36
Initial Setup
Ensure AppArmor is enabled in the bootloader configuration
vim /etc/default/grub
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
(Append the two parameters to the value GRUB_CMDLINE_LINUX already has; do not drop parameters that are already there.)
update-grub
After the next reboot, confirm that /proc/cmdline contains both parameters and that AppArmor is loaded (aa-status or apparmor_status). Until the reboot the running kernel is unchanged.
88
Network Configuration
Ensure packet redirect sending is disabled
Put the two settings in /etc/sysctl.conf or in a file under /etc/sysctl.d/ so they survive a reboot; the sysctl -w lines below only change the running kernel:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Then apply them to the running kernel and flush the routing cache:
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1
91
Network Configuration
Ensure secure ICMP redirects are not accepted (Tenable sub-check: sysctl net.ipv4.conf.default.secure_redirects)
Persist in /etc/sysctl.conf or /etc/sysctl.d/:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Apply to the running kernel:
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
https://www.tenable.com/audits/items/CIS_Rocky_Linux_8_v1.0.0_L1_Server.audit:b7dc53dfed6facc205a673d5c03093f8
92
Network Configuration
Ensure suspicious packets are logged
Persist in a file under /etc/sysctl.d/ (or in /etc/sysctl.conf):
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Apply to the running kernel:
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
Martian packets are then reported in the kernel log (dmesg / journalctl -k), so check that the log is retained and forwarded; the setting is only useful if someone reads it.
93
Network Configuration
Ensure broadcast ICMP requests are ignored (Tenable sub-check: sysctl net.ipv4.icmp_echo_ignore_broadcasts)
Persist in /etc/sysctl.conf or /etc/sysctl.d/:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Apply to the running kernel:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
https://secscan.acron.pl/centos7/3/2/5
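The four items above share one pattern: persist the key in a sysctl drop-in, load it, flush the route cache, then check the live value. The script below is an added example, not part of the original notes, that does the audit and remediation for all of the network keys on this page in one place. It reads the "key = value" text that `sysctl -a` prints (so it can also be run against a captured file), and the drop-in file name /etc/sysctl.d/60-cis-net.conf is an assumption.

```shell
#!/bin/sh
# Added example: audit and remediate the CIS network sysctls from items 88-93
# (plus the accept_redirects / accept_source_route keys from items 89-90 of the
# audit sheet). The drop-in path is an assumption; pick one that fits the host.

# Expected key=value pairs. Only IPv4 keys are listed; add the net.ipv6.conf.*
# counterparts for accept_redirects and accept_source_route where IPv6 is enabled.
CIS_SYSCTLS='net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1'

# audit_sysctls ACTUAL
#   ACTUAL is text in the "key = value" format that `sysctl -a` prints.
#   Prints one FAIL line per key whose running value differs from CIS_SYSCTLS
#   (or is missing) and returns 1 if anything failed, 0 if all keys comply.
audit_sysctls() {
  actual=$1
  rc=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    have=$(printf '%s\n' "$actual" | sed -n "s/^$key *= *//p" | head -n 1)
    if [ "$have" != "$want" ]; then
      printf 'FAIL %s expected=%s actual=%s\n' "$key" "$want" "${have:-unset}"
      rc=1
    fi
  done <<EOF
$CIS_SYSCTLS
EOF
  return $rc
}

# render_dropin
#   Prints the persistent drop-in. `sysctl -w` alone only changes the running
#   kernel; this file is what makes the setting survive a reboot.
render_dropin() {
  printf '# CIS network items 88-93: redirects, source routing, martians, broadcasts\n'
  printf '%s\n' "$CIS_SYSCTLS"
}

# apply_sysctls  (needs root; not exercised by the test)
#   Writes the drop-in, loads it, flushes the route cache so routes learned from
#   earlier redirects are discarded, then re-audits the live kernel values.
apply_sysctls() {
  f=/etc/sysctl.d/60-cis-net.conf   # assumed file name
  render_dropin > "$f"
  sysctl -p "$f" >/dev/null
  sysctl -w net.ipv4.route.flush=1 >/dev/null
  audit_sysctls "$(sysctl -a 2>/dev/null)"
}
```

Read-only audit on a live host: `audit_sysctls "$(sysctl -a 2>/dev/null)"`. The function checks the running kernel, not the conf files, which is the check the audit sheet rows marked "not explicitly set in sysctl conf files" need: a key can be absent from every file and still be compliant because of the kernel default, or present in a file and overridden by a later drop-in.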
188
Access, Authentication and Authorization
Ensure password creation requirements are configured
Note: /etc/pam.d/password-auth and /etc/pam.d/system-auth are the PAM stacks of RHEL-family systems. On Debian and Ubuntu they do not exist; the equivalent file is /etc/pam.d/common-password, so edit that one instead. Never paste a PAM file copied from an outside source (a web search or a chat assistant) onto a server: a broken PAM stack can lock every account out, including root. Keep a root shell open while editing and test a fresh login from a second session before closing it.
vim /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3
vim /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3
vim /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
(minlen = 14 requires at least 14 characters; a negative credit value makes that character class mandatory, so the four -1 lines require at least one digit, one uppercase, one lowercase and one other character.)
https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:5028910c4153b619bd94605827869065
189
Access, Authentication and Authorization
Ensure lockout for failed password attempts is configured
The Tenable sub-check is "Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_unix.so'": pam_faillock must be invoked in the auth stack both before (preauth) and after (authfail) pam_unix.so, and the thresholds live in /etc/security/faillock.conf, which the audit sheet below recorded as not configured.
vim /etc/pam.d/system-auth
vim /etc/pam.d/password-auth
vim /etc/security/faillock.conf
https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v2.0.0_L1.audit:58f8cb939f1422afaa205be4ca646857
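Items 188 and 189 both come down to a handful of "key = value" lines in /etc/security/pwquality.conf and /etc/security/faillock.conf plus one PAM line, and the audit is "does the file actually contain them, uncommented, with the right numbers". The script below is an added example, not part of the original notes, that checks both files from their text and sets the keys idempotently. The lockout values deny = 5 and unlock_time = 900 are the CIS Level 1 defaults for item 189 and are assumptions here; adjust them to site policy.

```shell
#!/bin/sh
# Added example: audit and set the password-quality (item 188) and lockout
# (item 189) values. Paths are the RHEL-family/Debian common ones; the
# deny/unlock_time numbers are assumed CIS defaults, not values from the page.

# conf_get TEXT KEY
#   Prints the value of "KEY = value" in pwquality.conf / faillock.conf syntax
#   ('#' comments, '=' with optional spaces). Last occurrence wins, as in the
#   files themselves; prints nothing when the key is unset or only commented out.
conf_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# check_pwquality TEXT
#   0 when minlen >= 14 and the complexity rule holds: either minclass = 4, or
#   all four credit values are <= -1 (a negative credit makes the class mandatory).
check_pwquality() {
  minlen=$(conf_get "$1" minlen)
  [ "${minlen:-0}" -ge 14 ] || return 1
  [ "$(conf_get "$1" minclass)" = 4 ] && return 0
  for c in dcredit ucredit ocredit lcredit; do
    v=$(conf_get "$1" "$c")
    [ "${v:-0}" -le -1 ] || return 1
  done
  return 0
}

# check_faillock TEXT
#   0 when deny is set and <= 5, and unlock_time is 0 (manual unlock) or >= 900.
check_faillock() {
  deny=$(conf_get "$1" deny)
  unlock=$(conf_get "$1" unlock_time)
  [ -n "$deny" ] && [ "$deny" -le 5 ] || return 1
  [ -n "$unlock" ] || return 1
  [ "$unlock" -eq 0 ] || [ "$unlock" -ge 900 ]
}

# check_pam_pwquality TEXT
#   0 when the password stack (system-auth, password-auth or common-password)
#   calls pam_pwquality.so as requisite/required with retry=3 or fewer.
check_pam_pwquality() {
  printf '%s\n' "$1" \
    | grep -E '^password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so' \
    | grep -qE 'retry=[1-3]([[:space:]]|$)'
}

# set_conf_key FILE KEY VALUE
#   Idempotent: removes every existing line for KEY (active or commented) and
#   appends exactly one. Writes through cat so the file keeps its mode and owner.
set_conf_key() {
  tmp=$(mktemp)
  grep -vE "^[[:space:]]*#?[[:space:]]*$2[[:space:]]*=" "$1" > "$tmp" || true
  printf '%s = %s\n' "$2" "$3" >> "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# remediate_password_policy  (needs root; not exercised by the test)
#   Applies the item 188 values from the notes above and the assumed lockout values.
remediate_password_policy() {
  set_conf_key /etc/security/pwquality.conf minlen 14
  for c in dcredit ucredit ocredit lcredit; do
    set_conf_key /etc/security/pwquality.conf "$c" -1
  done
  set_conf_key /etc/security/faillock.conf deny 5
  set_conf_key /etc/security/faillock.conf unlock_time 900
}
```

To audit a host: `check_pwquality "$(cat /etc/security/pwquality.conf)" && check_faillock "$(cat /etc/security/faillock.conf)"`, and `check_pam_pwquality "$(cat /etc/pam.d/system-auth)"` (or common-password on Debian/Ubuntu). The checks read the whole file text rather than grepping for a single line so that a later duplicate of the key, which is what pwquality and faillock honour, cannot silently weaken an earlier compliant line.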
The audit sheet for the server, one record per CIS item. The columns of the original sheet were: ID, Section, Title, Description, Severity, Rationale, Observation, Status, Result, Recommendation, Reference, Done.

Item 2 | Initial Setup | Ensure /tmp is a separate partition
Severity: High
Description: The `/tmp` directory is a world-writable directory used for temporary storage by all users and some applications.
Rationale: Making `/tmp` its own file system allows an administrator to set additional mount options such as the `noexec` option on the mount, making `/tmp` useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system `setuid` program and waiting for it to be updated: once the program was updated, the hard link would be broken and the attacker would have their own copy of the program, and if that program had a security vulnerability the attacker could continue to exploit the known flaw. This can be accomplished by either mounting `tmpfs` on `/tmp` or creating a separate partition for `/tmp`.
Observation: /tmp is not a separate partition; it is a directory on the root filesystem.
Status / Result: Misconfigured / fail
Recommendation: /tmp should be a separate partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:3cdd6e70e09cdf67e65b4118276f20cb
Done: Yes

Item 36 | Initial Setup | Ensure AppArmor is enabled in the bootloader configuration
Severity: High
Description: Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader; if LILO or another bootloader is in use in your environment, enact equivalent settings.
Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
Observation: AppArmor is not enabled in the bootloader configuration.
Status / Result: Misconfigured / fail
Recommendation: Enable AppArmor in the bootloader configuration.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_10_v1.0.0_L1_Workstation.audit:e623af4464dcd9d63ca5634e6a7b2a30
Done: Yes

Item 88 | Network Configuration | Ensure packet redirect sending is disabled
Severity: High
Description: ICMP redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host-only configuration), there is no need to send redirects.
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker instead of a valid system.
Observation: Packet redirect sending is not disabled in the sysctl configuration files. The setting is not explicitly set in any sysctl conf file; per CIS the kernel default leaves redirect sending enabled. Confirm the running value with sysctl net.ipv4.conf.all.send_redirects and sysctl net.ipv4.conf.default.send_redirects.
Status / Result: Misconfigured / fail
Recommendation: Disable packet redirect sending (net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.default.send_redirects = 0).
Reference: https://www.tenable.com/audits/items/Tenable_Best_Practices_Cisco_Firepower_Management_Center_OS.audit:24b8fcd749b252466282dc40c9226bf3
Done: Yes

Item 91 | Network Configuration | Ensure secure ICMP redirects are not accepted
Severity: High
Description: Secure ICMP redirects are the same as ICMP redirects, except that they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system and are likely to be secure.
Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects to 0 protects the system from routing-table updates by possibly compromised known gateways.
Observation: Secure ICMP redirects are accepted. The setting is not explicitly set in any sysctl conf file; per CIS the kernel default accepts them. Confirm the running value with sysctl net.ipv4.conf.all.secure_redirects and sysctl net.ipv4.conf.default.secure_redirects.
Status / Result: Misconfigured / fail
Recommendation: Secure ICMP redirects should not be accepted.
Reference: https://www.tenable.com/audits/items/CIS_Rocky_Linux_8_v1.0.0_L1_Server.audit:b7dc53dfed6facc205a673d5c03093f8
Done: Yes

Item 92 | Network Configuration | Ensure suspicious packets are logged
Severity: High
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Rationale: Setting net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians to 1 enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Observation: Suspicious packet logging is not configured. The setting is not explicitly set in any sysctl conf file, so the kernel default (no martian logging) applies. Confirm with sysctl net.ipv4.conf.all.log_martians and sysctl net.ipv4.conf.default.log_martians.
Status / Result: Misconfigured / fail
Recommendation: Suspicious packets should be logged.
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v3.0.0_L1.audit:a44cf048f1e41d5b4107e6505b9d2bbe
Done: Yes

Item 93 | Network Configuration | Ensure broadcast ICMP requests are ignored
Severity: High
Description: Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 causes the system to ignore all ICMP echo and timestamp requests sent to broadcast and multicast addresses.
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating in) a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
Observation: Broadcast ICMP requests are not ignored. The setting is not explicitly set in any sysctl conf file; confirm the running value with sysctl net.ipv4.icmp_echo_ignore_broadcasts.
Status / Result: Misconfigured / fail
Recommendation: Broadcast ICMP requests should be ignored.
Reference: https://secscan.acron.pl/centos7/3/2/5
Done: Yes

Item 161 | Access, Authentication and Authorization | Ensure at is restricted to authorized users
Severity: High
Description: Configure `/etc/at.allow` to allow specific users to use this service. If `/etc/at.allow` does not exist, then `/etc/at.deny` is checked; any user not specifically listed in that file is allowed to use `at`. By removing `/etc/at.deny`, only users in `/etc/at.allow` are allowed to use `at`. Note: Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `at` should be removed and the alternate method secured in accordance with local site policy.
Rationale: On many systems, only the system administrator is authorized to schedule `at` jobs. Using the `at.allow` file to control who can run `at` jobs enforces this policy. It is easier to manage an allow list than a deny list: with a deny list you could add a user ID to the system and forget to add it to the deny file.
Observation: /etc/at.allow is not configured. /etc/at.deny exists (owner root, group daemon, mode 0640) and lists: alias, backup, bin, daemon, ftp, games, gnats, guest, irc, lp, mail, man, nobody, operator, proxy, qmaild, qmaill, qmailp, qmailq, qmailr, qmails, sync, sys, www-data.
Status / Result: Misconfigured / fail
Recommendation: Restrict the `at` service to authorized users. If /etc/at.allow or /etc/at.deny exists, ensure the file:
• is mode 0640 or more restrictive
• is owned by the user root
• is group owned by the group daemon or the group root
Reference: https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Server_L1.audit:86c8d9d215137feb6325397a01cb0483
Done: Yes

Item 188 | Access, Authentication and Authorization | Ensure password creation requirements are configured
Severity: High
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it has a certain length, that it contains a mix of characters (alphabetic, numeric, other) and more. The following options are set in /etc/security/pwquality.conf:
- Password length: minlen = 14 (the password must be 14 characters or more)
- Password complexity: minclass = 4 (the minimum number of required classes of characters for the new password: digits, uppercase, lowercase, others)
Rationale: Strong passwords protect systems from being hacked through brute-force methods.
Observation: Password creation requirements are not configured.
Status / Result: Misconfigured / fail
Recommendation: Configure password creation requirements.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:5028910c4153b619bd94605827869065
Done: Yes

Item 189 | Access, Authentication and Authorization | Ensure lockout for failed password attempts is configured
Severity: High
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the common PAM configuration files. The second set is applied to the program-specific PAM configuration file and must be applied to each program that will lock out users; check the documentation for each secondary program for instructions on how to configure it to work with PAM.
Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute-force password attacks against your systems.
Observation: Lockout for failed password attempts is not configured in /etc/security/faillock.conf.
Status / Result: Misconfigured / fail
Recommendation: Configure lockout for failed password attempts.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v2.0.0_L1.audit:58f8cb939f1422afaa205be4ca646857
Done: Yes

Item 210 | System Maintenance | Ensure no world writable files exist
Severity: High
Description: World-writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could be the cause of a larger compromise of the system's integrity. See the chmod(2) man page for more information. Setting the sticky bit on world-writable directories prevents users from deleting or renaming files in that directory that they do not own.
Rationale: Any user on the system can modify data in a world-writable file, and such files are often the sign of a badly written script or program.
Observation: World-writable files exist and world-writable directories are not secured with the sticky bit.
Status / Result: Misconfigured / fail
Recommendation: Secure world-writable files and directories.
Reference: https://secscan.acron.pl/centos7/6/1/10
Done: No

Item 5 | Initial Setup | Ensure noexec option set on /tmp partition
Severity: High
Description: The `noexec` mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Since the `/tmp` filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from `/tmp`.
Observation: /tmp is not a separate partition; it is a directory on the root filesystem, so no mount option can be applied to it.
Status / Result: Misconfigured / pass
Recommendation: Set the noexec option on the /tmp partition.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:dadfef667196d8ef78d5216412782d08

Item 13 | Initial Setup | Ensure noexec option set on /var/log partition
Severity: High
Description: The `noexec` mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Since the `/var/log` filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from `/var/log`.
Observation: /var is not a separate partition.
Status / Result: Misconfigured / pass
Recommendation: Set the noexec option on the /var/log partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:6e20291a42c119d456e34a34415142b0

Item 14 | Initial Setup | Ensure nodev option set on /var/log/audit partition
Severity: High
Description: The `nodev` mount option specifies that the filesystem cannot contain special devices.
Rationale: Since the `/var/log/audit` filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in `/var/log/audit`.
Observation: /var is not a separate partition.
Status / Result: Misconfigured / pass
Recommendation: Set the nodev option on the /var/log/audit partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:806bf7864025e1ac6154efbcca56cdd0

Item 15 | Initial Setup | Ensure nosuid option set on /var/log/audit partition
Severity: High
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files.
Rationale: Since the `/var/log/audit` filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create `setuid` files in `/var/log/audit`.
Observation: /var is not a separate partition.
Status / Result: Misconfigured / pass
Recommendation: Set the nosuid option on the /var/log/audit partition.
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v2.0.0_L1.audit:839a86495f52e7e7f68bd7d413cbcdf9

Item 20 | Initial Setup | Ensure nosuid option set on /dev/shm partition
Severity: High
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files.
Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
Observation: The nosuid option is set on the /dev/shm partition.
Status / Result: Configured / pass
Recommendation: Set the nosuid option on the /dev/shm partition.

Item 23 | Initial Setup | Disable USB Storage
Severity: High
Description: USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Rationale: Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Observation: USB storage is enabled.
Status / Result: NA / fail
Recommendation: Disable USB storage.
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v2.0.0_L1.audit:ef5b7c51225c9f08cee616b9ca89b1a5

Item 25 | Initial Setup | Ensure GPG keys are configured
Severity: High
Description: Most package managers implement GPG key signing to verify package integrity during installation.
Rationale: It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.
Observation: GPG keys are configured:
- Microsoft release sign
- Ubuntu CD Image automatic signing key
- Ubuntu archive automatic signing key
Status / Result: Configured / manual
Recommendation: GPG keys should be configured.

Item 27 | Logging and Auditing | Ensure filesystem integrity is regularly checked
Severity: High
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
Rationale: Periodic file checking allows the system administrator to determine on a regular basis whether critical files have been changed in an unauthorized fashion.
Observation: Filesystem integrity is regularly checked with aide.
Status / Result: Configured / pass
Recommendation: Filesystem integrity should be regularly checked.

Item 28 | Initial Setup | Ensure bootloader password is set
Severity: High
Description: Setting the boot loader password requires that anyone rebooting the system enter a password before being able to set command-line boot parameters.
Rationale: Requiring a boot password upon execution of the boot loader prevents an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).
Observation: A bootloader password is set.
Status / Result: Configured / pass
Recommendation: A bootloader password should be set.

Item 30 | Initial Setup | Ensure authentication required for single user mode
Severity: High
Description: Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.
Rationale: Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user mode to gain root privileges without credentials.
Observation: The root password is required before entering single-user or recovery mode.
Status / Result: Configured / pass
Recommendation: Authentication should be required for single user mode.

Item 46 | Initial Setup | Ensure GDM screen locks when the user is idle
Severity: High
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.
- `idle-delay=uint32 {n}` - Number of seconds of inactivity before the screen goes blank
- `lock-delay=uint32 {n}` - Number of seconds after the screen is blank before locking the screen
_Example key file:_
```
# Specify the dconf path
[org/gnome/desktop/session]
# Number of seconds of inactivity before the screen goes blank
# Set to 0 seconds if you want to deactivate the screensaver.
idle-delay=uint32 900
# Specify the dconf path
[org/gnome/desktop/screensaver]
# Number of seconds after the screen is blank before locking the screen
lock-delay=uint32 5
```
Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.
Observation: The package GDM or GDM3 is not present on the system.
Status / Result: NA / pass
Recommendation: GDM should lock the screen when the user is idle.

Item 47 | Initial Setup | Ensure GDM screen locks cannot be overridden
Severity: High
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
_Example Lock File:_
```
# Lock desktop screensaver settings
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-delay
```
Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended. Without locking down the system settings, user settings take precedence over the system settings.
Observation: The package GDM or GDM3 is not present on the system.
Status / Result: NA / pass
Recommendation: GDM screen locks should not be overridable.

Item 48 | Initial Setup | Ensure GDM automatic mounting of removable media is disabled
Severity: High
Description: By default GNOME automatically mounts removable media when inserted, as a convenience to the user.
Rationale: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked permission to mount it themselves.
Observation: The package GDM or GDM3 is not present on the system.
Status / Result: NA / pass
Recommendation: GDM automatic mounting of removable media should be disabled.

Item 49 | Initial Setup | Ensure GDM disabling automatic mounting of removable media is not overridden
Severity: High
Description: By default GNOME automatically mounts removable media when inserted, as a convenience to the user. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
_Example Lock File:_
```
# Lock automount settings
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
```
Rationale: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked permission to mount it themselves.
Observation: The package GDM or GDM3 is not present on the system.
Status / Result: NA / pass
Recommendation: The GDM automount setting should not be overridable.

Item 55 | Access, Authentication and Authorization | Ensure chrony is configured with authorized timeserver
Severity: High
Description (from the chrony.conf directives):
- server: specifies an NTP server which can be used as a time source. The client-server relationship is strictly hierarchical: a client might synchronize its system time to that of the server, but the server's system time will never be influenced by that of a client. This directive can be used multiple times to specify multiple servers. The directive is immediately followed by either the name of the server or its IP address.
- pool: the syntax of this directive is similar to that of the server directive, except that it is used to specify a pool of NTP servers rather than a single NTP server. The pool name is expected to resolve to multiple addresses which might change over time. This directive can be used multiple times to specify multiple pools. All options valid in the server directive can be used in this directive too.
Rationale: Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: chrony is configured with a pool of NTP servers provided by Ubuntu:
ntp.ubuntu.com
0.ubuntu.pool.ntp.org
1.ubuntu.pool.ntp.org
2.ubuntu.pool.ntp.org
It is not configured as per CERT-In guidelines.
Status / Result: Misconfigured / manual
Recommendation: The time daemon in use (chrony on this host) should be configured with an authorized timeserver. As per CERT-In guidelines, configure a custom NTP server and sync all network devices to that same server, using the standard time source samay1.nic.in or samay2.nic.in.

Item 59 | Logging and Auditing | Ensure systemd-timesyncd is enabled and running
Severity: High
Description: systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network.
Rationale: systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: systemd-timesyncd is not enabled for time synchronization.
Status / Result: Configured / pass
Recommendation: systemd-timesyncd should be enabled and running for time synchronization.

Item 60 | Services | Ensure ntp access control is configured
Severity: High
Description (ntp access control commands): restrict address [mask mask] [ippeerlimit int] [flag ...]
The address argument, expressed in dotted-quad form, is the address of a host or network; alternatively it can be a valid host DNS name. The mask argument, expressed in dotted-quad form, defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note: the text string default, with no mask option, may be used to indicate the default entry. The ippeerlimit directive limits the number of peer requests for each IP to int, where a value of -1 means "unlimited" (the current default) and 0 means "none". There would usually be at most one peering request per IP, but if the remote peering requests are behind a proxy there could be more than one per IP. In the current implementation, flag always restricts access, i.e. an entry with no flags indicates that free access to the server is to be given.
Rationale: If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is accurate.
Observation: ntp access control is configured.
Status / Result: Configured / pass
Recommendation: ntp access control should be configured.

Item 61 | Services | Ensure ntp is configured with authorized timeserver
Severity: High
Description: The various modes are determined by the command keyword and the type of the required IP address. Addresses are classed by type as (s) a remote server or peer (IPv4 class A, B and C), (b) the broadcast address of a local interface, (m) a multicast address (IPv4 class D), or (r) a reference clock address (127.127.x.x).
Rationale: Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: The chrony service is used for time synchronization.
Status / Result: Configured / manual
Recommendation: ntp should be configured with an authorized timeserver.

Item 62 | Services | Ensure ntp is running as user ntp
Severity: High
Description: The ntp package is installed with a dedicated user account ntp. This account is granted the access required by the ntpd daemon. Note: if chrony or systemd-timesyncd is used, ntp should be removed and this section skipped; this recommendation only applies if ntp is in use on the system, and only one time synchronization method should be in use.
Rationale: Running the NTP service as the root user increases the potential attack surface. If an attacker compromises an NTP daemon running as root, they could gain full control over the system.
Observation: ntp is not running as user ntp. chrony is used for time synchronization.
Status / Result: NA / fail
Recommendation: The ntpd daemon should run with only the required privilege.
Reference: https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Workstation_L1.audit:b6efa0a093a0ec880f1af044e03c67d9

Item 63 | Services | Ensure ntp is enabled and running
Severity: High
Description: ntp is a daemon for synchronizing the system clock across the network.
Rationale: ntp needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: ntp is not enabled and running. chrony is used for time synchronization.
Status / Result: NA / fail
Recommendation: NTP should be enabled and running in order to synchronize the system to a timeserver.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:0bf39d70f3ac516950878b2f6391a1ea

Item 64 | Services | Ensure X Window System is not installed
Severity: High
Description: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.
Rationale: Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Window xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime, if provided by your distribution.
Observation: The X Window System is not installed.
Status / Result: NA / pass
Recommendation: The X Window System should not be installed.

Item 87 | Access, Authentication and Authorization | Ensure wireless interfaces are disabled
Severity: High
Description: Wireless networking is used when wired networks are unavailable.
Rationale: Many if not all laptop workstations and some desktop workstations will connect via wireless, requiring these interfaces to be enabled.
Observation: No wireless interfaces are present.
Status / Result: Configured / pass
Recommendation: Wireless interfaces should be disabled.

Item 89 | Network Configuration | Ensure source routed packets are not accepted
Severity: High
Description: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source-routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet-routable addresses), and so source routed packets would need to be used.
Rationale: Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 stops the system from accepting source routed packets. Assume this system was capable of routing packets to Internet-routable addresses on one interface and private addresses on another interface, and that the private addresses were not routable to the Internet-routable addresses and vice versa.
Observation: Source routed packets are accepted. The setting is not explicitly set in any sysctl conf file; confirm the running values with sysctl net.ipv4.conf.all.accept_source_route and sysctl net.ipv6.conf.all.accept_source_route.
Status / Result: Misconfigured / pass
Recommendation: Source routed packets should not be accepted.

Item 90 | Network Configuration | Ensure ICMP redirects are not accepted
Severity: High
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables.
Rationale: By setting net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects to 0, the system will not accept any ICMP redirect messages and therefore will not allow outsiders to update the system's routing tables.
Observation: ICMP redirects are accepted. The setting is not explicitly set in any sysctl conf file; confirm the running values with sysctl net.ipv4.conf.all.accept_redirects and sysctl net.ipv6.conf.all.accept_redirects.
Status / Result: Misconfigured / pass
Recommendation: ICMP redirects should not be accepted.

Item 100 | Firewall configuration | Ensure ufw service is enabled
Severity: High
Description: UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and an available graphical user interface for manipulating the firewall.
Rationale: The ufw service must be enabled and running in order for ufw to protect the system.
Observation: Dedicated firewall, EDR and security groups are in place.
Status / Result: NA / fail
Recommendation: The ufw service should be enabled.
Reference: https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Server_L1.audit:225933fb277c1b30729b3506c261ea9e

Item 101 | Firewall configuration | Ensure ufw loopback traffic is configured
Severity: High
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6).
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Observation: Dedicated firewall, EDR and security groups are in place.
Status / Result: NA / fail
Recommendation: ufw loopback traffic should be configured.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:66faf3329ba5cd534549ff2a6b7e5f79

Item 102 | Firewall configuration | Ensure ufw outbound connections are configured
Severity: High
Description: Configure the firewall rules for new outbound connections.
Rationale: If rules are not in place for new outbound connections, all packets will be dropped by the default policy, preventing network usage.
Observation: The ufw firewall is not enabled.
Status / Result: NA / manual
Recommendation: ufw outbound connections should be configured.

Item 103 | Firewall configuration | Ensure ufw firewall rules exist for all open ports
Severity: High
Description: Services and ports can be accepted or explicitly rejected.
Rationale: To reduce the attack surface of a system, all services and ports should be blocked unless required. Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports. Required ports should have a firewall rule created to allow approved connections in accordance with local site policy; unapproved ports should have an explicit deny rule created.
Observation: Dedicated firewall, EDR and security groups are in place.
Status / Result: NA / fail
Recommendation: ufw firewall rules should exist for all open ports.
Reference: https://www.tenable.com/audits/items/CIS_Ubuntu_20.04_LTS_v1.1.0_Workstation_L1.audit:a44ebcd8819800533ff20ebb8e75ac6f

Item 105 | Firewall configuration | Ensure nftables is installed
Severity: High
Description: nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command-line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and the logging subsystem.
_Notes:_
- _nftables is available in Linux kernel 3.13 and newer_
- _Only one firewall utility should be installed and configured_
- _Changing firewall settings while connected over the network can result in being locked out of the system_
Rationale: nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network, including malicious mobile code and poorly configured software on a host.
Observation: Dedicated firewall, EDR and security groups are in place.
Status / Result: NA / pass
Recommendation: nftables should be installed.

Item 109 | Firewall configuration | Ensure nftables base chains exist
Severity: High
Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack; a regular chain may be used as a jump target and is used for better rule organization.
Rationale: If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity.
Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop Dedicated firewall, EDR, & security groups in place NA fail It is recommended that nftables base chains exist https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-set-nftables-base-chain/ 114 Firewall configuration Ensure nftables rules are permanent nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames.
The nftables service reads the `/etc/nftables.conf` file for a nftables file or files to include in the nftables ruleset.
A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered. High Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot Dedicated firewall, EDR, & security groups in place NA fail It is recommended that nftables rules are permanent https://www.tenable.com/audits/items/CIS_AlmaLinux_OS_8_Workstation_v2.0.0_L1.audit:a7c704bd873646f52850c46d58b4eae5 115 Firewall configuration Ensure iptables packages are installed iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames. High A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that iptables packages are installed https://www.tenable.com/audits/items/CIS_Red_Hat_EL7_v3.0.1_Server_L1.audit:6ed84fe783ebb5ad211026864f8095b3 116 Firewall configuration Ensure nftables is not installed with iptables nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. High Running both `iptables` and `nftables` may lead to conflict. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that nftables is not installed with iptables https://www.tenable.com/audits/items/CIS_CentOS_7_v3.1.2_Workstation_L1.audit:2139e2b993a76c3532853cd2eed339a8 118 Firewall configuration Ensure iptables default deny firewall policy A default deny all policy on connections ensures that any unconfigured network usage will be rejected. 
High With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that iptables default deny firewall policy is configured https://www.tenable.com/audits/items/CIS_CentOS_7_v3.1.1_Server_L1.audit:455c14089614a64290642e415d48f856 119 Firewall configuration Ensure iptables loopback traffic is configured Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). High Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that iptables loopback traffic is configured https://www.tenable.com/audits/items/CIS_Ubuntu_18.04_LTS_Server_v2.1.0_L1.audit:c0ce751a5ad0852acb96bec1c28d9105 120 Firewall configuration Ensure iptables outbound and established connections are configured Configure the firewall rules for new outbound, and established connections. High If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage. It was observed that iptables outbound and established connections are not configured NA manual It is recommended that iptables outbound and established connections are configured 121 Firewall configuration Ensure iptables firewall rules exist for all open ports Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. High Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. 
Dedicated firewall, EDR, & security groups in place NA fail It is recommended that iptables firewall rules exist for all open ports https://www.tenable.com/audits/items/CIS_SUSE_Linux_Enterprise_Server_11_v2.0.0_L1.audit:c83c879ed03801e36ce2e169002793d1 122 Firewall configuration Ensure ip6tables default deny firewall policy A default deny all policy on connections ensures that any unconfigured network usage will be rejected. High With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that ip6tables default deny firewall policy is configured https://www.tenable.com/audits/items/CIS_Oracle_Linux_7_v3.0.0_Workstation_L1.audit:9a9c8edebd3f0f2901a1f65d6ff50883 123 Firewall configuration Ensure ip6tables loopback traffic is configured Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). High Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Dedicated firewall, EDR, & security groups in place NA fail It is recommended that ip6tables loopback traffic is configured https://www.tenable.com/audits/items/CIS_Distribution_Independent_Linux_Server_L1_v2.0.0.audit:f0d6b5b41bb49815c686aab7f55ce7cd 124 Firewall configuration Ensure ip6tables outbound and established connections are configured Configure the firewall rules for new outbound, and established IPv6 connections. High If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage. 
It was observed that ip6tables outbound and established connections are not configured NA manual It is recommended that ip6tables outbound and established connections are configured 127 Logging and Auditing Ensure only authorized users own audit log files Audit log files contain information about the system and system activity. High Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. It was observed that All audit log files are owned by "root" Configured pass It is recommended that only authorized users own audit log files 128 Logging and Auditing Ensure only authorized groups are assigned ownership of audit log files Audit log files contain information about the system and system activity. High Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. It was observed that - The "log_group" parameter is correctly set to "log_group = adm" in "/etc/audit/auditd.conf"
- All audit log files are group owned by: "root or adm" Configured pass It is recommended that only authorized groups are assigned ownership of audit log files 129 Logging and Auditing Ensure the audit log directory is 0750 or more restrictive The audit log directory contains audit log files. High Audit information includes all information including: audit records, audit settings and audit reports. This information is needed to successfully audit system activity. This information must be protected from unauthorized modification or deletion. If this information were to be compromised, forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. It was observed that the audit log directories /etc/audit, etc/audit/plugins.d and etc/audit/rules.d are set to mode 750 Configured pass It is recommended that the audit log directory is 0750 or more restrictive 140 Logging and Auditing Ensure journald service is enabled Ensure that the systemd-journald service is enabled to allow capturing of logging events High If the systemd-journald service is not enabled to start on boot, the system will not capture logging events It was observed that journald service is enabled and active Configured pass It is recommended that journald service is enabled and active 146 Logging and Auditing Ensure rsyslog service is enabled Once the rsyslog package is installed, ensure that the service is enabled. High If the rsyslog service is not enabled to start on boot, the system will not capture logging events. It was observed that rsyslog service is enabled Configured pass It is recommended that once the rsyslog package is installed, ensure that the service is enabled. 147 Logging and Auditing Ensure journald is configured to send logs to rsyslog Data from journald may be stored in volatile memory or persisted locally on the server. 
Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export. High RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. It was observed journald is not configured to send logs to rsyslog Misconfigured manual It is recommended to ensure that journald is configured to send logs to rsyslog 148 Logging and Auditing Ensure rsyslog default file permissions are configured RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. High It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. It was observed that rsyslog default file permissions are configured to 640 Configured pass It is recommended that rsyslog default file permissions are configured to 0640 or more restrictive 156 Access, Authentication and Authorization Ensure permissions on /etc/cron.daily are configured The `/etc/cron.daily` directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policy High Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.daily are configured
Access: (0700) and suid,guid=0 (root) Configured pass It is recommended that permissions on /etc/cron.daily are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 157 Access, Authentication and Authorization Ensure permissions on /etc/cron.weekly are configured The `/etc/cron.weekly` directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policy High Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.weekly are configured
Access: (0700) and suid,guid=0 (root) Configured pass It is recommended that permissions on /etc/cron.weekly are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 158 Access, Authentication and Authorization Ensure permissions on /etc/cron.monthly are configured The `/etc/cron.monthly` directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policy High Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.monthly are configured
Access: (0700) and suid,guid=0 (root) Configured pass It is recommended that permissions on /etc/cron.monthly are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 159 Access, Authentication and Authorization Ensure permissions on /etc/cron.d are configured The `/etc/cron.d` directory contains system `cron` jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from `/etc/crontab`, but require more granular control as to when they run. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policy High Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.d are configured
Access: (0700) and suid,guid=0 (root) Configured pass It is recommended that permissions on /etc/cron.d are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 160 Access, Authentication and Authorization Ensure cron is restricted to authorized users Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. High On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
It was observed that cron.allow file is configured, but no users are present in the file Misconfigured pass It is recommended that cron is restricted to authorized users 178 Access control Ensure SSH MaxStartups is configured The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon High To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon It was observed that sshd maxstartups is set to 10:30:60 Configured pass It is recommended that SSH MaxStartups is configured 179 Access control Ensure SSH MaxSessions is set to 10 or less The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. High To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon It was observed that sshd MaxSessions is set to 3 Configured pass It is recommended that SSH MaxSessions is set to 10 or less 181 Access control Ensure SSH Idle Timeout Interval is configured The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config :
ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option en‐abled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination.
High In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax . Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinately, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. Ensure SSH Idle Timeout Interval is configured:
ClientAliveInterval 5 mins
ClientAliveCountMax 3 Configured pass It is recommended that SSH Idle Timeout Interval is configured 182 Access control Ensure sudo is installed `sudo` allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. High `sudo` supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the `sudo` front end. The default security policy is `sudoers`, which is configured via the file `/etc/sudoers` and any entries in `/etc/sudoers.d`.
The security policy determines what privileges, if any, a user has to run `sudo`. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, `sudo` will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific. It was observed that sudo is installed Configured pass It is recommended that sudo is installed 183 Access control Ensure sudo commands use pty `sudo` can be configured to run only from a pseudo terminal (`pseudo-pty`). High Attackers can run a malicious program using `sudo` which would fork a background process that remains even when the main program has finished executing. It was observed that sudo commands use pty Configured pass It is recommended that sudo commands use pty 184 Access control Ensure sudo log file exists sudo can use a custom log file High A sudo log file simplifies auditing of sudo commands It was observed that sudo log file exists Configured pass It is recommended that sudo log file exists 185 Access control Ensure re-authentication for privilege escalation is not disabled globally The operating system must be configured so that users must re-authenticate for privilege escalation. High Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. It was observed that re-authentication for privilege escalation is not disabled globally Configured pass It is recommended that re-authentication for privilege escalation is not disabled globally 187 Access control Ensure access to the su command is restricted The `su` command allows a user to run a command or shell as another user. The program has been superseded by `sudo`, which allows for more granular control over privileged access. Normally, the `su` command can be executed by any user. By uncommenting the `pam_wheel.so` statement in `/etc/pam.d/su`, the `su` command will only allow users in a specific groups to execute `su`. This group should be empty to reinforce the use of `sudo` for privileged access. High Restricting the use of `su` , and using `sudo` in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via `sudo` , whereas `su` can only record that a user executed the `su` program. It was observed that access to the su command is restricted to sugroup
Access permission set to -rwsr-xr-x Configured pass It is recommended that access to the su command is restricted 190 Access, Authentication and Authorization Ensure password reuse is limited The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. High Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. It was observed that password reuse is set to 5 passwords Configured pass It is recommended that password reuse is limited 191 Access, Authentication and Authorization Ensure password hashing algorithm is up to date with the latest standards The commands below change password encryption to yescrypt . All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. High The yescrypt algorithm provides much stronger hashing than previous available algorithms, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. It was observed that password hashing algorithm is set to yescrypt Configured fail It is recommended that password hashing algorithm is up to date with the latest standards https://secscan.acron.pl/centos7/5/3/4 192 User Accounts and Environment Ensure all current passwords uses the configured hashing algorithm A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.
ENCRYPT_METHOD (string) - This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line). It can take one of these values:
MD5 - MD5-based algorithm will be used for encrypting password
SHA256 - SHA256-based algorithm will be used for encrypting password
SHA512 - SHA512-based algorithm will be used for encrypting password
BCRYPT - BCRYPT-based algorithm will be used for encrypting password
YESCRYPT - YESCRYPT-based algorithm will be used for encrypting password
DES - DES-based algorithm will be used for encrypting password (default) High The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords. It was observed that strong password hashing algorithm is set to sha512 Configured manual It is recommended that strong password hashing algorithm is configured SHA512 or YESCRYPT 194 User Accounts and Environment Ensure password expiration is 365 days or less The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age.
PASS_MAX_DAYS<N> - The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction) High The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
We recommend a yearly password change. This is primarily because for all their good intentions users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see this notification, or forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise to mitigate this with minimal user burden It was observed that password expiration is configure is configured to 365 days Configured fail It is recommended that password expiration is configured to 365 days or less and greater than 0 days 196 User Accounts and Environment Ensure inactive password lock is 30 days or less User accounts that have been inactive for over a given period of time can be automatically disabled.
INACTIVE - Defines the number of days after the password exceeded its maximum age where the user is expected to replace this password.
The value is stored in the shadow password file. An input of 0 will disable an expired password with no delay. An input of -1 will blank the respective field in the shadow password file.
Severity: High
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Observation: It was observed that inactive password lock is configured to 30 days.
Status: Configured (fail)
Recommendation: It is recommended that inactive password lock is configured to no more than 45 days.

199 | User Accounts and Environment | Ensure default group for the root account is GID 0
Description: The groupmod command can be used to specify which group the root group belongs to. This affects permissions of files that are group owned by the root group.
Severity: High
Rationale: Using GID 0 for the root group helps prevent root group owned files from accidentally becoming accessible to non-privileged users.
Observation: It was observed that the default group for the root account is GID 0.
Status: Configured (pass)
Recommendation: It is recommended that group root is the only GID 0 group.

202 | System Maintenance | Ensure permissions on /etc/passwd are configured
Description: The `/etc/pass­wd` file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate.
Severity: High
Rationale: It is critical to ensure that the `/etc/passwd` file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/passwd are configured and set to 0644.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/passwd are configured. Ensure /etc/passwd is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root.

203 | System Maintenance | Ensure permissions on /etc/passwd- are configured
Description: The /etc/passwd- file contains backup user account information.
Severity: High
Rationale: It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/passwd- are configured and set to 0644.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/passwd- are configured. Ensure /etc/passwd- is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root.

204 | System Maintenance | Ensure permissions on /etc/group are configured
Description: The `/etc/group` file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else.
Severity: High
Rationale: The `/etc/group` file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs.
Observation: It was observed that permissions on /etc/group are configured and set to 0644.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/group are configured. Ensure /etc/group is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root.

205 | System Maintenance | Ensure permissions on /etc/group- are configured
Description: The /etc/group- file contains a backup list of all the valid groups defined in the system.
Severity: High
Rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/group- are configured and set to 0644.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/group- are configured. Ensure /etc/group- is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root.

206 | System Maintenance | Ensure permissions on /etc/shadow are configured
Description: The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts.
Observation: It was observed that permissions on /etc/shadow are configured and set to 0640.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/shadow are configured. Ensure /etc/shadow is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or ({GID}/shadow).

207 | System Maintenance | Ensure permissions on /etc/shadow- are configured
Description: The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/shadow- are configured and set to 0640.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/shadow- are configured. Ensure /etc/shadow- is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or ({GID}/shadow).

208 | System Maintenance | Ensure permissions on /etc/gshadow are configured
Description: The `/etc/gshadow` file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: If attackers can gain read access to the `/etc/gshadow` file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the `/etc/gshadow` file (such as group administrators) could also be useful to subvert the group.
Observation: It was observed that permissions on /etc/gshadow are configured and set to 0640.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/gshadow are configured. Ensure /etc/gshadow is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or `{GID}/shadow`.

209 | System Maintenance | Ensure permissions on /etc/gshadow- are configured
Description: The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/gshadow- are configured and set to 0640.
Status: Configured (pass)
Recommendation: It is recommended that permissions on /etc/gshadow- are configured. Ensure /etc/gshadow- is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or `{GID}/shadow`.

211 | System Maintenance | Ensure no unowned files or directories exist
Description: Administrators may delete users or groups from the system and neglect to remove all files and/or directories owned by those users or groups.
Severity: High
Rationale: A new user or group who is assigned a deleted user's user ID or group ID may then end up "owning" a deleted user or group's files, and thus have more access on the system than was intended.
Observation: It was observed that no files or directories without an owner and a group exist.
Status: Configured (pass)
Recommendation: It is recommended that no files or directories without an owner and a group exist.

213 | System Maintenance | Ensure SUID and SGID files are reviewed
Description: The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID or SGID program is to enable users to perform functions (such as changing their password) that require root privileges.
Severity: High
Rationale: There are valid reasons for SUID and SGID programs, but it is important to identify and review such programs to ensure they are legitimate. Review the files returned by the action in the audit section and check to see if system binaries have a different checksum than the one from the package. This is an indication that the binary may have been replaced.
Observation: It was observed that SUID and SGID files are set with permissions 4755/4744 and 6755 (/usr/bin/at).
Status: Misconfigured (manual)
Recommendation: It is recommended that SUID and SGID files are reviewed and access is restricted as needed.

214 | Local user and group settings | Ensure accounts in /etc/passwd use shadowed passwords
Description: Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in the shadow password file, `/etc/shadow`, encrypted by a salted one-way hash. Accounts with a shadowed password have an `x` in the second field in `/etc/passwd`.
Severity: High
Rationale: The `/etc/passwd` file also contains information like user IDs and group IDs that are used by many system programs. Therefore, the `/etc/passwd` file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the `/etc/passwd` file. This can be mitigated by using shadowed passwords, thus moving the passwords in the `/etc/passwd` file to `/etc/shadow`. The `/etc/shadow` file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack.
**Note:**
- All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
- A user account with an empty second field in `/etc/passwd` allows the account to be logged into by providing only the username.
Observation: It was observed that accounts in /etc/passwd use shadowed passwords.
Status: Configured (pass)
Recommendation: It is recommended that accounts in /etc/passwd use shadowed passwords.

215 | Local user and group settings | Ensure /etc/shadow password fields are not empty
Description: An account with an empty password field means that anybody may log in as that user without providing a password.
Severity: High
Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Observation: It was observed that /etc/shadow password fields are not empty for the root and test users.
Status: Configured (pass)
Recommendation: It is recommended that /etc/shadow password fields are not empty.
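Added example, not part of the audit sheet: shell functions that perform the checks recommended in rows 202-209, 214 and 215 (mode, owner and group ceilings on the account database files, an `x` in every passwd password field, no empty shadow password field). The fixture files are constructed for offline testing and GNU or busybox `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the audit sheet). Paths, expected owner and groups
# are arguments, so the same functions audit /etc or a fixture directory.

# check_perms FILE MAXMODE OWNER GROUPS
# Exit 0 when FILE is owned by OWNER, group-owned by one of GROUPS (space
# separated) and its mode is MAXMODE "or more restrictive": no permission bit
# may be set that MAXMODE does not also set, so 0600 passes a 640 ceiling and
# 0644 does not.
check_perms() {
    file=$1 maxmode=$2 want_owner=$3 want_groups=$4 status=0
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    # Octal arithmetic: any bit set in mode but clear in maxmode is a failure.
    if [ $(( 0$mode & ~0$maxmode )) -ne 0 ]; then
        echo "FAIL $file: mode $mode is less restrictive than $maxmode"
        status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $file: owner is $owner, expected $want_owner"
        status=1
    fi
    case " $want_groups " in
        *" $group "*) ;;
        *) echo "FAIL $file: group is $group, expected one of: $want_groups"
           status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then echo "PASS $file: $mode $owner:$group"; fi
    return "$status"
}

# check_shadowed PASSWD_FILE (row 214)
# Every account must carry 'x' in the second field; the hash belongs in the
# shadow file. An empty field is the worst case: login with the username only.
check_shadowed() {
    bad=$(awk -F: '$2 != "x" { print $1 }' "$1")
    if [ -n "$bad" ]; then
        echo "FAIL $1: unshadowed password field for:" $bad
        return 1
    fi
    echo "PASS $1: all accounts use shadowed passwords"
}

# check_no_empty_passwords SHADOW_FILE (row 215)
# An empty second field lets anybody log in as that user without a password.
# Locked entries ('!' or '*') are acceptable; only the empty string fails.
check_no_empty_passwords() {
    bad=$(awk -F: '$2 == "" { print $1 }' "$1")
    if [ -n "$bad" ]; then
        echo "FAIL $1: empty password field for:" $bad
        return 1
    fi
    echo "PASS $1: no empty password fields"
}

# make_fixture DIR
# Constructed passwd/shadow pair for offline testing (not real system data):
# 'svc' has an empty password field in both files, and shadow is left at 0644,
# which the 640 ceiling from row 206 must reject.
make_fixture() {
    mkdir -p "$1"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf 'test:x:1000:1000::/home/test:/bin/bash\n' >> "$1/passwd"
    printf 'svc::1001:1001::/srv/svc:/usr/sbin/nologin\n' >> "$1/passwd"
    printf 'root:$6$constructed$notarealhash:19700:0:99999:7:::\n' > "$1/shadow"
    printf 'test:!:19700:0:99999:7:::\n' >> "$1/shadow"
    printf 'svc::19700:0:99999:7:::\n' >> "$1/shadow"
    chmod 644 "$1/passwd" "$1/shadow"
}

# audit_etc: run the row checks against the live system. Reading /etc/shadow
# needs root, so that check is skipped when the file is not readable.
audit_etc() {
    rc=0
    for f in /etc/passwd /etc/passwd- /etc/group /etc/group-; do
        check_perms "$f" 644 root root || rc=1
    done
    for f in /etc/shadow /etc/shadow- /etc/gshadow /etc/gshadow-; do
        check_perms "$f" 640 root "root shadow" || rc=1
    done
    check_shadowed /etc/passwd || rc=1
    if [ -r /etc/shadow ]; then
        check_no_empty_passwords /etc/shadow || rc=1
    else
        echo "SKIP /etc/shadow: not readable without root"
    fi
    return $rc
}

audit_etc || :
```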
36 | Initial Setup | Ensure AppArmor is enabled in the bootloader configuration
```
vim /etc/default/grub
GRUB_CMDLINE_LINUX='apparmor=1 security=apparmor'
update-grub
```
88 | Network Configuration | Ensure packet redirect sending is disabled
```
vim /etc/sysctl.conf   # or a file in /etc/sysctl.d/
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1
```
91 | Network Configuration | Ensure secure ICMP redirects are not accepted
Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.default.secure_redirects
```
vim /etc/sysctl.conf
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
```
https://www.tenable.com/audits/items/CIS_Rocky_Linux_8_v1.0.0_L1_Server.audit:b7dc53dfed6facc205a673d5c03093f8
92 | Network Configuration | Ensure suspicious packets are logged
```
vim /etc/sysctl.d/   # create or edit a file in this directory
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
```
93 | Network Configuration | Ensure broadcast ICMP requests are ignored
sysctl net.ipv4.icmp_echo_ignore_broadcasts
```
vim /etc/sysctl.conf
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
```
https://secscan.acron.pl/centos7/3/2/5
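Added example, not part of the sheet or of the CIS audit items it references: a script that audits the four sysctl rows above (88, 91, 92, 93) the way the audit notes distinguish them, i.e. the value configured across sysctl.conf-style files with last-assignment-wins semantics, the value the running kernel actually uses in /proc/sys, and a drop-in containing only what is missing or wrong. The fixture file names in `make_fixture` are constructed for offline testing.

```sh
#!/bin/sh
# Added example (not from the audit sheet). Reads sysctl.conf-style files in
# the order given (later files and later lines win, as "sysctl --system"
# applies them) and compares them, and /proc/sys, with the required values.

REQUIRED='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1'

# configured_value KEY FILE...
# Prints the effective value of KEY across FILEs: comment ('#' or ';') and
# blank lines are skipped, '/' in key names is normalised to '.', whitespace
# around '=' is ignored and the last assignment wins. Prints nothing if KEY
# is never set, which is the "not explicitly set" case the notes above flag.
configured_value() {
    key=$1; shift
    [ $# -gt 0 ] || return 0
    awk -v want="$key" '
        /^[ \t]*([#;].*)?$/ { next }
        {
            n = split($0, kv, "=")
            if (n < 2) next
            k = kv[1]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)
            if (k == want) { last = v; seen = 1 }
        }
        END { if (seen) print last }' "$@"
}

# audit_sysctl_files FILE...: one PASS/FAIL line per required key against the
# effective configured value. Exit 1 if any key is missing or wrong.
audit_sysctl_files() {
    rc=0
    for pair in $REQUIRED; do
        key=${pair%=*} want=${pair#*=}
        have=$(configured_value "$key" "$@")
        if [ "$have" = "$want" ]; then
            echo "PASS $key = $want"
        elif [ -z "$have" ]; then
            echo "FAIL $key not set in config (kernel default applies)"; rc=1
        else
            echo "FAIL $key = $have, expected $want"; rc=1
        fi
    done
    return $rc
}

# audit_sysctl_running: same comparison against the live kernel via /proc/sys,
# which is what "sysctl -w" changes and what a reboot resets.
audit_sysctl_running() {
    rc=0
    for pair in $REQUIRED; do
        key=${pair%=*} want=${pair#*=}
        path="/proc/sys/$(echo "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "SKIP $key: $path not available"
        elif [ "$(cat "$path")" = "$want" ]; then
            echo "PASS $key = $want (running)"
        else
            echo "FAIL $key = $(cat "$path") (running), expected $want"; rc=1
        fi
    done
    return $rc
}

# render_dropin FILE...: prints only the keys FILEs leave missing or wrong,
# in sysctl.conf syntax, ready to be written to a new file under
# /etc/sysctl.d/ and applied with "sysctl --system".
render_dropin() {
    for pair in $REQUIRED; do
        key=${pair%=*} want=${pair#*=}
        if [ "$(configured_value "$key" "$@")" != "$want" ]; then
            echo "$key = $want"
        fi
    done
}

# make_fixture DIR: constructed config pair for offline testing. The base file
# has send_redirects enabled; the drop-in overrides all.send_redirects using
# the '/' key notation and adds one log_martians key.
make_fixture() {
    mkdir -p "$1"
    printf '# constructed base file\n; second comment style\n\nnet.ipv4.conf.all.send_redirects = 1\nnet.ipv4.conf.default.send_redirects=1\n  net.ipv4.icmp_echo_ignore_broadcasts = 1\n' > "$1/sysctl.conf"
    printf 'net/ipv4/conf/all/send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\n' > "$1/99-local.conf"
}

# audit_etc: audit the files the remediation steps above edit, then the kernel.
audit_etc() {
    set --
    for f in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    audit_sysctl_files "$@"
    audit_sysctl_running
}

audit_etc || :
```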
188 | Access, Authentication and Authorization | Ensure password creation requirements are configured
Note: if /etc/pam.d/password-auth is not available on the server, you can search for the file in ChatGPT, copy it to the server and then edit it.
Ensure password creation requirements are configured - system-auth try_first_pass
```
vim /etc/pam.d/password-auth
password requisite pam_pwquality.so try_first_pass retry=3
vim /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass retry=3
vim /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
```
https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:5028910c4153b619bd94605827869065
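Added example, not part of the sheet and not pam_pwquality's own code: a shell model of how the minlen, dcredit/ucredit/ocredit/lcredit and minclass settings from row 188 combine when a candidate password is scored (a negative credit is a per-class minimum, a positive credit is a bonus that counts toward minlen), so the effect of the -1 values in the remediation above can be checked offline. ASCII passwords are assumed; the module's dictionary and similarity checks are not modelled.

```sh
#!/bin/sh
# Added example (not from the audit sheet, not pam_pwquality itself): only the
# length, credit and class arithmetic from pam_pwquality(8) is reproduced.

# count_class STRING TR_CLASS: number of characters of STRING in TR_CLASS.
count_class() {
    n=$(printf '%s' "$1" | tr -dc "$2" | wc -c)
    echo $((n))
}

# credit_score COUNT CREDIT: a positive credit lets up to CREDIT characters of
# the class count +1 each toward minlen; zero or negative credits add nothing.
credit_score() {
    if [ "$2" -gt 0 ] && [ "$1" -lt "$2" ]; then echo "$1"
    elif [ "$2" -gt 0 ]; then echo "$2"
    else echo 0
    fi
}

# check_password PASSWORD MINLEN DCREDIT UCREDIT OCREDIT LCREDIT MINCLASS
# Exit 0 if PASSWORD satisfies the policy, 1 otherwise, printing the reason.
check_password() {
    pw=$1 minlen=$2 dcredit=$3 ucredit=$4 ocredit=$5 lcredit=$6 minclass=$7
    len=${#pw}                       # byte length; ASCII assumed
    digits=$(count_class "$pw" '[:digit:]')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    other=$((len - digits - upper - lower))
    # Negative credits are hard per-class minimums.
    for spec in "digit:$digits:$dcredit" "uppercase:$upper:$ucredit" \
                "other:$other:$ocredit" "lowercase:$lower:$lcredit"; do
        name=${spec%%:*}; rest=${spec#*:}; count=${rest%%:*}; credit=${rest#*:}
        if [ "$credit" -lt 0 ] && [ "$count" -lt $(( -credit )) ]; then
            echo "FAIL: needs at least $(( -credit )) $name character(s), has $count"
            return 1
        fi
    done
    # Number of distinct classes present, compared with minclass.
    classes=0
    for c in "$digits" "$upper" "$lower" "$other"; do
        if [ "$c" -gt 0 ]; then classes=$((classes + 1)); fi
    done
    if [ "$classes" -lt "$minclass" ]; then
        echo "FAIL: $classes character class(es) present, minclass is $minclass"
        return 1
    fi
    # Credited length = real length + positive credits actually earned.
    bonus=$(( $(credit_score "$digits" "$dcredit") + $(credit_score "$upper" "$ucredit") ))
    bonus=$(( bonus + $(credit_score "$other" "$ocredit") + $(credit_score "$lower" "$lcredit") ))
    score=$((len + bonus))
    if [ "$score" -lt "$minlen" ]; then
        echo "FAIL: credited length $score is below minlen $minlen"
        return 1
    fi
    echo "PASS: credited length $score, $classes classes"
}

# Policy from the remediation above: minlen 14, one of each class required.
check_password 'Tr0ub4dor&3xyz' 14 -1 -1 -1 -1 0 || :
check_password 'troubadorxyzab' 14 -1 -1 -1 -1 0 || :
```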
189 | Access, Authentication and Authorization | Ensure lockout for failed password attempts is configured
Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_unix.so'
```
vim /etc/pam.d/system-auth
```
https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v2.0.0_L1.audit:58f8cb939f1422afaa205be4ca646857

This is the Excel sheet for Server Security:
2 | Initial Setup | Ensure /tmp is a separate partition
Description: The `/tmp` directory is a world-writable directory used for temporary storage by all users and some applications.
Severity: High
Rationale: Making `/tmp` its own file system allows an administrator to set additional mount options such as the `noexec` option on the mount, making `/tmp` useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system `setuid` program and waiting for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting `tmpfs` to `/tmp`, or creating a separate partition for `/tmp`.
Observation: It was observed that /tmp is not a separate partition; it is mounted on the /root directory.
Status: Misconfigured (fail)
Recommendation: It is recommended that /tmp is a separate partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:3cdd6e70e09cdf67e65b4118276f20cb
Remediation: Done

36 | Initial Setup | Ensure AppArmor is enabled in the bootloader configuration
Description: Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters.
_Note: This recommendation is designed around the grub bootloader; if LILO or another bootloader is in use in your environment, enact equivalent settings._
Severity: High
Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
Observation: It was observed that AppArmor is not enabled in the bootloader configuration.
Status: Misconfigured (fail)
Recommendation: It is recommended that AppArmor is enabled in the bootloader configuration.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_10_v1.0.0_L1_Workstation.audit:e623af4464dcd9d63ca5634e6a7b2a30
Remediation: Done

88 | Network Configuration | Ensure packet redirect sending is disabled
Description: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.
Severity: High
Rationale: IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router.
Observation: It was observed that packet redirect sending is not disabled in the sysctl conf file.
Status: Misconfigured (fail)
Recommendation: It is recommended that packet redirect sending is disabled.
Note:
- This setting is not explicitly set in sysctl conf files
- It is set to enabled by default according to CIS
Reference: https://www.tenable.com/audits/items/Tenable_Best_Practices_Cisco_Firepower_Management_Center_OS.audit:24b8fcd749b252466282dc40c9226bf3
Remediation: Done

91 | Network Configuration | Ensure secure ICMP redirects are not accepted
Description: Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set).
Severity: High
Rationale: If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
Observation: It was observed that secure ICMP redirects are accepted. The setting is not configured in the sysctl conf file.
Status: Misconfigured (fail)
Recommendation: It is recommended that secure ICMP redirects are not accepted.
Note:
- This setting is not explicitly set in sysctl conf files
- ICMP redirects are accepted by default according to CIS
Reference: https://www.tenable.com/audits/items/CIS_Rocky_Linux_8_v1.0.0_L1_Server.audit:b7dc53dfed6facc205a673d5c03093f8
Remediation: Done

92 | Network Configuration | Ensure suspicious packets are logged
Description: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Severity: High
Rationale: Setting net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians to 1 enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
Observation: It was observed that suspicious packet logging is not configured.
Status: Misconfigured (fail)
Recommendation: It is recommended that suspicious packets are logged.
Note:
- This setting is not explicitly set in sysctl conf files
- Secure ICMP redirects are accepted by default according to CIS
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v3.0.0_L1.audit:a44cf048f1e41d5b4107e6505b9d2bbe
Remediation: Done

93 | Network Configuration | Ensure broadcast ICMP requests are ignored
Description: Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.
Severity: High
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
Observation: It was observed that broadcast ICMP requests are not ignored. The setting is not configured in the sysctl conf file.
Status: Misconfigured (fail)
Recommendation: It is recommended that broadcast ICMP requests are ignored.
Note:
- This setting is not explicitly set in sysctl conf files
- Reverse path filtering is enabled by default according to CIS
Reference: https://secscan.acron.pl/centos7/3/2/5
Remediation: Done

161 | Access, Authentication and Authorization | Ensure at is restricted to authorized users
Description: Configure `/etc/at.allow` to allow specific users to use this service. If `/etc/at.allow` does not exist, then `/etc/at.deny` is checked. Any user not specifically defined in this file is allowed to use `at`. By removing the file, only users in `/etc/at.allow` are allowed to use `at`.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `at` should be removed, and the alternate method should be secured in accordance with local site policy.
Severity: High
Rationale: On many systems, only the system administrator is authorized to schedule `at` jobs. Using the `at.allow` file to control who can run `at` jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Observation: It was observed that the /etc/at.allow file is not configured. An at.deny file exists with owner root, group daemon and access 0640, listing the following users: alias, backup, bin, daemon, ftp, games, gnats, guest, irc, lp, mail, man, nobody, operator, proxy, qmaild, qmaill, qmailp, qmailq, qmailr, qmails, sync, sys, www-data.
Status: Misconfigured (fail)
Recommendation: It is recommended that the `at` service is restricted to authorized users. Ensure the following if /etc/at.allow or /etc/at.deny exists:
- Is mode 0640 or more restrictive
- Is owned by the user root
- Is group owned by the group daemon or group root
Reference: https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Server_L1.audit:86c8d9d215137feb6325397a01cb0483
Remediation: Done

188 | Access, Authentication and Authorization | Ensure password creation requirements are configured
Description: The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more.
The following options are set in the /etc/security/pwquality.conf file:
Password length:
- minlen = 14 - password must be 14 characters or more
Password complexity:
- minclass = 4 - the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)
Severity: High
Rationale: Strong passwords protect systems from being hacked through brute force methods.
Observation: It was observed that password creation requirements are not configured.
Status: Misconfigured (fail)
Recommendation: It is recommended that password creation requirements are configured.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:5028910c4153b619bd94605827869065
Remediation: Done

189 | Access, Authentication and Authorization | Ensure lockout for failed password attempts is configured
Description: Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the common PAM configuration files. The second set of changes is applied to the program-specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM.
Severity: High
Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Observation: It was observed that lockout for failed password attempts is not configured in /etc/security/faillock.conf.
Status: Misconfigured (fail)
Recommendation: It is recommended that lockout for failed password attempts is configured.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v2.0.0_L1.audit:58f8cb939f1422afaa205be4ca646857
Remediation: Done

210 | System Maintenance | Ensure no world writable files exist
Description: World writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. See the chmod(2) man page for more information.
Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
Severity: High
Rationale: Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.
Observation: It was observed that world writable files are not secured with sticky bits.
Status: Misconfigured (fail)
Recommendation: It is recommended that world writable files and directories are secured.
Reference: https://secscan.acron.pl/centos7/6/1/10
Remediation: No

5 | Initial Setup | Ensure nosuid option set on /tmp partition
Description: The `noexec` mount option specifies that the filesystem cannot contain executable binaries.
Severity: High
Rationale: Since the `/tmp` filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from `/tmp`.
Observation: It was observed that /tmp is not a separate partition; it is mounted on the /root directory.
Status: Misconfigured (pass)
Recommendation: It is recommended that the noexec option is set on the /tmp partition.
Reference: https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v1.0.0_L1.audit:dadfef667196d8ef78d5216412782d08

13 | Initial Setup | Ensure nosuid option set on /var/log partition
Description: The `noexec` mount option specifies that the filesystem cannot contain executable binaries.
Severity: High
Rationale: Since the `/var/log` filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from `/var/log`.
Observation: It was observed that /var is not a separate partition.
Status: Misconfigured (pass)
Recommendation: It is recommended that the noexec option is set on the /var/log partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:6e20291a42c119d456e34a34415142b0

14 | Initial Setup | Ensure noexec option set on /var/log/audit partition
Description: The `nodev` mount option specifies that the filesystem cannot contain special devices.
Severity: High
Rationale: Since the `/var/log/audit` filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in `/var/log/audit`.
Observation: It was observed that /var is not a separate partition.
Status: Misconfigured (pass)
Recommendation: It is recommended that the nodev option is set on the /var/log/audit partition.
Reference: https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:806bf7864025e1ac6154efbcca56cdd0

15 | Initial Setup | Ensure nodev option set on /var/log/audit partition
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files.
Severity: High
Rationale: Since the `/var/log/audit` filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create `setuid` files in `/var/log/audit`.
Observation: It was observed that /var is not a separate partition.
Status: Misconfigured (pass)
Recommendation: It is recommended that the nosuid option is set on the /var/log/audit partition.
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v2.0.0_L1.audit:839a86495f52e7e7f68bd7d413cbcdf9

20 | Initial Setup | Ensure noexec option set on /dev/shm partition
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files.
Severity: High
Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
Observation: It was observed that the nosuid option is set on the /dev/shm partition.
Status: Configured (pass)
Recommendation: It is recommended that the nosuid option is set on the /dev/shm partition.

23 | Initial Setup | Disable USB Storage
Description: USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Severity: High
Rationale: Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Observation: It was observed that USB storage is enabled.
Status: NA (fail)
Recommendation: It is recommended to disable USB storage.
Reference: https://www.tenable.com/audits/items/CIS_Red_Hat_EL8_Server_v2.0.0_L1.audit:ef5b7c51225c9f08cee616b9ca89b1a5

25 | Initial Setup | Ensure GPG keys are configured
Description: Most package managers implement GPG key signing to verify package integrity during installation.
Severity: High
Rationale: It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.
Observation: It was observed that GPG keys are configured:
- Microsoft release sign
- Ubuntu CD Image automatic signing key
- Ubuntu archive automatic signing key
Status: Configured (manual)
Recommendation: It is recommended that GPG keys are configured.

27 | Logging and Auditing | Ensure filesystem integrity is regularly checked
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
Severity: High
Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Observation: It was observed that filesystem integrity is regularly checked with aide.
Status: Configured (pass)
Recommendation: It is recommended that filesystem integrity is regularly checked.

28 | Initial Setup | Ensure bootloader password is set
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.
Severity: High
Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).
Observation: It was observed that the bootloader password is set.
Status: Configured (pass)
Recommendation: It is recommended that the bootloader password is set.

30 | Initial Setup | Ensure authentication required for single user mode
Description: Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.
Severity: High
Rationale: Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.
Observation: It was observed that the root password is required before entering single-user mode or recovery mode.
Status: Configured (pass)
Recommendation: It is recommended to ensure that authentication is required for single user mode.

46 | Initial Setup | Ensure GDM screen locks when the user is idle
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.
- `idle-delay=uint32 {n}` - Number of seconds of inactivity before the screen goes blank
- `lock-delay=uint32 {n}` - Number of seconds after the screen is blank before locking the screen
_Example key file:_
```
# Specify the dconf path
[org/gnome/desktop/session]
# Number of seconds of inactivity before the screen goes blank
# Set to 0 seconds if you want to deactivate the screensaver.
idle-delay=uint32 900
# Specify the dconf path
[org/gnome/desktop/screensaver]
# Number of seconds after the screen is blank before locking the screen
lock-delay=uint32 5
```
Severity: High
Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.
Observation: It was observed that the package GDM or GDM3 is not present in the system.
Status: NA (pass)
Recommendation: It is recommended that GDM screen locks when the user is idle.

47 | Initial Setup | Ensure GDM screen locks cannot be overridden
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.
By using the lockdown mode in dconf, you can prevent users from changing specific settings.
To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
_Example Lock File:_
```
# Lock desktop screensaver settings
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-delay
```
Severity: High
Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended. Without locking down the system settings, user settings take precedence over the system settings.
Observation: It was observed that the package GDM or GDM3 is not present in the system.
Status: NA (pass)
Recommendation: It is recommended that GDM screen locks cannot be overridden.

48 | Initial Setup | Ensure GDM automatic mounting of removable media is disabled
Description: By default GNOME automatically mounts removable media when inserted as a convenience to the user.
Severity: High
Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in the system even if they lacked permissions to mount it themselves.
Observation: It was observed that the package GDM or GDM3 is not present in the system.
Status: NA (pass)
Recommendation: It is recommended that GDM automatic mounting of removable media is disabled.

49 | Initial Setup | Ensure GDM disabling automatic mounting of removable media is not overridden
Description: By default GNOME automatically mounts removable media when inserted as a convenience to the user.
By using the lockdown mode in dconf, you can prevent users from changing specific settings.
To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.
_Example Lock File:_
```
# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
```
Severity: High
Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in the system even if they lacked permissions to mount it themselves.
Observation: It was observed that the package GDM or GDM3 is not present in the system.
Status: NA (pass)
Recommendation: It is recommended that GDM disabling automatic mounting of removable media is not overridden.

55 | Access, Authentication and Authorization | Ensure chrony is configured with authorized timeserver
Description: The server directive specifies an NTP server which can be used as a time source. The client-server relationship is strictly hierarchical: a client might synchronize its system time to that of the server, but the server's system time will never be influenced by that of a client.
This directive can be used multiple times to specify multiple servers.
The directive is immediately followed by either the name of the server, or its IP address.
pool
The syntax of this directive is similar to that for the server directive, except that it is used to specify a pool of NTP servers rather than a single NTP server. The pool name is expected to resolve to multiple addresses which might change over time.
This directive can be used multiple times to specify multiple pools.
All options valid in the server directive can be used in this directive too.
Severity: High
Rationale: Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: It was observed that chrony is configured with an authorized timeserver: the pool of NTP servers provided by Ubuntu, such as:
ntp.ubuntu.com
0.ubuntu.pool.ntp.org
1.ubuntu.pool.ntp.org
2.ubuntu.pool.ntp.org
It is not configured as per CERT-IN guidelines.
Status: Misconfigured (manual)
Recommendation: It is recommended that systemd-timesyncd is configured with an authorized timeserver. As per CERT-IN guidelines, it is recommended to configure a custom NTP server and sync all the network devices with the same NTP server, using the standard time source samay1.nic.in or samay2.nic.in.

59 | Logging and Auditing | Ensure systemd-timesyncd is enabled and running
Description: systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network.
Severity: High
Rationale: systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver.
Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: It was observed that systemd-timesyncd for time synchronization is not enabled.
Status: Configured (pass)
Recommendation: It is recommended that systemd-timesyncd for time synchronization is enabled and running.

60 | Services | Ensure ntp access control is configured
Description: ntp Access Control Commands:
restrict address [mask mask] [ippeerlimit int] [flag ...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name.
The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note: the text string default, with no mask option, may be used to indicate the default entry.
The ippeerlimit directive limits the number of peer requests for each IP to int, where a value of -1 means "unlimited", the current default. A value of 0 means "none". There would usually be at most 1 peering request per IP, but if the remote peering requests are behind a proxy there could well be more than 1 per IP. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given.
Severity: High
Rationale: If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is accurate.
Observation: It was observed that ntp access control is configured.
Status: Configured (pass)
Recommendation: It is recommended to configure ntp access control.

61 | Services | Ensure ntp is configured with authorized timeserver
Description: The various modes are determined by the command keyword and the type of the required IP address. Addresses are classed by type as (s) a remote server or peer (IPv4 class A, B and C), (b) the broadcast address of a local interface, (m) a multicast address (IPv4 class D), or (r) a reference clock address (127.127.x.x).
Severity: High
Rationale: Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: It was observed that the chrony service is used for time synchronization.
Status: Configured (manual)
Recommendation: It is recommended that ntp is configured with an authorized timeserver.

62 | Services | Ensure ntp is running as user ntp
Description: The ntp package is installed with a dedicated user account ntp. This account is granted the access required by the ntpd daemon.
Note:
- If chrony or systemd-timesyncd are used, ntp should be removed and this section skipped
- This recommendation only applies if ntp is in use on the system
- Only one time synchronization method should be in use on the system
Severity: High
Rationale: Running the NTP service as the root user increases the potential attack surface. If an attacker compromises an NTP daemon running as root, they could gain full control over the system.
Observation: It was observed that ntp is not running as user ntp. Chrony is used for time synchronization.
Status: NA
Result: fail
Recommendation: It is recommended that the ntpd daemon runs with only the required privilege.
https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Workstation_L1.audit:b6efa0a093a0ec880f1af044e03c67d9
63
Services
Ensure ntp is enabled and running
Description: ntp is a daemon for synchronizing the system clock across the network.
Severity: High
Rationale: ntp needs to be enabled and running in order to synchronize the system to a timeserver.
Time synchronization is important to support time-sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations.
Observation: It was observed that ntp is not enabled and running. Chrony is used for time synchronization.
Status: NA
Result: fail
Recommendation: It is recommended that NTP is enabled and running in order to synchronize the system to a timeserver.
https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:0bf39d70f3ac516950878b2f6391a1ea
64
Services
Ensure X Window System is not installed
Description: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.
Severity: High
Impact: Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Window xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime, if provided by your distribution.
Observation: It was observed that the X Window System is not installed.
Status: NA
Result: pass
Recommendation: It is recommended that the X Window System is not installed.
87
Access, Authentication and Authorization
Ensure wireless interfaces are disabled
Description: Wireless networking is used when wired networks are unavailable.
Severity: High
Impact: Many if not all laptop workstations and some desktop workstations will connect via wireless, requiring these interfaces to be enabled.
Observation: It was observed that wireless interfaces are not present.
Status: Configured
Result: pass
Recommendation: It is recommended that wireless interfaces are disabled.
89
Network Configuration
Ensure source routed packets are not accepted
Description: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source-routed packets travel a path determined by routers in the network.
In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet-routable addresses), and so source routed packets would need to be used.
Severity: High
Rationale: Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet-routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet-routable addresses and vice versa.
Observation: It was observed that source routed packets are accepted. The setting is not configured in the sysctl conf file.
Status: Misconfigured
Result: pass
Recommendation: It is recommended that source routed packets are not accepted.
Note:
- This setting is not explicitly set in sysctl conf files
- Bogus ICMP responses are ignored by default according to CIS
90
Network Configuration
Ensure ICMP redirects are not accepted
Description: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables.
Severity: High
Rationale: By setting net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects to 0, the system will not accept any ICMP redirect messages and therefore won't allow outsiders to update the system's routing tables.
Observation: It was observed that ICMP redirects are accepted. The setting is not configured in the sysctl conf file.
Status: Misconfigured
Result: pass
Recommendation: It is recommended that ICMP redirects are not accepted.
Note:
- This setting is not explicitly set in sysctl conf files
- Broadcast ICMP requests are not ignored by default according to CIS
100
Firewall configuration
Ensure ufw service is enabled
Description: Uncomplicated Firewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and an available graphical user interface for manipulating the firewall.
Severity: High
Rationale: The ufw service must be enabled and running in order for ufw to protect the system.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that the ufw service is enabled.
https://www.tenable.com/audits/items/CIS_Ubuntu_22.04_LTS_v1.0.0_Server_L1.audit:225933fb277c1b30729b3506c261ea9e
101
Firewall configuration
Ensure ufw loopback traffic is configured
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6).
Severity: High
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that ufw loopback traffic is configured.
https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v1.0.0_L1_Server.audit:66faf3329ba5cd534549ff2a6b7e5f79
102
Firewall configuration
Ensure ufw outbound connections are configured
Description: Configure the firewall rules for new outbound connections.
Severity: High
Rationale: If rules are not in place for new outbound connections, all packets will be dropped by the default policy, preventing network usage.
Observation: It was observed that the ufw firewall is not enabled.
Status: NA
Result: manual
Recommendation: It is recommended that ufw outbound connections are configured.
103
Firewall configuration
Ensure ufw firewall rules exist for all open ports
Description: Services and ports can be accepted or explicitly rejected.
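Both observations for checks 89 and 90 note that the value is simply absent from the sysctl conf files. That is worth checking against the running kernel rather than the files: the kernel's built-in default for accept_redirects on a host that does not forward packets is 1 (accept), so an unset key is not a safe key. The script below is an added example for this page, not part of the audit report; it reads `sysctl -a` style "key = value" lines on stdin, compares them with the CIS values for the keys in checks 88 to 93, and can emit the same table as an /etc/sysctl.d drop-in. The snapshot it runs on is constructed to look like a non-router host left at kernel defaults; it is not output from any real system.

```shell
#!/bin/sh
# Added example: audit running sysctl values for the source-route, redirect,
# martian-logging and broadcast-ICMP checks. Not from the audit report.

# key expected-value, one per line (the CIS values)
SYSCTL_WANT='
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
'

# Compare "key = value" lines on stdin against SYSCTL_WANT. One PASS/FAIL
# line per key; exit 1 on any FAIL. An absent key is a FAIL as well (with
# IPv6 disabled the net.ipv6.* keys are legitimately absent; drop them from
# the table in that case).
sysctl_audit() {
    awk -v want="$SYSCTL_WANT" '
    BEGIN {
        n = split(want, lines, "\n")
        for (i = 1; i <= n; i++) if (split(lines[i], kv, " ") == 2) expect[kv[1]] = kv[2]
    }
    {
        line = $0; gsub(/[ \t]/, "", line)          # accept "k = v" and "k=v"
        eq = index(line, "=")
        if (eq == 0) next
        k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
        if (k in expect) seen[k] = v
    }
    END {
        for (k in expect) {
            if (!(k in seen))              { printf "FAIL %s: not present\n", k; bad++ }
            else if (seen[k] != expect[k]) { printf "FAIL %s = %s (want %s)\n", k, seen[k], expect[k]; bad++ }
            else                           printf "PASS %s = %s\n", k, seen[k]
        }
        exit (bad ? 1 : 0)
    }'
}

# Emit the same table as an /etc/sysctl.d drop-in ("key = value").
sysctl_dropin() {
    printf '%s\n' "$SYSCTL_WANT" | awk 'NF == 2 { print $1 " = " $2 }'
}

# Constructed snapshot: a non-router host at kernel defaults. Source routing
# is already off and broadcast echo already ignored, but redirects are
# accepted and sent, secure_redirects is on, and martians are not logged.
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0'

if printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_audit; then
    echo "snapshot: compliant"
else
    echo "snapshot: 10 keys need remediation"
fi
# the drop-in, fed back in, passes its own audit
sysctl_dropin | sysctl_audit >/dev/null && echo "drop-in values pass"
```

On a live host run `sysctl -a 2>/dev/null | sysctl_audit`. To remediate, write `sysctl_dropin > /etc/sysctl.d/60-cis-network.conf`, load it with `sysctl --system`, and flush the routing caches with `sysctl -w net.ipv4.route.flush=1` and `sysctl -w net.ipv6.route.flush=1`, as the remediation steps at the top of this page do; then re-run the audit on the running values.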
Severity: High
Rationale: To reduce the attack surface of a system, all services and ports should be blocked unless required.
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Required ports should have a firewall rule created to allow approved connections in accordance with local site policy.
Unapproved ports should have an explicit deny rule created.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that ufw firewall rules exist for all open ports.
https://www.tenable.com/audits/items/CIS_Ubuntu_20.04_LTS_v1.1.0_Workstation_L1.audit:a44ebcd8819800533ff20ebb8e75ac6f
105
Firewall configuration
Ensure nftables is installed
Description: nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem.
_Notes:_
- _nftables is available in Linux kernel 3.13 and newer_
- _Only one firewall utility should be installed and configured_
- _Changing firewall settings while connected over the network can result in being locked out of the system_
Severity: High
Rationale: nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network, including malicious mobile code and poorly configured software on a host.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: pass
Recommendation: It is recommended that nftables is installed.
109
Firewall configuration
Ensure nftables base chains exist
Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack; a regular chain may be used as a jump target and is used for better rule organization.
Severity: High
Impact: If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that nftables base chains exist.
https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-set-nftables-base-chain/
114
Firewall configuration
Ensure nftables rules are permanent
Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames.
The nftables service reads the `/etc/nftables.conf` file for a nftables file or files to include in the nftables ruleset.
A nftables ruleset containing the input, forward, and output base chains allows network traffic to be filtered.
Severity: High
Rationale: Changes made to the nftables ruleset only affect the live system; you will also need to configure the nftables ruleset to apply on boot.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that nftables rules are permanent.
https://www.tenable.com/audits/items/CIS_AlmaLinux_OS_8_Workstation_v2.0.0_L1.audit:a7c704bd873646f52850c46d58b4eae5
115
Firewall configuration
Ensure iptables packages are installed
Description: iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
Severity: High
Rationale: A method of configuring and maintaining firewall rules is necessary to configure a host-based firewall.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that iptables packages are installed.
https://www.tenable.com/audits/items/CIS_Red_Hat_EL7_v3.0.1_Server_L1.audit:6ed84fe783ebb5ad211026864f8095b3
116
Firewall configuration
Ensure nftables is not installed with iptables
Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables.
Severity: High
Rationale: Running both `iptables` and `nftables` may lead to conflict.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that nftables is not installed with iptables.
Note: checks 105 to 114 (nftables) and 115 to 124 (iptables/ip6tables) are alternative tracks for the single firewall utility in use; only the track for the chosen utility applies.
https://www.tenable.com/audits/items/CIS_CentOS_7_v3.1.2_Workstation_L1.audit:2139e2b993a76c3532853cd2eed339a8
118
Firewall configuration
Ensure iptables default deny firewall policy
Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected.
Severity: High
Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to allow-list acceptable usage than to deny-list unacceptable usage.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that an iptables default deny firewall policy is configured.
https://www.tenable.com/audits/items/CIS_CentOS_7_v3.1.1_Server_L1.audit:455c14089614a64290642e415d48f856
119
Firewall configuration
Ensure iptables loopback traffic is configured
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Severity: High
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that iptables loopback traffic is configured.
https://www.tenable.com/audits/items/CIS_Ubuntu_18.04_LTS_Server_v2.1.0_L1.audit:c0ce751a5ad0852acb96bec1c28d9105
120
Firewall configuration
Ensure iptables outbound and established connections are configured
Description: Configure the firewall rules for new outbound and established connections.
Severity: High
Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy, preventing network usage.
Observation: It was observed that iptables outbound and established connections are not configured.
Status: NA
Result: manual
Recommendation: It is recommended that iptables outbound and established connections are configured.
121
Firewall configuration
Ensure iptables firewall rules exist for all open ports
Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Severity: High
Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that iptables firewall rules exist for all open ports.
https://www.tenable.com/audits/items/CIS_SUSE_Linux_Enterprise_Server_11_v2.0.0_L1.audit:c83c879ed03801e36ce2e169002793d1
122
Firewall configuration
Ensure ip6tables default deny firewall policy
Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected.
Severity: High
Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to allow-list acceptable usage than to deny-list unacceptable usage.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that an ip6tables default deny firewall policy is configured.
https://www.tenable.com/audits/items/CIS_Oracle_Linux_7_v3.0.0_Workstation_L1.audit:9a9c8edebd3f0f2901a1f65d6ff50883
123
Firewall configuration
Ensure ip6tables loopback traffic is configured
Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1).
Severity: High
Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Observation: Dedicated firewall, EDR and security groups in place.
Status: NA
Result: fail
Recommendation: It is recommended that ip6tables loopback traffic is configured.
https://www.tenable.com/audits/items/CIS_Distribution_Independent_Linux_Server_L1_v2.0.0.audit:f0d6b5b41bb49815c686aab7f55ce7cd
124
Firewall configuration
Ensure ip6tables outbound and established connections are configured
Description: Configure the firewall rules for new outbound and established IPv6 connections.
Severity: High
Rationale: If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy, preventing network usage.
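The firewall checks above (base chains, default deny, loopback anti-spoofing, established and outbound traffic, rules for open ports, permanence) describe one ruleset from several angles. The script below is an added example for this page, not part of the audit report or of CIS, that generates a single inet ruleset covering all of them for both IPv4 and IPv6, and refuses to hand over a file that has a drop policy on the input hook without an accept for the management port, which is the lock-out the note under check 109 warns about. Port 22 and the table name "filter" are assumptions; adjust the port argument to the real ssh port. The ICMP rules are included because a default-deny input chain that drops all ICMP also breaks path MTU discovery and IPv6 neighbour discovery.

```shell
#!/bin/sh
# Added example: nftables ruleset generator plus a lock-out guard.
# Not from the audit report.

# Print a complete ruleset for /etc/nftables.conf. Loaded with `nft -f` the
# file is applied atomically, so the ssh accept and the drop policy take
# effect together; the same rules entered one by one with `nft add` must put
# the ssh accept in place before the policy is switched to drop.
nft_ruleset() {
    port=${1:-22}
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; polic
y drop;
    }
}
EOF
}
```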
It was observed that ip6tables outbound and established connections are not configured NA manual It is recommended that ip6tables outbound and established connections are configured 127 Logging and Auditing Ensure only authorized users own audit log files Audit log files contain information about the system and system activity. High Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. It was observed that All audit log files are owned by "root" Configured pass It is recommended that only authorized users own audit log files 128 Logging and Auditing Ensure only authorized groups are assigned ownership of audit log files Audit log files contain information about the system and system activity. High Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. It was observed that - The "log_group" parameter is correctly set to "log_group = adm" in "/etc/audit/auditd.conf"
- All audit log files are group owned by: "root or adm"Configured pass It is recommended that only authorized groups are assigned ownership of audit log files 129 Logging and Auditing Ensure the audit log directory is 0750 or more restrictive The audit log directory contains audit log files. High Audit information includes all information including: audit records, audit settings and audit reports. This information is needed to successfully audit system activity. This information must be protected from unauthorized modification or deletion. If this information were to be compromised, forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. It was observed that the audit log directories /etc/audit, etc/audit/plugins.d and etc/audit/rules.d are set to mode 750 Configured pass It is recommended that the audit log directory is 0750 or more restrictive 140 Logging and Auditing Ensure journald service is enabled Ensure that the systemd-journald service is enabled to allow capturing of logging events High If the systemd-journald service is not enabled to start on boot, the system will not capture logging events It was observed that journald service is enabled and active Configured pass It is recommended that journald service is enabled and active 146 Logging and Auditing Ensure rsyslog service is enabled Once the rsyslog package is installed, ensure that the service is enabled. High If the rsyslog service is not enabled to start on boot, the system will not capture logging events. It was observed that rsyslog service is enabled Configured pass It is recommended that once the rsyslog package is installed, ensure that the service is enabled. 147 Logging and Auditing Ensure journald is configured to send logs to rsyslog Data from journald may be stored in volatile memory or persisted locally on the server. 
Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export. High RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. It was observed journald is not configured to send logs to rsyslog Misconfigured manual It is recommended to ensure that journald is configured to send logs to rsyslog 148 Logging and Auditing Ensure rsyslog default file permissions are configured RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. High It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. It was observed that rsyslog default file permissions are configured to 640 Configured pass It is recommended that rsyslog default file permissions are configured to 0640 or more restrictive 156 Access, Authentication and Authorization Ensure permissions on /etc/cron.daily are configured The `/etc/cron.daily` directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policyHigh Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.daily are configured
Access: (0700) and suid,guid=0 (root)Configured pass It is recommended that permissions on /etc/cron.daily are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 157 Access, Authentication and Authorization Ensure permissions on /etc/cron.weekly are configured The `/etc/cron.weekly` directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policyHigh Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.weekly are configured
Access: (0700) and suid,guid=0 (root)Configured pass It is recommended that permissions on /etc/cron.weekly are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 158 Access, Authentication and Authorization Ensure permissions on /etc/cron.monthly are configured The `/etc/cron.monthly` directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policyHigh Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.monthly are configured
Access: (0700) and suid,guid=0 (root)Configured pass It is recommended that permissions on /etc/cron.monthly are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 159 Access, Authentication and Authorization Ensure permissions on /etc/cron.d are configured The `/etc/cron.d` directory contains system `cron` jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from `/etc/crontab`, but require more granular control as to when they run. The files in this directory cannot be manipulated by the `crontab` command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
**Note:** Other methods, such as `systemd timers`, exist for scheduling jobs. If another method is used, `cron` should be removed, and the alternate method should be secured in accordance with local site policyHigh Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. It was observed that permissions on /etc/cron.d are configured
Access: (0700) and suid,guid=0 (root)Configured pass It is recommended that permissions on /etc/cron.d are configured. Ensure Uid and Gid are both 0/root and Access does not grant permissions to group or other 160 Access, Authentication and Authorization Ensure cron is restricted to authorized users Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. High On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. It was observed that cron.allow file is configured, but no users are present in the file Misconfigured pass It is recommended that cron is restricted to authorized users 178 Access control Ensure SSH MaxStartups is configured The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon High To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon It was observed that sshd maxstartups is set to 10:30:60 Configured pass It is recommended that SSH MaxStartups is configured 179 Access control Ensure SSH MaxSessions is set to 10 or less The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. 
High To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon It was observed that sshd MaxSessions is set to 3 Configured pass It is recommended that SSH MaxSessions is set to 10 or less 181 Access control Ensure SSH Idle Timeout Interval is configured The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config :
ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option en‐abled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination.High In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax . Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinately, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. Ensure SSH Idle Timeout Interval is configured:
ClientAliveInterval 5 mins
ClientAliveCountMax 3Configured pass It is recommended that SSH Idle Timeout Interval is configured 182 Access control Ensure sudo is installed `sudo` allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. High `sudo` supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the `sudo` front end. The default security policy is `sudoers`, which is configured via the file `/etc/sudoers` and any entries in `/etc/sudoers.d`.
The security policy determines what privileges, if any, a user has to run `sudo`. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, `sudo` will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific.It was observed that sudo is installed Configured pass It is recommended that sudo is installed 183 Access control Ensure sudo commands use pty `sudo` can be configured to run only from a pseudo terminal (`pseudo-pty`). High Attackers can run a malicious program using `sudo` which would fork a background process that remains even when the main program has finished executing. It was observed that sudo commands use pty Configured pass It is recommended that sudo commands use pty 184 Access control Ensure sudo log file exists sudo can use a custom log file High A sudo log file simplifies auditing of sudo commands It was observed that sudo log file exists Configured pass It is recommended that sudo log file exists 185 Access control Ensure re-authentication for privilege escalation is not disabled globally The operating system must be configured so that users must re-authenticate for privilege escalation. High Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Observation: It was observed that re-authentication for privilege escalation is not disabled globally
Status: Configured pass
Recommendation: It is recommended that re-authentication for privilege escalation is not disabled globally
187
Access control
Ensure access to the su command is restricted
Description: The `su` command allows a user to run a command or shell as another user. The program has been superseded by `sudo`, which allows for more granular control over privileged access. Normally, the `su` command can be executed by any user. By uncommenting the `pam_wheel.so` statement in `/etc/pam.d/su`, the `su` command will only allow users in a specific group to execute `su`. This group should be empty to reinforce the use of `sudo` for privileged access.
Severity: High
Rationale: Restricting the use of `su`, and using `sudo` in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via `sudo`, whereas `su` can only record that a user executed the `su` program.
Observation: It was observed that access to the su command is restricted to sugroup; access permission set to -rwsr-xr-x
Status: Configured pass
Recommendation: It is recommended that access to the su command is restricted
190
Access, Authentication and Authorization
Ensure password reuse is limited
Description: The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.
Severity: High
Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password.
Observation: It was observed that password reuse is set to 5 passwords
Status: Configured pass
Recommendation: It is recommended that password reuse is limited
191
Access, Authentication and Authorization
Ensure password hashing algorithm is up to date with the latest standards
Description: Changing the password hashing method to yescrypt means that all existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm.
Severity: High
Rationale: The yescrypt algorithm provides much stronger hashing than previously available algorithms, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords.
Observation: It was observed that password hashing algorithm is set to yescrypt
Status: Configured fail
Recommendation: It is recommended that password hashing algorithm is up to date with the latest standards
Reference: https://secscan.acron.pl/centos7/5/3/4
192
User Accounts and Environment
Ensure all current passwords use the configured hashing algorithm
Description: A cryptographic hash function converts an arbitrary-length input into a fixed-length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.
ENCRYPT_METHOD (string) - This defines the system default encryption algorithm for encrypting passwords (if no algorithm is specified on the command line). It can take one of these values:
MD5 - MD5-based algorithm will be used for encrypting password
SHA256 - SHA256-based algorithm will be used for encrypting password
SHA512 - SHA512-based algorithm will be used for encrypting password
BCRYPT - BCRYPT-based algorithm will be used for encrypting password
YESCRYPT - YESCRYPT-based algorithm will be used for encrypting password
DES - DES-based algorithm will be used for encrypting password (default)
Severity: High
Rationale: The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords.
Observation: It was observed that strong password hashing algorithm is set to sha512
Status: Configured manual
Recommendation: It is recommended that strong password hashing algorithm is configured as SHA512 or YESCRYPT
194
User Accounts and Environment
Ensure password expiration is 365 days or less
Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age.
PASS_MAX_DAYS <N> - The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction)
Severity: High
Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.
We recommend a yearly password change. This is primarily because, for all their good intentions, users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see this notification, or may forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise to mitigate this with minimal user burden.
Observation: It was observed that password expiration is configured to 365 days
Status: Configured fail
Recommendation: It is recommended that password expiration is configured to 365 days or less and greater than 0 days
196
User Accounts and Environment
Ensure inactive password lock is 30 days or less
Description: User accounts that have been inactive for over a given period of time can be automatically disabled.
INACTIVE - Defines the number of days after the password exceeded its maximum age where the user is expected to replace this password.
The value is stored in the shadow password file. An input of 0 will disable an expired password with no delay. An input of -1 will blank the respective field in the shadow password file.
Severity: High
Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies
Observation: It was observed that inactive password lock is configured to 30 days
Status: Configured fail
Recommendation: It is recommended that inactive password lock is configured to no more than 45 days
199
User Accounts and Environment
Ensure default group for the root account is GID 0
Description: The groupmod command can be used to specify which group the root account belongs to. This affects permissions of files that are group owned by the root group
Severity: High
Rationale: Using GID 0 for the root group helps prevent root group owned files from accidentally becoming accessible to non-privileged users
Observation: It was observed that default group for the root account is GID 0
Status: Configured pass
Recommendation: It is recommended that group root is the only GID 0 group
202
System Maintenance
Ensure permissions on /etc/passwd are configured
Description: The `/etc/passwd` file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate.
Severity: High
Rationale: It is critical to ensure that the `/etc/passwd` file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/passwd are configured and set to 0644
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/passwd are configured: ensure /etc/passwd is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root
203
System Maintenance
Ensure permissions on /etc/passwd- are configured
Description: The /etc/passwd- file contains backup user account information
Severity: High
Rationale: It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions
Observation: It was observed that permissions on /etc/passwd- are configured and set to 0644
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/passwd- are configured: ensure /etc/passwd- is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root
204
System Maintenance
Ensure permissions on /etc/group are configured
Description: The `/etc/group` file contains a list of all the valid groups defined in the system. Its permissions should allow read/write access for root and read access for everyone else.
Severity: High
Rationale: The `/etc/group` file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs.
Observation: It was observed that permissions on /etc/group are configured and set to 0644
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/group are configured: ensure /etc/group is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root
205
System Maintenance
Ensure permissions on /etc/group- are configured
Description: The /etc/group- file contains a backup list of all the valid groups defined in the system
Severity: High
Rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Observation: It was observed that permissions on /etc/group- are configured and set to 0644
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/group- are configured: ensure /etc/group- is mode 644 or more restrictive, Uid is 0/root and Gid is 0/root
206
System Maintenance
Ensure permissions on /etc/shadow are configured
Description: The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information
Severity: High
Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts
Observation: It was observed that permissions on /etc/shadow are configured and set to 0640
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/shadow are configured: ensure /etc/shadow is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or {GID}/shadow
207
System Maintenance
Ensure permissions on /etc/shadow- are configured
Description: The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information
Severity: High
Rationale: It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions
Observation: It was observed that permissions on /etc/shadow- are configured and set to 0640
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/shadow- are configured: ensure /etc/shadow- is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or {GID}/shadow
208
System Maintenance
Ensure permissions on /etc/gshadow are configured
Description: The `/etc/gshadow` file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: If attackers can gain read access to the `/etc/gshadow` file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the `/etc/gshadow` file (such as group administrators) could also be useful to subvert the group.
Observation: It was observed that permissions on /etc/gshadow are configured and set to 0640
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/gshadow are configured: ensure /etc/gshadow is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or `{GID}/shadow`
209
System Maintenance
Ensure permissions on /etc/gshadow- are configured
Description: The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
Severity: High
Rationale: It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions
Observation: It was observed that permissions on /etc/gshadow- are configured and set to 0640
Status: Configured pass
Recommendation: It is recommended that permissions on /etc/gshadow- are configured: ensure /etc/gshadow- is mode 640 or more restrictive, Uid is 0/root and Gid is 0/root or `{GID}/shadow`
211
System Maintenance
Ensure no unowned files or directories exist
Description: Administrators may delete users or groups from the system and neglect to remove all files and/or directories owned by those users or groups
Severity: High
Rationale: A new user or group who is assigned a deleted user's user ID or group ID may then end up "owning" the deleted user's or group's files, and thus have more access on the system than was intended
Observation: It was observed that no files or directories without an owner and a group exist
Status: Configured pass
Recommendation: It is recommended that no files or directories without an owner and a group exist
213
System Maintenance
Ensure SUID and SGID files are reviewed
Description: The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID or SGID program is to enable users to perform functions (such as changing their password) that require root privileges
Severity: High
Rationale: There are valid reasons for SUID and SGID programs, but it is important to identify and review such programs to ensure they are legitimate. Review the files returned by the action in the audit section and check whether any system binary has a checksum different from the one recorded by its package. This is an indication that the binary may have been replaced
Observation: It was observed that SUID and SGID files are set with permissions 4755/4744 and 6755 (for /usr/bin/at)
Status: Misconfigured manual
Recommendation: It is recommended that SUID and SGID files are reviewed and access restricted as needed
214
Local user and group settings
Ensure accounts in /etc/passwd use shadowed passwords
Description: Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in the shadow password file, `/etc/shadow`, encrypted by a salted one-way hash. Accounts with a shadowed password have an `x` in the second field in `/etc/passwd`.
Severity: High
Rationale: The `/etc/passwd` file also contains information like user IDs and group IDs that are used by many system programs. Therefore, the `/etc/passwd` file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the `/etc/passwd` file. This can be mitigated by using shadowed passwords, thus moving the passwords in the `/etc/passwd` file to `/etc/shadow`. The `/etc/shadow` file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack.
**Note:**
- All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
- A user account with an empty second field in `/etc/passwd` allows the account to be logged into by providing only the username.
Observation: It was observed that accounts in /etc/passwd use shadowed passwords
Status: Configured pass
Recommendation: It is recommended that accounts in /etc/passwd use shadowed passwords
215
Local user and group settings
Ensure /etc/shadow password fields are not empty
Description: An account with an empty password field means that anybody may log in as that user without providing a password.
Severity: High
Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
Observation: It was observed that /etc/shadow password fields are not empty for root and test users
Status: Configured pass
Recommendation: It is recommended that /etc/shadow password fields are not empty
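As an added example (not part of the audit report above), the following POSIX shell helpers implement the checks behind items 192, 202-209, 214 and 215. They take file paths rather than hard-coding /etc, so they can be run against copies or constructed fixtures as well as the live files; GNU stat on Linux is assumed.

```shell
# Added audit helpers, not taken from the report: each takes a file path so it
# can be run against a copy or a test fixture as well as the live /etc file.

# Name the algorithm behind a crypt(3) hash prefix, using the ENCRYPT_METHOD
# names listed under item 192.  Locked ('!'/'*') and empty fields are flagged.
hash_algo() {
  case "$1" in
    '')             echo EMPTY ;;
    '!'*|'*'*)      echo LOCKED ;;
    '$y$'*)         echo YESCRYPT ;;
    '$6$'*)         echo SHA512 ;;
    '$5$'*)         echo SHA256 ;;
    '$2'[abxy]'$'*) echo BCRYPT ;;
    '$1$'*)         echo MD5 ;;
    *)              echo DES ;;   # traditional 13-char crypt, the login.defs default
  esac
}

# Items 192 / 215: report accounts whose hash is empty or weaker than the two
# algorithms the report accepts (SHA512, YESCRYPT).  Returns 1 on any finding.
audit_shadow() {
  rc=0
  while IFS=: read -r user hash _; do
    algo=$(hash_algo "$hash")
    case "$algo" in
      YESCRYPT|SHA512|LOCKED) ;;
      *) echo "FINDING $user: password hash is $algo"; rc=1 ;;
    esac
  done < "$1"
  return $rc
}

# Item 214: every account in passwd must be shadowed ('x' in field 2).
audit_passwd() {
  awk -F: '$2 != "x" { print "FINDING " $1 ": not shadowed"; bad = 1 }
           END { exit bad + 0 }' "$1"
}

# Items 202-209: "mode M or more restrictive" is a bit-wise test, not a string
# compare, so 600 satisfies a 644 requirement while 664 and 4644 do not.
# GNU stat (Linux) is assumed.
check_mode() {   # check_mode FILE MAX_OCTAL_MODE
  mode=$(stat -c %a "$1") || return 2
  [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

check_owner() {  # check_owner FILE  -> uid 0 / gid 0, as the report requires
  [ "$(stat -c '%u:%g' "$1")" = 0:0 ]
}
```

Typical use on a live system is `audit_shadow /etc/shadow` and `check_mode /etc/shadow 640 && check_owner /etc/shadow`, run as root.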