--- controls: version: 2.0.0 id: 1 description: "Initial Setup" type: "master" groups: - id: 1.1 description: "Filesystem Configuration" checks: - id: 1.1.1 description: "Disable unused filesystems" checks: - id: 1.1.1.1.a description: "Ensure mounting of cramfs filesystems is disabled" audit: "modprobe -n -v cramfs" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true Run the following command to unload the cramfs module: # rmmod cramfs scored: true - id: 1.1.1.1.b description: "Ensure mounting of cramfs filesystems is disabled" audit: "lsmod | grep cramfs" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true Run the following command to unload the cramfs module: # rmmod cramfs scored: true - id: 1.1.1.2.a description: "Ensure mounting of freevxfs filesystems is disabled" audit: "modprobe -n -v freevxfs" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs scored: true - id: 1.1.1.2.b description: "Ensure mounting of freevxfs filesystems is disabled" audit: "lsmod | grep freevxfs" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs scored: true - id: 1.1.1.3.a description: "Ensure mounting of jffs2 filesystems is disabled" audit: "modprobe -n -v jffs2" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2 scored: true - id: 1.1.1.3.b description: "Ensure mounting of jffs2 filesystems is disabled" audit: "lsmod | grep jffs2" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2 scored: true - id: 1.1.1.4.a description: "Ensure mounting of hfs filesystems is disabled" audit: "modprobe -n -v hfs" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs scored: true - id: 1.1.1.4.b description: "Ensure mounting of hfs filesystems is disabled" audit: "lsmod | grep hfs" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs scored: true - id: 1.1.1.5.a description: "Ensure mounting of hfsplus filesystems is disabled" audit: "modprobe -n -v hfsplus" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus scored: true - id: 1.1.1.5.b description: "Ensure mounting of hfsplus filesystems is disabled" audit: "lsmod | grep hfsplus" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus scored: true - id: 1.1.1.6.a description: "Ensure mounting of squashfs filesystems is disabled" sub_checks: - check: audit: "modprobe -n -v squashfs" constraints: platform: - rhel7 tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/squashfs.conf and add the following line: install squashfs /bin/true Run the following command to unload the squashfs module: # rmmod squashfs scored: true - id: 1.1.1.6.b description: "Ensure mounting of squashfs filesystems is disabled" sub_checks: - check: audit: "lsmod | grep squashfs" constraints: platform: - rhel7 tests: test_items: - flag: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/squashfs.conf and add the following line: install squashfs /bin/true Run the following command to unload the squashfs module: # rmmod squashfs scored: true - id: 1.1.1.7.a description: "Ensure mounting of udf filesystems is disabled" audit: "modprobe -n -v udf" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf scored: true - id: 1.1.1.7.b description: "Ensure mounting of udf filesystems is disabled" audit: "lsmod | grep udf" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf scored: true - id: 1.1.1.8.a description: "Ensure mounting of FAT filesystems is disabled" sub_checks: - check: audit: "grep -i vfat /etc/fstab" constraints: platform: - rhel7 type: manual remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/vfat.conf install vfat /bin/true Run the following command to unload the vfat module: # rmmod vfat scored: false - id: 1.1.1.8.b description: "Ensure mounting of FAT filesystems is disabled" sub_checks: - check: audit: "modprobe -n -v vfat" constraints: platform: - rhel7 tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/vfat.conf install vfat /bin/true Run the following command to unload the vfat module: # rmmod vfat scored: false - id: 1.1.1.8.c description: "Ensure mounting of FAT filesystems is disabled" sub_checks: - check: audit: "lsmod | grep vfat" constraints: platform: - rhel7 tests: test_items: - flag: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/vfat.conf install vfat /bin/true Run the following command to unload the vfat module: # rmmod vfat scored: false - id: 1.1.2.a description: "Ensure /tmp is configured" audit: "mount | grep -E '\\s/tmp\\s'" tests: test_items: - flag: "" compare: op: eq value: "" set: false remediation: | Configure /etc/fstab as appropriate. example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 OR Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid scored: true - id: 1.1.2.b description: "Ensure /tmp is configured" audit: "grep -E '\\s/tmp\\s' /etc/fstab | grep -E -v '^\\s*#'" tests: test_items: - flag: "" compare: op: eq value: "" set: false remediation: | Configure /etc/fstab as appropriate. example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 OR Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid scored: true - id: 1.1.3 description: "Ensure nodev option set on /tmp partition" audit: "mount | grep -E '\\s/tmp\\s' | grep -v nodev" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp or Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid un the following command to remount /tmp : # mount -o remount,nodev /tmp scored: true - id: 1.1.4 description: "Ensure nosuid option set on /tmp partition" audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp or Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nosuid /tmp scored: true - id: 1.1.5 description: "Ensure noexec option set on /tmp partition" audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/tmp` partition. See the `fstab(5)` manual page for more information. Run the following command to remount `/tmp` : # mount -o remount,noexec /tmp scored: true - id: 1.1.6 description: "Ensure separate partition exists for /var" audit: "mount | grep -E '\\s/var\\s'" tests: test_items: - flag: "/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)" remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - id: 1.1.7 description: "Ensure separate partition exists for /var/tmp" audit: "mount | grep /var/tmp" tests: test_items: - flag: " on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)" remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var/tmp` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - id: 1.1.8 description: "Ensure nodev option set on /var/tmp partition" audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nodev" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp scored: true - id: 1.1.9 description: "Ensure nosuid option set on /var/tmp partition" audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nosuid /var/tmp scored: true - id: 1.1.10 description: "Ensure noexec option set on /var/tmp partition" audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v noexec" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,noexec /var/tmp scored: true - id: 1.1.11 description: "Ensure separate partition exists for /var/log" audit: "mount | grep /var/log" tests: test_items: - flag: "/dev/xvdh1 on /var/log type ext4 (rw,relatime,data=ordered)" remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - id: 1.1.12 description: "Ensure separate partition exists for /var/log/audit" audit: "mount | grep /var/log/audit" tests: test_items: - flag: "/dev/xvdi1 on /var/log/audit type ext4 (rw,relatime,data=ordered)" remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log/audit` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - id: 1.1.13 description: "Ensure separate partition exists for /home" audit: "mount | grep /home" tests: test_items: - flag: "/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)" remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/home` . For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. scored: true - id: 1.1.14 description: "Ensure nodev option set on /home partition" audit: "mount | grep -E '\\s/home\\s' | grep -v nodev" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/home` partition. See the `fstab(5)` manual page for more information. # mount -o remount,nodev /home scored: true - id: 1.1.15 description: "Ensure nodev option set on /dev/shm partition" audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nodev" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. Run the following command to remount `/dev/shm` : # mount -o remount,nodev /dev/shm scored: true - id: 1.1.16 description: "Ensure nosuid option set on /dev/shm partition" audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. Run the following command to remount `/dev/shm` : # mount -o remount,nosuid /dev/shm scored: true - id: 1.1.17 description: "Ensure noexec option set on /dev/shm partition" audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v noexec" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) for the `/dev/shm` partition. See the `fstab(5)` manual page for more information. Run the following command to remount `/dev/shm` : # mount -o remount,noexec /dev/shm scored: true - id: 1.1.18 description: "Ensure nodev option set on removable media partitions" audit: "mount" type: manual remediation: | Edit the `/etc/fstab` file and add `nodev` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. scored: false - id: 1.1.19 description: "Ensure nosuid option set on removable media partitions" audit: "mount" type: manual remediation: | Edit the `/etc/fstab` file and add `nosuid` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. scored: false - id: 1.1.20 description: "Ensure noexec option set on removable media partitions" audit: "mount" type: manual remediation: | Edit the `/etc/fstab` file and add `noexec` to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the `fstab(5)` manual page for more information. scored: false - id: 1.1.21 description: "Ensure sticky bit is set on all world-writable directories" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | head -n 100" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' scored: true - id: 1.1.22 description: "Disable Automounting" sub_checks: - check: audit: "chkconfig --list autofs" constraints: platform: - rhel6 tests: test_items: - flag: "autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `autofs` : # chkconfig autofs off # systemctl disable autofs # update-rc.d autofs disable - check: audit: "systemctl is-enabled autofs" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "disabled" remediation: | Run one of the following commands to disable `autofs` : # chkconfig autofs off # systemctl disable autofs # update-rc.d autofs disable - check: audit: "ls /etc/rc*.d | grep autofs" constraints: platform: - ubuntuOptional tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run one of the following commands to disable `autofs` : # chkconfig autofs off # systemctl disable autofs # update-rc.d autofs disable scored: true - id: 1.1.23.a description: "Disable USB Storage" audit: "modprobe -n -v usb-storage" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb-storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: # rmmod usb-storage scored: true - id: 1.1.23.b description: "Disable USB Storage" audit: "lsmod | grep usb-storage" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb-storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: # rmmod usb-storage scored: true - id: 1.2 description: "Configure Software Updates" checks: - id: 1.2.1 description: "Ensure package manager repositories are configured" sub_checks: - check: audit: "yum repo-list" constraints: platform: - rhel7 type: manual remediation: | Configure your package manager repositories according to site policy. - check: audit: "apt-cache policy" constraints: platform: - ubuntu16 - ubuntu18 type: manual remediation: | Configure your package manager repositories according to site policy. - check: audit: "zypper repos" constraints: platform: - opensuse type: manual remediation: | Configure your package manager repositories according to site policy. scored: false - id: 1.2.2 description: "Ensure GPG keys are configured" sub_checks: - check: audit: "rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}'" constraints: platform: - rhel7 type: manual remediation: | Update your package manager GPG keys in accordance with site policy. - check: audit: "apt-key list" constraints: platform: - ubuntu16 - ubuntu18 type: manual remediation: | Update your package manager GPG keys in accordance with site policy. - check: audit: "zypper repos" constraints: platform: - opensuse type: manual remediation: | Update your package manager GPG keys in accordance with site policy. scored: false - id: 1.3 description: "Filesystem Integrity Checking" checks: - id: 1.3.1 description: "Ensure AIDE is installed" sub_checks: - check: audit: "rpm -q aide" constraints: platform: - rhel7 tests: test_items: - flag: "package aide is not installed" set: false remediation: | Install AIDE using the appropriate package manager or manual installation: # yum install aide # apt-get install aide # zypper install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init - check: audit: "dpkg -s aide" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | Install AIDE using the appropriate package manager or manual installation: # yum install aide # apt-get install aide # zypper install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init - check: audit: "apt-cache show aide" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | Install AIDE using the appropriate package manager or manual installation: # yum install aide # apt-get install aide # zypper install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init scored: true - id: 1.3.2.a description: "Ensure filesystem integrity is regularly checked" audit: "crontab -u root -l | grep aide" tests: test_items: - flag: "aide --check" remediation: | Run the following commands: # cp ./config/aidecheck.service /etc/systemd/system/aidecheck.service # cp ./config/aidecheck.timer /etc/systemd/system/aidecheck.timer # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl reenable aidecheck.timer # systemctl restart aidecheck.timer # systemctl daemon-reload or Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check scored: true - id: 1.3.2.b description: "Ensure filesystem integrity is regularly checked" audit: "grep -r aide /etc/cron.* /etc/crontab" tests: test_items: - flag: "aide --check" remediation: | Run the following commands: # cp ./config/aidecheck.service /etc/systemd/system/aidecheck.service # cp ./config/aidecheck.timer /etc/systemd/system/aidecheck.timer # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl reenable aidecheck.timer # systemctl restart aidecheck.timer # systemctl daemon-reload or Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check scored: true - id: 1.4 description: "Secure Boot Settings" checks: - id: 1.4.1 description: "Ensure permissions on bootloader config are configured" sub_checks: - check: audit: "stat -c %a/Uid:%U/%uGid:%G/%g /boot/grub/menu.lst" constraints: boot: - grub tests: test_items: - flag: "400/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/menu.lst # chmod og-rwx /boot/grub/menu.lst - check: audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/default/grub" constraints: boot: - grub2 tests: test_items: - flag: "400/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on your grub configuration: # chown root:root /etc/default/grub # chmod og-rwx /etc/default/grub scored: true - id: 1.4.2 description: "Ensure bootloader password is set" sub_checks: - check: audit: "grep \"^\\s*password\" /boot/grub/menu.lst" constraints: boot: - grub tests: test_items: - flag: "password --md5 " remediation: | For grub based systems create an encrypted password with grub-md5-crypt: # grub-crypt Password: Retype Password: Copy and paste the into the global section of /boot/grub/menu.lst: password For grub2 based systems Create an encrypted password with grub2-setpassword : # grub2-setpassword Enter password: Confirm password: OR create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat < EOF Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg OR # update-grub - check: audit: "grep \"^\\s*GRUB2_PASSWORD\" /boot/grub2/user.cfg" constraints: boot: - grub2 tests: test_items: - flag: "GRUB2_PASSWORD" remediation: | For grub based systems create an encrypted password with grub-md5-crypt: # grub-crypt Password: Retype Password: Copy and paste the into the global section of /boot/grub/menu.lst: password For grub2 based systems Create an encrypted password with grub2-setpassword : # grub2-setpassword Enter password: Confirm password: OR create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat < EOF Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg OR # update-grub scored: true - id: 1.4.3 description: "Ensure authentication required for single user mode" audit: 'grep ^root:[*\!]: /etc/shadow' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Consult your documentation and configure single user mode to require a password for login as appropriate. scored: true - id: 1.4.4 description: "Ensure interactive boot is not enabled" sub_checks: - check: audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot' constraints: boot: - grub platform: - rhel7 tests: test_items: - flag: 'PROMPT_FOR_CONFIRM="no"' remediation: | If interactive boot is available disable it. - check: audit: "grep PROMPT /etc/sysconfig/init" constraints: boot: - grub2 platform: - rhel7 tests: test_items: - flag: "PROMPT" compare: op: eq value: "no" remediation: | If interactive boot is available disable it. scored: false - id: 1.5 description: "Additional Process Hardening" checks: - id: 1.5.1.a description: "Ensure core dumps are restricted" audit: "grep \"hard\\s*core\" /etc/security/limits.conf /etc/security/limits.d/*" tests: bin_op: and test_items: - flag: "hard" - flag: "core" remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: * hard core 0 Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload scored: true - id: 1.5.1.b description: "Ensure core dumps are restricted" audit: "sysctl fs.suid_dumpable" tests: test_items: - flag: "fs.suid_dumpable" compare: op: eq value: "0" remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: * hard core 0 Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload scored: true - id: 1.5.1.c description: "Ensure core dumps are restricted" audit: "grep \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" tests: test_items: - flag: "fs.suid_dumpable" compare: op: eq value: "0" remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: * hard core 0 Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload scored: true - id: 1.5.1.d description: "Ensure core dumps are restricted" audit: "systemctl is-enabled coredump.service" tests: bin_op: or test_items: - flag: "enabled" - flag: "disabled" remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: * hard core 0 Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload scored: true - id: 1.5.2 description: "Ensure XD/NX support is enabled" audit: "journalctl | grep 'protection: active'" tests: test_items: - flag: "" compare: op: has value: "kernel: NX (Execute Disable) protection: active" remediation: | On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios. scored: true - id: 1.5.3.a description: "Ensure address space layout randomization (ASLR) is enabled" audit: "sysctl kernel.randomize_va_space" tests: test_items: - flag: "kernel.randomize_va_space" compare: op: eq value: "2" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2 scored: true - id: 1.5.3.b description: "Ensure address space layout randomization (ASLR) is enabled" audit: "grep \"kernel\\.randomize_va_space\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "kernel.randomize_va_space" compare: op: eq value: "2" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2 scored: true - id: 1.5.4 description: "Ensure prelink is disabled" sub_checks: - check: audit: "rpm -q prelink" constraints: platform: - rhel7 tests: test_items: - flag: "package prelink is not installed" remediation: | Run the following command to restore binaries to normal: # prelink -ua Uninstall `prelink` using the appropriate package manager or manual installation: # yum remove prelink # apt-get remove prelink # zypper remove prelink - check: audit: "dpkg -s prelink" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Run the following command to restore binaries to normal: # prelink -ua Uninstall `prelink` using the appropriate package manager or manual installation: yum remove prelink apt-get remove prelink zypper remove prelink - check: audit: "apt-cache show prelink" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Run the following command to restore binaries to normal: # prelink -ua Uninstall `prelink` using the appropriate package manager or manual installation: yum remove prelink apt-get remove prelink zypper remove prelink scored: true - id: 1.6 description: "Mandatory Access Control" checks: - id: 1.6.1 description: "Ensure Mandatory Access Control Software is Installed" checks: - id: 1.6.1.1 description: "Ensure SELinux or AppArmor are installed" sub_checks: - check: audit: "rpm -q libselinux" constraints: platform: - rhel7 lsm: - selinux tests: test_items: - flag: "is not installed" set: false remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: audit: "rpm -q apparmor" constraints: platform: - rhel7 lsm: - apparmor tests: test_items: - flag: "is not installed" set: false remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: audit: "dpkg -s libselinux1" constraints: platform: - ubuntu16 lsm: - selinux tests: test_items: - flag: "is not installed" set: false remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: audit: "dpkg -s apparmor" constraints: platform: - ubuntu16 lsm: - apparmor tests: test_items: - flag: "install ok installed" remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: audit: "apt-cache show libselinux1" constraints: platform: - ubuntu18 lsm: - selinux tests: test_items: - flag: "Installed-Size:" remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: audit: "apt-cache show apparmor" constraints: platform: - ubuntu18 lsm: - apparmor tests: test_items: - flag: "Installed-Size:" remediation: | Install SELinux or apparmor using the appropriate package manager or manual installation: # yum install libselinux # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - id: 1.6.2 description: "Configure SELinux" checks: - id: 1.6.2.1 description: "Ensure SELinux is not disabled in bootloader configuration" sub_checks: - check: audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" constraints: lsm: - selinux boot: - grub tests: bin_op: and test_items: - flag: "selinux" compare: op: eq value: "0" set: false - flag: "enforcing" compare: op: eq value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" Run the following command to update the `grub2` configuration: # update-grub - check: audit: "grep \"^\\s*linux\" /boot/grub2/grub.cfg" constraints: lsm: - selinux boot: - grub2 tests: bin_op: and test_items: - flag: "selinux" compare: op: eq value: "0" set: false - flag: "enforcing" compare: op: eq value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" Run the following command to update the `grub2` configuration: # update-grub or # grub2-mkconfig -o /boot/grub2/guub.cfg scored: true - id: 1.6.2.2.a description: "Ensure the SELinux state is enforcing" sub_checks: - check: audit: "grep SELINUX=enforcing /etc/selinux/config" constraints: lsm: - selinux tests: test_items: - flag: "SELINUX=enforcing" remediation: | Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing scored: true - id: 1.6.2.2.b description: "Ensure the SELinux state is enforcing" sub_checks: - check: audit: "sestatus" constraints: lsm: - selinux tests: bin_op: and test_items: - flag: "SELinux status:" compare: op: has value: "enabled" - flag: "Current mode:" compare: op: has value: "enforcing" - flag: "Mode from config file:" compare: op: has value: "enforcing" remediation: | Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing scored: true - id: 1.6.2.3.a description: "Ensure SELinux policy is configured" sub_checks: - check: audit: "grep SELINUXTYPE=targeted /etc/selinux/config" constraints: lsm: - selinux tests: test_items: - flag: "SELINUXTYPE=targeted" remediation: | Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted scored: true - id: 1.6.2.3.b description: "Ensure SELinux policy is configured" sub_checks: - check: audit: "sestatus" constraints: lsm: - selinux tests: bin_op: or test_items: - flag: "Policy from config file:" compare: op: has value: "targeted" - flag: "Policy from config file:" compare: op: has value: "mils" remediation: | Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted scored: true - id: 1.6.2.4 description: "Ensure SETroubleshoot is not installed" sub_checks: - check: audit: "rpm -q setroubleshoot" constraints: platform: - rhel7 lsm: - selinux tests: test_items: - flag: "is not installed" remediation: | Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: # yum remove setroubleshoot # apt-get remove setroubleshoot # zypper remove setroubleshoot - check: audit: "dpkg -s setroubleshoot" constraints: platform: - ubuntu16 lsm: - selinux tests: test_items: - flag: "is not installed" remediation: | Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: # yum remove setroubleshoot # apt-get remove setroubleshoot # zypper remove setroubleshoot - check: audit: "apt-cache show setroubleshoot" constraints: platform: - ubuntu18 lsm: - selinux tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: # yum remove setroubleshoot # apt-get remove setroubleshoot # zypper remove setroubleshoot scored: true - id: 1.6.2.5 description: "Ensure the MCS Translation Service (mcstrans) is not installed" sub_checks: - check: audit: "rpm -q mcstrans" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Uninstall `mcstrans` using the appropriate package manager or manual installation: yum remove mcstrans apt-get remove mcstrans zypper remove mcstrans - check: audit: "dpkg -s mcstrans" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `mcstrans` using the appropriate package manager or manual installation: yum remove mcstrans apt-get remove mcstrans zypper remove mcstrans - check: audit: "apt-cache show mcstrans" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `mcstrans` using the appropriate package manager or manual installation: yum remove mcstrans apt-get remove mcstrans zypper remove mcstrans scored: true - id: 1.6.2.6 description: "Ensure no unconfined daemons exist" audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }''' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them. scored: true - id: 1.6.3 description: "Configure AppArmor" checks: - id: 1.6.3.1 description: "Ensure AppArmor is not disabled in bootloader configuration" sub_checks: - check: audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" constraints: lsm: - apparmor boot: - grub tests: test_items: - flag: "apparmor" compare: op: eq value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" Run the following command to update the `grub2` configuration: # update-grub - check: audit: "grep LINUX /etc/default/grub" constraints: lsm: - apparmor boot: - grub2 tests: test_items: - flag: "apparmor" compare: op: eq value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" Run the following command to update the `grub2` configuration: # update-grub scored: true - id: 1.6.3.2 description: "Ensure all AppArmor Profiles are enforcing" sub_checks: - check: audit: "apparmor_status" type: manual constraints: lsm: - apparmor tests: remediation: | Run the following command to set all profiles to enforce mode: # enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted. scored: true - id: 1.7 description: "Warning Banners" checks: - id: 1.7.1 description: "Command Line Warning Banners" checks: - id: 1.7.1.1.a description: "Ensure message of the day is configured properly" audit: "cat /etc/motd" type: manual remediation: | Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. scored: true - id: 1.7.1.1.b description: "Ensure message of the day is configured properly" audit: "grep -E -i \"(\\\\v|\\\\r|\\\\m|\\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/motd" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v. scored: true - id: 1.7.1.2.a description: "Ensure local login warning banner is configured properly" audit: "cat /etc/issue" type: manual remediation: | Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue scored: true - id: 1.7.1.2.b description: "Ensure local login warning banner is configured properly" audit: "grep -E -i \"(\\\\v|\\\\r|\\\\m|\\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/issue" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue scored: true - id: 1.7.1.3.a description: "Ensure remote login warning banner is configured properly" audit: "cat /etc/issue.net" type: manual tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net scored: true - id: 1.7.1.3.b description: "Ensure remote login warning banner is configured properly" audit: "grep -E -i \"(\\\\v|\\\\r|\\\\m|\\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/issue.net" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net scored: true - id: 1.7.1.4 description: "Ensure permissions on /etc/motd are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/motd" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on `/etc/motd` : # chown root:root /etc/motd # chmod 644 /etc/motd scored: true - id: 1.7.1.5 description: "Ensure permissions on /etc/issue are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod 644 /etc/issue scored: true - id: 1.7.1.6 description: "Ensure permissions on /etc/issue.net are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue.net" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod 644 /etc/issue.net scored: true - id: 1.7.2 description: "Ensure GDM login banner is configured" audit: "grep -v ^#.* /etc/gdm3/greeter.dconf-defaults" tests: bin_op: and test_items: - flag: "[org/gnome/login-screen]" - flag: "banner-message-enable=true" - flag: "banner-message-text" remediation: | Edit or create the file /etc/gdm3/greeter.dconf-defaults and add the following: [org/gnome/login-screen] banner-message-enable=true banner-message-text='Authorized uses only. All activity may be monitored and reported.' scored: true - id: 1.8 description: "Ensure updates, patches, and additional security software are installed" sub_checks: - check: audit: "yum check-update" type: manual constraints: platform: - rhel7 remediation: | Use your package manager to update all packages on the system according to site policy. - check: audit: "apt-get -s upgrade" type: manual constraints: platform: - ubuntu16 - ubuntu18 remediation: | Use your package manager to update all packages on the system according to site policy. - check: audit: "zypper list-updates" type: manual constraints: platform: - opensuse remediation: | Use your package manager to update all packages on the system according to site policy. scored: false - id: 2 description: "Services" - id: 2.1 description: "inetd Services" checks: - id: 2.1.1.a description: "Ensure chargen services are not enabled" audit: 'grep -R "^chargen" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `chargen` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `chargen` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.1.b description: "Ensure chargen services are not enabled" audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* ' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `chargen` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `chargen` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.2.a description: "Ensure daytime services are not enabled" audit: 'grep -R "^daytime" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `daytime` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `daytime` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.2.b description: "Ensure daytime services are not enabled" audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `daytime` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `daytime` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.3.a description: "Ensure discard services are not enabled" audit: 'grep -R "^discard" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `discard` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `discard` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.3.b description: "Ensure discard services are not enabled" audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `discard` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `discard` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.4.a description: "Ensure echo services are not enabled" audit: 'grep -R "^echo" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `echo` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `echo` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.4.b description: "Ensure echo services are not enabled" audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `echo` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `echo` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.5.a description: "Ensure time services are not enabled" audit: 'grep -R "^time" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `time` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `time` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.5.b description: "Ensure time services are not enabled" audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `time` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `time` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.6.a description: "Ensure rsh server is not enabled" audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `shell` , `login` , or `exec` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `rsh` , `rlogin` , and `rexec` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.6.b description: "Ensure rsh server is not enabled" audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `shell` , `login` , or `exec` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `rsh` , `rlogin` , and `rexec` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.7.a description: "Ensure talk server is not enabled" audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `talk` or `ntalk` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `talk` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.7.b description: "Ensure talk server is not enabled" audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `talk` or `ntalk` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `talk` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.8.a description: "Ensure telnet server is not enabled" audit: 'grep -R "^telnet" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `telnet` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `telnet` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.8.b description: "Ensure telnet server is not enabled" audit: 'grep -R "^telnet" /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `telnet` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `telnet` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.9.a description: "Ensure tftp server is not enabled" audit: 'grep -R "^tftp" /etc/inetd.*' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Comment out or remove any lines starting with `tftp` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `tftp` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.9.b description: "Ensure tftp server is not enabled" audit: 'grep -R "^tftp" /etc/xinetd.*' tests: test_items: - flag: "disable" compare: op: eq value: "yes" remediation: | Comment out or remove any lines starting with `tftp` from `/etc/inetd.conf` and `/etc/inetd.d/*` . Set `disable = yes` on all `tftp` services in `/etc/xinetd.conf` and `/etc/xinetd.d/*` . scored: true - id: 2.1.10 description: "Ensure xinetd service is not enabled" sub_checks: - check: audit: "chkconfig --list xinetd" constraints: platform: - rhel6 tests: test_items: - flag: "xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `xinetd` : # chkconfig xinetd off # systemctl disable xinetd # update-rc.d xinetd disable - check: audit: "systemctl is-enabled xinetd" constraints: platform: - ubuntu18 #- rhel7 #- ubuntu16 #- ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `xinetd` : # chkconfig xinetd off # systemctl disable xinetd # update-rc.d xinetd disable - check: audit: "ls /etc/rc*.d | grep xinetd" constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `xinetd` : # chkconfig xinetd off # systemctl disable xinetd # update-rc.d xinetd disable scored: true - id: 2.2 description: "Special Purpose Services" checks: - id: 2.2.1 description: "Time Synchronization" checks: - id: 2.2.1.1.a description: "Ensure time synchronization is in use" sub_checks: - check: audit: "rpm -q ntp" constraints: platform: - rhel7 tests: test_items: - flag: "package ntp is not installed" set: false remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. - check: audit: "dpkg -s ntp" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. - check: audit: "apt-cache show ntp" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. scored: false - id: 2.2.1.1.b description: "Ensure time synchronization is in use" sub_checks: - check: audit: "rpm -q chrony" constraints: platform: - rhel7 tests: test_items: - flag: "package chrony is not installed" set: false remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. - check: audit: "dpkg -s chrony" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. - check: audit: "apt-cache show chrony" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: # yum install ntp # dnf install ntp # apt-get install ntp # zypper install ntp # emerge ntp The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. scored: false - id: 2.2.1.2.a description: "Ensure ntp is configured" audit: "grep ^restrict /etc/ntp.conf" tests: bin_op: and test_items: - flag: "restrict -4 default kod nomodify notrap nopeer noquery" - flag: "restrict -6 default kod nomodify notrap nopeer noquery" remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/sysconfig/ntpd` : OPTIONS="-u ntp:ntp" `/etc/sysconfig/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp scored: true - id: 2.2.1.2.b description: "Ensure ntp is configured" audit: 'grep -E "^(server|pool)" /etc/ntp.conf' type: manual tests: test_items: - flag: "server " remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/sysconfig/ntpd` : OPTIONS="-u ntp:ntp" `/etc/sysconfig/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp scored: true - id: 2.2.1.2.c description: "Ensure ntp is configured" sub_checks: - check: audit: "grep ^OPTIONS /etc/sysconfig/ntpd" constraints: platform: - rhel7 tests: test_items: - flag: 'OPTIONS="-u ntp:ntp"' remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/sysconfig/ntpd` : OPTIONS="-u ntp:ntp" `/etc/sysconfig/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp - check: audit: "grep ^OPTIONS /etc/default/ntp" constraints: platform: - ubuntu16 - ubuntu18 tests: test_items: - flag: 'OPTIONS="-u ntp:ntp"' remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/default/ntp` : OPTIONS="-u ntp:ntp" `/etc/default/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp scored: true - id: 2.2.1.2.d description: "Ensure ntp is configured" sub_checks: - check: audit: "grep ^NTPD_OPTIONS /etc/sysconfig/ntp" constraints: platform: - rhel7 tests: test_items: - flag: 'NTPD_OPTIONS="-u ntp:ntp"' remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/sysconfig/ntpd` : OPTIONS="-u ntp:ntp" `/etc/sysconfig/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp - check: audit: "grep ^NTPD_OPTIONS /etc/default/ntp" constraints: platform: - ubuntu16 - ubuntu18 tests: test_items: - flag: 'NTPD_OPTIONS="-u ntp:ntp"' remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/default/ntp` : OPTIONS="-u ntp:ntp" `/etc/default/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp scored: true - id: 2.2.1.2.e description: "Ensure ntp is configured" audit: "grep RUNASUSER=ntp /etc/init.d/ntp" tests: test_items: - flag: "RUNASUSER" compare: op: eq value: "ntp" remediation: | Add or edit restrict lines in `/etc/ntp.conf` to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to `/etc/ntp.conf` as appropriate: server Configure `ntp` to run as the `ntp` user by adding or editing one of the following files as appropriate for your distribution: `/etc/sysconfig/ntpd` : OPTIONS="-u ntp:ntp" `/etc/sysconfig/ntp` : NTPD_OPTIONS="-u ntp:ntp" `/etc/init.d/ntp`: RUNASUSER=ntp scored: true - id: 2.2.1.3.a description: "Ensure chrony is configured" audit: 'grep -E "^(server|pool)" /etc/chrony.conf' type: manual tests: test_items: - flag: "server " remediation: | Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server Configure `chrony` to run as the `chrony` user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in `/etc/init.d` or `/etc/systemd`. scored: true - id: 2.2.1.3.b description: "Ensure chrony is configured" audit: "ps -ef | grep chronyd" type: manual remediation: | Add or edit server or pool lines to `/etc/chrony.conf` as appropriate: server Configure `chrony` to run as the `chrony` user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in `/etc/init.d` or `/etc/systemd`. scored: true - id: 2.2.1.4.a description: "Ensure ntp is configured" audit: "systemctl is-enabled systemd-timesyncd.service" tests: test_items: - flag: "enabled" remediation: | Run the following command to enable systemd-timesyncd systemctl enable systemd-timesyncd.service edit the file /etc/systemd/timesyncd.conf and add/modify the following lines: NTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy FallbackNTP=2.debian.pool.ntp.org 3.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy RootDistanceMax=1 #should be In Accordence With Local Policy Run the following commands to start systemd-timesyncd.service # systemctl start systemd-timesyncd.service # timedatectl set-ntp true scored: true - id: 2.2.1.4.b description: "Ensure ntp is configured" audit: "timedatectl status" type: manual remediation: | Run the following command to enable systemd-timesyncd systemctl enable systemd-timesyncd.service edit the file /etc/systemd/timesyncd.conf and add/modify the following lines: NTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy FallbackNTP=2.debian.pool.ntp.org 3.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy RootDistanceMax=1 #should be In Accordence With Local Policy Run the following commands to start systemd-timesyncd.service # systemctl start systemd-timesyncd.service # timedatectl set-ntp true scored: true - id: 2.2.2 description: "Ensure X Window System is not installed" sub_checks: - check: audit: "rpm -q xorg-x11*" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Remove the X Windows System packages using the appropriate package manager or manual installation: yum remove xorg-x11* apt-get remove xserver-xorg* zypper remove xorg-x11* - check: audit: "dpkg -l xserver-xorg*" constraints: platform: - ubuntu16 tests: test_items: - flag: "ii" set: false remediation: | Remove the X Windows System packages using the appropriate package manager or manual installation: yum remove xorg-x11* apt-get remove xserver-xorg* zypper remove xorg-x11* - check: audit: "apt-cache policy xserver-xorg* | grep Installed -B1" use_multiple_values: true constraints: platform: - ubuntu18 tests: bin_op: or test_items: - flag: "Installed" compare: op: eq value: "(none)" - flag: "Installed" set: false remediation: | Remove the X Windows System packages using the appropriate package manager or manual installation: yum remove xorg-x11* apt-get remove xserver-xorg* zypper remove xorg-x11* scored: true - id: 2.2.3 description: "Ensure Avahi service is not enabled" sub_checks: - check: audit: "chkconfig --list avahi-daemon" constraints: platform: - rhel6 tests: test_items: - flag: "avahi-daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `avahi-daemon` : # chkconfig avahi-daemon off # systemctl disable avahi-daemon # update-rc.d avahi-daemon disable - check: audit: "systemctl is-enabled avahi-daemon" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `avahi-daemon` : # chkconfig avahi-daemon off # systemctl disable avahi-daemon # update-rc.d avahi-daemon disable - check: audit: "ls /etc/rc*.d | grep avahi-daemon" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `avahi-daemon` : # chkconfig avahi-daemon off # systemctl disable avahi-daemon # update-rc.d avahi-daemon disable scored: true - id: 2.2.4 description: "Ensure cups service is not enabled" sub_checks: - check: audit: "chkconfig --list cups" constraints: platform: - rhel6 tests: test_items: - flag: "cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `cups` : # chkconfig cups off # systemctl disable cups # update-rc.d cups disable - check: audit: "systemctl is-enabled cups" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `cups` : # chkconfig cups off # systemctl disable cups # update-rc.d cups disable - check: audit: "ls /etc/rc*.d | grep cups" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `cups` : # chkconfig cups off # systemctl disable cups # update-rc.d cups disable scored: true - id: 2.2.5 description: "Ensure DHCP service is not enabled" sub_checks: - check: audit: "chkconfig --list dhcpd" constraints: platform: - rhel6 tests: test_items: - flag: "dhcpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `dhcpd` : # chkconfig dhcpd off # systemctl disable dhcpd # update-rc.d dhcpd disable - check: audit: "systemctl is-enabled dhcpd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `dhcpd` : # chkconfig dhcpd off # systemctl disable dhcpd # update-rc.d dhcpd disable - check: audit: "ls /etc/rc*.d | grep dhcpd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `dhcpd` : # chkconfig dhcpd off # systemctl disable dhcpd # update-rc.d dhcpd disable scored: true - id: 2.2.6 description: "Ensure LDAP service is not enabled" sub_checks: - check: audit: "chkconfig --list slapd" constraints: platform: - rhel6 tests: test_items: - flag: "slapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `slapd` : # chkconfig slapd off # systemctl disable slapd # update-rc.d slapd disable - check: audit: "systemctl is-enabled slapd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `slapd` : # chkconfig slapd off # systemctl disable slapd # update-rc.d slapd disable - check: audit: "ls /etc/rc*.d | grep slapd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `slapd` : # chkconfig slapd off # systemctl disable slapd # update-rc.d slapd disable scored: true - id: 2.2.7.a description: "Ensure NFS and RPC are not enabled" sub_checks: - check: audit: "chkconfig --list nfs" constraints: platform: - rhel6 tests: test_items: - flag: "nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `nfs` : # chkconfig nfs off # systemctl disable nfs # update-rc.d nfs disable - check: audit: "systemctl is-enabled nfs" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `nfs` : # chkconfig nfs off # systemctl disable nfs # update-rc.d nfs disable - check: audit: "ls /etc/rc*.d | grep nfs" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `nfs` : # chkconfig nfs off # systemctl disable nfs # update-rc.d nfs disable scored: true - id: 2.2.7.b description: "Ensure NFS and RPC are not enabled" sub_checks: - check: audit: "chkconfig --list rpcbind" constraints: platform: - rhel6 tests: test_items: - flag: "rpcbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `rpcbind` : # chkconfig rpcbind off # systemctl disable rpcbind # update-rc.d rpcbind disable - check: audit: "systemctl is-enabled rpcbind" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `rpcbind` : # chkconfig rpcbind off # systemctl disable rpcbind # update-rc.d rpcbind disable - check: audit: "ls /etc/rc*.d | grep rpcbind" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "rpcbind" set: false remediation: | Run one of the following commands to disable `rpcbind` : # chkconfig rpcbind off # systemctl disable rpcbind # update-rc.d rpcbind disable scored: true - id: 2.2.8 description: "Ensure DNS service is not enabled" sub_checks: - check: audit: "chkconfig --list named" constraints: platform: - rhel6 tests: test_items: - flag: "named 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `named` : # chkconfig named off # systemctl disable named # update-rc.d named disable - check: audit: "systemctl is-enabled named" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `named` : # chkconfig named off # systemctl disable named # update-rc.d named disable - check: audit: "ls /etc/rc*.d | grep named" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "named" set: false remediation: | Run one of the following commands to disable `named` : # chkconfig named off # systemctl disable named # update-rc.d named disable scored: true - id: 2.2.9 description: "Ensure FTP service is not enabled" sub_checks: - check: audit: "chkconfig --list vsftpd" constraints: platform: - rhel6 tests: test_items: - flag: "vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `vsftpd` : # chkconfig vsftpd off # systemctl disable vsftpd # update-rc.d vsftpd disable - check: audit: "systemctl is-enabled vsftpd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `vsftpd` : # chkconfig vsftpd off # systemctl disable vsftpd # update-rc.d vsftpd disable - check: audit: "ls /etc/rc*.d | grep vsftpd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "vsftpd" set: false remediation: | Run one of the following commands to disable `vsftpd` : # chkconfig vsftpd off # systemctl disable vsftpd # update-rc.d vsftpd disable scored: true - id: 2.2.10 description: "Ensure HTTP service is not enabled" sub_checks: - check: audit: "chkconfig --list httpd" constraints: platform: - rhel6 tests: test_items: - flag: "httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `httpd` : # chkconfig httpd off # systemctl disable httpd # update-rc.d httpd disable - check: audit: "systemctl is-enabled httpd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `httpd` : # chkconfig httpd off # systemctl disable httpd # update-rc.d httpd disable - check: audit: "ls /etc/rc*.d | grep httpd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "httpd" set: false remediation: | Run one of the following commands to disable `httpd` : # chkconfig httpd off # systemctl disable httpd # update-rc.d httpd disable scored: true - id: 2.2.11 description: "Ensure IMAP and POP3 service are not enabled" sub_checks: - check: audit: "chkconfig --list dovecot" constraints: platform: - rhel6 tests: test_items: - flag: "dovecot 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `dovecot` : # chkconfig dovecot off # systemctl disable dovecot # update-rc.d dovecot disable - check: audit: "systemctl is-enabled dovecot" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `dovecot` : # chkconfig dovecot off # systemctl disable dovecot # update-rc.d dovecot disable - check: audit: "ls /etc/rc*.d | grep dovecot" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "dovecot" set: false remediation: | Run one of the following commands to disable `dovecot` : # chkconfig dovecot off # systemctl disable dovecot # update-rc.d dovecot disable scored: true - id: 2.2.12 description: "Ensure Samba is not enabled" sub_checks: - check: audit: "chkconfig --list smb" constraints: platform: - rhel6 tests: test_items: - flag: "smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `smb` : # chkconfig smb off # systemctl disable smb # update-rc.d smb disable - check: audit: "systemctl is-enabled smb" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `smb` : # chkconfig smb off # systemctl disable smb # update-rc.d smb disable - check: audit: "ls /etc/rc*.d | grep smb" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "smb" set: false remediation: | Run one of the following commands to disable `smb` : # chkconfig smb off # systemctl disable smb # update-rc.d smb disable scored: true - id: 2.2.13 description: "Ensure HTTP Proxy Server is not enabled" sub_checks: - check: audit: "chkconfig --list squid" constraints: platform: - rhel6 tests: test_items: - flag: "squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `squid` : # chkconfig squid off # systemctl disable squid # update-rc.d squid disable - check: audit: "systemctl is-enabled squid" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `squid` : # chkconfig squid off # systemctl disable squid # update-rc.d squid disable - check: audit: "ls /etc/rc*.d | grep squid" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "squid" set: false remediation: | Run one of the following commands to disable `squid` : # chkconfig squid off # systemctl disable squid # update-rc.d squid disable scored: true - id: 2.2.14 description: "Ensure SNMP Server is not enabled" sub_checks: - check: audit: "chkconfig --list snmpd" constraints: platform: - rhel6 tests: test_items: - flag: "snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `snmpd` : # chkconfig snmpd off # systemctl disable snmpd # update-rc.d snmpd disable - check: audit: "systemctl is-enabled snmpd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `snmpd` : # chkconfig snmpd off # systemctl disable snmpd # update-rc.d snmpd disable - check: audit: "ls /etc/rc*.d | grep snmpd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "snmpd" set: false remediation: | Run one of the following commands to disable `snmpd` : # chkconfig snmpd off # systemctl disable snmpd # update-rc.d snmpd disable scored: true - id: 2.2.15 description: "Ensure mail transfer agent is configured for local-only mode" audit: | ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127.0.0.1|::1):25\\s' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit `/etc/postfix/main.cf` and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Restart postfix with one of the following commands: # service postfix restart # systemctl restart postfix scored: true - id: 2.2.16 description: "Ensure rsync service is not enabled" sub_checks: - check: audit: "chkconfig --list rsyncd" constraints: platform: - rhel6 tests: test_items: - flag: "rsyncd 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `rsyncd` : # chkconfig rsyncd off # systemctl disable rsyncd # update-rc.d rsyncd disable - check: audit: "systemctl is-enabled rsyncd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `rsyncd` : # chkconfig rsyncd off # systemctl disable rsyncd # update-rc.d rsyncd disable - check: audit: "ls /etc/rc*.d | grep rsyncd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "rsyncd" set: false remediation: | Run one of the following commands to disable `rsyncd` : # chkconfig rsyncd off # systemctl disable rsyncd # update-rc.d rsyncd disable scored: true - id: 2.2.17 description: "Ensure NIS Server is not enabled" sub_checks: - check: audit: "chkconfig --list ypserv" constraints: platform: - rhel6 tests: test_items: - flag: "ypserv 0:off 1:off 2:off 3:off 4:off 5:off 6:off" remediation: | Run one of the following commands to disable `ypserv` : # chkconfig ypserv off # systemctl disable ypserv # update-rc.d ypserv disable - check: audit: "systemctl is-enabled ypserv" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" set: false remediation: | Run one of the following commands to disable `ypserv` : # chkconfig ypserv off # systemctl disable ypserv # update-rc.d ypserv disable - check: audit: "ls /etc/rc*.d | grep ypserv" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "ypserv" set: false remediation: | Run one of the following commands to disable `ypserv` : # chkconfig ypserv off # systemctl disable ypserv # update-rc.d ypserv disable scored: true - id: 2.3 description: "Service Clients" checks: - id: 2.3.1 description: "Ensure NIS Client is not installed" sub_checks: - check: audit: "rpm -q ypbind" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Uninstall `ypbind` using the appropriate package manager or manual installation: yum remove ypbind apt-get remove ypbind zypper remove ypbind - check: audit: "dpkg -s ypbind" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `ypbind` using the appropriate package manager or manual installation: yum remove ypbind apt-get remove ypbind zypper remove ypbind - check: audit: "apt-cache show ypbind" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `ypbind` using the appropriate package manager or manual installation: yum remove ypbind apt-get remove ypbind zypper remove ypbind scored: true - id: 2.3.2 description: "Ensure rsh client is not installed" sub_checks: - check: audit: "rpm -q rsh" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Uninstall `rsh` using the appropriate package manager or manual installation: yum remove rsh apt-get remove rsh zypper remove rsh - check: audit: "dpkg -s rsh-client rsh-redone-client" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `rsh` using the appropriate package manager or manual installation: yum remove rsh apt-get remove rsh zypper remove rsh - check: audit: "apt-cache show rsh-client rsh-redone-client" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `rsh` using the appropriate package manager or manual installation: yum remove rsh apt-get remove rsh zypper remove rsh scored: true - id: 2.3.3 description: "Ensure talk client is not installed" sub_checks: - check: audit: "rpm -q talk" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Uninstall `talk` using the appropriate package manager or manual installation: yum remove talk apt-get remove talk zypper remove talk - check: audit: "dpkg -s talk" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `talk` using the appropriate package manager or manual installation: yum remove talk apt-get remove talk zypper remove talk - check: audit: "apt-cache show talk" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `talk` using the appropriate package manager or manual installation: yum remove talk apt-get remove talk zypper remove talk scored: true - id: 2.3.4 description: "Ensure telnet client is not installed" sub_checks: - check: audit: "rpm -q telnet" constraints: platform: - rhel7 tests: test_items: - flag: "package telnet is not installed" remediation: | Uninstall `telnet` using the appropriate package manager or manual installation: # yum remove telnet # apt-get remove telnet # zypper remove telnet - check: audit: "dpkg -s telnet" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `telnet` using the appropriate package manager or manual installation: # yum remove telnet # apt-get remove telnet # zypper remove telnet - check: audit: "apt-cache show telnet" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `telnet` using the appropriate package manager or manual installation: # yum remove telnet # apt-get remove telnet # zypper remove telnet scored: true - id: 2.3.5 description: "Ensure LDAP client is not installed" sub_checks: - check: audit: "rpm -q openldap-clients" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" remediation: | Uninstall `openldap-clients` using the appropriate package manager or manual installation: # yum remove openldap-clients # apt-get remove openldap-clients # zypper remove openldap-clients - check: audit: "dpkg -s openldap-clients" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" set: false remediation: | Uninstall `openldap-clients` using the appropriate package manager or manual installation: # yum remove openldap-clients # apt-get remove openldap-clients # zypper remove openldap-clients - check: audit: "apt-cache show openldap-clients" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" set: false remediation: | Uninstall `openldap-clients` using the appropriate package manager or manual installation: # yum remove openldap-clients # apt-get remove openldap-clients # zypper remove openldap-clients scored: true - id: 3 description: "Network Configuration" - id: 3.1 description: "Network Parameters (Host Only)etwork Parameters (Host Only)" checks: - id: 3.1.1.a description: "Ensure IP forwarding is disabled" audit: "sysctl net.ipv4.ip_forward" tests: test_items: - flag: "net.ipv4.ip_forward" compare: op: eq value: "0" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.1.1.b description: "Ensure IP forwarding is disabled" audit: "grep ^\\s*\"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.ip_forward" compare: op: eq value: "0" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.1.1.c description: "Ensure IP forwarding is disabled" audit: "sysctl net.ipv6.conf.all.forwarding" tests: test_items: - flag: "net.ipv6.conf.all.forwarding" compare: op: eq value: "0" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.1.1.d description: "Ensure IP forwarding is disabled" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.forwarding" compare: op: eq value: "0" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.1.2.a description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv4.conf.all.send_redirects" tests: test_items: - flag: "net.ipv4.conf.all.send_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.1.2.b description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv4.conf.default.send_redirects" tests: test_items: - flag: "net.ipv4.conf.default.send_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.1.2.c description: "Ensure packet redirect sending is disabled" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.send_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.1.2.d description: "Ensure packet redirect sending is disabled" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.send_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2 description: "Network Parameters (Host and Router)" checks: - id: 3.2.1.a description: "Ensure source routed packets are not accepted" audit: "sysctl net.ipv4.conf.all.accept_source_route" tests: test_items: - flag: "net.ipv4.conf.all.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.b description: "Ensure source routed packets are not accepted" audit: "sysctl net.ipv4.conf.default.accept_source_route" tests: test_items: - flag: "net.ipv4.conf.default.accept_source_route" compare: op: eq value: 0 remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.c description: "Ensure source routed packets are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.d description: "Ensure source routed packets are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.e description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.all.accept_source_route" tests: test_items: - flag: "net.ipv6.conf.all.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.f description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.default.accept_source_route" tests: test_items: - flag: "net.ipv6.conf.default.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.g description: "Ensure packet redirect sending is disabled" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.1.h description: "Ensure packet redirect sending is disabled" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_source_route" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.a description: "Ensure ICMP redirects are not accepted" audit: "sysctl net.ipv4.conf.all.accept_redirects" tests: test_items: - flag: "net.ipv4.conf.all.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.b description: "Ensure ICMP redirects are not accepted" audit: "sysctl net.ipv4.conf.default.accept_redirects" tests: test_items: - flag: "net.ipv4.conf.default.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.c description: "Ensure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.d description: "Ensure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.e description: "Ensure ICMP redirects are not accepted" audit: "sysctl net.ipv6.conf.all.accept_redirects" tests: test_items: - flag: "net.ipv6.conf.all.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.f description: "Ensure ICMP redirects are not accepted" audit: "sysctl net.ipv6.conf.default.accept_redirects" tests: test_items: - flag: "net.ipv6.conf.default.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.g description: "Ensure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.2.h description: "Ensure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.3.a description: "Ensure secure ICMP redirects are not accepted" audit: "sysctl net.ipv4.conf.all.secure_redirects" tests: test_items: - flag: "net.ipv4.conf.all.secure_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.3.b description: "Ensure secure ICMP redirects are not accepted" audit: "sysctl net.ipv4.conf.default.secure_redirects" tests: test_items: - flag: "net.ipv4.conf.default.secure_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.3.c description: "Ensure secure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.secure_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.3.d description: "Ensure secure ICMP redirects are not accepted" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.secure_redirects" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.4.a description: "Ensure suspicious packets are logged" audit: "sysctl net.ipv4.conf.all.log_martians" tests: test_items: - flag: "net.ipv4.conf.all.log_martians" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.4.b description: "Ensure suspicious packets are logged" audit: "sysctl net.ipv4.conf.default.log_martians" tests: test_items: - flag: "net.ipv4.conf.default.log_martians" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.4.c description: "Ensure suspicious packets are logged" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.log_martians" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.4.d description: "Ensure suspicious packets are logged" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.log_martians" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.5.a description: "Ensure broadcast ICMP requests are ignored" audit: "sysctl net.ipv4.icmp_echo_ignore_broadcasts" tests: test_items: - flag: "net.ipv4.icmp_echo_ignore_broadcasts" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.5.b description: "Ensure broadcast ICMP requests are ignored" audit: "grep ^\\s*\"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.icmp_echo_ignore_broadcasts" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.6.a description: "Ensure bogus ICMP responses are ignored" audit: "sysctl net.ipv4.icmp_ignore_bogus_error_responses" tests: test_items: - flag: "net.ipv4.icmp_ignore_bogus_error_responses" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.icmp_ignore_bogus_error_responses = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.6.b description: "Ensure bogus ICMP responses are ignored" audit: "grep ^\\s*\"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.icmp_ignore_bogus_error_responses" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.icmp_ignore_bogus_error_responses = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.7.a description: "Ensure Reverse Path Filtering is enabled" audit: "sysctl net.ipv4.conf.all.rp_filter" tests: test_items: - flag: "net.ipv4.conf.all.rp_filter" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.7.b description: "Ensure Reverse Path Filtering is enabled" audit: "sysctl net.ipv4.conf.default.rp_filter" tests: test_items: - flag: "net.ipv4.conf.default.rp_filter" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.7.c description: "Ensure Reverse Path Filtering is enabled" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.rp_filter" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.7.d description: "Ensure Reverse Path Filtering is enabled" audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.rp_filter" compare: op: eq value: "1" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.8.a description: "Ensure TCP SYN Cookies is enabled" audit: "sysctl net.ipv4.tcp_syncookies" tests: test_items: - flag: "net.ipv4.tcp_syncookies" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.tcp_syncookies = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.8.b description: "Ensure TCP SYN Cookies is enabled" audit: "grep ^\\s*\"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.tcp_syncookies" compare: op: eq value: "1" remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv4.tcp_syncookies = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1 scored: true - id: 3.2.9.a description: "Ensure IPv6 router advertisements are not accepted" audit: "sysctl net.ipv6.conf.all.accept_ra" tests: test_items: - flag: "net.ipv6.conf.all.accept_ra" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.9.b description: "Ensure IPv6 router advertisements are not accepted" audit: "sysctl net.ipv6.conf.default.accept_ra" tests: test_items: - flag: "net.ipv6.conf.default.accept_ra" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.9.c description: "Ensure IPv6 router advertisements are not accepted" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_ra" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.2.9.d description: "Ensure IPv6 router advertisements are not accepted" audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_ra" compare: op: eq value: "0" remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 scored: true - id: 3.3 description: "TCP Wrappers" checks: - id: 3.3.1 description: "Ensure TCP Wrappers is installed" sub_checks: - check: audit: "rpm -q tcp_wrappers" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" set: false remediation: | Install TCP Wrappers using the appropriate package manager or manual installation: yum install tcp_wrappers apt-get install tcpd zypper install tcpd - check: audit: "dpkg -s tcpd" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | Install TCP Wrappers using the appropriate package manager or manual installation: yum install tcp_wrappers apt-get install tcpd zypper install tcpd - check: audit: "apt-cache show tcpd" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | Install TCP Wrappers using the appropriate package manager or manual installation: yum install tcp_wrappers apt-get install tcpd zypper install tcpd scored: false - id: 3.3.2 description: "Ensure /etc/hosts.allow is configured" audit: "cat /etc/hosts.allow" type: manual tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run the following command to create `/etc/hosts.allow` : # echo "ALL: /, /, ..." >/etc/hosts.allow where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system. scored: false - id: 3.3.3 description: "Ensure /etc/hosts.deny is configured" audit: "cat /etc/hosts.deny" tests: test_items: - flag: "ALL: ALL" remediation: | Run the following command to create `/etc/hosts.deny` : # echo "ALL: ALL" >> /etc/hosts.deny scored: false - id: 3.3.4 description: "Ensure permissions on /etc/hosts.allow are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on `/etc/hosts.allow` : # chown root:root /etc/hosts.allow # chmod 644 /etc/hosts.allow scored: true - id: 3.3.5 description: "Ensure permissions on /etc/hosts.deny are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following commands to set permissions on `/etc/hosts.deny` : # chown root:root /etc/hosts.deny # chmod 644 /etc/hosts.deny scored: true - id: 3.4 description: "Uncommon Network Protocols" checks: - id: 3.4.1.a description: "Ensure DCCP is disabled" audit: "modprobe -n -v dccp" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install dccp /bin/true scored: true - id: 3.4.1.b description: "Ensure DCCP is disabled" audit: "lsmod | grep dccp" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install dccp /bin/true scored: true - id: 3.4.2.a description: "Ensure SCTP is disabled" audit: "modprobe -n -v sctp" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install sctp /bin/true scored: true - id: 3.4.2.b description: "Ensure SCTP is disabled" audit: "lsmod | grep sctp" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install sctp /bin/true scored: true - id: 3.4.3.a description: "Ensure RDS is disabled" audit: "modprobe -n -v rds" tests: test_items: - flag: "install /bin/true" compare: op: eq value: "install /bin/true" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install rds /bin/true scored: true - id: 3.4.3.b description: "Ensure RDS is disabled" audit: "lsmod | grep rds" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install rds /bin/true scored: true - id: 3.4.4.a description: "Ensure TIPC is disabled" audit: "modprobe -n -v tipc" tests: test_items: - flag: "install /bin/true" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install tipc /bin/true scored: true - id: 3.4.4.b description: "Ensure TIPC is disabled" audit: "lsmod | grep tipc" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install tipc /bin/true scored: true - id: 3.5 description: "Firewall Configuration" - id: 3.5.1 description: "Configure IPv6 ip6tables" checks: - id: 3.5.1.1 description: "Ensure IPv6 default deny firewall policy" audit: "ip6tables -L" tests: bin_op: and test_items: - flag: "Chain INPUT (policy DROP)" - flag: "Chain FORWARD (policy DROP)" - flag: "Chain OUTPUT (policy DROP)" remediation: | Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP scored: true - id: 3.5.1.2.a description: "Ensure IPv6 loopback traffic is configured" audit: "ip6tables -L INPUT -v -n" type: manual tests: test_items: - flag: | Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 remediation: | Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP scored: true - id: 3.5.1.2.b description: "Ensure IPv6 loopback traffic is configured" audit: "ip6tables -L OUTPUT -v -n" type: manual tests: test_items: - flag: | Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 remediation: | Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP scored: true - id: 3.5.1.3 description: "Ensure IPv6 outbound and established connections are configured" audit: "ip6tables -L -v -n" type: manual remediation: | Configure iptables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections: # ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT # ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT # ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT # ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT # ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT # ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT scored: false - id: 3.5.1.4.a description: "Ensure IPv6 firewall rules exist for all open ports" audit: "ss -6tuln" type: manual remediation: | For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # ip6tables -A INPUT -p --dport -m state --state NEW -j ACCEPT scored: true - id: 3.5.1.4.b description: "Ensure IPv6 firewall rules exist for all open ports" audit: "ip6tables -L INPUT -v -n" type: manual remediation: | For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # ip6tables -A INPUT -p --dport -m state --state NEW -j ACCEPT scored: true - id: 3.5.2 description: "Configure IPv4 iptables" checks: - id: 3.5.2.1 description: "Ensure default deny firewall policy" audit: "iptables -L" tests: bin_op: and test_items: - flag: "Chain INPUT (policy DROP)" - flag: "Chain FORWARD (policy DROP)" - flag: "Chain OUTPUT (policy DROP)" remediation: | Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP scored: true - id: 3.5.2.2.a description: "Ensure loopback traffic is configured" audit: "iptables -L INPUT -v -n" type: manual tests: test_items: - flag: | Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 remediation: | Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP scored: true - id: 3.5.2.2.b description: "Ensure loopback traffic is configured" audit: "iptables -L OUTPUT -v -n" type: manual tests: test_items: - flag: | Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 remediation: | Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP scored: true - id: 3.5.2.3 description: "Ensure outbound and established connections are configured" audit: "iptables -L -v -n" type: manual remediation: | Configure iptables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections: # iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT # iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT # iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT # iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT scored: false - id: 3.5.2.4.a description: "Ensure firewall rules exist for all open ports" audit: "netstat -ln" type: manual tests: test_items: - flag: | Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN remediation: | For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT scored: true - id: 3.5.2.4.b description: "Ensure firewall rules exist for all open ports" audit: "iptables -L INPUT -v -n" type: manual tests: test_items: - flag: | Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW remediation: | For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT scored: true - id: 3.5.3 description: "Ensure iptables is installed" sub_checks: - check: audit: "rpm -q iptables" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" set: false remediation: | Install `iptables` using the appropriate package manager or manual installation: # yum install iptables # apt-get install iptables # zypper install iptables - check: audit: "dpkg -s iptables" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | Install `iptables` using the appropriate package manager or manual installation: # yum install iptables # apt-get install iptables # zypper install iptables - check: audit: "apt-cache show iptables" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | Install `iptables` using the appropriate package manager or manual installation: # yum install iptables # apt-get install iptables # zypper install iptables scored: true - id: 3.6 description: "Ensure wireless interfaces are disabled (Not Scored)" checks: - id: 3.6.a description: "Ensure wireless interfaces are disabled" audit: "iwconfig" type: manual remediation: | Run the following command to disable any wireless interfaces: # ip link set down Disable any wireless interfaces in your network configuration. scored: false - id: 3.6.b description: "Ensure wireless interfaces are disabled" audit: "ip link show up" type: manual remediation: | Run the following command to disable any wireless interfaces: # ip link set down Disable any wireless interfaces in your network configuration. scored: false - id: 3.7 description: "Ensure wireless interfaces are disabled (Not Scored)" checks: - id: 3.7 description: "Disable IPv6" sub_checks: - check: audit: "grep \"^\\s*linux\" /boot/grub/grub.cfg | grep -v ipv6.disabled=1" constraints: boot: - grub tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Depending or your distribution, run the appropriate following command to update the grub2 configuration: # grub2-mkconfig –o /boot/grub2/grub.cfg or # update-grub - check: audit: "grep \"^\\s*linux\" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1" constraints: boot: - grub2 tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Depending or your distribution, run the appropriate following command to update the grub2 configuration: # grub2-mkconfig –o /boot/grub2/grub.cfg or # update-grub scored: false - id: 4 description: "Logging and Auditing" - id: 4.1 description: "Configure System Accounting (auditd)" checks: - id: 4.1.1 description: "Configure Data Retention" checks: - id: 4.1.1.1 description: "Ensure audit log storage size is configured" audit: "grep max_log_file /etc/audit/auditd.conf" type: "manual" tests: test_items: - flag: "max_log_file" compare: op: has value: "" remediation: | Set the following parameter in `/etc/audit/auditd.conf` in accordance with site policy: max_log_file = scored: true - id: 4.1.1.2.a description: "Ensure system is disabled when audit logs are full" audit: "grep ^space_left_action /etc/audit/auditd.conf" tests: test_items: - flag: "space_left_action = email" remediation: | Set the following parameters in `/etc/audit/auditd.conf:` space_left_action = email action_mail_acct = root admin_space_left_action = halt scored: true - id: 4.1.1.2.b description: "Ensure system is disabled when audit logs are full" audit: "grep action_mail_acct /etc/audit/auditd.conf" tests: test_items: - flag: "action_mail_acct = root" remediation: | Set the following parameters in `/etc/audit/auditd.conf:` space_left_action = email action_mail_acct = root admin_space_left_action = halt scored: true - id: 4.1.1.2.c description: "Ensure system is disabled when audit logs are full" audit: "grep admin_space_left_action /etc/audit/auditd.conf" tests: test_items: - flag: "admin_space_left_action = halt" remediation: | Set the following parameters in `/etc/audit/auditd.conf:` space_left_action = email action_mail_acct = root admin_space_left_action = halt scored: true - id: 4.1.1.3 description: "Ensure audit logs are not automatically deleted" audit: "grep max_log_file_action /etc/audit/auditd.conf" tests: test_items: - flag: "max_log_file_action = keep_logs" remediation: | Set the following parameter in `/etc/audit/auditd.conf:` max_log_file_action = keep_logs scored: true - id: 4.1.2 description: "Ensure auditd service is enabled" sub_checks: - check: audit: "rpm -q audit audit-libs" constraints: platform: - rhel7 tests: test_items: - flag: "is not installed" set: false remediation: | Run the following command to Install auditd # yum install audit audit-libs # apt-get install auditd audispd-plugins # zipper install audit audit-libs - check: audit: "dpkg -s auditd audispd-plugins" constraints: platform: - ubuntu16 tests: test_items: - flag: "install ok installed" remediation: | Run the following command to Install auditd # yum install audit audit-libs # apt-get install auditd audispd-plugins # zipper install audit audit-libs - check: audit: "apt-cache show auditd" constraints: platform: - ubuntu18 tests: test_items: - flag: "Installed-Size:" remediation: | Run the following command to Install auditd # yum install audit audit-libs # apt-get install auditd audispd-plugins # zipper install audit audit-libs scored: true - id: 4.1.3 description: "Ensure auditd service is enabled" sub_checks: - check: audit: "chkconfig --list auditd" constraints: platform: - rhel6 tests: test_items: - flag: "auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off" remediation: | Run one of the following commands to enable `auditd` : # chkconfig auditd on # systemctl enable auditd # update-rc.d auditd enable - check: audit: "systemctl is-enabled auditd" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" remediation: | Run one of the following commands to enable `auditd` : # chkconfig auditd on # systemctl enable auditd # update-rc.d auditd enable - check: audit: "ls /etc/rc*.d | grep auditd" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run one of the following commands to enable `auditd` : # chkconfig auditd on # systemctl enable auditd # update-rc.d auditd enable scored: true - id: 4.1.4 description: "Ensure auditing for processes that start prior to auditd is enabled" sub_checks: - check: audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" constraints: boot: - grub tests: test_items: - flag: "audit=1" remediation: | For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the `grub2` configuration: # update-grub - check: audit: "grep -i linux /etc/default/grub" constraints: boot: - grub2 bin_op: and tests: test_items: - flag: "GRUB_CMDLINE_LINUX=" - flag: "audit=1" remediation: | For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the `grub2` configuration: # update-grub scored: true - id: 4.1.5.a description: "Ensure events that modify date and time information are collected" audit: "grep time-change /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" - flag: "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" - flag: "-a always,exit -F arch=b64 -S clock_settime -k time-change" - flag: "-a always,exit -F arch=b32 -S clock_settime -k time-change" - flag: "-w /etc/localtime -p wa -k time-change" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change scored: true - id: 4.1.5.b description: "Ensure events that modify date and time information are collected" audit: "auditctl -l | grep time-change" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" - flag: "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" - flag: "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" - flag: "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" - flag: "-w /etc/localtime -p wa -k time-change" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change scored: true - id: 4.1.6.a description: "Ensure events that modify user/group information are collected" audit: "grep identity /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-w /etc/group -p wa -k identity" - flag: "-w /etc/passwd -p wa -k identity" - flag: "-w /etc/gshadow -p wa -k identity" - flag: "-w /etc/shadow -p wa -k identity" - flag: "-w /etc/security/opasswd -p wa -k identity" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity scored: true - id: 4.1.6.b description: "Ensure events that modify user/group information are collected" audit: "auditctl -l | grep identity" tests: bin_op: and test_items: - flag: "-w /etc/group -p wa -k identity" - flag: "-w /etc/passwd -p wa -k identity" - flag: "-w /etc/gshadow -p wa -k identity" - flag: "-w /etc/shadow -p wa -k identity" - flag: "-w /etc/security/opasswd -p wa -k identity" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity scored: true - id: 4.1.7.a description: "Ensure events that modify the system's network environment are collected" audit: "grep system-locale /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" - flag: "-w /etc/issue -p wa -k system-locale" - flag: "-w /etc/issue.net -p wa -k system-locale" - flag: "-w /etc/hosts -p wa -k system-locale" - flag: "-w /etc/sysconfig/network -p wa -k system-locale" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale scored: true - id: 4.1.7.b description: "Ensure events that modify the system's network environment are collected" audit: "auditctl -l | grep system-locale" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" - flag: "-w /etc/issue -p wa -k system-locale" - flag: "-w /etc/issue.net -p wa -k system-locale" - flag: "-w /etc/hosts -p wa -k system-locale" - flag: "-w /etc/sysconfig/network -p wa -k system-locale" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale scored: true - id: 4.1.8.a description: "Ensure events that modify the system's Mandatory Access Controls are collected" sub_checks: - check: audit: "grep MAC-policy /etc/audit/rules.d/*.rules" constraints: lsm: - selinux tests: bin_op: and test_items: - flag: "-w /etc/selinux/ -p wa -k MAC-policy" - flag: "-w /usr/share/selinux/ -p wa -k MAC-policy" remediation: | On systems using SELinux Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy - check: audit: "grep MAC-policy /etc/audit/rules.d/*.rules" constraints: lsm: - apparmor tests: bin_op: and test_items: - flag: "-w /etc/apparmor/ -p wa -k MAC-policy" - flag: "-w /etc/apparmor.d/ -p wa -k MAC-policy" remediation: | On systems using AppArmor Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy scored: true - id: 4.1.8.b description: "Ensure events that modify the system's Mandatory Access Controls are collected" sub_checks: - check: audit: "auditctl -l | grep MAC-policy" constraints: lsm: - selinux tests: bin_op: and test_items: - flag: "-w /etc/selinux -p wa -k MAC-policy" - flag: "-w /usr/share/selinux -p wa -k MAC-policy" remediation: | On systems using SELinux Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy - check: audit: "auditctl -l | grep MAC-policy" constraints: lsm: - apparmor tests: bin_op: and test_items: - flag: "-w /etc/apparmor -p wa -k MAC-policy" - flag: "-w /etc/apparmor.d -p wa -k MAC-policy" remediation: | On systems using AppArmor Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy scored: true - id: 4.1.9.a description: "Ensure login and logout events are collected" audit: "grep logins /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-w /var/log/faillog -p wa -k logins" - flag: "-w /var/log/lastlog -p wa -k logins" - flag: "-w /var/log/tallylog -p wa -k logins" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins scored: true - id: 4.1.9.b description: "Ensure login and logout events are collected" audit: "auditctl -l | grep logins" tests: test_items: - flag: "-w /var/log/faillog -p wa -k logins" - flag: "-w /var/log/lastlog -p wa -k logins" - flag: "-w /var/log/tallylog -p wa -k logins" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins scored: true - id: 4.1.10.a description: "Ensure session initiation information is collected" audit: "grep -E '(session|logins)' /etc/audit/rules.d/*.rules" tests: test_items: - flag: "-w /var/run/utmp -p wa -k session" - flag: "-w /var/log/wtmp -p wa -k logins" - flag: "-w /var/log/btmp -p wa -k logins" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins scored: true - id: 4.1.10.b description: "Ensure session initiation information is collected" audit: "auditctl -l | grep -E '(session|logins)'" tests: test_items: - flag: "-w /var/run/utmp -p wa -k session" - flag: "-w /var/log/wtmp -p wa -k logins" - flag: "-w /var/log/btmp -p wa -k logins" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins scored: true - id: 4.1.11.a description: "Ensure discretionary access control permission modification events are collected" audit: "grep perm_mod /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" - flag: "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" - flag: "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" - flag: "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" - flag: "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" - flag: "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod scored: true - id: 4.1.11.b description: "Ensure discretionary access control permission modification events are collected" audit: "auditctl -l | grep perm_mod" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" - flag: "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" - flag: "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" - flag: "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" - flag: "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" - flag: "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod scored: true - id: 4.1.12.a description: "Ensure unsuccessful unauthorized file access attempts are collected" audit: "grep access /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" - flag: "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access scored: true - id: 4.1.12.b description: "Ensure unsuccessful unauthorized file access attempts are collected" audit: "auditctl -l | grep access" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access scored: true - id: 4.1.13 description: "Ensure use of privileged commands is collected" audit: "find -xdev \\( -perm -4000 -o -perm -2000 \\) -type f | awk '{print \"-a always,exit -F path=\" $1 \" -F perm=x -F auid>=500 -F auid!=4294967295 \ -k privileged\" }' " type: "manual" remediation: | To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: -F path=" $1 " - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=500 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events All audit records should be tagged with the identifier "privileged". Run the following command replacing with a list of partitions where programs can be executed from on your system: # find -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 \ -k privileged" }' Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules And add all resulting lines to the file. scored: true - id: 4.1.14.a description: "Ensure successful file system mounts are collected" audit: "grep mounts /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts scored: true - id: 4.1.14.b description: "Ensure successful file system mounts are collected" audit: "auditctl -l | grep mounts" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts scored: true - id: 4.1.15.a description: "Ensure file deletion events by users are collected" audit: "grep delete /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" - flag: "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete scored: true - id: 4.1.15.b description: "Ensure file deletion events by users are collected" audit: "auditctl -l | grep delete" tests: bin_op: and test_items: - flag: "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" - flag: "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete scored: true - id: 4.1.16.a description: "Ensure changes to system administration scope (sudoers) is collected" audit: "grep scope /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-w /etc/sudoers -p wa -k scope" - flag: "-w /etc/sudoers.d/ -p wa -k scope" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope scored: true - id: 4.1.16.b description: "Ensure changes to system administration scope (sudoers) is collected" audit: "auditctl -l | grep scope" tests: bin_op: and test_items: - flag: "-w /etc/sudoers -p wa -k scope" - flag: "-w /etc/sudoers.d -p wa -k scope" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope scored: true - id: 4.1.17.a description: "Ensure system administrator actions (sudolog) are collected" audit: "grep actions /etc/audit/rules.d/*.rules" tests: test_items: - flag: "-w /var/log/sudo.log -p wa -k actions" compare: op: eq value: "-w /var/log/sudo.log -p wa -k actions" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/log/sudo.log -p wa -k actions scored: true - id: 4.1.17.b description: "Ensure system administrator actions (sudolog) are collected" audit: "auditctl -l | grep actions" tests: test_items: - flag: "-w /var/log/sudo.log -p wa -k actions" remediation: | Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /var/log/sudo.log -p wa -k actions scored: true - id: 4.1.18.a description: "Ensure kernel module loading and unloading is collected" audit: "grep modules /etc/audit/rules.d/*.rules" tests: bin_op: and test_items: - flag: "-w /sbin/insmod -p x -k modules" - flag: "-w /sbin/rmmod -p x -k modules" - flag: "-w /sbin/modprobe -p x -k modules" - flag: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules scored: true - id: 4.1.18.b description: "Ensure kernel module loading and unloading is collected" audit: "auditctl -l | grep modules" tests: bin_op: and test_items: - flag: "-w /sbin/insmod -p x -k modules" - flag: "-w /sbin/rmmod -p x -k modules" - flag: "-w /sbin/modprobe -p x -k modules" - flag: "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules" remediation: | For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules and add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules scored: true - id: 4.1.19 description: "Ensure the audit configuration is immutable" audit: "grep ^\\s*[^#] /etc/audit/rules.d/*.rules | tail -1" tests: test_items: - flag: "-e 2" remediation: | Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file scored: true - id: 4.2 description: "Configure Logging" - id: 4.2.1 description: "Configure rsyslog" checks: - id: 4.2.1.1 description: "Ensure rsyslog is installed" sub_checks: - check: audit: "rpm -q rsyslog" constraints: platform: - rhel7 syslog: - rsyslog tests: test_items: - flag: "is not installed" set: false remediation: | Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: # yum install rsyslog # apt-get install rsyslog # zypper install rsyslog The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. - check: audit: "dpkg -s rsyslog" constraints: platform: - ubuntu16 syslog: - rsyslog tests: test_items: - flag: "install ok installed" remediation: | Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: # yum install rsyslog # apt-get install rsyslog # zypper install rsyslog The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. - check: audit: "apt-cache show rsyslog" constraints: platform: - ubuntu18 syslog: - rsyslog tests: test_items: - flag: "Installed-Size:" remediation: | Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: # yum install rsyslog # apt-get install rsyslog # zypper install rsyslog The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. scored: true - id: 4.2.1.2 description: "Ensure rsyslog Service is enabled" sub_checks: - check: audit: "chkconfig --list rsyslog" constraints: platform: - rhel6 tests: test_items: - flag: "rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off" remediation: | Run one of the following commands to enable `rsyslog` : # chkconfig rsyslog on # systemctl enable rsyslog # update-rc.d rsyslog enable - check: audit: "systemctl is-enabled rsyslog" constraints: platform: - rhel7 - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" remediation: | Run one of the following commands to enable `rsyslog` : # chkconfig rsyslog on # systemctl enable rsyslog # update-rc.d rsyslog enable - check: audit: "ls /etc/rc*.d | grep rsyslog" type: manual constraints: platform: - ubuntuOptional tests: test_items: - flag: "" remediation: | Run one of the following commands to enable `rsyslog` : # chkconfig rsyslog on # systemctl enable rsyslog # update-rc.d rsyslog enable scored: true - id: 4.2.1.3 description: "Ensure logging is configured" sub_checks: - check: audit: "ls -l /var/log/" constraints: syslog: - rsyslog type: manual remediation: | Edit the following lines in the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err /var/log/mail.err news.crit -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Run the following command to reload the `rsyslogd` configuration: # pkill -HUP rsyslogd scored: false - id: 4.2.1.4 description: "Ensure rsyslog default file permissions configured" sub_checks: - check: audit: "grep ^\\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf -h | tr \"$\" \" \" " constraints: syslog: - rsyslog tests: test_items: - flag: "FileCreateMode" compare: op: bitmask value: "0640" remediation: | Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files and set `$FileCreateMode` to `0640` or more restrictive: $FileCreateMode 0640 scored: true - id: 4.2.1.5 description: "Ensure rsyslog is configured to send logs to a remote log host" sub_checks: - check: audit: 'grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf' constraints: syslog: - rsyslog type: manual remediation: | Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf` files and add the following line (where `loghost.example.com` is the name of your central log host). *.* @@loghost.example.com Run the following command to reload the `rsyslogd` configuration: # pkill -HUP rsyslogd scored: true - id: 4.2.1.6.a description: "Ensure remote rsyslog messages are only accepted on designated log hosts." sub_checks: - check: audit: "grep ^\\$ModLoad /etc/rsyslog.conf /etc/rsyslog.d/*.conf" constraints: syslog: - rsyslog tests: test_items: - flag: "\\$ModLoad imtcp" remediation: | For hosts that are designated as log hosts, edit the `/etc/rsyslog.conf` file and un-comment or add the following lines: $ModLoad imtcp $InputTCPServerRun 514 For hosts that are not designated as log hosts, edit the `/etc/rsyslog.conf` file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514 Run the following command to reload the `rsyslogd` configuration: # pkill -HUP rsyslogd scored: false - id: 4.2.1.6.b description: "Ensure remote rsyslog messages are only accepted on designated log hosts." sub_checks: - check: audit: "grep ^\\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/*.conf" constraints: syslog: - rsyslog tests: test_items: - flag: "\\$InputTCPServerRun 514" remediation: | For hosts that are designated as log hosts, edit the `/etc/rsyslog.conf` file and un-comment or add the following lines: $ModLoad imtcp $InputTCPServerRun 514 For hosts that are not designated as log hosts, edit the `/etc/rsyslog.conf` file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514 Run the following command to reload the `rsyslogd` configuration: # pkill -HUP rsyslogd scored: false - id: 4.2.2 description: "Configure journald" checks: - id: 4.2.2.1 description: "Ensure journald is configured to send logs to rsyslog" audit: "grep -e ForwardToSyslog /etc/systemd/journald.conf" tests: test_items: - flag: "ForwardToSyslog=yes" remediation: | Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes scored: true - id: 4.2.2.2 description: "Ensure journald is configured to compress large log files (Scored)" audit: "grep -e Compress /etc/systemd/journald.conf" tests: test_items: - flag: "Compress=yes" remediation: | Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes scored: true - id: 4.2.2.3 description: "Ensure journald is configured to write logfiles to persistent disk" audit: "grep -e Storage /etc/systemd/journald.conf" tests: test_items: - flag: "Storage=persistent" remediation: | Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent scored: true - id: 4.2.3 description: "Ensure permissions on all logfiles are configured" audit: "find /var/log -type f -ls" type: manual remediation: | Run the following commands to set permissions on all existing log files: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + scored: true - id: 4.3 description: "Ensure logrotate is configured" audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" type: manual remediation: | Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. scored: false - id: 5 description: "Access, Authentication and Authorization" - id: 5.1 description: "Configure cron" checks: - id: 5.1.1 description: "Ensure cron daemon is enabled" sub_checks: - check: audit: "chkconfig --list crond" constraints: platform: - rhel6 tests: test_items: - flag: "2:on 3:on 4:on 5:on" remediation: | Based on your system configuration, run the appropriate one of the following commands to enable `cron` : # chkconfig crond on # systemctl enable crond # update-rc.d crond enable - check: audit: "systemctl is-enabled crond" constraints: platform: - rhel7 tests: test_items: - flag: "enabled" remediation: | Based on your system configuration, run the appropriate one of the following commands to enable `cron` : # chkconfig crond on # systemctl enable crond # update-rc.d crond enable - check: audit: "systemctl is-enabled cron" constraints: platform: - ubuntu16 - ubuntu18 tests: test_items: - flag: "enabled" remediation: | Based on your system configuration, run the appropriate one of the following commands to enable `cron` : # chkconfig cron on # systemctl enable cron # update-rc.d cron enable scored: true - id: 5.1.2 description: "Ensure permissions on /etc/crontab are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/crontab" tests: test_items: - flag: "600/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/crontab` : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab scored: true - id: 5.1.3 description: "Ensure permissions on /etc/cron.hourly are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly" tests: test_items: - flag: "700/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/cron.hourly` : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly scored: true - id: 5.1.4 description: "Ensure permissions on /etc/cron.daily are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily" tests: test_items: - flag: "700/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/cron.daily` : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily scored: true - id: 5.1.5 description: "Ensure permissions on /etc/cron.weekly are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly" tests: test_items: - flag: "700/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/cron.weekly` : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly scored: true - id: 5.1.6 description: "Ensure permissions on /etc/cron.monthly are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly" tests: test_items: - flag: "700/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/cron.monthly` : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly scored: true - id: 5.1.7 description: "Ensure permissions on /etc/cron.d are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d" tests: test_items: - flag: "700/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/cron.d` : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d scored: true - id: 5.1.8.a description: "Ensure at/cron is restricted to authorized users" audit: "stat /etc/cron.deny" tests: test_items: - flag: "stat: cannot stat '/etc/cron.deny': No such file or directory" remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow scored: true - id: 5.1.8.b description: "Ensure at/cron is restricted to authorized users" audit: "stat /etc/at.deny" tests: test_items: - flag: "stat: cannot stat '/etc/at.deny': No such file or directory" remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow scored: true - id: 5.1.8.c description: "Ensure at/cron is restricted to authorized users" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.allow" tests: test_items: - flag: "600/Uid:root/0Gid:root/0" remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow scored: true - id: 5.1.8.d description: "Ensure at/cron is restricted to authorized users" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/at.allow" tests: test_items: - flag: "600/Uid:root/0Gid:root/0" remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow scored: true - id: 5.2 description: "SSH Server Configuration" checks: - id: 5.2.1 description: "Ensure permissions on /etc/ssh/sshd_config are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/ssh/sshd_config" tests: test_items: - flag: "600/Uid:root/0Gid:root/0" remediation: | Run the following commands to set ownership and permissions on `/etc/ssh/sshd_config`: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config scored: true - id: 5.2.2 description: "Ensure permissions on SSH private host key files are configured" audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c \"%N permissions=%a Uid:%U/%u Gid:%G/%g\" {} \\;" use_multiple_values: true tests: bin_op: and test_items: - flag: "Uid:root/0 Gid:root/0" - flag: "permissions" compare: op: bitmask value: "600" remediation: | Run the following commands to set ownership and permissions on the private SSH host key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \; scored: true - id: 5.2.3 description: "Ensure permissions on SSH public host key files are configured" audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c \"%N permissions=%a Uid:%U/%u Gid:%G/%g\" {} \\;" use_multiple_values: true tests: bin_op: and test_items: - flag: "Uid:root/0 Gid:root/0" - flag: "permissions" compare: op: bitmask value: "600" remediation: | Run the following commands to set permissions and ownership on the SSH host public key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \; #find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; scored: true - id: 5.2.4 description: "Ensure SSH Protocol is set to 2" audit: "grep ^Protocol /etc/ssh/sshd_config" tests: test_items: - flag: "Protocol 2" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: Protocol 2 scored: true - id: 5.2.5 description: "Ensure SSH LogLevel is set to INFO" audit: "grep ^LogLevel /etc/ssh/sshd_config" tests: bin_op: or test_items: - flag: "LogLevel VERBOSE" - flag: "LogLevel INFO" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO scored: true - id: 5.2.6 description: "Ensure SSH X11 forwarding is disabled" audit: "grep ^X11Forwarding /etc/ssh/sshd_config" tests: test_items: - flag: "X11Forwarding no" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: X11Forwarding no scored: true - id: 5.2.7 description: "Ensure SSH MaxAuthTries is set to 4 or less" audit: "sshd -T | grep maxauthtries" tests: test_items: - flag: "maxauthtries" compare: op: lte value: "4" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: MaxAuthTries 4 scored: true - id: 5.2.8 description: "Ensure SSH IgnoreRhosts is enabled" audit: "sshd -T | grep ignorerhosts" tests: test_items: - flag: "ignorerhosts yes" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: IgnoreRhosts yes scored: true - id: 5.2.9 description: "Ensure SSH HostbasedAuthentication is disabled" audit: "sshd -T | grep hostbasedauthentication" tests: test_items: - flag: "hostbasedauthentication no" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: hostbasedauthentication no scored: true - id: 5.2.10 description: "Ensure SSH root login is disabled" audit: "sshd -T | grep permitrootlogin" tests: test_items: - flag: "permitrootlogin no" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: permitrootlogin no scored: true - id: 5.2.11 description: "Ensure SSH PermitEmptyPasswords is disabled" audit: "sshd -T | grep permitemptypasswords" tests: test_items: - flag: "permitemptypasswords no" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: permitemptypasswords no scored: true - id: 5.2.12 description: "Ensure SSH PermitUserEnvironment is disabled" audit: "sshd -T | grep permituserenvironment" tests: test_items: - flag: "permituserenvironment no" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: permituserenvironment no scored: true - id: 5.2.13 description: "Ensure only approved MAC algorithms are used" audit: "sshd -T | grep ciphers" tests: bin_op: and test_items: - flag: "3des-cbc" set: false - flag: "aes128-cbc" set: false - flag: "aes192-cbc" set: false - flag: "aes256-cbc" set: false - flag: "arcfour" set: false - flag: "arcfour128" set: false - flag: "arcfour256" set: false - flag: "blowfish-cbc" set: false - flag: "cast128-cbc" set: false - flag: "rijndael-cbc@lysator.liu.se" set: false remediation: | Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr scored: true - id: 5.2.14 description: "Ensure only strong MAC algorithms are used" audit: 'sshd -T | grep -i "MACs"' tests: bin_op: and test_items: - flag: "hmac-md5" set: false - flag: "hmac-md5-96" set: false - flag: "hmac-ripemd160" set: false - flag: "hmac-sha1" set: false - flag: "hmac-sha1-96" set: false - flag: "umac-64@openssh.com" set: false - flag: "umac-128@openssh.com" set: false - flag: "hmac-md5-etm@openssh.com" set: false - flag: "hmac-md5-96-etm@openssh.com" set: false - flag: "hmac-ripemd160-etm@openssh.com" set: false - flag: "hmac-sha1-etm@openssh.com" set: false - flag: "hmac-sha1-96-etm@openssh.com" set: false - flag: "umac-64-etm@openssh.com" set: false - flag: "umac-128-etm@openssh.com" set: false remediation: | Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 scored: true - id: 5.2.15 description: "Ensure only strong Key Exchange algorithms are used" audit: "sshd -T | grep kexalgorithms" tests: bin_op: and test_items: - flag: "diffie-hellman-group1-sha1" set: false - flag: "diffie-hellman-group14-sha1" set: false - flag: "diffie-hellman-group-exchange-sha1" set: false remediation: | Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- hellman-group-exchange-sha256 scored: true - id: 5.2.16.a description: "Ensure SSH Idle Timeout Interval is configured" audit: "sshd -T | grep clientaliveinterval" tests: bin_op: and test_items: - flag: "clientaliveinterval" compare: op: lte value: "300" - flag: "clientaliveinterval" compare: op: gte value: "1" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: clientaliveinterval 300 clientalivecountmax 0 scored: true - id: 5.2.16.b description: "Ensure SSH Idle Timeout Interval is configured" audit: "sshd -T | grep clientalivecountmax" tests: test_items: - flag: "clientalivecountmax" compare: op: lte value: "3" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: clientaliveinterval 300 clientalivecountmax 0 scored: true - id: 5.2.17 description: "Ensure SSH LoginGraceTime is set to one minute or less" audit: "sshd -T | grep logingracetime" tests: test_items: - flag: "logingracetime" compare: op: lte value: "60" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: logingracetime 60 scored: true - id: 5.2.18 description: "Ensure SSH access is limited" audit: "sshd -T | grep -e allowusers -e allowgroups -e denyusers -e denygroups" tests: bin_op: and test_items: - flag: "" compare: op: regex value: "[aA]llow[uU]sers" - flag: "" compare: op: regex value: "[aA]llow[gG]roups" - flag: "" compare: op: regex value: "[dD]eny[uU]sers" - flag: "" compare: op: regex value: "[dD]eny[gG]roups" remediation: | Edit the `/etc/ssh/sshd_config` file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups scored: true - id: 5.2.19 description: "Ensure SSH warning banner is configured" audit: "sshd -T | grep banner" tests: test_items: - flag: "banner /etc/issue.net" remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: banner /etc/issue.net scored: true - id: 5.2.20 description: "Ensure SSH PAM is enabled" audit: "sshd -T | grep -i usepam" tests: test_items: - flag: "usepam yes" remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes scored: true - id: 5.2.21 description: "Ensure SSH AllowTcpForwarding is disabled" audit: "sshd -T | grep -i allowtcpforwarding" tests: test_items: - flag: "allowtcpforwarding no" remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: allowtcpforwarding no scored: true - id: 5.2.22 description: "Ensure SSH MaxStartups is configured" audit: "sshd -T | grep -i maxstartups" tests: test_items: - flag: "maxstartups 10:30:60" remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60 scored: true - id: 5.2.23 description: "Ensure SSH MaxSessions is set to 4 or less" audit: "sshd -T | grep -i maxsessions" tests: test_items: - flag: "maxsessions" compare: op: lte value: "4" remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 4 scored: true - id: 5.3 description: "Configure PAM" checks: - id: 5.3.1 description: "Ensure password creation requirements are configured" audit: "cat /etc/pam.d/common-password; cat /etc/pam.d/system-auth; cat /etc/security/pwquality.conf" tests: bin_op: and test_items: - flag: "minlen" compare: op: gte value: "14" - flag: "retry" compare: op: lte value: "3" - flag: "dcredit" compare: op: eq value: "-1" - flag: "ucredit" compare: op: eq value: "-1" - flag: "ocredit" compare: op: eq value: "-1" - flag: "lcredit" compare: op: eq value: "-1" remediation: | Set password creation requirements to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_cracklib.so` or `pam_pwquality.so` lines to include the required options: password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 password requisite pam_pwquality.so try_first_pass retry=3 If `pam_pwquality.so` is in use also configure settings in `/etc/security/pwquality.conf` : minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 scored: true - id: 5.3.2 description: "Ensure lockout for failed password attempts is configured" audit: "cat /etc/pam.d/system-auth; cat /etc/pam.d/password-auth; cat /etc/pam.d/common-auth" type: manual remediation: | Set password lockouts to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_tally2.so` or `pam_faillock.so` lines as appropriate: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 auth sufficient pam_unix.so auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 scored: false - id: 5.3.3 description: "Ensure password reuse is limited" audit: "cat /etc/pam.d/common-password; cat /etc/pam.d/system-auth" type: manual tests: bin_op: and test_items: - flag: "password required pam_pwhistory.so remember=5" - flag: "password sufficient pam_unix.so remember=5" remediation: | Set remembered password history to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_pwhistory.so` or `pam_unix.so` lines to include the `remember` option: password required pam_pwhistory.so remember=5 password sufficient pam_unix.so remember=5 scored: false - id: 5.3.4 description: "Ensure password hashing algorithm is SHA-512" audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" tests: test_items: - flag: "sha512" remediation: | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: password sufficient pam_unix.so sha512 scored: false - id: 5.4 description: "User Accounts and Environment" - id: 5.4.1 description: "Set Shadow Password Suite Parameters" checks: - id: 5.4.1.1.a description: "Ensure password expiration is 365 days or less" audit: "grep ^PASS_MAX_DAYS /etc/login.defs" tests: test_items: - flag: "PASS_MAX_DAYS" compare: op: lte value: "365" remediation: | Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : PASS_MAX_DAYS 356 Modify user parameters for all users with a password set to match: # chage --maxdays 356 scored: true - id: 5.4.1.1.b description: "Ensure password expiration is 365 days or less" audit: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,5" type: manual tests: test_items: - flag: "" remediation: | Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 scored: true - id: 5.4.1.2.a description: "Ensure minimum days between password changes is 7 or more" audit: "grep ^PASS_MIN_DAYS /etc/login.defs" tests: test_items: - flag: "PASS_MIN_DAYS" compare: op: gte value: "7" remediation: | Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 scored: true - id: 5.4.1.2.b description: "Ensure minimum days between password changes is 7 or more" audit: "grep -E ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1,4" type: manual tests: test_items: - flag: "" remediation: | Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 scored: true - id: 5.4.1.3.a description: "Ensure password expiration warning days is 7 or more" audit: "grep ^PASS_WARN_AGE /etc/login.defs" tests: test_items: - flag: "PASS_WARN_AGE" compare: op: gte value: "7" remediation: | Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 scored: true - id: 5.4.1.3.b description: "Ensure password expiration warning days is 7 or more" audit: "grep -E ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1,6" type: manual tests: test_items: - flag: "" remediation: | Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 scored: true - id: 5.4.1.4.a description: "Ensure inactive password lock is 30 days or less" audit: "useradd -D | grep INACTIVE" tests: test_items: - flag: "INACTIVE" compare: op: lte value: 30 remediation: | Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 scored: true - id: 5.4.1.4.b description: "Ensure inactive password lock is 30 days or less" audit: "grep -E ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1,7" type: manual tests: test_items: - flag: "" remediation: | Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 scored: true - id: 5.4.1.5 description: "Ensure all users last password change date is in the past" audit: | #!/bin/bash for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2) today=$(date +'%b %d %Y') if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then echo "$usr : $p" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. scored: true - id: 5.4.2.a description: "Ensure system accounts are non-login" audit: "awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $7!=\"'\"$(which nologin)\"'\" && $7!=\"/bin/false\") {print}' /etc/passwd" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run the commands appropriate for your distribution: Set the shell for any accounts returned by the audit to nologin: # usermod -s $(which nologin) Lock any non root accounts returned by the audit: # usermod -L The following command will set all system accounts to a non login shell: awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done The following command will automatically lock not root system accounts: awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done scored: true - id: 5.4.2.b description: "Ensure system accounts are non-login" audit: "awk -F: '($1!=\"root\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!=\"L\" && $2!=\"LK\") {print $1}'" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Run the commands appropriate for your distribution: Set the shell for any accounts returned by the audit to nologin: # usermod -s $(which nologin) Lock any non root accounts returned by the audit: # usermod -L The following command will set all system accounts to a non login shell: awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done The following command will automatically lock not root system accounts: awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done scored: true - id: 5.4.3 description: "Ensure default group for the root account is GID 0" audit: "grep ^root: /etc/passwd | cut -f4 -d:" tests: test_items: - flag: "0" remediation: | Run the following command to set the `root` user default group to GID `0` : # usermod -g 0 root scored: true - id: 5.4.4.a description: "Ensure default user umask is 027 or more restrictive" sub_checks: - check: audit: "grep umask /etc/bashrc" constraints: platform: - rhel7 tests: test_items: - flag: "umask 027" remediation: | Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027 - check: audit: "grep umask /etc/bash.bashrc" constraints: platform: - ubuntu16 - ubuntu18 tests: test_items: - flag: "umask 027" remediation: | Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027 scored: true - id: 5.4.4.b description: "Ensure default user umask is 027 or more restrictive" audit: "grep -h umask /etc/profile /etc/profile.d/*.sh" tests: test_items: - flag: "umask 027" remediation: | Edit the `/etc/bashrc`, `/etc/profile` and `/etc/profile.d/*.sh` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027 scored: true - id: 5.4.5.a description: "Ensure default user shell timeout is 900 seconds or less" sub_checks: - check: audit: "grep ^TMOUT /etc/bashrc" constraints: platform: - rhel7 tests: test_items: - flag: "TMOUT" compare: op: lte value: "900" remediation: | Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600 - check: audit: "grep ^TMOUT /etc/bash.bashrc" constraints: platform: - ubuntu16 - ubuntu18 tests: test_items: - flag: "TMOUT" compare: op: lte value: "900" remediation: | Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600 scored: true - id: 5.4.5.b description: "Ensure default user shell timeout is 900 seconds or less" audit: "grep ^TMOUT /etc/profile" tests: test_items: - flag: "TMOUT" compare: op: lte value: "900" remediation: | Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600 scored: true - id: 5.5 description: "Set Shadow Password Suite Parameters" checks: - id: 5.5 description: "Ensure root login is restricted to system console" audit: "cat /etc/securetty" type: manual remediation: | Remove entries for any consoles that are not in a physically secure location. scored: true - id: 5.6.a description: "Ensure access to the su command is restricted" audit: "grep pam_wheel.so /etc/pam.d/su" tests: bin_op: and test_items: - flag: "auth" - flag: "required" - flag: "pam_wheel.so" - flag: "use_uid" remediation: | Add the following line to the `/etc/pam.d/su` file: auth required pam_wheel.so use_uid Create a comma separated list of users in the wheel statement in the `/etc/group` file: wheel:x:10:root, scored: true - id: 5.6.b description: "Ensure access to the su command is restricted" audit: "grep wheel /etc/group" type: manual tests: test_items: - flag: "wheel:x:10:root," remediation: | Add the following line to the `/etc/pam.d/su` file: auth required pam_wheel.so use_uid Create a comma separated list of users in the wheel statement in the `/etc/group` file: wheel:x:10:root, scored: true - id: 6 description: "System Maintenance" - id: 6.1 description: "System File Permissions" checks: - id: 6.1.1 description: "Audit system file permissions" sub_checks: - check: audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " type: "manual" constraints: platform: - rhel7 remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. - check: audit: "dpkg --verify > " type: "manual" constraints: platform: - ubuntu16 remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. - check: audit: "apt-get source > " type: "manual" constraints: platform: - ubuntu18 remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. scored: false - id: 6.1.2 description: "Ensure permissions on /etc/passwd are configured" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/passwd" tests: test_items: - flag: "644/Uid:root/0Gid:root/0" remediation: | Run the following command to set permissions on `/etc/passwd` : # chown root:root /etc/passwd # chmod 644 /etc/passwd scored: true - id: 6.1.3 description: "Ensure permissions on /etc/shadow are configured" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow' tests: bin_op: and test_items: - flag: "Uid:root/0" - flag: "Gid" compare: op: regex value: "shadow|root" - flag: "permissions" compare: op: bitmask value: "640" remediation: | Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/shadow` : # chown root:root /etc/shadow # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow scored: true - id: 6.1.4 description: "Ensure permissions on /etc/group are configured" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group' tests: test_items: - flag: "Uid:root/0 Gid:root/0 permissions=644" remediation: | Run the following command to set permissions on `/etc/group` : # chown root:root /etc/group # chmod 644 /etc/group scored: true - id: 6.1.5 description: "Ensure permissions on /etc/gshadow are configured" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow' tests: bin_op: and test_items: - flag: "Uid:root/0" - flag: "Gid" compare: op: regex value: "shadow|root" - flag: "permissions" compare: op: bitmask value: "640" remediation: | Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/gshadow` : # chown root:root /etc/gshadow # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow scored: true - id: 6.1.6 description: "Ensure permissions on /etc/passwd- are configured" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-' tests: bin_op: and test_items: - flag: "Uid:root/0 Gid:root/0" - flag: "permissions" compare: op: bitmask value: "600" remediation: | Run the following command to set permissions on `/etc/passwd-` : # chown root:root /etc/passwd- # chmod u-x,go-rwx /etc/passwd- scored: true - id: 6.1.7 description: "Ensure permissions on /etc/shadow- are configured" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-' tests: bin_op: and test_items: - flag: "Uid:root/0" - flag: "Gid" compare: op: regex value: "shadow|root" - flag: "permissions" compare: op: bitmask value: "640" remediation: | Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/shadow-` : # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- # chmod o-rwx,g-rw /etc/shadow- scored: true - id: 6.1.8 description: "Ensure permissions on /etc/group- are configured" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-' tests: bin_op: and test_items: - flag: "Uid:root/0 Gid:root/0" - flag: "permissions" compare: op: bitmask value: "644" remediation: | Run the following command to set permissions on `/etc/group-` : # chown root:root /etc/group- # chmod u-x,go-wx /etc/group- scored: true - id: 6.1.9 description: "Ensure permissions on /etc/gshadow- are configured" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-' tests: bin_op: and test_items: - flag: "Uid:root/0" - flag: "Gid" compare: op: regex value: "shadow|root" - flag: "permissions" compare: op: bitmask value: "640" remediation: | Run the one of the following chown commands as appropriate and the chmod to set permissions on `/etc/gshadow-` : # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-rw /etc/gshadow- scored: true - id: 6.1.10.a description: "Ensure no world writable files exist" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Removing write access for the "other" category ( `chmod o-w ` ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. scored: true - id: 6.1.10.b description: "Ensure no world writable files exist" audit: "find -xdev -type f -perm -0002 " type: manual remediation: | Removing write access for the "other" category ( `chmod o-w ` ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file. scored: true - id: 6.1.11.a description: "Ensure no unowned files or directories exist" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. scored: true - id: 6.1.11.b description: "Ensure no unowned files or directories exist" audit: "find -xdev -type f -perm -0002" type: manual remediation: | Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. scored: true - id: 6.1.12.a description: "Ensure no ungrouped files or directories exist" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. scored: true - id: 6.1.12.b description: "Ensure no ungrouped files or directories exist" audit: "find -xdev -nogroup" type: manual remediation: | Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate. scored: true - id: 6.1.13.a description: "Audit SUID executables" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100" type: manual tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Ensure that no rogue SUID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. scored: false - id: 6.1.13.b description: "Audit SUID executables" audit: "find -xdev -type f -perm -4000" type: manual remediation: | Ensure that no rogue SUID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. scored: false - id: 6.1.14.a description: "Audit SGID executables" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100" type: manual tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. scored: false - id: 6.1.14.b description: "Audit SGID executables" audit: "find -xdev -type f -perm -2000" type: manual remediation: | Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. scored: false - id: 6.2 description: "User and Group Settings" checks: - id: 6.2.1 description: "Ensure password fields are not empty" audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off. scored: true - id: 6.2.2 description: 'Ensure no legacy "+" entries exist in /etc/passwd' audit: "grep '^\\+:' /etc/passwd" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Remove any legacy '+' entries from `/etc/passwd` if they exist. scored: true - id: 6.2.3 description: 'Ensure no legacy "+" entries exist in /etc/shadow' audit: "grep '^\\+:' /etc/shadow" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Remove any legacy '+' entries from `/etc/shadow` if they exist. scored: true - id: 6.2.4 description: 'Ensure no legacy "+" entries exist in /etc/group' audit: "grep '^\\+:' /etc/group" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Remove any legacy '+' entries from `/etc/group` if they exist. scored: true - id: 6.2.5 description: "Ensure root is the only UID 0 account" audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" tests: test_items: - flag: "root" remediation: | Remove any users other than `root` with UID `0` or assign them a new UID if appropriate. scored: true - id: 6.2.6 description: "Ensure root PATH Integrity" audit: | #!/bin/bash if [ "$(echo "$PATH" | grep ::)" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "$(echo "$PATH" | grep :$)" != "" ]; then echo "Trailing : in PATH" fi p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g') set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then shift continue fi if [ -d "$1" ]; then dirperm=$(ls -ldH "$1" | cut -f1 -d" ") if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then echo "Group Write permission set on directory $1" fi if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=$(ls -ldH "$1" | awk '{print $3}') if [ "$dirown" != "root" ] ; then echo "$1 is not owned by root" fi else echo "$1 is not a directory" fi shift done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Correct or justify any items discovered in the Audit step. scored: true - id: 6.2.7 description: "Ensure all users' home directories exist" audit: | #!/bin/bash grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. scored: true - id: 6.2.8 description: "Ensure users' home directories permissions are 750 or more restrictive" audit: | #!/bin/bash grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else dirperm=$(ls -ld $dir | cut -f1 -d" ") if [ $(echo $dirperm | cut -c6) != "-" ]; then echo "Group Write permission set on the home directory ($dir) of user $user" fi if [ $(echo $dirperm | cut -c8) != "-" ]; then echo "Other Read permission set on the home directory ($dir) of user $user" fi if [ $(echo $dirperm | cut -c9) != "-" ]; then echo "Other Write permission set on the home directory ($dir) of user $user" fi if [ $(echo $dirperm | cut -c10) != "-" ]; then echo "Other Execute permission set on the home directory ($dir) of user $user" fi fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.9 description: "Ensure users own their home directories" audit: | #!/bin/bash grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$user" ]; then echo "The home directory ($dir) of user $user is owned by $owner." fi fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Change the ownership of any home directories that are not owned by the defined user to the correct user. scored: true - id: 6.2.10 description: "Ensure users' dot files are not group or world writable" audit: | #!/bin/bash grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else for file in $dir/.[A-Za-z0-9]*; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=$(ls -ld $file | cut -f1 -d" ") if [ $(echo $fileperm | cut -c6) != "-" ]; then echo "Group Write permission set on file $file" fi if [ $(echo $fileperm | cut -c9) != "-" ]; then echo "Other Write permission set on file $file" fi fi done fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.11 description: "Ensure no users have .forward files" audit: | #!/bin/bash grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then echo ".forward file $dir/.forward exists" fi fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.12 description: "Ensure no users have .netrc files" audit: | #!/bin/bash grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then echo ".netrc file $dir/.netrc exists" fi fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.netrc` files and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.13 description: "Ensure users' .netrc Files are not group or world accessible" audit: | #!/bin/bash grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else for file in $dir/.netrc; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=$(ls -ld $file | cut -f1 -d" ") if [ $(echo $fileperm | cut -c5) != "-" ]; then echo "Group Read set on $file" fi if [ $(echo $fileperm | cut -c6) != "-" ]; then echo "Group Write set on $file" fi if [ $(echo $fileperm | cut -c7) != "-" ]; then echo "Group Execute set on $file" fi if [ $(echo $fileperm | cut -c8) != "-" ]; then echo "Other Read set on $file" fi if [ $(echo $fileperm | cut -c9) != "-" ]; then echo "Other Write set on $file" fi if [ $(echo $fileperm | cut -c10) != "-" ]; then echo "Other Execute set on $file" fi fi done fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.netrc` file permissions and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.14 description: "Ensure no users have .rhosts files" audit: | #!/bin/bash grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else for file in $dir/.rhosts; do if [ ! -h "$file" -a -f "$file" ]; then echo ".rhosts file in $dir" fi done fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.rhosts` files and determine the action to be taken in accordance with site policy. scored: true - id: 6.2.15 description: "Ensure all groups in /etc/passwd exist in /etc/group" audit: | #!/bin/bash for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group if [ $? -ne 0 ]; then echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Analyze the output of the Audit step above and perform the appropriate action to correct any discrepancies found. scored: true - id: 6.2.16 description: "Ensure no duplicate UIDs exist" audit: | #!/bin/bash cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do [ -z "$x" ] && break set - $x if [ $1 -gt 1 ]; then users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) echo "Duplicate UID ($2): $users" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Based on the results of the audit script, establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to. scored: true - id: 6.2.17 description: "Ensure no duplicate GIDs exist" audit: | #!/bin/bash cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do [ -z "$x" ] && break set - $x if [ $1 -gt 1 ]; then groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs) echo "Duplicate GID ($2): $groups" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Based on the results of the audit script, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to. scored: true - id: 6.2.18 description: "Ensure no duplicate user names exist" audit: | #!/bin/bash cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do [ -z "$x" ] && break set - $x if [ $1 -gt 1 ]; then uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs) echo "Duplicate User Name ($2): $uids" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs. scored: true - id: 6.2.19 description: "Ensure no duplicate group names exist" audit: | #!/bin/bash cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do [ -z "$x" ] && break set - $x if [ $1 -gt 1 ]; then gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs) echo "Duplicate Group Name ($2): $gids" fi done tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Based on the results of the audit script, establish unique names for the user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs. scored: true - id: 6.2.20.a description: "Ensure shadow group is empty" audit: "grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group" tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. scored: true - id: 6.2.20.b description: "Ensure shadow group is empty" audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd' tests: test_items: - flag: "" compare: op: eq value: "" remediation: | Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. scored: true