
Over time we have seen more and more customers asking for CIS hardening details on the Snare Central v8 install. Snare Central v7 used STIG and some CIS technical controls. Snare Central v8 now has full coverage of the CIS controls, which extend the STIG technical controls. The cisecurity.org site provides a multitude of security review and hardening build standards for many operating systems. The STIG hardening controls for Snare Central v8 are based on https://www.stigviewer.com/stig/canonical_ubuntu_18.04_lts/

The CIS Benchmark for Ubuntu Linux provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 18.04 LTS systems running on x86 and x64 platforms. Many lists are included, covering filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions, and additional similar items may exist which should be considered in addition to those explicitly mentioned. The full document can be reviewed here:

Attached file: CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v1.0.0.pdf (also available on the cisecurity.org site).



Note: CIS requires auditd to be enabled on the system for it to be compliant. Snare Central enables the auditing system only when STIG compliance is enabled, so STIG must be enabled for Snare Central to be fully CIS compliant.

We used the Nessus vulnerability scanner for a CIS compliance assessment of Snare Central. The following table lists all Nessus benchmark items that are assessed:

| Chapter / Section / Index | Title | v8.x.x enabled | Page | Notes |
|---|---|---|---|---|
| 1 | Initial Setup | | 20 | |
| 1.1 | Filesystem Configuration | | 20 | |
| 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | always | 21 | |
| 1.1.1.2 | Ensure mounting of freevxfs filesystems is disabled | always | 23 | |
| 1.1.1.3 | Ensure mounting of jffs2 filesystems is disabled | always | 25 | |
| 1.1.1.4 | Ensure mounting of hfs filesystems is disabled | always | 27 | |
| 1.1.1.5 | Ensure mounting of hfsplus filesystems is disabled | always | 29 | |
| 1.1.1.6 | Ensure mounting of udf filesystems is disabled | always | 31 | |
| 1.1.2 | Ensure separate partition exists for /tmp | always | 33 | |
| 1.1.3 | Ensure nodev option set on /tmp partition | always | 35 | |
| 1.1.4 | Ensure nosuid option set on /tmp partition | always | 36 | |
| 1.1.5 | Ensure separate partition exists for /var | always | 37 | |
| 1.1.6 | Ensure separate partition exists for /var/tmp | always | 38 | |
| 1.1.7 | Ensure nodev option set on /var/tmp partition | always | 40 | |
| 1.1.8 | Ensure nosuid option set on /var/tmp partition | always | 41 | |
| 1.1.9 | Ensure noexec option set on /var/tmp partition | always | 42 | |
| 1.1.10 | Ensure separate partition exists for /var/log | always | 43 | |
| 1.1.11 | Ensure separate partition exists for /var/log/audit | always | 45 | |
| 1.1.12 | Ensure separate partition exists for /home | always | 47 | |
| 1.1.13 | Ensure nodev option set on /home partition | always | 48 | |
| 1.1.14 | Ensure nodev option set on /dev/shm partition (/run) | always | 49 | |
| 1.1.15 | Ensure nosuid option set on /dev/shm partition (/run) | always | 50 | |
| 1.1.16 | Ensure noexec option set on /dev/shm partition (/run) | always | 51 | |
| 1.1.17 | Ensure nodev option set on removable media partitions | always | 52 | |
| 1.1.18 | Ensure nosuid option set on removable media partitions | always | 53 | |
| 1.1.19 | Ensure noexec option set on removable media partitions | always | 54 | |
| 1.1.20 | Ensure sticky bit is set on all world-writable directories | always | 55 | |
| 1.1.21 | Disable Automounting | always | 56 | |
| 1.2 | Configure Software Updates | | 58 | |
| 1.2.1 | Ensure package manager repositories are configured | always | 58 | |
| 1.2.2 | Ensure GPG keys are configured | always | 60 | |
| 1.3 | Filesystem Integrity Checking | | 61 | |
| 1.3.1 | Ensure AIDE is installed | always | 61 | |
| 1.3.2 | Ensure filesystem integrity is regularly checked | always | 63 | |
| 1.4 | Secure Boot Settings | | 65 | |
| 1.4.1 | Ensure permissions on bootloader config are configured | always | 65 | |
| 1.4.2 | Ensure bootloader password is set | always | 67 | Customer to set, see the notes below |
| 1.4.3 | Ensure authentication required for single user mode | always | 70 | |
| 1.5 | Additional Process Hardening | | 71 | |
| 1.5.1 | Ensure core dumps are restricted | always | 71 | |
| 1.5.2 | Ensure XD/NX support is enabled | always | 73 | |
| 1.5.3 | Ensure address space layout randomization (ASLR) is enabled | always | 75 | |
| 1.5.4 | Ensure prelink is disabled | always | 77 | |
| 1.6 | Mandatory Access Control | | 78 | |
| 1.6.1.1 | Ensure SELinux is not disabled in bootloader configuration | always | 81 | |
| 1.6.1.2 | Ensure the SELinux state is enforcing | always | 83 | |
| 1.6.1.3 | Ensure SELinux policy is configured | always | 84 | |
| 1.6.1.4 | Ensure no unconfined daemons exist | always | 85 | |
| 1.6.2.1 | Ensure AppArmor is not disabled in bootloader configuration | always | 88 | |
| 1.6.2.2 | Ensure all AppArmor Profiles are enforcing | always | 90 | |
| 1.6.3 | Ensure SELinux or AppArmor are installed | always | 92 | |
| 1.7 | Warning Banners | | 93 | |
| 1.7.1.1 | Ensure message of the day is configured properly | always | 94 | |
| 1.7.1.2 | Ensure local login warning banner is configured properly | always | 96 | |
| 1.7.1.3 | Ensure remote login warning banner is configured properly | always | 98 | |
| 1.7.1.4 | Ensure permissions on /etc/motd are configured | always | 100 | |
| 1.7.1.5 | Ensure permissions on /etc/issue are configured | always | 101 | |
| 1.7.1.6 | Ensure permissions on /etc/issue.net are configured | always | 102 | |
| 1.7.2 | Ensure GDM login banner is configured | always | 103 | |
| 1.8 | Ensure updates, patches and additional security software are installed | | 104 | Snare Central patches the system with OS and security updates with each new release. |
| 2 | Services | | 106 | |
| 2.1 | inetd Services | | 107 | |
| 2.1.1 | Ensure chargen services are not enabled | always | 107 | |
| 2.1.2 | Ensure daytime services are not enabled | always | 109 | |
| 2.1.3 | Ensure discard services are not enabled | always | 110 | |
| 2.1.4 | Ensure echo services are not enabled | always | 111 | |
| 2.1.5 | Ensure time services are not enabled | always | 112 | |
| 2.1.6 | Ensure rsh server is not enabled | always | 113 | |
| 2.1.7 | Ensure talk server is not enabled | always | 115 | |
| 2.1.8 | Ensure telnet server is not enabled | always | 116 | |
| 2.1.9 | Ensure tftp server is not enabled | always | 118 | |
| 2.1.10 | Ensure xinetd is not enabled | always | 119 | |
| 2.1.11 | Ensure openbsd-inetd is not installed | always | 120 | |
| 2.2 | Special Purpose Services | | 121 | |
| 2.2.1.1 | Ensure time synchronization is in use | always | 122 | false positive |
| 2.2.1.2 | Ensure ntp is configured | always | 124 | |
| 2.2.1.3 | Ensure chrony is configured | always | 126 | false positive |
| 2.2.2 | Ensure X Window System is not installed | always | 128 | |
| 2.2.3 | Ensure Avahi Server is not enabled | always | 129 | |
| 2.2.4 | Ensure CUPS is not enabled | always | 130 | |
| 2.2.5 | Ensure DHCP Server is not enabled | always | 132 | |
| 2.2.6 | Ensure LDAP server is not enabled | always | 134 | |
| 2.2.7 | Ensure NFS and RPC are not enabled | always | 136 | false positive |
| 2.2.8 | Ensure DNS Server is not enabled | always | 138 | |
| 2.2.9 | Ensure FTP Server is not enabled | always | 139 | |
| 2.2.10 | Ensure HTTP server is not enabled | always | 141 | The website redirects from HTTP to HTTPS on the login page |
| 2.2.11 | Ensure IMAP and POP3 server is not enabled | always | 142 | |
| 2.2.12 | Ensure Samba is not enabled | always | 143 | false positive |
| 2.2.13 | Ensure HTTP Proxy Server is not enabled | always | 144 | |
| 2.2.14 | Ensure SNMP Server is not enabled | always | 145 | false positive |
| 2.2.15 | Ensure mail transfer agent is configured for local-only mode | always | 147 | |
| 2.2.16 | Ensure rsync service is not enabled | always | 149 | false positive |
| 2.2.17 | Ensure NIS Server is not enabled | always | 150 | |
| 2.3 | Service Clients | | 151 | |
| 2.3.1 | Ensure NIS Client is not installed | always | 151 | |
| 2.3.2 | Ensure rsh client is not installed | always | 153 | |
| 2.3.3 | Ensure talk client is not installed | always | 155 | |
| 2.3.4 | Ensure telnet client is not installed | always | 156 | |
| 2.3.5 | Ensure LDAP client is not installed | always | 158 | false positive |
| 3 | Network Configuration | | 159 | |
| 3.1 | Network Parameters (Host Only) | | 160 | |
| 3.1.1 | Ensure IP forwarding is disabled | always | 160 | |
| 3.1.2 | Ensure packet redirect sending is disabled | always | 162 | |
| 3.2 | Network Parameters (Host and Router) | | 164 | |
| 3.2.1 | Ensure source routed packets are not accepted | always | 164 | |
| 3.2.2 | Ensure ICMP redirects are not accepted | always | 166 | |
| 3.2.3 | Ensure secure ICMP redirects are not accepted | always | 168 | |
| 3.2.4 | Ensure suspicious packets are logged | always | 170 | |
| 3.2.5 | Ensure broadcast ICMP requests are ignored | always | 172 | |
| 3.2.6 | Ensure bogus ICMP responses are ignored | always | 174 | |
| 3.2.7 | Ensure Reverse Path Filtering is enabled | always | 176 | |
| 3.2.8 | Ensure TCP SYN Cookies is enabled | always | 178 | |
| 3.3 | IPv6 | | 180 | |
| 3.3.1 | Ensure IPv6 router advertisements are not accepted | always | 180 | |
| 3.3.2 | Ensure IPv6 redirects are not accepted | always | 182 | |
| 3.3.3 | Ensure IPv6 is disabled | always | 184 | |
| 3.4 | TCP Wrappers | | 186 | |
| 3.4.1 | Ensure TCP Wrappers is installed | always | 186 | |
| 3.4.2 | Ensure /etc/hosts.allow is configured | always | 188 | false positive |
| 3.4.3 | Ensure /etc/hosts.deny is configured | always | 190 | false positive |
| 3.4.4 | Ensure permissions on /etc/hosts.allow are configured | always | 191 | |
| 3.4.5 | Ensure permissions on /etc/hosts.deny are configured | always | 192 | |
| 3.5 | Uncommon Network Protocols | | 193 | |
| 3.5.1 | Ensure DCCP is disabled | always | 193 | |
| 3.5.2 | Ensure SCTP is disabled | always | 195 | |
| 3.5.3 | Ensure RDS is disabled | always | 197 | |
| 3.5.4 | Ensure TIPC is disabled | always | 198 | |
| 3.6 | Firewall Configuration | | 199 | |
| 3.6.1 | Ensure iptables is installed | always | 200 | |
| 3.6.2 | Ensure default deny firewall policy | always | 201 | |
| 3.6.3 | Ensure loopback traffic is configured | always | 203 | |
| 3.6.4 | Ensure outbound and established connections are configured | always | 205 | |
| 3.6.5 | Ensure firewall rules exist for all open ports | always | 207 | |
| 3.7 | Ensure wireless interfaces are disabled | always | 209 | |
| 4 | Logging and Auditing | | 211 | |
| 4.1 | Configure System Accounting (auditd) | | 212 | |
| 4.1.1.1 | Ensure audit log storage size is configured | always | 213 | |
| 4.1.1.2 | Ensure system is disabled when audit logs are full | always | 215 | false positive |
| 4.1.1.3 | Ensure audit logs are not automatically deleted | always | 216 | false positive |
| 4.1.2 | Ensure auditd service is enabled | needs STIG | 217 | |
| 4.1.3 | Ensure auditing for processes that start prior to auditd is enabled | needs STIG | 218 | |
| 4.1.4 | Ensure events that modify date and time information are collected | needs STIG | 220 | |
| 4.1.5 | Ensure events that modify user/group information are collected | needs STIG | 223 | |
| 4.1.6 | Ensure events that modify the system's network environment are collected | needs STIG | 225 | |
| 4.1.7 | Ensure events that modify the system's Mandatory Access Controls are collected | needs STIG | 228 | |
| 4.1.8 | Ensure login and logout events are collected | needs STIG | 230 | |
| 4.1.9 | Ensure session initiation information is collected | needs STIG | 232 | |
| 4.1.10 | Ensure discretionary access control permission modification events are collected | needs STIG | 234 | |
| 4.1.11 | Ensure unsuccessful unauthorized file access attempts are collected | needs STIG | 238 | |
| 4.1.12 | Ensure use of privileged commands is collected | needs STIG | 241 | |
| 4.1.13 | Ensure successful file system mounts are collected | needs STIG | 243 | |
| 4.1.14 | Ensure file deletion events by users are collected | needs STIG | 246 | |
| 4.1.15 | Ensure changes to system administration scope (sudoers) is collected | needs STIG | 248 | |
| 4.1.16 | Ensure system administrator actions (sudolog) are collected | needs STIG | 250 | |
| 4.1.17 | Ensure kernel module loading and unloading is collected | needs STIG | 252 | |
| 4.1.18 | Ensure the audit configuration is immutable | needs STIG | 255 | |
| 4.2 | Configure Logging | | 257 | |
| 4.2.1.1 | Ensure rsyslog Service is enabled | always | 258 | |
| 4.2.1.2 | Ensure logging is configured | always | 260 | |
| 4.2.1.3 | Ensure rsyslog default file permissions configured | always | 262 | |
| 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | always | 264 | false positive |
| 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | always | 266 | false positive |
| 4.2.2.1 | Ensure syslog-ng service is enabled | always | 268 | |
| 4.2.2.2 | Ensure logging is configured | always | 270 | |
| 4.2.2.3 | Ensure syslog-ng default file permissions configured | always | 273 | |
| 4.2.2.4 | Ensure syslog-ng is configured to send logs to a remote log host | always | 275 | |
| 4.2.2.5 | Ensure remote syslog-ng messages are only accepted on designated log hosts | always | 277 | |
| 4.2.3 | Ensure rsyslog or syslog-ng is installed | always | 279 | |
| 4.2.4 | Ensure permissions on all logfiles are configured | always | 281 | |
| 4.3 | Ensure logrotate is configured | always | 282 | |
| 5 | Access, Authentication and Authorization | | 283 | |
| 5.1 | Configure cron | | 284 | |
| 5.1.1 | Ensure cron daemon is enabled | always | 284 | |
| 5.1.2 | Ensure permissions on /etc/crontab are configured | always | 285 | |
| 5.1.3 | Ensure permissions on /etc/cron.hourly are configured | always | 287 | |
| 5.1.4 | Ensure permissions on /etc/cron.daily are configured | always | 289 | |
| 5.1.5 | Ensure permissions on /etc/cron.weekly are configured | always | 291 | |
| 5.1.6 | Ensure permissions on /etc/cron.monthly are configured | always | 293 | |
| 5.1.7 | Ensure permissions on /etc/cron.d are configured | always | 295 | |
| 5.1.8 | Ensure at/cron is restricted to authorized users | always | 297 | |
| 5.2 | SSH Server Configuration | always | 299 | |
| 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured | always | 299 | |
| 5.2.2 | Ensure SSH Protocol is set to 2 | always | 301 | |
| 5.2.3 | Ensure SSH LogLevel is set to INFO | always | 302 | |
| 5.2.4 | Ensure SSH X11 forwarding is disabled | always | 303 | |
| 5.2.5 | Ensure SSH MaxAuthTries is set to 4 or less | always | 304 | |
| 5.2.6 | Ensure SSH IgnoreRhosts is enabled | always | 305 | |
| 5.2.7 | Ensure SSH HostbasedAuthentication is disabled | always | 306 | |
| 5.2.8 | Ensure SSH root login is disabled | always | 307 | |
| 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | always | 308 | |
| 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | always | 309 | |
| 5.2.11 | Ensure only approved MAC algorithms are used | always | 310 | |
| 5.2.12 | Ensure SSH Idle Timeout Interval is configured | always | 312 | |
| 5.2.13 | Ensure SSH LoginGraceTime is set to one minute or less | always | 314 | |
| 5.2.14 | Ensure SSH access is limited | always | 315 | |
| 5.2.15 | Ensure SSH warning banner is configured | always | 317 | |
| 5.3 | Configure PAM | | 318 | |
| 5.3.1 | Ensure password creation requirements are configured | always | 318 | false positive |
| 5.3.2 | Ensure lockout for failed password attempts is configured | always | 321 | |
| 5.3.3 | Ensure password reuse is limited | always | 323 | |
| 5.3.4 | Ensure password hashing algorithm is SHA-512 | always | 325 | |
| 5.4 | User Accounts and Environment | | 327 | |
| 5.4.1.1 | Ensure password expiration is 365 days or less | always | 328 | |
| 5.4.1.2 | Ensure minimum days between password changes is 7 or more | always | 330 | |
| 5.4.1.3 | Ensure password expiration warning days is 7 or more | always | 332 | |
| 5.4.1.4 | Ensure inactive password lock is 30 days or less | always | 334 | |
| 5.4.1.5 | Ensure all users last password change date is in the past | always | 336 | |
| 5.4.2 | Ensure system accounts are non-login | always | 337 | |
| 5.4.3 | Ensure default group for the root account is GID 0 | always | 339 | |
| 5.4.4 | Ensure default user umask is 027 or more restrictive | always | 340 | |
| 5.4.5 | Ensure default user shell timeout is 900 seconds or less | always | 342 | |
| 5.5 | Ensure root login is restricted to system console | always | 344 | |
| 5.6 | Ensure access to the su command is restricted | always | 345 | |
| 6 | System Maintenance | | 347 | |
| 6.1 | System File Permissions | | 348 | |
| 6.1.1 | Audit system file permissions | always | 348 | |
| 6.1.2 | Ensure permissions on /etc/passwd are configured | always | 350 | |
| 6.1.3 | Ensure permissions on /etc/shadow are configured | always | 351 | |
| 6.1.4 | Ensure permissions on /etc/group are configured | always | 353 | |
| 6.1.5 | Ensure permissions on /etc/gshadow are configured | always | 354 | |
| 6.1.6 | Ensure permissions on /etc/passwd- are configured | always | 355 | |
| 6.1.7 | Ensure permissions on /etc/shadow- are configured | always | 356 | |
| 6.1.8 | Ensure permissions on /etc/group- are configured | always | 358 | |
| 6.1.9 | Ensure permissions on /etc/gshadow- are configured | always | 359 | |
| 6.1.10 | Ensure no world writable files exist | always | 361 | false positive |
| 6.1.11 | Ensure no unowned files or directories exist | always | 363 | |
| 6.1.12 | Ensure no ungrouped files or directories exist | always | 364 | |
| 6.1.13 | Audit SUID executables | always | 365 | |
| 6.1.14 | Audit SGID executables | always | 367 | |
| 6.2 | User and Group Settings | | 369 | |
| 6.2.1 | Ensure password fields are not empty | always | 369 | |
| 6.2.2 | Ensure no legacy "+" entries exist in /etc/passwd | always | 371 | |
| 6.2.3 | Ensure no legacy "+" entries exist in /etc/shadow | always | 372 | |
| 6.2.4 | Ensure no legacy "+" entries exist in /etc/group | always | 373 | |
| 6.2.5 | Ensure root is the only UID 0 account | always | 374 | |
| 6.2.6 | Ensure root PATH Integrity | always | 375 | |
| 6.2.7 | Ensure all users' home directories exist | always | 377 | |
| 6.2.8 | Ensure users' home directories permissions are 750 or more restrictive | always | 378 | |
| 6.2.9 | Ensure users own their home directories | always | 380 | |
| 6.2.10 | Ensure users' dot files are not group or world writable | always | 382 | |
| 6.2.11 | Ensure no users have .forward files | always | 384 | |
| 6.2.12 | Ensure no users have .netrc files | always | 386 | |
| 6.2.13 | Ensure users' .netrc Files are not group or world accessible | always | 388 | |
| 6.2.14 | Ensure no users have .rhosts files | always | 391 | |
| 6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | always | 393 | |
| 6.2.16 | Ensure no duplicate UIDs exist | always | 394 | |
| 6.2.17 | Ensure no duplicate GIDs exist | always | 395 | |
| 6.2.18 | Ensure no duplicate user names exist | always | 397 | |
| 6.2.19 | Ensure no duplicate group names exist | always | 398 | |
| 6.2.20 | Ensure shadow group is empty | always | 400 | |


CIS vs STIG: the only conflict, and how it was resolved:

CIS recommendation 5.2.11 states that we need to "Ensure only approved MAC algorithms are used", while STIG V-23826 requires that the SSH daemon only use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). After some research, this document: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2907.pdf indicates that if we use the CIS settings for this parameter we still satisfy the FIPS 140-2 validated cryptographic module requirement, and in consequence STIG V-23826 as well.
So the MACs parameter in sshd_config for STIG changed from this:
    MACs hmac-sha1
to this one, which allows only the CIS-approved MAC algorithms:
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
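As an added check (not part of the Snare Central page or product), the script below compares the MAC algorithms an sshd instance actually offers, as printed by `sshd -T`, against the CIS 5.2.11 list above; it also accepts a raw `MACs` line from sshd_config. The `sshd -T` lines used here are constructed samples for the old and new settings so the script runs offline.

```shell
#!/bin/sh
# Added example: verify sshd's effective MACs against the CIS 5.2.11 list.
# On a live host feed it the real line: check_sshd_macs "$(sshd -T | grep '^macs ')"
# Here constructed sample lines are used so the script runs offline.

CIS_APPROVED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"

# check_sshd_macs "<macs line as printed by sshd -T, or a MACs line from sshd_config>"
# Prints OK/FAIL per offered MAC. Returns 0 only if at least one MAC is
# offered and every offered MAC is on the CIS-approved list; 1 otherwise.
check_sshd_macs() {
    line=$1
    # "macs a,b,c" -> "a b c" (keyword match is case-insensitive)
    macs=$(printf '%s\n' "$line" | awk 'tolower($1)=="macs" {print $2}' | tr ',' ' ')
    if [ -z "$macs" ]; then
        echo "FAIL no MACs found in: $line"
        return 1
    fi
    rc=0
    for mac in $macs; do
        case " $CIS_APPROVED_MACS " in
            *" $mac "*) echo "OK   $mac" ;;
            *) echo "FAIL $mac is not in the CIS 5.2.11 approved list"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the former STIG-only setting and the corrected one.
OLD_MACS_LINE="macs hmac-sha1"
NEW_MACS_LINE="macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

echo "== former setting =="
check_sshd_macs "$OLD_MACS_LINE" || echo "=> does not meet CIS 5.2.11"
echo "== current setting =="
check_sshd_macs "$NEW_MACS_LINE" && echo "=> meets CIS 5.2.11"
```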


False positives:

| Index | Benchmark item | Reason |
|---|---|---|
| 2.2.1.1 | Ensure time synchronization is in use | Snare Central runs ntpdate daily; the ntp source server is set by the customer during the install. |
| 2.2.1.3 | Ensure chrony is configured | Snare Central does not use chrony. |
| 2.2.7 | Ensure NFS and RPC are not enabled | User can disable NFS from the UI. |
| 2.2.12 | Ensure Samba is not enabled | User can disable Samba from the UI. |
| 2.2.14 | Ensure SNMP Server is not enabled | User can disable SNMP from the UI. |
| 2.2.16 | Ensure rsync service is not enabled | rsync is used for side-by-side migration only. |
| 2.3.5 | Ensure LDAP client is not installed | Snare Central comes with the LDAP client. |
| 3.4.2 | Ensure /etc/hosts.allow is configured | The contents depend on the user's network layout. |
| 3.4.3 | Ensure /etc/hosts.deny is configured | The contents depend on the user's network layout. |
| 4.1.1.2 | Ensure system is disabled when audit logs are full | Snare Central uses SUSPEND instead of HALT: as Snare Central is a logging system, it needs to keep operating. |
| 4.1.1.3 | Ensure audit logs are not automatically deleted | Snare Central uses ROTATE instead of KEEP. |
| 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | Not applicable. Snare Central is the central logging system, so it collects its own logs as well as those of other systems; the context is different from what the CIS checklist is asking for. |
| 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | Not applicable. |
| 5.3.1 | Ensure password creation requirements are configured | Snare Central uses pam_cracklib to help enforce password complexity. |
| 6.1.10 | Ensure no world writable files exist | The Apache web server needs this one file only: /tmp/perf-23853.map (owner: www-data, group: www-data, permissions: 0666). |

Won't do:
    1.4.2    Ensure bootloader password is set.    This needs to be done manually by the sysadmin.