "remediation": "To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require signed commits](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits) on the GitHub documentation site." - }, - "refs": [ - { - "title": "GitHub Docs - About protected branches", - "url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" - }, - { - "title": "GitHub Docs - About commit signature verification", - "url": "https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification" - } - ] - }, - { - "query": "if ( github.organization.repositories.one(name == \".github\") ) {\n github.organization.repositories.where( name == \".github\").all( \n files.one( name.downcase == \"security.md\")\n ) || github.repository.files.one( name.downcase == \"security.md\")\n} else {\n github.repository.files.one( name.downcase == \"security.md\")\n}\n", - "code_id": "lIGMnR47C9U=", - "checksum": "a6JAzkZ6P9w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-github-repository-security-security-policy", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure repository defines a security policy", - "docs": { - "desc": "This check tries to determine that the repository defines a security policy. 
\n\nIt is recommended projects provide instructions for reporting a security vulnerability in your project by adding a security policy to your repository.", - "audit": "__cnspec shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitHub `cnspec shell github repo \u003corg/repo_name\u003e --token $GITHUB_TOKEN`\n3. Run the following query\n\n ```mql\n github.repository.files.where( name == /SECURITY.md/ )\n ```", - "remediation": "See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site." - }, - "refs": [ - { - "title": "GitHub Docs - Adding a security policy to your repository", - "url": "https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository" - } - ] - }, - { - "query": "k8s.cronjob {\n namespace != \"default\"\n}\n", - "code_id": "5Yu1DkWEcv4=", - "checksum": "sQk+IwHqYVg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "CronJobs should not run in the default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. 
The following command should return no CronJobs:\n\n```yaml\nkubectl get cronjob -n default\n```", - "remediation": "For any CronJobs running in the default Namespace, update/redeploy the CronJobs to a non-default Namespace:\n\n```yaml\napiVersion:batch/v1\nkind: CronJob\nmetadata:\n name: exampleCronJob\n namespace: cronjob-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.cronjob {\n manifest['spec']['jobTemplate']['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "KB1ADBJbe2c=", - "checksum": "EzplDV7j/58=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. 
This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.cronjob.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "tuaV/gsYljc=", - "checksum": "bcXgVIZXZiw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "CronJobs should not bind to a host port", - "docs": { - "desc": "CronJobs should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no CronJobs are binding any of their containers to a host port:\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any CronJobs that bind to a host port, update the CronJobs to ensure they do not bind to a host port:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n jobTemplate:\n spec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "hwQiDvMRF40=", - "checksum": "rRUXHgdGVus=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n 
requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "jsn3m/DDMG8=", - "checksum": "1rTjVpDekjs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-cronjob-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.daemonset {\n namespace != \"default\"\n}\n", - "code_id": "MkFWoLvOF70=", - "checksum": "yNk/zl+GFEI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-default-namespace", - 
"type": "\u000c", - "severity": { - "value": 20 - }, - "title": "DaemonSets should not run in the default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. The following command should return no DaemonSets:\n\n```yaml\nkubectl get daemonsets -n default\n```", - "remediation": "For any Daemonsets running in the default Namespace, update/redeploy the DaemonSets to a non-default Namespace:\n\n```yaml\napiVersion:apps/v1\nkind: DaemonSet\nmetadata:\n name: exampleDaemonSet\n namespace: daemonset-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.daemonset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "KLyth0H7utI=", - "checksum": "E/W4y4NtPMo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. 
This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.daemonset {\n containers { \n probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a livenessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "dgVbNRGkRac=", - "checksum": "03CoL+Q/nGM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-livenessprobe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a livenessProbe", - "docs": { - "desc": "When defining a container, you should specify a livenessProbe.\nThis helps Kubernetes to check whether your container is still healthy and able to serve requests.", - "audit": "Check for the existence of `livenessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n livenessProbe: # \u003c--- Set a livenessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.daemonset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "Y2uuKRHtxkg=", - 
"checksum": "TfQqrhYhCtQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "DaemonSets should not bind to a host port", - "docs": { - "desc": "DaemonSets should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no DaemonSets are binding any of their containers to a host port:\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any DaemonSets that bind to a host port, update the DaemonSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.daemonset {\n containers { \n probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a readinessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "Dc95Gh67umg=", - "checksum": "t8xbWvKTC8o=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-readinessProbe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a readinessProbe", - "docs": { - "desc": "When defining a container, you should specify a readinessProbe.\nThis helps Kubernetes to check whether your container ready to serve requests.", - "audit": "Check for the existence of `readinessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n readinessProbe: # \u003c--- Set a readinessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "ejX9yb0wz34=", - "checksum": "7FLwU6/+NUY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container spec: 
\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.daemonset { \n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "rYda6D81jhA=", - "checksum": "TJwYKPuGuV4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-daemonset-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.deployment {\n namespace != \"default\"\n}\n", - "code_id": 
"qnu0hmzs8jY=", - "checksum": "n4KMdUT3LrQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Deployments should not run in the default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. The following command should return no Deployments:\n\n```yaml\nkubectl get deployments -n default\n```", - "remediation": "For any Deployments running in the default Namespace, update/redeploy the Deployments to a non-default Namespace:\n\n```yaml\napiVersion:apps/v1\nkind: Deployment\nmetadata:\n name: exampleDeployment\n namespace: deployment-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.deployment {\n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "Shrwkl1Hq/U=", - "checksum": "pEx75v/6Wbo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": 
"DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Deployment\nspec:\n ...\n spec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.deployment {\n containers {\n probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a livenessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "EVfpds4Rtzo=", - "checksum": "W1baCPxQ2Uc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-livenessprobe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a livenessProbe", - "docs": { - "desc": "When defining a container, you should specify a livenessProbe.\nThis helps Kubernetes to check whether your container is still healthy and able to serve requests.", - "audit": "Check for the existence of `livenessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n livenessProbe: # \u003c--- Set a livenessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.deployment.podSpec {\n _['containers'] {\n _['name']\n _['ports'] 
== null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "LLYlLinKBas=", - "checksum": "pa5nuHUB+OE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Deployments should not bind to a host port", - "docs": { - "desc": "Deployments should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Deployments are binding any of their containers to a host port:\n\n```kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Deployments that bind to a host port, update the Deployments to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.deployment {\n containers {\n probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a readinessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "j0ZFZtn9EPk=", - "checksum": "TusEsNvr6a0=", 
- "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-readinessProbe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a readinessProbe", - "docs": { - "desc": "When defining a container, you should specify a readinessProbe.\nThis helps Kubernetes to check whether your container ready to serve requests.", - "audit": "Check for the existence of `readinessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n readinessProbe: # \u003c--- Set a readinessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "dtv1FIY9cwQ=", - "checksum": "gkFyAOATutI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container 
spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "AaR6xVFPzE4=", - "checksum": "ybFDp12oxUY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-deployment-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.ingress.tls.all(\n certificates.all(\n expiresIn.days \u003e 15\n 
)\n)\n", - "code_id": "iQe1OTzuRzU=", - "checksum": "zqo1F+U1Dmc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-ingress-cert-expiration", - "type": "\u0004", - "severity": { - "value": 40 - }, - "title": "Ingress certificates less than 15 days from expiration", - "docs": { - "desc": "If Ingress resources have TLS certificate Secrets, update the certificates updated before they expire.", - "audit": "Check to ensure no Ingress Secrets contain TLS certificates near expiration:\n\nDisplay all Ingress resources with TLS Secret data:\n```kubectl get ingress -A -o json | jq -r '.items[] | select(.spec.tls != null) | .metadata.namespace + \"/\" + .metadata.name'```\n\nFor each Ingress resource, check the certificate expiration dates in the Secrets (under `.spec.tls[].secretName`). Ensure that the expiration dates don't expire soon:\n```kubectl get secret --namespace NAMESPACE_OF_INGRESS NAME_OF_SECRET -o json | jq -r '.data[\"tls.crt\"]' | base64 -d | openssl x509 -noout -text | grep \"Not After\"```", - "remediation": "For all Secrets with expired or soon-to-expire certificates, update the Secret data with refreshed certificates." - } - }, - { - "query": "k8s.job {\n namespace != \"default\"\n}\n", - "code_id": "5P0FR5xKY+w=", - "checksum": "dVzyhehRB0Q=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Jobs should not run in the default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. 
The following command should return no Jobs:\n\n```yaml\nkubectl get jobs -n default\n```", - "remediation": "For any Jobs running in the default Namespace, update/redeploy the Jobs (or the parent CronJobs) to a non-default Namespace:\n\n```yaml\napiVersion:batch/v1\nkind: Job\nmetadata:\n name: exampleJob\n namespace: job-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.job { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "uiM7F6uhKCw=", - "checksum": "XAktJNxJM4U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. 
This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.job.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "KV+TOXlw+e8=", - "checksum": "q7edjWoBNU0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Jobs should not bind to a host port", - "docs": { - "desc": "Jobs should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Jobs are binding any of their containers to a host port:\n\n```kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that bind to a host port, update the Jobs to ensure they do not bind to a host port:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "GJ27zjh5rs0=", - "checksum": "S1zEs9fcxdE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set 
CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.job {\n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "Uw+cGjTY+Kk=", - "checksum": "9095iYg4dzU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-job-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.pod {\n namespace != \"default\"\n}\n", - "code_id": "patluZ0PilA=", - "checksum": "vyj/8LYohJA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": 
"Workloads should not run in default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. The following command should return no Pods:\n\n```yaml\nkubectl get pods -n default\n```", - "remediation": "For any Pods running in the default Namespace, update/redeploy the Pods (or the parent Deployment, CronJob, etc) to a non-default Namespace:\n\n```yaml\napiVersion:v1\nkind: Pod\nmetadata:\n name: examplePod\n namespace: pod-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['hostAliases'] == null\n}\n", - "code_id": "3rgRSpd7KAs=", - "checksum": "EAmqG5m2Ot4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. 
This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "if (k8s.pod.manifest['metadata']['ownerReferences'].none(_['kind'] == 'Job')) {\n k8s.pod {\n containers { \n probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a livenessProbe\n probeSpecified == true\n }\n }\n}\n", - "code_id": "ag5f6G+lD70=", - "checksum": "q7Fq5I0bi6I=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-livenessprobe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a livenessProbe", - "docs": { - "desc": "When defining a container, you should specify a livenessProbe.\nThis helps Kubernetes to check whether your container is still healthy and able to serve requests.", - "audit": "Check for the existence of `livenessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n livenessProbe: # \u003c--- Set a livenessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "# @msg Pod ${ _.name } should be managed by an appropriate Kubernetes object (eg 
Deployment, Job, DaemonSet, etc.)\nk8s.pod {\n manifest['metadata']['ownerReferences'] != null \u0026\u0026 manifest['metadata']['ownerReferences'].length \u003e 0\n}\n", - "code_id": "qTmQYm3P3/w=", - "checksum": "rc+pw90e2Ig=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-no-owner", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Pods should have an owner", - "docs": { - "desc": "Pods should be created via a Deployment or other Workload type.\nPods without an owner (ie ReplicaSet, Job, etc.) will not be automatically restarted in the event of a Pod crash or Node failure.", - "audit": "Check for Pods without an owner reference. Any line of output starting with '0' will indicate a Pod that has no owner:\n\n```kubectl get pods -A -o json | jq -r '.items[] | [(.metadata.ownerReferences | length), .metadata.namespace, .metadata.name] | @tsv'```", - "remediation": "For each Pod without an owner, ensure the Pod is owned by an appropriate Kubernetes object (eg Deployment, Job, DaemonSet, etc.) that will manage relaunching the Pod in the event of a failure." - } - }, - { - "query": "k8s.pod.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "Fn+VqVs63gI=", - "checksum": "3CB+j3kFVTw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Pods should not bind to a host port", - "docs": { - "desc": "Pods should not bind to the underlying host port. 
Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Pods are binding any of their containers to a host port:\n\n```kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Pods that bind to a host port, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not bind to a host port:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "if (k8s.pod.manifest['metadata']['ownerReferences'].none(_['kind'] == 'Job')) {\n k8s.pod {\n containers { \n probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a readinessProbe\n probeSpecified == true\n }\n }\n}\n", - "code_id": "z5T7yRSWg6s=", - "checksum": "gX200ASh/bo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-readinessProbe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a readinessProbe", - "docs": { - "desc": "When defining a container, you should specify a readinessProbe.\nThis helps Kubernetes to check whether 
your container ready to serve requests.", - "audit": "Check for the existence of `readinessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n readinessProbe: # \u003c--- Set a readinessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.pod {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "GpvH+Piw/FQ=", - "checksum": "T884qjziHO0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": 
"https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.pod { \n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "leoxs/eRnvo=", - "checksum": "km18P6vByvs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-pod-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.replicaset {\n namespace != \"default\"\n}\n", - "code_id": "0zcKl1wwUTk=", - "checksum": "FRtRLfK7GMk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "ReplicaSets should not run in the default namespace", - "docs": { - "desc": "Workloads 
should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. The following command should return no ReplicaSets:\n\n```yaml\nkubectl get replicasets -n default\n```", - "remediation": "For any ReplicaSets running in the default Namespace, update/redeploy the ReplicaSets (or the parent Deployment) to a non-default Namespace:\n\n```yaml\napiVersion:apps/v1\nkind: ReplicaSet\nmetadata:\n name: exampleReplicaSet\n namespace: replicaset-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.replicaset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "XAqFBX5DDn8=", - "checksum": "q1pWysYFDN4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { - "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. 
This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.replicaset {\n containers { \n probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a livenessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "RoN4oIPQoa4=", - "checksum": "TpPWDbNa98g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-livenessprobe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a livenessProbe", - "docs": { - "desc": "When defining a container, you should specify a livenessProbe.\nThis helps Kubernetes to check whether your container is still healthy and able to serve requests.", - "audit": "Check for the existence of `livenessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n livenessProbe: # \u003c--- Set a livenessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.replicaset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "JHktJglO7qU=", - 
"checksum": "DXcXiuj97Jo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "ReplicaSets should not bind to a host port", - "docs": { - "desc": "ReplicaSets should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no ReplicaSets are binding any of their containers to a host port:\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that bind to a host port, update the ReplicaSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.replicaset {\n containers { \n probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a readinessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "HWnAllevUgU=", - "checksum": "y0wnC+plB3E=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-readinessProbe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a readinessProbe", - "docs": { - "desc": "When defining a container, you should specify a readinessProbe.\nThis helps Kubernetes to check whether your container ready to serve requests.", - "audit": "Check for the existence of `readinessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n readinessProbe: # \u003c--- Set a readinessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "phiYzEQqSdk=", - "checksum": "Onc4bc4k/6w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` in the container spec: 
\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "ygfj4rDFt4s=", - "checksum": "3Q+RuJzG2Nk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-replicaset-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.statefulset {\n namespace != \"default\"\n}\n", - "code_id": 
"d42Y6RB6LJ0=", - "checksum": "SbpiraDq3NM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-default-namespace", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "StatefulSets should not run in the default namespace", - "docs": { - "desc": "Workloads should be organized by Namespace, and the default Namespace shouldn't be used.\nWith separate Namespaces, you can apply fine-grained RBAC permissions, Resource Quotas, and default limits, depending on the workload.\nSpreading workloads across namespaces also allows you to limit the network communication between them with Network Policies.", - "audit": "Check to ensure no workloads are running in the default Namespace. The following command should return no StatefulSets:\n\n```yaml\nkubectl get statefulsets -n default\n```", - "remediation": "For any StatefulSets running in the default Namespace, update/redeploy the StatefulSets to a non-default Namespace:\n\n```yaml\napiVersion:apps/v1\nkind: StatefulSet\nmetadata:\n name: exampleStatefulset\n namespace: statefulset-namespace # \u003c--- Define a namespace for workloads\n```" - }, - "refs": [ - { - "title": "Kubernetes best practices: Organizing with Namespaces", - "url": "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces" - }, - { - "title": "Kubernetes Network Policies", - "url": "https://kubernetes.io/docs/concepts/services-networking/network-policies/" - }, - { - "title": "Kubernetes Limit Ranges", - "url": "https://kubernetes.io/docs/concepts/policy/limit-range/" - } - ] - }, - { - "query": "k8s.statefulset { \n manifest['spec']['template']['spec']['hostAliases'] == null\n}\n", - "code_id": "Fi/Ht1BRb0Y=", - "checksum": "wjfvd0nk1fE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-hostalias", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Pod should not define hostAliases", - "docs": { 
- "desc": "DNS entries shouldn't be managed locally via `/etc/hosts` within Pods. This can result in unintended and/or dangerous outcomes.", - "audit": "Check for the existence of `hostAliases` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostAliases: # \u003c--- Don't set DNS entries using hostAliases\n - ip: \"127.0.0.1\"\n hostnames:\n - \"foo.local\"\n - \"bar.local\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Adding entries to Pod /etc/hosts with HostAliases", - "url": "https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" - } - ] - }, - { - "query": "k8s.statefulset {\n containers { \n probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a livenessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "Zqo0oPz700k=", - "checksum": "l2SKOCY5iHY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-livenessprobe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a livenessProbe", - "docs": { - "desc": "When defining a container, you should specify a livenessProbe.\nThis helps Kubernetes to check whether your container is still healthy and able to serve requests.", - "audit": "Check for the existence of `livenessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n livenessProbe: # \u003c--- Set a livenessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.statefulset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null 
|| _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "lkBu3xh0bJ4=", - "checksum": "qIGdwFqjshk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "StatefulSets should not bind to a host port", - "docs": { - "desc": "StatefulSets should not bind to the underlying host port. Containers that bind to the underlying host's port(s) can be limited regarding where they are scheduled as two containers cannot both bind to the same host port on the same node.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no StatefulSets are binding any of their containers to a host port:\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any StatefulSets that bind to a host port, update the StatefulSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - } - ] - }, - { - "query": "k8s.statefulset {\n containers { \n probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null\n\n # @msg Container ${ _.name } should set a readinessProbe\n probeSpecified == true\n }\n}\n", - "code_id": "aVQmbZ6aR7I=", - "checksum": 
"m8JeKnj0SUE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-readinessProbe", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should configure a readinessProbe", - "docs": { - "desc": "When defining a container, you should specify a readinessProbe.\nThis helps Kubernetes to check whether your container ready to serve requests.", - "audit": "Check for the existence of `readinessProbe`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n readinessProbe: # \u003c--- Set a readinessProbe like this\n tcpSocket:\n port: 8080\n initialDelaySeconds: 5\n periodSeconds: 5\n```" - }, - "refs": [ - { - "title": "Pod Lifecycle - Container probes", - "url": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU requests\n resources['requests']['cpu'] != null\n }\n}\n", - "code_id": "CZN30kqnqX4=", - "checksum": "rHYYzGyf9Pg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-requestcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request CPU", - "docs": { - "desc": "When defining a Pod, you should specify how much CPU a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of CPU `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```", - "remediation": "Define the required resources for CPU `requests` 
in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n cpu: \"250m\" # \u003c-- set CPU requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n containers { \n # @msg Container ${ _.name } should set memory requests\n resources['requests']['memory'] != null\n }\n}\n", - "code_id": "ayOOeelmfjM=", - "checksum": "7LqNwiwqW1I=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-best-practices-statefulset-requestmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should request memory", - "docs": { - "desc": "When defining a Pod, you should specify how much memory a container needs.\nThis helps the Kubernetes scheduler to allocate resources accordingly.\nIt will also ensure the Pod will get the resources it requires.", - "audit": "Check for the existence of memory `requests` resources.\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```", - "remediation": "Define the required resources for memory `requests` in the container spec: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1\n resources:\n requests:\n memory: \"1Gi\" # \u003c-- set memory requests\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "processes.where(executable == /kube-apiserver/).list 
{\n flags[\"anonymous-auth\"] == \"false\"\n}\n", - "code_id": "uZtRCm3fmzk=", - "checksum": "64vmNSuBrp0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-api-server-no-anonymous-auth", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure the kube-apiserver does not allow anonymous authentication.\nWhen allowed, request will have the privileges of the role `system:public-info-viewer`. This might expose data to an attacker.\n", - "docs": { - "desc": "Ensure the kube-apiserver does not allow anonymous authentication.", - "remediation": "Find the kube-apiserver process and check the `--anonymous-auth` argument. If the argument is set to `false`, then the kube-apiserver does not allow anonymous authentication:\n```\nps aux | grep kube-apiserver\n```" - }, - "refs": [ - { - "title": "Anonymous requests", - "url": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "x4/fi1NDtAA=", - "checksum": "uJjQit8UcrI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n 
securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "3FZlqDslCN8=", - "checksum": "j9cT2Z8v9Ew=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "CronJobs should not run with NET_RAW capability", - "docs": { - "desc": "CronJobs should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no CronJobs have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . 
!= null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a CronJob that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | select( .spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.drop | . == null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any CronJobs that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n jobTemplate:\n spec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any CronJobs that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n jobTemplate:\n spec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || 
_['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "yH2pxzz52Is=", - "checksum": "QoLsOrbSyiQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "CronJobs should not run with SYS_ADMIN capability", - "docs": { - "desc": "CronJobs should not run with SYS_ADMIN capability. The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no CronJobs have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any CronJobs that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n jobTemplate:\n spec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "BV9rwmgBzys=", 
- "checksum": "8fbZ+m+GNMc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "1MOBGVNrbx4=", - "checksum": "uBmBRwImeUg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow 
direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "rjzeiibOL+I=", - "checksum": "LcjYnURKsNs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n 
volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "LfsZ1JS3IgE=", - "checksum": "jOc70n7JcPo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "xafCz2KpqRo=", - "checksum": "lcVDWz9tULE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostnetwork", - "type": 
"\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network, including loopback devices. This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.cronjob.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "LOIkyychr4s=", - "checksum": "jGPyy1B8Cl0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "CronJobs should mount any host path volumes as read-only", - "docs": { - "desc": "CronJobs should not mount volumes of type hostPath as read-write. 
Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a CronJob are mounting hostPath volumes as read-write:\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | [.spec.jobTemplate.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.jobTemplate.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any CronJob containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.cronjob {\n podSpec['hostPID'] != true\n}\n", - "code_id": "9M7fgrqlRVw=", - "checksum": "g0Hq45c2C7M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: 
index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "6faQu9PMMvI=", - "checksum": "nB3gok3VHaY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). 
\nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "hkbuz3ueLxw=", - "checksum": "iZME9suOWiI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "Mq7X3D0iXxo=", - "checksum": "XhBEojS6DOo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.cronjob.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "tuaV/gsYljc=", - "checksum": "xvYhuQC24A8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "CronJobs should not bind to a host port", - "docs": { - "desc": "CronJobs should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no CronJobs are binding any of their containers to a host port:\n\n```kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any CronJobs that bind to a host port, update the CronJobs to ensure they do not bind to a host port:\n\n```yaml\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n jobTemplate:\n spec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "xV5yoU2lmTg=", - "checksum": "Zhn9WCvCgdc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container 
spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.cronjob {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "drOD+GtWxPo=", - "checksum": "xQTGgbGaGZY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": 
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "if (k8s.cronjob.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-cronjob-runasnonroot'] != 'ignore') {\n k8s.cronjob {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n }\n}\n", - "code_id": "36aSXb6B+58=", - "checksum": "IQRsHEIoIVQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: 
index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.cronjob {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "YjatRrkFYr4=", - "checksum": "eC60lQOE4Gg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-cronjob-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy 
'.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." 
- } - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "d+7G/ppUo1c=", - "checksum": "11oVI+PkIw4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "RBMU98d/aDQ=", - "checksum": "OWbIQbXigyU=", 
- "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "DaemonSets should not run with NET_RAW capability", - "docs": { - "desc": "DaemonSets should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no DaemonSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a DaemonSet that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | select( .spec.template.spec.containers[].securityContext.capabilities.drop | . 
== null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any DaemonSets that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any DaemonSets that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "8rq7UhLCYWk=", - "checksum": "f8KILpjbM2U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "DaemonSets should not run with SYS_ADMIN capability", - "docs": { - "desc": "DaemonSets should not run with SYS_ADMIN capability. 
The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no DaemonSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any DaemonSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "LNJ2h7a5rsI=", - "checksum": "yH7k7dAPN7s=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged 
containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "qJEWCpm8yB0=", - "checksum": "TmucuaQQeHk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "116BZ6yP5jQ=", - "checksum": "NqghzAKYTW0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "cRnxFlp7KUQ=", - "checksum": "Rp+c5vN/Vlk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "Hz3WBR3DSp0=", - "checksum": "WueeUqsie5M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostnetwork", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network, including loopback devices. 
This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.daemonset.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "SWcZXd2bdsU=", - "checksum": "DHZkF6udnTk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "DaemonSets should mount any host path volumes as read-only", - "docs": { - "desc": "DaemonSets should not mount volumes of type hostPath as read-write. Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a DaemonSet are mounting hostPath volumes as read-write:\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. 
!= null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any DaemonSet containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.daemonset {\n podSpec['hostPID'] != true\n}\n", - "code_id": "5FxN5loqvFo=", - "checksum": "inFCabvYqrk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or 
digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "65N5i+A6vWQ=", - "checksum": "3oz9+nHsqZQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). \nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "UpzG/CTByd8=", - "checksum": 
"MHnG8hzJqRs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "Yx3uiLCI5xo=", - "checksum": "xCC3xOUB4YQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.daemonset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "Y2uuKRHtxkg=", - "checksum": "Yvc+r/NZRgk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "DaemonSets should not bind to a host port", - "docs": { - "desc": "DaemonSets should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no DaemonSets are binding any of their containers to a host port:\n\n```kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any DaemonSets that bind to a host port, update the DaemonSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "5Zk+r1UwK6I=", - "checksum": "6CR1XzELAWM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container 
spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.daemonset {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "kS7cmYDJljw=", - "checksum": "u9SED8j8BV8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": 
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.daemonset {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n}\n", - "code_id": "6ZqoaRRMztY=", - "checksum": "5VedXdiJQpc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for 
all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.daemonset {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "wVFkJn6e/WA=", - "checksum": "uBwFoHGm398=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-daemonset-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy '.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n containers:\n - 
name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." 
- } - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "aOyuYCnbY0A=", - "checksum": "CxpqQCW9D/E=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "0tlXKVO0inE=", - "checksum": 
"3wwn0VVVKtg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Deployments should not run with NET_RAW capability", - "docs": { - "desc": "Deployments should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no Deployments have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a Deployment that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get deployments -A -o json | jq -r '.items[] | select( .spec.template.spec.containers[].securityContext.capabilities.drop | . 
== null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Deployments that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any Deployments that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "cjfRLdMW+I0=", - "checksum": "k4JmmOSveT0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Deployments should not run with SYS_ADMIN capability", - "docs": { - "desc": "Deployments should not run wIt even allows containers not running as root to run certain tasks as if the user was root with SYS_ADMIN capability. 
The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no Deployments have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Deployments that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "wXXU/TLkpwQ=", - "checksum": "c8iEVV5DXeY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create 
privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "5JCXiw1V+nk=", - "checksum": "ey9lDGAO97k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "Ujp+c1vj3C0=", - "checksum": "M9siS8KQns8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "7gtCpEA7Tws=", - "checksum": "U2Dwd2rEgpE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "HxF+FGxUGuA=", - "checksum": "KNK9t92A1qE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostnetwork", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network, including loopback devices. 
This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.deployment.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "KnCsw+lx5VY=", - "checksum": "nlHbUm2t9Hw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Deployments should mount any host path volumes as read-only", - "docs": { - "desc": "Deployments should not mount volumes of type hostPath as read-write. Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a Deployment are mounting hostPath volumes as read-write:\n\n```kubectl get deployments -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. 
!= null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Deployment containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.deployment {\n podSpec['hostPID'] != true\n}\n", - "code_id": "RDpFz3G68KM=", - "checksum": "a1vp6ZTaomU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or 
digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "SA4qnKzxfuI=", - "checksum": "B3jaCILypsk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). \nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.deployment.podSpec[\"containers\"].none( _[\"image\"].contains(\"kubernetes-dashboard\") || _[\"image\"].contains(\"kubernetesui\") )\nk8s.deployment.labels[\"app\"] == null || k8s.pod.labels[\"app\"] != \"kubernetes-dashboard\"\nk8s.deployment.labels[\"k8s-app\"] == null || 
k8s.pod.labels[\"k8s-app\"] != \"kubernetes-dashboard\"\n", - "code_id": "82brXXgpd6g=", - "checksum": "3JLgi6tfCHk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-k8s-dashboard", - "type": "\u0001", - "severity": { - "value": 40 - }, - "title": "Pods should not run Kubernetes dashboard", - "docs": { - "desc": "The Kubernetes dashboard allows browsing through cluster resources such as workloads, configmaps and secrets. In 2019 Tesla was hacked because their Kubernetes dashboard was publicly exposed. This allowed the attackers to extract credentials and deploy Bitcoin miners on the cluster.", - "audit": "Verify there are no deployments running Kubernetes dashboard:\n```kubectl get deployments -A -o=custom-columns=\"NAME:.metadata.name,IMAGE:.spec.template.spec.containers[*].image\"```", - "remediation": "Delete any deployments that are running Kubernetes dashboard." - } - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "jdngA/nLk/I=", - "checksum": "g37CSzuotTo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "Zrpv50cCJs8=", - "checksum": "qjMgRT0vNs4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.deployment.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "LLYlLinKBas=", - "checksum": "qk/17tSQYtw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Deployments should not bind to a host port", - "docs": { - "desc": "Deployments should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Deployments are binding any of their containers to a host port:\n\n```kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Deployments that bind to a host port, update the Deployments to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "ZLUNPQsrUGQ=", - "checksum": "d83JIv2E+7c=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means that the container has the host's capabilities including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container 
spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.deployment {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "VCcvJZY2sw0=", - "checksum": "fRhiwxiQmb4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - 
"url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.deployment {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n}\n", - "code_id": "9s5RLgxaCJE=", - "checksum": "BdQsdYaCV60=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to 
set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.deployment {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "lev49U1gQV4=", - "checksum": "ZuefFhs37Q4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy '.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n 
containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." - } - }, - { - "query": "k8s.deployment.podSpec[\"containers\"].none( _[\"image\"].contains(\"tiller\") )\n", - "code_id": "IYn3HUL6uOg=", - "checksum": "aSaLhjuPwOI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-deployment-tiller", - "type": "\u0004", - "severity": { - "value": 40 - }, - "title": "Deployments should not run Tiller (Helm v2)", - "docs": { - "desc": "Tiller is the in-cluster component for the Helm v2 package manager. It is communicating directly to the Kubernetes API and therefore it has broad RBAC permissions. An attacker can use that to get cluster-wide access.", - "audit": "Verify there are no deployments running Tiller:\n```kubectl get deployments -A -o=custom-columns=\"NAME:.metadata.name,IMAGE:.spec.template.spec.containers[*].image\"```", - "remediation": "Delete any deployments that are running Tiller." 
- } - }, - { - "query": "processes.where(executable == /kube-apiserver/).list {\n flags[\"insecure-port\"] == 0\n}\n", - "code_id": "mD6TTUu2lT4=", - "checksum": "0oy+2M26e3s=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-https-api-server", - "type": "\u0019\u000c", - "severity": { - "value": 70 - }, - "title": "Ensure the kube-apiserver is not listening on an insecure HTTP port", - "docs": { - "desc": "Ensure the kube-apiserver is not listening on an insecure HTTP port.\nOtherwise unencrypted traffic could be intercepted and sensitive data could be leaked.", - "remediation": "Find the kube-apiserver process and check the `insecure-port` argument. If the argument is set to `0`, then the kube-apiserver is not listening on an insecure HTTP port:\n```\nps aux | grep kube-apiserver\n```" - }, - "refs": [ - { - "title": "Controlling Access to the Kubernetes API - Transport security", - "url": "https://kubernetes.io/docs/concepts/security/controlling-access/#transport-security" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "Vj0zrtLiTUA=", - "checksum": "6knzlr8fwPQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: 
images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.job {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "gRpWbM52BmI=", - "checksum": "Q1fkNbMkT3g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Jobs should not run with NET_RAW capability", - "docs": { - "desc": "Jobs should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no Jobs have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . 
!= null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a Job that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get jobs -A -o json | jq -r '.items[] | select( .spec.template.spec.containers[].securityContext.capabilities.drop | . == null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Jobs that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any Jobs that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.job {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": 
"LRF3ZmNCXpY=", - "checksum": "FGHJLuBkEzI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Jobs should not run with SYS_ADMIN capability", - "docs": { - "desc": "Jobs should not run with SYS_ADMIN capability. The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no Jobs have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Jobs that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.job {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "L/CO1xN9CYc=", - "checksum": "9ciwoD1ZwGM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-containerd-socket", - "type": "\u000c", - "severity": { - 
"value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.job {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "t5zIh3g9vU8=", - "checksum": "Ui2/y7wFcFE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create 
containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.job {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "rEdrXagl6eY=", - "checksum": "zjtjdg/3H2Y=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: 
/var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.job {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "ifji6rUSlAA=", - "checksum": "dfVzPWK1jX4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.job {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "DjcrgqVAC3k=", - "checksum": "8empW2YwFcY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostnetwork", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the 
host's network, including loopback devices. This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.job.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "27I19fHTSl0=", - "checksum": "wkU0YwlYKhE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Jobs should mount any host path volumes as read-only", - "docs": { - "desc": "Jobs should not mount volumes of type hostPath as read-write. Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a Job are mounting hostPath volumes as read-write:\n\n```kubectl get jobs -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. 
!= null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Job containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.job {\n podSpec['hostPID'] != true\n}\n", - "code_id": "QjUKdanRL7U=", - "checksum": "y91T14zVK64=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n 
containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "IWXdP5jixSM=", - "checksum": "iyDa5mIlnt4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). \nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "RMdyVwiDgCI=", - "checksum": "Hr/ftm3Gk6U=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "e4uVCWN6uPM=", - "checksum": "aDgRwSoIbJA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.job.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "KV+TOXlw+e8=", - "checksum": "SL0wX1klc9w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Jobs should not bind to a host port", - "docs": { - "desc": "Jobs should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Jobs are binding any of their containers to a host port:\n\n```kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that bind to a host port, update the Jobs to ensure they do not bind to a host port:\n\n```yaml\napiVersion: batch/v1\nkind: Job\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "faKSPFcWiYM=", - "checksum": "MtTu9epyVTA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container spec:\n\n```yaml\n---\napiVersion: v1\nkind: 
Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.job {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "vLbaDhhlh8E=", - "checksum": "aLHacmaBcgA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": 
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "if (k8s.job.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-job-runasnonroot'] != 'ignore') {\n k8s.job {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n }\n}\n", - "code_id": "KdqthdgTGXA=", - "checksum": "Jfol4cfkYC8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: 
index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.job {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "IUHSliAb5UU=", - "checksum": "tLGdr1XC+TU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-job-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy 
'.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." - } - }, - { - "query": "k8s.kubelet.configuration['authentication']['anonymous']['enabled'] == false\n", - "code_id": "AE72Oh0RViU=", - "checksum": "LRl+KsNzhP0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-anonymous-authentication", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Disable anonymous authentication for kubelet", - "docs": { - "desc": "Ensure that the kubelet is configured to disable anonymous requests to the kubelet server.\nOtherwise the kubelet will allow unauthenticated access to its HTTPS endpoint. Request will have the privileges of the role `system:public-info-viewer`. 
This might expose data to an attacker.", - "audit": "If running the kubelet with the CLI parameter '--anonymous-auth', or running with 'authentication.anonymous.enabled' defined in the kubelet configuration file, ensure that the value is set to 'false'.", - "remediation": "Set the '--anonymous-auth' CLI parameter and/or the 'authentication.anonymous.enabled' field in the kubelet configuration file to 'false'." - }, - "refs": [ - { - "title": "Kubelet authentication", - "url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authentication" - } - ] - }, - { - "query": "k8s.kubelet.configuration['authorization']['mode'] != \"AlwaysAllow\"\n", - "code_id": "0s6De37YSrg=", - "checksum": "BdbFGOaOfQQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-authorization-mode", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure the kubelet is not configured with the AlwaysAllow authorization mode", - "docs": { - "desc": "Ensure the kubelet is not configured with the AlwaysAllow authorization mode.\nIt would allow all requests.", - "audit": "If running the kubelet with the CLI parameter '--authorization-mode', or running with 'authorization.mode' defined in the kubelet configuration file, ensure that the value is not set to 'AlwaysAllow'.", - "remediation": "If the kubelet is configured with the CLI parameter '--authorization-mode', set it to something that isn't 'AlwaysAllow' (eg 'Webhook').\n\nIf the kubelet is configured via the kubelet config file with the 'authorization.mode' parameter, set it to something that isn't 'AlwaysAllow' (eg. 'Webhook')." 
- }, - "refs": [ - { - "title": "Kubelet authorization", - "url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization" - } - ] - }, - { - "query": "k8s.kubelet.configuration['eventRecordQPS'] == 0\n", - "code_id": "057itYF8s30=", - "checksum": "PdHx+rcuuJA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-event-record-qps", - "type": "\u0004", - "severity": { - "value": 30 - }, - "title": "Configure kubelet to capture all event creation", - "docs": { - "desc": "Ensure that the kubelet is configured to capture all event creation so as to avoid potentially not logging important events.\nBe aware that this might expose your Cluster to a DoS risk.", - "audit": "If running the kubelet with the CLI parameter '--event-qps', or running with 'eventRecordQPS' defined in the kubelet configuration file, ensure that the value is set to '0'.", - "remediation": "Set the '--event-qps' CLI parameter and/or the 'eventRecordQPS' field in the kubelet configuration file to '0'." 
- }, - "refs": [ - { - "title": "Kubelet configuration", - "url": "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration" - } - ] - }, - { - "query": "k8s.kubelet.configuration['makeIPTablesUtilChains'] == true\n", - "code_id": "nTygCxKGWYo=", - "checksum": "vZiJVTeXhA4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-iptables-util-chains", - "type": "\u0004", - "severity": { - "value": 30 - }, - "title": "Configure kubelet to ensure IPTables rules are set on host", - "docs": { - "desc": "Ensure that the kubelet is set up to create IPTable utility rules for various kubernetes components.", - "audit": "If running the kubelet with the CLI parameter '--make-iptables-util-chains', or running with 'makeIPTablesUtilChains' defined in the kubelet configuration file, ensure that the value is set to 'true'.", - "remediation": "Set the '--make-iptables-util-chains' CLI parameter and/or the 'makeIPTablesUtilChains' field in the kubelet configuration file to 'true'." - }, - "refs": [ - { - "title": "Kubelet configuration", - "url": "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration" - } - ] - }, - { - "query": "k8s.kubelet.configuration[\"protectKernelDefaults\"] == \"true\"\n", - "code_id": "TLjSPuXXtZw=", - "checksum": "N9r9O1sJj/M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-protect-kernel-defaults", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Configure kubelet to protect kernel defaults", - "docs": { - "desc": "Ensure that the kubelet is set up to error if the underlying kernel tunables are different than the kubelet defaults. 
By default the kubelet will attempt to modify the kernel as the kubelet starts up.", - "audit": "If running the kubelet with the CLI parameter '--protect-kernel-defaults', or running with 'protectKernelDefaults' defined in the kubelet configuration file, ensure that the value is set to 'true'.", - "remediation": "Set the '--protect-kernel-defaults' CLI parameter and/or the 'protectKernelDefaults' field in the kubelet configuration file to 'true'." - }, - "refs": [ - { - "title": "Kubelet configuration", - "url": "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration" - } - ] - }, - { - "query": "k8s.kubelet.configuration['readOnlyPort'] == 0 || k8s.kubelet.configuration['readOnlyPort'] == null\n", - "code_id": "6IlKYkJ/8Ic=", - "checksum": "gO0uOPwN2rg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-read-only-port", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Do not allow unauthenticated read-only port on kubelet", - "docs": { - "desc": "Ensure the kubelet is not configured to serve up unauthenticated read-only access.\nThis would expose data to unauthenticated users.", - "audit": "If running the kubelet with the CLI parameter '--read-only-port', or running with 'readOnlyPort' defined in the kubelet configuration file, ensure that the value is either '0' or simply not set ('0' is the default).", - "remediation": "Set the '--read-only-port' CLI parameter or the 'readOnlyPort' field in the kubelet configuration file to '0'." 
- }, - "refs": [ - { - "title": "Kubelet configuration", - "url": "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration" - } - ] - }, - { - "query": "k8s.kubelet.configuration[\"rotateCertificates\"] != \"false\"\n", - "code_id": "Arb6Nv/MxeA=", - "checksum": "CamWHZtSxDM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-rotate-certificates", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Run kubelet with automatic certificate rotation", - "docs": { - "desc": "Ensure the kubelet is running with automatic certificate rotation so that the kubelet will automatically renew certificates with the API server as certificates near expiration.\nOtherwise the communication between the kubelet and the API server will be interrupted.", - "audit": "Check the kubelet CLI parameters to ensure '--rotate-certificates' is not set to false, and that the kubelet config file has not set 'rotateCertificates' to false.", - "remediation": "Depending on where the configuration behavior is defined (CLI parameters override config file values), update the kubelet CLI parameters to set '--rotate-certificates' to true, and/or update the kubelet configuration to set 'rotateCertificates' to true." 
- }, - "refs": [ - { - "title": "Configure Certificate Rotation for the Kubelet", - "url": "https://kubernetes.io/docs/tasks/tls/certificate-rotation/" - } - ] - }, - { - "query": "k8s.kubelet.configuration['tlsCipherSuites'] != null\nif (k8s.kubelet.configuration['tlsCipherSuites'] != null) {\n k8s.kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.allowedCiphers)\n}\n", - "code_id": "sHIyCw+8RoU=", - "checksum": "VnrvLP9BD04=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-strong-ciphers", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Configure kubelet to use only strong cryptography", - "docs": { - "desc": "Ensure the kubelet runs with only strong cryptography support. Weak or old ciphers might expose your data.", - "audit": "If running the kubelet with the CLI parameter '--tls-cipher-suites', or running with 'tlsCipherSuites' defined in the kubelet configuration file, ensure that the list of allowed ciphers is not empty and that all included ciphers are included in the following list:\n\n\"TLS_AES_128_GCM_SHA256\", \"TLS_AES_256_GCM_SHA384\", \"TLS_CHACHA20_POLY1305_SHA256\", \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\", \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\", \"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\",\n\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\", \"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\", \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\n\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\", \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\", \"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\", \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\"TLS_RSA_WITH_AES_128_CBC_SHA\", \"TLS_RSA_WITH_AES_128_GCM_SHA256\", \"TLS_RSA_WITH_AES_256_CBC_SHA\", \"TLS_RSA_WITH_AES_256_GCM_SHA384\"", - "remediation": "Define the list of allowed TLS ciphers to include only items from the strong list of ciphers.\n\nIf 
the kubelet is configured with the CLI parameter '--tls-cipher-suites', update the list (or define the parameter) to only include strong ciphers.\n\nIf the kubelet is configured via the kubelet config file with the 'tlsCipherSuites' parameter, update the list (or create an entry for 'tlsCipherSuites') to only include string ciphers." - }, - "refs": [ - { - "title": "Kubelet configuration", - "url": "https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration" - } - ] - }, - { - "query": "k8s.kubelet.configuration[\"tlsCertFile\"] != null\nk8s.kubelet.configuration[\"tlsPrivateKeyFile\"] != null\n", - "code_id": "B4xylZ2uGbI=", - "checksum": "xMrIcJUyuNA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-kubelet-tls-certificate", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Run kubelet with a user-provided certificate/key", - "docs": { - "desc": "Ensure that the kubelet is not running with self-signed certificates generated by the kubelet itself.", - "audit": "The kubelet CLI parameters override values in the kubelet configuration file.\n\nCheck the kubelet CLI parameters to see whether '--tls-cert-file' and '--tls-private-key' are set to a non-empty path/string.\n\nCheck the kubelet configuration file to see whether 'tlsCertFile' and 'tlsPrivateKeyFile' are set to a non-empty path/string.", - "remediation": "Configure the kubelet to use a user-provided certificate/key pair for serving up HTTPS.\n\nAfter acquiring the TLS certificate/key pair, update the kubelet configuration file\n\nOr if using the deprecated kubelet CLI parameters, update the '--tls-cert-file' and '--tls-private-key-file' parameters to use the new certificate/key." 
- } - }, - { - "query": "k8s.pod {\n ephemeralContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "PPC/DSq/n4E=", - "checksum": "xaOQG7U9nBQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n 
_['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\nk8s.pod {\n podSpec['ephemeralContainers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\nk8s.pod {\n podSpec['initContainers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "iiVrnrB1mL0=", - "checksum": "i8O3p0hmKKA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-capability-net-raw", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Pods should not run with NET_RAW capability", - "docs": { - "desc": "Pods should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no Pods have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a Pod that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. 
List these Pods with:\n\n```kubectl get pods -A -o json | jq -r '.items[] | select( .spec.containers[].securityContext.capabilities.drop | . == null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Pods that explicitly add the NET_RAW or ALL capability, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: examplePod\n namespace: example-namespace\nspec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any Pods that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\nk8s.pod {\n podSpec['initContainers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n 
}\n}\nk8s.pod {\n podSpec['ephemeralContainers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "PtCQXvikwG4=", - "checksum": "IqQ2OnQSSG0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-capability-sys-admin", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Pods should not run with SYS_ADMIN capability", - "docs": { - "desc": "Pods should not run with SYS_ADMIN capability. The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no Pods have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . 
!= null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Pods that explicitly add the SYS_ADMIN or ALL capability, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: examplePod\n namespace: example-namespace\nspec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "2G3IQ8yaRbg=", - "checksum": "SFxrqDMVBvc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: 
images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "3mpuYiqKDGg=", - "checksum": "IycUYnyPQ98=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't 
be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "UEoNiBtcGco=", - "checksum": "KcVgAxI0CyI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "HC9P44Rc0To=", - "checksum": "KadYaMPhMC4=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "ivk7m8oF/XU=", - "checksum": "W1NH3mFnCgk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostnetwork", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network including loopback devices. 
This capability can be used to intercept network traffic including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.pod.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\nk8s.pod.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['initContainers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\nk8s.pod.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['ephemeralContainers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "oY17PG9g/Y0=", - "checksum": "9ZcIyNm6/K4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostpath-readonly", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Pods should mount any host path volumes as read-only", 
- "docs": { - "desc": "Pods should not mount volumes of type hostPath as read-write. Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a Pod are mounting hostPath volumes as read-write:\n\n```kubectl get pods -A -o json | jq -r '.items[] | [.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Pod containers that mount a hostPath volume as read-write, update them (or the Deployment/StatefulSet/etc that created the Pod):\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.pod {\n podSpec['hostPID'] != true\n}\n", - "code_id": "CQrFHGsl/O8=", - "checksum": "p2ERuDJ/KCQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: 
index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.pod {\n ephemeralContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "/OsTzZGIb1s=", - "checksum": "2dhfWmPyDZM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. 
To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA).\nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.pod.podSpec[\"containers\"].none( _[\"image\"].contains(\"kubernetes-dashboard\") || _[\"image\"].contains(\"kubernetesui\") )\nk8s.pod.podSpec[\"initContainers\"].none( _[\"image\"].contains(\"kubernetes-dashboard\") || _[\"image\"].contains(\"kubernetesui\") )\nk8s.pod.podSpec[\"ephemeralContainers\"].none( _[\"image\"].contains(\"kubernetes-dashboard\") || _[\"image\"].contains(\"kubernetesui\") )\nk8s.pod.labels[\"app\"] == null || k8s.pod.labels[\"app\"] != \"kubernetes-dashboard\"\nk8s.pod.labels[\"k8s-app\"] == null || k8s.pod.labels[\"k8s-app\"] != \"kubernetes-dashboard\"\n", - "code_id": "m33JzPXvzmA=", - "checksum": "9neUUqpjFiE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-k8s-dashboard", - "type": "\u0001", - "severity": { - "value": 40 - }, - "title": "Pods should not run Kubernetes dashboard", - "docs": { - "desc": "The Kubernetes dashboard allows browsing through cluster resources such as workloads, configmaps and secrets. 
In 2019 Tesla was hacked because their Kubernetes dashboard was publicly exposed. This allowed the attackers to extract credentials and deploy Bitcoin miners on the cluster.", - "audit": "Verify there are no pods running Kubernetes dashboard:\n```kubectl get pods -A -o=custom-columns=\"NAME:.metadata.name,IMAGE:.spec.template.spec.containers[*].image\"```", - "remediation": "Delete any pods that are running Kubernetes dashboard." - } - }, - { - "query": "k8s.pod {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "boYB7bmYjug=", - "checksum": "aD+qTqf+iJg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes Pod configurations should set CPU limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.pod {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "4V09SePyB88=", - "checksum": "4GBgycHNXrY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.pod.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\nk8s.pod.podSpec {\n _['initContainers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "/ytnPS7QBmk=", - "checksum": "j5wX4qlrCjo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-ports-hostport", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Pods should not bind to a host port", - "docs": { - "desc": "Pods should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no Pods are binding any of their containers to a host port:\n\n```kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any Pods that bind to a host port, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not bind to a host port:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.pod {\n ephemeralContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "+gfLzJbZnLc=", - "checksum": "R9du97JS5Mg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: 
index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.pod {\n ephemeralContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "2lG5gYIrutI=", - "checksum": "fLzLB43ZXdQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the 
`securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "if (k8s.pod.annotations['policies.k8s.mondoo.com/mondoo-kubernetes-security-pod-runasnonroot'] != 'ignore') {\n k8s.pod {\n podSecurityContext=podSpec['securityContext']\n ephemeralContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n }\n}\n", - "code_id": "rONqF87LoTg=", - "checksum": "bKdB2e4e3Xk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - 
name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.pod {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "aEdpcGUJhmU=", - "checksum": "pw4/RKvX938=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only 
valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy '.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." 
- } - }, - { - "query": "k8s.pod.podSpec[\"containers\"].none( _[\"image\"].contains(\"tiller\") )\nk8s.pod.podSpec[\"initContainers\"].none( _[\"image\"].contains(\"tiller\") )\nk8s.pod.podSpec[\"ephemeralContainers\"].none( _[\"image\"].contains(\"tiller\") )\n", - "code_id": "TEywXHqto6s=", - "checksum": "KC7Q10q77lQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-pod-tiller", - "type": "\u0001", - "severity": { - "value": 40 - }, - "title": "Pods should not run Tiller (Helm v2)", - "docs": { - "desc": "Tiller is the in-cluster component for the Helm v2 package manager. It is communicating directly to the Kubernetes API and therefore it has broad RBAC permissions. An attacker can use that to get cluster-wide access.", - "audit": "Verify there are no pods running Tiller:\n```kubectl get pods -A -o=custom-columns=\"NAME:.metadata.name,IMAGE:.spec.template.spec.containers[*].image\"```", - "remediation": "Delete any pods that are running Tiller." - } - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "kk8UPqaVL1I=", - "checksum": "9ihq5KTCPL4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: 
images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "F3ICbGksCQE=", - "checksum": "JoU4tzG1ubE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "ReplicaSets should not run with NET_RAW capability", - "docs": { - "desc": "ReplicaSets should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no ReplicaSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . 
!= null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a ReplicaSet that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | select( .spec.template.spec.containers[].securityContext.capabilities.drop | . == null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any ReplicaSets that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n 
}\n } else {\n true\n }\n }\n}\n", - "code_id": "4ug6N2dRYP0=", - "checksum": "hSUZopho6A4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "ReplicaSets should not run with SYS_ADMIN capability", - "docs": { - "desc": "ReplicaSets should not run with SYS_ADMIN capability. The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no ReplicaSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "rXp7UF17kkw=", - "checksum": "cgwD+1IMbz4=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "8aBQiQZ/Glo=", - "checksum": "w/mKu/UFzZ4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the 
container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "SvhTEKx41V0=", - "checksum": "JYb/g6icIWs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n 
hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "8V6+C4hjBpc=", - "checksum": "IjfmGsCX2zc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "VMvpzfQOOSQ=", - "checksum": "4OvEimvTbik=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostnetwork", - "type": "\u000c", - 
"severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network, including loopback devices. This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.replicaset.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "rfidxzdBgGs=", - "checksum": "SbI8kio27EY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "ReplicaSets should mount any host path volumes as read-only", - "docs": { - "desc": "ReplicaSets should not mount volumes of type hostPath as read-write. 
Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a ReplicaSet are mounting hostPath volumes as read-write:\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSet containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.replicaset {\n podSpec['hostPID'] != true\n}\n", - "code_id": "q1ODOd364vM=", - "checksum": "x4Gil+DFVOs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - 
}, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "ijK0Zjs3vcU=", - "checksum": "GSKuSG1XTGA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). 
\nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "Lyl7IM22omw=", - "checksum": "1C/V34b3tos=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "LKFzUJK/vPo=", - "checksum": "L+XCm6JklF4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.replicaset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "JHktJglO7qU=", - "checksum": "UKlt3GDyiro=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "ReplicaSets should not bind to a host port", - "docs": { - "desc": "ReplicaSets should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no ReplicaSets are binding any of their containers to a host port:\n\n```kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any ReplicaSets that bind to a host port, update the ReplicaSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: ReplicaSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "Dlf2fCiqcuk=", - "checksum": "WJvdJy3V5wU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container 
spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.replicaset {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "/yYTSE2yJU4=", - "checksum": "iz72z/iK6XM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - 
"url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.replicaset {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n}\n", - "code_id": "lyUWIfMPcFY=", - "checksum": "jTnYkTSXCeM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to 
set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.replicaset {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "eW4zUAB8Q4Q=", - "checksum": "Cs486NNgvxo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-replicaset-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy '.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n 
containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." 
- } - }, - { - "query": "if (file(\"/etc/kubernetes/admin.conf\").exists) {\n file(\"/etc/kubernetes/admin.conf\") {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == false\n permissions.group_executable == false\n permissions.other_executable == false\n user.name == \"root\"\n group.name == \"root\"\n }\n}\n", - "code_id": "Fb6BfUYe5Sc=", - "checksum": "ru1WYBgnqGc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-admin-conf", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Set secure file permissions on the admin.conf file", - "docs": { - "desc": "Ensure that the `admin.conf` file has permissions of `600` and is owned by root:root.\nOtherwise unprivileged users might get admin access to the Kubernetes API server.", - "remediation": "Run this command on the Control Plane node:\n\n```\nchmod 600 /etc/kubernetes/admin.conf\nchown root:root /etc/kubernetes/admin.conf\n```" - }, - "refs": [ - { - "title": "Kubernetes Setup", - "url": "https://kubernetes.io/docs/setup/" - } - ] - }, - { - "query": "if (file(\"/etc/kubernetes/controller-manager.conf\").exists) {\n file(\"/etc/kubernetes/controller-manager.conf\") {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == false\n permissions.group_executable == false\n permissions.other_executable == false\n user.name == \"root\"\n group.name == \"root\"\n }\n}\n", - "code_id": "kDlHXVBRH2s=", - "checksum": "ltBY/1IMIf0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-controller-manager_conf", - "type": "\u000c", - "severity": { - "value": 
60 - }, - "title": "Set secure file permissions on the controller-manager.conf file", - "docs": { - "desc": "Ensure that the `controller-manager.conf` file has permissions of `600` and is owned by `root:root`.", - "remediation": "Run this command on the Control Plane node:\n\n```\nchmod 600 /etc/kubernetes/controller-manager.conf\nchown root:root /etc/kubernetes/controller-manager.conf\n```" - } - }, - { - "query": "if (file(\"/var/lib/etcd\").exists) {\n file(\"/var/lib/etcd\") {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == true\n permissions.group_executable == false\n permissions.other_executable == false\n user.name == \"etcd\"\n group.name == \"etcd\"\n }\n} else {\n dir = processes.where( executable == /etcd/ ).list[0].flags[\"data-dir\"]\n file(dir) {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == true\n permissions.group_executable == false\n permissions.other_executable == false\n user.name == \"etcd\"\n group.name == \"etcd\"\n }\n}\n", - "code_id": "F2x5Gu6MgGk=", - "checksum": "rRTJKjLZ8lI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-etcd-data-dir", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Set secure directory permissions on the etcd data directory.\nOtherwise unprivileged users might get access to sensitive data stored in etcd, i.e., Kubernetes Secrets.\n", - "docs": { - "desc": "Ensure that the etcd data directory has permissions of `700` and is owned by `etcd:etcd`.", - "remediation": "On the etcd server node, get the etcd data directory, passed as an argument 
`--data-dir`, from the below command:\n\n```\nps -ef | grep etcd\n```\n\nRun the below command:\n\n```\nchmod 700 /var/lib/etcd\n```" - }, - "refs": [ - { - "title": "Kubernetes Secrets", - "url": "https://kubernetes.io/docs/concepts/configuration/secret/" - } - ] - }, - { - "query": "if (file(\"/etc/kubernetes/manifests/kube-apiserver.yaml\").exists) {\n file(\"/etc/kubernetes/manifests/kube-apiserver.yaml\") {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == false\n permissions.group_executable == false\n permissions.other_executable == false\n user.name == \"root\"\n group.name == \"root\"\n }\n}\n", - "code_id": "hK5TK2HRs38=", - "checksum": "HkFvGSE+/MQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kube-apiserver-yml", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Set secure file permissions on the API server pod specification file", - "docs": { - "desc": "Ensure that the API server pod specification file has permissions of `600` and is owned by `root:root`.\nOtherwise unprivileged users might change it.", - "remediation": "Run this command on the Control Plane node:\n\n```\nchmod 600 /etc/kubernetes/manifests/kube-apiserver.yaml\nchown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n```" - } - }, - { - "query": "k8s.kubelet.configuration['authentication']['x509']['clientCAFile'] != null\nif (k8s.kubelet.configuration['authentication']['x509']['clientCAFile'] != null) {\n cafile = k8s.kubelet.configuration[\"authentication\"][\"x509\"][\"clientCAFile\"]\n file(cafile) {\n user.name == \"root\"\n group.name == \"root\"\n }\n file(cafile).permissions {\n user_readable == true\n user_executable == false\n group_readable == false\n group_writeable == false\n group_executable == false\n 
other_readable == false\n other_writeable == false\n other_executable == false\n }\n}\n", - "code_id": "25ArGe3/6F0=", - "checksum": "3664SCE64aE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kubelet-cert-authorities", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Specify a kubelet certificate authorities file and ensure proper ownership and permissions", - "docs": { - "desc": "Ensure appropriate ownership and permissions for the kubelet's certificate authorities configuration file.", - "audit": "View the ownership and permissions:\n\n```\n$ ls -l /etc/srv/kubernetes/pki/ca-certificates.crt\n-rw------- 1 root root 1159 Sep 13 04:14 /etc/srv/kubernetes/pki/ca-certificates.crt\n```", - "remediation": "Update the ownership and permissions:\n\n```\nchown root:root /etc/srv/kubernetes/pki/ca-certificates.crt\nchmod 600 /etc/srv/kubernetes/pki/ca-certificates.crt\n```" - } - }, - { - "query": "if (k8s.kubelet.configFile != null) {\n if (k8s.kubelet.configFile.exists) {\n k8s.kubelet.configFile {\n user.name == \"root\"\n group.name == \"root\"\n }\n k8s.kubelet.configFile.permissions {\n user_readable == true\n user_executable == false\n group_readable == false\n group_writeable == false\n group_executable == false\n other_readable == false\n other_writeable == false\n other_executable == false\n }\n }\n}\n", - "code_id": "K5vpyQrFdVM=", - "checksum": "Pp2OjrqOnwg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-kubelet-config", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ownership and permissions of kubelet configuration should be restricted", - "docs": { - "desc": "Ensure proper file ownership and read-write-execute permissions for kubelet configuration file.\nOtherwise unprivileged users might get access to sensitive information.", - "audit": "View the kubelet configuration file details:\n\n```\n$ ls -l /etc/kubernetes/kubelet.conf\n-rw-r--r-- 1 root root 1155 
Sep 21 15:03 /etc/kubernetes/kubelet.conf\n```", - "remediation": "Update the ownership and permissions:\n\n```\nchown root:root /etc/kubernetes/kubelet.conf\nchmod 600 /etc/kubernetes/kubelet.conf\n```" - } - }, - { - "query": "if (processes.where(executable == /kube-apiserver/).list[0].flags[\"etcd-certfile\"] != null) {\n clientCAFile = processes.where(executable == /kube-apiserver/).list[0].flags[\"etcd-certfile\"]\n ssldir = file(clientCAFile).dirname\n file(ssldir) {\n user.name == \"root\"\n group.name == \"root\"\n }\n} else {\n file(\"/etc/kubernetes/pki/\") {\n user.name == \"root\"\n group.name == \"root\"\n }\n}\n", - "code_id": "SPMeYcJS3QA=", - "checksum": "AfN4n4jaAsA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-pki-directory", - "type": "\u000c", - "severity": { - "value": 65 - }, - "title": "Ensure that the Kubernetes PKI/SSL directory is owned by root:root", - "docs": { - "desc": "Ensure that the Kubernetes PKI/SSL directory is owned by `root:root`.\nOtherwise unprivileged users could change the PKI/SSL certificates the whole encryption of the cluster relies on.", - "remediation": "Run one of the following commands on the Control Plane node depending on the location of your PKI/SSL directory:\n\n```\nchown -R root:root /etc/kubernetes/pki/\n```\n\nor\n\n```\nchown -R root:root /etc/kubernetes/ssl/\n````" - }, - "refs": [ - { - "title": "PKI certificates and requirements", - "url": "https://kubernetes.io/docs/setup/best-practices/certificates/" - } - ] - }, - { - "query": "if (file(\"/etc/kubernetes/scheduler.conf\").exists) {\n file(\"/etc/kubernetes/scheduler.conf\") {\n permissions.user_writeable == true\n permissions.group_writeable == false\n permissions.other_writeable == false\n permissions.user_readable == true\n permissions.group_readable == false\n permissions.other_readable == false\n permissions.user_executable == false\n permissions.group_executable == false\n permissions.other_executable == false\n 
user.name == \"root\"\n group.name == \"root\"\n }\n}\n", - "code_id": "GyJVAziB/tU=", - "checksum": "41Ky0Yq7NGE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-secure-scheduler_conf", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Set secure file permissions on the scheduler.conf file", - "docs": { - "desc": "Ensure that the `scheduler.conf` file has permissions of `600` and is owned by `root:root`.", - "remediation": "Run this command on the Control Plane node:\n\n```\nchmod 600 /etc/kubernetes/scheduler.conf\nchown root:root /etc/kubernetes/scheduler.conf\n```" - } - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n containers {\n # @msg Container ${ _.name } should set allowPrivilegeEscalation to false\n securityContext['allowPrivilegeEscalation'] != true\n }\n}\n", - "code_id": "NoJoMx4l0fg=", - "checksum": "K1tqaNPkThM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-allowprivilegeescalation", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not allow privilege escalation", - "docs": { - "desc": "Do not allow privilege escalation in containers.\nEven, when the container is not running as root, it could still escalate privileges.", - "audit": "Check for the existence of `allowPrivilegeEscalation: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: true\n```", - "remediation": "Ensure `allowPrivilegeEscalation` is set to `false` or not present in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n securityContext:\n allowPrivilegeEscalation: false\n```" - 
}, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['containers'] {\n _['securityContext']['capabilities'] != null\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"NET_RAW\")\n _['drop'] != null\n _['drop'].any(_.upcase == \"NET_RAW\") || _['drop'].any(_.upcase == \"ALL\")\n }\n }\n}\n", - "code_id": "zwjVs+88qWQ=", - "checksum": "M2BXKjxxPqo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-capability-net-raw", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "StatefulSets should not run with NET_RAW capability", - "docs": { - "desc": "StatefulSets should not run with NET_RAW capability. This allows a process to write raw packets to the network interface which can allow crafting packets like malicious ARP and/or DNS responses.", - "audit": "Check to ensure no StatefulSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW):\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```\n\n\nAdditionally, a StatefulSet that doesn't define a list of capabilities to drop at all, or that has a non-empty drop list that doesn't drop NET_RAW (or the ALL capability which includes NET_RAW) will implicitly run with NET_RAW. List these DaemonSets with:\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | select( .spec.template.spec.containers[].securityContext.capabilities.drop | . 
== null or ( any(.[] ; ascii_upcase | test(\"ALL|NET_RAW\")) | not) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any StatefulSets that explicitly add the NET_RAW or ALL capability, update them to ensure they do not ask for the NET_RAW or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"NET_RAW\" or \"ALL\" in the list of capabilities added\n```\n\nFor any StatefulSets that do not define a list of capabilities to drop or that define a list but do not drop NET_RAW, update them to ensure they drop ALL or NET_RAW:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n drop: [\"NET_RAW\"] # \u003c-- or ensure \"ALL\" in the list of capabilities to drop\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['containers'] {\n if( _['securityContext']['capabilities'] != null ) {\n _['securityContext']['capabilities'] {\n _['add'] == null || _['add'].none(_.upcase == \"ALL\")\n _['add'] == null || _['add'].none(_.upcase == \"SYS_ADMIN\")\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "e/mxFARXDaY=", - "checksum": "PIG7tvfV+kw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-capability-sys-admin", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "StatefulSets should not run with SYS_ADMIN capability", - "docs": { - "desc": "StatefulSets should not run with SYS_ADMIN capability. 
The SYS_ADMIN capability enables a wide range of elevated system calls.\nIt even allows containers not running as root to run certain tasks as if the user was root.", - "audit": "Check to ensure no StatefulSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN):\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test(\"ALL|SYS_ADMIN\")) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any StatefulSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - securityContext:\n capabilities:\n add: [] # \u003c-- ensure no \"SYS_ADMIN\" or \"ALL\" in the list of capabilities added\n```" - }, - "refs": [ - { - "title": "Kubernetes Security Standards: Capabilities", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - }, - { - "title": "Docker default capabilities", - "url": "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/run/containerd/containerd.sock')\n}\n", - "code_id": "M+nf/vKOT84=", - "checksum": "FM6XuhAovvw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-containerd-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the containerd socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create 
privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /run/containerd/containerd.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /run/containerd/containerd.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /run/containerd/containerd.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/crio/crio.sock')\n}\n", - "code_id": "JY63io3b4dI=", - "checksum": "JrHUtnxMVAw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-crio-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the CRI-O socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/crio/crio.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/crio/crio.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/crio/crio.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/crio/crio.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['volumes'] == null || podSpec['volumes'].all(_['hostPath']['path'] != '/var/run/docker.sock')\n}\n", - "code_id": "O5GyYcOIDnw=", - "checksum": "yqRTI4TT22s=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-docker-socket", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not mount the Docker socket", - "docs": { - "desc": "Do not mount the container runtime socket into any container.\nThis would allow direct access to the container runtime without any authentication.\nThis would allow to create privileged containers and to access the host file system.\nOr create containers which would not show up in the Kubernetes API.", - "audit": "Check for the existence of `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: /var/run/docker.sock\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: vol\n```", - "remediation": "Ensure workloads do not have `hostPath.path: /var/run/docker.sock` setting in the `volumes`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n volumes:\n - name: vol\n hostPath:\n - path: 
/var/run/docker.sock # \u003c--- this shouldn't be there\n```" - }, - "refs": [ - { - "title": "Docker security", - "url": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['hostIPC'] != true\n}\n", - "code_id": "pDDcQu0p62k=", - "checksum": "9eLF+ShBMwY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostipc", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostIPC", - "docs": { - "desc": "Enabling `hostIPC` gives containers access to the host's IPC namespace and breaks container isolation.", - "audit": "Check for the existence of `hostIPC: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostIPC` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostIPC: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['hostNetwork'] != true\n}\n", - "code_id": "cSaF0fzoxEE=", - "checksum": "kA1n9prBYv4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostnetwork", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostNetwork", - "docs": { - "desc": "Running pods with the `hostNetwork` namespace gives containers access to the host's network, including loopback devices. 
This capability can be used to intercept network traffic, including the traffic of other pods.", - "audit": "Check for the existence of `hostNetwork: true` setting in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostNetwork` is set to `false` or not present in `spec`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n hostNetwork: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.statefulset.podSpec {\n hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name'])\n _['containers'] {\n _['name']\n if( _['volumeMounts'] != null ) {\n _['volumeMounts'] {\n n = _['name']\n if( hostPathVolumes.contains(n) ) {\n _['readOnly'] == true\n } else {\n true\n }\n }\n } else {\n true\n }\n }\n}\n", - "code_id": "5xbGT7HHrmQ=", - "checksum": "QJ7VN3FDjPE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostpath-readonly", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "StatefulSets should mount any host path volumes as read-only", - "docs": { - "desc": "StatefulSets should not mount volumes of type hostPath as read-write. Containers should not be granted the ability to mutate the underlying host they are running on.\nThis can even lead to container escapes.", - "audit": "Check to ensure no containers in a StatefulSet are mounting hostPath volumes as read-write:\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. 
!= null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any StatefulSet containers that mount a hostPath volume as read-write, update them:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - volumeMounts:\n - mountPath: /host\n name: hostpath-volume\n readOnly: true # \u003c-- ensure readOnly is set to true\n volumes:\n - hostPath:\n path: /etc\n name: hostpath-volume\n```" - } - }, - { - "query": "k8s.statefulset {\n podSpec['hostPID'] != true\n}\n", - "code_id": "K7bEiQ93y/8=", - "checksum": "0HX6lOULLRo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-hostpid", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Pod should not run with hostPID", - "docs": { - "desc": "Running pods with the `hostPID` namespace gives containers access to the host's process ID namespace and can be used to escalate privileges outside a container.", - "audit": "Check for the existence of `hostPID: true` setting in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: true\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `hostPID` is set to `false` or not present in `spec`:\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n hostPID: false\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Host namespaces", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag 
or digest\n correctImage == true\n }\n containers {\n # @msg Container ${ _.name } should set imagePullPolicy to Always\n imagePullPolicy == 'Always'\n\n correctImage = image != /:latest/ \u0026\u0026 image.contains(':') == true\n\n # @msg Container ${ _.name } should set an image tag or digest\n correctImage == true\n }\n}\n", - "code_id": "1i//Ieh8t4Q=", - "checksum": "mF7Ndd6FpYw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-imagepull", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Container image pull should be consistent", - "docs": { - "desc": "It's important that each time a pod is started the same container is pulled, so that services across pods behave the same. To ensure the same container is always used, manifests should set `imagePullPolicy: Always` and the `image` configuration should pull either a tag or a digest (SHA). \nAvoid using rolling tags like `latest` or `master` as they can change over time.", - "audit": "Check for the existence of `imagePullPolicy: Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```", - "remediation": "Ensure `imagePullPolicy` is set to `Always` and ensure `image` uses either a tag or a digest (SHA):\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n imagePullPolicy: Always\n```" - }, - "refs": [ - { - "title": "Image pull policy", - "url": "https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n containers {\n # @msg Container ${ _.name } should set CPU limits\n resources['limits']['cpu'] != null\n }\n}\n", - "code_id": "SigdAkeaJ7g=", - "checksum": 
"csC7Hi+L7RA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-limitcpu", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a CPU limit", - "docs": { - "desc": "Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of CPU resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```", - "remediation": "Define the required resources for CPU `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n cpu: \"500m\"\n```" - }, - "refs": [ - { - "title": "Resource Management for Pods and Containers", - "url": "https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n containers {\n # @msg Container ${ _.name } should set memory limits\n resources['limits']['memory'] != null\n }\n}\n", - "code_id": "M/DXTnMIckg=", - "checksum": "ozlKOOmriuA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-limitmemory", - "type": "\u000c", - "severity": { - "value": 20 - }, - "title": "Container should have a memory limit", - "docs": { - "desc": "Kubernetes pod configurations should set memory limits for containers defined in the manifest. 
This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack.", - "audit": "Check for the existence of memory resources in `limits`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```", - "remediation": "Define the required resources for memory `limits` in the manifest: \n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: app\n image: images.my-company.example/app:v1.2.3\n resources:\n limits:\n memory: \"1Gi\"\n```" - } - }, - { - "query": "k8s.statefulset.podSpec {\n _['containers'] {\n _['name']\n _['ports'] == null || _['ports'].all(_['hostPort'] == null)\n }\n}\n", - "code_id": "lkBu3xh0bJ4=", - "checksum": "Ubw/dH8HrKg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-ports-hostport", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "StatefulSets should not bind to a host port", - "docs": { - "desc": "StatefulSets should not bind to the underlying host port. This allows bypassing certain network access control systems.\nHost ports also expose the Container outside the Kubernetes cluster, which might not be intended.", - "audit": "Check to ensure no StatefulSets are binding any of their containers to a host port:\n\n```kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . 
!= null) ) ) | .metadata.namespace + \"/\" + .metadata.name' | uniq```", - "remediation": "For any StatefulSets that bind to a host port, update the StatefulSets to ensure they do not bind to a host port:\n\n```yaml\napiVersion: apps/v1\nkind: StatefulSet\nmetadata:\n name: example\n namespace: example-namespace\nspec:\n template:\n spec:\n containers:\n - ports:\n - containerPort: 80 # \u003c-- ensure no 'hostPort' is defined in any entries of the port configurations\n name: http\n protocol: TCP\n - containerPort: 443\n name: https\n protocol: TCP\n```" - }, - "refs": [ - { - "title": "Kubernetes Configuration Best Practices: hostPort", - "url": "https://kubernetes.io/docs/concepts/configuration/overview/#services" - }, - { - "title": "Kubernetes Security Standards: Host Ports", - "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n containers {\n # @msg Container ${ _.name } should not set `privileged` to `true`\n securityContext['privileged'] != true\n }\n}\n", - "code_id": "39D2g6HYgE0=", - "checksum": "SDdrSSX3y4c=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-privilegedcontainer", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as a privileged container", - "docs": { - "desc": "Running a privileged container means the container has the host's capabilities, including access to all devices and the host's network.", - "audit": "Check for the existence of `privileged: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: true\n```", - "remediation": "Remove the `privileged` setting from the container 
spec:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```\n\nOr explicitly set `privileged` to `false`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n privileged: false\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.statefulset {\n initContainers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n containers {\n # @msg Container ${ _.name } should set readOnlyRootFilesystem to true\n securityContext['readOnlyRootFilesystem'] == true\n }\n}\n", - "code_id": "KbvCXtG4Yjc=", - "checksum": "Q5vA6uE+ndo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-readonlyrootfilesystem", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Container should use an immutable root filesystem", - "docs": { - "desc": "Running a container with an immutable (read-only) file system prevents the modification of running containers.", - "audit": "Check for the existence of `readOnlyRootFilesystem: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```", - "remediation": "Ensure `readOnlyRootFilesystem` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n readOnlyRootFilesystem: true\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - 
"url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" - } - ] - }, - { - "query": "k8s.statefulset {\n podSecurityContext=podSpec['securityContext']\n initContainers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n containers {\n a = podSecurityContext['runAsNonRoot'] == true \u0026\u0026 securityContext['runAsNonRoot'] == null\n res = securityContext['runAsNonRoot'] == true || a\n # @msg Container ${ _.name } should set runAsNonRoot to true\n res == true\n }\n}\n", - "code_id": "xI1O1O8GUbA=", - "checksum": "uOkTaJmOiFA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-runasnonroot", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Container should not run as root", - "docs": { - "desc": "Set the `runAsNonRoot: true` `securityContext` to ensure containers do not run as the root user.\nWhen containers run as the `root` user, they have the same privileges as `root` on the host system.", - "audit": "Check for the existence of `runAsNonRoot: true` setting in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```", - "remediation": "Ensure `runAsNonRoot` is set to `true` in the `securityContext`:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n securityContext:\n runAsNonRoot: true\n```\n\nIt is also possible to 
set it for all containers at the Pod level:\n\n```yaml\n---\napiVersion: v1\nkind: Pod\nspec:\n securityContext:\n runAsNonRoot: true\n containers:\n - name: container-name\n image: index.docker.io/yournamespace/repository\n```" - }, - "refs": [ - { - "title": "Configure a Security Context for a Pod or Container", - "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core" - } - ] - }, - { - "query": "k8s.statefulset {\n podSpec['serviceAccount'] == null || podSpec['serviceAccount'] == podSpec['serviceAccountName']\n podSpec['serviceAccountName'] != '' || podSpec['automountServiceAccountToken'] == false\n podSpec['serviceAccountName'] != 'default' || podSpec['automountServiceAccountToken'] == false\n}\n", - "code_id": "AXWKuFjAuAc=", - "checksum": "1BZlTXd5FAo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-kubernetes-security-statefulset-serviceaccount", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Pod should not run with the default service account", - "docs": { - "desc": "Pods that interact with the Kubernetes API using a ServiceAccount should use specific ServiceAccounts.\nThese ServiceAccounts should only have the permissions necessary.\nThe Pods should not use the default ServiceAccount (named 'default') that is included in every Namespace.\nThe only valid use for the default ServiceAccount is for Pods that set '.spec.automountServiceAccountToken' to 'false'.\nIn this case, the Pod explicitly asks for no ServiceAccount to be mounted into the Pod's filesystem, and the Pod is therefore a ServiceAccount-less Pod.\nWhen every Pods uses the default ServiceAccount and the ServiceAccount's privileges get extended, all Pods get these permissions.\nWhen a Pod is compromised, the attacker has access to the API using the default ServiceAccount.", - "audit": "Check that Pods do not set the legacy '.spec.serviceAccount':\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccount: some-account\n 
containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nCheck that Pods do not set the '.spec.serviceAccountName' to the empty string (which is interpreted as 'default'), or to 'default'.\n\n```yaml\napiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: \"\"\n containers:\n - name: example-app\n image: index.docker.io/yournamespace/repository\n```\n\nEven when the deprecated field '.spec.serviceAccount' is not specified, it will get populated by Kubernetes inside the cluster when a manifest is applied.\nBecause of that, we also need to check for the field.", - "remediation": "Create a ServiceAccount specifically for the Pod with only the permissions it needs when interacting with the Kubernetes API. Update the Pod's '.spec.serviceAccountName' to the name of the ServiceAccount created for the Pod.\n\nOr if the Pod doesn't interact with the Kubernetes API, set the Pod's `.spec.automountServiceAccountToken` field to false so that no ServiceAccount is available to the Pod." - } - }, - { - "query": "package(\"xserver-xorg\").installed == false\n", - "code_id": "f3DZtMTsQJc=", - "checksum": "JcUE8fQdDIM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security--window-system-is-not-installed", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure X Window System is not installed", - "docs": { - "desc": "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows to run programs and various add-ons. 
The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.", - "remediation": "Run the following command to remove the X Windows System packages:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nyum remove xorg-x11*\n```\n\n### Debian/Ubuntu and derivatives\n```\napt-get remove xserver-xorg\n```" - } - }, - { - "query": "pam.conf.entries[\"/etc/pam.d/su\"].where(pamType == \"auth\" \u0026\u0026 module == \"pam_wheel.so\").any(options.contains(\"use_uid\"))\nif( groups.where( name == \"wheel\" ).list != [] ) {\n groups.where( name == \"wheel\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n} else {\n groups.where( name == \"sudo\" ).list { members {\n name\n name == props.MondooSudoGroup\n }\n }\n}\n# To assert a specific user list, you can use a query like:\n# groups.where( name == \"wheel\" ).list { members{ name == /ec2-user|root/} }\n# where the list of users is pipe separated like \"ec2-user|root\"\n", - "code_id": "Ieziwg178sw=", - "checksum": "DW2bIIr6yDE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-access-to-the-su-command-is-restricted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure access to the su command is restricted", - "docs": { - "desc": "The `su` command allows a user to run a command or shell as another user. Typically, the `su` command can be executed by any user, which is a security concern. 
Users should instead rely on the`sudo` command, which allows for more granular control over privileged access.", - "audit": "Run the following command and verify output includes matching line:\n\n```\n# grep pam_wheel.so /etc/pam.d/su\nauth required pam_wheel.so use_uid\n```\n\nRun the following command and verify users in wheel group match site policy:\n\n```\n# grep wheel /etc/group\nwheel:x:10:root,\u003cuser list\u003e\n```", - "remediation": "Add the following line to the `/etc/pam.d/su` file:\n\n```\nauth required pam_wheel.so use_uid\n```\n\nIf users need su access, add their username to the comma-separated list of users in the `wheel` group within the `/etc/group` file:\n\n```\nwheel:x:10:root,\u003cuser list\u003e\n```\nNOTE: The users allowed in the wheel group are defined in the properties `props.MondooSudoGroup` field of this policy. By default the users \"root\", \"ec2-user\", \"centos\" and \"ubuntu\" are included. To include custom users you need to manually modify this policy. 
Otherwise the check will fail.\n\nIf you want to lock down the use of the command `su` entirely instead, you need to create an empty group, for example `sugroup`:\n\n```\ngroupadd sugroup\n```\n\nThen add the following line to the `/etc/pam.d/su` file:\n\n```\nauth required pam_wheel.so use_uid group=sugroup\n```" - } - }, - { - "query": "kernel.parameters[\"kernel.randomize_va_space\"] == 2\n", - "code_id": "dVk74tk32xs=", - "checksum": "YFMlPH7DzDg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-address-space-layout-randomization-aslr-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure address space layout randomization (ASLR) is enabled", - "docs": { - "desc": "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.", - "remediation": "Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nkernel.randomize_va_space = 2\n```\n\nRun the following command to set the active kernel parameter:\n\n```\nsysctl -w kernel.randomize_va_space=2\n```" - } - }, - { - "query": "package(\"aide\").installed\n", - "code_id": "vVtLCflAlII=", - "checksum": "/LnZVxxoPBc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-aide-is-installed", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure Advanced Intrusion Detection Environment (AIDE) is installed", - "docs": { - "desc": "Advanced Intrusion Detection Environment (AIDE) takes a snapshot of the filesystem state, including modification times, permissions, and file hashes. 
Administrators can then use this to compare against the current state of the filesystem to detect modifications to the system.", - "remediation": "Run the following command to install `aide` :\n\n# RHEL/Fedora/Amazon Linux and derivatives\n```\nyum install aide\n```\n\n# Ubuntu\n```\napt-get install aide\n```\n\n# Debian\n```\napt install aide\n```\n\n# SLES and openSUSE\n```\nzypper install aide\n```\n\nConfigure AIDE as appropriate for your environment. Consult the AIDE documentation for options.\n\nInitialize AIDE:\n\n```\naide --init\n\nmv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file\"] != \"\"\n}\n", - "code_id": "SCin1z5hBLk=", - "checksum": "5LNPoOemFzU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-audit-log-storage-size-is-configured", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure audit log storage size is configured", - "docs": { - "desc": "Configure the maximum size of the audit log file. 
Once the log reaches the maximum size, it will be rotated and a new log file will be started.", - "remediation": "Set the following parameter in `/etc/audit/auditd.conf`\nin accordance with site policy:\n\n```\nmax_log_file = \u003cMB\u003e\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\").params[\"max_log_file_action\"].downcase == \"keep_logs\"\n}\n", - "code_id": "H74IPb4kjoI=", - "checksum": "S0XdlJpbg+4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-audit-logs-are-not-automatically-deleted", - "type": "\u0001", - "severity": { - "value": 70 - }, - "title": "Ensure audit logs are not automatically deleted", - "docs": { - "desc": "The `max_log_file_action`\nsetting determines how to handle the audit log file reaching the max file size. A value of `keep_logs`\nwill rotate the logs but never delete old logs.", - "remediation": "Set the following parameter in `/etc/audit/auditd.conf:`\n\n```\nmax_log_file_action = keep_logs\n```" - } - }, - { - "query": "package(\"audit\").installed || package(\"auditd\").installed \u0026\u0026 package(\"audispd-plugins\").installed || package(\"audit\").installed \u0026\u0026 package(\"audit-libs\").installed\n", - "code_id": "Xnlsv+4Z/DI=", - "checksum": "iE8+DYhTeBo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-auditd-is-installed", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure auditd is installed", - "docs": { - "desc": "auditd is the user space component to the Linux Auditing System. 
It's responsible for writing audit records to the disk", - "remediation": "Run the following command to install auditd with dnf\n\n```\ndnf install audit audit-libs\n```\n\nRun the following command to install auditd with apt\n\n```\napt install auditd audispd-plugins\n```" - } - }, - { - "query": "service(\"auditd\").enabled\n", - "code_id": "cYHRR9+gDKI=", - "checksum": "Yw4+Jo7KX+c=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-auditd-service-is-enabled", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure auditd service is enabled", - "docs": { - "desc": "Turn on the `auditd`\ndaemon to record system events.", - "remediation": "Run the following command to enable `auditd`\n:\n\n```\nsystemctl --now enable auditd\n```" - } - }, - { - "query": "if( file(\"/boot/grub2/grub.cfg\" ).exists) {\n file(\"/boot/grub2/grub.cfg\").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\\s+)?\\=(\\s+)?1/)\n}\nif( file(\"/boot/grub/grub.cfg\").exists ) {\n file(\"/boot/grub/grub.cfg\").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\\s+)?\\=(\\s+)?1/)\n}\nif( file(\"/boot/grub/grub.conf\").exists ) {\n file(\"/boot/grub/grub.conf\").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\\s+)?\\=(\\s+)?1/)\n}\nif( file('/etc/secboot/config.json').exists ) {\n parse.json('/etc/secboot/config.json').params['kernel-params'] == /audit(\\s+)?\\=(\\s+)?1/\n}\n", - "code_id": "yg5FfNUmza0=", - "checksum": "yxRHQWSUNF4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-auditing-for-processes-that-start-prior-to-auditd-is-enabled", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure auditing for processes that start prior to auditd is enabled", - "docs": { - "desc": "Configure `grub2`\nso that processes that are capable of being audited can be audited even if they start up prior to `auditd`\nstartup.", - "remediation": "Edit `/etc/default/grub` and add `audit=1`\nto 
`GRUB_CMDLINE_LINUX`:\n\n```\nGRUB_CMDLINE_LINUX=\"audit=1\"\n```\n\nRun the following command to update the `grub2`\nconfiguration:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nsudo grub2-mkconfig -o /boot/grub2/grub.cfg\n```\n**Note:**\nThe path looks different for UEFI systems.\n\n### Debian/Ubuntu and derivatives\n```\nsudo update-grub\n```" - } - }, - { - "query": "service(\"avahi-daemon\").enabled == false\nservice(\"avahi-daemon\").running == false\n", - "code_id": "3QL3VcmScCM=", - "checksum": "iMIafeecI5A=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-avahi-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure Avahi server is stopped and not enabled", - "docs": { - "desc": "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.", - "remediation": "Run the following command to stop and disable `avahi-daemon` :\n\n```\nsystemctl stop avahi-daemon\nsystemctl disable avahi-daemon\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.icmp_ignore_bogus_error_responses'] == 1\n", - "code_id": "H2ZH2J+F/yo=", - "checksum": "vYzz+TN+U5w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-bogus-icmp-responses-are-ignored", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure bogus ICMP responses are ignored", - "docs": { - "desc": "Setting `icmp_ignore_bogus_error_responses` to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages.", - "remediation": "Set the following parameter 
in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.icmp_echo_ignore_broadcasts'] == 1\n", - "code_id": "7wuHGnsUApE=", - "checksum": "Sr6yIPZtzXQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-broadcast-icmp-requests-are-ignored", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure broadcast ICMP requests are ignored", - "docs": { - "desc": "Setting `net.ipv4.icmp_echo_ignore_broadcasts` to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sudoers\\.d\\s+\\-p\\s+wa\\s+\\-k\\s+scope(\\s+)?$/)\n}\n", - "code_id": "eWpIdiIAryk=", - "checksum": "6VUktvh0r6U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-changes-to-system-administration-scope-sudoers-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure changes to system administration scope (sudoers) is collected", - "docs": { - "desc": "Monitor scope changes for system administrators. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the `sudo`\ncommand to execute privileged commands, it is possible to monitor changes in scope. The file `/etc/sudoers`\nwill be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-scope.rules`\n\nAdd the following lines:\n\n```\n-w /etc/sudoers -p wa -k scope\n\n-w /etc/sudoers.d -p wa -k scope\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file(\"/etc/security/limits.conf\").content.lines.where( _ == /^[^#]/ ).where( _.contains(\"core\") ) {\n _ == /\\*\\s+hard\\s+core\\s+0/\n}\nkernel.parameters['fs.suid_dumpable'] == 0\nif(service(\"coredump\").enabled || service(\"coredump\").running) {\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['ProcessSizeMax'] == 0\n parse.ini(\"/etc/systemd/coredump.conf\").sections['Coredump']['Storage'] == 'none'\n}\n", - "code_id": "Gjj6ZTcWK1M=", - "checksum": "NHr8toqB3yY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-core-dumps-are-restricted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure core dumps are restricted", - "docs": { - "desc": "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. 
The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.", - "remediation": "Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/\\*` file:\n\n```\n* hard core 0\n```\n\nSet the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nfs.suid_dumpable = 0\n```\n\nRun the following command to set the active kernel parameter:\n\n```\nsysctl -w fs.suid_dumpable=0\n```\n\nIf systemd-coredump is installed:\n\nedit `/etc/systemd/coredump.conf` and add/modify the following lines:\n\n```\nStorage=none\nProcessSizeMax=0\n```\n\nRun the command:\n\n```\nsystemctl daemon-reload\n```" - } - }, - { - "query": "service(\"cups\").enabled == false\nservice(\"cups\").running == false\n", - "code_id": "MCCspWdD2Vk=", - "checksum": "zhJS7k1i42g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-cups-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure CUPS is stopped and not enabled", - "docs": { - "desc": "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.", - "remediation": "Run the following command to stop and disable `cups` :\n\n```\nsystemctl stop cups\nsystemctl disable cups\n```\n\n**Impact:**\n\nDisabling CUPS will prevent printing from the system, a common task for workstation systems." 
- } - }, - { - "query": "users.where( name == \"root\" ).list { gid == 0 }\n", - "code_id": "JIe+57K3g/w=", - "checksum": "9UaHTXTMoMM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-default-group-for-the-root-account-is-gid-0", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure default group for the root account is GID 0", - "docs": { - "desc": "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.", - "remediation": "Run the following command to set the `root` user default group to GID `0` :\n\n```\nusermod -g 0 root\n```" - } - }, - { - "query": "service(\"dhcpd\").enabled == false\nservice(\"dhcpd\").running == false\n", - "code_id": "pG8C4AikOeo=", - "checksum": "1WZ1M6C6jPw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-dhcp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure DHCP server is stopped and not enabled", - "docs": { - "desc": "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.", - "remediation": "Run the following command to stop and disable `dhcpd` :\n\n```\nsystemctl stop dhcpd\nsystemctl disable dhcpd\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\s+\\-S\\s+fchmod\\s+\\-S\\s+fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chmod\\,fchmod\\,fchmodat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+chown\\,fchown\\,lchown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+chown\\s+\\-S\\s+fchown\\s+\\-S\\s+fchownat\\s+\\-S\\s+lchown\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+lchown\\,fchown\\,chown\\,fchownat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\s+\\-S\\s+lsetxattr\\s+\\-S\\s+fsetxattr\\s+\\-S\\s+removexattr\\s+\\-S\\s+lremovexattr\\s+\\-S\\s+fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+perm\\_mod/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+setxattr\\,lsetxattr\\,fsetxattr\\,removexattr\\,lremovexattr\\,fremovexattr\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=perm\\_mod/)\n}\n", - "code_id": "MfV32r62IQE=", - "checksum": "35ei3kL6p+U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-discretionary-access-control-permission-modification-events-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure discretionary access control permission modification events are collected", - "docs": { - "desc": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. \nThe `chmod`, `fchmod` and `fchmodat` system calls affect the permissions associated with a file. The `chown`, `fchown`, `fchownat` and `lchown`\nsystem calls affect owner and group attributes on a file. The `setxattr`, `lsetxattr`, `fsetxattr` (set extended file attributes) and `removexattr`, \n`lremovexattr`, `fremovexattr` (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written \nfor non-system user ids (auid \u003e= 1000) and will ignore Daemon events (auid = 4294967295). 
All audit records will be tagged with the identifier \"perm_mod.\"\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-perm_mod.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-perm_mod.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F 
auid\u003e=1000 -F auid!=4294967295 -k perm_mod\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "service(\"named\").enabled == false\nservice(\"named\").running == false\n", - "code_id": "v4D2MQ0juoo=", - "checksum": "A96uuGBtsig=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-dns-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure DNS server is stopped and not enabled", - "docs": { - "desc": "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.", - "remediation": "Run the following command to stop and disable `named` :\n\n```\nsystemctl stop named\nsystemctl disable named\n```" - } - }, - { - "query": "users.list { name gid != null }\n", - "code_id": "uzWGcrUQbCU=", - "checksum": "EIG8QhZouMY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-each-user-member-of-a-group", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure each user is a member of a group", - "docs": { - "desc": "Each user MUST be a member of at least one group.", - "remediation": "Based on the results of the query output, add the user to a primary group.\n\nRun the following command to set the primary group of a user:\n\n```\nusermod -G \u003cprimary group\u003e\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+adjtimex\\,settimeofday\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+adjtimex\\s+\\-S\\s+settimeofday\\s+\\-S\\s+stime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n ||file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+stime\\,settimeofday\\,adjtimex\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-k\\s+time\\-change(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+clock\\_settime\\s+\\-F\\s+key\\=time\\-change(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/localtime\\s+\\-p\\s+wa\\s+\\-k\\s+time\\-change/)\n}\n", - "code_id": "I/fSLFpoIJA=", - "checksum": "M8S+qxfba5U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-date-and-time-information-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify date and time information are collected", - "docs": { - "desc": "Capture events where the system date 
and/or time has been modified. The parameters in this section are set to determine if the `adjtimex`\n(tune kernel clock), `settimeofday`\n(Set time, using timeval and timezone structures) `stime`\n(using seconds since 1/1/1970) or `clock_settime`\n(allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the `/var/log/audit.log`\nfile upon exit, tagging the records with the identifier \"time-change\"", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`_\n\nExample: `vi /etc/audit/rules.d/50-time_change.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n\n-w /etc/localtime -p wa -k time-change\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-time_change.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n\n-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n\n-w /etc/localtime -p wa -k time-change\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/selinux\\/\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/apparmor\\/\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/usr\\/share\\/selinux\\/\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/apparmor.d\\/\\s+\\-p\\s+\\wa\\s+\\-k\\s+MAC\\-policy(\\s+)?$/)\n}\n", - "code_id": "i/xNLuGKN/s=", - "checksum": "lwLtNomryOg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-the-systems-mandatory-access-controls-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify the system's Mandatory Access Controls are collected", - "docs": { - "desc": "Monitor SELinux/AppArmor mandatory access controls. 
The parameters below monitor any write access (potential additional, \ndeletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-MAC_policy.rules`\n\nAdd the following lines, for SELinux:\n\n```\n-w /etc/selinux/ -p wa -k MAC-policy\n\n-w /usr/share/selinux/ -p wa -k MAC-policy\n```\n\nAdd the following lines, for AppArmor:\n\n```\n-w /etc/apparmor/ -p wa -k MAC-policy\n\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+sethostname\\s+\\-S\\s+setdomainname\\s+\\-k\\s+system\\-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+sethostname\\,setdomainname\\s+\\-F\\s+key\\=system\\-locale(\\s+)?$/)\n 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/issue\\.net\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/hosts\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/sysconfig\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/netctl\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/network\\s+\\-p\\s+wa\\s+\\-k\\s+system-locale(\\s+)?$/)\n}\n", - "code_id": "3JYJkYI8d0U=", - "checksum": "72unqI8FkUI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify the system's network environment are collected", - "docs": { - "desc": "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) \nor setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the `/etc/issue`\nand `/etc/issue.net` files (messages displayed pre-login), `/etc/hosts` (file containing host names and associated IP addresses) and `/etc/sysconfig/network`\n(directory containing network interface scripts and configurations) files.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-system_local.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n\n-w /etc/issue -p wa -k system-locale\n\n-w /etc/issue.net -p wa -k system-locale\n\n-w /etc/hosts -p wa -k system-locale\n```\n\nAdd the following line on Red Hat based systems:\n\n```\n-w /etc/sysconfig/network -p wa -k system-locale\n```\n\nAdd the following line for Debian/Ubuntu based systems:\n\n```\n-w /etc/network -p wa -k system-locale\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-system_local.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n\n-w /etc/issue -p wa -k system-locale\n\n-w /etc/issue.net -p wa -k system-locale\n\n-w /etc/hosts -p wa -k system-locale\n```\n\nAdd the following line for Red Hat based systems:\n\n```\n-w /etc/sysconfig/network -p wa -k system-locale\n```\n\nAdd the following line for Debian/Ubuntu based systems:\n\n```\n-w /etc/network -p wa -k system-locale\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot 
required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/group\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/passwd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/gshadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/shadow\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/etc\\/security\\/opasswd\\s+\\-p\\s+wa\\s+\\-k\\s+identity/)\n}\n", - "code_id": "IQ/r00/mLRg=", - "checksum": "CquEAXjWPH4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-events-that-modify-usergroup-information-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure events that modify user/group information are collected", - "docs": { - "desc": "Record events affecting the `group`, `passwd` (user IDs), `shadow` and `gshadow` (passwords) or `/etc/security/opasswd`\n(old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch \nthe files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier \"identity\" in the audit log file.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-identity.rules`\n\nAdd the following lines:\n\n```\n-w /etc/group -p wa -k identity\n\n-w /etc/passwd -p wa -k identity\n\n-w /etc/gshadow -p wa -k identity\n\n-w /etc/shadow -p wa -k identity\n\n-w /etc/security/opasswd -p wa -k identity\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+rename\\,unlink\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n file('/etc/audit/audit.rules').content.lines.where( _ == /^[^#]/ ).contains(/\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\s+\\-S\\s+unlinkat\\s+\\-S\\s+rename\\s+\\-S\\s+renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+delete/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+unlink\\,rename\\,unlinkat\\,renameat\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=delete/)\n}\n", - "code_id": "9kZGL9b/izQ=", - "checksum": "y5jW13wtgM4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-file-deletion-events-by-users-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure file deletion events by users are collected", - "docs": { - "desc": "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the `unlink`\n(remove a file), `unlinkat` (remove a file attribute), `rename` (rename a file) and `renameat` (rename a file attribute) system calls and tags them with the identifier \"delete\".\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-deletion.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid\u003e=1000 -F auid!=4294967295 -k delete\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-deletion.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid\u003e=1000 -F auid!=4294967295 -k delete\n\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat 
-F auid\u003e=1000 -F auid!=4294967295 -k delete\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide --check\") || command(\"crontab -u root -l | grep aide\").stdout.contains(\"aide.conf --check\") || service('aidecheck').enabled || parse.ini(\"/etc/default/aide\").params[\"CRON_DAILY_RUN\"] == \"yes\"\n", - "code_id": "8xqHW7YCDEw=", - "checksum": "XCJqHbwS+o8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-filesystem-integrity-is-regularly-checked", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure filesystem integrity is regularly checked", - "docs": { - "desc": "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.", - "remediation": "_If cron will be used to schedule and run aide check_\n\nRun the following command:\n\n```\ncrontab -u root -e\n```\n\nAdd the following line to the crontab:\n\n```\n0 5 * * * /usr/sbin/aide --check\n```\n\n_OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:_\n\nCreate or edit the file `/etc/systemd/system/aidecheck.service` and add the following lines:\n\n```\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n```\n\nCreate or edit the file `/etc/systemd/system/aidecheck.timer` and add the following lines:\n\n```\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n```\n\nRun the following 
commands:\n\n```\nchown root:root /etc/systemd/system/aidecheck.*\nchmod 0644 /etc/systemd/system/aidecheck.*\n\nsystemctl daemon-reload\n\nsystemctl enable aidecheck.service\nsystemctl --now enable aidecheck.timer\n```" - } - }, - { - "query": "service(\"vsftpd\").enabled == false\nservice(\"vsftpd\").running == false\n", - "code_id": "jqO4q2mBu9M=", - "checksum": "2d5SJ6V5YOQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ftp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure FTP server is stopped and not enabled", - "docs": { - "desc": "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.", - "remediation": "Run the following command to stop and disable `vsftpd` :\n\n```\nsystemctl stop vsftpd\nsystemctl disable vsftpd\n```" - } - }, - { - "query": "users.list { name group != null }\n", - "code_id": "XbnrBNXgCwA=", - "checksum": "8yTaJP6tVs8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-gid-in-passwd-exists-in-group", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure all GIDs in /etc/passwd exist in /etc/group", - "docs": { - "desc": "Every GID mentioned in the /etc/passwd file must be defined in the /etc/group file.", - "remediation": "Based on the results of the query output, correct the GIDs in `/etc/passwd` and `/etc/group`." 
- } - }, - { - "query": "service(\"squid\").enabled == false\nservice(\"squid\").running == false\nservice(\"tinyproxy\").enabled == false\nservice(\"tinyproxy\").running == false\n", - "code_id": "f5q/EiRn95Q=", - "checksum": "HQr1TG8HOcU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-http-proxy-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure HTTP Proxy server is stopped and not enabled", - "docs": { - "desc": "Squid and Tinyproxy are HTTP proxy servers used to proxy and potentially anonymize HTTP traffic through other hosts.", - "remediation": "Run the following command to stop and disable `squid` and `tinyproxy`:\n\n```\nsystemctl stop squid\nsystemctl stop tinyproxy\n\nsystemctl disable squid\nsystemctl disable tinyproxy\n```" - } - }, - { - "query": "service(\"httpd\").enabled == false\nservice(\"httpd\").running == false\nservice(\"apache2\").enabled == false\nservice(\"apache2\").running == false\nservice(\"nginx\").enabled == false\nservice(\"nginx\").running == false\n", - "code_id": "gxsrJvn0Hag=", - "checksum": "39eXW1VB+hA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-http-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure HTTP servers are stopped and not enabled", - "docs": { - "desc": "HTTP or web servers provide the ability to host web site content.", - "remediation": "Run the following commands to stop and disable web servers:\n\n```\nsystemctl stop httpd\nsystemctl disable httpd\n\nsystemctl stop apache2\nsystemctl disable apache2\n\nsystemctl stop nginx\nsystemctl disable nginx\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_redirects'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_redirects'] == 0\n", - "code_id": "rZN1LNm5r7E=", - "checksum": 
"rD7d716XlKY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-icmp-redirects-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure ICMP redirects are not accepted", - "docs": { - "desc": "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting `net.ipv4.conf.all.accept_redirects` and `net.ipv6.conf.all.accept_redirects` to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.accept_redirects = 0\n\nnet.ipv4.conf.default.accept_redirects = 0\n\nnet.ipv6.conf.all.accept_redirects = 0\n\nnet.ipv6.conf.default.accept_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.accept_redirects=0\n\nsysctl -w net.ipv4.conf.default.accept_redirects=0\n\nsysctl -w net.ipv6.conf.all.accept_redirects=0\n\nsysctl -w net.ipv6.conf.default.accept_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "service(\"dovecot\").enabled == false\nservice(\"dovecot\").running == false\n", - "code_id": "IlhV0oVPhJk=", - "checksum": "s/dv+Q7ezx4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-imap-and-pop3-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure IMAP and POP3 server is stopped and not enabled", - "docs": { - "desc": "`dovecot` is an open source IMAP and POP3 server for Linux based systems.", - "remediation": "Run the following command to stop and disable `dovecot` :\n\n```\nsystemctl stop dovecot\nsystemctl disable dovecot\n```" - } - }, - { - 
"query": "kernel.parameters['net.ipv4.ip_forward'] == 0\nkernel.parameters['net.ipv6.conf.all.forwarding'] == 0\n", - "code_id": "Ty2iKIfHjno=", - "checksum": "bKr7LhMskGM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ip-forwarding-is-disabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure IP forwarding is disabled", - "docs": { - "desc": "The `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` flags are used to tell the system whether it can forward packets or not.", - "remediation": "Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.ip_forward = 0\n\nnet.ipv6.conf.all.forwarding = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.ip_forward=0\n\nsysctl -w net.ipv6.conf.all.forwarding=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "kernel.parameters['net.ipv6.conf.all.accept_ra'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_ra'] == 0\n", - "code_id": "9Frfyu3HqwY=", - "checksum": "RquOHBiTXr4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ipv6-router-advertisements-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure IPv6 router advertisements are not accepted", - "docs": { - "desc": "This setting disables the system's ability to accept IPv6 router advertisements.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv6.conf.all.accept_ra = 0\n\nnet.ipv6.conf.default.accept_ra = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv6.conf.all.accept_ra=0\n\nsysctl -w net.ipv6.conf.default.accept_ra=0\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n 
parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Compress\"] == \"yes\"\n}\n", - "code_id": "rDqQzgrxmug=", - "checksum": "yJGuneK8w/Y=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-compress-large-log-files", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure journald is configured to compress large log files", - "docs": { - "desc": "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nCompress=yes\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"ForwardToSyslog\"] == \"yes\"\n}\n", - "code_id": "LxiiosuqdEw=", - "checksum": "oIe1z1mdgoM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-send-logs-to-rsyslog", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure journald is configured to send logs to rsyslog", - "docs": { - "desc": "Data from journald may be stored in volatile memory or persisted locally on the server. 
Utilities exist to accept remote export of journald logs, \nhowever, use of the rsyslog service provides a consistent means of log collection and export.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nForwardToSyslog=yes\n```" - } - }, - { - "query": "if (file(\"/etc/systemd/journald.conf\").exists) {\n parse.ini(\"/etc/systemd/journald.conf\").sections[\"Journal\"][\"Storage\"] == \"persistent\"\n}\n", - "code_id": "5q5EG7AkY6k=", - "checksum": "I/+2qo/AaCQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-journald-is-configured-to-write-logfiles-to-persistent-disk", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure journald is configured to write logfiles to persistent disk", - "docs": { - "desc": "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. Persisting logs to a local disk on the server protects logs loss.", - "remediation": "Edit the `/etc/systemd/journald.conf` file and add the following line:\n\n```\nStorage=persistent\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/insmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/rmmod\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/sbin\\/modprobe\\s+\\-p\\s+x\\s+\\-k\\s+modules/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\s+\\-S\\s+delete\\_module\\s+\\-k\\s+modules/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+init\\_module\\,delete\\_module\\s+\\-F\\s+key\\=modules/)\n}\n", - "code_id": "HhVqF0tMxvA=", - "checksum": "3QzAFBoiQYE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-kernel-module-loading-and-unloading-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure kernel module loading and unloading is collected", - "docs": { - "desc": "Monitor the loading and unloading of kernel modules. The programs `insmod`\n(install a kernel module), `rmmod`\n(remove a kernel module), and `modprobe`\n(a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The `init_module`\n(load a module) and `delete_module`\n(delete a module) system calls control loading and unloading of modules. 
Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\".", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-modules.rules`\n\nAdd the following lines:\n\n```\n-w /sbin/insmod -p x -k modules\n\n-w /sbin/rmmod -p x -k modules\n\n-w /sbin/modprobe -p x -k modules\n\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-modules.rules`\n\nAdd the following lines:\n\n```\n-w /sbin/insmod -p x -k modules\n\n-w /sbin/rmmod -p x -k modules\n\n-w /sbin/modprobe -p x -k modules\n\n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "service(\"slapd\").enabled == false\nservice(\"slapd\").running == false\n", - "code_id": "QTN+NYX439o=", - "checksum": "VXpQoY093rg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ldap-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure LDAP server is stopped and not enabled", - "docs": { - "desc": "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. 
It is a service that provides a method for looking up information from a central database.", - "remediation": "Run the following command to stop and disable `slapd` :\n\n```\nsystemctl stop slapd\nsystemctl disable slapd\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n if( platform.family.contains('debian') ) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/faillog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n } else {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/faillock\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n }\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/lastlog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\nfile('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/tallylog\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "code_id": "sbKG4w+lkaA=", - "checksum": "KvmspKQo7t8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-login-and-logout-events-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure login and logout events are collected", - "docs": { - "desc": "Monitor login and logout events. 
The parameters below track changes to files associated with login/logout events.\n\n- The file `/var/log/lastlog` maintain records of the last time a user successfully logged in.\n- The `/var/run/faillog/` directory maintains records of login failures via the `pam_faillog` module.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-logins.rules`\n\nAdd the following lines:\n\n```\n-w /var/log/lastlog -p wa -k logins\n\n-w /var/log/tallylog -p wa -k logins\n```\n\n### Add the following additional line for Debian/Ubuntu based systems:\n\n```\n-w /var/log/faillog -p wa -k logins\n```\n\n### Add the following additional line for Red Hat/Fedora/Amazon Linux based systems:\n\n```\n-w /var/run/faillock -p wa -k logins\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "if( package(\"postfix\").installed ) {\n parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"localhost\" || parse.ini(\"/etc/postfix/main.cf\").params[\"inet_interfaces\"] == \"loopback-only\"\n}\nif( package(\"exim4\").installed ) {\n parse.ini(\"/etc/exim4/update-exim4.conf.conf\").params[\"dc_local_interfaces\"] == \"'127.0.0.1 ; ::1'\"\n}\nports.listening.all( port != 25 )\n", - "code_id": "Gd2uJdxkqko=", - "checksum": "DbtviXCRbxY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-mail-transfer-agent-is-configured-for-local-only-mode", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure mail transfer agent is configured for local-only mode", - "docs": { - "desc": "Mail Transfer Agents 
(MTA), such as Sendmail and Postfix, listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.", - "remediation": "Edit `/etc/postfix/main.cf` and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below:\n\n```\ninet_interfaces = loopback-only\n```\n\nRestart postfix:\n\n```\nsystemctl restart postfix\n```" - } - }, - { - "query": "service(\"nfs\").enabled == false\nservice(\"nfs\").running == false\nservice(\"rpcbind\").enabled == false\nservice(\"rpcbind\").running == false\n", - "code_id": "HKo0vfMZsRE=", - "checksum": "T59Ew7hcdHw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-nfs-and-rpc-are-not-enabled", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure NFS and RPC are stopped and not enabled", - "docs": { - "desc": "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.", - "remediation": "Run the following commands to stop and disable `nfs`, `nfs-server`, and `rpcbind`:\n\n```\nsystemctl stop nfs\nsystemctl stop rpcbind\n\nsystemctl disable nfs\nsystemctl disable rpcbind\n```" - } - }, - { - "query": "service(\"ypserv\").enabled == false\nservice(\"ypserv\").running == false\n", - "code_id": "Au17Pta3l0A=", - "checksum": "OAT4tUsPIWY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-nis-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure NIS server is stopped and not enabled", - "docs": { - "desc": "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. 
The NIS server is a collection of programs that allow for the distribution of configuration files.", - "remediation": "Run the following command to stop and disable `ypserv` :\n\n```\nsystemctl stop ypserv\nsystemctl disable ypserv\n```" - } - }, - { - "query": "groups.list.duplicates(gid).none()\n", - "code_id": "gu8eYJ6C7Ag=", - "checksum": "wzNASkgN1uM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-gids-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate GIDs exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `groupadd` program does not let you create a duplicate group ID (GID), but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated GID entry.", - "remediation": "Based on the results of the query output, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to." - } - }, - { - "query": "groups.list.duplicates(name).none()\n", - "code_id": "fSgcywHks9g=", - "checksum": "tEM5KoIUmNU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-group-names-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate group names exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. 
Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `groupadd` program does not let you create a duplicate group name, but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated group name entry.", - "remediation": "Based on the results of the query output, establish unique names for the user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs.\n\nRun the following command to set the new group name:\n\n```\ngroupmod -n \u003cnew group name\u003e \u003cold groupname\u003e\n```" - } - }, - { - "query": "users.list.duplicates(uid).none()\n", - "code_id": "Ps0zOyqhecE=", - "checksum": "yuxLaREruYE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-uids-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate UIDs exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. 
In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `useradd` program does not let you create duplicate user IDs (UID), but for an administrator it is possible to manually edit the `/etc/passwd` and create a duplicate UID entry.", - "remediation": "Based on the results of the query output, establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to.\n\nRun the following command to set the new UID of a user:\n\n```\nusermod -u \u003cnew uid\u003e \u003cuser\u003e\n```" - } - }, - { - "query": "users.list.duplicates(name).none()\n", - "code_id": "VrgV5/9So/8=", - "checksum": "ncjyJAP5Vzk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-no-duplicate-user-names-exist", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure no duplicate user names exist", - "docs": { - "desc": "Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. 
In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.\n\nThe `useradd` program does not let you create a duplicate user name, but for an administrator it is possible to manually edit the `/etc/passwd` file and create a duplicated username entry.", - "remediation": "Based on the results of the query output, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.\n\nRun the following command to set the new user name:\n\n```\nusermod -l \u003cnew login-name\u003e \u003cold username\u003e\n```" - } - }, - { - "query": "sshd.config.ciphers != null\nsshd.config.ciphers.containsOnly(props.MondooSshdCiphers)\n", - "code_id": "kIc0/kMdiMQ=", - "checksum": "sjXIw0Cy574=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-ciphers-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure only strong ciphers are used", - "docs": { - "desc": "This variable limits the ciphers that SSH can use during communication.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `Ciphers` parameter so that it contains a comma-separated list of the site approved ciphers\n\nExample:\n\n```\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n```" - } - }, - { - "query": "sshd.config.kexs != null\nsshd.config.kexs.containsOnly(props.MondooKexAlgos)\n", - "code_id": "Lnr8+OPIpwc=", - "checksum": "Ve0D7iK08Sc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-kex-algorithms-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure that strong Key Exchange algorithms are used", - "docs": 
{ - "desc": "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `KexAlgorithms` parameter so that it contains a comma-separated list of the site approved key exchange algorithms\n\nopenssh-server version 6.x or 7.x:\n\n```\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nopenssh-server version 8.0 to 8.5:\n\n```\nKexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nopenssh-server version 8.6 to 9:\n\n```\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n```\n\nNOTE:\nTo quickly find out what openssh-server version you are using, run this command:\n\n```bash\ncnquery run -c \"package('openssh-server').version\"\n```" - } - }, - { - "query": "sshd.config.macs != null\nsshd.config.macs.containsOnly(props.MondooMacAlgos)\n", - "code_id": "O2I4BuM7B9w=", - "checksum": "NAediAhFyzQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-only-strong-mac-algorithms-are-used", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure only strong MAC algorithms are used", - "docs": { - "desc": "This variable limits the types of MAC algorithms that SSH can use during communication.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to add or modify the `MACs` parameter so that it contains a comma-separated list of the site approved MACs\n\nExample:\n\n```\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.send_redirects'] == 
0\nkernel.parameters['net.ipv4.conf.default.send_redirects'] == 0\n", - "code_id": "n9dXQh6Dchs=", - "checksum": "fY3DBxwrWww=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-packet-redirect-sending-is-disabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure packet redirect sending is disabled", - "docs": { - "desc": "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host-only configuration), there is no need to send redirects.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.send_redirects = 0\n\nnet.ipv4.conf.default.send_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.send_redirects=0\n\nsysctl -w net.ipv4.conf.default.send_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "files.find(from: \"/var/log\", type: \"file\").list {\n # @msg Please adjust file permissions for ${ basename } in folder ${ dirname }\n path\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "FbII7up+bkQ=", - "checksum": "+5ClpOqzTrU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-all-logfiles-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure secure permissions on all log files are set", - "docs": { - "desc": "Log files stored in /var/log/ contain logged information from many services on the system. 
If the host is a log aggregation server, these logs may collect sensitive data from large numbers of systems in your environment.", - "remediation": "Run the following commands to set permissions on all existing log files:\n\n```\nfind /var/log/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx \"{}\" +\n```\n\n_Note: The configuration for your logging software or services may need to also be modified for any logs that had incorrect permissions, otherwise, the permissions may be reverted to the incorrect permissions_\n\n_rsyslog.conf_\n\n```\nvi /etc/rsyslog.conf\n..\n$FileCreateMode 0640\n$umask 0077\n```\n\nConfiguration for creation, deletion and cleaning of volatile and temporary files:\n\n```\nvi /usr/lib/tmpfiles.d/var.conf\n..\nf /var/log/faillog 0640 root root -\nf /var/log/wtmp 0640 root utmp -\nf /var/log/btmp 0640 root utmp -\nf /var/log/lastlog 0640 root utmp -\n```" - } - }, - { - "query": "if (file(\"/etc/group-\").exists) {\n file(\"/etc/group-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Kd0nC0U7dfs=", - "checksum": "MhNV6gPNOlA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgroup--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/group- are set", - "docs": { - "desc": "The `/etc/group-` file contains a backup list of all the valid groups defined in the system. 
Only the root user should have read and write permissions on this file so that group names an user membership is not available to non-administrative users on the system.", - "remediation": "Run the following command to set permissions on `/etc/group-` :\n\n```\nchown root:root /etc/group-\n\nchmod 600 /etc/group-\n```" - } - }, - { - "query": "file(\"/etc/group\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "m7DAOFbL9Qg=", - "checksum": "+RksEyaMhks=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgroup-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/group are set", - "docs": { - "desc": "The `/etc/group` file contains a list of all the valid groups defined in the system. This file should have read/write access for root and read access for all other users to prevent non-administrative users from modifying groups.", - "remediation": "Run the following command to set permissions on `/etc/group` :\n\n```\nchown root:root /etc/group\n\nchmod 644 /etc/group\n```" - } - }, - { - "query": "if (file(\"/etc/gshadow-\").exists) {\n file(\"/etc/gshadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "vdDFAY9Qxko=", - "checksum": "F9Y1CUSnrHk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgshadow--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/gshadow- are set", - "docs": { - "desc": "The `/etc/gshadow-` file is used to store backup information about groups that is critical to 
the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following commands to set permissions on `/etc/gshadow-` :\n\n```\nchown root:root /etc/gshadow-\n\nchmod 640 /etc/gshadow-\n```" - } - }, - { - "query": "if (file(\"/etc/gshadow\").exists) {\n file(\"/etc/gshadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "FrdMe+1q6Bc=", - "checksum": "BcwsMm7SD5M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcgshadow-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/gshadow are set", - "docs": { - "desc": "The `/etc/gshadow` file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following chown to set permissions on `/etc/gshadow` :\n\n```\nchown root:root /etc/gshadow\n\nchmod 640 /etc/gshadow\n```" - } - }, - { - "query": "if (file(\"/etc/passwd-\").exists) {\n file(\"/etc/passwd-\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Gjm+13rDf3o=", - "checksum": "JG3FrQJ2KCs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcpasswd--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/passwd- are set", - "docs": { - "desc": "The `/etc/passwd-` file contains backup user account information.", - "remediation": "Run 
the following command to set permissions on `/etc/passwd-` :\n\n```\nchown root:root /etc/passwd-\n\nchmod 600 /etc/passwd-\n```" - } - }, - { - "query": "file(\"/etc/passwd\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "OFWIXTzBv00=", - "checksum": "bv52R+PWz8k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcpasswd-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/passwd are set", - "docs": { - "desc": "The `/etc/passwd` file contains user account information used by many system utilities and therefore must be readable for these utilities to operate.", - "remediation": "Run the following command to set permissions on `/etc/passwd`:\n\n```\nchown root:root /etc/passwd\n\nchmod 644 /etc/passwd\n```" - } - }, - { - "query": "if (file(\"/etc/shadow-\").exists) {\n file(\"/etc/shadow-\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "Xs984txmLXk=", - "checksum": "LMEk+P4u6pE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcshadow--are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/shadow- are set", - "docs": { - "desc": "The `/etc/shadow-` file is used to store backup information about user accounts, such as the hashed password and other security information. 
Only the root user should have read and write permissions on this file so that sensitive user information is not available to non-administrative users on the system.", - "remediation": "Run the following commands to set permissions on `/etc/shadow-`:\n\n```\nchown root:root /etc/shadow-\n\nchmod 640 /etc/shadow-\n```" - } - }, - { - "query": "if (file(\"/etc/shadow\").exists) {\n file(\"/etc/shadow\") {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n }\n}\n", - "code_id": "htUqKZYa860=", - "checksum": "IP1Rz2hPzb0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcshadow-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/shadow are set", - "docs": { - "desc": "The `/etc/shadow` file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.", - "remediation": "Run the following commands to set permissions on `/etc/shadow` :\n\n```\nchown root:root /etc/shadow\n\nchmod 640 /etc/shadow\n```" - } - }, - { - "query": "file(\"/etc/ssh/sshd_config\") {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "r8nmUDlrGVc=", - "checksum": "uItyeL+mzwA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-etcsshsshd-config-are-configured", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on /etc/ssh/sshd_config are set", - "docs": { - "desc": "The `/etc/ssh/sshd_config` file 
contains configuration specifications for `sshd`. The command below sets the owner and group of the file to root.", - "remediation": "Run the following commands to set ownership and permissions on `/etc/ssh/sshd_config`:\n\n```\nchown root:root /etc/ssh/sshd_config\n\nchmod og-rwx /etc/ssh/sshd_config\n```" - } - }, - { - "query": "files.\nfind(from: \"/etc/ssh\", type: \"file\").\nwhere(path == /ssh_host_.*key$/).list {\n permissions.user_executable == false\n permissions.group_readable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_readable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "x7jUqDgSbuM=", - "checksum": "AADpnJtnuu8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-ssh-private-host-key-files-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure secure permissions on SSH private host key files are set", - "docs": { - "desc": "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key corresponding to a public key can authenticate successfully. 
The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.", - "remediation": "Run the following commands to set ownership and permissions on the private SSH host key files\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \\;\n```\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \\;\n```" - } - }, - { - "query": "files.\nfind(from: \"/etc/ssh\", type: \"file\").\nwhere(path == /ssh_host_.*key.pub$/).list {\n permissions.user_executable == false\n permissions.group_writeable == false\n permissions.group_executable == false\n permissions.other_writeable == false\n permissions.other_executable == false\n}\n", - "code_id": "mQG2kdC1CYg=", - "checksum": "4IAaXAyskX8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-permissions-on-ssh-public-host-key-files-are-configured", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure secure permissions on SSH public host key files are set", - "docs": { - "desc": "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. 
Only a public key corresponding to a private key can authenticate successfully.", - "remediation": "Run the following commands to set permissions and ownership on the SSH host public key files\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \\;\n```\n\n```\nfind /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;\n```" - } - }, - { - "query": "package(\"prelink\").installed == false\n", - "code_id": "aS95c8UVV00=", - "checksum": "usMgLS7fZr8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-prelink-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure prelink is disabled", - "docs": { - "desc": "The `prelink` command changes binaries in an attempt to decrease their startup time. Prelinking can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.", - "remediation": "Run the following commands to restore binaries to normal and uninstall `prelink`:\n\n### RHEL/Fedora/Amazon Linux and derivatives\n```\nprelink -ua\n\nyum remove prelink\n```\n\n### Ubuntu/Debian\n```\nprelink -ua\n\napt-get remove prelink\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.rp_filter'] == 1\nkernel.parameters['net.ipv4.conf.default.rp_filter'] == 1\n", - "code_id": "THw+yxDZOpw=", - "checksum": "QrCyWDckd2k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-reverse-path-filtering-is-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure Reverse Path Filtering is enabled", - "docs": { - "desc": "Setting `net.ipv4.conf.all.rp_filter`and `net.ipv4.conf.default.rp_filter` to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. 
Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if `log_martians` is set).", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.rp_filter = 1\n\nnet.ipv4.conf.default.rp_filter = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.rp_filter=1\n\nsysctl -w net.ipv4.conf.default.rp_filter=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "groups.where( name == \"root\").list { members.length == 0 }\n", - "code_id": "N0L20kz+NNw=", - "checksum": "lkYcBb/kwoo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-root-group-is-empty", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure root group is empty", - "docs": { - "desc": "The root group allows system programs or defined users the ability to read and write configurations and files on the system. No users should be assigned to the root group.", - "remediation": "Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with root as their primary group, except the root user." 
- } - }, - { - "query": "service(\"rsh.socket\").enabled == false\nservice(\"rlogin.socket\").enabled == false\nservice(\"rexec.socket\").enabled == false\nservice(\"rsh.socket\").running == false\nservice(\"rlogin.socket\").running == false\nservice(\"rexec.socket\").running == false\n", - "code_id": "lSnkpvWD+i0=", - "checksum": "/mO5VUuPGhA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-rsh-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure rsh server is stopped and not enabled", - "docs": { - "desc": "The Berkeley `rsh-server` ( `rsh` , `rlogin` , `rexec` ) package contains legacy services that exchange credentials in clear-text.", - "remediation": "Run the following commands to stop and disable `rsh` , `rlogin` , and `rexec` :\n\n```\nsystemctl stop rsh.socket\nsystemctl stop rlogin.socket\nsystemctl stop rexec.socket\n\nsystemctl disable rsh.socket\nsystemctl disable rlogin.socket\nsystemctl disable rexec.socket\n```" - } - }, - { - "query": "service(\"rsyncd\").enabled == false\nservice(\"rsyncd\").running == false\n", - "code_id": "NoJQoV63siE=", - "checksum": "59FCyhP4+Iw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-rsync-service-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure rsync service is stopped and not enabled", - "docs": { - "desc": "The `rsyncd` service can be used to synchronize files between systems over network links.", - "remediation": "Run the following command to stop and disable `rsync` :\n\n```\nsystemctl stop rsyncd\nsystemctl disable rsyncd\n```" - } - }, - { - "query": "rsyslog.conf.settings.contains(\"$FileCreateMode 0640\")\n", - "code_id": "nxVlUWzBV1c=", - "checksum": "fmWf4rfUB+I=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-default-file-permissions-configured", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure rsyslog default file permissions 
configured", - "docs": { - "desc": "rsyslog will create log files that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.", - "remediation": "Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`\nfiles and set `$FileCreateMode` to `0640` or more restrictive:\n\n```\n$FileCreateMode 0640\n```" - } - }, - { - "query": "package(\"rsyslog\").installed\n", - "code_id": "WkL8wViksRw=", - "checksum": "d2ai3Z2fJVc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-is-installed", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure rsyslog is installed", - "docs": { - "desc": "The `rsyslog`\nsoftware is a recommended replacement to the original `syslogd`\ndaemon which provide improvements over `syslogd`\n, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.", - "remediation": "Run the following command to install rsyslog:\n\n```\ndnf install rsyslog\n```" - } - }, - { - "query": "service(\"rsyslog\").enabled\n", - "code_id": "ctwaZkpRtPo=", - "checksum": "XaibUtdW9N8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-rsyslog-service-is-enabled", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure rsyslog Service is enabled", - "docs": { - "desc": "Once the `rsyslog` package is installed it needs to be enabled.", - "remediation": "Run the following command to enable `rsyslog`:\n\n```\nsystemctl --now enable rsyslog\n```" - } - }, - { - "query": "service(\"smb\").enabled == false\nservice(\"smbd\").enabled == false\nservice(\"smb\").running == false\nservice(\"smbd\").running == false\n", - "code_id": "jb3wqU5HpR8=", - "checksum": "azZcVpK+sXk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-samba-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure 
Samba is stopped and not enabled", - "docs": { - "desc": "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users can mount these directories and file systems as letter drives on their systems.", - "remediation": "Run the following command to stop and disable `smb` and `smbd` services :\n\n```\nsystemctl stop smb\nsystemctl stop smbd\nsystemctl disable smb\nsystemctl disable smbd\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.secure_redirects'] == 0\nkernel.parameters['net.ipv4.conf.default.secure_redirects'] == 0\n", - "code_id": "o38RkOShiq4=", - "checksum": "0IN9X8IU33k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-secure-icmp-redirects-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure secure ICMP redirects are not accepted", - "docs": { - "desc": "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. 
It is assumed that these gateways are known to your system and are likely to be secure.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.secure_redirects = 0\n\nnet.ipv4.conf.default.secure_redirects = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.secure_redirects=0\n\nsysctl -w net.ipv4.conf.default.secure_redirects=0\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/run\\/utmp\\s+\\-p\\s+wa\\s+\\-k\\s+session(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/wtmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/btmp\\s+\\-p\\s+wa\\s+\\-k\\s+logins(\\s+)?$/)\n}\n", - "code_id": "O1tAHbKLcI8=", - "checksum": "ZwNFahpcJVI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-session-initiation-information-is-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure session initiation information is collected", - "docs": { - "desc": "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. \nThe file `/var/run/utmp` tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" \nThe `/var/log/wtmp` file tracks logins, logouts, shutdown, and reboot events. The file `/var/log/btmp` keeps track of failed \nlogin attempts and can be read by entering the command `/usr/bin/last -f /var/log/btmp`. 
All audit records will be tagged with \nthe identifier \"logins.\"", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-session.rules`\n\nAdd the following lines:\n\n```\n-w /var/run/utmp -p wa -k session\n\n-w /var/log/wtmp -p wa -k logins\n\n-w /var/log/btmp -p wa -k logins\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "groups.where( name == \"shadow\").list { members.length == 0 }\n", - "code_id": "v8xZOX1QRJQ=", - "checksum": "ZTYs9gI03R8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-shadow-group-is-empty", - "type": "\u0019\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure shadow group is empty", - "docs": { - "desc": "The shadow group allows system programs or defined users the ability to read the `/etc/shadow` file. No users should be assigned to the shadow group.", - "remediation": "Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with shadow as their primary group." 
- } - }, - { - "query": "service(\"snmpd\").enabled == false\nservice(\"snmpd\").running == false\n", - "code_id": "+u6doYoYG5E=", - "checksum": "Jv1M9kP3eIo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-snmp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure SNMP server is stopped and not enabled", - "docs": { - "desc": "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.", - "remediation": "Run the following command to stop and disable `snmpd`:\n\n```\nsystemctl stop snmpd\nsystemctl disable snmpd\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv4.conf.default.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.all.accept_source_route'] == 0\nkernel.parameters['net.ipv6.conf.default.accept_source_route'] == 0\n", - "code_id": "KehuxCXphps=", - "checksum": "D5zlId5evK4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-source-routed-packets-are-not-accepted", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure source routed packets are not accepted", - "docs": { - "desc": "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. 
Internet routable), and so source routed packets would need to be used.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.accept_source_route = 0\n\nnet.ipv4.conf.default.accept_source_route = 0\n\nnet.ipv6.conf.all.accept_source_route = 0\n\nnet.ipv6.conf.default.accept_source_route = 0\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.accept_source_route=0\n\nsysctl -w net.ipv4.conf.default.accept_source_route=0\n\nsysctl -w net.ipv6.conf.all.accept_source_route=0\n\nsysctl -w net.ipv6.conf.default.accept_source_route=0\n\nsysctl -w net.ipv4.route.flush=1\n\nsysctl -w net.ipv6.route.flush=1\n```" - } - }, - { - "query": "sshd.config.params[\"AllowUsers\"] != \"\" || sshd.config.params[\"DenyUsers\"] != \"\"\nsshd.config.params[\"AllowGroups\"] != \"\" || sshd.config.params[\"DenyGroups\"] != \"\"\n", - "code_id": "RQmG/5b+6Rs=", - "checksum": "8gO3iwapLzU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-access-is-limited", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure SSH access is limited", - "docs": { - "desc": "There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged: `AllowUsers`\n\nThe `AllowUsers` variable gives the system administrator the option of allowing specific users to `ssh` into the system. The list consists of space-separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. `AllowGroups`\n\nThe `AllowGroups` variable gives the system administrator the option of allowing specific groups of users to `ssh` into the system. 
The list consists of space-separated group names. Numeric group IDs are not recognized with this variable. `DenyUsers`\n\nThe `DenyUsers` variable gives the system administrator the option of denying specific users to `ssh` into the system. The list consists of space-separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying user access from a particular host, the entry can be specified in the form of user@host. `DenyGroups`\n\nThe `DenyGroups` variable gives the system administrator the option of denying specific groups of users to `ssh` into the system. The list consists of space-separated group names. Numeric group IDs are not recognized with this variable.", - "remediation": "Edit the `/etc/ssh/sshd_config` file and add one or more of these parameters:\n\n```\nAllowUsers \u003cuserlist\u003e\nAllowGroups \u003cgrouplist\u003e\n\nDenyUsers \u003cuserlist\u003e\nDenyGroups \u003cgrouplist\u003e\n```" - } - }, - { - "query": "sshd.config.params[\"HostbasedAuthentication\"] == \"no\"\n", - "code_id": "YiaSSdvN0BM=", - "checksum": "fP/qLQfLyR4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-hostbasedauthentication-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH HostbasedAuthentication is disabled", - "docs": { - "desc": "The `HostbasedAuthentication` parameter specifies if authentication is allowed through trusted hosts via the user of `.rhosts`, or `/etc/hosts.equiv` , along with successful public key client host authentication. 
This option only applies to SSH Protocol Version 2.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `HostbasedAuthentication` parameter as follows:\n\n```\nHostbasedAuthentication no\n```" - } - }, - { - "query": "sshd.config.params {\n _[\"ClientAliveInterval\"] \u003e= 1\n _[\"ClientAliveInterval\"] \u003c= 300\n _[\"ClientAliveCountMax\"] \u003c= 3\n}\n", - "code_id": "BfEDQj6MJvc=", - "checksum": "yobEqVgCTtk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-idle-timeout-interval-is-configured", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure SSH Idle Timeout Interval is configured", - "docs": { - "desc": "The two options `ClientAliveInterval` and `ClientAliveCountMax` control the timeout of ssh sessions. When the `ClientAliveInterval` variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the `ClientAliveCountMax` variable is set, `sshd` will send client alive messages at every `ClientAliveInterval` interval. When the number of consecutive client alive messages are sent with no response from the client, the `ssh` session is terminated. 
For example, if the `ClientAliveInterval` is set to 15 seconds and the `ClientAliveCountMax` is set to 3, the client `ssh` session will be terminated after 45 seconds of idle time.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `ClientAliveInterval` and `ClientAliveCountMax` parameters according to site policy:\n\n```\nClientAliveInterval 300\nClientAliveCountMax 0\n```" - } - }, - { - "query": "sshd.config.params[\"IgnoreRhosts\"] == \"yes\"\n", - "code_id": "Daaqa///pts=", - "checksum": "PwmkfaueTzM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-ignorerhosts-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH IgnoreRhosts is enabled", - "docs": { - "desc": "The `IgnoreRhosts` parameter specifies that `.rhosts` and `.shosts` files will not be used in `RhostsRSAAuthentication` or `HostbasedAuthentication` .", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `IgnoreRhosts` parameter as follows:\n\n```\nIgnoreRhosts yes\n```" - } - }, - { - "query": "sshd.config.params {\n _[\"LoginGraceTime\"] \u003e= 1\n _[\"LoginGraceTime\"] \u003c= 60\n}\n", - "code_id": "b+fB/tLcWzs=", - "checksum": "zPZoZJmBzAc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-logingracetime-is-set-to-one-minute-or-less", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure SSH LoginGraceTime is set to one minute or less", - "docs": { - "desc": "The `LoginGraceTime` parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. 
Like other session controls, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `LoginGraceTime` parameter as follows:\n\n```\nLoginGraceTime 60\n```" - } - }, - { - "query": "sshd.config.params[\"LogLevel\"] == /INFO|VERBOSE/\n", - "code_id": "lzX+6GYw7S0=", - "checksum": "4yLcfb9uVzI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-loglevel-is-appropriate", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure SSH LogLevel is appropriate", - "docs": { - "desc": "`INFO` level is the basic level that only records the login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.\n\n`VERBOSE` level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `LogLevel` parameter as follows:\n\n```\nLogLevel VERBOSE\n```\n\nor\n\n```\nLogLevel INFO\n```" - } - }, - { - "query": "sshd.config.params[\"MaxAuthTries\"] \u003c= 4\n", - "code_id": "/Su2a1bp8TA=", - "checksum": "mX8mJHNl5Rg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-maxauthtries-is-set-to-4-or-less", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure SSH MaxAuthTries is set to 4 or less", - "docs": { - "desc": "The `MaxAuthTries` parameter specifies the maximum number of authentication attempts permitted per connection. 
When the login failure count reaches half this maximum value, error messages will be written to the `syslog` file detailing the login failure.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `MaxAuthTries` parameter as follows:\n\n```\nMaxAuthTries 4\n```" - } - }, - { - "query": "sshd.config.params[\"PermitEmptyPasswords\"] == \"no\"\n", - "code_id": "ubafkKyRPyY=", - "checksum": "qnjshgiZlY8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-permitemptypasswords-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH PermitEmptyPasswords is disabled", - "docs": { - "desc": "The `PermitEmptyPasswords` parameter specifies if the SSH server allows login to accounts with empty password strings.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitEmptyPasswords` parameter as follows:\n\n```\nPermitEmptyPasswords no\n```" - } - }, - { - "query": "sshd.config.params[\"PermitUserEnvironment\"] == \"no\"\n", - "code_id": "tLcO8I/iXyk=", - "checksum": "Bb4lOYSlvnE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-permituserenvironment-is-disabled", - "type": "\u0004", - "severity": { - "value": 70 - }, - "title": "Ensure SSH PermitUserEnvironment is disabled", - "docs": { - "desc": "The `PermitUserEnvironment` option allows users to present environment options to the `ssh` daemon.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitUserEnvironment` parameter as follows:\n\n```\nPermitUserEnvironment no\n```" - } - }, - { - "query": "sshd.config.params[\"Protocol\"] == 2\n", - "code_id": "wM8ZVC/LDTg=", - "checksum": "qFVq3E4B2f8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-protocol-is-set-to-2", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH Protocol is set to 2", - "docs": { - "desc": "SSH supports two different and incompatible protocols: SSH1 and SSH2. 
SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `Protocol`parameter as follows:\n\n```\nProtocol 2\n```" - } - }, - { - "query": "sshd.config.params[\"PermitRootLogin\"] == \"no\" || sshd.config.params[\"PermitRootLogin\"] == \"prohibit-password\" || sshd.config.params[\"PermitRootLogin\"] == \"without-password\"\n", - "code_id": "gmsQpeNjdsE=", - "checksum": "2ZZWY42pbi8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-root-login-is-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure SSH root login is disabled or set to prohibit-password", - "docs": { - "desc": "The `PermitRootLogin` parameter specifies if the root user can log in using ssh(1). The default is no.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `PermitRootLogin` parameter as follows:\n\n```\nPermitRootLogin no\n```" - } - }, - { - "query": "sshd.config.params[\"Banner\"] != \"\"\n", - "code_id": "ISWAS8ZYXus=", - "checksum": "98IeJiZyWgA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-warning-banner-is-configured", - "type": "\u0004", - "severity": { - "value": 40 - }, - "title": "Ensure SSH warning banner is configured", - "docs": { - "desc": "The `Banner` parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. 
By default, no banner is displayed.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `Banner` parameter as follows:\n\n```\nBanner /etc/issue.net\n```" - } - }, - { - "query": "sshd.config.params[\"X11Forwarding\"] == \"no\"\n", - "code_id": "VAMnKimEy50=", - "checksum": "9z/Cdg6NuFA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-ssh-x11-forwarding-is-disabled", - "type": "\u0004", - "severity": { - "value": 50 - }, - "title": "Ensure SSH X11 forwarding is disabled", - "docs": { - "desc": "The X11Forwarding parameter allows tunneling X11 traffic through the connection to enable remote graphic connections.", - "remediation": "Edit the `/etc/ssh/sshd_config` file to set the `X11Forwarding` parameter as follows:\n\n```\nX11Forwarding no\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+mounts/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+mount\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=mounts/)\n}\n", - "code_id": "7dzfqFlvkAk=", - "checksum": "a9dhHhNnOE8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-successful-file-system-mounts-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure 
successful file system mounts are collected", - "docs": { - "desc": "Monitor the use of the `mount`\nsystem call. The `mount`\n(and `umount`\n) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-mounts.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-mounts.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n\n-a always,exit -F arch=b32 -S mount -F auid\u003e=1000 -F auid!=4294967295 -k mounts\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file('/etc/sudoers').content.lines.where( _ == /^[^#]/ ).contains(/logfile\\=\\\"\\/var\\/log\\/sudo\\.log\\\"/)\n", - "code_id": "piWj+cXXr7k=", - "checksum": "16lZ/IrvqfM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-sudo-logging-is-enabled", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure sudo logging is enabled", - "docs": { - "desc": "By default, sudo logs all events in the /var/log/auth.log file. This log file contains all authentication events system-wide, making it difficult to audit sudo failures. 
To reduce the chances of sudo failures going unnoticed, administrations should configure sudo to log to a dedicated log file location.", - "remediation": "Using the `visudo` command, add the following line to the `/etc/sudoers` configuration file.\n\n```\nDefaults log_host, log_year, logfile=\"/var/log/sudo.log\"\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.conf.all.log_martians'] == 1\nkernel.parameters['net.ipv4.conf.default.log_martians'] == 1\n", - "code_id": "Hwqs1IZPO4c=", - "checksum": "+6bG2lgU2XA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-suspicious-packets-are-logged", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure suspicious packets are logged", - "docs": { - "desc": "When enabled, this feature logs packets with un-routable source addresses to the kernel log.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.conf.all.log_martians = 1\n\nnet.ipv4.conf.default.log_martians = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.conf.all.log_martians=1\n\nsysctl -w net.ipv4.conf.default.log_martians=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "users.where( name != \"root\" \u0026\u0026 name != \"sync\" \u0026\u0026 name != \"shutdown\" \u0026\u0026 name != \"halt\" ).where( uid \u003c 1000 ).list {\n name\n shell == \"/usr/bin/nologin\" || shell == \"/sbin/nologin\" || shell == \"/usr/sbin/nologin\"\n}\n", - "code_id": "RLX6/DpoDuE=", - "checksum": "fqbMs9L/lH4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-system-accounts-are-non-login", - "type": "\u0019\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure system accounts are non-login", - "docs": { - "desc": "There are a number of accounts on Linux systems that are used to manage applications and services. 
These accounts are not intended for interactive use and do not require a shell.", - "remediation": "Set the shell for any accounts returned by the audit script to `/sbin/nologin`:\n\n```\nusermod -s /sbin/nologin \u003cem\u003e\u003cuser\u003e\u003c/em\u003e\n```\n\nThe following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync`, `shutdown`, and `halt` users:\n\n```\n#!/bin/bash\n\nfor user in `awk -F: '($3 \u003c 1000) {print $1 }' /etc/passwd`; do\nif [ $user != \"root\" ]; then\n if [ \"$(passwd -S $user| cut -d ' ' -f 2)\" = \"P\" ]; then\n echo \"Lock $user account\"\n usermod -L $user\n fi\n if [ $user != \"sync\" ] \u0026\u0026 [ $user != \"shutdown\" ] \u0026\u0026 [ $user != \"halt\" ]; then\n echo \"Set /sbin/nologin shell for user $user\"\n usermod -s /sbin/nologin $user\n fi\nfi\ndone\n```\n\nnologin is a per-user method of disabling interactive logins (usually used for system accounts like http or ftp). nologin uses /etc/nologin.txt as an optional source for a non-default message, the login access is always refused independently of the file." - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-w\\s+\\/var\\/log\\/sudo\\.log\\s+\\-p\\s+wa\\s+\\-k\\s+actions(\\s+)?$/)\n}\n", - "code_id": "gCDGOw9QK4Q=", - "checksum": "b62taGdUKEI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-system-administrator-actions-sudolog-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure system administrator actions (sudolog) are collected", - "docs": { - "desc": "Monitor the `sudo` log file. If the system has been properly configured to disable the use of the `su`\ncommand and force all administrators to have to log in first and then use `sudo`\nto execute privileged commands, then all administrator commands will be logged to `/var/log/sudo.log`\n. 
Any time a command is executed, an audit event will be triggered as the `/var/log/sudo.log`\nfile will be opened for write and the executed administration command will be written to the log.", - "remediation": "Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules` and add the following line:\n\n```\n-w \u003cPath to sudo log file\u003e -p wa -k actions\n```\n\nExample: `vi /etc/audit/rules.d/actions.rules`\n\nand add the following line:\n\n```\n-w /var/log/sudo.log -p wa -k actions\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "file(\"/etc/audit/auditd.conf\").exists\nif (file(\"/etc/audit/auditd.conf\").exists) {\n parse.ini(\"/etc/audit/auditd.conf\") {\n params[\"space_left_action\"].downcase == \"email\"\n params[\"action_mail_acct\"].downcase == \"root\"\n params[\"admin_space_left_action\"].downcase == \"halt\"\n }\n}\n", - "code_id": "sefeJd4La70=", - "checksum": "RmP6aWsVIRk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-system-is-disabled-when-audit-logs-are-full", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure system is disabled when audit logs are full", - "docs": { - "desc": "The `auditd`\ndaemon can be configured to halt the system when the audit logs are full.", - "remediation": "Set the following parameters in `/etc/audit/auditd.conf:`\n\n```\nspace_left_action = email\n\naction_mail_acct = root\n\nadmin_space_left_action = halt\n```" - } - }, - { - "query": "service(\"ntalk\").enabled == false\nservice(\"ntalk\").running == false\n", - "code_id": "yYCqsWpfXqE=", - "checksum": "38wosMYlpVI=", - 
"mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-talk-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure talk server is stopped and not enabled", - "docs": { - "desc": "The talk software allows users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default.", - "remediation": "Run the following command to stop and disable talk:\n\n```\nsystemctl stop ntalk\nsystemctl disable ntalk\n```" - } - }, - { - "query": "kernel.parameters['net.ipv4.tcp_syncookies'] == 1\n", - "code_id": "w44ayUe5r2M=", - "checksum": "kyy0GS9laZc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-tcp-syn-cookies-is-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure TCP SYN Cookies is enabled", - "docs": { - "desc": "When `tcp_syncookies` is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN\\|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. 
This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.", - "remediation": "Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\\*` file:\n\n```\nnet.ipv4.tcp_syncookies = 1\n```\n\nRun the following commands to set the active kernel parameters:\n\n```\nsysctl -w net.ipv4.tcp_syncookies=1\n\nsysctl -w net.ipv4.route.flush=1\n```" - } - }, - { - "query": "service(\"telnet.socket\").enabled == false\nservice(\"telnet.socket\").running == false\n", - "code_id": "727yzVm9jYQ=", - "checksum": "a4eg19gs9Ns=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-telnet-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure telnet server is stopped and not enabled", - "docs": { - "desc": "The `telnet-server` package contains the `telnet` daemon, which accepts connections from users from other systems via the `telnet` protocol.", - "remediation": "Run the following command to stop and disable telnet:\n\n```\nsystemctl stop telnet.socket\nsystemctl disable telnet.socket\n```" - } - }, - { - "query": "service(\"tftp.socket\").enabled == false\nservice(\"tftp.socket\").running == false\n", - "code_id": "AjsJ60JDOuU=", - "checksum": "N6VTfxx8IJA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-tftp-server-is-not-enabled", - "type": "\u0001", - "severity": { - "value": 100 - }, - "title": "Ensure tftp server is stopped and not enabled", - "docs": { - "desc": "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. 
The package `tftp-server` is used to define and support a TFTP server.", - "remediation": "Run the following command to stop and disable tftp:\n\n```\nsystemctl stop tftp.socket\nsystemctl disable tftp.socket\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-e\\s+2(\\s+)?$/)\n}\n", - "code_id": "5YLhhd+c3KY=", - "checksum": "6baNp/kTdao=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-the-audit-configuration-is-immutable", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure the audit configuration is immutable", - "docs": { - "desc": "Set system audit so that audit rules cannot be modified with `auditctl`\n. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.", - "remediation": "Edit or create the file `/etc/audit/audit.rules` and add the following line at the end of the file:\n\n```\n-e 2\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - "query": "logindefs.params{ _['UID_MIN'] == 1000 }\n", - "code_id": "ZydIs1lDnr8=", - "checksum": "BGejZTgla2k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-uid-min-is-set-to-1000", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure UID_MIN is set to 1000", - "docs": { - "desc": "User ID or UID is used to identify a Linux user with an ID or number. 
The start number for newly created users can be set with this configuration.", - "remediation": "Edit the `login.defs` file and set UID_MIN.\n\n```\nsudo vim /etc/login.defs\n\n\nUID_MIN 1000\n```" - } - }, - { - "query": "file('/etc/audit/audit.rules').exists\nif (file('/etc/audit/audit.rules').exists) {\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EACCES\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=\\-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || 
file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b64\\s+\\-S\\s+open\\,truncate\\,ftruncate\\,creat\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+creat\\s+\\-S\\s+open\\s+\\-S\\s+openat\\s+\\-S\\s+truncate\\s+\\-S\\s+ftruncate\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=4294967295\\s+\\-k\\s+access(\\s+)?$/)\n || file('/etc/audit/audit.rules').content.lines.contains(/^(\\s+)?\\-a\\s+always\\,exit\\s+\\-F\\s+arch\\=b32\\s+\\-S\\s+open\\,creat\\,truncate\\,ftruncate\\,openat\\s+\\-F\\s+exit\\=\\-EPERM\\s+\\-F\\s+auid\\\u003e\\=1000\\s+\\-F\\s+auid\\!\\=-1\\s+\\-F\\s+key\\=access(\\s+)?$/)\n}\n", - "code_id": "AjCxN3eZtsA=", - "checksum": "iNHpM4pcffc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-linux-security-unsuccessful-unauthorized-file-access-attempts-are-collected", - "type": "\u0001", - "severity": { - "value": 80 - }, - "title": "Ensure unsuccessful unauthorized file access attempts are collected", - "docs": { - "desc": "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( `creat` ), opening ( `open`, `openat` ) and \ntruncation ( `truncate`, `ftruncate` ) of files. An audit log record will only be written if the user is a non-privileged user (auid \u003e = 1000), is not a Daemon event \n(auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). \nAll audit records will be tagged with the identifier \"access.\"\n\n**Note:**\nSystems may have been customized to change the default UID_MIN. 
To confirm the UID_MIN for your system, run the following command:\n\n```\nawk '/^\\s*UID_MIN/{print $2}' /etc/login.defs\n```\n\nIf your systems' UID_MIN is not `1000`, replace `audit\u003e=1000` with `audit\u003e=\u003cUID_MIN for your system\u003e` in the Audit and Remediation procedures.", - "remediation": "For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-access.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n```\n\nFor 64-bit systems edit or create a file in the `/etc/audit/rules.d/`\ndirectory ending in `.rules`\n\nExample: `vi /etc/audit/rules.d/50-access.rules`\n\nAdd the following lines:\n\n```\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid\u003e=1000 -F auid!=4294967295 -k access\n```\n\nTo load the newly added rules into the running configuration:\n\n```\naugenrules --load\n```\nThis command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.\n\n\nCheck if a reboot is required, in case the running configuration is set to be immutable:\n\n```\nif [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi\n```" - } - }, - { - 
"query": "file('/etc/security/audit_control').permissions {\n user_readable\n user_writeable == false\n user_executable == false\n\n group_writeable == false\n group_executable == false\n\n other_readable == false\n other_writeable == false\n other_executable == false\n}\n", - "code_id": "3vQkCf8lpSM=", - "checksum": "LniNa+t0dV0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-control-access-to-audit-records", - "type": "\u000c", - "title": "Control access to audit records", - "docs": { - "desc": "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.", - "remediation": "Run the following to commands to set the audit records to the root user and wheel group:\n\n```\nsudo chown -R root:wheel /etc/security/audit_control\n\nsudo chmod -R -o-rw /etc/security/audit_control\n\nsudo chown -R root:wheel /var/audit/\n\nsudo chmod -R -o-rw /var/audit/\n```\n\n**Note:**\nIt is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes.\n\n**Impact:**\n\nThis check ensures that unwanted access to audit records is not available." 
- } - }, - { - "query": "users.where( name != /^_/ \u0026\u0026 shell != \"/usr/bin/false\" \u0026\u0026 name != \"root\" ).list {\n if (file(home + \"/Library/Preferences/ByHost/com.apple.Bluetooth.\" + os.machineid.upcase + \".plist\").exists) {\n parse.plist( home + \"/Library/Preferences/ByHost/com.apple.Bluetooth.\" + os.machineid.upcase + \".plist\") {\n params['PrefKeyServicesEnabled'] == null || params['PrefKeyServicesEnabled'] == false\n }\n } else {\n true\n }\n}\n", - "code_id": "5+xXKrjQBn8=", - "checksum": "cZmJfFX9xGA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-bluetooth-sharing", - "type": "\u0019\u000c", - "title": "Disable Bluetooth Sharing", - "docs": { - "desc": "Bluetooth Sharing allows files to be exchanged with Bluetooth-enabled devices.", - "remediation": "Perform the following to disable Bluetooth Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Bluetooth Sharing\n\nRun the following command to disable Bluetooth Sharing is disabled:\n\n```\nsudo -u \u003cusername\u003e defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false\n```\n\n```\nsudo -u firstuser defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false\n```\n\n**Impact:**\n\nControl 2.1.1 discusses disabling Bluetooth if no paired devices exist. There is a general expectation that Bluetooth peripherals will be used by most users in Apple's ecosystem. It is possible that sharing is required and Bluetooth peripherals are not. Bluetooth must be enabled if sharing is an acceptable use case." 
- } - }, - { - "query": "if (file('/Library/Preferences/com.apple.mDNSResponder.plist').exists) {\n parse.plist('/Library/Preferences/com.apple.mDNSResponder.plist').params['NoMulticastAdvertisements'] != 0\n}\n", - "code_id": "TKK3QVcpZF4=", - "checksum": "Rijx8XNQsH8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-bonjour-advertising-service", - "type": "\u000c", - "title": "Disable Bonjour advertising service", - "docs": { - "desc": "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.", - "remediation": "Run the following command to disable Bonjour Advertising services:\n\n```\nsudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true\n```\n\n**Impact:**\n\nSome applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the `mDNSResponder`\nis turned off." - } - }, - { - "query": "parse.plist('/Library/Preferences/com.apple.AssetCache.plist').params['Activated'] == false\n", - "code_id": "gDSFexsXo9Q=", - "checksum": "gNLiVDu5NmA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-content-caching", - "type": "\u0004", - "title": "Disable Content Caching", - "docs": { - "desc": "Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. 
In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream.\nThis capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.\n\n[Content types supported by Content Caching in macOS](https://support.apple.com/en-us/HT204675)", - "remediation": "Perform the following to disable Content Caching:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Content Caching\n\n_Terminal Method:_\n\nRun the following command to disable Content Caching:\n\n```\nsudo AssetCacheManagerUtil deactivate\n```\n\nThe output will include `Content caching deactivated`\n\n**Impact:**\n\nThis setting will adversely affect bandwidth usage between local subnets and the Internet." - } - }, - { - "query": "service(\"com.apple.ODSAgent\" ) { \n enabled == false\n running == false\n}\n", - "code_id": "VEFJ8cembiY=", - "checksum": "orGd7WsNamI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-dvd-or-cd-sharing", - "type": "\u000c", - "title": "Disable DVD or CD Sharing", - "docs": { - "desc": "DVD or CD Sharing allows users to access the system's optical drive remotely. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when connected. In testing the sharing of an external optical drive persists when a drive is reconnected.", - "remediation": "Perform the following to disable DVD or CD Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. 
Uncheck DVD or CD sharing\n\n_Terminal Method:_\n\nRun the following command to disable DVD or CD Sharing:\n\n```\nsudo launchctl disable system/com.apple.ODSAgent\n```\n\n**Note:**\nIf using the Terminal method, the GUI will still show the service checked until after a reboot.\n\n**Impact:**\n\nMany Apple devices are now sold without optical drives, and drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long term storage. To store necessary data from an optical drive, it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in it's original form on another form of external storage" - } - }, - { - "query": "service('com.apple.smbd') {\n enabled == false\n running == false\n}\n", - "code_id": "CUh098wkVGw=", - "checksum": "epfMNDasOaE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-file-sharing", - "type": "\u000c", - "title": "Disable File Sharing", - "docs": { - "desc": "Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access into the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.", - "remediation": "Perform the following to disable File Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. 
Uncheck File Sharing\n\n_Terminal Method:_\n\nRun the following command to disable SMB file sharing:\n\n```\nsudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist\n```\n\n**Impact:**\n\nFile Sharing can be used to share documents with other users but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily." - } - }, - { - "query": "file(\"/Library/Preferences/com.apple.nat.plist\").exists == false \n|| parse.plist('/Library/Preferences/SystemConfiguration/com.apple.nat.plist').params['NAT']['Enabled'] == 0\n", - "code_id": "TcnL2JAJZdQ=", - "checksum": "1jcZCdlNbWI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-internet-sharing", - "type": "\u0004", - "title": "Disable Internet Sharing", - "docs": { - "desc": "Internet Sharing uses the open source `natd` process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices.", - "remediation": "Perform the following to disable Internet Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Internet Sharing\n\n_Terminal Method:_\n\nRun the following command to turn off Internet Sharing:\n\n```\nsudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0\n```\n\n**Note:**\nUsing the Terminal Method will not uncheck the setting in System Preferences\u003eSharing but will disable the underlying service.\n\n**Impact:**\n\nInternet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices." 
- } - }, - { - "query": "users.where( name != /^_/ \u0026\u0026 shell != \"/usr/bin/false\" \u0026\u0026 name != \"root\" ).list {\n parse.plist(home + '/Library/Preferences/com.apple.amp.mediasharingd.plist').params['home-sharing-enabled'] == 0\n}\n", - "code_id": "gzO9EwpXfVw=", - "checksum": "Q7Uas6PLTQo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-media-sharing", - "type": "\u0019\u000c", - "title": "Disable Media Sharing", - "docs": { - "desc": "Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs.\n\nWith this capability guest users can also use media downloaded on the computer.\n\nThe recommended best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices.\n\n[https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac](https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac)\n\nThis capability requires the use of macOS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data.\n\n[Content types supported by content caching in macOS](https://support.apple.com/en-us/HT204675)", - "remediation": "Perform the following to disable Media Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. 
Uncheck Media Sharing\n\n_Terminal Method:_\n\nRun the following command to disable Media Sharing:\n\n```\nsudo -u \u003cusername\u003e defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0\n```\n\n_example_\n:\n\n```\nsudo -u test2 defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0\n```\n\n**Impact:**\n\nMedia Sharing allows for pre-downloaded content on a Mac to be available to other Apple devices on the same network. Leaving this disabled forces device users to stream or download content from each Apple authorized device. This sharing could even allow unauthorized devices on the same network media access." - } - }, - { - "query": "command('cupsctl | grep _share_printers' ) { stdout == /_share_printers=0/ }\n", - "code_id": "0cYdG2ehKhU=", - "checksum": "K9sH2rySK6Q=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-printer-sharing", - "type": "\u000c", - "title": "Disable Printer Sharing", - "docs": { - "desc": "By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead.", - "remediation": "Perform the following to disable Printer Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Printer Sharing\n\n_Terminal Method:_\n\nRun the following command to disable Printer Sharing:\n\n```\nsudo cupsctl --no-share-printers\n```" - } - }, - { - "query": "macos.systemsetup.remoteAppleEvents == \"Off\"\n", - "code_id": "PUhq9Nox0SQ=", - "checksum": "HcNsAYN4ozY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-apple-events", - "type": "\u0004", - "title": "Disable Remote Apple Events", - "docs": { - "desc": "Apple Events is a technology that allows one program to communicate with other programs. 
Remote Apple Events allows a program on one computer to communicate with a program on a different computer.", - "remediation": "Perform the following to disable Remote Apple Events:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Verify that Remote Apple Evens is not set\n\n_Terminal Method:_\n\nRun the following commands to set Remote Apple Events to Off:\n\n```\nsudo systemsetup -setremoteappleevents off\n\nsetremoteappleevents: Off\n```\n\n**Impact:**\n\nWith remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer." - } - }, - { - "query": "macos.systemsetup.remoteLogin == \"Off\"\n", - "code_id": "kGRtc8w+ap8=", - "checksum": "fgrLbUzQn+g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-login", - "type": "\u0004", - "title": "Disable Remote Login", - "docs": { - "desc": "Remote Login allows an interactive terminal connection to a computer.", - "remediation": "Perform the following to disable Remote Login:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Remote Login\n\n_Terminal Method:_\n\nRun the following command to disable Remote Login:\n\n```\nsudo systemsetup -setremotelogin off\n\nDo you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)?\n```\n\nEntering yes will disable remote login.\n\n**Impact:**\n\nThe SSH server built-in to macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser and productivity tools, should not use the same device as a server. There are Enterprise management tool-sets that do utilize SSH. 
If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate admin service accounts.\n\nFor macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered:\n\n- Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication directory accounts for users that don't even use the system can be locked out.\n- Do not use SSH key pairs when there is no insight to the security of the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key they may not need a password or a key logger to access the SSH server.\n- Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark." - } - }, - { - "query": "processes.none ( command == /ARDAgent/)\n", - "code_id": "a0ffuephokY=", - "checksum": "aNySWmJ7mQA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-remote-management", - "type": "\u0004", - "title": "Disable Remote Management", - "docs": { - "desc": "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs.\n\nThe screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. 
If Remote Management is used, refer to the Screen Sharing section above on issues regarding screen sharing.\n\nRemote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is definitely a concern for mobile systems.", - "remediation": "Perform the following to disable Remote Management:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Remote Management\n\n_Terminal Method:_\n\nRun the following command to disable Remote Management:\n\n```\nsudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop\n\nStarting...\n\nRemoved preference to start ARD after reboot.\n\nDone.\n```\n\n**Impact:**\n\nMany organizations utilize ARD for client management." - } - }, - { - "query": "service(\"com.apple.screensharing\" ) {\n enabled == false\n running == false\n}\n", - "code_id": "Hl8ALMD7AtU=", - "checksum": "9ZDmFIMirZc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-disable-screen-sharing", - "type": "\u000c", - "title": "Disable Screen Sharing", - "docs": { - "desc": "Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer.", - "remediation": "Perform the following to disable Screen Sharing:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Sharing\n3. Uncheck Screen Sharing\n\n_Terminal Method:_\n\nRun the following command to turn off Screen Sharing:\n\n```\nsudo launchctl disable system/com.apple.screensharing\n```" - } - }, - { - "query": "command('dscl . 
-read /Users/root AuthenticationAuthority') { stderr == /No such key: AuthenticationAuthority/ }\n", - "code_id": "/YVNZkGk85A=", - "checksum": "v64pcbG0VTw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-do-not-enable-the-root-account", - "type": "\u000c", - "title": "Do not enable the \"root\" account", - "docs": { - "desc": "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions.", - "remediation": "Perform the following to ensure that the root user is disabled:\n\n_Graphical Method:_\n\n1. Open /System/Library/CoreServices/Applications/Directory Utility\n2. Select the lock icon to unlock the service\n3. Select **Edit**\n4. Select **Disable Root User**\n\n_Terminal Method:_\n\nRun the following command to disable the root user:\n\n```\nsudo dsenableroot -d\n\nusername = root\n\nuser password:\n```\n\n**Impact:**\n\nSome legacy POSIX software might expect an available root account." - } - }, - { - "query": "command('fdesetup status') { stdout == /FileVault is On/ }\n", - "code_id": "4M3LOHUnxNw=", - "checksum": "aEpdMvxabX0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-filevault", - "type": "\u000c", - "title": "Enable FileVault", - "docs": { - "desc": "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it.\n\nFileVault may also be enabled using command line using the `fdesetup`\ncommand. 
To use this functionality, consult the Der Flounder blog for more details:\n\n[https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/](https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/) [https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/](https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/)", - "remediation": "Perform the following to enable FileVault:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Security \u0026 Privacy\n3. Select FileVault\n4. Select Turn on FileVault\n\n**Impact:**\n\nMounting a FileVaulted volume from an alternate boot source will require a valid password to decrypt it." - } - }, - { - "query": "parse.plist('/Library/Preferences/com.apple.alf.plist').params['globalstate'] == 1", - "code_id": "f8ppBsMEp9w=", - "checksum": "UkHAg04eRq4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-firewall", - "type": "\u0004", - "title": "Enable Firewall", - "docs": { - "desc": "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall.\n\n[Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)", - "remediation": "Perform the following to turn the firewall on:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Security \u0026 Privacy\n3. Select Firewall\n4. 
Select Turn On Firewall\n\n_Terminal Method:_\n\nRun the following command to enable the firewall:\n\n```\nsudo defaults write /Library/Preferences/com.apple.alf globalstate -int \u003cvalue\u003e\n```\n\nFor the `\u003cvalue\u003e`\n, use either `1`\n, specific services, or `2`\n, essential services only.\n\n**Impact:**\n\nThe firewall may block legitimate traffic. Applications that are unsigned will require special handling." - } - }, - { - "query": "command('/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode') { stdout == /Stealth mode enabled/ }\n", - "code_id": "vL4UBRh6I0s=", - "checksum": "+TpPQZd/Ajo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-firewall-stealth-mode", - "type": "\u000c", - "title": "Enable Firewall Stealth Mode", - "docs": { - "desc": "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.\n\n[Block connections to your Mac with a firewall](https://support.apple.com/guide/mac-help/block-connections-to-your-mac-with-a-firewall-mh34041/mac)", - "remediation": "Perform the following to enable stealth mode:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Security \u0026 Privacy\n3. Select Firewall Options\n4. Turn on Enable stealth mode\n\n_Terminal Method:_\n\nRun the following command to enable stealth mode:\n\n```\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on\n\nStealth mode enabled\n```\n\n**Impact:**\n\nTraditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.\n\nThis check aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may not be configured. In this use case, hiding from the other inmates is likely to be important. In use cases where the device is only on trusted LANs with static IP addresses, you might not want stealth mode." 
- } - }, - { - "query": "command('spctl --status') { stdout == /assessments enabled/ }\n", - "code_id": "P+3EpDByOeU=", - "checksum": "9zjRyXJmndg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-gatekeeper", - "type": "\u000c", - "title": "Enable Gatekeeper", - "docs": { - "desc": "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization.", - "remediation": "Perform the following to implement the prescribed state:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Security \u0026 Privacy\n3. Select General\n4. Set Allow apps downloaded from to App Store and identified developers\n\n_Terminal Method:_\n\nRun the following command to enable Gatekeeper to allow applications from App Store and identified developers:\n\n```\nsudo spctl --master-enable\n```" - } - }, - { - "query": "service('com.apple.auditd').enabled == true\n", - "code_id": "+UTAvlwTJSE=", - "checksum": "RpZlXMdLoJQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-security-auditing", - "type": "\u0004", - "title": "Enable security auditing", - "docs": { - "desc": "macOS's audit facility, `auditd`\n, receives notifications from the kernel when certain system calls, such as `open`\n, `fork`\n, and `exit`\n, are made. 
These notifications are captured and written to an audit log.", - "remediation": "Perform the following to enable security auditing:\n\nRun the following command to load auditd:\n\n```\nsudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist\n```" - } - }, - { - "query": "users.where( name != /^_/ \u0026\u0026 shell != \"/usr/bin/false\" \u0026\u0026 name != \"root\" ).list {\n parse.plist( home + \"/Library/Preferences/ByHost/com.apple.controlcenter.\" + os.machineid.upcase + \".plist\").params[\"WiFi\"] == 18 || 2\n}\n", - "code_id": "yrEogbS4TIc=", - "checksum": "SRggUQOzxy8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-enable-show-wifi-status", - "type": "\u0019\u000c", - "title": "Enable \"Show Wi-Fi status in menu bar\"", - "docs": { - "desc": "The Wi-Fi status in the menu bar indicates if the system's wireless internet capabilities are enabled. If so, the system will scan for available wireless networks to connect to. At the time of this revision all computers Apple builds have wireless network capability, which has not always been the case. This check only pertains to systems that have a wireless NIC available. Operating systems running in a virtual environment may not score as expected either.", - "remediation": "Perform the following to enable Wi-Fi status in the menu bar:\n\n_Graphical Method:_\n\n1. Open System Preferences\n2. Select Network\n3. Select Wi-Fi\n4. Set Show Wi-Fi status in menu bar\n\n_Terminal Method:_\n\nFor each user, run the following to turn the Wi-Fi status on in the menu bar\n\n```\nsudo -u \u003cusername\u003e defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18\n```\n\n_example_\n:\n\n```\nsudo -u firstuser defaults -currentHost write com.apple.controlcenter.plist WiFi -int 18\n```\n\n_Please note! Both 18 and 2 are valid values for this parameter._\n\n**Impact:**\n\nThe user of the system should have a quick check on their wireless network status available." 
- } - }, - { - "query": "users.where( name != /^_/ \u0026\u0026 shell != \"/usr/bin/false\" \u0026\u0026 name != \"root\" ).list {\n if (file(home + '/Library/Preferences/com.apple.NetworkBrowser.plist').exists) {\n parse.plist(home + '/Library/Preferences/com.apple.NetworkBrowser.plist').params['DisableAirDrop'] == true\n } else {\n false\n }\n}\n", - "code_id": "9JNpBQTcxGA=", - "checksum": "Zd/8vPLkfz8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-airdrop-is-disabled", - "type": "\u0019\u000c", - "title": "Ensure AirDrop Is Disabled", - "docs": { - "desc": "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other.\n\nIn many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you.\n\nWhile there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards.", - "remediation": "Perform the following to disable AirDrop:\n\n_Graphical Method:_\n\n1. Open Finder\n2. Select Go\n3. Select AirDrop\n4. 
Set Allow me to be discovered by: No One\n\n_Terminal Method:_\n\nRun the following commands to disable AirDrop:\n\n```\nsudo -u \u003cusername\u003e defaults write com.apple.NetworkBrowser DisableAirDrop -bool true\n```\n\n_example_\n:\n\n```\nsudo -u seconduser defaults write com.apple.NetworkBrowser DisableAirDrop -bool true\n```\n\n**Impact:**\n\nDisabling AirDrop can limit the ability to move files quickly over the network without using file shares." - } - }, - { - "query": "command('/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode') { stdout == /Log mode is on/ }", - "code_id": "LwXJjUgMBzg=", - "checksum": "zv+lQvv4Ecw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-firewall-is-configured-to-log", - "type": "\u000c", - "title": "Ensure Firewall is configured to log", - "docs": { - "desc": "The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied logging must be enabled.", - "remediation": "Run the following command to enable logging of the firewall:\n\n```\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on\n\nTurning on log mode\n```\n\n**Impact:**\n\nDetailed logging may result in excessive storage." - } - }, - { - "query": "service('org.apache.httpd') {\n enabled == false\n running == false\n}\n", - "code_id": "mR4bkhf8hA0=", - "checksum": "9KlCc3rrMto=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-http-server-is-not-running", - "type": "\u000c", - "title": "Ensure http server is not running", - "docs": { - "desc": "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. 
Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services.", - "remediation": "Run the following command to disable the http server services:\n\n```\nsudo launchctl disable system/org.apache.httpd\n```\n\n**Impact:**\n\nThe web server is both a point of attack for the system and a means for unauthorized file transfers." - } - }, - { - "query": "service('com.apple.nfsd') {\n enabled == false\n running == false\n}\n", - "code_id": "xnmVZAuCI2E=", - "checksum": "JE/cPBLj9S4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-nfs-server-is-not-running", - "type": "\u000c", - "title": "Ensure NFS server is not running", - "docs": { - "desc": "macOS can act as an NFS file server. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer.", - "remediation": "Run the following command to disable the nfsd file server services:\n\n```\nsudo nfsd disable\nsudo nfsd stop\n```\n\nRemove the exported Directory listing.\n\n```\nsudo rm /etc/exports\n```\n\n**Impact:**\n\nThe NFS server is both a point of attack for the system and a means for unauthorized file transfers." 
- } - }, - { - "query": "file(\"/etc/security/audit_control\").content.lines.where( _ == /^expire-after/) {\n _.split(\":\")[1] == /[6-9]\\dd|\\d{3,}d/ || _.split(\":\")[1] == /\\d+0G|[1-9G]/\n}\n", - "code_id": "gKjNEMCx0bw=", - "checksum": "oTXS3QcHGgA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-ensure-security-auditing-retention", - "type": "\u0019\u000c", - "title": "Ensure security auditing retention", - "docs": { - "desc": "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.\n\nRetention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use the following:\n\nexpire-after:60d OR 1G\n\nMore info in the man page\nman audit_control", - "remediation": "Perform the following to set the audit retention length:\n\nEdit the `/etc/security/audit_control` file so that `expire-after:` is at least `60d OR 1G`\n\n**Impact:**\n\nThe recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data." - } - }, - { - "query": "macos.globalAccountPolicies['policyCategoryPasswordChange'] != null\nmacos.globalAccountPolicies['policyCategoryPasswordChange'].any( _['policyParameters']['policyAttributeDaysUntilExpiration'] \u003c= 365 )\n", - "code_id": "6TyVBwIw85M=", - "checksum": "gw/uDUKQwq8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-password-age", - "type": "\u0001", - "title": "Password Age", - "docs": { - "desc": "Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. 
To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users should reset passwords periodically.\nThis check uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This check mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts.", - "remediation": "Run the following command to require that passwords expire after at most 365 days:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"maxMinutesUntilChangePassword=\u003cvalue≤525600\u003e\"\n```\n\n_example_\n:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"maxMinutesUntilChangePassword=43200\"\n```\n\n**Impact:**\n\nRequired password changes will lead to some locked computers requiring admin assistance." - } - }, - { - "query": "macos.globalAccountPolicies['policyCategoryPasswordContent'] != null\nmacos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['policyAttributePasswordHistoryDepth'] \u003e= 15 )\n", - "code_id": "Rc4cmCcg1/I=", - "checksum": "5aJzcxcoDsA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-password-history", - "type": "\u0001", - "title": "Password History", - "docs": { - "desc": "Over time passwords can be captured by third-parties through mistakes, phishing attacks, third party breaches or merely brute force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed) users must reset passwords periodically. This check ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. 
This check ensures the new password is different than the previous 15.\nThe latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak.", - "remediation": "Run the following command to require that the password must to be different from at least the last 15 passwords:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"usingHistory=\u003cvalue≥15\u003e\"\n```\n\n_example_\n:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"usingHistory=15\"\n```\n\n**Impact:**\n\nRequired password changes will lead to some locked computers requiring admin assistance." - } - }, - { - "query": "file('/etc/sudoers').content == /Defaults\\s+timestamp_timeout=0/", - "code_id": "f/MMprSuX8E=", - "checksum": "iJpAN8+vlOU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-reduce-the-sudo-timeout-period", - "type": "\u0004", - "title": "Reduce the sudo timeout period", - "docs": { - "desc": "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This check along with the control to use a separate timestamp for each tty limits the window where an unauthorized user, process or attacker could utilize legitimate credentials that are valid for longer than required.", - "remediation": "Run the following command to edit the sudo settings:\n\n```\nsudo visudo\n```\n\nAdd the line `Defaults timestamp_timeout=0`\nin the `Override built-in defaults`\nsection.\n\n**Impact:**\n\nThis check has a serious impact where users often have to use sudo. 
It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this check too onerous and are better to accept the risk of not requiring a 0 grace period.\n\nIn some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password." - } - }, - { - "query": "file('/etc/asl/com.apple.install') {\n content != /all_max/\n content == /ttl/\n}\n", - "code_id": "GPEHNvO3VSg=", - "checksum": "wuP/wVun+gU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-retain-install-log-for-365-or-more-days", - "type": "\u000c", - "title": "Retain install.log for 365 or more days with no maximum size", - "docs": { - "desc": "macOS writes information pertaining to system-related events to the file `/var/log/install.log`\nand has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization.\n\nThe default value has an \"all_max\" file limitation, no reference to a minimum retention and a less precise rotation argument.\n\nThe all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. 
The decision here is to ensure that logs go back a year and depending on the applications a size restriction could compromise the ability to store a full year.\n\nWhile this Benchmark is not scoring for a rotation flag the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired.\n\nPlease review the File Rotation section in the man page for more information.\n\n```\nman asl.conf\n```\n\n- The maximum file size limitation string should be removed \"all_max=\"\n- An organization appropriate retention should be added \"ttl=\"\n- The rotation should be set with timestamps \"rotate=utc\" or \"rotate=local\"", - "remediation": "Perform the following to ensure that install logs are retained for at least 365 days:\n\nEdit the `/etc/asl/com.apple.install` file and add or modify the `ttl` value to `365` or greater on the `file` line. Also, remove the `all_max=` setting and value from the `file` line.\n\n**Impact:**\n\nWithout log files system maintenance and security forensics cannot be properly performed." 
- } - }, - { - "query": "macos.globalAccountPolicies['policyCategoryPasswordContent'] != null\nmacos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['minimumLength'] \u003e= 15 )\n", - "code_id": "LCSM+a4r5YE=", - "checksum": "6pI2R8bOiuo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-set-a-minimum-password-length", - "type": "\u0001", - "title": "Set a minimum password length", - "docs": { - "desc": "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.\n\nEnsure that a minimum of a 15-character password is part of the password policy on the computer.\n\nWhere the confidentiality of encrypted information in FileVault is more of a concern requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.", - "remediation": "Run the following command to set the password length to greater than or equal to 15:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"minChars=\u003cvalue≥15\u003e\"\n```\n\n_example_\n:\n\n```\nsudo pwpolicy -n /Local/Default -setglobalpolicy \"minChars=15\"\n```\n\n**Impact:**\n\nShort passwords can be easily attacked." - } - }, - { - "query": "parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').\nparams['AutomaticCheckEnabled'] != false\n", - "code_id": "ATy7MuN5xpc=", - "checksum": "AHetKM4MuEI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-automatic-check-enabled", - "type": "\u0004", - "title": "Ensure automatic checking of software updates enabled", - "docs": { - "desc": "This check determines where automatic checking for software updates is enabled", - "remediation": "Perform the following to enable automatic checking for updates:\n\n_Graphical Method:_\n\n1. Open **System Preferences**.\n2. Select **Software Update**.\n3. Select **Advanced**.\n4. 
Select **Check for updates**.\n\n_Terminal Method:_\n\nRun the following command to enable auto update:\n\n```bash\nsudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true\n```" - } - }, - { - "query": "parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').\nparams['AutomaticDownload'] != false\n", - "code_id": "NeEJkYpg9CI=", - "checksum": "JxkzMdata+Q=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-automatic-download", - "type": "\u0004", - "title": "Ensure automatic download of software updates enabled", - "docs": { - "desc": "This check determines whether automatic downloads of software updates is enabled", - "remediation": "Perform the following to enable automatic downloads of updates:\n\n_Graphical Method:_\n\n1. Open **System Preferences**.\n2. Select **Software Update**.\n3. Select **Advanced**.\n4. Select **Check for updates**.\n\n_Terminal Method:_\n\nRun the following command to enable auto update:\n\n```bash\nsudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true\n```" - } - }, - { - "query": "parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').\nparams['CriticalUpdateInstall'] != false\n", - "code_id": "by01tUXG5nE=", - "checksum": "D9RRKoIfiFE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-macos-security-software-updates-install-critical-updates", - "type": "\u0004", - "title": "Ensure critical updates are installed automatically", - "docs": { - "desc": "This check determines whether critical software updates are installed automatically", - "remediation": "Perform the following to enable automatic installation of critical updates:\n\n_Graphical Method:_\n\n1. Open **System Preferences**.\n2. Select **Software Update**.\n3. Select **Advanced**.\n4. 
Select **Check for updates**.\n\n_Terminal Method:_\n\nRun the following command to enable auto update:\n\n```bash\nsudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true\n```" - } - }, - { - "query": "command(\"ioreg -c IOPlatformExpertDevice -d 2\").stdout", - "code_id": "jNr758/IuxI=", - "checksum": "/jNTws8q97Y=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-apple-device", - "type": "\u0007", - "title": "Apple Device Information" - }, - { - "query": "arista.eos.fqdn", - "code_id": "R7C7yp7QnwU=", - "checksum": "pzBXOMSrPJM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-fqdn", - "type": "\u0007", - "title": "Arista FQDN" - }, - { - "query": "arista.eos.hostname", - "code_id": "bIx5/IWqTvc=", - "checksum": "uLyG5mxzT0w=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-hostname", - "type": "\u0007", - "title": "Arista Hostname" - }, - { - "query": "arista.eos.version", - "code_id": "6oFM2r0BMAg=", - "checksum": "fgbC6cDuJxc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-arista-version", - "type": "\n", - "title": "Arista Version" - }, - { - "query": "aws.account.id", - "code_id": "NqsOI2adG+Q=", - "checksum": "tRTVvJKUJo4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-aws-account-id", - "type": "\u0007", - "title": "AWS Account ID" - }, - { - "query": "if( command('dmidecode').stderr == \"\" ) {\n command('dmidecode').stdout\n} else {\n command('cat /sys/class/dmi/id/*').stdout\n}\n", - "code_id": "ZJZioSC1GrU=", - "checksum": "DlgeOOyn+F4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-dmidecode", - "type": "\u000c", - "title": "Dumping a computer's DMI" - }, - { - "query": "esxi.host.properties[\"summary\"][\"config\"][\"product\"][\"osType\"]", - "code_id": "+X2vKTNckXg=", - "checksum": "qhFizZTjoH4=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-architecture", - "type": "\n", - "title": "ESXi Architecture" - }, - { - "query": "esxi.host.properties[\"hardware\"][\"biosInfo\"][\"biosVersion\"]", - "code_id": "uequlntj9B0=", - "checksum": "2OkvpeQ2iV4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-bios-version", - "type": "\n", - "title": "ESXi BIOS Version" - }, - { - "query": "esxi.host.name", - "code_id": "tGuoHkruZi4=", - "checksum": "wfBiREnehvA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-hostname", - "type": "\u0007", - "title": "ESXi Hostname" - }, - { - "query": "esxi.host.properties[\"summary\"][\"config\"][\"product\"][\"fullName\"]", - "code_id": "fbNA895S2jQ=", - "checksum": "NaN0D5dseMM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-product-name", - "type": "\n", - "title": "ESXi Product Name" - }, - { - "query": "esxi.host.properties[\"hardware\"][\"systemInfo\"][\"uuid\"]", - "code_id": "DDY9s3dZGgM=", - "checksum": "IfCV7r6ywk4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-esxi-uuid", - "type": "\n", - "title": "ESXi UUID" - }, - { - "query": "mondoo.jobEnvironment()", - "code_id": "Vuh7b3Ox4eQ=", - "checksum": "zfo9koMJ8ho=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-job-environment", - "type": "\n", - "title": "Mondoo Job Environment" - }, - { - "query": "kernel.installed\n", - "code_id": "oyTxcyFFxp0=", - "checksum": "y//lLer+8nc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-linux-kernel-version", - "type": "\u0019\n", - "title": "Linux Kernel" - }, - { - "query": "services.where( name == /cnspec|mondoo/ ) { * }", - "code_id": "+yovg5bTe80=", - "checksum": "1dDUTg0LJTQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-mondoo-service-running-enabled", - "type": "\u0019\u000c", - "title": "Mondoo Service running and enabled" - }, - { - "query": 
"mondoo.version", - "code_id": "8PjpfkfABtA=", - "checksum": "JTmHybd1Pi4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-mondoo-version", - "type": "\u0007", - "title": "Mondoo Client Version" - }, - { - "query": "os.hostname", - "code_id": "aRSd7vfjN/s=", - "checksum": "aZba0DQBGqM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-hostname", - "type": "\u0007", - "title": "OS Hostname" - }, - { - "query": "packages.list.length", - "code_id": "JwBey59Il44=", - "checksum": "vxpIkD7sBCA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-installed-packages", - "type": "\u0005", - "title": "OS Packages" - }, - { - "query": "os.uptime", - "code_id": "dTMk4H4V270=", - "checksum": "LkMxJ/Eay0k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-os-uptime", - "type": "\t", - "title": "OS Uptime" - }, - { - "query": "platform.arch", - "code_id": "WYoL6n/GdRY=", - "checksum": "1Bat03cZPs0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-arch", - "type": "\u0007", - "title": "Platform Arch" - }, - { - "query": "platform.title", - "code_id": "CRTTMrUrqmI=", - "checksum": "SsPLMwo+a6E=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-name", - "type": "\u0007", - "title": "Platform Name" - }, - { - "query": "platform.release", - "code_id": "T9N2qxEKkfE=", - "checksum": "tyL1SUCTgF8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-platform-release", - "type": "\u0007", - "title": "Platform Release" - }, - { - "query": "vsphere.about[\"osType\"]", - "code_id": "JMkPEikiY8s=", - "checksum": "wlf12uTJ064=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-overview-vsphere-architecture", - "type": "\n", - "title": "vSphere Architecture" - }, - { - "query": "vsphere.about[\"fullName\"]", - "code_id": "0SHISIgNiQw=", - "checksum": "CVzaAQQdtnc=", - "mrn": 
"//policy.api.mondoo.app/queries/mondoo-platform-overview-vsphere-product-name", - "type": "\n", - "title": "vSphere Product Name" - }, - { - "query": "diff = platform.eol.date - time.now\nswitch {\n case diff.days \u003e 180: score(100);\n case diff.days \u003e 30: score(60);\n case diff.days \u003e 14: score(40);\n default: score(0);\n}\nplatform.eol.date\n", - "code_id": "bPfe50jtsbk=", - "checksum": "TVi2vV5Szck=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-check-platform-eol", - "type": "\u0001", - "title": "Ensure the platform is not End-of-Life", - "docs": { - "desc": "This control checks whether the platform version is end-of-life. Platform EOL is important because vendors do not support critical bug fixes and security issues after the platform EOL date.\n\nThis control uses the following scoring:\n\n- `0` for less than 14 days\n- `40` for less than 30 days\n- `60` for less than 180 days\n- `100` for more than 180 days", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker container:\n\n1. Open a terminal.\n2. Connect cnquery shell to a Docker image `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. Run the following query:\n\n```mql\ndiff = platform.eol.date - time.now; diff.days \u003e 0\n```\n\n__Example__ \n\n```mql\ncnquery\u003e diff = platform.eol.date - time.now; diff.days \u003e 0\n[failed] days \u003e 0\n expected: \u003e 0\n actual: -710\n```", - "remediation": "Upgrade the system to a supported version of the operating system or redeploy the host on a supported version of the operating system." 
- } - }, - { - "query": "kernel.installed", - "code_id": "oyTxcyFFxp0=", - "checksum": "yOKqYqZl0zU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-installed-kernels", - "type": "\u0019\n", - "title": "List of installed kernels", - "docs": { - "desc": "This data query gathers a list of kernels installed on Linux instances.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker container:\n\n1. Open a terminal.\n2. Connect cnquery shell to a remote host `cnquery shell ssh user@\u003cPUBLIC_IP\u003e -i ~/.ssh/id_rsa`.\n3. Run the following query:\n\n```mql\nkernel.installed\n```\n\n__Example__\n\n```mql\ncnquery\u003e kernel.installed\nkernel.installed: [\n 0: {\n name: \"kernel\"\n running: true\n version: \"4.14.275-207.503.amzn2\"\n }\n]\n```" - } - }, - { - "query": "score(100 - platform.advisories.cvss.score * 10)\n", - "code_id": "hrjow1BTt3c=", - "checksum": "na2IbYK3FTk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-advisories", - "type": "\u000b", - "title": "Ensure no known platform advisories exist", - "docs": { - "desc": "This query evaluates the `platform.vulnerabilityReport` data and translates platform advisory scores from the Common Vulnerability Scoring System (CVSSv3.1) to the Mondoo Scoring system. The check will fail when critical security advisories are found.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker image:\n\n1. Open a terminal.\n2. Connect cnquery shell to a docker container `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. 
Run the following query:\n\n```mql\nscore(100 - platform.advisories.cvss.score * 10)\n```\n\n__Example__\n\n```mql\ncnquery\u003e score(100 - platform.advisories.cvss.score * 10)\nscore: 7\n```\n\nThis score translates from CVSSv3.1 to the Mondoo Scoring system as follows:\n\n```\nCVSS 7.8 =\u003e high\nMondoo: D score: 22/100\n```", - "remediation": "If a fix is available, scan results will include the version with the required fix:\n\n```\nVulnerabilities:\n ■ SCORE PACKAGE INSTALLED FIXED AVAILABLE\n ■ 3.6 libdbi-perl 1.636-1+deb9u1 1.636-1+deb9u2 1.636-1+b1\n ■ 5 libglib2.0-data 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u3\n ■ 5 libglib2.0-0 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u2\n ■ 7.2 policykit-1 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-gobject-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-backend-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-agent-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.5 dpkg 1.18.25 1.18.26 1.18.25\n ■ 9.3 libjpeg62-turbo 1:1.5.1-2+deb9u1 1:1.5.1-2+deb9u2 1:1.5.1-2\n\nOverall CVSS score: 9.3\n```\n\nUpgrade the vulnerable package to the fix version." - } - }, - { - "query": "score(100 - platform.cves.cvss.score * 10)\n", - "code_id": "GE0TSnwqi4c=", - "checksum": "Kz03bAgJMA0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-cves", - "type": "\u000b", - "title": "Ensure no known platform CVEs exist", - "docs": { - "desc": "This query evaluates the `platform.vulnerabilityReport` data and translates platform advisory scores from the Common Vulnerability Scoring System (CVSSv3.1) to the Mondoo Scoring system. The check will fail when critical security advisories are found.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker image:\n\n1. Open a terminal.\n2. 
Connect cnquery shell to a Docker image `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. Run the following query:\n\n```mql\nscore(100 - platform.cves.cvss.score * 10)\n```\n\n__Example__\n\n```mql\ncnquery\u003e score(100 - platform.cves.cvss.score * 10)\nscore: 7\n```\n\nThis score translates from CVSSv3.1 to the Mondoo Scoring system as follows:\n\n```\nCVSS 7.8 =\u003e high\nMondoo: D score: 22/100\n```", - "remediation": "If a fix is available, scan results will include the version with the required fix:\n\n```\nVulnerabilities:\n ■ SCORE PACKAGE INSTALLED FIXED AVAILABLE\n ■ 3.6 libdbi-perl 1.636-1+deb9u1 1.636-1+deb9u2 1.636-1+b1\n ■ 5 libglib2.0-data 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u3\n ■ 5 libglib2.0-0 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u2\n ■ 7.2 policykit-1 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-gobject-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-backend-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-agent-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.5 dpkg 1.18.25 1.18.26 1.18.25\n ■ 9.3 libjpeg62-turbo 1:1.5.1-2+deb9u1 1:1.5.1-2+deb9u2 1:1.5.1-2\n\nOverall CVSS score: 9.3\n```\n\nUpgrade the vulnerable package to the fix version." - } - }, - { - "query": "diff = platform.eol.date - time.now; diff.days \u003e 0\n", - "code_id": "Z4T9M7WMZOs=", - "checksum": "UiTwKC6GH+U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-no-platform-eol", - "type": "\u0004", - "title": "Platform is not end-of-life", - "docs": { - "desc": "The Platform End-of-Life Policy by Mondoo scans Linux, Windows, FreeBSD, VMware ESXi, and VMware vSphere hosts to validate whether the platform version is end-of-life. 
Platform EOL is important because vendors do not support critical bug fixes and security issues after the platform EOL date.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker image:\n\n1. Open a terminal.\n2. Connect cnquery shell to a Docker image `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. Run the following query:\n\n```mql\ndiff = platform.eol.date - time.now; diff.days \u003e 0\n```\n\n__Example__\n\n```mql\ncnquery\u003e diff = platform.eol.date - time.now; diff.days \u003e 0\n[failed] days \u003e 0\n expected: \u003e 0\n actual: -710\n```", - "remediation": "Redeploy the host on a newer version of the operating system that is still supported by the vendor." - } - }, - { - "query": "platform.vulnerabilityReport", - "code_id": "sh0cUmgsW5Y=", - "checksum": "Sc3Sz2/+I9k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-platform-advisories-report", - "type": "\n", - "title": "Collect Platform Advisory Data", - "docs": { - "desc": "This control runs the `platform.vulnerabilityReport` resource, which returns data with the CVEs and Advisories for the platform.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker image:\n\n1. Open a terminal.\n2. Connect cnquery shell to a Docker image `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. 
Run the following query:\n\n```mql\nplatform.vulnerabilityReport\n```\n\n__Example__\n\n```mql\ncnquery\u003e platform.vulnerabilityReport\nplatform.vulnerabilityReport: {\n advisories: [\n 0: {\n ID: \"DLA-3037-1\"\n Mrn: \"//vadvisor.api.mondoo.app/advisories/DLA-3037-1\"\n affected: [\n 0: {\n affected: true\n arch: \"arm64\"\n available: \"1:1.5.1-2\"\n format: \"deb\"\n name: \"libjpeg62-turbo\"\n origin: \"libjpeg-turbo\"\n score: 93.000000\n version: \"1:1.5.1-2+deb9u1\"\n }\n ]\n cves: [\n 0: {\n ID: \"CVE-2019-2201\"\n Mrn: \"//vadvisor.api.mondoo.app/cves/CVE-2019-2201\"\n cvss: [\n 0: {\n score: 7.800000\n source: \"cve://nvd/2019\"\n vector: \"7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n 1: {\n score: 9.300000\n source: \"cve://nvd/2019\"\n vector: \"9.3/AV:N/AC:M/Au:N/C:C/I:C/A:C\"\n }\n 2: {\n score: 7.800000\n source: \"cve://redhat/2019\"\n vector: \"7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n 3: {\n score: 6.300000\n source: \"cve://redhat/2019\"\n vector: \"6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\"\n }\n ]\n cwe: \"CWE-787\"\n modified: \"2022-06-02T14:15:00Z\"\n published: \"2019-11-13T18:15:00Z\"\n score: 7.800000\n summary: \"In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. 
User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120551338\"\n url: \"https://nvd.nist.gov/vuln/detail/CVE-2019-2201\"\n worstScore: {\n score: 7.800000\n source: \"cve://nvd/2019\"\n vector: \"7.8/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n }\n ]\n...\n```", - "remediation": "If a fix is available, scan results will include the version with the required fix:\n\n```\nVulnerabilities:\n ■ SCORE PACKAGE INSTALLED FIXED AVAILABLE\n ■ 3.6 libdbi-perl 1.636-1+deb9u1 1.636-1+deb9u2 1.636-1+b1\n ■ 5 libglib2.0-data 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u3\n ■ 5 libglib2.0-0 2.50.3-2+deb9u2 2.50.3-2+deb9u3 2.50.3-2+deb9u2\n ■ 7.2 policykit-1 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-gobject-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-backend-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.2 libpolkit-agent-1-0 0.105-18+deb9u1 0.105-18+deb9u2 0.105-18+deb9u1\n ■ 7.5 dpkg 1.18.25 1.18.26 1.18.25\n ■ 9.3 libjpeg62-turbo 1:1.5.1-2+deb9u1 1:1.5.1-2+deb9u2 1:1.5.1-2\n\nOverall CVSS score: 9.3\n```\n\nUpgrade the vulnerable package to the fixed version." - } - }, - { - "query": "platform.eol.date", - "code_id": "ngdr9sligD8=", - "checksum": "pXaWTbGl4Yw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-platform-vulnerability-platform-eol-date", - "type": "\t", - "title": "Platform End-of-Life Date", - "docs": { - "desc": "This data query gathers the end-of-life date from the platform.", - "audit": "cnquery shell can be used to connect to supported local or remote systems to execute MQL queries. The following example connects cnquery shell to a Docker container:\n\n1. Open a terminal.\n2. Connect cnquery shell to a Docker image `cnquery shell docker image ghcr.io/OWNER/IMAGE_NAME`.\n3. 
Run the following query:\n\n```mql\ndiff = platform.eol.date - time.now; diff.days \u003e 0\n```\n\n__Example__\n\n```mql\ncnquery\u003e diff = platform.eol.date - time.now; diff.days \u003e 0\n[failed] days \u003e 0\n expected: \u003e 0\n actual: -710\n```", - "remediation": "N/A" - }, - "refs": [ - { - "title": "OS-EOL", - "url": "https://wiki.cs.vt.edu/wiki/OS-EOL" - } - ] - }, - { - "query": "secpol.privilegerights['SeDebugPrivilege'].length == null\n", - "code_id": "Rv6wI8Dxgz0=", - "checksum": "1ycu0vCuScI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-2.2.19-l1-ensure-debug-programs-is-empty", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure 'Debug programs' is set to ''", - "docs": { - "desc": "This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new system components will need it.\n\nThe recommended state for this setting is empty.\n\n\u003e Note: This user right is considered a \"sensitive privilege\" for the purposes of auditing.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to \"\":\n\n```\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment\\Debug programs\n```" - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'RunAsPPL') {\n value == 1\n}\n", - "code_id": "SnTLLkMNSfQ=", - "checksum": "HBbYLjA50HE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-additional-LSA-protection", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure additional LSA protection is enabled", - "docs": { - "desc": "Local 
Security Authority (LSA) protection is a security feature in Microsoft Windows operating systems that helps to prevent credential theft and other types of attacks that can compromise system security.\n\nThe LSA is responsible for enforcing security policies and managing various security-related tasks, such as authentication and authorization, on a local system. It stores sensitive information such as passwords, user account information, and security tokens.\n\nLSA protection enhances the security of these sensitive information by restricting access to the LSA subsystem to authorized processes only. It prevents malicious software from accessing or manipulating the LSA, thereby reducing the risk of credential theft and other types of attacks.\n\nLSA protection is implemented through the use of several techniques such as code integrity checks, access controls, and system call filtering. These techniques work together to prevent unauthorized access and ensure that only trusted processes can interact with the LSA subsystem.\n\nOverall, LSA protection is an important security feature that helps to secure Windows systems and protect against various types of attacks that can compromise system security.", - "remediation": "Enable LSA protection via GPO:\n\n - Open the Group Policy Management Console (GPMC).\n - Create a new GPO that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.\n - Right-click the GPO, and then click Edit to open the Group Policy Management Editor.\n - Expand Computer Configuration, expand Preferences, and then expand Windows Settings.\n - Right-click Registry, point to New, and then click Registry Item. 
The New Registry Properties dialog box appears.\n - In the Hive list, click HKEY_LOCAL_MACHINE.\n - In the Key Path list, browse to SYSTEM\\CurrentControlSet\\Control\\Lsa.\n - In the Value name box, type RunAsPPL.\n - In the Value type box, click the REG_DWORD.\n - In the Value data box, type 00000001.\n - Click OK." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fDenyTSConnections') {\n value == 1\n}\n", - "code_id": "HBW2U6ihXwc=", - "checksum": "IbjF4es4TTk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-allow-users-to-connect-remotely-by-using-remote-desktop-services-is-set-to-", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'", - "docs": { - "desc": "This policy setting allows you to configure remote access to computers by using Remote Desktop Services.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Connections\\\\Allow users to connect remotely by using Remote Desktop Services\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Allow users to connect remotely using Terminal Services_\n, but it was renamed to _Allow users to connect remotely using Remote Desktop Services_\nin the Windows 7 \u0026 Server 2008 R2 Administrative Templates. 
It was finally renamed (again) to _Allow users to connect remotely by using Remote Desktop Services_\nstarting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nNone - this is the default configuration, unless Remote Desktop Services has been manually enabled on the Remote tab in the System Properties sheet." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fPromptForPassword') {\n value == 1\n}\n", - "code_id": "SUCfy9XEtpU=", - "checksum": "AVcut8Q5D3c=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-always-prompt-for-password-upon-connection-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Always prompt for password upon connection' is set to 'Enabled'", - "docs": { - "desc": "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. 
You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Security\\\\Always prompt for password upon connection\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn the Microsoft Windows Vista Administrative Templates, this setting was named _Always prompt client for password upon connection_, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates.\n\n**Impact:**\n\nUsers cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They will be prompted for a password to log on." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Application', name: 'Retention') {\n value == '0'\n}\n", - "code_id": "UEsMCNGgYpY=", - "checksum": "6FonPEVkZCQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-application-control-event-log-behavior-when-the-log-file-reaches-its-maximum", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'", - "docs": { - "desc": "This policy setting controls Event Log behavior when the log file reaches its maximum size.\n\nThe recommended state for this setting is: `Disabled`.\n\n**Note:**\nOld events may or may not be retained according to the _Backup log automatically when full_\npolicy setting.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Application\\\\Control Event Log behavior when the log file reaches its maximum size\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Retain old events_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Application', name: 'MaxSize') {\n value \u003e= 32768\n}\n", - "code_id": "mq20d5RjIsA=", - "checksum": "l4uULtmGyvQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-application-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'", - "docs": { - "desc": "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.\n\nThe recommended state for this setting is: `Enabled: 32,768 or greater`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: 32,768 or greater`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Application\\\\Specify the maximum log file size (KB)\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Maximum Log Size (KB)_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nWhen event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. 
To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed.\n\nThe consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data.\n\nIdeally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System', name: 'LocalAccountTokenFilterPolicy') {\n value == 0\n}\n", - "code_id": "4mLj5ehmzQk=", - "checksum": "iNZgj/lwUX8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-apply-uac-restrictions-to-local-accounts-on-network-logons-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 90 - }, - "title": "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'", - "docs": { - "desc": "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk.\n\n**Enabled:**\nApplies UAC token-filtering to local accounts on network logons. 
Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the `LocalAccountTokenFilterPolicy` registry value to `0`. This is the default behavior for Windows.\n\n**Disabled:**\nAllows local accounts to have full administrative rights when authenticating via network logon, by configuring the `LocalAccountTokenFilterPolicy` registry value to `1`.\n\nFor more information about local accounts and credential theft, review the \" [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques](https://www.microsoft.com/en-us/download/details.aspx?id=36036)\n\" documents.\n\nFor more information about `LocalAccountTokenFilterPolicy`, see Microsoft Knowledge Base article 951016: [Description of User Account Control and remote restrictions in Windows Vista](https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction).\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\Apply UAC restrictions to local accounts on network logons\n```\n\n**Note:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at \n[this link](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084).\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Account Lockout').list {\n inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "5dcxWMIf0hA=", - "checksum": "9FtSGNDOcvc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-account-lockout-is-set-to-include-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Account Lockout' is set to include 'Failure'", - "docs": { - "desc": "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:\n\n- 4625: An account failed to log on.\n\nThe recommended state for this setting is to include: `Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Account Lockout\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Application Group Management').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "7Tx/TKE5X/U=", - "checksum": "FFgBMGmtxE8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-application-group-management-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Application Group Management' is set to 'Success and Failure'", - "docs": { - "desc": "This policy setting allows you to audit events generated by changes to application groups such as the following:\n\n- Application group is created, changed, or deleted.\n- Member is added or removed from an application group.\n\nApplication groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at [MSDN - Windows Authorization Manager](https://msdn.microsoft.com/en-us/library/bb897401.aspx).\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Account Management\\\\Audit Application Group Management\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. 
Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Audit Policy Change').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "78xMsd8EW54=", - "checksum": "/1YOgKmPiVM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-audit-policy-change-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Audit Policy Change' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:\n\n- 4715: The audit policy (SACL) on an object was changed.\n- 4719: System audit policy was changed.\n- 4902: The Per-user audit policy table was created.\n- 4904: An attempt was made to register a security event source.\n- 4905: An attempt was made to unregister a security event source.\n- 4906: The CrashOnAuditFail value has changed.\n- 4907: Auditing settings on object were changed.\n- 4908: Special Groups Logon table modified.\n- 4912: Per User Audit Policy was changed.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Policy Change\\\\Audit Audit Policy Change\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Authentication Policy Change').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "yQUlLguSl+s=", - "checksum": "HDI7hGXCRL4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-authentication-policy-change-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Authentication Policy Change' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports changes in authentication policy. Events for this subcategory include:\n\n- 4706: A new trust was created to a domain.\n- 4707: A trust to a domain was removed.\n- 4713: Kerberos policy was changed.\n- 4716: Trusted domain information was modified.\n- 4717: System security access was granted to an account.\n- 4718: System security access was removed from an account.\n- 4739: Domain Policy was changed.\n- 4864: A namespace collision was detected.\n- 4865: A trusted forest information entry was added.\n- 4866: A trusted forest information entry was removed.\n- 4867: A trusted forest information entry was modified.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Policy Change\\\\Audit Authentication Policy Change\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings 
are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Authorization Policy Change').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "6lW70q4ZCMM=", - "checksum": "WeGTyVihF6M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-authorization-policy-change-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Authorization Policy Change' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports changes in authorization policy. 
Events for this subcategory include:\n\n- 4704: A user right was assigned.\n- 4705: A user right was removed.\n- 4706: A new trust was created to a domain.\n- 4707: A trust to a domain was removed.\n- 4714: Encrypted data recovery policy was changed.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Policy Change\\\\Audit Authorization Policy Change\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Credential Validation').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "U+jCPhPF98o=", - "checksum": "a+eyvkgHuqE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-credential-validation-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Audit Credential Validation' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. 
For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include:\n\n- 4774: An account was mapped for logon.\n- 4775: An account could not be mapped for logon.\n- 4776: The Domain Controller attempted to validate the credentials for an account.\n- 4777: The Domain Controller failed to validate the credentials for an account.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Account Logon\\\\Audit Credential Validation\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Detailed File Share').list {\n inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "oxK/kv/4Yfk=", - "checksum": "DwuZwBPOQNc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-detailed-file-share-is-set-to-include-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Detailed File Share' is set to include 'Failure'", - "docs": { - "desc": "This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include:\n\n- 5145: network share object was checked to see whether client can be granted desired access.\n\nThe recommended state for this setting is to include: `Failure`", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Object Access\\\\Audit Detailed File Share\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'File Share').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "1RnqpdM9kV0=", - "checksum": "I5xAT/pFlHw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-file-share-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit File Share' is set to 'Success and Failure'", - "docs": { - "desc": "This policy setting allows you to audit attempts to access a shared folder.\n\nThe recommended state for this setting is: `Success and Failure`.\n\n**Note:**\nThere are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Object Access\\\\Audit File Share\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'SCENoApplyLegacyAuditPolicy') {\n value == 1\n}\n", - "code_id": "MgXEK/4CCQM=", - "checksum": "L5AutIxsl20=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-force-audit-policy-subcategory-settings-windows-vista-or-later-to-override", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'", - "docs": { - "desc": "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista.\n\nThe Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Important:**\nBe very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings\n```\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Group Membership').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "2sx6Dpifmyg=", - "checksum": "v6yAm2gp+bA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-group-membership-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Group Membership' is set to include 'Success'", - "docs": { - "desc": "This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.\n\nThe recommended state for this setting is to include: `Success`.\n\n**Note:**\nA Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Group Membership\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. 
Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'IPsec Driver').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "EUV5ji7LKtM=", - "checksum": "l9J7JRAnyg4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-ipsec-driver-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include:\n\n- 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.\n- 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.\n- 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.\n- 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.\n- 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. 
This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.\n- 5478: IPsec Services has started successfully.\n- 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\n- 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\n- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.\n- 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\n- 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\System\\\\Audit IPsec Driver\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Logoff').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "Ye9hehHpTVA=", - "checksum": "4+fUp4cpL9U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-logoff-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Logoff' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. 
Events for this subcategory include:\n\n- 4634: An account was logged off.\n- 4647: User initiated logoff.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Logoff\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Logon').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "MMXw+Jf59zY=", - "checksum": "8yn7WWULjQA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-logon-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Logon' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. 
If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:\n\n- 4624: An account was successfully logged on.\n- 4625: An account failed to log on.\n- 4648: A logon was attempted using explicit credentials.\n- 4675: SIDs were filtered.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Logon\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'MPSSVC Rule-Level Policy Change').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "MawCtMw0sJQ=", - "checksum": "KkBHm4VyPYQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-mpssvc-rule-level-policy-change-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include:\n\n- 4944: The following policy was active when the Windows Firewall started.\n- 4945: A rule was listed when the Windows Firewall started.\n- 4946: A change has been made to Windows Firewall exception list. A rule was added.\n- 4947: A change has been made to Windows Firewall exception list. A rule was modified.\n- 4948: A change has been made to Windows Firewall exception list. A rule was deleted.\n- 4949: Windows Firewall settings were restored to the default values.\n- 4950: A Windows Firewall setting has changed.\n- 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.\n- 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.\n- 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.\n- 4954: Windows Firewall Group Policy settings have changed. 
The new settings have been applied.\n- 4956: Windows Firewall has changed the active profile.\n- 4957: Windows Firewall did not apply the following rule.\n- 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.\n\n\nThe recommended state for this setting is : `Success and Failure`", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Policy Change\\\\Audit MPSSVC Rule-Level Policy Change\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Other Logon/Logoff Events').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "DGUmKRAdlGI=", - "checksum": "B9BECDYBSwE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-logonlogoff-events-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:\n\n- 4649: A replay attack was detected.\n- 4778: A session was reconnected to a Window Station.\n- 4779: A session was disconnected from a Window Station.\n- 4800: The workstation was locked.\n- 4801: The workstation was unlocked.\n- 4802: The screen saver was invoked.\n- 4803: The screen saver was dismissed.\n- 5378: The requested credentials delegation was disallowed by policy.\n- 5632: A request was made to authenticate to a wireless network.\n- 5633: A request was made to authenticate to a wired network.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Other Logon/Logoff Events\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Other Object Access Events').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "zBUfMcWl7aE=", - "checksum": "7QtNQGXd5iM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-object-access-events-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'", - "docs": { - "desc": "This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.\n\nFor scheduler jobs, the following are audited:\n\n- Job created.\n- Job deleted.\n- Job enabled.\n- Job disabled.\n- Job updated.\n\nFor COM+ objects, the following are audited:\n\n- Catalog object added.\n- Catalog object updated.\n- Catalog object deleted.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Object Access\\\\Audit Other Object Access Events\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Other Policy Change Events').list {\n inclusionsetting == 'Failure' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "4n5Tc79dHlA=", - "checksum": "c2Ka7unNVK8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-policy-change-events-is-set-to-include-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'", - "docs": { - "desc": "This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.\n\n- 5063: A cryptographic provider operation was attempted.\n- 5064: A cryptographic context operation was attempted.\n- 5065: A cryptographic context modification was attempted.\n- 5066: A cryptographic function operation was attempted.\n- 5067: A cryptographic function modification was attempted.\n- 5068: A cryptographic function provider operation was attempted.\n- 5069: A cryptographic function property operation was attempted.\n- 5070: A cryptographic function property modification was attempted.\n- 6145: One or more errors occurred while processing security policy in the Group Policy Objects.\n\nThe recommended state for this setting is to include: `Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include 
`Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Policy Change\\\\Audit Other Policy Change Events\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Other System Events').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "upOBa/jhjh4=", - "checksum": "I4QHKpTQwew=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-other-system-events-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Other System Events' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports on other system events. Events for this subcategory include:\n\n- 5024 : The Windows Firewall Service has started successfully.\n- 5025 : The Windows Firewall Service has been stopped.\n- 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.\n- 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.\n- 5029: The Windows Firewall Service failed to initialize the driver. 
The service will continue to enforce the current policy.\n- 5030: The Windows Firewall Service failed to start.\n- 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.\n- 5033 : The Windows Firewall Driver has started successfully.\n- 5034 : The Windows Firewall Driver has been stopped.\n- 5035 : The Windows Firewall Driver failed to start.\n- 5037 : The Windows Firewall Driver detected critical runtime error. Terminating.\n- 5058: Key file operation.\n- 5059: Key migration operation.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\System\\\\Audit Other System Events\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Plug and Play Events').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "GTB0gMblhXA=", - "checksum": "oli8k5ZcWIY=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-pnp-activity-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit PNP Activity' is set to include 'Success'", - "docs": { - "desc": "This policy setting allows you to audit when plug and play detects an external device.\n\nThe recommended state for this setting is to include: `Success`.\n\n**Note:**\nA Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Detailed Tracking\\\\Audit PNP Activity\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Process Creation').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "9A55qevWArU=", - "checksum": "jrImE3+FuvQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-process-creation-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Process Creation' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include:\n\n- 4688: A new process has been created.\n- 4696: A primary token was assigned to process.\n\nRefer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226)\nfor the most recent information about this setting.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Detailed Tracking\\\\Audit Process Creation\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Removable Storage').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "47CaQ0SP344=", - "checksum": "hn6K/IQ0AUU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-removable-storage-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Removable Storage' is set to 'Success and Failure'", - "docs": { - "desc": "This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.\n\nThe recommended state for this setting is: `Success and Failure`.\n\n**Note:**\nA Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Object Access\\\\Audit Removable Storage\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Security Group Management').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "L9ffj7sRFDo=", - "checksum": "9FfrQkwlbq8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-group-management-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Security Group Management' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. 
Events for this subcategory include:\n\n- 4727: A security-enabled global group was created.\n- 4728: A member was added to a security-enabled global group.\n- 4729: A member was removed from a security-enabled global group.\n- 4730: A security-enabled global group was deleted.\n- 4731: A security-enabled local group was created.\n- 4732: A member was added to a security-enabled local group.\n- 4733: A member was removed from a security-enabled local group.\n- 4734: A security-enabled local group was deleted.\n- 4735: A security-enabled local group was changed.\n- 4737: A security-enabled global group was changed.\n- 4754: A security-enabled universal group was created.\n- 4755: A security-enabled universal group was changed.\n- 4756: A member was added to a security-enabled universal group.\n- 4757: A member was removed from a security-enabled universal group.\n- 4758: A security-enabled universal group was deleted.\n- 4764: A group's type was changed.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success:`\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Account Management\\\\Audit Security Group Management\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Security State Change').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "6wfyqIHs+WI=", - "checksum": "XUcpRgwrf2o=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-state-change-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Security State Change' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include:\n\n- 4608: Windows is starting up.\n- 4609: Windows is shutting down.\n- 4616: The system time was changed.\n- 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\System\\\\Audit Security State Change\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Security System Extension').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "ENQHeEV4se0=", - "checksum": "OIAE7Q1joR8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-security-system-extension-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Security System Extension' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include:\n\n- 4610: An authentication package has been loaded by the Local Security Authority.\n- 4611: A trusted logon process has been registered with the Local Security Authority.\n- 4614: A notification package has been loaded by the Security Account Manager.\n- 4622: A security package has been loaded by the Local Security Authority.\n- 4697: A service was installed in the system.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\System\\\\Audit Security System Extension\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. 
Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'Sensitive Privilege Use').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "mGRCDRNaaCQ=", - "checksum": "OzfdQjDJxs0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-sensitive-privilege-use-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights:\n\n- Act as part of the operating system\n- Back up files and directories\n- Create a token object\n- Debug programs\n- Enable computer and user accounts to be trusted for delegation\n- Generate security audits\n- Impersonate a client after authentication\n- Load and unload device drivers\n- Manage auditing and security log\n- Modify firmware environment values\n- Replace a process-level token\n- Restore files and directories\n- Take ownership of files or other objects\n\nAuditing this subcategory will create a high volume of events. 
Events for this subcategory include:\n\n- 4672: Special privileges assigned to new logon.\n- 4673: A privileged service was called.\n- 4674: An operation was attempted on a privileged object.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Privilege Use\\\\Audit Sensitive Privilege Use\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA', name: 'CrashOnAuditFail') {\n value == 0\n}\n", - "code_id": "nOpFd8vCovo=", - "checksum": "v2X8+tz3Qls=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-shut-down-system-immediately-if-unable-to-log-security-audits", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'", - "docs": { - "desc": "This policy setting determines whether the system shuts down if it is unable to log Security events. 
It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.\n\nIf the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Audit: Shut down system immediately if unable to log security audits\n```\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "auditpol.where(subcategory == 'Special Logon').list {\n inclusionsetting == 'Success' || inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "zMPNrD5MnoE=", - "checksum": "e/sQ32DFU5M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-special-logon-is-set-to-include-success", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit Special Logon' is set to include 'Success'", - "docs": { - "desc": "This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include:\n\n- 4964 : Special groups have been assigned to a new logon.\n\nThe recommended state for this setting is to include: `Success`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to include `Success`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Logon/Logoff\\\\Audit Special Logon\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "auditpol.where(subcategory == 'System Integrity').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "EbYydBRbj6c=", - "checksum": "CqG+XwXCWPg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-system-integrity-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit System Integrity' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:\n\n- 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.\n- 4615 : Invalid use of LPC port.\n- 4618 : A monitored security event pattern has occurred.\n- 4816 : RPC detected an integrity violation while decrypting an incoming message.\n- 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\n- 5056: A cryptographic self test was performed.\n- 5057: A cryptographic primitive operation failed.\n- 5060: Verification operation failed.\n- 5061: Cryptographic operation.\n- 5062: A kernel-mode cryptographic self test was performed.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure:`\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\System\\\\Audit System Integrity\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. 
However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." - } - }, - { - "query": "auditpol.where(subcategory == 'User Account Management').list {\n inclusionsetting == 'Success and Failure'\n}\n", - "code_id": "iKmAbnZoV28=", - "checksum": "aml4ly2z2RM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-audit-user-account-management-is-set-to-success-and-failure", - "type": "\u0019\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Audit User Account Management' is set to 'Success and Failure'", - "docs": { - "desc": "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. 
Events for this subcategory include:\n\n- 4720: A user account was created.\n- 4722: A user account was enabled.\n- 4723: An attempt was made to change an account's password.\n- 4724: An attempt was made to reset an account's password.\n- 4725: A user account was disabled.\n- 4726: A user account was deleted.\n- 4738: A user account was changed.\n- 4740: A user account was locked out.\n- 4765: SID History was added to an account.\n- 4766: An attempt to add SID History to an account failed.\n- 4767: A user account was unlocked.\n- 4780: The ACL was set on accounts which are members of administrators groups.\n- 4781: The name of an account was changed:\n- 4794: An attempt was made to set the Directory Services Restore Mode.\n- 5376: Credential Manager credentials were backed up.\n- 5377: Credential Manager credentials were restored from a backup.\n\nThe recommended state for this setting is: `Success and Failure`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Success and Failure`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Advanced Audit Policy Configuration\\\\Audit Policies\\\\Account Management\\\\Audit User Account Management\n```\n\n**Impact:**\n\nIf no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10', name: 'Start') {\n value == 4\n}\n", - "code_id": "3Jo9ybVwoY4=", - "checksum": "pKgh0CUTQkc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-configure-smb-v1-client-driver-is-set-to-enabled-disable-driver-recommended", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'", - "docs": { - "desc": "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service ( `MRxSmb10` ), which is recommended to be disabled.\n\nThe recommended state for this setting is: `Enabled: Disable driver (recommended)`.\n\n**Note:**\nDo not, _under any circumstances_, configure this overall setting as `Disabled`, as doing so will delete the underlying registry entry altogether, which will cause serious problems.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: Disable driver (recommended)`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\Configure SMB v1 client driver\n```\n\n**Note:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at [this link](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084)\n\n**Impact:**\n\nSome legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. 
Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: [SMB1 Product Clearinghouse \\| Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/)" - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters', name: 'SMB1') {\n value == 0\n}\n", - "code_id": "o9GzckDS9RU=", - "checksum": "445yleH9FA8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-configure-smb-v1-server-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Configure SMB v1 server' is set to 'Disabled'", - "docs": { - "desc": "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\Configure SMB v1 server\n```\n\n**Note:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at [this link](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084)\n\n**Impact:**\n\nSome legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. 
Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: [SMB1 Product Clearinghouse \\| Storage at Microsoft](https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/)" - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fDisableCcm') {\n value == 1\n}\n", - "code_id": "j4aPwmM8jfk=", - "checksum": "b2u+VgJf8Gs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-com-port-redirection-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Do not allow COM port redirection' is set to 'Enabled'", - "docs": { - "desc": "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Device and Resource Redirection\\\\Do not allow COM port redirection\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nUsers in a Remote Desktop Services session will not be able to redirect server data to local (client) COM ports." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fDisableCdm') {\n value == 1\n}\n", - "code_id": "UMoIATt0jbE=", - "checksum": "uZRYmTdjQec=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-drive-redirection-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Do not allow drive redirection' is set to 'Enabled'", - "docs": { - "desc": "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format:\n\n`\\\\\\TSClient\\\\\u003cdriveletter\u003e$`\n\nIf local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them.\n\nThe recommended state for this setting is: `Enabled`\n.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Device and Resource Redirection\\\\Do not allow drive redirection\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nDrive redirection will not be possible. In most situations, traditional network drive mapping to file shares (including administrative shares) performed manually by the connected user will serve as a capable substitute to still allow file transfers when needed." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fDisableLPT') {\n value == 1\n}\n", - "code_id": "hgHutxa2PdM=", - "checksum": "PO1pI/tch2g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-lpt-port-redirection-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'", - "docs": { - "desc": "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Device and Resource Redirection\\\\Do not allow LPT port redirection\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nUsers in a Remote Desktop Services session will not be able to redirect server data to local (client) LPT ports." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'DisablePasswordSaving') {\n value == 1\n}\n", - "code_id": "LLS7i+ZxLhw=", - "checksum": "FK7HOdwuj6o=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-passwords-to-be-saved-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'", - "docs": { - "desc": "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nIf this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Connection Client\\\\Do not allow passwords to be saved\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nThe password saving checkbox will be disabled for Remote Desktop clients and users will not be able to save passwords." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fDisablePNPRedir') {\n value == 1\n}\n", - "code_id": "yl2r2tt9ckI=", - "checksum": "7JAKECYPbAg=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-allow-supported-plug-and-play-device-redirection-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'", - "docs": { - "desc": "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Device and Resource Redirection\\\\Do not allow supported Plug and Play device redirection\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nUsers in a Remote Desktop Services session will not be able to redirect their supported (local client) Plug and Play devices to the remote computer." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'DeleteTempDirsOnExit') {\n value == 1\n}\n", - "code_id": "iuHMvJHFByU=", - "checksum": "FsZbe3VcDr8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-do-not-delete-temp-folders-upon-exit-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'", - "docs": { - "desc": "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Temporary Folders\\\\Do not delete temp folders upon exit\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was named _Do not delete temp folder upon exit_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel', name: 'DisableExceptionChainValidation') {\n value == 0\n}\n", - "code_id": "Bc8gvgYn5tU=", - "checksum": "hmyVhSwGEyc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-enable-structured-exception-handling-overwrite-protection-sehop-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'", - "docs": { - "desc": "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\Enable Structured Exception Handling Overwrite Protection (SEHOP)\n```\n\n**Note:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at [this link](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084)\n\nMore information is available at [How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems](https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop)\n\n**Impact:**\n\nAfter you enable SEHOP, existing versions of Cygwin, Skype, and Armadillo-protected applications may not work correctly." 
- } - }, - { - "query": "secpol.systemaccess['PasswordHistorySize'] \u003e= 24\n", - "code_id": "Ac2kohysOHs=", - "checksum": "7/X4owZmd2g=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-enforce-password-history-is-set-to-24-or-more-passwords", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure 'Enforce password history' is set to '24 or more password(s)'", - "docs": { - "desc": "This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.\n\nThe recommended state for this setting is: `24 or more password(s)`.\n\n**Note:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.\n\n**Note #2:**\nAs of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. 
For more information, please visit [Enforce password history (Windows 10) - Windows security \\| Microsoft Docs](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history#:~:text=The%20Enforce%20password%20history%20policy,a%20long%20period%20of%20time.)", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `24 or more password(s)`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Enforce password history\n```\n\n**Impact:**\n\nThe major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently." - } - }, - { - "query": "secpol.systemaccess['MaximumPasswordAge'] \u003c= 365\nsecpol.systemaccess['MaximumPasswordAge'] \u003e 0\n", - "code_id": "nKi/99liyyw=", - "checksum": "KUWOIrQHP34=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-maximum-password-age-is-set-to-365-or-fewer-days-but-not-0", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'", - "docs": { - "desc": "This policy setting defines how long a user can use their password before it expires.\n\nValues for this policy setting range from 0 to 999 days. 
If you set the value to 0, the password will never expire.\n\nBecause attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.\n\nThe recommended state for this setting is `365 or fewer days, but not 0`.\n\n**Note:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `365 or fewer days, but not 0`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Maximum password age\n```\n\n**Impact:**\n\nIf the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts." 
- } - }, - { - "query": "secpol.systemaccess['MinimumPasswordAge'] \u003e= 1\n", - "code_id": "ta+WCEW9LEk=", - "checksum": "pP4BYte+vsQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-minimum-password-age-is-set-to-1-or-more-days", - "type": "\u0004", - "severity": { - "value": 60 - }, - "title": "Ensure 'Minimum password age' is set to '1 or more day(s)'", - "docs": { - "desc": "This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.\n\nThe recommended state for this setting is: `1 or more day(s))`.\n\n**Note:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\n\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. 
However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `1 or more day(s)`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Minimum password age\n```\n\n**Impact:**\n\nIf an administrator sets a password for a user but wants that user to change the password when the user first logs on, the administrator must select the User must change password at next logon check box, or the user will not be able to change the password until the next day." - } - }, - { - "query": "secpol.systemaccess['MinimumPasswordLength'] \u003e= 14\n", - "code_id": "wCIzah1JI5M=", - "checksum": "DksZwvsYRhQ=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-minimum-password-length-is-set-to-14-or-more-characters", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure 'Minimum password length' is set to '14 or more character(s)'", - "docs": { - "desc": "This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps \"passphrase\" is a better term than \"password.\" In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as \"I want to drink a $5 milkshake\" is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. 
Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements.\n\nThe recommended state for this setting is: `14 or more character(s)`.\n\n**Note:**\nIn Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length.\n\n**Note #2:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `14 or more character(s)`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Minimum password length\n```\n\n**Impact:**\n\nRequirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. 
If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.\n\n**Note:**\nOlder versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters', name: 'NodeType') {\n value == 2\n}\n", - "code_id": "Rz4ehR/736Q=", - "checksum": "cGBt7VF9H2M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-netbt-nodetype-configuration-is-set-to-enabled-p-node-recommended", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'", - "docs": { - "desc": "This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are:\n\n- The B-node (broadcast) method only uses broadcasts.\n- The P-node (point-to-point) method only uses name queries to a name server (WINS).\n- The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed.\n- The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed.\n\nThe recommended state for this setting is: `Enabled: P-node (recommended)`\n(point-to-point).\n\n**Note:**\nResolution through LMHOSTS or DNS follows these methods. If the `NodeType` registry value is present, it overrides any `DhcpNodeType`\nregistry value. 
If neither `NodeType` nor `DhcpNodeType` is present, the computer uses B-node (broadcast) if there are no WINS servers\nconfigured for the network, or H-node (hybrid) if there is at least one WINS server configured.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: P-node (recommended)`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\NetBT NodeType configuration\n```\n\n**Note:**\nThis change does not take effect until the computer has been restarted.\n\n**Note #2:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at [this link](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-FINAL-for-Windows-10-v1903-and-Windows-Server/ba-p/701084). Please note that this setting is **only**\navailable in the _Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903_\n(or newer) release of `SecGuide.admx/adml`, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new _NetBT NodeType configuration_\nsetting.\n\n**Impact:**\n\nNetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail." 
- } - }, - { - "query": "secpol.systemaccess['LSAAnonymousNameLookup'] == 0\n", - "code_id": "LcS3AJUrLEc=", - "checksum": "zo3Lual2rDE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-allow-anonymous-sidname-translation-is-set-to-disabled", - "type": "\u0004", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'", - "docs": { - "desc": "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Allow anonymous SID/Name translation\n```\n\n**Impact:**\n\nNone - this is the default behavior." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'RestrictAnonymousSAM') {\n value == 1\n}\n", - "code_id": "aQt8sznZHHA=", - "checksum": "ZlrgxAXXtXs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-anonymous-enumeration-of-sam-accounts", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'", - "docs": { - "desc": "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. 
This policy setting also allows additional restrictions on anonymous connections.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nThis policy has no effect on Domain Controllers.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Do not allow anonymous enumeration of SAM accounts\n```\n\n**Impact:**\n\nNone - this is the default behavior. It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'RestrictAnonymous') {\n value == 1\n}\n", - "code_id": "PwE7X/F71KQ=", - "checksum": "IIcx6mgRKzM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'", - "docs": { - "desc": "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. 
If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nThis policy has no effect on Domain Controllers.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Do not allow anonymous enumeration of SAM accounts and shares\n```\n\n**Impact:**\n\nIt will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server. Users who access file and print servers anonymously will be unable to list the shared network resources on those servers; the users will have to authenticate before they can view the lists of shared folders and printers. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, `ANONYMOUS LOGON`." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'DisableDomainCreds') {\n value == 1\n}\n", - "code_id": "h3frx0U8pws=", - "checksum": "wbTHICS6yw4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-auth", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'", - "docs": { - "desc": "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nChanges to this setting will not take effect until Windows is restarted.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Do not allow storage of passwords and credentials for network authentication\n```\n\n**Impact:**\n\nCredential Manager will not store passwords and credentials on the computer. Users will be forced to enter passwords whenever they log on to their Passport account or other network resources that aren't accessible to their domain account. Testing has shown that clients running Windows Vista or Windows Server 2008 will be unable to connect to Distributed File System (DFS) shares in untrusted domains. Enabling this setting also makes it impossible to specify alternate credentials for scheduled tasks, this can cause a variety of problems. For example, some third party backup products will no longer work. 
This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory-based domain account." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'EveryoneIncludesAnonymous') {\n value == 0\n}\n", - "code_id": "HmpRlpLF3XM=", - "checksum": "db+mFsCRQAc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-let-everyone-permissions-apply-to-anonymous-users-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'", - "docs": { - "desc": "This policy setting determines what additional permissions are assigned for anonymous connections to the computer.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Let Everyone permissions apply to anonymous users\n```\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters', name: 'NullSessionPipes') {\n value == \"\"\n}\n", - "code_id": "GM6FK8MbVuM=", - "checksum": "6o4i87mOREI=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-named-pipes-that-can-be-accessed-anonymously-is-set-to-none", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'", - "docs": { - "desc": "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.\n\nThe recommended state for this setting is: `\u003cblank\u003e` (i.e. None).", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `\u003cblank\u003e` (i.e. None):\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Named Pipes that can be accessed anonymously\n```\n\n**Impact:**\n\nThis configuration will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters', name: 'RestrictNullSessAccess') {\n value == 1\n}\n", - "code_id": "EHzgSRSb0Wo=", - "checksum": "oiqU1JXSdtE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-restrict-anonymous-access-to-named-pipes-and-shares", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'", - "docs": { - "desc": "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the `Network access: Named pipes that can be accessed anonymously`and `Network access: Shares that can be accessed anonymously`\nsettings. This policy setting controls null session access to shares on your computers by adding `RestrictNullSessAccess`\nwith the value `1` in the\n\n`HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\LanManServer\\\\Parameters`\n\nregistry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Restrict anonymous access to Named Pipes and Shares\n```\n\n**Impact:**\n\nNone - this is the default behavior. 
If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipes are required to maintain trust relationships between the domains, and then add the pipe to the **Network access: Named pipes that can be accessed anonymously**\nlist:\n\n- COMNAP: SNA session access\n- COMNODE: SNA session access\n- SQL\\\\QUERY: SQL instance access\n- SPOOLSS: Spooler service\n- LLSRPC: License Logging service\n- NETLOGON: Net Logon service\n- LSARPC: LSA access\n- SAMR: Remote access to SAM objects\n- BROWSER: Computer Browser service\n\nPrevious to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increased hardening in Windows Server 2003 with SP1 these pipes must be explicitly added if needed." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa', name: 'restrictremotesam') {\n value == 'O:BAG:BAD:(A;;RC;;;BA)'\n}\n", - "code_id": "PEOif1UtUeE=", - "checksum": "usXkdFM8Rzk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-restrict-clients-allowed-to-make-remote-calls-to-sam", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'", - "docs": { - "desc": "This policy setting allows you to restrict remote RPC connections to SAM.\n\nThe recommended state for this setting is: `Administrators: Remote Access: Allow`.\n\n**Note:**\nA Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.\n\n**Note #2:**\nIf your organization is using Azure Advanced Threat Protection (APT), the service account, “AATP Service” will need to be added to the recommendation configuration. 
For more information on adding the “AATP Service” account please see [Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity \\| Microsoft Docs](https://learn.microsoft.com/en-us/defender-for-identity/install-step8-samr).", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Administrators: Remote Access: Allow`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Restrict clients allowed to make remote calls to SAM\n```\n\n**Impact:**\n\nNone - this is the default behavior." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters', name: 'NullSessionShares') {\n value == \"\"\n}\n", - "code_id": "NthJEFH3azA=", - "checksum": "u+d/oFXrESk=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-shares-that-can-be-accessed-anonymously-is-set-to-none", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'", - "docs": { - "desc": "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server.\n\nThe recommended state for this setting is: `\u003cblank\u003e` (i.e. None).", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `\u003cblank\u003e` (i.e. None):\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Shares that can be accessed anonymously\n```\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'ForceGuest') {\n value == 0\n}\n", - "code_id": "uRj7HFDDzJ4=", - "checksum": "5DwFfkZPL2o=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-access-sharing-and-security-model-for-local-accounts-is-set-to-classic", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'", - "docs": { - "desc": "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource.\n\nThe recommended state for this setting is: `Classic - local users authenticate as themselves`.\n\n**Note:**\nThis setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services).", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Classic - local users authenticate as themselves`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network access: Sharing and security model for local accounts\n```\n\n**Impact:**\n\nNone - this is the default configuration for domain-joined computers." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'UseMachineId') {\n value == 1\n}\n", - "code_id": "iH996tv3kes=", - "checksum": "l9KC6bjBQpU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-local-system-to-use-computer-identity-for-ntlm", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'", - "docs": { - "desc": "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: Allow Local System to use computer identity for NTLM\n```\n\n**Impact:**\n\nServices running as Local System that use Negotiate when reverting to NTLM authentication will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0', name: 'AllowNullSessionFallback') {\n value == 0\n}\n", - "code_id": "jUay8/snmMI=", - "checksum": "5ucF5xWaiGs=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-localsystem-null-session-fallback-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'", - "docs": { - "desc": "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: Allow LocalSystem NULL session fallback\n```\n\n**Impact:**\n\nNone - this is the default behavior. Any applications that require NULL sessions for LocalSystem will not work as designed." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\pku2u', name: 'AllowOnlineID') {\n value == 0\n}\n", - "code_id": "4StXLSRxGHM=", - "checksum": "5M/zXcXMY1I=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-allow-pku2u-authentication-requests-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'", - "docs": { - "desc": "This setting determines if online identities are able to authenticate to this computer.\n\nThe Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain.\n\nWith PKU2U, a new extension was introduced to the Negotiate authentication package, `Spnego.dll`. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, `Negoexts.dll`, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U.\n\nWhen computers are configured to accept authentication requests by using online IDs, `Negoexts.dll`\ncalls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. 
When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes.\n\nThe recommended state for this setting is: `Disabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network Security: Allow PKU2U authentication requests to this computer to use online identities\n```\n\n**Impact:**\n\nNone - this is the default configuration for domain-joined computers." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters', name: 'SupportedEncryptionTypes') {\n value == 2147483640\n}\n", - "code_id": "qM/K9k9DhfU=", - "checksum": "DR356Jnu95o=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-configure-encryption-types-allowed-for-kerberos-is-set-to-aes12", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'", - "docs": { - "desc": "This policy setting allows you to set the encryption types that Kerberos is allowed to use.\n\nThe recommended state for this setting is: `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types`.\n\n**Note:**\nSome legacy applications and OSes may still require `RC4_HMAC_MD5`\n\\- we recommend you test in your environment and verify whether you can safely remove it.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local 
Policies\\\\Security Options\\\\Network security: Configure encryption types allowed for Kerberos\n```\n\n**Impact:**\n\nIf not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.\n\n**Note:**\nSome legacy applications and OSes may still require `RC4_HMAC_MD5`\n\\- we recommend you test in your environment and verify whether you can safely remove it.\n\n**Note #2:**\nWindows Vista and below allow DES for Kerberos by default, but later OS versions do not.\n\n**Note #3:**\nSome prerequisites might need to be met on Domain Controllers to support Kerberos AES 128 and 256 bit encryption types, as well as enabling support for Kerberos AES 128 and 256 bit on user accounts (in account options) for this recommendation to work correctly.\n\n**Note #4:**\nIf your organization uses Azure Files, please note that Microsoft did not introduce AES 256 Kerberos encryption support for it until AD DS authentication module v0.2.2. 
Please see this link for more information:\n\n[Azure Files on-premises AD DS Authentication support for AES 256 Kerberos encryption \\| Microsoft Docs](https://learn.microsoftcom/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption)" - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'NoLMHash') {\n value == 1\n}\n", - "code_id": "HHJ0g5s5ifc=", - "checksum": "HC4SldgOtKE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-do-not-store-lan-manager-hash-value-on-next-password-change", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'", - "docs": { - "desc": "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked.\n\n**Note:**\nOlder operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: Do not store LAN Manager hash value on next password change\n```\n\n**Impact:**\n\nNone - this is the default behavior. 
Earlier operating systems such as Windows 95, Windows 98, and Windows ME as well as some third-party applications will fail." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa', name: 'LmCompatibilityLevel') {\n value == 5\n}\n", - "code_id": "oP8o/YPNVhs=", - "checksum": "F/iMdsF07MM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-lan-manager-authentication-level-is-set-to-send-ntlmv2-response", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM\u0026NTLM'", - "docs": { - "desc": "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:\n\n- Join a domain\n- Authenticate between Active Directory forests\n- Authenticate to down-level domains\n- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP\n- Authenticate to computers that are not in the domain\n\nThe Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.\n\nThe recommended state for this setting is: `Send NTLMv2 response only. Refuse LM \u0026 NTLM`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to: `Send NTLMv2 response only. Refuse LM \u0026 NTLM`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: LAN Manager authentication level\n```\n\n**Impact:**\n\nClients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; Domain Controllers refuse LM and NTLM (accept only NTLMv2 authentication). Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP', name: 'LDAPClientIntegrity') {\n value \u003e= 1\n}\n", - "code_id": "V0TP7az9x8Q=", - "checksum": "SKW73LzE7Rw=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-ldap-client-signing-requirements-is-set-to-negotiate-signing", - "type": "\u000c", - "severity": { - "value": 40 - }, - "title": "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher", - "docs": { - "desc": "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.\n\n**Note:**\nThis policy setting does not have any impact on LDAP simple bind ( `ldap_simple_bind`) or LDAP simple bind through SSL ( `ldap_simple_bind_s`). 
\nNo Microsoft LDAP clients that are included with Windows XP Professional use `ldap_simple_bind`or `ldap_simple_bind_s` to communicate with a Domain Controller.\n\nThe recommended state for this setting is: `Negotiate signing`. Configuring this setting to `Require signing` also conforms to the benchmark.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Negotiate signing` (configuring to `Require signing`\nalso conforms to the benchmark):\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: LDAP client signing requirements\n```\n\n**Impact:**\n\nNone - this is the default behavior. However, if you choose instead to configure the server to _require_LDAP signatures then you must also configure the client. \nIf you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, \nGroup Policy, and logon scripts, because the caller will be told that the LDAP BIND command request failed." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0', name: 'NTLMMinServerSec') {\n value == 537395200\n}\n", - "code_id": "2dpHvS+5YTo=", - "checksum": "JO4evTdF9H0=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-minimum-session-security-for-ntlm-ssp-based-servers-is-set-to-ntlmv2", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'", - "docs": { - "desc": "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). 
The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI.\n\nThe recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.\n\n**Note:**\nThese values are dependent on the _Network security: LAN Manager Authentication Level_\n(Rule 2.3.11.7) security setting value.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Require NTLMv2 session security, Require 128-bit encryption`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers\n```\n\n**Impact:**\n\nNTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not **both**\nnegotiated. Server applications that are enforcing these settings will be unable to communicate with older servers that do not support them." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0', name: 'NTLMMinClientSec') {\n value == 537395200\n}\n", - "code_id": "bmPUTSuoB70=", - "checksum": "N+E8wuGkJ1M=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-network-security-minimum-session-security-for-ntlm-ssp-clients-is-set-to-ntlmv2", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'", - "docs": { - "desc": "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. 
The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI.\n\nThe recommended state for this setting is: `Require NTLMv2 session security, Require 128-bit encryption`.\n\n**Note:**\nThese values are dependent on the _Network security: LAN Manager Authentication Level_\n(Rule 2.3.11.7) security setting value.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Require NTLMv2 session security, Require 128-bit encryption`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Local Policies\\\\Security Options\\\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\n```\n\n**Impact:**\n\nNTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not **both**\nnegotiated. Client applications that are enforcing these settings will be unable to communicate with older servers that do not support them." 
- } - }, - { - "query": "secpol.systemaccess['PasswordComplexity'] == 1\n", - "code_id": "wFyu5jvI9LE=", - "checksum": "LhjCloJdZtA=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-password-must-meet-complexity-requirements-is-set-to-enabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure 'Password must meet complexity requirements' is set to 'Enabled'", - "docs": { - "desc": "This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.\n\nWhen this policy is enabled, passwords must meet the following minimum requirements:\n\n- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters\n- Be at least six characters in length\n- Contain characters from three of the following categories:\n- English uppercase characters (A through Z)\n- English lowercase characters (a through z)\n- Base 10 digits (0 through 9)\n- Non-alphabetic characters (for example, !, $, #, %)\n- A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.\n\n\nEach additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. 
Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as \"!\" or \"@\". Proper use of the password settings can help make it difficult to mount a brute force attack.\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Password must meet complexity requirements\n```\n\n**Impact:**\n\nIf the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty.\n\nIf your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. 
(Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.\n\nAlso, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128 - 0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)" - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SAM', name: 'RelaxMinimumPasswordLengthLimits') {\n value == 1\n}\n", - "code_id": "mWwn79tawQk=", - "checksum": "Z1nprKDQ3/s=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-relax-minimum-password-length-limits-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 60 - }, - "title": "Ensure 'Relax minimum password length limits' is set to 'Enabled'", - "docs": { - "desc": "This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following [Microsoft Security Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-draft-windows-10-and-windows-server-version/ba-p/1419213).\n\nThe recommended state for this setting is: `Enabled`.\n\n**Note:**\nThis setting only affects _local_\naccounts on the computer. 
Domain accounts are only affected by settings on the Domain Controllers, because that is where domain accounts are stored.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Relax minimum password length limits\n```\n\n**Note:**\nThis setting is only available within the built-in OS security template of Windows 10 Release 2004 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you _must_\nuse a Windows 10 Release 2004 computer (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME).\n\n**Impact:**\n\nThe _Minimum password length_\nsetting may be configured higher than 14 characters.\n\nIf very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'fEncryptRPCTraffic') {\n value == 1\n}\n", - "code_id": "X7pOenDb9Dk=", - "checksum": "3hMIszzBrao=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-require-secure-rpc-communication-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Require secure RPC communication' is set to 'Enabled'", - "docs": { - "desc": "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication.\n\nYou can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Security\\\\Require secure RPC communication\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nRemote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'SecurityLayer') {\n value == 2\n}\n", - "code_id": "rg30YqBvB1c=", - "checksum": "/nGqbzQuEFE=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-require-use-of-specific-security-layer-for-remote-rdp-connections-is-set-to", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'", - "docs": { - "desc": "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.\n\nThe recommended state for this setting is: `Enabled: SSL`.\n\n**Note:**\nIn spite of this setting being labeled _SSL_, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: SSL`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Security\\\\Require use of specific security layer for remote (RDP) connections\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nTLS 1.0 will be required to authenticate to the RD Session Host server. If TLS is not supported, the connection fails.\n\n**Note:**\nBy default, this setting will use a self-signed certificate for RDP connections. 
If your organization has established the use of a Public Key Infrastructure (PKI) for SSL/TLS encryption, then we recommend that you also configure the _Server authentication certificate template_setting to instruct RDP to use a certificate from your PKI instead of a self-signed one. Note that the certificate template used for this purpose must have “Client Authentication” configured as an Intended Purpose. Note also that a valid, non-expired certificate using the specified template must already be installed on the workstation for it to work.\n\n**Note #2:**\nSome third party two-factor authentication solutions (e.g. RSA Authentication Agent) can be negatively affected by this setting, as the SSL/TLS security layer will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'UserAuthentication') {\n value == 1\n}\n", - "code_id": "1r46UeOxrGw=", - "checksum": "XgNptuTHPqM=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-require-user-authentication-for-remote-connections-by-using-network-level-a", - "type": "\u000c", - "severity": { - "value": 100 - }, - "title": "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'", - "docs": { - "desc": "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication.\n\nThe recommended state for this setting is: `Enabled`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Security\\\\Require user authentication for remote connections by using Network Level Authentication\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn the Microsoft Windows Vista Administrative Templates, this setting was initially named _Require user authentication using RDP 6.0 for remote connections_, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates.\n\n**Impact:**\n\nOnly client computers that support Network Level Authentication can connect to the RD Session Host server.\n\n**Note:**\nSome third party two-factor authentication solutions (e.g. 
RSA Authentication Agent) can be negatively affected by this setting, as Network Level Authentication will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Security', name: 'Retention') {\n value == '0'\n}\n", - "code_id": "BlJu9UtumVk=", - "checksum": "ZYk4h9WqC88=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-security-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'", - "docs": { - "desc": "This policy setting controls Event Log behavior when the log file reaches its maximum size.\n\nThe recommended state for this setting is: `Disabled`.\n\n**Note:**\nOld events may or may not be retained according to the _Backup log automatically when full_\npolicy setting.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Security\\\\Control Event Log behavior when the log file reaches its maximum size\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows 
Administrative Templates, this setting was initially named _Retain old events_\n, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Security', name: 'MaxSize') {\n value \u003e= 196608\n}\n", - "code_id": "tYdePfwO6Yo=", - "checksum": "V2NVkLsji6E=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-security-specify-the-maximum-log-file-size-kb-is-set-to-enabled-196608", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'", - "docs": { - "desc": "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.\n\nThe recommended state for this setting is: `Enabled: 196,608 or greater`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: 196,608 or greater`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Security\\\\Specify the maximum log file size (KB)\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Maximum Log Size (KB)_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nWhen event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite 
the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed.\n\nThe consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data.\n\nIdeally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'MinEncryptionLevel') {\n value == 3\n}\n", - "code_id": "XpkSztJc5Jw=", - "checksum": "bxPWW0RRm0U=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-set-client-connection-encryption-level-is-set-to-enabled-high-level", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'", - "docs": { - "desc": "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. 
This policy does not apply to SSL encryption.\n\nThe recommended state for this setting is: `Enabled: High Level`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: High Level`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Security\\\\Set client connection encryption level\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'MaxIdleTime') {\n value \u003c= 900000\n}\nregistrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'MaxIdleTime') {\n value != 0\n}\n", - "code_id": "NWE7C2p7EhA=", - "checksum": "5ceY9xu27Fo=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-set-time-limit-for-active-but-idle-remote-desktop-services-sessions-is-set", - "type": "\u0001", - "severity": { - "value": 60 - }, - "title": "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'", - "docs": { - "desc": "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.\n\nThe recommended state for this setting is: `Enabled: 15 minutes or less, but not Never (0)`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled:``15 minutes or less, but not Never (0)`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows 
Components\\\\Remote Desktop Services\\\\Remote Desktop Session Host\\\\Session Time Limits\\\\Set time limit for active but idle Remote Desktop Services sessions\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was named _Set time limit for active but idle Terminal Services sessions_, but it was renamed starting with the Windows 7 \u0026 Server 2008 R2 Administrative Templates.\n\n**Impact:**\n\nRemote Desktop Services will automatically disconnect active but idle sessions after 15 minutes (or the specified amount of time). The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. Note that idle session time limits do not apply to console sessions." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services', name: 'MaxDisconnectionTime') {\n value == 60000\n}\n", - "code_id": "qNb+Tti00x8=", - "checksum": "KHZ7Br/X6Ns=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-set-time-limit-for-disconnected-sessions-is-set-to-enabled-1-minute", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'", - "docs": { - "desc": "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.\n\nThe recommended state for this setting is: `Enabled: 1 minute`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: 1 minute`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Remote Desktop Services\\\\Remote Desktop Session 
Host\\\\Session Time Limits\\\\Set time limit for disconnected sessions\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `TerminalServer.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Impact:**\n\nDisconnected Remote Desktop sessions are deleted from the server after 1 minute. Note that disconnected session time limits do not apply to console sessions." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Setup', name: 'Retention') {\n value == '0'\n}\n", - "code_id": "loKkn01g6oE=", - "checksum": "zkb5Z7cwO38=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-setup-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'", - "docs": { - "desc": "This policy setting controls Event Log behavior when the log file reaches its maximum size.\n\nThe recommended state for this setting is: `Disabled`.\n\n**Note:**\nOld events may or may not be retained according to the _Backup log automatically when full_\npolicy setting.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Setup\\\\Control Event Log behavior when the log file reaches its maximum size\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Retain old events_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) 
Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\Setup', name: 'MaxSize') {\n value \u003e= 32768\n}\n", - "code_id": "0iu79e9Lo04=", - "checksum": "lNHi9e6YjAc=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-setup-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'", - "docs": { - "desc": "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.\n\nThe recommended state for this setting is: `Enabled: 32,768 or greater`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: 32,768 or greater`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\Setup\\\\Specify the maximum log file size (KB)\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Maximum Log Size (KB)_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nWhen event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. 
To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed.\n\nThe consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data.\n\nIdeally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities." - } - }, - { - "query": "secpol.systemaccess['ClearTextPassword'] == 0\n", - "code_id": "RopMYFmG9I0=", - "checksum": "ZPwN5/gRhf4=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-store-passwords-using-reversible-encryption-is-set-to-disabled", - "type": "\u0004", - "severity": { - "value": 100 - }, - "title": "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'", - "docs": { - "desc": "This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. 
Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.\n\nThe recommended state for this setting is: `Disabled`.\n\n**Note:**\nPassword Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy**\nGPO in order to be globally in effect on **domain**\nuser accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local**\nuser accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Windows Settings\\\\Security Settings\\\\Account Policies\\\\Password Policy\\\\Store passwords using reversible encryption\n```\n\n**Impact:**\n\nIf your organization uses either the CHAP authentication protocol through remote access or IAS services or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting is extremely dangerous to apply through Group Policy on a user-by-user basis, because it requires the appropriate user account object to be opened in Active Directory Users and Computers." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\System', name: 'Retention') {\n value == '0'\n}\n", - "code_id": "UrB8ohZ1BC0=", - "checksum": "VYi4OeX3Z1c=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-system-control-event-log-behavior-when-the-log-file-reaches-its-maximum-size", - "type": "\u000c", - "severity": { - "value": 30 - }, - "title": "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'", - "docs": { - "desc": "This policy setting controls Event Log behavior when the log file reaches its maximum size.\n\nThe recommended state for this setting is: `Disabled`.\n\n**Note:**\nOld events may or may not be retained according to the _Backup log automatically when full_\npolicy setting.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\System\\\\Control Event Log behavior when the log file reaches its maximum size\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Retain old events_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nNone - this is the default behavior." 
- } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\System', name: 'MaxSize') {\n value \u003e= 32768\n}\n", - "code_id": "qshA9tgmEyc=", - "checksum": "WizBTr0g5LU=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-system-specify-the-maximum-log-file-size-kb-is-set-to-enabled-32768", - "type": "\u000c", - "severity": { - "value": 50 - }, - "title": "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'", - "docs": { - "desc": "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.\n\nThe recommended state for this setting is: `Enabled: 32,768 or greater`.", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled: 32,768 or greater`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Windows Components\\\\Event Log Service\\\\System\\\\Specify the maximum log file size (KB)\n```\n\n**Note:**\nThis Group Policy path is provided by the Group Policy template `EventLog.admx/adml`\nthat is included with all versions of the Microsoft Windows Administrative Templates.\n\n**Note #2:**\nIn older Microsoft Windows Administrative Templates, this setting was initially named _Maximum Log Size (KB)_, but it was renamed starting with the Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates.\n\n**Impact:**\n\nWhen event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. 
To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed.\n\nThe consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data.\n\nIdeally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient', name: 'EnableMulticast') {\n value == 0\n}\n", - "code_id": "SacrPdItS9c=", - "checksum": "8OoKIcMjdl8=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-turn-off-multicast-name-resolution-is-set-to-enabled", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'Turn off multicast name resolution' is set to 'Enabled'", - "docs": { - "desc": "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. 
LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.\n\nThe recommended state for this setting is: `Enabled`", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Enabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\Network\\\\DNS Client\\\\Turn off multicast name resolution\n```\n\n**Note:**\nThis Group Policy path may not exist by default. It is provided by the Group Policy template `DnsClient.admx/adml`\nthat is included with the Microsoft Windows 8.0 \u0026 Server 2012 (non-R2) Administrative Templates (or newer).\n\n**Impact:**\n\nIn the event DNS is unavailable a system will be unable to request it from other systems on the same subnet." - } - }, - { - "query": "registrykey.property(path: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest', name: 'UseLogonCredential') {\n value == 0\n}\n", - "code_id": "XuL218rZTuc=", - "checksum": "KlH3UbfrJ7k=", - "mrn": "//policy.api.mondoo.app/queries/mondoo-windows-security-wdigest-authentication-is-set-to-disabled", - "type": "\u000c", - "severity": { - "value": 80 - }, - "title": "Ensure 'WDigest Authentication' is set to 'Disabled'", - "docs": { - "desc": "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. 
If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.\n\nFor more information about local accounts and credential theft, review the \" [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques](https://www.microsoft.com/en-us/download/details.aspx?id=36036)\" documents.\n\nFor more information about `UseLogonCredential`, see Microsoft Knowledge Base article 2871997: [Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014](https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649)\n\nThe recommended state for this setting is: `Disabled`", - "remediation": "To establish the recommended configuration via GP, set the following UI path to `Disabled`:\n\n```\nComputer Configuration\\\\Policies\\\\Administrative Templates\\\\MS Security Guide\\\\WDigest Authentication (disabling may require KB2871997)\n```\n\n**Note:**\nThis Group Policy path does not exist by default. An additional Group Policy template ( `SecGuide.admx/adml` ) is required - it is available from Microsoft at [this link](https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/)\n\n**Impact:**\n\nNone - this is also the default configuration for Windows 8.1 and newer." - } - } ] }, "reports": {