Baseline Configuration

Defining Expected System State

The baseline file (baseline.yaml) defines what "compliant" looks like for your systems. It maps ISO 27002:2022 controls to specific checks executed by collectors (users, processes, ports and files), so the baseline is both the expected state and the audit plan: anything a collector observes that disagrees with it is reported as a delta.

Structure

meta:
  version: "1.0"
  standard: "ISO 27002:2022"
  organization: "Your Org"
  last_reviewed: "2026-01-18"
  auditor: "Clotho Engine v1.0"

nodes:
  # Remote systems to audit
  athena:
    host: "athena.local"
    port: 22
    user: "auditor"
    description: "Primary application server"

controls:
  # ISO control mappings
  "8.20":
    title: "Network Security"
    collectors:
      ports:
        allowed: [22, 443]
        forbidden: [21, 23]

audit:
  timeout_seconds: 30
  parallel_nodes: true
  fail_on_first_delta: false
  evidence_retention_days: 90

Metadata Block

Field           Description
version         Baseline version string
standard        Compliance standard (e.g., ISO 27002:2022)
organization    Organization name for reports
last_reviewed   Date the baseline was last reviewed (YYYY-MM-DD)
auditor         Tool identifier

Node Definitions

Each node represents a remote system to audit:

nodes:
  athena:
    host: "192.168.1.10"  # IP or hostname
    port: 22              # SSH port
    user: "auditor"       # SSH user
    description: "Primary application server"

SSH authentication uses the key specified via --key-file or the default SSH agent. Use a dedicated account for `user` with only the privileges the collectors need: the checks in this document read configuration files and enumerate users, processes and listening ports, none of which should require an interactive or sudo-capable login.

ISO 27002:2022 Control Mappings

Controls map standard requirements to collector checks. Control IDs must be quoted: an unquoted key such as 8.20 is parsed by YAML as the number 8.2, and the mapping to the ISO control is lost.

5.15 - Access Control

"5.15":
  title: "Access Control"
  description: "Rules to control access to information"
  collectors:
    users:
      allowed: [root, leo, www-data]
      forbidden: [guest, test, temp]

5.17 - Authentication Information

"5.17":
  title: "Authentication Information"
  collectors:
    files:
      - path: "/etc/ssh/sshd_config"
        sha256: null  # Will capture on first run
      - path: "/etc/pam.d/common-auth"
        sha256: null

A null sha256 is trust-on-first-use: the digest observed on the first run becomes the expected value for every later run. Capture it only from a host you have verified by other means, then commit the captured digests to the baseline so the expected state is reviewed rather than inherited from whatever the host happened to contain.

8.20 - Network Security

"8.20":
  title: "Network Security"
  collectors:
    ports:
      allowed: [22, 80, 443]
      forbidden: [21, 23, 25, 3389, 5900]

8.21 - Security of Network Services

"8.21":
  title: "Security of Network Services"
  collectors:
    processes:
      allowed: [sshd, systemd, cron]
      forbidden: [telnetd, rshd, fingerd]
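How the allowed/forbidden lists and the null sha256 can be evaluated against what a collector observes, as an added example that is not Clotho's own code. The severities, the decision to report an observed item that appears in neither list, and the first-run capture of a null digest are assumptions; the observations are constructed inline to stand in for collector output.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Delta:
    control: str
    collector: str
    item: str
    severity: str   # assumption: "high" for forbidden items, "medium" for merely unexpected ones
    detail: str


def evaluate_list_collector(control, collector, spec, observed):
    """Compare observed users/processes/ports with an allowed/forbidden spec."""
    allowed = set(spec.get("allowed") or [])
    forbidden = set(spec.get("forbidden") or [])
    deltas = []
    for item in sorted(observed, key=str):
        if item in forbidden:
            deltas.append(Delta(control, collector, str(item), "high", "forbidden item present"))
        elif item not in allowed:
            # Assumption: anything not explicitly allowed is reported too (deny by default).
            deltas.append(Delta(control, collector, str(item), "medium", "not in allowed list"))
    return deltas


def evaluate_files(control, spec, observed_digests):
    """Compare observed file digests with the baseline.

    Returns (deltas, pinned). A null sha256 in the baseline is trust-on-first-use:
    the observed digest is returned in `pinned` so it can be written back into the
    baseline, and no delta is raised for that file on this run.
    """
    deltas, pinned = [], {}
    for entry in spec:
        path, expected = entry["path"], entry.get("sha256")
        actual = observed_digests.get(path)
        if actual is None:
            deltas.append(Delta(control, "files", path, "high", "file missing or unreadable"))
        elif expected is None:
            pinned[path] = actual
        elif actual != expected:
            deltas.append(Delta(control, "files", path, "high",
                                f"sha256 {expected[:12]}... changed to {actual[:12]}..."))
    return deltas, pinned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed observations standing in for what the collectors would return from athena.
OBSERVED_USERS = {"root", "leo", "www-data", "guest"}
OBSERVED_PORTS = {22, 23, 80, 443, 8080}
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/pam.d/common-auth": sha256_hex(b"auth required pam_unix.so nullok\n"),
}

# The control mappings from this page, with one digest already pinned and one still null.
BASELINE_CONTROLS = {
    "5.15": {"users": {"allowed": ["root", "leo", "www-data"], "forbidden": ["guest", "test", "temp"]}},
    "8.20": {"ports": {"allowed": [22, 80, 443], "forbidden": [21, 23, 25, 3389, 5900]}},
    "5.17": {"files": [
        {"path": "/etc/ssh/sshd_config", "sha256": None},   # first run: capture
        {"path": "/etc/pam.d/common-auth", "sha256": sha256_hex(b"auth required pam_unix.so\n")},
    ]},
}


def run_audit():
    """Evaluate every control above; returns (deltas, digests captured on first run)."""
    deltas = []
    deltas += evaluate_list_collector("5.15", "users", BASELINE_CONTROLS["5.15"]["users"], OBSERVED_USERS)
    deltas += evaluate_list_collector("8.20", "ports", BASELINE_CONTROLS["8.20"]["ports"], OBSERVED_PORTS)
    file_deltas, pinned = evaluate_files("5.17", BASELINE_CONTROLS["5.17"]["files"], OBSERVED_FILES)
    return deltas + file_deltas, pinned


if __name__ == "__main__":
    found, captured = run_audit()
    for d in found:
        print(f"[{d.severity}] {d.control}/{d.collector} {d.item}: {d.detail}")
    for path, digest in captured.items():
        print(f"captured {path} sha256={digest}  # write this into the baseline")
```

With these observations the run reports the forbidden user `guest`, the forbidden port 23, the unexpected port 8080 and the modified common-auth (the `nullok` addition changes its digest), while sshd_config is captured rather than judged because its baseline digest was null.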

Audit Parameters

Parameter                Default   Description
timeout_seconds          30        SSH command timeout (seconds)
parallel_nodes           true      Audit nodes concurrently
fail_on_first_delta      false     Stop on first finding
evidence_retention_days  90        Days to keep old audit evidence

Validation

Always validate your baseline before running audits:

python clotho.py --validate-only

This checks for YAML syntax errors and ensures all referenced collectors exist.
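The kind of structural checks a validation pass can make on a parsed baseline, as an added example that is not Clotho's own validator. The set of collector names, the required metadata fields, and the port and sha256 rules are assumptions drawn from this page; the sample baseline is constructed with deliberate mistakes.

```python
import re

# Assumption: the four collectors documented on this page are the only ones.
KNOWN_COLLECTORS = {"users", "processes", "ports", "files"}
REQUIRED_META = ("version", "standard", "organization", "last_reviewed", "auditor")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def _valid_port(value) -> bool:
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate_baseline(baseline: dict) -> list:
    """Return a list of problems found; an empty list means the baseline passed."""
    errors = []

    meta = baseline.get("meta") or {}
    for key in REQUIRED_META:
        if key not in meta:
            errors.append(f"meta: missing field '{key}'")

    nodes = baseline.get("nodes") or {}
    if not nodes:
        errors.append("nodes: at least one node is required")
    for name, node in nodes.items():
        for key in ("host", "user"):
            if not node.get(key):
                errors.append(f"nodes.{name}: missing '{key}'")
        if not _valid_port(node.get("port", 22)):
            errors.append(f"nodes.{name}: port {node.get('port')!r} is not in 1..65535")

    for cid, control in (baseline.get("controls") or {}).items():
        if not isinstance(cid, str):
            # An unquoted 8.20 is parsed by YAML as the float 8.2, so the control ID is lost.
            errors.append(f'controls: id {cid!r} must be a quoted string such as "8.20"')
        collectors = control.get("collectors") or {}
        if not collectors:
            errors.append(f"controls.{cid}: no collectors defined")
        for cname, spec in collectors.items():
            if cname not in KNOWN_COLLECTORS:
                errors.append(f"controls.{cid}: unknown collector '{cname}'")
            elif cname == "files":
                for entry in spec:
                    digest = entry.get("sha256")
                    if digest is not None and not SHA256_RE.match(str(digest)):
                        errors.append(f"controls.{cid}.files: {entry.get('path')} has a malformed sha256")
            else:
                allowed = set(spec.get("allowed") or [])
                forbidden = set(spec.get("forbidden") or [])
                overlap = sorted(allowed & forbidden, key=str)
                if overlap:
                    errors.append(f"controls.{cid}.{cname}: {overlap} listed as both allowed and forbidden")
                if cname == "ports":
                    for port in sorted(allowed | forbidden, key=str):
                        if not _valid_port(port):
                            errors.append(f"controls.{cid}.ports: {port!r} is not a valid port")
    return errors


# Constructed sample mirroring the structure above, with three deliberate mistakes:
# a missing auditor field, port 22 both allowed and forbidden, and a malformed digest.
SAMPLE_BAD = {
    "meta": {"version": "1.0", "standard": "ISO 27002:2022",
             "organization": "Your Org", "last_reviewed": "2026-01-18"},
    "nodes": {"athena": {"host": "athena.local", "port": 22, "user": "auditor"}},
    "controls": {
        "8.20": {"title": "Network Security",
                 "collectors": {"ports": {"allowed": [22, 443], "forbidden": [21, 22]}}},
        "5.17": {"title": "Authentication Information",
                 "collectors": {"files": [{"path": "/etc/ssh/sshd_config", "sha256": "deadbeef"}]}},
    },
}

if __name__ == "__main__":
    # In practice the dict comes from yaml.safe_load(open("baseline.yaml")).
    for problem in validate_baseline(SAMPLE_BAD):
        print("error:", problem)
```

The validator works on the parsed dictionary, so the same checks apply whether the input came from baseline.yaml or was built programmatically; the float-key check is the one that catches the unquoted control ID mistake before it silently produces a control named 8.2.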