CIS CentOS Linux 8 Benchmark v2.0.0 (book)

Chiến Vũ

Academic year: 2024

Overview

Intended Audience

Consensus Guidance

Typographical Conventions

Assessment Status

Profile Definitions

Acknowledgements

Recommendations

Filesystem Configuration

  • Disable unused filesystems
    • Ensure mounting of cramfs filesystems is disabled (Automated)
    • Ensure mounting of squashfs filesystems is disabled (Automated)
    • Ensure mounting of udf filesystems is disabled (Automated)
  • Configure /tmp
    • Ensure /tmp is a separate partition (Automated)
    • Ensure nodev option set on /tmp partition (Automated)
    • Ensure noexec option set on /tmp partition (Automated)
    • Ensure nosuid option set on /tmp partition (Automated)
  • Configure /var
    • Ensure separate partition exists for /var (Automated)
    • Ensure nodev option set on /var partition (Automated)
    • Ensure noexec option set on /var partition (Automated)
    • Ensure nosuid option set on /var partition (Automated)
  • Configure /var/tmp
    • Ensure separate partition exists for /var/tmp (Automated)
    • Ensure noexec option set on /var/tmp partition (Automated)
    • Ensure nosuid option set on /var/tmp partition (Automated)
    • Ensure nodev option set on /var/tmp partition (Automated)
  • Configure /var/log
    • Ensure separate partition exists for /var/log (Automated)
    • Ensure nodev option set on /var/log partition (Automated)
    • Ensure noexec option set on /var/log partition (Automated)
    • Ensure nosuid option set on /var/log partition (Automated)
  • Configure /var/log/audit
    • Ensure separate partition exists for /var/log/audit (Automated)
    • Ensure noexec option set on /var/log/audit partition (Automated)
    • Ensure nodev option set on /var/log/audit partition (Automated)
    • Ensure nosuid option set on /var/log/audit partition (Automated)
  • Configure /home
    • Ensure separate partition exists for /home (Automated)
    • Ensure nodev option set on /home partition (Automated)
    • Ensure nosuid option set on /home partition (Automated)
    • Ensure usrquota option set on /home partition (Automated)
    • Ensure grpquota option set on /home partition (Automated)
  • Configure /dev/shm
    • Ensure nodev option set on /dev/shm partition (Automated)
    • Ensure noexec option set on /dev/shm partition (Automated)
    • Ensure nosuid option set on /dev/shm partition (Automated)
  • Disable Automounting (Automated)
  • Disable USB Storage (Automated)

Because the /var/log file system is not intended to support devices, set the nodev option to ensure that users cannot create block or character special devices in /var/log. Since the /var/log file system is only for log files, set the noexec option to ensure that users cannot run executable binaries from /var/log. Since the /var/log file system is only for log files, set the nosuid option to ensure that users cannot create setuid files in /var/log.

Since the /var/log/audit file system is intended only for audit logs, set the noexec option to ensure that users cannot run executable binaries from /var/log/audit. Since the /var/log/audit file system is not intended to support devices, set the nodev option to ensure that users cannot create block or character special devices in /var/log/audit.
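The mount-option recommendations above (separate partition plus nodev/noexec/nosuid per mount point) are easy to audit in one pass. The following POSIX shell script is an added example, not audit code from the CIS benchmark or from CIS-CAT; the function names (has_opt, missing_opts, audit_mounts, count_failures), the POLICY table and SAMPLE_MOUNTS are all assumptions made for this illustration, and the sample mount table is constructed rather than captured from a real host. The input format is that of `findmnt -rn -o TARGET,OPTIONS`, which is what the `--live` mode feeds in.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit mount options for the
# separate partitions the Filesystem Configuration section covers.
# Input is text shaped like `findmnt -rn -o TARGET,OPTIONS`; the sample below
# is constructed for this demonstration, not captured from a real host.

SAMPLE_MOUNTS='/ rw,relatime
/tmp rw,nosuid,nodev,noexec,relatime
/var rw,relatime
/var/log rw,nosuid,nodev,noexec,relatime
/var/log/audit rw,nosuid,nodev,relatime
/dev/shm rw,nosuid,nodev,relatime'

# Required options per mount point, following the benchmark's section list (assumed table).
POLICY='/tmp nodev,noexec,nosuid
/var nodev,noexec,nosuid
/var/tmp nodev,noexec,nosuid
/var/log nodev,noexec,nosuid
/var/log/audit nodev,noexec,nosuid
/home nodev,nosuid,usrquota,grpquota
/dev/shm nodev,noexec,nosuid'

# has_opt MOUNTS TARGET OPT -> 0 when the mount at TARGET carries OPT
has_opt() {
    printf '%s\n' "$1" | awk -v t="$2" -v o="$3" '
        $1 == t { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == o) found = 1 }
        END { exit found ? 0 : 1 }'
}

# is_mounted MOUNTS TARGET -> 0 when TARGET appears as its own mount point
is_mounted() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t { f = 1 } END { exit f ? 0 : 1 }'
}

# missing_opts MOUNTS TARGET OPT... -> prints each required option that is absent, or
# "not-a-separate-mount" when TARGET is not its own mount; returns 1 on any gap
missing_opts() {
    m_mounts=$1; m_target=$2; shift 2
    if ! is_mounted "$m_mounts" "$m_target"; then
        printf 'not-a-separate-mount\n'
        return 1
    fi
    m_rc=0
    for o in "$@"; do
        if ! has_opt "$m_mounts" "$m_target" "$o"; then
            printf '%s\n' "$o"
            m_rc=1
        fi
    done
    return $m_rc
}

# audit_mounts MOUNTS -> one PASS/FAIL line per POLICY entry; returns 1 if any FAIL
audit_mounts() {
    failures=0
    while read -r target opts; do
        [ -n "$target" ] || continue
        # the inner substitution is deliberately unquoted: "a,b,c" becomes three arguments;
        # "|| true" keeps a failing check from tripping set -e in the caller
        miss=$(missing_opts "$1" "$target" $(printf '%s' "$opts" | tr ',' ' ')) || true
        if [ -n "$miss" ]; then
            printf 'FAIL %s: %s\n' "$target" "$(printf '%s' "$miss" | tr '\n' ' ')"
            failures=$((failures + 1))
        else
            printf 'PASS %s\n' "$target"
        fi
    done <<EOF
$POLICY
EOF
    [ "$failures" -eq 0 ]
}

# count_failures MOUNTS -> number of FAIL lines, convenient for scripting
count_failures() {
    audit_mounts "$1" | grep -c '^FAIL'
}

if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(findmnt -rn -o TARGET,OPTIONS)"
else
    audit_mounts "$SAMPLE_MOUNTS" || echo "sample data has non-compliant mounts (expected)"
fi
```

Run it with `--live` on a CentOS 8 host to audit the real mount table; without arguments it walks the constructed sample, where /tmp and /var/log pass, /var and /dev/shm lack options, and /var/tmp and /home are not separate mounts at all. Reporting "not-a-separate-mount" distinctly matters because a missing partition and a partition with weak options are remediated differently.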

Configure Software Updates

  • Ensure GPG keys are configured (Manual)
  • Ensure gpgcheck is globally activated (Automated)
  • Ensure package manager repositories are configured (Manual)

Repositories that store their respective GPG keys on disk must do so in /etc/pki/rpm-gpg/. Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Implement automated software update tools to ensure that operating systems use the latest security updates from the software vendor. Implement automated software update tools to ensure that third-party software is running the latest security updates from the software vendor on all systems. It is important to ensure that the package signature of an RPM is always checked before installation to ensure that the software comes from a trusted source.

Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Systems must have the respective package manager repositories configured to ensure that the system can receive the latest fixes and updates. For the repositories in use, inspect the configuration file to ensure that all settings are applied correctly according to site policy.

Deploy automated software update tools to ensure that third-party software on all systems is running the latest security updates provided by the software vendor.
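To make the gpgcheck recommendation concrete, here is an added example (written for this page, not taken from the CIS benchmark or from dnf) that reads the `[main]` section of a dnf configuration file and every section of the `.repo` files in a directory, reporting any section where package signature checking is off or simply never set. The function names (make_sample_repos, main_gpgcheck, repo_violations, audit_gpgcheck) are assumptions, and the repo files it builds under a temporary directory are constructed samples; the `--live` mode points the same checks at /etc/dnf/dnf.conf and /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit gpgcheck in a dnf main
# configuration file and in a directory of .repo files. The sample files below
# are constructed for this demonstration and are not from any real host.

# make_sample_repos -> creates a scratch directory with constructed config and prints its path
make_sample_repos() {
    d=$(mktemp -d)
    cat > "$d/dnf.conf" <<'EOF'
[main]
gpgcheck=1
installonly_limit=3
EOF
    cat > "$d/base.repo" <<'EOF'
[baseos]
name=CentOS Linux 8 - BaseOS (constructed sample)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[appstream]
name=CentOS Linux 8 - AppStream (constructed sample)
gpgcheck=0
EOF
    cat > "$d/vendor.repo" <<'EOF'
[vendor]
name=Third-party repo that never sets gpgcheck (constructed sample)
baseurl=https://repo.example.invalid/el8/
EOF
    printf '%s\n' "$d"
}

# main_gpgcheck CONF -> prints the gpgcheck value of the [main] section ("unset" if absent)
main_gpgcheck() {
    awk -F= '
        /^\[/ { sect = $0 }
        sect == "[main]" && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# repo_violations DIR -> one "file:section=value" line per repo section whose gpgcheck
# is not 1; "unset" marks a section with no gpgcheck line, which silently inherits [main]
repo_violations() {
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        awk -F= -v file="$(basename "$f")" '
            function flush() {
                if (sect != "" && val != "1") print file ":" sect "=" (val == "" ? "unset" : val)
            }
            /^\[/ { flush(); sect = $0; sub(/^\[/, "", sect); sub(/\]$/, "", sect); val = "" }
            $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { val = $2; gsub(/[ \t]/, "", val) }
            END { flush() }' "$f"
    done
}

# audit_gpgcheck CONF DIR -> FAIL lines for each problem; returns 0 only when everything enforces signatures
audit_gpgcheck() {
    ok=0
    main=$(main_gpgcheck "$1")
    if [ "$main" != "1" ]; then
        printf 'FAIL %s: [main] gpgcheck is %s\n' "$1" "$main"
        ok=1
    fi
    v=$(repo_violations "$2")
    if [ -n "$v" ]; then
        printf '%s\n' "$v" | sed 's/^/FAIL /'
        ok=1
    fi
    return $ok
}

if [ "${1:-}" = "--live" ]; then
    audit_gpgcheck /etc/dnf/dnf.conf /etc/yum.repos.d && echo "gpgcheck enforced in [main] and every repo section"
else
    sample=$(make_sample_repos)
    audit_gpgcheck "$sample/dnf.conf" "$sample" || echo "sample configuration has violations (as constructed)"
    rm -rf "$sample"
fi
```

The "unset" case is reported separately on purpose: a repo section without its own gpgcheck line falls back to the `[main]` value, so it is only safe as long as nobody later loosens the global setting, and the benchmark's wording ("set all instances starting with gpgcheck") is easiest to satisfy when every section states the value explicitly.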

Filesystem Integrity Checking

  • Ensure AIDE is installed (Automated)
  • Ensure filesystem integrity is regularly checked (Automated)

The prelink feature can interfere with AIDE because it modifies binaries to speed up their startup time. Run prelink -ua to restore the binaries to their original, non-prelinked state, thus avoiding false positives from AIDE. Implement detailed audit logging for access to sensitive data or changes to sensitive data (using tools such as File Integrity Monitoring or Security Information and Event Monitoring).

OR run the following commands to verify that aidecheck.service and aidecheck.timer are enabled and aidecheck.timer is running.

Secure Boot Settings

  • Ensure bootloader password is set (Automated)
  • Ensure permissions on bootloader config are configured (Automated)
  • Ensure authentication is required when booting into rescue mode (Automated)

This recommendation is designed around the grub2 bootloader; if LILO or another bootloader is in use in your environment, apply the equivalent settings. Use data access control lists, also known as access permissions, for local and remote file systems, databases, and applications. Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists.

This control enforces the principle that only authorized individuals should have access to information, based on their need to access it as part of their responsibilities. The vfat filesystem itself has no concept of permissions, but it can be mounted under Linux with any set of permissions. By setting read and write permissions for root only, you prevent non-root users from seeing or modifying boot parameters.

This recommendation is designed around the grub bootloader; if LILO or another bootloader is in use in your environment, implement equivalent settings. Rescue mode (formerly single-user mode) is used to recover when the system detects a problem during boot, or when it is selected manually from the bootloader. Requiring authentication in rescue mode prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials.

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts use passwords unique to that system.

Additional Process Hardening

  • Ensure core dump storage is disabled (Automated)
  • Ensure core dump backtraces are disabled (Automated)
  • Ensure address space layout randomization (ASLR) is enabled (Automated)

A core dump contains a memory image created at the time the operating system terminates an application. The memory image may contain sensitive data and is generally only useful to developers trying to troubleshoot problems, increasing the risk to the system. Address space layout randomization (ASLR) is an exploit mitigation technique that randomly arranges the address space of important data areas of a process.

Randomly placing virtual memory regions will make it difficult to write exploits on memory pages because the memory placement will constantly shift. Whenever possible, enable anti-exploitation features on assets and software, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) available in an operating system, or implement appropriate toolkits that can be configured to apply protection to a broader range of applications and executables.

Mandatory Access Control

  • Configure SELinux
    • Ensure SELinux is installed (Automated)
    • Ensure SELinux is not disabled in bootloader configuration (Automated)
    • Ensure SELinux policy is configured (Automated)
    • Ensure the SELinux mode is not disabled (Automated)
    • Ensure the SELinux mode is enforcing (Automated)
    • Ensure no unconfined services exist (Automated)
    • Ensure SETroubleshoot is not installed (Automated)
    • Ensure the MCS Translation Service (mcstrans) is not installed (Automated)

Not only does this provide a consistent way to refer to objects in the SELinux policy, but it also removes the ambiguity that can be found in other identification methods. The SELinux policy uses these contexts in a series of rules that specify how processes can interact with each other and with various system resources. The systemd daemon can consult the SELinux policy and check the calling process label and the file label of the unit the caller is trying to manage, and then ask SELinux whether the caller is allowed access or not.

For an action to occur, both the traditional DAC permissions must be satisfied as well as the SELinux MAC rules. Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations.

Disabled - Strongly discouraged; the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.

CCI-002165: The information system enforces organization-defined discretionary access control policies for defined subjects and objects.

Command Line Warning Banners

  • Ensure message of the day is configured properly (Automated)
  • Ensure local login warning banner is configured properly (Automated)
  • Ensure remote login warning banner is configured properly (Automated)
  • Ensure permissions on /etc/motd are configured (Automated)
  • Ensure permissions on /etc/issue are configured (Automated)
  • Ensure permissions on /etc/issue.net are configured (Automated)

The contents of the /etc/motd file are displayed to users after login and serve as the message of the day for authenticated users. Unix-based systems typically have OS release and patch level information displayed when logging into the system. Edit the /etc/motd file with the appropriate content according to your site policy, removing any occurrences of \m, \r, \s, \v or references to the OS platform.

The contents of the /etc/issue file are displayed to users before they log in to local terminals. Edit the /etc/issue file with the appropriate content according to your site's policy, remove any instances of \m, \r, \s, \v or references to the OS platform. The contents of the /etc/issue.net file are displayed to users before they log in for remote connections from the configured services.

Edit the /etc/issue.net file with the appropriate content according to your site's policy, remove any instances of \m, \r, \s, \v or references to OS platform. If the /etc/motd file is not properly owned, it can be modified by unauthorized users with incorrect or misleading information. If the /etc/issue file does not have proper ownership, it can be modified by unauthorized users with incorrect or fraudulent information.

If the /etc/issue.net file does not have the correct ownership, it can be modified by unauthorized users with incorrect or misleading information.
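The three banner recommendations share one check: none of /etc/motd, /etc/issue or /etc/issue.net may contain the agetty escapes \m, \r, \s or \v (which expand to machine architecture, kernel release, OS name and OS version), and each must be owned by root. The script below is an added example written for this page, not audit code from the CIS benchmark; the function names (banner_escapes, banner_owned_by_root, audit_banners, make_sample_banners) are assumptions, the two banner files it writes to a temporary directory are constructed samples, and the ownership check assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): find login banner files that still
# carry the escapes the benchmark says to remove (\m, \r, \s, \v) and check
# that the files are owned by root. Sample banners below are constructed.

# banner_escapes FILE -> prints each offending escape once; returns 0 only when none is present
banner_escapes() {
    # '\\[mrsv]' is a BRE for a literal backslash followed by one of m, r, s, v
    found=$(grep -o '\\[mrsv]' "$1" | sort -u)
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# banner_owned_by_root FILE -> 0 when the owner is root (assumes GNU stat)
banner_owned_by_root() {
    [ "$(stat -c %U "$1")" = "root" ]
}

# audit_banners FILE... -> one PASS/FAIL line per file; returns 1 if any file fails
audit_banners() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'FAIL %s: missing\n' "$f"
            rc=1
            continue
        fi
        esc=$(banner_escapes "$f") || true
        if [ -n "$esc" ]; then
            printf 'FAIL %s: contains %s\n' "$f" "$(printf '%s' "$esc" | tr '\n' ' ')"
            rc=1
        elif ! banner_owned_by_root "$f"; then
            printf 'FAIL %s: not owned by root\n' "$f"
            rc=1
        else
            printf 'PASS %s\n' "$f"
        fi
    done
    return $rc
}

# make_sample_banners -> writes two constructed banners to a scratch directory and prints its path
make_sample_banners() {
    d=$(mktemp -d)
    # constructed: a banner that leaks OS name/version, kernel release and architecture
    printf 'CentOS \\s \\v\nKernel \\r on an \\m\n' > "$d/issue.default"
    # constructed: a site banner with no system details at all
    printf 'Authorized uses only. All activity may be monitored and reported.\n' > "$d/issue.policy"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--live" ]; then
    audit_banners /etc/motd /etc/issue /etc/issue.net
else
    d=$(make_sample_banners)
    audit_banners "$d/issue.default" "$d/issue.policy" || echo "sample banners need attention (expected for the constructed default)"
    rm -rf "$d"
fi
```

The escape check runs before the ownership check because a leaking banner is the finding that exposes information to unauthenticated users; ownership only matters once the content itself is acceptable. Run with `--live` on the host to audit the three real files.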

GNOME Display Manager

  • Ensure GNOME Display Manager is removed (Manual)
  • Ensure GDM login banner is configured (Automated)
  • Ensure last logged in user display is disabled (Automated)
  • Ensure XDMCP is not enabled (Automated)
  • Ensure automatic mounting of removable media is disabled (Automated)

Warning messages inform users attempting to log into the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies in place. Note: If a graphical login is not required, it should be removed to reduce the system's attack surface. Verify that a file exists in /etc/dconf/db/gdm.d/ and includes the following: (Typically this is /etc/dconf/db/gdm.d/01-banner-message).

Edit or create the file in /etc/dconf/db/gdm.d/ and add the following: (this is usually /etc/dconf/db/gdm.d/01-banner-message). Additional options and sections may appear in the /etc/dconf/db/gdm.d/01-banner-message file. If another GUI login service is in use and required on the system, refer to your documentation to disable the display of the last logged in user and apply an equivalent banner.

If a graphical login is not required, it should be removed to reduce the attack surface of the system. If another GUI login service is in use and required on the system, consult your documentation to disable the display of the last logged-in user. Verify that a file exists in /etc/dconf/db/gdm.d/ and includes the following: (This is usually /etc/dconf/db/gdm.d/00-login-screen).

Edit or create the file in /etc/dconf/db/gdm.d/ and add the following: (this is usually /etc/dconf/db/gdm.d/00-login-screen).

Ensure updates, patches, and additional security software are installed (Manual)

Ensure system-wide crypto policy is not legacy (Automated)

CRYPTO-POLICIES(7)

  • Time Synchronization
    • Ensure time synchronization is in use (Automated)
    • Ensure chrony is configured (Automated)
  • Special Purpose Services
    • Ensure xinetd is not installed (Automated)
    • Ensure xorg-x11-server-common is not installed (Automated)
    • Ensure Avahi Server is not installed (Automated)
    • Ensure CUPS is not installed (Automated)
    • Ensure DHCP Server is not installed (Automated)
    • Ensure DNS Server is not installed (Automated)
    • Ensure FTP Server is not installed (Automated)
    • Ensure VSFTP Server is not installed (Automated)
    • Ensure TFTP Server is not installed (Automated)
    • Ensure a web server is not installed (Automated)
    • Ensure IMAP and POP3 server is not installed (Automated)
    • Ensure Samba is not installed (Automated)

On systems where host-based time synchronization is not available, verify that chrony is installed.
