From 5b41b45756225eeea41c47eda78b7bf877b1d276 Mon Sep 17 00:00:00 2001
From: Yoav Hizkiahou
Date: Sun, 27 Jan 2019 16:12:29 +0200
Subject: [PATCH 1/2] Uploaded improved yaml file for version 1.1.0 Added information to readme file and to help cli
---
 README.md | 16 +-
 cfg/1.1.0/definitions.yaml | 3104 ++++++++++++++++++------------------
 root.go | 2 +-
 3 files changed, 1586 insertions(+), 1536 deletions(-)
diff --git a/README.md b/README.md
index 0d70428..76300b7 100644
--- a/README.md
+++ b/README.md
@@ -7,8 +7,14 @@ Tests are configured with YAML files, making this tool easy to update as test sp
 ## CIS Linux Benchmark support
-linux-bench currently supports tests for multiple platforms of Linux (ubntu, rhel and debian).
-linux-bench will determine the test set to run based on the operating system and the boot loader running on the host machine.
+linux-bench currently supports tests for benchmark version 1.1.0 only.
+
+linux-bench will determine the test set to run on the host machine based on the following:
+##### Operating system platform - ubuntu/debian/rhel/coreos
+##### Boot loader - grub/grub2
+##### System logging tool - rsyslog/syslog-ng
+##### Lsm - selinux/apparmor
+
 ## Installation
 ### Installing from sources
@@ -28,12 +34,12 @@ go build -o linux-bench .
 ./linux-bench
 # Run checks for specified linux cis version
-./linux-bench
-
+./linux-bench --version
 ```
 # Tests
-Tests are specified in definition files `cfg//definitions.yaml.
+Tests are specified in definition files `cfg//definitions.yaml.`
+
 Where `` is the version of linux cis for which the test applies.
 # Contributing
diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml
index 29fb1d5..364ed71 100644
--- a/cfg/1.1.0/definitions.yaml
+++ b/cfg/1.1.0/definitions.yaml
@@ -1,1530 +1,1574 @@
----
-controls:
-version: 1.11
-id: 1
-description: "Initial Setup"
-type: "master"
-groups:
-- id: 1.1
- description: "Filesystem Configuration"
- checks:
- - id: 1.1.2
- description: "Ensure separate partition exists for /tmp"
- audit: "mount | grep /tmp"
- tests:
- test_items:
- - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)"
- set: true
- remediation: |
- For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` .
- For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate.
- scored: true
-
- - id: 1.1.6
- description: "Ensure separate partition exists for /var"
- audit: "mount | grep /var"
- tests:
- test_items:
- - flag: "/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)"
- set: true
- remediation: |
- For new installations, during installation create a custom partition setup and specify a separate partition for `/var` .
- For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate.
- scored: true
-
- - id: 1.1.7
- description: "Ensure separate partition exists for /var/tmp"
- audit: "mount | grep /var/tmp"
- tests:
- test_items:
- - flag: " on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)"
- set: true
- remediation: |
- For new installations, during installation create a custom partition setup and specify a separate partition for `/var/tmp` .
- For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate.
- scored: true
-
- - id: 1.1.15
- description: "Ensure separate partition exists for /var/log"
- audit: "mount | grep /var/log"
- tests:
- test_items:
- - flag: "/dev/xvdh1 on /var/log type ext4 (rw,relatime,data=ordered)"
- set: true
- remediation: |
- For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log` .
- For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. - scored: true - - - id: 1.1.16 - description: "Ensure separate partition exists for /var/log/audit" - audit: "mount | grep /var/log/audit" - tests: - test_items: - - flag: "/dev/xvdi1 on /var/log/audit type ext4 (rw,relatime,data=ordered)" - set: true - remediation: | - For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log/audit` . - For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. - scored: true - - - - id: 1.1.17 - description: "Ensure separate partition exists for /home" - audit: "mount | grep /home" - tests: - test_items: - - flag: "/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)" - set: true - remediation: | - For new installations, during installation create a custom partition setup and specify a separate partition for `/home` . - For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. 
- scored: true - -- id: 1.1.1 - description: "Disable unused filesystemsisable unused filesystems" - checks: - - id: 1.1.1.8.a - description: "Ensure mounting of FAT filesystems is disabled" - audit: "modprobe -n -v vfat" - tests: - test_items: - - flag: "install /bin/true" - set: true - - remediation: | - Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: - - install vfat /bin/true - - Run the following command to unload the `vfat` module: - - # rmmod vfat - - scored: true - - - id: 1.1.1.8.b - description: "Ensure mounting of FAT filesystems is disabled" - audit: "lsmod | grep vfat" - tests: - test_items: - - flag: "" - set: true - remediation: | - Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: - - install vfat /bin/true - - Run the following command to unload the `vfat` module: - - # rmmod vfat - - scored: true - -- id: 1.6 - description: "Mandatory Access Controlandatory Access Control" - checks: - - id: 1.6.3 - description: "Ensure SELinux or AppArmor are installed" - sub_checks: - - check: - audit: "rpm -q libselinux" - constraints: - platform: - - rhel7 - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: false - remediation: | - Install SELinux or apparmor using the appropriate package manager or manual installation: - - # yum install libselinux - - - # apt-get install libselinux1 - - - # zypper install libselinux - - The previous commands install SELinux, use the appropriate package if AppArmor is desired. 
- scored: false - - check: - audit: "rpm -q apparmor" - constraints: - platform: - - rhel7 - lsm: - - apparmor - tests: - test_items: - - flag: "is not installed" - set: false - remediation: | - Install SELinux or apparmor using the appropriate package manager or manual installation: - - # yum install libselinux - - - # apt-get install libselinux1 - - - # zypper install libselinux - - The previous commands install SELinux, use the appropriate package if AppArmor is desired. - scored: false - - - - check: - audit: "dpkg -s libselinux1" - constraints: - platform: - - ubuntu - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: false - remediation: | - Install SELinux or apparmor using the appropriate package manager or manual installation: - - # yum install libselinux - - - # apt-get install libselinux1 - - - # zypper install libselinux - - The previous commands install SELinux, use the appropriate package if AppArmor is desired. - scored: false - - - - - check: - audit: "dpkg -s apparmor" - constraints: - platform: - - ubuntu - lsm: - - apparmor - tests: - test_items: - - flag: "is not installed" - set: false - remediation: | - Install SELinux or apparmor using the appropriate package manager or manual installation: - - # yum install libselinux - - - # apt-get install libselinux1 - - - # zypper install libselinux - - The previous commands install SELinux, use the appropriate package if AppArmor is desired. 
- scored: false - - - - -- id: 1.6.1 - description: "Configure SELinuxonfigure SELinux" - checks: - - id: 1.6.1.1 - description: "Ensure SELinux is not disabled in bootloader configuration" - sub_checks: - - check: - audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" - constraints: - lsm: - - selinux - boot: - - grub - tests: - bin_op: and - test_items: - - flag: "selinux=0" - set: false - test_items: - - flag: "enforcing=0" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - check: - audit: "grep LINUX /etc/default/grub" - constraints: - lsm: - - selinux - boot: - - grub2 - tests: - bin_op: and - test_items: - - flag: "selinux=0" - set: false - test_items: - - flag: "enforcing=0" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - id: 1.6.1.2.a - description: "Ensure the SELinux state is enforcing" - sub_checks: - - check: - audit: "grep SELINUX=enforcing /etc/selinux/config" - constraints: - lsm: - - selinux - tests: - test_items: - - flag: "SELINUX=enforcing" - set: true - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. 
- For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - id: 1.6.1.2.b - description: "Ensure the SELinux state is enforcing" - sub_checks: - - check: - audit: "sestatus" - constraints: - lsm: - - selinux - tests: - test_items: - - flag: "SELinux status:" - compare: - op: has - value: "enabled" - set: true - - flag: "Current mode:" - compare: - op: has - value: "enforcing" - set: true - - flag: "Mode from config file:" - compare: - op: has - value: "enforcing" - set: true - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - - id: 1.6.1.3.a - description: "Ensure SELinux policy is configured" - sub_checks: - - check: - audit: "grep SELINUXTYPE=targeted /etc/selinux/config" - constraints: - lsm: - - selinux - tests: - test_items: - - flag: "SELINUXTYPE=targeted" - set: true - remediation: | - Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: - - SELINUXTYPE=targeted - - scored: true - - id: 1.6.1.3.b - description: "Ensure SELinux policy is configured" - sub_checks: - - check: - audit: "sestatus" - constraints: - lsm: - - selinux - tests: - test_items: - - flag: "Loaded policy name:" - compare: - op: has - value: "targeted" - set: true - remediation: | - Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: - - SELINUXTYPE=targeted - - scored: true - - - - id: 1.6.1.4 - 
description: "Ensure SETroubleshoot is not installed" - sub_checks: - - check: - audit: "rpm -q setroubleshoot" - constraints: - platform: - - rhel7 - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: true - remediation: | - Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: - - # yum remove setroubleshoot - - - # apt-get remove setroubleshoot - - - # zypper remove setroubleshoot - - scored: true - - check: - audit: "dpkg -s setroubleshoot" - constraints: - platform: - - ubuntu - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: true - remediation: | - Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: - - # yum remove setroubleshoot - - - # apt-get remove setroubleshoot - - - # zypper remove setroubleshoot - - scored: true - - id: 1.6.1.5 - description: "Ensure the MCS Translation Service (mcstrans) is not installed" - sub_checks: - - check: - audit: "rpm -q mcstrans" - constraints: - platform: - - rhel7 - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: true - remediation: | - Uninstall `mcstrans` using the appropriate package manager or manual installation: - - yum remove mcstrans - - - apt-get remove mcstrans - - - zypper remove mcstrans - - - scored: true - - check: - audit: "dpkg -s mcstrans" - constraints: - platform: - - ubuntu - lsm: - - selinux - tests: - test_items: - - flag: "is not installed" - set: true - remediation: | - Uninstall `mcstrans` using the appropriate package manager or manual installation: - - yum remove mcstrans - - - apt-get remove mcstrans - - - zypper remove mcstrans - - - scored: true - - - - id: 1.6.1.6 - description: "Ensure no unconfined daemons exist" - audit: "ps -eZ | egrep \"initrc\" | egrep -vw \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'" - tests: - test_items: - - flag: "" - set: true - remediation: | - Investigate any unconfined daemons found during 
the audit action. They may need to have an existing security context assigned to them or a policy built for them. - scored: true - - -- id: 1.6.2 - description: "Configure AppArmoronfigure AppArmor" - checks: - - id: 1.6.2.1 - description: "Ensure AppArmor is not disabled in bootloader configuration" - sub_checks: - - check: - audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" - constraints: - lsm: - - apparmor - boot: - - grub - tests: - test_items: - - flag: "apparmor=0" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - check: - audit: "grep \"^\\s*LINUX\" /etc/default/grub" - constraints: - lsm: - - apparmor - boot: - - grub - tests: - test_items: - - flag: "apparmor=0" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: - - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - id: 1.6.2.2 - description: "Ensure all AppArmor Profiles are enforcing" - sub_checks: - - check: - audit: "apparmor_status" - type: manual - constraints: - lsm: - - apparmor - tests: - remediation: | - Run the following command to set all profiles to enforce mode: - - # enforce /etc/apparmor.d/* - - Any unconfined processes may need to have a profile created or activated for them and then be restarted. 
- scored: true - -- id: 4.1 - description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)" - checks: - - id: 4.1.2 - description: "Ensure auditd service is enabled" - sub_checks: - - check: - audit: "chkconfig --list auditd" - constraints: - platform: - - rhel6 - tests: - test_items: - - flag: "auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off" - set: true - remediation: | - Run one of the following commands to enable `auditd` : - - # chkconfig auditd on - - - # systemctl enable auditd - - - # update-rc.d auditd enable - - scored: true - - check: - audit: "systemctl is-enabled auditd" - constraints: - platform: - - rhel7 - tests: - test_items: - - flag: "enabled" - set: true - remediation: | - Run one of the following commands to enable `auditd` : - - # chkconfig auditd on - - - # systemctl enable auditd - - - # update-rc.d auditd enable - - scored: true - - check: - audit: "ls /etc/rc*.d | grep auditd" - type: manual - constraints: - platform: - - ubuntu - tests: - test_items: - - flag: "" - set: true - remediation: | - Run one of the following commands to enable `auditd` : - - # chkconfig auditd on - - - # systemctl enable auditd - - - # update-rc.d auditd enable - - scored: true - - id: 4.1.3 - description: "Ensure auditing for processes that start prior to auditd is enabled" - sub_checks: - - check: - audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" - constraints: - boot: - - grub - tests: - test_items: - - flag: "audit=1" - set: true - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. 
- For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: - - GRUB_CMDLINE_LINUX="audit=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - check: - audit: "grep -i linux /etc/default/grub" - constraints: - boot: - - grub2 - bin_op: and - tests: - test_items: - - flag: "GRUB_CMDLINE_LINUX=" - set: true - - flag: "audit=1" - set: true - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. - For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: - - GRUB_CMDLINE_LINUX="audit=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - - scored: true - - - id: 4.1.4.a - description: "Ensure events that modify date and time information are collected" - audit: "grep time-change /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" - set: true - - flag: "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" - set: true - - flag: "-a always,exit -F arch=b64 -S clock_settime -k time-change" - set: true - - flag: "-a always,exit -F arch=b32 -S clock_settime -k time-change" - set: true - - flag: "-w /etc/localtime -p wa -k time-change" - set: true - remediation: | - - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change - -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change - -a always,exit -F arch=b64 -S clock_settime -k time-change - -a always,exit -F arch=b32 -S clock_settime -k time-change - -w /etc/localtime -p wa -k time-change - - scored: true - - - id: 4.1.4.b - description: "Ensure events that modify date and time information are collected" - audit: "auditctl -l | grep time-change" - tests: - bin_op: and - 
test_items: - - flag: "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" - set: true - - flag: "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" - set: true - - flag: "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" - set: true - - flag: "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" - set: true - - flag: "-w /etc/localtime -p wa -k time-change" - set: true - remediation: | - - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change - -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change - -a always,exit -F arch=b64 -S clock_settime -k time-change - -a always,exit -F arch=b32 -S clock_settime -k time-change - -w /etc/localtime -p wa -k time-change - - scored: true - - id: 4.1.5.a - description: "Ensure events that modify user/group information are collected" - audit: "grep identity /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-w /etc/group -p wa -k identity" - set: true - - flag: "-w /etc/passwd -p wa -k identity" - set: true - - flag: "-w /etc/gshadow -p wa -k identity" - set: true - - flag: "-w /etc/shadow -p wa -k identity" - set: true - - flag: "-w /etc/security/opasswd -p wa -k identity" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /etc/group -p wa -k identity - -w /etc/passwd -p wa -k identity - -w /etc/gshadow -p wa -k identity - -w /etc/shadow -p wa -k identity - -w /etc/security/opasswd -p wa -k identity - - scored: true - - - id: 4.1.5.b - description: "Ensure events that modify user/group information are collected" - audit: "auditctl -l | grep identity" - tests: - bin_op: and - test_items: - - flag: "-w /etc/group -p wa -k identity" - set: true - - flag: "-w /etc/passwd -p wa -k identity" - set: true - - flag: "-w /etc/gshadow -p wa -k identity" - set: true - - flag: 
"-w /etc/shadow -p wa -k identity" - set: true - - flag: "-w /etc/security/opasswd -p wa -k identity" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /etc/group -p wa -k identity - -w /etc/passwd -p wa -k identity - -w /etc/gshadow -p wa -k identity - -w /etc/shadow -p wa -k identity - -w /etc/security/opasswd -p wa -k identity - - scored: true - - - id: 4.1.6.a - description: "Ensure events that modify the system's network environment are collected" - audit: "grep system-locale /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" - set: true - - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" - set: true - - flag: "-w /etc/issue -p wa -k system-locale" - set: true - - flag: "-w /etc/issue.net -p wa -k system-locale" - set: true - - flag: "-w /etc/hosts -p wa -k system-locale" - set: true - - flag: "-w /etc/sysconfig/network -p wa -k system-locale" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale - -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale - -w /etc/issue -p wa -k system-locale - -w /etc/issue.net -p wa -k system-locale - -w /etc/hosts -p wa -k system-locale - -w /etc/sysconfig/network -p wa -k system-locale - - scored: true - - - id: 4.1.6.b - description: "Ensure events that modify the system's network environment are collected" - audit: "grep system-locale /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" - set: true - - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" - set: true - - flag: "-w /etc/issue -p wa -k system-locale" - set: true - - flag: "-w /etc/issue.net -p wa 
-k system-locale" - set: true - - flag: "-w /etc/hosts -p wa -k system-locale" - set: true - - flag: "-w /etc/sysconfig/network -p wa -k system-locale" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale - -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale - -w /etc/issue -p wa -k system-locale - -w /etc/issue.net -p wa -k system-locale - -w /etc/hosts -p wa -k system-locale - -w /etc/sysconfig/network -p wa -k system-locale - - scored: true - - - id: 4.1.7.a - description: "Ensure events that modify the system's Mandatory Access Controls are collected" - sub_checks: - - check: - audit: "grep MAC-policy /etc/audit/audit.rules" - constraints: - lsm: - - selinux - tests: - bin_op: and - test_items: - - flag: "-w /etc/selinux/ -p wa -k MAC-policy" - set: true - - flag: "-w /usr/share/selinux/ -p wa -k MAC-policy" - set: true - remediation: | - On systems using SELinux add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/selinux/ -p wa -k MAC-policy - -w /usr/share/selinux/ -p wa -k MAC-policy - - scored: true - - check: - audit: "grep MAC-policy /etc/audit/audit.rules" - constraints: - lsm: - - apparmor - tests: - bin_op: and - test_items: - - flag: "-w /etc/apparmor/ -p wa -k MAC-policy" - set: true - - flag: "-w /etc/apparmor.d/ -p wa -k MAC-policy" - set: true - remediation: | - On systems using AppArmor add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/apparmor/ -p wa -k MAC-policy - -w /etc/apparmor.d/ -p wa -k MAC-policy - - scored: true - - id: 4.1.7.b - description: "Ensure events that modify the system's Mandatory Access Controls are collected" - sub_checks: - - check: - audit: "auditctl -l | grep MAC-policy" - constraints: - lsm: - - selinux - tests: - bin_op: and - test_items: - - flag: "-w /etc/selinux -p wa -k MAC-policy" - set: true - - flag: "-w 
/usr/share/selinux -p wa -k MAC-policy" - set: true - remediation: | - On systems using SELinux add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/selinux/ -p wa -k MAC-policy - -w /usr/share/selinux/ -p wa -k MAC-policy - - scored: true - - check: - audit: "auditctl -l | grep MAC-policy" - constraints: - lsm: - - selinux - tests: - bin_op: and - test_items: - - flag: "-w /etc/apparmor -p wa -k MAC-policy" - set: true - - flag: "-w /etc/apparmor.d -p wa -k MAC-policy" - set: true - remediation: | - On systems using AppArmor add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/apparmor/ -p wa -k MAC-policy - -w /etc/apparmor.d/ -p wa -k MAC-policy - - scored: true - - id: 4.1.8.a - description: "Ensure login and logout events are collected" - audit: "grep logins /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-w /var/log/faillog -p wa -k logins" - set: true - - flag: "-w /var/log/lastlog -p wa -k logins" - set: true - - flag: "-w /var/log/tallylog -p wa -k logins" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/log/faillog -p wa -k logins - -w /var/log/lastlog -p wa -k logins - -w /var/log/tallylog -p wa -k logins - - scored: true - - - - id: 4.1.8.b - description: "Ensure login and logout events are collected" - audit: "auditctl -l | grep logins" - tests: - test_items: - - flag: "-w /var/log/faillog -p wa -k logins" - set: true - - flag: "-w /var/log/lastlog -p wa -k logins" - set: true - - flag: "-w /var/log/tallylog -p wa -k logins" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/log/faillog -p wa -k logins - -w /var/log/lastlog -p wa -k logins - -w /var/log/tallylog -p wa -k logins - - scored: true - - - id: 4.1.9.a - description: "Ensure session initiation information is collected" - audit: "grep session /etc/audit/audit.rules" - tests: - test_items: - - flag: "-w /var/run/utmp -p wa 
-k session" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/run/utmp -p wa -k session - -w /var/log/wtmp -p wa -k logins - -w /var/log/btmp -p wa -k logins - - scored: true - - - id: 4.1.9.b - description: "Ensure session initiation information is collected" - audit: "auditctl -l | grep session" - tests: - test_items: - - flag: "-w /var/run/utmp -p wa -k session" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/run/utmp -p wa -k session - -w /var/log/wtmp -p wa -k logins - -w /var/log/btmp -p wa -k logins - - scored: true - - - id: 4.1.9.a - description: "Ensure session initiation information is collected" - audit: "grep logins /etc/audit/audit.rules" - tests: - test_items: - - flag: "-w /var/log/wtmp -p wa -k logins" - set: true - - flag: "-w /var/log/btmp -p wa -k logins" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/run/utmp -p wa -k session - -w /var/log/wtmp -p wa -k logins - -w /var/log/btmp -p wa -k logins - - scored: true - - - id: 4.1.9.b - description: "Ensure session initiation information is collected" - audit: "auditctl -l | grep logins" - tests: - test_items: - - flag: "-w /var/log/wtmp -p wa -k logins" - set: true - - flag: "-w /var/log/btmp -p wa -k logins" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/run/utmp -p wa -k session - -w /var/log/wtmp -p wa -k logins - -w /var/log/btmp -p wa -k logins - - scored: true - - - id: 4.1.10.a - description: "Ensure discretionary access control permission modification events are collected" - audit: "grep perm_mod /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F 
auid!=4294967295 -k perm_mod" - set: true - - flag: "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" - set: true - - flag: "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod - - scored: true - - id: 4.1.10.b - description: "Ensure discretionary access control permission modification events are collected" - audit: "auditctl -l | grep perm_mod" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - - flag: "-a 
always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - - flag: "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - - flag: "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod - - scored: true - - id: 4.1.11.a - description: "Ensure unsuccessful unauthorized file access attempts are collected" - audit: "grep access /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" - set: true - - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" - set: true - - flag: "-a always,exit -F arch=b64 -S creat -S open 
-S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" - set: true - - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access - - scored: true - - id: 4.1.11.b - description: "Ensure unsuccessful unauthorized file access attempts are collected" - audit: "auditctl -l | grep access" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" - set: true - - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" - set: true - - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" - set: true - - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b32 -S creat -S open -S openat 
-S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access - -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access - - scored: true - - id: 4.1.12 - description: "Ensure use of privileged commands is collected" - audit: "find -xdev \\( -perm -4000 -o -perm -2000 \\) -type f | awk '{print \"-a always,exit -F path=\" $1 \" -F perm=x -F auid>=500 -F auid!=4294967295 \ -k privileged\" }' " - type: "manual" - remediation: | - To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: - `-F path=" $1 "` - will populate each file name found through the find command and processed by awk. `-F perm=x` - will write an audit record if the file is executed. `-F auid>=500` - will write a record if the user executing the command is not a privileged user. `-F auid!= 4294967295` - will ignore Daemon events - All audit records should be tagged with the identifier "privileged". - Run the following command replacing _ - _ with a list of partitions where programs can be executed from on your system: - - # find - -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }' - - Add all resulting lines to the `/etc/audit/audit.rules` file. 
- scored: true - - - - id: 4.1.13.a - description: "Ensure successful file system mounts are collected" - audit: "grep mounts /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" - set: true - - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts - -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts - - scored: true - - - id: 4.1.13.b - description: "Ensure successful file system mounts are collected" - audit: "auditctl -l | grep mounts" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" - set: true - - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts - -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts - - scored: true - - - id: 4.1.14.a - description: "Ensure file deletion events by users are collected" - audit: "grep delete /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" - set: true - - flag: "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete - -a always,exit -F 
arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete - - scored: true - - - id: 4.1.14.b - description: "Ensure file deletion events by users are collected" - audit: "auditctl -l | grep delete" - tests: - bin_op: and - test_items: - - flag: "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" - set: true - - flag: "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete - -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete - - scored: true - - - id: 4.1.15.a - description: "Ensure changes to system administration scope (sudoers) is collected" - audit: "grep scope /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-w /etc/sudoers -p wa -k scope" - set: true - - flag: "-w /etc/sudoers.d/ -p wa -k scope" - set: true - remediation: | - Add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/sudoers -p wa -k scope - -w /etc/sudoers.d/ -p wa -k scope - - scored: true - - - id: 4.1.15.b - description: "Ensure changes to system administration scope (sudoers) is collected" - audit: "auditctl -l | grep scope" - tests: - bin_op: and - test_items: - - flag: "-w /etc/sudoers -p wa -k scope" - set: true - - flag: "-w /etc/sudoers.d -p wa -k scope" - set: true - remediation: | - Add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/sudoers -p wa -k scope - -w /etc/sudoers.d/ -p wa -k scope - - scored: true - remediation: | - Add the following line to the `/etc/audit/audit.rules` file: - - -w /etc/sudoers -p wa -k scope - -w /etc/sudoers.d/ -p wa -k scope - - scored: true - - - id: 4.1.16.a - 
description: "Ensure system administrator actions (sudolog) are collected" - audit: "grep actions /etc/audit/audit.rules" - tests: - test_items: - - flag: "-w /var/log/sudo.log -p wa -k actions" - compare: - op: eq - value: "-w /var/log/sudo.log -p wa -k actions" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/log/sudo.log -p wa -k actions - - scored: true - - - id: 4.1.16.b - description: "Ensure system administrator actions (sudolog) are collected" - audit: "auditctl -l | grep actions" - tests: - test_items: - - flag: "-w /var/log/sudo.log -p wa -k actions" - set: true - remediation: | - Add the following lines to the `/etc/audit/audit.rules` file: - - -w /var/log/sudo.log -p wa -k actions - - scored: true - - - id: 4.1.17.a - description: "Ensure kernel module loading and unloading is collected" - audit: "grep modules /etc/audit/audit.rules" - tests: - bin_op: and - test_items: - - flag: "-w /sbin/insmod -p x -k modules" - set: true - - flag: "-w /sbin/rmmod -p x -k modules" - set: true - - flag: "-w /sbin/modprobe -p x -k modules" - set: true - - flag: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" - set: true - remediation: | - For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: - - -w /sbin/insmod -p x -k modules - -w /sbin/rmmod -p x -k modules - -w /sbin/modprobe -p x -k modules - -a always,exit -F arch=b64 -S init_module -S delete_module -k modules - - scored: true - - - id: 4.1.17.b - description: "Ensure kernel module loading and unloading is collected" - audit: "auditctl -l | grep modules" - tests: - bin_op: and - test_items: - - flag: "-w /sbin/insmod -p x -k modules" - set: true - - flag: "-w /sbin/rmmod -p x -k modules" - set: true - - flag: "-w /sbin/modprobe -p x -k modules" - set: true - - flag: "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules" - set: true - remediation: | - For 64 bit systems add the following 
lines to the `/etc/audit/audit.rules` file: - - -w /sbin/insmod -p x -k modules - -w /sbin/rmmod -p x -k modules - -w /sbin/modprobe -p x -k modules - -a always,exit -F arch=b64 -S init_module -S delete_module -k modules - - scored: true - - scored: true - - id: 4.1.18 - description: "Ensure the audit configuration is immutable" - audit: "grep ^\\s*[^#] /etc/audit/audit.rules | tail -1" - tests: - test_items: - - flag: "-e 2" - set: true - remediation: | - Add the following line to the end of the `/etc/audit/audit.rules` file. - - -e 2 - - scored: true - - -- id: 4.1.1 - description: "Configure Data Retentiononfigure Data Retention" - checks: - - id: 4.1.1.1 - description: "Ensure audit log storage size is configured" - audit: "grep max_log_file /etc/audit/auditd.conf" - type: "manual" - tests: - test_items: - - flag: "max_log_file" - compare: - op: has - value: "" - set: true - remediation: | - Set the following parameter in `/etc/audit/auditd.conf` in accordance with site policy: - - max_log_file = - - scored: false - - - id: 4.1.1.2.a - description: "Ensure system is disabled when audit logs are full" - audit: "grep ^space_left_action /etc/audit/auditd.conf" - tests: - test_items: - - flag: "space_left_action = email" - set: true - remediation: | - Set the following parameters in `/etc/audit/auditd.conf:` - - space_left_action = email - action_mail_acct = root - admin_space_left_action = halt - - scored: true - - - id: 4.1.1.2.b - description: "Ensure system is disabled when audit logs are full" - audit: "grep action_mail_acct /etc/audit/auditd.conf" - tests: - test_items: - - flag: "action_mail_acct = root" - set: true - remediation: | - Set the following parameters in `/etc/audit/auditd.conf:` - - space_left_action = email - action_mail_acct = root - admin_space_left_action = halt - - scored: true - - - id: 4.1.1.2.c - description: "Ensure system is disabled when audit logs are full" - audit: "grep admin_space_left_action /etc/audit/auditd.conf" - tests: - 
test_items: - - flag: "admin_space_left_action = halt" - set: true - remediation: | - Set the following parameters in `/etc/audit/auditd.conf:` - - space_left_action = email - action_mail_acct = root - admin_space_left_action = halt - - scored: true - - - id: 4.1.1.3 - description: "Ensure audit logs are not automatically deleted" - audit: "grep max_log_file_action /etc/audit/auditd.conf" - tests: - test_items: - - flag: "max_log_file_action = keep_logs" - set: true - remediation: | - Set the following parameter in `/etc/audit/auditd.conf:` - - max_log_file_action = keep_logs - - scored: true -- id: 5.4 - description: "User Accounts and Environmentser Accounts and Environment" - checks: - - id: 5.4.5.a - description: "Ensure default user shell timeout is 900 seconds or less" - audit: "grep ^TMOUT /etc/bashrc" - tests: - test_items: - - flag: "TMOUT" - compare: - op: lte - value: "900" - set: true - remediation: | - Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: - - TMOUT=600 - - scored: true - - - id: 5.4.5.b - description: "Ensure default user shell timeout is 900 seconds or less" - audit: "grep ^TMOUT /etc/profile" - tests: - test_items: - - flag: "TMOUT" - compare: - op: lte - value: "900" - set: true - remediation: | - Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: - - TMOUT=600 - - scored: true - -- id: 6.1 - description: "System File Permissionsystem File Permissions" - checks: - - id: 6.1.1.a - description: "Audit system file permissions" - audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " - skip: true - type: "manual" - remediation: | - Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. 
- scored: false - - - id: 6.1.1.b - description: "Audit system file permissions" - audit: "dpkg --verify > " - skip: true - type: "manual" - remediation: | - Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. - scored: false +--- +controls: +version: 1.11 +id: 1 +description: "Initial Setup" +type: "master" +groups: +- id: 1.1 + description: "Filesystem Configuration" + checks: + - id: 1.1.2 + description: "Ensure separate partition exists for /tmp" + audit: "mount | grep /tmp" + tests: + test_items: + - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + + - id: 1.1.6 + description: "Ensure separate partition exists for /var" + audit: "mount | grep /var" + tests: + test_items: + - flag: "/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/var` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + + - id: 1.1.7 + description: "Ensure separate partition exists for /var/tmp" + audit: "mount | grep /var/tmp" + tests: + test_items: + - flag: " on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/var/tmp` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. 
+ scored: true + + - id: 1.1.15 + description: "Ensure separate partition exists for /var/log" + audit: "mount | grep /var/log" + tests: + test_items: + - flag: "/dev/xvdh1 on /var/log type ext4 (rw,relatime,data=ordered)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + + - id: 1.1.16 + description: "Ensure separate partition exists for /var/log/audit" + audit: "mount | grep /var/log/audit" + tests: + test_items: + - flag: "/dev/xvdi1 on /var/log/audit type ext4 (rw,relatime,data=ordered)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/var/log/audit` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. + scored: true + + + - id: 1.1.17 + description: "Ensure separate partition exists for /home" + audit: "mount | grep /home" + tests: + test_items: + - flag: "/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)" + set: true + remediation: | + For new installations, during installation create a custom partition setup and specify a separate partition for `/home` . + For systems that were previously installed, create a new partition and configure `/etc/fstab` as appropriate. 
+ scored: true + +- id: 1.1.1 + description: "Disable unused filesystemsisable unused filesystems" + checks: + - id: 1.1.1.8.a + description: "Ensure mounting of FAT filesystems is disabled" + sub_checks: + - check: + audit: "modprobe -n -v vfat" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag : "install /bin/true" + set: true + + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install vfat /bin/true + + Run the following command to unload the `vfat` module: + + # rmmod vfat + + scored: true + - id: 1.1.1.8.b + description: "Ensure mounting of FAT filesystems is disabled" + sub_checks: + - check: + audit: "lsmod | grep vfat" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag : "" + set: true + + remediation: | + Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: + + install vfat /bin/true + + Run the following command to unload the `vfat` module: + + # rmmod vfat + + scored: true + +- id: 1.6 + description: "Mandatory Access Controlandatory Access Control" + checks: + - id: 1.6.3 + description: "Ensure SELinux or AppArmor are installed" + sub_checks: + - check: + audit: "rpm -q libselinux" + constraints: + platform: + - rhel7 + lsm: + - selinux + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + + # yum install libselinux + + + # apt-get install libselinux1 + + + # zypper install libselinux + + The previous commands install SELinux, use the appropriate package if AppArmor is desired. 
+ - check: + audit: "rpm -q apparmor" + constraints: + platform: + - rhel7 + lsm: + - apparmor + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + + # yum install libselinux + + + # apt-get install libselinux1 + + + # zypper install libselinux + + The previous commands install SELinux, use the appropriate package if AppArmor is desired. + - check: + audit: "dpkg -s libselinux1" + constraints: + platform: + - ubuntu + lsm: + - selinux + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + + # yum install libselinux + + + # apt-get install libselinux1 + + + # zypper install libselinux + + The previous commands install SELinux, use the appropriate package if AppArmor is desired. + - check: + audit: "dpkg -s apparmor" + constraints: + platform: + - ubuntu + lsm: + - apparmor + tests: + test_items: + - flag: "is not installed" + set: false + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + + # yum install libselinux + + + # apt-get install libselinux1 + + + # zypper install libselinux + + The previous commands install SELinux, use the appropriate package if AppArmor is desired. + scored: false +- id: 1.6.1 + description: "Configure SELinuxonfigure SELinux" + checks: + - id: 1.6.1.1 + description: "Ensure SELinux is not disabled in bootloader configuration" + sub_checks: + - check: + audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" + constraints: + lsm: + - selinux + boot: + - grub + tests: + bin_op: and + test_items: + - flag: "selinux=0" + set: false + test_items: + - flag: "enforcing=0" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. 
+ For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + - check: + audit: "grep LINUX /etc/default/grub" + constraints: + lsm: + - selinux + boot: + - grub2 + tests: + bin_op: and + test_items: + - flag: "selinux=0" + set: false + test_items: + - flag: "enforcing=0" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. + For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: true + - id: 1.6.1.2.a + description: "Ensure the SELinux state is enforcing" + sub_checks: + - check: + audit: "grep SELINUX=enforcing /etc/selinux/config" + constraints: + lsm: + - selinux + tests: + test_items: + - flag: "SELINUX=enforcing" + set: true + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. 
+ For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: true + - id: 1.6.1.2.b + description: "Ensure the SELinux state is enforcing" + sub_checks: + - check: + audit: "sestatus" + constraints: + lsm: + - selinux + tests: + test_items: + - flag: "SELinux status:" + compare: + op: has + value: "enabled" + set: true + - flag: "Current mode:" + compare: + op: has + value: "enforcing" + set: true + - flag: "Mode from config file:" + compare: + op: has + value: "enforcing" + set: true + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. + For `grub2` based systems edit /etc/default/grub and remove all instances of `selinux=0` and `enforcing=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: true + - id: 1.6.1.3.a + description: "Ensure SELinux policy is configured" + sub_checks: + - check: + audit: "grep SELINUXTYPE=targeted /etc/selinux/config" + constraints: + lsm: + - selinux + tests: + test_items: + - flag: "SELINUXTYPE=targeted" + set: true + remediation: | + Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: + + SELINUXTYPE=targeted + scored: true + - id: 1.6.1.3.b + description: "Ensure SELinux policy is configured" + sub_checks: + - check: + audit: "sestatus" + constraints: + lsm: + - selinux + tests: + test_items: + - flag: "Loaded policy name:" + compare: + op: has + value: "targeted" + set: true + remediation: | + Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: + + SELINUXTYPE=targeted + scored: true + + + - id: 1.6.1.4 + description: 
"Ensure SETroubleshoot is not installed" + sub_checks: + - check: + audit: "rpm -q setroubleshoot" + constraints: + platform: + - rhel7 + lsm: + - selinux + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: + + # yum remove setroubleshoot + + + # apt-get remove setroubleshoot + + + # zypper remove setroubleshoot + - check: + audit: "dpkg -s setroubleshoot" + constraints: + platform: + - ubuntu + lsm: + - selinux + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: + + # yum remove setroubleshoot + + + # apt-get remove setroubleshoot + + + # zypper remove setroubleshoot + scored: true + - id: 1.6.1.5 + description: "Ensure the MCS Translation Service (mcstrans) is not installed" + sub_checks: + - check: + audit: "rpm -q mcstrans" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "is not installed" + set: true + remediation: | + Uninstall `mcstrans` using the appropriate package manager or manual installation: + + yum remove mcstrans + + + apt-get remove mcstrans + + + zypper remove mcstrans + - check: + audit: "dpkg -s mcstrans" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "" + set: true + remediation: | + Uninstall `mcstrans` using the appropriate package manager or manual installation: + + yum remove mcstrans + + + apt-get remove mcstrans + + + zypper remove mcstrans + scored: true + - id: 1.6.1.6 + description: "Ensure no unconfined daemons exist" + audit: "ps -eZ | egrep \"initrc\" | egrep -vw \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'" + tests: + test_items: + - flag: "" + set: true + remediation: | + Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them. 
+ scored: true + + +- id: 1.6.2 + description: "Configure AppArmoronfigure AppArmor" + checks: + - id: 1.6.2.1 + description: "Ensure AppArmor is not disabled in bootloader configuration" + sub_checks: + - check: + audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" + constraints: + lsm: + - apparmor + boot: + - grub + tests: + test_items: + - flag: "apparmor=0" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. + For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + - check: + audit: "grep LINUX /etc/default/grub" + constraints: + lsm: + - apparmor + boot: + - grub2 + tests: + test_items: + - flag: "apparmor=0" + set: false + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. + For `grub2` based systems edit /etc/default/grub and remove all instances of `apparmor=0` from all CMDLINE\_LINUX parameters: + + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: true + - id: 1.6.2.2 + description: "Ensure all AppArmor Profiles are enforcing" + sub_checks: + - check: + audit: "apparmor_status" + type: manual + constraints: + lsm: + - apparmor + tests: + remediation: | + Run the following command to set all profiles to enforce mode: + + # enforce /etc/apparmor.d/* + + Any unconfined processes may need to have a profile created or activated for them and then be restarted. 
+ scored: true + +- id: 4.1 + description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)" + checks: + - id: 4.1.2 + description: "Ensure auditd service is enabled" + sub_checks: + - check: + audit: "chkconfig --list auditd" + constraints: + platform: + - rhel6 + tests: + test_items: + - flag: "auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off" + set: true + remediation: | + Run one of the following commands to enable `auditd` : + + # chkconfig auditd on + + + # systemctl enable auditd + + + # update-rc.d auditd enable + - check: + audit: "systemctl is-enabled auditd" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "enabled" + set: true + remediation: | + Run one of the following commands to enable `auditd` : + + # chkconfig auditd on + + + # systemctl enable auditd + + + # update-rc.d auditd enable + - check: + audit: "ls /etc/rc*.d | grep auditd" + type: manual + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "" + set: true + remediation: | + Run one of the following commands to enable `auditd` : + + # chkconfig auditd on + + + # systemctl enable auditd + + + # update-rc.d auditd enable + scored: true + - id: 4.1.3 + description: "Ensure auditing for processes that start prior to auditd is enabled" + sub_checks: + - check: + audit: "grep \"^\\s*kernel\" /boot/grub/menu.lst" + constraints: + boot: + - grub + tests: + test_items: + - flag: "audit=1" + set: true + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. 
+ For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: + + GRUB_CMDLINE_LINUX="audit=1" + + Run the following command to update the `grub2` configuration: + + # update-grub + - check: + audit: "grep -i linux /etc/default/grub" + constraints: + boot: + - grub2 + bin_op: and + tests: + test_items: + - flag: "GRUB_CMDLINE_LINUX=" + set: true + - flag: "audit=1" + set: true + remediation: | + For `grub` based systems edit `/boot/grub/menu.lst` to include `audit=1` on all `kernel` lines. + For `grub2` based systems edit /etc/default/grub and add audit=1 to GRUB\_CMDLINE\_LINUX: + + GRUB_CMDLINE_LINUX="audit=1" + + Run the following command to update the `grub2` configuration: + + # update-grub + scored: true + - id: 4.1.4.a + description: "Ensure events that modify date and time information are collected" + audit: "grep time-change /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" + set: true + - flag: "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" + set: true + - flag: "-a always,exit -F arch=b64 -S clock_settime -k time-change" + set: true + - flag: "-a always,exit -F arch=b32 -S clock_settime -k time-change" + set: true + - flag: "-w /etc/localtime -p wa -k time-change" + set: true + remediation: | + + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change + -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change + -a always,exit -F arch=b64 -S clock_settime -k time-change + -a always,exit -F arch=b32 -S clock_settime -k time-change + -w /etc/localtime -p wa -k time-change + + scored: true + + - id: 4.1.4.b + description: "Ensure events that modify date and time information are collected" + audit: "auditctl -l | grep time-change" + tests: + bin_op: and + test_items: + - flag: "-a 
always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" + set: true + - flag: "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" + set: true + - flag: "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" + set: true + - flag: "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" + set: true + - flag: "-w /etc/localtime -p wa -k time-change" + set: true + remediation: | + + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change + -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change + -a always,exit -F arch=b64 -S clock_settime -k time-change + -a always,exit -F arch=b32 -S clock_settime -k time-change + -w /etc/localtime -p wa -k time-change + + scored: true + - id: 4.1.5.a + description: "Ensure events that modify user/group information are collected" + audit: "grep identity /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-w /etc/group -p wa -k identity" + set: true + - flag: "-w /etc/passwd -p wa -k identity" + set: true + - flag: "-w /etc/gshadow -p wa -k identity" + set: true + - flag: "-w /etc/shadow -p wa -k identity" + set: true + - flag: "-w /etc/security/opasswd -p wa -k identity" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /etc/group -p wa -k identity + -w /etc/passwd -p wa -k identity + -w /etc/gshadow -p wa -k identity + -w /etc/shadow -p wa -k identity + -w /etc/security/opasswd -p wa -k identity + + scored: true + + - id: 4.1.5.b + description: "Ensure events that modify user/group information are collected" + audit: "auditctl -l | grep identity" + tests: + bin_op: and + test_items: + - flag: "-w /etc/group -p wa -k identity" + set: true + - flag: "-w /etc/passwd -p wa -k identity" + set: true + - flag: "-w /etc/gshadow -p wa -k identity" + set: true + - flag: "-w /etc/shadow -p wa -k 
identity" + set: true + - flag: "-w /etc/security/opasswd -p wa -k identity" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /etc/group -p wa -k identity + -w /etc/passwd -p wa -k identity + -w /etc/gshadow -p wa -k identity + -w /etc/shadow -p wa -k identity + -w /etc/security/opasswd -p wa -k identity + + scored: true + + - id: 4.1.6.a + description: "Ensure events that modify the system's network environment are collected" + sub_checks: + - check: + audit: "grep system-locale /etc/audit/audit.rules" + constraints: + platform: + - rhel7 + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-w /etc/issue -p wa -k system-locale" + set: true + - flag: "-w /etc/issue.net -p wa -k system-locale" + set: true + - flag: "-w /etc/hosts -p wa -k system-locale" + set: true + - flag: "-w /etc/sysconfig/network -p wa -k system-locale" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale + -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale + -w /etc/issue -p wa -k system-locale + -w /etc/issue.net -p wa -k system-locale + -w /etc/hosts -p wa -k system-locale + -w /etc/sysconfig/network -p wa -k system-locale + - check: + audit: "grep system-locale /etc/audit/audit.rules" + constraints: + platform: + - ubuntu + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-w /etc/issue -p wa -k system-locale" + set: true + - flag: "-w /etc/issue.net -p wa -k system-locale" + set: true + - flag: 
"-w /etc/hosts -p wa -k system-locale" + set: true + - flag: "-w /etc/network -p wa -k system-locale" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale + -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale + -w /etc/issue -p wa -k system-locale + -w /etc/issue.net -p wa -k system-locale + -w /etc/hosts -p wa -k system-locale + -w /etc/network -p wa -k system-locale + scored: true + - id: 4.1.6.b + description: "Ensure events that modify the system's network environment are collected" + sub_checks: + - check: + audit: "grep system-locale /etc/audit/audit.rules" + constraints: + platform: + - rhel7 + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-w /etc/issue -p wa -k system-locale" + set: true + - flag: "-w /etc/issue.net -p wa -k system-locale" + set: true + - flag: "-w /etc/hosts -p wa -k system-locale" + set: true + - flag: "-w /etc/sysconfig/network -p wa -k system-locale" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale + -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale + -w /etc/issue -p wa -k system-locale + -w /etc/issue.net -p wa -k system-locale + -w /etc/hosts -p wa -k system-locale + -w /etc/sysconfig/network -p wa -k system-locale + - check: + audit: "grep system-locale /etc/audit/audit.rules" + constraints: + platform: + - ubuntu + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + set: true + - flag: "-a always,exit -F arch=b32 -S sethostname -S 
setdomainname -k system-locale" + set: true + - flag: "-w /etc/issue -p wa -k system-locale" + set: true + - flag: "-w /etc/issue.net -p wa -k system-locale" + set: true + - flag: "-w /etc/hosts -p wa -k system-locale" + set: true + - flag: "-w /etc/network -p wa -k system-locale" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale + -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale + -w /etc/issue -p wa -k system-locale + -w /etc/issue.net -p wa -k system-locale + -w /etc/hosts -p wa -k system-locale + -w /etc/network -p wa -k system-locale + scored: true + - id: 4.1.7.a + description: "Ensure events that modify the system's Mandatory Access Controls are collected" + sub_checks: + - check: + audit: "grep MAC-policy /etc/audit/audit.rules" + constraints: + lsm: + - selinux + tests: + bin_op: and + test_items: + - flag: "-w /etc/selinux/ -p wa -k MAC-policy" + set: true + - flag: "-w /usr/share/selinux/ -p wa -k MAC-policy" + set: true + remediation: | + On systems using SELinux add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/selinux/ -p wa -k MAC-policy + -w /usr/share/selinux/ -p wa -k MAC-policy + - check: + audit: "grep MAC-policy /etc/audit/audit.rules" + constraints: + lsm: + - apparmor + tests: + bin_op: and + test_items: + - flag: "-w /etc/apparmor/ -p wa -k MAC-policy" + set: true + - flag: "-w /etc/apparmor.d/ -p wa -k MAC-policy" + set: true + remediation: | + On systems using AppArmor add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/apparmor/ -p wa -k MAC-policy + -w /etc/apparmor.d/ -p wa -k MAC-policy + + scored: true + - id: 4.1.7.b + description: "Ensure events that modify the system's Mandatory Access Controls are collected" + sub_checks: + - check: + audit: "auditctl -l | grep MAC-policy" + constraints: + lsm: + - selinux + tests: + 
bin_op: and + test_items: + - flag: "-w /etc/selinux -p wa -k MAC-policy" + set: true + - flag: "-w /usr/share/selinux -p wa -k MAC-policy" + set: true + remediation: | + On systems using SELinux add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/selinux/ -p wa -k MAC-policy + -w /usr/share/selinux/ -p wa -k MAC-policy + - check: + audit: "auditctl -l | grep MAC-policy" + constraints: + lsm: + - apparmor + tests: + bin_op: and + test_items: + - flag: "-w /etc/apparmor -p wa -k MAC-policy" + set: true + - flag: "-w /etc/apparmor.d -p wa -k MAC-policy" + set: true + remediation: | + On systems using AppArmor add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/apparmor/ -p wa -k MAC-policy + -w /etc/apparmor.d/ -p wa -k MAC-policy + + scored: true + - id: 4.1.8.a + description: "Ensure login and logout events are collected" + audit: "grep logins /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-w /var/log/faillog -p wa -k logins" + set: true + - flag: "-w /var/log/lastlog -p wa -k logins" + set: true + - flag: "-w /var/log/tallylog -p wa -k logins" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/log/faillog -p wa -k logins + -w /var/log/lastlog -p wa -k logins + -w /var/log/tallylog -p wa -k logins + + scored: true + + + - id: 4.1.8.b + description: "Ensure login and logout events are collected" + audit: "auditctl -l | grep logins" + tests: + test_items: + - flag: "-w /var/log/faillog -p wa -k logins" + set: true + - flag: "-w /var/log/lastlog -p wa -k logins" + set: true + - flag: "-w /var/log/tallylog -p wa -k logins" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/log/faillog -p wa -k logins + -w /var/log/lastlog -p wa -k logins + -w /var/log/tallylog -p wa -k logins + + scored: true + + - id: 4.1.9.a + description: "Ensure session initiation information is collected" + audit: "grep 
session /etc/audit/audit.rules" + tests: + test_items: + - flag: "-w /var/run/utmp -p wa -k session" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/run/utmp -p wa -k session + -w /var/log/wtmp -p wa -k logins + -w /var/log/btmp -p wa -k logins + + scored: true + + - id: 4.1.9.b + description: "Ensure session initiation information is collected" + audit: "auditctl -l | grep session" + tests: + test_items: + - flag: "-w /var/run/utmp -p wa -k session" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/run/utmp -p wa -k session + -w /var/log/wtmp -p wa -k logins + -w /var/log/btmp -p wa -k logins + + scored: true + + - id: 4.1.9.a + description: "Ensure session initiation information is collected" + audit: "grep logins /etc/audit/audit.rules" + tests: + test_items: + - flag: "-w /var/log/wtmp -p wa -k logins" + set: true + - flag: "-w /var/log/btmp -p wa -k logins" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/run/utmp -p wa -k session + -w /var/log/wtmp -p wa -k logins + -w /var/log/btmp -p wa -k logins + + scored: true + + - id: 4.1.9.b + description: "Ensure session initiation information is collected" + audit: "auditctl -l | grep logins" + tests: + test_items: + - flag: "-w /var/log/wtmp -p wa -k logins" + set: true + - flag: "-w /var/log/btmp -p wa -k logins" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/run/utmp -p wa -k session + -w /var/log/wtmp -p wa -k logins + -w /var/log/btmp -p wa -k logins + + scored: true + + - id: 4.1.10.a + description: "Ensure discretionary access control permission modification events are collected" + audit: "grep perm_mod /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true 
+ - flag: "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true + - flag: "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true + - flag: "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true + - flag: "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true + - flag: "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod + + scored: true + - id: 4.1.10.b + description: "Ensure discretionary access control permission modification events are collected" + audit: "auditctl -l | grep perm_mod" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + - flag: "-a always,exit -F arch=b32 -S 
chmod,fchmod,fchmodat -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + - flag: "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + - flag: "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + - flag: "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + - flag: "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=-1 -F key=perm_mod" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod + + scored: true + - id: 4.1.11.a + description: "Ensure unsuccessful unauthorized file access attempts are collected" + audit: "grep access /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" + set: true + - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F 
auid!=4294967295 -k access" + set: true + - flag: "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" + set: true + - flag: "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access + + scored: true + - id: 4.1.11.b + description: "Ensure unsuccessful unauthorized file access attempts are collected" + audit: "auditctl -l | grep access" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" + set: true + - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=500 -F auid!=-1 -F key=access" + set: true + - flag: "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" + set: true + - flag: "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=500 -F auid!=-1 -F key=access" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F 
auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access + -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access + + scored: true + - id: 4.1.12 + description: "Ensure use of privileged commands is collected" + audit: "find -xdev \\( -perm -4000 -o -perm -2000 \\) -type f | awk '{print \"-a always,exit -F path=\" $1 \" -F perm=x -F auid>=500 -F auid!=4294967295 \ -k privileged\" }' " + type: "manual" + remediation: | + To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: + `-F path=" $1 "` - will populate each file name found through the find command and processed by awk. `-F perm=x` - will write an audit record if the file is executed. `-F auid>=500` - will write a record if the user executing the command is not a privileged user. `-F auid!= 4294967295` - will ignore Daemon events + All audit records should be tagged with the identifier "privileged". + Run the following command replacing _ + _ with a list of partitions where programs can be executed from on your system: + + # find + -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }' + + Add all resulting lines to the `/etc/audit/audit.rules` file. 
+ scored: true + + + - id: 4.1.13.a + description: "Ensure successful file system mounts are collected" + audit: "grep mounts /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" + set: true + - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts + -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts + + scored: true + + - id: 4.1.13.b + description: "Ensure successful file system mounts are collected" + audit: "auditctl -l | grep mounts" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" + set: true + - flag: "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=-1 -F key=mounts" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts + -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts + + scored: true + + - id: 4.1.14.a + description: "Ensure file deletion events by users are collected" + audit: "grep delete /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" + set: true + - flag: "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete + -a always,exit -F 
arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete + + scored: true + + - id: 4.1.14.b + description: "Ensure file deletion events by users are collected" + audit: "auditctl -l | grep delete" + tests: + bin_op: and + test_items: + - flag: "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" + set: true + - flag: "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=500 -F auid!=-1 -F key=delete" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete + -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete + + scored: true + + - id: 4.1.15.a + description: "Ensure changes to system administration scope (sudoers) is collected" + audit: "grep scope /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-w /etc/sudoers -p wa -k scope" + set: true + - flag: "-w /etc/sudoers.d/ -p wa -k scope" + set: true + remediation: | + Add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/sudoers -p wa -k scope + -w /etc/sudoers.d/ -p wa -k scope + + scored: true + + - id: 4.1.15.b + description: "Ensure changes to system administration scope (sudoers) is collected" + audit: "auditctl -l | grep scope" + tests: + bin_op: and + test_items: + - flag: "-w /etc/sudoers -p wa -k scope" + set: true + - flag: "-w /etc/sudoers.d -p wa -k scope" + set: true + remediation: | + Add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/sudoers -p wa -k scope + -w /etc/sudoers.d/ -p wa -k scope + + scored: true + remediation: | + Add the following line to the `/etc/audit/audit.rules` file: + + -w /etc/sudoers -p wa -k scope + -w /etc/sudoers.d/ -p wa -k scope + + scored: true + + - id: 4.1.16.a + 
description: "Ensure system administrator actions (sudolog) are collected" + audit: "grep actions /etc/audit/audit.rules" + tests: + test_items: + - flag: "-w /var/log/sudo.log -p wa -k actions" + compare: + op: eq + value: "-w /var/log/sudo.log -p wa -k actions" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/log/sudo.log -p wa -k actions + + scored: true + + - id: 4.1.16.b + description: "Ensure system administrator actions (sudolog) are collected" + audit: "auditctl -l | grep actions" + tests: + test_items: + - flag: "-w /var/log/sudo.log -p wa -k actions" + set: true + remediation: | + Add the following lines to the `/etc/audit/audit.rules` file: + + -w /var/log/sudo.log -p wa -k actions + + scored: true + + - id: 4.1.17.a + description: "Ensure kernel module loading and unloading is collected" + audit: "grep modules /etc/audit/audit.rules" + tests: + bin_op: and + test_items: + - flag: "-w /sbin/insmod -p x -k modules" + set: true + - flag: "-w /sbin/rmmod -p x -k modules" + set: true + - flag: "-w /sbin/modprobe -p x -k modules" + set: true + - flag: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" + set: true + remediation: | + For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file: + + -w /sbin/insmod -p x -k modules + -w /sbin/rmmod -p x -k modules + -w /sbin/modprobe -p x -k modules + -a always,exit -F arch=b64 -S init_module -S delete_module -k modules + + scored: true + + - id: 4.1.17.b + description: "Ensure kernel module loading and unloading is collected" + audit: "auditctl -l | grep modules" + tests: + bin_op: and + test_items: + - flag: "-w /sbin/insmod -p x -k modules" + set: true + - flag: "-w /sbin/rmmod -p x -k modules" + set: true + - flag: "-w /sbin/modprobe -p x -k modules" + set: true + - flag: "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules" + set: true + remediation: | + For 64 bit systems add the following 
lines to the `/etc/audit/audit.rules` file: + + -w /sbin/insmod -p x -k modules + -w /sbin/rmmod -p x -k modules + -w /sbin/modprobe -p x -k modules + -a always,exit -F arch=b64 -S init_module -S delete_module -k modules + + scored: true + + scored: true + - id: 4.1.18 + description: "Ensure the audit configuration is immutable" + audit: "grep ^\\s*[^#] /etc/audit/audit.rules | tail -1" + tests: + test_items: + - flag: "-e 2" + set: true + remediation: | + Add the following line to the end of the `/etc/audit/audit.rules` file. + + -e 2 + + scored: true + + +- id: 4.1.1 + description: "Configure Data Retentiononfigure Data Retention" + checks: + - id: 4.1.1.1 + description: "Ensure audit log storage size is configured" + audit: "grep max_log_file /etc/audit/auditd.conf" + type: "manual" + tests: + test_items: + - flag: "max_log_file" + compare: + op: has + value: "" + set: true + remediation: | + Set the following parameter in `/etc/audit/auditd.conf` in accordance with site policy: + + max_log_file = + + scored: false + + - id: 4.1.1.2.a + description: "Ensure system is disabled when audit logs are full" + audit: "grep ^space_left_action /etc/audit/auditd.conf" + tests: + test_items: + - flag: "space_left_action = email" + set: true + remediation: | + Set the following parameters in `/etc/audit/auditd.conf:` + + space_left_action = email + action_mail_acct = root + admin_space_left_action = halt + + scored: true + + - id: 4.1.1.2.b + description: "Ensure system is disabled when audit logs are full" + audit: "grep action_mail_acct /etc/audit/auditd.conf" + tests: + test_items: + - flag: "action_mail_acct = root" + set: true + remediation: | + Set the following parameters in `/etc/audit/auditd.conf:` + + space_left_action = email + action_mail_acct = root + admin_space_left_action = halt + + scored: true + + - id: 4.1.1.2.c + description: "Ensure system is disabled when audit logs are full" + audit: "grep admin_space_left_action /etc/audit/auditd.conf" + tests: + 
test_items: + - flag: "admin_space_left_action = halt" + set: true + remediation: | + Set the following parameters in `/etc/audit/auditd.conf:` + + space_left_action = email + action_mail_acct = root + admin_space_left_action = halt + + scored: true + + - id: 4.1.1.3 + description: "Ensure audit logs are not automatically deleted" + audit: "grep max_log_file_action /etc/audit/auditd.conf" + tests: + test_items: + - flag: "max_log_file_action = keep_logs" + set: true + remediation: | + Set the following parameter in `/etc/audit/auditd.conf:` + + max_log_file_action = keep_logs + + scored: true +- id: 5.4 + description: "User Accounts and Environmentser Accounts and Environment" + checks: + - id: 5.4.5.a + description: "Ensure default user shell timeout is 900 seconds or less" + sub_checks: + - check: + audit: "grep ^TMOUT /etc/bashrc" + constraints: + platform: + - rhel7 + tests: + test_items: + - flag: "TMOUT" + compare: + op: lte + value: "900" + set: true + remediation: | + Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + TMOUT=600 + - check: + audit: "grep ^TMOUT /etc/bash.bashrc" + constraints: + platform: + - ubuntu + tests: + test_items: + - flag: "TMOUT" + compare: + op: lte + value: "900" + set: true + remediation: | + Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + TMOUT=600 + + scored: true + - id: 5.4.5.b + description: "Ensure default user shell timeout is 900 seconds or less" + audit: "grep ^TMOUT /etc/profile" + tests: + test_items: + - flag: "TMOUT" + compare: + op: lte + value: "900" + set: true + remediation: | + Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: + + TMOUT=600 + + 
scored: true
+
+- id: 6.1
+ description: "System File Permissionsystem File Permissions"
+ checks:
+ - id: 6.1.1.a
+ description: "Audit system file permissions"
+ audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > "
+ skip: true
+ type: "manual"
+ remediation: |
+ Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
+ scored: false
+
+ - id: 6.1.1.b
+ description: "Audit system file permissions"
+ audit: "dpkg --verify > "
+ skip: true
+ type: "manual"
+ remediation: |
+ Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
+ scored: false
diff --git a/root.go b/root.go
index 151d23e..212ba7a 100644
--- a/root.go
+++ b/root.go
@@ -41,7 +41,7 @@ var (
 var RootCmd = &cobra.Command{
 Use: "linux-bench",
 Short: "linux-bench is a Go application that checks whether the linux operating system is deployed securely",
- Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/benchmark/linux/)`,
+ Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/cis-benchmarks)`,
 Run: app,
 }
From db5b6e3209c72354f3e85133e6f0af18a2b8557a Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Tue, 5 Feb 2019 06:31:23 -0800
Subject: [PATCH 2/2] Specify Distribution Independent Linux Benchmark
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 76300b7..9a35168 100644
--- a/README.md
+++ b/README.md
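Review bot: The new `Long` line still describes the tool as running the "CIS Linux Benchmark", while the second patch on this page changes the README to say "CIS Distribution Independent Linux Benchmark", so after both patches the `--help` output and the README disagree on which benchmark the checks implement. Only the URL changed in this hunk, and the new target appears to be the general CIS benchmarks landing page rather than a page for this specific benchmark, so a user following it from the help text still has to find the right document themselves. Suggest aligning the help text with the README wording: `Long: \`This tool runs the CIS Distribution Independent Linux Benchmark (https://www.cisecurity.org/cis-benchmarks)\`,`. The `RootCmd` declaration is shown in full here, but the enclosing `var (` group it sits in starts outside the hunk.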
@@ -1,6 +1,6 @@ [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Linux Benchmark. +Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Distribution Independent Linux Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.