@blamejs/exceptd-skills 0.10.0 → 0.10.1
- package/CHANGELOG.md +54 -0
- package/bin/exceptd.js +303 -9
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/ai-api.json +400 -90
- package/data/playbooks/containers.json +406 -94
- package/data/playbooks/cred-stores.json +374 -89
- package/data/playbooks/crypto.json +369 -87
- package/data/playbooks/framework.json +376 -86
- package/data/playbooks/hardening.json +357 -84
- package/data/playbooks/kernel.json +324 -77
- package/data/playbooks/mcp.json +407 -92
- package/data/playbooks/runtime.json +345 -81
- package/data/playbooks/sbom.json +497 -111
- package/data/playbooks/secrets.json +352 -83
- package/lib/playbook-runner.js +77 -7
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -9,11 +9,18 @@
|
|
|
9
9
|
"version": "1.0.0",
|
|
10
10
|
"date": "2026-05-11",
|
|
11
11
|
"summary": "Initial seven-phase Linux hardening posture playbook. Inventories kernel hardening flags (/proc/sys/kernel/*, /proc/cmdline), CPU mitigation status (/sys/devices/system/cpu/vulnerabilities), sysctl posture, sshd_config, sudoers structure, PAM stack, and MAC posture (SELinux/AppArmor). This is the posture corroborator that the kernel playbook references — kernel.json answers 'is the running kernel in a vulnerable affected_versions range?', hardening.json answers 'and even if it is, do the hardening flags actually permit the exploit's primitive?'.",
|
|
12
|
-
"framework_gaps_updated": [
|
|
12
|
+
"framework_gaps_updated": [
|
|
13
|
+
"nist-800-53-CM-6",
|
|
14
|
+
"nist-800-53-CM-7",
|
|
15
|
+
"iso-27001-2022-A.8.9",
|
|
16
|
+
"cmmc-cm-l2-3.4.2",
|
|
17
|
+
"au-essential-8-application-hardening"
|
|
18
|
+
]
|
|
13
19
|
}
|
|
14
20
|
],
|
|
15
21
|
"owner": "@blamejs/platform-security",
|
|
16
22
|
"air_gap_mode": false,
|
|
23
|
+
"scope": "system",
|
|
17
24
|
"preconditions": [
|
|
18
25
|
{
|
|
19
26
|
"id": "linux-platform",
|
|
@@ -40,24 +47,47 @@
|
|
|
40
47
|
}
|
|
41
48
|
]
|
|
42
49
|
},
|
|
43
|
-
|
|
44
50
|
"domain": {
|
|
45
51
|
"name": "Linux kernel + system hardening posture",
|
|
46
52
|
"attack_class": "kernel-lpe",
|
|
47
53
|
"atlas_refs": [],
|
|
48
|
-
"attack_refs": [
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
54
|
+
"attack_refs": [
|
|
55
|
+
"T1068",
|
|
56
|
+
"T1611",
|
|
57
|
+
"T1556",
|
|
58
|
+
"T1098"
|
|
59
|
+
],
|
|
60
|
+
"cve_refs": [
|
|
61
|
+
"CVE-2026-31431",
|
|
62
|
+
"CVE-2026-43284",
|
|
63
|
+
"CVE-2026-43500"
|
|
64
|
+
],
|
|
65
|
+
"cwe_refs": [
|
|
66
|
+
"CWE-732",
|
|
67
|
+
"CWE-269",
|
|
68
|
+
"CWE-426",
|
|
69
|
+
"CWE-1188"
|
|
70
|
+
],
|
|
71
|
+
"d3fend_refs": [
|
|
72
|
+
"D3-KBPI",
|
|
73
|
+
"D3-PA",
|
|
74
|
+
"D3-EI"
|
|
75
|
+
],
|
|
52
76
|
"frameworks_in_scope": [
|
|
53
|
-
"nist-800-53",
|
|
54
|
-
"
|
|
55
|
-
"
|
|
77
|
+
"nist-800-53",
|
|
78
|
+
"nist-csf-2",
|
|
79
|
+
"iso-27001-2022",
|
|
80
|
+
"soc2",
|
|
81
|
+
"pci-dss-4",
|
|
82
|
+
"nis2",
|
|
83
|
+
"dora",
|
|
84
|
+
"uk-caf",
|
|
85
|
+
"au-ism",
|
|
86
|
+
"au-essential-8",
|
|
87
|
+
"cmmc"
|
|
56
88
|
]
|
|
57
89
|
},
|
|
58
|
-
|
|
59
90
|
"phases": {
|
|
60
|
-
|
|
61
91
|
"govern": {
|
|
62
92
|
"jurisdiction_obligations": [
|
|
63
93
|
{
|
|
@@ -66,7 +96,10 @@
|
|
|
66
96
|
"obligation": "patch_critical",
|
|
67
97
|
"window_hours": 720,
|
|
68
98
|
"clock_starts": "analyze_complete",
|
|
69
|
-
"evidence_required": [
|
|
99
|
+
"evidence_required": [
|
|
100
|
+
"hardening_baseline_documented",
|
|
101
|
+
"drift_remediation_record"
|
|
102
|
+
]
|
|
70
103
|
},
|
|
71
104
|
{
|
|
72
105
|
"jurisdiction": "AU",
|
|
@@ -74,7 +107,10 @@
|
|
|
74
107
|
"obligation": "patch_critical",
|
|
75
108
|
"window_hours": 720,
|
|
76
109
|
"clock_starts": "validate_complete",
|
|
77
|
-
"evidence_required": [
|
|
110
|
+
"evidence_required": [
|
|
111
|
+
"hardening_baseline_documented",
|
|
112
|
+
"drift_remediation_record"
|
|
113
|
+
]
|
|
78
114
|
},
|
|
79
115
|
{
|
|
80
116
|
"jurisdiction": "US",
|
|
@@ -82,7 +118,10 @@
|
|
|
82
118
|
"obligation": "patch_critical",
|
|
83
119
|
"window_hours": 720,
|
|
84
120
|
"clock_starts": "validate_complete",
|
|
85
|
-
"evidence_required": [
|
|
121
|
+
"evidence_required": [
|
|
122
|
+
"baseline_configuration_document",
|
|
123
|
+
"ssp_section_update"
|
|
124
|
+
]
|
|
86
125
|
}
|
|
87
126
|
],
|
|
88
127
|
"theater_fingerprints": [
|
|
@@ -90,19 +129,29 @@
|
|
|
90
129
|
"pattern_id": "cis-benchmark-as-state",
|
|
91
130
|
"claim": "We follow the CIS Benchmark for $distro → hardening complete.",
|
|
92
131
|
"fast_detection_test": "Run the CIS Benchmark scanner today and diff against the last attested benchmark run. Drift between attested run and today is the theater margin. If the org cannot produce a benchmark run within the last 90 days OR the diff shows > 5 controls regressed, the attestation is theater.",
|
|
93
|
-
"implicated_controls": [
|
|
132
|
+
"implicated_controls": [
|
|
133
|
+
"nist-800-53-CM-6",
|
|
134
|
+
"iso-27001-2022-A.8.9",
|
|
135
|
+
"cmmc-cm-l2-3.4.1"
|
|
136
|
+
]
|
|
94
137
|
},
|
|
95
138
|
{
|
|
96
139
|
"pattern_id": "selinux-permissive-as-enabled",
|
|
97
140
|
"claim": "SELinux is enabled.",
|
|
98
141
|
"fast_detection_test": "Run `getenforce`. 'Enforcing' is real; 'Permissive' is logs-only — the MAC policy is loaded but not blocking. Treat Permissive as the same posture as Disabled for blast-radius purposes; the audit attestation often does not distinguish.",
|
|
99
|
-
"implicated_controls": [
|
|
142
|
+
"implicated_controls": [
|
|
143
|
+
"nist-800-53-AC-3",
|
|
144
|
+
"iso-27001-2022-A.8.3"
|
|
145
|
+
]
|
|
100
146
|
},
|
|
101
147
|
{
|
|
102
148
|
"pattern_id": "kptr-restrict-zero-with-kaslr-attested",
|
|
103
149
|
"claim": "KASLR is enabled, kernel address randomization mitigates kernel LPE primitives.",
|
|
104
150
|
"fast_detection_test": "Check `cat /proc/sys/kernel/kptr_restrict`. If 0, /proc/kallsyms is world-readable and KASLR is effectively defeated for any local attacker. KASLR-enabled with kptr_restrict=0 is the classic kernel-hardening theater shape.",
|
|
105
|
-
"implicated_controls": [
|
|
151
|
+
"implicated_controls": [
|
|
152
|
+
"nist-800-53-SC-30",
|
|
153
|
+
"iso-27001-2022-A.8.31"
|
|
154
|
+
]
|
|
106
155
|
}
|
|
107
156
|
],
|
|
108
157
|
"framework_context": {
|
|
@@ -135,9 +184,14 @@
|
|
|
135
184
|
}
|
|
136
185
|
]
|
|
137
186
|
},
|
|
138
|
-
"skill_preload": [
|
|
187
|
+
"skill_preload": [
|
|
188
|
+
"kernel-lpe-triage",
|
|
189
|
+
"security-maturity-tiers",
|
|
190
|
+
"framework-gap-analysis",
|
|
191
|
+
"compliance-theater",
|
|
192
|
+
"policy-exception-gen"
|
|
193
|
+
]
|
|
139
194
|
},
|
|
140
|
-
|
|
141
195
|
"direct": {
|
|
142
196
|
"threat_context": "Kernel LPE class of 2026 is exquisitely sensitive to hardening posture. CVE-2026-31431 'Copy Fail' (KEV 2026-03-15) requires unprivileged user namespaces to be enabled — `kernel.unprivileged_userns_clone = 1` is the gating flag. Distros differ on the default: Debian 12 ships it 0, Ubuntu 24.04 ships it 1, RHEL 9 ships it 0 unless explicitly enabled. Similarly, CVE-2026-43284 / CVE-2026-43500 chain through unprivileged BPF primitives — `kernel.unprivileged_bpf_disabled = 0` is the gating flag. SELinux in Enforcing mode breaks the standard exploitation chain for several LPE classes; SELinux in Permissive provides no mitigation, only logging. MAC posture is therefore decisive for blast-radius scoring even when kernel version is technically vulnerable. The combination matters: vulnerable kernel + permissive MAC + relaxed hardening flags = exploitable; vulnerable kernel + enforcing MAC + tight hardening flags = primitive broken even pre-patch.",
|
|
143
197
|
"rwep_threshold": {
|
|
@@ -147,11 +201,32 @@
|
|
|
147
201
|
},
|
|
148
202
|
"framework_lag_declaration": "NIST CM-6, ISO A.8.9, Essential 8 OS Hardening, CMMC CM.L2-3.4.1/2 all permit baseline + change-management evidence without requiring continuous attestation of the specific kernel hardening flags (kptr_restrict, unprivileged_userns_clone, unprivileged_bpf_disabled, yama.ptrace_scope, dmesg_restrict, kernel.lockdown, MAC enforcement mode) that determine whether a vulnerable kernel is actually exploitable. Gap = ~21 days at typical orgs between drift event and review. For environments using GitOps-deployed kernel parameters, drift can occur faster than monitoring catches.",
|
|
149
203
|
"skill_chain": [
|
|
150
|
-
{
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
204
|
+
{
|
|
205
|
+
"skill": "kernel-lpe-triage",
|
|
206
|
+
"purpose": "Identify which hardening flags gate exploitation of catalogued LPE CVEs; map flag state to per-CVE exploitability.",
|
|
207
|
+
"required": true
|
|
208
|
+
},
|
|
209
|
+
{
|
|
210
|
+
"skill": "security-maturity-tiers",
|
|
211
|
+
"purpose": "Score current hardening posture against tier model; identify gaps to next tier.",
|
|
212
|
+
"required": true
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"skill": "framework-gap-analysis",
|
|
216
|
+
"purpose": "Map hardening drift findings to which CM-6 / A.8.9 / Essential 8 controls were attested-but-drifted.",
|
|
217
|
+
"required": true
|
|
218
|
+
},
|
|
219
|
+
{
|
|
220
|
+
"skill": "compliance-theater",
|
|
221
|
+
"purpose": "Run the theater test on the org's CIS/STIG/Essential 8 attestation.",
|
|
222
|
+
"required": true
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"skill": "policy-exception-gen",
|
|
226
|
+
"purpose": "Generate auditor-ready exception language for hardening flags that cannot be tightened (e.g. unprivileged_userns_clone needed for legitimate container workloads).",
|
|
227
|
+
"skip_if": "close.exception_generation.trigger_condition == false",
|
|
228
|
+
"required": false
|
|
229
|
+
}
|
|
155
230
|
],
|
|
156
231
|
"token_budget": {
|
|
157
232
|
"estimated_total": 19000,
|
|
@@ -166,7 +241,6 @@
|
|
|
166
241
|
}
|
|
167
242
|
}
|
|
168
243
|
},
|
|
169
|
-
|
|
170
244
|
"look": {
|
|
171
245
|
"artifacts": [
|
|
172
246
|
{
|
|
@@ -276,17 +350,48 @@
|
|
|
276
350
|
}
|
|
277
351
|
],
|
|
278
352
|
"fallback_if_unavailable": [
|
|
279
|
-
{
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
{
|
|
285
|
-
|
|
286
|
-
|
|
353
|
+
{
|
|
354
|
+
"artifact_id": "sysctl-kernel-hardening",
|
|
355
|
+
"fallback_action": "escalate_to_human",
|
|
356
|
+
"confidence_impact": "high"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"artifact_id": "kernel-cmdline",
|
|
360
|
+
"fallback_action": "use_compensating_artifact",
|
|
361
|
+
"confidence_impact": "low"
|
|
362
|
+
},
|
|
363
|
+
{
|
|
364
|
+
"artifact_id": "cpu-vulnerabilities",
|
|
365
|
+
"fallback_action": "mark_inconclusive",
|
|
366
|
+
"confidence_impact": "low"
|
|
367
|
+
},
|
|
368
|
+
{
|
|
369
|
+
"artifact_id": "kernel-lockdown",
|
|
370
|
+
"fallback_action": "mark_inconclusive",
|
|
371
|
+
"confidence_impact": "medium"
|
|
372
|
+
},
|
|
373
|
+
{
|
|
374
|
+
"artifact_id": "selinux-state",
|
|
375
|
+
"fallback_action": "use_compensating_artifact",
|
|
376
|
+
"confidence_impact": "medium"
|
|
377
|
+
},
|
|
378
|
+
{
|
|
379
|
+
"artifact_id": "apparmor-state",
|
|
380
|
+
"fallback_action": "use_compensating_artifact",
|
|
381
|
+
"confidence_impact": "medium"
|
|
382
|
+
},
|
|
383
|
+
{
|
|
384
|
+
"artifact_id": "sshd-config",
|
|
385
|
+
"fallback_action": "use_compensating_artifact",
|
|
386
|
+
"confidence_impact": "medium"
|
|
387
|
+
},
|
|
388
|
+
{
|
|
389
|
+
"artifact_id": "audit-rules",
|
|
390
|
+
"fallback_action": "mark_inconclusive",
|
|
391
|
+
"confidence_impact": "low"
|
|
392
|
+
}
|
|
287
393
|
]
|
|
288
394
|
},
|
|
289
|
-
|
|
290
395
|
"detect": {
|
|
291
396
|
"indicators": [
|
|
292
397
|
{
|
|
@@ -406,26 +511,85 @@
|
|
|
406
511
|
"not_detected": "All required sysctl flags collected AND posture matches Essential 8 ML3 or CIS Level 2 baseline AND MAC layer is Enforcing AND no boot-time mitigation overrides are set."
|
|
407
512
|
}
|
|
408
513
|
},
|
|
409
|
-
|
|
410
514
|
"analyze": {
|
|
411
515
|
"rwep_inputs": [
|
|
412
|
-
{
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
{
|
|
419
|
-
|
|
516
|
+
{
|
|
517
|
+
"signal_id": "kptr-restrict-disabled",
|
|
518
|
+
"rwep_factor": "blast_radius",
|
|
519
|
+
"weight": 15,
|
|
520
|
+
"notes": "Decisive for kernel LPE exploitability; multiplies impact of any matched kernel CVE."
|
|
521
|
+
},
|
|
522
|
+
{
|
|
523
|
+
"signal_id": "unprivileged-userns-enabled",
|
|
524
|
+
"rwep_factor": "active_exploitation",
|
|
525
|
+
"weight": 20,
|
|
526
|
+
"notes": "Gates CVE-2026-31431 exploitability; full weight when paired with vulnerable kernel."
|
|
527
|
+
},
|
|
528
|
+
{
|
|
529
|
+
"signal_id": "unprivileged-bpf-allowed",
|
|
530
|
+
"rwep_factor": "active_exploitation",
|
|
531
|
+
"weight": 15,
|
|
532
|
+
"notes": "Gates BPF-class LPE exploitability."
|
|
533
|
+
},
|
|
534
|
+
{
|
|
535
|
+
"signal_id": "yama-ptrace-permissive",
|
|
536
|
+
"rwep_factor": "blast_radius",
|
|
537
|
+
"weight": 10,
|
|
538
|
+
"notes": "Credential-theft primitive; blast radius amplifier rather than direct LPE."
|
|
539
|
+
},
|
|
540
|
+
{
|
|
541
|
+
"signal_id": "kaslr-disabled-at-boot",
|
|
542
|
+
"rwep_factor": "active_exploitation",
|
|
543
|
+
"weight": 25,
|
|
544
|
+
"notes": "Makes kernel LPEs deterministic; full weight."
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"signal_id": "mitigations-off",
|
|
548
|
+
"rwep_factor": "active_exploitation",
|
|
549
|
+
"weight": 20,
|
|
550
|
+
"notes": "Re-opens CPU side-channel LPE classes; full weight."
|
|
551
|
+
},
|
|
552
|
+
{
|
|
553
|
+
"signal_id": "selinux-not-enforcing",
|
|
554
|
+
"rwep_factor": "blast_radius",
|
|
555
|
+
"weight": 10,
|
|
556
|
+
"notes": "Removes a layer that would otherwise break the exploitation chain for several LPEs."
|
|
557
|
+
},
|
|
558
|
+
{
|
|
559
|
+
"signal_id": "sshd-permitrootlogin-yes",
|
|
560
|
+
"rwep_factor": "blast_radius",
|
|
561
|
+
"weight": 15,
|
|
562
|
+
"notes": "Removes the LPE step entirely if credential is obtained."
|
|
563
|
+
}
|
|
420
564
|
],
|
|
421
565
|
"blast_radius_model": {
|
|
422
566
|
"scope_question": "Given the inventoried hardening posture, what is the realistic delta between 'kernel CVE matched' and 'kernel CVE actually exploitable on this host'?",
|
|
423
567
|
"scoring_rubric": [
|
|
424
|
-
{
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
568
|
+
{
|
|
569
|
+
"condition": "All deterministic hardening flags hardened (kptr_restrict=2, unprivileged_userns_clone=0 or under MAC, unprivileged_bpf_disabled=1, KASLR enabled, mitigations=auto, MAC Enforcing, lockdown=integrity or confidentiality)",
|
|
570
|
+
"blast_radius_score": 1,
|
|
571
|
+
"description": "Hardening posture closes most catalogued LPE primitives. Vulnerable kernel does not mean exploitable host."
|
|
572
|
+
},
|
|
573
|
+
{
|
|
574
|
+
"condition": "One deterministic hardening flag drifted from baseline (e.g. unprivileged_userns_clone=1 due to container workload, MAC compensating) OR MAC layer compensates for drift",
|
|
575
|
+
"blast_radius_score": 2,
|
|
576
|
+
"description": "Trade-off posture. Drift is intentional and compensated; documented."
|
|
577
|
+
},
|
|
578
|
+
{
|
|
579
|
+
"condition": "Two or more deterministic hardening flags drifted AND no MAC compensation OR MAC in Permissive mode",
|
|
580
|
+
"blast_radius_score": 3,
|
|
581
|
+
"description": "Drift not compensated. Vulnerable kernel + this posture = exploitable in principle."
|
|
582
|
+
},
|
|
583
|
+
{
|
|
584
|
+
"condition": "Deterministic drift AND kernel playbook reports matched LPE with active_exploitation=confirmed AND no live-patch",
|
|
585
|
+
"blast_radius_score": 4,
|
|
586
|
+
"description": "Operational exposure. Exploitation chain is complete given foothold."
|
|
587
|
+
},
|
|
588
|
+
{
|
|
589
|
+
"condition": "Deterministic drift AND host is k8s control-plane OR identity broker OR has cross-account trust",
|
|
590
|
+
"blast_radius_score": 5,
|
|
591
|
+
"description": "Drift on a host whose compromise is org-wide. Identity boundary collapse risk."
|
|
592
|
+
}
|
|
429
593
|
]
|
|
430
594
|
},
|
|
431
595
|
"compliance_theater_check": {
|
|
@@ -465,53 +629,96 @@
|
|
|
465
629
|
}
|
|
466
630
|
],
|
|
467
631
|
"escalation_criteria": [
|
|
468
|
-
{
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
632
|
+
{
|
|
633
|
+
"condition": "deterministic_hardening_drift == true AND kernel.playbook.reports_matched_lpe == true",
|
|
634
|
+
"action": "trigger_playbook",
|
|
635
|
+
"target_playbook": "kernel"
|
|
636
|
+
},
|
|
637
|
+
{
|
|
638
|
+
"condition": "selinux_disabled AND apparmor_no_enforcing_profiles AND blast_radius_score >= 3",
|
|
639
|
+
"action": "raise_severity"
|
|
640
|
+
},
|
|
641
|
+
{
|
|
642
|
+
"condition": "sshd_permitrootlogin_yes == true",
|
|
643
|
+
"action": "page_on_call"
|
|
644
|
+
},
|
|
645
|
+
{
|
|
646
|
+
"condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
|
|
647
|
+
"action": "notify_legal"
|
|
648
|
+
}
|
|
472
649
|
]
|
|
473
650
|
},
|
|
474
|
-
|
|
475
651
|
"validate": {
|
|
476
652
|
"remediation_paths": [
|
|
477
653
|
{
|
|
478
654
|
"id": "tighten-sysctl",
|
|
479
655
|
"description": "Apply hardened sysctl values: kptr_restrict=2, unprivileged_userns_clone=0 (or compensate with MAC), unprivileged_bpf_disabled=1, yama.ptrace_scope=2, fs.suid_dumpable=0, dmesg_restrict=1. Persist via /etc/sysctl.d/99-exceptd-hardening.conf.",
|
|
480
|
-
"preconditions": [
|
|
656
|
+
"preconditions": [
|
|
657
|
+
"no_workload_requires_relaxed_flag == true OR mac_compensation_in_place == true",
|
|
658
|
+
"ops_authorization_for_sysctl_changes == true"
|
|
659
|
+
],
|
|
481
660
|
"priority": 1,
|
|
482
|
-
"compensating_controls": [
|
|
661
|
+
"compensating_controls": [
|
|
662
|
+
"change-management-ticket",
|
|
663
|
+
"regression-test-suite-passed"
|
|
664
|
+
],
|
|
483
665
|
"estimated_time_hours": 2
|
|
484
666
|
},
|
|
485
667
|
{
|
|
486
668
|
"id": "tighten-kernel-cmdline",
|
|
487
669
|
"description": "Remove `nokaslr` / `kaslr=off` / `mitigations=off` from /etc/default/grub or equivalent bootloader config; reboot to apply. Optionally add `lockdown=integrity` for kernels >= 5.4.",
|
|
488
|
-
"preconditions": [
|
|
670
|
+
"preconditions": [
|
|
671
|
+
"vendor_supports_lockdown == true OR removing_existing_override == true",
|
|
672
|
+
"reboot_window_within_72h == true"
|
|
673
|
+
],
|
|
489
674
|
"priority": 2,
|
|
490
|
-
"compensating_controls": [
|
|
675
|
+
"compensating_controls": [
|
|
676
|
+
"change-management-ticket",
|
|
677
|
+
"post-boot-cmdline-verification"
|
|
678
|
+
],
|
|
491
679
|
"estimated_time_hours": 4
|
|
492
680
|
},
|
|
493
681
|
{
|
|
494
682
|
"id": "enable-mac-enforcing",
|
|
495
683
|
"description": "Move SELinux from Permissive to Enforcing (after audit log review for would-have-denials) OR move AppArmor profiles from 'complain' to 'enforce'.",
|
|
496
|
-
"preconditions": [
|
|
684
|
+
"preconditions": [
|
|
685
|
+
"audit_log_review_complete == true",
|
|
686
|
+
"workload_compatible_with_enforcing == true"
|
|
687
|
+
],
|
|
497
688
|
"priority": 1,
|
|
498
|
-
"compensating_controls": [
|
|
689
|
+
"compensating_controls": [
|
|
690
|
+
"audit-log-baseline-captured",
|
|
691
|
+
"regression-test-suite-passed"
|
|
692
|
+
],
|
|
499
693
|
"estimated_time_hours": 4
|
|
500
694
|
},
|
|
501
695
|
{
|
|
502
696
|
"id": "tighten-sshd",
|
|
503
697
|
"description": "Set PermitRootLogin no, PasswordAuthentication no (or require MFA via PAM), MaxAuthTries 3, restrict via AllowUsers/AllowGroups. Test from a second session before logging out.",
|
|
504
|
-
"preconditions": [
|
|
698
|
+
"preconditions": [
|
|
699
|
+
"non_root_admin_account_exists == true",
|
|
700
|
+
"ssh_key_or_mfa_already_deployed == true"
|
|
701
|
+
],
|
|
505
702
|
"priority": 1,
|
|
506
|
-
"compensating_controls": [
|
|
703
|
+
"compensating_controls": [
|
|
704
|
+
"second-session-verified",
|
|
705
|
+
"break-glass-console-access-confirmed"
|
|
706
|
+
],
|
|
507
707
|
"estimated_time_hours": 1
|
|
508
708
|
},
|
|
509
709
|
{
|
|
510
710
|
"id": "policy-exception",
|
|
511
711
|
"description": "If a hardening flag cannot be tightened due to workload requirements (e.g. unprivileged_userns_clone needed for rootless containers), generate an auditor-ready exception with named compensating controls.",
|
|
512
|
-
"preconditions": [
|
|
712
|
+
"preconditions": [
|
|
713
|
+
"workload_requires_relaxed_flag == true",
|
|
714
|
+
"mac_or_alternative_compensation_documented == true"
|
|
715
|
+
],
|
|
513
716
|
"priority": 4,
|
|
514
|
-
"compensating_controls": [
|
|
717
|
+
"compensating_controls": [
|
|
718
|
+
"mac-profile-tightened",
|
|
719
|
+
"enhanced-audit-on-affected-syscall-path",
|
|
720
|
+
"ciso-acceptance-on-residual-risk"
|
|
721
|
+
],
|
|
515
722
|
"estimated_time_hours": 8
|
|
516
723
|
}
|
|
517
724
|
],
|
|
@@ -557,47 +764,89 @@
|
|
|
557
764
|
"risk": "Hardened posture still permits a kernel LPE that does not depend on any of the inventoried gating flags. New LPEs may emerge whose primitive is unrelated to userns/BPF/ptrace/kptr.",
|
|
558
765
|
"why_remains": "Hardening flags are a moving target — new CVEs name new primitives, and a host hardened against today's catalog may be exposed to tomorrow's. The compensating control is regression cadence + new-CVE-in-class trigger, not absolute hardening.",
|
|
559
766
|
"acceptance_level": "manager",
|
|
560
|
-
"compensating_controls_in_place": [
|
|
767
|
+
"compensating_controls_in_place": [
|
|
768
|
+
"mac-enforcing",
|
|
769
|
+
"monthly-hardening-diff-cadence",
|
|
770
|
+
"edr-on-syscall-anomalies",
|
|
771
|
+
"kernel-playbook-tied-to-this-baseline"
|
|
772
|
+
]
|
|
561
773
|
},
|
|
562
774
|
"evidence_requirements": [
|
|
563
775
|
{
|
|
564
776
|
"evidence_type": "scan_report",
|
|
565
777
|
"description": "Full sysctl + cmdline + MAC + sshd_config + lockdown inventory output with timestamps and host identity.",
|
|
566
778
|
"retention_period": "1_year",
|
|
567
|
-
"framework_satisfied": [
|
|
779
|
+
"framework_satisfied": [
|
|
780
|
+
"nist-800-53-CM-6",
|
|
781
|
+
"iso-27001-2022-A.8.9",
|
|
782
|
+
"cmmc-cm-l2-3.4.2",
|
|
783
|
+
"au-essential-8-os-hardening"
|
|
784
|
+
]
|
|
568
785
|
},
|
|
569
786
|
{
|
|
570
787
|
"evidence_type": "config_diff",
|
|
571
788
|
"description": "Pre/post diff of sysctl values + /etc/default/grub + sshd_config showing remediation applied.",
|
|
572
789
|
"retention_period": "7_years",
|
|
573
|
-
"framework_satisfied": [
|
|
790
|
+
"framework_satisfied": [
|
|
791
|
+
"nist-800-53-CM-3",
|
|
792
|
+
"iso-27001-2022-A.8.32"
|
|
793
|
+
]
|
|
574
794
|
},
|
|
575
795
|
{
|
|
576
796
|
"evidence_type": "exploit_replay_negative",
|
|
577
797
|
"description": "Safe-mode primitive-trigger replays for each catalogued kernel LPE with hardening-flag dependency, showing post-remediation EPERM.",
|
|
578
798
|
"retention_period": "1_year",
|
|
579
|
-
"framework_satisfied": [
|
|
799
|
+
"framework_satisfied": [
|
|
800
|
+
"soc2-cc7.1",
|
|
801
|
+
"iso-27001-2022-A.8.8"
|
|
802
|
+
]
|
|
580
803
|
},
|
|
581
804
|
{
|
|
582
805
|
"evidence_type": "attestation",
|
|
583
806
|
"description": "Signed exceptd attestation: hardening baseline hash, scan timestamp, drift count, RWEP at detection, RWEP post-remediation.",
|
|
584
807
|
"retention_period": "7_years",
|
|
585
|
-
"framework_satisfied": [
|
|
808
|
+
"framework_satisfied": [
|
|
809
|
+
"nist-800-53-CA-7",
|
|
810
|
+
"iso-27001-2022-A.5.36",
|
|
811
|
+
"nis2-art21-2c"
|
|
812
|
+
]
|
|
586
813
|
}
|
|
587
814
|
],
|
|
588
815
|
"regression_trigger": [
|
|
589
|
-
{
|
|
590
|
-
|
|
591
|
-
|
|
592
|
-
|
|
593
|
-
{
|
|
816
|
+
{
|
|
817
|
+
"condition": "new_cve_in_class == true",
|
|
818
|
+
"interval": "on_event"
|
|
819
|
+
},
|
|
820
|
+
{
|
|
821
|
+
"condition": "kernel_upgrade == true",
|
|
822
|
+
"interval": "on_event"
|
|
823
|
+
},
|
|
824
|
+
{
|
|
825
|
+
"condition": "monthly",
|
|
826
|
+
"interval": "30d"
|
|
827
|
+
},
|
|
828
|
+
{
|
|
829
|
+
"condition": "post_major_deploy",
|
|
830
|
+
"interval": "on_event"
|
|
831
|
+
},
|
|
832
|
+
{
|
|
833
|
+
"condition": "post_distro_release_upgrade",
|
|
834
|
+
"interval": "on_event"
|
|
835
|
+
}
|
|
594
836
|
]
|
|
595
837
|
},
|
|
596
|
-
|
|
597
838
|
"close": {
|
|
598
839
|
"evidence_package": {
|
|
599
840
|
"bundle_format": "csaf-2.0",
|
|
600
|
-
"contents": [
|
|
841
|
+
"contents": [
|
|
842
|
+
"scan_report",
|
|
843
|
+
"config_diff",
|
|
844
|
+
"exploit_replay_negative",
|
|
845
|
+
"attestation",
|
|
846
|
+
"framework_gap_mapping",
|
|
847
|
+
"compliance_theater_verdict",
|
|
848
|
+
"residual_risk_statement"
|
|
849
|
+
],
|
|
601
850
|
"destination": "local_only",
|
|
602
851
|
"signed": true
|
|
603
852
|
},
|
|
@@ -609,28 +858,42 @@
|
|
|
609
858
|
"framework_gap": "Baseline-attestation cadence (annual to quarterly) is structurally slower than drift cadence (per-package-install, per-kernel-parameter-change). Frameworks lag drift by ~21 days at typical orgs.",
|
|
610
859
|
"new_control_requirement": "Monthly programmatic verification of named kernel hardening flags (sysctl + cmdline + MAC + sshd effective config) against documented baseline. Drift triggers automatic regeneration of the kernel-LPE playbook scope."
|
|
611
860
|
},
|
|
612
|
-
"feeds_back_to_skills": [
|
|
861
|
+
"feeds_back_to_skills": [
|
|
862
|
+
"kernel-lpe-triage",
|
|
863
|
+
"security-maturity-tiers",
|
|
864
|
+
"framework-gap-analysis",
|
|
865
|
+
"compliance-theater"
|
|
866
|
+
]
|
|
613
867
|
},
|
|
614
868
|
"notification_actions": [
|
|
615
869
|
{
|
|
616
870
|
"obligation_ref": "EU/NIS2 Art.21 720h",
|
|
617
871
|
"deadline": "computed_at_runtime",
|
|
618
872
|
"recipient": "internal_legal",
|
|
619
|
-
"evidence_attached": [
|
|
873
|
+
"evidence_attached": [
|
|
874
|
+
"hardening_baseline_documented",
|
|
875
|
+
"drift_remediation_record"
|
|
876
|
+
],
|
|
620
877
|
"draft_notification": "NIS2 Art.21 critical-vulnerability handling record: Hardening drift identified on ${affected_host_count} host(s) gating exploitability of catalogued kernel LPE(s) ${matched_cve_ids}. Drift count: ${drift_count}. Compensating controls in place: ${compensating_controls}. Remediation completed by ${remediation_date}. Evidence: hardening baseline + drift remediation record attached."
|
|
621
878
|
},
|
|
622
879
|
{
|
|
623
880
|
"obligation_ref": "AU/Essential 8 Application Hardening 720h",
|
|
624
881
|
"deadline": "computed_at_runtime",
|
|
625
882
|
"recipient": "internal_legal",
|
|
626
|
-
"evidence_attached": [
|
|
883
|
+
"evidence_attached": [
|
|
884
|
+
"hardening_baseline_documented",
|
|
885
|
+
"drift_remediation_record"
|
|
886
|
+
],
|
|
627
887
|
"draft_notification": "Essential 8 OS Hardening evidence package: Hardening baseline verification on ${affected_host_count} host(s). Maturity Level claimed: ${ml_claimed}. Maturity Level supported by evidence: ${ml_evidence}. Drift remediation record: ${remediation_summary}."
|
|
628
888
|
},
|
|
629
889
|
{
|
|
630
890
|
"obligation_ref": "US/CMMC 2.0 CM.L2-3.4.2 720h",
|
|
631
891
|
"deadline": "computed_at_runtime",
|
|
632
892
|
"recipient": "internal_legal",
|
|
633
|
-
"evidence_attached": [
|
|
893
|
+
"evidence_attached": [
|
|
894
|
+
"baseline_configuration_document",
|
|
895
|
+
"ssp_section_update"
|
|
896
|
+
],
|
|
634
897
|
"draft_notification": "CMMC CM.L2-3.4.2 baseline configuration update: Hardening baseline diff on ${affected_host_count} host(s). SSP section to update: ${ssp_section}. Drift remediation record attached. Continuous-monitoring evidence retained for assessor review."
|
|
635
898
|
}
|
|
636
899
|
],
|
|
@@ -639,7 +902,12 @@
|
|
|
639
902
|
"exception_template": {
|
|
640
903
|
"scope": "Hardening flag(s) ${flag_list} relaxed on ${affected_host_count} host(s) due to documented workload requirement (${workload_class}).",
|
|
641
904
|
"duration": "until_next_audit",
|
|
642
|
-
"compensating_controls": [
|
|
905
|
+
"compensating_controls": [
|
|
906
|
+
"mac-profile-tightened-on-affected-syscall",
|
|
907
|
+
"enhanced-audit-on-affected-path",
|
|
908
|
+
"edr-anomaly-detection-on-affected-primitive",
|
|
909
|
+
"monthly-residual-risk-review"
|
|
910
|
+
],
|
|
643
911
|
"risk_acceptance_owner": "manager",
|
|
644
912
|
"auditor_ready_language": "Pursuant to ${framework_id} ${control_id}, the organization documents a time-bound risk acceptance for hardening flag(s) ${flag_list} on ${affected_host_count} host(s). Workload requirement: ${workload_requirement_narrative}. Compensating controls in place: ${compensating_controls}. Residual exposure post-compensation: only those kernel LPEs whose primitive specifically requires the relaxed flag AND whose mitigation path does not exist in MAC policy. Risk accepted by ${manager_name} on ${acceptance_date}. Time-bound until ${duration_expiry}. Detection coverage during the exception window is provided by ${detection_controls}. Re-evaluation triggers: (a) workload no longer requires the relaxed flag, (b) listed expiry date, (c) new exploitation indicator firing on the affected primitive — whichever is first."
|
|
645
913
|
}
|
|
@@ -651,22 +919,27 @@
|
|
|
651
919
|
}
|
|
652
920
|
}
|
|
653
921
|
},
|
|
654
|
-
|
|
655
922
|
"directives": [
|
|
656
923
|
{
|
|
657
924
|
"id": "full-hardening-posture",
|
|
658
925
|
"title": "Full hardening posture inventory — sysctl, cmdline, MAC, sshd, sudoers, PAM",
|
|
659
|
-
"applies_to": {
|
|
926
|
+
"applies_to": {
|
|
927
|
+
"always": true
|
|
928
|
+
}
|
|
660
929
|
},
|
|
661
930
|
{
|
|
662
931
|
"id": "kernel-lpe-gating-flags",
|
|
663
932
|
"title": "Targeted directive — flags that gate catalogued kernel LPE exploitability",
|
|
664
|
-
"applies_to": {
|
|
933
|
+
"applies_to": {
|
|
934
|
+
"attack_technique": "T1068"
|
|
935
|
+
}
|
|
665
936
|
},
|
|
666
937
|
{
|
|
667
938
|
"id": "userns-gating-flag",
|
|
668
939
|
"title": "Targeted directive — unprivileged_userns_clone state for CVE-2026-31431",
|
|
669
|
-
"applies_to": {
|
|
940
|
+
"applies_to": {
|
|
941
|
+
"cve": "CVE-2026-31431"
|
|
942
|
+
}
|
|
670
943
|
}
|
|
671
944
|
]
|
|
672
945
|
}
|
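Review bot: The `raise_severity` rule in `escalation_criteria` (new line 638) keys on `selinux_disabled`, so a host with SELinux in Permissive mode appears not to escalate. That conflicts with this file's own `selinux-permissive-as-enabled` fingerprint, which says to treat Permissive as Disabled for blast radius, and with the rwep input named `selinux-not-enforcing`. Unless the indicator definitions outside the visible hunks make `selinux_disabled` cover Permissive, I would write it as `"condition": "selinux_not_enforcing == true AND apparmor_no_enforcing_profiles == true AND blast_radius_score >= 3"`, assuming signal ids map to underscore names the way `sshd_permitrootlogin_yes` does. The `scoring_rubric` conditions at new lines 579 and 589 also mix AND and OR without parentheses. If the runner ever evaluates them rather than displaying them, a host that is only an identity broker could score 5 with no drift at all, so the grouping should be made explicit.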