Description | Tests: Pass | Tests: Fail | Tests: Error | Tests: Unknown | Tests: Manual | Scoring: Score | Scoring: Max | Scoring: Percent |
---|---|---|---|---|---|---|---|---|
1 Initial Setup | 42 | 0 | 0 | 0 | 7 | 42.0 | 42.0 | 100% |
1.1 Filesystem Configuration | 21 | 0 | 0 | 0 | 3 | 21.0 | 21.0 | 100% |
1.1.1 Disable unused filesystems | 6 | 0 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
1.2 Configure Software Updates | 0 | 0 | 0 | 0 | 2 | 0.0 | 0.0 | 0% |
1.3 Filesystem Integrity Checking | 2 | 0 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
1.4 Secure Boot Settings | 4 | 0 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
1.5 Additional Process Hardening | 3 | 0 | 0 | 0 | 1 | 3.0 | 3.0 | 100% |
1.6 Mandatory Access Control | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
1.6.1 Configure AppArmor | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
1.7 Command Line Warning Banners | 6 | 0 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
1.8 GNOME Display Manager | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
2 Services | 26 | 0 | 0 | 0 | 1 | 26.0 | 26.0 | 100% |
2.1 Special Purpose Services | 20 | 0 | 0 | 0 | 0 | 20.0 | 20.0 | 100% |
2.1.1 Time Synchronization | 4 | 0 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
2.2 Service Clients | 6 | 0 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
3 Network Configuration | 34 | 0 | 0 | 0 | 6 | 34.0 | 34.0 | 100% |
3.1 Disable unused network protocols and devices | 1 | 0 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
3.2 Network Parameters (Host Only) | 2 | 0 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
3.3 Network Parameters (Host and Router) | 9 | 0 | 0 | 0 | 0 | 9.0 | 9.0 | 100% |
3.4 Uncommon Network Protocols | 0 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
3.5 Firewall Configuration | 22 | 0 | 0 | 0 | 6 | 22.0 | 22.0 | 100% |
3.5.1 Configure UncomplicatedFirewall | 5 | 0 | 0 | 0 | 2 | 5.0 | 5.0 | 100% |
3.5.2 Configure nftables | 8 | 0 | 0 | 0 | 2 | 8.0 | 8.0 | 100% |
3.5.3 Configure iptables | 9 | 0 | 0 | 0 | 2 | 9.0 | 9.0 | 100% |
3.5.3.1 Configure iptables software | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
3.5.3.2 Configure IPv4 iptables | 3 | 0 | 0 | 0 | 1 | 3.0 | 3.0 | 100% |
3.5.3.3 Configure IPv6 ip6tables | 3 | 0 | 0 | 0 | 1 | 3.0 | 3.0 | 100% |
4 Logging and Auditing | 8 | 1 | 0 | 0 | 3 | 8.0 | 9.0 | 89% |
4.1 Configure System Accounting (auditd) | 0 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
4.1.1 Ensure auditing is enabled | 0 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
4.1.2 Configure Data Retention | 0 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
4.2 Configure Logging | 7 | 1 | 0 | 0 | 2 | 7.0 | 8.0 | 88% |
4.2.1 Configure rsyslog | 3 | 1 | 0 | 0 | 2 | 3.0 | 4.0 | 75% |
4.2.2 Configure journald | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
5 Access, Authentication and Authorization | 46 | 0 | 0 | 0 | 1 | 46.0 | 46.0 | 100% |
5.1 Configure time-based job schedulers | 9 | 0 | 0 | 0 | 0 | 9.0 | 9.0 | 100% |
5.2 Configure sudo | 3 | 0 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
5.3 Configure SSH Server | 20 | 0 | 0 | 0 | 0 | 20.0 | 20.0 | 100% |
5.4 Configure PAM | 4 | 0 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
5.5 User Accounts and Environment | 9 | 0 | 0 | 0 | 0 | 9.0 | 9.0 | 100% |
5.5.1 Set Shadow Password Suite Parameters | 5 | 0 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
6 System Maintenance | 27 | 1 | 0 | 0 | 2 | 27.0 | 28.0 | 96% |
6.1 System File Permissions | 11 | 0 | 0 | 0 | 2 | 11.0 | 11.0 | 100% |
6.2 User and Group Settings | 16 | 1 | 0 | 0 | 0 | 16.0 | 17.0 | 94% |
Total | 183 | 2 | 0 | 0 | 20 | 183.0 | 185.0 | 99% |
This benchmark contains 4 profiles. The Level 1 - Server profile was used for this assessment.
Title | Description |
---|---|
Level 1 - Server | Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means. This profile is intended for servers. |
Level 2 - Server | This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics: are intended for environments or use cases where security is paramount; act as a defense-in-depth measure; may negatively inhibit the utility or performance of the technology. This profile is intended for servers. |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.1_Ensure_GNOME_Display_Manager_is_removed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Ensure_X_Window_System_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Ensure_CUPS_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Disable_IPv6" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.1_Ensure_DCCP_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.2_Ensure_SCTP_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.3_Ensure_RDS_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.4_Ensure_TIPC_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.2_Ensure_auditd_service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.4_Ensure_audit_backlog_limit_is_sufficient" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.1_Ensure_audit_log_storage_size_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4_Ensure_events_that_modify_usergroup_information_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.7_Ensure_login_and_logout_events_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.8_Ensure_session_initiation_information_is_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.11_Ensure_use_of_privileged_commands_is_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.12_Ensure_successful_file_system_mounts_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.13_Ensure_file_deletion_events_by_users_are_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.17_Ensure_the_audit_configuration_is_immutable" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts." 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_SSH_X11_forwarding_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Audit_system_file_permissions" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty" selected="true"/> </xccdf:Profile> |
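The profile above is a flat list of `<xccdf:select>` elements, and the "Level 1 - Server" profile listed before it has the same shape. The description says Level 2 extends Level 1, but the benchmark expresses that by repeating every rule rather than with an XCCDF `extends` attribute, so the only way to see what Level 2 actually adds is to compare the two selection sets. The script below is an added example (not part of the benchmark or of the tool that produced this report) that parses XCCDF 1.2 profiles, collects the rules each one selects, and reports the difference. The `SAMPLE_XCCDF` document is constructed for illustration: its profile and rule ids follow the CIS naming scheme seen on this page, but it is a trimmed stand-in, not the real benchmark.

```python
"""Compare which benchmark rules two XCCDF 1.2 profiles select.

Added example for illustration; the sample document below is constructed and is
not the CIS benchmark itself. Only the namespace URI is taken from the real
XCCDF 1.2 schema.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NSMAP = {"xccdf": XCCDF_NS}
RULE_PREFIX = "xccdf_org.cisecurity.benchmarks_rule_"

# Constructed sample: two profiles, the second repeating the first and adding rules.
SAMPLE_XCCDF = """<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <xccdf:Profile id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server">
    <xccdf:title>Level 1 - Server</xccdf:title>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var" selected="false"/>
  </xccdf:Profile>
  <xccdf:Profile id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server">
    <xccdf:title>Level 2 - Server</xccdf:title>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage" selected="true"/>
  </xccdf:Profile>
</xccdf:Benchmark>
"""


def _iter_profiles(root):
    """Yield Profile elements whether the root is a Benchmark or a bare Profile.

    Report pages like this one often show a <xccdf:Profile> on its own, so the
    parser must not assume a surrounding <xccdf:Benchmark>.
    """
    if root.tag == "{%s}Profile" % XCCDF_NS:
        yield root
    else:
        yield from root.iterfind(".//xccdf:Profile", NSMAP)


def selected_rules(xccdf_xml: str) -> dict:
    """Map each profile id to the set of rule idrefs it selects.

    A <select> with selected="false" explicitly deselects a rule, so only the
    XCCDF boolean literals "true" and "1" count as a selection.
    """
    root = ET.fromstring(xccdf_xml)
    profiles = {}
    for profile in _iter_profiles(root):
        chosen = set()
        for sel in profile.iterfind("xccdf:select", NSMAP):
            if sel.get("selected", "").strip().lower() in ("true", "1"):
                chosen.add(sel.get("idref"))
        profiles[profile.get("id")] = chosen
    return profiles


def rule_number(idref: str) -> str:
    """Return the benchmark section number (e.g. '1.1.24') from a CIS rule idref."""
    tail = idref[len(RULE_PREFIX):] if idref.startswith(RULE_PREFIX) else idref
    return tail.split("_", 1)[0]


def _section_key(idref: str):
    """Sort key so '1.1.10' orders after '1.1.9' rather than lexically."""
    return [int(p) if p.isdigit() else 0 for p in rule_number(idref).split(".")]


def profile_delta(profiles: dict, base_id: str, extended_id: str) -> dict:
    """Rules the extended profile adds over, or drops from, the base profile."""
    base, ext = profiles[base_id], profiles[extended_id]
    return {
        "added": sorted(ext - base, key=_section_key),
        "dropped": sorted(base - ext, key=_section_key),
    }


if __name__ == "__main__":
    profiles = selected_rules(SAMPLE_XCCDF)
    l1 = "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server"
    l2 = "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server"
    delta = profile_delta(profiles, l1, l2)
    for label, rules in delta.items():
        print(f"{label}: {[rule_number(r) for r in rules]}")
```

Run against the real benchmark data stream instead of the constructed sample, the profile ids shown on this page are exactly the values you would pass to `oscap xccdf eval --profile`; comparing the two Server profiles first tells you which extra rules (and therefore which extra audit findings) selecting Level 2 will introduce before you run the scan.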
Level 1 - Workstation
Items in this profile intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.
This profile is intended for workstations.
<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation"> <xccdf:title xml:lang="en">Level 1 - Workstation</xccdf:title> <xccdf:description xml:lang="en"> <xhtml:p>Items in this profile intend to:</xhtml:p> <xhtml:ul> <xhtml:li>be practical and prudent;</xhtml:li> <xhtml:li>provide a clear security benefit; and</xhtml:li> <xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li> </xhtml:ul> <xhtml:p>This profile is intended for workstations.</xhtml:p> </xccdf:description> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts." selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_SSH_X11_forwarding_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured" selected="true"/> <xccdf:select 
idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist" 
selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty" selected="true"/> </xccdf:Profile> |
Level 2 - Workstation |
This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:
This profile is intended for workstations.
<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Workstation"> <xccdf:title xml:lang="en">Level 2 - Workstation</xccdf:title> <xccdf:description xml:lang="en"> <xhtml:p>This profile extends the "Level 1 - Workstation" profile. 
Items in this profile exhibit one or more of the following characteristics:</xhtml:p> <xhtml:ul> <xhtml:li>are intended for environments or use cases where security is paramount.</xhtml:li> <xhtml:li>acts as defense in depth measure.</xhtml:li> <xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li> </xhtml:ul> <xhtml:p>This profile is intended for workstations.</xhtml:p> </xccdf:description> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Ensure_mounting_of_squashfs_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition" selected="true"/> <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured" selected="true"/> <xccdf:select 
</xccdf:Profile> |
Items in this section are advised for all systems, but may be difficult or require extensive preparation after the initial setup of the system.
Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection against resource exhaustion and enables the use of mount options that match the directory's intended use. Users' data can be stored on separate partitions with stricter mount options. A user partition is a filesystem that has been established for use by the users and does not contain software for system operations.
The recommendations in this section are easier to perform during initial system installation. If the system is already installed, it is recommended that a full backup be performed before repartitioning the system.
Note: If you are repartitioning a system that has already been installed, make sure the data has been copied over to the new partition, unmount it, and then remove the data from the directory that was in the old partition. Otherwise it will still consume space in the old partition, and that space will be masked once the new filesystem is mounted. For example, if a system is in single-user mode with no filesystems mounted and the administrator adds a lot of data to the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted unless it is removed first.
A number of uncommon filesystem types are supported under Linux. Removing support for unneeded filesystem types reduces the local attack surface of the system. If a filesystem type is not needed, it should be disabled. Native Linux filesystems are designed to ensure that built-in security controls function as expected. Non-native filesystems can have unexpected consequences for both the security and the functionality of the system and should be used with caution. Many filesystems are created for niche use cases and are not maintained and supported as the operating system is updated and patched. Users of non-native filesystems should ensure that there is attention and ongoing support for them, especially in light of frequent operating system changes.
Standard network connectivity and Internet access to cloud storage may make the use of non-standard filesystem formats to directly attach heterogeneous devices much less attractive.
Note: This should not be considered a comprehensive list of filesystems. You may wish to consider additions to those listed here for your environment.
The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vim /etc/modprobe.d/cramfs.conf
and add the following line:
install cramfs /bin/true
Run the following command to unload the cramfs module:
# rmmod cramfs
Assessment result: 1.1.1.1 Ensure mounting of cramfs filesystems is disabled | |
---|---|
Result: | pass |
Assessed at: | 2022-04-13T17:15:55.958Z |
Role / severity / weight: | full / unknown / 1.0 |
CIS Control reference: | CIS Controls V7.0, control 5, subcontrol 5.1 |
Check operator: | AND (both OVAL checks below must pass) |
Check 1 (oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455907): | Ensure kernel module cramfs is not loadable; existence check: at least one exists; item check: at least one |
Check 2 (oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455908): | Ensure kernel module cramfs is not loaded; existence check: at least one exists; item check: none satisfy |
Evidence (Shellcommand Item, shared by both checks) | |
---|---|
Command: | modprobe -n -v cramfs |
Line selection: | .+ |
Exit status: | 0 |
Stdout line: | insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko |
Stdout line: | install /bin/true |
Check 1 result: | Pass |
Check 2 result: | Pass |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/freevxfs.conf
and add the following line:
install freevxfs /bin/true
Run the following command to unload the freevxfs module:
# rmmod freevxfs
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled" role="full" severity="unknown" time="2022-04-13T17:15:55.958Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455909"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455909"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455909" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module freevxfs is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> 
<td class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v freevxfs</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455910"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455910"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455910" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module freevxfs is not loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> 
<td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v freevxfs</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/jffs2.conf
and add the following line:
install jffs2 /bin/true
Run the following command to unload the jffs2 module:
# rmmod jffs2
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled" role="full" severity="unknown" time="2022-04-13T17:15:55.958Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455911"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455911"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455911" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module jffs2 is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td 
class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v jffs2</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455912"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455912"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455912" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module jffs2 is not loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th 
scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v jffs2</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/hfs.conf
and add the following line:
install hfs /bin/true
Run the following command to unload the hfs module:
# rmmod hfs
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled" role="full" severity="unknown" time="2022-04-13T17:15:55.959Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455913"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455913"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455913" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module hfs is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td 
class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v hfs</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455914"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455914"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455914" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module hfs is not loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> 
<td>String</td> <td>Exists</td> <td>modprobe -n -v hfs</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems.
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/hfsplus.conf
and add the following line:
install hfsplus /bin/true
Run the following command to unload the hfsplus module:
# rmmod hfsplus
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled" role="full" severity="unknown" time="2022-04-13T17:15:55.959Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455915"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455915"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455915" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module hfsplus is not loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td 
class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v hfsplus</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455916"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455916"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455916" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module hfsplus is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> 
<td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v hfsplus</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/udf.conf
and add the following line:
install udf /bin/true
Run the following command to unload the udf module:
# rmmod udf
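The module-disabling procedure above is the same for cramfs, freevxfs, jffs2, hfs, hfsplus and udf, and the report's evidence shows what each rule's two OVAL criteria look at. The following POSIX shell script is an added example, not code from CIS-CAT or the benchmark: it re-implements the "not loadable" and "not loaded" criteria over captured `modprobe -n -v` and `lsmod` output, combines them with AND as the complex-check does, and lists which of the six modules still lack an `install <module> /bin/true` line in modprobe.d. The two cramfs/udf dry-run outputs that end in `install /bin/true` are copied from the report's Stdout Line evidence; the "still loadable" udf output, the lsmod table and the modprobe.d contents are constructed. Using `lsmod` for the "not loaded" criterion is an assumption, since the evidence above shows the modprobe dry run for both criteria.

```shell
#!/bin/sh
# Added example, not CIS-CAT's or the benchmark's own code. It re-implements the two
# per-module criteria from the report's OVAL evidence ("not loadable" and "not loaded")
# and the modprobe.d remediation check, over captured command output so it runs offline.

# Criterion "not loadable": the dry run `modprobe -n -v <module>` must print the
# install override that the remediation writes to /etc/modprobe.d/<module>.conf.
# $1 = module name, $2 = captured text of `modprobe -n -v $1`
module_not_loadable() {
  printf '%s\n' "$2" | grep -q '^install /bin/true'
}

# Criterion "not loaded": no row of `lsmod` names the module in its first column.
# Assumption: lsmod is the source for this criterion; the report's evidence shows the
# same modprobe dry run for both.
# $1 = module name, $2 = captured text of `lsmod`
module_not_loaded() {
  printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 1 : 0 }'
}

# Combine both criteria as the XCCDF complex-check does (operator AND) and print a
# one-line verdict that says which criterion failed.
# $1 = module, $2 = `modprobe -n -v` output, $3 = `lsmod` output
check_module() {
  reasons=""
  module_not_loadable "$1" "$2" || reasons="loadable"
  if ! module_not_loaded "$1" "$3"; then
    reasons="${reasons:+$reasons, }loaded"
  fi
  if [ -z "$reasons" ]; then
    printf '%s: pass\n' "$1"
    return 0
  fi
  printf '%s: fail (%s)\n' "$1" "$reasons"
  return 1
}

# Configuration-side check: given the concatenated text of /etc/modprobe.d/*.conf ($1),
# print each of the remaining module names that has no "install <module> /bin/true" line.
missing_overrides() {
  conf="$1"
  shift
  for m in "$@"; do
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/true" \
      || printf '%s\n' "$m"
  done
}

# Constructed sample input. MODPROBE_CRAMFS and MODPROBE_UDF_OK copy the Stdout Line
# evidence the report shows; the "still loadable" udf output, the lsmod table and the
# modprobe.d contents are made up for the demonstration.
MODPROBE_CRAMFS='insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko
install /bin/true'
MODPROBE_UDF_OK='insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko
install /bin/true'
MODPROBE_UDF_BAD='insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko
insmod /lib/modules/5.4.0-26-generic/kernel/fs/udf/udf.ko'
LSMOD_SAMPLE='Module                  Size  Used by
udf                   106496  0
crc_itu_t              16384  1 udf
ext4                  745472  1'
MODPROBE_D_SAMPLE='# /etc/modprobe.d/cramfs.conf
install cramfs /bin/true
# /etc/modprobe.d/jffs2.conf
install jffs2 /bin/true'

# Usage over the samples; on a live host feed "$(modprobe -n -v "$m")", "$(lsmod)"
# and "$(cat /etc/modprobe.d/*.conf)" instead.
check_module cramfs "$MODPROBE_CRAMFS" "$LSMOD_SAMPLE" || :
check_module udf "$MODPROBE_UDF_BAD" "$LSMOD_SAMPLE" || :
printf 'no install override yet: %s\n' \
  "$(missing_overrides "$MODPROBE_D_SAMPLE" cramfs freevxfs jffs2 hfs hfsplus udf | tr '\n' ' ')"
```

The verdict separates "loadable" from "loaded" on purpose: after writing the modprobe.d override the first criterion passes immediately, but the second still fails until `rmmod` runs or the host reboots, which is exactly the state a scan taken between the two remediation steps will report.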
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled" role="full" severity="unknown" time="2022-04-13T17:15:55.960Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455919"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455919"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455919" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module udf is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td 
class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v udf</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko </td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455920"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455920"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455920" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module udf is not loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th 
scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v udf</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko </td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.
Configure /etc/fstab as appropriate.
Example:
tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0
OR run the following commands to enable systemd /tmp mounting:
Run the following command to copy the tmp.mount file to the correct location:
# cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/
Edit /etc/systemd/system/tmp.mount to configure the /tmp mount:
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec
Run the following command to reload the systemd daemon with the updated tmp.mount unit file:
# systemctl daemon-reload
Run the following command to enable and start tmp.mount
# systemctl --now enable tmp.mount
Impact:
Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition.
Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily.
/tmp utilizing tmpfs can be resized using the size={size} parameter on the Options line in the tmp.mount file.
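As an added example (not CIS-CAT's or the benchmark's code), the script below applies the same check that the Partition Item evidence records for /tmp, a separate mount carrying nosuid, nodev and noexec, to a captured /proc/mounts table, and reads the Options= line out of a tmp.mount unit so the unit from the remediation above can be vetted before `systemctl daemon-reload`. The three mount tables are constructed; the unit text is the one the remediation prescribes.

```shell
#!/bin/sh
# Added example, not CIS-CAT's or the benchmark's own code. It checks /tmp the way the
# report's Partition Item evidence does (separate mount, nosuid/nodev/noexec present) and
# validates the Options= line of a tmp.mount unit, over captured text so it runs offline.

REQUIRED_OPTS="nosuid nodev noexec"

# Options of the filesystem mounted exactly at $2, taken from a /proc/mounts table in $1
# (fields: device mountpoint fstype options dump pass). If /tmp is over-mounted, the
# last entry is the effective one. Empty output means /tmp is just a directory on /.
mount_options_for() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# Print the members of REQUIRED_OPTS absent from a comma-separated option list ($1).
missing_opts() {
  for o in $REQUIRED_OPTS; do
    case ",$1," in
      *",$o,"*) ;;
      *) printf '%s\n' "$o" ;;
    esac
  done
}

# Verdict for a mount table ($1): 0 if /tmp is its own mount with every required
# option, 1 otherwise, with a one-line reason on stdout.
tmp_mount_ok() {
  opts=$(mount_options_for "$1" /tmp)
  if [ -z "$opts" ]; then
    printf '/tmp is not a separate mount\n'
    return 1
  fi
  missing=$(missing_opts "$opts" | tr '\n' ' ')
  missing=${missing% }
  if [ -n "$missing" ]; then
    printf '/tmp is missing: %s\n' "$missing"
    return 1
  fi
  printf '/tmp ok (%s)\n' "$opts"
  return 0
}

# Options= value from the [Mount] section of a tmp.mount unit text ($1), so the unit can
# be checked before `systemctl daemon-reload` rather than after.
unit_mount_options() {
  printf '%s\n' "$1" | awk '/^\[/ { sec = $0 } sec == "[Mount]" && sub(/^Options=/, "") { print }'
}

# Constructed sample input: three /proc/mounts tables and the unit from the remediation.
PROC_MOUNTS_GOOD='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
PROC_MOUNTS_WEAK='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0'
PROC_MOUNTS_NONE='/dev/sda1 / ext4 rw,relatime 0 0'
TMP_MOUNT_UNIT='[Unit]
Description=Temporary Directory (/tmp)

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec'

# Usage over the samples; on a live host use "$(cat /proc/mounts)" and
# "$(cat /etc/systemd/system/tmp.mount)" instead.
tmp_mount_ok "$PROC_MOUNTS_GOOD" || :
tmp_mount_ok "$PROC_MOUNTS_WEAK" || :
tmp_mount_ok "$PROC_MOUNTS_NONE" || :
unit_missing=$(missing_opts "$(unit_mount_options "$TMP_MOUNT_UNIT")" | tr '\n' ' ')
printf 'tmp.mount Options= missing: %s\n' "${unit_missing:-nothing}"
```

The mount-table check reads the options the kernel actually applied, which is what matters when /etc/fstab and a tmp.mount unit disagree; the unit check catches a typo in Options= before the unit is enabled, when a failed mount would otherwise leave /tmp as a plain directory on / and the "not a separate mount" verdict would appear at the next scan.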
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured" role="full" severity="unknown" time="2022-04-13T17:15:55.961Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:ident system="URL">AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</xccdf:ident> <xccdf:ident system="URL">https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/</xccdf:ident> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519226"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519226"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519226" check="all" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td 
class="bold">Criterion:</td> <td>Ensure partition at /tmp and all</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Partition Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Mount Point</td> <td>String</td> <td>Exists</td> <td>/tmp</td> </tr> <tr> <td>Device</td> <td>String</td> <td>Exists</td> <td>tmpfs</td> </tr> <tr> <td>Uuid</td> <td>String</td> <td>Does not exist</td> <td>No Value</td> </tr> <tr> <td>Fs Type</td> <td>String</td> <td>Exists</td> <td>tmpfs</td> </tr> <tr> <td>Mount Options</td> <td>String</td> <td>Exists</td> <td>rw</td> </tr> <tr> <td>Mount Options</td> <td>String</td> <td>Exists</td> <td>nosuid</td> </tr> <tr> <td>Mount Options</td> <td>String</td> <td>Exists</td> <td>nodev</td> </tr> <tr> <td>Mount Options</td> <td>String</td> <td>Exists</td> <td>noexec</td> </tr> <tr> <td>Mount Options</td> <td>String</td> <td>Exists</td> <td>relatime</td> </tr> <tr> <td>Total Space</td> <td>Int</td> <td>Exists</td> <td>1533605</td> </tr> <tr> <td>Space Used</td> <td>Int</td> <td>Exists</td> <td>8</td> </tr> <tr> <td>Space Left</td> <td>Int</td> <td>Exists</td> <td>1533597</td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nodev mount option specifies that the filesystem cannot contain special devices.
Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.
Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:
If /etc/fstab is used to mount /tmp:
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp:
# mount -o remount,nodev /tmp
OR, if systemd is used to mount /tmp:
Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options:
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
Run the following command to reload the systemd daemon:
# systemctl daemon-reload
Run the following command to restart tmp.mount:
# systemctl restart tmp.mount
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.961Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455922 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455922 (check="all", check_existence="at_least_one_exists")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /tmp and all |
Existence Check: | At Least One Exists |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /tmp |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Mount Options | String | Exists | relatime |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 8 |
Space Left | Int | Exists | 1533597 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nosuid mount option specifies that the filesystem cannot contain setuid files.
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp:
# mount -o remount,nosuid /tmp
OR edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options:
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
Run the following command to remount /tmp:
# mount -o remount,nosuid /tmp
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.961Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455923 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455923 (check="all", check_existence="any_exist")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /tmp may exists and all have at least one partition option equals 'nosuid' (string) |
Existence Check: | Any Exist |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /tmp |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Mount Options | String | Exists | relatime |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 8 |
Space Left | Int | Exists | 1533597 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp:
# mount -o remount,noexec /tmp
OR edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options:
[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid
Run the following command to remount /tmp:
# mount -o remount,noexec /tmp
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.962Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455924 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455924 (check="all", check_existence="any_exist")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /tmp may exists{else}exists and all |
Existence Check: | Any Exist |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /tmp |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Mount Options | String | Exists | relatime |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 8 |
Space Left | Int | Exists | 1533597 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. |
Subcontrol: | 2.6 |
Label: | Address unapproved software |
Description: | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner |
/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd.
Any user can upload and execute files inside /dev/shm, similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless to an attacker as a place to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated: once the program was updated, the hardlink would be broken and the attacker would retain their own copy of the old program. If that program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Edit /etc/fstab and add or edit the following line:
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0
Run the following command to remount /dev/shm:
# mount -o remount,noexec,nodev,nosuid /dev/shm
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.962Z)
CIS Controls V7.0 idents: http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1 ; http://cisecurity.org/20-cc/v7.0/control/13
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519227 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519227 (check="all", check_existence="at_least_one_exists")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /dev/shm and all |
Existence Check: | At Least One Exists |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /dev/shm |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 0 |
Space Left | Int | Exists | 1533605 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
CIS Control Information | |
---|---|
Control: | The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. |
The nodev mount option specifies that the filesystem cannot contain special devices.
Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:
# mount -o remount,nosuid,nodev,noexec /dev/shm
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.962Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455926 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455926 (check="all", check_existence="any_exist")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /dev/shm may exists{else}exists and all |
Existence Check: | Any Exist |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /dev/shm |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 0 |
Space Left | Int | Exists | 1533605 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nosuid mount option specifies that the filesystem cannot contain setuid files.
Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:
# mount -o remount,nosuid,nodev,noexec /dev/shm
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.963Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455927 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455927 (check="all", check_existence="any_exist")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /dev/shm may exists{else}exists and all |
Existence Check: | Any Exist |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /dev/shm |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 0 |
Space Left | Int | Exists | 1533605 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:
# mount -o remount,nosuid,nodev,noexec /dev/shm
Check (AND): xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition
Result: pass (role full, severity unknown, weight 1.0, version 1, time 2022-04-13T17:15:55.963Z)
CIS Controls V7.0 ident: http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6
OVAL definition: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455928 (OVAL-Results-1)
OVAL test: oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455928 (check="all", check_existence="any_exist")
OVAL criterion | |
---|---|
Criterion: | Ensure partition at /dev/shm may exists{else}exists and all |
Existence Check: | Any Exist |
Item Check: | All |
Result: | Pass |
Partition Item
Name | Type | Status | Value |
---|---|---|---|
Mount Point | String | Exists | /dev/shm |
Device | String | Exists | tmpfs |
Uuid | String | Does not exist | No Value |
Fs Type | String | Exists | tmpfs |
Mount Options | String | Exists | rw |
Mount Options | String | Exists | nosuid |
Mount Options | String | Exists | nodev |
Mount Options | String | Exists | noexec |
Total Space | Int | Exists | 1533605 |
Space Used | Int | Exists | 0 |
Space Left | Int | Exists | 1533605 |
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. |
Subcontrol: | 2.6 |
Label: | Address unapproved software |
Description: | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner |
The nodev mount option specifies that the filesystem cannot contain special devices.
Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp.
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp:
# mount -o remount,nosuid,nodev,noexec /var/tmp
AND
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option" role="full" severity="unknown" time="2022-04-13T17:15:55.964Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519228"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519228"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519228" check="all" check_existence="any_exist"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nodev' (string)</td> </tr> <tr> <td class="bold">Existence Check:</td> 
<td>Any Exist</td> </tr> <tr> <td class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tr> <td>No matching system items were found.</td> </tr> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nosuid mount option specifies that the filesystem cannot contain setuid files.
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp.
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp:
# mount -o remount,nosuid,nodev,noexec /var/tmp
AND
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option" role="full" severity="unknown" time="2022-04-13T17:15:55.964Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456427"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456427"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456427" check="all" check_existence="any_exist"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nosuid' (string)</td> </tr> <tr> <td class="bold">Existence Check:</td> 
<td>Any Exist</td> </tr> <tr> <td class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tr> <td>No matching system items were found.</td> </tr> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /var/tmp:
# mount -o remount,nosuid,nodev,noexec /var/tmp
AND
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option" role="full" severity="unknown" time="2022-04-13T17:15:55.964Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456428"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456428"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456428" check="all" check_existence="any_exist"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure partition at /var/tmp may exists{else}exists and all</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>Any Exist</td> </tr> <tr> <td 
class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tr> <td>No matching system items were found.</td> </tr> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. |
Subcontrol: | 2.6 |
Label: | Address unapproved software |
Description: | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner |
The nodev mount option specifies that the filesystem cannot contain special devices.
Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.
Run the following command to remount /home:
# mount -o remount,nodev /home
AND
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option" role="full" severity="unknown" time="2022-04-13T17:15:55.965Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456429"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456429"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456429" check="all" check_existence="any_exist"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure partition at /home may exists{else}exists and all</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>Any Exist</td> </tr> <tr> <td class="bold">Item 
Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tr> <td>No matching system items were found.</td> </tr> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nodev mount option specifies that the filesystem cannot contain special devices.
Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions.
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions" role="unscored" severity="unknown" time="2022-04-13T17:15:55.965Z" version="1" weight="0.0"> <xccdf:result>notchecked</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The nosuid mount option specifies that the filesystem cannot contain setuid files.
Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions" role="unscored" severity="unknown" time="2022-04-13T17:15:55.965Z" version="1" weight="0.0"> <xccdf:result>notchecked</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system.
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions" role="unscored" severity="unknown" time="2022-04-13T17:15:55.965Z" version="1" weight="0.0"> <xccdf:result>notchecked</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6" system="http://cisecurity.org/20-cc/v7.0"/> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. |
Subcontrol: | 2.6 |
Label: | Address unapproved software |
Description: | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner |
Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user.
Run the following command to set the sticky bit on all world writable directories:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
AND
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories" role="full" severity="unknown" time="2022-04-13T17:15:55.966Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://open-scap.org/page/SCE" negate="false" multi-check="false"> <xccdf:check-content-ref href="sce/world_writable_dirs_sticky.sh"/> <xccdf:check-content> <command_result href="sce/world_writable_dirs_sticky.sh" xccdf="pass" script="/home/crosslife/Assessor-CLI/sce/world_writable_dirs_sticky.sh" exit-value="101"> <out/> <err/> <env/> </command_result> </xccdf:check-content> <evidence xmlns="http://cisecurity.org/evidence"> <div class="sce"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Script:</td> <td>sce/world_writable_dirs_sticky.sh</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> <tr> <td class="bold">Exit Value:</td> <td>101</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tbody 
class="tbe"> <tr> <td>No output lines were collected.</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tbody class="tbe"> <tr> <td>No error lines were collected.</td> </tr> </tbody> </table> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
Subcontrol: | 5.1 |
Label: | Establish Secure Configurations |
Description: | Maintain documented, standard security configuration standards for all authorized operating systems and software. |
autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.
With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in the system even if they lacked permissions to mount it themselves.
Run one of the following commands:
Run the following command to disable autofs:
# systemctl --now disable autofs
OR run the following command to remove autofs:
# apt purge autofs
Impact:
The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations are considered adequate, there is little value added in turning off automounting.
OR
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting" role="full" severity="unknown" time="2022-04-13T17:15:55.966Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/4" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/5" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="OR" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-export export-name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:var:1519231" value-id="xccdf_org.cisecurity.benchmarks_value_1519231_var"/> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519231"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519231"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519231" check="all" 
check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure systemd 'autofs.service' unit 'UnitFileState' property not equal enabled</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Systemdunitproperty Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Unit</td> <td>String</td> <td>Exists</td> <td>autofs.service</td> </tr> <tr> <td>Property</td> <td>String</td> <td>Exists</td> <td>UnitFileState</td> </tr> <tr class="evaluated"> <td>Value</td> <td>String</td> <td>Exists</td> <td>No Value</td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519232"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519232"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519232" check="all" check_existence="none_exist"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure package name equals 'autofs' is not installed</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>None Exist</td> </tr> <tr> <td class="bold">Item Check:</td> <td>All</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <tr> <td>No 
matching system items were found.</td> </tr> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
Subcontrol: | 8.4 |
Label: | Configure Anti-Malware Scanning of Removable Devices |
Description: | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. |
CIS Control Information | |
---|---|
Control: | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
Subcontrol: | 8.5 |
Label: | Configure Devices Not To Auto-Run Content |
Description: | Configure devices to not auto-run content from removable media. |
USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment.
Note: An alternative solution to disabling the usb-storage module may be found in USBGuard. Use of USBGuard and construction of USB device policies should be done in alignment with site policy.
Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
Example: vi /etc/modprobe.d/usb_storage.conf and add the following line:
install usb-storage /bin/true
Run the following command to unload the usb-storage module (it fails with "Module usb_storage is in use" while a USB storage device is still mounted, so unmount the device first):
rmmod usb-storage
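The procedure above, as an added example that is not text from the CIS benchmark or from this CIS-CAT report: it writes the modprobe override, checks for it the way the two OVAL tests in the report do, and keeps the file handling separate from the live checks so it can be exercised on a scratch directory. The modprobe.d path is a parameter (normally /etc/modprobe.d). Note that an `install` override only neutralises loading through modprobe; a root user can still `insmod` the module file directly, so this control is about shrinking the attack surface, not about stopping a privileged attacker.

```sh
#!/bin/sh
# Added example; this is not text from the CIS benchmark or from the CIS-CAT
# report above. It applies and then audits the usb-storage remediation. The
# modprobe.d directory is a parameter so the file handling can be exercised on
# a scratch directory; the live checks run only where modprobe/lsmod exist.

# write_usb_storage_override CONF_DIR
# Creates CONF_DIR/usb_storage.conf with the line the benchmark asks for.
write_usb_storage_override() {
    conf_dir="$1"
    mkdir -p "$conf_dir"
    printf 'install usb-storage /bin/true\n' > "$conf_dir/usb_storage.conf"
}

# conf_disables_usb_storage CONF_DIR
# Returns 0 if any *.conf in CONF_DIR carries an install override for the
# module (modprobe accepts both spellings, usb-storage and usb_storage).
conf_disables_usb_storage() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)([[:space:]]|$)' \
        "$1"/*.conf
}

# audit_usb_storage_live
# Mirrors the two OVAL tests in the report: the dry-run modprobe must resolve
# to "install /bin/true", and the module must not be loaded right now.
# Returns 0 on pass, 1 on fail, 2 if the tools are unavailable.
audit_usb_storage_live() {
    if ! command -v modprobe >/dev/null 2>&1 || ! command -v lsmod >/dev/null 2>&1; then
        echo "modprobe/lsmod not available; skipping live audit" >&2
        return 2
    fi
    status=0
    if ! modprobe -n -v usb-storage 2>/dev/null | grep -q '^install /bin/true'; then
        echo "FAIL: usb-storage is still loadable" >&2
        status=1
    fi
    if lsmod | grep -q '^usb_storage '; then
        echo "FAIL: usb_storage is loaded; unmount any USB media, then: rmmod usb-storage" >&2
        status=1
    fi
    return "$status"
}

# Exercise the file logic on a scratch directory so the script runs anywhere,
# then run the live audit if the host has the tools.
demo() {
    tmp="$(mktemp -d)"
    conf_disables_usb_storage "$tmp" && echo "unexpected: override already present"
    write_usb_storage_override "$tmp"
    conf_disables_usb_storage "$tmp" && echo "override in place: $(cat "$tmp/usb_storage.conf")"
    rm -rf "$tmp"
    audit_usb_storage_live || true
}

demo
```

To apply it for real, call `write_usb_storage_override /etc/modprobe.d` as root, run `rmmod usb-storage`, and then `audit_usb_storage_live` should return 0; the same grep in `conf_disables_usb_storage` is what you would drop into a configuration-management compliance test.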
AND |
|
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage" role="full" severity="unknown" time="2022-04-13T17:15:55.966Z" version="1" weight="1.0"> <xccdf:result>pass</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/4" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/5" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:complex-check operator="AND" negate="false"> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455960"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455960"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455960" check="none satisfy" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module usb-storage is not 
loaded</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>None satisfy</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v usb-storage</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" negate="false" multi-check="false"> <xccdf:check-content-ref href="#OVAL-Results-1" name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455961"/> <evidence xmlns="http://cisecurity.org/evidence"> <div class="definition" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455961"> <div class="criteria"> <div class="criterion" id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455961" check="at least one" check_existence="at_least_one_exists"> <table class="evidence-sep" width="100%"> <tbody class="tbe"> <tr> <td class="bold">Criterion:</td> <td>Ensure kernel module usb-storage is not loadable</td> </tr> <tr> <td class="bold">Existence Check:</td> <td>At Least One Exists</td> </tr> <tr> <td class="bold">Item Check:</td> <td>At least one</td> </tr> <tr> <td class="bold">Result:</td> <td class="pass">Pass</td> </tr> </tbody> </table> <table class="evidence" width="100%"> <caption>Shellcommand Item</caption> <thead> <tr> <th scope="col">Name</th> <th 
scope="col">Type</th> <th scope="col">Status</th> <th scope="col">Value</th> </tr> </thead> <tbody class="tbe"> <tr> <td>Command</td> <td>String</td> <td>Exists</td> <td>modprobe -n -v usb-storage</td> </tr> <tr> <td>Line Selection</td> <td>String</td> <td>Exists</td> <td>.+</td> </tr> <tr> <td>Exit Status</td> <td>Int</td> <td>Exists</td> <td>0</td> </tr> <tr class="evaluated"> <td>Stdout Line</td> <td>String</td> <td>Exists</td> <td>install /bin/true </td> </tr> </tbody> </table> </div> </div> </div> </evidence> </xccdf:check> </xccdf:complex-check> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
Subcontrol: | 8.4 |
Label: | Configure Anti-Malware Scanning of Removable Devices |
Description: | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. |
CIS Control Information | |
---|---|
Control: | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. |
Subcontrol: | 8.5 |
Label: | Configure Devices Not To Auto-Run Content |
Description: | Configure devices to not auto-run content from removable media. |
Debian family Linux distributions use apt to install and update software packages. Patch management procedures may vary widely between enterprises. Large enterprises may choose to run a local update server in place of the distribution's servers, whereas a single deployment of a system may prefer to get updates directly. Updates can be performed automatically or manually, depending on the site's policy for patch management. Many large enterprises prefer to test patches on a non-production system before rolling them out to production.
For the purpose of this benchmark, the requirement is to ensure that a patch management system is configured and maintained. The specifics on patch update procedures are left to the organization.
Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.
If a system's package repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software.
Configure your package manager repositories according to site policy.
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" role="unscored" severity="unknown" time="2022-04-13T17:15:55.966Z" version="1" weight="0.0"> <xccdf:result>notchecked</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/4" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/5" system="http://cisecurity.org/20-cc/v7.0"/> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
Subcontrol: | 3.4 |
Label: | Deploy Automated Operating System Patch Management Tools |
Description: | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. |
CIS Control Information | |
---|---|
Control: | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
Subcontrol: | 3.5 |
Label: | Deploy Automated Software Patch Management Tools |
Description: | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. |
Most package managers use GPG signatures to verify what they install; apt checks the signature on each repository's Release (or InRelease) file against its configured trusted keys and then verifies the hashes of downloaded packages against that file.
It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.
Update your package manager GPG keys in accordance with site policy.
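Both unscored items above (1.2.1 repositories, 1.2.2 signing keys) leave the specifics to site policy, which is why CIS-CAT reports them as "notchecked". The following is an added example, not part of the benchmark text or of this report, of what a concrete audit looks like: it parses sources.list-style entries, flags hosts outside an approved list, plain-http transports and `signed-by=` keyrings that do not exist, and lists the fingerprints in the keyrings apt trusts. The approved-host pattern and the keyring directories are assumptions to replace with your own policy; the sources file in `demo()` is constructed sample data.

```sh
#!/bin/sh
# Added example; not part of the CIS benchmark text or of this CIS-CAT report.
# It gives the two unscored items above (1.2.1 repositories, 1.2.2 signing keys)
# a concrete audit. The approved-host pattern and keyring directories are
# assumptions to be replaced with site policy; the sources file in demo() is
# constructed sample data, not a real host's configuration.

# audit_apt_sources FILE APPROVED_HOST_ERE
# Reads one-line-style entries ("deb [opt=val ...] uri suite components"),
# prints a WARN/FAIL finding per problem and returns 1 if any FAIL was printed.
audit_apt_sources() {
    file="$1"
    out="$(APT_APPROVED_HOSTS="$2" awk '
        /^[ \t]*deb(-src)?[ \t]/ {
            line = $0; opts = ""
            o = index(line, "["); c = index(line, "]")
            if (o > 0 && c > o) {                    # split off the [options] block
                opts = substr(line, o + 1, c - o - 1)
                line = substr(line, 1, o - 1) substr(line, c + 1)
            }
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/)                  # f[1]=deb|deb-src, f[2]=uri
            uri = f[2]
            scheme = uri; sub(/:.*/, "", scheme)
            host = uri; sub(/^[a-z+]+:\/\//, "", host)
            sub(/\/.*/, "", host); sub(/:.*/, "", host)
            if (scheme == "http")
                printf "WARN line %d: unencrypted transport for %s\n", NR, uri
            if (host !~ ENVIRON["APT_APPROVED_HOSTS"])
                printf "FAIL line %d: host %s is not an approved repository\n", NR, host
            n = split(opts, kv, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^signed-by=/) {
                    kr = substr(kv[i], 11)
                    if (system("test -r \"" kr "\"") != 0)
                        printf "FAIL line %d: signed-by keyring %s is missing\n", NR, kr
                }
        }' "$file")"
    [ -n "$out" ] && printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -q '^FAIL'
}

# list_apt_keys DIR...
# Prints "<keyring> <fingerprint>" for every binary keyring in the given
# directories; compare the fingerprints with the ones your policy approves.
list_apt_keys() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    for d in "$@"; do
        for kr in "$d"/*.gpg; do
            [ -r "$kr" ] || continue
            gpg --no-default-keyring --keyring "$kr" --list-keys --with-colons 2>/dev/null |
                awk -F: -v kr="$kr" '$1 == "fpr" { print kr, $10 }'
        done
    done
}

demo() {
    tmp="$(mktemp -d)"
    : > "$tmp/archive-keyring.gpg"                  # stand-in for a real keyring
    cat > "$tmp/sources.list" <<EOF
# constructed sample, not a real host's configuration
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64 signed-by=$tmp/archive-keyring.gpg] https://mirror.example.internal/ubuntu focal-security main
deb [signed-by=/nonexistent/vendor.gpg] https://pkgs.example.net/apt stable main
EOF
    if audit_apt_sources "$tmp/sources.list" '^(archive\.ubuntu\.com|mirror\.example\.internal)$'; then
        echo "repositories: OK"
    else
        echo "repositories: review the FAIL lines above"
    fi
    # Keyring locations used by the Debian/Ubuntu apt packaging (assumed here).
    list_apt_keys /etc/apt/trusted.gpg.d /usr/share/keyrings || true
    rm -rf "$tmp"
}
demo
```

Plain http is only a WARN because apt's signature check on the Release file still protects package integrity; it is still worth flagging, since it exposes which packages a host installs and relies entirely on the key check. Keys dropped into /etc/apt/trusted.gpg.d are trusted for every repository, which is why a per-repository `signed-by=` keyring, as checked above, is the safer layout.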
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" role="unscored" severity="unknown" time="2022-04-13T17:15:55.966Z" version="1" weight="0.0"> <xccdf:result>notchecked</xccdf:result> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/4" system="http://cisecurity.org/20-cc/v7.0"/> <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/5" system="http://cisecurity.org/20-cc/v7.0"/> </xccdf:rule-result>
References:
CIS Controls V7.0:
CIS Control Information | |
---|---|
Control: | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
Subcontrol: | 3.4 |
Label: | Deploy Automated Operating System Patch Management Tools |
Description: | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. |
CIS Control Information | |
---|---|
Control: | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. |
Subcontrol: | 3.5 |
Label: | Deploy Automated Software Patch Management Tools |
Description: | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. |
AIDE is a file integrity checking tool, similar in nature to Tripwire. While it cannot prevent intrusions, it can detect unauthorized changes to configuration files by alerting when the files are changed. When setting up AIDE, decide internally what the site policy will be concerning integrity checking. Review the AIDE quick start guide and AIDE documentation before proceeding.
AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
By monitoring filesystem state, compromised files can be detected, which limits the exposure from accidental or malicious misconfigurations or modified binaries. The AIDE database is itself a target: an attacker with root access can regenerate it after making changes, so keep a copy of the database (and of the aide binary and its configuration) on read-only or offline storage and compare against that copy.
Install AIDE using the appropriate package manager or manual installation:
# apt install aide aide-common
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Run the following commands to initialize AIDE:
# aideinit
# mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
AND |
|
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cc6="http://cisecurity.org/20-cc/v6.1"