weixin_39800875
2020-12-02 19:43

Improve RHEL 7 CIS benchmark for the SCA module

commented on Mon Apr 13 2020

Hello team, I am working on the improvement of the RHEL 7 CIS policy: https://github.com/wazuh/wazuh/blob/v3.12.2/etc/sca/rhel/7/cis_rhel7_linux.yml

Section 1

Missing checks from section 1.1 Filesystem Configuration:

  • [x] 1.1.1.1 Ensure mounting of cramfs filesystems is disabled

  • [x] 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled

  • [x] 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled

  • [x] 1.1.1.4 Ensure mounting of hfs filesystems is disabled

  • [x] 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled

  • [x] 1.1.1.6 Ensure mounting of squashfs filesystems is disabled

  • [x] 1.1.1.7 Ensure mounting of udf filesystems is disabled

  • [x] 1.1.1.8 Ensure mounting of FAT filesystems is disabled

  • [x] 1.1.8 Ensure nodev option set on /var/tmp partition

  • [x] 1.1.9 Ensure nosuid option set on /var/tmp partition

  • [x] 1.1.10 Ensure noexec option set on /var/tmp partition

  • [ ] 1.1.18 Ensure nodev option set on removable media partitions

  • [ ] 1.1.19 Ensure nosuid option set on removable media partitions

  • [ ] 1.1.20 Ensure noexec option set on removable media partitions

  • [ ] 1.1.21 Ensure sticky bit is set on all world-writable directories

  • [x] 1.1.22 Disable Automounting

All sections missing in 1.2 Configure Software Update:

  • [ ] 1.2.1 Ensure package manager repositories are configured

  • [x] 1.2.2 Ensure gpgcheck is globally activated

  • [ ] 1.2.3 Ensure GPG keys are configured

  • [ ] 1.2.4 Ensure Red Hat Subscription Manager connection is configured

  • [ ] 1.2.5 Disable the rhnsd Daemon

All sections missing in 1.3 Filesystem Integrity Checking:

  • [x] 1.3.1 Ensure AIDE is installed

  • [x] 1.3.2 Ensure filesystem integrity is regularly checked

Sections in 1.4 Secure Boot Settings

  • [x] 1.4.1 Ensure permissions on bootloader config are configured

  • [x] 1.4.3 Ensure authentication required for single user mode

Sections in 1.5 Additional Process Hardening:

  • [x] 1.5.2 Ensure XD/NX support is enabled

  • [x] 1.5.4 Ensure prelink is disabled

1.6 Mandatory Access Control

  • [x] 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration

  • [x] 1.6.1.6 Ensure no unconfined daemons exist

  • [x] 1.6.2 Ensure SELinux is installed

1.7 Warning Banners

  • [x] 1.7.1.1 Ensure message of the day is configured properly

  • [x] 1.7.1.2 Ensure local login warning banner is configured properly

  • [x] 1.7.1.3 Ensure remote login warning banner is configured properly

  • [x] 1.7.1.4 Ensure permissions on /etc/motd are configured

  • [x] 1.7.1.5 Ensure permissions on /etc/issue are configured

  • [x] 1.7.1.6 Ensure permissions on /etc/issue.net are configured

  • [x] 1.7.2 Ensure GDM login banner is configured

  • [x] 1.8 Ensure updates, patches, and additional security software are installed

Section 2: Services

2.1 inetd Services

  • [x] 2.1.6 Ensure tftp server is not enabled

2.2 Special Purpose Services

  • [x] 2.2.1.1 Ensure time synchronization is in use

  • [x] 2.2.4 Ensure CUPS is not enabled

  • [x] 2.2.8 Ensure DNS Server is not enabled

  • [x] 2.2.15 Ensure mail transfer agent is configured for local-only mode

2.3 Service Clients

  • [x] 2.3.2 Ensure rsh client is not installed

  • [x] 2.3.3 Ensure talk client is not installed

  • [x] 2.3.4 Ensure telnet client is not installed

  • [x] 2.3.5 Ensure LDAP client is not installed

Section 3: Network Configuration

3.3 IPv6

  • [x] 3.3.1 Ensure IPv6 router advertisements are not accepted

  • [x] 3.3.2 Ensure IPv6 redirects are not accepted

  • [x] 3.3.3 Ensure IPv6 is disabled

3.4 TCP Wrappers

  • [x] 3.4.1 Ensure TCP Wrappers is installed

  • [ ] 3.4.2 Ensure /etc/hosts.allow is configured

  • [x] 3.4.3 Ensure /etc/hosts.deny is configured

  • [x] 3.4.4 Ensure permissions on /etc/hosts.allow are configured

  • [x] 3.4.5 Ensure permissions on /etc/hosts.deny are configured

3.5 Uncommon Network Protocols

  • [x] 3.5.1 Ensure DCCP is disabled

  • [x] 3.5.2 Ensure SCTP is disabled

  • [x] 3.5.3 Ensure RDS is disabled

  • [x] 3.5.4 Ensure TIPC is disabled

3.6 Firewall Configuration

  • [x] 3.6.1 Ensure iptables is installed

  • [x] 3.6.2 Ensure default deny firewall policy

  • [x] 3.6.3 Ensure loopback traffic is configured

  • [ ] 3.6.4 Ensure outbound and established connections are configured

  • [ ] 3.6.5 Ensure firewall rules exist for all open ports

  • [ ] 3.7 Ensure wireless interfaces are disabled

Section 4: Logging and Auditing

4.1 Configure System Accounting (auditd)

  • [x] 4.1.1.1 Ensure audit log storage size is configured

  • [x] 4.1.1.2 Ensure system is disabled when audit logs are full

  • [x] 4.1.1.3 Ensure audit logs are not automatically deleted

  • [x] 4.1.2 Ensure auditd service is enabled

  • [x] 4.1.3 Ensure auditing for processes that start prior to auditd is enabled

  • [x] 4.1.4 Ensure events that modify date and time information are collected

  • [x] 4.1.5 Ensure events that modify user/group information are collected

  • [x] 4.1.6 Ensure events that modify the system's network environment are collected

  • [x] 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected

  • [x] 4.1.8 Ensure login and logout events are collected

  • [x] 4.1.9 Ensure session initiation information is collected

  • [x] 4.1.10 Ensure discretionary access control permission modification events are collected

  • [x] 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected

  • [ ] 4.1.12 Ensure use of privileged commands is collected

  • [x] 4.1.13 Ensure successful file system mounts are collected

  • [x] 4.1.14 Ensure file deletion events by users are collected

  • [x] 4.1.15 Ensure changes to system administration scope (sudoers) is collected

  • [x] 4.1.16 Ensure system administrator actions (sudolog) are collected

  • [x] 4.1.17 Ensure kernel module loading and unloading is collected

  • [x] 4.1.18 Ensure the audit configuration is immutable

4.2 Configure Logging

  • [x] 4.2.1.1 Ensure rsyslog Service is enabled

  • [ ] 4.2.1.2 Ensure logging is configured

  • [x] 4.2.1.3 Ensure rsyslog default file permissions configured

  • [x] 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

  • [x] 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts

  • [x] 4.2.2.1 Ensure syslog-ng service is enabled

  • [ ] 4.2.2.2 Ensure logging is configured

  • [x] 4.2.2.3 Ensure syslog-ng default file permissions configured

  • [x] 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host

  • [ ] 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

  • [x] 4.2.3 Ensure rsyslog or syslog-ng is installed

  • [x] 4.2.4 Ensure permissions on all logfiles are configured

4.3 Ensure logrotate is configured

  • [ ] 4.3 Ensure logrotate is configured

Section 5: Access, Authentication and Authorization

5.1 Configure cron

  • [x] 5.1.1 Ensure cron daemon is enabled

  • [x] 5.1.2 Ensure permissions on /etc/crontab are configured

  • [x] 5.1.3 Ensure permissions on /etc/cron.hourly are configured

  • [x] 5.1.4 Ensure permissions on /etc/cron.daily are configured

  • [x] 5.1.5 Ensure permissions on /etc/cron.weekly are configured

  • [x] 5.1.6 Ensure permissions on /etc/cron.monthly are configured

  • [x] 5.1.7 Ensure permissions on /etc/cron.d are configured

  • [x] 5.1.8 Ensure at/cron is restricted to authorized users

5.2 SSH Server Configuration

  • [x] 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

  • [x] 5.2.4 Ensure SSH X11 forwarding is disabled

  • [x] 5.2.10 Ensure SSH PermitUserEnvironment is disabled

  • [ ] 5.2.11 Ensure only approved MAC algorithms are used

  • [x] 5.2.12 Ensure SSH Idle Timeout Interval is configured

  • [x] 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less

  • [x] 5.2.14 Ensure SSH access is limited

  • [x] 5.2.15 Ensure SSH warning banner is configured

5.3 Configure PAM

  • [x] 5.3.1 Ensure password creation requirements are configured

  • [ ] 5.3.2 Ensure lockout for failed password attempts is configured

  • [x] 5.3.3 Ensure password reuse is limited

  • [x] 5.3.4 Ensure password hashing algorithm is SHA-512

5.4 User Accounts and Environment

  • [x] 5.4.1.1 Ensure password expiration is 365 days or less

  • [x] 5.4.1.2 Ensure minimum days between password changes is 7 or more

  • [x] 5.4.1.3 Ensure password expiration warning days is 7 or more

  • [x] 5.4.1.4 Ensure inactive password lock is 30 days or less

  • [ ] 5.4.1.5 Ensure all users last password change date is in the past

  • [ ] 5.4.2 Ensure system accounts are non-login

  • [x] 5.4.3 Ensure default group for the root account is GID 0

  • [x] 5.4.4 Ensure default user umask is 027 or more restrictive

  • [x] 5.4.5 Ensure default user shell timeout is 900 seconds or less

  • [ ] 5.5 Ensure root login is restricted to system console

  • [x] 5.6 Ensure access to the su command is restricted

Section 6: System Maintenance

6.1 System File Permissions

  • [ ] 6.1.1 Audit system file permissions (Not Scored)

  • [x] 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)

  • [x] 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)

  • [x] 6.1.4 Ensure permissions on /etc/group are configured (Scored)

  • [x] 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)

  • [x] 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)

  • [x] 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)

  • [x] 6.1.8 Ensure permissions on /etc/group- are configured (Scored)

  • [x] 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)

  • [ ] 6.1.10 Ensure no world writable files exist (Scored)

  • [ ] 6.1.11 Ensure no unowned files or directories exist (Scored)

  • [ ] 6.1.12 Ensure no ungrouped files or directories exist (Scored)

  • [ ] 6.1.13 Audit SUID executables (Not Scored)

  • [ ] 6.1.14 Audit SGID executables (Not Scored)

6.2 User and Group Settings

  • [x] 6.2.1 Ensure password fields are not empty (Scored)

  • [x] 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)

  • [x] 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored)

  • [x] 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored)

  • [ ] 6.2.6 Ensure root PATH Integrity (Scored)

  • [ ] 6.2.7 Ensure all users' home directories exist (Scored)

  • [ ] 6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored)

  • [ ] 6.2.9 Ensure users own their home directories (Scored)

  • [ ] 6.2.10 Ensure users' dot files are not group or world writable (Scored)

  • [ ] 6.2.11 Ensure no users have .forward files (Scored)

  • [ ] 6.2.12 Ensure no users have .netrc files (Scored)

  • [ ] 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)

  • [ ] 6.2.14 Ensure no users have .rhosts files (Scored)

  • [ ] 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored)

  • [ ] 6.2.16 Ensure no duplicate UIDs exist (Scored)

  • [ ] 6.2.17 Ensure no duplicate GIDs exist (Scored)

  • [ ] 6.2.18 Ensure no duplicate user names exist (Scored)

  • [ ] 6.2.19 Ensure no duplicate group names exist (Scored)

Testing

  • [x] Tested in official vagrant box: centos/7

  • [x] Tested in reliable vagrant box: bento/centos-7

  • [x] Tested in RHEL 7 machine in AWS

This question comes from the open-source project: wazuh/wazuh-ruleset

16 replies

  • weixin_39541600, 5 months ago

    Added section 5 compliances
  • weixin_39651735, 5 months ago

    Reviewed and added additional compliances to every check
  • weixin_39651735, 5 months ago

    Added missing CIS control compliances
  • weixin_39928801, 5 months ago

    When can we expect these updated templates to be released? Are these updated ones available for download?
  • weixin_39651735, 5 months ago

    Started testing and reviewing all checks on 3 different environments
  • weixin_39758712, 5 months ago

    Added all missing 2.1.x and 2.2.x checks. 2.1.1 was already there and on the list by mistake.
  • weixin_39541600, 5 months ago

    Added 3.3.1 and 3.3.2.
  • weixin_39758712, 5 months ago

    Added the section 4 checks to the issue, as the entire section was missing. Currently up to 4.1.3.
  • weixin_39541600, 5 months ago

    Created the policies of section 3 and section 5 from 5.1.1 to 5.1.7. Added the section 5 checks.
  • weixin_39651735, 5 months ago

    Fixed false positives from 1.1.1.1 to 1.1.1.8

    Created policies for 1.2.2, 1.3.1 and 1.4.1
  • weixin_39758712, 5 months ago

    Currently up to 4.1.14
  • weixin_39541600, 5 months ago

    Section 5 updated with 16 new policies.
  • weixin_39651735, 5 months ago

    Section 1 finished.

    Section 6: Created 6.1.2-6.1.9
  • weixin_39758712, 5 months ago

    Finished section 4.
  • weixin_39541600, 5 months ago

    Section 5 created and tested
  • weixin_39651735, 5 months ago

    Reviewed sections 1, 2, 3, 4 and 6. Added missing checks. Fixed existing checks. Added some missing compliances.