CIS compliance (packages)

* CIS 1.5.4 Ensure prelink is disabled
* CIS 2.3.1 Ensure NIS Client is not installed
* CIS 2.3.2 Ensure rsh client is not installed
* CIS 2.3.3 Ensure talk client is not installed
* CIS 2.3.4 Ensure telnet client is not installed

Change-Id: I0eb11d39deaa28f238a2e618bf95cc248189197c

metadata/service/system/cis/cis-1-5-4.yml

@@ -0,0 +1,37 @@
+# CIS 1.5.4 Ensure prelink is disabled
+#
+# Description
+# ===========
+# prelink is a program that modifies ELF shared libraries and ELF dynamically
+# linked binaries in such a way that the time needed for the dynamic linker to
+# perform relocations at startup significantly decreases.
+#
+# Rationale
+# =========
+# The prelinking feature can interfere with the operation of AIDE, because it
+# changes binaries. Prelinking can also increase the vulnerability of the system
+# if a malicious user is able to compromise a common library such as libc.
+#
+# Audit
+# =====
+# Run the following command and verify prelink is not installed:
+#
+#   # dpkg -s prelink
+#
+# Remediation
+# ===========
+# Run the following command to restore binaries to normal:
+#
+#   # prelink -ua
+#
+# Run the following command to uninstall prelink :
+#
+#   # apt-get remove prelink
+#
+parameters:
+  linux:
+    system:
+      package:
+        prelink:
+          version: removed
+

metadata/service/system/cis/cis-2-3-1.yml

@@ -0,0 +1,43 @@
+# 2.3.1 Ensure NIS Client is not installed
+#
+# Description
+# ===========
+# The Network Information Service (NIS), formerly known as Yellow Pages,
+# is a client-server directory service protocol used to distribute system
+# configuration files. The NIS client ( ypbind ) was used to bind a machine
+# to an NIS server and receive the distributed configuration files.
+#
+# Rationale
+# =========
+# The NIS service is inherently an insecure system that has been vulnerable
+# to DOS attacks, buffer overflows and has poor authentication for querying
+# NIS maps. NIS generally has been replaced by such protocols as Lightweight
+# Directory Access Protocol (LDAP). It is recommended that the service be
+# removed.
+#
+# Audit
+# =====
+# Run the following command and verify nis is not installed:
+#
+#   dpkg -s nis
+#
+# Remediation
+# ===========
+# Run the following command to uninstall nis:
+#
+#   apt-get remove nis
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+  linux:
+    system:
+      package:
+        nis:
+          version: removed
+

metadata/service/system/cis/cis-2-3-2.yml

@@ -0,0 +1,55 @@
+# 2.3.2 Ensure rsh client is not installed
+#
+# Description
+# ===========
+# The rsh package contains the client commands for the rsh services.
+#
+# Rationale
+# =========
+# These legacy clients contain numerous security exposures and have been
+# replaced with the more secure SSH package. Even if the server is removed,
+# it is best to ensure the clients are also removed to prevent users from
+# inadvertently attempting to use these commands and therefore exposing
+# their credentials. Note that removing the rsh package removes the
+# clients for rsh , rcp and rlogin .
+#
+# Audit
+# =====
+# Run the following commands and verify rsh is not installed:
+#
+#   dpkg -s rsh-client
+#   dpkg -s rsh-redone-client
+#
+# Remediation
+# ===========
+# Run the following command to uninstall rsh :
+#
+#   apt-get remove rsh-client rsh-redone-client
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the
+# clients after use to prevent accidental or intentional misuse.
+#
+# NOTE
+# ====
+# It is not possible to remove rsh-client by means of SaltStack because
+# of the way SaltStack checks that package was really removed. 'rsh-client'
+# is "provided" by openssh-client package, and SaltStack thinks that
+# it is the same as 'rsh-client is installed'. So each time we try to
+# remove 'rsh-client' on a system where 'openssh-client' is installed
+# (that's almost every system), we got state failure.
+# This was fixed in upstream SaltStack in 2018, not sure where we start using
+# this version. Until that moment 'rsh-client' should remain unmanaged.
+#
+parameters:
+  linux:
+    system:
+      package:
+#        rsh-client:
+#          version: removed
+        rsh-redone-client:
+          version: removed
+

metadata/service/system/cis/cis-2-3-3.yml

@@ -0,0 +1,39 @@
+# 2.3.3 Ensure talk client is not installed
+#
+# Description
+# ===========
+# The talk software makes it possible for users to send and receive messages
+# across systems through a terminal session. The talk client, which allows
+# initialization of talk sessions, is installed by default.
+#
+# Rationale
+# =========
+# The software presents a security risk as it uses unencrypted protocols
+# for communication.
+#
+# Audit
+# =====
+# Run the following command and verify talk is not installed:
+#
+#   dpkg -s talk
+#
+# Remediation
+# ===========
+# Run the following command to uninstall talk :
+#
+#   apt-get remove talk
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+  linux:
+    system:
+      package:
+        talk:
+          version: removed
+

metadata/service/system/cis/cis-2-3-4.yml

@@ -0,0 +1,40 @@
+# 2.3.4 Ensure telnet client is not installed
+#
+# Description
+# ===========
+# The telnet package contains the telnet client, which allows users to start
+# connections to other systems via the telnet protocol.
+#
+# Rationale
+# =========
+# The telnet protocol is insecure and unencrypted. The use of an unencrypted
+# transmission medium could allow an unauthorized user to steal credentials.
+# The ssh package provides an encrypted session and stronger security and is
+# included in most Linux distributions.
+#
+# Audit
+# =====
+# Run the following command and verify telnet is not installed:
+#
+#   # dpkg -s telnet
+#
+# Remediation
+# ===========
+# Run the following command to uninstall telnet :
+#
+#   # apt-get remove telnet
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test and
+# troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+  linux:
+    system:
+      package:
+        telnet:
+          version: removed
+

metadata/service/system/cis/init.yml

@@ -1,6 +1,11 @@
 classes:
 - service.linux.system.cis.cis-1-5-1
 - service.linux.system.cis.cis-1-5-3
+- service.linux.system.cis.cis-1-5-4
+- service.linux.system.cis.cis-2-3-1
+- service.linux.system.cis.cis-2-3-2
+- service.linux.system.cis.cis-2-3-3
+- service.linux.system.cis.cis-2-3-4
 - service.linux.system.cis.cis-3-1-2
 - service.linux.system.cis.cis-3-2-1
 - service.linux.system.cis.cis-3-2-2