From a2c4b70f08701375e5346a8d480fe3ccea2d4df5 Mon Sep 17 00:00:00 2001 From: Yoav Hizkiahou Date: Tue, 19 Feb 2019 18:17:54 +0200 Subject: [PATCH] Improved configuration for version 1.1.0 --- cfg/1.1.0/6.2.10.sh | 19 + cfg/1.1.0/6.2.11.sh | 11 + cfg/1.1.0/6.2.12.sh | 11 + cfg/1.1.0/6.2.13.sh | 31 + cfg/1.1.0/6.2.14.sh | 13 + cfg/1.1.0/6.2.15.sh | 8 + cfg/1.1.0/6.2.16.sh | 9 + cfg/1.1.0/6.2.17.sh | 10 + cfg/1.1.0/6.2.18.sh | 10 + cfg/1.1.0/6.2.19.sh | 10 + cfg/1.1.0/6.2.6.sh | 34 + cfg/1.1.0/6.2.7.sh | 7 + cfg/1.1.0/6.2.8.sh | 24 + cfg/1.1.0/6.2.9.sh | 12 + cfg/1.1.0/definitions.yaml | 6822 +++++++++++++++++++++++++++++++++++- 15 files changed, 7009 insertions(+), 22 deletions(-) create mode 100644 cfg/1.1.0/6.2.10.sh create mode 100644 cfg/1.1.0/6.2.11.sh create mode 100644 cfg/1.1.0/6.2.12.sh create mode 100644 cfg/1.1.0/6.2.13.sh create mode 100644 cfg/1.1.0/6.2.14.sh create mode 100644 cfg/1.1.0/6.2.15.sh create mode 100644 cfg/1.1.0/6.2.16.sh create mode 100644 cfg/1.1.0/6.2.17.sh create mode 100644 cfg/1.1.0/6.2.18.sh create mode 100644 cfg/1.1.0/6.2.19.sh create mode 100644 cfg/1.1.0/6.2.6.sh create mode 100644 cfg/1.1.0/6.2.7.sh create mode 100644 cfg/1.1.0/6.2.8.sh create mode 100644 cfg/1.1.0/6.2.9.sh diff --git a/cfg/1.1.0/6.2.10.sh b/cfg/1.1.0/6.2.10.sh new file mode 100644 index 0000000..71cceea --- /dev/null +++ b/cfg/1.1.0/6.2.10.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.[A-Za-z0-9]*; do + if [ ! -h "$file" -a -f "$file" ]; then + fileperm=`ls -ld $file | cut -f1 -d" "` + if [ `echo $fileperm | cut -c6` != "-" ]; then + echo "Group Write permission set on file $file" + fi + if [ `echo $fileperm | cut -c9` != "-" ]; then + echo "Other Write permission set on file $file" + fi + fi + done + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.11.sh b/cfg/1.1.0/6.2.11.sh new file mode 100644 index 0000000..883e790 --- /dev/null +++ b/cfg/1.1.0/6.2.11.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then + echo ".forward file $dir/.forward exists" + fi + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.12.sh b/cfg/1.1.0/6.2.12.sh new file mode 100644 index 0000000..61147d7 --- /dev/null +++ b/cfg/1.1.0/6.2.12.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then + echo ".netrc file $dir/.netrc exists" + fi + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.13.sh b/cfg/1.1.0/6.2.13.sh new file mode 100644 index 0000000..44af2f4 --- /dev/null +++ b/cfg/1.1.0/6.2.13.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.netrc; do + if [ ! -h "$file" -a -f "$file" ]; then + fileperm=`ls -ld $file | cut -f1 -d" "` + if [ `echo $fileperm | cut -c5` != "-" ]; then + echo "Group Read set on $file" + fi + if [ `echo $fileperm | cut -c6` != "-" ]; then + echo "Group Write set on $file" + fi + if [ `echo $fileperm | cut -c7` != "-" ]; then + echo "Group Execute set on $file" + fi + if [ `echo $fileperm | cut -c8` != "-" ]; then + echo "Other Read set on $file" + fi + if [ `echo $fileperm | cut -c9` != "-" ]; then + echo "Other Write set on $file" + fi + if [ `echo $fileperm | cut -c10` != "-" ]; then + echo "Other Execute set on $file" + fi + fi + done + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.14.sh b/cfg/1.1.0/6.2.14.sh new file mode 100644 index 0000000..2ad7f97 --- /dev/null +++ b/cfg/1.1.0/6.2.14.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.rhosts; do + if [ ! -h "$file" -a -f "$file" ]; then + echo ".rhosts file in $dir" + fi + done + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.15.sh b/cfg/1.1.0/6.2.15.sh new file mode 100644 index 0000000..c6790e8 --- /dev/null +++ b/cfg/1.1.0/6.2.15.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group + if [ $? -ne 0 ]; then + echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.16.sh b/cfg/1.1.0/6.2.16.sh new file mode 100644 index 0000000..9e4d47a --- /dev/null +++ b/cfg/1.1.0/6.2.16.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do + [ -z "${x}" ] && break set - $x + if [ $1 -gt 1 ]; then + users=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs` + echo "Duplicate UID ($2): ${users}" + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.17.sh b/cfg/1.1.0/6.2.17.sh new file mode 100644 index 0000000..060d055 --- /dev/null +++ b/cfg/1.1.0/6.2.17.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do + [ -z "${x}" ] && break + set - $x + if [ $1 -gt 1 ]; then + groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` + echo "Duplicate GID ($2): ${groups}" + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.18.sh b/cfg/1.1.0/6.2.18.sh new file mode 100644 index 0000000..332dcf6 --- /dev/null +++ b/cfg/1.1.0/6.2.18.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do + [ -z "${x}" ] && break + set - $x + if [ $1 -gt 1 ]; then + uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` + echo "Duplicate User Name ($2): ${uids}" + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.19.sh b/cfg/1.1.0/6.2.19.sh new file mode 100644 index 0000000..6a0260f --- /dev/null +++ b/cfg/1.1.0/6.2.19.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do + [ -z "${x}" ] && break + set - $x + if [ $1 -gt 1 ]; then + gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` + echo "Duplicate Group Name ($2): ${gids}" + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.6.sh b/cfg/1.1.0/6.2.6.sh new file mode 100644 index 0000000..68f5338 --- /dev/null +++ b/cfg/1.1.0/6.2.6.sh @@ -0,0 +1,34 @@ +#!/bin/bash +if [ "`echo $PATH | grep ::`" != "" ]; then + echo "Empty Directory in PATH (::)" +fi + +if [ "`echo $PATH | grep :$`" != "" ]; then + echo "Trailing : in PATH" +fi + +p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` +set -- $p +while [ "$1" != "" ]; do + if [ "$1" = "." ]; then + echo "PATH contains ." + shift + continue + fi + if [ -d $1 ]; then + dirperm=`ls -ldH $1 | cut -f1 -d" "` + if [ `echo $dirperm | cut -c6` != "-" ]; then + echo "Group Write permission set on directory $1" + fi + if [ `echo $dirperm | cut -c9` != "-" ]; then + echo "Other Write permission set on directory $1" + fi + dirown=`ls -ldH $1 | awk '{print $3}'` + if [ "$dirown" != "root" ] ; then + echo $1 is not owned by root + fi + else + echo $1 is not a directory + fi + shift +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.7.sh b/cfg/1.1.0/6.2.7.sh new file mode 100644 index 0000000..fcfc4f4 --- /dev/null +++ b/cfg/1.1.0/6.2.7.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.8.sh b/cfg/1.1.0/6.2.8.sh new file mode 100644 index 0000000..36f39d9 --- /dev/null +++ b/cfg/1.1.0/6.2.8.sh @@ -0,0 +1,24 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != +"/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user +dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + dirperm=`ls -ld $dir | cut -f1 -d" "` + if [ `echo $dirperm | cut -c6` != "-" ]; then + echo "Group Write permission set on the home directory ($dir) of user $user" + fi + if [ `echo $dirperm | cut -c8` != "-" ]; then + echo "Other Read permission set on the home directory ($dir) of user $user" + fi + if [ `echo $dirperm | cut -c9` != "-" ]; then + echo "Other Write permission set on the home directory ($dir) of user $user" + fi + if [ `echo $dirperm | cut -c10` != "-" ]; then + echo "Other Execute permission set on the home directory ($dir) of user $user" + fi + fi +done + \ No newline at end of file diff --git a/cfg/1.1.0/6.2.9.sh b/cfg/1.1.0/6.2.9.sh new file mode 100644 index 0000000..221c44a --- /dev/null +++ b/cfg/1.1.0/6.2.9.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + owner=$(stat -L -c "%U" "$dir") + if [ "$owner" != "$user" ]; then + echo "The home directory ($dir) of user $user is owned by $owner." + fi + fi +done \ No newline at end of file diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index 364ed71..0893992 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -5,8 +5,39 @@ id: 1 description: "Initial Setup" type: "master" groups: +- id: 1.8 + description: "Initial Setupnitial Setup" + checks: + - id: 1.8 + description: "Initial Setupnitial Setup" + sub_checks: + - check: + audit: "yum check-update" + type: manual + constraints: + platform: + - rhel7 + remediation: | + Use your package manager to update all packages on the system according to site policy. + - check: + audit: "apt-get -s upgrade" + type: manual + constraints: + platform: + - ubuntu + remediation: | + Use your package manager to update all packages on the system according to site policy. + - check: + audit: "zypper list-updates" + type: manual + constraints: + platform: + - opensuse + remediation: | + Use your package manager to update all packages on the system according to site policy. + scored: false - id: 1.1 - description: "Filesystem Configuration" + description: "Filesystem Configurationilesystem Configuration" checks: - id: 1.1.2 description: "Ensure separate partition exists for /tmp" @@ -18,7 +49,53 @@ groups: remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. - scored: true + scored: true + - id: 1.1.3 + description: "Ensure nodev option set on /tmp partition" + audit: "mount | grep /tmp" + tests: + test_items: + - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/tmp` : + + # mount -o remount,nodev /tmp + + scored: true + + + - id: 1.1.4 + description: "Ensure nosuid option set on /tmp partition" + audit: "mount | grep /tmp" + tests: + test_items: + - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) for the `/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/tmp` : + + # mount -o remount,nosuid /tmp + + scored: true + + + - id: 1.1.5 + description: "Ensure noexec option set on /tmp partition" + audit: "mount | grep /tmp" + tests: + test_items: + - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/tmp` : + + # mount -o remount,noexec /tmp + + scored: true - id: 1.1.6 description: "Ensure separate partition exists for /var" @@ -30,8 +107,7 @@ groups: remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. - scored: true - + scored: true - id: 1.1.7 description: "Ensure separate partition exists for /var/tmp" audit: "mount | grep /var/tmp" @@ -42,8 +118,116 @@ groups: remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var/tmp` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + - id: 1.1.8 + description: "Ensure nodev option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,nodev /var/tmp + + scored: true + + + - id: 1.1.9 + description: "Ensure nosuid option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,nosuid /var/tmp + + scored: true + + + - id: 1.1.10 + description: "Ensure noexec option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,noexec /var/tmp + + scored: true + + + - id: 1.1.11 + description: "Ensure noexec option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,noexec /var/tmp + + scored: true + + - id: 1.1.12 + description: "Ensure noexec option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,noexec /var/tmp + scored: true + - id: 1.1.13 + description: "Ensure noexec option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,noexec /var/tmp + + scored: true + + - id: 1.1.14 + description: "Ensure noexec option set on /var/tmp partition" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: "tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/var/tmp` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/var/tmp` : + + # mount -o remount,noexec /var/tmp + + scored: true + + - id: 1.1.15 description: "Ensure separate partition exists for /var/log" audit: "mount | grep /var/log" @@ -55,7 +239,6 @@ groups: For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - - id: 1.1.16 description: "Ensure separate partition exists for /var/log/audit" audit: "mount | grep /var/log/audit" @@ -66,9 +249,7 @@ groups: remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log/audit` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. - scored: true - - + scored: true - id: 1.1.17 description: "Ensure separate partition exists for /home" audit: "mount | grep /home" @@ -79,11 +260,457 @@ groups: remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/home` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + - id: 1.1.18 + description: "Ensure nodev option set on /home partition" + audit: "mount | grep /home" + tests: + test_items: + - flag: "/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/home` partition. See the `fstab(5)` manual page for more information. + + # mount -o remount,nodev /home + + scored: true + + - id: 1.1.19 + description: "Ensure nodev option set on /dev/shm partition" + audit: "mount | grep /dev/shm" + tests: + test_items: + - flag: "tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/dev/shm` : + + # mount -o remount,nodev /dev/shm + + scored: true + + + - id: 1.1.20 + description: "Ensure nosuid option set on /dev/shm partition" + audit: "mount | grep /dev/shm" + tests: + test_items: + - flag: "tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/dev/shm` : + + # mount -o remount,nosuid /dev/shm + scored: true + + - id: 1.1.21 + description: "Ensure noexec option set on /dev/shm partition" + audit: "mount | grep /dev/shm" + tests: + test_items: + - flag: "tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. + Run the following command to remount `/dev/shm` : + + # mount -o remount,noexec /dev/shm + + scored: true + + - id: 1.1.22 + description: "Ensure nodev option set on removable media partitions" + audit: "mount" + type: manual + remediation: | + Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. + scored: false + + - id: 1.1.23 + description: "Ensure nosuid option set on removable media partitions" + audit: "mount" + type: manual + remediation: | + Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. + scored: false + + - id: 1.1.24 + description: "Ensure noexec option set on removable media partitions" + audit: "mount" + type: manual + remediation: | + Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. + scored: false + + - id: 1.1.25 + description: "Ensure sticky bit is set on all world-writable directories" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the following command to set the sticky bit on all world writable directories: + + # df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + + scored: true + + - id: 1.1.26 + description: "Disable Automounting" + sub_checks: + - check: + audit: "chkconfig --list autofs" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `autofs` : + + # chkconfig autofs off + + + # systemctl disable autofs + + + # update-rc.d autofs disable + - check: + audit: "systemctl is-enabled autofs" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "disabled" + set: true + remediation: | + Run one of the following commands to disable `autofs` : + + # chkconfig autofs off + + + # systemctl disable autofs + + + # update-rc.d autofs disable + - check: + audit: "ls /etc/rc*.d | grep autofs" + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run one of the following commands to disable `autofs` : + + # chkconfig autofs off + + + # systemctl disable autofs + + + # update-rc.d autofs disable + scored: true - id: 1.1.1 description: "Disable unused filesystemsisable unused filesystems" checks: + - id: 1.1.1.1.a + description: "Ensure mounting of cramfs filesystems is disabled" + audit: "modprobe -n -v cramfs" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install cramfs /bin/true + + Run the following command to unload the `cramfs` module: + + # rmmod cramfs + + scored: true + + - id: 1.1.1.1.b + description: "Ensure mounting of cramfs filesystems is disabled" + audit: "lsmod | grep cramfs" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install cramfs /bin/true + + Run the following command to unload the `cramfs` module: + + # rmmod cramfs + + scored: true + + - id: 1.1.1.2.a + description: "Ensure mounting of freevxfs filesystems is disabled" + audit: "modprobe -n -v freevxfs" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install freevxfs /bin/true + + Run the following command to unload the `freevxfs` module: + + # rmmod freevxfs + + scored: true + + - id: 1.1.1.2.b + description: "Ensure mounting of freevxfs filesystems is disabled" + audit: "lsmod | grep freevxfs" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install freevxfs /bin/true + + Run the following command to unload the `freevxfs` module: + + # rmmod freevxfs + + scored: true + + - id: 1.1.1.3.a + description: "Ensure mounting of jffs2 filesystems is disabled" + audit: "modprobe -n -v jffs2" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install jffs2 /bin/true + + Run the following command to unload the `jffs2` module: + + # rmmod jffs2 + + scored: true + + - id: 1.1.1.3.b + description: "Ensure mounting of jffs2 filesystems is disabled" + audit: "lsmod | grep jffs2" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install jffs2 /bin/true + + Run the following command to unload the `jffs2` module: + + # rmmod jffs2 + + scored: true + + - id: 1.1.1.4.a + description: "Ensure mounting of hfs filesystems is disabled" + audit: "modprobe -n -v hfs" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install hfs /bin/true + + Run the following command to unload the `hfs` module: + + # rmmod hfs + + scored: true + + - id: 1.1.1.4.b + description: "Ensure mounting of hfs filesystems is disabled" + audit: "lsmod | grep hfs" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install hfs /bin/true + + Run the following command to unload the `hfs` module: + + # rmmod hfs + + scored: true + + - id: 1.1.1.5.a + description: "Ensure mounting of hfsplus filesystems is disabled" + audit: "modprobe -n -v hfsplus" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install hfsplus /bin/true + + Run the following command to unload the `hfsplus` module: + + # rmmod hfsplus + + scored: true + + - id: 1.1.1.5.b + description: "Ensure mounting of hfsplus filesystems is disabled" + audit: "lsmod | grep hfsplus" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install hfsplus /bin/true + + Run the following command to unload the `hfsplus` module: + + # rmmod hfsplus + + scored: true + + - id: 1.1.1.6.a + description: "Ensure mounting of squashfs filesystems is disabled" + sub_checks: + - check: + audit: "modprobe -n -v squashfs" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag : "install /bin/true" + set: true + + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install squashfs /bin/true + + Run the following command to unload the `squashfs` module: + + # rmmod squashfs + + scored: true + - id: 1.1.1.6.b + description: "Ensure mounting of squashfs filesystems is disabled" + sub_checks: + - check: + audit: "lsmod | grep squashfs" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag : "" + set: true + + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install squashfs /bin/true + + Run the following command to unload the `squashfs` module: + + # rmmod squashfs + + scored: true + + - id: 1.1.1.7.a + description: "Ensure mounting of udf filesystems is disabled" + audit: "modprobe -n -v udf" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install udf /bin/true + + Run the following command to unload the `udf` module: + + # rmmod udf + + scored: true + + - id: 1.1.1.7.b + description: "Ensure mounting of udf filesystems is disabled" + audit: "lsmod | grep udf" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install udf /bin/true + + Run the following command to unload the `udf` module: + + # rmmod udf + + scored: true - id: 1.1.1.8.a description: "Ensure mounting of FAT filesystems is disabled" sub_checks: @@ -129,8 +756,520 @@ groups: # rmmod vfat - scored: true - + scored: true + +- id: 1.2 + description: "Configure Software Updatesonfigure Software Updates" + checks: + - id: 1.2.1 + description: "Ensure package manager repositories are configured" + sub_checks: + - check: + audit: "yum repo-list" + constraints: + platform: + - rhel7 + type: manual + remediation: | + Configure your package manager repositories according to site policy. + - check: + audit: "apt-cache policy" + constraints: + platform: + - ubuntu + type: manual + remediation: | + Configure your package manager repositories according to site policy. + - check: + audit: "zypper repos" + constraints: + platform: + - opensuse + type: manual + remediation: | + Configure your package manager repositories according to site policy. + scored: false + - id: 1.2.2 + description: "Ensure GPG keys are configured" + sub_checks: + - check: + audit: "rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}'" + constraints: + platform: + - rhel7 + type: manual + remediation: | + Update your package manager GPG keys in accordance with site policy. + - check: + audit: "apt-key list" + constraints: + platform: + - ubuntu + type: manual + remediation: | + Update your package manager GPG keys in accordance with site policy. + - check: + audit: "zypper repos" + constraints: + platform: + - opensuse + type: manual + remediation: | + Update your package manager GPG keys in accordance with site policy. + scored: false +- id: 1.3 + description: "Filesystem Integrity Checkingilesystem Integrity Checking" + checks: + - id: 1.3.1 + description: "Ensure AIDE is installed" + sub_checks: + - check: + audit: "rpm -q aide" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "package aide is not installed" + set: false + remediation: | + Install AIDE using the appropriate package manager or manual installation: + + # yum install aide + + + # apt-get install aide + + + # zypper install aide + + Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. + Initialize AIDE: + + # aide --init + - check: + audit: "dpkg -s aide" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + Install AIDE using the appropriate package manager or manual installation: + + # yum install aide + + + # apt-get install aide + + + # zypper install aide + + Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. + Initialize AIDE: + + # aide --init + scored: true + - id: 1.3.2.a + description: "Ensure filesystem integrity is regularly checked" + audit: "crontab -u root -l | grep aide" + type: manual + remediation: | + Run the following command: + + # crontab -u root -e + + Add the following line to the crontab: + + 0 5 * * * /usr/sbin/aide --check + + scored: true + + - id: 1.3.2.b + description: "Ensure filesystem integrity is regularly checked" + audit: "grep -r aide /etc/cron.* /etc/crontab" + type: manual + remediation: | + Run the following command: + + # crontab -u root -e + + Add the following line to the crontab: + + 0 5 * * * /usr/sbin/aide --check + + scored: true + +- id: 1.4 + description: "Secure Boot Settingsecure Boot Settings" + checks: + - id: 1.4.1 + description: "Ensure permissions on bootloader config are configured" + sub_checks: + - check: + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /boot/grub/menu.lst" + constraints: + boot: + - grub + tests: + test_items: + - flag: "600/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on your grub configuration: + + # chown root:root /boot/grub/menu.lst + # chmod og-rwx /boot/grub/menu.lst + - check: + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/default/grub" + constraints: + boot: + - grub2 + tests: + test_items: + - flag: "600/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on your grub configuration: + + # chown root:root /etc/default/grub + # chmod og-rwx /etc/default/grub + scored: true + + - id: 1.4.2.a + description: "Ensure bootloader password is set" + sub_checks: + - check: + audit: "grep ^password /boot/grub/menu.lst" + type: manual + constraints: + boot: + - grub + tests: + test_items: + - flag: "password --md5 " + set: true + remediation: | + For `grub` based systems create an encrypted password with `grub-md5-crypt`: + + # grub-md5-crypt + Password: + Retype Password: + + Copy and paste the `` into the global section of `/boot/grub/menu.lst`: + + password --md5 + + For `grub2` based systems create an encrypted password with `grub-mkpasswd-pbkdf2`: + + # grub-mkpasswd-pbkdf2 + Enter password: + Reenter password: + Your PBKDF2 is + + Add the following into `/etc/grub.d/00_header` or a custom `/etc/grub.d` configuration file: + + cat < + EOF + Run the following command to update the grub2 configuration: + # update-grub + - check: + audit: "grep superusers /etc/grub.d/00_header" + type: manual + constraints: + boot: + - grub2 + tests: + test_items: + - flag: "password --md5 " + set: true + remediation: | + For `grub` based systems create an encrypted password with `grub-md5-crypt`: + + # grub-md5-crypt + Password: + Retype Password: + + Copy and paste the `` into the global section of `/boot/grub/menu.lst`: + + password --md5 + + For `grub2` based systems create an encrypted password with `grub-mkpasswd-pbkdf2`: + + # grub2-mkpasswd-pbkdf2 + Enter password: + Reenter password: + Your PBKDF2 is + + Add the following into `/etc/grub.d/00_header` or a custom `/etc/grub.d` configuration file: + + cat < + EOF + Run the following command to update the grub2 configuration: + # update-grub + scored: true + - id: 1.4.2.b + description: "Ensure bootloader password is set" + sub_checks: + - check: + audit: "grep ^password /etc/grub.d/00_header" + type: manual + constraints: + boot: + - grub2 + tests: + test_items: + - flag: "password --md5 " + set: true + remediation: | + For `grub` based systems create an encrypted password with `grub-md5-crypt`: + + # grub-md5-crypt + Password: + Retype Password: + + Copy and paste the `` into the global section of `/boot/grub/menu.lst`: + + password --md5 + + For `grub2` based systems create an encrypted password with `grub-mkpasswd-pbkdf2`: + + # grub2-mkpasswd-pbkdf2 + Enter password: + Reenter password: + Your PBKDF2 is + + Add the following into `/etc/grub.d/00_header` or a custom `/etc/grub.d` configuration file: + + cat < + EOF + Run the following command to update the grub2 configuration: + # update-grub + scored: true + - id: 1.4.3 + description: "Ensure authentication required for single user mode" + type: manual + remediation: | + Consult your documentation and configure single user mode to require a password for login as appropriate. + scored: true + + - id: 1.4.4 + description: "Ensure interactive boot is not enabled" + sub_checks: + - check: + audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot" + constraints: + boot: + - grub + platform: + - rhel7 + tests: + test_items: + - flag: "PROMPT_FOR_CONFIRM=\"no\"" + set: true + remediation: | + If interactive boot is available disable it. + - check: + audit: "grep PROMPT /etc/sysconfig/init" + constraints: + boot: + - grub2 + platform: + - rhel7 + tests: + test_items: + - flag: "PROMPT" + compare: + op: eq + value: "no" + set: true + remediation: | + If interactive boot is available disable it. + scored: false + + +- id: 1.5 + description: "Additional Process Hardeningdditional Process Hardening" + checks: + - id: 1.5.1.a + description: "Ensure core dumps are restricted" + audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*" + tests: + test_items: + - flag: "hard core 0" + set: true + remediation: | + Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: + + * hard core 0 + + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + fs.suid_dumpable = 0 + + Run the following command to set the active kernel parameter: + + # sysctl -w fs.suid_dumpable=0 + + scored: true + + - id: 1.5.1.b + description: "Ensure core dumps are restricted" + audit: "sysctl fs.suid_dumpable" + tests: + test_items: + - flag: "fs.suid_dumpable =" + compare: + op: eq + value: "0" + set: true + remediation: | + Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: + + * hard core 0 + + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + fs.suid_dumpable = 0 + + Run the following command to set the active kernel parameter: + + # sysctl -w fs.suid_dumpable=0 + + scored: true + + - id: 1.5.1.c + description: "Ensure core dumps are restricted" + audit: "grep fs.suid_dumpable /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "fs.suid_dumpable =" + compare: + op: eq + value: "0" + set: true + remediation: | + Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: + + * hard core 0 + + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + fs.suid_dumpable = 0 + + Run the following command to set the active kernel parameter: + + # sysctl -w fs.suid_dumpable=0 + + scored: true + + - id: 1.5.2 + description: "Ensure XD/NX support is enabled" + audit: 'dmesg | grep "NX (Execute Disable) protection: active" ' + tests: + test_items: + - flag: "NX" + set: true + remediation: | + On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: + If necessary configure your bootloader to load the new kernel and reboot the system. + You may need to enable NX or XD support in your bios. + scored: false + + - id: 1.5.3.a + description: "Ensure address space layout randomization (ASLR) is enabled" + audit: "sysctl kernel.randomize_va_space" + tests: + test_items: + - flag: "kernel.randomize_va_space = 2" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + kernel.randomize_va_space = 2 + + Run the following command to set the active kernel parameter: + + # sysctl -w kernel.randomize_va_space=2 + + scored: true + + - id: 1.5.3.b + description: "Ensure address space layout randomization (ASLR) is enabled" + audit: "grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "kernel.randomize_va_space = 2" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + kernel.randomize_va_space = 2 + + Run the following command to set the active kernel parameter: + + # sysctl -w kernel.randomize_va_space=2 + + scored: true + + - id: 1.5.4 + description: "Ensure prelink is disabled" + sub_checks: + - check: + audit: "rpm -q prelink" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "package prelink is not installed" + set: true + remediation: | + Run the following command to restore binaries to normal: + + # prelink -ua + + Uninstall `prelink` using the appropriate package manager or manual installation: + + # yum remove prelink + + + # apt-get remove prelink + + + # zypper remove prelink + - check: + audit: "dpkg -s prelink" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Run the following command to restore binaries to normal: + + # prelink -ua + + Uninstall `prelink` using the appropriate package manager or manual installation: + + yum remove prelink + + + apt-get remove prelink + + + zypper remove prelink + scored: true - id: 1.6 description: "Mandatory Access Controlandatory Access Control" checks: @@ -215,8 +1354,8 @@ groups: - apparmor tests: test_items: - - flag: "is not installed" - set: false + - flag: "install ok installed" + set: true remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: @@ -460,8 +1599,8 @@ groups: - ubuntu tests: test_items: - - flag: "" - set: true + - flag: "install ok installed" + set: false remediation: | Uninstall `mcstrans` using the appropriate package manager or manual installation: @@ -479,6 +1618,9 @@ groups: tests: test_items: - flag: "" + compare: + op: eq + value: "" set: true remediation: | Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them. @@ -552,6 +1694,3589 @@ groups: Any unconfined processes may need to have a profile created or activated for them and then be restarted. scored: true + +- id: 1.7 + description: "Warning Banners" + checks: + - id: 1.7.2.a + description: "Ensure GDM login banner is configured" + audit: "cat /etc/dconf/profile/gdm" + tests: + bin_op: and + test_items: + - flag: "user-db:user" + set: true + - flag: "system-db:gdm" + set: true + - flag: "file-db:/usr/share/gdm/greeter-dconf-defaults" + set: true + remediation: | + Create the `/etc/dconf/profile/gdm` file with the following contents: + + user-db:user + system-db:gdm + file-db:/usr/share/gdm/greeter-dconf-defaults + + Create or edit the `banner-message-enable` and `banner-message-text` options in `/etc/dconf/db/gdm.d/01-banner-message`: + + [org/gnome/login-screen] + banner-message-enable=true + banner-message-text='Authorized uses only. All activity may be monitored and reported.' + + Run the following command to update the system databases: + + # dconf update + + scored: true + + - id: 1.7.2.b + description: "Ensure GDM login banner is configured" + audit: "grep -h banner /etc/dconf/db/gdm.d/01-banner-message /etc/dconf/db/gdm.d/*" + tests: + bin_op: and + test_items: + - flag: "banner-message-enable" + set: true + - flag: "banner-message-text" + set: true + remediation: | + Create the `/etc/dconf/profile/gdm` file with the following contents: + + user-db:user + system-db:gdm + file-db:/usr/share/gdm/greeter-dconf-defaults + + Create or edit the `banner-message-enable` and `banner-message-text` options in `/etc/dconf/db/gdm.d/01-banner-message`: + + [org/gnome/login-screen] + banner-message-enable=true + banner-message-text='Authorized uses only. All activity may be monitored and reported.' + + Run the following command to update the system databases: + + # dconf update + + scored: true + +- id: 1.7.1 + description: "Command Line Warning Bannersommand Line Warning Banners" + checks: + - id: 1.7.1.1.a + description: "Ensure message of the day is configured properly" + audit: "cat /etc/motd" + type: manual + remediation: | + Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. + scored: true + + - id: 1.7.1.1.b + description: "Ensure message of the day is configured properly" + audit: 'egrep \\v /etc/motd' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. + scored: true + - id: 1.7.1.1.c + description: "Ensure message of the day is configured properly" + audit: 'egrep \\r /etc/motd' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. + scored: true + - id: 1.7.1.1.d + description: "Ensure message of the day is configured properly" + audit: 'egrep \\m /etc/motd' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. + scored: true + - id: 1.7.1.1.e + description: "Ensure message of the day is configured properly" + audit: 'egrep \\s /etc/motd' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. + scored: true + - id: 1.7.1.2.a + description: "Ensure local login warning banner is configured properly" + audit: "cat /etc/issue" + type: manual + remediation: | + Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue + scored: false + - id: 1.7.1.2.b + description: "Ensure local login warning banner is configured properly" + audit: 'egrep \\v /etc/issue' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue + scored: true + - id: 1.7.1.2.c + description: "Ensure local login warning banner is configured properly" + audit: 'egrep \\r /etc/issue' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue + scored: true + - id: 1.7.1.2.d + description: "Ensure local login warning banner is configured properly" + audit: 'egrep \\m /etc/issue' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue + scored: true + - id: 1.7.1.2.e + description: "Ensure local login warning banner is configured properly" + audit: 'egrep \\s /etc/issue' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue + scored: true + - id: 1.7.1.3.a + description: "Ensure remote login warning banner is configured properly" + audit: "cat /etc/issue.net" + type: manual + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net + scored: false + + - id: 1.7.1.3.b + description: "Ensure remote login warning banner is configured properly" + audit: 'egrep \\v /etc/issue.net' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net + scored: true + - id: 1.7.1.3.c + description: "Ensure remote login warning banner is configured properly" + audit: 'egrep \\r /etc/issue.net' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net + scored: true + - id: 1.7.1.3.d + description: "Ensure remote login warning banner is configured properly" + audit: 'egrep \\m /etc/issue.net' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net + scored: true + - id: 1.7.1.3.e + description: "Ensure remote login warning banner is configured properly" + audit: 'egrep \\s /etc/issue.net' + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : + # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net + scored: true + + + - id: 1.7.1.4 + description: "Ensure permissions on /etc/motd are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/motd" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on `/etc/motd` : + # chown root:root /etc/motd + # chmod 644 /etc/motd + scored: false + + + - id: 1.7.1.5 + description: "Ensure permissions on /etc/issue are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on /etc/issue : + # chown root:root /etc/issue + # chmod 644 /etc/issue + scored: true + + + - id: 1.7.1.6 + description: "Ensure permissions on /etc/issue.net are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue.net" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on /etc/issue.net : + # chown root:root /etc/issue.net + # chmod 644 /etc/issue.net + scored: false + +- id: 2 + description: "Serviceservices" +- id: 2.1 + description: "inetd Services netd Services" + checks: + - id: 2.1.1.a + description: "Ensure chargen services are not enabled" + audit: "grep -R \"^chargen\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `chargen` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `chargen` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.1.b + description: "Ensure chargen services are not enabled" + audit: "grep -R \"^chargen\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `chargen` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `chargen` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.2.a + description: "Ensure daytime services are not enabled" + audit: "grep -R \"^daytime\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `daytime` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `daytime` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.2.b + description: "Ensure daytime services are not enabled" + audit: "grep -R \"^daytime\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `daytime` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `daytime` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.3.a + description: "Ensure discard services are not enabled" + audit: "grep -R \"^discard\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `discard` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `discard` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.3.b + description: "Ensure discard services are not enabled" + audit: "grep -R \"^discard\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `discard` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `discard` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.4.a + description: "Ensure echo services are not enabled" + audit: "grep -R \"^echo\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `echo` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `echo` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.4.b + description: "Ensure echo services are not enabled" + audit: "grep -R \"^echo\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `echo` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `echo` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.5.a + description: "Ensure time services are not enabled" + audit: "grep -R \"^time\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `time` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `time` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.5.b + description: "Ensure time services are not enabled" + audit: "grep -R \"^time\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `time` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `time` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.6.a + description: "Ensure rsh server is not enabled" + audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `shell` , `login` , or `exec` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `rsh` , `rlogin` , and `rexec` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.6.b + description: "Ensure rsh server is not enabled" + audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `shell` , `login` , or `exec` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `rsh` , `rlogin` , and `rexec` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.7.a + description: "Ensure talk server is not enabled" + audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `talk` or `ntalk` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `talk` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.7.b + description: "Ensure talk server is not enabled" + audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `talk` or `ntalk` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `talk` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.8.a + description: "Ensure telnet server is not enabled" + audit: "grep -R \"^telnet\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `telnet` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `telnet` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.8.b + description: "Ensure telnet server is not enabled" + audit: "grep -R \"^telnet\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `telnet` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `telnet` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.9.a + description: "Ensure tftp server is not enabled" + audit: "grep -R \"^tftp\" /etc/inetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `tftp` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `tftp` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.9.b + description: "Ensure tftp server is not enabled" + audit: "grep -R \"^tftp\" /etc/xinetd.*" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Comment out or remove any lines starting with `tftp` from `/etc/inetd.conf` and `/etc/inetd.d/*` . + Set `disable = yes` on all `tftp` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . + scored: true + + - id: 2.1.10 + description: "Ensure xinetd service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list xinetd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `xinetd` : + + # chkconfig xinetd off + + + # systemctl disable xinetd + + + # update-rc.d xinetd disable + - check: + audit: "systemctl is-enabled xinetd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `xinetd` : + + # chkconfig xinetd off + + + # systemctl disable xinetd + + + # update-rc.d xinetd disable + - check: + audit: "ls /etc/rc*.d | grep xinetd" + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `xinetd` : + + # chkconfig xinetd off + + + # systemctl disable xinetd + + + # update-rc.d xinetd disable + scored: true + +- id: 2.2 + description: "Special Purpose Servicespecial Purpose Services" + checks: + - id: 2.2.2 + description: "Ensure X Window System is not installed" + sub_checks: + - check: + audit: "rpm -q xorg-x11*" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Remove the X Windows System packages using the appropriate package manager or manual installation: + + yum remove xorg-x11* + + + apt-get remove xserver-xorg* + + + zypper remove xorg-x11* + - check: + audit: "dpkg -l xserver-xorg*" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "ii" + set: false + remediation: | + Remove the X Windows System packages using the appropriate package manager or manual installation: + + yum remove xorg-x11* + + + apt-get remove xserver-xorg* + + + zypper remove xorg-x11* + scored: true + - id: 2.2.3 + description: "Ensure Avahi service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list avahi-daemon" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "avahi-daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `avahi-daemon` : + + # chkconfig avahi-daemon off + + + # systemctl disable avahi-daemon + + + # update-rc.d avahi-daemon disable + - check: + audit: "systemctl is-enabled avahi-daemon" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `avahi-daemon` : + + # chkconfig avahi-daemon off + + + # systemctl disable avahi-daemon + + + # update-rc.d avahi-daemon disable + - check: + audit: "ls /etc/rc*.d | grep avahi-daemon" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `avahi-daemon` : + + # chkconfig avahi-daemon off + + + # systemctl disable avahi-daemon + + + # update-rc.d avahi-daemon disable + scored: true + - id: 2.2.4 + description: "Ensure cups service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list cups" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `cups` : + + # chkconfig cups off + + + # systemctl disable cups + + + # update-rc.d cups disable + - check: + audit: "systemctl is-enabled cups" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `cups` : + + # chkconfig cups off + + + # systemctl disable cups + + + # update-rc.d cups disable + - check: + audit: "ls /etc/rc*.d | grep cups" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `cups` : + + # chkconfig cups off + + + # systemctl disable cups + + + # update-rc.d cups disable + scored: true + - id: 2.2.5 + description: "Ensure DHCP service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list dhcpd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "dhcpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `dhcpd` : + + # chkconfig dhcpd off + + + # systemctl disable dhcpd + + + # update-rc.d dhcpd disable + - check: + audit: "systemctl is-enabled dhcpd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `dhcpd` : + + # chkconfig dhcpd off + + + # systemctl disable dhcpd + + + # update-rc.d dhcpd disable + - check: + audit: "ls /etc/rc*.d | grep dhcpd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `dhcpd` : + + # chkconfig dhcpd off + + + # systemctl disable dhcpd + + + # update-rc.d dhcpd disable + scored: true + - id: 2.2.6 + description: "Ensure LDAP service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list slapd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "slapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `slapd` : + + # chkconfig slapd off + + + # systemctl disable slapd + + + # update-rc.d slapd disable + - check: + audit: "systemctl is-enabled slapd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `slapd` : + + # chkconfig slapd off + + + # systemctl disable slapd + + + # update-rc.d slapd disable + - check: + audit: "ls /etc/rc*.d | grep slapd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `slapd` : + + # chkconfig slapd off + + + # systemctl disable slapd + + + # update-rc.d slapd disable + scored: true + + - id: 2.2.7.a + description: "Ensure NFS and RPC are not enabled" + sub_checks: + - check: + audit: "chkconfig --list nfs" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `nfs` : + + # chkconfig nfs off + + + # systemctl disable nfs + + + # update-rc.d nfs disable + - check: + audit: "systemctl is-enabled nfs" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `nfs` : + + # chkconfig nfs off + + + # systemctl disable nfs + + + # update-rc.d nfs disable + - check: + audit: "ls /etc/rc*.d | grep nfs" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `nfs` : + + # chkconfig nfs off + + + # systemctl disable nfs + + + # update-rc.d nfs disable + scored: true + + - id: 2.2.7.b + description: "Ensure NFS and RPC are not enabled" + sub_checks: + - check: + audit: "chkconfig --list rpcbind" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "rpcbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `rpcbind` : + + # chkconfig rpcbind off + + + # systemctl disable rpcbind + + + # update-rc.d rpcbind disable + - check: + audit: "systemctl is-enabled rpcbind" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `rpcbind` : + + # chkconfig rpcbind off + + + # systemctl disable rpcbind + + + # update-rc.d rpcbind disable + - check: + audit: "ls /etc/rc*.d | grep rpcbind" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "rpcbind" + set: false + remediation: | + Run one of the following commands to disable `rpcbind` : + + # chkconfig rpcbind off + + + # systemctl disable rpcbind + + + # update-rc.d rpcbind disable + scored: true + + - id: 2.2.8 + description: "Ensure DNS service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list named" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "named 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `named` : + + # chkconfig named off + + + # systemctl disable named + + + # update-rc.d named disable + - check: + audit: "systemctl is-enabled named" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `named` : + + # chkconfig named off + + + # systemctl disable named + + + # update-rc.d named disable + - check: + audit: "ls /etc/rc*.d | grep named" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "named" + set: false + remediation: | + Run one of the following commands to disable `named` : + + # chkconfig named off + + + # systemctl disable named + + + # update-rc.d named disable + scored: true + - id: 2.2.9 + description: "Ensure FTP service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list vsftpd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `vsftpd` : + + # chkconfig vsftpd off + + + # systemctl disable vsftpd + + + # update-rc.d vsftpd disable + - check: + audit: "systemctl is-enabled vsftpd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `vsftpd` : + + # chkconfig vsftpd off + + + # systemctl disable vsftpd + + + # update-rc.d vsftpd disable + - check: + audit: "ls /etc/rc*.d | grep vsftpd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "vsftpd" + set: false + remediation: | + Run one of the following commands to disable `vsftpd` : + + # chkconfig vsftpd off + + + # systemctl disable vsftpd + + + # update-rc.d vsftpd disable + scored: true + - id: 2.2.10 + description: "Ensure HTTP service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list httpd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `httpd` : + + # chkconfig httpd off + + + # systemctl disable httpd + + + # update-rc.d httpd disable + - check: + audit: "systemctl is-enabled httpd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `httpd` : + + # chkconfig httpd off + + + # systemctl disable httpd + + + # update-rc.d httpd disable + - check: + audit: "ls /etc/rc*.d | grep httpd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "httpd" + set: false + remediation: | + Run one of the following commands to disable `httpd` : + + # chkconfig httpd off + + + # systemctl disable httpd + + + # update-rc.d httpd disable + scored: true + - id: 2.2.11 + description: "Ensure IMAP and POP3 service are not enabled" + sub_checks: + - check: + audit: "chkconfig --list dovecot" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "dovecot 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `dovecot` : + + # chkconfig dovecot off + + + # systemctl disable dovecot + + + # update-rc.d dovecot disable + - check: + audit: "systemctl is-enabled dovecot" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `dovecot` : + + # chkconfig dovecot off + + + # systemctl disable dovecot + + + # update-rc.d dovecot disable + - check: + audit: "ls /etc/rc*.d | grep dovecot" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "dovecot" + set: false + remediation: | + Run one of the following commands to disable `dovecot` : + + # chkconfig dovecot off + + + # systemctl disable dovecot + + + # update-rc.d dovecot disable + scored: true + - id: 2.2.12 + description: "Ensure Samba is not enabled" + sub_checks: + - check: + audit: "chkconfig --list smb" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `smb` : + + # chkconfig smb off + + + # systemctl disable smb + + + # update-rc.d smb disable + - check: + audit: "systemctl is-enabled smb" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `smb` : + + # chkconfig smb off + + + # systemctl disable smb + + + # update-rc.d smb disable + - check: + audit: "ls /etc/rc*.d | grep smb" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "smb" + set: false + remediation: | + Run one of the following commands to disable `smb` : + + # chkconfig smb off + + + # systemctl disable smb + + + # update-rc.d smb disable + scored: true + - id: 2.2.13 + description: "Ensure HTTP Proxy Server is not enabled" + sub_checks: + - check: + audit: "chkconfig --list squid" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `squid` : + + # chkconfig squid off + + + # systemctl disable squid + + + # update-rc.d squid disable + - check: + audit: "systemctl is-enabled squid" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `squid` : + + # chkconfig squid off + + + # systemctl disable squid + + + # update-rc.d squid disable + - check: + audit: "ls /etc/rc*.d | grep squid" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "squid" + set: false + remediation: | + Run one of the following commands to disable `squid` : + + # chkconfig squid off + + + # systemctl disable squid + + + # update-rc.d squid disable + scored: true + - id: 2.2.14 + description: "Ensure SNMP Server is not enabled" + sub_checks: + - check: + audit: "chkconfig --list snmpd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `snmpd` : + + # chkconfig snmpd off + + + # systemctl disable snmpd + + + # update-rc.d snmpd disable + - check: + audit: "systemctl is-enabled snmpd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `snmpd` : + + # chkconfig snmpd off + + + # systemctl disable snmpd + + + # update-rc.d snmpd disable + - check: + audit: "ls /etc/rc*.d | grep snmpd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "snmpd" + set: false + remediation: | + Run one of the following commands to disable `snmpd` : + + # chkconfig snmpd off + + + # systemctl disable snmpd + + + # update-rc.d snmpd disable + scored: true + - id: 2.2.15 + description: "Ensure mail transfer agent is configured for local-only mode" + audit: "netstat -an | grep LIST | grep \":25[[:space:]]\"" + tests: + bin_op: and + test_items: + - flag: "tcp" + set: true + - flag: " 0 " + set: true + - flag: "127.0.0.1:25" + set: true + - flag: "0.0.0.0:*" + set: true + - flag: "LISTEN" + set: true + remediation: | + Edit `/etc/postfix/main.cf` and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: + + inet_interfaces = loopback-only + + Restart postfix with one of the following commands: + + # service postfix restart + # systemctl restart postfix + + scored: true + + - id: 2.2.16 + description: "Ensure rsync service is not enabled" + sub_checks: + - check: + audit: "chkconfig --list rsyncd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "rsyncd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `rsyncd` : + + # chkconfig rsyncd off + + + # systemctl disable rsyncd + + + # update-rc.d rsyncd disable + - check: + audit: "systemctl is-enabled rsyncd" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `rsyncd` : + + # chkconfig rsyncd off + + + # systemctl disable rsyncd + + + # update-rc.d rsyncd disable + - check: + audit: "ls /etc/rc*.d | grep rsyncd" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "rsyncd" + set: false + remediation: | + Run one of the following commands to disable `rsyncd` : + + # chkconfig rsyncd off + + + # systemctl disable rsyncd + + + # update-rc.d rsyncd disable + scored: true + - id: 2.2.17 + description: "Ensure NIS Server is not enabled" + sub_checks: + - check: + audit: "chkconfig --list ypserv" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "ypserv 0:off 1:off 2:off 3:off 4:off 5:off 6:off" + set: true + remediation: | + Run one of the following commands to disable `ypserv` : + + # chkconfig ypserv off + + + # systemctl disable ypserv + + + # update-rc.d ypserv disable + - check: + audit: "systemctl is-enabled ypserv" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: false + remediation: | + Run one of the following commands to disable `ypserv` : + + # chkconfig ypserv off + + + # systemctl disable ypserv + + + # update-rc.d ypserv disable + - check: + audit: "ls /etc/rc*.d | grep ypserv" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "ypserv" + set: false + remediation: | + Run one of the following commands to disable `ypserv` : + + # chkconfig ypserv off + + + # systemctl disable ypserv + + + # update-rc.d ypserv disable + scored: true + +- id: 2.2.1 + description: "Time Synchronizationime Synchronization" + checks: + - id: 2.2.1.1.a + description: "Ensure time synchronization is in use" + sub_checks: + - check: + audit: "rpm -q ntp" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "package ntp is not installed" + set: false + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + - check: + audit: "dpkg -s ntp" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + + scored: false + + - id: 2.2.1.1.b + description: "Ensure time synchronization is in use" + sub_checks: + - check: + audit: "rpm -q chrony" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "package chrony is not installed" + set: false + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + - check: + audit: "dpkg -s chrony" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + scored: false + - id: 2.2.1.2.a + description: "Ensure ntp is configured" + audit: "grep ^restrict /etc/ntp.conf" + tests: + bin_op: and + test_items: + - flag: "restrict -4 default kod nomodify notrap nopeer noquery" + set: true + flag: "restrict -6 default kod nomodify notrap nopeer noquery" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/sysconfig/ntpd` : + + OPTIONS="-u ntp:ntp" + + `/etc/sysconfig/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + + scored: true + + - id: 2.2.1.2.b + description: "Ensure ntp is configured" + audit: "grep \"^(server|pool)\" /etc/ntp.conf" + type: manual + tests: + test_items: + - flag: "server " + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/sysconfig/ntpd` : + + OPTIONS="-u ntp:ntp" + + `/etc/sysconfig/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + + scored: true + + - id: 2.2.1.2.c + description: "Ensure ntp is configured" + sub_checks: + - check: + audit: "grep ^OPTIONS /etc/sysconfig/ntpd" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "OPTIONS=\"-u ntp:ntp\"" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/sysconfig/ntpd` : + + OPTIONS="-u ntp:ntp" + + `/etc/sysconfig/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + - check: + audit: "grep ^OPTIONS /etc/default/ntp" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "OPTIONS=\"-u ntp:ntp\"" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/default/ntp` : + + OPTIONS="-u ntp:ntp" + + `/etc/default/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + scored: true + + - id: 2.2.1.2.d + description: "Ensure ntp is configured" + sub_checks: + - check: + audit: "grep ^NTPD_OPTIONS /etc/sysconfig/ntp" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/sysconfig/ntpd` : + + OPTIONS="-u ntp:ntp" + + `/etc/sysconfig/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + - check: + audit: "grep ^NTPD_OPTIONS /etc/default/ntp" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/default/ntp` : + + OPTIONS="-u ntp:ntp" + + `/etc/default/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + scored: true + + - id: 2.2.1.2.e + description: "Ensure ntp is configured" + audit: "grep RUNASUSER=ntp /etc/init.d/ntp" + tests: + test_items: + - flag: "RUNASUSER" + compare: + op: eq + value: "ntp" + set: true + remediation: | + Add or edit restrict lines in `/etc/ntp.conf` to match the following: + + restrict -4 default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + + Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: + + server + + Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: + `/etc/sysconfig/ntpd` : + + OPTIONS="-u ntp:ntp" + + `/etc/sysconfig/ntp` : + + NTPD_OPTIONS="-u ntp:ntp" + + `/etc/init.d/ntp`: + + RUNASUSER=ntp + + scored: true + + - id: 2.2.1.3.a + description: "Ensure chrony is configured" + audit: "grep \"^(server|pool)\" /etc/chrony.conf" + type: manual + tests: + test_items: + - flag: "server " + set: true + remediation: | + Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: + + server + + Configure `chrony` to run as the `chrony` user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in `/etc/init.d` or `/etc/systemd`. + scored: true + + - id: 2.2.1.3.b + description: "Ensure chrony is configured" + audit: "ps -ef | grep chronyd" + type: manual + tests: + test_items: + - flag: "chrony 491 1 0 20:32 ? 00:00:00 /usr/sbin/chronyd" + set: true + remediation: | + Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: + + server + + Configure `chrony` to run as the `chrony` user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in `/etc/init.d` or `/etc/systemd`. + scored: true + +- id: 2.3 + description: "Service Clients" + checks: + - id: 2.3.1 + description: "Ensure NIS Client is not installed" + sub_checks: + - check: + audit: "rpm -q ypbind" + constraints: + platform: + - rhel7 + + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall `ypbind` using the appropriate package manager or manual installation: + + yum remove ypbind + + + apt-get remove ypbind + + + zypper remove ypbind + - check: + audit: "dpkg -s ypbind" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Uninstall `ypbind` using the appropriate package manager or manual installation: + + yum remove ypbind + + + apt-get remove ypbind + + + zypper remove ypbind + set: true + + scored: true + - id: 2.3.2 + description: "Ensure rsh client is not installed" + sub_checks: + - check: + audit: "rpm -q rsh" + constraints: + platform: + - rhel7 + + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall `rsh` using the appropriate package manager or manual installation: + + yum remove rsh + + + apt-get remove rsh + + + zypper remove rsh + - check: + audit: "dpkg -s rsh-client rsh-redone-client" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Uninstall `rsh` using the appropriate package manager or manual installation: + + yum remove rsh + + + apt-get remove rsh + + + zypper remove rsh + set: true + scored: true + - id: 2.3.3 + description: "Ensure talk client is not installed" + sub_checks: + - check: + audit: "rpm -q talk" + constraints: + platform: + - rhel7 + + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall `talk` using the appropriate package manager or manual installation: + + yum remove talk + + + apt-get remove talk + + + zypper remove talk + - check: + audit: "dpkg -s talk" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Uninstall `talk` using the appropriate package manager or manual installation: + + yum remove talk + + + apt-get remove talk + + + zypper remove talk + scored: true + - id: 2.3.4 + description: "Ensure telnet client is not installed" + sub_checks: + - check: + audit: "rpm -q telnet" + constraints: + platform: + - rhel7 + + tests: + test_items: + - flag: "package telnet is not installed" + set: true + remediation: | + Uninstall `telnet` using the appropriate package manager or manual installation: + + # yum remove telnet + + + # apt-get remove telnet + + + # zypper remove telnet + - check: + audit: "dpkg -s telnet" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Uninstall `telnet` using the appropriate package manager or manual installation: + + # yum remove telnet + + + # apt-get remove telnet + + + # zypper remove telnet + scored: true + - id: 2.3.5 + description: "Ensure LDAP client is not installed" + sub_checks: + - check: + audit: "rpm -q openldap-clients" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall `openldap-clients` using the appropriate package manager or manual installation: + + # yum remove openldap-clients + + + # apt-get remove openldap-clients + + + # zypper remove openldap-clients + - check: + audit: "dpkg -s openldap-clients" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: false + remediation: | + Uninstall `openldap-clients` using the appropriate package manager or manual installation: + + # yum remove openldap-clients + + + # apt-get remove openldap-clients + + + # zypper remove openldap-clients + scored: true +- id: 3 + description: "Network Configurationetwork Configuration" + checks: + - id: 3.7.a + description: "Ensure wireless interfaces are disabled" + audit: "iwconfig" + type: manual + remediation: | + Run the following command to disable any wireless interfaces: + + # ip link set down + + Disable any wireless interfaces in your network configuration. + scored: false + + - id: 3.7.b + description: "Ensure wireless interfaces are disabled" + audit: "ip link show up" + type: manual + remediation: | + Run the following command to disable any wireless interfaces: + + # ip link set down + + Disable any wireless interfaces in your network configuration. + scored: false + +- id: 3.1 + description: "Network Parameters (Host Only)etwork Parameters (Host Only)" + checks: + - id: 3.1.1.a + description: "Ensure IP forwarding is disabled" + audit: "sysctl net.ipv4.ip_forward" + tests: + test_items: + - flag: "net.ipv4.ip_forward = 0" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.ip_forward = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.ip_forward=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.1.1.b + description: "Ensure IP forwarding is disabled" + audit: "grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.ip_forward = 0" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.ip_forward = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.ip_forward=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.1.2.a + description: "Ensure packet redirect sending is disabled" + audit: "sysctl net.ipv4.conf.all.send_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.all.send_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.send_redirects=0 + # sysctl -w net.ipv4.conf.default.send_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.1.2.b + description: "Ensure packet redirect sending is disabled" + audit: "sysctl net.ipv4.conf.default.send_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.default.send_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.send_redirects=0 + # sysctl -w net.ipv4.conf.default.send_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.1.2.c + description: "Ensure packet redirect sending is disabled" + audit: "grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.send_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.send_redirects=0 + # sysctl -w net.ipv4.conf.default.send_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.1.2.d + description: "Ensure packet redirect sending is disabled" + audit: "grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.send_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.send_redirects=0 + # sysctl -w net.ipv4.conf.default.send_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + +- id: 3.2 + description: "Network Parameters (Host and Router)" + checks: + - id: 3.2.1.a + description: "Ensure source routed packets are not accepted" + audit: "sysctl net.ipv4.conf.all.accept_source_route" + tests: + test_items: + - flag: "net.ipv4.conf.all.accept_source_route" + compare: + op: eq + value: 0 + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_source_route=0 + # sysctl -w net.ipv4.conf.default.accept_source_route=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.1.b + description: "Ensure source routed packets are not accepted" + audit: "sysctl net.ipv4.conf.default.accept_source_route" + tests: + test_items: + - flag: "net.ipv4.conf.default.accept_source_route" + compare: + op: eq + value: 0 + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_source_route=0 + # sysctl -w net.ipv4.conf.default.accept_source_route=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.1.c + description: "Ensure source routed packets are not accepted" + audit: "grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.accept_source_route = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_source_route=0 + # sysctl -w net.ipv4.conf.default.accept_source_route=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.1.d + description: "Ensure source routed packets are not accepted" + audit: "grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.accept_source_route = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_source_route=0 + # sysctl -w net.ipv4.conf.default.accept_source_route=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.2.a + description: "Ensure ICMP redirects are not accepted" + audit: "sysctl net.ipv4.conf.all.accept_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.all.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_redirects=0 + # sysctl -w net.ipv4.conf.default.accept_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.2.b + description: "Ensure ICMP redirects are not accepted" + audit: "sysctl net.ipv4.conf.default.accept_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.default.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_redirects=0 + # sysctl -w net.ipv4.conf.default.accept_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.2.c + description: "Ensure ICMP redirects are not accepted" + audit: "grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_redirects=0 + # sysctl -w net.ipv4.conf.default.accept_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.2.d + description: "Ensure ICMP redirects are not accepted" + audit: "grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.accept_redirects=0 + # sysctl -w net.ipv4.conf.default.accept_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.3.a + description: "Ensure secure ICMP redirects are not accepted" + audit: "sysctl net.ipv4.conf.all.secure_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.all.secure_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.secure_redirects=0 + # sysctl -w net.ipv4.conf.default.secure_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.3.b + description: "Ensure secure ICMP redirects are not accepted" + audit: "sysctl net.ipv4.conf.default.secure_redirects" + tests: + test_items: + - flag: "net.ipv4.conf.default.secure_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.secure_redirects=0 + # sysctl -w net.ipv4.conf.default.secure_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.3.c + description: "Ensure secure ICMP redirects are not accepted" + audit: "grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.secure_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.secure_redirects=0 + # sysctl -w net.ipv4.conf.default.secure_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.3.d + description: "Ensure secure ICMP redirects are not accepted" + audit: "grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.secure_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.secure_redirects=0 + # sysctl -w net.ipv4.conf.default.secure_redirects=0 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.4.a + description: "Ensure suspicious packets are logged" + audit: "sysctl net.ipv4.conf.all.log_martians" + tests: + test_items: + - flag: "net.ipv4.conf.all.log_martians = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.log_martians=1 + # sysctl -w net.ipv4.conf.default.log_martians=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.4.b + description: "Ensure suspicious packets are logged" + audit: "sysctl net.ipv4.conf.default.log_martians" + tests: + test_items: + - flag: "net.ipv4.conf.default.log_martians = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.log_martians=1 + # sysctl -w net.ipv4.conf.default.log_martians=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.4.c + description: "Ensure suspicious packets are logged" + audit: "grep net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.log_martians = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.log_martians=1 + # sysctl -w net.ipv4.conf.default.log_martians=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.4.d + description: "Ensure suspicious packets are logged" + audit: "grep net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.log_martians = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.log_martians=1 + # sysctl -w net.ipv4.conf.default.log_martians=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.5.a + description: "Ensure broadcast ICMP requests are ignored" + audit: "sysctl net.ipv4.icmp_echo_ignore_broadcasts" + tests: + test_items: + - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.5.b + description: "Ensure broadcast ICMP requests are ignored" + audit: "grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.6.a + description: "Ensure bogus ICMP responses are ignored" + audit: "sysctl net.ipv4.icmp_ignore_bogus_error_responses" + tests: + test_items: + - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.icmp_ignore_bogus_error_responses = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.6.b + description: "Ensure bogus ICMP responses are ignored" + audit: "grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.icmp_ignore_bogus_error_responses = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.7.a + description: "Ensure Reverse Path Filtering is enabled" + audit: "sysctl net.ipv4.conf.all.rp_filter" + tests: + test_items: + - flag: "net.ipv4.conf.all.rp_filter = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.rp_filter=1 + # sysctl -w net.ipv4.conf.default.rp_filter=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.7.b + description: "Ensure Reverse Path Filtering is enabled" + audit: "sysctl net.ipv4.conf.default.rp_filter" + tests: + test_items: + - flag: "net.ipv4.conf.default.rp_filter = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.rp_filter=1 + # sysctl -w net.ipv4.conf.default.rp_filter=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.7.c + description: "Ensure Reverse Path Filtering is enabled" + audit: "grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.all.rp_filter = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.rp_filter=1 + # sysctl -w net.ipv4.conf.default.rp_filter=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.7.d + description: "Ensure Reverse Path Filtering is enabled" + audit: "grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.conf.default.rp_filter = 1" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.conf.all.rp_filter=1 + # sysctl -w net.ipv4.conf.default.rp_filter=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.8.a + description: "Ensure TCP SYN Cookies is enabled" + audit: "sysctl net.ipv4.tcp_syncookies" + tests: + test_items: + - flag: "net.ipv4.tcp_syncookies = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.tcp_syncookies = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.tcp_syncookies=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + + - id: 3.2.8.b + description: "Ensure TCP SYN Cookies is enabled" + audit: "grep net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv4.tcp_syncookies = 1" + set: true + remediation: | + Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv4.tcp_syncookies = 1 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv4.tcp_syncookies=1 + # sysctl -w net.ipv4.route.flush=1 + + scored: true + +- id: 3.3 + description: "IPv6Pv6" + checks: + - id: 3.3.1.a + description: "Ensure IPv6 router advertisements are not accepted" + audit: "sysctl net.ipv6.conf.all.accept_ra" + tests: + test_items: + - flag: "net.ipv6.conf.all.accept_ra = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_ra = 0 + net.ipv6.conf.default.accept_ra = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_ra=0 + # sysctl -w net.ipv6.conf.default.accept_ra=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.1.b + description: "Ensure IPv6 router advertisements are not accepted" + audit: "sysctl net.ipv6.conf.default.accept_ra" + tests: + test_items: + - flag: "net.ipv6.conf.default.accept_ra = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_ra = 0 + net.ipv6.conf.default.accept_ra = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_ra=0 + # sysctl -w net.ipv6.conf.default.accept_ra=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.1.c + description: "Ensure IPv6 router advertisements are not accepted" + audit: "grep net.ipv6.conf.all.accept_ra /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv6.conf.all.accept_ra = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_ra = 0 + net.ipv6.conf.default.accept_ra = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_ra=0 + # sysctl -w net.ipv6.conf.default.accept_ra=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.1.d + description: "Ensure IPv6 router advertisements are not accepted" + audit: "grep net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv6.conf.default.accept_ra = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_ra = 0 + net.ipv6.conf.default.accept_ra = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_ra=0 + # sysctl -w net.ipv6.conf.default.accept_ra=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.2.a + description: "Ensure IPv6 redirects are not accepted" + audit: "sysctl net.ipv6.conf.all.accept_redirects" + tests: + test_items: + - flag: "net.ipv6.conf.all.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_redirects=0 + # sysctl -w net.ipv6.conf.default.accept_redirects=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.2.b + description: "Ensure IPv6 redirects are not accepted" + audit: "sysctl net.ipv6.conf.default.accept_redirects" + tests: + test_items: + - flag: "net.ipv6.conf.default.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_redirects=0 + # sysctl -w net.ipv6.conf.default.accept_redirects=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.2.c + description: "Ensure IPv6 redirects are not accepted" + audit: "grep net.ipv6.conf.all.accept_redirect /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv6.conf.all.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_redirects=0 + # sysctl -w net.ipv6.conf.default.accept_redirects=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.2.d + description: "Ensure IPv6 redirects are not accepted" + audit: "grep net.ipv6.conf.default.accept_redirect /etc/sysctl.conf /etc/sysctl.d/*" + tests: + test_items: + - flag: "net.ipv6.conf.default.accept_redirects = 0" + set: true + remediation: | + Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: + + net.ipv6.conf.all.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + + Run the following commands to set the active kernel parameters: + + # sysctl -w net.ipv6.conf.all.accept_redirects=0 + # sysctl -w net.ipv6.conf.default.accept_redirects=0 + # sysctl -w net.ipv6.route.flush=1 + + scored: false + + - id: 3.3.3 + description: "Ensure IPv6 is disabled" + sub_checks: + - check: + audit: "grep kernel /boot/grub/menu.lst" + constraints: + boot: + - grub + tests: + test_items: + - flag: "ipv6.disable=1" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. + For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: + + GRUB_CMDLINE_LINUX="ipv6.disable=1" + + Run the following command to update the `grub2` configuration: + + # update-grub + - check: + audit: "grep LINUX /etc/default/grub" + constraints: + boot: + - grub2 + tests: + test_items: + - flag: "ipv6.disable=1" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. + For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: + + GRUB_CMDLINE_LINUX="ipv6.disable=1" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: false +- id: 3.4 + description: "TCP WrappersCP Wrappers" + checks: + - id: 3.4.1 + description: "Ensure TCP Wrappers is installed" + sub_checks: + - check: + audit: "rpm -q tcp_wrappers" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install TCP Wrappers using the appropriate package manager or manual installation: + + yum install tcp_wrappers + + + apt-get install tcpd + + + zypper install tcpd + - check: + audit: "dpkg -s tcpd" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + Install TCP Wrappers using the appropriate package manager or manual installation: + + yum install tcp_wrappers + + + apt-get install tcpd + + + zypper install tcpd + scored: true + - id: 3.4.2 + description: "Ensure /etc/hosts.allow is configured" + audit: "cat /etc/hosts.allow" + type: manual + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the following command to create `/etc/hosts.allow` : + + # echo "ALL: /, /, ..." >/etc/hosts.allow + + where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system. + scored: true + + + - id: 3.4.3 + description: "Ensure /etc/hosts.deny is configured" + audit: "cat /etc/hosts.deny" + tests: + test_items: + - flag: "ALL: ALL" + set: true + remediation: | + Run the following command to create `/etc/hosts.deny` : + + # echo "ALL: ALL" >> /etc/hosts.deny + + scored: true + + + - id: 3.4.4 + description: "Ensure permissions on /etc/hosts.allow are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on `/etc/hosts.allow` : + + # chown root:root /etc/hosts.allow + # chmod 644 /etc/hosts.allow + + scored: true + + + - id: 3.4.5 + description: "Ensure permissions on /etc/hosts.deny are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set permissions on `/etc/hosts.deny` : + + # chown root:root /etc/hosts.deny + # chmod 644 /etc/hosts.deny + + scored: true + + +- id: 3.5 + description: "Uncommon Network Protocolsncommon Network Protocols" + checks: + - id: 3.5.1.a + description: "Ensure DCCP is disabled" + audit: "modprobe -n -v dccp" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install dccp /bin/true + + scored: false + + - id: 3.5.1.b + description: "Ensure DCCP is disabled" + audit: "lsmod | grep dccp" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install dccp /bin/true + + scored: false + + - id: 3.5.2.a + description: "Ensure SCTP is disabled" + audit: "modprobe -n -v sctp" + + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install sctp /bin/true + + scored: false + + - id: 3.5.2.b + description: "Ensure SCTP is disabled" + audit: "lsmod | grep sctp" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install sctp /bin/true + + scored: false + + - id: 3.5.3.a + description: "Ensure RDS is disabled" + audit: "modprobe -n -v rds" + tests: + test_items: + - flag: "install /bin/true" + compare: + op: eq + value: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install rds /bin/true + + scored: false + + - id: 3.5.3.b + description: "Ensure RDS is disabled" + audit: "lsmod | grep rds" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install rds /bin/true + + scored: false + + - id: 3.5.4.a + description: "Ensure TIPC is disabled" + audit: "modprobe -n -v tipc" + tests: + test_items: + - flag: "install /bin/true" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install tipc /bin/true + + scored: false + + - id: 3.5.4.b + description: "Ensure TIPC is disabled" + audit: "lsmod | grep tipc" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install tipc /bin/true + + scored: false + +- id: 3.6 + description: "Firewall Configurationirewall Configuration" + checks: + - id: 3.6.1 + description: "Ensure iptables is installed" + sub_checks: + - check: + audit: "rpm -q iptables" + constraints: + platform: + - rhel7 + + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install `iptables` using the appropriate package manager or manual installation: + + # yum install iptables + + + # apt-get install iptables + + + # zypper install iptables + - check: + audit: "dpkg -s iptables" + constraints: + platform: + - ubuntu + + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + Install `iptables` using the appropriate package manager or manual installation: + + # yum install iptables + + + # apt-get install iptables + + + # zypper install iptables + scored: true + - id: 3.6.2 + description: "Ensure default deny firewall policy" + audit: "iptables -L" + tests: + bin_op: and + test_items: + - flag: "Chain INPUT (policy DROP)" + set: true + - flag: "Chain FORWARD (policy DROP)" + set: true + - flag: "Chain OUTPUT (policy DROP)" + set: true + remediation: | + Run the following commands to implement a default DROP policy: + + # iptables -P INPUT DROP + # iptables -P OUTPUT DROP + # iptables -P FORWARD DROP + + scored: true + + + - id: 3.6.3.a + description: "Ensure loopback traffic is configured" + audit: "iptables -L INPUT -v -n" + type: manual + tests: + test_items: + - + flag: | + Chain INPUT (policy DROP 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 + 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 + set: true + remediation: | + Run the following commands to implement the loopback rules: + + # iptables -A INPUT -i lo -j ACCEPT + # iptables -A OUTPUT -o lo -j ACCEPT + # iptables -A INPUT -s 127.0.0.0/8 -j DROP + + scored: true + + - id: 3.6.3.b + description: "Ensure loopback traffic is configured" + audit: "iptables -L OUTPUT -v -n" + type: manual + tests: + test_items: + - + flag: | + Chain OUTPUT (policy DROP 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 + set: true + remediation: | + Run the following commands to implement the loopback rules: + + # iptables -A INPUT -i lo -j ACCEPT + # iptables -A OUTPUT -o lo -j ACCEPT + # iptables -A INPUT -s 127.0.0.0/8 -j DROP + + scored: true + + - id: 3.6.4 + description: "Ensure outbound and established connections are configured" + audit: "iptables -L -v -n" + type: manual + remediation: | + Configure iptables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections: + + # iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT + # iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT + # iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT + # iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT + # iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT + # iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT + + scored: false + + - id: 3.6.5.a + description: "Ensure firewall rules exist for all open ports" + audit: "netstat -ln" + type: manual + tests: + test_items: + - + flag: | + Active Internet connections (only servers) + Proto Recv-Q Send-Q Local Address Foreign Address State + tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN + set: true + remediation: | + For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: + + # iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT + + scored: true + + - id: 3.6.5.b + description: "Ensure firewall rules exist for all open ports" + audit: "iptables -L INPUT -v -n" + type: manual + tests: + test_items: + - + flag: | + Chain INPUT (policy DROP 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 + 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 + 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW + + set: true + remediation: | + For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: + + # iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT + + scored: true +- id: 4 + description: "Logging and Auditingogging and Auditing" + checks: + - id: 4.3 + description: "Ensure logrotate is configured" + audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" + type: manual + remediation: | + Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. + scored: true - id: 4.1 description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)" checks: @@ -582,6 +5307,7 @@ groups: constraints: platform: - rhel7 + - ubuntu tests: test_items: - flag: "enabled" @@ -601,10 +5327,13 @@ groups: type: manual constraints: platform: - - ubuntu + - ubuntuOptional tests: test_items: - flag: "" + compare: + op: eq + value: "" set: true remediation: | Run one of the following commands to enable `auditd` : @@ -1410,9 +6139,7 @@ groups: -e 2 - scored: true - - + scored: true - id: 4.1.1 description: "Configure Data Retentiononfigure Data Retention" checks: @@ -1495,9 +6222,1237 @@ groups: max_log_file_action = keep_logs scored: true + +- id: 4.2 + description: "Configure Logging" + checks: + - id: 4.2.3 + description: "Ensure rsyslog or syslog-ng is installed" + sub_checks: + - check: + audit: "rpm -q rsyslog" + constraints: + platform: + - rhel7 + syslog: + - rsyslog + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + - check: + audit: "rpm -q syslog-ng" + constraints: + platform: + - rhel7 + syslog: + - syslog-ng + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + - check: + audit: "dpkg -s rsyslog" + constraints: + platform: + - ubuntu + syslog: + - rsyslog + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + - check: + audit: "dpkg -s syslog-ng" + constraints: + platform: + - ubuntu + syslog: + - syslog-ng + tests: + test_items: + - flag: "install ok installed" + set: true + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + scored: true + - id: 4.2.4 + description: "Ensure permissions on all logfiles are configured" + audit: "find /var/log -type f -ls" + type: manual + remediation: | + Run the following command to set permissions on all existing log files: + + # chmod -R g-wx,o-rwx /var/log/* + scored: true +- id: 4.2.1 + description: "Configure rsyslog" + checks: + - id: 4.2.1.1 + description: "Ensure rsyslog Service is enabled" + sub_checks: + - check: + audit: "chkconfig --list rsyslog" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off" + set: true + remediation: | + Run one of the following commands to enable `rsyslog` : + + # chkconfig rsyslog on + + + # systemctl enable rsyslog + + + # update-rc.d rsyslog enable + - check: + audit: "systemctl is-enabled rsyslog" + constraints: + platform: + - rhel7 + - ubuntu + tests: + test_items: + - flag: "enabled" + set: true + remediation: | + Run one of the following commands to enable `rsyslog` : + + # chkconfig rsyslog on + + + # systemctl enable rsyslog + + + # update-rc.d rsyslog enable + - check: + audit: "ls /etc/rc*.d | grep rsyslog" + type: manual + constraints: + platform: + - ubuntuOptional + tests: + test_items: + - flag: "" + set: true + remediation: | + Run one of the following commands to enable `rsyslog` : + + # chkconfig rsyslog on + + + # systemctl enable rsyslog + + + # update-rc.d rsyslog enable + scored: true + - id: 4.2.1.2 + description: "Ensure logging is configured" + sub_checks: + - check: + audit: "cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf" + constraints: + syslog: + - rsyslog + type: manual + remediation: | + Edit the following lines in the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files as appropriate for your environment: + + *.emerg :omusrmsg:* + mail.* -/var/log/mail + mail.info -/var/log/mail.info + mail.warning -/var/log/mail.warn + mail.err /var/log/mail.err + news.crit -/var/log/news/news.crit + news.err -/var/log/news/news.err + news.notice -/var/log/news/news.notice + *.=warning;*.=err -/var/log/warn + *.crit /var/log/warn + *.*;mail.none;news.none -/var/log/messages + local0,local1.* -/var/log/localmessages + local2,local3.* -/var/log/localmessages + local4,local5.* -/var/log/localmessages + local6,local7.* -/var/log/localmessages + + Run the following command to reload the `rsyslogd` configuration: + + # pkill -HUP rsyslogd + scored: false + - id: 4.2.1.3 + description: "Ensure rsyslog default file permissions configured" + sub_checks: + - check: + audit: "grep ^\\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf" + constraints: + syslog: + - rsyslog + tests: + test_items: + - flag: "\\$FileCreateMode 0640" + set: true + remediation: | + Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files and set `$FileCreateMode` to `0640` or more restrictive: + + $FileCreateMode 0640 + scored: true + - id: 4.2.1.4 + description: "Ensure rsyslog is configured to send logs to a remote log host" + sub_checks: + - check: + audit: 'grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf' + constraints: + syslog: + - rsyslog + type: manual + remediation: | + Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files and add the following line (where `loghost.example.com` is the name of your central log host). + + *.* @@loghost.example.com + + Run the following command to reload the `rsyslogd` configuration: + + # pkill -HUP rsyslogd + scored: true + - id: 4.2.1.5.a + description: "Ensure remote rsyslog messages are only accepted on designated log hosts." + sub_checks: + - check: + audit: "grep ^\\$ModLoad /etc/rsyslog.conf /etc/rsyslog.d/*.conf" + constraints: + syslog: + - rsyslog + tests: + test_items: + - flag: "\\$ModLoad imtcp" + set: true + remediation: | + For hosts that are designated as log hosts, edit the `/etc/rsyslog.conf` file and un-comment or add the following lines: + + $ModLoad imtcp + $InputTCPServerRun 514 + + For hosts that are not designated as log hosts, edit the `/etc/rsyslog.conf` file and comment or remove the following lines: + + # $ModLoad imtcp + # $InputTCPServerRun 514 + + Run the following command to reload the `rsyslogd` configuration: + + # pkill -HUP rsyslogd + + scored: false + - id: 4.2.1.5.b + description: "Ensure remote rsyslog messages are only accepted on designated log hosts." + sub_checks: + - check: + audit: "grep ^\\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/*.conf" + constraints: + syslog: + - rsyslog + tests: + test_items: + - flag: "\\$InputTCPServerRun 514" + set: true + remediation: | + For hosts that are designated as log hosts, edit the `/etc/rsyslog.conf` file and un-comment or add the following lines: + + $ModLoad imtcp + $InputTCPServerRun 514 + + For hosts that are not designated as log hosts, edit the `/etc/rsyslog.conf` file and comment or remove the following lines: + + # $ModLoad imtcp + # $InputTCPServerRun 514 + + Run the following command to reload the `rsyslogd` configuration: + + # pkill -HUP rsyslogd + scored: false +- id: 4.2.2 + description: "Configure syslog-ng" + checks: + - id: 4.2.2.1 + description: "Ensure syslog-ng service is enabled" + sub_checks: + - check: + audit: "chkconfig --list syslog-ng" + constraints: + platform: + - rhel6 + syslog: + - syslog-ng + tests: + test_items: + - flag: "syslog-ng 0:off 1:off 2:on 3:on 4:on 5:on 6:off" + set: true + remediation: | + Run one of the following commands to enable `syslog-ng` : + + # chkconfig syslog-ng on + + + # systemctl enable syslog-ng + + + # update-rc.d syslog-ng enable + - check: + audit: "systemctl is-enabled syslog-ng" + constraints: + platform: + - rhel7 + - ubuntu + syslog: + - syslog-ng + tests: + test_items: + - flag: "enabled" + set: true + remediation: | + Run one of the following commands to enable `syslog-ng` : + + # chkconfig syslog-ng on + + + # systemctl enable syslog-ng + + + # update-rc.d syslog-ng enable + - check: + audit: "ls /etc/rc*.d | grep syslog-ng" + type: manual + constraints: + platform: + - ubuntuOptional + syslog: + - syslog-ng + tests: + bin_op: or + test_items: + - flag: "S01syslog-ng" + set: true + - flag: "K01syslog-ng" + set: true + remediation: | + Run one of the following commands to enable `syslog-ng` : + + # chkconfig syslog-ng on + + + # systemctl enable syslog-ng + + + # update-rc.d syslog-ng enable + scored: true + - id: 4.2.2.2 + description: "Ensure logging is configured" + sub_checks: + - check: + audit: "/etc/syslog-ng/syslog-ng.conf" + constraints: + syslog: + - syslog-ng + type: manual + remediation: | + Edit the log lines in the `/etc/syslog-ng/syslog-ng.conf` file as appropriate for your environment: + + log { source(src); source(chroots); filter(f_console); destination(console); }; + log { source(src); source(chroots); filter(f_console); destination(xconsole); }; + log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); }; + log { source(src); source(chroots); filter(f_newserr); destination(newserr); }; + log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); }; + log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); }; + log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); }; + log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); }; + log { source(src); source(chroots); filter(f_mail); destination(mail); }; + log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); }; + log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); }; + log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); }; + log { source(src); source(chroots); filter(f_netmgm); destination(netmgm); flags(final); }; + log { source(src); source(chroots); filter(f_local); destination(localmessages); }; + log { source(src); source(chroots); filter(f_messages); destination(messages); }; + log { source(src); source(chroots); filter(f_iptables); destination(firewall); }; + log { source(src); source(chroots); filter(f_warn); destination(warn); }; + + Run the following command to reload the `syslog-ng` configuration: + + # pkill -HUP syslog-ng + + scored: false + - id: 4.2.2.3 + description: "Ensure syslog-ng default file permissions configured" + sub_checks: + - check: + audit: "egrep -h ^options .* perm\\(0640\\) /etc/syslog-ng/syslog-ng.conf" + constraints: + syslog: + - syslog-ng + tests: + test_items: + - flag: "options" + set: true + remediation: | + Edit the `/etc/syslog-ng/syslog-ng.conf` and set `perm` option to `0640` or more restrictive: + + options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); }; + + scored: true + - id: 4.2.2.4 + description: "Ensure syslog-ng is configured to send logs to a remote log host" + sub_checks: + - check: + audit: "cat /etc/syslog-ng/syslog-ng.conf" + type: manual + constraints: + syslog: + - syslog-ng + remediation: | + Edit the `/etc/syslog-ng/syslog-ng.conf` file and add the following lines (where `logfile.example.com` is the name of your central log host). + + destination logserver { tcp("logfile.example.com" port(514)); }; + log { source(src); destination(logserver); }; + + Run the following command to reload the `syslog-ng` configuration: + + # pkill -HUP syslog-ng + scored: true + - id: 4.2.2.5 + description: "Ensure remote syslog-ng messages are only accepted on designated log hosts" + sub_checks: + - check: + audit: "cat /etc/syslog-ng/syslog-ng.conf" + constraints: + syslog: + - syslog-ng + type: manual + remediation: | + On designated log hosts edit the `/etc/syslog-ng/syslog-ng.conf` file and configure the following lines are appropriately: + + source net{ tcp(); }; + destination remote { file("/var/log/remote/${FULLHOST}-log"); }; + log { source(net); destination(remote); }; + + On non designated log hosts edit the `/etc/syslog-ng/syslog-ng.conf` file and remove or edit any sources that accept network sourced log messages. + Run the following command to reload the `syslog-ng` configuration: + + # pkill -HUP syslog-ng + scored: true +- id: 5 + description: "Access, Authentication and Authorizationccess, Authentication and Authorization" + checks: + - id: 5.5 + description: "Ensure root login is restricted to system console" + audit: "cat /etc/securetty" + type: manual + remediation: | + Remove entries for any consoles that are not in a physically secure location. + scored: true + + - id: 5.6.a + description: "Ensure access to the su command is restricted" + audit: "grep pam_wheel.so /etc/pam.d/su" + tests: + test_items: + - flag: "auth" + compare: + op: eq + value: "sufficient pam_wheel.so trust use_uid" + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: + + auth required pam_wheel.so use_uid + + Create a comma separated list of users in the wheel statement in the `/etc/group` file: + + wheel:x:10:root, + + scored: true + + - id: 5.6.b + description: "Ensure access to the su command is restricted" + audit: "grep wheel /etc/group" + type: manual + tests: + test_items: + - flag: "wheel:x:10:root," + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: + + auth required pam_wheel.so use_uid + + Create a comma separated list of users in the wheel statement in the `/etc/group` file: + + wheel:x:10:root, + + scored: true + +- id: 5.1 + description: "Configure crononfigure cron" + checks: + - id: 5.1.1 + description: "Ensure cron daemon is enabled" + sub_checks: + - check: + audit: "chkconfig --list crond" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "2:on 3:on 4:on 5:on" + set: true + remediation: | + Based on your system configuration, run the appropriate one of the following commands to enable `cron` : + + # chkconfig crond on + + + # systemctl enable crond + + + # update-rc.d crond enable + - check: + audit: "systemctl is-enabled crond" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "enabled" + set: true + remediation: | + Based on your system configuration, run the appropriate one of the following commands to enable `cron` : + + # chkconfig crond on + + + # systemctl enable crond + + + # update-rc.d crond enable + - check: + audit: "systemctl is-enabled cron" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "enabled" + set: true + remediation: | + Based on your system configuration, run the appropriate one of the following commands to enable `cron` : + + # chkconfig cron on + + + # systemctl enable cron + + + # update-rc.d cron enable + scored: true + - id: 5.1.2 + description: "Ensure permissions on /etc/crontab are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/crontab" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/crontab` : + + # chown root:root /etc/crontab + # chmod og-rwx /etc/crontab + + scored: true + + + - id: 5.1.3 + description: "Ensure permissions on /etc/cron.hourly are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/cron.hourly` : + + # chown root:root /etc/cron.hourly + # chmod og-rwx /etc/cron.hourly + + scored: true + + + - id: 5.1.4 + description: "Ensure permissions on /etc/cron.daily are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/cron.daily` : + + # chown root:root /etc/cron.daily + # chmod og-rwx /etc/cron.daily + + scored: true + + + - id: 5.1.5 + description: "Ensure permissions on /etc/cron.weekly are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/cron.weekly` : + + # chown root:root /etc/cron.weekly + # chmod og-rwx /etc/cron.weekly + + scored: true + + + - id: 5.1.6 + description: "Ensure permissions on /etc/cron.monthly are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/cron.monthly` : + + # chown root:root /etc/cron.monthly + # chmod og-rwx /etc/cron.monthly + + scored: true + + + - id: 5.1.7 + description: "Ensure permissions on /etc/cron.d are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/cron.d` : + + # chown root:root /etc/cron.d + # chmod og-rwx /etc/cron.d + + scored: true + + + - id: 5.1.8.a + description: "Ensure at/cron is restricted to authorized users" + audit: "stat /etc/cron.deny" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : + + # rm /etc/cron.deny + # rm /etc/at.deny + # touch /etc/cron.allow + # touch /etc/at.allow + # chmod og-rwx /etc/cron.allow + # chmod og-rwx /etc/at.allow + # chown root:root /etc/cron.allow + # chown root:root /etc/at.allow + + scored: true + + - id: 5.1.8.b + description: "Ensure at/cron is restricted to authorized users" + audit: "stat /etc/at.deny" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : + + # rm /etc/cron.deny + # rm /etc/at.deny + # touch /etc/cron.allow + # touch /etc/at.allow + # chmod og-rwx /etc/cron.allow + # chmod og-rwx /etc/at.allow + # chown root:root /etc/cron.allow + # chown root:root /etc/at.allow + + scored: true + + - id: 5.1.8.c + description: "Ensure at/cron is restricted to authorized users" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.allow" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : + + # rm /etc/cron.deny + # rm /etc/at.deny + # touch /etc/cron.allow + # touch /etc/at.allow + # chmod og-rwx /etc/cron.allow + # chmod og-rwx /etc/at.allow + # chown root:root /etc/cron.allow + # chown root:root /etc/at.allow + + scored: true + + - id: 5.1.8.d + description: "Ensure at/cron is restricted to authorized users" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/at.allow" + tests: + test_items: + - flag: "Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : + + # rm /etc/cron.deny + # rm /etc/at.deny + # touch /etc/cron.allow + # touch /etc/at.allow + # chmod og-rwx /etc/cron.allow + # chmod og-rwx /etc/at.allow + # chown root:root /etc/cron.allow + # chown root:root /etc/at.allow + + scored: true + +- id: 5.2 + description: "SSH Server ConfigurationSH Server Configuration" + checks: + - id: 5.2.1 + description: "Ensure permissions on /etc/ssh/sshd_config are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/ssh/sshd_config" + tests: + test_items: + - flag: "600/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following commands to set ownership and permissions on `/etc/ssh/sshd_config`: + + # chown root:root /etc/ssh/sshd_config + # chmod og-rwx /etc/ssh/sshd_config + + scored: true + + + - id: 5.2.2 + description: "Ensure SSH Protocol is set to 2" + audit: "grep ^Protocol /etc/ssh/sshd_config" + tests: + test_items: + - flag: "Protocol 2" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + Protocol 2 + + scored: true + + + - id: 5.2.3 + description: "Ensure SSH LogLevel is set to INFO" + audit: "grep ^LogLevel /etc/ssh/sshd_config" + tests: + test_items: + - flag: "LogLevel INFO" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + LogLevel INFO + + scored: true + + + - id: 5.2.4 + description: "Ensure SSH X11 forwarding is disabled" + audit: "grep ^X11Forwarding /etc/ssh/sshd_config" + tests: + test_items: + - flag: "X11Forwarding no" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + X11Forwarding no + + scored: true + + + + - id: 5.2.5 + description: "Ensure SSH MaxAuthTries is set to 4 or less" + audit: "grep ^MaxAuthTries /etc/ssh/sshd_config" + tests: + test_items: + - flag: "MaxAuthTries 4" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + MaxAuthTries 4 + + scored: true + + - id: 5.2.6 + description: "Ensure SSH IgnoreRhosts is enabled" + audit: "grep ^IgnoreRhosts /etc/ssh/sshd_config" + tests: + test_items: + - flag: "IgnoreRhosts yes" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + IgnoreRhosts yes + + scored: true + + + - id: 5.2.7 + description: "Ensure SSH HostbasedAuthentication is disabled" + audit: "grep ^HostbasedAuthentication /etc/ssh/sshd_config" + tests: + test_items: + - flag: "HostbasedAuthentication no" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + HostbasedAuthentication no + + scored: true + + + - id: 5.2.8 + description: "Ensure SSH root login is disabled" + audit: "grep ^PermitRootLogin /etc/ssh/sshd_config" + tests: + test_items: + - flag: "PermitRootLogin no" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + PermitRootLogin no + + scored: true + + + + - id: 5.2.9 + description: "Ensure SSH PermitEmptyPasswords is disabled" + audit: "grep ^PermitEmptyPasswords /etc/ssh/sshd_config" + tests: + test_items: + - flag: "PermitEmptyPasswords no" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + PermitEmptyPasswords no + + scored: true + + - id: 5.2.10 + description: "Ensure SSH PermitUserEnvironment is disabled" + audit: "grep ^PermitUserEnvironment /etc/ssh/sshd_config" + tests: + test_items: + - flag: "PermitUserEnvironment no" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + PermitUserEnvironment no + + scored: true + + + - id: 5.2.11 + description: "Ensure only approved MAC algorithms are used" + audit: "grep MACs /etc/ssh/sshd_config" + tests: + test_items: + - flag: "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + + scored: true + + + - id: 5.2.12.a + description: "Ensure SSH Idle Timeout Interval is configured" + audit: "grep ^ClientAliveInterval /etc/ssh/sshd_config" + tests: + test_items: + - flag: "ClientAliveInterval 300" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: + + ClientAliveInterval 300 + ClientAliveCountMax 0 + + scored: true + + - id: 5.2.12.b + description: "Ensure SSH Idle Timeout Interval is configured" + audit: "grep ^ClientAliveCountMax /etc/ssh/sshd_config" + tests: + test_items: + - flag: "ClientAliveCountMax 0" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: + + ClientAliveInterval 300 + ClientAliveCountMax 0 + + scored: true + + - id: 5.2.13 + description: "Ensure SSH LoginGraceTime is set to one minute or less" + audit: "grep ^LoginGraceTime /etc/ssh/sshd_config" + tests: + test_items: + - flag: "LoginGraceTime 60" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + LoginGraceTime 60 + + scored: true + + + - id: 5.2.14.a + description: "Ensure SSH access is limited" + audit: "grep ^AllowUsers /etc/ssh/sshd_config" + type: manual + tests: + test_items: + - flag: "AllowUsers " + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: + + AllowUsers + AllowGroups + DenyUsers + DenyGroups + + scored: true + + - id: 5.2.14.b + description: "Ensure SSH access is limited" + audit: "grep ^AllowGroups /etc/ssh/sshd_config" + type: manual + tests: + test_items: + - flag: "AllowGroups " + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: + + AllowUsers + AllowGroups + DenyUsers + DenyGroups + + scored: true + + - id: 5.2.14.c + description: "Ensure SSH access is limited" + audit: "grep ^DenyUsers /etc/ssh/sshd_config" + type: manual + tests: + test_items: + - flag: "DenyUsers " + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: + + AllowUsers + AllowGroups + DenyUsers + DenyGroups + + scored: true + + - id: 5.2.14.d + description: "Ensure SSH access is limited" + audit: "grep ^DenyGroups /etc/ssh/sshd_config" + type: manual + tests: + test_items: + - flag: "DenyGroups " + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: + + AllowUsers + AllowGroups + DenyUsers + DenyGroups + + scored: true + + - id: 5.2.15 + description: "Ensure SSH warning banner is configured" + audit: "grep ^Banner /etc/ssh/sshd_config" + tests: + test_items: + - flag: "Banner /etc/issue.net" + set: true + remediation: | + Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: + + Banner /etc/issue.net + + scored: true + + +- id: 5.3 + description: "Configure PAMonfigure PAM" + checks: + - id: 5.3.1 + description: "Ensure password creation requirements are configured" + audit: "cat /etc/pam.d/common-password; cat /etc/pam.d/system-auth" + type: manual + remediation: | + Set password creation requirements to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_cracklib.so` or `pam_pwquality.so` lines to include the required options: + + password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 + password requisite pam_pwquality.so try_first_pass retry=3 + + If `pam_pwquality.so` is in use also configure settings in `/etc/security/pwquality.conf` : + + minlen = 14 + dcredit = -1 + ucredit = -1 + ocredit = -1 + lcredit = -1 + + scored: true + + - id: 5.3.2 + description: "Ensure lockout for failed password attempts is configured" + audit: "cat /etc/pam.d/system-auth; cat /etc/pam.d/password-auth; cat /etc/pam.d/common-auth" + type: manual + remediation: | + Set password lockouts to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_tally2.so` or `pam_faillock.so` lines as appropriate: + + auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 + + + auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 + auth sufficient pam_unix.so + auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 + auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 + + scored: false + + - id: 5.3.3 + description: "Ensure password reuse is limited" + audit: "cat /etc/pam.d/common-password; cat /etc/pam.d/system-auth" + type: manual + tests: + bin_op: and + test_items: + - flag: "password required pam_pwhistory.so remember=5" + set: true + - flag: "password sufficient pam_unix.so remember=5" + set: true + remediation: | + Set remembered password history to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_pwhistory.so` or `pam_unix.so` lines to include the `remember` option: + + password required pam_pwhistory.so remember=5 + password sufficient pam_unix.so remember=5 + + scored: false + + - id: 5.3.4 + description: "Ensure password hashing algorithm is SHA-512" + audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" + tests: + test_items: + - flag: "password sufficient pam_unix.so sha512" + set: true + remediation: | + Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: + + password sufficient pam_unix.so sha512 + + scored: false + - id: 5.4 description: "User Accounts and Environmentser Accounts and Environment" checks: + - id: 5.4.2 + description: "Ensure system accounts are non-login" + audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Set the shell for any accounts returned by the audit script to `/sbin/nologin` : + + # usermod -s /sbin/nologin + + The following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync` , `shutdown` , and `halt` users: + + #!/bin/bash + for user in `awk -F: '($3 < 500) {print $1 }' /etc/passwd` ; do + if [ $user != "root" ]; then + usermod -L $user + if [ $user != "sync" ] && [ $user != "shutdown" ] & then + usermod -s /sbin/nologin $user + fi + fi + done + + scored: true + + - id: 5.4.3 + description: "Ensure default group for the root account is GID 0" + audit: "grep ^root: /etc/passwd | cut -f4 -d:" + tests: + test_items: + - flag: "0" + set: true + remediation: | + Run the following command to set the `root` user default group to GID `0` : + + # usermod -g 0 root + + scored: true + + + - id: 5.4.4.a + description: "Ensure default user umask is 027 or more restrictive" + sub_checks: + - check: + audit: "grep umask /etc/bashrc" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "umask 027" + set: true + remediation: | + Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + umask 027 + - check: + audit: "grep umask /etc/bash.bashrc" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "umask 027" + set: true + remediation: | + Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + umask 027 + scored: true + + - id: 5.4.4.b + description: "Ensure default user umask is 027 or more restrictive" + audit: "grep -h umask /etc/profile /etc/profile.d/*.sh" + tests: + test_items: + - flag: "umask 027" + set: true + remediation: | + Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + umask 027 + + scored: true - id: 5.4.5.a description: "Ensure default user shell timeout is 900 seconds or less" sub_checks: @@ -1550,15 +7505,279 @@ groups: TMOUT=600 + scored: true +- id: 5.4.1 + description: "Set Shadow Password Suite Parameterset Shadow Password Suite Parameters" + checks: + - id: 5.4.1.1.a + description: "Ensure password expiration is 365 days or less" + audit: "grep ^PASS_MAX_DAYS /etc/login.defs" + tests: + bin_op: and + test_items: + - flag: "PASS_MAX_DAYS" + set: true + flag: "90" + set: true + remediation: | + Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : + + PASS_MAX_DAYS 90 + + Modify user parameters for all users with a password set to match: + + # chage --maxdays 90 + + scored: true + + - id: 5.4.1.1.b + description: "Ensure password expiration is 365 days or less" + audit: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" + type: manual + tests: + test_items: + - flag: "" + set: true + remediation: | + Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : + + PASS_MAX_DAYS 90 + + Modify user parameters for all users with a password set to match: + + # chage --maxdays 90 + + scored: true + + - id: 5.4.1.1.c + description: "Ensure password expiration is 365 days or less" + audit: "chage --list " + type: manual + tests: + test_items: + - flag: "Maximum number of days between password change : 90" + set: true + remediation: | + Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : + + PASS_MAX_DAYS 90 + + Modify user parameters for all users with a password set to match: + + # chage --maxdays 90 + + scored: true + + - id: 5.4.1.2.a + description: "Ensure minimum days between password changes is 7 or more" + audit: "grep ^PASS_MIN_DAYS /etc/login.defs" + tests: + bin_op: and + test_items: + - flag: "PASS_MIN_DAYS" + set: true + flag: "7" + set: true + remediation: | + Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : + + PASS_MIN_DAYS 7 + + Modify user parameters for all users with a password set to match: + + # chage --mindays 7 + scored: true + - id: 5.4.1.2.b + description: "Ensure minimum days between password changes is 7 or more" + audit: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" + type: manual + tests: + test_items: + - flag: "" + set: true + remediation: | + Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : + + PASS_MIN_DAYS 7 + + Modify user parameters for all users with a password set to match: + + # chage --mindays 7 + + scored: true + + - id: 5.4.1.2.c + description: "Ensure minimum days between password changes is 7 or more" + audit: "chage --list " + type: manual + tests: + test_items: + - flag: "Minimum number of days between password change : 7" + set: true + remediation: | + Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : + + PASS_MIN_DAYS 7 + + Modify user parameters for all users with a password set to match: + + # chage --mindays 7 + + scored: true + + - id: 5.4.1.3.a + description: "Ensure password expiration warning days is 7 or more" + audit: "grep ^PASS_WARN_AGE /etc/login.defs" + tests: + bin_op: and + test_items: + - flag: "PASS_WARN_AGE" + set: true + flag: "7" + set: true + remediation: | + Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : + + PASS_WARN_AGE 7 + + Modify user parameters for all users with a password set to match: + + # chage --warndays 7 + + scored: true + + - id: 5.4.1.3.b + description: "Ensure minimum days between password changes is 7 or more" + audit: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" + type: manual + tests: + test_items: + - flag: "" + set: true + remediation: | + Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : + + PASS_WARN_AGE 7 + + Modify user parameters for all users with a password set to match: + + # chage --warndays 7 + + scored: true + + - id: 5.4.1.3.c + description: "Ensure minimum days between password changes is 7 or more" + audit: "chage --list " + type: manual + tests: + test_items: + - flag: "Number of days of warning before password expires : 7" + set: true + remediation: | + Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : + + PASS_MIN_DAYS 7 + + Modify user parameters for all users with a password set to match: + + # chage --mindays 7 + + scored: true + + - id: 5.4.1.4.a + description: "Ensure inactive password lock is 30 days or less" + audit: "useradd -D | grep INACTIVE" + tests: + test_items: + - flag: "INACTIVE" + compare: + op: lte + value: 30 + set: true + remediation: | + Run the following command to set the default password inactivity period to 30 days: + + # useradd -D -f 30 + + Modify user parameters for all users with a password set to match: + + # chage --inactive 30 + + scored: true + + - id: 5.4.1.4.b + description: "Ensure inactive password lock is 30 days or less" + audit: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" + type: manual + tests: + test_items: + - flag: "" + set: true + remediation: | + Run the following command to set the default password inactivity period to 30 days: + + # useradd -D -f 30 + + Modify user parameters for all users with a password set to match: + + # chage --inactive 30 + + scored: true + + - id: 5.4.1.4.c + description: "Ensure inactive password lock is 30 days or less" + audit: "chage --list " + type: manual + tests: + test_items: + - flag: "Password inactive : " + set: true + remediation: | + Run the following command to set the default password inactivity period to 30 days: + + # useradd -D -f 30 + + Modify user parameters for all users with a password set to match: + + # chage --inactive 30 + + scored: true + + - id: 5.4.1.5.a + description: "Ensure all users last password change date is in the past" + audit: "cat /etc/shadow | cut -d: -f1" + type: manual + tests: + test_items: + - flag: "" + set: true + remediation: | + Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. + scored: true + + - id: 5.4.1.5.b + description: "Ensure all users last password change date is in the past" + audit: "chage --list " + type: manual + tests: + test_items: + - flag: "Last Change : " + set: true + type: manual + remediation: | + Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. + scored: true + +- id: 6 + description: "System Maintenanceystem Maintenance" - id: 6.1 description: "System File Permissionsystem File Permissions" checks: - id: 6.1.1.a description: "Audit system file permissions" - audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " - skip: true + audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " type: "manual" remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. @@ -1566,9 +7785,568 @@ groups: - id: 6.1.1.b description: "Audit system file permissions" - audit: "dpkg --verify > " - skip: true + audit: "dpkg --verify > " type: "manual" remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + scored: false + - id: 6.1.2 + description: "Ensure permissions on /etc/passwd are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/passwd" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following command to set permissions on `/etc/passwd` : + + # chown root:root /etc/passwd + # chmod 644 /etc/passwd + + scored: true + + + - id: 6.1.3 + description: "Ensure permissions on /etc/shadow are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/shadow" + tests: + bin_op: or + test_items: + - flag: "640/Uid:root/0Gid:root/0" + set: true + - flag: "640/Uid:root/0Gid:shadow" + set: true + remediation: | + Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/shadow` : + + # chown root:root /etc/shadow + # chown root:shadow /etc/shadow + # chmod o-rwx,g-wx /etc/shadow + + scored: true + + + - id: 6.1.4 + description: "Ensure permissions on /etc/group are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/group" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following command to set permissions on `/etc/group` : + + # chown root:root /etc/group + # chmod 644 /etc/group + + scored: true + + + - id: 6.1.5 + description: "Ensure permissions on /etc/gshadow are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/gshadow" + tests: + bin_op: or + test_items: + - flag: "640/Uid:root/0Gid:root/0" + set: true + - flag: "640/Uid:root/0Gid:shadow" + set: true + remediation: | + Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/gshadow` : + + # chown root:root /etc/gshadow + # chown root:shadow /etc/gshadow + # chmod o-rwx,g-rw /etc/gshadow + + scored: true + + - id: 6.1.6 + description: "Ensure permissions on /etc/passwd- are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/passwd-" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following command to set permissions on `/etc/passwd-` : + + # chown root:root /etc/passwd- + # chmod u-x,go-wx /etc/passwd- + + scored: true + + + - id: 6.1.7 + description: "Ensure permissions on /etc/shadow- are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/shadow-" + tests: + bin_op: or + test_items: + - flag: "640/Uid:root/0Gid:root/0" + set: true + - flag: "640/Uid:root/0Gid:shadow" + set: true + remediation: | + Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/shadow-` : + + # chown root:root /etc/shadow- + # chown root:shadow /etc/shadow- + # chmod o-rwx,g-rw /etc/shadow- + + scored: true + + + - id: 6.1.8 + description: "Ensure permissions on /etc/group- are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/group-" + tests: + test_items: + - flag: "644/Uid:root/0Gid:root/0" + set: true + remediation: | + Run the following command to set permissions on `/etc/group-` : + + # chown root:root /etc/group- + # chmod u-x,go-wx /etc/group- + + scored: true + + + - id: 6.1.9 + description: "Ensure permissions on /etc/gshadow- are configured" + audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/gshadow-" + tests: + bin_op: or + test_items: + - flag: "640/Uid:root/0Gid:root/0" + set: true + - flag: "640/Uid:root/0Gid:shadow" + set: true + remediation: | + Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/gshadow-` : + + # chown root:root /etc/gshadow- + # chown root:shadow /etc/gshadow- + # chmod o-rwx,g-rw /etc/gshadow- + + scored: true + + + - id: 6.1.10.a + description: "Ensure no world writable files exist" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Removing write access for the "other" category ( `chmod o-w ` ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. + scored: true + + - id: 6.1.10.b + description: "Ensure no world writable files exist" + audit: "find -xdev -type f -perm -0002 " + type: manual + remediation: | + Removing write access for the "other" category ( `chmod o-w ` ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. + scored: true + + - id: 6.1.11.a + description: "Ensure no unowned files or directories exist" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. + scored: true + + - id: 6.1.11.b + description: "Ensure no unowned files or directories exist" + audit: "find -xdev -type f -perm -0002" + type: manual + remediation: | + Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. + scored: true + + - id: 6.1.12.a + description: "Ensure no ungrouped files or directories exist" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. + scored: true + + - id: 6.1.12.b + description: "Ensure no ungrouped files or directories exist" + audit: "find -xdev -nogroup" + type: manual + remediation: | + Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. + scored: true + + - id: 6.1.13.a + description: "Audit SUID executables" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" + type: manual + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Ensure that no rogue SUID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. scored: false + + - id: 6.1.13.b + description: "Audit SUID executables" + audit: "find -xdev -type f -perm -4000" + type: manual + remediation: | + Ensure that no rogue SUID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. + scored: false + + - id: 6.1.14.a + description: "Audit SGID executables" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000" + type: manual + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. + scored: false + + - id: 6.1.14.b + description: "Audit SGID executables" + audit: "find -xdev -type f -perm -2000" + type: manual + remediation: | + Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. + scored: false + +- id: 6.2 + description: "User and Group Settings" + checks: + - id: 6.2.1 + description: "Ensure password fields are not empty" + audit: "cat /etc/shadow | awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}'" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + If any accounts in the `/etc/shadow` file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: + + # passwd -l + + Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off. + scored: true + + - id: 6.2.2 + description: "Ensure no legacy \"+\" entries exist in /etc/passwd" + audit: "grep '^\\+:' /etc/passwd" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Remove any legacy '+' entries from `/etc/passwd` if they exist. + scored: true + + + - id: 6.2.3 + description: "Ensure no legacy \"+\" entries exist in /etc/shadow" + audit: "grep '^\\+:' /etc/shadow" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Remove any legacy '+' entries from `/etc/shadow` if they exist. + scored: true + + + - id: 6.2.4 + description: "Ensure no legacy \"+\" entries exist in /etc/group" + audit: "grep '^\\+:' /etc/group" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Remove any legacy '+' entries from `/etc/group` if they exist. + scored: true + + + - id: 6.2.5 + description: "Ensure root is the only UID 0 account" + audit: "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'" + tests: + test_items: + - flag: "root" + set: true + remediation: | + Remove any users other than `root` with UID `0` or assign them a new UID if appropriate. + scored: true + + - id: 6.2.6 + description: "Ensure root PATH Integrity" + audit: "./6.2.6.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Correct or justify any items discovered in the Audit step. + scored: true + + + - id: 6.2.7 + description: "Ensure all users' home directories exist" + audit: "./6.2.7.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. + scored: true + + - id: 6.2.8 + description: "Ensure users' home directories permissions are 750 or more restrictive" + audit: "./6.2.8.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy. + scored: true + + - id: 6.2.9 + description: "Ensure users own their home directories" + audit: "./6.2.9.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Change the ownership of any home directories that are not owned by the defined user to the correct user. + scored: true + + + - id: 6.2.10 + description: "Ensure users' dot files are not group or world writable" + audit: "./6.2.10.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy. + scored: true + + - id: 6.2.11 + description: "Ensure no users have .forward files" + audit: "./6.2.11.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. + scored: true + + + - id: 6.2.12 + description: "Ensure no users have .netrc files" + audit: "./6.2.12.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.netrc` files and determine the action to be taken in accordance with site policy. + scored: true + + - id: 6.2.13 + description: "Ensure users' .netrc Files are not group or world accessible" + audit: "./6.2.13.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.netrc` file permissions and determine the action to be taken in accordance with site policy. + scored: true + + - id: 6.2.14 + description: "Ensure no users have .rhosts files" + audit: "./6.2.14.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.rhosts` files and determine the action to be taken in accordance with site policy. + scored: true + + - id: 6.2.15 + description: "Ensure all groups in /etc/passwd exist in /etc/group" + audit: "./6.2.15.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Analyze the output of the Audit step above and perform the appropriate action to correct any discrepancies found. + scored: true + + - id: 6.2.16 + description: "Ensure no duplicate UIDs exist" + audit: "./6.2.16.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Based on the results of the audit script, establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to. + scored: true + + - id: 6.2.17 + description: "Ensure no duplicate GIDs exist" + audit: "./6.2.17.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Based on the results of the audit script, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to. + scored: true + + - id: 6.2.18 + description: "Ensure no duplicate user names exist" + audit: "./6.2.18.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs. + scored: true + + + - id: 6.2.19 + description: "Ensure no duplicate group names exist" + audit: "./6.2.19.sh" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Based on the results of the audit script, establish unique names for the user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs. + scored: true + + - id: 6.2.20.a + description: "Ensure shadow group is empty" + audit: "grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. + scored: true + + - id: 6.2.20.b + description: "Ensure shadow group is empty" + audit: "awk -F: '($4 == \"\") { print }' /etc/passwd" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. + scored: true + \ No newline at end of file