# Security Configuration Assessment
# CIS Checks for CentOS 7
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security CentOS 7 Benchmark v3.0.0 - 06-30-2020
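policy:
  # Policy identifier as seen by the Wazuh manager. It is unchanged from the
  # upstream Wazuh policy this file appears to be derived from (see the
  # copyright header), so presumably the upstream cis_centos7_linux.yml must
  # not be loaded by the same agents, or the two policies would share an id.
  id: "cis_centos7_linux"
  # Matches the on-disk name of this file (cis_centos7_linux_cm.yml). The
  # previous value, "cis_centos7_linux.yml", named the upstream file instead.
  file: "cis_centos7_linux_cm.yml"
  name: "CIS Benchmark for CentOS 7"
  description: >-
    This document provides prescriptive guidance for establishing a secure
    configuration posture for CentOS 7 systems running on x86 and x64
    platforms. This document was tested against CentOS 7.
  references:
    - https://www.cisecurity.org/cis-benchmarks/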
requirements:
  title: 'Check CentOS 7 platform'
  description: 'Requirements for running the policy against CentOS 7.'
  # With a single rule, `any` and `all` are equivalent: the policy is only
  # evaluated when /etc/system-release identifies a CentOS 7 release.
  condition: any
  rules:
    - "f:/etc/system-release -> r:^CentOS && r:release 7"
variables:
  # Path substituted wherever a check references $sshd_file; presumably the
  # sshd_config checks later in the file (not shown in this excerpt).
  $sshd_file: '/etc/ssh/sshd_config'
checks:
# 1.1.1.1 cramfs: filesystem
# Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on.
# - id: 6000
# title: "Ensure mounting of cramfs filesystems is disabled"
# description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
# rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
# remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf. Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs"
# compliance:
# - cis: ["1.1.1.1"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.5"]
# - tsc: ["CC6.3"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found'
# - 'not c:lsmod -> r:cramfs'
# 1.1.1.2 squashfs: filesystem
# Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on.
# - id: 6001
# title: "Ensure mounting of squashfs filesystems is disabled"
# description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
# rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
# remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs"
# compliance:
# - cis: ["1.1.1.2"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.5"]
# - tsc: ["CC6.3"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found'
# - 'not c:lsmod -> r:squashfs'
# 1.1.1.3 udf: filesystem
# Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on.
# - id: 6002
# title: "Ensure mounting of udf filesystems is disabled"
# description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
# rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
# remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true. Run the following command to unload the udf module: rmmod udf"
# compliance:
# - cis: ["1.1.1.3"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.5"]
# - tsc: ["CC6.3"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:modprobe -n -v udf -> r:install /bin/true|Module udf not found'
# - 'not c:lsmod -> r:udf'
# 1.1.1.4 FAT: filesystem
# Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on. We also have legitimate use cases (SWIFT Windows Servers) where we need to access FAT filesystems.
# - id: 6003
# title: "Ensure mounting of FAT filesystems is disabled"
# description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12, FAT16, and FAT32 all of which are supported by the vfat kernel module."
# rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
# remediation: "If utilizing UEFI the FAT filesystem format is required. In this case, ensure that the FAT filesystem is only used where appropriate. Run the following command: grep -E -i '\\svfat\\s' /etc/fstab And review that any output is appropriate for your environment. If not utilizing UEFI: Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following lines: Example: vim /etc/modprobe.d/fat.conf install fat /bin/true install vfat /bin/true install msdos /bin/true Run the following commands to unload the msdos, vfat, and fat modules: # rmmod msdos # rmmod vfat # rmmod fat "
# compliance:
# - cis: ["1.1.1.4"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.5"]
# - tsc: ["CC6.3"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:modprobe -n -v vfat -> r:install /bin/true|Module vfat not found'
# - 'not c:lsmod -> r:vfat'
# - 'c:modprobe -n -v fat -> r:install /bin/true|Module fat not found'
# - 'not c:lsmod -> r:fat'
# - 'c:modprobe -n -v msdos -> r:install /bin/true|Module msdos not found'
# - 'not c:lsmod -> r:msdos'
# 1.1.2 /tmp: partition
# Assessment: All of our deployed systems are integrated with DataDog which has operational metrics to validate any problematic resource exhaustion in any mounted drive.
# - id: 6004
# title: "Ensure /tmp is configured"
# description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
# rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
# remediation: "Create or update an entry for /tmp in either /etc/fstab OR in a systemd tmp.mount file: If /etc/fstab is used: Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp: # mount -o remount,noexec,nodev,nosuid /tmp OR If systemd tmp.mount file is used: Run the following command to create the file /etc/systemd/system/tmp.mount if it doesn't exist: # [ ! -f /etc/systemd/system/tmp.mount ] && cp -v /usr/lib/systemd/system/tmp.mount /etc/systemd/system/ Edit the file /etc/systemd/system/tmp.mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to reload the systemd daemon:# systemctl daemon-reload Run the following command to unmask tmp.mount: # systemctl unmask tmp.mount Run the following command to enable and start tmp.mount: # systemctl enable --now tmp.mount"
# compliance:
# - cis: ["1.1.2"]
# - cis_csc: ["9.4","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: any
# rules:
# - 'c:mount -> r:\s/tmp\s'
# - 'f:/etc/fstab -> r:\s/tmp\s'
# - 'c:systemctl is-enabled tmp.mount -> r:enabled'
# 1.1.3 /tmp: noexec
# Assessment: only relevant if 6004 applies; that assessment has already been made above.
# - id: 6005
# title: "Ensure noexec option set on /tmp partition"
# description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
# rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
# remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp OR IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount"
# compliance:
# - cis: ["1.1.3"]
# - cis_csc: ["2.6"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/tmp\s && r:noexec'
# 1.1.4 /tmp: nodev
# Assessment: only relevant if 6004 applies; that assessment has already been made above.
# - id: 6006
# title: "Ensure nodev option set on /tmp partition"
# description: "The nodev mount option specifies that the filesystem cannot contain special devices."
# rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
# remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp OR IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount"
# compliance:
# - cis: ["1.1.4"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/tmp\s && r:nodev'
# 1.1.5 /tmp: nosuid
# Assessment: only relevant if 6004 applies; that assessment has already been made above.
# - id: 6007
# title: "Ensure nosuid option set on /tmp partition"
# description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
# rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
# remediation: "IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp OR IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nosuid,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount"
# compliance:
# - cis: ["1.1.5"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/tmp\s && r:nosuid'
# 1.1.6 /dev/shm:
# Assessment: as we don't have /dev as its own partition, this control isn't relevant. # Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on, through DataDog.
# - id: 6008
# title: "Ensure /dev/shm is configured "
# description: "/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd."
# rationale: "Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
# remediation: "Edit /etc/fstab and add or edit the following line: tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0 Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm"
# compliance:
# - cis: ["1.1.6"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/dev/shm\s'
# - 'f:/etc/fstab -> r:\s/dev/shm\s'
# 1.1.7 /dev/shm: noexec
# Assessment: as we don't have /dev as its own partition, this control isn't relevant.
# - id: 6009
# title: "Ensure noexec option set on /dev/shm partition"
# description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
# rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
# remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
# compliance:
# - cis: ["1.1.7"]
# - cis_csc: ["2.6","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/dev/shm\s && r:noexec'
# 1.1.8 /dev/shm: nodev
# Assessment: as we don't have /dev as its own partition, this control isn't relevant.
# - id: 6010
# title: "Ensure nodev option set on /dev/shm partition"
# description: "The nodev mount option specifies that the filesystem cannot contain special devices."
# rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
# remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
# compliance:
# - cis: ["1.1.8"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/dev/shm\s && r:nodev'
# 1.1.9 /dev/shm: nosuid
# Assessment: as we don't have /dev as its own partition, this control isn't relevant.
# - id: 6011
# title: "Ensure nosuid option set on /dev/shm partition"
# description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
# rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
# remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
# compliance:
# - cis: ["1.1.9"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
# 1.1.10 Build considerations - Partition scheme.
# Assessment: as we don't have /var as its own partition, this control isn't relevant.
# - id: 6012
# title: "Ensure separate partition exists for /var"
# description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
# rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
# remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
# compliance:
# - cis: ["1.1.10"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:mount -> r:\s/var\s'
# 1.1.11 bind mount /var/tmp to /tmp
# Assessment: All of our deployed systems are integrated with DataDog which has operational metrics to validate any problematic resource exhaustion in any mounted drive.
# - id: 6013
# title: "Ensure separate partition exists for /var/tmp"
# description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications and is intended for temporary files that are preserved across reboots."
# rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
# remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
# compliance:
# - cis: ["1.1.11"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/var/tmp\s'
# 1.1.12 noexec set on /var/tmp
# Assessment: File integrity monitoring capability is in place, so any mounted drive would generate an alert that we could act on.
# - id: 6014
# title: "Ensure noexec option set on /var/tmp partition"
# description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
# rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
# remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
# compliance:
# - cis: ["1.1.12"]
# - cis_csc: ["2.6"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/var/tmp\s && r:noexec'
# 1.1.13 nodev set on /var/tmp
# - id: 6015
# title: "Ensure nodev option set on /var/tmp partition"
# description: "The nodev mount option specifies that the filesystem cannot contain special devices."
# rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
# remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
# compliance:
# - cis: ["1.1.13"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/var/tmp\s && r:nodev'
# 1.1.14 nosuid set on /var/tmp
# Assessment: as we don't have /var as its own partition, this control isn't relevant.
# - id: 6016
# title: "Ensure nosuid option set on /var/tmp partition"
# description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
# rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
# remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
# compliance:
# - cis: ["1.1.14"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
# 1.1.15 /var/log: partition
# Assessment: as we don't have /var as its own partition, this control isn't relevant.
# - id: 6017
# title: "Ensure separate partition exists for /var/log"
# description: "The /var/log directory is used by system services to store log data ."
# rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
# remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
# compliance:
# - cis: ["1.1.15"]
# - cis_csc: ["6.4"]
# - pci_dss: ["2.2.4","10.7"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:mount -> r:\s/var/log\s'
# 1.1.16 /var/log/audit: partition
# Assessment: as we don't have /var as its own partition, this control isn't relevant.
# - id: 6018
# title: "Ensure separate partition exists for /var/log/audit"
# description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
# rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
# remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
# compliance:
# - cis: ["1.1.16"]
# - cis_csc: ["6.3"]
# - pci_dss: ["2.2.4","10.7"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:mount -> r:\s/var/log/audit\s'
# 1.1.17 /home: partition
# Assessment: as we don't have /home as its own partition, this control isn't relevant.
# - id: 6019
# title: "Ensure separate partition exists for /home"
# description: "The /home directory is used to support disk storage needs of local users."
# rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
# remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
# compliance:
# - cis: ["1.1.17"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# references:
# - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
# condition: all
# rules:
# - 'c:mount -> r:\s/home\s'
# 1.1.18 /home: nodev
# Assessment: as we don't have /home as its own partition, this control isn't relevant.
# - id: 6020
# title: "Ensure nodev option set on /home partition"
# description: "The nodev mount option specifies that the filesystem cannot contain special devices."
# rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
# remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
# compliance:
# - cis: ["1.1.18"]
# - cis_csc: ["5.1","13"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:mount -> r:\s/home\s && r:nodev'
# 1.1.23 Disable Automounting
- id: 6021
  title: 'Disable Automounting'
  description: >-
    autofs allows automatic mounting of devices, typically including CD/DVDs
    and USB drives.
  rationale: >-
    With automounting enabled anyone with physical access could attach a USB
    drive or disc and have its contents available in system even if they
    lacked permissions to mount it themselves.
  remediation: 'Run the following command to disable autofs: systemctl disable autofs'
  compliance:
    - cis: ['1.1.23']
    - cis_csc: ['8.4', '8.5']
    - pci_dss: ['2.2.4']
    - nist_800_53: ['CM.1']
    - tsc: ['CC5.2']
  # `none`: the check passes only when no rule matches, i.e. when systemctl
  # does not report autofs as enabled. A host without the autofs unit
  # presumably prints no "enabled" line either and therefore passes too.
  condition: none
  rules:
    - "c:systemctl is-enabled autofs -> r:enabled"
# 1.1.24 Disable USB Storage
# Assessment: all of the systems with agents are cloud machines without any CD or USB ports, so this control isn't applicable.
# - id: 6022
# title: "Disable USB Storage"
# description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
# rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
# remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf Add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage"
# compliance:
# - cis: ["1.1.22"]
# - cis_csc: ["8.4","8.5"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:modprobe -n -v usb-storage -> r:install /bin/true'
# - 'not c:lsmod -> r:install /bin/true'
###############################################
# 1.2 Configure Software Updates
###############################################
# 1.2.3 Activate gpgcheck
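- id: 6023
  title: "Ensure gpgcheck is globally activated"
  # Path corrected to /etc/yum.repos.d/, the directory the remediation text and
  # the second rule actually inspect.
  description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum.repos.d/* files determines if an RPM package's signature is checked prior to its installation."
  rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
  remediation: "Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '."
  compliance:
    - cis: ["1.2.3"]
    - cis_csc: ["3.4"]
    - pci_dss: ["6.2"]
    - nist_800_53: ["SI.2","SA.11","SI.4"]
    - gpg_13: ["4.3"]
    - gdpr_IV: ["35.7.d"]
    - hipaa: ["164.312.b"]
    - tsc: ["A1.2","CC6.8"]
  # Both rules must hold: yum.conf enables signature checking AND no repo file
  # turns it off again.
  condition: all
  rules:
    # Anchored and whitespace-tolerant. The previous substring match
    # `r:gpgcheck=1` also accepted a commented-out "#gpgcheck=1" line and
    # rejected the "gpgcheck = 1" spelling. The rule still does not verify
    # that the line sits under [main]; review yum.conf if it has other sections.
    - 'f:/etc/yum.conf -> r:^\s*gpgcheck\s*=\s*1'
    # grep already anchors on ^gpgcheck; only the value needs to tolerate
    # spaces around '='.
    - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'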
###############################################
# 1.3 Configure sudo
###############################################
# 1.3.1 install sudo
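- id: 6024
  title: "Ensure sudo is installed"
  description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
  rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
  remediation: "Run the following command to install sudo. # yum install sudo"
  compliance:
    - cis: ["1.3.1"]
    - cis_csc: ["4"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # The "references" entry that used to point at the AIDE manual was a copy/paste
  # error and has been dropped; sudo(8) and sudoers(5) are the relevant manuals.
  # This check only confirms the package is present; 1.3.2 and 1.3.3 cover its configuration.
  condition: all
  rules:
    - 'c:rpm -q sudo -> r:sudo-\S*'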
# 1.3.2 Configure sudo
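- id: 6025
  title: "Ensure sudo commands use pty"
  description: "sudo can be configured to run only from a pseudo-pty"
  rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing. This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not."
  remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults use_pty"
  compliance:
    - cis: ["1.3.2"]
    - cis_csc: ["4"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # The "references" entry that used to point at the AIDE manual was unrelated to
  # this check and has been dropped.
  # Either location satisfies the requirement, hence "any". Limitations of the
  # pattern: a line such as "Defaults log_output,use_pty" (use_pty not first) is
  # reported as a failure, and a later "Defaults !use_pty" that overrides an
  # earlier setting is not detected. Review sudoers by hand if in doubt.
  condition: any
  rules:
    - 'f:/etc/sudoers -> r:^\s*Defaults\s*\t*use_pty'
    # The "r:\." file filter is the Wazuh regex for "any file name".
    - 'd:/etc/sudoers.d/ -> r:\. -> r:^\s*Defaults\s*\t*\s*use_pty'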
# 1.3.3 Ensure sudo log file exists
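- id: 6026
  title: "Ensure sudo log file exists"
  description: "sudo can use a custom log file"
  rationale: "A sudo log file simplifies auditing of sudo commands"
  remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile=\"<PATH TO CUSTOM LOG FILE>\" Example: Defaults logfile=\"/var/log/sudo.log\" This policy requires the path /var/log/sudo.log."
  compliance:
    - cis: ["1.3.3"]
    - cis_csc: ["6.3"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # "any", not "all": the setting lives in /etc/sudoers OR in a sudoers.d drop-in.
  # With "all" a host configured exactly as the remediation describes (one file)
  # could never pass, because both rules had to match.
  condition: any
  rules:
    # sudoers accepts the path with or without double quotes; both forms pass.
    # The path is deliberately pinned to /var/log/sudo.log for this site.
    - 'f:/etc/sudoers -> r:^\s*Defaults\s+logfile\s*=\s*"/var/log/sudo.log"|^\s*Defaults\s+logfile\s*=\s*/var/log/sudo.log\s*$'
    - 'd:/etc/sudoers.d/ -> r:\. -> r:^\s*Defaults\s+logfile\s*=\s*"/var/log/sudo.log"|^\s*Defaults\s+logfile\s*=\s*/var/log/sudo.log\s*$'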
###############################################
# 1.4 Filesystem Integrity Checking
###############################################
# 1.4.1 install AIDE
# Assessment: File system integrity monitoring (Wazuh FIM/syscheck) is always on, so modifications of this kind are captured by the FIM policies in Wazuh. Note that FIM only covers the paths it is configured to watch; keep that scope aligned with what an AIDE baseline would cover.
# - id: 6027
# title: "Ensure AIDE is installed"
# description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
# rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
# remediation: "Run the following command to install AIDE: yum install aide // Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
# compliance:
# - cis: ["1.4.1"]
# - cis_csc: ["14.9"]
# - pci_dss: ["11.5"]
# - tsc: ["PI1.4","PI1.5","CC6.8","CC7.2","CC7.3","CC7.4"]
# references: "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
# condition: all
# rules:
# - 'c:rpm -q aide -> r:aide-\S*'
# 1.4.2 AIDE regular checks
# Assessment: File system integrity monitoring (Wazuh FIM/syscheck) is always on and runs continuously rather than on a schedule, so modifications of this kind are captured by the FIM policies in Wazuh.
# - id: 6028
# title: "Ensure filesystem integrity is regularly checked"
# description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
# rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
# remediation: "If cron will be used to schedule and run aide check run the following command: crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check // Notes: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy. OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simpleExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer "
# compliance:
# - cis: ["1.4.2"]
# - cis_csc: ["14.9"]
# - pci_dss: ["11.5"]
# - tsc: ["PI1.4","PI1.5","CC6.8","CC7.2","CC7.3","CC7.4"]
# condition: any
# rules:
# - 'c:crontab -u root -l -> r:aide'
# - 'c:grep -r aide /etc/cron.* /etc/crontab -> r:aide'
# - 'c:systemctl is-enabled aidecheck.service -> r:enabled'
# - 'c:systemctl is-enabled aidecheck.timer -> r:enabled'
# - 'c:systemctl status aidecheck.timer -> r:enabled'
###############################################
# 1.5 Secure Boot Settings
###############################################
# 1.5.1 Set Boot Loader Password (Scored)
# Assessment: As these policies apply to cloud instances, where console access is severely restricted to the AWS Console and protected with MFA, bootloader settings are considered out of scope
# - id: 6029
# title: "Ensure bootloader password is set"
# description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
# rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
# remediation: "For newergrub2based systems (centOS/RHEL 7.2 and newer): Create an encrypted password with grub2-setpassword: # grub2-setpassword OR For older grub2based systems: create an encrypted password with grub2-mkpasswd-pbkdf2: # grub2-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> Your PBKDF2 is <encrypted-password> Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <<EOFset superusers=\"<username>\"password_pbkdf2 <username> <encrypted-password>EOF Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg"
# compliance:
# - cis: ["1.5.1"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD\s*=\.+'
# - 'f:/boot/grub2/grub.cfg -> r:^set superusers\s*=\.+'
# - 'f:/boot/grub2/grub.cfg -> r:^password_pbkdf2 \.+'
# 1.5.2 Configure bootloader
# Assessment: As these policies apply to cloud instances, where console access is severely restricted to the AWS Console and protected with MFA, bootloader settings are considered out of scope
# - id: 6030
# title: "Ensure permissions on bootloader config are configured"
# description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.cfg . On newer grub2 systems the encrypted bootloader password is contained in /boot/grub2/user.cfg"
# rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
# remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg # chown root:root /boot/grub2/user.cfg # chmod og-rwx /boot/grub2/user.cfg"
# compliance:
# - cis: ["1.5.2"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'c:stat /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
# - 'c:stat /boot/grub2/user.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|cannot stat'
# 1.5.3 Single user authentication
# Assessment: As these policies apply to cloud instances, where console access is severely restricted to the AWS Console and protected with MFA, bootloader settings are considered out of scope
# - id: 6031
# title: "Ensure authentication required for single user mode"
# description: "Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
# rationale: "Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
# remediation: "Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin: ExecStart=-/bin/sh -c \"/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\" "
# compliance:
# - cis: ["1.5.3"]
# - cis_csc: ["5.1"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all
# rules:
# - 'f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
# - 'f:/usr/lib/systemd/system/emergency.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
###############################################
# 1.6 Additional Process Hardening
###############################################
# 1.6.1 Restrict Core Dumps (Scored)
- id: 6032
  title: "Ensure core dumps are restricted"
  description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
  rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
  remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
  compliance:
    - cis: ["1.6.1"]
    - cis_csc: ["5.1"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # NOTE(review): if systemd-coredump is installed it captures dumps independently
  # of the ulimit; later benchmark revisions add Storage=none / ProcessSizeMax=0 in
  # /etc/systemd/coredump.conf. That is not assessed here — confirm whether it applies.
  condition: all
  rules:
    # A "* hard core 0" line must exist in limits.conf or limits.d. A later, more
    # specific entry (e.g. for a group) may still override it and is not detected.
    - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:hard\s*\t*core\s*\t*0$'
    # Both the running value and the persisted value of fs.suid_dumpable must be 0.
    - 'c:sysctl fs.suid_dumpable -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
    - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
# 1.6.2 XD/NX enabled
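- id: 6033
  title: "Ensure XD/NX support is enabled"
  description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
  rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
  remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
  compliance:
    - cis: ["1.6.2"]
    - cis_csc: ["8.3"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  condition: any
  rules:
    # Journal lines carry a timestamp and host name before "kernel:", so the old
    # pattern anchored on "^kernel:" could never match and only dmesg was effective.
    # Match the message itself and restrict the query to kernel messages (-k).
    - 'c:journalctl -k -> r:NX \(Execute Disable\) protection: active'
    # Fallback: the in-memory ring buffer, which may have wrapped on long-running
    # hosts; that is why the journal is consulted first.
    - 'c:dmesg -> r:NX \(Execute Disable\) protection: active'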
# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
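- id: 6034
  title: "Ensure address space layout randomization (ASLR) is enabled"
  description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
  rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
  remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
  compliance:
    - cis: ["1.6.3"]
    - cis_csc: ["8.3"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  condition: all
  rules:
    # Persisted value. Trailing whitespace after the "2" is now tolerated instead of
    # producing a false failure, and the end anchor keeps e.g. "20" from matching.
    # grep -Rh passes if any file sets 2; a later file in sysctl.d setting another
    # value would not be noticed here, which is why the live value is also checked.
    - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2\s*$'
    # Running value, the authoritative one.
    - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2\s*$'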
# 1.6.4 Disable prelink
- id: 6035
  title: "Ensure prelink is disabled"
  description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
  rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
  remediation: "Run the following commands to restore binaries to normal: # prelink -ua Run the following command to uninstall prelink: # yum remove prelink"
  compliance:
    - cis: ["1.6.4"]
    - cis_csc: ["14.9"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Presence check only: the package must be absent. Binaries that were prelinked
  # before removal (remediation step "prelink -ua") are not inspected here; the
  # file-hash comparisons of FIM/AIDE are what would surface them.
  condition: all
  rules:
    - 'c:rpm -q prelink -> r:package prelink is not installed'
###############################################
# 1.7 Configure SELinux
###############################################
# 1.7.1.1 Install SELinux
- id: 6036
  title: "Ensure SELinux is installed"
  description: "SELinux provides Mandatory Access Controls."
  rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
  remediation: "Run the following command to install libselinux: # yum install libselinux"
  compliance:
    - cis: ["1.7.1.1"]
    - cis_csc: ["14.6"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Installed library only; whether a policy is loaded and enforced is covered by
  # checks 6038 (policy) and 6039 (mode).
  condition: all
  rules:
    - 'c:rpm -q libselinux -> r:libselinux-\S+'
# 1.7.1.2 SELinux not disabled
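- id: 6037
  title: "Ensure SELinux is not disabled in bootloader configuration"
  description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
  rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
  remediation: "Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\" GRUB_CMDLINE_LINUX=\"\" || Run the following command to update the grub2 configuration: grub2-mkconfig -o /boot/grub2/grub.cfg"
  compliance:
    - cis: ["1.7.1.2"]
    - cis_csc: ["14.6"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Negative check: the kernel command line must not carry selinux=0 or enforcing=0.
  # NOTE(review): on UEFI installs the generated file lives under /boot/efi/EFI/
  # rather than /boot/grub2/grub.cfg; if such instances exist, add that path.
  condition: none
  rules:
    # Effective configuration (what the next boot will use). "\.+" is the Wazuh
    # regex for ".+", so both "linux" and "linux16" entries are covered.
    - 'f:/boot/grub2/grub.cfg -> r:^\s*linux\.+selinux=0|^\s*linux\.+enforcing=0'
    # Source configuration: catches a pending change in /etc/default/grub before
    # grub2-mkconfig has been run. Anchored so commented-out lines are ignored;
    # the prefix also matches GRUB_CMDLINE_LINUX_DEFAULT.
    - 'f:/etc/default/grub -> r:^\s*GRUB_CMDLINE_LINUX\.+selinux=0|^\s*GRUB_CMDLINE_LINUX\.+enforcing=0'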
# 1.7.1.3 Set selinux policy
- id: 6038
  title: "Ensure SELinux policy is configured"
  description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
  rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
  remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
  compliance:
    - cis: ["1.7.1.3"]
    - cis_csc: ["14.6"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  condition: all
  rules:
    # Loaded policy (live) must be targeted or mls.
    - 'c:sestatus -> r:^Loaded policy name:\s*\t*targeted$|^Loaded policy name:\s*\t*mls'
    # Persisted policy. NOTE(review): libselinux appears to read the "SELINUXTYPE="
    # tag literally (no leading whitespace, no space before "="), so the lenient
    # "\s*=\s*" here can accept a line the system itself would ignore; the live
    # sestatus rule above is the one to trust — verify before tightening.
    - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
# 1.7.1.4 Set selinux mode
- id: 6039
  title: "Ensure the SELinux mode is enforcing or permissive"
  description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled -Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future"
  rationale: "Running SELinux in disabled modeis strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
  remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive"
  compliance:
    - cis: ["1.7.1.4"]
    - cis_csc: ["14.6"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Permissive passes this check, and no check in this policy requires Enforcing:
  # the sequence goes from 1.7.1.4 straight to 1.7.1.6 (6040), so benchmark item
  # 1.7.1.5 "SELinux state is enforcing" is not implemented. A permissive host
  # therefore has no MAC enforcement while still passing section 1.7 here.
  condition: all
  rules:
    # Running mode.
    - 'c:getenforce -> r:^Enforcing|^Permissive'
    # Persisted mode. The strict "^SELINUX=" form (no surrounding whitespace) is
    # deliberate and should not be loosened to "\s*=\s*": libselinux matches the
    # "SELINUX=" tag literally, so a padded line would be ignored at boot.
    - 'f:/etc/selinux/config -> r:^SELINUX=enforcing|^SELINUX=permissive'
# 1.7.1.6 Ensure no unconfined services exist
- id: 6040
  title: "Ensure no unconfined services exist"
  description: "Unconfined processes run in unconfined domains"
  rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them"
  remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
  compliance:
    - cis: ["1.7.1.6"]
    - cis_csc: ["9.2"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Negative check on the live process table: any process labelled
  # unconfined_service_t fails the host. NOTE(review): third-party daemons that
  # ship no SELinux module (possibly the Wazuh agent itself) will show up here;
  # confirm which ones are expected before treating a failure as a finding.
  condition: none
  rules:
    - 'c:ps -eZ -> r:unconfined_service_t'
# 1.7.1.7 Remove SETroubleshoot
- id: 6041
  title: "Ensure SETroubleshoot is not installed"
  description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
  rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
  remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
  compliance:
    - cis: ["1.7.1.7"]
    - cis_csc: ["14.6"]
    - pci_dss: ["2.2.4"]
    - nist_800_53: ["CM.1"]
    - tsc: ["CC5.2"]
  # Passes when rpm reports the package absent. "condition: all" is the correct
  # polarity for a "not installed" rule (the rule must match for the check to pass).
  condition: all
  rules:
    - 'c:rpm -q setroubleshoot -> r:package setroubleshoot is not installed'
# 1.7.1.8 Disable MCS Translation service mcstrans
# Assessment: This setting doesn't pose significant risk, and we have measures in place (FIM) to detect any changes that could take advantage of it
# - id: 6042
# title: "Ensure the MCS Translation Service (mcstrans) is not installed"
# description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
# rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
# remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
# compliance:
# - cis: ["1.7.1.8"]
# - cis_csc: ["9.2"]
# - pci_dss: ["2.2.4"]
# - nist_800_53: ["CM.1"]
# - tsc: ["CC5.2"]
# condition: all  # was "none", which inverted the result: the rule matches when the package is absent, i.e. the desired state (compare 6041)
# rules:
# - 'c:rpm -q mcstrans -> r:package mcstrans is not installed'
###############################################
# 1.8 Warning Banners
###############################################
# 1.8.1.1 Configure message of the day (Scored)
- id: 6043
  title: "Ensure message of the day is configured properly"
  description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
  rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
  remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd"
  compliance:
    - cis: ["1.8.1.1"]
    - cis_csc: ["5.1"]
    - pci_dss: ["7.1"]
    - tsc: ["CC6.4"]
  # Negative check: passes when none of the getty escape sequences appear. A
  # missing /etc/motd therefore passes as well (removal is an accepted
  # remediation). The check does not verify that a legal/monitoring banner is
  # actually present, nor does it catch a spelled-out OS name or version.
  condition: none
  rules:
    - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
# 1.8.1.2 Configure local login warning banner (Not Scored)
- id: 6044
  title: "Ensure local login warning banner is configured properly"
  description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version -or the operating system's name."
  rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
  remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
  compliance:
    - cis: ["1.8.1.2"]
    - cis_csc: ["5.1"]
    - pci_dss: ["7.1"]
    - tsc: ["CC6.4"]
  # Negative check: only the presence of OS-disclosing escape sequences fails it.
  # An absent or empty /etc/issue (i.e. no banner at all) still passes, and a
  # spelled-out OS name is not detected; presence of the banner text is not verified.
  condition: none
  rules:
    - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
# 1.8.1.3 Configure remote login warning banner (Not Scored)
- id: 6045
  title: "Ensure remote login warning banner is configured properly"
  description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
  rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
  remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
  compliance:
    - cis: ["1.8.1.3"]
    - cis_csc: ["5.1"]
    - pci_dss: ["7.1"]
    - tsc: ["CC6.4"]
  # Negative check: only OS-disclosing escape sequences fail it. An absent or
  # empty /etc/issue.net still passes. Whether sshd actually displays this file
  # (the Banner directive) is a separate setting and is not assessed here.
  condition: none
  rules:
    - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
# 1.8.1.4 Configure /etc/motd permissions (Not Scored)
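- id: 6046
  title: "Ensure permissions on /etc/motd are configured"
  description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
  rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
  remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
  compliance:
    - cis: ["1.8.1.4"]
    - cis_csc: ["14.6"]
    - pci_dss: ["10.2.5"]
    - hipaa: ["164.312.b"]
    - nist_800_53: ["AU.14", "AC.7"]
    - gpg_13: ["7.8"]
    - gdpr_IV: ["35.7","32.2"]
    - tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
  condition: all
  rules:
    # Exactly 0644 and root:root. Check 6043 explicitly allows removing /etc/motd
    # ("rm /etc/motd"), so a host that followed that remediation must not fail
    # here: stat's "cannot stat" output for a missing file is accepted as well.
    - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|cannot stat'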
# 1.8.1.5 Configure /etc/issue permissions (Scored)
- id: 6047
  title: "Ensure permissions on /etc/issue are configured"
  description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
  rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
  remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
  compliance:
    - cis: ["1.8.1.5"]
    - cis_csc: ["14.6"]
    - pci_dss: ["10.2.5"]
    - hipaa: ["164.312.b"]
    - nist_800_53: ["AU.14", "AC.7"]
    - gpg_13: ["7.8"]
    - gdpr_IV: ["35.7","32.2"]
    - tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
  condition: all
  rules:
    # Mode must be exactly 0644 and owner/group root (0 / root). A more
    # restrictive mode such as 0640 is reported as a failure by this pattern.
    # Unlike 6046, a missing file is not accepted: the banner is expected to exist.
    - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
# 1.8.1.6 Configure /etc/issue.net permissions (Not Scored)
- id: 6048
  title: "Ensure permissions on /etc/issue.net are configured"
  description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
  rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
  remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
  compliance:
    - cis: ["1.8.1.6"]
    - cis_csc: ["14.6"]
    - pci_dss: ["10.2.5"]
    - hipaa: ["164.312.b"]
    - nist_800_53: ["AU.14", "AC.7"]
    - gpg_13: ["7.8"]
    - gdpr_IV: ["35.7","32.2"]
    - tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
  condition: all
  rules:
    # Mode must be exactly 0644 and owner/group root (0 / root). A more
    # restrictive mode such as 0640 is reported as a failure by this pattern,
    # and a missing /etc/issue.net fails as well.
    - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
# 1.9 Ensure updates, patches, and additional security software are installed
- id: 6049
title: "Ensure updates, patches, and additional security software are installed"
description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available packages: # yum update"
compliance:
- cis: ["1.9"]
- cis_csc: ["3.4","3.5"]
- pci_dss: ["5.2"]
- nist_800_53: ["AU.6","SI.4"]
- gpg_13: ["4.2"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2"]
condition: all
rules:
- 'c:yum check-update -> r:No packages needed for security'
# 1.10 Ensure GDM login banner is configured (Scored)
- id: 6050
title: "Ensure GDM login banner is configured"
description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
rationale: "If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a graphical login is required, last logged in user display should be disabled, and a warning banner should be configured. Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
remediation: "Run the following command to remove gdm: # yum remove gdm OR If GDM is required: Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized uses only. All activity may be monitored and reported.' Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update"
compliance:
- cis: ["1.10"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
- tsc: ["CC6.4"]
condition: all
rules:
- 'f:/etc/dconf/profile/gdm -> r:user-db:user'
- 'f:/etc/dconf/profile/gdm -> r:system-db:gdm'
- 'f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults'
- 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:banner-message-enable=true'
- 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:banner-message-text=\.+'
- 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:disable-user-list=true'
###############################################