Cmon
NIST Information Security Continuous Monitoring (ISCM) and configuration baseline data collector
Install / Use
/learn @perlogix/CmonREADME
cmon
Table of Contents
- Overview
- Install
- Install Dependencies
- Getting Started Vagrant
- Command-Line Arguments
- Configuration
- Vagrant
- Platforms Tested On
Overview
NIST Information Security Continuous Monitoring (ISCM) and configuration baseline data collector.
Great for keeping track of elastic environments, auditing or migrating servers by storing data in ElasticSearch or outputting to STDOUT.
Resources gathered if applicable:
- Asset Type
- Auditd Rules
- Chassis Type
- Cloud / Container Detection
- CPU Count
- CPU Stats
- CPU Vulnerabilities
- ClamAV Definitions
- Crontabs
- Disk Stats
- DMesg Errors
- Docker Containers
- Docker Images
- Docker Stats
- Domain Name
- EC2 Instance Metadata
- Environment
- Expired SSL Certs
- Failed Logins
- Ruby Gems
- Hostname
- IP Address
- IPTables Rules
- IP Routes
- Kernel Version
- Load Averages
- Loaded Kernel Modules
- Memory Stats
- Network Interface Stats
- NTP Servers
- NTP Running
- RPM / Deb Packages
- Python Pip Packages
- Public
- Snap Packages
- Sysctl Kernel Parameters
- Systemd Failed Services
- Systemd Timers
- Processes
- OpenSCAP XCCDF Scan
- OS Platform
- OS Family
- OS Version
- TCP 4/6 Listening Open Ports
- Timezone
- Trivy Scan
- Uptime
- Users
- Users Logged In
- Virtualization
- Virtualization System
Example JSON Output
{
"audit_rules":[
"-w /var/log/audit/ -p wa -k LOG_audit",
"-w /etc/audit/auditd.conf -p wa -k CFG_audit",
"-w /etc/rc.d/init.d/auditd -p wa -k CFG_audit",
"-w /etc/sysconfig/auditd -p wa -k CFG_audit",
"-w /etc/audit/audit.rules -p wa -k CFG_audit",
"-w /etc/localtime -p wa -k time-change,CFG_system"
],
"chassis_type":"notebook",
"cloud":"k8s container",
"cpu_count":4,
"cpu_pct":76,
"cpu_vulns":[
"/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, IBPB: disabled, STIBP: disabled",
"/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable"
],
"clamav_defs": "ClamAV 0.102.4/26037/Sun Jan 3 12:37:28 2021",
"crontabs":[
"25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )",
"47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )",
"52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )",
"@monthly 15 cron.monthly run-parts --report /etc/cron.monthly"
],
"diskfree_gb":6,
"disktotal_gb":8,
"diskused_gb":19,
"dns_nameserver":[
"8.8.8.8",
"8.8.4.4"
],
"dmesg_errors":"ACPI BIOS Error (bug): Failure creating named object [B.PCI0.RP17.PXSX.TBDU], AE_ALREADY_EXISTS (20200717/dswload2-326) ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20200717/psobject-220)",
"docker_containers":[
"name=kibana image=kibana:7.4.0 command=/usr/local/bin/dumb-init -- /usr/local/bin/kibana-docker ports=[] state=running status=Up About a minute",
"name=elasticsearch image=elasticsearch:7.4.0 command=/usr/local/bin/docker-entrypoint.sh eswrapper ports=[] state=running status=Up 3 minutes",
"name=redis image=redis command=docker-entrypoint.sh redis-server ports=[{127.0.0.1 6379 6379 tcp}] state=running status=Up About an hour"
],
"docker_running":3,
"docker_images_count":3,
"docker_images":[
"name=kibana:7.4.0 size=1.097GB created=2019-09-27T05:25:49-04:00",
"name=elasticsearch:7.4.0 size=858.7MB created=2019-09-27T04:42:16-04:00",
"name=redis:latest size=95MB created=2019-03-26T20:49:00-04:00"
],
"domain":"ec2.internal",
"ec2_ami_id":"ami-bc8131d4",
"ec2_availability_zone":"us-east-1b",
"ec2_instance_id":"i-1b8cc9cc",
"ec2_instance_type":"t1.micro",
"ec2_profile":"default-paravirtual",
"ec2_public_ip4":"54.145.182.91",
"ec2_security_groups":"default",
"environment":"dev",
"expired_certs":[
"/etc/ssl/server.crt Certificate will expire",
"/etc/nginx/server.crt Certificate will expire",
"/etc/httpd/server.crt Certificate will expire"
],
"failed_logins":[
"root pts/1 Sun Jan 3 17:30 - 17:30 (00:00)"
],
"gem":[
"arr-pm-0.0.9",
"backports-3.6.4",
"cabin-0.7.1",
"childprocess-0.5.6",
"clamp-0.6.4",
"ffi-1.9.8",
"fpm-1.3.3",
"json-1.8.2"
],
"hostname":"ip-10-28-229-205",
"ipaddress":"10.28.229.205",
"iptables":[
"ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED",
"DROP all -f anywhere anywhere ",
"ACCEPT tcp -- localhost anywhere tcp dpt:webcache",
"ACCEPT tcp -- localhost anywhere tcp dpt:webcache",
"DROP tcp -- anywhere anywhere tcp dpt:webcache",
"ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED",
"ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100",
"ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED",
"ACCEPT tcp -- anywhere anywhere tcp spt:webcache state ESTABLISHED"
],
"ip_route":[
"default via 192.168.1.1 dev eth0 ",
"172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1 ",
"192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 "
],
"network_interfaces":[
{
"interface":"enp60s0",
"mtu":1500,
"rx_ok":0,
"rx_err":0,
"rx_drop":0,
"rx_overrun":0,
"tx_ok":0,
"tx_err":0,
"tx_drop":0,
"tx_overrun":0,
"flag":"BMU"
}
],
"kernel_version":"2.6.32-431.29.2.el6.x86_64",
"lastrun":"2015-05-21T23:29:49-04:00",
"load15":0,
"load1":0,
"load5":0,
"loaded_kernel_modules":[
"uinput 20480 0",
"binfmt_misc 16384 1"
],
"memoryfree_gb":2,
"memorytotal_gb":16,
"memoryused_gb":14,
"ntp_servers":[
"server ntp.server.com"
],
"ntp_running": true,
"os":"linux",
"packages":[
"acl-2.2.49-6.el6.x86_64",
"acpid-1.0.10-2.1.el6.x86_64",
"alsa-lib-1.0.22-3.el6.x86_64",
"atk-1.30.0-1.el6.x86_64"
],
"pip":[
"distribute-0.6.10",
"Flask-0.10.1",
"Flask-Limiter-0.7.4"
],
"pip3":[
"aiofiles-0.4.0",
"aiohttp-3.3.2",
"apturl-0.5.2"
],
"platform":"centos",
"platform_family":"rhel",
"platform_verison":"6.5",
"processes":[
"pid=1 ppid=0 name=systemd user=root cpu_pct=0 mem_pct=0",
"pid=2 ppid=0 name=kthreadd user=root cpu_pct=0 mem_pct=0"
],
"public":false,
"snaps":[
"core-16-2.31.1",
"slack-3.0.5"
],
"sysctl":[
"abi.vsyscall32=1",
"debug.exception-trace=1"
],
"systemctl_failed":[
"0 loaded units listed."
],
"systemd_timers":[
"Wed 2020-12-09 17:31:09 EST 30min left Wed 2020-12-09 16:34:56 EST 25min ago anacron.timer anacron.service",
"Wed 2020-12-09 19:56:18 EST 2h 56min left Wed 2020-12-09 13:57:56 EST 3h 2min ago fwupd-refresh.timer fwupd-refresh.service"
],
"open_ports":[
"addr=127.0.0.1 port=58494 name=code proto=tcp",
"addr=0.0.0.0 port=5601 name=node proto=tcp",
"addr=:: port=9200 name=0 proto=tcp"
],
"openscap":{
"status":false,
"checks":71,
"failed":[
{
"title":"Enable auditd Service",
"rule":"xccdf_org.ssgproject.content_rule_service_auditd_enabled",
"result":"fail"
},
{
"title":"Ensure auditd Collects System Administrator Actions",
"rule":"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions",
"result":"fail"
}
],
"warnings":null
},
"timezone":"UTC",
"trivy":[
{
"Target":"k3s (ubuntu 20.04)",
"Type":"ubuntu",
"Vulnerabilities":[
{
"VulnerabilityID":"CVE-2012-6655",
"PkgName":"accountsservice",
"InstalledVersion":"0.6.55-0ubuntu12~20.04.1",
"Layer":{
"DiffID":"sha256:7a32807fe5359af26e10053cb110e4a7576afa4a63c26d4af5ab763d6784fae7"
},
"SeveritySource":"ubuntu",
"Title":"accountsservice: local encrypted password disclosure when changing password",
"Description":"An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords.",
"Severity":"LOW",
"CweIDs":[
"CWE-732"
],
"VendorVectors":{
"nvd":{
"v2":"AV:L/AC:L/Au:N/C:P/I:N/A:N",
"v3":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
},
"redhat":{
"v2":"AV:L/AC:M/Au:N/C:P/I:N/A:N"
}
},
"CVSS":{
"nvd":{
"V2Vector":"AV:L/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"V2Score":2.1,
"V3Score":3.3
},
"redhat":{
"V2Vector":"AV:L/AC:M/Au:N/C:P/I:N/A:N",
"V2Score":1.9
}
},
"References":[
"http://openwall.com/lists/oss-security/2014/08/15/5",
"http://www.openwall.com/lists/oss-security/2014/08/16/7",
"http://www.securityfocus.com/bid/69245",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6655",
"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-6655",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-20
