Thursday, 30 November 2017

Server Hardening CentOS 7

1. Ensure mounting of cramfs filesystems is disabled
Audit:
# lsmod | grep cramfs
no output

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true

2. Ensure mounting of freevxfs filesystems is disabled
Audit:
# modprobe -n -v freevxfs
modprobe: FATAL: Module freevxfs not found.
# lsmod | grep freevxfs
<No output>

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true


3. Ensure mounting of jffs2 filesystems is disabled

Audit:
# modprobe -n -v jffs2
 modprobe: FATAL: Module jffs2 not found.

# lsmod | grep jffs2
<No output>

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true


4. Ensure mounting of hfs filesystems is disabled
Audit:
# modprobe -n -v hfs
modprobe: FATAL: Module hfs not found

# lsmod | grep hfs
<No output>

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true


5. Ensure mounting of hfsplus filesystems is disabled
Audit:
# modprobe -n -v hfsplus
modprobe: FATAL: Module hfsplus not found.

# lsmod | grep hfsplus
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true


6. Ensure mounting of squashfs filesystems is disabled
Audit:
# modprobe -n -v squashfs
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/squashfs/squashfs.ko

# lsmod | grep squashfs
<No output>
Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install squashfs /bin/true

7. Ensure mounting of udf filesystems is disabled
Audit:
# modprobe -n -v udf
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/lib/crc-itu-t.ko
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/udf/udf.ko
# lsmod | grep udf
<No output>

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true

8. Ensure mounting of FAT filesystems is disabled
Audit:
# modprobe -n -v vfat
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/fat/fat.ko
insmod /lib/modules/3.10.0-327.el7.x86_64/kernel/fs/fat/vfat.ko

# lsmod | grep vfat
<No output>

Remediation:
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install vfat /bin/true


9. Ensure separate partition exists for /tmp with nodev, noexec , nosuid
Audit:
# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)

Remediation:
For systems that were previously installed, create a new partition for /tmp if not using tmpfs .
Run the following commands to enable systemd /tmp mounting:
systemctl unmask tmp.mount
systemctl enable tmp.mount

Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount:

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid


10. Ensure separate partition exists for /var
Audit:
# mount | grep /var
/dev/xvdg1 on /var type ext4 (rw,relatime,data=ordered)

Remediation:
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate


11. Ensure separate partition exists for /home
Audit:
# mount | grep /home
/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)
Remediation:
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.

12. Ensure nodev option set on /home partition
Audit:
# mount | grep /home
/dev/xvdf1 on /home type ext4 (rw,nodev,relatime,data=ordered)

Remediation:
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.

Run the following command to remount /home :
# mount -o remount,nodev /home


13. Ensure nodev, nosuid, noexec option set on /dev/shm partition
Audit:
mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)

Remediation:
Edit the /etc/fstab file and add nodev, nosuid, noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm :
# mount -o remount,nodev,nosuid,noexec /dev/shm
Notes:
/dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0


14. Ensure sticky bit is set on all world-writable directories
Audit:
Run the following command to verify no world writable directories exist without the sticky bit set:
# df --local -P | awk if (NR!=1) print $6 | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
No output should be returned.

Remediation:
Run the following command to set the sticky bit on all world writable directories:
# df --local -P | awk if (NR!=1) print $6 | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t

15. Ensure disable automounting
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled autofs
disabled

Remediation:
Run the following command to disable autofs :
# systemctl disable autofs


16. Ensure package manager repositories are configured
Run the following command and verify repositories are configured correctly:
# yum repolist

Remediation:
Configure your package manager repositories according to site policy.


17. Ensure gpgcheck is globally activated
Audit:
Run the following command and verify gpgcheck is set to ' 1 ':
# grep ^gpgcheck /etc/yum.conf
gpgcheck=1
Run the following command and verify that all instances of gpgcheck returned are set to ' 1 ':
# grep ^gpgcheck /etc/yum.repos.d/*

Remediation:
Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section.
Edit files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '.


18. Ensure AIDE is installed
Audit:
Run the following command and verify aide is installed:
# rpm -q aide
aide-<version>

Remediation:
Run the following command to install aide :
# yum install aide

Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Initialize AIDE:
# aide --init

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

19. Ensure filesystem integrity is regularly checked
Audit:
Run the following commands to determine if there is a cron job scheduled to run the aide check.
# crontab -u root -l | grep aide
# grep -r aide /etc/cron.* /etc/crontab
Ensure a cron job in compliance with site policy is returned.

Remediation:
Run the following command:
# crontab -u root -e
Add the following line to the crontab:
0 5 * * * /usr/sbin/aide –check

20. Ensure core dumps are restricted
Audit:
Run the following commands and verify output matches:
# grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*
* hard core 0
# sysctl fs.suid_dumpable
fs.suid_dumpable = 0

Remediation:
Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file:
* hard core 0
Set the following parameter in the /etc/sysctl.conf file:
fs.suid_dumpable = 0
Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0


21. Ensure address space layout randomization (ASLR) is enabled
Audit:
Run the following command and verify output matches:
# sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

Remediation:
Set the following parameter in the /etc/sysctl.conf file:
kernel.randomize_va_space = 2
Run the following command to set the active kernel parameter:
# sysctl -w kernel.randomize_va_space=2

22. Ensure prelink is disabled
Audit:
Run the following command and verify prelink is not installed:
# rpm -q prelink
package prelink is not installed

Remediation:
Run the following commands to restore binaries to normal and uninstall prelink :
# prelink -ua
# yum remove prelink

23. Ensure SETroubleshoot is not installed
Audit:
Run the following command and verify setroubleshoot is not installed:
# rpm -q setroubleshoot
package setroubleshoot is not installed

Remediation:
Run the following command to uninstall setroubleshoot :
# yum remove setroubleshoot

24. Ensure MCS Translation Service (mcstrans) is not installed
Audit:
Run the following command and verify mcstrans is not installed:
# rpm -q mcstrans
package mcstrans is not installed

Remediation:
Run the following command to uninstall mcstrans:
# yum remove mcstrans  

25. Ensure no unconfined daemons exist
Audit:
Run the following command and verify not output is produced:
# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'

Remediation:
Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
26. Ensure message of the day is configured properly
Audit:
Run the following command and verify that the contents match site policy:
# cat /etc/motd
Run the following command and verify no results are returned:
# egrep '(\\v|\\r|\\m|\\s)' /etc/motd

Remediation:
Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v.

27. Ensure permissions on /etc/issue are configured
Audit:
Run the following command and verify Uid and Gid are both 0/root and Access is 644 :
# stat /etc/issue
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)

Remediation:
Run the following commands to set permissions on /etc/issue :
# chown root:root /etc/issue
# chmod 644 /etc/issue


28. Ensure GDM login banner is configured
Audit:
If GDM is installed on the system verify that /etc/dconf/profile/gdm exists and contains the following:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Then verify the banner-message-enable and banner-message-text options are configured in /etc/dconf/db/gdm.d/01-banner-message :
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='<banner message>'

Remediation:
Create the /etc/dconf/profile/gdm file with the following contents:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message :
[org/gnome/login-screen]
banner-message-enable=true

banner-message-text='Authorized uses only. All activity may be monitored and reported.'
Run the following command to update the system databases:
# dconf update
Notes:
Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message file.
If a different GUI login service is in use, consult your documentation and apply an equivalent banner.  

29. Ensure chargen services are not enabled
Audit:
Run the following command and verify chargen-dgram and chargen-stream are off or missing:
# chkconfig --list
xinetd based services:
chargen-dgram: off
chargen-stream: off

Remediation:
Run the following commands to disable chargen-dgram and chargen-stream :
# chkconfig chargen-dgram off
# chkconfig chargen-stream off

30. Ensure daytime services are not enabled
Audit:
Run the following command and verify daytime-dgram and daytime-stream are off or missing:
# chkconfig --list
xinetd based services:
daytime-dgram: off
daytime-stream: off

Remediation:
Run the following commands to disable daytime-dgram and daytime-stream:
# chkconfig daytime-dgram off
# chkconfig daytime-stream off

31. Ensure discard services are not enabled
Audit:
Run the following command and verify discard-dgram and discard-stream are off or missing:
# chkconfig --list
xinetd based services:
discard-dgram: off
discard-stream: off

Remediation:
Run the following commands to disable discard-dgram and discard-stream:
# chkconfig discard-dgram off
# chkconfig discard-stream off

32. Ensure echo services are not enabled
Audit:
Run the following command and verify echo-dgram and echo-stream are off or missing:
# chkconfig --list
xinetd based services:
echo-dgram: off
echo-stream: off

Remediation:
Run the following commands to disable echo-dgram and echo-stream:
# chkconfig echo-dgram off
# chkconfig echo-stream off

33. Ensure time services are not enabled
Audit:
Run the following command and verify time-dgram and time-stream are off or missing:
# chkconfig --list
xinetd based services:
time-dgram: off
time-stream: off

Remediation:
Run the following commands to disable time-dgram and time-stream:
# chkconfig time-dgram off
# chkconfig time-stream off

34.  Ensure tftp server is not enabled
Audit:
Run the following command and verify tftp is off or missing:
# chkconfig --list
xinetd based services:
tftp: off

Remediation:
Run the following command to disable tftp:
# chkconfig tftp off

35. Ensure xinetd is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled xinetd
disabled

Remediation:
Run the following command to disable xinetd :
# systemctl disable xinetd


36.  Ensure X Window System is not installed
Audit:
Run the following command and verify no output is returned:
# rpm -qa xorg-x11*

Remediation:
Run the following command to remove the X Windows System packages:
# yum remove xorg-x11*

37. Ensure Avahi Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled avahi-daemon
disabled

Remediation:
Run the following command to disable avahi-daemon :
# systemctl disable avahi-daemon

38. Ensure CUPS is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled cups
disabled

Remediation:
Run the following command to disable cups :
# systemctl disable cups

39. Ensure DHCP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled dhcpd
disabled

Remediation:
Run the following command to disable dhcpd :
# systemctl disable dhcpd

40. Ensure telnet server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled telnet.socket
disabled

Remediation:
Run the following command to disable telnet:
# systemctl disable telnet.socket

41. Ensure telnet client is not installed
Audit:
Run the following command and verify telnet is not installed:
# rpm -q telnet
package telnet is not installed

Remediation:
Run the following command to uninstall telnet :
# yum remove telnet

42. Ensure NFS and RPC are not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled nfs
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rpcbind
disabled

Remediation:
Run the following commands to disable nfs and rpcbind :
# systemctl disable nfs
# systemctl disable rpcbind

43. Ensure FTP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled vsftpd
disabled

Remediation:
Run the following command to disable vsftpd :
# systemctl disable vsftpd

44. Ensure Samba is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled smb
disabled

Remediation:
Run the following command to disable smb :
# systemctl disable smb

45. Ensure HTTP Proxy Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled squid
disabled

Remediation:
Run the following command to disable squid :
# systemctl disable squid

46. Ensure SNMP Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled snmpd
disabled

Remediation:
Run the following command to disable snmpd :
# systemctl disable snmpd

47. Ensure NIS Server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled ypserv
disabled

Remediation:
Run the following command to disable ypserv :
# systemctl disable ypserv

48. Ensure rsh server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled rsh.socket
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rlogin.socket
disabled
Run the following command and verify result is not "enabled":
# systemctl is-enabled rexec.socket
disabled

Remediation:
Run the following commands to disable rsh , rlogin , and rexec :
# systemctl disable rsh.socket
# systemctl disable rlogin.socket
# systemctl disable rexec.socket


49. Ensure talk server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled ntalk
disabled

Remediation:
Run the following command to disable talk:
# systemctl disable ntalk


50. Ensure telnet server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled telnet.socket
disabled

Remediation:
Run the following command to disable telnet:
# systemctl disable telnet.socket


51. Ensure tftp server is not enabled
Audit:
Run the following command and verify result is not "enabled":
# systemctl is-enabled tftp.socket
disabled

Remediation:
Run the following command to disable tftp:
# systemctl disable tftp.socket


52. Ensure NIS Client is not installed
Audit:
Run the following command and verify ypbind is not installed:
# rpm -q ypbind
package ypbind is not installed

Remediation:
Run the following command to uninstall ypbind :
# yum remove ypbind


53. Ensure rsh client is not installed
Audit:
Run the following command and verify rsh is not installed:
# rpm -q rsh
package rsh is not installed

Remediation:
Run the following command to uninstall rsh :
# yum remove rsh


54. Ensure talk client is not installed
Audit:
Run the following command and verify talk is not installed:
# rpm -q talk
package talk is not installed

Remediation:
Run the following command to uninstall talk :
# yum remove talk


55. Ensure IP forwarding is disabled
Audit:
Run the following command and verify output matches:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.ip_forward=0
# sysctl -w net.ipv4.route.flush=1

56. Ensure packet redirect sending is disabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0
# sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects = 0

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1

57. Ensure source routed packets are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# sysctl net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route = 0 147 | P a g e

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
# sysctl -w net.ipv4.conf.default.accept_source_route=0
# sysctl -w net.ipv4.route.flush=1

58. Ensure ICMP redirects are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_redirects = 0
# sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 0

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1

59. Ensure secure ICMP redirects are not accepted
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.secure_redirects
net.ipv4.conf.all.secure_redirects = 0
# sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 0

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1

60. Ensure suspicious packets are logged
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.log_martians
net.ipv4.conf.all.log_martians = 1
# sysctl net.ipv4.conf.default.log_martians
net.ipv4.conf.default.log_martians = 1

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1

61. Ensure broadcast ICMP requests are ignored
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# sysctl -w net.ipv4.route.flush=1

62. Ensure bogus ICMP responses are ignored
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# sysctl -w net.ipv4.route.flush=1

63. Ensure Reverse Path Filtering is enabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

Remediation:
Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.rp_filter=1
# sysctl -w net.ipv4.conf.default.rp_filter=1
# sysctl -w net.ipv4.route.flush=1

64. Ensure TCP SYN Cookies is enabled
Audit:
Run the following commands and verify output matches:
# sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1

Remediation:
Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.tcp_syncookies = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.tcp_syncookies=1
# sysctl -w net.ipv4.route.flush=1


65. Ensure iptables is installed
Audit:
Run the following command and verify iptables is installed:
# rpm -q iptables
iptables-<version>

Remediation:
Run the following command to install iptables :
# yum install iptables

66. Ensure default deny firewall policy
Audit:
Run the following command and verify that the policy for the INPUT , OUTPUT , and FORWARD chains is DROP or REJECT :
# iptables -L
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)

Remediation:
Run the following commands to implement a default DROP policy:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Notes:
Changing firewall settings while connected over network can result in being locked out of the system.
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.


67. Ensure loopback traffic is configured
Audit:
Run the following commands and verify output includes the listed rules in order (packet and byte counts may differ):
# iptables -L INPUT -v -n






Chain
INPUT
(policy DROP 0 packets, 0 bytes)









pkts
bytes
target
prot
opt
in
out
source


destination








0
0
ACCEPT
all
--
lo
*
0.0.0.0/0
0.0.0.0/0

0
0
DROP
all
--
*
*
127.0.0.0/8
0.0.0.0/0









# iptables
-L OUTPUT -v -n














Chain
OUTPUT (policy DROP 0
packets, 0 bytes)



pkts
bytes
target
prot
opt
in
out
source


destination








0
0
ACCEPT
all
--
*
lo
0.0.0.0/0
0.0.0.0/0


Remediation:
Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP

Notes:

Changing firewall settings while connected over network can result in being locked out of the system.
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.

68. Ensure firewall rules exist for all open ports
Run the following command to determine open ports:
# netstat -ln



Active Internet connections (only servers)





Proto Recv-Q
Send-Q
Local Address
Foreign Address
State
tcp
0
0
0.0.0.0:22
0.0.0.0:*
LISTEN








Run the following command to determine firewall rules:
# iptables -L INPUT -v -n





Chain INPUT
(policy DROP 0 packets, 0 bytes)


pkts bytes
target
prot
opt
in
out
source









destination







0
0
ACCEPT
all
--
lo
*
0.0.0.0/0
0.0.0.0/0
0
0
DROP
all
--
*
*
127.0.0.0/8
0.0.0.0/0
0
0
ACCEPT
tcp
--
*
*
0.0.0.0/0
0.0.0.0/0
tcp dpt:22 stateNew









Verify all open ports listening on non-localhost addresses have at least one firewall rule.
The last line identified by the "tcp dpt:22 state NEW" identifies it as a firewall rule for new connections on tcp port 22.
Remediation:
For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Notes:
Changing firewall settings while connected over network can result in being locked out of the system.
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.
The remediation command opens up the port to traffic from all sources. Consult iptables documentation and set any restrictions in compliance with site policy.

69.  Ensure rsyslog Service is enabled
Audit:
Run the following command and verify result is "enabled":
# systemctl is-enabled rsyslog
enabled

Remediation:
Run the following command to enable rsyslog :
# systemctl enable rsyslog

70. Ensure rsyslog default file permissions configured
Audit:
Run the following command and verify that $FileCreateMode is 0640 or more restrictive:
# grep ^\$FileCreateMode /etc/rsyslog.conf

Remediation:
Edit the /etc/rsyslog.conf and set $FileCreateMode to 0640 or more restrictive:
$FileCreateMode 0640

71. Ensure permissions on all logfiles are configured
Audit:
Run the following command and verify that other has no permissions on any files and group does not have write or execute permissions on any files:
# find /var/log -type f -ls

Remediation:
Run the following command to set permissions on all existing log files:
# find /var/log -type f -exec chmod g-wx,o-rwx {} +

72. Ensure permissions on /etc/ssh/sshd_config are configured
Audit:
Run the following command and verify Uid and Gid are both 0/root and Access does not grant permissions to group or other :
# stat /etc/ssh/sshd_config
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)

Remediation:
Run the following commands to set ownership and permissions on /etc/ssh/sshd_config :
# chown root:root /etc/ssh/sshd_config
# chmod og-rwx /etc/ssh/sshd_config

73. Ensure SSH Protocol is set to 2
Audit:
Run the following command and verify that output matches:
# grep "^Protocol" /etc/ssh/sshd_config
Protocol 2

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Protocol 2

74. Ensure SSH LogLevel is set to INFO
Audit:
Run the following command and verify that output matches:
# grep "^LogLevel" /etc/ssh/sshd_config
LogLevel INFO

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LogLevel INFO

75. Ensure SSH X11 forwarding is disabled
Audit:
Run the following command and verify that output matches:
# grep "^X11Forwarding" /etc/ssh/sshd_config
X11Forwarding no

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no

76. Ensure SSH MaxAuthTries is set to 4 or less
Audit:
Run the following command and verify that output MaxAuthTries is 4 or less:
# grep "^MaxAuthTries" /etc/ssh/sshd_config
MaxAuthTries 4

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4

77. Ensure SSH IgnoreRhosts is enabled
Audit:
Run the following command and verify that output matches:
# grep "^IgnoreRhosts" /etc/ssh/sshd_config
IgnoreRhosts yes

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
IgnoreRhosts yes

78. Ensure SSH HostbasedAuthentication is disabled
Audit:
Run the following command and verify that output matches:
# grep "^HostbasedAuthentication" /etc/ssh/sshd_config
HostbasedAuthentication no

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
HostbasedAuthentication no

79. Ensure SSH root login is disabled
Audit:
Run the following command and verify that output matches:
# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin no

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no

80. Ensure SSH PermitEmptyPasswords is disabled
Audit:
Run the following command and verify that output matches:
# grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
PermitEmptyPasswords no

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitEmptyPasswords no

81. Ensure SSH PermitUserEnvironment is disabled
Audit:
Run the following command and verify that output matches:
# grep PermitUserEnvironment /etc/ssh/sshd_config
PermitUserEnvironment no

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitUserEnvironment no

82. Ensure only approved ciphers are used
Audit:
Run the following command and verify that output does not contain any cipher block chaining (-cbc) algorithms:
# grep "Ciphers" /etc/ssh/sshd_config
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

83. Ensure only approved MAC algorithms are used
Audit:
Run the following command and verify that output does not contain any unlisted MAC algorithms:
# grep "MACs" /etc/ssh/sshd_config
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter in accordance with site policy. The following includes all supported and accepted MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


84. Ensure SSH Idle Timeout Interval is configured
Audit:
Run the following commands and verify ClientAliveInterval is 300 or less and ClientAliveCountMax is 3 or less:
# grep "^ClientAliveInterval" /etc/ssh/sshd_config
ClientAliveInterval 300
# grep "^ClientAliveCountMax" /etc/ssh/sshd_config
ClientAliveCountMax 0

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300

ClientAliveCountMax 0

85. Ensure SSH LoginGraceTime is set to one minute or less
Audit:
Run the following command and verify that output LoginGraceTime is 60 or less:
# grep "^LoginGraceTime" /etc/ssh/sshd_config
LoginGraceTime 60

Remediation:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LoginGraceTime 60

86. Ensure SSH access is limited
Audit:
Run the following commands and verify that output matches for at least one:
# grep "^AllowUsers" /etc/ssh/sshd_config
AllowUsers <userlist>
# grep "^AllowGroups" /etc/ssh/sshd_config
AllowGroups <grouplist>

# grep "^DenyUsers" /etc/ssh/sshd_config
DenyUsers <userlist>

# grep "^DenyGroups" /etc/ssh/sshd_config
DenyGroups <grouplist>

Remediation:
Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

87. Ensure password creation requirements are configured
Audit:
Run the following commands and verify all password requirements are as listed or stricter:
# grep pam_pwquality.so /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3

# grep pam_pwquality.so /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3

# grep ^minlen /etc/security/pwquality.conf
minlen=14

# grep ^dcredit /etc/security/pwquality.conf
dcredit=-1

# grep ^lcredit /etc/security/pwquality.conf
lcredit=-1

# grep ^ocredit /etc/security/pwquality.conf
ocredit=-1

# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1

Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3

Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1


88. Ensure lockout for failed password attempts is configured
Audit:
Review the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and verify the following pam_faillock.so lines appear surrounding a pam_unix.so line and the pam_unix.so is [success=1 default=bad] as listed in both:

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900


Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines surrounding a pam_unix.so line modify the pam_unix.so is [success=1 default=bad] as listed in both:

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900

89. Ensure password reuse is limited
Audit:
Run the following commands and ensure the remember option is ' 5 ' or more and included in all results:
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so remember=5
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown:
password sufficient pam_unix.so remember=5

90.  Ensure password hashing algorithm is SHA-512
Audit:
Run the following commands and ensure the sha512 option is included in all results:
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so sha512
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so sha512

Remediation:
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown:
password sufficient pam_unix.so sha512

By:- Vinay Kumar