CIS DILB 2.0.0 #67
I have separated the tests into sub-folders (e.g. Current diff (up to chapter 5):
diff --git a/controls/1_initial_setup/1_1_filesystem_configuration.rb b/controls/1_initial_setup/1_1_filesystem_configuration.rb
index 7d19d99..03a4cda 100644
--- a/controls/1_initial_setup/1_1_filesystem_configuration.rb
+++ b/controls/1_initial_setup/1_1_filesystem_configuration.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
cis_level = attribute('cis_level')
@@ -141,6 +142,7 @@ control 'cis-dil-benchmark-1.1.2' do
describe mount('/tmp') do
it { should be_mounted }
+ its('type') { should eq 'tmpfs' }
end
end
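Review bot: `its('type') { should eq 'tmpfs' }` over-constrains 1.1.2: the recommendation is that /tmp be a separate mount, and a dedicated disk partition (ext4, xfs, …) satisfies it but would now fail this control. Either drop the added line and keep `it { should be_mounted }` as the assertion, or, if tmpfs is a deliberate site policy, say so in a comment such as `# site policy: /tmp must be tmpfs (stricter than CIS 1.1.2)` so the divergence from the benchmark is visible.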
@@ -153,7 +155,7 @@ control 'cis-dil-benchmark-1.1.3' do
tag level: 1
describe mount('/tmp') do
- its(:options) { should include 'nodev' }
+ its('options') { should include 'nodev' }
end
end
@@ -166,7 +168,7 @@ control 'cis-dil-benchmark-1.1.4' do
tag level: 1
describe mount('/tmp') do
- its(:options) { should include 'nosuid' }
+ its('options') { should include 'nosuid' }
end
end
@@ -179,7 +181,7 @@ control 'cis-dil-benchmark-1.1.5' do
tag level: 1
describe mount('/tmp') do
- its(:options) { should include 'noexec' }
+ its('options') { should include 'noexec' }
end
end
@@ -220,7 +222,7 @@ control 'cis-dil-benchmark-1.1.8' do
tag level: 1
describe mount('/var/tmp') do
- its(:options) { should include 'nodev' }
+ its('options') { should include 'nodev' }
end
end
@@ -233,7 +235,7 @@ control 'cis-dil-benchmark-1.1.9' do
tag level: 1
describe mount('/var/tmp') do
- its(:options) { should include 'nosuid' }
+ its('options') { should include 'nosuid' }
end
end
@@ -246,7 +248,7 @@ control 'cis-dil-benchmark-1.1.10' do
tag level: 1
describe mount('/var/tmp') do
- its(:options) { should include 'noexec' }
+ its('options') { should include 'noexec' }
end
end
@@ -272,11 +274,10 @@ control 'cis-dil-benchmark-1.1.12' do
tag cis: 'distribution-independent-linux:1.1.12'
tag level: 2
- only_if { cis_level == 2 }
-
describe mount('/var/log/audit') do
it { should be_mounted }
end
+ only_if { cis_level == 2 }
end
control 'cis-dil-benchmark-1.1.13' do
@@ -287,11 +288,10 @@ control 'cis-dil-benchmark-1.1.13' do
tag cis: 'distribution-independent-linux:1.1.13'
tag level: 2
- only_if { cis_level == 2 }
-
describe mount('/home') do
it { should be_mounted }
end
+ only_if { cis_level == 2 }
end
control 'cis-dil-benchmark-1.1.14' do
@@ -303,7 +303,7 @@ control 'cis-dil-benchmark-1.1.14' do
tag level: 1
describe mount('/home') do
- its(:options) { should include 'nodev' }
+ its('options') { should include 'nodev' }
end
end
@@ -316,12 +316,12 @@ control 'cis-dil-benchmark-1.1.15' do
tag level: 1
describe mount('/dev/shm') do
- its(:options) { should include 'nodev' }
+ its('options') { should include 'nodev' }
end
end
control 'cis-dil-benchmark-1.1.16' do
- title 'Ensure nosuid option set on /dev/shm partitionrun'
+ title 'Ensure nosuid option set on /dev/shm partition'
desc "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
impact 1.0
@@ -329,7 +329,7 @@ control 'cis-dil-benchmark-1.1.16' do
tag level: 1
describe mount('/dev/shm') do
- its(:options) { should include 'nosuid' }
+ its('options') { should include 'nosuid' }
end
end
@@ -342,7 +342,7 @@ control 'cis-dil-benchmark-1.1.17' do
tag level: 1
describe mount('/dev/shm') do
- its(:options) { should include 'noexec' }
+ its('options') { should include 'noexec' }
end
end
@@ -356,6 +356,7 @@ control 'cis-dil-benchmark-1.1.18' do
describe 'cis-dil-benchmark-1.1.18' do
skip 'Not implemented'
+ # TODO: cat /sys/block/sdX/removable -> 0 if not removable, 1 if removable
end
end
@@ -369,6 +370,7 @@ control 'cis-dil-benchmark-1.1.19' do
describe 'cis-dil-benchmark-1.1.19' do
skip 'Not implemented'
+ # TODO: cat /sys/block/sdX/removable -> 0 if not removable, 1 if removable
end
end
@@ -382,6 +384,7 @@ control 'cis-dil-benchmark-1.1.20' do
describe 'cis-dil-benchmark-1.1.20' do
skip 'Not implemented'
+ # TODO: cat /sys/block/sdX/removable -> 0 if not removable, 1 if removable
end
end
@@ -418,3 +421,17 @@ control 'cis-dil-benchmark-1.1.22' do
end
end
end
+
+control 'cis-dil-benchmark-1.1.23' do
+ title 'Disable USB Storage'
+ desc "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.\n\nRationale: Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:1.1.23'
+ tag level: 1
+
+ describe kernel_module('usb-storage') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
+end
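Review bot: `kernel_module('usb-storage')` is likely to make `should_not be_loaded` pass vacuously: as far as I recall the resource's `loaded?` looks for the name verbatim in `lsmod` output, and the kernel lists this module as `usb_storage`, so a loaded module would not be found. Use the kernel's spelling, `describe kernel_module('usb_storage') do`; the `be_disabled` check goes through modprobe, which accepts either form, so it keeps working. It would also help to note in a comment which `modprobe.d` pattern `be_disabled` expects (`install usb_storage /bin/true` style), since 1.1.23's audit text is phrased in those terms.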
diff --git a/controls/1_initial_setup/1_2_configure_software_updates.rb b/controls/1_initial_setup/1_2_configure_software_updates.rb
index 409ec11..8a88a03 100644
--- a/controls/1_initial_setup/1_2_configure_software_updates.rb
+++ b/controls/1_initial_setup/1_2_configure_software_updates.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '1.2 Configure Software Updates'
diff --git a/controls/1_initial_setup/1_3_filesystem_integrity_checking.rb b/controls/1_initial_setup/1_3_filesystem_integrity_checking.rb
index a7d54fe..c8f09e4 100644
--- a/controls/1_initial_setup/1_3_filesystem_integrity_checking.rb
+++ b/controls/1_initial_setup/1_3_filesystem_integrity_checking.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
#
title '1.3 Filesystem Integrity Checking'
@@ -45,19 +46,11 @@ control 'cis-dil-benchmark-1.3.2' do
tag cis: 'distribution-independent-linux:1.3.2'
tag level: 1
- describe.one do
- %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
- describe file(f) do
- its(:content) { should match(/aide --check/) }
- end
- end
+ describe command('crontab -u root -l | grep aide') do
+ its('exit_status') { should eq 0 }
+ end
- %w(cron.d cron.hourly cron.daily cron.weekly cron.monthly).each do |f|
- command("find /etc/#{f} -type f").stdout.split.each do |entry|
- describe file(entry) do
- its(:content) { should match(/aide --check/) }
- end
- end
- end
+ describe command("grep -r aide /etc/cron.* /etc/crontab") do
+ its('exit_status') { should eq 0 }
end
end
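Review bot: Removing the `describe.one do` wrapper turns two alternative locations into a conjunction: the control now passes only when AIDE is referenced both in root's crontab and under /etc/cron.*, whereas the benchmark accepts either. Re-wrap both `describe command(...)` blocks in `describe.one do … end`. Separately, a bare `grep aide` also matches comments and unrelated mentions, so a commented-out job still passes; anchoring on an uncommented invocation, e.g. `grep -E '^[^#]*aide'`, or keeping the old `/aide --check/` pattern, avoids that false pass.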
diff --git a/controls/1_initial_setup/1_4_secure_boot_settings.rb b/controls/1_initial_setup/1_4_secure_boot_settings.rb
index 5602b7e..fc19bb6 100644
--- a/controls/1_initial_setup/1_4_secure_boot_settings.rb
+++ b/controls/1_initial_setup/1_4_secure_boot_settings.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '1.4 Secure Boot Settings'
@@ -26,17 +27,12 @@ control 'cis-dil-benchmark-1.4.1' do
tag level: 1
describe.one do
- %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg).each do |f|
+ %w(/boot/grub/grub.conf /boot/grub2/grub.cfg).each do |f|
describe file(f) do
it { should exist }
- it { should_not be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should_not be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:gid) { should cmp 0 }
- its(:uid) { should cmp 0 }
+ its('mode') { should cmp '0400' }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
end
end
end
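Review bot: The candidate list shrinks to `/boot/grub/grub.conf` and `/boot/grub2/grub.cfg`, so a GRUB2 host whose config lives at `/boot/grub/grub.cfg` (a path 1.4.2 below still lists) has no existing candidate and fails regardless of its permissions. `its('mode') { should cmp '0400' }` is also stricter than the benchmark's og-rwx requirement, whose documented expected output is 0600, so a compliant 0600 file fails here; if the InSpec in use provides it, `it { should_not be_more_permissive_than('0600') }` expresses the intent, otherwise keep the old per-class `be_readable.by`/`be_writable.by` assertions. Keep `/boot/grub/grub.cfg` in the list either way.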
@@ -53,8 +49,8 @@ control 'cis-dil-benchmark-1.4.2' do
describe.one do
%w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub/grub.cfg).each do |f|
describe file(f) do
- its(:content) { should match(/^set superusers/) }
- its(:content) { should match(/^password/) }
+ its('content') { should match /^\s*set superusers/ }
+ its('content') { should match /^\s*password/ }
end
end
end
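Review bot: `should match /^\s*set superusers/` drops the parentheses around the regex; Ruby only parses `match /…/` as a regex argument via the space heuristic and warns "ambiguous first argument" under -w, and the same form is introduced in 1.4.4 below and throughout 1_5, 1_6, 1_7 and 2_2. Keep the original `should match(/^\s*set superusers/)` form for these. A few lines (1.5.2's dmesg check, 1.6.2.3's sestatus check, 1.6.3.2's apparmor_status check) also keep `its(:stdout)` while the rest of the diff moves to `its('stdout')`; pick one form.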
@@ -68,19 +64,8 @@ control 'cis-dil-benchmark-1.4.3' do
tag cis: 'distribution-independent-linux:1.4.3'
tag level: 1
- describe.one do
- describe shadow.users('root') do
- its(:passwords) { should_not include('*') }
- its(:passwords) { should_not include('!') }
- end
-
- describe file('/etc/inittab') do
- its(:content) { should match(%r{^~~:S:respawn:/sbin/sulogin}) }
- end
-
- describe file('/etc/sysconfig/init') do
- its(:content) { should match(%r{^SINGLE=/sbin/sulogin$}) }
- end
+ describe command('grep ^root:[*\!]: /etc/shadow') do
+ its('stdout') { should eq '' }
end
end
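Review bot: `its('stdout') { should eq '' }` also passes when grep never read the file: an unreadable /etc/shadow (scan not running as root) or a malformed pattern prints to stderr, exits 2 and leaves stdout empty, so the control passes vacuously. Add `its('exit_status') { should eq 1 }` (grep's no-match status) so a read failure is distinguishable from a clean result. The removed `shadow.users('root')` check did not depend on spawning a shell or on the runner's ability to read the file through grep; keeping it as the primary assertion would be the more robust choice.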
@@ -94,7 +79,7 @@ control 'cis-dil-benchmark-1.4.4' do
if file('/etc/sysconfig/boot').exist?
describe file('/etc/sysconfig/boot') do
- its(:content) { should match(/^PROMPT_FOR_CONFIRM="no"$/) }
+ its('content') { should match /^PROMPT_FOR_CONFIRM="no"$/ }
end
else
describe 'cis-dil-benchmark-1.4.4' do
diff --git a/controls/1_initial_setup/1_5_additional_process_hardening.rb b/controls/1_initial_setup/1_5_additional_process_hardening.rb
index d0d65af..694b18c 100644
--- a/controls/1_initial_setup/1_5_additional_process_hardening.rb
+++ b/controls/1_initial_setup/1_5_additional_process_hardening.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '1.5 Additional Process Hardening'
@@ -27,12 +28,12 @@ control 'cis-dil-benchmark-1.5.1' do
describe.one do
describe file('/etc/security/limits.conf') do
- its(:content) { should match(/^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/) }
+ its('content') { should match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/ }
end
command('find /etc/security/limits.d -type f').stdout.split.each do |f|
describe file(f) do
- its(:content) { should match(/^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/) }
+ its('content') { should match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/ }
end
end
end
@@ -51,7 +52,7 @@ control 'cis-dil-benchmark-1.5.2' do
tag level: 1
describe command('dmesg | grep NX') do
- its(:stdout) { should match(/NX \(Execute Disable\) protection: active/) }
+ its(:stdout) { should match /NX \(Execute Disable\) protection: active/ }
end
end
diff --git a/controls/1_initial_setup/1_6_mandatory_access_control.rb b/controls/1_initial_setup/1_6_mandatory_access_control.rb
index 582ac6c..3a58e5e 100644
--- a/controls/1_initial_setup/1_6_mandatory_access_control.rb
+++ b/controls/1_initial_setup/1_6_mandatory_access_control.rb
@@ -14,97 +14,99 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
cis_level = attribute('cis_level')
title '1.6 Mandatory Access Control'
control 'cis-dil-benchmark-1.6.1.1' do
- title 'Ensure SELinux is not disabled in bootloader configuration'
- desc "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.\n\nRationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+ title 'Ensure SELinux or AppArmor are installed'
+ desc "SELinux and AppArmor provide Mandatory Access Controls.\n\nRationale: Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
impact 1.0
tag cis: 'distribution-independent-linux:1.6.1.1'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
+ describe.one do
+ %w(libselinux apparmor).each do |p|
+ describe package(p) do
+ it { should be_installed }
+ end
+ end
end
+ only_if { cis_level == 2 }
+end
+
+control 'cis-dil-benchmark-1.6.2.1' do
+ title 'Ensure SELinux is not disabled in bootloader configuration'
+ desc "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.\n\nRationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:1.6.2.1'
+ tag level: 2
+
describe.one do
- %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
+ %w(/boot/grub2/grub.cfg /boot/grub/menu.lst).each do |f|
describe file(f) do
- its(:content) { should_not match(/selinux=0/) }
- its(:content) { should_not match(/enforcing=0/) }
+ its('content') { should_not match /selinux=0/ }
+ its('content') { should_not match /enforcing=0/ }
end
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.1.2' do
+control 'cis-dil-benchmark-1.6.2.2' do
title 'Ensure the SELinux state is enforcing'
desc "Set SELinux to enable when the system is booted.\n\nRationale: SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.1.2'
+ tag cis: 'distribution-independent-linux:1.6.2.2'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
- end
-
describe file('/etc/selinux/config') do
- its(:content) { should match(/^SELINUX=enforcing\s*(?:#.*)?$/) }
+ its('content') { should match /^SELINUX=enforcing\s*(?:#.*)?$/ }
end
describe command('sestatus') do
- its(:stdout) { should match(/SELinux status:\s+enabled/) }
- its(:stdout) { should match(/Current mode:\s+enforcing/) }
- its(:stdout) { should match(/Mode from config file:\s+enforcing/) }
+ its('stdout') { should match /SELinux status:\s+enabled/ }
+ its('stdout') { should match /Current mode:\s+enforcing/ }
+ its('stdout') { should match /Mode from config file:\s+enforcing/ }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.1.3' do
+control 'cis-dil-benchmark-1.6.2.3' do
title 'Ensure SELinux policy is configured'
desc "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.\n\nRationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.1.3'
+ tag cis: 'distribution-independent-linux:1.6.2.3'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
- end
-
describe file('/etc/selinux/config') do
- its(:content) { should match(/^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/) }
+ its('content') { should match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/ }
end
describe command('sestatus') do
- its(:stdout) { should match(/Policy from config file:\s+(targeted|mls)/) }
+ its(:stdout) { should match /Policy from config file:\s+(targeted|mls)/ }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.1.4' do
+control 'cis-dil-benchmark-1.6.2.4' do
title 'Ensure SETroubleshoot is not installed'
desc "The SETroubleshoot service notifies desktop users of SELinux denials through a user- friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors.\n\nRationale: The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.1.4'
+ tag cis: 'distribution-independent-linux:1.6.2.4'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
- end
-
describe package('setroubleshoot') do
it { should_not be_installed }
end
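Review bot: The SELinux controls 1.6.2.2 through 1.6.2.5 lose the `package('selinux').installed? || command('sestatus').exist?` guard and keep only `only_if { cis_level == 2 }`, so a level-2 scan of an AppArmor-only host now fails each of them (no /etc/selinux/config, no sestatus) instead of skipping; the AppArmor controls 1.6.3.x still carry their `package('apparmor').installed?` guard, so the asymmetry looks unintended (1.6.2.4's body continues in the next hunk, and 1.6.2.5/1.6.2.6 follow). Restore the guard, e.g. `only_if { cis_level == 2 && (package('libselinux').installed? || command('sestatus').exist?) }`, using whichever package name 1.6.1.1 settles on. Separately, 1.6.2.1's bootloader list now drops `/boot/grub/grub.cfg` while 1.6.3.1 keeps it; because the assertions are `should_not match`, a host whose config is at an unlisted path passes vacuously (nil content never matches) rather than being checked.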
@@ -112,22 +114,18 @@ control 'cis-dil-benchmark-1.6.1.4' do
describe command('setroubleshoot') do
it { should_not exist }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.1.5' do
+control 'cis-dil-benchmark-1.6.2.5' do
title 'Ensure the MCS Translation Service (mcstrans) is not installed'
desc "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf\n\nRationale: Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.1.5'
+ tag cis: 'distribution-independent-linux:1.6.2.5'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
- end
-
describe package('mcstrans') do
it { should_not be_installed }
end
@@ -135,35 +133,31 @@ control 'cis-dil-benchmark-1.6.1.5' do
describe command('mcstransd') do
it { should_not exist }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.1.6' do
+control 'cis-dil-benchmark-1.6.2.6' do
title 'Ensure no unconfined daemons exist'
desc "Daemons that are not defined in SELinux policy will inherit the security context of their parent process.\n\nRationale: Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.1.6'
+ tag cis: 'distribution-independent-linux:1.6.2.6'
tag level: 2
- only_if do
- cis_level == 2 && (
- package('selinux').installed? || command('sestatus').exist?
- )
+ describe command('ps -eZ | grep -E "initrc" | grep -E -v -w "tr|ps|grep|bash|awk" | tr \':\' \' \' | awk \'{ print $NF }\'') do
+ its('stdout') { should eq '' }
end
- processes(/.*/).where { pid > 0 }.entries.each do |p|
- describe p.label.to_s.split(':')[2] do
- it { should_not cmp 'initrc_t' }
- end
- end
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-1.6.2.1' do
+control 'cis-dil-benchmark-1.6.3.1' do
title 'Ensure AppArmor is not disabled in bootloader configuration'
desc "Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters.\n\nRationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.2.1'
+ tag cis: 'distribution-independent-linux:1.6.3.1'
tag level: 2
only_if { cis_level == 2 && package('apparmor').installed? }
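Review bot: The `ps -eZ | grep … | awk` pipeline's `its('stdout') { should eq '' }` passes whenever the pipeline prints nothing, including when `ps -eZ` itself fails on a host without SELinux contexts; the pipeline's exit status is never asserted, while the removed `processes(...)` loop evaluated the label of every live process. If the shell form is kept, add a separate `describe command('ps -eZ') do its('exit_status') { should eq 0 } end` so a failed listing is not a pass, or express the filter in InSpec, something like `describe processes(/.*/).where { label =~ /initrc_t/ } do its('entries') { should be_empty } end`. The `-v -w "tr|ps|grep|bash|awk"` exclusion also hides an unconfined `bash`-launched daemon by name, which is worth a comment if it is intentional.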
@@ -171,18 +165,18 @@ control 'cis-dil-benchmark-1.6.2.1' do
describe.one do
%w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
describe file(f) do
- its(:content) { should_not match(/apparmor=0/) }
+ its('content') { should_not match /apparmor=0/ }
end
end
end
end
-control 'cis-dil-benchmark-1.6.2.2' do
+control 'cis-dil-benchmark-1.6.3.2' do
title 'Ensure all AppArmor Profiles are enforcing'
desc "AppArmor profiles define what resources applications are able to access.\n\nRationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
impact 1.0
- tag cis: 'distribution-independent-linux:1.6.2.2'
+ tag cis: 'distribution-independent-linux:1.6.3.2'
tag level: 2
only_if { cis_level == 2 && package('apparmor').installed? }
@@ -196,35 +190,6 @@ control 'cis-dil-benchmark-1.6.2.2' do
end
describe command('apparmor_status') do
- its(:stdout) { should match(/0 processes are unconfined/) }
- end
-end
-
-control 'cis-dil-benchmark-1.6.3' do
- title 'Ensure SELinux or AppArmor are installed'
- desc "SELinux and AppArmor provide Mandatory Access Controls.\n\nRationale: Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:1.6.3'
- tag level: 2
-
- only_if { cis_level == 2 }
-
- describe.one do
- describe package('selinux') do
- it { should be_installed }
- end
-
- describe command('sestatus') do
- it { should exist }
- end
-
- describe package('apparmor') do
- it { should be_installed }
- end
-
- describe command('apparmor_status') do
- it { should exist }
- end
+ its(:stdout) { should match /0 processes are unconfined/ }
end
end
diff --git a/controls/1_initial_setup/1_7_warning_banners.rb b/controls/1_initial_setup/1_7_warning_banners.rb
index 58b7217..254ca02 100644
--- a/controls/1_initial_setup/1_7_warning_banners.rb
+++ b/controls/1_initial_setup/1_7_warning_banners.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '1.7 Warning Banners'
@@ -25,8 +26,8 @@ control 'cis-dil-benchmark-1.7.1.1' do
tag cis: 'distribution-independent-linux:1.7.1.1'
tag level: 1
- describe file('/etc/motd') do
- its(:content) { should_not match(/(\\v|\\r|\\m|\\s)/) }
+ describe command('grep -E -i \'(\\v|\\r|\\m|\\s|$(grep \'^ID=\' /etc/os-release | cut -d= -f2 | sed -e \'s/"//g\'))\' /etc/motd') do
+ its('stdout') { should eq '' }
end
end
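Review bot: The quoting in the new `command(...)` string does not reproduce the benchmark's audit line. After Ruby's single-quote unescaping the shell sees `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release …`, where the `'` before `^ID=` closes the outer quote, so the `$(…)` is never executed and the distro-ID part becomes literal regex noise; meanwhile `\v`, `\r`, `\m`, `\s` reach grep as single-character escapes (in GNU grep `\s` is whitespace and, as far as I know, the others degrade to the bare letter) rather than the two-character agetty sequences the old `/(\\v|\\r|\\m|\\s)/` matched, so practically any non-empty banner is flagged. Keep the file-based check, `its('content') { should_not match(/\\[vrms]/) }`, and add the OS name as a separate assertion, e.g. `its('content') { should_not match(/#{Regexp.escape(os.name)}/i) }`, after confirming `os.name` carries the value you mean to forbid. The same command is used in 1.7.1.2 and 1.7.1.3 below.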
@@ -38,8 +39,8 @@ control 'cis-dil-benchmark-1.7.1.2' do
tag cis: 'distribution-independent-linux:1.7.1.2'
tag level: 1
- describe file('/etc/issue') do
- its(:content) { should_not match(/(\\v|\\r|\\m|\\s)/) }
+ describe command('grep -E -i \'(\\v|\\r|\\m|\\s|$(grep \'^ID=\' /etc/os-release | cut -d= -f2 | sed -e \'s/"//g\'))\' /etc/issue') do
+ its('stdout') { should eq '' }
end
end
@@ -51,8 +52,8 @@ control 'cis-dil-benchmark-1.7.1.3' do
tag cis: 'distribution-independent-linux:1.7.1.3'
tag level: 1
- describe file('/etc/issue.net') do
- its(:content) { should_not match(/(\\v|\\r|\\m|\\s)/) }
+ describe command('grep -E -i \'(\\v|\\r|\\m|\\s|$(grep \'^ID=\' /etc/os-release | cut -d= -f2 | sed -e \'s/"//g\'))\' /etc/issue.net') do
+ its('stdout') { should eq '' }
end
end
@@ -65,21 +66,9 @@ control 'cis-dil-benchmark-1.7.1.4' do
tag level: 1
describe file('/etc/motd') do
- it { should exist }
- it { should be_readable.by 'owner' }
- it { should be_writable.by 'owner' }
- it { should_not be_executable.by 'owner' }
- it { should be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
- its(:sticky) { should equal false }
- its(:suid) { should equal false }
- its(:sgid) { should equal false }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
end
end
@@ -92,21 +81,9 @@ control 'cis-dil-benchmark-1.7.1.5' do
tag level: 1
describe file('/etc/issue') do
- it { should exist }
- it { should be_readable.by 'owner' }
- it { should be_writable.by 'owner' }
- it { should_not be_executable.by 'owner' }
- it { should be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
- its(:sticky) { should equal false }
- its(:suid) { should equal false }
- its(:sgid) { should equal false }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
end
end
@@ -119,21 +96,9 @@ control 'cis-dil-benchmark-1.7.1.6' do
tag level: 1
describe file('/etc/issue.net') do
- it { should exist }
- it { should be_readable.by 'owner' }
- it { should be_writable.by 'owner' }
- it { should_not be_executable.by 'owner' }
- it { should be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
- its(:sticky) { should equal false }
- its(:suid) { should equal false }
- its(:sgid) { should equal false }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
end
end
@@ -145,18 +110,11 @@ control 'cis-dil-benchmark-1.7.2' do
tag cis: 'distribution-independent-linux:1.7.2'
tag level: 1
- only_if do
- package('gdm').installed?
+ describe file('/etc/gdm3/greeter.dconf-defaults') do
+ its('content') { should match /^\[org\/gnome\/login-screen\]$/ }
+ its('content') { should match /^banner-message-enable=true$/ }
+ its('content') { should match /^banner-message-text='.*'$/ }
end
- describe file('/etc/dconf/profile/gdm') do
- its(:content) { should match(/^user-db:user$/) }
- its(:content) { should match(/^system-db:gdm$/) }
- its(:content) { should match(%r{^file-db:/usr/share/gdm/greeter-dconf-defaults$}) }
- end
-
- describe file('/etc/dconf/db/gdm.d/01-banner-message') do
- its(:content) { should match(/^banner-message-enable=true$/) }
- its(:content) { should match(/^banner-message-text='.+'$/) }
- end
+ only_if { package('gdm').installed? }
end
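Review bot: The new check reads the Debian/Ubuntu path `/etc/gdm3/greeter.dconf-defaults` but is guarded by `package('gdm').installed?`, the Red Hat-family package name; on Debian-family hosts the package is `gdm3`, so the control is skipped exactly where that file exists, while on Red Hat-family hosts (package `gdm`, banner configured under /etc/dconf/db/gdm.d as the removed lines checked) it fails unconditionally. Guard on either package and accept either layout with `describe.one`. The new `banner-message-text='.*'` also accepts an empty banner, which the old `'.+'` rejected.
```ruby
  only_if { package('gdm').installed? || package('gdm3').installed? }

  describe.one do
    # Debian/Ubuntu layout (package gdm3)
    describe file('/etc/gdm3/greeter.dconf-defaults') do
      its('content') { should match(/^\[org\/gnome\/login-screen\]$/) }
      its('content') { should match(/^banner-message-enable=true$/) }
      its('content') { should match(/^banner-message-text='.+'$/) }
    end

    # Red Hat-family layout (package gdm, dconf database), as checked before this change
    describe file('/etc/dconf/db/gdm.d/01-banner-message') do
      its('content') { should match(/^banner-message-enable=true$/) }
      its('content') { should match(/^banner-message-text='.+'$/) }
    end
  end
```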
diff --git a/controls/1_initial_setup/1_8_ensure_patches.rb b/controls/1_initial_setup/1_8_ensure_patches.rb
index fca3cbf..522aa33 100644
--- a/controls/1_initial_setup/1_8_ensure_patches.rb
+++ b/controls/1_initial_setup/1_8_ensure_patches.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '1.8 Ensure patches'
@@ -25,7 +26,7 @@ control 'cis-dil-benchmark-1.8' do
tag cis: 'distribution-independent-linux:1.8'
tag level: 1
- describe 'cis-dil-benchmark-1.8' do
- skip 'Not implemented'
+ describe command('yum check-update') do
+ its('exit_status') { should_not eq 100 }
end
end
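Review bot: `command('yum check-update')` with `should_not eq 100` passes vacuously on any host without yum (the command is missing and exits 127, or yum errors out with 1), and on yum hosts it fetches repository metadata over the network during the scan. Guard it with `only_if { command('yum').exist? }` and assert success explicitly, `its('exit_status') { should eq 0 }` (0 = no updates, 100 = updates available, 1 = error), so other package managers show as skipped rather than silently passing until their own check exists. A comment noting that this check needs repository access would save the next reader a surprise.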
diff --git a/controls/2_services/2_1_inetd_services.rb b/controls/2_services/2_1_inetd_services.rb
index b94a09a..903d654 100644
--- a/controls/2_services/2_1_inetd_services.rb
+++ b/controls/2_services/2_1_inetd_services.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '2.1 inetd Services'
diff --git a/controls/2_services/2_2_special_purpose_services.rb b/controls/2_services/2_2_special_purpose_services.rb
index 434b1a5..fb9f862 100644
--- a/controls/2_services/2_2_special_purpose_services.rb
+++ b/controls/2_services/2_2_special_purpose_services.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '2.2 Special Purpose Services'
@@ -67,28 +68,24 @@ control 'cis-dil-benchmark-2.2.1.2' do
end
describe ntp_conf.restrict.to_s do
- it { should match(/default\s+(\S+\s+)*kod(?:\s+|\s?")/) }
- it { should match(/default\s+(\S+\s+)*nomodify(?:\s+|\s?")/) }
- it { should match(/default\s+(\S+\s+)*notrap(?:\s+|\s?")/) }
- it { should match(/default\s+(\S+\s+)*nopeer(?:\s+|\s?")/) }
- it { should match(/default\s+(\S+\s+)*noquery(?:\s+|\s?")/) }
+ it { should match /default\s+(\S+\s+)*kod(?:\s+|\s?")/ }
+ it { should match /default\s+(\S+\s+)*nomodify(?:\s+|\s?")/ }
+ it { should match /default\s+(\S+\s+)*notrap(?:\s+|\s?")/ }
+ it { should match /default\s+(\S+\s+)*nopeer(?:\s+|\s?")/ }
+ it { should match /default\s+(\S+\s+)*noquery(?:\s+|\s?")/ }
end
describe.one do
describe file('/etc/init.d/ntp') do
- its(:content) { should match(/^RUNASUSER=ntp\s*(?:#.*)?$/) }
- end
-
- describe file('/etc/init.d/ntpd') do
- its(:content) { should match(/daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/) }
+ its('content') { should match /^RUNASUSER=ntp\s*(?:#.*)?$/ }
end
describe file('/etc/sysconfig/ntpd') do
- its(:content) { should match(/^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/) }
+ its('content') { should match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/ }
end
- describe file('/usr/lib/systemd/system/ntpd.service') do
- its(:content) { should match(%r{^ExecStart=/usr/s?bin/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$}) }
+ describe file('/etc/sysconfig/ntp') do
+ its('content') { should match /^NTPD_OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/ }
end
end
end
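Review bot: Dropping the `/usr/lib/systemd/system/ntpd.service` alternative from the `describe.one` removes the place a systemd Red Hat-family host typically carries `-u ntp:ntp`: there `/etc/sysconfig/ntpd` usually holds only `OPTIONS="-g"` and the unit's `ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS` supplies the user, so such hosts would now fail 2.2.1.2. Keep that alternative alongside the new `/etc/sysconfig/ntp` one: `describe file('/usr/lib/systemd/system/ntpd.service') do` / `its('content') { should match(%r{^ExecStart=/usr/s?bin/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$}) }` / `end`. The `/etc/init.d/ntpd` variant that was removed in the same edit is older SysV territory and is less of a loss, but worth a line in the commit message.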
@@ -108,7 +105,7 @@ control 'cis-dil-benchmark-2.2.1.3' do
describe.one do
%w(/etc/chrony/chrony.conf /etc/chrony.conf).each do |f|
describe file(f) do
- its(:content) { should match(/^server\s+\S+/) }
+ its('content') { should match /^server\s+\S+/ }
end
end
end
@@ -118,6 +115,25 @@ control 'cis-dil-benchmark-2.2.1.3' do
end
end
+control 'cis-dil-benchmark-2.2.1.4' do
+ title 'Ensure chrony is configured'
+ desc "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.\n\nRationale: If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.\nThis recommendation only applies if chrony is in use on the system."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:2.2.1.4'
+ tag level: 1
+
+ only_if do
+ service('systemd-timesyncd.service').enabled?
+ end
+
+
+ describe file('/etc/systemd/timesyncd.conf') do
+ its('content') { should match /^NTP=\S+/ }
+ its('content') { should match /^FallbackNTP=\S+/ }
+ its('content') { should match /^RootDistanceMax=[0-9]/ }
+end
+
control 'cis-dil-benchmark-2.2.2' do
title 'Ensure X Window System is not installed'
desc "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.\n\nRationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
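Review bot: The new control 2.2.1.4 is one `end` short: `control … do` opens it, `only_if do … end` and `describe file(...) do … end` close themselves, and the single `end` before the blank line closes the describe, so the `control` block swallows `control 'cis-dil-benchmark-2.2.2'` and the file no longer parses. Add a second `end` after the describe block. The title and desc describe chrony but the body checks `/etc/systemd/timesyncd.conf` under `only_if { service('systemd-timesyncd.service').enabled? }`; either the metadata or the checks belong to a different recommendation, and the `tag cis:` value should be confirmed against the benchmark numbering before merging. There is also a doubled blank line before the describe.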
diff --git a/controls/2_services/2_3_service_clients.rb b/controls/2_services/2_3_service_clients.rb
index c284c2b..3209e8f 100644
--- a/controls/2_services/2_3_service_clients.rb
+++ b/controls/2_services/2_3_service_clients.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '2.3 Service Clients'
@@ -40,7 +41,7 @@ control 'cis-dil-benchmark-2.3.2' do
tag cis: 'distribution-independent-linux:2.3.2'
tag level: 1
- %w(rsh-client rsh-redone-client).each do |p|
+ %w(rsh rsh-client rsh-redone-client).each do |p|
describe package(p) do
it { should_not be_installed }
end
@@ -81,7 +82,7 @@ control 'cis-dil-benchmark-2.3.5' do
tag cis: 'distribution-independent-linux:2.3.5'
tag level: 1
- %w(ldap-utils openldap-clients).each do |p|
+ %w(ldap-utils openldap-clients openldap2-client).each do |p|
describe package(p) do
it { should_not be_installed }
end
diff --git a/controls/3_network/3_1_network_parameters_host_only.rb b/controls/3_network/3_1_network_parameters_host_only.rb
index 4d9f07a..fe07e24 100644
--- a/controls/3_network/3_1_network_parameters_host_only.rb
+++ b/controls/3_network/3_1_network_parameters_host_only.rb
@@ -14,6 +14,7 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '3.1 Network Parameters (Host Only)'
@@ -29,6 +30,11 @@ control 'cis-dil-benchmark-3.1.1' do
its(:value) { should_not be_nil }
its(:value) { should eq 0 }
end
+
+ describe kernel_parameter('net.ipv6.conf.all.forwarding') do
+ its(:value) { should_not be_nil }
+ its(:value) { should eq 0 }
+ end
end
control 'cis-dil-benchmark-3.1.2' do
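Review bot: The new `kernel_parameter('net.ipv6.conf.all.forwarding')` block is not gated on IPv6 being present, unlike 3.2.9 in 3_2_network_parameters_host_and_router.rb, which wraps its IPv6 sysctls in `only_if { ipv6 == 0 }`. On a host where the IPv6 stack is disabled the `net.ipv6.*` keys do not exist, so `its(:value) { should_not be_nil }` fails and the control reports a finding that is not a misconfiguration. The IPv6 entries appended to the loops in 3.2.1 and 3.2.2 of that file have the same gap. Either guard the IPv6 describe with the same `/proc/net/if_inet6` probe or move it into its own gated control; the enclosing control 3.1.1 starts outside the hunk.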
diff --git a/controls/3_network/3_2_network_parameters_host_and_router.rb b/controls/3_network/3_2_network_parameters_host_and_router.rb
index 5d176e2..3eab956 100644
--- a/controls/3_network/3_2_network_parameters_host_and_router.rb
+++ b/controls/3_network/3_2_network_parameters_host_and_router.rb
@@ -14,9 +14,12 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '3.2 Network Parameters (Host and Router)'
+ipv6 = command('test -f /proc/net/if_inet6').exit_status
+
control 'cis-dil-benchmark-3.2.1' do
title 'Ensure source routed packets are not accepted'
desc "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.\n\nRationale: Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
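Review bot: `ipv6 = command('test -f /proc/net/if_inet6').exit_status` shells out for a file-existence test that the file resource answers directly; `ipv6 = file('/proc/net/if_inet6').exist?` with `only_if { ipv6 }` reads clearer and avoids a subprocess on every profile load. The same probe is repeated verbatim in the new 3_5_firewall_configuration.rb, so a one-line comment such as `# IPv6 stack present? (/proc/net/if_inet6 only exists when the ipv6 module is loaded)` would help readers understand what the gate actually tests.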
@@ -25,7 +28,7 @@ control 'cis-dil-benchmark-3.2.1' do
tag cis: 'distribution-independent-linux:3.2.1'
tag level: 1
- %w(net.ipv4.conf.all.accept_source_route net.ipv4.conf.default.accept_source_route).each do |kp|
+ %w(net.ipv4.conf.all.accept_source_route net.ipv4.conf.default.accept_source_route net.ipv6.conf.all.accept_source_route net.ipv6.conf.default.accept_source_route).each do |kp|
describe kernel_parameter(kp) do
its(:value) { should_not be_nil }
its(:value) { should eq 0 }
@@ -41,7 +44,7 @@ control 'cis-dil-benchmark-3.2.2' do
tag cis: 'distribution-independent-linux:3.2.2'
tag level: 1
- %w(net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects).each do |kp|
+ %w(net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects net.ipv6.conf.all.accept_redirects net.ipv6.conf.default.accept_redirects).each do |kp|
describe kernel_parameter(kp) do
its(:value) { should_not be_nil }
its(:value) { should eq 0 }
@@ -138,3 +141,21 @@ control 'cis-dil-benchmark-3.2.8' do
its(:value) { should eq 1 }
end
end
+
+control 'cis-dil-benchmark-3.2.9' do
+ title 'Ensure IPv6 router advertisements are not accepted'
+ desc "This setting disables the system's ability to accept IPv6 router advertisements.\n\nRationale: It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.2.9'
+ tag level: 1
+
+ %w(net.ipv6.conf.all.accept_ra net.ipv6.conf.default.accept_ra).each do |kp|
+ describe kernel_parameter(kp) do
+ its(:value) { should_not be_nil }
+ its(:value) { should eq 0 }
+ end
+ end
+
+ only_if { ipv6 == 0 }
+end
diff --git a/controls/3_network/3_3_ipv6.rb b/controls/3_network/3_3_ipv6.rb
deleted file mode 100644
index ce69322..0000000
--- a/controls/3_network/3_3_ipv6.rb
+++ /dev/null
@@ -1,95 +0,0 @@
-#
-# Copyright 2017, Schuberg Philis B.V.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# author: Kristian Vlaardingerbroek
-
-title '3.3 IPv6'
-
-control 'cis-dil-benchmark-3.3.1' do
- title 'Ensure IPv6 router advertisements are not accepted'
- desc "This setting disables the system's ability to accept IPv6 router advertisements.\n\nRationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:3.3.1'
- tag level: 1
-
- only_if do
- ipv6_enabled = true
-
- %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
- grub_file = file(f)
- if !grub_file.content.nil? && grub_file.content.match(/ipv6\.disable=1/)
- ipv6_enabled = false
- break
- end
- end
-
- ipv6_enabled
- end
-
- %w(net.ipv6.conf.all.accept_ra net.ipv6.conf.default.accept_ra).each do |kp|
- describe kernel_parameter(kp) do
- its(:value) { should_not be_nil }
- its(:value) { should eq 0 }
- end
- end
-end
-
-control 'cis-dil-benchmark-3.3.2' do
- title 'Ensure IPv6 redirects are not accepted'
- desc "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.\n\nRationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:3.3.2'
- tag level: 1
-
- only_if do
- ipv6_enabled = true
-
- %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
- grub_file = file(f)
- if !grub_file.content.nil? && grub_file.content.match(/ipv6\.disable=1/)
- ipv6_enabled = false
- break
- end
- end
-
- ipv6_enabled
- end
-
- %w(net.ipv6.conf.all.accept_redirects net.ipv6.conf.default.accept_redirects).each do |kp|
- describe kernel_parameter(kp) do
- its(:value) { should_not be_nil }
- its(:value) { should eq 0 }
- end
- end
-end
-
-control 'cis-dil-benchmark-3.3.3' do
- title 'Ensure IPv6 is disabled'
- desc "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.\n\nRationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:3.3.3'
- tag level: 1
-
- describe.one do
- %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
- describe file(f) do
- its(:content) { should match(/ipv6\.disable=1/) }
- end
- end
- end
-end
diff --git a/controls/3_network/3_4_tcp_wrappers.rb b/controls/3_network/3_3_tcp_wrappers.rb
similarity index 67%
rename from controls/3_network/3_4_tcp_wrappers.rb
rename to controls/3_network/3_3_tcp_wrappers.rb
index 7945436..8143c47 100644
--- a/controls/3_network/3_4_tcp_wrappers.rb
+++ b/controls/3_network/3_3_tcp_wrappers.rb
@@ -14,15 +14,16 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
-title '3.4 TCP Wrappers'
+title '3.3 TCP Wrappers'
-control 'cis-dil-benchmark-3.4.1' do
+control 'cis-dil-benchmark-3.3.1' do
title 'Ensure TCP Wrappers is installed'
desc "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it.\n\nRationale: TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
impact 1.0
- tag cis: 'distribution-independent-linux:3.4.1'
+ tag cis: 'distribution-independent-linux:3.3.1'
tag level: 1
describe.one do
@@ -34,12 +35,12 @@ control 'cis-dil-benchmark-3.4.1' do
end
end
-control 'cis-dil-benchmark-3.4.2' do
+control 'cis-dil-benchmark-3.3.2' do
title 'Ensure /etc/hosts.allow is configured'
desc "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file.\n\nRationale: The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
impact 1.0
- tag cis: 'distribution-independent-linux:3.4.2'
+ tag cis: 'distribution-independent-linux:3.3.2'
tag level: 1
describe file('/etc/hosts.allow') do
@@ -47,69 +48,46 @@ control 'cis-dil-benchmark-3.4.2' do
end
end
-control 'cis-dil-benchmark-3.4.3' do
+control 'cis-dil-benchmark-3.3.3' do
title 'Ensure /etc/hosts.deny is configured'
desc "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.\n\nRationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system."
impact 1.0
- tag cis: 'distribution-independent-linux:3.4.3'
+ tag cis: 'distribution-independent-linux:3.3.3'
tag level: 1
describe file('/etc/hosts.deny') do
- its(:content) { should match(/^ALL: ALL/) }
+ its('content') { should match /^ALL: ALL/ }
end
end
-control 'cis-dil-benchmark-3.4.4' do
+control 'cis-dil-benchmark-3.3.4' do
title 'Ensure permissions on /etc/hosts.allow are configured'
desc "The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate.\n\nRationale: It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
impact 1.0
- tag cis: 'distribution-independent-linux:3.4.4'
+ tag cis: 'distribution-independent-linux:3.3.4'
tag level: 1
describe file('/etc/hosts.allow') do
it { should exist }
- it { should be_readable.by 'owner' }
- it { should be_writable.by 'owner' }
- it { should_not be_executable.by 'owner' }
- it { should be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
- its(:sticky) { should equal false }
- its(:suid) { should equal false }
- its(:sgid) { should equal false }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
end
end
-control 'cis-dil-benchmark-3.4.5' do
+control 'cis-dil-benchmark-3.3.5' do
title 'Ensure permissions on /etc/hosts.deny are 644'
desc "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate.\n\nRationale: It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
impact 1.0
- tag cis: 'distribution-independent-linux:3.4.5'
+ tag cis: 'distribution-independent-linux:3.3.5'
tag level: 1
describe file('/etc/hosts.deny') do
- it { should exist }
- it { should be_readable.by 'owner' }
- it { should be_writable.by 'owner' }
- it { should_not be_executable.by 'owner' }
- it { should be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
- its(:sticky) { should equal false }
- its(:suid) { should equal false }
- its(:sgid) { should equal false }
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
end
end
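Review bot: The rewrite of 3.3.5 drops `it { should exist }` for /etc/hosts.deny while 3.3.4 keeps it for /etc/hosts.allow, so a missing /etc/hosts.deny now surfaces as `its('mode')` comparing nil against '0644' — a message that reads as a permission problem rather than an absent file. Re-add `it { should exist }` as the first expectation of the `describe file('/etc/hosts.deny')` block so the two permission controls stay parallel.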
diff --git a/controls/3_network/3_5_uncommon_network_protocols.rb b/controls/3_network/3_4_uncommon_network_protocols.rb
similarity index 82%
rename from controls/3_network/3_5_uncommon_network_protocols.rb
rename to controls/3_network/3_4_uncommon_network_protocols.rb
index a37f0a5..b8c6c4b 100644
--- a/controls/3_network/3_5_uncommon_network_protocols.rb
+++ b/controls/3_network/3_4_uncommon_network_protocols.rb
@@ -14,61 +14,70 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
-title '3.5 Uncommon Network Protocols'
+title '3.4 Uncommon Network Protocols'
-control 'cis-dil-benchmark-3.5.1' do
+control 'cis-dil-benchmark-3.4.1' do
title 'Ensure DCCP is disabled'
desc "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.\n\nRationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
impact 0.0
- tag cis: 'distribution-independent-linux:3.5.1'
- tag level: 1
+ tag cis: 'distribution-independent-linux:3.4.1'
+ tag level: 2
describe kernel_module('dccp') do
it { should_not be_loaded }
it { should be_disabled }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-3.5.2' do
+control 'cis-dil-benchmark-3.4.2' do
title 'Ensure SCTP is disabled'
desc "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.\n\nRationale: If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
impact 0.0
- tag cis: 'distribution-independent-linux:3.5.2'
- tag level: 1
+ tag cis: 'distribution-independent-linux:3.4.2'
+ tag level: 2
describe kernel_module('sctp') do
it { should_not be_loaded }
it { should be_disabled }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-3.5.3' do
+control 'cis-dil-benchmark-3.4.3' do
title 'Ensure RDS is disabled'
desc "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.\n\nRationale: If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
impact 0.0
- tag cis: 'distribution-independent-linux:3.5.3'
- tag level: 1
+ tag cis: 'distribution-independent-linux:3.4.3'
+ tag level: 2
describe kernel_module('rds') do
it { should_not be_loaded }
it { should be_disabled }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-3.5.4' do
+control 'cis-dil-benchmark-3.4.4' do
title 'Ensure TIPC is disabled'
desc "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.\n\nRationale: If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
impact 0.0
- tag cis: 'distribution-independent-linux:3.5.4'
- tag level: 1
+ tag cis: 'distribution-independent-linux:3.4.4'
+ tag level: 2
describe kernel_module('tipc') do
it { should_not be_loaded }
it { should be_disabled }
end
+
+ only_if { cis_level == 2 }
end
diff --git a/controls/3_network/3_5_firewall_configuration.rb b/controls/3_network/3_5_firewall_configuration.rb
new file mode 100644
index 0000000..e85ea24
--- /dev/null
+++ b/controls/3_network/3_5_firewall_configuration.rb
@@ -0,0 +1,200 @@
+#
+# Copyright 2017, Schuberg Philis B.V.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# author: Kristian Vlaardingerbroek
+
+title '3.5 Firewall Configuration'
+
+ipv6 = command('test -f /proc/net/if_inet6').exit_status
+
+# IPv6
+control 'cis-dil-benchmark-3.5.1.1' do
+ title 'Ensure IPv6 default deny firewall policy'
+ desc "A default deny all policy on connections ensures that any unconfigured network usage will be rejected.\n\nRationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.1.1'
+ tag level: 1
+
+ describe ip6tables do
+ it { should have_rule('-P INPUT DROP') }
+ it { should have_rule('-P OUTPUT DROP') }
+ it { should have_rule('-P FORWARD DROP') }
+ end
+
+ only_if { ipv6 == 0 }
+end
+
+control 'cis-dil-benchmark-3.5.1.2' do
+ title 'Ensure IPv6 loopback traffic is configured'
+ desc "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1).\n\nRationale: Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.1.2'
+ tag level: 1
+
+ describe ip6tables do
+ it { should have_rule('-A INPUT -i lo -j ACCEPT') }
+ it { should have_rule('-A OUTPUT -o lo -j ACCEPT') }
+ it { should have_rule('-A INPUT -s ::1 -j DROP') }
+ end
+
+ only_if { ipv6 == 0 }
+end
+
+control 'cis-dil-benchmark-3.5.1.3' do
+ title 'Ensure IPv6 outbound and established connections are configured'
+ desc "Configure the firewall rules for new outbound, and established IPv6 connections.\n\nRationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.1.3'
+ tag level: 1
+
+ describe ip6tables do
+ it { should have_rule('-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT') }
+ it { should have_rule('-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT') }
+ it { should have_rule('-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT') }
+ it { should have_rule('-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT') }
+ it { should have_rule('-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT') }
+ end
+
+ only_if { ipv6 == 0 }
+end
+
+control 'cis-dil-benchmark-3.5.1.4' do
+ title 'Ensure IPv6 firewall rules exist for all open ports'
+ desc "Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.\n\nRationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports."
+ impact 0.0
+
+ tag cis: 'distribution-independent-linux:3.5.1.4'
+ tag level: 1
+
+ port.where { address !~ /^::1$/ }.ports.each do |port|
+ describe "Firewall rule should exist for port #{port}" do
+ subject { ip6tables.retrieve_rules.any? { |s| s =~ /\s+--dport #{port}\s+/ } }
+ it { should be true }
+ end
+ end
+
+ only_if { ipv6 == 0 }
+end
+
+# IPv4
+control 'cis-dil-benchmark-3.5.2.1' do
+ title 'Ensure default deny firewall policy'
+ desc "A default deny all policy on connections ensures that any unconfigured network usage will be rejected.\n\nRationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.2.1'
+ tag level: 1
+
+ describe iptables do
+ it { should have_rule('-P INPUT DROP') }
+ it { should have_rule('-P OUTPUT DROP') }
+ it { should have_rule('-P FORWARD DROP') }
+ end
+end
+
+control 'cis-dil-benchmark-3.5.2.2' do
+ title 'Ensure loopback traffic is configured'
+ desc "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).\n\nRationale: Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.2.2'
+ tag level: 1
+
+ describe iptables do
+ it { should have_rule('-A INPUT -i lo -j ACCEPT') }
+ it { should have_rule('-A OUTPUT -o lo -j ACCEPT') }
+ it { should have_rule('-A INPUT -s 127.0.0.0/8 -j DROP') }
+ end
+end
+
+control 'cis-dil-benchmark-3.5.2.3' do
+ title 'Ensure outbound and established connections are configured'
+ desc "Configure the firewall rules for new outbound, and established connections.\n\nRationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage."
+ impact 0.0
+
+ tag cis: 'distribution-independent-linux:3.5.2.3'
+ tag level: 1
+
+ %w(tcp udp icmp).each do |proto|
+ describe iptables do
+ it { should have_rule("-A OUTPUT -p #{proto} -m state --state NEW,ESTABLISHED -j ACCEPT") }
+ it { should have_rule("-A INPUT -p #{proto} -m state --state ESTABLISHED -j ACCEPT") }
+ end
+ end
+end
+
+control 'cis-dil-benchmark-3.5.2.4' do
+ title 'Ensure firewall rules exist for all open ports'
+ desc "Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.\n\nRationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.2.4'
+ tag level: 1
+
+ port.where { address !~ /^(127\.0\.0\.1|::1)$/ }.ports.each do |port|
+ describe "Firewall rule should exist for port #{port}" do
+ subject { iptables.retrieve_rules.any? { |s| s =~ /\s+--dport #{port}\s+/ } }
+ it { should be true }
+ end
+ end
+end
+
+control 'cis-dil-benchmark-3.5.3' do
+ title 'Ensure iptables is installed'
+ desc "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.\n\nRationale: iptables is required for firewall management and configuration."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:3.5.3'
+ tag level: 1
+
+ describe package('iptables') do
+ it { should be_installed }
+ end
+end
+
+control 'cis-dil-benchmark-3.6' do
+ title 'Ensure wireless interfaces are disabled'
+ desc "Wireless networking is used when wired networks are unavailable. Most distributions contains a wireless tool kit to allow system administrators to configure and use wireless networks.\n\nRationale: If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface."
+ impact 0.0
+
+ tag cis: 'distribution-independent-linux:3.6'
+ tag level: 1
+
+ command('find /sys/class/net/ -type l -maxdepth 1').stdout.split.each do |i|
+ next unless file("#{i}/wireless").directory? || file("#{i}/phy80211").symlink?
+
+ describe interface(i) do
+ it { should_not be_up }
+ end
+ end
+end
+
+control 'cis-dil-benchmark-3.7' do
+ title 'Disable IPv6'
+ desc "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.\n\nRationale: If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+ impact 0.0
+
+ tag cis: 'distribution-independent-linux:3.7'
+ tag level: 2
+
+ command('cat /proc/cmdline | grep ipv6.disable=1') do
+ its('exit_status') { should eq 0 }
+ end
+end
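Review bot: Control 3.7 registers no expectation: `command('cat /proc/cmdline | grep ipv6.disable=1') do ... end` is missing `describe`, so the block is handed to the `command` resource and never yielded, and the `its('exit_status')` line is never evaluated. Replace it with `describe file('/proc/cmdline') do` / `its('content') { should match /ipv6\.disable=1/ }` / `end`, which also drops the shell pipeline. Separately, 3.7 is tagged level 2 but, unlike the level-2 controls in 3_4_uncommon_network_protocols.rb, has no `only_if { cis_level == 2 }`, and this file does not define a `cis_level` attribute at all. In 3.5.1.4 the filter `address !~ /^::1$/` still keeps IPv4 listeners (127.0.0.1, 0.0.0.0) and demands an ip6tables rule for them, whereas 3.5.2.4 excludes both loopbacks; selecting only IPv6 addresses (e.g. addresses containing ':' other than ::1) would be the precise filter.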
diff --git a/controls/3_network/3_6_firewall_configuration.rb b/controls/3_network/3_6_firewall_configuration.rb
deleted file mode 100644
index f366901..0000000
--- a/controls/3_network/3_6_firewall_configuration.rb
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# Copyright 2017, Schuberg Philis B.V.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# author: Kristian Vlaardingerbroek
-
-title '3.6 Firewall Configuration'
-
-control 'cis-dil-benchmark-3.6.1' do
- title 'Ensure iptables is installed'
- desc "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.\n\nRationale: iptables is required for firewall management and configuration."
- impact 1.0
-
- tag cis: 'distribution-independent-linux:3.6.1'
- tag level: 1
-
- describe package('iptables') do
- it { should be_installed }
- end
-end
-
-control 'cis-dil-benchmark-3.6.2' do
- title 'Ensure default deny firewall policy'
- desc "A default deny all policy on connections ensures that any unconfigured network usage will be rejected.\n\nRationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
- impact 1.0
-
- tag cis: 'distribution-independent-linux:3.6.2'
- tag level: 1
-
- %w(INPUT OUTPUT FORWARD).each do |chain|
- describe.one do
- describe iptables do
- it { should have_rule("-P #{chain} DROP") }
- end
- describe iptables do
- it { should have_rule("-P #{chain} REJECT") }
- end
- end
- end
-end
-
-control 'cis-dil-benchmark-3.6.3' do
- title 'Ensure loopback traffic is configured'
- desc "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).\n\nRationale: Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
- impact 1.0
-
- tag cis: 'distribution-independent-linux:3.6.3'
- tag level: 1
-
- describe iptables do
- it { should have_rule('-A INPUT -i lo -j ACCEPT') }
- it { should have_rule('-A OUTPUT -o lo -j ACCEPT') }
- it { should have_rule('-A INPUT -s 127.0.0.0/8 -j DROP') }
- end
-end
-
-control 'cis-dil-benchmark-3.6.4' do
- title 'Ensure outbound and established connections are configured'
- desc "Configure the firewall rules for new outbound, and established connections.\n\nRationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:3.6.4'
- tag level: 1
-
- %w(tcp udp icmp).each do |proto|
- describe iptables do
- it { should have_rule("-A OUTPUT -p #{proto} -m state --state NEW,ESTABLISHED -j ACCEPT") }
- it { should have_rule("-A INPUT -p #{proto} -m state --state ESTABLISHED -j ACCEPT") }
- end
- end
-end
-
-control 'cis-dil-benchmark-3.6.5' do
- title 'Ensure firewall rules exist for all open ports'
- desc "Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.\n\nRationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports."
- impact 1.0
-
- tag cis: 'distribution-independent-linux:3.6.5'
- tag level: 1
-
- port.where { address !~ /^(127\.0\.0\.1|::1)$/ }.ports.each do |port|
- describe "Firewall rule should exist for port #{port}" do
- subject { iptables.retrieve_rules.any? { |s| s =~ /\s+--dport #{port}\s+/ } }
- it { should be true }
- end
- end
-end
-
-control 'cis-dil-benchmark-3.7' do
- title 'Ensure wireless interfaces are disabled'
- desc "Wireless networking is used when wired networks are unavailable. Most distributions contains a wireless tool kit to allow system administrators to configure and use wireless networks.\n\nRationale: If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:3.7'
- tag level: 1
-
- command('find /sys/class/net/ -type l -maxdepth 1').stdout.split.each do |i|
- next unless file("#{i}/wireless").directory? || file("#{i}/phy80211").symlink?
-
- describe interface(i) do
- it { should_not be_up }
- end
- end
-end
diff --git a/controls/4_logging_and_auditing/4_1_configure_system_accounting_auditd.rb b/controls/4_logging_and_auditing/4_1_configure_system_accounting_auditd.rb
index 9953526..aab9b41 100644
--- a/controls/4_logging_and_auditing/4_1_configure_system_accounting_auditd.rb
+++ b/controls/4_logging_and_auditing/4_1_configure_system_accounting_auditd.rb
@@ -14,27 +14,25 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
cis_level = attribute('cis_level')
title '4.1 Configure System Accounting (auditd)'
-uid_min = login_defs.UID_MIN.to_i
-
control 'cis-dil-benchmark-4.1.1.1' do
title 'Ensure audit log storage size is configured'
desc "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.\n\nRationale: It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+ impact 1.0
tag cis: 'distribution-independent-linux:4.1.1.1'
tag level: 2
- impact 0.0
-
- only_if { cis_level == 2 }
-
describe file('/etc/audit/auditd.conf') do
- its(:content) { should match(/^max_log_file = \d+\s*(?:#.*)?$/) }
+ its('content') { should match /^max_log_file = \d+\s*(?:#.*)?$/ }
end
+
+ only_if { cis_level == 2 }
end
control 'cis-dil-benchmark-4.1.1.2' do
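Review bot: `uid_min = login_defs.UID_MIN.to_i` is removed from the top of the file, but the rest of the file is outside this hunk, so any later control that still interpolates `uid_min` into an audit rule pattern will raise NameError at profile load; please confirm every use was removed or replaced in the hunk that follows. If the intent is to stop consulting login.defs and hard-code the threshold, a short comment at the removal site explaining that decision would save the next reader from reintroducing it.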
@@ -45,13 +43,13 @@ control 'cis-dil-benchmark-4.1.1.2' do
tag cis: 'distribution-independent-linux:4.1.1.2'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/auditd.conf') do
- its(:content) { should match(/^space_left_action = email\s*(?:#.*)?$/) }
- its(:content) { should match(/^action_mail_acct = root\s*(?:#.*)?$/) }
- its(:content) { should match(/^admin_space_left_action = halt\s*(?:#.*)?$/) }
+ its('content') { should match /^space_left_action = email\s*(?:#.*)?$/ }
+ its('content') { should match /^action_mail_acct = root\s*(?:#.*)?$/ }
+ its('content') { should match /^admin_space_left_action = halt\s*(?:#.*)?$/ }
end
+
+ only_if { cis_level == 2 }
end
control 'cis-dil-benchmark-4.1.1.3' do
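Review bot: The rewritten matchers drop the parentheses the old side had, e.g. `should match /^space_left_action = email\s*(?:#.*)?$/`; Ruby parses `match /…/` as an ambiguous first argument (`ruby -w` warns and RuboCop flags it as Lint/AmbiguousRegexpLiteral), so the parenthesized form `its('content') { should match(/^space_left_action = email\s*(?:#.*)?$/) }` is the safer style. It also keeps this file consistent with the 4.1.15 lines later in the same diff, which kept their parentheses.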
@@ -62,360 +60,365 @@ control 'cis-dil-benchmark-4.1.1.3' do
tag cis: 'distribution-independent-linux:4.1.1.3'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/auditd.conf') do
- its(:content) { should match(/^max_log_file_action = keep_logs\s*(?:#.*)?$/) }
+ its('content') { should match /^max_log_file_action = keep_logs\s*(?:#.*)?$/ }
end
+
+ only_if { cis_level == 2 }
end
control 'cis-dil-benchmark-4.1.2' do
- title 'Ensure auditd service is enabled'
- desc "Turn on the auditd daemon to record system events.\n\nRationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+ title 'Ensure auditd is installed'
+ desc "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk.\n\nRationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
impact 1.0
tag cis: 'distribution-independent-linux:4.1.2'
tag level: 2
+ %w(audit audit-libs auditd audispd-plugins).each do |p|
+ describe package(p) do
+ it { should_not be_installed }
+ end
+ end
+
only_if { cis_level == 2 }
+end
+
+control 'cis-dil-benchmark-4.1.3' do
+ title 'Ensure auditd service is enabled'
+ desc "Turn on the auditd daemon to record system events.\n\nRationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:4.1.3'
+ tag level: 2
describe service('auditd') do
it { should be_enabled }
it { should be_running }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.3' do
+control 'cis-dil-benchmark-4.1.4' do
title 'Ensure auditing for processes that start prior to auditd is enabled'
desc "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.3'
+ tag cis: 'distribution-independent-linux:4.1.4'
tag level: 2
- only_if { cis_level == 2 }
-
describe.one do
%w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg /usr/share/oem/grub.cfg).each do |f|
describe file(f) do
- its(:content) { should match(/audit=1/) }
+ its('content') { should match /audit=1/ }
end
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.4' do
+control 'cis-dil-benchmark-4.1.5' do
title 'Ensure events that modify date and time information are collected'
desc "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"\n\nRationale: Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.4'
+ tag cis: 'distribution-independent-linux:4.1.5'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S clock_settime -k time-change$/) }
- its(:content) { should match(%r{^-w /etc/localtime -p wa -k time-change$}) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S clock_settime -k time-change$/ }
+ its('content') { should match %r{^-w /etc/localtime -p wa -k time-change$} }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S adjtimex -S settimeofday -k time-change$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S clock_settime -k time-change$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S adjtimex -S settimeofday -k time-change$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S clock_settime -k time-change$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.5' do
+control 'cis-dil-benchmark-4.1.6' do
title 'Ensure events that modify user/group information are collected'
desc "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file.\n\nRationale: Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.5'
+ tag cis: 'distribution-independent-linux:4.1.6'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/group -p wa -k identity$}) }
- its(:content) { should match(%r{^-w /etc/passwd -p wa -k identity$}) }
- its(:content) { should match(%r{^-w /etc/gshadow -p wa -k identity$}) }
- its(:content) { should match(%r{^-w /etc/shadow -p wa -k identity$}) }
- its(:content) { should match(%r{^-w /etc/security/opasswd -p wa -k identity$}) }
+ its('content') { should match %r{^-w /etc/group -p wa -k identity$} }
+ its('content') { should match %r{^-w /etc/passwd -p wa -k identity$} }
+ its('content') { should match %r{^-w /etc/gshadow -p wa -k identity$} }
+ its('content') { should match %r{^-w /etc/shadow -p wa -k identity$} }
+ its('content') { should match %r{^-w /etc/security/opasswd -p wa -k identity$} }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.6' do
+control 'cis-dil-benchmark-4.1.7' do
title "Ensure events that modify the system's network environment are collected"
desc "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files.\n\nRationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.6'
+ tag cis: 'distribution-independent-linux:4.1.7'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S sethostname -S setdomainname -k system-locale$/) }
- its(:content) { should match(%r{^-w /etc/issue -p wa -k system-locale$}) }
- its(:content) { should match(%r{^-w /etc/issue\.net -p wa -k system-locale$}) }
- its(:content) { should match(%r{^-w /etc/hosts -p wa -k system-locale$}) }
- end
-
- describe.one do
- describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/network -p wa -k system-locale$}) }
- end
-
- describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/networks -p wa -k system-locale$}) }
- end
-
- describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/sysconfig/network -p wa -k system-locale$}) }
- end
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S sethostname -S setdomainname -k system-locale$/ }
+ its('content') { should match %r{^-w /etc/issue -p wa -k system-locale$} }
+ its('content') { should match %r{^-w /etc/issue\.net -p wa -k system-locale$} }
+ its('content') { should match %r{^-w /etc/hosts -p wa -k system-locale$} }
+ its('content') { should match %r{^-w /etc/network -p wa -k system-locale$} }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S sethostname -S setdomainname -k system-locale$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S sethostname -S setdomainname -k system-locale$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.7' do
+control 'cis-dil-benchmark-4.1.8' do
title "Ensure events that modify the system's Mandatory Access Controls are collected"
desc "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.\n\nRationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.7'
+ tag cis: 'distribution-independent-linux:4.1.8'
tag level: 2
- only_if { cis_level == 2 }
-
describe.one do
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/selinux/ -p wa -k MAC-policy$}) }
+ its('content') { should match %r{^-w /etc/selinux/ -p wa -k MAC-policy$} }
+ its('content') { should match %r{^-w /user/share/selinux/ -p wa -k MAC-policy$} }
end
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/apparmor/ -p wa -k MAC-policy$}) }
- its(:content) { should match(%r{^-w /etc/apparmor.d/ -p wa -k MAC-policy$}) }
+ its('content') { should match %r{^-w /etc/apparmor/ -p wa -k MAC-policy$} }
+ its('content') { should match %r{^-w /etc/apparmor.d/ -p wa -k MAC-policy$} }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.8' do
+control 'cis-dil-benchmark-4.1.9' do
title 'Ensure login and logout events are collected'
desc "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module\n\nRationale: Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.8'
+ tag cis: 'distribution-independent-linux:4.1.9'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /var/log/faillog -p wa -k logins$}) }
- its(:content) { should match(%r{^-w /var/log/lastlog -p wa -k logins$}) }
- its(:content) { should match(%r{^-w /var/log/tallylog -p wa -k logins$}) }
+ its('content') { should match %r{^-w /var/log/faillog -p wa -k logins$} }
+ its('content') { should match %r{^-w /var/log/lastlog -p wa -k logins$} }
+ its('content') { should match %r{^-w /var/log/tallylog -p wa -k logins$} }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.9' do
+control 'cis-dil-benchmark-4.1.10' do
title 'Ensure session initiation information is collected'
desc "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"\n\nRationale: Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.9'
+ tag cis: 'distribution-independent-linux:4.1.10'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /var/run/utmp -p wa -k session$}) }
- its(:content) { should match(%r{^-w /var/log/wtmp -p wa -k logins$}) }
- its(:content) { should match(%r{^-w /var/log/btmp -p wa -k logins$}) }
+ its('content') { should match %r{^-w /var/run/utmp -p wa -k session$} }
+ its('content') { should match %r{^-w /var/log/wtmp -p wa -k logins$} }
+ its('content') { should match %r{^-w /var/log/btmp -p wa -k logins$} }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.10' do
+control 'cis-dil-benchmark-4.1.11' do
title 'Ensure discretionary access control permission modification events are collected'
desc "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"\n\nRationale: Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.10'
+ tag cis: 'distribution-independent-linux:4.1.11'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=#{uid_min} -F auid!=4294967295 -k perm_mod$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.11' do
+control 'cis-dil-benchmark-4.1.12' do
title 'Ensure unsuccessful unauthorized file access attempts are collected'
desc "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"\n\nRationale: Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.11'
+ tag cis: 'distribution-independent-linux:4.1.12'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access$/ }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 -k access$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access$/ }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.12' do
+control 'cis-dil-benchmark-4.1.13' do
title 'Ensure use of privileged commands is collected'
desc "Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.\n\nRationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.12'
+ tag cis: 'distribution-independent-linux:4.1.13'
tag level: 2
- only_if { cis_level == 2 }
-
- command('find / -xdev \( -perm -4000 -o -perm -2000 \) -type f').stdout.split.map { |x| "^-a (always,exit|exit,always) -F path=#{x} -F perm=x -F auid>=#{uid_min} -F auid!=4294967295 -k privileged$" }.each do |entry|
+ command('find / -xdev \( -perm -4000 -o -perm -2000 \) -type f').stdout.split.map { |x| "^-a (always,exit|exit,always) -F path=#{x} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged$" }.each do |entry|
describe file('/etc/audit/audit.rules') do
- its(:content) { should match Regexp.new(entry) }
+ its('content') { should match Regexp.new(entry) }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.13' do
+control 'cis-dil-benchmark-4.1.14' do
title 'Ensure successful file system mounts are collected'
desc "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user\n\nRationale: It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.13'
+ tag cis: 'distribution-independent-linux:4.1.14'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S mount -F auid>=#{uid_min} -F auid!=4294967295 -k mounts$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts$/ }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S mount -F auid>=#{uid_min} -F auid!=4294967295 -k mounts$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.14' do
+control 'cis-dil-benchmark-4.1.15' do
title 'Ensure file deletion events by users are collected'
desc "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\".\n\nRationale: Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.14'
+ tag cis: 'distribution-independent-linux:4.1.15'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete$/) }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
+ its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete$/) }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.15' do
+control 'cis-dil-benchmark-4.1.16' do
title 'Ensure changes to system administration scope (sudoers) is collected'
desc "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"\n\nRationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.15'
+ tag cis: 'distribution-independent-linux:4.1.16'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /etc/sudoers -p wa -k scope$}) }
- its(:content) { should match(%r{^-w /etc/sudoers\.d/? -p wa -k scope$}) }
+ its('content') { should match %r{^-w /etc/sudoers -p wa -k scope$} }
+ its('content') { should match %r{^-w /etc/sudoers\.d/? -p wa -k scope$} }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.16' do
+control 'cis-dil-benchmark-4.1.17' do
title 'Ensure system administrator actions (sudolog) are collected'
desc "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log.\n\nRationale: Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.16'
+ tag cis: 'distribution-independent-linux:4.1.17'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /var/log/sudo\.log -p wa -k actions$}) }
+ its('content') { should match %r{^-w /var/log/sudo\.log -p wa -k actions$} }
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.17' do
+control 'cis-dil-benchmark-4.1.18' do
title 'Ensure kernel module loading and unloading is collected'
desc "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\".\n\nRationale: Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
impact 1.0
- tag cis: 'distribution-independent-linux:4.1.17'
+ tag cis: 'distribution-independent-linux:4.1.18'
tag level: 2
- only_if { cis_level == 2 }
-
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(%r{^-w /sbin/insmod -p x -k modules$}) }
- its(:content) { should match(%r{^-w /sbin/rmmod -p x -k modules$}) }
- its(:content) { should match(%r{^-w /sbin/modprobe -p x -k modules$}) }
+ its('content') { should match %r{^-w /sbin/insmod -p x -k modules$} }
+ its('content') { should match %r{^-w /sbin/rmmod -p x -k modules$} }
+ its('content') { should match %r{^-w /sbin/modprobe -p x -k modules$} }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S init_module -S delete_module -k modules$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b64 -S init_module -S delete_module -k modules$/ }
end
else
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S init_module -S delete_module -k modules$/) }
+ its('content') { should match /^-a (always,exit|exit,always) -F arch=b32 -S init_module -S delete_module -k modules$/ }
end
end
+
+ only_if { cis_level == 2 }
end
-control 'cis-dil-benchmark-4.1.18' do
+control 'cis-dil-benchmark-4.1.19' do
title 'Ensure the audit configuration is immutable'
desc "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.\n\nRationale: In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
impact 1.0
- only_if { cis_level == 2 }
-
- tag cis: 'distribution-independent-linux:4.1.18'
+ tag cis: 'distribution-independent-linux:4.1.19'
tag level: 2
describe file('/etc/audit/audit.rules') do
- its(:content) { should match(/^-e 2$/) }
+ its('content') { should match /^-e 2$/ }
end
+
+ only_if { cis_level == 2 }
end
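Review bot: The new 4.1.2 control asserts `should_not be_installed` for every package in `%w(audit audit-libs auditd audispd-plugins)`, so a host with auditd installed fails and a host without it passes — the opposite of the control's title — and requiring all four names at once cannot pass on any single distribution, since `audit`/`audit-libs` are the RPM names and `auditd`/`audispd-plugins` the Debian ones. I would invert the matcher and accept either package family with `describe.one`, as below. Two smaller regressions in the same hunk: the watch path `/user/share/selinux/` in 4.1.8 looks like a typo for `/usr/share/selinux/`, and the `-F auid>=500` literals replace the `uid_min` read from login.defs, so hosts whose UID_MIN is 1000 will fail the perm_mod, access, privileged, mounts and delete checks even when their rules match the benchmark text. Collapsing the old `describe.one` over `/etc/network`, `/etc/networks` and `/etc/sysconfig/network` in 4.1.7 into a single required `/etc/network` watch likewise makes hosts that only have `/etc/sysconfig/network` fail.
```ruby
control 'cis-dil-benchmark-4.1.2' do
  # … unchanged: title, desc, impact, tags …

  # Package names differ by family: audit/audit-libs on RPM-based
  # distributions, auditd/audispd-plugins on Debian-based ones.
  describe.one do
    describe package('audit') do
      it { should be_installed }
    end
    describe package('auditd') do
      it { should be_installed }
    end
  end

  # … unchanged: only_if …
```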
diff --git a/controls/4_logging_and_auditing/4_2_configure_logging.rb b/controls/4_logging_and_auditing/4_2_configure_logging.rb
index 759f12b..6939722 100644
--- a/controls/4_logging_and_auditing/4_2_configure_logging.rb
+++ b/controls/4_logging_and_auditing/4_2_configure_logging.rb
@@ -14,15 +14,36 @@
# limitations under the License.
#
# author: Kristian Vlaardingerbroek
title '4.2 Configure Logging'
control 'cis-dil-benchmark-4.2.1.1' do
+ title 'Ensure rsyslog or syslog-ng is installed'
+ desc "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.\n\nRationale: The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+ impact 1.0
+
+ tag cis: 'distribution-independent-linux:4.2.1.1'
+ tag level: 1
+
+ describe.one do
+
+ describe package('rsyslog') do
+ it { should be_installed }
+ end
+
+ describe package('syslog-ng') do
+ it { should be_installed }
+ end
+ end
+end
+
+control 'cis-dil-benchmark-4.2.1.2' do
title 'Ensure rsyslog Service is enabled'
desc "Once the rsyslog package is installed it needs to be activated.\n\nRationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead."
impact 1.0
- tag cis: 'distribution-independent-linux:4.2.1.1'
+ tag cis: 'distribution-independent-linux:4.2.1.2'
tag level: 1
only_if do
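Review bot: The new 4.2.1.1 control accepts only a packaged rsyslog or syslog-ng, while the `only_if` guards in this file (`package('rsyslog').installed? || command('rsyslogd').exist?`) and the removed 4.2.3 control also accepted the daemon binary being present. A daemon installed from source or baked into a minimal image therefore fails 4.2.1.1 even though 4.2.1.2 and the later rsyslog controls still run against it, which makes the results contradict each other. Restoring the two `command(...)` alternatives inside the `describe.one` keeps the install check and the guards in step; if the package-only form is intended, the guards should drop their command fallback instead. The `only_if` at the end of this hunk belongs to 4.2.1.2, whose body continues past the hunk.
```ruby
  # Accept either the package or a reachable binary, matching the only_if
  # guards used by the rsyslog controls below.
  describe.one do
    describe package('rsyslog') do
      it { should be_installed }
    end

    describe command('rsyslogd') do
      it { should exist }
    end

    describe package('syslog-ng') do
      it { should be_installed }
    end

    describe command('syslog-ng') do
      it { should exist }
    end
  end
```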
@@ -35,7 +56,7 @@ control 'cis-dil-benchmark-4.2.1.1' do
end
end
-control 'cis-dil-benchmark-4.2.1.2' do
+control 'cis-dil-benchmark-4.2.1.3' do
title 'Ensure logging is configured'
desc "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages.\n\nRationale: A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)."
impact 0.0
@@ -49,10 +70,11 @@ control 'cis-dil-benchmark-4.2.1.2' do
describe file('/etc/rsyslog.conf') do
it { should exist }
+ its('size') { should > 0 }
end
end
-control 'cis-dil-benchmark-4.2.1.3' do
+control 'cis-dil-benchmark-4.2.1.4' do
title 'Ensure rsyslog default file permissions configured'
desc "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.\n\nRationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
impact 1.0
@@ -65,16 +87,16 @@ control 'cis-dil-benchmark-4.2.1.3' do
end
describe file('/etc/rsyslog.conf') do
- its(:content) { should match(/^\$FileCreateMode\s+0[6420][40]0\s*(?:#.*)?$/) }
+ its('content') { should match /^\$FileCreateMode\s+0[6420][40]0\s*(?:#.*)?$/ }
end
end
-control 'cis-dil-benchmark-4.2.1.4' do
+control 'cis-dil-benchmark-4.2.1.5' do
title 'Ensure rsyslog is configured to send logs to a remote log host'
desc "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.\n\nRationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
impact 1.0
- tag cis: 'distribution-independent-linux:4.2.1.4'
+ tag cis: 'distribution-independent-linux:4.2.1.5'
tag level: 1
only_if do
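Review bot: The `$FileCreateMode` check in 4.2.1.4 still reads only `/etc/rsyslog.conf`, whereas 4.2.1.6 in the next hunk greps `/etc/rsyslog.conf /etc/rsyslog.d/*.conf`; a `$FileCreateMode 0640` placed in a drop-in fails this control, and a more permissive value in a drop-in is never seen. Reading both locations the same way, e.g. `describe command("grep -h '^\\$FileCreateMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf") do` / `its('stdout') { should match /^\$FileCreateMode\s+0[6420][40]0\s*(?:#.*)?$/ }` / `end`, at least surfaces drop-in settings; since `^`/`$` are per-line anchors in Ruby, a multi-line stdout still passes if any one line is restrictive, so a stricter version should also assert no line sets a looser mode. Separately, the `its('size') { should > 0 }` added to 4.2.1.3 cannot fail on a stock install, so it adds no discrimination to "logging is configured". The trailing `only_if do` belongs to 4.2.1.5, whose body continues past the hunk.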
@@ -82,147 +104,79 @@ control 'cis-dil-benchmark-4.2.1.4' do
end
describe file('/etc/rsyslog.conf') do
- its(:content) { should match(/^\s*\*\.\*\s+@/) }
+ its('content') { should match /^\s*\*\.\*\s+@/ }
end
end
-control 'cis-dil-benchmark-4.2.1.5' do
+control 'cis-dil-benchmark-4.2.1.6' do
title 'Ensure remote rsyslog messages are only accepted on designated log hosts.'
desc "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port.\n\nRationale: The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
impact 0.0
- tag cis: 'distribution-independent-linux:4.2.1.5'
+ tag cis: 'distribution-independent-linux:4.2.1.6'
tag level: 1
only_if do
package('rsyslog').installed? || command('rsyslogd').exist?
end
- describe 'cis-dil-benchmark-4.2.1.5' do
- skip 'Not implemented'
+ describe.one do
+
+ describe command("grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf") do
+ its('exit_status') { should eq 0 }
+ end
+
+ describe command("grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf") do
+ its('exit_status') { should eq 0 }
+ end
end
end
control 'cis-dil-benchmark-4.2.2.1' do
- title 'Ensure syslog-ng service is enabled'
- desc "Once the syslog-ng package is installed it needs to be activated.\n\nRationale: If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+ title 'Ensure journald is configured to send logs to rsyslog'
+ desc "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export.\n\nRationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
impact 1.0
tag cis: 'distribution-independent-linux:4.2.2.1'
tag level: 1
- only_if do
- package('syslog-ng').installed? || command('syslog-ng').exist?
- end
-
- describe service('syslog-ng') do
- it { should be_enabled }
- it { should be_running }
+ describe command('grep -e ForwardToSyslog /etc/systemd/journald.conf') do
+ its('stdout') { should match /^ForwardToSyslog=yes$/ }
end
end
control 'cis-dil-benchmark-4.2.2.2' do
- title 'Ensure logging is configured'
- desc "The /etc/syslog-ng/syslog-ng.conf file specifies rules for logging and which files are to be used to log certain classes of messages.\n\nRationale: A great deal of important security-related information is sent via syslog-ng (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)."
- impact 0.0
+ title 'Ensure journald is configured to compress large log files'
+ desc "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.\n\nRationale: Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+ impact 1.0
tag cis: 'distribution-independent-linux:4.2.2.2'
tag level: 1
- only_if do
- package('syslog-ng').installed? || command('syslog-ng').exist?
- end
-
- describe file('/etc/syslog-ng/syslog-ng.conf') do
- its(:content) { should match(/^log \{.*$/) }
+ describe command('grep -e Compress /etc/systemd/journald.conf') do
+ its('stdout') { should match /^Compress=yes$/ }
end
end
control 'cis-dil-benchmark-4.2.2.3' do
- title 'Ensure syslog-ng default file permissions configured'
- desc "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.\n\nRationale: It is important to ensure that log files exist and have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+ title 'Ensure journald is configured to write logfiles to persistent disk'
+ desc "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss.\n\nRationale: Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
impact 1.0
tag cis: 'distribution-independent-linux:4.2.2.3'
tag level: 1
- only_if do
- package('syslog-ng').installed? || command('syslog-ng').exist?
- end
-
- describe file('/etc/syslog-ng/syslog-ng.conf') do
- its(:content) { should match(/^options { (\S+;\s*)*perm\(0[6420][40]0\); (\S+;\s*)*\};\s*(?:#.*)?$/) }
- end
-end
-
-control 'cis-dil-benchmark-4.2.2.4' do
- title 'Ensure syslog-ng is configured to send logs to a remote log host'
- desc "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead.\n\nRationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
- impact 1.0
-
- tag cis: 'distribution-independent-linux:4.2.2.4'
- tag level: 1
-
- only_if do
- package('syslog-ng').installed? || command('syslog-ng').exist?
- end
-
- describe file('/etc/syslog-ng/syslog-ng.conf') do
- its(:content) { should match(/^destination \S+ \{(\S+;\s*)*\};\s*(?:#.*)?$/) }
- its(:content) { should match(/^log \{ (\S+;\s*)*destination\(\S+\); (\S+;\s*)*\};\s*(?:#.*)?$/) }
- end
-end
-
-control 'cis-dil-benchmark-4.2.2.5' do
- title 'Ensure remote syslog-ng messages are only accepted on designated log hosts'
- desc "By default, syslog-ng does not listen for log messages coming in from remote systems.\n\nRationale: The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
- impact 0.0
-
- tag cis: 'distribution-independent-linux:4.2.2.5'
- tag level: 1
-
- only_if do
- package('syslog-ng').installed? || command('syslog-ng').exist?
- end
-
- describe 'cis-dil-benchmark-4.2.2.5' do
- skip 'Not implemented'
+ describe command('grep -e Storage /etc/systemd/journald.conf') do
+ its('stdout') { should match /^Storage=persistent$/ }
end
end
control 'cis-dil-benchmark-4.2.3' do
- title 'Ensure rsyslog or syslog-ng is installed'
- desc "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.\n\nRationale: The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
- impact 1.0
-
- tag cis: 'distribution-independent-linux:4.2.3'
- tag level: 1
-
- describe.one do
- describe package('rsyslog') do
- it { should be_installed }
- end
-
- describe command('rsyslogd') do
- it { should exist }
- end
-
- describe package('syslog-ng') do
- it { should be_installed }
- end
-
- describe command('syslog-ng') do
- it { should exist }
- end
- end
-end
-
-control 'cis-dil-benchmark-4.2.4' do
title 'Ensure permissions on all logfiles are configured'
desc "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well.\n\nRationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
impact 1.0
- tag cis: 'distribution-independent-linux:4.2.4'
+ tag cis: 'distribution-independent-linux:4.2.3'
tag level: 1
group_write_excepts = %w[lastlog wtmp]
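Review bot: The new 4.2.1.6 body passes only when `$ModLoad imtcp` or `$InputTCPServerRun` is found, which is the expected state for a designated log host and the opposite of what the control's own description requires for every other system; as written, every non-log host fails (or, at impact 0.0, is reported as informational noise). The grep patterns are also unanchored, so the commented-out `#$ModLoad imtcp` samples shipped in a stock `rsyslog.conf` count as a hit, and without `-q` a missing `/etc/rsyslog.d/*.conf` makes grep exit 2 even when `rsyslog.conf` matched. A profile cannot tell log hosts from clients on its own, so the intended role should be a profile input (the file already uses `attribute('cis_level')` from the top of the file), with the positive assertion on log hosts and the negative one elsewhere; the legacy `$ModLoad` syntax is what the benchmark audits, so the RainerScript `module(load="imtcp")` form remains uncovered either way. The `group_write_excepts` line at the end of this hunk belongs to 4.2.3, whose body continues past the hunk.
```ruby
  # … unchanged: title/desc/impact/tags/only_if …

  # Proposed profile input: true only on designated rsyslog log hosts.
  log_host = attribute('log_host', default: false,
                       description: 'true only on designated rsyslog log hosts')

  # Anchored so the commented-out samples in a stock rsyslog.conf do not match;
  # -q keeps a hit at exit 0 even when /etc/rsyslog.d/*.conf does not exist.
  ['\$ModLoad\s+imtcp', '\$InputTCPServerRun'].each do |directive|
    describe command("grep -Eqs '^\\s*#{directive}' /etc/rsyslog.conf /etc/rsyslog.d/*.conf") do
      if log_host
        its('exit_status') { should eq 0 }
      else
        its('exit_status') { should_not eq 0 }
      end
    end
  end
```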
@@ -245,7 +199,11 @@ control 'cis-dil-benchmark-4.3' do
tag cis: 'distribution-independent-linux:4.3'
tag level: 1
- describe 'cis-dil-benchmark-4.3' do
- skip 'Not implemented'
+ describe directory('/etc/logrotate.d/') do
+ it { should exist }
end
+
+ describe file('/var/lib/logrotate/logrotate.status') do
+ it { should exist }
+ its('size') { should > 0 }
end |
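Review bot: The 4.3 check hard-codes `/var/lib/logrotate/logrotate.status`, which is the RHEL-family state file; Debian and Ubuntu run logrotate with `--state /var/lib/logrotate/status` (worth confirming on the target platforms), so a correctly rotating Debian host fails a profile that calls itself distribution-independent. An existing `/etc/logrotate.d/` directory also says nothing about whether rotation is configured, which is why the benchmark treats 4.3 as a manual review of `/etc/logrotate.conf` and the drop-ins. Checking the package and `/etc/logrotate.conf`, and accepting either state-file name, keeps the control meaningful across distributions.
```ruby
  describe package('logrotate') do
    it { should be_installed }
  end

  describe file('/etc/logrotate.conf') do
    it { should exist }
  end

  # State file name is distribution-specific: logrotate.status on the RHEL
  # family, status on Debian/Ubuntu (confirm on the platforms you target).
  describe.one do
    describe file('/var/lib/logrotate/logrotate.status') do
      it { should exist }
    end

    describe file('/var/lib/logrotate/status') do
      it { should exist }
    end
  end
```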
@luckylittle Thank you very much for posting the changes. |
Is your feature request related to a problem? Please describe.
New version of CIS DILB has been released on 2019-July-16 [CIS_Distribution_Independent_Linux_Benchmark_v2.0.0.pdf 3,152 KB; 572 pages; 2019-07-16].
Describe the solution you'd like
Update the current profile to adhere to the new rules.
Describe alternatives you've considered
N/A
Additional context
I am reviewing the aforementioned version and making local changes based on it - most of them are around IPv6 and SELinux. For various reasons (currently working in a very strict environment, conflict of interest) I cannot simply create a PR for you. However, I am going to paste a diff of the changes I made below so you can incorporate it yourself.