
CIS compliance (packages)

* CIS 1.5.4 Ensure prelink is disabled
* CIS 2.3.1 Ensure NIS Client is not installed
* CIS 2.3.2 Ensure rsh client is not installed
* CIS 2.3.3 Ensure talk client is not installed
* CIS 2.3.4 Ensure telnet client is not installed

Change-Id: I0eb11d39deaa28f238a2e618bf95cc248189197c
pull/138/merge
Dmitry Teselkin, 6 years ago
parent commit 4326d345c7
6 files changed, 219 additions and 0 deletions
  1. +37 -0 metadata/service/system/cis/cis-1-5-4.yml
  2. +43 -0 metadata/service/system/cis/cis-2-3-1.yml
  3. +55 -0 metadata/service/system/cis/cis-2-3-2.yml
  4. +39 -0 metadata/service/system/cis/cis-2-3-3.yml
  5. +40 -0 metadata/service/system/cis/cis-2-3-4.yml
  6. +5 -0 metadata/service/system/cis/init.yml

metadata/service/system/cis/cis-1-5-4.yml (+37 -0)

@@ -0,0 +1,37 @@
# CIS 1.5.4 Ensure prelink is disabled
#
# Description
# ===========
# prelink is a program that modifies ELF shared libraries and ELF dynamically
# linked binaries in such a way that the time needed for the dynamic linker to
# perform relocations at startup significantly decreases.
#
# Rationale
# =========
# The prelinking feature can interfere with the operation of AIDE, because it
# changes binaries. Prelinking can also increase the vulnerability of the system
# if a malicious user is able to compromise a common library such as libc.
#
# Audit
# =====
# Run the following command and verify prelink is not installed:
#
# # dpkg -s prelink
#
# Remediation
# ===========
# Run the following command to restore binaries to normal:
#
# # prelink -ua
#
# Run the following command to uninstall prelink :
#
# # apt-get remove prelink
#
parameters:
linux:
system:
package:
prelink:
version: removed
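Review bot: the Remediation block in the header says to run `prelink -ua` before uninstalling, but the state only declares `prelink: version: removed`, so on a host where prelink was already active, whether the ELF binaries are restored depends on the package's own removal scripts rather than on anything this class does, and the header does not say which. Either add an ordered step that runs `prelink -ua` (guarded with an `onlyif` on the prelink binary) before the package removal, or state explicitly that this class assumes prelink was never installed. Minor: the audit and remediation commands here are written as `# # dpkg -s prelink` and `# # apt-get remove prelink`, while the other new files use a single `#` prompt; pick one convention.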


metadata/service/system/cis/cis-2-3-1.yml (+43 -0)

@@ -0,0 +1,43 @@
# 2.3.1 Ensure NIS Client is not installed
#
# Description
# ===========
# The Network Information Service (NIS), formerly known as Yellow Pages,
# is a client-server directory service protocol used to distribute system
# configuration files. The NIS client ( ypbind ) was used to bind a machine
# to an NIS server and receive the distributed configuration files.
#
# Rationale
# =========
# The NIS service is inherently an insecure system that has been vulnerable
# to DOS attacks, buffer overflows and has poor authentication for querying
# NIS maps. NIS generally has been replaced by such protocols as Lightweight
# Directory Access Protocol (LDAP). It is recommended that the service be
# removed.
#
# Audit
# =====
# Run the following command and verify nis is not installed:
#
# dpkg -s nis
#
# Remediation
# ===========
# Run the following command to uninstall nis:
#
# apt-get remove nis
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test
# and troubleshoot. If they are required it is advisable to remove the clients
# after use to prevent accidental or intentional misuse.
#
parameters:
linux:
system:
package:
nis:
version: removed
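Review bot: `version: removed` removes the binaries but leaves the package's conffiles on disk, so after this state runs the package sits in dpkg's `config-files` state and the Audit command `dpkg -s nis` still exits 0 and prints a `Status:` line instead of "not installed". If the intent is to satisfy the audit as literally written, either use `version: purged` (assuming the formula maps that to pkg.purged; worth confirming) or add a line to the Audit section saying the check must look at the `Status:` field rather than the exit code.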


metadata/service/system/cis/cis-2-3-2.yml (+55 -0)

@@ -0,0 +1,55 @@
# 2.3.2 Ensure rsh client is not installed
#
# Description
# ===========
# The rsh package contains the client commands for the rsh services.
#
# Rationale
# =========
# These legacy clients contain numerous security exposures and have been
# replaced with the more secure SSH package. Even if the server is removed,
# it is best to ensure the clients are also removed to prevent users from
# inadvertently attempting to use these commands and therefore exposing
# their credentials. Note that removing the rsh package removes the
# clients for rsh , rcp and rlogin .
#
# Audit
# =====
# Run the following commands and verify rsh is not installed:
#
# dpkg -s rsh-client
# dpkg -s rsh-redone-client
#
# Remediation
# ===========
# Run the following command to uninstall rsh :
#
# apt-get remove rsh-client rsh-redone-client
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test
# and troubleshoot. If they are required it is advisable to remove the
# clients after use to prevent accidental or intentional misuse.
#
# NOTE
# ====
# It is not possible to remove rsh-client by means of SaltStack because
# of the way SaltStack checks that package was really removed. 'rsh-client'
# is "provided" by openssh-client package, and SaltStack thinks that
# it is the same as 'rsh-client is installed'. So each time we try to
# remove 'rsh-client' on a system where 'openssh-client' is installed
# (that's almost every system), we got state failure.
# This was fixed in upstream SaltStack in 2018, not sure where we start using
# this version. Until that moment 'rsh-client' should remain unmanaged.
#
parameters:
linux:
system:
package:
# rsh-client:
# version: removed
rsh-redone-client:
version: removed
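Review bot: the NOTE explains why `rsh-client` is left unmanaged, but nothing marks the gap as deliberate: the commented-out `# rsh-client: / # version: removed` reads as dead config. Suggest a `TODO` line naming the upstream Salt change that fixed the `provides` handling and the minimum Salt version that carries it, so the block can be re-enabled on purpose rather than rediscovered. Until then the rsh, rcp and rlogin clients from the real `rsh-client` package are still permitted by this class, so 2.3.2 is only half enforced; that should be stated in the class header (and ideally in the commit message) rather than only in a trailing note.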


metadata/service/system/cis/cis-2-3-3.yml (+39 -0)

@@ -0,0 +1,39 @@
# 2.3.3 Ensure talk client is not installed
#
# Description
# ===========
# The talk software makes it possible for users to send and receive messages
# across systems through a terminal session. The talk client, which allows
# initialization of talk sessions, is installed by default.
#
# Rationale
# =========
# The software presents a security risk as it uses unencrypted protocols
# for communication.
#
# Audit
# =====
# Run the following command and verify talk is not installed:
#
# dpkg -s talk
#
# Remediation
# ===========
# Run the following command to uninstall talk :
#
# apt-get remove talk
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test
# and troubleshoot. If they are required it is advisable to remove the clients
# after use to prevent accidental or intentional misuse.
#
parameters:
linux:
system:
package:
talk:
version: removed
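Review bot: the Impact paragraph here is the same four-sentence text as in cis-2-3-1.yml and cis-2-3-2.yml (and again in cis-2-3-4.yml), with only line wrapping differing. That is fine if the headers are meant to mirror the benchmark verbatim, but if they are ever edited it will drift; consider a one-line pointer to the shared wording, or at least wrap all four identically.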


metadata/service/system/cis/cis-2-3-4.yml (+40 -0)

@@ -0,0 +1,40 @@
# 2.3.4 Ensure telnet client is not installed
#
# Description
# ===========
# The telnet package contains the telnet client, which allows users to start
# connections to other systems via the telnet protocol.
#
# Rationale
# =========
# The telnet protocol is insecure and unencrypted. The use of an unencrypted
# transmission medium could allow an unauthorized user to steal credentials.
# The ssh package provides an encrypted session and stronger security and is
# included in most Linux distributions.
#
# Audit
# =====
# Run the following command and verify telnet is not installed:
#
# # dpkg -s telnet
#
# Remediation
# ===========
# Run the following command to uninstall telnet :
#
# # apt-get remove telnet
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test and
# troubleshoot. If they are required it is advisable to remove the clients
# after use to prevent accidental or intentional misuse.
#
parameters:
linux:
system:
package:
telnet:
version: removed
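Review bot: the Impact block concedes that the telnet client is sometimes needed for troubleshooting, but the file does not say how an operator opts out without editing the CIS class itself. Since these are reclass parameters, a higher-precedence class or node definition can override `linux:system:package:telnet:version`; a one-line comment in the header pointing that out (and that the override should be temporary, per the Impact text) would make the intended workflow clear. The same applies to the other 2.3.x files.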


metadata/service/system/cis/init.yml (+5 -0)

@@ -1,6 +1,11 @@
classes:
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
- service.linux.system.cis.cis-1-5-4
- service.linux.system.cis.cis-2-3-1
- service.linux.system.cis.cis-2-3-2
- service.linux.system.cis.cis-2-3-3
- service.linux.system.cis.cis-2-3-4
- service.linux.system.cis.cis-3-1-2
- service.linux.system.cis.cis-3-2-1
- service.linux.system.cis.cis-3-2-2
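Review bot: `service.linux.system.cis.cis-2-3-2` is included unconditionally even though that class, per its own NOTE, cannot manage `rsh-client` and only removes `rsh-redone-client`, so this list gives the impression that 2.3.2 is fully covered when it is not. Including it is reasonable, but mark 2.3.2 as partial (here or in the class header) until the `rsh-client` state is re-enabled, so a compliance reviewer reading only init.yml is not misled.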
