
/policy/cis_debian_linux_rcl.txt

https://bitbucket.org/oscarschneider/ossec-rules
  1# @(#) $Id: cis_debian_linux_rcl.txt,v 1.2 2008/07/10 18:03:00 dcid Exp $
  2#
  3# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
  4#
  5# Released under the same license as OSSEC.
  6# More details at the LICENSE file included with OSSEC or online
  7# at: http://www.ossec.net/en/licensing.html
  8#
  9# [Application name] [any or all] [reference]
 10# type:<entry name>;
 11#
 12# Type can be:
 13#             - f (for file or directory)
 14#             - p (process running)
 15#             - d (any file inside the directory)
 16#
 17# Additional values:
 18# For the registry , use "->" to look for a specific entry and another
 19# "->" to look for the value.
 20# For files, use "->" to look for a specific value in the file.
 21#
 22# Values can be preceeded by: =: (for equal) - default
 23#                             r: (for ossec regexes)
 24#                             >: (for strcmp greater)
 25#                             <: (for strcmp  lower)
 26# Multiple patterns can be specified by using " && " between them.
 27# (All of them must match for it to return true).
 28
 29
 30# CIS Checks for Debian/Ubuntu
 31# Based on Center for Internet Security Benchmark for Debian Linux v1.0
 32
 33
 34# Main one. Only valid for Debian/Ubuntu.
 35[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 36f:/etc/debian_version;
 37f:/proc/sys/kernel/ostype -> Linux;
 38
 39
 40
 41# Section 1.4 - Partition scheme.
 42[CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 43f:/etc/fstab -> !r:/tmp;
 44
 45[CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 46f:/opt;
 47f:/etc/fstab -> !r:/opt;
 48
 49[CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 50f:/etc/fstab -> !r:/var;
 51
 52
 53
 54# Section 2.3 - SSH configuration
 55[CIS - Debian Linux 2.3 - SSH Configuration - Protocol version 1 enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 56f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
 57
 58[CIS - Debian Linux 2.3 - SSH Configuration - IgnoreRHosts disabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 59f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
 60
 61[CIS - Debian Linux 2.3 - SSH Configuration - Empty passwords permitted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 62f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
 63
 64[CIS - Debian Linux 2.3 - SSH Configuration - Host based authentication enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 65f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
 66
 67[CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 68f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
 69
 70
 71
 72# Section 2.4 Enable system accounting
 73[CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 74f:!/etc/default/sysstat;
 75f:!/var/log/sysstat;
 76
 77[CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 78f:!/etc/default/sysstat;
 79f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";
 80
 81
 82
 83# Section 2.5 Install and run Bastille
 84[CIS - Debian Linux 2.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 85f:!/etc/Bastille;
 86
 87
 88
 89# Section 2.6 Ensure sources.list Sanity
 90[CIS - Debian Linux 2.6 - Sources list sanity - Security updates not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 91f:!/etc/apt/sources.list;
 92f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu;
 93
 94
 95
 96# Section 3 - Minimize inetd services
 97[CIS - Debian Linux 3.3 - Telnet enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
 98f:/etc/inetd.conf -> !r:^# && r:telnet;
 99
100[CIS - Debian Linux 3.4 - FTP enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
101f:/etc/inetd.conf -> !r:^# && r:/ftp;
102
103[CIS - Debian Linux 3.5 - rsh/rlogin/rcp enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
104f:/etc/inetd.conf -> !r:^# && r:shell|login;
105
106[CIS - Debian Linux 3.6 - tftpd enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
107f:/etc/inetd.conf -> !r:^# && r:tftp;
108
109[CIS - Debian Linux 3.7 - imap enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
110f:/etc/inetd.conf -> !r:^# && r:imap;
111
112[CIS - Debian Linux 3.8 - pop3 enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
113f:/etc/inetd.conf -> !r:^# && r:pop;
114
115[CIS - Debian Linux 3.9 - Ident enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
116f:/etc/inetd.conf -> !r:^# && r:ident;
117
118
119
120# Section 4 - Minimize boot services
121[CIS - Debian Linux 4.1 - Disable inetd - Inetd enabled but no services running] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
122p:inetd;
123f:!/etc/inetd.conf -> !r:^# && r:wait;
124
125[CIS - Debian Linux 4.3 - GUI login enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
126f:/etc/inittab -> !r:^# && r:id:5;
127
128[CIS - Debian Linux 4.6 - Disable standard boot services - Samba Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
129f:/etc/init.d/samba;
130
131[CIS - Debian Linux 4.7 - Disable standard boot services - NFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
132f:/etc/init.d/nfs-common;
133f:/etc/init.d/nfs-user-server;
134f:/etc/init.d/nfs-kernel-server;
135
136[CIS - Debian Linux 4.9 - Disable standard boot services - NIS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
137f:/etc/init.d/nis;
138
139[CIS - Debian Linux 4.13 - Disable standard boot services - Web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
140f:/etc/init.d/apache;
141f:/etc/init.d/apache2;
142
143[CIS - Debian Linux 4.15 - Disable standard boot services - DNS server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
144f:/etc/init.d/bind;
145
146[CIS - Debian Linux 4.16 - Disable standard boot services - MySQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
147f:/etc/init.d/mysql;
148
149[CIS - Debian Linux 4.16 - Disable standard boot services - PostgreSQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
150f:/etc/init.d/postgresql;
151
152[CIS - Debian Linux 4.17 - Disable standard boot services - Webmin Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
153f:/etc/init.d/webmin;
154
155[CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
156f:/etc/init.d/squid;
157
158
159
160# Section 5 - Kernel tuning
161[CIS - Debian Linux 5.1 - Network parameters - Source routing accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
162f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
163
164[CIS - Debian Linux 5.1 - Network parameters - ICMP broadcasts accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
165f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
166
167[CIS - Debian Linux 5.2 - Network parameters - IP Forwarding enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
168f:/proc/sys/net/ipv4/ip_forward -> 1;
169f:/proc/sys/net/ipv6/ip_forward -> 1;
170
171
172
173# Section 7 - Permissions
174[CIS - Debian Linux 7.1 - Partition /var without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
175f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
176
177[CIS - Debian Linux 7.1 - Partition /tmp without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
178f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
179
180[CIS - Debian Linux 7.1 - Partition /opt without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
181f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
182
183[CIS - Debian Linux 7.1 - Partition /home without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
184f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
185
186[CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
187f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
188
189[CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
190f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
191
192[CIS - Debian Linux 7.3 - User-mounted removable partition /media] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
193f:/etc/fstab -> !r:^# && r:/media && r:user;
194
195
196
197# Section 8 - Access and authentication
198[CIS - Debian Linux 8.8 - LILO Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
199f:/etc/lilo.conf -> !r:^# && !r:restricted;
200f:/etc/lilo.conf -> !r:^# && !r:password=;
201
202[CIS - Debian Linux 8.8 - GRUB Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
203f:/boot/grub/menu.lst -> !r:^# && !r:password;
204
205[CIS - Debian Linux 9.2 - Account with empty password present] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
206f:/etc/shadow -> r:^\w+::;
207
208[CIS - Debian Linux 13.11 - Non-root account with uid 0] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
209f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
210
211
212# EOF