CIS_Debian_Linux_8_Benchmark_v1.0.0

The document outlines the terms of use for the Center for Internet Security (CIS) Security Benchmarks, detailing the rights and responsibilities of members regarding the use of SB Products. It specifies restrictions on the use and distribution of these products, emphasizes the need for members to evaluate risks, and limits CIS's liability. Additionally, it includes provisions for jurisdiction, indemnification, and special rules for members, alongside interim recommendations for system security configurations.


License

CENTER FOR INTERNET SECURITY (CIS) SECURITY BENCHMARKS MEMBERSHIP TERMS OF USE
CIS SECURITY BENCHMARKS DIVISION MEMBERS MAY:
Use XLS Benchmarks in accordance with
UNDER THE FOLLOWING TERMS AND CONDITIONS:
SB Products Provided As Is. CIS is providing the SB Products as is and as available without: (1) any representations, warranties, or covenant
any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the ac
notify you of any corrections, updates, upgrades, or fixes.
Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any SB Product, and full title and all own
expressly granted in these Terms of Use are hereby reserved.
Restrictions. You acknowledge and agree that you may not: (1) decompile, dis-assemble, alter, reverse engineer, or otherwise attempt to der
redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any SB Product in any way or for any purpose; (3) post a
(4) remove from or alter these CIS Security Benchmarks Terms of Use on any SB Product; (5) remove from or alter any proprietary notices on
based directly on an SB Product or any component of an SB Product; (7) use any SB Product or any component of an SB Product with other
an SB Product for any part of their functionality; (8) represent or claim a particular level of compliance or consistency with any SB Product; or
of Use.
Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component
Products to your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with your use of any
CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has
direct, indirect, incidental, consequential, or special damages that arise out of or are connected in any way with your use of any SB Product.
Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service provid
your violation of these CIS Security Benchmarks Terms of Use.
Jurisdiction. You acknowledge and agree that: (1) these CIS Security Benchmarks Terms of Use will be governed by and construed in accor
these CIS Security Benchmarks Terms of Use shall be filed only in the courts located in the State of New York; and (3) you hereby consent a
U.S. Export Control and Sanctions laws. Regarding your use of the SB Products with any non-U.S. entity or country, you acknowledge that it
to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).
SPECIAL RULES FOR CIS MEMBERS:
Distribution of SB Products by Member. CIS hereby grants to each Member in good standing the right to distribute the SB Products within su
and agrees that the foregoing grants in this paragraph are subject to the terms of any membership arrangement with CIS and may, therefore,
Membership Agreement. For those CIS Members whose membership is governed by a membership agreement, in addition to these Terms o
any conflict exists between these Terms of Use and the terms of a Member's membership agreement, the terms of the membership agreeme
No Reimbursement of Membership Fees. In the event that a CIS Security Benchmarks Member terminates its membership prior to the end o
certification fees, unless: (1) Member terminates its membership for cause under the terms of its membership agreement; or (2) CIS terminate
the Member's membership fee and any unused certification fees, if applicable.
section
recommendation
# # title status scoring status description rationale statement

1 Patching and Softwainterim


<div><div> <div><div><div>
1 1.1 Install Updates, Pat interim unscored
Directories that are
Periodically used for
patches aresystem-wide
Newer
released forfunctions
patches may
included cansecurity
contain be further
software eitherpr
enhad
2 Filesystem Configurainterim
NOTE: If you are repartitioning a system that has already been
2 2.1 Create Separate Partiinterim scored The /tmp directory is Since the /tmp direct

2 2.2 Set nodev option for interim scored The nodev mount optiSince the /tmp filesy

2 2.3 Set nosuid option forinterim scored The nosuid mount opti
Since the /tmp filesy

2 2.4 Set noexec option forinterim scored The noexec mount opt
Since the /tmp filesy

2 2.5 Create Separate Partiinterim scored The /var directory i Since the /var directo

2 2.6 Bind Mount the /var/ interim scored The /var/tmp directorAll programs that use

2 2.7 Create Separate Partiinterim scored The /var/log director There are two importa

2 2.8 Create Separate Partiinterim scored The auditing daemon,There are two importa

2 2.9 Create Separate Partinterim scored The /home directory If the system is inte
Since the user partitions are not intended to sup
2 2.10 Add nodev Option to interim scored When set on a file sy
NOTE: The actions in the item refer to the
2 2.11 Add nodev Option to interim unscored Set nodev on removab Removable media cont

2 2.12 Add noexec Option t interim unscored Set noexec on removSetting this option

2 2.13 Add nosuid Option t interim unscored Set nosuid on removaSetting this option

2 2.14 Add nodev Option to interim scored The nodev mount optiSince the /run/shm fi

2 2.15 Add nosuid Option tointerim scored The nosuid mount optSetting this option

2 2.16 Add noexec Option tointerim scored Set noexec on the shSetting this option

2 2.17 Set Sticky Bit on All interim scored Setting the sticky bi This feature prevents

2 2.25 Disable Automountininterim scored autofs allows automaWith automounting en

3 Secure Boot Setting interim

3 3.1 Set User/Group Owne


interim scored Set the owner and gro
Setting the owner an

3 3.2 Set Permissions on binterim scored Set permission on theSetting the permissi

3 3.3 Set Boot Loader Pa interim scored Setting the boot loa Requiring a boot pas

3 3.4 Require Authenticati interim scored Setting a password foRequiring authenticat

4 Additional Process interim

4 4.1 Restrict Core Dumpsinterim scored A core dump is the me


Setting a hard limit

4 4.2 Enable XD/NX Suppor


interim unscored Recent processors inEnabling any feature

4 4.3 Enable Randomized interim scored Set the system flag Randomly placing virt

4 4.4 Disable Prelink interim scored The prelinking featur The prelinking featur

5 OS Services interim While applying system updates and patches helps correct known vu

5 5.2 Ensure chargen is n interim scored chargen is a networkDisabling this servic

5 5.3 Ensure daytime is n interim scored daytime is a network Disabling this servic

5 5.4 Ensure echo is not interim scored echo is a network serDisabling this servic

5 5.5 Ensure discard is no interim scored discard is a network Disabling this servic

5 5.6 Ensure time is not e interim scored time is a network serDisabling this servic
The items in this section are intended to ensure that legacy services
5.1 Ensure Legacy Serviinterim
NOTE: The audit items in the section check to see if the packag
5.1 5.1.1 Ensure NIS is not insinterim scored The Network Informati
The NIS service is i

5.1 5.1.2 Ensure rsh server is interim scored The Berkeley rsh-serv
These legacy servic

5.1 5.1.3 Ensure rsh client is ninterim scored The rsh package contThese legacy clients

5.1 5.1.4 Ensure talk server i interim scored The talk software mak
The software present

5.1 5.1.5 Ensure talk client is interim scored The talk software maThe software present

5.1 5.1.6 Ensure telnet server interim scored The telnet-server pa The telnet protocol

5.1 5.1.7 Ensure tftp-server is interim scored Trivial File Transfer TFTP does not suppor
The eXtended InterNET Daemon (xinetd) is an open source super d
5.1 5.1.8 Ensure xinetd is not interim scored If there are no xine
This section describes
NOTE: Several services
other thatrecommended
services are installed ontoservers that spe
be disabled in
6 Special Purpose Ser interim
NOTE: This section lists common packages for different service
6 6.1 Ensure the X Windowinterim scored The X Window system
Unless your organizat

6 6.2 Ensure Avahi Server interim scored Avahi is a free zeroc Since servers are not

6 6.3 Ensure print server i interim unscored The Common Unix Prin
If the system does no

6 6.4 Ensure DHCP Serverinterim scored The Dynamic Host Con


Unless a server is sp

6 6.5 Configure Network Tinterim scored The Network Time Pro


It is recommended tha

6 6.6 Ensure LDAP is not interim unscored The Lightweight DireIf the server will no

6 6.7 Ensure NFS and RPC


interim unscored The Network File Syst
If the server does n

6 6.8 Ensure DNS Server iinterim unscored The Domain Name Sys
Unless a server is sp

6 6.9 Ensure FTP Server i interim unscored The File Transfer ProFTP does not protect

6 6.10 Ensure HTTP Serverinterim unscored HTTP or web serversUnless


p there is a ne

6 6.11 Ensure IMAP and POP


interim unscored Dovecot is an open Unless POP3 and/or I

6 6.12 Ensure Samba is notinterim unscored The Samba daemon Ifallthere is no need t

6 6.13 Ensure HTTP Proxy S


interim unscored Squid is a standard If there is no need f

6 6.14 Ensure SNMP Serverinterim unscored The Simple Network The SNMP server com
The software for all Mail Transfer Agents is com
6 6.15 Configure Mail Transinterim scored Mail Transfer Agents
NOTE: The remediation given here provid
6 6.16 Ensure rsync serviceinterim scored The rsyncd service cThe rsyncd service p

7 Network Configuratiointerim This section provides guidance for secure network and firewall confi

7 7.6 Deactivate Wireless interim unscored Wireless networking If wireless is not to


IPtables is an application
<div that
class="overview">
allows a system administrator to config
7 7.7 Ensure Firewall is acinterim scored
NOTE: the audit and IPtables
remediation
provides
included
extra
provide
protection
instructions
for the L
7.1 Modify Network Parainterim The following network parameters determine if the system is to act a

7.1 7.1.1 Disable IP Forwardi interim scored The net.ipv4.ip_forwar


Setting the flag to 0

7.1 7.1.2 Disable Send Packetinterim scored ICMP Redirects are us


An attacker could us

7.2 Modify Network Parainterim The following network parameters determine if the system is to act a

7.2 7.2.1 Disable Source Rou interim scored In networking, sourc Setting net.ipv4.con
7.2 7.2.2 Disable ICMP Redireinterim scored ICMP redirect message
Attackers could use

7.2 7.2.3 Disable Secure ICMPinterim scored Secure ICMP redirectIt is still possible

7.2 7.2.4 Log Suspicious Packinterim scored When enabled, this f Enabling this feature

7.2 7.2.5 Enable Ignore Broadinterim scored Setting net.ipv4.icm Accepting ICMP echo

7.2 7.2.6 Enable Bad Error Meinterim scored Setting icmp_ignore_Some routers (and so

7.2 7.2.7 Enable RFC-recomme


interim scored Setting net.ipv4.conf Setting these flags

7.2 7.2.8 Enable TCP SYN Cointerim scored When tcp_syncookiesAttackers use SYN fl

7.3 Configure IPv6 interim IPv6 is a networking protocol that supersedes IPv4. It has more rout

7.3 7.3.1 Disable IPv6 Router interim unscored This setting disables It is recommended tha

7.3 7.3.2 Disable IPv6 Redire interim unscored This setting preventsIt is recommended tha

7.3 7.3.3 Disable IPv6 interim unscored Although IPv6 has mIf IPv6 is not to be

7.4 Install TCP Wrapper interim

7.4 7.4.1 Install TCP Wrapper interim scored TCP Wrappers provides
TCP Wrappers provide

7.4 7.4.2 Create /etc/hosts.all interim unscored The /etc/hosts.allow The /etc/hosts.allow

7.4 7.4.3 Verify Permissions o interim scored The /etc/hosts.allow It is critical to ens

7.4 7.4.4 Create /etc/hosts.de interim unscored The /etc/hosts.deny fThe /etc/hosts.deny f

7.4 7.4.5 Verify Permissions o interim scored The /etc/hosts.deny It is critical to ens

7.5 Uncommon Network interim The Linux kernel modules support several network protocols that are
If the protocol is not required, it is recommende
7.5 7.5.1 Disable DCCP interim unscored The Datagram Congest
to reduce the potential attack surface.
7.5 7.5.2 Disable SCTP interim unscored The Stream Control TIf the protocol is no
The items in this section describe how to configure logging, log mon
7.5 7.5.3 Disable RDS interim unscored The Reliable DatagraIf the protocol is no
It is recommended that rsyslog be used for logging (with logwat
7.5 7.5.4 Disable TIPC interim unscored The Transparent Int If the protocol is no
In addition to the local log files created by the steps in this secti
8 Logging and Auditin interim
Because it is often necessary to correlate log information from m
8 8.4 Configure logrotate interim unscored The system includes By t keeping the log fi
It is important that all logs described in this section be monitore
System auditing, through auditd, allows system administrators to mo
8.1 Configure System Acinterim
NOTE: For 64 bit systems that have arch as a rule parameter, you w
WhenNOTE
auditing,
ON itLOG
is important to carefully configure
FILE PERMISSIONS: the storage
There really requ
isn't a "one
8.1.1 Configure Data Rete interim
NOTE: Items in this section configure auditd, ensure it is install
8.2 Configure rsyslog interim The rsyslog software is recommended as a replacement for the defa

8.2 8.2.1 Install the rsyslog p interim scored The rsyslog packageThe security enhancem

8.2 8.2.2 Ensure the rsyslog Sinterim scored Once the rsyslog pack
If the rsyslog servic

8.2 8.2.3 Configure /etc/rsyslo interim unscored The /etc/rsyslog.confA great deal of impor

8.2 8.2.4 Create and Set Permiinterim scored A log file must alreadIt is important to en

8.2 8.2.5 Configure rsyslog t interim scored The rsyslog utility s Storing log data on a

8.2 8.2.6 Accept Remote rsys interim unscored By default, rsyslog The guidance in the

8.3 Advanced Intrusion interim AIDE is a file integrity checking tool, similar in nature to Tripwire. Wh
9 System Access, Authinterim

9 9.4 Restrict root Login interim unscored The file /etc/securett Since the system cons

9 9.5 Restrict Access to interim scored The su command allow


Restricting the use

9.1 Configure cron interim

9.1 9.1.1 Enable cron Daemo interim scored The cron daemon is uWhile there may not

9.1 9.1.2 Set User/Group Owne


interim scored The /etc/crontab file This file contains in

9.1 9.1.3 Set User/Group Owne


interim scored This directory conta Granting write access

9.1 9.1.4 Set User/Group Owne


interim scored The /etc/cron.daily d Granting write access

9.1 9.1.5 Set User/Group Owne


interim scored The /etc/cron.weeklyGranting write access

9.1 9.1.6 Set User/Group Owne


interim scored The /etc/cron.monthl Granting write access

9.1 9.1.7 Set User/Group Owne


interim scored The /etc/cron.d direc Granting write access
The pam_cracklib module checks the strength of passwords. It perfo
9.1 9.1.8 Restrict at/cron to A interim scored Configure /etc/cron.aOn many systems, only
* retry=3 - Allow 3 tries before sending back a failure.
9.2 Configure PAM interim PAM (Pluggable Authentication Modules) is a service that implemen
* minlen=14 - password must be 14 characters or more
* dcredit=-1 - provide at least one digit
9.2 9.2.1 Set Password Creati interim scored Strong passwords pr
* ucredit=-1 - provide at least one uppercase character
Lock out users after _n_ unsuccessful consecutive login attempts. T
* ocredit=-1 - provide at least one special character
9.2 9.2.2 Set Lockout for Fai interim unscored Locking out userIDs
* lcredit=-1 - provide at least one lowercase character
DESCRIPTION: SSHnumber
Set the lockout is a secure,
Forcing to theencrypted
users not replacement
to reuse
policy their
in effect forpasswor
past 5
at your commo
site.
9.2 9.2.3 Limit Password Reu interim scored The /etc/security/op
The setting shown above is one possible policy. Alter these val
RATIONALE: It is strongly recommended
Note that these changethatonly
sites abandon
apply ol
to acco
9.3 Configure SSH interim
If the ssh server is not installed the contents of this section are
9.3 9.3.1 Set SSH Protocol to interim scored SSH supports two difSSH v1 suffers from i
# dpkg -s openssh-server
9.3 9.3.2 Set LogLevel to INF interim scored The INFO parameterSSH sp provides several

9.3 9.3.3 Set Permissions on /interim scored The /etc/ssh/sshd_con


The /etc/ssh/sshd_co

9.3 9.3.4 Disable SSH X11 Fointerim scored The X11Forwarding pa


Disable X11 forwardi

9.3 9.3.5 Set SSH MaxAuthTrie


interim scored The MaxAuthTries par
Setting the MaxAuthT

9.3 9.3.6 Set SSH IgnoreRhostinterim scored The IgnoreRhosts parSetting this paramet

9.3 9.3.7 Set SSH HostbasedAu


interim scored The HostbasedAuthenti
Even though the .rhost

9.3 9.3.8 Disable SSH Root L interim scored The PermitRootLoginDisallowing


p root logi

9.3 9.3.9 Set SSH PermitEmptinterim scored There are several options
The PermitEmptyPassw available
Disallowing to limit
remote s which users and group ca

9.3 9.3.10 Do Not Allow Users interim scored AllowUsers


The PermitUserEnvirPermitting users the

9.3 9.3.11 Use Only Approved interim scored The AllowUsers


This variable variable
limits Based ongives the system
research co administrator the opt
Having no timeout value associated with a conn
9.3 9.3.12 Set Idle Timeout Inteinterim scored AllowGroups
The two options Clien
While the recommended setting is 300 sec
9.3 9.3.13 Limit Access via SS interim scored The AllowGroups Restricting
variable gives
whichthe
us system administrator the o

9.3 9.3.14 Set SSH Banner interim scored The Banner parameter
DenyUsers Banners are used to w

10 User Accounts and interim This section provides variable


The DenyUsers guidancegives
on setting up secure
the system defaults the
administrator for sys
opt

10 10.2 Disable System Acc interim scored ThereDenyGroups


are a number oIt is important to ma

10 10.3 Set Default Group fo interim scored The usermod command


Using
The DenyGroups GID gives
variable 0 for the
the system administrator the op
Setting a very secure default value for umask e
10 10.4 Set Default umask fointerim scored The default umask det
NOTE: The directives in this section apply
10 10.5 Lock Inactive User interim scored User accounts that hInactive accounts pos

10.1 Set Shadow Password


interim While a majority of the password control parameters have been mov

10.1 10.1.1 Set Password Expirainterim scored The PASS_MAX_DAYS


Thepwindow of opport

10.1 10.1.2 Set Password Chan interim scored The PASS_MIN_DAYS


By prestricting the f

10.1 10.1.3 Set Password Expiri interim scored Presenting a warningProviding


The PASS_WARN_AGE message
p prior
an to the normal user login may as
advance

11 Warning Banners interim Guidelines published by the US Department of Defense require

11 11.1 Set Warning Banner interim scored Unix-based


NOTE:systems
The contents of the
The have typically
text/ Warning
provided in thedisplayed
messages inf information
remediation about
actions for theite
these O
\m - machine architecture (uname -m)
11 11.2 Remove OS Informatinterim scored \r - operating system Displaying
release (uname
OS and -r) pat
\s - operating system name
11 11.3 Set Graphical Warni interim unscored Debian
\v defaults
- operating to u Warning
system messages
version (uname -v) inf

12 Verify System File P interim

12 12.1 Verify Permissions o interim scored The /etc/passwd file It is critical to ens

12 12.2 Verify Permissions o interim scored The /etc/shadow file If attackers can gain

12 12.3 Verify Permissions o interim scored The /etc/group file c The /etc/group file

12 12.4 Verify User/Group O interim scored The /etc/passwd file The /etc/passwd file

12 12.5 Verify User/Group O interim scored The /etc/shadow file If attackers can gain

12 12.6 Verify User/Group O interim scored The /etc/group file c The /etc/group file

12 12.7 Find World Writable interim unscored Unix-based systems D


s ata in world-writabl

12 12.8 Find Un-owned Files interim scored Sometimes when admin


A new user who is as

12 12.9 Find Un-grouped Fileinterim scored Sometimes when admin


A new user who is as

12 12.10 Find SUID System Einterim unscored The owner of a file There are valid reaso

12 12.11 Find SGID System Einterim unscored The owner of a file There are valid reas

13 Review User and Grointerim This section provides guidance on securing aspects of the users and

13 13.1 Ensure Password Fieinterim scored An account with an eAll accounts must ha

13 13.2 Verify No Legacy "+" interim scored The character + in vaThese entries may pr

13 13.3 Verify No Legacy "+" interim scored The character + in vaThese entries may pr

13 13.4 Verify No Legacy "+" interim scored The character + in vaThese entries may pr

13 13.5 Verify No UID 0 Accointerim scored Any account with UIDThis access must be

13 13.6 Ensure root PATH Intinterim scored The root user can exIncluding the current

13 13.7 Check Permissions ointerim scored While the system adm


Group or world-writab

13 13.8 Check User Dot File interim scored While the system admi
Group or world-writab

13 13.9 Check Permissions on


interim scored While the system admi
.netrc files may con

13 13.10 Check for Presence ointerim scored While no .rhosts file This action is only m

13 13.11 Check Groups in /et interim scored Over time, system adGroups defined in the
13 13.12 Check That Users Arinterim scored Users can be definedIf the user's home di

13 13.13 Check User Home Diinterim scored The user home directo
Since the user is acc

13 13.14 Check for Duplicate interim scored Although the useraddUsers must be assign

13 13.15 Check for Duplicate interim scored Although the groupadd


User groups must be

13 13.16 Check for Duplicate interim scored Although the useraddIf a user is assigned

13 13.17 Check for Duplicat interim scored Although the groupadd


If a group is assigne

13 13.18 Check for Presence ointerim scored The .netrc file contai The .netrc file prese

13 13.19 Check for Presence ointerim scored The .forward file spe Use of the .forward f

13 13.20 Ensure shadow grouinterim scored The shadow group allAny users assigned t
remediation procedureaudit procedure impact statement CCE-ID

Run the following commands to determine if there are packages to be updated:


Run the following command to update all packages on the system:
# apt-get update
system-wide functions can be
# apt-get further protected by placing them on separate partitions. This provides protection for resource exhaustion and enables the us
upgrade
# apt-get --just-print upgrade
itioning a system that has already been installed, make sure the data has been copied over to the new partition, unmount it and then remove the data from
Run the following command
Verify that
to enable
there isthe
a /tmp
/tmppartition
mount service:
mounted.

# systemctl enable Runtmp.mount


the following
# mount | grep commands
/tmp to determine if the system is configured as recommended.
Edit the /etc/systemd/system/tmp.mount file and add nodev to the options field of the [Mount] section.
Ensure the proper Run the
#
settings
Ensurefollowing
mount forthe| your
grep commands
command /tmpmount
/tmp | grep toare
returns determine
nodev aset
properly if the system/tmp is configured
filesystem.as recommended.
in /etc/systemd/system/tmp.mount.
mounted
Edit the /etc/systemd/system/tmp.mount
# mount -o remount,nodev /tmp file and add nosuid to the options field of the [Mount] section.
Run the # following
If mount
the command| grep commands
/tmp
emits notooutput
| grep determine
nosuid then the if the system
system is is
notconfigured
configuredasasrecommended.
recommended.
Edit the /etc/systemd/system/tmp.mount
# mount -o remount,nosuid /tmp file and add noexec to the options field of the [Mount] section.
Verify# Ifthat
mount there
the command | grepis a /tmp/var
emits file
| grep
no partition
noexec
output in
thenthethe/etc/fstab
systemfile.
is not configured as recommended.
Perform the following to determine if the system is configured as recommended:
For new installations,
# mount during installation
-o remount,noexec /tmp create a custom partition setup and specify a separate partition for /var.
# mount --bind /tmp /var/tmp #
If grep "[[:space:]]/var[[:space:]]"
the command emits no output then /etc/fstab
the system is not configured as recommended.
# grep -e "^/tmp" /etc/fstab | grep /var/tmp
For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.
/tmp /var/tmp none bind 0 0
and edit the /etc/fstab VerifyIfthat
file there
thetocommand
contain is a the /var/log
emits nofile
following partition
line:theninthe
output thesystem
/etc/fstab file.configured as recommended.
is not
# mount | grep -e "^/tmp" | grep /var/tmp
For new installations, during installation create a custom partition setup and specify a separate partition for /var/log.
/tmp on /var/tmp type none (rw,bind)
/tmp /var/tmp none Verify #that
bind 0 0there
grep is a /var/log/audit file partition
"[[:space:]]/var/log[[:space:]]" in the /etc/fstab file.
/etc/fstab
For new
For installations,
systems thatduring installationinstalled,
were previously create a use custom partitionVolume
the Logical setup and specify(LVM)
Manager a separate partition
to create for /var/log/audit.
partitions.
If the above commands emit no output then the system is not configured as recommended.
Verify# Ifthat
grep there is a /home fileoutput
"[[:space:]]/var/log/audit[[:space:]]"
the command emits no partition thenin the
the /etc/fstab
system is file.
/etc/fstab not configured as recommended.
For new
For installations,
systems thatduring installationinstalled,
were previously create a use custom partitionVolume
the Logical setup and specify(LVM)
Manager a separate partition
to create for /home.
partitions.
Run the following commands to determine if the system is configured as recommended.
#
If grep "[[:space:]]/home[[:space:]]"
the command emits no output then /etc/fstab
the system is not configured as recommended.
Edit the
For/etc/fstab
systems that file and
were add nodev toinstalled,
previously the fourthuse field the(mounting
Logical Volume options). See the(LVM)
Manager fstab(5) manualpartitions.
to create page for more information.
# grep /home /etc/fstab | grep nodev
If the command emits no output then the system is not configured as recommended.
# mount | grep /home | grep nodev
# mount -o remount,nodev /home
# grep <each removable media mountpoint> /etc/fstab
Edit the /etc/fstab f
VerifyIfthat
either nodevcommand is an optionemits no output then the system is not configured as recommended.
# grep <each removable media mountpoint> /etc/fstab
Edit the /etc/fstab f
NOTE: Verify that noexec is an option
Run
# grep the<each
following removable commands media to mountpoint>
determine if the system is in configured as recommended:
/etc/fstab
Edit the /etc/fstab f
Verify that nosuid is an option
Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fsta
Run the # grepfollowing
/run/shm commands
/etc/fstabto| determine
grep nodevif the system is in configured as recommended:
# mount | grep /run/shm | grep nodev
Edit the /etc/fstab
# mount file and add nosuid
-o remount,nodev /run/shm to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See
Run the # grepfollowing
/run/shm commands
/etc/fstabto| determine
grep nosuid if the system is in configured as recommended:
# mount | grep
If either /run/shmemits
command | grepno nosuid
output then the system is not configured as recommended.
Edit the /etc/fstab file and add
# mount -o remount,nosuid /run/shm noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See
# grep /run/shm /etc/fstab | grep noexec
# mount | grep
If either /run/shmemits
command | grepno noexec
output then the system is not configured as recommended.
# mount -o remount,noexec /run/shm
Create an encrypted
# df --local #password
-P | awk Ensure with
autofs
df --local -P |isgrub-md5-crypt:
awk not{'if enabled:
(NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
If either command emits no output then the system is not configured as recommended.
Disable autofs:
# grub-mkpasswd-pbkdf2 # ls /etc/rc*.d | grep autofs
Enter#password:
update-rc.d _<password>_
autofs disable
Perform the following to determine if the /boot/grub/grub.cfg file has the correct ownership:
# stat -c "%u %g" /boot/grub/grub.cfg | egrep "^0 0"
If the above command emits no output then the system is not configured as recommended.
Run the following to change ownership of /boot/grub/grub.cfg:
# chown root:root /boot/grub/grub.cfg

Perform the following to determine if the /boot/grub/grub.cfg file permissions are correct:
# stat -L -c "%a" /boot/grub/grub.cfg | egrep ".00"
If the above command emits no output then the system is not configured as recommended.
Run the following to set permissions for /boot/grub/grub.cfg:
# chmod og-rwx /boot/grub/grub.cfg

Perform the following to determine if a password is required to set boot parameters:
# grep "^set superusers" /boot/grub/grub.cfg
set superusers="<user-list>"
# grep "^password" /boot/grub/grub.cfg
password_pbkdf2 <user> <encrypted-password>
Run the following command and follow the prompts:
Reenter password: <password>
Your PBKDF2 is <encrypted-password>
Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file:
cat <<EOF
set superusers="<user-list>"
password_pbkdf2 <user> <encrypted-password>
EOF
Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux, a password will be required to boot in addition to editing boot parameters:
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
At least one user must be specified as a super user and have a password assigned.
Run the following to update the grub configuration:
# update-grub

Perform the following to determine if a password is set for the root user:
# grep ^root:[*\!]: /etc/shadow
No results should be returned.
Run the following command to set a password for the root user:
# passwd root

Perform the following to determine if core dumps are restricted.
# grep "hard core" /etc/security/limits.conf
* hard core 0
# sysctl fs.suid_dumpable
fs.suid_dumpable = 0
Add the following line to the /etc/security/limits.conf file.
* hard core 0
Add the following line to the /etc/sysctl.conf file.
fs.suid_dumpable = 0

Run the following to see if your kernel has identified and activated NX/XD protection.
# dmesg | grep NX
NX (Execute Disable) protection: active
On 32 bit systems install a kernel with PAE support; no installation is required on 64 bit systems. If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your BIOS.

Perform the following to determine if virtual memory is randomized.
# sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2
Add the following line to the /etc/sysctl.conf file.
kernel.randomize_va_space = 2

Run the following command:
# dpkg -s prelink
Ensure package status is not-installed or dpkg returns no info is available.
Run the following command to restore binaries to a normal, non-prelinked state, then remove prelink:
# /usr/sbin/prelink -ua
# apt-get purge prelink
tes and patches helps correct known vulnerabilities, one of the best ways to protect the system against as yet unreported vulnerabilities is to disable all ser

Ensure the chargen services are not enabled:
# grep ^chargen /etc/inetd.conf
No results should be returned.
Remove or comment out any chargen lines in /etc/inetd.conf:
#chargen stream tcp nowait root internal

Ensure the daytime services are not enabled:
# grep ^daytime /etc/inetd.conf
No results should be returned.
Remove or comment out any daytime lines in /etc/inetd.conf:
#daytime stream tcp nowait root internal

Ensure the echo services are not enabled:
# grep ^echo /etc/inetd.conf
No results should be returned.
Remove or comment out any echo lines in /etc/inetd.conf:
#echo stream tcp nowait root internal

Ensure the discard services are not enabled:
# grep ^discard /etc/inetd.conf
No results should be returned.
Remove or comment out any discard lines in /etc/inetd.conf:
#discard stream tcp nowait root internal

Ensure the time services are not enabled:
# grep ^time /etc/inetd.conf
No results should be returned.
Remove or comment out any time lines in /etc/inetd.conf:
#time stream tcp nowait root internal
intended to ensure that legacy services are not active on the system. This guidance recommends disabling the software however removal is also an accep
in the section check to see if the packages are listed in the package management database and installed. It could be argued that someone may have insta

Run the following command:
# dpkg -s nis
Ensure package status is not-installed or dpkg returns no info is available.
Uninstall the nis package:
# apt-get purge nis

Ensure the rsh services are not enabled:
# grep ^shell /etc/inetd.conf
# grep ^login /etc/inetd.conf
# grep ^exec /etc/inetd.conf
No results should be returned.
Remove or comment out any shell, login, or exec lines in /etc/inetd.conf:
#shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
#login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd

Run the following commands:
# dpkg -s rsh-client
# dpkg -s rsh-redone-client
Ensure package status is not-installed or dpkg returns no info is available.
Uninstall the rsh-client and rsh-redone-client packages:
# apt-get purge rsh-client rsh-redone-client

Ensure the talk services are not enabled:
# grep ^talk /etc/inetd.conf
# grep ^ntalk /etc/inetd.conf
No results should be returned.
Remove or comment out any talk or ntalk lines in /etc/inetd.conf:
#talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd
#ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd

Run the following command:
# dpkg -s talk
Ensure package status is not-installed or dpkg returns no info is available for both.
Uninstall the talk package:
# apt-get purge talk

Ensure the telnet service is not enabled:
# grep ^telnet /etc/inetd.conf
No results should be returned.
Remove or comment out any telnet lines in /etc/inetd.conf:
#telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

Ensure the tftp service is not enabled:
# grep ^tftp /etc/inetd.conf
No results should be returned.
Remove or comment out any tftp lines in /etc/inetd.conf:
#tftp stream tcp nowait root internal

Ensure xinetd is not enabled:
# ls /etc/rc*.d | grep xinetd
Ensure no S* lines are returned.
Disable xinetd:
# update-rc.d xinetd disable
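The per-service grep checks above (chargen, daytime, echo, discard, time, and the shell/login/exec, talk/ntalk, telnet and tftp entries) can be run as a single pass over the file. This is an added example, not part of the benchmark; the inetd.conf sample inside it is constructed.

```shell
#!/bin/bash
# Added example, not part of the CIS benchmark text: run the per-service
# "grep ^name /etc/inetd.conf" checks as one pass over an inetd.conf-style
# file, reporting legacy services whose entry is still active (not commented
# out). The sample file below is constructed.

LEGACY_SERVICES="chargen daytime echo discard time shell login exec talk ntalk telnet tftp"

# Print, one per line, each legacy service with an active entry in FILE.
# The service name is the first field; a leading '#' (including Debian's
# "#<off>#" marker) disables the entry. Returns 1 if any were found, else 0.
inetd_active_legacy() {
    file="$1"
    found=0
    for svc in $LEGACY_SERVICES; do
        if grep -Eq "^[[:space:]]*${svc}[[:space:]]" "$file"; then
            echo "$svc"
            found=1
        fi
    done
    return $found
}

# Constructed sample: chargen and telnet are disabled, daytime and talk are not.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# /etc/inetd.conf (constructed sample)
#chargen stream tcp nowait root internal
daytime  stream tcp nowait root internal
#<off># telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
talk     dgram  udp wait   nobody.tty /usr/sbin/in.talkd in.talkd
EOF
inetd_active_legacy "$SAMPLE" || echo "legacy inetd services listed above are still active"
rm -f "$SAMPLE"
```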
ces that are installed on servers that specifically need to run these services. If any of these services are not required, it is recommended that they be disabl
s common packages for different services however there are alternate packages which provide many of these services which should also be disabled or de

Uninstall X Windows:
# dpkg -l xserver-xorg-core*
Ensure no matching packages are listed as installed.
# apt-get purge xserver-xorg-core*

Perform the following to determine if avahi-daemon is disabled.
# systemctl is-enabled avahi-daemon
Ensure result is not enabled.
Disable avahi-daemon:
# systemctl disable avahi-daemon

Perform the following to determine if cups is disabled.
# systemctl is-enabled cups
Ensure result is not enabled.
Disable cups:
# systemctl disable cups

Ensure isc-dhcp-server is not enabled:
# ls /etc/rc*.d | grep isc-dhcp-server
Ensure no S* lines are returned.
Disable isc-dhcp-server:
# update-rc.d isc-dhcp-server disable

Run the following to ensure ntp is installed:
# dpkg -s ntp
Ensure package status is installed ok installed.
Install ntp:
# apt-get install ntp

Perform the following to determine if the system is configured to use an NTP Server and that the ntp daemon is run
The following script checks for the correct parameters on restrict default and restrict -6 default:
# grep "restrict .* default" /etc/ntp.conf
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Also, make sure /etc/ntp.conf has at least one NTP server specified:
# grep "^server" /etc/ntp.conf
server <ntp-server>
# grep "RUNASUSER=ntp" /etc/init.d/ntp
RUNASUSER=ntp
Ensure the following lines are in /etc/ntp.conf:
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
server <ntp-server>
NOTE: <ntp-server> is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this be

Ensure rpcbind is not enabled:
# ls /etc/rc*.d | grep rpcbind
Ensure no S* lines are returned.
Disable rpcbind:
# update-rc.d rpcbind disable

Run the following command:
# dpkg -s slapd
Ensure package status is not-installed or dpkg returns no info is available.
Uninstall the slapd package:
# apt-get purge slapd

Perform the following to determine if bind9 is disabled.
# systemctl is-enabled bind9
Ensure result is not enabled.
Disable bind9:
# systemctl disable bind9

Ensure nfs-kernel-server is not enabled:
# ls /etc/rc*.d | grep nfs-kernel-server
Ensure no S* lines are returned.
Disable nfs-kernel-server:
# update-rc.d nfs-kernel-server disable

Perform the following to determine if vsftpd is disabled.
# systemctl is-enabled vsftpd
Ensure result is not enabled.
Disable vsftpd:
# systemctl disable vsftpd

Ensure apache2 is not enabled:
# ls /etc/rc*.d | grep apache2
Ensure no S* lines are returned.
Disable apache2:
# update-rc.d apache2 disable

Perform the following to determine if dovecot is disabled.
# systemctl is-enabled dovecot
Ensure result is not enabled.
Disable dovecot:
# systemctl disable dovecot

Ensure samba is not enabled:
# ls /etc/rc*.d | grep smbd
Ensure no S* lines are returned.
Disable samba:
# update-rc.d smbd disable

Ensure squid3 is not enabled:
# ls /etc/rc*.d | grep squid3
Ensure no S* lines are returned.
Disable squid3:
# update-rc.d squid3 disable

Ensure snmpd is not enabled:
# ls /etc/rc*.d | grep snmpd
Ensure no S* lines are returned.
Disable snmpd:
# update-rc.d snmpd disable

Perform the following command and make sure that the MTA is listening on the loopback address (127.0.0.1):
# netstat -an | grep LIST | grep ":25[[:space:]]"
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses:
dc_local_interfaces='127.0.0.1 ; ::1'
Run update-exim4.conf:
# update-exim4.conf
Reload exim4 configuration:
# service exim4 reload

Ensure that rsync is not installed:
# dpkg -s rsync
Ensure package status is not-installed or dpkg returns no info is available.
Or ensure that the rsync service is not enabled:
# grep ^RSYNC_ENABLE /etc/default/rsync
RSYNC_ENABLE=false
Set RSYNC_ENABLE to false in /etc/default/rsync:
RSYNC_ENABLE=false

nce for secure network and firewall configuration.
Run the following to ensure the iptables and iptables-persistent packages are installed:
# dpkg -s iptables
# dpkg -s iptables-persistent
Ensure package status is install ok installed for both.
Install the iptables and iptables-persistent packages:
# apt-get install iptables iptables-persistent

Perform the following to determine if wireless interfaces are active.
# ifconfig -a
Validate that all interfaces using wireless are down.
Use the following command to disable wireless:
# nmcli nm wifi off
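The ntp.conf checks above grep for the two restrict lines and the server line literally, so a line that carries the same flags in a different order would be reported as missing. The following is an added check, not part of the benchmark, that accepts the required flags in any order; the ntp.conf sample inside it is constructed.

```shell
#!/bin/bash
# Added example, not part of the CIS benchmark text: audit an ntp.conf-style
# file for the "restrict -4 default" and "restrict -6 default" lines and the
# "server" line required by the benchmark. Unlike the benchmark's grep, the
# required flags may appear in any order. The sample file below is constructed.

REQUIRED_FLAGS="kod nomodify notrap nopeer noquery"

# Print the flags of the first active "restrict FAMILY default" line in FILE
# (FAMILY is -4 or -6). The benchmark expects both lines to be present
# explicitly, so a bare "restrict default" line is not credited to either.
ntp_default_restrict_flags() {
    awk -v fam="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "restrict" && $2 == fam && $3 == "default" {
            for (i = 4; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
            print ""
            exit
        }
    ' "$1"
}

# Report each missing line or flag; return 0 only when FILE is compliant.
audit_ntp_conf() {
    file="$1"
    rc=0
    for fam in -4 -6; do
        if ! grep -Eq "^[[:space:]]*restrict[[:space:]]+$fam[[:space:]]+default" "$file"; then
            echo "missing: restrict $fam default"
            rc=1
            continue
        fi
        flags=$(ntp_default_restrict_flags "$file" "$fam")
        for f in $REQUIRED_FLAGS; do
            case " $flags " in
                *" $f "*) ;;
                *) echo "restrict $fam default lacks $f"; rc=1 ;;
            esac
        done
    done
    # At least one time source must be named.
    if ! grep -Eq '^[[:space:]]*server[[:space:]]+[^[:space:]]' "$file"; then
        echo "no server line found"
        rc=1
    fi
    return $rc
}

# Constructed sample: the -6 line is missing noquery and no server is set.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod nomodify notrap nopeer
EOF
audit_ntp_conf "$SAMPLE" || echo "ntp.conf does not meet the benchmark"
rm -f "$SAMPLE"
```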
Ensure netfilter-persistent service is enabled:
# ls /etc/rc*.d/S*netfilter-persistent
/etc/rcS.d/S19netfilter-persistent
Start links should exist for run levels S.
Enable the netfilter-persistent service:
# update-rc.d netfilter-persistent enable

meters determine if the system is to act as a host only. A system is considered host only if the system has a single interface, or has multiple interfaces
Perform the following to determine if net.ipv4.ip_forward is enabled on the system.
# /sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf:
net.ipv4.ip_forward=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.ip_forward=0
# /sbin/sysctl -w net.ipv4.route.flush=1

meters determine if the system is to act as a router. A system acts as a router if it has at least two interfaces and is configured to perform routing functions.
Perform the following to determine if send packet redirects is disabled.
# /sbin/sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects = 0
Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if accepting source routed packets is disabled.
# /sbin/sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# /sbin/sysctl net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route = 0
Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if ICMP redirect messages will be rejected.
# /sbin/sysctl net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 0
Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if ICMP redirect messages will be rejected from known gateways.
# /sbin/sysctl net.ipv4.conf.all.secure_redirects
net.ipv4.conf.all.secure_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 0
Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if suspicious packets are logged.
# /sbin/sysctl net.ipv4.conf.all.log_martians
net.ipv4.conf.all.log_martians = 1
# /sbin/sysctl net.ipv4.conf.default.log_martians
net.ipv4.conf.default.log_martians = 1
Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf:
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.log_martians=1
# /sbin/sysctl -w net.ipv4.conf.default.log_martians=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if all ICMP echo and timestamp requests to broadcast and multicast addresses will be ignored.
# /sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if bogus messages will be ignored.
# /sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if RFC-recommended source route validation is enabled.
# /sbin/sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
# /sbin/sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
# /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
# /sbin/sysctl -w net.ipv4.route.flush=1

Perform the following to determine if TCP SYN Cookies is enabled.
# /sbin/sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf:
net.ipv4.tcp_syncookies=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.tcp_syncookies=1
# /sbin/sysctl -w net.ipv4.route.flush=1

l that supersedes IPv4. It has more routable addresses and has built in security. If IPv6 is to be used, follow this section of the benchmark to configure IPv6
Perform the following to determine if the system is disabled from accepting router advertisements:
# /sbin/sysctl net.ipv6.conf.all.accept_ra
net.ipv6.conf.all.accept_ra = 0
# /sbin/sysctl net.ipv6.conf.default.accept_ra
net.ipv6.conf.default.accept_ra = 0
Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameters to 0 in /etc/sysctl.conf:
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
# /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0
# /sbin/sysctl -w net.ipv6.route.flush=1

Perform the following to determine if IPv6 redirects are disabled.
# /sbin/sysctl net.ipv6.conf.all.accept_redirects
net.ipv6.conf.all.accept_redirects = 0
# /sbin/sysctl net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects = 0
Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv6.route.flush=1

Run the following command to determine if IPv6 is enabled:
# ip addr | grep inet6
No results should be returned.
Create or edit the file /etc/sysctl.conf and add the following lines:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
Run the following command or reboot to apply changes:
# sysctl -p

Run the following command to ensure tcpd is installed:
# dpkg -s tcpd
Ensure package status is installed ok installed.
Install tcpd:
# apt-get install tcpd
To verify if a service supports TCP Wrappers, run the following command:
# ldd <path-to-daemon> | grep libwrap.so
If there is any output, then the service supports TCP Wrappers.

Run the following command to verify the contents of the /etc/hosts.allow file.
# cat /etc/hosts.allow
[contents will vary, depending on your network configuration]
Create /etc/hosts.allow:
# echo "ALL: <net>/<mask>, <net>/<mask>, " >/etc/hosts.allow
where each <net>/<mask> combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your orga

Run the following command to determine the permissions on the /etc/hosts.allow file.
# /bin/ls -l /etc/hosts.allow
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/hosts.allow
If the permissions of the /etc/hosts.allow file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/hosts.allow

Verify that /etc/hosts.deny exists and is configured to deny all hosts not explicitly listed in /etc/hosts.allow:
# grep "ALL: ALL" /etc/hosts.deny
ALL: ALL
Create /etc/hosts.deny:
# echo "ALL: ALL" >> /etc/hosts.deny

Run the following command to determine the permissions on the /etc/hosts.deny file.
# /bin/ls -l /etc/hosts.deny
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/hosts.deny
If the permissions of the /etc/hosts.deny file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/hosts.deny
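The sysctl checks above query the running kernel one parameter at a time; the persistent file is what survives a reboot, and a value is easy to get wrong there (a later duplicate line silently overrides an earlier one). The following is an added example, not part of the benchmark, that audits a sysctl.conf-style file against every IPv4 and IPv6 value listed above; the sample file inside it is constructed.

```shell
#!/bin/bash
# Added example, not part of the CIS benchmark text: audit a sysctl.conf-style
# file against the IPv4 and IPv6 values required in this section. The
# benchmark queries the running kernel with "sysctl <key>"; this checks the
# persistent file instead. Sample input is constructed.

# key=expected pairs, taken from the recommendations above
EXPECTED="
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
"

# Print the value FILE assigns to KEY, the way "sysctl -p" reads the file:
# comments and blank lines are skipped, whitespace around '=' is tolerated,
# and when a key is assigned more than once the last assignment wins.
# Prints nothing when the key is absent.
sysctl_file_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/[[:space:]]+/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { if (seen) print val }
    ' "$1"
}

# Report every key that is unset or has the wrong value; return 0 only when
# FILE satisfies all of EXPECTED.
audit_sysctl_file() {
    file="$1"
    rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got=$(sysctl_file_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: ip_forward is corrected by a later line, the default
# send_redirects value is wrong, and most keys are simply missing.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.tcp_syncookies=1
EOF
audit_sysctl_file "$SAMPLE" || echo "sysctl.conf does not meet the benchmark"
rm -f "$SAMPLE"
```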
upport several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel.

Perform the following to determine if DCCP is disabled.
# grep "install dccp /bin/true" /etc/modprobe.d/CIS.conf
install dccp /bin/true
Add the following line to /etc/modprobe.d/CIS.conf:
# echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf

Perform the following to determine if SCTP is disabled.
# grep "install sctp /bin/true" /etc/modprobe.d/CIS.conf
install sctp /bin/true
Add the following line to /etc/modprobe.d/CIS.conf:
# echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf

Perform the following to determine if RDS is disabled.
# grep "install rds /bin/true" /etc/modprobe.d/CIS.conf
install rds /bin/true
Add the following line to /etc/modprobe.d/CIS.conf:
# echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf

Perform the following to determine if TIPC is disabled.
# grep "install tipc /bin/true" /etc/modprobe.d/CIS.conf
install tipc /bin/true
Add the following line to /etc/modprobe.d/CIS.conf:
# echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf

cribe how to configure logging, log monitoring, and auditing, using tools included in most distributions.
rsyslog be used for logging (with logwatch providing summarization) and auditd be used for auditing (with aureport providing summarization) to automatica
og files created by the steps in this section, it is also recommended that sites collect copies of their system logs on a secure, centralized log server via an e
essary to correlate log information from many different systems (particularly after a security incident) it is recommended that the time be synchronized amon
gs described in this section be monitored on a regular basis and correlated to determine trends. A seemingly innocuous entry in one log could be more sign
ditd, allows system administrators to monitor their systems such that they can detect unauthorized access or modification of data. By default, auditd will aud
at have arch as a rule parameter, you will need two rules: one for 64 bit and one for 32 bit systems. For 32 bit systems, only one rule is needed.
t to carefully configure the storage requirements for audit logs. By default, auditd will max out the log files at 5MB and retain only 4 copies of them. Older
ERMISSIONS: There really isn't a "one size fits all" solution to the permissions on log files. Many sites utilize group permissions so that administrators who
ction configure auditd, ensure it is installed per 8.1.2 Install and Enable auditd Service.
mmended as a replacement for the default syslogd daemon and provides improvements over syslogd, such as connection-oriented (i.e. TCP) transmission

Ensure rsyslog is installed:
# dpkg -s rsyslog
Ensure package status is installed ok installed.
Install the rsyslog package:
# apt-get install rsyslog

Perform the following to determine if rsyslog is enabled.
# systemctl is-enabled rsyslog
Ensure result is enabled.
Enable rsyslog:
# systemctl enable rsyslog

Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/* files to ensure appropriate logging is set. In addition, per
Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment:
*.emerg :omusrmsg:*
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
Execute the following command to restart rsyslogd:
# pkill -HUP rsyslogd

Edit the /etc/logrota
Review the /etc/logrotate.d/rsyslog file to determine if the appropriate system logs are rotated according to your site polic

For each <logfile> listed in the /etc/rsyslog.conf file, perform the following command and verify that the <owner>:<gro
# ls -l <logfile>
For sites that have NOT implemented a secure admin group:
Create the /var/log/ directory and for each <logfile> listed in the /etc/rsyslog.conf or /etc/rsyslog.d/* files, perform the following comman
# touch <logfile>
# chown root:root <logfile>
# chmod og-rwx <logfile>
For sites that HAVE implemented a secure admin group:
Create the /var/log/ directory and for each <logfile> listed in the /etc/rsyslog.conf file, perform the following commands (where is the na
# touch <logfile>
# chown root:<securegrp> <logfile>
# chmod g-wx,o-rwx <logfile>

Review the /etc/rsyslog.conf file and verify that logs are sent to a central host (where logfile.example.com is the name
# grep "^*.*[^I][^I]*@" /etc/rsyslog.conf
*.* @@loghost.example.com
Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host).
*.* @@loghost.example.com
NOTE: The double "at" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport me
Execute the following command to restart rsyslogd:
# pkill -HUP rsyslogd

For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines:
$ModLoad imtcp.so
$InputTCPServerRun 514
# grep '$ModLoad imtcp.so' /etc/rsyslog.conf
$ModLoad imtcp.so
# grep '$InputTCPServerRun' /etc/rsyslog.conf
$InputTCPServerRun 514
Execute the following command to restart rsyslogd:
# pkill -HUP rsyslogd

ng tool, similar in nature to Tripwire. While it cannot prevent intrusions, it can detect unauthorized changes to configuration files by alerting when the files a
# cat /etc/securetty
Remove entries for an

add the following line to the /etc/pam.d/su file.
auth required pam_wheel.so use_uid
# grep pam_wheel.so /etc/pam.d/su
auth required pam_wheel.so use_uid
# grep wheel /etc/group
wheel:x:10:root,<user list>
Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file.

Perform the following to determine if cron and anacron are enabled.
# systemctl is-enabled cron
# systemctl is-enabled anacron
Ensure result is enabled for both.
Enable cron and anacron:
# systemctl enable cron
# systemctl enable anacron

Perform the following to determine if the /etc/crontab file has the correct permissions.
# stat -c "%a %u %g" /etc/crontab | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/crontab
# chmod og-rwx /etc/crontab

Perform the following to determine if the /etc/cron.hourly directory has the correct permissions.
# stat -c "%a %u %g" /etc/cron.hourly | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly

Perform the following to determine if the /etc/cron.daily directory has the correct permissions.
# stat -c "%a %u %g" /etc/cron.daily | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/cron.daily
# chmod og-rwx /etc/cron.daily

Perform the following to determine if the /etc/cron.weekly directory has the correct permissions.
# stat -c "%a %u %g" /etc/cron.weekly | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly

Perform the following to determine if the /etc/cron.monthly directory has the correct permissions.
# stat -c "%a %u %g" /etc/cron.monthly | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly

Perform the following to determine if the /etc/cron.d directory has the correct permissions.
# stat -c "%a %u %g" /etc/cron.d | egrep ".00 0 0"
If the above command emits no output then the system is not configured as recommended.
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d

Perform the following to determine if the remediation in the section has been performed:
# ls -l /etc/cron.deny
[no output returned]
# ls -l /etc/at.deny
[no output returned]
# ls -l /etc/cron.allow
-rw------- 1 root root /etc/cron.allow
# ls -l /etc/at.allow
-rw------- 1 root root /etc/at.allow
# /bin/rm /etc/cron.deny
# /bin/rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root:root /etc/cron.allow
# chown root:root /etc/at.allow

ion Modules) is a service that implements modular authentication modules on UNIX systems. PAM is implemented as a set of shared objects that are loade

Ensure that the libpam-cracklib package is installed:
# dpkg -s libpam-cracklib
Ensure package status is install ok installed.
Install the libpam-cracklib package:
# apt-get install libpam-cracklib

Perform the following to determine the current settings in the /etc/pam.d/common-password file.
# grep pam_cracklib.so /etc/pam.d/common-password
password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

Perform the following to determine the current settings for user lockout.
# grep "pam_tally2" /etc/pam.d/login
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Edit the /etc/pam.d/login file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
NOTE: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_t

Perform the following to determine the current setting for reuse of older passwords:
# grep "remember" /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
NOTE: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password po

cure, encrypted replacement for common login services such as telnet, ftp, rlogin, rsh, and rcp.
gly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network
To verify the correct SSH setting, run the following command and verify that the output is as shown:
Edit the of
nstalled the contents /etc/ssh/sshd_config
this section are notfile to set the
required. Youparameter
can checkasthe follows:
install status of the ssh server with the following command:
To verify the"^Protocol"
# grep correct SSH setting, run the following command and verify that the output is as shown:
/etc/ssh/sshd_config
er If
Editthethe
user and2group ownership
/etc/ssh/sshd_config
Protocol file of
to the
set /etc/ssh/sshd_config
the parameter as follows: file are incorrect, run the following command to correct them:
Protocol 2
Run the following
# grep command
"^LogLevel" to determine the user and group ownership on the /etc/ssh/sshd_config file.
/etc/ssh/sshd_config
# chown root:root
LogLevel INFO /etc/ssh/sshd_config
LogLevel INFO
To verify the correct
# /bin/ls SSH setting, run the following command and verify that the output is as shown:
-l /etc/ssh/sshd_config
Edit the /etc/ssh/sshd_config
If the file to set
permissions are incorrect, runthethe
parameter
followingas follows: to correct them:
command
-rw------- 1 root root 762 Sep 23 002 /etc/ssh/sshd_config
To verify the"^X11Forwarding"
# grep correct SSH setting, run the following command and verify that the output is as shown:
/etc/ssh/sshd_config
Edit the /etc/ssh/sshd_config
X11Forwarding
# chmod 600 /etc/ssh/sshd_config
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "^MaxAuthTries" /etc/ssh/sshd_config
MaxAuthTries 4
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "^IgnoreRhosts" /etc/ssh/sshd_config
IgnoreRhosts yes
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
IgnoreRhosts yes
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "^HostbasedAuthentication" /etc/ssh/sshd_config
HostbasedAuthentication no
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
HostbasedAuthentication no
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin no
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
PermitEmptyPasswords no
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitEmptyPasswords no
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep PermitUserEnvironment /etc/ssh/sshd_config
PermitUserEnvironment no
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitUserEnvironment no
To verify the correct SSH setting, run the following command and verify that the output is as shown:
# grep "Ciphers" /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
To verify the correct SSH setting, run the following commands and verify that the output is as shown:
# grep "^ClientAliveInterval" /etc/ssh/sshd_config
ClientAliveInterval 300
# grep "^ClientAliveCountMax" /etc/ssh/sshd_config
ClientAliveCountMax 0
Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
To verify the correct SSH setting, run the following commands and verify that the output is as shown:
# grep "^AllowUsers" /etc/ssh/sshd_config
AllowUsers <userlist>
# grep "^AllowGroups" /etc/ssh/sshd_config
AllowGroups <grouplist>
# grep "^DenyUsers" /etc/ssh/sshd_config
DenyUsers <userlist>
# grep "^DenyGroups" /etc/ssh/sshd_config
DenyGroups <grouplist>
Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
To verify the correct SSH setting, run the following command and verify that <bannerfile> is either /etc/issue or /etc/issue.net:
# grep -i "^Banner" /etc/ssh/sshd_config
Banner <bannerfile>
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Banner /etc/issue.net
This section provides guidance on setting up secure defaults for system and user accounts and their environment.
Run the following script to determine if any system accounts can be accessed:
egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}'
There should be no results returned.
#!/bin/bash
for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do
  if [ $user != "root" ]
  then
    /usr/sbin/usermod -L $user
    if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]
    then
      /usr/sbin/usermod -s /usr/sbin/nologin $user
    fi
  fi
done
Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system nor
# grep "^root:" /etc/passwd | cut -f4 -d:
0
# usermod -g 0 root
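The sshd_config checks above are a series of separate greps, each of which only finds an uncommented line that begins with the directive name. The following script is an added example and not part of the CIS benchmark; it audits a whole sshd_config file against the directive values listed above in one pass, and distinguishes a directive that is missing (so that sshd's built-in default applies) from one that is set to the wrong value. Function names and the sample config are my own; the sample is constructed and contains one commented-out directive and one wrong value.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit an sshd_config file
# against the directive values listed above, reporting each one that is
# missing (so sshd's built-in default applies) or set to a different value.

# Directive and expected value, one pair per line, as listed above.
CIS_SSHD_EXPECTED="X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0"

# sshd_effective_value FILE DIRECTIVE: print the value sshd would use for
# DIRECTIVE, i.e. the first non-comment occurrence (keywords are
# case-insensitive). Directives inside a Match block are conditional, so the
# scan stops at the first "Match" line. Prints nothing if the directive is
# not set globally.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one "FAIL <directive>: ..." line per
# deviation from CIS_SSHD_EXPECTED; prints nothing for a compliant file.
audit_sshd_config() {
    printf '%s\n' "$CIS_SSHD_EXPECTED" | while read -r key want; do
        got=$(sshd_effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "FAIL $key: not set, sshd default applies (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: found $got, want $want"
        fi
    done
}

# sshd_failure_count FILE: number of deviations, for use in other scripts.
sshd_failure_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample sshd_config (not from a real host): MaxAuthTries is
# commented out and PermitRootLogin has the wrong value; the rest comply.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
X11Forwarding no
#MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
EOF

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
# Expected output:
# FAIL MaxAuthTries: not set, sshd default applies (want 4)
# FAIL PermitRootLogin: found yes, want no
```

Reading the effective value rather than grepping for one exact line matters because sshd honours the first occurrence of a directive and ignores case in keywords, so a second, conflicting line further down the file, or a differently capitalised one, would be missed by a grep for `^PermitRootLogin no` yet still be what the daemon enforces. The script deliberately stops at the first Match block; settings inside one apply only to matching connections and need to be reviewed by hand.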
# grep "^umask 077" /etc/bash.bashrc
umask 077
# grep "^umask 077" /etc/profile.d/*
umask 077
Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the foll
umask 077
# useradd -D | grep INACTIVE
INACTIVE=35
# useradd -D -f 35
While a majority of the password control parameters have been moved to PAM, some parameters set in /etc/login.defs are still available through the shadow password suite. Any changes made to /etc/login.defs will only be applied if the usermod command is used. If userIDs are added a different way, use the chage command to effect changes to individual userIDs.
Ensure PASS_MAX_DAYS set in /etc/login.defs:
# grep PASS_MAX_DAYS /etc/login.defs
PASS_MAX_DAYS 90
Ensure all users with a password have their password expiration set:
# chage --list <user>
Maximum number of days between password change: 90
Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs:
PASS_MAX_DAYS 90
Modify user parameters for all users with a password set to match:
# chage --maxdays 90 <user>
Ensure PASS_MIN_DAYS set in /etc/login.defs:
# grep PASS_MIN_DAYS /etc/login.defs
PASS_MIN_DAYS 7
Ensure all users with a password have their password expiration set:
# chage --list <user>
Minimum number of days between password change: 7
Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs:
PASS_MIN_DAYS 7
Modify user parameters for all users with a password set to match:
# chage --mindays 7 <user>
Ensure PASS_WARN_AGE set in /etc/login.defs (the login.defs parameter is PASS_WARN_AGE; a grep for PASS_WARN_DAYS would never match):
# grep PASS_WARN_AGE /etc/login.defs
PASS_WARN_AGE 7
Ensure all users with a password have their password expiration set:
# chage --list <user>
Number of days of warning before password expires: 7
Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs:
PASS_WARN_AGE 7
Modify user parameters for all users with a password set to match:
# chage --warndays 7 <user>
Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific exploits at a system.
Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies consent to such monitoring. It is important that the organization's legal counsel review the content of all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of relevant case law) can be found at http://www.justice.gov/criminal/cybercrime/
NOTE: The text provided in the remediation actions for these items is intended as an example only. Please edit to include the specific text for your organization as approved by your legal department.
Run the following commands and ensure that the files exist and have the correct permissions.
# /bin/ls -l /etc/motd
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/motd
# ls -l /etc/issue
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/issue
# ls -l /etc/issue.net
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/issue.net
# touch /etc/motd
# echo "Authorized uses only. All activity may be \
monitored and reported." > /etc/issue
# echo "Authorized uses only. All activity may be \
monitored and reported." > /etc/issue.net
# chown root:root /etc/motd
# chmod 644 /etc/motd
# chown root:root /etc/issue
# chmod 644 /etc/issue
# chown root:root /etc/issue.net
# chmod 644 /etc/issue.net
The commands above should simply validate the presence of the /etc/motd, /etc/issue and /etc/issue.net files. Review the contents of these files with the "cat" command and ensure that it is appropriate for your organization.
Perform the following commands to check if OS information is set to be displayed in your system login banners:
# egrep '(\\v|\\r|\\m|\\s)' /etc/issue
# egrep '(\\v|\\r|\\m|\\s)' /etc/motd
# egrep '(\\v|\\r|\\m|\\s)' /etc/issue.net
Edit the /etc/motd, /e
# grep banner-message /etc/gdm3/greeter.dconf-defaults
banner-message-enable=true
banner-message-text='<banner-text>'
Uncomment or add the following lines to /etc/gdm3/greeter.dconf-defaults:
banner-message-enable=true
banner-message-text='<banner-text>'
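The password-aging checks above rely on running chage --list for each user by hand. The following script is an added example and not part of the CIS benchmark; it reads records in /etc/shadow format and reports every account whose aging fields differ from the PASS_MAX_DAYS 90 / PASS_MIN_DAYS 7 / PASS_WARN_AGE 7 policy, which is what the login.defs values only guarantee for accounts created afterwards. Since it parses the password field anyway, it also reports an empty password field. The function name and the sample records are my own; the records are constructed and use placeholder hashes.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check /etc/shadow-format
# records against the aging policy set above (PASS_MAX_DAYS 90,
# PASS_MIN_DAYS 7, PASS_WARN_AGE 7). This is the scripted equivalent of
# running "chage --list" for every user, and it also flags an empty
# password field.

# audit_shadow_aging SHADOW_TEXT [MAX MIN WARN]: print one "NAME: reason"
# line per account whose aging fields differ from the policy. Accounts
# whose password field is "*" or starts with "!" (locked, or no password
# login) are skipped; an empty password field is reported on its own.
audit_shadow_aging() {
    printf '%s\n' "$1" | awk -F: -v max="${2:-90}" -v min="${3:-7}" -v warn="${4:-7}" '
        NF < 6 { next }                      # skip blank or malformed lines
        {
            name = $1; pw = $2
            if (pw == "") { print name ": empty password field"; next }
            if (pw == "*" || substr(pw, 1, 1) == "!") next
            if ($5 != max)  print name ": PASS_MAX_DAYS is " $5 ", want " max
            if ($4 != min)  print name ": PASS_MIN_DAYS is " $4 ", want " min
            if ($6 != warn) print name ": PASS_WARN_AGE is " $6 ", want " warn
        }'
}

# Constructed sample records (not from a real host). Field order is
# name:password:lastchange:min:max:warn:inactive:expire:reserved.
SAMPLE_SHADOW='root:$6$constructedhash:19000:0:99999:7:::
alice:$6$constructedhash:19000:7:90:7:::
bob:$6$constructedhash:19000:0:90:7:::
carol::19000:7:90:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::'

audit_shadow_aging "$SAMPLE_SHADOW"
# Expected output:
# root: PASS_MAX_DAYS is 99999, want 90
# root: PASS_MIN_DAYS is 0, want 7
# bob: PASS_MIN_DAYS is 0, want 7
# carol: empty password field
```

On a real host the input is `cat /etc/shadow` run as root, e.g. `audit_shadow_aging "$(cat /etc/shadow)"`. Locked and password-less system accounts are skipped on purpose: forcing a 90-day maximum onto an account that cannot log in with a password changes nothing, and reporting it only hides the accounts that matter.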
Run the following command to determine the permissions on the /etc/passwd file.
# /bin/ls -l /etc/passwd
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/passwd
If the permissions of the /etc/passwd file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/passwd
Run the following command to determine the permissions on the /etc/shadow file. Ensure world has no access, group has no write or execute access.
# /bin/ls -l /etc/shadow
-rw-r----- 1 root shadow 712 Jul 22 21:33 shadow
If the permissions of the /etc/shadow file are incorrect, run the following command to correct them:
# /bin/chmod 640 /etc/shadow
Run the following command to determine the permissions on the /etc/group file.
# /bin/ls -l /etc/group
-rw-r--r-- 1 root root 762 Sep 23 002 /etc/group
If the permissions of the /etc/group file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/group
Run the following command to determine the user and group ownership on the /etc/passwd file.
# /bin/ls -l /etc/passwd
-rw-r--r-- 1 root root 762 Sep 23 002 /etc/passwd
If the user and group ownership of the /etc/passwd file are incorrect, run the following command to correct them:
# /bin/chown root:root /etc/passwd
Run the following command to determine the ownership of the /etc/shadow file. Ensure it is owned by user root, and group root or shadow.
# /bin/ls -l /etc/shadow
-rw-r----- 1 root shadow 712 Jul 22 21:33 shadow
If the ownership of the /etc/shadow file is incorrect, run the following command to correct it:
# /bin/chown root:shadow /etc/shadow
Run the following command to determine the ownership of the /etc/group file.
# /bin/ls -l /etc/group
-rw-r--r-- 1 root root 762 Sep 23 002 /etc/group
If the ownership of the /etc/group file is incorrect, run the following command to correct it:
# /bin/chown root:root /etc/group
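The six checks above compare ls -l output by eye against an expected line. The following script is an added example and not part of the CIS benchmark; it turns those expectations into a table-driven check that prints a FAIL line for every file whose mode, owner or group differs from what the benchmark expects, and reports a missing file instead of silently passing. Function names are my own. The fixture at the end is constructed: three empty files in a temporary directory, owned by whoever runs the script, with the shadow copy deliberately left world-readable.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: a table-driven check of the
# mode and ownership the benchmark expects for /etc/passwd, /etc/shadow and
# /etc/group, parsing "ls -ld" output just as the audit commands above do.

# file_mode_owner_group PATH: print "<mode> <owner> <group>", e.g.
# "-rw-r----- root shadow". The mode is cut to its 10 permission characters
# so the "." or "+" that ls appends for a SELinux label or ACL is ignored.
file_mode_owner_group() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# audit_file PATH MODE OWNER GROUP: print "FAIL ..." when PATH is missing or
# differs from the expected triple; print nothing when it complies.
audit_file() {
    path=$1; want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"
        return 0
    fi
    got=$(file_mode_owner_group "$path")
    [ "$got" = "$want" ] || echo "FAIL $path: is '$got', want '$want'"
    return 0
}

# The three files and the values the benchmark expects for them; run as
# root on the host being audited.
audit_account_files() {
    audit_file /etc/passwd -rw-r--r-- root root
    audit_file /etc/shadow -rw-r----- root shadow
    audit_file /etc/group  -rw-r--r-- root root
}

# Constructed fixture (not a real host): empty copies of the three files in
# a temporary directory, owned by the current user, with "shadow"
# deliberately left world-readable (0644) so the check has something to say.
FIXTURE=$(mktemp -d)
ME=$(id -un); MYGROUP=$(id -gn)
: > "$FIXTURE/passwd"; chmod 644 "$FIXTURE/passwd"
: > "$FIXTURE/shadow"; chmod 644 "$FIXTURE/shadow"
: > "$FIXTURE/group";  chmod 644 "$FIXTURE/group"

audit_fixture() {
    audit_file "$FIXTURE/passwd" -rw-r--r-- "$ME" "$MYGROUP"
    audit_file "$FIXTURE/shadow" -rw-r----- "$ME" "$MYGROUP"
    audit_file "$FIXTURE/group"  -rw-r--r-- "$ME" "$MYGROUP"
}

audit_fixture   # prints one FAIL line, for the world-readable shadow copy
```

Comparing the full symbolic mode string is deliberate: it is exactly what the benchmark's ls -l audit asks you to verify, and it catches a file that has been made more restrictive than expected as well as one that is too open, which is worth knowing because a 0600 /etc/group would break name resolution for every unprivileged process.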
Removing write acces
#!/bin/bash
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print
Locate files that are
#!/bin/bash
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls
Locate files that are
#!/bin/bash
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls
Ensure that no rogue
#!/bin/bash
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print
Ensure that no rogue
#!/bin/bash
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print
This section provides guidance on securing aspects of the users and groups.
Run the following command and verify that no output is returned:
# /bin/cat /etc/shadow | /usr/bin/awk -F: '($2 == "" ) { print $1 " does not have a password "}'
If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why
# /usr/bin/passwd -l <username>
Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
Run the following command and verify that no output is returned:
# /bin/grep '^+:' /etc/passwd
Delete these entries i
Run the following command and verify that no output is returned:
# /bin/grep '^+:' /etc/shadow
Delete these entries i
Run the following command and verify that no output is returned:
# /bin/grep '^+:' /etc/group
Run the following command and verify that only the word "root" is returned:
# /bin/cat /etc/passwd | /usr/bin/awk -F: '($3 == 0) { print $1 }'
root
Delete any other entr
Correct or justify an
#!/bin/bash
if [ "`echo $PATH | grep :: `" != "" ]; then
  echo "Empty Directory in PATH (::)"
fi
if [ "`echo $PATH | /bin/grep :$`" != "" ]; then
  echo "Trailing : in PATH"
fi
p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
set -- $p
while [ "$1" != "" ]; do
  if [ "$1" = "." ]; then
    echo "PATH contains ."
    shift
    continue
  fi
  if [ -d $1 ]; then
    dirperm=`ls -ldH $1 | cut -f1 -d" "`
    if [ `echo $dirperm | cut -c6 ` != "-" ]; then
      echo "Group Write permission set on directory $1"
    fi
    if [ `echo $dirperm | cut -c9 ` != "-" ]; then
      echo "Other Write permission set on directory $1"
    fi
    dirown=`ls -ldH $1 | awk '{print $3}'`
    if [ "$dirown" != "root" ] ; then
      echo $1 is not owned by root
    fi
  else
    echo $1 is not a directory
  fi
  shift
done
Making global modific
#!/bin/bash
for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | /usr/bin/awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
  dirperm=`/bin/ls -ld $dir | /usr/bin/cut -f1 -d" "`
  if [ `echo $dirperm | /usr/bin/cut -c6 ` != "-" ]; then
    echo "Group Write permission set on directory $dir"
  fi
  if [ `echo $dirperm | /usr/bin/cut -c8 ` != "-" ]; then
    echo "Other Read permission set on directory $dir"
  fi
  if [ `echo $dirperm | /usr/bin/cut -c9 ` != "-" ]; then
    echo "Other Write permission set on directory $dir"
  fi
  if [ `echo $dirperm | /usr/bin/cut -c10 ` != "-" ]; then
    echo "Other Execute permission set on directory $dir"
  fi
done
Making global modific
#!/bin/bash
for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' | /usr/bin/awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
  for file in $dir/.[A-Za-z0-9]*; do
    if [ ! -h "$file" -a -f "$file" ]; then
      fileperm=`/bin/ls -ld $file | /usr/bin/cut -f1 -d" "`
      if [ `echo $fileperm | /usr/bin/cut -c6 ` != "-" ]; then
        echo "Group Write permission set on file $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c9 ` != "-" ]; then
        echo "Other Write permission set on file $file"
      fi
    fi
  done
done
Making global modific
Create a script as shown below and run it:
#!/bin/bash
for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' |\
  /usr/bin/awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
  for file in $dir/.netrc; do
    if [ ! -h "$file" -a -f "$file" ]; then
      fileperm=`/bin/ls -ld $file | /usr/bin/cut -f1 -d" "`
      if [ `echo $fileperm | /usr/bin/cut -c5 ` != "-" ]
      then
        echo "Group Read set on $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c6 ` != "-" ]
      then
        echo "Group Write set on $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c7 ` != "-" ]
      then
        echo "Group Execute set on $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c8 ` != "-" ]
      then
        echo "Other Read set on $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c9 ` != "-" ]
      then
        echo "Other Write set on $file"
      fi
      if [ `echo $fileperm | /usr/bin/cut -c10 ` != "-" ]
      then
        echo "Other Execute set on $file"
      fi
    fi
  done
done
If any users have .r
Execute
#!/bin/bash
for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' |\
  /usr/bin/awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
  for file in $dir/.rhosts; do
    if [ ! -h "$file" -a -f "$file" ]; then
      echo ".rhosts file in $dir"
    fi
  done
done
Analyze the output o
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
  grep -q -P "^.*?:[^:]*:$i:" /etc/group
  if [ $? -ne 0 ]; then
    echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
  fi
done
This script checks to make sure that home directories assigned in the /etc/passwd file exist.
If any users' home d
#!/bin/bash
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do
  if [ $uid -ge 500 -a ! -d "$dir" -a $user != "nfsnobody" -a $user != "nobody" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  fi
done
This script checks to make sure users own the home directory they are assigned to in the /etc/passwd file.
Change the ownership
#!/bin/bash
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do
  if [ $uid -ge 500 -a -d "$dir" -a $user != "nfsnobody" ]; then
    owner=$(stat -L -c "%U" "$dir")
    if [ "$owner" != "$user" ]; then
      echo "The home directory ($dir) of user $user is owned by $owner."
    fi
  fi
done
This script checks to make sure all UIDs in the /etc/passwd file are unique.
Based on the results
#!/bin/bash
/bin/cat /etc/passwd | /usr/bin/cut -f3 -d":" | /usr/bin/sort -n | /usr/bin/uniq -c |\
  while read x ; do
  [ -z "${x}" ] && break
  set - $x
  if [ $1 -gt 1 ]; then
    users=`/usr/bin/awk -F: '($3 == n) { print $1 }' n=$2 \
      /etc/passwd | /usr/bin/xargs`
    echo "Duplicate UID ($2): ${users}"
  fi
done
This script checks to make sure all GIDs in the /etc/group file are unique. You can also use the /usr/sbin/grpck command to check for other inconsistencies in the /etc/group file.
Based on the results
#!/bin/bash
/bin/cat /etc/group | /usr/bin/cut -f3 -d":" | /usr/bin/sort -n | /usr/bin/uniq -c |\
  while read x ; do
  [ -z "${x}" ] && break
  set - $x
  if [ $1 -gt 1 ]; then
    grps=`/usr/bin/awk -F: '($3 == n) { print $1 }' n=$2 \
      /etc/group | xargs`
    echo "Duplicate GID ($2): ${grps}"
  fi
done
This script checks to make sure all user names in the /etc/passwd file are unique.
Based on the results
#!/bin/bash
cat /etc/passwd | /usr/bin/cut -f1 -d":" | /usr/bin/sort -n | /usr/bin/uniq -c |\
  while read x ; do
  [ -z "${x}" ] && break
  set - $x
  if [ $1 -gt 1 ]; then
    uids=`/usr/bin/awk -F: '($1 == n) { print $3 }' n=$2 \
      /etc/passwd | xargs`
    echo "Duplicate User Name ($2): ${uids}"
  fi
done
This script checks to make sure all group names in the /etc/group file are unique.
Based on the results
#!/bin/bash
cat /etc/group | /usr/bin/cut -f1 -d":" | /usr/bin/sort -n | /usr/bin/uniq -c |\
  while read x ; do
  [ -z "${x}" ] && break
  set - $x
  if [ $1 -gt 1 ]; then
    gids=`/usr/bin/awk -F: '($1 == n) { print $3 }' n=$2 \
      /etc/group | xargs`
    echo "Duplicate Group Name ($2): ${gids}"
  fi
done
Making global modific
#!/bin/bash
for dir in `/bin/cat /etc/passwd |\
  /usr/bin/awk -F: '{ print $6 }'`; do
  if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
    echo ".netrc file $dir/.netrc exists"
  fi
done
This script checks for the presence of .forward files that may be in violation of the site security policy.
Making global modific
#!/bin/bash
for dir in `/bin/cat /etc/passwd |\
  /usr/bin/awk -F: '{ print $6 }'`; do
  if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
    echo ".forward file $dir/.forward exists"
  fi
done
Ensure there are no users in the shadow group:
grep ^shadow /etc/group
Ensure no users have shadow as their primary group:
awk -F: '($4 == "<shadow-gid>") { print }' /etc/passwd
Remove all users fro
ce exhaustion and enables the use of mounting options that are applicable to the directory's intended use. User's data can be stored on separate partitions

it and then remove the data from the directory that was in the old partition. Otherwise it will still consume space in the old partition that will be masked when
2 -a ! -perm -1000 \) 2>/dev/null

vulnerabilities is to disable all services that are not required for normal system operation. This prevents the exploitation of vulnerabilities discovered at a late
owever removal is also an acceptable remediation.

ed that someone may have installed them separately. However, this is also true for any other type of rogue software. It is beyond the scope of this benchm

ecommended that they be disabled or deleted from the system to reduce the potential attack surface.

ich should also be disabled or deleted if not required.

ct -6 default:

er and that the ntp daemon is running as an unprivileged user.

k address (127.0.0.1):

erface, or has multiple interfaces but will not be configured as a router.

ed to perform routing functions.


wn gateways.

st and multicast addresses will be ignored.

the benchmark to configure IPv6, otherwise disable IPv6.

n /etc/hosts.allow:

ey be disabled in the kernel.

ng summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior.

re, centralized log server via an encrypted connection. Not only does centralized logging help sites correlate events that may be occurring on multiple syste

at the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Netw
otated according to your site policy.
ntry in one log could be more significant when compared to an entry in another log.
of data. By default, auditd will audit SELinux AVC denials, system logins, account modifications, and authentication events. Events will be logged to /var/log
ly one rule is needed.
in only 4 copies of them. Older versions will be deleted. It is possible on a system that the 20 MBs of audit logs may fill up the system causing loss of audit
ssions so that administrators who are in a defined security group, such as "wheel" do not have to elevate privileges to root in order to read log files. Also, if a

-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.

ate logging is set. In addition, perform the following command and ensure that the log files are logging information:

and verify that the _<owner>:<group>_ is root:root and the permissions are 0600 (for sites that have not implemented a secure group) and root:securegrp w
ogfile.example.com_ is the name of your central log host).

n files by alerting when the files are changed. When setting up AIDE, decide internally what the site policy will be concerning integrity checking. Review the
et of shared objects that are loaded and executed when a program needs to authenticate a user. Files for PAM are typically located in the /etc/pam.d directo

password file.

lcredit=-1
g of sensitive data off the network.

ommand:

sshd_config file.

> is either /etc/issue or /etc/issue.net:

&& $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}'


e. Any changes made to /etc/login.defs will only be applied if the usermod command is used. If userIDs are added a different way, use the chage command

ssions.
ese login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specifi

e system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies c

rsystem login banners:


organization as approved by your legal department.

d /etc/issue.net files. Review the contents of these files with the "cat" command and ensure that it is appropriate for your organization.

re world has no access, group has no write or execute access.

it is owned by user root, and group root or shadow.

: '($7 != "/usr/sbin/nologin") { print $6 }'`; do

: '($7 != "/usr/sbin/nologin") { print $6 }'`; do


he /etc/passwd file.

use the /usr/sbin/grpck command to check for other inconsistencies in the /etc/group file.

ecurity policy.
tored on separate partitions and have stricter mount options. A user partition is a filesystem that has been established for use by the users and does not co

on that will be masked when the new filesystem is mounted. For example, if a system is in single-user mode with no filesystems mounted and the administr
rabilities discovered at a later date. If a service is not enabled, it cannot be exploited. The actions in this section of the document provide guidance on what
nd the scope of this benchmark to address software that is installed using non-standard methods and installation directories.
occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has m

e synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. See the ntpd(8) manual page for more informatio

nts will be logged to /var/log/audit/audit.log. The recording of these events will use a modest amount of disk space on a system. If significantly more events
ystem causing loss of audit data. While the recommendations here provide guidance, check your site policy for audit storage requirements.
der to read log files. Also, if a third party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to havi

tral logging server.

group) and root:securegrp with permissions of 0640 (for sites that have implemented a secure group):

egrity checking. Review the AIDE quick start guide and AIDE documentation before proceeding.
ated in the /etc/pam.d directory. PAM must be carefully configured to secure system authentication. While this section covers some of PAM, please consult
ay, use the chage command to effect changes to individual userIDs.

s attempting to target specific exploits at a system.

t use of the system implies consent to such monitoring. It is important that the organization's legal counsel review the content of all messages before any sy
y the users and does not contain software for system operations. The directives in this section are easier to perform during initial system installation. If the s

mounted and the administrator adds a lot of data to the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted unless it i
nt provide guidance on what services can be safely disabled and under which circumstances, greatly reducing the number of possible threats to the resultin
ise where the attacker has modified the local log files on the affected system(s). If a log correlation system is deployed, configure it to process the logs des

ual page for more information on configuring NTP.

If significantly more events are captured, additional on system or off system storage may need to be allocated.
, which is preferable to having it run setuid to root. Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do
me of PAM, please consult other PAM resources to fully understand the configuration capabilities.
all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of r
al system installation. If the system is already installed, it is recommended that a full backup be performed before repartitioning the system.

ystem is mounted unless it is removed first.


ssible threats to the resulting system.
re it to process the logs described in this section.

One is for systems that do not have a secured group method implemented that only permits root to read the log files (root:root 600). The other is for sites t
ation (including citations of relevant case law) can be found at http://www.justice.gov/criminal/cybercrime/ [http://www.justice.gov/criminal/cybercrime/ ]
600). The other is for sites that do have such a setup and are designated as root:securegrp 640 where securegrp is the defined security group (in some ca
v/criminal/cybercrime/ ]
security group (in some cases wheel).
section
recommendation
# # title status scoring status description rationale statement

1 Patching and Softwainterim


Directories that are used for system-wide functions can be further pr
2 Filesystem Configurainterim
NOTE: If you are repartitioning a system that has already been
2 2.18 Disable Mounting of interim unscored The cramfs filesyste Removing support for
2 2.19 Disable Mounting of interim unscored The freevxfs filesyst Removing support for

2 2.20 Disable Mounting of interim unscored The jffs2 (journaling Removing support for

2 2.21 Disable Mounting of interim unscored The hfs filesystem ty Removing support for

2 2.22 Disable Mounting of interim unscored The hfsplus filesyst Removing support for

2 2.23 Disable Mounting of interim unscored The squashfs filesys Removing support for

2 2.24 Disable Mounting of interim unscored The udf filesystem t Removing support for

3 Secure Boot Setting interim

4 Additional Process interim

4 4.5 Activate AppArmor interim scored AppArmor provides aFor an action to occ

5 OS Services interim While applying system updates and patches helps correct known vu
The items in this section are intended to ensure that legacy services
5.1 Ensure Legacy Serviinterim
This section describes audit items that check to see if the packag
NOTE: The services in the section are installed on servers that spe
6 Special Purpose Ser interim
NOTE: This section lists common packages for different service
7 Network Configuratiointerim This section provides guidance for secure network and firewall confi

7.1 Modify Network Parainterim The following network parameters determine if the system is to act a

7.2 Modify Network Parainterim The following network parameters determine if the system is to act a

7.3 Configure IPv6 interim IPv6 is a networking protocol that supersedes IPv4. It has more rout
The items in this section describe how to configure logging, log mon
7.4 Install TCP Wrapper interim
It is recommended that rsyslog be used for logging (with logwat
7.5 Uncommon Network interim The Linux kernel modules support several network protocols that are
In addition to the local log files created by the steps in this secti
8 Logging and Auditin interim
Because it is often necessary to correlate log information from m
System auditing, through auditd, allows system administrators to mo
8.1 Configure System Acinterim
NOTE: For 64 bit systems that have arch as a rule parameter, you w
It is important that all logs described in this section be monitore
8.1 8.1.2 Install and Enable a interim scored Install and turn on The capturing of sys
NOTE ON LOG FILE PERMISSIONS: There really isn't a "one
8.1 8.1.3 Enable Auditing for Pinterim scored Configure grub or lil Audit events need to

8.1 8.1.4 Record Events That interim scored Capture events where
Unexpected changes i

8.1 8.1.5 Record Events That interim scored Record events affectUnexpected changes t

8.1 8.1.6 Record Events That interim scored Record changes to ne


Monitoring sethostnam

8.1 8.1.7 Record Events That interim scored Monitor SELinux manda
Changes to files in t

8.1 8.1.8 Collect Login and L interim scored Monitor login and logMonitoring login/logo

8.1 8.1.9 Collect Session Initi interim scored Monitor session initi Monitoring these file

8.1 8.1.10 Collect Discretionar interim scored Monitor changes to fiMonitoring for changes

8.1 8.1.11 Collect Unsuccessfulinterim scored Monitor for unsuccess


Failed attempts to op

8.1 8.1.12 Collect Use of Priv interim scored Monitor privileged p Execution of privile
It is highly unusual for a non privileged user to m
8.1 8.1.13 Collect Successful interim scored Monitor the use of t
NOTE: This tracks successful and unsucc
8.1 8.1.14 Collect File Deletio interim scored Monitor the use of syMonitoring these call

8.1 8.1.15 Collect Changes to interim scored Monitor scope changes


Changes in the /etc/
8.1 8.1.16 Collect System Admin
interim scored Monitor the sudo log Changes in /var/log/s

8.1 8.1.17 Collect Kernel Modu interim scored Monitor the loading Monitoring the use o

8.1 8.1.18 Make the Audit Conf interim scored Set system audit so tIn immutable mode, u
When auditing, it is important to carefully configure the storage requ
8.1.1 Configure Data Rete interim
NOTE: Items in this section configure auditd, ensure it is install
8.1.1 8.1.1.1 Configure Audit Log interim unscored Configure the maximum
It is important that

8.1.1 8.1.1.2 Disable System on Au


interim unscored The auditd daemon ca
In high security cont

8.1.1 8.1.1.3 Keep All Auditing In interim scored Normally, auditd will In high security cont

8.2 Configure rsyslog interim The rsyslog software is recommended as a replacement for the defa

8.3 Advanced Intrusion interim AIDE is a file integrity checking tool, similar in nature to Tripwire. Wh

8.3 8.3.1 Install AIDE interim scored In some installations Install AIDE to make u

8.3 8.3.2 Implement Periodic Ex


interim scored Implement periodic fiPeriodic file checkin

9 System Access, Authinterim

9.1 Configure cron interim


DESCRIPTION: SSH is a secure, encrypted replacement for commo
9.2 Configure PAM interim PAM (Pluggable Authentication Modules) is a service that implemen
RATIONALE: It is strongly recommended that sites abandon ol
9.3 Configure SSH interim
If the ssh server is not installed the contents of this section are
10 User Accounts and interim This section provides guidance on setting up secure defaults for sys
# dpkg -s openssh-server
10.1 Set Shadow Password interim While a majority of the password control parameters have been mov
Presenting a warning message prior to the normal user login may as

11 Warning Banners interim Guidelines published by the US Department of Defense require

12 Verify System File P interim NOTE: The text provided in the remediation actions for these ite

13 Review User and Grointerim This section provides guidance on securing aspects of the users and
remediation procedureaudit procedure impact statement CCE-ID

system-wide functions can be further protected by placing them on separate partitions. This provides protection for resource exhaustion and enables the us
NOTE: If you are repartitioning a system that has already been installed, make sure the data has been copied over to the new partition, unmount it and then remove the data from
# /sbin/modprobe -n -v cramfs
install /bin/true
# /sbin/lsmod | grep cramfs
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install cramfs /bin/true
# /sbin/modprobe -n -v freevxfs
install /bin/true
# /sbin/lsmod | grep freevxfs
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install freevxfs /bin/true
# /sbin/modprobe -n -v jffs2
install /bin/true
# /sbin/lsmod | grep jffs2
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install jffs2 /bin/true
# /sbin/modprobe -n -v hfs
install /bin/true
# /sbin/lsmod | grep hfs
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfs /bin/true
# /sbin/modprobe -n -v hfsplus
install /bin/true
# /sbin/lsmod | grep hfsplus
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install hfsplus /bin/true
# /sbin/modprobe -n -v squashfs
install /bin/true
# /sbin/lsmod | grep squashfs
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install squashfs /bin/true
# /sbin/modprobe -n -v udf
install /bin/true
# /sbin/lsmod | grep udf
<No output>
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
install udf /bin/true
Check the status of AppArmor:
# apparmor_status
AppArmor available in kernel.
26 profiles are loaded.
26 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/named
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package):
# apt-get install apparmor apparmor-profiles apparmor-utils
Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub:
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
Update grub configuration (reboot will be required to apply changes):
# update-grub
Set all profiles to enforce mode:
# aa-enforce /etc/apparmor.d/*
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
While applying system updates and patches helps correct known vulnerabilities, one of the best ways to protect the system against as yet unreported vulnerabilities is to disable all services that are not required for normal system operation. This prevents the exploitation of vulnerabilities discovered at a later date. If a service is not enabled, it cannot be exploited. The actions in this section of the document provide guidance on what services can be safely disabled and under which circumstances, greatly reducing the number of possible threats to the resulting system.
The items in this section are intended to ensure that legacy services are not active on the system. This guidance recommends disabling the software however removal is also an acceptable remediation.
This section describes audit items that check to see if the packages are listed in the package management database and installed. It could be argued that someone may have installed them separately. However, this is also true for any other type of rogue software. It is beyond the scope of this benchmark to address software that is installed using non-standard methods and installation directories.
NOTE: The services in the section are installed on servers that specifically need to run these services. If any of these services are not required, it is recommended that they be disabled or deleted from the system to reduce the potential attack surface.
NOTE: This section lists common packages for different services however there are alternate packages which provide many of these services which should also be disabled or deleted if not required.
This section provides guidance for secure network and firewall configuration.
The following network parameters determine if the system is to act as a _host only_. A system is considered _host only_ if the system has a single interface, or has multiple interfaces but will not be configured as a router.
The following network parameters determine if the system is to act as a router. A system acts as a router if it has at least two interfaces and is configured to perform routing functions.
IPv6 is a networking protocol that supersedes IPv4. It has more routable addresses and has built in security. If IPv6 is to be used, follow this section of the benchmark to configure IPv6, otherwise disable IPv6.
The items in this section describe how to configure logging, log monitoring, and auditing, using tools included in most distributions.
It is recommended that rsyslog be used for logging (with logwatch providing summarization) and auditd be used for auditing (with aureport providing summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior.
The Linux kernel modules support several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel.
og files created by the steps in thisRun section,the
Ensurefollowingalso to
it is profiles ensure
recommended
are loaded, auditd no isprofiles
that installed:
sites collect
are in copies
complain of their
mode, system
and no logs on a secure,
processes centralized log server via an e
are unconfined.
For 64 bit systems, add Perform
the following
the following lines to the determine
/etc/audit/audit.rules
if events where file.
the system date and/or time has been modified are captured.
Installlog
essary to correlate auditd:
information from many # dpkgdifferent
-s auditd systems (particularly after a security incident) it is recommended that the time be synchronized amon
ditd, allows system administrators to monitor their systems such that they can detect unauthorized access or modification of data. By default, auditd will aud
-a always,exit -F arch=b64 On a 64 -S bitadjtimex
system, -Sperform
settimeofday the following
-k time-changecommand and ensure the output is as shown.
at have arch asFora64 rulebitparameter,
systems, add youthe willfollowing
need twolines rules: to one the /etc/audit/audit.rules
for 64 bit and one forfile. 32 bit systems. For 32 bit systems, only one rule is needed.
gs described -a Editalways,exit
in this apt-get -F
/etc/default/grub
# section arch=b32
install
be On a Ensure
to include
auditd
monitored 64onbit
-S system,
adjtimex
aaudit=1
package
regular -S
as perform
settimeofday
basispart
status of the
and following
-S stime
GRUB_CMDLINE_LINUX:
is installed
correlated oktocommand
-k time-change
installed.
determine and ensure
trends. the output innocuous
A seemingly is as shown entry in one log could be more sign
-a always,exit -F arch=b64 to determine
Perform #-Sgrep if events to
clock_settime
the time-change
following that modify the
-kdetermine
/etc/audit/audit.rules
time-change system's environment
if /boot/grub/grub.cfg are recorded.
is configured to log processes that start prior to auditd.
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
ERMISSIONS: -aThere
always,exit
really -F
If needed arch=b32
enable
isn't a -a
GRUB_CMDLINE_LINUX="audit=1""one always,exit
auditd: -S clock_settime
Perform
size -F arch=b64
the
fits all" following
solution -k time-change
-S
to adjtimex
determine -S settimeofday
if auditd files.-kMany
is enabled. time-change
-S to
the permissions
-k on
log sites utilize group permissions so that administrators who
-a exit,always -F arch=b32 -S sethostname setdomainname system-locale
Add the following-plines
-w /etc/localtime wa -a -kto # grep
the
always,exit
time-change system-locale
/etc/audit/audit.rules
-F arch=b32
"linux" /etc/audit/audit.rules
/boot/grub/grub.cfg-Sfile.
adjtimex -S settimeofday -S stime -k time-change
-w /etc/issue -p wa -kPerform system-locale the following to determine if events that modify user/group information are recorded.
For 64
# Execute
Andbit run
systems,
thethe
# systemctl following add
following
enable the
-a exit,alwaysfollowing
always,exit
command
#command
auditd systemctl lines
to-Frestart
toarch=b64
update
is-enabled toauditd
thethe-S/etc/audit/audit.rules
sethostname
clock_settime
grub configuration:
auditd -S file.
-k setdomainname
time-change -k system-locale
-w /etc/issue.net -p wa -k system-locale
# pkill-w-P/etc/group
1-HUP auditd -p For
-a 64
waexit,alwaysbit systems,
-kMake
identity
always,exit sure -Feach perform
arch=b32 line that -S the following
sethostname
clock_settime
starts command
with linux -S and
setdomainname
-k has
time-change
the ensureparameter
audit=1 the
-k outputset.
system-locale is as shown to determine if permission modific
-w /etc/hosts -p wa -k system-locale # grep identity /etc/audit/audit.rules
-a always,exit
-w /etc/passwd
# update-grub -p wa -F-w arch=b64
-k Ensure-Sresult
/etc/issue
identity
/etc/localtime -pchmod
wa -p is-k -S -kfchmod
system-locale
waenabled. time-change -S fchmodat -F auid>=1000 \
-w /etc/network -p wa-w -k/etc/group
system-locale -p wa -k identity
-F
-w auid!=4294967295
/etc/gshadow
For 32 bit systems, -p wa -w-k-k/etc/issue.net
perm_mod
# grep
identity
add perm_mod
the following -p walines /etc/audit/audit.rules
-k system-locale
to the /etc/audit/audit.rules file.
# Execute the following -w command
/etc/passwd to -prestartwa -kauditd identity
-a
-w always,exit
/etc/shadow-F-parch=b32 wa-a-w-kalways,exit
-S achmod
/etc/hosts
identity
On 32 -p -Fwa
bit -Sarch=b64
fchmod
-k
system, -S
system-locale-S chmod
perform fchmodat -S -F
fchmod
the following auid>=1000-S fchmodat
command \ and -F auid>=1000
ensure the output \ is as shown.
Add
# pkillthe-Pfollowing
1-HUP auditd lines -wto/etc/gshadow
the /etc/audit/audit.rules-p wato-kthe identityfile.
For
-F 64-abit systems, -F
-w auid!=4294967295
/etc/security/opasswd
always,exit add
-F
-w-k the-p following
auid!=4294967295
perm_mod
/etc/network
arch=b32 wa -k-Sidentity lines
-p
adjtimex /etc/audit/audit.rules
perm_mod
wa -k-Ssystem-locale
settimeofday -S stime -k file.
time-change
Perform
-w /etc/shadow the following -p wa to
-k determine
identity if events that modify the system's mandatory access controls are recorded
-a
Add always,exit the -F
the following
# Execute arch=b64
lines
following
arch=b32On
-a to 64the
command bit
always,exit
#-S systems,
chown to-Frestart
-S
/etc/audit/audit.rules
grep clock_settime
time-change perform
arch=b32
fchown auditd -Sthe following
fchownat
chmod
file.
-k/etc/audit/audit.rules
time-change -S-S command
fchmod and
lchown-S-Ffchmodat ensure
auid>=1000 -Fthe \ output is as
auid>=1000 \ shown to determine if there are unsucces
Add
For 32 thebitfollowing
systems, Perform
-w lines
addtothe the following lines
/etc/audit/audit.rules
following
/etc/security/opasswd to determine
-p towa if login and logout events
the-k/etc/audit/audit.rules
identity file. are recorded.
-F
Add
#
-wpkill -a-Palways,exit
auid!=4294967295
the following
1-HUP auditd
/etc/localtime -F
-plines
wa -F arch=b64
-a-k to
-k the 32-S
auid!=4294967295
perm_mod creat
For/etc/audit/audit.rules
always,exit
time-change bit-F systems, -S-k
arch=b32 open -S-S
perm_mod
perform openat
file. -S truncate
the following
adjtimex command
settimeofday -S ftruncate
-Sand \ -k time-change
ensure
stime the output is as shown to determine if events that m
-w /etc/selinux/ -p wa -k MAC-policy # grep MAC-policy /etc/audit/audit.rules
-F
-a exit=-EACCES
always,exit the -F
-w /var/log/faillog
# Execute -F -a
arch=b32
following auid>=1000
-p #-S
wa
command grep
always,exit
-kchown access
-F
loginsto-Fauid!=4294967295
-S
restart /etc/audit/audit.rules
arch=b64
fchown
arch=b32 auditd -S fchownat
chown -k -S
clock_settime access
-S
fchown
lchown -S-F fchownat
-k time-change auid>=1000 -S lchown
\ -F auid>=1000 \
# Execute the following
-a exit,always -FPerform
-warch=b32 # grep
command the-S
/etc/selinux/ following
logins
tosethostname
-p
restartwa toauditd
-k determine
/etc/audit/audit.rules
MAC-policy if session initiation
-S setdomainname information is collected.
-k system-locale
-a
-F
-w always,exit
auid!=4294967295 -F auditd
-w-P/var/run/utmp
/var/log/lastlog
# pkill 1-HUP arch=b32
-p wa-a
-F
-w -kalways,exit
-p -S-kcreat
auid!=4294967295
perm_mod
wa
-k #logins
grep
/etc/localtimesession -F
-S-p arch=b64
system-locale openwa-k-k -Sperm_mod
openat
-S creat -S-S truncate
/etc/audit/audit.rules
time-change open -S-Sopenat ftruncate -S truncate
\ -S ftruncate \
#
-wpkill -P 1-HUP
/etc/issue -p wa auditd-k-w /var/log/faillog -p wa -k logins
system-locale
-F
-a exit=-EACCES
-w always,exit
/var/log/wtmp
/var/log/tallylog -p-F
-F arch=b64
-pwa-F
auid>=1000
-a
wa-k exit=-EACCES
always,exit
-S
-ksession
logins
exit,always -F-Fauid!=4294967295
setxattr -S-Flsetxattr
arch=b32 auid>=1000 -S-Schown -F-kauid!=4294967295
fsetxattr
sethostname access
-S fchown
-S removexattr -S fchownat
-S setdomainname -k access
-S \ -S -klchown -F auid>=1000 \
system-locale
To remediate this-pissue,
-w /etc/issue.net wa the system
# grep
-w-k/var/log/lastlog
system-locale sessionadministrator
-p /etc/audit/audit.rules
wa -k logins will have to execute a find command to locate all the privileged programs and then add an a
-a always,exit
lremovexattr
-w the-S-F
/var/log/btmp
# Execute arch=b64-a
fremovexattr
-p
followingwa -F
-w-k always,exit
-S-F creat
auid!=4294967295
session
command
/etc/issue to-F
-S
auid>=1000
-p arch=b32
open
restart
wa -S
-kauditd openat
-S creat
-Fperm_mod
-k system-locale -S-S
auid!=4294967295 truncate
open -S-S -kopenat
ftruncate
perm_mod -S truncate
\ -S ftruncate \
-w /etc/hosts -p wa -k-w /var/run/utmp
/var/log/tallylog-p-pwa
system-locale wa-k-ksession logins
-F
-a exit=-EPERM
always,exit
# Execute
pkill -HUP the -P-F 1 -F
following
auditdauid>=1000
arch=b32-F exit=-EACCES
-a always,exit
command -Fto
-S setxattr auid!=4294967295
-Frestart -Fwa
arch=b64
-S auid>=1000
lsetxattr
auditd -S-Ssetxattr -F
-k access
fsetxattr auid!=4294967295
-S-S lsetxattr
removexattr -k access
-S fsetxattr
-S \ -S removexattr -S \
-w -F path=" $1
/etc/network -p "wa- -w
will
-w-k
/etc/issue.net
populate each-p
/var/log/wtmp
system-locale -pfile
waname
-k system-locale
-k session found through the find command and processed by awk.
At
-a a minimum,
always,exit
lremovexattr
# pkill -HUP -P -S-Fconfigure
arch=b32-a
1fremovexattr
auditd the-Saudit
always,exit
lremovexattr
-w /etc/hosts-F creat system
-F
-S
auid>=1000
-S
-p arch=b64
open
fremovexattr
wa -k tosystem-locale
collect
-S
-F openat
-S-F file
creat -S
auid!=4294967295 deletion
-S
auid>=1000 openevents
truncate -S
-F-S
-kopenatfor all-Susers
ftruncate
auid!=4294967295
perm_mod truncate
\ and -S root.
-k ftruncate \
perm_mod
For
-F 64 bit systems,
perm=x
# Execute - willfollowing
the write add the
ancommand
-w audit following
/var/log/btmprecord iflines
-pthe
to restart wato file
-k the /etc/audit/audit.rules file.
is executed.
session
auditd
-F exit=-EPERM
# Execute -F auid>=1000
the following -F
-a
-w exit=-EPERM
always,exit
command
/etc/network -Fto auid!=4294967295
-F-p -F
restart auid>=1000
arch=b32
wa -kauditd -S setxattr
system-locale -F-kauid!=4294967295
access
-S lsetxattr -S fsetxattr -k access -S removexattr -S \
-F auid>=500
# pkillFor-P 641-HUP - will
auditd For
write 64
a bit
record systems
if the perform
user executing the following
the command
command is and
not a ensure
privileged the output
user. is as shown to determine if filesystem mounts
# Execute
pkillNOTE:
-HUP thebit
-P
Use systems,
following
1 the
auditd For
-a add
64
lremovexattr bit
lastalways,exit
command
command the systems,
following
to-F
-S restart perform
arch=b32
tofremovexattr
read to/var/log/wtmp
the-S
auditd /etc/audit/audit.rules
the following
creat
-F -S
auid>=1000 open
(last command
with -S
-Fno file.
openat and-Sensure
auid!=4294967295
parameters) truncate
andthe-S-koutput is as\ shown
ftruncate
perm_mod
/var/run/utmp (last -f to determine if file deletion events
/var/run/utmp)
-a always,exit
-F auid!= 4294967295 -F arch=b64
- will ignore -S Daemon
mount -Fevents auid>=1000 -F auid!=4294967295 -k mounts
# pkill -HUP -P 1 auditd -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32#-S grep mountmounts -F auid>=1000
/etc/audit/audit.rules -F auid!=4294967295 -k mounts
-a
Foralways,exit
32 bit systems, -FVerify
arch=b64
add#
Forgrep
that 32an
the -S
delete
unlink
bitaudit
following
systems, /etc/audit/audit.rules
-S
line linesunlinkat
for each
perform
to the-S rename
setuid/setgid -S program
/etc/audit/audit.rules
the following renameat
command -F
file.and auid>=1000
identified ensurein thethe \ output
find command appears
is as shown to in the auditiffile
determine with the ab
permission m
# Execute therecords
All audit following -awillalways,exit
command
be tagged to-Fwith
restart
arch=b64theauditd -S mount
identifier -F auid>=1000 -F auid!=4294967295 -k mounts
"privileged."
-F auid!=4294967295
For 32 bit systems, -a-kalways,exit
delete
addOn the 32 bit -F
following arch=b64
systems, lines -Sthe
perform
to unlinkthe -S unlinkat
/etc/audit/audit.rules
following -S rename
command file.and -Sensure
renameat the -F auid>=1000
output is as shown \ to determine if there are uns
# pkill -HUP -P 1 auditd -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit
-a always,exit -F arch=b32
-F-Farch=b32
auid!=4294967295
#-Sgrep unlink
-S
perm_mod-S unlinkat
chmod -S-k/etc/audit/audit.rules
delete
-S rename
fchmod -S fchmodat-S renameat -F auid>=1000
-F auid>=1000 \ \
# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
-F auid!=4294967295
-a always,exit -F-a-k always,exit
delete
arch=b32# grep-S
perm_mod -F
access
creat arch=b32
-S open-S-Sunlink
/etc/audit/audit.rules openat
chmod -S unlinkat
-S-S truncate
fchmod -S
-S-Srename
ftruncate
fchmodat -S-Frenameat
\ auid>=1000 -F auid>=1000
\ \
For 32 bit -F
"-a always,exit systems,
path=" add $1For" the32perm=x
-F following
bit systems -Flines perform
auid>=1000to the the /etc/audit/audit.rules
-Ffollowing command
auid!=4294967295 file.and
\ ensure the output is as shown to determine if filesystem mo
Add
#
-F the following
-aExecute
exit=-EACCES
always,exit the -F lines
following
-F -F
arch=b32-a to
auid>=1000the-S/etc/audit/audit.rules
auid!=4294967295
command
always,exit chown -Fto-Fauid!=4294967295
restart
-S arch=b32
fchown -kauditd -Sfile.
delete
perm_mod creat-k-Saccess
fchownat open
-S lchown-S openat -S truncate\ -S ftruncate \
-F auid>=1000
-k privileged" }' Perform the following to determine if changes to /etc/sudoers are recorded.
#
-Fpkill
-a -HUP -P-F1 arch=b32
always,exit
auid!=4294967295 auditd -F exit=-EACCES
-S creat -F
-a-kalways,exit
perm_mod -Sarch=b32
open
-F auid>=1000
-S openat-S chown -F
-S auid!=4294967295
truncate
-S fchown -S -Sftruncate
fchownat-k \access
-S lchown -F auid>=1000 \
-a always,exit -F arch=b32 # grep-S mounts
mount/etc/audit/audit.rules
-F auid>=1000 -F auid!=4294967295 -k mounts
-F -w /etc/sudoers
exit=-EPERM
-a always,exit -F -Farch=b32-p always,exit
-F waFor
auid>=1000
-a -k scope
32
auid!=4294967295
-S bitauid!=4294967295
-F
setxattr -Fsystems,
arch=b32
-S lsetxattr perform
-k perm_mod-S-Screat the
-k -S
fsetxattr following
access
open -Scommand
openat -S
-S removexattr -Sand \ ensure
truncate -S the output\ is as shown to determine if file deletion e
ftruncate
# Execute
Next, theaddfollowing
those-a lines #togrep
always,exit
command the scope to-Frestart /etc/audit/audit.rules
arch=b32
/etc/audit/audit.rules auditd -S mount file. -F auid>=1000 -F auid!=4294967295 -k mounts
# Execute
For 32the
lremovexattr -Sfollowing
bit systems, -F
fremovexattr command
add -F
exit=-EPERM
-a always,exit to-Frestart
theauid>=1000
following -F toauditd
auid>=1000
arch=b32 theauid!=4294967295
-F -S/etc/audit/audit.rules
-F auid!=4294967295
setxattr -S lsetxattr file.
-k perm_mod -k access
-S fsetxattr -S removexattr -S \
# pkill -HUP -P 1 auditd -w /etc/sudoers -p wa -k scope
# pkill
Execute-HUP the -Pfollowing
1 auditd # grep delete
lremovexattr
command -S /etc/audit/audit.rules
to fremovexattr
restart auditd-F auid>=1000 -F auid!=4294967295 -k perm_mod
# pkill-a-HUP
always,exit
-P 1 auditd -F-aarch=b32
always,exit -S -F unlink arch=b32 -S unlinkat -S unlink -S rename-S unlinkat -S renameat
-S rename -F -S auid>=1000
renameat \-F auid>=1000 \
-F auid!=4294967295-F-kauid!=4294967295 delete -k delete
# Execute the following command to restart auditd
# pkill -P 1-HUP auditd
Add the following lines to the /etc/audit/audit.rules file.
Perform the following to determine if kernel module loading and unloading is recorded.
Add the following lines to the /etc/audit/audit.rules file.
Perform the following to determine if administrator activity is recorded.
-w /var/log/sudo.log -p wa -k actions
# grep modules /etc/audit/audit.rules
-w /sbin/insmod
# Execute the following-p command
x -k modules to restart auditd
-w /sbin/insmod
# grep actions -p x/etc/audit/audit.rules
-k modules
-w /sbin/rmmod
# pkill -HUP -P 1-pauditd
x -k modules
-w /sbin/rmmod
/var/log/sudo.log -p x -p
-k wa
modules
-k actions
Add the following lines
-w /sbin/modprobe -p x to
-k the /etc/audit/audit.rules file.
modules
Perform the following
-w /sbin/modprobe -p xto-kdetermine
modules if the audit configuration is immutable.
FOR NOTE:
32 BIT The
SYSTEMS,
system ADDmust be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execu
FOR 32 BIT SYSTEMS
-e 2
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
# tail -n 1-F
-a always,exit /etc/audit/audit.rules
arch=b32 -S init_module -S delete_module -k modules
t to carefully configure
FOR 64 BIT the SYSTEMS,
storage requirements
ADD for audit logs. By default, auditd will max out the log files at 5MB and retain only 4 copies of them. Older ve
-e
FOR 2 64 BIT SYSTEMS
Set the max_log_file
NOTE:
-a always,exit This mustparameter
-F arch=b64be the-S lastin line
/etc/audit/auditd.conf
init_module in the
-S/etc/audit/audit.rules
delete_module -k modules file
Perform the following
-a always,exit to determine
-F arch=b64 ifthe
auditd
-S init_module -Sisdelete_module
maximum configured to notify
size of the audit the
log administrator
-k modulesfiles. and halt the system when audit logs a
ction configure auditd, ensure it is installed per 8.1.2 Install and Enable auditd Service.
Add the following lines
max_log_file to the /etc/audit/auditd.conf file.
= _<MB>_
# grep space_left_action /etc/audit/auditd.conf
max_log_file /etc/audit/auditd.conf
space_left_action
max_log_file = _<MB>_ = email
space_left_action
NOTE: MB is the number = email of MegaBytes the file can be.
Perform the following to determine
# grep action_mail_acct if audit logs are retained.
/etc/audit/auditd.conf
Add the following =line
action_mail_acct rootto the /etc/audit/auditd.conf file.
action_mail_acct = root
admin_space_left_action = halt
# grep # grep max_log_file_action /etc/audit/auditd.conf
admin_space_left_action
max_log_file_action = keep_logs
Install AIDE: max_log_file_action
admin_space_left_action = keep_logs
= halt
mmended as a replacement for the default syslogd daemon and provides improvements over syslogd, such as connection-oriented (i.e. TCP) transmission
# apt-get install aide
Execute
ng tool, similar thetofollowing
in nature Tripwire.command:
Run the following
While to ensure
it cannot prevent aide is installed:
intrusions, it can detect unauthorized changes to configuration files by alerting when the files a
Initialize AIDE:
# crontab -u root -e # dpkg -s aide
Perform the following to determine if there is a cron job scheduled to run the aide check.
# aideinit
Add the following lineEnsure
to the crontab:
package status is installed ok installed.
# crontab
# cp /var/lib/aide/aide.db.new -u root -l | grep aide
/var/lib/aide/aide.db
0 5 * * * /usr/sbin/aide --check
0 5 * * * /usr/sbin/aide --check
NOTE: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua
NOTE: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.
cure, encrypted replacement for common login services such as telnet, ftp, rlogin, rsh, and rcp.
ion Modules) is a service that implements modular authentication modules on UNIX systems. PAM is implemented as a set of shared objects that are loade
gly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network

nstalled the contents of this section are not required. You can check the install status of the ssh server with the following command:
nce on setting up secure defaults for system and user accounts and their environment.
er
ge prior
word to the
control normal user
parameters login
have may
been assisttothe
moved prosecution
PAM, of trespassers
some parameters on available
are still the computer system.
through Changing
the shadow some ofsuite.
password theseAny
login bannersmade
changes also to
has the si
/etc/logi

y the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system

ed in the remediation actions for these items is intended as an example only. Please edit to include the specific text for your organization as approved by yo

nce on securing aspects of the users and groups.


ce exhaustion and enables the use of mounting options that are applicable to the directory's intended use. User's data can be stored on separate partitions

it and then remove the data from the directory that was in the old partition. Otherwise it will still consume space in the old partition that will be masked when
vulnerabilities is to disable all services that are not required for normal system operation. This prevents the exploitation of vulnerabilities discovered at a late
owever removal is also an acceptable remediation.

ecommended thatmay
ed that someone theyhave
be disabled
installedorthem
deleted from theHowever,
separately. system tothis
reduce thetrue
is also potential
for anyattack
othersurface.
type of rogue software. It is beyond the scope of this benchm

ich should also be disabled or deleted if not required.

erface, or has multiple interfaces but will not be configured as a router.

ed to perform routing functions.

the benchmark to configure IPv6, otherwise disable IPv6.

ng summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior.
ey be disabled in the kernel.
re, centralized log server via an encrypted connection. Not only does centralized logging help sites correlate events that may be occurring on multiple syste
e unconfined.
n modified are captured.
at the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Netw
of data. By default, auditd will audit SELinux AVC denials, system logins, account modifications, and authentication events. Events will be logged to /var/log
hown.
ly one rule is needed.
ntry in one log could be more significant when compared to an entry in another log.
hat start prior to auditd.
ssions so that administrators who are in a defined security group, such as "wheel" do not have to elevate privileges to root in order to read log files. Also, if a

o determine if permission modifications are being recorded.

hown.
controls are recorded
o determine if there are unsuccessful attempts to access files.
own to determine if events that modify the system's environment are recorded.

o determine if filesystem mounts are recorded.


o determine if file deletion events by user are recorded.

ppears
own to in the auditiffile
determine with the above
permission attributes.
modifications are being recorded.
\
own to determine if there are unsuccessful attempts to access files.

\
own to determine if filesystem mounts are recorded.

own to determine if file deletion events by user are recorded.

\
in only 4 copies of them. Older versions will be deleted. It is possible on a system that the 20 MBs of audit logs may fill up the system causing loss of audit
halt the system when audit logs are full.

-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.

n files by alerting when the files are changed. When setting up AIDE, decide internally what the site policy will be concerning integrity checking. Review the

et of shared objects that are loaded and executed when a program needs to authenticate a user. Files for PAM are typically located in the /etc/pam.d directo
g of sensitive data off the network.

ommand:

ese login
e. Any bannersmade
changes also to
has the side effect
/etc/login.defs willofonly
hiding
be OS version
applied information
if the and other detailed
usermod command is used. system information
If userIDs are addedfrom attackers
a different attempting
way, to target
use the chage specifi
command

e system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies c

r organization as approved by your legal department.


tored on separate partitions and have stricter mount options. A user partition is a filesystem that has been established for use by the users and does not co

on that will be masked when the new filesystem is mounted. For example, if a system is in single-user mode with no filesystems mounted and the administr
rabilities discovered at a later date. If a service is not enabled, it cannot be exploited. The actions in this section of the document provide guidance on what

nd the scope of this benchmark to address software that is installed using non-standard methods and installation directories.

occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has m

e synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. See the ntpd(8) manual page for more informatio
nts will be logged to /var/log/audit/audit.log. The recording of these events will use a modest amount of disk space on a system. If significantly more events

der to read log files. Also, if a third party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to havi
ystem causing loss of audit data. While the recommendations here provide guidance, check your site policy for audit storage requirements.

tral logging server.

egrity checking. Review the AIDE quick start guide and AIDE documentation before proceeding.

ated in the /etc/pam.d directory. PAM must be carefully configured to secure system authentication. While this section covers some of PAM, please consult

say,
attempting to target
use the chage specific to
command exploits
effect at a system.
changes to individual userIDs.

t use of the system implies consent to such monitoring. It is important that the organization's legal counsel review the content of all messages before any sy
y the users and does not contain software for system operations. The directives in this section are easier to perform during initial system installation. If the s

mounted and the administrator adds a lot of data to the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted unless it i
nt provide guidance on what services can be safely disabled and under which circumstances, greatly reducing the number of possible threats to the resultin

ise where the attacker has modified the local log files on the affected system(s). If a log correlation system is deployed, configure it to process the logs des

ual page for more information on configuring NTP.


If significantly more events are captured, additional on system or off system storage may need to be allocated.

, which is preferable to having it run setuid to root. Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do
me of PAM, please consult other PAM resources to fully understand the configuration capabilities.

all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of r
al system installation. If the system is already installed, it is recommended that a full backup be performed before repartitioning the system.

ystem is mounted unless it is removed first.


ssible threats to the resulting system.

re it to process the logs described in this section.

One is for systems that do not have a secured group method implemented that only permits root to read the log files (root:root 600). The other is for sites t
ation (including citations of relevant case law) can be found at http://www.justice.gov/criminal/cybercrime/ [http://www.justice.gov/criminal/cybercrime/ ]
600). The other is for sites that do have such a setup and are designated as root:securegrp 640 where securegrp is the defined security group (in some ca
v/criminal/cybercrime/ ]
security group (in some cases wheel).
