

CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

The CIS Controls™ and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals.


Over time we have seen more and more customers asking for CIS hardening details on the Snare v8 install. The v8 install already has a baseline applied around STIG, but this does not go far enough: customers are asking for a CIS template, which carries additional controls. The cisecurity.org site provides a multitude of security review and hardening build standards for many operating systems.


The CIS Benchmark for Ubuntu Linux provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 18.04 LTS systems running on x86 and x64 platforms. The benchmark includes many lists (filesystem types, services, clients and network protocols). Not all items in these lists are guaranteed to exist on all distributions, and additional similar items may exist which should be considered in addition to those explicitly mentioned. The full document can be reviewed here:


 


Note

CIS requires auditd to be enabled on the system for it to be compliant. Snare Central enables the audit subsystem only when STIG compliance is enabled, so STIG must be enabled for Snare Central to be fully CIS compliant.

We used the Nessus vulnerability scanner for a CIS compliance assessment of Snare Central. The following table lists all Nessus benchmark items that were assessed, whether each is enabled in the v8.x.x template (always, or only when STIG is enabled), and the page of the CIS benchmark document that describes it:








| Chapter | Section | Index | Title | v8.x.x enabled | Page |
|---|---|---|---|---|---|
| 1 | | | Initial Setup | | 20 |
| | 1.1 | | Filesystem Configuration | | 20 |
| | | 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | always | 21 |
| | | 1.1.1.2 | Ensure mounting of freevxfs filesystems is disabled | always | 23 |
| | | 1.1.1.3 | Ensure mounting of jffs2 filesystems is disabled | always | 25 |
| | | 1.1.1.4 | Ensure mounting of hfs filesystems is disabled | always | 27 |
| | | 1.1.1.5 | Ensure mounting of hfsplus filesystems is disabled | always | 29 |
| | | 1.1.1.6 | Ensure mounting of udf filesystems is disabled | always | 31 |
| | | 1.1.2 | Ensure separate partition exists for /tmp | always | 33 |
| | | 1.1.3 | Ensure nodev option set on /tmp partition | always | 35 |
| | | 1.1.4 | Ensure nosuid option set on /tmp partition | always | 36 |
| | | 1.1.5 | Ensure separate partition exists for /var | always | 37 |
| | | 1.1.6 | Ensure separate partition exists for /var/tmp | always | 38 |
| | | 1.1.7 | Ensure nodev option set on /var/tmp partition | always | 40 |
| | | 1.1.8 | Ensure nosuid option set on /var/tmp partition | always | 41 |
| | | 1.1.9 | Ensure noexec option set on /var/tmp partition | always | 42 |
| | | 1.1.10 | Ensure separate partition exists for /var/log | always | 43 |
| | | 1.1.11 | Ensure separate partition exists for /var/log/audit | always | 45 |
| | | 1.1.12 | Ensure separate partition exists for /home | always | 47 |
| | | 1.1.13 | Ensure nodev option set on /home partition | always | 48 |
| | | 1.1.14 | Ensure nodev option set on /dev/shm partition (/run) | always | 49 |
| | | 1.1.15 | Ensure nosuid option set on /dev/shm partition (/run) | always | 50 |
| | | 1.1.16 | Ensure noexec option set on /dev/shm partition (/run) | always | 51 |
| | | 1.1.17 | Ensure nodev option set on removable media partitions | always | 52 |
| | | 1.1.18 | Ensure nosuid option set on removable media partitions | always | 53 |
| | | 1.1.19 | Ensure noexec option set on removable media partitions | always | 54 |
| | | 1.1.20 | Ensure sticky bit is set on all world-writable directories | always | 55 |
| | | 1.1.21 | Disable Automounting | always | 56 |
| | 1.2 | | Configure Software Updates | | 58 |
| | | 1.2.1 | Ensure package manager repositories are configured | always | 58 |
| | | 1.2.2 | Ensure GPG keys are configured | always | 60 |
| | 1.3 | | Filesystem Integrity Checking | | 61 |
| | | 1.3.1 | Ensure AIDE is installed | always | 61 |
| | | 1.3.2 | Ensure filesystem integrity is regularly checked | always | 63 |
| | 1.4 | | Secure Boot Settings | | 65 |
| | | 1.4.1 | Ensure permissions on bootloader config are configured | always | 65 |
| | | 1.4.2 | Ensure bootloader password is set | always | 67 |
| | | 1.4.3 | Ensure authentication required for single user mode | always | 70 |
| | 1.5 | | Additional Process Hardening | | 71 |
| | | 1.5.1 | Ensure core dumps are restricted | always | 71 |
| | | 1.5.2 | Ensure XD/NX support is enabled | always | 73 |
| | | 1.5.3 | Ensure address space layout randomization (ASLR) is enabled | always | 75 |
| | | 1.5.4 | Ensure prelink is disabled | always | 77 |
| | 1.6 | | Mandatory Access Control | | 78 |
| | | 1.6.1.1 | Ensure SELinux is not disabled in bootloader configuration | always | 81 |
| | | 1.6.1.2 | Ensure the SELinux state is enforcing | always | 83 |
| | | 1.6.1.3 | Ensure SELinux policy is configured | always | 84 |
| | | 1.6.1.4 | Ensure no unconfined daemons exist | always | 85 |
| | | 1.6.2.1 | Ensure AppArmor is not disabled in bootloader configuration | always | 88 |
| | | 1.6.2.2 | Ensure all AppArmor Profiles are enforcing | always | 90 |
| | | 1.6.3 | Ensure SELinux or AppArmor are installed | always | 92 |
| | 1.7 | | Warning Banners | | 93 |
| | | 1.7.1.1 | Ensure message of the day is configured properly | always | 94 |
| | | 1.7.1.2 | Ensure local login warning banner is configured properly | always | 96 |
| | | 1.7.1.3 | Ensure remote login warning banner is configured properly | always | 98 |
| | | 1.7.1.4 | Ensure permissions on /etc/motd are configured | always | 100 |
| | | 1.7.1.5 | Ensure permissions on /etc/issue are configured | always | 101 |
| | | 1.7.1.6 | Ensure permissions on /etc/issue.net are configured | always | 102 |
| | | 1.7.2 | Ensure GDM login banner is configured | always | 103 |
| | 1.8 | | Ensure updates, patches and additional security software are installed | | 104 |
| 2 | | | Services | | 106 |
| | 2.1 | | inetd Services | | 107 |
| | | 2.1.1 | Ensure chargen services are not enabled | always | 107 |
| | | 2.1.2 | Ensure daytime services are not enabled | always | 109 |
| | | 2.1.3 | Ensure discard services are not enabled | always | 110 |
| | | 2.1.4 | Ensure echo services are not enabled | always | 111 |
| | | 2.1.5 | Ensure time services are not enabled | always | 112 |
| | | 2.1.6 | Ensure rsh server is not enabled | always | 113 |
| | | 2.1.7 | Ensure talk server is not enabled | always | 115 |
| | | 2.1.8 | Ensure telnet server is not enabled | always | 116 |
| | | 2.1.9 | Ensure tftp server is not enabled | always | 118 |
| | | 2.1.10 | Ensure xinetd is not enabled | always | 119 |
| | | 2.1.11 | Ensure openbsd-inetd is not installed | always | 120 |
| | 2.2 | | Special Purpose Services | | 121 |
| | | 2.2.1.1 | Ensure time synchronization is in use | always | 122 |
| | | 2.2.1.2 | Ensure ntp is configured | always | 124 |
| | | 2.2.1.3 | Ensure chrony is configured | always | 126 |
| | | 2.2.2 | Ensure X Window System is not installed | always | 128 |
| | | 2.2.3 | Ensure Avahi Server is not enabled | always | 129 |
| | | 2.2.4 | Ensure CUPS is not enabled | always | 130 |
| | | 2.2.5 | Ensure DHCP Server is not enabled | always | 132 |
| | | 2.2.6 | Ensure LDAP server is not enabled | always | 134 |
| | | 2.2.7 | Ensure NFS and RPC are not enabled | always | 136 |
| | | 2.2.8 | Ensure DNS Server is not enabled | always | 138 |
| | | 2.2.9 | Ensure FTP Server is not enabled | always | 139 |
| | | 2.2.10 | Ensure HTTP server is not enabled | always | 141 |
| | | 2.2.11 | Ensure IMAP and POP3 server is not enabled | always | 142 |
| | | 2.2.12 | Ensure Samba is not enabled | always | 143 |
| | | 2.2.13 | Ensure HTTP Proxy Server is not enabled | always | 144 |
| | | 2.2.14 | Ensure SNMP Server is not enabled | always | 145 |
| | | 2.2.15 | Ensure mail transfer agent is configured for local-only mode | always | 147 |
| | | 2.2.16 | Ensure rsync service is not enabled | always | 149 |
| | | 2.2.17 | Ensure NIS Server is not enabled | always | 150 |
| | 2.3 | | Service Clients | | 151 |
| | | 2.3.1 | Ensure NIS Client is not installed | always | 151 |
| | | 2.3.2 | Ensure rsh client is not installed | always | 153 |
| | | 2.3.3 | Ensure talk client is not installed | always | 155 |
| | | 2.3.4 | Ensure telnet client is not installed | always | 156 |
| | | 2.3.5 | Ensure LDAP client is not installed | always | 158 |
| 3 | | | Network Configuration | | 159 |
| | 3.1 | | Network Parameters (Host Only) | | 160 |
| | | 3.1.1 | Ensure IP forwarding is disabled | always | 160 |
| | | 3.1.2 | Ensure packet redirect sending is disabled | always | 162 |
| | 3.2 | | Network Parameters (Host and Router) | | 164 |
| | | 3.2.1 | Ensure source routed packets are not accepted | always | 164 |
| | | 3.2.2 | Ensure ICMP redirects are not accepted | always | 166 |
| | | 3.2.3 | Ensure secure ICMP redirects are not accepted | always | 168 |
| | | 3.2.4 | Ensure suspicious packets are logged | always | 170 |
| | | 3.2.5 | Ensure broadcast ICMP requests are ignored | always | 172 |
| | | 3.2.6 | Ensure bogus ICMP responses are ignored | always | 174 |
| | | 3.2.7 | Ensure Reverse Path Filtering is enabled | always | 176 |
| | | 3.2.8 | Ensure TCP SYN Cookies is enabled | always | 178 |
| | 3.3 | | IPv6 | | 180 |
| | | 3.3.1 | Ensure IPv6 router advertisements are not accepted | always | 180 |
| | | 3.3.2 | Ensure IPv6 redirects are not accepted | always | 182 |
| | | 3.3.3 | Ensure IPv6 is disabled | always | 184 |
| | 3.4 | | TCP Wrappers | | 186 |
| | | 3.4.1 | Ensure TCP Wrappers is installed | always | 186 |
| | | 3.4.2 | Ensure /etc/hosts.allow is configured | always | 188 |
| | | 3.4.3 | Ensure /etc/hosts.deny is configured | always | 190 |
| | | 3.4.4 | Ensure permissions on /etc/hosts.allow are configured | always | 191 |
| | | 3.4.5 | Ensure permissions on /etc/hosts.deny are configured | always | 192 |
| | 3.5 | | Uncommon Network Protocols | | 193 |
| | | 3.5.1 | Ensure DCCP is disabled | always | 193 |
| | | 3.5.2 | Ensure SCTP is disabled | always | 195 |
| | | 3.5.3 | Ensure RDS is disabled | always | 197 |
| | | 3.5.4 | Ensure TIPC is disabled | always | 198 |
| | 3.6 | | Firewall Configuration | | 199 |
| | | 3.6.1 | Ensure iptables is installed | always | 200 |
| | | 3.6.2 | Ensure default deny firewall policy | always | 201 |
| | | 3.6.3 | Ensure loopback traffic is configured | always | 203 |
| | | 3.6.4 | Ensure outbound and established connections are configured | always | 205 |
| | | 3.6.5 | Ensure firewall rules exist for all open ports | always | 207 |
| | 3.7 | | Ensure wireless interfaces are disabled | always | 209 |
| 4 | | | Logging and Auditing | | 211 |
| | 4.1 | | Configure System Accounting (auditd) | | 212 |
| | | 4.1.1.1 | Ensure audit log storage size is configured | always | 213 |
| | | 4.1.1.2 | Ensure system is disabled when audit logs are full | always | 215 |
| | | 4.1.1.3 | Ensure audit logs are not automatically deleted | always | 216 |
| | | 4.1.2 | Ensure auditd service is enabled | needs STIG | 217 |
| | | 4.1.3 | Ensure auditing for processes that start prior to auditd is enabled | needs STIG | 218 |
| | | 4.1.4 | Ensure events that modify date and time information are collected | needs STIG | 220 |
| | | 4.1.5 | Ensure events that modify user/group information are collected | needs STIG | 223 |
| | | 4.1.6 | Ensure events that modify the system's network environment are collected | needs STIG | 225 |
| | | 4.1.7 | Ensure events that modify the system's Mandatory Access Controls are collected | needs STIG | 228 |
| | | 4.1.8 | Ensure login and logout events are collected | needs STIG | 230 |
| | | 4.1.9 | Ensure session initiation information is collected | needs STIG | 232 |
| | | 4.1.10 | Ensure discretionary access control permission modification events are collected | needs STIG | 234 |
| | | 4.1.11 | Ensure unsuccessful unauthorized file access attempts are collected | needs STIG | 238 |
| | | 4.1.12 | Ensure use of privileged commands is collected | needs STIG | 241 |
| | | 4.1.13 | Ensure successful file system mounts are collected | needs STIG | 243 |
| | | 4.1.14 | Ensure file deletion events by users are collected | needs STIG | 246 |
| | | 4.1.15 | Ensure changes to system administration scope (sudoers) is collected | needs STIG | 248 |
| | | 4.1.16 | Ensure system administrator actions (sudolog) are collected | needs STIG | 250 |
| | | 4.1.17 | Ensure kernel module loading and unloading is collected | needs STIG | 252 |
| | | 4.1.18 | Ensure the audit configuration is immutable | needs STIG | 255 |
| | 4.2 | | Configure Logging | | 257 |
| | | 4.2.1.1 | Ensure rsyslog Service is enabled | always | 258 |
| | | 4.2.1.2 | Ensure logging is configured | always | 260 |
| | | 4.2.1.3 | Ensure rsyslog default file permissions configured | always | 262 |
| | | 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | always | 264 |
| | | 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | always | 266 |
| | | 4.2.2.1 | Ensure syslog-ng service is enabled | always | 268 |
| | | 4.2.2.2 | Ensure logging is configured | always | 270 |
| | | 4.2.2.3 | Ensure syslog-ng default file permissions configured | always | 273 |
| | | 4.2.2.4 | Ensure syslog-ng is configured to send logs to a remote log host | always | 275 |
| | | 4.2.2.5 | Ensure remote syslog-ng messages are only accepted on designated log hosts | always | 277 |
| | | 4.2.3 | Ensure rsyslog or syslog-ng is installed | always | 279 |
| | | 4.2.4 | Ensure permissions on all logfiles are configured | always | 281 |
| | 4.3 | | Ensure logrotate is configured | always | 282 |
| 5 | | | Access, Authentication and Authorization | | 283 |
| | 5.1 | | Configure cron | | 284 |
| | | 5.1.1 | Ensure cron daemon is enabled | always | 284 |
| | | 5.1.2 | Ensure permissions on /etc/crontab are configured | always | 285 |
| | | 5.1.3 | Ensure permissions on /etc/cron.hourly are configured | always | 287 |
| | | 5.1.4 | Ensure permissions on /etc/cron.daily are configured | always | 289 |
| | | 5.1.5 | Ensure permissions on /etc/cron.weekly are configured | always | 291 |
| | | 5.1.6 | Ensure permissions on /etc/cron.monthly are configured | always | 293 |
| | | 5.1.7 | Ensure permissions on /etc/cron.d are configured | always | 295 |
| | | 5.1.8 | Ensure at/cron is restricted to authorized users | always | 297 |
| | 5.2 | | SSH Server Configuration | always | 299 |
| | | 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured | always | 299 |
| | | 5.2.2 | Ensure SSH Protocol is set to 2 | always | 301 |
| | | 5.2.3 | Ensure SSH LogLevel is set to INFO | always | 302 |
| | | 5.2.4 | Ensure SSH X11 forwarding is disabled | always | 303 |
| | | 5.2.5 | Ensure SSH MaxAuthTries is set to 4 or less | always | 304 |
| | | 5.2.6 | Ensure SSH IgnoreRhosts is enabled | always | 305 |
| | | 5.2.7 | Ensure SSH HostbasedAuthentication is disabled | always | 306 |
| | | 5.2.8 | Ensure SSH root login is disabled | always | 307 |
| | | 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | always | 308 |
| | | 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | always | 309 |
| | | 5.2.11 | Ensure only approved MAC algorithms are used | always | 310 |
| | | 5.2.12 | Ensure SSH Idle Timeout Interval is configured | always | 312 |
| | | 5.2.13 | Ensure SSH LoginGraceTime is set to one minute or less | always | 314 |
| | | 5.2.14 | Ensure SSH access is limited | always | 315 |
| | | 5.2.15 | Ensure SSH warning banner is configured | always | 317 |
| | 5.3 | | Configure PAM | | 318 |
| | | 5.3.1 | Ensure password creation requirements are configured | always | 318 |
| | | 5.3.2 | Ensure lockout for failed password attempts is configured | always | 321 |
| | | 5.3.3 | Ensure password reuse is limited | always | 323 |
| | | 5.3.4 | Ensure password hashing algorithm is SHA-512 | always | 325 |
| | 5.4 | | User Accounts and Environment | | 327 |
| | | 5.4.1.1 | Ensure password expiration is 365 days or less | always | 328 |
| | | 5.4.1.2 | Ensure minimum days between password changes is 7 or more | always | 330 |
| | | 5.4.1.3 | Ensure password expiration warning days is 7 or more | always | 332 |
| | | 5.4.1.4 | Ensure inactive password lock is 30 days or less | always | 334 |
| | | 5.4.1.5 | Ensure all users last password change date is in the past | always | 336 |
| | | 5.4.2 | Ensure system accounts are non-login | always | 337 |
| | | 5.4.3 | Ensure default group for the root account is GID 0 | always | 339 |
| | | 5.4.4 | Ensure default user umask is 027 or more restrictive | always | 340 |
| | | 5.4.5 | Ensure default user shell timeout is 900 seconds or less | always | 342 |
| | 5.5 | | Ensure root login is restricted to system console | always | 344 |
| | 5.6 | | Ensure access to the su command is restricted | always | 345 |
| 6 | | | System Maintenance | | 347 |
| | 6.1 | | System File Permissions | | 348 |
| | | 6.1.1 | Audit system file permissions | always | 348 |
| | | 6.1.2 | Ensure permissions on /etc/passwd are configured | always | 350 |
| | | 6.1.3 | Ensure permissions on /etc/shadow are configured | always | 351 |
| | | 6.1.4 | Ensure permissions on /etc/group are configured | always | 353 |
| | | 6.1.5 | Ensure permissions on /etc/gshadow are configured | always | 354 |
| | | 6.1.6 | Ensure permissions on /etc/passwd- are configured | always | 355 |
| | | 6.1.7 | Ensure permissions on /etc/shadow- are configured | always | 356 |
| | | 6.1.8 | Ensure permissions on /etc/group- are configured | always | 358 |
| | | 6.1.9 | Ensure permissions on /etc/gshadow- are configured | always | 359 |
| | | 6.1.10 | Ensure no world writable files exist | always | 361 |
| | | 6.1.11 | Ensure no unowned files or directories exist | always | 363 |
| | | 6.1.12 | Ensure no ungrouped files or directories exist | always | 364 |
| | | 6.1.13 | Audit SUID executables | always | 365 |
| | | 6.1.14 | Audit SGID executables | always | 367 |
| | 6.2 | | User and Group Settings | | 369 |
| | | 6.2.1 | Ensure password fields are not empty | always | 369 |
| | | 6.2.2 | Ensure no legacy "+" entries exist in /etc/passwd | always | 371 |
| | | 6.2.3 | Ensure no legacy "+" entries exist in /etc/shadow | always | 372 |
| | | 6.2.4 | Ensure no legacy "+" entries exist in /etc/group | always | 373 |
| | | 6.2.5 | Ensure root is the only UID 0 account | always | 374 |
| | | 6.2.6 | Ensure root PATH Integrity | always | 375 |
| | | 6.2.7 | Ensure all users' home directories exist | always | 377 |
| | | 6.2.8 | Ensure users' home directories permissions are 750 or more restrictive | always | 378 |
| | | 6.2.9 | Ensure users own their home directories | always | 380 |
| | | 6.2.10 | Ensure users' dot files are not group or world writable | always | 382 |
| | | 6.2.11 | Ensure no users have .forward files | always | 384 |
| | | 6.2.12 | Ensure no users have .netrc files | always | 386 |
| | | 6.2.13 | Ensure users' .netrc Files are not group or world accessible | always | 388 |
| | | 6.2.14 | Ensure no users have .rhosts files | always | 391 |
| | | 6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | always | 393 |
| | | 6.2.16 | Ensure no duplicate UIDs exist | always | 394 |
| | | 6.2.17 | Ensure no duplicate GIDs exist | always | 395 |
| | | 6.2.18 | Ensure no duplicate user names exist | always | 397 |
| | | 6.2.19 | Ensure no duplicate group names exist | always | 398 |
| | | 6.2.20 | Ensure shadow group is empty | always | 400 |



The only conflict found between CIS and STIG, and how it was resolved:

CIS recommendation 5.2.11 states that we need to "Ensure only approved MAC algorithms are used"; however, STIG V-23826 requires that the SSH daemon only use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). After some research, this document: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2907.pdf indicates that using the CIS settings for this parameter still satisfies the FIPS 140-2 validated cryptographic module requirement and, in consequence, STIG V-23826 as well.

So the MACs parameter in sshd_config for the STIG template changed from this:
    MACs hmac-sha1

to this:
     MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
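As an added example (not part of this page or of Snare's own tooling), the following Python check parses an sshd_config fragment and reports any MAC outside the CIS 5.2.11 approved list; the two config fragments are constructed to mirror the before and after settings above, and the helper names are assumptions.

```python
"""Check the MACs directive of an sshd_config against the CIS 5.2.11 list."""
import re

# Approved MAC list as stated in CIS Ubuntu 18.04 recommendation 5.2.11
# (the same list the STIG template on this page now uses).
CIS_APPROVED_MACS = {
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
    "umac-128@openssh.com",
}


def parse_macs(config_text):
    """Return the MAC list from the first 'MACs' directive (sshd honours the
    first occurrence of a keyword), or None if the directive is absent, in
    which case sshd falls back to its compiled-in default list."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # Keywords are case-insensitive; "MACs x" and "macs = x" both parse.
        m = re.match(r"(?i)^macs\b[ \t=]+(\S+)", line)
        if m:
            return [x.strip() for x in m.group(1).split(",") if x.strip()]
    return None


def check_macs(config_text):
    """Return (compliant, unapproved) for the given sshd_config text."""
    macs = parse_macs(config_text)
    if macs is None:
        return False, ["<MACs directive missing>"]
    unapproved = [m for m in macs if m not in CIS_APPROVED_MACS]
    return not unapproved, unapproved


# Constructed fragments mirroring the before/after settings on this page.
BEFORE = "Protocol 2\nMACs hmac-sha1\n"
AFTER = ("Protocol 2\n"
         "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
         "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        ok, bad = check_macs(cfg)
        print(name, "compliant" if ok else "NOT compliant: " + ", ".join(bad))
```

To run it against a live host, feed it the output of `sshd -T` rather than the raw file, so that defaults and Match blocks are already resolved.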

