-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig_example.yaml
84 lines (81 loc) · 2.83 KB
/
config_example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
salt: "103bb773fc6dd2bb" # some 16-byte hex value.
# preferably, change for every new image to
# prevent brute-force attacks on the hashes.
# however, ensuring randomness/confidentiality
# of this value is not neccesary for the
# security model of the engine
prefix: "42042042" # 8-byte prefix
# this does not need to be changed ever.
# but customization is still an option
report_path: "/opt/scoring/ScoringReport.html"
checks:
- type: "FileContains"
description: "Forensics Question 1 correct"
filename: "/home/ethan/Desktop/Forensics Question 1.txt"
line: "ANSWER: 42" # any number of spaces between ":" and the answers will score.
# also is case insensitive.
points: 1
- type: "FileContains"
description: "Disabled SSH root login"
filename: "/etc/ssh/sshd_config"
line: "PermitRootLogin no" # spaces are ignored and line is case insensitive.
# lines starting with "#" or ";" are assumed to be
# comments and are thus ignored.
points: 1
- type: "FileExists"
description: "Passwd file exists"
filename: "/etc/passwd"
points: 1
- type: "UserExists"
description: "Root user exists"
user: "root"
points: 1
- type: "GroupExists"
description: "Adm group exists"
group: "adm"
points: 1
- type: "ServiceUp"
description: "OpenVPN service is running" # only works with systemd right now
service: "openvpn"
points: 1
- type: "OwnerUID"
description: "Passwd file is owned by root"
filename: "/etc/passwd"
id: "0"
points: 1
- type: "OwnerGID"
description: "Passwd file is owned by root group"
filename: "/etc/passwd"
id: "0"
points: 1
- type: "WorldReadable"
description: "Shadow file is not world readable"
filename: "/etc/shadow"
value: "0"
points: 1
- type: "WorldReadable"
description: "Passwd file is world readable"
filename: "/etc/passwd"
value: "1"
points: 1
- type: "WorldWritable"
description: "Passwd file is not world writable" # all permissions checks are negatable, but we
# won't demonstrate all of them here
filename: "/etc/passwd"
value: "0"
points: 1
- type: "SUID"
description: "Removed setuid from /usr/bin/dash" # /bin/ is a symlink and thus does not work
filename: "/usr/bin/dash"
value: "0"
points: 1
- type: "SGID"
description: "Removed setgid from /usr/bin/nano"
filename: "/usr/bin/nano"
value: "0"
points: 1
- type: "StickyBit"
description: "Directory /tmp/a/ has the sticky bit set"
filename: "/tmp/a"
value: "1"
points: 1