Overview
Intended Audience
Consensus Guidance
Assessment Status
Profile Definitions
Acknowledgements
Recommendations
Filesystem Configuration
- Disable unused filesystems
- Ensure mounting of cramfs filesystems is disabled (Automated)
- Ensure mounting of squashfs filesystems is disabled (Automated)
- Ensure mounting of udf filesystems is disabled (Automated)
- Ensure /tmp is configured (Automated)
- Ensure noexec option set on /tmp partition (Automated)
- Ensure nodev option set on /tmp partition (Automated)
- Ensure nosuid option set on /tmp partition (Automated)
- Ensure /dev/shm is configured (Automated)
- Ensure noexec option set on /dev/shm partition (Automated)
- Ensure nodev option set on /dev/shm partition (Automated)
- Ensure nosuid option set on /dev/shm partition (Automated)
- Ensure separate partition exists for /var (Automated)
- Ensure separate partition exists for /var/tmp (Automated)
- Ensure /var/tmp partition includes the noexec option (Automated)
- Ensure /var/tmp partition includes the nodev option (Automated)
- Ensure /var/tmp partition includes the nosuid option (Automated)
- Ensure separate partition exists for /var/log (Automated)
- Ensure separate partition exists for /var/log/audit (Automated)
- Ensure separate partition exists for /home (Automated)
- Ensure /home partition includes the nodev option (Automated)
- Ensure removable media partitions include noexec option (Automated)
- Ensure nodev option set on removable media partitions (Automated)
- Ensure nosuid option set on removable media partitions (Automated)
- Ensure sticky bit is set on all world-writable directories (Automated)
- Disable Automounting (Automated)
- Disable USB Storage (Automated)
OR, if the systemd tmp.mount unit is used: run the following command to verify tmp.mount. OR, if the systemd tmp.mount unit is used: run the following command to create the file. If a separate /var/tmp partition exists, run the following command to check that it is mounted with the nosuid option.
Run the following command to verify that the nosuid option is set on all removable media partitions.
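The noexec/nodev/nosuid checks for /tmp, /dev/shm and /var/tmp above can be scripted; the following is an added example, not the benchmark's own audit script, and the function names, the `--live` switch and the sample option string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helper for the noexec/nodev/nosuid mount-option
# recommendations. missing_mount_opts() works on a findmnt-style OPTIONS
# string so it can be exercised offline; audit_mountpoint() runs it against
# the live system via findmnt --kernel (reads /proc/self/mountinfo).

# missing_mount_opts OPTIONS REQUIRED
#   OPTIONS  : comma-separated options as printed by `findmnt -o OPTIONS`
#   REQUIRED : space-separated options that must be present
# Prints the required options that are absent; empty output means compliant.
missing_mount_opts() {
    opts=",$1,"
    missing=""
    for req in $2; do
        case "$opts" in
            *",$req,"*) ;;                    # option present
            *) missing="$missing $req" ;;     # option absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# audit_mountpoint MOUNTPOINT [REQUIRED]
# Returns 0 only when MOUNTPOINT is a separate mount carrying every option.
audit_mountpoint() {
    mp=$1
    req=${2:-"noexec nodev nosuid"}
    # A path that is merely a directory on / yields no line and therefore fails.
    opts=$(findmnt --kernel -n -o OPTIONS "$mp" 2>/dev/null)
    if [ -z "$opts" ]; then
        echo "$mp: FAIL (not a separate mount)"
        return 1
    fi
    missing=$(missing_mount_opts "$opts" "$req")
    if [ -n "$missing" ]; then
        echo "$mp: FAIL (missing: $missing)"
        return 1
    fi
    echo "$mp: PASS ($opts)"
    return 0
}

# Constructed sample, as findmnt would print it for a /tmp lacking noexec:
SAMPLE_TMP_OPTS="rw,nosuid,nodev,relatime,seclabel"

# Live audit of the three benchmark mount points when run as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_mountpoint /tmp
    audit_mountpoint /dev/shm
    audit_mountpoint /var/tmp
fi
```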
Configure Software Updates
- Ensure GPG keys are configured (Manual)
- Ensure package manager repositories are configured (Manual)
- Ensure gpgcheck is globally activated (Automated)
It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system. Perform operating system updates for enterprise assets through automated patch management on a monthly or more frequent basis. Perform application updates for enterprise assets through automated patch management on a monthly or more frequent basis.
Implement automated software update tools to ensure operating systems are running the latest security updates from the software vendor. Implement automated software update tools to ensure that third-party software on all systems is running the latest security updates from the software vendor. Systems must have package manager repositories configured so that they receive the latest patches and updates.
The gpgcheck option found in the main /etc/yum.conf section and individual It is important to ensure that an RPM package's signature is always verified before installation, so that the software is known to come from a trusted source. Install automated software update tools to ensure operating systems are running the latest security updates provided by the software vendor.
Filesystem Integrity Checking
- Ensure AIDE is installed (Automated)
- Ensure filesystem integrity is regularly checked (Automated)
AIDE creates a snapshot of the file system's state, including modification times, permissions, and file hashes, which can later be compared to the current state of the file system to detect changes. Note: the prelinking feature can disrupt AIDE because it modifies binaries to speed up program start-up. Run prelink -ua to undo prelinking and restore the original binaries, avoiding false positives from AIDE.
Monitoring file system health can detect compromised files and prevent or limit exposure to accidental or malicious misconfigurations or modified binaries. Enforce detailed audit logging for access to sensitive data or changes to sensitive data (using tools such as File Integrity Monitoring or Security Information and Event Monitoring). Periodic file audits allow the system administrator to regularly determine whether critical files have been modified in an unauthorized manner.
OR run the following commands to verify that aidecheck.service and aidecheck.timer are enabled and that aidecheck.timer is running.
Secure Boot Settings
- Ensure bootloader password is set (Automated)
- Ensure permissions on bootloader config are configured (Automated)
- Ensure authentication required for single user mode (Automated)
Setting the bootloader password requires anyone who reboots the system to enter a password before being able to set the boot parameters via the command line. Requiring a boot password when running the boot loader prevents an unauthorized user from entering boot parameters or modifying the boot partition. You can add --unrestricted to the menu items to allow the system to boot without entering a password.
The information can be placed in any /etc/grub.d file, as long as that file is included in grub.cfg. It is preferable to enter this data in a custom file, such as /etc/grub.d/40_custom, so that it is not overwritten when the GRUB package is updated. This recommendation is designed around the grub2 bootloader; if LILO or another bootloader is in use in your environment, apply the equivalent settings.
Setting read and write permissions only to root prevents non-root users from seeing or changing the boot parameters. Single user mode (rescue mode) is used for recovery when the system detects a problem during boot or by manual selection from the bootloader. Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system in single user to gain root privileges without credentials.
Additional Process Hardening
- Ensure core dumps are restricted (Automated)
- Ensure XD/NX support is enabled (Automated)
- Ensure address space layout randomization (ASLR) is enabled (Automated)
- Ensure prelink is not installed (Automated)
The system offers the option to set a soft limit for core dumps, but this can be overridden by the user. Additionally, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core. Other processors, such as Itanium and POWER, have included such support since their inception, and the standard kernel for those platforms supports the feature.
Enabling any feature that can protect against buffer overflow attacks increases system security. Run the following command to check whether your kernel has recognized and activated NX/XD protection. Enable exploit prevention features on enterprise assets and software where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Enable anti-exploit features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) available in the operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. Address Space Layout Randomization (ASLR) is an exploit mitigation technique that randomizes the address space of key data areas of a process. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.
Mandatory Access Control
- Configure SELinux
- Ensure SELinux is installed (Automated)
- Ensure SELinux is not disabled in bootloader configuration (Automated)
- Ensure SELinux policy is configured (Automated)
- Ensure the SELinux mode is enforcing or permissive (Automated)
- Ensure the SELinux mode is enforcing (Automated)
- Ensure no unconfined services exist (Automated)
- Ensure SETroubleshoot is not installed (Automated)
- Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Without a mandatory access control system installed, only the default discretionary access control system will be available. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. Run the following script to verify that no linux line has selinux=0 or enforcing=0. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access-denied entries in the logs, but it does not actually deny any operations.
Disabled - Strongly discouraged; the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.
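The bootloader check mentioned above (no kernel command line carrying selinux=0 or enforcing=0) can be implemented as follows; this is an added example rather than the benchmark's own audit script, and the function names, the BLS `options` handling and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel command lines in GRUB configuration that
# disable SELinux. On RHEL-family systems using BLS the arguments live in
# /boot/loader/entries/*.conf ("options" lines) as well as in grub.cfg, so
# both line shapes are matched. The =0 value must be a whole word, so
# selinux=1, enforcing=1 or unrelated tokens never trigger a finding.

# selinux_disabling_lines CONFIG_TEXT
#   Prints every linux/linuxefi/linux16/options line whose arguments contain
#   selinux=0 or enforcing=0. Prints nothing (exit 0) when there are none.
selinux_disabling_lines() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*(linux|linuxefi|linux16|options)[[:space:]]' \
      | grep -E '(^|[[:space:]])(selinux|enforcing)=0([[:space:]]|$)' \
      || true
}

# audit_bootloader_selinux CONFIG_TEXT -> returns 0 if no line disables SELinux
audit_bootloader_selinux() {
    hits=$(selinux_disabling_lines "$1")
    if [ -n "$hits" ]; then
        echo "FAIL: SELinux disabled on a kernel command line:"
        echo "$hits"
        return 1
    fi
    echo "PASS: no selinux=0 / enforcing=0 in bootloader configuration"
    return 0
}

# Constructed sample mixing compliant entries with two non-compliant ones.
SAMPLE_BOOT_CFG='menuentry "Linux" {
        linux /vmlinuz root=/dev/mapper/rhel-root ro rhgb quiet
}
menuentry "Linux (selinux off)" {
        linux /vmlinuz root=/dev/mapper/rhel-root ro enforcing=0
}
options root=/dev/mapper/rhel-root ro selinux=0 quiet
options root=/dev/mapper/rhel-root ro selinux=1 enforcing=1'

# Live use (paths assumed for a grub2 system):
#   audit_bootloader_selinux "$(cat /boot/grub2/grub.cfg /boot/loader/entries/*.conf)"
```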
Command Line Warning Banners
- Ensure message of the day is configured properly (Automated)
- Ensure local login warning banner is configured properly (Automated)
- Ensure remote login warning banner is configured properly (Automated)
- Ensure permissions on /etc/motd are configured (Automated)
- Ensure permissions on /etc/issue are configured (Automated)
- Ensure permissions on /etc/issue.net are configured (Automated)
The contents of the /etc/motd file are displayed to users after login and serve as the message of the day for authenticated users. Edit the /etc/motd file with the appropriate content according to your site policy, removing any occurrences of \m, \r, \s, \v or references to the OS platform. The contents of the /etc/issue file are displayed to users before login on local terminals.
Edit the /etc/issue file with the appropriate content according to your site policy, removing any occurrences of \m, \r, \s, \v or references to the OS platform. The contents of the /etc/issue.net file are displayed to users before login for remote connections from configured services. Edit the /etc/issue.net file with the appropriate content according to your site policy, removing any occurrences of \m, \r, \s, \v or references to the OS platform.
If the /etc/motd file does not have correct ownership, it could be modified by unauthorized users with incorrect or misleading information. If the /etc/issue file does not have correct ownership, it could be modified by unauthorized users with incorrect or misleading information. If the /etc/issue.net file does not have correct ownership, it could be modified by unauthorized users with incorrect or misleading information.
GNOME Display Manager
- Ensure GNOME Display Manager is removed (Manual)
- Ensure GDM login banner is configured (Automated)
- Ensure last logged in user display is disabled (Automated)
- Ensure XDMCP is not enabled (Automated)
If a graphical user interface (GUI) is not required, it should be removed to reduce the attack surface of the system. Warning messages inform users attempting to log into the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies in place. Note: if a graphical login is not required, it should be removed to reduce the attack surface of the system.
Verify that a file exists in /etc/dconf/db/gdm.d/ and contains the following (this is usually /etc/dconf/db/gdm.d/01-banner-message). Edit or create the file in /etc/dconf/db/gdm.d/ and add the following (this is usually /etc/dconf/db/gdm.d/01-banner-message). Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message file.
If a graphical login is not required, it should be removed to reduce the attack surface of the system. Verify that a file exists in /etc/dconf/db/gdm.d/ and contains the following (this is usually /etc/dconf/db/gdm.d/00-login-screen). Edit or create the file in /etc/dconf/db/gdm.d/ and add the following (this is usually /etc/dconf/db/gdm.d/00-login-screen).
- Ensure updates, patches, and additional security software are installed (Manual)
While applying system updates and patches helps correct known vulnerabilities, one of the best ways to protect your system from as yet unreported vulnerabilities is to disable all services that are not required for normal system operation. The actions in this section of the document provide guidance on which services can be safely disabled and under what circumstances, greatly reducing the number of potential threats to the resulting system. In addition, some services that must remain enabled but with secure configuration are covered, as well as insecure service clients.
- Ensure xinetd is not installed (Automated)
Note: if one or more xinetd services are required, ensure that every xinetd service that is not required is stopped and disabled. Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service feature. Ensure that unauthorized software is either removed or that the inventory is updated in a timely manner.
Ensure that only network ports, protocols, and services with validated business needs are listening on each system.
Special Purpose Services
- Time Synchronization
- Ensure time synchronization is in use (Manual)
- Ensure chrony is configured (Automated)
- Ensure ntp is configured (Automated)
- Ensure X11 Server components are not installed (Automated)
- Ensure Avahi Server is not installed (Automated)
- Ensure CUPS is not installed (Automated)
- Ensure DHCP Server is not installed (Automated)
- Ensure LDAP server is not installed (Automated)
- Ensure DNS Server is not installed (Automated)
- Ensure FTP Server is not installed (Automated)
- Ensure HTTP server is not installed (Automated)
- Ensure IMAP and POP3 server is not installed (Automated)
- Ensure Samba is not installed (Automated)
- Ensure HTTP Proxy Server is not installed (Automated)
- Ensure net-snmp is not installed (Automated)
- Ensure NIS server is not installed (Automated)
- Ensure telnet-server is not installed (Automated)
- Ensure mail transfer agent is configured for local-only mode (Automated)
- Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)
- Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
- Ensure rsync is not installed or the rsyncd service is masked (Automated)
Service Clients