Sfoglia il codice sorgente
CIS compliance (sysctl, limits)
* CIS 1.5.1 Ensure core dumps are restricted * CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled * CIS 3.1.2 Ensure packet redirect sending is disabled * CIS 3.2.1 Ensure source routed packets are not accepted * CIS 3.2.2 Ensure ICMP redirects are not accepted * CIS 3.2.3 Ensure secure ICMP redirects are not accepted * CIS 3.2.4 Ensure suspicious packets are logged * CIS 3.2.5 Ensure broadcast ICMP requests are ignored * CIS 3.2.6 Ensure bogus ICMP responses are ignored * CIS 3.2.7 Ensure Reverse Path Filtering is enabled * CIS 3.2.8 Ensure TCP SYN Cookies is enabled All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04. Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1apull/165/head
Dmitry Teselkin
6 anni fa
12 ha cambiato i file con 539 aggiunte e 0 eliminazioni
+ 59
- 0
metadata/service/system/cis/cis-1-5-1.yml
Vedi File
| @@ -0,0 +1,59 @@ | |||
| # CIS 1.5.1 Ensure core dumps are restricted (Scored) | |||
| # | |||
| # Description | |||
| # =========== | |||
| # | |||
| # A core dump is the memory of an executable program. It is generally used to determine | |||
| # why a program aborted. It can also be used to glean confidential information from a core | |||
| # file. The system provides the ability to set a soft limit for core dumps, but this can be | |||
| # overridden by the user. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # | |||
| # Setting a hard limit on core dumps prevents users from overriding the soft variable. If core | |||
| # dumps are required, consider setting limits for user groups (see limits.conf(5) ). In | |||
| # addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from | |||
| # dumping core. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # grep "hard core" /etc/security/limits.conf /etc/security/limits.d/* | |||
| # * hard core 0 | |||
| # # sysctl fs.suid_dumpable | |||
| # fs.suid_dumpable = 0 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Add the following line to the /etc/security/limits.conf file or a | |||
| # /etc/security/limits.d/* file: | |||
| # | |||
| # * hard core 0 | |||
| # | |||
| # Set the following parameter in the /etc/sysctl.conf file: | |||
| # | |||
| # fs.suid_dumpable = 0 | |||
| # | |||
| # Run the following command to set the active kernel parameter: | |||
| # | |||
| # # sysctl -w fs.suid_dumpable=0 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| limit: | |||
| cis: | |||
| enabled: true | |||
| domain: '*' | |||
| limits: | |||
| - type: 'hard' | |||
| item: 'core' | |||
| value: 0 | |||
| kernel: | |||
| sysctl: | |||
| fs.suid_dumpable: 0 | |||
+ 40
- 0
metadata/service/system/cis/cis-1-5-3.yml
Vedi File
| @@ -0,0 +1,40 @@ | |||
| # 1.5.3 Ensure address space layout randomization (ASLR) is enabled | |||
| # | |||
| # Description | |||
| # =========== | |||
| # | |||
| # Address space layout randomization (ASLR) is an exploit mitigation technique which | |||
| # randomly arranges the address space of key data areas of a process. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # | |||
| # Randomly placing virtual memory regions will make it difficult to write memory page | |||
| # exploits as the memory placement will be consistently shifting. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following command and verify output matches: | |||
| # | |||
| # # sysctl kernel.randomize_va_space | |||
| # kernel.randomize_va_space = 2 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameter in the /etc/sysctl.conf file: | |||
| # | |||
| # kernel.randomize_va_space = 2 | |||
| # | |||
| # Run the following command to set the active kernel parameter: | |||
| # | |||
| # # sysctl -w kernel.randomize_va_space=2 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| kernel.randomize_va_space: 2 | |||
+ 44
- 0
metadata/service/system/cis/cis-3-1-2.yml
Vedi File
| @@ -0,0 +1,44 @@ | |||
| # 3.1.2 Ensure packet redirect sending is disabled | |||
| # | |||
| # Description | |||
| # =========== | |||
| # ICMP Redirects are used to send routing information to other hosts. As a host | |||
| # itself does not act as a router (in a host only configuration), there is | |||
| # no need to send redirects. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # An attacker could use a compromised host to send invalid ICMP redirects to | |||
| # other router devices in an attempt to corrupt routing and have users access | |||
| # a system set up by the attacker as opposed to a valid system. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.send_redirects | |||
| # net.ipv4.conf.all.send_redirects = 0 | |||
| # # sysctl net.ipv4.conf.default.send_redirects | |||
| # net.ipv4.conf.default.send_redirects = 0 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.send_redirects = 0 | |||
| # net.ipv4.conf.default.send_redirects = 0 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.send_redirects=0 | |||
| # # sysctl -w net.ipv4.conf.default.send_red | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.send_redirects: 0 | |||
| net.ipv4.conf.default.send_redirects: 0 | |||
+ 56
- 0
metadata/service/system/cis/cis-3-2-1.yml
Vedi File
| @@ -0,0 +1,56 @@ | |||
| # 3.2.1 Ensure source routed packets are not accepted | |||
| # | |||
| # Description | |||
| # =========== | |||
| # In networking, source routing allows a sender to partially or fully specify | |||
| # the route packets take through a network. In contrast, non-source routed | |||
| # packets travel a path determined by routers in the network. In some cases, | |||
| # systems may not be routable or reachable from some locations (e.g. private | |||
| # addresses vs. Internet routable), and so source routed packets would need | |||
| # to be used. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Setting `net.ipv4.conf.all.accept_source_route` and | |||
| # `net.ipv4.conf.default.accept_source_route` to 0 disables the system from | |||
| # accepting source routed packets. Assume this system was capable of routing | |||
| # packets to Internet routable addresses on one interface and private addresses | |||
| # on another interface. Assume that the private addresses were not routable to | |||
| # the Internet routable addresses and vice versa. Under normal routing | |||
| # circumstances, an attacker from the Internet routable addresses could not use | |||
| # the system as a way to reach the private address systems. If, however, source | |||
| # routed packets were allowed, they could be used to gain access to the private | |||
| # address systems as the route could be specified, rather than rely on routing | |||
| # protocols that did not allow this routing. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.accept_source_route | |||
| # net.ipv4.conf.all.accept_source_route = 0 | |||
| # # sysctl net.ipv4.conf.default.accept_source_route | |||
| # net.ipv4.conf.default.accept_source_route = 0 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.accept_source_route = 0 | |||
| # net.ipv4.conf.default.accept_source_route = 0 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.accept_source_route=0 | |||
| # # sysctl -w net.ipv4.conf.default.accept_source_route=0 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.accept_source_route: 0 | |||
| net.ipv4.conf.default.accept_source_route: 0 | |||
+ 48
- 0
metadata/service/system/cis/cis-3-2-2.yml
Vedi File
| @@ -0,0 +1,48 @@ | |||
| # 3.2.2 Ensure ICMP redirects are not accepted | |||
| # | |||
| # Description | |||
| # =========== | |||
| # ICMP redirect messages are packets that convey routing information and tell | |||
| # your host (acting as a router) to send packets via an alternate path. It is | |||
| # a way of allowing an outside routing device to update your system routing | |||
| # tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will | |||
| # not accept any ICMP redirect messages, and therefore, won't allow outsiders | |||
| # to update the system's routing tables. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Attackers could use bogus ICMP redirect messages to maliciously alter the | |||
| # system routing tables and get them to send packets to incorrect networks and | |||
| # allow your system packets to be captured. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.accept_redirects | |||
| # net.ipv4.conf.all.accept_redirects = 0 | |||
| # # sysctl net.ipv4.conf.default.accept_redirects | |||
| # net.ipv4.conf.default.accept_redirects = 0 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.accept_redirects = 0 | |||
| # net.ipv4.conf.default.accept_redirects = 0 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.accept_redirects=0 | |||
| # # sysctl -w net.ipv4.conf.default.accept_redirects=0 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.accept_redirects: 0 | |||
| net.ipv4.conf.default.accept_redirects: 0 | |||
+ 45
- 0
metadata/service/system/cis/cis-3-2-3.yml
Vedi File
| @@ -0,0 +1,45 @@ | |||
| # 3.2.3 Ensure secure ICMP redirects are not accepted | |||
| # | |||
| # Description | |||
| # =========== | |||
| # Secure ICMP redirects are the same as ICMP redirects, except they come from | |||
| # gateways listed on the default gateway list. It is assumed that these | |||
| # gateways are known to your system, and that they are likely to be secure. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # It is still possible for even known gateways to be compromised. Setting | |||
| # net.ipv4.conf.all.secure_redirects to 0 protects the system from routing | |||
| # table updates by possibly compromised known gateways. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.secure_redirects | |||
| # net.ipv4.conf.all.secure_redirects = 0 | |||
| # # sysctl net.ipv4.conf.default.secure_redirects | |||
| # net.ipv4.conf.default.secure_redirects = 0 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.secure_redirects = 0 | |||
| # net.ipv4.conf.default.secure_redirects = 0 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.secure_redirects=0 | |||
| # # sysctl -w net.ipv4.conf.default.secure_redirects=0 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.secure_redirects: 0 | |||
| net.ipv4.conf.default.secure_redirects: 0 | |||
+ 44
- 0
metadata/service/system/cis/cis-3-2-4.yml
Vedi File
| @@ -0,0 +1,44 @@ | |||
| # 3.2.4 Ensure suspicious packets are logged | |||
| # | |||
| # Description | |||
| # =========== | |||
| # When enabled, this feature logs packets with un-routable source | |||
| # addresses to the kernel log. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Enabling this feature and logging these packets allows an administrator | |||
| # to investigate the possibility that an attacker is sending spoofed | |||
| # packets to their system. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.log_martians | |||
| # net.ipv4.conf.all.log_martians = 1 | |||
| # # sysctl net.ipv4.conf.default.log_martians | |||
| # net.ipv4.conf.default.log_martians = 1 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.log_martians = 1 | |||
| # net.ipv4.conf.default.log_martians = 1 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.log_martians=1 | |||
| # # sysctl -w net.ipv4.conf.default.log_martians=1 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.log_martians: 1 | |||
| net.ipv4.conf.default.log_martians: 1 | |||
+ 45
- 0
metadata/service/system/cis/cis-3-2-5.yml
Vedi File
| @@ -0,0 +1,45 @@ | |||
| # 3.2.5 Ensure broadcast ICMP requests are ignored | |||
| # | |||
| # Description | |||
| # =========== | |||
| # Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the | |||
| # system to ignore all ICMP echo and timestamp requests to broadcast | |||
| # and multicast addresses. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Accepting ICMP echo and timestamp requests with broadcast or multicast | |||
| # destinations for your network could be used to trick your host into starting | |||
| # (or participating) in a Smurf attack. A Smurf attack relies on an attacker | |||
| # sending large amounts of ICMP broadcast messages with a spoofed source | |||
| # address. All hosts receiving this message and responding would send | |||
| # echo-reply messages back to the spoofed address, which is probably not | |||
| # routable. If many hosts respond to the packets, the amount of traffic on | |||
| # the network could be significantly multiplied. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.icmp_echo_ignore_broadcasts | |||
| # net.ipv4.icmp_echo_ignore_broadcasts = 1 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameter in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.icmp_echo_ignore_broadcasts = 1 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.icmp_echo_ignore_broadcasts: 1 | |||
+ 39
- 0
metadata/service/system/cis/cis-3-2-6.yml
Vedi File
| @@ -0,0 +1,39 @@ | |||
| # 3.2.6 Ensure bogus ICMP responses are ignored | |||
| # | |||
| # Description | |||
| # =========== | |||
| # Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from | |||
| # logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, | |||
| # keeping file systems from filling up with useless log messages. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Some routers (and some attackers) will send responses that violate RFC-1122 | |||
| # and attempt to fill up a log file system with many useless error messages. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.icmp_ignore_bogus_error_responses | |||
| # net.ipv4.icmp_ignore_bogus_error_responses = 1 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameter in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.icmp_ignore_bogus_error_responses = 1 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.icmp_ignore_bogus_error_responses: 1 | |||
+ 51
- 0
metadata/service/system/cis/cis-3-2-7.yml
Vedi File
| @@ -0,0 +1,51 @@ | |||
| # 3.2.7 Ensure Reverse Path Filtering is enabled | |||
| # | |||
| # Description | |||
| # =========== | |||
| # Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 | |||
| # forces the Linux kernel to utilize reverse path filtering on a received | |||
| # packet to determine if the packet was valid. Essentially, with reverse path | |||
| # filtering, if the return packet does not go out the same interface that the | |||
| # corresponding source packet came from, the packet is dropped (and logged if | |||
| # log_martians is set). | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Setting these flags is a good way to deter attackers from sending your system | |||
| # bogus packets that cannot be responded to. One instance where this feature | |||
| # breaks down is if asymmetrical routing is employed. This would occur when | |||
| # using dynamic routing protocols (bgp, ospf, etc) on your system. If you are | |||
| # using asymmetrical routing on your system, you will not be able to enable | |||
| # this feature without breaking the routing. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.conf.all.rp_filter | |||
| # net.ipv4.conf.all.rp_filter = 1 | |||
| # # sysctl net.ipv4.conf.default.rp_filter | |||
| # net.ipv4.conf.default.rp_filter = 1 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameters in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.conf.all.rp_filter = 1 | |||
| # net.ipv4.conf.default.rp_filter = 1 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.conf.all.rp_filter=1 | |||
| # # sysctl -w net.ipv4.conf.default.rp_filter=1 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.conf.all.rp_filter: 1 | |||
| net.ipv4.conf.default.rp_filter: 1 | |||
+ 49
- 0
metadata/service/system/cis/cis-3-2-8.yml
Vedi File
| @@ -0,0 +1,49 @@ | |||
| # 3.2.8 Ensure TCP SYN Cookies is enabled | |||
| # | |||
| # Description | |||
| # =========== | |||
| # When tcp_syncookies is set, the kernel will handle TCP SYN packets normally | |||
| # until the half-open connection queue is full, at which time, the SYN cookie | |||
| # functionality kicks in. SYN cookies work by not using the SYN queue at all. | |||
| # Instead, the kernel simply replies to the SYN with a SYN|ACK, but will | |||
| # include a specially crafted TCP sequence number that encodes the source and | |||
| # destination IP address and port number and the time the packet was sent. | |||
| # A legitimate connection would send the ACK packet of the three way handshake | |||
| # with the specially crafted sequence number. This allows the system to verify | |||
| # that it has received a valid response to a SYN cookie and allow the | |||
| # connection, even though there is no corresponding SYN in the queue. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Attackers use SYN flood attacks to perform a denial of service attacked on a | |||
| # system by sending many SYN packets without completing the three way handshake. | |||
| # This will quickly use up slots in the kernel's half-open connection queue and | |||
| # prevent legitimate connections from succeeding. SYN cookies allow the system | |||
| # to keep accepting valid connections, even if under a denial of service attack. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # | |||
| # Run the following commands and verify output matches: | |||
| # | |||
| # # sysctl net.ipv4.tcp_syncookies | |||
| # net.ipv4.tcp_syncookies = 1 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Set the following parameter in the /etc/sysctl.conf file: | |||
| # | |||
| # net.ipv4.tcp_syncookies = 1 | |||
| # | |||
| # Run the following commands to set the active kernel parameters: | |||
| # | |||
| # # sysctl -w net.ipv4.tcp_syncookies=1 | |||
| # # sysctl -w net.ipv4.route.flush=1 | |||
| parameters: | |||
| linux: | |||
| system: | |||
| kernel: | |||
| sysctl: | |||
| net.ipv4.tcp_syncookies: 1 | |||
+ 19
- 0
metadata/service/system/cis/init.yml
Vedi File
| @@ -1,2 +1,21 @@ | |||
| classes: | |||
| - service.linux.system.cis.cis-1-1-1-1 | |||
| - service.linux.system.cis.cis-1-1-1-2 | |||
| - service.linux.system.cis.cis-1-1-1-3 | |||
| - service.linux.system.cis.cis-1-1-1-4 | |||
| - service.linux.system.cis.cis-1-1-1-5 | |||
| - service.linux.system.cis.cis-1-1-1-6 | |||
| - service.linux.system.cis.cis-1-1-1-7 | |||
| - service.linux.system.cis.cis-1-1-1-8 | |||
| - service.linux.system.cis.cis-1-5-1 | |||
| - service.linux.system.cis.cis-1-5-3 | |||
| - service.linux.system.cis.cis-3-1-2 | |||
| - service.linux.system.cis.cis-3-2-1 | |||
| - service.linux.system.cis.cis-3-2-2 | |||
| - service.linux.system.cis.cis-3-2-3 | |||
| - service.linux.system.cis.cis-3-2-4 | |||
| - service.linux.system.cis.cis-3-2-5 | |||
| - service.linux.system.cis.cis-3-2-6 | |||
| - service.linux.system.cis.cis-3-2-7 | |||
| - service.linux.system.cis.cis-3-2-8 | |||
| - service.linux.system.cis.cis-3-3-3 | |||
Loading…