1. Ensure mounting of cramfs filesystems is disabled
Audit:
# lsmod | grep cramfs
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true
2. Ensure mounting of freevxfs filesystems is disabled
Audit:
# modprobe -n -v freevxfs
modprobe: FATAL: Module freevxfs not found.
# lsmod | grep freevxfs
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true
3. Ensure mounting of jffs2 filesystems is disabled
Audit:
# modprobe -n -v jffs2
modprobe: FATAL: Module jffs2 not found.
# lsmod | grep jffs2
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true
4. Ensure mounting of hfs filesystems is disabled
Audit:
# modprobe -n -v hfs
modprobe: FATAL: Module hfs not found
# lsmod | grep hfs
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true
5. Ensure mounting of hfsplus filesystems is disabled
Audit:
# modprobe -n -v hfsplus
modprobe: FATAL: Module hfsplus not found.
# lsmod | grep hfsplus
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true
6. Ensure mounting of squashfs filesystems is disabled
Audit:
# modprobe -n -v squashfs
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/squashfs/squashfs.ko
# lsmod | grep squashfs
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install squashfs /bin/true
7. Ensure mounting of udf filesystems is disabled
Audit:
# modprobe -n -v udf
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/udf/udf.ko
# lsmod | grep udf
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true
8. Ensure mounting of FAT filesystems is disabled
Audit:
# modprobe -n -v vfat
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/fat/fat.ko
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/fat/vfat.ko
# lsmod | grep vfat
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install vfat /bin/true
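The eight module checks above follow one pattern, so here is an added shell example (not part of the benchmark text) that audits the whole list in one pass and flags the case the manual check can miss: a module that already sits in memory despite the install line. The modprobe.d directory and lsmod output it reads are constructed inside the script; on a real host you would pass /etc/modprobe.d and saved `lsmod` output instead.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: audit the eight filesystem
# modules from items 1-8 the way a compliance script would. The modprobe.d
# directory and lsmod output are constructed below so it runs offline; on a
# real host pass /etc/modprobe.d and a file holding the output of `lsmod`.

# Return 0 when module $1 is blacklisted by an "install <mod> /bin/true" line
# in any *.conf under directory $2 AND is absent from the lsmod output in $3.
# Both checks matter: the install line only stops future loads, and a module
# loaded before the line was written stays resident until rmmod or reboot.
audit_fs_module() {
    mod=$1; modprobe_dir=$2; lsmod_out=$3
    # any .conf file may carry the line; tolerate extra whitespace
    if ! grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/true([[:space:]]|$)" \
            "$modprobe_dir"/*.conf; then
        echo "FAIL $mod: no 'install $mod /bin/true' in $modprobe_dir"
        return 1
    fi
    # lsmod prints "Module Size Used by"; match column 1 exactly so that a
    # plain `grep hfs` cannot be fooled by hfsplus or by a "Used by" entry
    if awk -v m="$mod" 'NR>1 && $1==m {found=1} END {exit !found}' "$lsmod_out"; then
        echo "FAIL $mod: module is currently loaded"
        return 1
    fi
    echo "PASS $mod"
}

# Audit the whole list from items 1-8; non-zero if any module fails.
audit_all_fs_modules() {
    rc=0
    for m in cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat; do
        audit_fs_module "$m" "$1" "$2" || rc=1
    done
    return $rc
}

# --- constructed sample environment (not taken from a real host) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/modprobe.d"
cat > "$DEMO_DIR/modprobe.d/CIS.conf" <<'EOF'
# CIS.conf as written by the remediation steps; squashfs deliberately omitted
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true
install vfat /bin/true
EOF
cat > "$DEMO_DIR/lsmod.txt" <<'EOF'
Module                  Size  Used by
udf                    91280  0
crc_itu_t              12707  1 udf
xfs                   985123  2
EOF

# Expected: PASS for six modules, FAIL squashfs (no install line), FAIL udf (loaded)
audit_all_fs_modules "$DEMO_DIR/modprobe.d" "$DEMO_DIR/lsmod.txt" || echo "audit found failures"
```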
9. Ensure separate partition exists for /tmp with nodev, noexec, nosuid
Audit:
# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
Remediation:
For systems that were previously installed, create a new partition for /tmp if not using tmpfs.
Run the following commands to enable systemd /tmp mounting:
systemctl unmask tmp.mount
systemctl enable tmp.mount
Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount:
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
10. Ensure separate partition exists for /var
Audit:
# mount | grep /var
/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)
Remediation:
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
11. Ensure separate partition exists for /home
Audit:
# mount | grep /home
/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)
Remediation:
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
12. Ensure nodev option set on /home partition
Audit:
# mount | grep /home
/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)
Remediation:
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.
Run the following command to remount /home:
# mount -o remount,nodev /home
13. Ensure nodev, nosuid, noexec option set on /dev/shm partition
Audit:
# mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
Remediation:
Edit the /etc/fstab file and add nodev, nosuid, noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:
# mount -o remount,nodev,nosuid,noexec /dev/shm
Notes:
/dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
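Items 9 to 13 all read the same `mount` listing, so here is an added shell example (not from the benchmark) that checks them together against the "<dev> on <mountpoint> type <fstype> (<opts>)" line format, matching the mountpoint exactly rather than with a substring grep. The mount listing it reads is constructed inside the script; on a host, save the output of `mount` to a file and pass that path.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: check items 9-13 against the
# "<dev> on <mountpoint> type <fstype> (<opts>)" lines printed by `mount`.
# A constructed mount listing is used so it runs offline; on a host, save the
# output of `mount` to a file and pass that instead.

# Print the option list of the exact mountpoint $1 from mount output $2, or
# nothing if it is not a mount of its own. Comparing field 3 exactly avoids
# the trap in `mount | grep /tmp`, which also matches /var/tmp and /tmp/foo.
mount_opts_for() {
    awk -v mp="$1" '$2=="on" && $3==mp { gsub(/[()]/, "", $6); print $6; exit }' "$2"
}

# Return 0 if $1 is a separate mount carrying every option in the
# space-separated list $2; each missing option is reported on stdout.
audit_mount() {
    mp=$1; required=$2
    opts=$(mount_opts_for "$mp" "$3")
    if [ -z "$opts" ]; then
        echo "FAIL $mp: not a separate partition or mount"
        return 1
    fi
    rc=0
    for want in $required; do
        # surround with commas so an option matches only as a whole token
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "FAIL $mp: missing $want"; rc=1 ;;
        esac
    done
    if [ $rc -eq 0 ]; then echo "PASS $mp ($opts)"; fi
    return $rc
}

# --- constructed sample `mount` output; /dev/shm deliberately lacks noexec ---
MOUNT_OUT=$(mktemp)
trap 'rm -f "$MOUNT_OUT"' EXIT
cat > "$MOUNT_OUT" <<'EOF'
/dev/xvda1 on / type xfs (rw,relatime,attr2,inode64,noquota)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)
/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)
EOF

# Items 9-13 in order; items 10 and 11 only require /var and /home to be
# separate mounts, so their required option list is empty.
audit_mount /tmp     "nodev noexec nosuid" "$MOUNT_OUT" || true
audit_mount /var     ""                    "$MOUNT_OUT" || true
audit_mount /home    ""                    "$MOUNT_OUT" || true
audit_mount /home    "nodev"               "$MOUNT_OUT" || true
audit_mount /dev/shm "nodev nosuid noexec" "$MOUNT_OUT" || true
```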
14. Ensure sticky bit is set on all world-writable directories
Audit:
Run the following command to verify no world writable directories exist without the sticky bit set:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
No output should be returned.
Remediation:
Run the following command to set the sticky bit on all world writable directories:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
15. Ensure automounting is disabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled autofs
disabled
Remediation:
Run the following command to disable autofs:
# systemctl disable autofs
16. Ensure package manager repositories are configured
Audit:
Run the following command and verify repositories are configured correctly:
# yum repolist
Remediation:
Configure your package manager repositories according to site policy.
17. Ensure gpgcheck is globally activated
Audit:
Run the following command and verify gpgcheck is set to '1':
# grep ^gpgcheck /etc/yum.conf
gpgcheck=1
Run the following command and verify that all instances of gpgcheck returned are set to '1':
# grep ^gpgcheck /etc/yum.repos.d/*
Remediation:
Edit /etc/yum.conf and set 'gpgcheck=1' in the [main] section.
Edit files in /etc/yum.repos.d/* and set all instances of gpgcheck to '1'.
18. Ensure AIDE is installed
Audit:
Run the following command and verify aide is installed:
# rpm -q aide
aide-<version>
Remediation:
Run the following command to install aide:
# yum install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Initialize AIDE:
# aide --init
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
19. Ensure filesystem integrity is regularly checked
Audit:
Run the following commands to determine if there is a cron job scheduled to run the aide check.
# crontab -u root -l | grep aide
# grep -r aide /etc/cron.* /etc/crontab
Ensure a cron job in compliance with site policy is returned.
Remediation:
Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/sbin/aide --check
20. Ensure core dumps are restricted
Audit:
Run the following commands and verify output matches:
# grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*
* hard core 0
# sysctl fs.suid_dumpable
fs.suid_dumpable = 0
Remediation:
Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file:
* hard core 0
Set the following parameter in the /etc/sysctl.conf file:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0
21. Ensure address space layout randomization (ASLR) is enabled
Audit:
Run the following command and verify output matches:
# sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
Remediation:
Set the following parameter in the /etc/sysctl.conf file:
kernel.randomize_va_space = 2
Run the following command to set the active kernel parameter:
# sysctl -w kernel.randomize_va_space=2
22. Ensure prelink is disabled
Audit:
Run the following command and verify prelink is not installed:
# rpm -q prelink
package prelink is not installed
Remediation:
Run the following commands to restore binaries to normal and uninstall prelink:
# prelink -ua
# yum remove prelink
23. Ensure SETroubleshoot is not installed
Audit:
Run the following command and verify setroubleshoot is not installed:
# rpm -q setroubleshoot
package setroubleshoot is not installed
Remediation:
Run the following command to uninstall setroubleshoot:
# yum remove setroubleshoot
24. Ensure MCS Translation Service (mcstrans) is not installed
Audit:
Run the following command and verify mcstrans is not installed:
# rpm -q mcstrans
package mcstrans is not installed
Remediation:
Run the following command to uninstall mcstrans:
# yum remove mcstrans
25. Ensure no unconfined daemons exist
Audit:
Run the following command and verify no output is produced:
# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
Remediation:
Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
26. Ensure message of the day is configured properly
Audit:
Run the following command and verify that the contents match site policy:
# cat /etc/motd
Run the following command and verify no results are returned:
# egrep '(\\v|\\r|\\m|\\s)' /etc/motd
Remediation:
Edit the /etc/motd file with the appropriate contents according to your site policy, and remove any instances of \m, \r, \s, or \v.
27. Ensure permissions on /etc/issue are configured
Audit:
Run the following command and verify Uid and Gid are both 0/root and Access is 644:
# stat /etc/issue
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Remediation:
Run the following commands to set permissions on /etc/issue:
# chown root:root /etc/issue
# chmod 644 /etc/issue
28. Ensure GDM login banner is configured
Audit:
If GDM is installed on the system verify that /etc/dconf/profile/gdm exists and contains the following:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Then verify the banner-message-enable and banner-message-text options are configured in /etc/dconf/db/gdm.d/01-banner-message:
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='<banner message>'
Remediation:
Create the /etc/dconf/profile/gdm file with the following contents:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message:
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Authorized uses only. All activity may be monitored and reported.'
Run the following command to update the system databases:
# dconf update
Notes:
Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message file.
If a different GUI login service is in use, consult your documentation and apply an equivalent banner.
29. Ensure chargen services are not enabled
Audit:
Run the following command and verify chargen-dgram and chargen-stream are off or missing:
# chkconfig --list
xinetd based services:
chargen-dgram: off
chargen-stream: off
Remediation:
Run the following commands to disable chargen-dgram and chargen-stream:
# chkconfig chargen-dgram off
# chkconfig chargen-stream off
30. Ensure daytime services are not enabled
Audit:
Run the following command and verify daytime-dgram and daytime-stream are off or missing:
# chkconfig --list
xinetd based services:
daytime-dgram: off
daytime-stream: off
Remediation:
Run the following commands to disable daytime-dgram and daytime-stream:
# chkconfig daytime-dgram off
# chkconfig daytime-stream off
31. Ensure discard services are not enabled
Audit:
Run the following command and verify discard-dgram and discard-stream are off or missing:
# chkconfig --list
xinetd based services:
discard-dgram: off
discard-stream: off
Remediation:
Run the following commands to disable discard-dgram and discard-stream:
# chkconfig discard-dgram off
# chkconfig discard-stream off
32. Ensure echo services are not enabled
Audit:
Run the following command and verify echo-dgram and echo-stream are off or missing:
# chkconfig --list
xinetd based services:
echo-dgram: off
echo-stream: off
Remediation:
Run the following commands to disable echo-dgram and echo-stream:
# chkconfig echo-dgram off
# chkconfig echo-stream off
33. Ensure time services are not enabled
Audit:
Run the following command and verify time-dgram and time-stream are off or missing:
# chkconfig --list
xinetd based services:
time-dgram: off
time-stream: off
Remediation:
Run the following commands to disable time-dgram and time-stream:
# chkconfig time-dgram off
# chkconfig time-stream off
34. Ensure tftp server is not enabled
Audit:
Run the following command and verify tftp is off or missing:
# chkconfig --list
xinetd based services:
tftp: off
Remediation:
Run the following command to disable tftp:
# chkconfig tftp off
35. Ensure xinetd is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled xinetd
disabled
Remediation:
Run the following command to disable xinetd:
# systemctl disable xinetd
36. Ensure X Window System is not installed
Audit:
Run the following command and verify no output is returned:
# rpm -qa xorg-x11*
Remediation:
Run the following command to remove the X Window System packages:
# yum remove xorg-x11*
37. Ensure Avahi Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled avahi-daemon
disabled
Remediation:
Run the following command to disable avahi-daemon:
# systemctl disable avahi-daemon
38. Ensure CUPS is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled cups
disabled
Remediation:
Run the following command to disable cups:
# systemctl disable cups
39. Ensure DHCP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled dhcpd
disabled
Remediation:
Run the following command to disable dhcpd:
# systemctl disable dhcpd
40. Ensure telnet server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled telnet.socket
disabled
Remediation:
Run the following command to disable telnet:
# systemctl disable telnet.socket
41. Ensure telnet client is not installed
Audit:
Run the following command and verify telnet is not installed:
# rpm -q telnet
package telnet is not installed
Remediation:
Run the following command to uninstall telnet:
# yum remove telnet
42. Ensure NFS and RPC are not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled nfs
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rpcbind
disabled
Remediation:
Run the following commands to disable nfs and rpcbind:
# systemctl disable nfs
# systemctl disable rpcbind
43. Ensure FTP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled vsftpd
disabled
Remediation:
Run the following command to disable vsftpd:
# systemctl disable vsftpd
44. Ensure Samba is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled smb
disabled
Remediation:
Run the following command to disable smb:
# systemctl disable smb
45. Ensure HTTP Proxy Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled squid
disabled
Remediation:
Run the following command to disable squid:
# systemctl disable squid
46. Ensure SNMP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled snmpd
disabled
Remediation:
Run the following command to disable snmpd:
# systemctl disable snmpd
47. Ensure NIS Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled ypserv
disabled
Remediation:
Run the following command to disable ypserv:
# systemctl disable ypserv
48. Ensure rsh server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled rsh.socket
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rlogin.socket
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rexec.socket
disabled
Remediation:
Run the following commands to disable rsh, rlogin, and rexec:
# systemctl disable rsh.socket
# systemctl disable rlogin.socket
# systemctl disable rexec.socket
49. Ensure talk server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled ntalk
disabled
Remediation:
Run the following command to disable talk:
# systemctl disable ntalk
50. Ensure telnet server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled telnet.socket
disabled
Remediation:
Run the following command to disable telnet:
# systemctl disable telnet.socket
51. Ensure tftp server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled tftp.socket
disabled
Remediation:
Run the following command to disable tftp:
# systemctl disable tftp.socket
52. Ensure NIS Client is not installed
Audit:
Run the following command and verify ypbind is not installed:
# rpm -q ypbind
package ypbind is not installed
Remediation:
Run the following command to uninstall ypbind:
# yum remove ypbind
53. Ensure rsh client is not installed
Audit:
Run the following command and verify rsh is not installed:
# rpm -q rsh
package rsh is not installed
Remediation:
Run the following command to uninstall rsh:
# yum remove rsh
54. Ensure talk client is not installed
Audit:
Run the following command and verify talk is not installed:
# rpm -q talk
package talk is not installed
Remediation:
Run the following command to uninstall talk:
# yum remove talk
55. Ensure IP forwarding is disabled
Audit:
Run the following command and verify output matches:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.ip_forward=0
# sysctl -w net.ipv4.route.flush=1
56. Ensure packet redirect sending is disabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0
# sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects = 0
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1
57. Ensure source routed packets are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# sysctl net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route = 0
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1
58. Ensure ICMP redirects are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_redirects = 0
# sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 0
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
59. Ensure secure ICMP redirects are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.secure_redirects
net.ipv4.conf.all.secure_redirects = 0
# sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 0
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
60. Ensure suspicious packets are logged
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.log_martians
net.ipv4.conf.all.log_martians = 1
# sysctl net.ipv4.conf.default.log_martians
net.ipv4.conf.default.log_martians = 1
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
61. Ensure broadcast ICMP requests are ignored
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# sysctl -w net.ipv4.route.flush=1
62. Ensure bogus ICMP responses are ignored
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# sysctl -w net.ipv4.route.flush=1
63. Ensure Reverse Path Filtering is enabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.rp_filter=1
# sysctl -w net.ipv4.conf.default.rp_filter=1
# sysctl -w net.ipv4.route.flush=1
64. Ensure TCP SYN Cookies is enabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.tcp_syncookies = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.tcp_syncookies=1
# sysctl -w net.ipv4.route.flush=1
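The audits in items 55 to 64 read the live kernel values, which pass as soon as `sysctl -w` has run even when /etc/sysctl.conf will restore something else at boot. Here is an added shell example (not from the benchmark) that checks all sixteen parameters against a "key = value" file, the format shared by /etc/sysctl.conf and `sysctl -a` output; the file it reads is constructed inside the script.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: compare the kernel parameters
# from items 55-64 against a "key = value" dump, the format shared by
# /etc/sysctl.conf and the output of `sysctl -a`. A constructed dump is used
# here; on a host, audit live values with `sysctl -a > /tmp/live.txt` and the
# boot-time values by passing /etc/sysctl.conf (files under /etc/sysctl.d are
# not merged by this example).

# Print the value of key $1 from file $2. The LAST assignment wins, as it does
# when sysctl loads a file; comments (# or ;) and blank lines are ignored.
sysctl_value() {
    awk -v k="$1" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$2"
}

# Expected values, exactly as items 55-64 state them.
SYSCTL_EXPECTED='
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
'

# Print one PASS/FAIL line per parameter; the return value is the number of failures.
audit_sysctl() {
    fails=0
    while read -r key want; do
        if [ -z "$key" ]; then continue; fi
        got=$(sysctl_value "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key: got '${got:-<unset>}', want $want"
            fails=$((fails + 1))
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
    return $fails
}

# --- constructed sysctl.conf: default.log_martians is missing and a stray
# later line overrides ip_forward, two defects the live `sysctl` audit above
# does not reveal once `sysctl -w` has been run ---
SYSCTL_SAMPLE=$(mktemp)
trap 'rm -f "$SYSCTL_SAMPLE"' EXIT
cat > "$SYSCTL_SAMPLE" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
; appended later by another tool: the last value wins at boot
net.ipv4.ip_forward = 1
EOF

# Expected: 14 PASS lines and 2 FAIL lines
audit_sysctl "$SYSCTL_SAMPLE" || echo "$? parameter(s) out of compliance"
```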
65. Ensure iptables is installed
Audit:
Run the following command and verify iptables is installed:
# rpm -q iptables
iptables-<version>
Remediation:
Run the following command to install iptables:
# yum install iptables
66. Ensure default deny firewall policy
Audit:
Run the following command and verify that the policy for the INPUT, OUTPUT, and FORWARD chains is DROP or REJECT:
# iptables -L
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
Remediation:
Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Notes:
Changing firewall settings while connected over the network can result in being locked out of the system.
Remediation will only affect the active system firewall; be sure to configure the default policy in your firewall management to apply on boot as well.
67. Ensure loopback traffic is configured
Audit:
Run the following commands and verify output includes the listed rules in order (packet and byte counts may differ):
# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
# iptables -L OUTPUT -v -n
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
Remediation:
Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Notes:
Changing firewall settings while connected over the network can result in being locked out of the system.
Remediation will only affect the active system firewall; be sure to configure the default policy in your firewall management to apply on boot as well.
68. Ensure firewall rules exist for all open ports
Audit:
Run the following command to determine open ports:
# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
Run the following command to determine firewall rules:
# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
Verify that every open port listening on a non-localhost address has at least one firewall rule.
The last line, identified by "tcp dpt:22 state NEW", is the firewall rule accepting new connections on TCP port 22.
Remediation:
For each port identified in the audit that does not have a firewall rule, establish a proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Notes:
Changing firewall settings while connected over the network can result in being locked out of the system.
Remediation will only affect the active system firewall; be sure to configure the default policy in your firewall management to apply on boot as well.
The remediation command opens up the port to traffic from all sources. Consult iptables documentation and set any restrictions in compliance with site policy.
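Pairing the two listings by eye does not scale past a handful of ports, so here is an added shell example (not from the benchmark) that automates the item 68 audit: it extracts non-localhost listeners from `netstat -ln` output, looks each one up in `iptables -L INPUT -v -n` output, and prints the ports that have no ACCEPT rule. Both listings are constructed inside the script; on a host, save each command's output to a file and pass those paths.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: automate the item 68 audit by
# pairing the non-localhost listeners from `netstat -ln` with the ACCEPT rules
# in `iptables -L INPUT -v -n`. Both outputs are constructed below so the
# script runs offline; on a host, save each command's output to a file first.

# Print "proto port" for every TCP listener and UDP socket bound to something
# other than loopback. tcp6/udp6 fold into tcp/udp, and the UNIX-socket section
# of the same netstat output is skipped because its lines never start with tcp/udp.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next     # loopback-only binding
            if (proto == "tcp" && $6 != "LISTEN") next     # not a server socket
            print proto, port
        }' "$1" | sort -u
}

# Return 0 if the INPUT chain listing in $3 holds an ACCEPT rule for $1/$2.
# Fields 1-9 are pkts/bytes/target/prot/opt/in/out/source/destination; the
# match text such as "tcp dpt:22 state NEW" or "multiport dports 443,8443"
# follows from field 10 on.
firewall_covers() {
    awk -v p="$1" -v port="$2" '
        $3 == "ACCEPT" && $4 == p {
            for (i = 10; i <= NF; i++) {
                if ($i == ("dpt:" port)) found = 1
                if ($i == "dports") {
                    n = split($(i + 1), d, ",")
                    for (j = 1; j <= n; j++) if (d[j] == port) found = 1
                }
            }
        }
        END { exit !found }' "$3"
}

# Print "proto port" for each open port that has no ACCEPT rule.
unprotected_ports() {
    listening_ports "$1" | while read -r proto port; do
        firewall_covers "$proto" "$port" "$2" || echo "$proto $port"
    done
}

# --- constructed outputs; 80/tcp and 123/udp are open without a rule ---
NETSTAT_OUT=$(mktemp); IPT_OUT=$(mktemp)
trap 'rm -f "$NETSTAT_OUT" "$IPT_OUT"' EXIT
cat > "$NETSTAT_OUT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/udev/control
EOF
cat > "$IPT_OUT" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443,8443 state NEW
EOF

# Expected output: "tcp 80" and "udp 123"
unprotected_ports "$NETSTAT_OUT" "$IPT_OUT"
```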
69. Ensure rsyslog Service is enabled
Audit:
Run the following command and verify result is "enabled":
# systemctl is-enabled rsyslog
enabled
Remediation:
Run the following command to enable rsyslog:
# systemctl enable rsyslog
70. Ensure rsyslog default file permissions configured
Audit:
Run the following command and verify that $FileCreateMode is 0640 or more restrictive:
# grep ^\$FileCreateMode /etc/rsyslog.conf
Remediation:
Edit /etc/rsyslog.conf and set $FileCreateMode to 0640 or more restrictive:
$FileCreateMode 0640
71. Ensure permissions on all logfiles are configured
Audit:
Run the following command and verify that other has no permissions on any files and group does not have write or execute permissions on any files:
# find /var/log -type f -ls
Remediation:
Run the following command to set permissions on all existing log files:
# find /var/log -type f -exec chmod g-wx,o-rwx {} +
72. Ensure permissions on /etc/ssh/sshd_config are configured
Audit:
Run the following command and verify Uid and Gid are both 0/root and Access does not grant permissions to group or other:
# stat /etc/ssh/sshd_config
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Remediation:
Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
# chown root:root /etc/ssh/sshd_config
# chmod og-rwx /etc/ssh/sshd_config
73. Ensure SSH Protocol is set to 2
Audit:
Run the following command and verify that output matches:
# grep "^Protocol" /etc/ssh/sshd_config
Protocol 2
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Protocol 2
74. Ensure SSH LogLevel is set to INFO
Audit:
Run the following command and verify that output matches:
# grep "^LogLevel" /etc/ssh/sshd_config
LogLevel INFO
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LogLevel INFO
75. Ensure SSH X11 forwarding is disabled
Audit:
Run the following command and verify that output matches:
# grep "^X11Forwarding" /etc/ssh/sshd_config
X11Forwarding no
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
76. Ensure SSH MaxAuthTries is set to 4 or less
Audit:
Run the following command and verify that output MaxAuthTries is 4 or less:
# grep "^MaxAuthTries" /etc/ssh/sshd_config
MaxAuthTries 4
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
77. Ensure SSH IgnoreRhosts is enabled
Audit:
Run the following command and verify that output matches:
# grep "^IgnoreRhosts" /etc/ssh/sshd_config
IgnoreRhosts yes
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
IgnoreRhosts yes
78. Ensure SSH HostbasedAuthentication is disabled
Audit:
Run the following command and verify that output matches:
# grep "^HostbasedAuthentication" /etc/ssh/sshd_config
HostbasedAuthentication no
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
HostbasedAuthentication no
79. Ensure SSH root login is disabled
Audit:
Run the following command and verify that output matches:
# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin no
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
80. Ensure SSH PermitEmptyPasswords is disabled
Audit:
Run the following command and verify that output matches:
# grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
PermitEmptyPasswords no
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitEmptyPasswords no
81. Ensure SSH PermitUserEnvironment is disabled
Audit:
Run the following command and verify that output matches:
# grep PermitUserEnvironment /etc/ssh/sshd_config
PermitUserEnvironment no
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitUserEnvironment no
82. Ensure only approved ciphers are used
Audit:
Run the following command and verify that output does not contain any cipher block chaining (-cbc) algorithms:
# grep "Ciphers" /etc/ssh/sshd_config
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
83. Ensure only approved MAC algorithms are used
Audit:
Run the following command and verify that output does not contain any unlisted MAC algorithms:
# grep "MACs" /etc/ssh/sshd_config
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter in accordance with site policy. The following includes all supported and accepted MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
84. Ensure SSH Idle Timeout Interval is configured
Audit:
Run the following commands and verify ClientAliveInterval is 300 or less and ClientAliveCountMax is 3 or less:
# grep "^ClientAliveInterval" /etc/ssh/sshd_config
ClientAliveInterval 300
# grep "^ClientAliveCountMax" /etc/ssh/sshd_config
ClientAliveCountMax 0
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
85. Ensure SSH LoginGraceTime is set to one minute or less
Audit:
Run the following command and verify that LoginGraceTime is 60 or less:
# grep "^LoginGraceTime" /etc/ssh/sshd_config
LoginGraceTime 60
Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LoginGraceTime 60
86. Ensure SSH access is limited
Audit:
Run the following commands and verify that output matches for at least one:
# grep "^AllowUsers" /etc/ssh/sshd_config
AllowUsers <userlist>
# grep "^AllowGroups" /etc/ssh/sshd_config
AllowGroups <grouplist>
# grep "^DenyUsers" /etc/ssh/sshd_config
DenyUsers <userlist>
# grep "^DenyGroups" /etc/ssh/sshd_config
DenyGroups <grouplist>
Remediation:
Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
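The SSH checks above (the HostbasedAuthentication check and items 79 through 86) are each a separate grep against /etc/ssh/sshd_config. The following shell script is an added example, not part of the benchmark text, that audits all of them in one pass against a config file passed as an argument. It assumes the plain "Keyword value" syntax and does not handle Match blocks; the range bounds it applies (ClientAliveInterval and LoginGraceTime at least 1, ClientAliveCountMax at most 3) follow the audit text above, and the approved MAC list is the one from the remediation of item 83. The sample configuration at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit an sshd_config file
# against the HostbasedAuthentication check above and items 79 through 86.
# Prints one line per failing check and returns the number of failures, so
# an exit status of 0 means every check passed.
# Assumes the plain "Keyword value" syntax; Match blocks and "Keyword=value"
# are not handled.

# Effective value of a keyword: sshd uses the first uncommented occurrence
# and matches keywords case-insensitively, so mirror both behaviours.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# True when $1 is a non-negative integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Fail unless keyword $2 in file $1 is an integer in the range $3..$4.
check_range() {
    v=$(sshd_value "$1" "$2")
    if is_uint "$v" && [ "$v" -ge "$3" ] && [ "$v" -le "$4" ]; then
        return 0
    fi
    echo "FAIL: $2 is '$v', expected $3..$4"
    return 1
}

audit_sshd_config() {
    cfg="$1"
    fails=0

    # HostbasedAuthentication and items 79-81 must be explicitly "no".
    for key in HostbasedAuthentication PermitRootLogin PermitEmptyPasswords PermitUserEnvironment; do
        if [ "$(sshd_value "$cfg" "$key")" != no ]; then
            echo "FAIL: $key is not 'no'"
            fails=$((fails + 1))
        fi
    done

    # Item 82: a Ciphers line must be present and contain no CBC-mode cipher.
    ciphers=$(sshd_value "$cfg" Ciphers)
    case "$ciphers" in
        '')     echo "FAIL: Ciphers not set"; fails=$((fails + 1)) ;;
        *-cbc*) echo "FAIL: Ciphers contains a CBC algorithm: $ciphers"; fails=$((fails + 1)) ;;
    esac

    # Item 83: every MAC must be in the accepted list from the remediation.
    allowed_macs="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"
    macs=$(sshd_value "$cfg" MACs)
    if [ -z "$macs" ]; then
        echo "FAIL: MACs not set"; fails=$((fails + 1))
    else
        for m in $(echo "$macs" | tr ',' ' '); do
            case " $allowed_macs " in
                *" $m "*) ;;
                *) echo "FAIL: MAC not in approved list: $m"; fails=$((fails + 1)) ;;
            esac
        done
    fi

    # Items 84 and 85: ClientAliveInterval 0 never sends a probe and
    # LoginGraceTime 0 means no limit, so both need a lower bound of 1.
    # ClientAliveCountMax follows the audit text (3 or less; remediation uses 0).
    check_range "$cfg" ClientAliveInterval 1 300 || fails=$((fails + 1))
    check_range "$cfg" ClientAliveCountMax 0 3   || fails=$((fails + 1))
    check_range "$cfg" LoginGraceTime 1 60       || fails=$((fails + 1))

    # Item 86: at least one Allow/Deny directive must restrict SSH access.
    limited=0
    for key in AllowUsers AllowGroups DenyUsers DenyGroups; do
        [ -n "$(sshd_value "$cfg" "$key")" ] && limited=1
    done
    if [ "$limited" -eq 0 ]; then
        echo "FAIL: no AllowUsers/AllowGroups/DenyUsers/DenyGroups directive"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demonstration on a constructed, compliant sample (not a real host's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
AllowGroups sshusers
EOF
if audit_sshd_config "$sample"; then echo "PASS: all sshd_config checks"; fi
rm -f "$sample"
```

On a live host, run `audit_sshd_config /etc/ssh/sshd_config` as root and treat any printed FAIL line as a finding to remediate with the settings listed in the corresponding item; because sshd honours the first occurrence of a keyword, the script deliberately reads the same line sshd will act on rather than the last one in the file.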
87. Ensure password creation requirements are configured
Audit:
Run the following commands and verify all password requirements are as listed or stricter:
# grep pam_pwquality.so /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep pam_pwquality.so /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3
# grep ^minlen /etc/security/pwquality.conf
minlen=14
# grep ^dcredit /etc/security/pwquality.conf
dcredit=-1
# grep ^lcredit /etc/security/pwquality.conf
lcredit=-1
# grep ^ocredit /etc/security/pwquality.conf
ocredit=-1
# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1
Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
88. Ensure lockout for failed password attempts is configured
Audit:
Review the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and verify that the following pam_faillock.so lines appear around a pam_unix.so line, and that the pam_unix.so control is [success=1 default=bad], as listed, in both files:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to add the following pam_faillock.so lines around the pam_unix.so line, and change the pam_unix.so control to [success=1 default=bad], as listed, in both files:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
89. Ensure password reuse is limited
Audit:
Run the following commands and ensure the remember option is 5 or more and included in all results:
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so remember=5
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown:
password sufficient pam_unix.so remember=5
90. Ensure password hashing algorithm is SHA-512
Audit:
Run the following commands and ensure the sha512 option is included in all results:
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so sha512
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so sha512
Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown:
password sufficient pam_unix.so sha512
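Items 87 through 90 spread the password policy across /etc/security/pwquality.conf and the two PAM files, and each grep in the audit must be read by eye. The shell script below is an added example, not part of the benchmark text, that applies the "as listed or stricter" rule automatically: minlen of 14 or more, each credit of -1 or lower, pwquality retry of 3 or fewer, faillock deny of 5 or fewer with unlock_time of 900 or more, remember of 5 or more, and sha512 present. File paths are arguments so it can run against copies; the ordering of the faillock lines around pam_unix.so is not checked and still needs the visual review item 88 describes. The sample values at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit the password-policy
# settings of items 87 through 90 above. File paths are arguments so the
# checks can run against copies of /etc/security/pwquality.conf and
# /etc/pam.d/{password-auth,system-auth}. Each function prints one line per
# failing check and returns the number of failures (0 = compliant).

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }
is_int()  { case "$1" in ''|-|*[!0-9-]*|?*-*) return 1 ;; *) return 0 ;; esac; }

# key=value lookup in pwquality.conf: first uncommented occurrence, with
# blanks around '=' stripped (the file format allows them).
pwq_value() {
    awk -F= -v key="$2" '$1 !~ /^[ \t]*#/ {
        k = $1; gsub(/[ \t]/, "", k)
        if (k == key) { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    }' "$1"
}

# Value of "opt=N" on the PAM line read from stdin, or empty if absent.
pam_opt() { tr -s '[:blank:]' '\n' | sed -n "s/^$1=//p" | head -n 1; }

# Item 87: pwquality.conf values as listed or stricter.
audit_pwquality() {
    cfg="$1"; fails=0
    v=$(pwq_value "$cfg" minlen)
    if ! is_uint "$v" || [ "$v" -lt 14 ]; then
        echo "FAIL: minlen is '$v', expected 14 or more"; fails=$((fails + 1))
    fi
    # A negative credit is the minimum count of that character class.
    for key in dcredit ucredit ocredit lcredit; do
        v=$(pwq_value "$cfg" "$key")
        if ! is_int "$v" || [ "$v" -gt -1 ]; then
            echo "FAIL: $key is '$v', expected -1 or lower"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Items 87-90 in one PAM file (run it on password-auth and on system-auth).
audit_pam_file() {
    f="$1"; fails=0

    # Item 87: pam_pwquality line with retry=3 or stricter (fewer retries).
    pwq=$(awk '$1 == "password" && $2 == "requisite" && $3 == "pam_pwquality.so" { print; exit }' "$f")
    retry=$(printf '%s\n' "$pwq" | pam_opt retry)
    if [ -z "$pwq" ] || ! is_uint "$retry" || [ "$retry" -gt 3 ]; then
        echo "FAIL: $f: pam_pwquality.so line missing or retry is '$retry'"; fails=$((fails + 1))
    fi

    # Item 88: preauth, authfail and authsucc pam_faillock lines, each with
    # deny of 5 or fewer and unlock_time of 900 or more. Line order around
    # pam_unix.so is not checked here; review it by eye as the text says.
    for phase in preauth authfail authsucc; do
        fl=$(awk -v p="$phase" '$1 == "auth" && /pam_faillock\.so/ && $0 ~ ("(^|[ \t])" p "([ \t]|$)") { print; exit }' "$f")
        deny=$(printf '%s\n' "$fl" | pam_opt deny)
        unlock=$(printf '%s\n' "$fl" | pam_opt unlock_time)
        if [ -z "$fl" ] || ! is_uint "$deny" || [ "$deny" -gt 5 ] \
           || ! is_uint "$unlock" || [ "$unlock" -lt 900 ]; then
            echo "FAIL: $f: pam_faillock.so $phase line missing or too lax"; fails=$((fails + 1))
        fi
    done
    if ! grep -Eq '^auth[[:blank:]]+\[success=1 default=bad\][[:blank:]]+pam_unix\.so' "$f"; then
        echo "FAIL: $f: auth pam_unix.so control is not [success=1 default=bad]"; fails=$((fails + 1))
    fi

    # Items 89 and 90: the pam_unix.so password line carries remember>=5 and sha512.
    pu=$(awk '$1 == "password" && $2 == "sufficient" && $3 == "pam_unix.so" { print; exit }' "$f")
    remember=$(printf '%s\n' "$pu" | pam_opt remember)
    if ! is_uint "$remember" || [ "$remember" -lt 5 ]; then
        echo "FAIL: $f: pam_unix.so remember is '$remember', expected 5 or more"; fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$pu" | tr -s '[:blank:]' '\n' | grep -qx sha512; then
        echo "FAIL: $f: pam_unix.so password line lacks sha512"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demonstration on constructed compliant input (not a real host's file).
t=$(mktemp)
printf '%s\n' 'minlen = 14' 'dcredit = -1' 'ucredit = -1' 'ocredit = -1' 'lcredit = -1' > "$t"
audit_pwquality "$t" && echo "PASS: pwquality.conf sample"
rm -f "$t"
```

On a live host, run `audit_pwquality /etc/security/pwquality.conf`, then `audit_pam_file /etc/pam.d/password-auth` and `audit_pam_file /etc/pam.d/system-auth`; the benchmark requires both PAM files to pass, so a finding in either one is a finding for the item.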
By:- Vinay Kumar