CIS Benchmarks for Linux Systems
Objective:
Below are the standard guidelines, as per the CIS Benchmarking standard, for adopting a secure configuration posture on Linux systems running on x86 and x64 platforms. This benchmark is intended for system and application administrators, security specialists, auditors, helpdesk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Linux on the x86 or x64 platform.
About CIS Benchmarks:
CIS Benchmarks are a set of guidelines and best practices for securing IT systems, networks, and infrastructure. They are developed by the Center for Internet Security (CIS), a global non-profit organization. CIS Benchmarks are free to the public and are used by thousands of businesses.
Note: It is advisable to verify the root user's PATH integrity and the integrity of any programs being run prior to executing commands and scripts.
–> Disable unused filesystems
Ensure mounting of cramfs filesystems is disabled
Ensure mounting of freevxfs filesystems is disabled
Ensure mounting of jffs2 filesystems is disabled
Ensure mounting of hfs filesystems is disabled
Ensure mounting of hfsplus filesystems is disabled
Ensure mounting of squashfs filesystems is disabled
Ensure mounting of udf filesystems is disabled
Ensure mounting of FAT filesystems is limited
Ensure /tmp is configured
Ensure nodev option set on /tmp partition
Ensure nosuid option set on /tmp partition
Ensure noexec option set on /tmp partition
Ensure separate partition exists for /var
Ensure separate partition exists for /var/tmp
Ensure nodev option set on /var/tmp partition
Ensure nosuid option set on /var/tmp partition
Ensure noexec option set on /var/tmp partition
Ensure separate partition exists for /var/log
Ensure separate partition exists for /var/log/audit
Ensure separate partition exists for /home
Ensure nodev option set on /home partition
Ensure nodev option set on /dev/shm partition
Ensure nosuid option set on /dev/shm partition
Ensure noexec option set on /dev/shm partition
Ensure nodev option set on removable media partitions
Ensure nosuid option set on removable media partitions
Ensure noexec option set on removable media partitions
Ensure sticky bit is set on all world-writable directories
Disable Automounting
Disable USB Storage
–> Configure Software Updates
Ensure package manager repositories are configured
Ensure GPG keys are configured
Filesystem Integrity Checking
Ensure AIDE is installed
Ensure filesystem integrity is regularly checked
Secure Boot Settings
Ensure permissions on bootloader config are configured
Ensure bootloader password is set
Ensure authentication required for single user mode
Ensure interactive boot is not enabled
–> Additional Process Hardening
Ensure core dumps are restricted
Ensure XD/NX support is enabled
Ensure address space layout randomization (ASLR) is enabled
Ensure prelink is disabled
Mandatory Access Control
Ensure login and logout events are collected
Ensure session initiation information is collected
Ensure discretionary access control permission modification events are collected
Ensure unsuccessful unauthorized file access attempts are collected
Ensure use of privileged commands is collected
Ensure successful file system mounts are collected
Ensure file deletion events by users are collected
Ensure changes to system administration scope (sudoers) are collected
Ensure system administrator actions (sudolog) are collected
Ensure kernel module loading and unloading is collected
Ensure the audit configuration is immutable
–> Configure Logging
Configure rsyslog
Ensure rsyslog is installed
Ensure rsyslog Service is enabled
Ensure logging is configured
Ensure rsyslog default file permissions configured
Ensure rsyslog is configured to send logs to a remote log host
Ensure remote rsyslog messages are only accepted on designated log hosts
–> Configure journald
Ensure journald is configured to send logs to rsyslog
Ensure journald is configured to compress large log files
Ensure journald is configured to write logfiles to persistent disk
Ensure permissions on all logfiles are configured
Ensure logrotate is configured
Access, Authentication and Authorization
–> Configure cron
Ensure cron daemon is enabled
Ensure permissions on /etc/crontab are configured
Ensure permissions on /etc/cron.hourly are configured
Ensure permissions on /etc/cron.daily are configured
Ensure permissions on /etc/cron.weekly are configured
Ensure permissions on /etc/cron.monthly are configured
Ensure permissions on /etc/cron.d are configured
Ensure at/cron is restricted to authorized users
–> SSH Server Configuration
Ensure permissions on /etc/ssh/sshd_config are configured
Ensure permissions on SSH private host key files are configured
Ensure permissions on SSH public host key files are configured
Ensure SSH Protocol is set to 2
Ensure SSH LogLevel is appropriate
Ensure SSH X11 forwarding is disabled
Ensure SSH MaxAuthTries is set to 4 or less
Ensure SSH IgnoreRhosts is enabled
Ensure SSH HostbasedAuthentication is disabled
Ensure SSH root login is disabled
Ensure SSH PermitEmptyPasswords is disabled
Ensure SSH PermitUserEnvironment is disabled
Ensure only strong Ciphers are used
Ensure only strong MAC algorithms are used
Ensure only strong Key Exchange algorithms are used
Ensure SSH Idle Timeout Interval is configured
Ensure SSH LoginGraceTime is set to one minute or less
Ensure SSH access is limited
Ensure SSH warning banner is configured
Ensure SSH PAM is enabled
Ensure SSH AllowTcpForwarding is disabled
Ensure SSH MaxStartups is configured
Ensure SSH MaxSessions is set to 4 or less
–> Configure PAM
Ensure password creation requirements are configured
Ensure lockout for failed password attempts is configured
Ensure password reuse is limited
Ensure password hashing algorithm is SHA-512
–> User Accounts and Environment
–> Set Shadow Password Suite Parameters
Ensure password expiration is 365 days or less
Ensure minimum days between password changes is 7 or more
Ensure password expiration warning days is 7 or more
Ensure inactive password lock is 30 days or less
Ensure all users last password change date is in the past
Ensure system accounts are secured
Ensure default group for the root account is GID 0
Ensure default user umask is 027 or more restrictive
Ensure default user shell timeout is 900 seconds or less
Ensure root login is restricted to system console
Ensure access to the su command is restricted
–> System Maintenance
System File Permissions
Audit system file permissions
Ensure permissions on /etc/passwd are configured
Ensure permissions on /etc/shadow are configured
Ensure permissions on /etc/group are configured
Ensure permissions on /etc/gshadow are configured
Ensure permissions on /etc/passwd- are configured
Ensure permissions on /etc/shadow- are configured
Ensure permissions on /etc/group- are configured
Ensure permissions on /etc/gshadow- are configured
Ensure no world writable files exist
Ensure no unowned files or directories exist
Ensure no ungrouped files or directories exist
Audit SUID executables
Audit SGID executables
–> User and Group Settings
Ensure password fields are not empty
Ensure no legacy “+” entries exist in /etc/passwd
Ensure no legacy “+” entries exist in /etc/shadow
Ensure no legacy “+” entries exist in /etc/group
Ensure root is the only UID 0 account
Ensure root PATH Integrity
Ensure all users’ home directories exist
Ensure users’ home directories permissions are 750 or more restrictive
Ensure users own their home directories
Ensure users’ dot files are not group or world writable
Ensure no users have .forward files
Ensure no users have .netrc files
Ensure users’ .netrc Files are not group or world accessible
Ensure no users have .rhosts files
Ensure all groups in /etc/passwd exist in /etc/group
Ensure no duplicate UIDs exist
Ensure no duplicate GIDs exist
Ensure no duplicate user names exist
Ensure no duplicate group names exist
Ensure shadow group is empty