Correct broken YAML
parent
80aaa6b6e8
commit
0c3a7001d7
1 changed files with 8887 additions and 8954 deletions
@ -372,7 +372,6 @@ groups:
|
||||||
# mount -o remount,nodev /tmp
|
# mount -o remount,nodev /tmp
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 1.1.4
|
||||||
description: "Ensure nosuid option set on /tmp partition"
|
description: "Ensure nosuid option set on /tmp partition"
|
||||||
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
|
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
|
||||||
|
@ -396,7 +395,6 @@ groups:
|
||||||
# mount -o remount,nosuid /tmp
|
# mount -o remount,nosuid /tmp
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
description: "Ensure noexec option set on /tmp partition"
|
description: "Ensure noexec option set on /tmp partition"
|
||||||
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
|
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
|
||||||
|
@ -455,7 +453,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
description: "Ensure nosuid option set on /var/tmp partition"
|
description: "Ensure nosuid option set on /var/tmp partition"
|
||||||
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
|
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
|
||||||
|
@ -559,7 +556,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
description: "Ensure nosuid option set on /dev/shm partition"
|
description: "Ensure nosuid option set on /dev/shm partition"
|
||||||
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
|
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
|
||||||
|
@ -1032,7 +1028,7 @@ groups:
|
||||||
description: "Ensure interactive boot is not enabled"
|
description: "Ensure interactive boot is not enabled"
|
||||||
sub_checks:
|
sub_checks:
|
||||||
- check:
|
- check:
|
||||||
audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot"
|
audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot'
|
||||||
constraints:
|
constraints:
|
||||||
boot:
|
boot:
|
||||||
- grub
|
- grub
|
||||||
|
@ -1040,7 +1036,7 @@ groups:
|
||||||
- rhel7
|
- rhel7
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "PROMPT_FOR_CONFIRM=\"no\""
|
- flag: 'PROMPT_FOR_CONFIRM="no"'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
If interactive boot is available disable it.
|
If interactive boot is available disable it.
|
||||||
|
@ -1062,7 +1058,6 @@ groups:
|
||||||
If interactive boot is available disable it.
|
If interactive boot is available disable it.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 1.5
|
- id: 1.5
|
||||||
description: "Additional Process Hardening"
|
description: "Additional Process Hardening"
|
||||||
checks:
|
checks:
|
||||||
|
@ -1479,7 +1474,6 @@ groups:
|
||||||
op: eq
|
op: eq
|
||||||
value: "0"
|
value: "0"
|
||||||
set: false
|
set: false
|
||||||
test_items:
|
|
||||||
- flag: "enforcing"
|
- flag: "enforcing"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
|
@ -1588,7 +1582,6 @@ groups:
|
||||||
SELINUXTYPE=targeted
|
SELINUXTYPE=targeted
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.6.2.4
|
- id: 1.6.2.4
|
||||||
description: "Ensure SETroubleshoot is not installed"
|
description: "Ensure SETroubleshoot is not installed"
|
||||||
sub_checks:
|
sub_checks:
|
||||||
|
@ -1719,7 +1712,7 @@ groups:
|
||||||
scored: true
|
scored: true
|
||||||
- id: 1.6.2.6
|
- id: 1.6.2.6
|
||||||
description: "Ensure no unconfined daemons exist"
|
description: "Ensure no unconfined daemons exist"
|
||||||
audit: "ps -eZ | egrep \"initrc\" | grep -E -v -w \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'"
|
audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }'''
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -1803,7 +1796,6 @@ groups:
|
||||||
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
|
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.7
|
- id: 1.7
|
||||||
description: "Warning Banners"
|
description: "Warning Banners"
|
||||||
checks:
|
checks:
|
||||||
|
@ -1896,7 +1888,6 @@ groups:
|
||||||
# chmod 644 /etc/motd
|
# chmod 644 /etc/motd
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 1.7.1.5
|
- id: 1.7.1.5
|
||||||
description: "Ensure permissions on /etc/issue are configured"
|
description: "Ensure permissions on /etc/issue are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
|
||||||
|
@ -1978,7 +1969,7 @@ groups:
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1.a
|
- id: 2.1.1.a
|
||||||
description: "Ensure chargen services are not enabled"
|
description: "Ensure chargen services are not enabled"
|
||||||
audit: "grep -R \"^chargen\" /etc/inetd.*"
|
audit: 'grep -R "^chargen" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -1993,7 +1984,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.1.b
|
- id: 2.1.1.b
|
||||||
description: "Ensure chargen services are not enabled"
|
description: "Ensure chargen services are not enabled"
|
||||||
audit: "grep -R \"^chargen\" /etc/xinetd.conf /etc/xinetd.* "
|
audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2008,7 +1999,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.2.a
|
- id: 2.1.2.a
|
||||||
description: "Ensure daytime services are not enabled"
|
description: "Ensure daytime services are not enabled"
|
||||||
audit: "grep -R \"^daytime\" /etc/inetd.*"
|
audit: 'grep -R "^daytime" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2023,7 +2014,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.2.b
|
- id: 2.1.2.b
|
||||||
description: "Ensure daytime services are not enabled"
|
description: "Ensure daytime services are not enabled"
|
||||||
audit: "grep -R \"^daytime\" /etc/xinetd.conf /etc/xinetd.*"
|
audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2038,7 +2029,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.3.a
|
- id: 2.1.3.a
|
||||||
description: "Ensure discard services are not enabled"
|
description: "Ensure discard services are not enabled"
|
||||||
audit: "grep -R \"^discard\" /etc/inetd.*"
|
audit: 'grep -R "^discard" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2053,7 +2044,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.3.b
|
- id: 2.1.3.b
|
||||||
description: "Ensure discard services are not enabled"
|
description: "Ensure discard services are not enabled"
|
||||||
audit: "grep -R \"^discard\" /etc/xinetd.conf /etc/xinetd.*"
|
audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2068,7 +2059,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.4.a
|
- id: 2.1.4.a
|
||||||
description: "Ensure echo services are not enabled"
|
description: "Ensure echo services are not enabled"
|
||||||
audit: "grep -R \"^echo\" /etc/inetd.*"
|
audit: 'grep -R "^echo" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2083,7 +2074,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.4.b
|
- id: 2.1.4.b
|
||||||
description: "Ensure echo services are not enabled"
|
description: "Ensure echo services are not enabled"
|
||||||
audit: "grep -R \"^echo\" /etc/xinetd.conf /etc/xinetd.*"
|
audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2098,7 +2089,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.5.a
|
- id: 2.1.5.a
|
||||||
description: "Ensure time services are not enabled"
|
description: "Ensure time services are not enabled"
|
||||||
audit: "grep -R \"^time\" /etc/inetd.*"
|
audit: 'grep -R "^time" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2113,7 +2104,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.5.b
|
- id: 2.1.5.b
|
||||||
description: "Ensure time services are not enabled"
|
description: "Ensure time services are not enabled"
|
||||||
audit: "grep -R \"^time\" /etc/xinetd.conf /etc/xinetd.*"
|
audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2128,7 +2119,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.6.a
|
- id: 2.1.6.a
|
||||||
description: "Ensure rsh server is not enabled"
|
description: "Ensure rsh server is not enabled"
|
||||||
audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*"
|
audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2143,7 +2134,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.6.b
|
- id: 2.1.6.b
|
||||||
description: "Ensure rsh server is not enabled"
|
description: "Ensure rsh server is not enabled"
|
||||||
audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*"
|
audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2158,7 +2149,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.7.a
|
- id: 2.1.7.a
|
||||||
description: "Ensure talk server is not enabled"
|
description: "Ensure talk server is not enabled"
|
||||||
audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*"
|
audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2173,7 +2164,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.7.b
|
- id: 2.1.7.b
|
||||||
description: "Ensure talk server is not enabled"
|
description: "Ensure talk server is not enabled"
|
||||||
audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*"
|
audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2188,7 +2179,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.8.a
|
- id: 2.1.8.a
|
||||||
description: "Ensure telnet server is not enabled"
|
description: "Ensure telnet server is not enabled"
|
||||||
audit: "grep -R \"^telnet\" /etc/inetd.*"
|
audit: 'grep -R "^telnet" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2203,7 +2194,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.8.b
|
- id: 2.1.8.b
|
||||||
description: "Ensure telnet server is not enabled"
|
description: "Ensure telnet server is not enabled"
|
||||||
audit: "grep -R \"^telnet\" /etc/xinetd.*"
|
audit: 'grep -R "^telnet" /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2218,7 +2209,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.9.a
|
- id: 2.1.9.a
|
||||||
description: "Ensure tftp server is not enabled"
|
description: "Ensure tftp server is not enabled"
|
||||||
audit: "grep -R \"^tftp\" /etc/inetd.*"
|
audit: 'grep -R "^tftp" /etc/inetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
|
||||||
|
@ -2233,7 +2224,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.1.9.b
|
- id: 2.1.9.b
|
||||||
description: "Ensure tftp server is not enabled"
|
description: "Ensure tftp server is not enabled"
|
||||||
audit: "grep -R \"^tftp\" /etc/xinetd.*"
|
audit: 'grep -R "^tftp" /etc/xinetd.*'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable"
|
- flag: "disable"
|
||||||
|
@ -2456,7 +2447,7 @@ groups:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "restrict -4 default kod nomodify notrap nopeer noquery"
|
- flag: "restrict -4 default kod nomodify notrap nopeer noquery"
|
||||||
set: true
|
set: true
|
||||||
flag: "restrict -6 default kod nomodify notrap nopeer noquery"
|
- flag: "restrict -6 default kod nomodify notrap nopeer noquery"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
||||||
|
@ -2485,7 +2476,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.2.1.2.b
|
- id: 2.2.1.2.b
|
||||||
description: "Ensure ntp is configured"
|
description: "Ensure ntp is configured"
|
||||||
audit: "grep -E \"^(server|pool)\" /etc/ntp.conf"
|
audit: 'grep -E "^(server|pool)" /etc/ntp.conf'
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2526,7 +2517,7 @@ groups:
|
||||||
- rhel7
|
- rhel7
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "OPTIONS=\"-u ntp:ntp\""
|
- flag: 'OPTIONS="-u ntp:ntp"'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
||||||
|
@ -2558,7 +2549,7 @@ groups:
|
||||||
- ubuntu18
|
- ubuntu18
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "OPTIONS=\"-u ntp:ntp\""
|
- flag: 'OPTIONS="-u ntp:ntp"'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
||||||
|
@ -2594,7 +2585,7 @@ groups:
|
||||||
- rhel7
|
- rhel7
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
|
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
||||||
|
@ -2626,7 +2617,7 @@ groups:
|
||||||
- ubuntu18
|
- ubuntu18
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
|
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
|
||||||
|
@ -2689,7 +2680,7 @@ groups:
|
||||||
|
|
||||||
- id: 2.2.1.3.a
|
- id: 2.2.1.3.a
|
||||||
description: "Ensure chrony is configured"
|
description: "Ensure chrony is configured"
|
||||||
audit: "grep -E \"^(server|pool)\" /etc/chrony.conf"
|
audit: 'grep -E "^(server|pool)" /etc/chrony.conf'
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2749,7 +2740,6 @@ groups:
|
||||||
# timedatectl set-ntp true
|
# timedatectl set-ntp true
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
description: "Ensure X Window System is not installed"
|
description: "Ensure X Window System is not installed"
|
||||||
sub_checks:
|
sub_checks:
|
||||||
|
@ -4786,7 +4776,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 3.2.3.a
|
- id: 3.2.3.a
|
||||||
description: "Ensure secure ICMP redirects are not accepted"
|
description: "Ensure secure ICMP redirects are not accepted"
|
||||||
audit: "sysctl net.ipv4.conf.all.secure_redirects"
|
audit: "sysctl net.ipv4.conf.all.secure_redirects"
|
||||||
|
@ -5386,7 +5375,6 @@ groups:
|
||||||
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
|
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 3.3.3
|
- id: 3.3.3
|
||||||
description: "Ensure /etc/hosts.deny is configured"
|
description: "Ensure /etc/hosts.deny is configured"
|
||||||
audit: "cat /etc/hosts.deny"
|
audit: "cat /etc/hosts.deny"
|
||||||
|
@ -5401,7 +5389,6 @@ groups:
|
||||||
|
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 3.3.4
|
- id: 3.3.4
|
||||||
description: "Ensure permissions on /etc/hosts.allow are configured"
|
description: "Ensure permissions on /etc/hosts.allow are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
|
||||||
|
@ -5417,7 +5404,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 3.3.5
|
- id: 3.3.5
|
||||||
description: "Ensure permissions on /etc/hosts.deny are configured"
|
description: "Ensure permissions on /etc/hosts.deny are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
|
||||||
|
@ -5433,7 +5419,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 3.4
|
- id: 3.4
|
||||||
description: "Uncommon Network Protocols"
|
description: "Uncommon Network Protocols"
|
||||||
checks:
|
checks:
|
||||||
|
@ -5596,8 +5581,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
||||||
pkts bytes target prot opt in out source destination
|
pkts bytes target prot opt in out source destination
|
||||||
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
@ -5618,8 +5602,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
|
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
|
||||||
pkts bytes target prot opt in out source destination
|
pkts bytes target prot opt in out source destination
|
||||||
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
|
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
|
||||||
|
@ -5700,8 +5683,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
||||||
pkts bytes target prot opt in out source destination
|
pkts bytes target prot opt in out source destination
|
||||||
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
@ -5722,8 +5704,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
|
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
|
||||||
pkts bytes target prot opt in out source destination
|
pkts bytes target prot opt in out source destination
|
||||||
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
|
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
|
||||||
|
@ -5757,8 +5738,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Active Internet connections (only servers)
|
Active Internet connections (only servers)
|
||||||
Proto Recv-Q Send-Q Local Address Foreign Address State
|
Proto Recv-Q Send-Q Local Address Foreign Address State
|
||||||
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
|
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
|
||||||
|
@ -5776,8 +5756,7 @@ groups:
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: |
|
||||||
flag: |
|
|
||||||
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
Chain INPUT (policy DROP 0 packets, 0 bytes)
|
||||||
pkts bytes target prot opt in out source destination
|
pkts bytes target prot opt in out source destination
|
||||||
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
|
||||||
|
@ -5930,7 +5909,6 @@ groups:
|
||||||
# update-grub
|
# update-grub
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 4
|
- id: 4
|
||||||
description: "Logging and Auditing"
|
description: "Logging and Auditing"
|
||||||
- id: 4.1
|
- id: 4.1
|
||||||
|
@ -6447,7 +6425,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 4.1.9.b
|
- id: 4.1.9.b
|
||||||
description: "Ensure login and logout events are collected"
|
description: "Ensure login and logout events are collected"
|
||||||
audit: "auditctl -l | grep logins"
|
audit: "auditctl -l | grep logins"
|
||||||
|
@ -6643,7 +6620,6 @@ groups:
|
||||||
And add all resulting lines to the file.
|
And add all resulting lines to the file.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 4.1.14.a
|
- id: 4.1.14.a
|
||||||
description: "Ensure successful file system mounts are collected"
|
description: "Ensure successful file system mounts are collected"
|
||||||
audit: "grep mounts /etc/audit/rules.d/*.rules"
|
audit: "grep mounts /etc/audit/rules.d/*.rules"
|
||||||
|
@ -6757,13 +6733,6 @@ groups:
|
||||||
-w /etc/sudoers.d/ -p wa -k scope
|
-w /etc/sudoers.d/ -p wa -k scope
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
remediation: |
|
|
||||||
Add the following line to the `/etc/audit/rules.d/*.rules` file:
|
|
||||||
|
|
||||||
-w /etc/sudoers -p wa -k scope
|
|
||||||
-w /etc/sudoers.d/ -p wa -k scope
|
|
||||||
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 4.1.17.a
|
- id: 4.1.17.a
|
||||||
description: "Ensure system administrator actions (sudolog) are collected"
|
description: "Ensure system administrator actions (sudolog) are collected"
|
||||||
|
@ -6845,10 +6814,8 @@ groups:
|
||||||
-w /sbin/rmmod -p x -k modules
|
-w /sbin/rmmod -p x -k modules
|
||||||
-w /sbin/modprobe -p x -k modules
|
-w /sbin/modprobe -p x -k modules
|
||||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
scored: true
|
|
||||||
- id: 4.1.19
|
- id: 4.1.19
|
||||||
description: "Ensure the audit configuration is immutable"
|
description: "Ensure the audit configuration is immutable"
|
||||||
audit: "grep ^\\s*[^#] /etc/audit/rules.d/*.rules | tail -1"
|
audit: "grep ^\\s*[^#] /etc/audit/rules.d/*.rules | tail -1"
|
||||||
|
@ -7265,7 +7232,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.3
|
- id: 5.1.3
|
||||||
description: "Ensure permissions on /etc/cron.hourly are configured"
|
description: "Ensure permissions on /etc/cron.hourly are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
|
||||||
|
@ -7281,7 +7247,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.4
|
- id: 5.1.4
|
||||||
description: "Ensure permissions on /etc/cron.daily are configured"
|
description: "Ensure permissions on /etc/cron.daily are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
|
||||||
|
@ -7297,7 +7262,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.5
|
- id: 5.1.5
|
||||||
description: "Ensure permissions on /etc/cron.weekly are configured"
|
description: "Ensure permissions on /etc/cron.weekly are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
|
||||||
|
@ -7313,7 +7277,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.6
|
- id: 5.1.6
|
||||||
description: "Ensure permissions on /etc/cron.monthly are configured"
|
description: "Ensure permissions on /etc/cron.monthly are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
|
||||||
|
@ -7329,7 +7292,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.7
|
- id: 5.1.7
|
||||||
description: "Ensure permissions on /etc/cron.d are configured"
|
description: "Ensure permissions on /etc/cron.d are configured"
|
||||||
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
|
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
|
||||||
|
@ -7345,7 +7307,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.1.8.a
|
- id: 5.1.8.a
|
||||||
description: "Ensure at/cron is restricted to authorized users"
|
description: "Ensure at/cron is restricted to authorized users"
|
||||||
audit: "stat /etc/cron.deny"
|
audit: "stat /etc/cron.deny"
|
||||||
|
@ -7448,7 +7409,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.2
|
- id: 5.2.2
|
||||||
description: "Ensure permissions on SSH private host key files are configured"
|
description: "Ensure permissions on SSH private host key files are configured"
|
||||||
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
|
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
|
||||||
|
@ -7499,7 +7459,6 @@ groups:
|
||||||
LogLevel INFO
|
LogLevel INFO
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.6
|
- id: 5.2.6
|
||||||
description: "Ensure SSH X11 forwarding is disabled"
|
description: "Ensure SSH X11 forwarding is disabled"
|
||||||
audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
|
audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
|
||||||
|
@ -7514,8 +7473,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.7
|
- id: 5.2.7
|
||||||
description: "Ensure SSH MaxAuthTries is set to 4 or less"
|
description: "Ensure SSH MaxAuthTries is set to 4 or less"
|
||||||
audit: "sshd -T | grep maxauthtries"
|
audit: "sshd -T | grep maxauthtries"
|
||||||
|
@ -7547,7 +7504,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.9
|
- id: 5.2.9
|
||||||
description: "Ensure SSH HostbasedAuthentication is disabled"
|
description: "Ensure SSH HostbasedAuthentication is disabled"
|
||||||
audit: "sshd -T | grep hostbasedauthentication"
|
audit: "sshd -T | grep hostbasedauthentication"
|
||||||
|
@ -7562,7 +7518,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.10
|
- id: 5.2.10
|
||||||
description: "Ensure SSH root login is disabled"
|
description: "Ensure SSH root login is disabled"
|
||||||
audit: "sshd -T | grep permitrootlogin"
|
audit: "sshd -T | grep permitrootlogin"
|
||||||
|
@ -7577,8 +7532,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.11
|
- id: 5.2.11
|
||||||
description: "Ensure SSH PermitEmptyPasswords is disabled"
|
description: "Ensure SSH PermitEmptyPasswords is disabled"
|
||||||
audit: "sshd -T | grep permitemptypasswords"
|
audit: "sshd -T | grep permitemptypasswords"
|
||||||
|
@ -7607,7 +7560,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.13
|
- id: 5.2.13
|
||||||
description: "Ensure only approved MAC algorithms are used"
|
description: "Ensure only approved MAC algorithms are used"
|
||||||
audit: "sshd -T | grep ciphers"
|
audit: "sshd -T | grep ciphers"
|
||||||
|
@ -7641,10 +7593,9 @@ groups:
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.14
|
- id: 5.2.14
|
||||||
description: "Ensure only strong MAC algorithms are used"
|
description: "Ensure only strong MAC algorithms are used"
|
||||||
audit: "sshd -T | grep -i \"MACs\""
|
audit: 'sshd -T | grep -i "MACs"'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -7764,7 +7715,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.2.18.a
|
- id: 5.2.18.a
|
||||||
description: "Ensure SSH access is limited"
|
description: "Ensure SSH access is limited"
|
||||||
audit: "sshd -T | grep allowusers"
|
audit: "sshd -T | grep allowusers"
|
||||||
|
@ -7895,7 +7845,6 @@ groups:
|
||||||
MaxSessions 4
|
MaxSessions 4
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.3
|
- id: 5.3
|
||||||
description: "Configure PAM"
|
description: "Configure PAM"
|
||||||
checks:
|
checks:
|
||||||
|
@ -8214,7 +8163,6 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 5.4.4.a
|
- id: 5.4.4.a
|
||||||
description: "Ensure default user umask is 027 or more restrictive"
|
description: "Ensure default user umask is 027 or more restrictive"
|
||||||
sub_checks:
|
sub_checks:
|
||||||
|
@ -8417,10 +8365,9 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 6.1.3
|
- id: 6.1.3
|
||||||
description: "Ensure permissions on /etc/shadow are configured"
|
description: "Ensure permissions on /etc/shadow are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow"
|
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -8429,7 +8376,7 @@ groups:
|
||||||
- flag: "Gid"
|
- flag: "Gid"
|
||||||
compare:
|
compare:
|
||||||
op: regex
|
op: regex
|
||||||
value: 'shadow|root'
|
value: "shadow|root"
|
||||||
set: true
|
set: true
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
|
@ -8445,10 +8392,9 @@ groups:
|
||||||
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 6.1.4
|
- id: 6.1.4
|
||||||
description: "Ensure permissions on /etc/group are configured"
|
description: "Ensure permissions on /etc/group are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group"
|
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "Uid:root/0 Gid:root/0 permissions=644"
|
- flag: "Uid:root/0 Gid:root/0 permissions=644"
|
||||||
|
@ -8461,10 +8407,9 @@ groups:
scored: true
|
scored: true
- id: 6.1.5
|
- id: 6.1.5
|
||||||
description: "Ensure permissions on /etc/gshadow are configured"
|
description: "Ensure permissions on /etc/gshadow are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow"
|
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
@ -8473,7 +8418,7 @@ groups:
- flag: "Gid"
|
- flag: "Gid"
|
||||||
compare:
|
compare:
|
||||||
op: regex
|
op: regex
|
||||||
value: 'shadow|root'
|
value: "shadow|root"
|
||||||
set: true
|
set: true
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
@ -8491,7 +8436,7 @@ groups:
- id: 6.1.6
|
- id: 6.1.6
|
||||||
description: "Ensure permissions on /etc/passwd- are configured"
|
description: "Ensure permissions on /etc/passwd- are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/passwd-"
|
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
@ -8510,10 +8455,9 @@ groups:
scored: true
|
scored: true
- id: 6.1.7
|
- id: 6.1.7
|
||||||
description: "Ensure permissions on /etc/shadow- are configured"
|
description: "Ensure permissions on /etc/shadow- are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow-"
|
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
@ -8522,7 +8466,7 @@ groups:
- flag: "Gid"
|
- flag: "Gid"
|
||||||
compare:
|
compare:
|
||||||
op: regex
|
op: regex
|
||||||
value: 'shadow|root'
|
value: "shadow|root"
|
||||||
set: true
|
set: true
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
@ -8538,10 +8482,9 @@ groups:
scored: true
|
scored: true
- id: 6.1.8
|
- id: 6.1.8
|
||||||
description: "Ensure permissions on /etc/group- are configured"
|
description: "Ensure permissions on /etc/group- are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group-"
|
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
@ -8560,10 +8503,9 @@ groups:
scored: true
|
scored: true
- id: 6.1.9
|
- id: 6.1.9
|
||||||
description: "Ensure permissions on /etc/gshadow- are configured"
|
description: "Ensure permissions on /etc/gshadow- are configured"
|
||||||
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow-"
|
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-'
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
@ -8572,7 +8514,7 @@ groups:
- flag: "Gid"
|
- flag: "Gid"
|
||||||
compare:
|
compare:
|
||||||
op: regex
|
op: regex
|
||||||
value: 'shadow|root'
|
value: "shadow|root"
|
||||||
set: true
|
set: true
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
@ -8588,7 +8530,6 @@ groups:
scored: true
|
scored: true
- id: 6.1.10.a
|
- id: 6.1.10.a
|
||||||
description: "Ensure no world writable files exist"
|
description: "Ensure no world writable files exist"
|
||||||
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
|
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
@ -8706,7 +8647,7 @@ groups:
checks:
|
checks:
|
||||||
- id: 6.2.1
|
- id: 6.2.1
|
||||||
description: "Ensure password fields are not empty"
|
description: "Ensure password fields are not empty"
|
||||||
audit: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow"
|
audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
@ -8723,7 +8664,7 @@ groups:
scored: true
|
scored: true
- id: 6.2.2
|
- id: 6.2.2
|
||||||
description: "Ensure no legacy \"+\" entries exist in /etc/passwd"
|
description: 'Ensure no legacy "+" entries exist in /etc/passwd'
|
||||||
audit: "grep '^\\+:' /etc/passwd"
|
audit: "grep '^\\+:' /etc/passwd"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
@ -8736,9 +8677,8 @@ groups:
Remove any legacy '+' entries from `/etc/passwd` if they exist.
|
Remove any legacy '+' entries from `/etc/passwd` if they exist.
|
||||||
scored: true
|
scored: true
- id: 6.2.3
|
- id: 6.2.3
|
||||||
description: "Ensure no legacy \"+\" entries exist in /etc/shadow"
|
description: 'Ensure no legacy "+" entries exist in /etc/shadow'
|
||||||
audit: "grep '^\\+:' /etc/shadow"
|
audit: "grep '^\\+:' /etc/shadow"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
@ -8751,9 +8691,8 @@ groups:
Remove any legacy '+' entries from `/etc/shadow` if they exist.
|
Remove any legacy '+' entries from `/etc/shadow` if they exist.
|
||||||
scored: true
|
scored: true
- id: 6.2.4
|
- id: 6.2.4
|
||||||
description: "Ensure no legacy \"+\" entries exist in /etc/group"
|
description: 'Ensure no legacy "+" entries exist in /etc/group'
|
||||||
audit: "grep '^\\+:' /etc/group"
|
audit: "grep '^\\+:' /etc/group"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
@ -8766,7 +8705,6 @@ groups:
Remove any legacy '+' entries from `/etc/group` if they exist.
|
Remove any legacy '+' entries from `/etc/group` if they exist.
|
||||||
scored: true
|
scored: true
- id: 6.2.5
|
- id: 6.2.5
|
||||||
description: "Ensure root is the only UID 0 account"
|
description: "Ensure root is the only UID 0 account"
|
||||||
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
|
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
@ -8825,7 +8763,6 @@ groups:
Correct or justify any items discovered in the Audit step.
|
Correct or justify any items discovered in the Audit step.
|
||||||
scored: true
|
scored: true
- id: 6.2.7
|
- id: 6.2.7
|
||||||
description: "Ensure all users' home directories exist"
|
description: "Ensure all users' home directories exist"
|
||||||
audit: |
|
audit: |
@ -8907,7 +8844,6 @@ groups:
Change the ownership of any home directories that are not owned by the defined user to the correct user.
|
Change the ownership of any home directories that are not owned by the defined user to the correct user.
|
||||||
scored: true
|
scored: true
- id: 6.2.10
|
- id: 6.2.10
|
||||||
description: "Ensure users' dot files are not group or world writable"
|
description: "Ensure users' dot files are not group or world writable"
|
||||||
audit: |
|
audit: |
@ -8964,7 +8900,6 @@ groups:
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
|
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
|
||||||
scored: true
|
scored: true
- id: 6.2.12
|
- id: 6.2.12
|
||||||
description: "Ensure no users have .netrc files"
|
description: "Ensure no users have .netrc files"
|
||||||
audit: |
|
audit: |
@ -9152,7 +9087,6 @@ groups:
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
|
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
|
||||||
scored: true
|
scored: true
- id: 6.2.19
|
- id: 6.2.19
|
||||||
description: "Ensure no duplicate group names exist"
|
description: "Ensure no duplicate group names exist"
|
||||||
audit: |
|
audit: |
@ -9192,7 +9126,7 @@ groups:
- id: 6.2.20.b
|
- id: 6.2.20.b
|
||||||
description: "Ensure shadow group is empty"
|
description: "Ensure shadow group is empty"
|
||||||
audit: "awk -F: '($4 == \"\") { print }' /etc/passwd"
|
audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd'
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: ""
|
- flag: ""
@ -9203,4 +9137,3 @@ groups:
remediation: |
|
remediation: |
|
||||||
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
|
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
|
||||||
scored: true
|
scored: true