cis_debian_linux_rcl.txt

/policy/cis_debian_linux_rcl.txt

https://bitbucket.org/oscarschneider/ossec-rules · Plain Text · 212 lines · 142 code · 70 blank · 0 comment · 0 complexity · dc51c441300bc6c9a9ba9b98419009cb MD5 · raw file

# @(#) $Id: cis_debian_linux_rcl.txt,v 1.2 2008/07/10 18:03:00 dcid Exp $
#
# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - p (process running)
#             - d (any file inside the directory)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceeded by: =: (for equal) - default
#                             r: (for ossec regexes)
#                             >: (for strcmp greater)
#                             <: (for strcmp  lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).


# CIS Checks for Debian/Ubuntu
# Based on Center for Internet Security Benchmark for Debian Linux v1.0


# Main one. Only valid for Debian/Ubuntu.
[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/debian_version;
f:/proc/sys/kernel/ostype -> Linux;



# Section 1.4 - Partition scheme.
[CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:/tmp;

[CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/opt;
f:/etc/fstab -> !r:/opt;

[CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:/var;



# Section 2.3 - SSH configuration
[CIS - Debian Linux 2.3 - SSH Configuration - Protocol version 1 enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;

[CIS - Debian Linux 2.3 - SSH Configuration - IgnoreRHosts disabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;

[CIS - Debian Linux 2.3 - SSH Configuration - Empty passwords permitted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;

[CIS - Debian Linux 2.3 - SSH Configuration - Host based authentication enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;

[CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;



# Section 2.4 Enable system accounting
[CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/default/sysstat;
f:!/var/log/sysstat;

[CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/default/sysstat;
f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";



# Section 2.5 Install and run Bastille
[CIS - Debian Linux 2.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/Bastille;



# Section 2.6 Ensure sources.list Sanity
[CIS - Debian Linux 2.6 - Sources list sanity - Security updates not enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:!/etc/apt/sources.list;
f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu;



# Section 3 - Minimize inetd services
[CIS - Debian Linux 3.3 - Telnet enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:telnet;

[CIS - Debian Linux 3.4 - FTP enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:/ftp;

[CIS - Debian Linux 3.5 - rsh/rlogin/rcp enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:shell|login;

[CIS - Debian Linux 3.6 - tftpd enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:tftp;

[CIS - Debian Linux 3.7 - imap enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:imap;

[CIS - Debian Linux 3.8 - pop3 enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:pop;

[CIS - Debian Linux 3.9 - Ident enabled on inetd] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inetd.conf -> !r:^# && r:ident;



# Section 4 - Minimize boot services
[CIS - Debian Linux 4.1 - Disable inetd - Inetd enabled but no services running] [all] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
p:inetd;
f:!/etc/inetd.conf -> !r:^# && r:wait;

[CIS - Debian Linux 4.3 - GUI login enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/inittab -> !r:^# && r:id:5;

[CIS - Debian Linux 4.6 - Disable standard boot services - Samba Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/samba;

[CIS - Debian Linux 4.7 - Disable standard boot services - NFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/nfs-common;
f:/etc/init.d/nfs-user-server;
f:/etc/init.d/nfs-kernel-server;

[CIS - Debian Linux 4.9 - Disable standard boot services - NIS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/nis;

[CIS - Debian Linux 4.13 - Disable standard boot services - Web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/apache;
f:/etc/init.d/apache2;

[CIS - Debian Linux 4.15 - Disable standard boot services - DNS server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/bind;

[CIS - Debian Linux 4.16 - Disable standard boot services - MySQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/mysql;

[CIS - Debian Linux 4.16 - Disable standard boot services - PostgreSQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/postgresql;

[CIS - Debian Linux 4.17 - Disable standard boot services - Webmin Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/webmin;

[CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/squid;



# Section 5 - Kernel tuning
[CIS - Debian Linux 5.1 - Network parameters - Source routing accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;

[CIS - Debian Linux 5.1 - Network parameters - ICMP broadcasts accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;

[CIS - Debian Linux 5.2 - Network parameters - IP Forwarding enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/proc/sys/net/ipv4/ip_forward -> 1;
f:/proc/sys/net/ipv6/ip_forward -> 1;



# Section 7 - Permissions
[CIS - Debian Linux 7.1 - Partition /var without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;

[CIS - Debian Linux 7.1 - Partition /tmp without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;

[CIS - Debian Linux 7.1 - Partition /opt without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;

[CIS - Debian Linux 7.1 - Partition /home without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;

[CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && !r:nodev;

[CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;

[CIS - Debian Linux 7.3 - User-mounted removable partition /media] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/fstab -> !r:^# && r:/media && r:user;



# Section 8 - Access and authentication
[CIS - Debian Linux 8.8 - LILO Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/lilo.conf -> !r:^# && !r:restricted;
f:/etc/lilo.conf -> !r:^# && !r:password=;

[CIS - Debian Linux 8.8 - GRUB Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/boot/grub/menu.lst -> !r:^# && !r:password;

[CIS - Debian Linux 9.2 - Account with empty password present] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/shadow -> r:^\w+::;

[CIS - Debian Linux 13.11 - Non-root account with uid 0] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;


# EOF