Baseline

The baseline plugin detects assets through existing or custom baseline policies to determine whether the baseline security configuration is risky. The baseline plugin scans regularly once a day, and can also be executed immediately through the front end.

Platform compatibility

  • centos 6,7,8
  • debian 8,9,10
  • ubuntu 14.04-20.04
    (The rest of the versions and distributions are theoretically compatible)

Build environment required

  • Go >= 1.18

Building

rm -rf output
mkdir output
# x86_64
go build -o baseline main.go
tar -zcvf baseline-linux-x86_64.tar.gz baseline config
mv baseline-linux-x86_64.tar.gz output/
# arch64
GOARCH=arm64 go build -o baseline main.go
tar -zcvf baseline-linux-x86_64.tar.gz baseline config
mv baseline-linux-x86_64.tar.gz output/

After the compilation is successful, you should see two plg files in the output directory of the root directory, which correspond to different system architectures.

Version Upgrade

  1. If no client component has been created, please create a new component in the Elkeid Console-Component Management page.
  2. On the Elkeid Console - Component Management page, find the "collector" entry, click "Release Version" on the right, fill in the version information and upload the files corresponding to the platform and architecture, and click OK.
  3. On the Elkeid Console - Component Policy page, delete the old "collector" version policy (if any), click "New Policy", select the version just released, and click OK. Subsequent newly installed Agents will be self-upgraded to the latest version.
  4. On the Elkeid Console - Task Management page, click "New Task", select all hosts, click Next, select the "Sync Configuration" task type, and click OK. Then, find the task you just created on this page, and click Run to upgrade the old version of the Agent.

Baseline configuration

General configuration

The rules of the baseline plugin are configured through yaml files, which mainly include the following fields (it is recommended to refer to the actual configuration under the config file):

check_id:
type: 
title: 
description:
solution:
security:
type_cn:
title_cn:
description_cn:
solution_cn:
check:
    rules:
    - type: "file_line_check"
        param:
        - "/etc/login.defs"
        filter: '\s*\t*PASS_MAX_DAYS\s*\t*(\d+)'
        result: '$(<=)90'

Custom rules

The "check.rules" field in each check item configuration is the matching rule, and each field is explained below:

rules.type

Checking type, the built-in detection rules currently adapted by the baseline plugin (src/check/rules.go) include:
| Checking rule | Meaning | Parameters | Return value | | ---- | ---- | ---- | ---- | | command_check | Check commands to be executed | 1:Command
2:Special parameter(e.g. ignore_exit suggests the check is passed with commands errors) | Command result | file_line_check | Traverse file and check by line | 1:File absolute path
2:Flag(For quick filtering lines, reducing the pressure of regular matching)
3:File comments(default:#) | true/false/Regex match value | file_permission | Check whether file permissions meet the security configuration | 1: File absolute path
2: File minimum permissions(octal based,e.g. 644) | true/false | if_file_exist | Check whether file exists | 1: File absolute path | true/false | file_user_group | Check file user group | 1: File absolute path
2: User group id | true/false | file_md5_check | Check whether file MD5 is consistent | 1: File absolute path
2: MD5 | true/false | func_check | Check through special rules | 1:The function | true/false

rules.param

Array of rule parameters

rules.require

Rule Prerequisites: Some security baseline configurations may have detection prerequisites, and security risks will only exist if the prerequisites are met, such as:

rules:
  - type: "file_line_check"
    require: "allow_ssh_passwd"
    param:
        - "/etc/ssh/sshd_config"
    filter: '^\s*MaxAuthTries\s*\t*(\d+)'
    result: '$(<)5'

allow_ssh_passwd: Allow users to login through ssh passwords.

rules.result

Checking result,support int,string,bool, $() suggests special checking syntax, e.g.: | Checking syntax | Description | Example | Example description | | ---- | ---- | ---- | ---- | | $(&&) | AND | ok$(&&)success| The result is "ok" or "success" | | $(<=) | Common operators | $(<=)4| Result<=4 | | $(not) | INVERT | $(not)error| The result is not "error" |

Complex example:

$(<)8$(&&)$(not)2  :  Result<8 and result is not 2

check.condition

Since there may be multiple rules for a rule, the relationship between the rule can be defined through the condition field.
all: Check passed if all the rules are matched. any: Check passed if any of the rules is matched. none: Check passed if none of the rules is matched.

Submit a task

Task issued

{
    "baseline_id": 1200,
    "check_id_list":[1,2,3]
}

Result return

{
    "baseline_id": 1200,
    "status": "success", 
    "msg": "",
    "check_list":[
        "check_id": 1,
        "type": "",
        "title": "",
        "description": "",
        "solution": "",
        "type_cn": "",
        "title_cn": "",
        "description_cn": "",
        "solution_cn": "",
        "result": "", 
        "msg": "",
    ]
}

Result:

SuccessCode 		= 1
FailCode 		= 2
ErrorCode 		= -1
ErrorConfigWrite	= -2
ErrorFile		= -3