/policy/cis_debian_linux_rcl.txt
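# @(#) $Id: cis_debian_linux_rcl.txt,v 1.2 2008/07/10 18:03:00 dcid Exp $
#
# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - p (process running)
#             - d (any file inside the directory)
#
# Additional values:
# For the registry, use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
#                            r: (for ossec regexes)
#                            >: (for strcmp greater)
#                            <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
#
# Conventions used by the rules below:
#   - A leading "!" negates a pattern; placed before a path (f:!/path) it
#     negates the file test itself.
#   - "!r:^#" skips lines that start with '#' in column 0. Indented comment
#     lines are not skipped by it.
#   - In OSSEC regexes "\." matches any character and "\w" matches a word
#     character, so "Protocol\.+1" means "Protocol", anything, then "1".
#   - Each rule is written so that a match is a finding: the title names the
#     weakness that was detected.


# CIS Checks for Debian/Ubuntu
# Based on Center for Internet Security Benchmark for Debian Linux v1.0


# Main one. Only valid for Debian/Ubuntu.
# Gate check: both entries must match. NOTE(review): "required" is presumably
# what makes the engine skip the rest of this file on other systems - confirm
# against the rootcheck version in use.
[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/debian_version;
f:/proc/sys/kernel/ostype -> Linux;



# Section 1.4 - Partition scheme.
# NOTE(review): the /tmp and /var patterns consist only of a negated regex.
# If the engine evaluates patterns line by line, any fstab line that does not
# mention the mount point satisfies them. Confirm how your OSSEC version
# handles fully negated patterns before relying on these results.
[CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:/tmp;

# Only reported when /opt exists at all ([all]: both entries must match).
[CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/opt;
f:/etc/fstab -> !r:/opt;

[CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:/var;



# Section 2.3 - SSH configuration
# These rules only see directives that are explicitly present and uncommented
# in sshd_config. A setting that is absent, and therefore left at the sshd
# built-in default, is not evaluated here and has to be reviewed separately.
[CIS - Debian Linux 2.3 - SSH Configuration - Protocol version 1 enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;

[CIS - Debian Linux 2.3 - SSH Configuration - IgnoreRHosts disabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;

[CIS - Debian Linux 2.3 - SSH Configuration - Empty passwords permitted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;

[CIS - Debian Linux 2.3 - SSH Configuration - Host based authentication enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;

# Matches only an explicit "yes"; other non-"no" values are not reported.
[CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;



# Section 2.4 Enable system accounting
# "Not installed" needs both paths to be missing ([all]).
[CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/default/sysstat;
f:!/var/log/sysstat;

# "Not enabled" is reported when the defaults file is missing or when it
# carries an uncommented ENABLED="false".
[CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/default/sysstat;
f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";



# Section 2.5 Install and run Bastille
# Presence of /etc/Bastille is used as the install marker; this does not show
# that the hardening was actually applied.
[CIS - Debian Linux 2.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/Bastille;



# Section 2.6 Ensure sources.list Sanity
# Reported when sources.list is missing or has no uncommented security mirror.
# The regex only recognises http:// URLs on the two listed hosts, so entries
# using another scheme or a local mirror will also be reported; review those
# findings by hand. Sources under /etc/apt/sources.list.d are not read.
[CIS - Debian Linux 2.6 - Sources list sanity - Security updates not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/apt/sources.list;
f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu;



# Section 3 - Minimize inetd services
# Each rule looks for an uncommented inetd.conf line containing the service
# keyword. The match is a plain substring, so treat a hit as a pointer to the
# line to review. Services started outside inetd are not covered here.
[CIS - Debian Linux 3.3 - Telnet enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:telnet;

[CIS - Debian Linux 3.4 - FTP enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:/ftp;

[CIS - Debian Linux 3.5 - rsh/rlogin/rcp enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:shell|login;

[CIS - Debian Linux 3.6 - tftpd enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:tftp;

[CIS - Debian Linux 3.7 - imap enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:imap;

[CIS - Debian Linux 3.8 - pop3 enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:pop;

[CIS - Debian Linux 3.9 - Ident enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:ident;



# Section 4 - Minimize boot services
# inetd is running although inetd.conf has no uncommented service line
# (service lines carry a wait/nowait field, which is what "wait" matches).
[CIS - Debian Linux 4.1 - Disable inetd - Inetd enabled but no services running] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
p:inetd;
f:!/etc/inetd.conf -> !r:^# && r:wait;

[CIS - Debian Linux 4.3 - GUI login enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inittab -> !r:^# && r:id:5;

# The 4.6 - 4.18 rules test only that the init script exists. That shows the
# package is installed, not that the service is enabled at boot or running,
# so confirm each finding on the host before acting on it.
[CIS - Debian Linux 4.6 - Disable standard boot services - Samba Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/samba;

[CIS - Debian Linux 4.7 - Disable standard boot services - NFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/nfs-common;
f:/etc/init.d/nfs-user-server;
f:/etc/init.d/nfs-kernel-server;

[CIS - Debian Linux 4.9 - Disable standard boot services - NIS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/nis;

[CIS - Debian Linux 4.13 - Disable standard boot services - Web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/apache;
f:/etc/init.d/apache2;

[CIS - Debian Linux 4.15 - Disable standard boot services - DNS server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/bind;

[CIS - Debian Linux 4.16 - Disable standard boot services - MySQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/mysql;

[CIS - Debian Linux 4.16 - Disable standard boot services - PostgreSQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/postgresql;

[CIS - Debian Linux 4.17 - Disable standard boot services - Webmin Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/webmin;

[CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/squid;



# Section 5 - Kernel tuning
# These read the live values under /proc, i.e. the running kernel state, not
# what /etc/sysctl.conf will set on the next boot.
[CIS - Debian Linux 5.1 - Network parameters - Source routing accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;

[CIS - Debian Linux 5.1 - Network parameters - ICMP broadcasts accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;

# IPv6 forwarding is exposed as conf/all/forwarding. The previous entry,
# /proc/sys/net/ipv6/ip_forward, is not a path the kernel provides, so the
# IPv6 half of this rule could never report.
[CIS - Debian Linux 5.2 - Network parameters - IP Forwarding enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/ip_forward -> 1;
f:/proc/sys/net/ipv6/conf/all/forwarding -> 1;



# Section 7 - Permissions
# The 7.1 rules only consider ext2/ext3 lines, so a partition on any other
# filesystem type is never reported. Mount points are matched as substrings
# ("/var" also matches "/var/log").
[CIS - Debian Linux 7.1 - Partition /var without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;

[CIS - Debian Linux 7.1 - Partition /tmp without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;

[CIS - Debian Linux 7.1 - Partition /opt without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;

# The stray space before ';' was dropped so this pattern is written like its
# three siblings; otherwise it may be read as part of the "nodev" pattern.
[CIS - Debian Linux 7.1 - Partition /home without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev;

[CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && !r:nodev;

[CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;

# "user" is a substring match, so it hits both the "user" and "users" options.
[CIS - Debian Linux 7.3 - User-mounted removable partition /media] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && r:user;



# Section 8 - Access and authentication
# NOTE(review): the boot loader patterns are built from negated regexes only
# and are checked against a single line at a time, so any uncommented line
# without the keyword can satisfy them. Confirm the result by reading the
# boot loader configuration itself.
[CIS - Debian Linux 8.8 - LILO Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/lilo.conf -> !r:^# && !r:restricted;
f:/etc/lilo.conf -> !r:^# && !r:password=;

[CIS - Debian Linux 8.8 - GRUB Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/boot/grub/menu.lst -> !r:^# && !r:password;

# An empty second field in /etc/shadow means the account has no password.
[CIS - Debian Linux 9.2 - Account with empty password present] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/shadow -> r:^\w+::;

# Any passwd entry other than "root" whose third field (the uid) is 0.
[CIS - Debian Linux 13.11 - Non-root account with uid 0] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;


# EOF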