CIS Benchmarks for Linux Systems

Objective:

Below are the standard guidelines, per the CIS Benchmark, for adopting a secure configuration posture on Linux systems running on x86 and x64 platforms. This benchmark is intended for system and application administrators, security specialists, auditors, helpdesk staff, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Linux on the x86 or x64 platform.


About CIS Benchmarks:

CIS Benchmarks are a set of guidelines and best practices for securing IT systems, networks, and infrastructure. They are developed by the Center for Internet Security (CIS), a global non-profit organization. CIS Benchmarks are free to the public and are used by thousands of businesses.

Note: Before running any of the audit commands or scripts below, verify the integrity of the root user's PATH and of every program they invoke, so that a tampered binary cannot subvert the check.

–> Disable unused filesystems

Ensure mounting of cramfs filesystems is disabled

Ensure mounting of freevxfs filesystems is disabled

Ensure mounting of jffs2 filesystems is disabled

Ensure mounting of hfs filesystems is disabled

Ensure mounting of hfsplus filesystems is disabled

Ensure mounting of squashfs filesystems is disabled

Ensure mounting of udf filesystems is disabled

Ensure mounting of FAT filesystems is limited

Ensure /tmp is configured

Ensure nodev option set on /tmp partition

Ensure nosuid option set on /tmp partition

Ensure noexec option set on /tmp partition

Ensure separate partition exists for /var

Ensure separate partition exists for /var/tmp

Ensure nodev option set on /var/tmp partition

Ensure nosuid option set on /var/tmp partition

Ensure noexec option set on /var/tmp partition

Ensure separate partition exists for /var/log

Ensure separate partition exists for /var/log/audit

Ensure separate partition exists for /home

Ensure nodev option set on /home partition

Ensure nodev option set on /dev/shm partition

Ensure nosuid option set on /dev/shm partition

Ensure noexec option set on /dev/shm partition

Ensure nodev option set on removable media partitions

Ensure nosuid option set on removable media partitions

Ensure noexec option set on removable media partitions

Ensure sticky bit is set on all world-writable directories

Disable Automounting

Disable USB Storage

–> Configure Software Updates

Ensure package manager repositories are configured

Ensure GPG keys are configured

Filesystem Integrity Checking

Ensure AIDE is installed

Ensure filesystem integrity is regularly checked

Secure Boot Settings

Ensure permissions on bootloader config are configured

Ensure bootloader password is set

Ensure authentication required for single user mode

Ensure interactive boot is not enabled

–> Additional Process Hardening

Ensure core dumps are restricted

Ensure XD/NX support is enabled

Ensure address space layout randomization (ASLR) is enabled

Ensure prelink is disabled

Mandatory Access Control

Ensure login and logout events are collected

Ensure session initiation information is collected

Ensure discretionary access control permission modification events are collected

Ensure unsuccessful unauthorized file access attempts are collected

Ensure use of privileged commands is collected

Ensure successful file system mounts are collected

Ensure file deletion events by users are collected

Ensure changes to system administration scope (sudoers) is collected

Ensure system administrator actions (sudolog) are collected

Ensure kernel module loading and unloading is collected

Ensure the audit configuration is immutable

–> Configure Logging

Configure rsyslog

Ensure rsyslog is installed

Ensure rsyslog Service is enabled

Ensure logging is configured

Ensure rsyslog default file permissions configured

Ensure rsyslog is configured to send logs to a remote log host

Ensure remote rsyslog messages are only accepted on designated log hosts

–> Configure journald

Ensure journald is configured to send logs to rsyslog

Ensure journald is configured to compress large log files

Ensure journald is configured to write logfiles to persistent disk

Ensure permissions on all logfiles are configured

Ensure logrotate is configured

Access, Authentication and Authorization

–> Configure cron

Ensure cron daemon is enabled

Ensure permissions on /etc/crontab are configured

Ensure permissions on /etc/cron.hourly are configured

Ensure permissions on /etc/cron.daily are configured

Ensure permissions on /etc/cron.weekly are configured

Ensure permissions on /etc/cron.monthly are configured

Ensure permissions on /etc/cron.d are configured

Ensure at/cron is restricted to authorized users

–> SSH Server Configuration

Ensure permissions on /etc/ssh/sshd_config are configured

Ensure permissions on SSH private host key files are configured

Ensure permissions on SSH public host key files are configured

Ensure SSH Protocol is set to 2

Ensure SSH LogLevel is appropriate

Ensure SSH X11 forwarding is disabled

Ensure SSH MaxAuthTries is set to 4 or less

Ensure SSH IgnoreRhosts is enabled

Ensure SSH HostbasedAuthentication is disabled

Ensure SSH root login is disabled

Ensure SSH PermitEmptyPasswords is disabled

Ensure SSH PermitUserEnvironment is disabled

Ensure only strong Ciphers are used

Ensure only strong MAC algorithms are used

Ensure only strong Key Exchange algorithms are used

Ensure SSH Idle Timeout Interval is configured

Ensure SSH LoginGraceTime is set to one minute or less

Ensure SSH access is limited

Ensure SSH warning banner is configured

Ensure SSH PAM is enabled

Ensure SSH AllowTcpForwarding is disabled

Ensure SSH MaxStartups is configured

Ensure SSH MaxSessions is set to 4 or less

–> Configure PAM

Ensure password creation requirements are configured

Ensure lockout for failed password attempts is configured

Ensure password reuse is limited

Ensure password hashing algorithm is SHA-512

–> User Accounts and Environment

–> Set Shadow Password Suite Parameters

Ensure password expiration is 365 days or less

Ensure minimum days between password changes is 7 or more

Ensure password expiration warning days is 7 or more

Ensure inactive password lock is 30 days or less

Ensure all users last password change date is in the past

Ensure system accounts are secured

Ensure default group for the root account is GID 0

Ensure default user umask is 027 or more restrictive

Ensure default user shell timeout is 900 seconds or less

Ensure root login is restricted to system console

Ensure access to the su command is restricted

–> System Maintenance

System File Permissions

Audit system file permissions

Ensure permissions on /etc/passwd are configured

Ensure permissions on /etc/shadow are configured

Ensure permissions on /etc/group are configured

Ensure permissions on /etc/gshadow are configured

Ensure permissions on /etc/passwd- are configured

Ensure permissions on /etc/shadow- are configured

Ensure permissions on /etc/group- are configured

Ensure permissions on /etc/gshadow- are configured

Ensure no world writable files exist

Ensure no unowned files or directories exist

Ensure no ungrouped files or directories exist

Audit SUID executables

Audit SGID executables

–> User and Group Settings

Ensure password fields are not empty

Ensure no legacy “+” entries exist in /etc/passwd

Ensure no legacy “+” entries exist in /etc/shadow

Ensure no legacy “+” entries exist in /etc/group

Ensure root is the only UID 0 account

Ensure root PATH integrity

Ensure all users’ home directories exist

Ensure users’ home directories permissions are 750 or more restrictive

Ensure users own their home directories

Ensure users’ dot files are not group or world writable

Ensure no users have .forward files

Ensure no users have .netrc files

Ensure users’ .netrc files are not group or world accessible

Ensure no users have .rhosts files

Ensure all groups in /etc/passwd exist in /etc/group

Ensure no duplicate UIDs exist

Ensure no duplicate GIDs exist

Ensure no duplicate user names exist

Ensure no duplicate group names exist

Ensure shadow group is empty
