/
cis_debian9.yml
2960 lines (2755 loc) · 200 KB
/
cis_debian9.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Security Configuration Assessment
# CIS Checks for Debian Linux 9
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
# Center for Internet Security Debian Linux 9 Benchmark v1.0.1 - 01-13-2020
policy:
id: "cis_debian9"
file: "cis_debian9.yml"
name: "CIS Benchmark for Debian/Linux 9"
description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9."
references:
- https://www.cisecurity.org/cis-benchmarks/
requirements:
title: "Check Debian version"
description: "Requirements for running the SCA scan against Debian/Ubuntu."
condition: all
rules:
- 'f:/etc/debian_version'
- 'f:/proc/sys/kernel/ostype -> Linux'
checks:
# 1.1.1 Disable unused filesystems
- id: 2000
title: "Ensure mounting of freevxfs filesystems is disabled"
description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
compliance:
- cis: ["1.1.1.1"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'c:modprobe -n -v freevxfs -> r:^install /bin/true'
- 'not c:lsmod -> r:freevxfs'
- id: 2001
title: "Ensure mounting of jffs2 filesystems is disabled"
description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
compliance:
- cis: ["1.1.1.2"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'c:modprobe -n -v jffs2 -> r:^install /bin/true'
- 'not c:lsmod -> r:jffs2'
- id: 2002
title: "Ensure mounting of hfs filesystems is disabled"
description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
compliance:
- cis: ["1.1.1.3"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'c:modprobe -n -v hfs -> r:^install /bin/true'
- 'not c:lsmod -> r:hfs'
- id: 2003
title: "Ensure mounting of hfsplus filesystems is disabled"
description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
compliance:
- cis: ["1.1.1.4"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'c:modprobe -n -v hfsplus -> r:^install /bin/true'
- 'not c:lsmod -> r:hfsplus'
- id: 2004
title: "Ensure mounting of udf filesystems is disabled"
description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
compliance:
- cis: ["1.1.1.5"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.5"]
- tsc: ["CC6.3"]
condition: all
rules:
- 'c:modprobe -n -v udf -> r:^install /bin/true'
- 'not c:lsmod -> r:udf'
# 2 Filesystem Configuration
- id: 2005
title: "Ensure /tmp is configured"
description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,realtime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount"
compliance:
- cis: ["1.1.2"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
- https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
condition: all
rules:
- 'c:mount -> r:\s/tmp\s'
- 'c:systemctl is-enabled tmp.mount -> enabled'
- id: 2006
title: "Ensure nodev option set on /tmp partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid and run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount"
compliance:
- cis: ["1.1.3"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/tmp\s && r:nodev'
- id: 2007
title: "Ensure nosuid option set on /tmp partition"
description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
compliance:
- cis: ["1.1.4"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/tmp\s && r:nosuid'
- id: 2008
title: "Ensure noexec option set on /tmp partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
compliance:
- cis: ["1.1.5"]
- cis_csc: ["2.6", "8"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/tmp\s && r:noexec'
- id: 2009
title: "Ensure separate partition exists for /var"
description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
compliance:
- cis: ["1.1.6"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
condition: all
rules:
- 'c:mount -> r:\s/var\s'
- id: 2010
title: "Ensure separate partition exists for /var/tmp"
description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
compliance:
- cis: ["1.1.7"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
condition: all
rules:
- 'c:mount -> r:\s/var/tmp\s'
- id: 2011
title: "Ensure nodev option set on /var/tmp partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
compliance:
- cis: ["1.1.8"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/var/tmp\s && r:nodev'
- id: 2012
title: "Ensure nosuid option set on /var/tmp partition"
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
compliance:
- cis: ["1.1.9"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/var/tmp\s && r:nosuid'
- id: 2013
title: "Ensure noexec option set on /var/tmp partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
compliance:
- cis: ["1.1.10"]
- cis_csc: ["2.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/var/tmp\s && r:noexec'
- id: 2014
title: "Ensure separate partition exists for /var/log"
description: "The /var/log directory is used by system services to store log data."
rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
compliance:
- cis: ["1.1.11"]
- cis_csc: ["6.4"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
condition: all
rules:
- 'c:mount -> r:\s/var/log\s'
- id: 2015
title: "Ensure separate partition exists for /var/log/audit"
description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
compliance:
- cis: ["1.1.12"]
- cis_csc: ["6.4"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
condition: all
rules:
- 'c:mount -> r:\s/var/log/audit\s'
- id: 2016
title: "Ensure separate partition exists for /home"
description: "The /home directory is used to support disk storage needs of local users."
rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
compliance:
- cis: ["1.1.13"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://tldp.org/HOWTO/LVM-HOWTO/
condition: all
rules:
- 'c:mount -> r:\s/home\s'
- id: 2017
title: "Ensure nodev option set on /home partition"
description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
compliance:
- cis: ["1.1.14"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/home\s && r:nodev'
- id: 2018
title: "Ensure nodev option set on /dev/shm partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
compliance:
- cis: ["1.1.15"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/dev/shm\s && r:nodev'
- id: 2019
title: "Ensure nosuid option set on /dev/shm partition"
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
compliance:
- cis: ["1.1.16"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/dev/shm\s && r:nosuid'
- id: 2020
title: "Ensure noexec option set on /dev/shm partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
compliance:
- cis: ["1.1.17"]
- cis_csc: ["2.6", "8"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:mount -> r:\s/dev/shm\s && r:noexec'
- id: 2021
title: "Disable Automounting"
description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
remediation: "Run the following command to disable autofs: # systemctl disable autofs"
compliance:
- cis: ["1.1.22"]
- cis_csc: ["8.4", "8.5"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled autofs -> r:^enabled'
# 1.3 Filesystem Integrity Checking
- id: 2022
title: "Ensure AIDE is installed"
description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
remediation: "Run the following command to install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
compliance:
- cis: ["1.3.1"]
- cis_csc: ["14.9"]
- pci_dss: ["11.5"]
- tsc: ["PI1.4","PI1.5","CC6.8","CC7.2","CC7.3","CC7.4"]
reference:
- 'AIDE stable manual: http://aide.sourceforge.net/stable/manual.html'
condition: all
rules:
- 'c:dpkg -s aide -> r:install ok installed'
- id: 2023
title: "Ensure filesystem integrity is regularly checked"
description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
remediation: "Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
compliance:
- cis: ["1.3.2"]
- cis_csc: ["14.9"]
- pci_dss: ["11.5"]
- tsc: ["PI1.4","PI1.5","CC6.8","CC7.2","CC7.3","CC7.4"]
condition: all
rules:
- 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
- 'c:crontab -u root -l -> !r:^# && r:/usr/bin/aide && r:--check'
# 1.4 Secure Boot Settings
- id: 2024
title: "Ensure permissions on bootloader config are configured"
description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
compliance:
- cis: ["1.4.1"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
- id: 2025
title: "Ensure bootloader password is set"
description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 Create a custom /etc/grub.d configuration file: If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following command to update the grub2 configuration: # update-grub"
compliance:
- cis: ["1.4.2"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
- id: 2026
title: "Ensure authentication required for single user mode"
description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
compliance:
- cis: ["1.4.3"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'f:/etc/shadow -> r:^root:*:|^root:!:'
# 1.5 Additional Process Hardening
- id: 2027
title: "Ensure core dumps are restricted"
description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
compliance:
- cis: ["1.5.1"]
- cis_csc: ["13"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
- 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
- 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
- id: 2029
title: "Ensure address space layout randomization (ASLR) is enabled"
description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
compliance:
- cis: ["1.5.3"]
- cis_csc: ["8.3"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
- 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
- id: 2030
title: "Ensure prelink is disabled"
description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
compliance:
- cis: ["1.5.4"]
- cis_csc: ["14.9"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:dpkg -s prelink -> r:install ok installed'
# 1.6 Configure SELinux
- id: 2031
title: "Ensure SELinux is enabled in the bootloader configuration"
description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
remediation: "Run the following command to configure GRUB and PAM and to create /.autorelabel: # selinux-activate Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line: selinux=1 security=selinux example: GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\" GRUB_CMDLINE_LINUX=\"selinux=1 security=selinux enforcing=1 audit=1\" Run the following command to update the grub2configuration: # update-grub"
compliance:
- cis: ["1.6.1.1"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:selinux=1'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=selinux'
- id: 2032
title: "Ensure the SELinux state is enforcing"
description: "Set SELinux to enable when the system is booted."
rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line: enforcing=1 Example: GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\" GRUB_CMDLINE_LINUX=\"selinux=1 security=selinux enforcing=1 audit=1\" Run the following command to update the grub2 configuration: # update-grub"
compliance:
- cis: ["1.6.1.2"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:sestatus -> r:^SELinux status:\s+enabled$'
- 'c:sestatus -> r:^Current mode:\s+enforcing$'
- 'c:sestatus -> r:^Mode from config file:\s+enforcing$'
- 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
- 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:enforcing=1'
- id: 2033
title: "Ensure SELinux policy is configured"
description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
compliance:
- cis: ["1.6.1.3"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:sestatus -> r:^Loaded policy name:\s+default|^Loaded policy name:\s+mls'
- 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*default|^\s*SELINUXTYPE\s*=\s*mls'
- id: 2034
title: "Ensure no unconfined daemons exist"
description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
compliance:
- cis: ["1.6.1.4"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk'
- id: 2035
title: "Ensure AppArmor is enabled in the bootloader configuration"
description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
remediation: "Edit /etc/default/grub and add the appermor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" update the grub configuration # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
compliance:
- cis: ["1.6.2.1"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
- id: 2036
title: "Ensure all AppArmor Profiles are enforcing"
description: "AppArmor profiles define what resources applicatons are able to access."
rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
compliance:
- cis: ["1.6.2.2"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:apparmor status -> r:0 profiles are in complain mode'
- 'c:apparmor status -> r:0 processes are unconfined'
- 'c:apparmor status -> n:(\d+) profiles are loaded compare > 0'
- id: 2037
title: "Ensure SELinux or AppArmor are installed"
description: "SELinux and AppArmor provide Mandatory Access Controls."
rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
compliance:
- cis: ["1.6.3"]
- cis_csc: ["14.6"]
- pci_dss: ["2.2.4"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: any
rules:
- 'c:dpkg -s selinux-basics -> r:install ok installed'
- 'c:dpkg -s apparmor -> r:install ok installed'
# 1.7 Warning Banners
- id: 2038
title: "Ensure message of the day is configured properly"
description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
compliance:
- cis: ["1.7.1.1"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
condition: none
rules:
- 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian'
- id: 2039
title: "Ensure local login warning banner is configured properly"
description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
compliance:
- cis: ["1.7.1.2"]
- cis_csc: ["5.1"]
condition: none
rules:
- 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian'
- id: 2040
title: "Ensure remote login warning banner is configured properly"
description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
compliance:
- cis: ["1.7.1.3"]
- cis_csc: ["5.1"]
- pci_dss: ["7.1"]
condition: none
rules:
- 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian'
- id: 2041
title: "Ensure permissions on /etc/motd are configured"
description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
compliance:
- cis: ["1.7.1.4"]
- cis_csc: ["5.1"]
- pci_dss: ["10.2.5"]
- hipaa: ["164.312.b"]
- nist_800_53: ["AU.14", "AC.7"]
- gpg_13: ["7.8"]
- gdpr_IV: ["35.7","32.2"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
condition: all
rules:
- 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
- id: 2042
title: "Ensure permissions on /etc/issue are configured"
description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
compliance:
- cis: ["1.7.1.5"]
- cis_csc: ["5.1"]
- pci_dss: ["10.2.5"]
- hipaa: ["164.312.b"]
- nist_800_53: ["AU.14", "AC.7"]
- gpg_13: ["7.8"]
- gdpr_IV: ["35.7","32.2"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
condition: all
rules:
- 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
- id: 2043
title: "Ensure permissions on /etc/issue.net are configured"
description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
compliance:
- cis: ["1.7.1.6"]
- cis_csc: ["5.1"]
- pci_dss: ["10.2.5"]
- hipaa: ["164.312.b"]
- nist_800_53: ["AU.14", "AC.7"]
- gpg_13: ["7.8"]
- gdpr_IV: ["35.7","32.2"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
condition: all
rules:
- 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
- id: 2044
title: "Ensure GDM login banner is configured"
description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
compliance:
- cis: ["1.7.2"]
- cis_csc: ["5.1"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true'
- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
- id: 2045
title: "Ensure updates, patches, and additional security software are installed"
description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
compliance:
- cis: ["1.8"]
- cis_csc: ["3.4", "3.5"]
- pci_dss: ["5.2"]
- nist_800_53: ["AU.6","SI.4"]
- gpg_13: ["4.2"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["A1.2"]
condition: none
rules:
- 'c:apt-get -s upgrade -> r:^The following packages will be upgraded'
# 2 Services
- id: 2046
title: "Ensure xinetd is not installed"
description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
rationale: "If there are no xinetd services required, it is recommended that the package be removed."
remediation: "Run the following commands to remove xinetd: # apt-get remove xinetd # apt-get purge xinetd"
compliance:
- cis: ["2.1.1"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'c:dpkg -s xinetd -> r:dpkg-query: package \.+ is not installed'
- id: 2047
title: "Ensure openbsd-inetd is not installed"
description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
compliance:
- cis: ["2.1.2"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.3"]
- nist_800_53: ["CM.1"]
- gpg_13: ["4.3"]
- gdpr_IV: ["35.7.d"]
- hipaa: ["164.312.b"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:dpkg -s openbsd-inetd -> r:install ok installed'
- id: 2048
title: "Ensure time synchronization is in use"
description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
remediation: "On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using one of the following commands: # apt-get install ntp # apt-get install chrony On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
compliance:
- cis: ["2.2.1.1"]
- cis_csc: ["6.1"]
- pci_dss: ["10.4"]
- nist_800_53: ["AU.8"]
- tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
condition: any
rules:
- 'c:dpkg -s ntp -> r:install ok installed'
- 'c:dpkg -s chrony -> r:install ok installed'
- id: 2049
title: "Ensure ntp is configured"
description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
compliance:
- cis: ["2.2.1.2"]
- cis_csc: ["6.1"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- http://www.ntp.org/
condition: all
rules:
- 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
- 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
- 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
- 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
- id: 2050
title: "Ensure chrony is configured"
description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server>"
compliance:
- cis: ["2.2.1.3"]
- cis_csc: ["6.1"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: all
rules:
- 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
# 2.2.2 Ensure the X Window system is not installed (Scored)
- id: 2051
title: "Ensure the X Window system is not installed"
description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
remediation: "Run the following command to remove the X Windows System packages: apt-get remove xserver-xorg*"
compliance:
- cis: ["2.2.2"]
- cis_csc: ["2.6"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2","CC6.1","CC6.8","CC7.1","CC7.2","CC8.1"]
condition: none
rules:
- 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
- id: 2052
title: "Ensure Avahi Server is not enabled"
description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
compliance:
- cis: ["2.2.3"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled avahi-daemon -> enabled'
- id: 2053
title: "Ensure CUPS is not enabled"
description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
remediation: "Run the following command to disable cups: # systemctl disable cups"
compliance:
- cis: ["2.2.4"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- https://www.cups.org
condition: none
rules:
- 'c:systemctl is-enabled cups -> enabled'
- id: 2054
title: "Ensure DHCP Server is not enabled"
description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6"
references:
- https://www.isc.org/dhcp/
compliance:
- cis: ["2.2.5"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled isc-dhcp-server -> enabled'
- 'c:systemctl is-enabled isc-dhcp-server6 -> enabled'
- id: 2055
title: "Ensure LDAP server is not enabled"
description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
remediation: "Run the following command to disable slapd: # systemctl disable slapd"
compliance:
- cis: ["2.2.6"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
references:
- https://www.openldap.org
condition: none
rules:
- 'c:systemctl is-enabled slapd -> enabled'
- id: 2056
title: "Ensure NFS and RPC are not enabled"
description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
compliance:
- cis: ["2.2.7"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled nfs-server -> enabled'
- 'c:systemctl is-enabled rpcbind -> enabled'
- id: 2057
title: "Ensure DNS Server is not enabled"
description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
remediation: "Run the following command to disable named: # systemctl disable bind9"
compliance:
- cis: ["2.2.8"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled bind9 -> enabled'
- id: 2058
title: "Ensure FTP Server is not enabled"
description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
compliance:
- cis: ["2.2.9"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled vsftpd -> enabled'
- id: 2059
title: "Ensure HTTP Server is not enabled"
description: "HTTP or web servers provide the ability to host web site content."
rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
remediation: "Run the following command to disable apache2: # systemctl disable apache2"
compliance:
- cis: ["2.2.10"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none
rules:
- 'c:systemctl is-enabled apache2 -> enabled'
- id: 2060
title: "Ensure IMAP and POP3 server is not enabled"
description: "exim is an open source IMAP and POP3 server for Linux based systems."
rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
compliance:
- cis: ["2.2.11"]
- cis_csc: ["9.2"]
- pci_dss: ["2.2.2"]
- nist_800_53: ["CM.1"]
- tsc: ["CC5.2"]
condition: none