{"id":14965359,"url":"https://github.com/plus3it/ash-linux-formula","last_synced_at":"2025-10-25T11:31:39.659Z","repository":{"id":20918505,"uuid":"24206430","full_name":"plus3it/ash-linux-formula","owner":"plus3it","description":"Automated System Hardening (ash-linux) is a Salt formula to apply SCAP benchmarks to Linux systems","archived":false,"fork":false,"pushed_at":"2024-08-19T20:42:40.000Z","size":5057,"stargazers_count":17,"open_issues_count":12,"forks_count":14,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-10-30T01:03:11.784Z","etag":null,"topics":["el6","el7","enterprise-linux","linux","remediation","salt","saltstack","scap","stig"],"latest_commit_sha":null,"homepage":null,"language":"SaltStack","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/plus3it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-09-18T21:49:32.000Z","updated_at":"2024-08-19T20:42:42.000Z","dependencies_parsed_at":"2023-02-17T06:30:50.081Z","dependency_job_id":"d2ac69e9-29dd-4a4e-a406-1a5f4d4cf91a","html_url":"https://github.com/plus3it/ash-linux-formula","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plus3it%2Fash-linux-formula","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plus3it%2Fash-linux-formula/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/plus3it%2Fash-linux-formula/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/plus3it%2Fash-linux-formula/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/plus3it","download_url":"https://codeload.github.com/plus3it/ash-linux-formula/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238128561,"owners_count":19421054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["el6","el7","enterprise-linux","linux","remediation","salt","saltstack","scap","stig"],"created_at":"2024-09-24T13:34:38.454Z","updated_at":"2025-10-25T11:31:34.305Z","avatar_url":"https://github.com/plus3it.png","language":"SaltStack","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/plus3it/ash-linux-formula.svg)](https://travis-ci.org/plus3it/ash-linux-formula)\n# ash-linux-formula\n\nAutomated System Hardening (ASH) for Linux is a [Salt](http://saltstack.org) \nformula to apply security benchmarks to Linux systems. This specific security \nbundle primarily targets systems derived from the Red Hat Enterprise Linux 6 \ndistribution (typically RedHat Enterprise Linux, Community ENTerprise OS and \nScientific Linux).\n\nThis bundle also has partial applicability to upstream distributions of Red \nHat Enterprise Linux 6 (i.e., Fedora 12 and 13) as well as custom hybrids that\n share components with Red Hat Enterprise Linux (such as Amazon Linux and \nOracle Unbreakable Linux). 
The \"partial\" is a reflection that neither type of \ndistribution attempts to maintain 100% compatibility with the software \npackages or security settings prescribed by the SCAP and related documentation\n sets. This package's hardening features are \"best effort\". Some modules may \nfail to work 100% correctly and will not cover any distribution-specific \ncomponents that are not in the main EL6 distribution.\n\nThis framework primarily references security guidance derived from [SCAP \nguidance for Red Hat Enterprise Linux 6](\nhttp://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=1584). SCAP \nguidances are a joint effort between the primary distribution-vendor and the \nDefense Information Systems Agency (DISA), with contributions from security \nrepositories such as the National Vulnerability Database's Common \nVulnerabilities and Exposure repository (maintained by [MITRE](\nhttps://cve.mitre.org/)). These efforts are managed through the National Institute \nof Standards and Technology's [SCAP program](http://scap.nist.gov/). This \nprogram is managed through [NIST's Information Technology Laboratory group](\nhttp://www.nist.gov/itl/).\n\nThe SCAP-recommended tests and remediations have been verified to implement the \nreferenced guidances. This verification has resulted in some deviances from \nthe authoritative guidances. 
The deviances fall into three primary categories:\n- Loosening settings that would result in a system not sustainably manageable \nin an enterprise-scale system deployment (e.g., automated account-lockouts are \ntimed rather than indefinite: this prevents having to shut down systems to \nmaintenance mode to counteract certain intentional or accidental Denial of \nService scenarios)\n- Taking a \"report-only\" response-posture where automated remediation is either \nnot possible (guidance is policy-oriented rather than technical or remediation \nwould require a system rebuild - such as implementing recommended filesystem \nlayouts)\n- Hardening beyond what's prescribed by the SCAP guidance - either selecting \nthe more-secure of settings that are prescribed with more than one option or \nfixing bugs in the formal guidances.\n\nAs this Salt-based framework is adopted for wider use, additional security \nlayers will be made available. It is expected that these extensions will include \nsecurity layers to meet the [DISA IAVMs](\nhttps://powhatan.iiie.disa.mil/stigs/downloads/zip/FOUO_RedHat_6_V1R8_IAVM.zip) \nand agency-specific policy-overlays.\n\n\n# Installation\n\nIt is expected that these utilities will be installed primarily within \nenvironments that have access to RPM repositories homed on network- or \nmedia-based shares. While a stub-repo will be included in the archive \ncontaining these utilities, it is generally recommended to use a fully-updated \nRPM repository to install dependencies from.\n\n## Dependencies\n\nThis archive includes a bootstrapping script. 
This script is designed almost \nexclusively for use on internet-connected systems (or ones with transparent \nweb-proxying configured):\n\n- If invoked on a host attached to a public network, this script will take care \nof installing all dependencies prescribed for a masterless salt configuration \n(described below).\n- If invoked on an isolated host or a host without access to both a \nprivately-maintained, full vendor repository and a copy of the EPEL 6 \nrepository, it is recommended to manually-install the enumerated RPMs.\n- If installing to host with access to a privately-maintained, full vendor \nrepository and a copy of the EPEL 6 repository, it is critical that appropriate \n/etc/yum.repos.d/* files be configured *prior* to any attempts to run the \nbootstrap script.\n\n- Optional (one of):\n  - git and related RPMs [Already installed if this package was fetched via \n`git`]\n  - wget\n  - curl\n  - CIFS client\n  - NFS client\n  - FTP client\n- A masterless salt configuration. This is due to the path references to the \nincluded tools/utilities/content. 
A later version will look into caching these \nfrom a salt master.\n\nA masterless salt configuration requires the following software groups and \npackages:\n\n- EL6 (x86_64) built with \"Core\" package-group or better\n- Additional distribution-vendor RPMs:\n  - From the distribution's standard channel/repository\n    - audit-libs-python\n    - authconfig\n    - libcgroup\n    - libselinux-python\n    - libsemanage-python\n    - libyaml\n    - m2crypto\n    - pciutils\n    - policycoreutils-python\n    - python-babel\n    - python-crypto\n    - python-jinja2\n    - PyYAML\n    - setools-libs\n    - setools-libs-python\n  - From the distribution's 'Extras' channels/repositories\n    - python-backports\n    - python-backports-ssl_match_hostname\n    - python-chardet\n    - python-ordereddict\n    - python-requests\n    - python-six\n    - python-urllib3\n- From the [Extra Packages for Enterprise Linux (EPEL)](\nhttps://fedoraproject.org/wiki/EPEL) repositories:\n  - epel-release\n  - openpgm\n  - python-msgpack\n  - python-zmq\n  - salt\n  - salt-minion\n  - sshpass\n  - zeromq3\n\n## Configuration\n\nThis README assumes that the Salt packages have been downloaded via the `git` \ncommandline-utility's 'clone' operation. This will create an \n\"ash-linux-formula\" subdirectory within the directory it is run from. It is \nassumed that this bundle will also be made available via TAR or 'cpio' archive - \neach should similarly result in the creation of an \"ash-linux-formula\" \nsubdirectory somewhere on the host system.\n\nNavigate into the \"ash-linux-formula\" directory. Within this directory is a \nsetup-utility, `setup.sh`. Running this utility will take care of installing \nthe security policy modules into a file-hierarchy rooted under '/srv/salt'. \nThis is the default search-location for the 'salt-minion' service. The \n'salt-minion' service is used to run the security policy modules. 
This utility \nwill also install an output-filter, `outFilter.sed`, into /usr/local/bin (this \nfilter can be used to suppress some of the less-meaningful output produced by a \nrun of the Salt packages).\n\nThe `policyrun.sh` script may be left within and invoked from its default \ninstallation directory or moved elsewhere within the host system's \nfilesystem-hierarchy. This script is designed so that it should work correctly \nwherever it's installed or invoked from.\n\nThe *ash-linux* formula does not currently support configuration via Salt's \n\"pillar\" functionality. Currently-expected deployment profiles did not \nnecessitate the use of pillar to govern application-behaviour beyond that \navailable through the \"run-all\" or \"individual-run\" invocation methods. As this \nsolution gains greater adoption and specific use-cases are identified, the \n*ash-linux* formulae will be updated to leverage Salt's \"pillar\" functionality \nto match those usage-profiles.\n\n\n# How to Run\n\n## Available Run-modes\n\nThis collection of modules may be applied as either a \"run-all\", \"run-category\" \nor \"run individual tests\" invocation. Use of the 'policyrun.sh' script gives a \n\"friendly\" method for running the Salt modules. This script uses flags and \noptions to define its runtime behaviours. This is the expected run-method for \nthese modules. This method will be further detailed below.\n\nNote: Individual modules or groups of modules may also be run by manually \nexecuting them via the 'salt-call' utility. However, use of manual-execution \nvia the 'salt-call' utility may create some inconsistencies within the comment- \nand other change-ordering within remediated files. See the salt-call man page \nfor usage instructions - bearing in mind the caveat regarding change-ordering.\n\n### \"Run-all\" Mode\n\nThis mode will run all of the security modules installed as part of this \narchive. To run in this mode, execute: `runpolicy.sh -a`. 
The script will \nindicate the run-mode and the location of logged output. The script will \ndisplay all output to the screen and log all of the remediation-related steps \nto its log file.\n\n### \"Category-run\" Mode\n\nThis mode will run all of the security modules of a given category. To run in \nthis mode, execute: `runpolicy.sh -c \u003cCATEGORY\u003e`. The script will indicate the \nrun-mode and the location of logged output. The script will display all output \nto the screen and log all of the remediation-related steps to its log file.\n\n### \"Individual-Run\" Mode\n\nThis mode will run individually-selected elements of the VID files installed as \npart of this archive. To run in this mode, execute: `runpolicy.sh -v \n\u003cVulnerability ID\u003e`. The script will indicate the run-mode and the location of \nlogged output. The script will display all output to the screen and log all of \nthe remediation-related steps to its log file.\n\nRuns of multiple individual tests can be accomplished by declaring multiple '-v \n\u003cVulnerability ID\u003e' pairs (e.g., `policyrun.sh -v V38466 -v V38586 -v V38491`).\n\n### Usage-note for non-default SaltStack installation-locations:\n\nThis script assumes that the Salt software has been configured to run from the \n\"/srv/salt\" hierarchy. If the Salt software has been configured to run from \nanother location, invoke the script with the '-h /\u003cSALT\u003e/\u003cRUN\u003e/\u003cROOT\u003e' argument.\n\n## References\n\n(See links embedded above)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplus3it%2Fash-linux-formula","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplus3it%2Fash-linux-formula","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplus3it%2Fash-linux-formula/lists"}