Hubble is a modular, open-source security compliance framework. The project provides on-demand profile-based auditing, real-time security event notifications, alerting, and reporting. HubbleStack is a free and open source project made possible by Adobe. https://github.com/adobe

Overview

Welcome to HubbleStack!!

You can find the docs here

You can file an issue here

Follow us on Twitter!

Development

Below are sample instructions to setup a dev environment:

  1. virtualenv myvirtualenv
  2. source myvirtualenv/bin/activate
  3. pip install -r requirements.txt
  4. sudo python setup.py develop
  5. sudo hubble hubble.audit
Comments
  • Documentation on vulners cve (since old cve profile has been deprecated)

    Documentation on vulners cve (since old cve profile has been deprecated)

    I am having trouble getting CVE scan data since the cve scan has been moved to vulners.py

    Is there documentation on this? If so, I will look it over to see if I can figure out what is wrong.

    If not here is the relevant data:

    [[email protected] cve]# pwd
    /srv/salt/hubblestack_data/hubblestack_nova_profiles/cve
    [[email protected] cve]# cat vulners.yaml
    vulners_scanner: True
    vulners_api_key: <my key>
    
    pwd; cat top.nova
    /srv/salt/hubblestack_data/hubblestack_nova_profiles
    # Default top.nova
    #
    # Subscribes to CIS, cve_scan, and misc.yaml for miscellaneous checks
    
    nova:
      '*':
        #- security.meltdown_spectre
        - security.ssh_passwordauthentication
        #- cis.distribution-independent-linux-level-1-all-v1-1-0
        - vulners
    

    Output from hubble audit:

    hubble hubble.audit
    {'Compliance': '0%',
     'Failure': [{'sshd-authenticationmethods-publickey': 'Check for explicitly configured publickey authentication method'},
                 {'sshd-passwordauthentication-no': 'Ensure password authentication is disabled in sshd_config'}]}
    

    Also, I would like to make sure the functionality in the previous scan to be able to use a local json file for CVE data was still supported.

    Bug Packaging Jira 
    opened by AfterSpencer 20
  • /modules/stat_nova.py giving error for RHEL6 minion

    /modules/stat_nova.py giving error for RHEL6 minion

    salt pj-rhel6-sensoring.lab04.local hubble.audit OS_Linux . This is only on RHEL6 VM . We have other linux VM ( Centso6 , Cetos7 , RHEL7 ) but error is specific to RHEL6 which is on Red Hat Enterprise Linux Server release 6.9 (Santiago) .

    pj-rhel6-sensoring.lab04.local:
        ----------
        Compliance:
            68%
        Errors:
            |_
              ----------
              **/modules/stat_nova.py**:
                  ----------
                  data:
                      CommandExecutionError: Path not found: /usr/local/patchagent/patchservice
                  error:
                      exception occurred
        Failure:
            |_
              ----------
              OS_Linux_v12-02:
                  Ensure timezone is set correctly
            |_
              ----------
              OS_Linux_v12-15:
                  SSH Root login disabled
            |_
              ----------
              OS_Linux_v12-16:
                  Ensure iptables modules are loaded
            |_
              ----------
              OS_Linux_v12-10:
                  Ensure sudoers file has non-default commands added to it
            |_
              ----------
              OS_Linux_v12-03:
                  Ensure patchagent services are running
            |_
              ----------
              OS_Linux_v12-05:
                  Ensure swap volume is on separate disk
        Success:
            |_
              ----------
              OS_Linux_V12-11:
                  Root passwd should be set
            |_
              ----------
              OS_Linux_v12-13:
                  No blank passwords allowed
    
    
    
    **salt-minion version**  
    [[email protected] tmp]# salt-minion -V
    Salt Version:
               Salt: 2017.7.4
    
    Dependency Versions:
               cffi: Not Installed
           cherrypy: Not Installed
           dateutil: Not Installed
          docker-py: Not Installed
              gitdb: Not Installed
          gitpython: Not Installed
              ioflo: Not Installed
             Jinja2: 2.8.1
            libgit2: Not Installed
            libnacl: Not Installed
           M2Crypto: Not Installed
               Mako: Not Installed
       msgpack-pure: Not Installed
     msgpack-python: 0.4.6
       mysql-python: Not Installed
          pycparser: Not Installed
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: Not Installed
             Python: 2.7.14 (default, Jan 31 2018, 02:12:13)
       python-gnupg: Not Installed
             PyYAML: 3.11
              PyZMQ: 14.5.0
               RAET: Not Installed
              smmap: Not Installed
            timelib: Not Installed
            Tornado: 4.2.1
                ZMQ: 4.0.5
    
    System Versions:
               dist: redhat 6.9 Santiago
             locale: UTF-8
            machine: x86_64
            release: 2.6.32-696.13.2.el6.x86_64
             system: Linux
            version: Red Hat Enterprise Linux Server 6.9 Santiago
    
    Bug P2 Modules hubble-salt Nova 
    opened by sam0104 18
  • oval_scanner.py and splunk_nova_return.py enhancements/fixes

    oval_scanner.py and splunk_nova_return.py enhancements/fixes

    oval_scanner.py has been refactored to provide more accurate package version comparison and includes some fixes. It also captures greater details about advisories, and splunk_nova_return.py has been refactored to send those details to a Splunk backend. For comparison, this is how data in Splunk looks before the refactor:

    { 
       check_id: RHSA-2015:1705: bind security update (Important)
       check_result: Failure
       description: Vulnerable Package(s): bind-libs-32:9.11.4-9.P2.el7, bind-libs-lite-32:9.11.4-9.P2.el7, bind-license-32:9.11.4-9.P2.el7, bind-utils-32:9.11.4-9.P2.el7
       dest_fqdn: <hostname>
       dest_host: <hostname>
       dest_ip: <ip address>
       job_id: <job_id>
       minion_id: <minion id>
       system_uuid: <system uuid>
    }
    

    After the refactor, the data looks like this:

    { 
       advisory: { 
         RHSA-2020:2344: https://access.redhat.com/errata/RHSA-2020:2344
       }
       check_id: RHSA-2020:2344: bind security update (Important)
       check_result: Failure
       cve: [ 
         { 
           CVE-2020-8616: https://access.redhat.com/security/cve/CVE-2020-8616
         }
         { 
           CVE-2020-8617: https://access.redhat.com/security/cve/CVE-2020-8617
         }
       ]
       description: Vulnerable Package(s): bind-export-libs-32:9.11.4-9.P2.el7, bind-libs-32:9.11.4-9.P2.el7, bind-libs-lite-32:9.11.4-9.P2.el7, bind-license-32:9.11.4-9.P2.el7, bind-utils-32:9.11.4-9.P2.el7
       dest_fqdn: <hostname>
       dest_host: <hostname>
       dest_ip: <ip address>
       impated_pkgs:
         {
           name: bind-export-libs
           version: 32:9.11.4-9.P2.el7
         }
         { 
           name: bind-libs
           version: 32:9.11.4-9.P2.el7
         }
         { 
           name: bind-libs-lite
           version: 32:9.11.4-9.P2.el7
         }
         {
           name: bind-license
           version: 32:9.11.4-9.P2.el7
         }
         {
           name: bind-utils
           version: 32:9.11.4-9.P2.el7
         }
       ]
       job_id: <job id>
       minion_id: <minion id>
       severity: Important
       system_uuid: <system uuid>
    }
    

    The more detailed data gives us the ability to make better dashboards within Splunk, as well as pivot off the specifics to give us better flexibility in reporting.

    Along with this, the oval_scanner.py vulnerability collections are now threaded for faster reporting.

    opened by buddwm 16
  • Logo Idea

    Logo Idea

    Hey there @basepi

    We met briefly at the Adobe Open Source Summit and I said I was interested in creating you a logo for this project. I think I remember you asking for something flattish design? In any case, I've come up with an idea attached here. Let me know if this is something that you're looking for.

    Large: hubble2-sized

    Small: hubble2-sized-small

    opened by timkim 15
  • Adding fdg module for certificate discovery

    Adding fdg module for certificate discovery

    This module is capable of connecting to any port and fetching certificate details for a certificate attached on it. The module is supposed to work in conjunction with fdg's osquery module. The osquery module would supply information about open ports after which this module extracts certificate information.

    Backport Complete 
    opened by MoodyMudit 13
  • splunk DRY things

    splunk DRY things

    I was talking with George Starcher about a minor issue in hubblestack/splunklogging's hec object. I fixed that minor bug, but later learned sendEvent() isn't actually used (just batch events).

    While trying to fix the non-issue I noticed there were four versions of his http_event_collector object and four ways to fetch the options for it. I've attempted to DRY those objects and their _get_options for easier ongoing maintenance. (Suppose the next bug is real, but now we have 4 variants of the HEC to modify.)

    Thoughts welcome.

    opened by jettero 13
  • I think this will sort out The Elusive Signing Bug

    I think this will sort out The Elusive Signing Bug

    For the record, the Elusive Signing Bug is a subtle bug where when a file fails the repo signing checks, it's still sometimes served to the code that was looking for it. It was extremely difficult to reproduce for some reason (even though some people could reproduce it every time).

    I spent a horrific amount of time tracking this down. I finally determined that cp.cache_dir was never meant to be a proper sync. The original authors of hubble.audit.sync provided a clean argument that would file.remove the cache dir to prevent objects deleted from the repo sticking around after being elided.

    The problem is that removing the whole cache and re-downloading it on every schedule loop is expensive, so someone disabled it later. It was probably thought that the regular file_client.channel.fs.update() (which invokes the fileserver.reap_fileserver_cache_dir()) would properly handle these cases; but it definitely does not appear to do so.

    Essentially the problem is the double cache copy situation:

    1. we first copy from the fileserver (roots, or gitfs or whatever) into roots (i.e. /var/cache/hubble/roots)
    2. cp.cache_dir then copies from roots to files (i.e. /var/cache/hubble/files)
    3. the daemon file_client.channel.fs.update() updates the roots (but never attempts to clean up the files copy).
    4. signing needs these files to not be found, which is handled in roots but not files

    It's worth noting that the unwelcome leftover files were at least downloaded in good faith. To get downloaded at all, they either had to be downloaded before signing was a thing or at some point when signing verified they were OK...

    But they should definitely get cleaned up when they fail the signing pass.

    The fix: I taught cp.cache_dir how to notice these files missing in roots that exist in files. It can now remove them automatically during what should have been a proper sync. Note that the old behavior can be restored by setting cleanup_existing=False but I can't think of a scenario where this would be desirable.

    There's still the remaining question: Why did this affect hubble.audit but not audit.run?

    Answer: hubble.audit uses cp.cache_dir to copy the whole thing all at once; but audit.run uses cp.cache_file and checks the result. Specifically checking one file, will indeed reveal the file is missing in roots even if it exists in files as a spurious older file. (module_runner.runner.make_file_available also uses cp.cache_file, so the hubble.audit issue is entirely avoided in the successor).

    my old (wrong) analysis: ~~Basically the problem is that various parts of the hubble code base read from the fileserver cache directly (rather than using the intended interfaces for such tasks). The repo signing checks are injected into the fileserver find_file() mechanisms, which normally trigger a fileserver.reap_cache_dir() hit, causing the file to be deleted from the cache.~~

    ~~But in some cases, apparently, a cache refresh isn't even part of the invocation of the execution module(s) in question. So the "reaping" never happens (at least not during the execution) and the failing file is serv^H^H^H^H read from the cache as if it was OK.~~

    ~~All this means, that it feels like a race condition to me. Eventually there would have been a cache refresh that would have cleared the failing file (via the reaping mechanism). This patch simply forces the reaping of files that fail the signing check so there's no need to wait for the reaping and no question about when it happens in the case of a signature check failure.~~

    opened by jettero 12
  • fix: sourcetype = 'hubble_fdg_' + fdg_file

    fix: sourcetype = 'hubble_fdg_' + fdg_file

    Apparently we do want to extend the sourcetype name from hubble_fdg to hubble_fdg_filename but let's choose to do that without the salt:// protocol and without the .fdg file extension; while we're at it, make sure to replace all non alphanumerics with an underscore.

    Backport Complete 
    opened by jettero 11
  • 'hubble.sync' is not available for SLES11 SP4 minions ( Specific to SUSE )

    'hubble.sync' is not available for SLES11 SP4 minions ( Specific to SUSE )

    **# salt '*' hubble.sync minion1: 'hubble.sync' is not available. minion2: 'hubble.sync' is not available.

    salt '*' hubble.audit

    minion1: 'hubble.audit' is not available. minion2: 'hubble.audit' is not available.**

    We are using hubble module for audit and it is wokring fine for RHEL and Centos but on SLES linux hubble.sycn is not working. For SLES the official salt-minion version is salt-minion-2016.11.4-13.1.x86_64 . We do not have any updated version for SLES11 SP4.

    Trouble shooting

    salt '' saltutil.clear_cache salt '' saltutil.sync_all salt '*' hubble.sync

    tried above commands still no luck for SLES11 SP4 minions.

    **Salt master version

    # salt-master --versions-report Salt Version: Salt: 2017.7.2

    Dependency Versions: cffi: Not Installed cherrypy: unknown dateutil: Not Installed docker-py: Not Installed gitdb: Not Installed gitpython: Not Installed ioflo: Not Installed Jinja2: 2.7.2 libgit2: Not Installed libnacl: Not Installed M2Crypto: Not Installed Mako: Not Installed msgpack-pure: Not Installed msgpack-python: 0.4.6 mysql-python: Not Installed pycparser: Not Installed pycrypto: 2.6.1 pycryptodome: Not Installed pygit2: Not Installed Python: 2.7.5 (default, Aug 4 2017, 00:39:18) python-gnupg: Not Installed PyYAML: 3.11 PyZMQ: 15.3.0 RAET: Not Installed smmap: Not Installed timelib: Not Installed Tornado: 4.2.1 ZMQ: 4.1.4

    System Versions: dist: centos 7.4.1708 Core locale: UTF-8 machine: x86_64 release: 3.10.0-693.11.1.el7.x86_64 system: Linux version: CentOS Linux 7.4.1708 Core

    salt minion version on SLEL11 SP4

    # /usr/bin/salt-minion --versions-report Salt Version: Salt: 2016.11.4

    Dependency Versions: cffi: Not Installed cherrypy: Not Installed dateutil: Not Installed docker-py: Not Installed gitdb: Not Installed gitpython: Not Installed ioflo: Not Installed Jinja2: 2.6 libgit2: Not Installed libnacl: Not Installed M2Crypto: 0.21.1 Mako: Not Installed msgpack-pure: Not Installed msgpack-python: 0.4.6 mysql-python: Not Installed pycparser: Not Installed pycrypto: 2.6.1 pycryptodome: Not Installed pygit2: Not Installed Python: 2.6.9 (unknown, Apr 7 2015, 08:28:12) python-gnupg: Not Installed PyYAML: 3.10 PyZMQ: 14.0.0 RAET: Not Installed smmap: Not Installed timelib: Not Installed Tornado: 4.2.1 ZMQ: 4.0.8

    System Versions: dist: SuSE 11 x86_64 machine: x86_64 release: 3.0.101-68-default system: Linux version: SUSE Linux Enterprise Server 11 x86_64

    hubble module is missing on SLES11SP4 minions while checking with sys.list_modules but on Centos6 and Centos7 I can see the hubble module without any issue.

    salt 'minion1' sys.list_modules

    minion1: - acl - aliases - alternatives - appcontrol - archive - artifactory - at - beacons - blockdev - bridge - btrfs - buildout - certificates_import - cloud - cmd - composer - config - consul - container_resource - cp - cpan - cron - data - defaults - devmap - dig - disk - django - dnsmasq - dnsutil - drbd - elasticsearch - environ - etcd - ethtool - event - extfs - file - gem - genesis - grains - group - grub - hashutil - hipchat - hosts - http - img - incron - ini - inspector - introspect - ip - iptables - iwtools - jboss7 - jboss7_cli - k8s - key - kmod - locale - locate - logrotate - lowpkg - lvm - match - mine - minion - modjk - mount - nagios_rpc - network - nfs3 - nova_loader - openscap - openstack_config - oscap - pagerduty - pam - partition - pillar - pip - pkg - pkg_resource - postfix - postgres_cfg - ps - publish - puppet - pushover - pyenv - quota - raid - random - random_org - rbenv - rest_sample_utils - restartcheck - ret - rsync - rvm - s3 - s6 - salt_proxy - saltutil - schedule - scsi - sdb - seed - sensors - service - shadow - slack - slsutil - smbios - smtp - sqlite3 - ssh - state - status - supervisord - sys - sysctl - sysfs - syslog_ng - system - temp - test - timezone - tomcat_cfg - udev - user - vbox_guest - virtualenv - x509 - xfs

    Pending Discussion hubble-salt 
    opened by sam0104 11
  • Don't tell splunk to index more things

    Don't tell splunk to index more things

    There probably isn't ever a good time to tell Splunk to index extra fields.

    The changes to the indexed fields intended by the removed code have to be accompanied by changes to the fields configuration in Splunk or oddball problems will occur (e.g., duplicate field indexing). The best plan (if you really really need extra index fields) is to ask the Splunk admins to add them to the index through their usual methods.

    This affords them the opportunity to say, "that's not a good idea because ____" and prevents the data from getting wonky in their indexes.

    There are certainly fields one might wish to add to the index. It's best to coordinate them carefully with the Splunk admins. (And these fields are more rare than you'd think if you're accustomed to traditional databases.)

    opened by jettero 10
  • running hubble.audit with salt (nitrogen - 2017.7.0rc1) asserts

    running hubble.audit with salt (nitrogen - 2017.7.0rc1) asserts

    From @jrporcaro on July 6, 2017 22:34

    I am using salt 2017.7.0rc1 (Nitrogen) with a default install of hubble 2017.4.1 on CentOS 7.2 using pygit2 and gitfs based hubble install. I did a saltutil.sync_all then a hubble.sync then a hubble.audit.

    [[email protected] ~]# salt \* hubble.audit
    master2:
        The minion function caused an exception: Traceback (most recent call last):
          File "/usr/lib/python2.7/site-packages/salt/minion.py", line 1466, in _thread_return
            return_data = executor.execute()
          File "/usr/lib/python2.7/site-packages/salt/executors/direct_call.py", line 28, in execute
            return self.func(*self.args, **self.kwargs)
          File "/var/cache/salt/minion/extmods/modules/hubble.py", line 108, in audit
            show_compliance=show_compliance)
          File "/var/cache/salt/minion/extmods/modules/hubble.py", line 406, in top
            load()
          File "/var/cache/salt/minion/extmods/modules/hubble.py", line 567, in load
            __nova__ = NovaLazyLoader()
          File "/var/cache/salt/minion/extmods/modules/hubble.py", line 667, in __init__
            self._load_all()
          File "/usr/lib/python2.7/site-packages/salt/loader.py", line 1611, in _load_all
            self._load_module(name)
          File "/var/cache/salt/minion/extmods/modules/hubble.py", line 828, in _load_module
            module_name,
        ValueError: too many values to unpack
    

    here is my versions_report:

    Salt Version:
               Salt: 2017.7.0rc1
    
    Dependency Versions:
               cffi: 1.6.0
           cherrypy: Not Installed
           dateutil: Not Installed
          docker-py: Not Installed
              gitdb: Not Installed
          gitpython: Not Installed
              ioflo: Not Installed
             Jinja2: 2.7.2
            libgit2: 0.24.6
            libnacl: Not Installed
           M2Crypto: Not Installed
               Mako: Not Installed
       msgpack-pure: Not Installed
     msgpack-python: 0.4.8
       mysql-python: Not Installed
          pycparser: 2.14
           pycrypto: 2.6.1
       pycryptodome: Not Installed
             pygit2: 0.24.2
             Python: 2.7.5 (default, Nov 20 2015, 02:00:19)
       python-gnupg: Not Installed
             PyYAML: 3.11
              PyZMQ: 15.3.0
               RAET: Not Installed
              smmap: Not Installed
            timelib: Not Installed
            Tornado: 4.2.1
                ZMQ: 4.1.4
    
    System Versions:
               dist: centos 7.2.1511 Core
             locale: UTF-8
            machine: x86_64
            release: 3.10.0-327.el7.x86_64
             system: Linux
            version: CentOS Linux 7.2.1511 Core
    

    Copied from original issue: hubblestack/hubble-salt#83

    Bug Core P1 hubble-salt hubble 
    opened by basepi 10
Releases(v4.5.5)
Owner
HubbleStack
Open-source security compliance monitoring. Free and open source software made possible by Adobe. https://github.com/adobe
HubbleStack
This a simple tool XSS Detection Suite for CTFs games

This a simple tool XSS Detection Suite for CTFs games

Mostafa 2 Nov 24, 2021
LinOTP - the open source solution for two factor authentication

LinOTP LinOTP - the Open Source solution for multi-factor authentication Copyright © 2010-2019 KeyIdentity GmbH Coypright © 2019- arxes-tolina GmbH In

LinOTP 462 Jan 02, 2023
Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

MalwareTech 91 Dec 29, 2022
Click-Jack - Automatic tool to find Clickjacking Vulnerability in various Web applications

CLICK-Jack It is a automatic tool to find Clickjacking Vulnerability in various

Prince Prafull 4 Jan 10, 2022
DependConfusion-X Tool is written in Python3 that scans and monitors list of hosts for Dependency Confusion

DependConfusion-X Tool is written in Python3 which allows security researcher/bug bounty hunter to scan and monitor list of hosts for Dependency Confusion.

Ali Fathi Ali Sawehli 4 Dec 21, 2021
Create a secure tunnel from a custom domain to localhost using Fly and WireGuard.

Fly Dev Tunnel Developers commonly use apps like ngrok, localtunnel, or cloudflared to expose a local web service at a publicly-accessible URL. This i

170 Dec 11, 2022
ORector - A Fast Python tool designed to detect open redirects vulnerabilities on websites

ORector is a Fast Python tool designed to detect open redirects vulnerabilities

11 Apr 02, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
The ultimate Metasploit apk binder with legit apk written in python3

Infector is a python3 based script which is officially made for linux based distro . It binds metasploit payload with original apk with avast antivirus bypassed .

27 Dec 25, 2022
Shell hunter for AF

AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to pip3 ins

Eduardo 34 May 13, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
Python program that generates secure passwords.

Python program that generates secure passwords. The user has the option to select the length of the password, amount of passwords,

4 Dec 07, 2021
Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

Joe Helle 56 Mar 25, 2022
WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar

CVE-2020-14756 WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar README project base on https://github.com/Y4er/CVE-2020-2555 and weblo

Y4er 77 Dec 06, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022
Tools for converting Nintendo DS binaries to an ELF file for Ghidra/IDA

nds2elf Requirements nds2elf.py uses LIEF and template.elf to form a new binary. LIEF is available via pip: pip3 install lief Usage DSi and DSi-enhan

Max Thomas 17 Aug 14, 2022
Python tool for enumerating directories and for fuzzing

Python tool for enumerating directories and for fuzzing

Gourab Roy 5 Feb 21, 2022
Password-Manager GUI

PASSWORD-MANAGER This repo contains all the project files. Project Description A Tkinter GUI that allows you to store website info like website name,

David .K. Danso 1 Dec 08, 2021
A Python 3 script that uploads a tasks.pickle file that enables RCE in MotionEye

MotionEye/MotionEyeOS Authenticated RCE A Python 3 script that uploads a tasks.pickle file that enables RCE in MotionEye. You need administrator crede

Matt 1 Apr 18, 2022
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022