CIS Compliance

CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

The CIS Controls™ and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals.

Over time, more and more customers have asked for CIS hardening details for the Snare v8 install. Snare Central v7 used STIG and some CIS technical controls. Snare Central v8 now has full coverage of the CIS controls, which extend the STIG technical controls. The cisecurity.org site provides a multitude of security review and hardening build standards for many operating systems. The STIG hardening controls for Snare Central v8 are based on https://www.stigviewer.com/stig/canonical_ubuntu_18.04_lts/

The CIS Benchmark for Ubuntu Linux provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 18.04 LTS systems running on x86 and x64 platforms. Many lists include filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned. The full document can be reviewed on the cisecurity.org site. 


Note

CIS requires auditd to be enabled on the system for it to be compliant. Snare Central enables the auditing system only when STIG compliance is enabled, so STIG must be enabled for Snare Central to be fully CIS compliant.

We used the Nessus vulnerability scanner for a CIS compliance assessment on Snare Central. The following table lists all Nessus benchmark items that are assessed:






| Chapter | Section | Index | Title | v8.x.x enabled |
|---|---|---|---|---|
| 1 | | | Initial Setup | |
| | 1.1 | | Filesystem Configuration | |
| | | 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | always |
| | | 1.1.1.2 | Ensure mounting of freevxfs filesystems is disabled | always |
| | | 1.1.1.3 | Ensure mounting of jffs2 filesystems is disabled | always |
| | | 1.1.1.4 | Ensure mounting of hfs filesystems is disabled | always |
| | | 1.1.1.5 | Ensure mounting of hfsplus filesystems is disabled | always |
| | | 1.1.1.6 | Ensure mounting of udf filesystems is disabled | always |
| | | 1.1.2 | Ensure separate partition exists for /tmp | always |
| | | 1.1.3 | Ensure nodev option set on /tmp partition | always |
| | | 1.1.4 | Ensure nosuid option set on /tmp partition | always |
| | | 1.1.5 | Ensure separate partition exists for /var | always |
| | | 1.1.6 | Ensure separate partition exists for /var/tmp | always |
| | | 1.1.7 | Ensure nodev option set on /var/tmp partition | always |
| | | 1.1.8 | Ensure nosuid option set on /var/tmp partition | always |
| | | 1.1.9 | Ensure noexec option set on /var/tmp partition | always |
| | | 1.1.10 | Ensure separate partition exists for /var/log | always |
| | | 1.1.11 | Ensure separate partition exists for /var/log/audit | always |
| | | 1.1.12 | Ensure separate partition exists for /home | always |
| | | 1.1.13 | Ensure nodev option set on /home partition | always |
| | | 1.1.14 | Ensure nodev option set on /dev/shm partition (/run) | always |
| | | 1.1.15 | Ensure nosuid option set on /dev/shm partition (/run) | always |
| | | 1.1.16 | Ensure noexec option set on /dev/shm partition (/run) | always |
| | | 1.1.17 | Ensure nodev option set on removable media partitions | always |
| | | 1.1.18 | Ensure nosuid option set on removable media partitions | always |
| | | 1.1.19 | Ensure noexec option set on removable media partitions | always |
| | | 1.1.20 | Ensure sticky bit is set on all world-writable directories | always |
| | | 1.1.21 | Disable Automounting | always |
| | 1.2 | | Configure Software Updates | |
| | | 1.2.1 | Ensure package manager repositories are configured | always |
| | | 1.2.2 | Ensure GPG keys are configured | always |
| | 1.3 | | Filesystem Integrity Checking | |
| | | 1.3.1 | Ensure AIDE is installed | always |
| | | 1.3.2 | Ensure filesystem integrity is regularly checked | always |
| | 1.4 | | Secure Boot Settings | |
| | | 1.4.1 | Ensure permissions on bootloader config are configured | always |
| | | 1.4.2 | Ensure bootloader password is set | Customer to set; see notes below |
| | | 1.4.3 | Ensure authentication required for single user mode | always |
| | 1.5 | | Additional Process Hardening | |
| | | 1.5.1 | Ensure core dumps are restricted | always |
| | | 1.5.2 | Ensure XD/NX support is enabled | always |
| | | 1.5.3 | Ensure address space layout randomization (ASLR) is enabled | always |
| | | 1.5.4 | Ensure prelink is disabled | always |
| | 1.6 | | Mandatory Access Control | |
| | | 1.6.1.1 | Ensure SELinux is not disabled in bootloader configuration | always |
| | | 1.6.1.2 | Ensure the SELinux state is enforcing | always |
| | | 1.6.1.3 | Ensure SELinux policy is configured | always |
| | | 1.6.1.4 | Ensure no unconfined daemons exist | always |
| | | 1.6.2.1 | Ensure AppArmor is not disabled in bootloader configuration | always |
| | | 1.6.2.2 | Ensure all AppArmor Profiles are enforcing | always |
| | | 1.6.3 | Ensure SELinux or AppArmor are installed | always |
| | 1.7 | | Warning Banners | |
| | | 1.7.1.1 | Ensure message of the day is configured properly | always |
| | | 1.7.1.2 | Ensure local login warning banner is configured properly | always |
| | | 1.7.1.3 | Ensure remote login warning banner is configured properly | always |
| | | 1.7.1.4 | Ensure permissions on /etc/motd are configured | always |
| | | 1.7.1.5 | Ensure permissions on /etc/issue are configured | always |
| | | 1.7.1.6 | Ensure permissions on /etc/issue.net are configured | always |
| | | 1.7.2 | Ensure GDM login banner is configured | always |
| | 1.8 | | Ensure updates patches and additional security software are installed | Snare Central patches the system with OS and security updates with each new release. |
| 2 | | | Services | |
| | 2.1 | | inetd Services | |
| | | 2.1.1 | Ensure chargen services are not enabled | always |
| | | 2.1.2 | Ensure daytime services are not enabled | always |
| | | 2.1.3 | Ensure discard services are not enabled | always |
| | | 2.1.4 | Ensure echo services are not enabled | always |
| | | 2.1.5 | Ensure time services are not enabled | always |
| | | 2.1.6 | Ensure rsh server is not enabled | always |
| | | 2.1.7 | Ensure talk server is not enabled | always |
| | | 2.1.8 | Ensure telnet server is not enabled | always |
| | | 2.1.9 | Ensure tftp server is not enabled | always |
| | | 2.1.10 | Ensure xinetd is not enabled | always |
| | | 2.1.11 | Ensure openbsd-inetd is not installed | always |
| | 2.2 | | Special Purpose Services | |
| | | 2.2.1.1 | Ensure time synchronization is in use | false positive |
| | | 2.2.1.2 | Ensure ntp is configured | always |
| | | 2.2.1.3 | Ensure chrony is configured | false positive |
| | | 2.2.2 | Ensure X Window System is not installed | always |
| | | 2.2.3 | Ensure Avahi Server is not enabled | always |
| | | 2.2.4 | Ensure CUPS is not enabled | always |
| | | 2.2.5 | Ensure DHCP Server is not enabled | always |
| | | 2.2.6 | Ensure LDAP server is not enabled | always |
| | | 2.2.7 | Ensure NFS and RPC are not enabled | false positive |
| | | 2.2.8 | Ensure DNS Server is not enabled | always |
| | | 2.2.9 | Ensure FTP Server is not enabled | always |
| | | 2.2.10 | Ensure HTTP server is not enabled | The website redirects from HTTP to HTTPS on login page |
| | | 2.2.11 | Ensure IMAP and POP3 server is not enabled | always |
| | | 2.2.12 | Ensure Samba is not enabled | false positive |
| | | 2.2.13 | Ensure HTTP Proxy Server is not enabled | always |
| | | 2.2.14 | Ensure SNMP Server is not enabled | false positive |
| | | 2.2.15 | Ensure mail transfer agent is configured for local-only mode | always |
| | | 2.2.16 | Ensure rsync service is not enabled | false positive |
| | | 2.2.17 | Ensure NIS Server is not enabled | always |
| | 2.3 | | Service Clients | |
| | | 2.3.1 | Ensure NIS Client is not installed | always |
| | | 2.3.2 | Ensure rsh client is not installed | always |
| | | 2.3.3 | Ensure talk client is not installed | always |
| | | 2.3.4 | Ensure telnet client is not installed | always |
| | | 2.3.5 | Ensure LDAP client is not installed | false positive |
| 3 | | | Network Configuration | |
| | 3.1 | | Network Parameters (Host Only) | |
| | | 3.1.1 | Ensure IP forwarding is disabled | always |
| | | 3.1.2 | Ensure packet redirect sending is disabled | always |
| | 3.2 | | Network Parameters (Host and Router) | |
| | | 3.2.1 | Ensure source routed packets are not accepted | always |
| | | 3.2.2 | Ensure ICMP redirects are not accepted | always |
| | | 3.2.3 | Ensure secure ICMP redirects are not accepted | always |
| | | 3.2.4 | Ensure suspicious packets are logged | always |
| | | 3.2.5 | Ensure broadcast ICMP requests are ignored | always |
| | | 3.2.6 | Ensure bogus ICMP responses are ignored | always |
| | | 3.2.7 | Ensure Reverse Path Filtering is enabled | always |
| | | 3.2.8 | Ensure TCP SYN Cookies is enabled | always |
| | 3.3 | | IPv6 | |
| | | 3.3.1 | Ensure IPv6 router advertisements are not accepted | always |
| | | 3.3.2 | Ensure IPv6 redirects are not accepted | always |
| | | 3.3.3 | Ensure IPv6 is disabled | always |
| | 3.4 | | TCP Wrappers | |
| | | 3.4.1 | Ensure TCP Wrappers is installed | always |
| | | 3.4.2 | Ensure /etc/hosts.allow is configured | false positive |
| | | 3.4.3 | Ensure /etc/hosts.deny is configured | false positive |
| | | 3.4.4 | Ensure permissions on /etc/hosts.allow are configured | always |
| | | 3.4.5 | Ensure permissions on /etc/hosts.deny are configured | always |
| | 3.5 | | Uncommon Network Protocols | |
| | | 3.5.1 | Ensure DCCP is disabled | always |
| | | 3.5.2 | Ensure SCTP is disabled | always |
| | | 3.5.3 | Ensure RDS is disabled | always |
| | | 3.5.4 | Ensure TIPC is disabled | always |
| | 3.6 | | Firewall Configuration | |
| | | 3.6.1 | Ensure iptables is installed | always |
| | | 3.6.2 | Ensure default deny firewall policy | always |
| | | 3.6.3 | Ensure loopback traffic is configured | always |
| | | 3.6.4 | Ensure outbound and established connections are configured | always |
| | | 3.6.5 | Ensure firewall rules exist for all open ports | always |
| | 3.7 | | Ensure wireless interfaces are disabled | always |
| 4 | | | Logging and Auditing | |
| | 4.1 | | Configure System Accounting (auditd) | |
| | | 4.1.1.1 | Ensure audit log storage size is configured | always |
| | | 4.1.1.2 | Ensure system is disabled when audit logs are full | false positive |
| | | 4.1.1.3 | Ensure audit logs are not automatically deleted | false positive |
| | | 4.1.2 | Ensure auditd service is enabled | needs STIG |
| | | 4.1.3 | Ensure auditing for processes that start prior to auditd is enabled | needs STIG |
| | | 4.1.4 | Ensure events that modify date and time information are collected | needs STIG |
| | | 4.1.5 | Ensure events that modify user/group information are collected | needs STIG |
| | | 4.1.6 | Ensure events that modify the system's network environment are collected | needs STIG |
| | | 4.1.7 | Ensure events that modify the system's Mandatory Access Controls are collected | needs STIG |
| | | 4.1.8 | Ensure login and logout events are collected | needs STIG |
| | | 4.1.9 | Ensure session initiation information is collected | needs STIG |
| | | 4.1.10 | Ensure discretionary access control permission modification events are collected | needs STIG |
| | | 4.1.11 | Ensure unsuccessful unauthorized file access attempts are collected | needs STIG |
| | | 4.1.12 | Ensure use of privileged commands is collected | needs STIG |
| | | 4.1.13 | Ensure successful file system mounts are collected | needs STIG |
| | | 4.1.14 | Ensure file deletion events by users are collected | needs STIG |
| | | 4.1.15 | Ensure changes to system administration scope (sudoers) is collected | needs STIG |
| | | 4.1.16 | Ensure system administrator actions (sudolog) are collected | needs STIG |
| | | 4.1.17 | Ensure kernel module loading and unloading is collected | needs STIG |
| | | 4.1.18 | Ensure the audit configuration is immutable | needs STIG |
| | 4.2 | | Configure Logging | |
| | | 4.2.1.1 | Ensure rsyslog Service is enabled | always |
| | | 4.2.1.2 | Ensure logging is configured | always |
| | | 4.2.1.3 | Ensure rsyslog default file permissions configured | always |
| | | 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | false positive |
| | | 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | false positive |
| | | 4.2.2.1 | Ensure syslog-ng service is enabled | always |
| | | 4.2.2.2 | Ensure logging is configured | always |
| | | 4.2.2.3 | Ensure syslog-ng default file permissions configured | always |
| | | 4.2.2.4 | Ensure syslog-ng is configured to send logs to a remote log host | always |
| | | 4.2.2.5 | Ensure remote syslog-ng messages are only accepted on designated log hosts | always |
| | | 4.2.3 | Ensure rsyslog or syslog-ng is installed | always |
| | | 4.2.4 | Ensure permissions on all logfiles are configured | always |
| | 4.3 | | Ensure logrotate is configured | always |
| 5 | | | Access, Authentication and Authorization | |
| | 5.1 | | Configure cron | |
| | | 5.1.1 | Ensure cron daemon is enabled | always |
| | | 5.1.2 | Ensure permissions on /etc/crontab are configured | always |
| | | 5.1.3 | Ensure permissions on /etc/cron.hourly are configured | always |
| | | 5.1.4 | Ensure permissions on /etc/cron.daily are configured | always |
| | | 5.1.5 | Ensure permissions on /etc/cron.weekly are configured | always |
| | | 5.1.6 | Ensure permissions on /etc/cron.monthly are configured | always |
| | | 5.1.7 | Ensure permissions on /etc/cron.d are configured | always |
| | | 5.1.8 | Ensure at/cron is restricted to authorized users | always |
| | 5.2 | | SSH Server Configuration | always |
| | | 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured | always |
| | | 5.2.2 | Ensure SSH Protocol is set to 2 | always |
| | | 5.2.3 | Ensure SSH LogLevel is set to INFO | always |
| | | 5.2.4 | Ensure SSH X11 forwarding is disabled | always |
| | | 5.2.5 | Ensure SSH MaxAuthTries is set to 4 or less | always |
| | | 5.2.6 | Ensure SSH IgnoreRhosts is enabled | always |
| | | 5.2.7 | Ensure SSH HostbasedAuthentication is disabled | always |
| | | 5.2.8 | Ensure SSH root login is disabled | always |
| | | 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | always |
| | | 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | always |
| | | 5.2.11 | Ensure only approved MAC algorithms are used | always |
| | | 5.2.12 | Ensure SSH Idle Timeout Interval is configured | always |
| | | 5.2.13 | Ensure SSH LoginGraceTime is set to one minute or less | always |
| | | 5.2.14 | Ensure SSH access is limited | always |
| | | 5.2.15 | Ensure SSH warning banner is configured | always |
| | 5.3 | | Configure PAM | |
| | | 5.3.1 | Ensure password creation requirements are configured | false positive |
| | | 5.3.2 | Ensure lockout for failed password attempts is configured | always |
| | | 5.3.3 | Ensure password reuse is limited | always |
| | | 5.3.4 | Ensure password hashing algorithm is SHA-512 | always |
| | 5.4 | | User Accounts and Environment | |
| | | 5.4.1.1 | Ensure password expiration is 365 days or less | always |
| | | 5.4.1.2 | Ensure minimum days between password changes is 7 or more | always |
| | | 5.4.1.3 | Ensure password expiration warning days is 7 or more | always |
| | | 5.4.1.4 | Ensure inactive password lock is 30 days or less | always |
| | | 5.4.1.5 | Ensure all users last password change date is in the past | always |
| | | 5.4.2 | Ensure system accounts are non-login | always |
| | | 5.4.3 | Ensure default group for the root account is GID 0 | always |
| | | 5.4.4 | Ensure default user umask is 027 or more restrictive | always |
| | | 5.4.5 | Ensure default user shell timeout is 900 seconds or less | always |
| | 5.5 | | Ensure root login is restricted to system console | always |
| | 5.6 | | Ensure access to the su command is restricted | always |
| 6 | | | System Maintenance | |
| | 6.1 | | System File Permissions | |
| | | 6.1.1 | Audit system file permissions | always |
| | | 6.1.2 | Ensure permissions on /etc/passwd are configured | always |
| | | 6.1.3 | Ensure permissions on /etc/shadow are configured | always |
| | | 6.1.4 | Ensure permissions on /etc/group are configured | always |
| | | 6.1.5 | Ensure permissions on /etc/gshadow are configured | always |
| | | 6.1.6 | Ensure permissions on /etc/passwd- are configured | always |
| | | 6.1.7 | Ensure permissions on /etc/shadow- are configured | always |
| | | 6.1.8 | Ensure permissions on /etc/group- are configured | always |
| | | 6.1.9 | Ensure permissions on /etc/gshadow- are configured | always |
| | | 6.1.10 | Ensure no world writable files exist | false positive |
| | | 6.1.11 | Ensure no unowned files or directories exist | always |
| | | 6.1.12 | Ensure no ungrouped files or directories exist | always |
| | | 6.1.13 | Audit SUID executables | always |
| | | 6.1.14 | Audit SGID executables | always |
| | 6.2 | | User and Group Settings | |
| | | 6.2.1 | Ensure password fields are not empty | always |
| | | 6.2.2 | Ensure no legacy "+" entries exist in /etc/passwd | always |
| | | 6.2.3 | Ensure no legacy "+" entries exist in /etc/shadow | always |
| | | 6.2.4 | Ensure no legacy "+" entries exist in /etc/group | always |
| | | 6.2.5 | Ensure root is the only UID 0 account | always |
| | | 6.2.6 | Ensure root PATH Integrity | always |
| | | 6.2.7 | Ensure all users' home directories exist | always |
| | | 6.2.8 | Ensure users' home directories permissions are 750 or more restrictive | always |
| | | 6.2.9 | Ensure users own their home directories | always |
| | | 6.2.10 | Ensure users' dot files are not group or world writable | always |
| | | 6.2.11 | Ensure no users have .forward files | always |
| | | 6.2.12 | Ensure no users have .netrc files | always |
| | | 6.2.13 | Ensure users' .netrc Files are not group or world accessible | always |
| | | 6.2.14 | Ensure no users have .rhosts files | always |
| | | 6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | always |
| | | 6.2.16 | Ensure no duplicate UIDs exist | always |
| | | 6.2.17 | Ensure no duplicate GIDs exist | always |
| | | 6.2.18 | Ensure no duplicate user names exist | always |
| | | 6.2.19 | Ensure no duplicate group names exist | always |
| | | 6.2.20 | Ensure shadow group is empty | always |


CIS vs STIG: the only conflict (resolved):

CIS recommendation 5.2.11 states that we need to "Ensure only approved MAC algorithms are used", whereas STIG V-23826 requires that the SSH daemon only use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). The security policy document at https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2907.pdf indicates that if we use the CIS settings for this parameter, we still satisfy the FIPS 140-2 validated cryptographic module requirement and, in consequence, STIG V-23826 as well. MAC algorithms include:

hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
umac-128@openssh.com
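
The following is an added example, not Snare Central's own code: a shell check that reads an sshd configuration (or `sshd -T` output) and reports any configured MAC outside the list above. The function names and the sample configurations are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Snare Central code): audit the sshd MACs setting against
# the algorithms this page lists for CIS 5.2.11.

APPROVED_MACS="hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
umac-128@openssh.com"

# unapproved_macs (hypothetical helper): reads sshd_config text or `sshd -T`
# output on stdin. Prints each configured MAC that is not in APPROVED_MACS,
# one per line; prints MACS_NOT_SET when no MACs directive exists (sshd would
# then use its built-in defaults); prints nothing when the setting complies.
unapproved_macs() {
    local keyword value mac
    while read -r keyword value || [ -n "$keyword" ]; do
        # Keywords are case-insensitive, and sshd keeps the first value it reads.
        keyword="$(printf '%s' "$keyword" | tr '[:upper:]' '[:lower:]')"
        [ "$keyword" = "macs" ] || continue
        printf '%s\n' "$value" | tr -d ' \t"' | tr ',' '\n' |
        while read -r mac; do
            [ -n "$mac" ] || continue
            printf '%s\n' "$APPROVED_MACS" | grep -qxF -- "$mac" ||
                printf '%s\n' "$mac"
        done
        return 0
    done
    echo "MACS_NOT_SET"
}

# Constructed sample inputs, not taken from a real Snare Central host.
SAMPLE_OK='# constructed sample
Protocol 2
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512'
SAMPLE_BAD='macs hmac-sha2-256,hmac-md5,hmac-sha1-96'
SAMPLE_UNSET='LogLevel INFO'

# report NAME CONFIG_TEXT: prints one PASS/FAIL line for a configuration.
report() {
    local findings
    findings="$(printf '%s\n' "$2" | unapproved_macs | tr '\n' ' ')"
    if [ -z "$findings" ]; then echo "$1: PASS"
    else echo "$1: FAIL: ${findings% }"; fi
}

report SAMPLE_OK "$SAMPLE_OK"
report SAMPLE_BAD "$SAMPLE_BAD"
report SAMPLE_UNSET "$SAMPLE_UNSET"
# On a live host (as root): sshd -T | unapproved_macs
```

Running the check against `sshd -T` output rather than the file on disk evaluates the effective setting, including the case where no `MACs` line is present in `sshd_config`.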


False positives:




| Index | Benchmark item | Explanation |
|---|---|---|
| 2.2.1.1 | Ensure time synchronization is in use | Snare Central runs ntpdate daily; the NTP source server is set by the customer during the install. |
| 2.2.1.3 | Ensure chrony is configured | Snare Central does not use chrony. |
| 2.2.7 | Ensure NFS and RPC are not enabled | User can disable NFS from the UI. |
| 2.2.12 | Ensure Samba is not enabled | User can disable Samba from the UI. |
| 2.2.14 | Ensure SNMP Server is not enabled | User can disable SNMP from the UI. |
| 2.2.16 | Ensure rsync service is not enabled | rsync is used for side-by-side migration only. |
| 2.3.5 | Ensure LDAP client is not installed | Snare Central comes with an LDAP client. |
| 3.4.2 | Ensure /etc/hosts.allow is configured | The contents depend on the user's network layout. |
| 3.4.3 | Ensure /etc/hosts.deny is configured | The contents depend on the user's network layout. |
| 4.1.1.2 | Ensure system is disabled when audit logs are full | Snare Central uses SUSPEND instead of HALT; as a logging system, it needs to keep operating. |
| 4.1.1.3 | Ensure audit logs are not automatically deleted | Snare Central uses ROTATE instead of KEEP. |
| 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | Not applicable. Snare Central is the central logging system, so it collects its own logs as well as those of other systems; the context is different from what the CIS checklist is asking for. |
| 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | Not applicable. |
| 5.3.1 | Ensure password creation requirements are configured | Snare Central uses pam_cracklib to help enforce password complexity. |
| 6.1.10 | Ensure no world writable files exist | Apache web server needs this file only: /tmp/perf-23853.map (owner: www-data, group: www-data, permissions: 0666). |

Won't do:

1.4.2 Ensure bootloader password is set. This needs to be done manually by the sysadmin.