diff --git a/README.md b/README.md index 1df65bd..589ac8c 100644 --- a/README.md +++ b/README.md @@ -15,16 +15,16 @@ Tests are configured with YAML files, making this tool easy to update as test sp linux-bench currently supports tests for benchmark version 1.1.0 only. linux-bench will determine the test set to run on the host machine based on the following: -##### Operating system platform - ubuntu/debian/rhel/coreos -##### Boot loader - grub/grub2 -##### System logging tool - rsyslog/syslog-ng -##### Lsm - selinux/apparmor +- **Operating system platform - ubuntu/debian/rhel/coreos** +- **Boot loader - grub/grub2** +- **System logging tool - rsyslog/syslog-ng** +- **Lsm - selinux/apparmor** ## Installation ### Installing from sources -Intall [Go](https://golang.org/doc/install), then +Install [Go](https://golang.org/doc/install), then clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)): ```shell diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index 5a62c99..22af783 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -1099,7 +1099,7 @@ groups: audit: "sysctl fs.suid_dumpable" tests: test_items: - - flag: "fs.suid_dumpable =" + - flag: "fs.suid_dumpable" compare: op: eq value: "0" @@ -1126,10 +1126,10 @@ groups: - id: 1.5.1.c description: "Ensure core dumps are restricted" - audit: "grep -h \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" + audit: "grep \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" tests: test_items: - - flag: "fs.suid_dumpable =" + - flag: "fs.suid_dumpable" compare: op: eq value: "0" @@ -1203,7 +1203,10 @@ groups: audit: "sysctl kernel.randomize_va_space" tests: test_items: - - flag: "kernel.randomize_va_space = 2" + - flag: "kernel.randomize_va_space" + compare: + op: eq + value: "2" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
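Review bot: Dropping `-h` from the 1.5.1.c audit means grep now prefixes every hit with the file name (`/etc/sysctl.conf:fs.suid_dumpable = 0`), because two or more files are searched, so the `fs.suid_dumpable` flag with `compare: eq "0"` only passes if the tester tolerates that prefix — its parsing is not visible here; unless the prefix is wanted, keep `-h`. The pattern is also unanchored, so a commented-out `#fs.suid_dumpable = 0` line matches, whereas the sysctl audits rewritten later in this commit (3.1.1.b onwards) anchor the key at line start; `audit: "grep -h \"^\\s*fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1"` would be consistent with them. `head -n 1` returns the first match in glob order, which is not necessarily the setting applied last, so if that is intentional a short `#` comment above the check would save the next reader from asking.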
@@ -1221,7 +1224,10 @@ groups: audit: "grep \"kernel\\.randomize_va_space\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "kernel.randomize_va_space = 2" + - flag: "kernel.randomize_va_space" + compare: + op: eq + value: "2" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -1435,10 +1441,15 @@ groups: tests: bin_op: and test_items: - - flag: "selinux=0" + - flag: "selinux" + compare: + op: eq + value: "0" set: false - test_items: - - flag: "enforcing=0" + - flag: "enforcing" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. @@ -1460,10 +1471,16 @@ groups: tests: bin_op: and test_items: - - flag: "selinux=0" + - flag: "selinux" + compare: + op: eq + value: "0" set: false test_items: - - flag: "enforcing=0" + - flag: "enforcing" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. @@ -1725,7 +1742,10 @@ groups: - grub tests: test_items: - - flag: "apparmor=0" + - flag: "apparmor" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. @@ -1746,7 +1766,10 @@ groups: - grub2 tests: test_items: - - flag: "apparmor=0" + - flag: "apparmor" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. @@ -1898,7 +1921,7 @@ groups: scored: true - id: 1.7.2 description: "Ensure GDM login banner is configured" - audit: "cat /etc/gdm3/greeter.dconf-defaults" + audit: "grep -v ^#.* /etc/gdm3/greeter.dconf-defaults" tests: bin_op: and test_items: 
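Review bot: In the second `selinux`/`enforcing` hunk (old line 1460) `test_items:` still appears twice under the same `tests:` mapping, while the hunk just above it (old line 1435) removes the duplicate; a repeated mapping key is rejected or silently collapsed by YAML parsers, so this hunk should merge both items into one `test_items:` list exactly as the first hunk does. Pairing `compare: op: eq value: "0"` with `set: false` is ambiguous in the same hunks and in the two `apparmor` hunks: if the tester ignores `compare` when `set` is false the comparison is dead, and if it applies it a compliant `selinux=1` on the kernel line may fail the check — one comment stating the intended semantics would settle it. In the 1.7.2 hunk the unquoted `^#.*` in `grep -v ^#.* /etc/gdm3/greeter.dconf-defaults` is exposed to shell globbing; `grep -v \"^#\"` is safer. The enclosing check definitions start outside these hunks.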
@@ -2246,9 +2269,10 @@ groups: audit: "systemctl is-enabled xinetd" constraints: platform: - - rhel7 - - ubuntu16 - ubuntu18 + #- rhel7 + #- ubuntu16 + #- ubuntu18 tests: test_items: - flag: "enabled" @@ -3622,7 +3646,7 @@ groups: - id: 2.2.15 description: "Ensure mail transfer agent is configured for local-only mode" audit: | - ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127.0.0.1\|::1):25\\s' + ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127.0.0.1|::1):25\\s' tests: test_items: - flag: "" @@ -4097,7 +4121,10 @@ groups: audit: "sysctl net.ipv4.ip_forward" tests: test_items: - - flag: "net.ipv4.ip_forward = 0" + - flag: "net.ipv4.ip_forward" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4116,10 +4143,13 @@ groups: - id: 3.1.1.b description: "Ensure IP forwarding is disabled" - audit: "grep \"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.ip_forward = 0" + - flag: "net.ipv4.ip_forward" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4140,7 +4170,10 @@ groups: audit: "sysctl net.ipv6.conf.all.forwarding" tests: test_items: - - flag: "net.ipv6.conf.all.forwarding = 0" + - flag: "net.ipv6.conf.all.forwarding" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
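Review bot: In the 3.1.1.b audit the `^\\s*` anchor sits outside the double quotes, so if the audit string is executed through a shell (the pipes and `/etc/sysctl.d/*` glob elsewhere suggest it is) the unquoted `\s` is reduced to a plain `s` before grep sees it, and the regex becomes `^s*net\.ipv4\.ip_forward`; that still excludes commented-out lines, but an indented setting no longer matches, so the anchor works only by accident. Moving the anchor inside the quotes fixes it: `audit: "grep \"^\\s*net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*"`. The same construction is used in every grep-based sysctl audit rewritten by this commit, from 3.1.1.d through 3.2.9.d, and should be corrected in all of them. Separately, in the xinetd hunk (old line 2246) the three `#- rhel7` / `#- ubuntu16` / `#- ubuntu18` entries are dead text, and `#- ubuntu18` sits next to a live `- ubuntu18`; either drop them or add a comment saying why the platform constraint was narrowed.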
@@ -4158,10 +4191,13 @@ groups: scored: true - id: 3.1.1.d description: "Ensure IP forwarding is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.forwarding = 0" + - flag: "net.ipv6.conf.all.forwarding" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4182,7 +4218,10 @@ groups: audit: "sysctl net.ipv4.conf.all.send_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.send_redirects = 0" + - flag: "net.ipv4.conf.all.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4203,7 +4242,10 @@ groups: audit: "sysctl net.ipv4.conf.default.send_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.send_redirects = 0" + - flag: "net.ipv4.conf.default.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4221,10 +4263,13 @@ groups: - id: 3.1.2.c description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.send_redirects = 0" + - flag: "net.ipv4.conf.all.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4242,10 +4287,13 @@ groups: - id: 3.1.2.d description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.send_redirects = 0" + - flag: "net.ipv4.conf.default.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4272,7 +4320,7 @@ groups: - flag: "net.ipv4.conf.all.accept_source_route" compare: op: eq - value: 0 + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4300,8 +4348,8 @@ groups: test_items: - flag: "net.ipv4.conf.default.accept_source_route" compare: - op: eq - value: 0 + op: eq + value: 0 set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4324,10 +4372,13 @@ groups: - id: 3.2.1.c description: "Ensure source routed packets are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.accept_source_route = 0" + - flag: "net.ipv4.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
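Review bot: The 3.1.2.d audit is still missing the closing quote after `send_redirects`: `grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*` hands the shell an unterminated string, so the check cannot run. The defect predates this commit, but the line is rewritten here and should become `audit: "grep \"^\\s*net\\.ipv4\\.conf\\.default\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*"`. In the 3.2.1.b hunk the value stays a bare `0` (only its indentation changes) while the 3.2.1.a hunk directly above changes the same field to `"0"`; a bare `0` is a YAML integer, and the two will only behave alike if the tester coerces both, so `value: "0"` here too.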
@@ -4350,10 +4401,13 @@ groups: - id: 3.2.1.d description: "Ensure source routed packets are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.accept_source_route = 0" + - flag: "net.ipv4.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4374,12 +4428,15 @@ groups: scored: true - - id: 3.1.2.e + - id: 3.2.1.e description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.all.accept_source_route" tests: test_items: - - flag: "net.ipv6.conf.all.accept_source_route = 0" + - flag: "net.ipv6.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4400,12 +4457,15 @@ groups: scored: true - - id: 3.1.2.f + - id: 3.2.1.f description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.default.accept_source_route" tests: test_items: - - flag: "net.ipv6.conf.default.accept_source_route = 0" + - flag: "net.ipv6.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
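Review bot: The renumbered 3.2.1.e and 3.2.1.f entries keep the description `Ensure packet redirect sending is disabled`, but their audits read `sysctl net.ipv6.conf.all.accept_source_route` and `sysctl net.ipv6.conf.default.accept_source_route`, so the description was copied from 3.1.2 and should be `description: "Ensure source routed packets are not accepted"`, as 3.2.1.c and 3.2.1.d say. The same mismatch is carried into 3.2.1.g and 3.2.1.h in the next two hunks. The remediation text beneath each entry is outside these hunks and may carry the same copy-paste.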
@@ -4426,12 +4486,15 @@ groups: scored: true - - id: 3.1.2.g + - id: 3.2.1.g description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_source_route = 0" + - flag: "net.ipv6.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4452,12 +4515,15 @@ groups: scored: true - - id: 3.1.2.h + - id: 3.2.1.h description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_source_route = 0" + - flag: "net.ipv6.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4483,7 +4549,10 @@ groups: audit: "sysctl net.ipv4.conf.all.accept_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.accept_redirects = 0" + - flag: "net.ipv4.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4509,7 +4578,10 @@ groups: audit: "sysctl net.ipv4.conf.default.accept_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.accept_redirects = 0" + - flag: "net.ipv4.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4532,10 +4604,13 @@ groups: - id: 3.2.2.c description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.accept_redirects = 0" + - flag: "net.ipv4.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4558,10 +4633,13 @@ groups: - id: 3.2.2.d description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.accept_redirects = 0" + - flag: "net.ipv4.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4587,7 +4665,10 @@ groups: audit: "sysctl net.ipv6.conf.all.accept_redirects" tests: test_items: - - flag: "net.ipv6.conf.all.accept_redirects = 0" + - flag: "net.ipv6.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4613,7 +4694,10 @@ groups: audit: "sysctl net.ipv6.conf.default.accept_redirects" tests: test_items: - - flag: "net.ipv6.conf.default.accept_redirects = 0" + - flag: "net.ipv6.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4636,10 +4720,13 @@ groups: - id: 3.2.2.g description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_redirects = 0" + - flag: "net.ipv6.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4662,10 +4749,13 @@ groups: - id: 3.2.2.h description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_redirects = 0" + - flag: "net.ipv6.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4692,7 +4782,10 @@ groups: audit: "sysctl net.ipv4.conf.all.secure_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.secure_redirects = 0" + - flag: "net.ipv4.conf.all.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4713,7 +4806,10 @@ groups: audit: "sysctl net.ipv4.conf.default.secure_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.secure_redirects = 0" + - flag: "net.ipv4.conf.default.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4731,10 +4827,13 @@ groups: - id: 3.2.3.c description: "Ensure secure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.secure_redirects = 0" + - flag: "net.ipv4.conf.all.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4752,10 +4851,13 @@ groups: - id: 3.2.3.d description: "Ensure secure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.secure_redirects = 0" + - flag: "net.ipv4.conf.default.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4776,7 +4878,10 @@ groups: audit: "sysctl net.ipv4.conf.all.log_martians" tests: test_items: - - flag: "net.ipv4.conf.all.log_martians = 1" + - flag: "net.ipv4.conf.all.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4797,7 +4902,10 @@ groups: audit: "sysctl net.ipv4.conf.default.log_martians" tests: test_items: - - flag: "net.ipv4.conf.default.log_martians = 1" + - flag: "net.ipv4.conf.default.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4815,10 +4923,13 @@ groups: - id: 3.2.4.c description: "Ensure suspicious packets are logged" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.log_martians = 1" + - flag: "net.ipv4.conf.all.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4836,10 +4947,13 @@ groups: - id: 3.2.4.d description: "Ensure suspicious packets are logged" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.log_martians = 1" + - flag: "net.ipv4.conf.default.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4860,7 +4974,10 @@ groups: audit: "sysctl net.ipv4.icmp_echo_ignore_broadcasts" tests: test_items: - - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + - flag: "net.ipv4.icmp_echo_ignore_broadcasts" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4876,10 +4993,13 @@ groups: - id: 3.2.5.b description: "Ensure broadcast ICMP requests are ignored" - audit: "grep \"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + - flag: "net.ipv4.icmp_echo_ignore_broadcasts" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4898,7 +5018,10 @@ groups: audit: "sysctl net.ipv4.icmp_ignore_bogus_error_responses" tests: test_items: - - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + - flag: "net.ipv4.icmp_ignore_bogus_error_responses" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4914,10 +5037,13 @@ groups: - id: 3.2.6.b description: "Ensure bogus ICMP responses are ignored" - audit: "grep \"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + - flag: "net.ipv4.icmp_ignore_bogus_error_responses" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4936,7 +5062,10 @@ groups: audit: "sysctl net.ipv4.conf.all.rp_filter" tests: test_items: - - flag: "net.ipv4.conf.all.rp_filter = 1" + - flag: "net.ipv4.conf.all.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4957,7 +5086,10 @@ groups: audit: "sysctl net.ipv4.conf.default.rp_filter" tests: test_items: - - flag: "net.ipv4.conf.default.rp_filter = 1" + - flag: "net.ipv4.conf.default.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4975,10 +5107,13 @@ groups: - id: 3.2.7.c description: "Ensure Reverse Path Filtering is enabled" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.rp_filter = 1" + - flag: "net.ipv4.conf.all.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4996,10 +5131,13 @@ groups: - id: 3.2.7.d description: "Ensure Reverse Path Filtering is enabled" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.rp_filter = 1" + - flag: "net.ipv4.conf.default.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5020,7 +5158,10 @@ groups: audit: "sysctl net.ipv4.tcp_syncookies" tests: test_items: - - flag: "net.ipv4.tcp_syncookies = 1" + - flag: "net.ipv4.tcp_syncookies" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5036,10 +5177,13 @@ groups: - id: 3.2.8.b description: "Ensure TCP SYN Cookies is enabled" - audit: "grep \"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.tcp_syncookies = 1" + - flag: "net.ipv4.tcp_syncookies" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -5058,7 +5202,10 @@ groups: audit: "sysctl net.ipv6.conf.all.accept_ra" tests: test_items: - - flag: "net.ipv6.conf.all.accept_ra = 0" + - flag: "net.ipv6.conf.all.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5079,7 +5226,10 @@ groups: audit: "sysctl net.ipv6.conf.default.accept_ra" tests: test_items: - - flag: "net.ipv6.conf.default.accept_ra = 0" + - flag: "net.ipv6.conf.default.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5097,10 +5247,13 @@ groups: - id: 3.2.9.c description: "Ensure IPv6 router advertisements are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_ra = 0" + - flag: "net.ipv6.conf.all.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5118,10 +5271,13 @@ groups: - id: 3.2.9.d description: "Ensure IPv6 router advertisements are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_ra = 0" + - flag: "net.ipv6.conf.default.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -5135,48 +5291,8 @@ groups: # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 - scored: true - + scored: true - description: "Ensure IPv6 is disabled" - sub_checks: - - check: - audit: "grep kernel /boot/grub/menu.lst" - constraints: - boot: - - grub - tests: - test_items: - - flag: "ipv6.disable=1" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. - For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: - - GRUB_CMDLINE_LINUX="ipv6.disable=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - - check: - audit: "grep LINUX /etc/default/grub" - constraints: - boot: - - grub2 - tests: - test_items: - - flag: "ipv6.disable=1" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. - For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: - - GRUB_CMDLINE_LINUX="ipv6.disable=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - scored: false - id: 3.3 description: "TCP Wrappers" checks: @@ -5462,6 +5578,8 @@ groups: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP + scored: true + - id: 3.5.1.2.a description: "Ensure IPv6 loopback traffic is configured" audit: "ip6tables -L INPUT -v -n" @@ -5504,8 +5622,6 @@ groups: # ip6tables -A INPUT -s ::1 -j DROP scored: true - - scored: true - id: 3.5.1.3 description: "Ensure IPv6 outbound and established connections are configured" audit: "ip6tables -L -v -n" @@ -5782,6 +5898,7 @@ groups: # grub2-mkconfig –o /boot/grub2/grub.cfg or # update-grub + - check: audit: "grep \"^\\s*linux\" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1" constraints: 
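Review bot: The `- check:` added in the last hunk (old line 5782) turns the context lines beneath it into a sub-check whose audit ends in `grep -v ipv6.disabled=1`, but the kernel parameter documented by the "Ensure IPv6 is disabled" block deleted in the first hunk is `ipv6.disable=1`; unless `ipv6.disabled` is deliberate, the filter never removes the lines it is meant to and the audit should read `grep \"^\\s*linux\" /boot/grub2/grub.cfg | grep -v ipv6.disable=1`. The remainder of that sub-check (constraints, tests, `set:`) lies outside the hunk, so I cannot confirm the expected result matches. A one-line comment naming the parameter being asserted would also make the grub/grub2 pair easier to keep in sync.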
@@ -7038,21 +7155,21 @@ groups: Storage=persistent scored: true -- id: 4.2.3 - description: "Ensure permissions on all logfiles are configured" - audit: "find /var/log -type f -ls" - type: manual - remediation: | - Run the following commands to set permissions on all existing log files: - find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + - scored: true -- id: 4.3 - description: "Ensure logrotate is configured" - audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" - type: manual - remediation: | - Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. - scored: false + - id: 4.2.3 + description: "Ensure permissions on all logfiles are configured" + audit: "find /var/log -type f -ls" + type: manual + remediation: | + Run the following commands to set permissions on all existing log files: + find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + + scored: true + - id: 4.3 + description: "Ensure logrotate is configured" + audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" + type: manual + remediation: | + Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. + scored: false - id: 5 description: "Access, Authentication and Authorization" - id: 5.1 @@ -7222,7 +7339,7 @@ groups: tests: test_items: - flag: "stat: cannot stat '/etc/cron.deny': No such file or directory" - set: true + set: true remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : @@ -7391,7 +7508,10 @@ groups: audit: "sshd -T | grep maxauthtries" tests: test_items: - - flag: "MaxAuthTries 4" + - flag: "maxauthtries" + compare: + op: lte + value: "4" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: 
@@ -7405,7 +7525,7 @@ groups: audit: "sshd -T | grep ignorerhosts" tests: test_items: - - flag: "IgnoreRhosts yes" + - flag: "ignorerhosts yes" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: @@ -7420,12 +7540,12 @@ groups: audit: "sshd -T | grep hostbasedauthentication" tests: test_items: - - flag: "HostbasedAuthentication no" + - flag: "hostbasedauthentication no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - HostbasedAuthentication no + hostbasedauthentication no scored: true @@ -7435,12 +7555,12 @@ groups: audit: "sshd -T | grep permitrootlogin" tests: test_items: - - flag: "PermitRootLogin no" + - flag: "permitrootlogin no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitRootLogin no + permitrootlogin no scored: true @@ -7451,12 +7571,12 @@ groups: audit: "sshd -T | grep permitemptypasswords" tests: test_items: - - flag: "PermitEmptyPasswords no" + - flag: "permitemptypasswords no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitEmptyPasswords no + permitemptypasswords no scored: true @@ -7465,12 +7585,12 @@ groups: audit: "sshd -T | grep permituserenvironment" tests: test_items: - - flag: "PermitUserEnvironment no" + - flag: "permituserenvironment no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitUserEnvironment no + permituserenvironment no scored: true 
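Review bot: The remediation text in the hostbasedauthentication, permitrootlogin, permitemptypasswords and permituserenvironment hunks is lowercased (`hostbasedauthentication no`, `permitrootlogin no`, …) to mirror the new lowercase flags, but the flags match `sshd -T` output, which normalises keyword case, whereas the remediation is what an operator types into `/etc/ssh/sshd_config`. sshd accepts either spelling, so nothing breaks, but the lowercase form departs from the CIS text and from `sshd_config(5)` and makes the remediation harder to cross-reference; I would keep `HostbasedAuthentication no` and friends in the remediation and change only the `flag:` lines. The same applies to the clientaliveinterval, clientalivecountmax, logingracetime, banner and allowtcpforwarding hunks in the next two lines.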
@@ -7576,14 +7696,23 @@ groups: description: "Ensure SSH Idle Timeout Interval is configured" audit: "sshd -T | grep clientaliveinterval" tests: + bin_op: and test_items: - - flag: "ClientAliveInterval 300" - set: true + - flag: "clientaliveinterval" + compare: + op: lte + value: "300" + set: true + - flag: "clientaliveinterval" + compare: + op: gte + value: "1" + set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: - ClientAliveInterval 300 - ClientAliveCountMax 0 + clientaliveinterval 300 + clientalivecountmax 0 scored: true @@ -7592,13 +7721,16 @@ groups: audit: "sshd -T | grep clientalivecountmax" tests: test_items: - - flag: "ClientAliveCountMax 0" + - flag: "clientalivecountmax" + compare: + op: lte + value: "3" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: - ClientAliveInterval 300 - ClientAliveCountMax 0 + clientaliveinterval 300 + clientalivecountmax 0 scored: true @@ -7607,12 +7739,15 @@ groups: audit: "sshd -T | grep logingracetime" tests: test_items: - - flag: "LoginGraceTime 60" + - flag: "logingracetime" + compare: + op: lte + value: "60" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - LoginGraceTime 60 + logingracetime 60 scored: true @@ -7694,12 +7829,12 @@ groups: audit: "sshd -T | grep banner" tests: test_items: - - flag: "Banner /etc/issue.net" + - flag: "banner /etc/issue.net" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - Banner /etc/issue.net + banner /etc/issue.net scored: true - id: 5.2.20 
@@ -7718,11 +7853,11 @@ groups: audit: "sshd -T | grep -i allowtcpforwarding" tests: test_items: - - flag: "AllowTcpForwarding no" + - flag: "allowtcpforwarding no" set: true remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: - AllowTcpForwarding no + allowtcpforwarding no scored: true - id: 5.2.22 description: "Ensure SSH MaxStartups is configured" @@ -7737,7 +7872,10 @@ groups: audit: "sshd -T | grep -i maxsessions" tests: test_items: - - flag: "maxsessions 4" + - flag: "maxsessions" + compare: + op: lte + value: "4" set: true remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: @@ -7827,12 +7965,12 @@ groups: description: "Ensure password expiration is 365 days or less" audit: "grep ^PASS_MAX_DAYS /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_MAX_DAYS" - set: true - flag: "365" - set: true + compare: + op: lte + value: "365" + set: true remediation: | Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : @@ -7867,12 +8005,13 @@ groups: description: "Ensure minimum days between password changes is 7 or more" audit: "grep ^PASS_MIN_DAYS /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_MIN_DAYS" + compare: + op: gte + value: "7" set: true - flag: "7" - set: true + remediation: | Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : @@ -7907,11 +8046,11 @@ groups: description: "Ensure password expiration warning days is 7 or more" audit: "grep ^PASS_WARN_AGE /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_WARN_AGE" - set: true - flag: "7" + compare: + op: gte + value: "7" set: true remediation: | Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : 
@@ -7988,17 +8127,17 @@ groups: tests: test_items: - flag: "" - compare: - op: eq - value: "" - set: true + compare: + op: eq + value: "" + set: true remediation: | Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. scored: true - - id: 5.4.2 + - id: 5.4.2.a description: "Ensure system accounts are non-login" - audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'" + audit: "awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $7!=\"'\"$(which nologin)\"'\" && $7!=\"/bin/false\") {print}' /etc/passwd" tests: test_items: - flag: "" 
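Review bot: The new 5.4.2.a audit passes whenever its stdout is empty (`flag: ""` with `op: eq` / `value: ""`), so a failure inside the pipeline is indistinguishable from a compliant host: if the inner `awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs` prints nothing, the outer awk is left with `$3<` followed by nothing and exits on a syntax error with empty stdout, and if `which nologin` prints nothing the shell comparison degrades to `$7!=""`. A check that fails open this way should guard its inputs, for example by substituting a default when login.defs does not define UID_MIN, and by using `command -v nologin`, which is POSIX, rather than `which`, which is not installed on every minimal image. Note also that the exact-string comparison against the resolved nologin path will report accounts whose shell is the other conventional location of nologin (a symlinked `/sbin/nologin` versus `/usr/sbin/nologin`) even though nologin is in effect; that is a false positive rather than a bypass, but it will generate noise. The 5.4.2.b audit in the next hunk has the same empty-output pass condition.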
@@ -8007,24 +8146,39 @@ groups: value: "" set: true remediation: | - Set the shell for any accounts returned by the audit script to `/sbin/nologin` : - - # usermod -s /sbin/nologin - - The following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync` , `shutdown` , and `halt` users: - - #!/bin/bash - for user in `awk -F: '($3 < 500) {print $1 }' /etc/passwd` ; do - if [ $user != "root" ]; then - usermod -L $user - if [ $user != "sync" ] && [ $user != "shutdown" ] & then - usermod -s /sbin/nologin $user - fi - fi - done + Run the commands appropriate for your distribution: + Set the shell for any accounts returned by the audit to nologin: + # usermod -s $(which nologin) + Lock any non root accounts returned by the audit: + # usermod -L + The following command will set all system accounts to a non login shell: + awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done + The following command will automatically lock not root system accounts: + awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done scored: true + - id: 5.4.2.b + description: "Ensure system accounts are non-login" + audit: "awk -F: '($1!=\"root\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!=\"L\" && $2!=\"LK\") {print $1}'" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the commands appropriate for your distribution: + Set the shell for any accounts returned by the audit to nologin: + # usermod -s $(which nologin) + Lock 
any non root accounts returned by the audit: + # usermod -L + The following command will set all system accounts to a non login shell: + awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done + The following command will automatically lock not root system accounts: + awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done + scored: true - id: 5.4.3 description: "Ensure default group for the root account is GID 0" audit: "grep ^root: /etc/passwd | cut -f4 -d:" 
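Review bot: 5.4.2.b reuses the description "Ensure system accounts are non-login" although its audit checks something different, namely that every system account below UID_MIN is reported locked by `passwd -S`, so a report lists two identically named results that can fail for different reasons; something like `description: "Ensure system accounts are locked"` would tell the reader which one to act on. In both remediation texts the single-account commands `# usermod -s $(which nologin)` and `# usermod -L` are missing the account argument, e.g. `# usermod -L <user>`. The lock audit also passes on empty output, and `passwd -S` for other users generally needs root, so when the tool runs unprivileged the error goes to stderr and the check reports compliance; the remediation's `while read user do ... done` one-liners should be checked for the missing `;` or line breaks before `do` and `done` once the collapsed diff is viewed in its original layout.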
@@ -8150,45 +8304,49 @@ groups: Remove entries for any consoles that are not in a physically secure location. scored: true -- id: 5.6.a - description: "Ensure access to the su command is restricted" - audit: "grep pam_wheel.so /etc/pam.d/su" - tests: - test_items: - - flag: "auth" - compare: - op: eq - value: "sufficient pam_wheel.so trust use_uid" - set: true - remediation: | - Add the following line to the `/etc/pam.d/su` file: + - id: 5.6.a + description: "Ensure access to the su command is restricted" + audit: "grep pam_wheel.so /etc/pam.d/su" + tests: + bin_op: and + test_items: + - flag: "auth" + set: true + - flag: "required" + set: true + - flag: "pam_wheel.so" + set: true + - flag: "use_uid" + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: - auth required pam_wheel.so use_uid + auth required pam_wheel.so use_uid - Create a comma separated list of users in the wheel statement in the `/etc/group` file: + Create a comma separated list of users in the wheel statement in the `/etc/group` file: - wheel:x:10:root, + wheel:x:10:root, - scored: true + scored: true -- id: 5.6.b - description: "Ensure access to the su command is restricted" - audit: "grep wheel /etc/group" - type: manual - tests: - test_items: - - flag: "wheel:x:10:root," - set: true - remediation: | - Add the following line to the `/etc/pam.d/su` file: + - id: 5.6.b + description: "Ensure access to the su command is restricted" + audit: "grep wheel /etc/group" + type: manual + tests: + test_items: + - flag: "wheel:x:10:root," + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: - auth required pam_wheel.so use_uid + auth required pam_wheel.so use_uid - Create a comma separated list of users in the wheel statement in the `/etc/group` file: + Create a comma separated list of users in the wheel statement in the `/etc/group` file: - wheel:x:10:root, + wheel:x:10:root, - scored: true + scored: true - id: 6 description: "System Maintenance" 
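Review bot: The reworked 5.6.a test matches four independent substrings (`auth`, `required`, `pam_wheel.so`, `use_uid`) in the output of `grep pam_wheel.so /etc/pam.d/su`, and that grep returns commented-out lines too; a file in which the directive is present but disabled as `# auth required pam_wheel.so use_uid` (the Debian-family stock file ships it commented, if I recall correctly) satisfies all four items and the control is reported as passing while su remains unrestricted. Narrow the audit to active directives, e.g. `audit: "grep -E '^\\s*auth\\s+required\\s+pam_wheel.so' /etc/pam.d/su"`, so the substring test can only see lines PAM actually evaluates. The re-indentation of 5.6.a and 5.6.b under the parent group looks right; 5.6.b is `type: manual` and is otherwise unchanged.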
@@ -8305,7 +8463,7 @@ groups: Run the following command to set permissions on `/etc/passwd-` : # chown root:root /etc/passwd- - # chmod u-x,go-wx /etc/passwd- + # chmod u-x,go-rwx /etc/passwd- scored: true
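Review bot: The remediation for /etc/passwd- now removes group and other read (`go-rwx`), while the permission test for this control sits outside the hunk; if that test still accepts the previous `u-x,go-wx` result, a host at mode 644 passes the audit while the text tells the administrator to go to 600, so the two should be tightened together or the remediation left as it was. Worth confirming the intent against the benchmark text, since my recollection of the 2.0.0 version is that /etc/passwd- stays readable like /etc/passwd and only the shadow-style backup files drop read for group and other.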