Merge whitespace changes

This commit is contained in:
Liz Rice 2020-12-22 12:18:25 +00:00
parent b494df8909
commit 9fc95ff756


@ -5,7 +5,7 @@ id: 1
description: "Initial Setup"
type: "master"
groups:
- id: 1.1
- id: 1.1
description: "Filesystem Configuration"
checks:
- id: 1.1.1
@ -372,7 +372,6 @@ groups:
# mount -o remount,nodev /tmp
scored: true
- id: 1.1.4
description: "Ensure nosuid option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
@ -396,7 +395,6 @@ groups:
# mount -o remount,nosuid /tmp
scored: true
- id: 1.1.5
description: "Ensure noexec option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
@ -455,7 +453,6 @@ groups:
scored: true
- id: 1.1.9
description: "Ensure nosuid option set on /var/tmp partition"
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
@ -559,7 +556,6 @@ groups:
scored: true
- id: 1.1.16
description: "Ensure nosuid option set on /dev/shm partition"
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
@ -737,7 +733,7 @@ groups:
Run the following command to unload the usb-storage module:
# rmmod usb-storage
scored: true
- id: 1.2
- id: 1.2
description: "Configure Software Updates"
checks:
- id: 1.2.1
@ -798,7 +794,7 @@ groups:
remediation: |
Update your package manager GPG keys in accordance with site policy.
scored: false
- id: 1.3
- id: 1.3
description: "Filesystem Integrity Checking"
checks:
- id: 1.3.1
@ -907,7 +903,7 @@ groups:
scored: true
- id: 1.4
- id: 1.4
description: "Secure Boot Settings"
checks:
- id: 1.4.1
@ -1032,7 +1028,7 @@ groups:
description: "Ensure interactive boot is not enabled"
sub_checks:
- check:
audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot"
audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot'
constraints:
boot:
- grub
@ -1040,7 +1036,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "PROMPT_FOR_CONFIRM=\"no\""
- flag: 'PROMPT_FOR_CONFIRM="no"'
set: true
remediation: |
If interactive boot is available disable it.
@ -1062,8 +1058,7 @@ groups:
If interactive boot is available disable it.
scored: false
- id: 1.5
- id: 1.5
description: "Additional Process Hardening"
checks:
- id: 1.5.1.a
@ -1316,10 +1311,10 @@ groups:
zypper remove prelink
scored: true
- id: 1.6
- id: 1.6
description: "Mandatory Access Control"
checks:
- id: 1.6.1
- id: 1.6.1
description: "Ensure Mandatory Access Control Software is Installed"
checks:
- id: 1.6.1.1
@ -1428,7 +1423,7 @@ groups:
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- id: 1.6.2
- id: 1.6.2
description: "Configure SELinux"
checks:
- id: 1.6.2.1
@ -1587,7 +1582,6 @@ groups:
SELINUXTYPE=targeted
scored: true
- id: 1.6.2.4
description: "Ensure SETroubleshoot is not installed"
sub_checks:
@ -1718,7 +1712,7 @@ groups:
scored: true
- id: 1.6.2.6
description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | grep -E -v -w \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'"
audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }'''
tests:
test_items:
- flag: ""
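Review bot: the re-quoted audit line for 1.6.2.6, with `''` standing in for every embedded single quote (`tr '':'' '' ''`, `awk ''{ print $NF }''`), is harder to read and to verify than the double-quoted original it replaces; for audit strings that themselves contain single quotes, keeping the double-quoted form with `\"` escapes, or moving the command into a `|` block scalar, would be clearer. The same doubled-quote pattern recurs further down at 6.2.1 and 6.2.20.b.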
@ -1729,7 +1723,7 @@ groups:
remediation: |
Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
scored: true
- id: 1.6.3
- id: 1.6.3
description: "Configure AppArmor"
checks:
- id: 1.6.3.1
@ -1802,11 +1796,10 @@ groups:
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
scored: true
- id: 1.7
- id: 1.7
description: "Warning Banners"
checks:
- id: 1.7.1
- id: 1.7.1
description: "Command Line Warning Banners"
checks:
- id: 1.7.1.1.a
@ -1895,7 +1888,6 @@ groups:
# chmod 644 /etc/motd
scored: true
- id: 1.7.1.5
description: "Ensure permissions on /etc/issue are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
@ -1940,7 +1932,7 @@ groups:
banner-message-text='Authorized uses only. All activity may be monitored and reported.'
scored: true
- id: 1.8
- id: 1.8
description: "Ensure updates, patches, and additional security software are installed"
sub_checks:
- check:
@ -1970,14 +1962,14 @@ groups:
Use your package manager to update all packages on the system according to site policy.
scored: false
- id: 2
- id: 2
description: "Services"
- id: 2.1
- id: 2.1
description: "inetd Services"
checks:
- id: 2.1.1.a
description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/inetd.*"
audit: 'grep -R "^chargen" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -1992,7 +1984,7 @@ groups:
- id: 2.1.1.b
description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/xinetd.conf /etc/xinetd.* "
audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* '
tests:
test_items:
- flag: "disable"
@ -2007,7 +1999,7 @@ groups:
- id: 2.1.2.a
description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/inetd.*"
audit: 'grep -R "^daytime" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2022,7 +2014,7 @@ groups:
- id: 2.1.2.b
description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2037,7 +2029,7 @@ groups:
- id: 2.1.3.a
description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/inetd.*"
audit: 'grep -R "^discard" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2052,7 +2044,7 @@ groups:
- id: 2.1.3.b
description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2067,7 +2059,7 @@ groups:
- id: 2.1.4.a
description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/inetd.*"
audit: 'grep -R "^echo" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2082,7 +2074,7 @@ groups:
- id: 2.1.4.b
description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2097,7 +2089,7 @@ groups:
- id: 2.1.5.a
description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/inetd.*"
audit: 'grep -R "^time" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2112,7 +2104,7 @@ groups:
- id: 2.1.5.b
description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2127,7 +2119,7 @@ groups:
- id: 2.1.6.a
description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*"
audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2142,7 +2134,7 @@ groups:
- id: 2.1.6.b
description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*"
audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2157,7 +2149,7 @@ groups:
- id: 2.1.7.a
description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*"
audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2172,7 +2164,7 @@ groups:
- id: 2.1.7.b
description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*"
audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2187,7 +2179,7 @@ groups:
- id: 2.1.8.a
description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/inetd.*"
audit: 'grep -R "^telnet" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2202,7 +2194,7 @@ groups:
- id: 2.1.8.b
description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/xinetd.*"
audit: 'grep -R "^telnet" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2217,7 +2209,7 @@ groups:
- id: 2.1.9.a
description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/inetd.*"
audit: 'grep -R "^tftp" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2232,7 +2224,7 @@ groups:
- id: 2.1.9.b
description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/xinetd.*"
audit: 'grep -R "^tftp" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2310,10 +2302,10 @@ groups:
# update-rc.d xinetd disable
scored: true
- id: 2.2
- id: 2.2
description: "Special Purpose Services"
checks:
- id: 2.2.1
- id: 2.2.1
description: "Time Synchronization"
checks:
- id: 2.2.1.1.a
@ -2484,7 +2476,7 @@ groups:
- id: 2.2.1.2.b
description: "Ensure ntp is configured"
audit: "grep -E \"^(server|pool)\" /etc/ntp.conf"
audit: 'grep -E "^(server|pool)" /etc/ntp.conf'
type: manual
tests:
test_items:
@ -2525,7 +2517,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "OPTIONS=\"-u ntp:ntp\""
- flag: 'OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2557,7 +2549,7 @@ groups:
- ubuntu18
tests:
test_items:
- flag: "OPTIONS=\"-u ntp:ntp\""
- flag: 'OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2593,7 +2585,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2625,7 +2617,7 @@ groups:
- ubuntu18
tests:
test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2688,7 +2680,7 @@ groups:
- id: 2.2.1.3.a
description: "Ensure chrony is configured"
audit: "grep -E \"^(server|pool)\" /etc/chrony.conf"
audit: 'grep -E "^(server|pool)" /etc/chrony.conf'
type: manual
tests:
test_items:
@ -2748,7 +2740,6 @@ groups:
# timedatectl set-ntp true
scored: true
- id: 2.2.2
description: "Ensure X Window System is not installed"
sub_checks:
@ -3804,7 +3795,7 @@ groups:
# update-rc.d ypserv disable
scored: true
- id: 2.3
- id: 2.3
description: "Service Clients"
checks:
- id: 2.3.1
@ -4120,9 +4111,9 @@ groups:
# zypper remove openldap-clients
scored: true
- id: 3
- id: 3
description: "Network Configuration"
- id: 3.1
- id: 3.1
description: "Network Parameters (Host Only)etwork Parameters (Host Only)"
checks:
- id: 3.1.1.a
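Review bot: the unchanged context line for group 3.1 reads `description: "Network Parameters (Host Only)etwork Parameters (Host Only)"`, a duplicated and garbled title; since this hunk only re-indents `- id: 3.1`, it would be a good moment to fix the description to `Network Parameters (Host Only)`.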
@ -4318,7 +4309,7 @@ groups:
scored: true
- id: 3.2
- id: 3.2
description: "Network Parameters (Host and Router)"
checks:
- id: 3.2.1.a
@ -4785,7 +4776,6 @@ groups:
scored: true
- id: 3.2.3.a
description: "Ensure secure ICMP redirects are not accepted"
audit: "sysctl net.ipv4.conf.all.secure_redirects"
@ -5302,7 +5292,7 @@ groups:
scored: true
- id: 3.3
- id: 3.3
description: "TCP Wrappers"
checks:
- id: 3.3.1
@ -5385,7 +5375,6 @@ groups:
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
scored: false
- id: 3.3.3
description: "Ensure /etc/hosts.deny is configured"
audit: "cat /etc/hosts.deny"
@ -5400,7 +5389,6 @@ groups:
scored: false
- id: 3.3.4
description: "Ensure permissions on /etc/hosts.allow are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
@ -5416,7 +5404,6 @@ groups:
scored: true
- id: 3.3.5
description: "Ensure permissions on /etc/hosts.deny are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
@ -5432,8 +5419,7 @@ groups:
scored: true
- id: 3.4
- id: 3.4
description: "Uncommon Network Protocols"
checks:
- id: 3.4.1.a
@ -5564,9 +5550,9 @@ groups:
scored: true
- id: 3.5
- id: 3.5
description: "Firewall Configuration"
- id: 3.5.1
- id: 3.5.1
description: "Configure IPv6 ip6tables"
checks:
- id: 3.5.1.1
@ -5595,8 +5581,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5617,8 +5602,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5670,7 +5654,7 @@ groups:
scored: true
- id: 3.5.2
- id: 3.5.2
description: "Configure IPv4 iptables"
checks:
- id: 3.5.2.1
@ -5699,8 +5683,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5721,8 +5704,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5756,8 +5738,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
@ -5775,8 +5756,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5855,7 +5835,7 @@ groups:
# zypper install iptables
scored: true
- id: 3.6
- id: 3.6
description: "Ensure wireless interfaces are disabled (Not Scored)"
checks:
- id: 3.6.a
@ -5882,7 +5862,7 @@ groups:
Disable any wireless interfaces in your network configuration.
scored: false
- id: 3.7
- id: 3.7
description: "Ensure wireless interfaces are disabled (Not Scored)"
checks:
- id: 3.7
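Review bot: group 3.7 carries the same description as group 3.6, `Ensure wireless interfaces are disabled (Not Scored)`, and its first check reuses the group id `3.7`; the remediation that closes this group in the next hunk ends with `# update-grub`, which does not look like a wireless-interface step, so the 3.7 description is most likely a copy-paste from 3.6. Worth correcting while these lines are being touched, or at least tracking in a follow-up.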
@ -5929,13 +5909,12 @@ groups:
# update-grub
scored: false
- id: 4
- id: 4
description: "Logging and Auditing"
- id: 4.1
- id: 4.1
description: "Configure System Accounting (auditd)"
checks:
- id: 4.1.1
- id: 4.1.1
description: "Configure Data Retention"
checks:
- id: 4.1.1.1
@ -6446,7 +6425,6 @@ groups:
scored: true
- id: 4.1.9.b
description: "Ensure login and logout events are collected"
audit: "auditctl -l | grep logins"
@ -6642,7 +6620,6 @@ groups:
And add all resulting lines to the file.
scored: true
- id: 4.1.14.a
description: "Ensure successful file system mounts are collected"
audit: "grep mounts /etc/audit/rules.d/*.rules"
@ -6735,6 +6712,7 @@ groups:
and add the following lines:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true
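Review bot: the hunk header `-6735,6 +6712,7` shows one line added, but the rendered diff does not make visible which one; for a merge titled as whitespace-only, please confirm it is a blank line inside the `remediation: |` block (harmless, since `|` clip chomping keeps a single trailing newline) and not the `-w /etc/sudoers.d/ -p wa -k scope` rule, which would be a content change. The same one-line growth appears in the next four hunks (4.1.16.b, 4.1.17.a, 4.1.17.b, 4.1.18.a).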
- id: 4.1.16.b
@ -6753,6 +6731,7 @@ groups:
and add the following lines:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true
- id: 4.1.17.a
@ -6770,6 +6749,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-w /var/log/sudo.log -p wa -k actions
scored: true
- id: 4.1.17.b
@ -6784,6 +6764,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-w /var/log/sudo.log -p wa -k actions
scored: true
- id: 4.1.18.a
@ -6808,6 +6789,7 @@ groups:
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
scored: true
- id: 4.1.18.b
@ -6847,9 +6829,9 @@ groups:
at the end of the file
scored: true
- id: 4.2
- id: 4.2
description: "Configure Logging"
- id: 4.2.1
- id: 4.2.1
description: "Configure rsyslog"
checks:
- id: 4.2.1.1
@ -7114,7 +7096,7 @@ groups:
# pkill -HUP rsyslogd
scored: false
- id: 4.2.2
- id: 4.2.2
description: "Configure journald"
checks:
- id: 4.2.2.1
@ -7168,9 +7150,9 @@ groups:
remediation: |
Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy.
scored: false
- id: 5
- id: 5
description: "Access, Authentication and Authorization"
- id: 5.1
- id: 5.1
description: "Configure cron"
checks:
- id: 5.1.1
@ -7250,7 +7232,6 @@ groups:
scored: true
- id: 5.1.3
description: "Ensure permissions on /etc/cron.hourly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
@ -7266,7 +7247,6 @@ groups:
scored: true
- id: 5.1.4
description: "Ensure permissions on /etc/cron.daily are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
@ -7282,7 +7262,6 @@ groups:
scored: true
- id: 5.1.5
description: "Ensure permissions on /etc/cron.weekly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
@ -7298,7 +7277,6 @@ groups:
scored: true
- id: 5.1.6
description: "Ensure permissions on /etc/cron.monthly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
@ -7314,7 +7292,6 @@ groups:
scored: true
- id: 5.1.7
description: "Ensure permissions on /etc/cron.d are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
@ -7330,7 +7307,6 @@ groups:
scored: true
- id: 5.1.8.a
description: "Ensure at/cron is restricted to authorized users"
audit: "stat /etc/cron.deny"
@ -7415,7 +7391,7 @@ groups:
scored: true
- id: 5.2
- id: 5.2
description: "SSH Server Configuration"
checks:
- id: 5.2.1
@ -7433,7 +7409,6 @@ groups:
scored: true
- id: 5.2.2
description: "Ensure permissions on SSH private host key files are configured"
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
@ -7484,7 +7459,6 @@ groups:
LogLevel INFO
scored: true
- id: 5.2.6
description: "Ensure SSH X11 forwarding is disabled"
audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
@ -7499,8 +7473,6 @@ groups:
scored: true
- id: 5.2.7
description: "Ensure SSH MaxAuthTries is set to 4 or less"
audit: "sshd -T | grep maxauthtries"
@ -7532,7 +7504,6 @@ groups:
scored: true
- id: 5.2.9
description: "Ensure SSH HostbasedAuthentication is disabled"
audit: "sshd -T | grep hostbasedauthentication"
@ -7547,7 +7518,6 @@ groups:
scored: true
- id: 5.2.10
description: "Ensure SSH root login is disabled"
audit: "sshd -T | grep permitrootlogin"
@ -7562,8 +7532,6 @@ groups:
scored: true
- id: 5.2.11
description: "Ensure SSH PermitEmptyPasswords is disabled"
audit: "sshd -T | grep permitemptypasswords"
@ -7592,7 +7560,6 @@ groups:
scored: true
- id: 5.2.13
description: "Ensure only approved MAC algorithms are used"
audit: "sshd -T | grep ciphers"
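Review bot: in the context lines, check 5.2.13 is described as `Ensure only approved MAC algorithms are used`, but its audit is `sshd -T | grep ciphers` and the remediation in the next hunk sets a `Ciphers` line, while 5.2.14 (next hunk) is the check that actually covers MACs. The 5.2.13 description should refer to ciphers, for example `Ensure only strong ciphers are used`, to match its audit and remediation.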
@ -7626,10 +7593,9 @@ groups:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
scored: true
- id: 5.2.14
description: "Ensure only strong MAC algorithms are used"
audit: "sshd -T | grep -i \"MACs\""
audit: 'sshd -T | grep -i "MACs"'
tests:
bin_op: and
test_items:
@ -7749,7 +7715,6 @@ groups:
scored: true
- id: 5.2.18.a
description: "Ensure SSH access is limited"
audit: "sshd -T | grep allowusers"
@ -7880,8 +7845,7 @@ groups:
MaxSessions 4
scored: true
- id: 5.3
- id: 5.3
description: "Configure PAM"
checks:
- id: 5.3.1
@ -7954,9 +7918,9 @@ groups:
scored: false
- id: 5.4
- id: 5.4
description: "User Accounts and Environment"
- id: 5.4.1
- id: 5.4.1
description: "Set Shadow Password Suite Parameters"
checks:
- id: 5.4.1.1.a
@ -8199,7 +8163,6 @@ groups:
scored: true
- id: 5.4.4.a
description: "Ensure default user umask is 027 or more restrictive"
sub_checks:
@ -8299,7 +8262,7 @@ groups:
TMOUT=600
scored: true
- id: 5.5
- id: 5.5
description: "Set Shadow Password Suite Parameters"
checks:
- id: 5.5
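Review bot: group 5.5 reuses the 5.4.1 description `Set Shadow Password Suite Parameters`, and the check inside it also has id `5.5`, the same as the group; one of the two descriptions is a copy-paste error. Not introduced by this change, but the line is being re-indented here and could be fixed at the same time.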
@ -8354,9 +8317,9 @@ groups:
scored: true
- id: 6
- id: 6
description: "System Maintenance"
- id: 6.1
- id: 6.1
description: "System File Permissions"
checks:
- id: 6.1.1
@ -8402,10 +8365,9 @@ groups:
scored: true
- id: 6.1.3
description: "Ensure permissions on /etc/shadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow'
tests:
bin_op: and
test_items:
@ -8414,7 +8376,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8430,10 +8392,9 @@ groups:
scored: true
- id: 6.1.4
description: "Ensure permissions on /etc/group are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group'
tests:
test_items:
- flag: "Uid:root/0 Gid:root/0 permissions=644"
@ -8446,10 +8407,9 @@ groups:
scored: true
- id: 6.1.5
description: "Ensure permissions on /etc/gshadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow'
tests:
bin_op: and
test_items:
@ -8458,7 +8418,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8476,7 +8436,7 @@ groups:
- id: 6.1.6
description: "Ensure permissions on /etc/passwd- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/passwd-"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-'
tests:
bin_op: and
test_items:
@ -8495,10 +8455,9 @@ groups:
scored: true
- id: 6.1.7
description: "Ensure permissions on /etc/shadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow-"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-'
tests:
bin_op: and
test_items:
@ -8507,7 +8466,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8523,10 +8482,9 @@ groups:
scored: true
- id: 6.1.8
description: "Ensure permissions on /etc/group- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group-"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-'
tests:
bin_op: and
test_items:
@ -8545,10 +8503,9 @@ groups:
scored: true
- id: 6.1.9
description: "Ensure permissions on /etc/gshadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow-"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-'
tests:
bin_op: and
test_items:
@ -8557,7 +8514,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8573,7 +8530,6 @@ groups:
scored: true
- id: 6.1.10.a
description: "Ensure no world writable files exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
@ -8686,12 +8642,12 @@ groups:
Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries.
scored: false
- id: 6.2
- id: 6.2
description: "User and Group Settings"
checks:
- id: 6.2.1
description: "Ensure password fields are not empty"
audit: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow"
audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow'
tests:
test_items:
- flag: ""
@ -8708,7 +8664,7 @@ groups:
scored: true
- id: 6.2.2
description: "Ensure no legacy \"+\" entries exist in /etc/passwd"
description: 'Ensure no legacy "+" entries exist in /etc/passwd'
audit: "grep '^\\+:' /etc/passwd"
tests:
test_items:
@ -8721,9 +8677,8 @@ groups:
Remove any legacy '+' entries from `/etc/passwd` if they exist.
scored: true
- id: 6.2.3
description: "Ensure no legacy \"+\" entries exist in /etc/shadow"
description: 'Ensure no legacy "+" entries exist in /etc/shadow'
audit: "grep '^\\+:' /etc/shadow"
tests:
test_items:
@ -8736,9 +8691,8 @@ groups:
Remove any legacy '+' entries from `/etc/shadow` if they exist.
scored: true
- id: 6.2.4
description: "Ensure no legacy \"+\" entries exist in /etc/group"
description: 'Ensure no legacy "+" entries exist in /etc/group'
audit: "grep '^\\+:' /etc/group"
tests:
test_items:
@ -8751,7 +8705,6 @@ groups:
Remove any legacy '+' entries from `/etc/group` if they exist.
scored: true
- id: 6.2.5
description: "Ensure root is the only UID 0 account"
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
@ -8810,7 +8763,6 @@ groups:
Correct or justify any items discovered in the Audit step.
scored: true
- id: 6.2.7
description: "Ensure all users' home directories exist"
audit: |
@ -8892,7 +8844,6 @@ groups:
Change the ownership of any home directories that are not owned by the defined user to the correct user.
scored: true
- id: 6.2.10
description: "Ensure users' dot files are not group or world writable"
audit: |
@ -8949,7 +8900,6 @@ groups:
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
scored: true
- id: 6.2.12
description: "Ensure no users have .netrc files"
audit: |
@ -9137,7 +9087,6 @@ groups:
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
scored: true
- id: 6.2.19
description: "Ensure no duplicate group names exist"
audit: |
@ -9177,7 +9126,7 @@ groups:
- id: 6.2.20.b
description: "Ensure shadow group is empty"
audit: "awk -F: '($4 == \"\") { print }' /etc/passwd"
audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd'
tests:
test_items:
- flag: ""
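Review bot: the re-quoting of the 6.2.20.b audit is correct (`''` inside single quotes yields `'`), but the command itself, `awk -F: '($4 == "") { print }' /etc/passwd`, matches users whose primary-GID field is empty rather than users whose primary group is shadow, so on a well-formed passwd file it produces no output and the check always passes regardless of shadow group membership. The comparison presumably needs the shadow group's GID in place of the empty string.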
@ -9188,4 +9137,3 @@ groups:
remediation: |
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
scored: true