CIS compliance (sysctl, limits)

* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled

All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.

Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a

metadata/service/system/cis/cis-1-5-1.yml

+# CIS 1.5.1 Ensure core dumps are restricted (Scored)
+#
+# Description
+# ===========
+#
+# A core dump is the memory of an executable program. It is generally used to determine
+# why a program aborted. It can also be used to glean confidential information from a core
+# file. The system provides the ability to set a soft limit for core dumps, but this can be
+# overridden by the user.
+#
+# Rationale
+# =========
+#
+# Setting a hard limit on core dumps prevents users from overriding the soft variable. If core
+# dumps are required, consider setting limits for user groups (see limits.conf(5) ). In
+# addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from
+# dumping core.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*
+#   * hard core 0
+#   # sysctl fs.suid_dumpable
+#   fs.suid_dumpable = 0
+#
+# Remediation
+# ===========
+#
+# Add the following line to the /etc/security/limits.conf file or a
+# /etc/security/limits.d/* file:
+#
+#   * hard core 0
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   fs.suid_dumpable = 0
+#
+# Run the following command to set the active kernel parameter:
+#
+#   # sysctl -w fs.suid_dumpable=0
+
+parameters:
+  linux:
+    system:
+      limit:
+        cis:
+          enabled: true
+          domain: '*'
+          limits:
+          - type: 'hard'
+            item: 'core'
+            value: 0
+      kernel:
+        sysctl:
+          fs.suid_dumpable: 0
+

metadata/service/system/cis/cis-1-5-3.yml

+# 1.5.3 Ensure address space layout randomization (ASLR) is enabled
+#
+# Description
+# ===========
+#
+# Address space layout randomization (ASLR) is an exploit mitigation technique which
+# randomly arranges the address space of key data areas of a process.
+#
+# Rationale
+# =========
+#
+# Randomly placing virtual memory regions will make it difficult to write memory page
+# exploits as the memory placement will be consistently shifting.
+#
+# Audit
+# =====
+#
+# Run the following command and verify output matches:
+#
+#   # sysctl kernel.randomize_va_space
+#   kernel.randomize_va_space = 2
+#
+# Remediation
+# ===========
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   kernel.randomize_va_space = 2
+#
+# Run the following command to set the active kernel parameter:
+#
+#   # sysctl -w kernel.randomize_va_space=2
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          kernel.randomize_va_space: 2
+

metadata/service/system/cis/cis-3-1-2.yml

+# 3.1.2 Ensure packet redirect sending is disabled
+#
+# Description
+# ===========
+# ICMP Redirects are used to send routing information to other hosts. As a host
+# itself does not act as a router (in a host only configuration), there is
+# no need to send redirects.
+#
+# Rationale
+# =========
+# An attacker could use a compromised host to send invalid ICMP redirects to
+# other router devices in an attempt to corrupt routing and have users access
+# a system set up by the attacker as opposed to a valid system.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.send_redirects
+#   net.ipv4.conf.all.send_redirects = 0
+#   # sysctl net.ipv4.conf.default.send_redirects
+#   net.ipv4.conf.default.send_redirects = 0
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.send_redirects = 0
+#   net.ipv4.conf.default.send_redirects = 0
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.send_redirects=0
+#   # sysctl -w net.ipv4.conf.default.send_red
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.send_redirects: 0
+          net.ipv4.conf.default.send_redirects: 0

metadata/service/system/cis/cis-3-2-1.yml

+# 3.2.1 Ensure source routed packets are not accepted
+#
+# Description
+# ===========
+# In networking, source routing allows a sender to partially or fully specify
+# the route packets take through a network. In contrast, non-source routed
+# packets travel a path determined by routers in the network. In some cases,
+# systems may not be routable or reachable from some locations (e.g. private
+# addresses vs. Internet routable), and so source routed packets would need
+# to be used.
+#
+# Rationale
+# =========
+# Setting `net.ipv4.conf.all.accept_source_route` and
+# `net.ipv4.conf.default.accept_source_route` to 0 disables the system from
+# accepting source routed packets. Assume this system was capable of routing
+# packets to Internet routable addresses on one interface and private addresses
+# on another interface. Assume that the private addresses were not routable to
+# the Internet routable addresses and vice versa. Under normal routing
+# circumstances, an attacker from the Internet routable addresses could not use
+# the system as a way to reach the private address systems. If, however, source
+# routed packets were allowed, they could be used to gain access to the private
+# address systems as the route could be specified, rather than rely on routing
+# protocols that did not allow this routing.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.accept_source_route
+#   net.ipv4.conf.all.accept_source_route = 0
+#   # sysctl net.ipv4.conf.default.accept_source_route
+#   net.ipv4.conf.default.accept_source_route = 0
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.accept_source_route = 0
+#   net.ipv4.conf.default.accept_source_route = 0
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.accept_source_route=0
+#   # sysctl -w net.ipv4.conf.default.accept_source_route=0
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.accept_source_route: 0
+          net.ipv4.conf.default.accept_source_route: 0

metadata/service/system/cis/cis-3-2-2.yml

+# 3.2.2 Ensure ICMP redirects are not accepted
+#
+# Description
+# ===========
+# ICMP redirect messages are packets that convey routing information and tell
+# your host (acting as a router) to send packets via an alternate path. It is
+# a way of allowing an outside routing device to update your system routing
+# tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will
+# not accept any ICMP redirect messages, and therefore, won't allow outsiders
+# to update the system's routing tables.
+#
+# Rationale
+# =========
+# Attackers could use bogus ICMP redirect messages to maliciously alter the
+# system routing tables and get them to send packets to incorrect networks and
+# allow your system packets to be captured.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.accept_redirects
+#   net.ipv4.conf.all.accept_redirects = 0
+#   # sysctl net.ipv4.conf.default.accept_redirects
+#   net.ipv4.conf.default.accept_redirects = 0
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.accept_redirects = 0
+#   net.ipv4.conf.default.accept_redirects = 0
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.accept_redirects=0
+#   # sysctl -w net.ipv4.conf.default.accept_redirects=0
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.accept_redirects: 0
+          net.ipv4.conf.default.accept_redirects: 0

metadata/service/system/cis/cis-3-2-3.yml

+# 3.2.3 Ensure secure ICMP redirects are not accepted
+#
+# Description
+# ===========
+# Secure ICMP redirects are the same as ICMP redirects, except they come from
+# gateways listed on the default gateway list. It is assumed that these
+# gateways are known to your system, and that they are likely to be secure.
+#
+# Rationale
+# =========
+# It is still possible for even known gateways to be compromised. Setting
+# net.ipv4.conf.all.secure_redirects to 0 protects the system from routing
+# table updates by possibly compromised known gateways.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.secure_redirects
+#   net.ipv4.conf.all.secure_redirects = 0
+#   # sysctl net.ipv4.conf.default.secure_redirects
+#   net.ipv4.conf.default.secure_redirects = 0
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.secure_redirects = 0
+#   net.ipv4.conf.default.secure_redirects = 0
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.secure_redirects=0
+#   # sysctl -w net.ipv4.conf.default.secure_redirects=0
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.secure_redirects: 0
+          net.ipv4.conf.default.secure_redirects: 0

metadata/service/system/cis/cis-3-2-4.yml

+# 3.2.4 Ensure suspicious packets are logged
+#
+# Description
+# ===========
+# When enabled, this feature logs packets with un-routable source
+# addresses to the kernel log.
+#
+# Rationale
+# =========
+# Enabling this feature and logging these packets allows an administrator
+# to investigate the possibility that an attacker is sending spoofed
+# packets to their system.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.log_martians
+#   net.ipv4.conf.all.log_martians = 1
+#   # sysctl net.ipv4.conf.default.log_martians
+#   net.ipv4.conf.default.log_martians = 1
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.log_martians = 1
+#   net.ipv4.conf.default.log_martians = 1
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.log_martians=1
+#   # sysctl -w net.ipv4.conf.default.log_martians=1
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.log_martians: 1
+          net.ipv4.conf.default.log_martians: 1

metadata/service/system/cis/cis-3-2-5.yml

+# 3.2.5 Ensure broadcast ICMP requests are ignored
+#
+# Description
+# ===========
+# Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the
+# system to ignore all ICMP echo and timestamp requests to broadcast
+# and multicast addresses.
+#
+# Rationale
+# =========
+# Accepting ICMP echo and timestamp requests with broadcast or multicast
+# destinations for your network could be used to trick your host into starting
+# (or participating) in a Smurf attack. A Smurf attack relies on an attacker
+# sending large amounts of ICMP broadcast messages with a spoofed source
+# address. All hosts receiving this message and responding would send
+# echo-reply messages back to the spoofed address, which is probably not
+# routable. If many hosts respond to the packets, the amount of traffic on
+# the network could be significantly multiplied.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.icmp_echo_ignore_broadcasts
+#   net.ipv4.icmp_echo_ignore_broadcasts = 1
+#
+# Remediation
+# ===========
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   net.ipv4.icmp_echo_ignore_broadcasts = 1
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.icmp_echo_ignore_broadcasts: 1

metadata/service/system/cis/cis-3-2-6.yml

+# 3.2.6 Ensure bogus ICMP responses are ignored
+#
+# Description
+# ===========
+# Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from
+# logging bogus responses (RFC-1122 non-compliant) from broadcast reframes,
+# keeping file systems from filling up with useless log messages.
+#
+# Rationale
+# =========
+# Some routers (and some attackers) will send responses that violate RFC-1122
+# and attempt to fill up a log file system with many useless error messages.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.icmp_ignore_bogus_error_responses
+#   net.ipv4.icmp_ignore_bogus_error_responses = 1
+#
+# Remediation
+# ===========
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   net.ipv4.icmp_ignore_bogus_error_responses = 1
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.icmp_ignore_bogus_error_responses: 1

metadata/service/system/cis/cis-3-2-7.yml

+# 3.2.7 Ensure Reverse Path Filtering is enabled
+#
+# Description
+# ===========
+# Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1
+# forces the Linux kernel to utilize reverse path filtering on a received
+# packet to determine if the packet was valid. Essentially, with reverse path
+# filtering, if the return packet does not go out the same interface that the
+# corresponding source packet came from, the packet is dropped (and logged if
+# log_martians is set).
+#
+# Rationale
+# =========
+# Setting these flags is a good way to deter attackers from sending your system
+# bogus packets that cannot be responded to. One instance where this feature
+# breaks down is if asymmetrical routing is employed. This would occur when
+# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are
+# using asymmetrical routing on your system, you will not be able to enable
+# this feature without breaking the routing.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.rp_filter
+#   net.ipv4.conf.all.rp_filter = 1
+#   # sysctl net.ipv4.conf.default.rp_filter
+#   net.ipv4.conf.default.rp_filter = 1
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.rp_filter = 1
+#   net.ipv4.conf.default.rp_filter = 1
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.rp_filter=1
+#   # sysctl -w net.ipv4.conf.default.rp_filter=1
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.rp_filter: 1
+          net.ipv4.conf.default.rp_filter: 1

metadata/service/system/cis/cis-3-2-8.yml

+# 3.2.8 Ensure TCP SYN Cookies is enabled
+#
+# Description
+# ===========
+# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
+# until the half-open connection queue is full, at which time, the SYN cookie
+# functionality kicks in. SYN cookies work by not using the SYN queue at all.
+# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
+# include a specially crafted TCP sequence number that encodes the source and
+# destination IP address and port number and the time the packet was sent.
+# A legitimate connection would send the ACK packet of the three way handshake
+# with the specially crafted sequence number. This allows the system to verify
+# that it has received a valid response to a SYN cookie and allow the
+# connection, even though there is no corresponding SYN in the queue.
+#
+# Rationale
+# =========
+# Attackers use SYN flood attacks to perform a denial of service attacked on a
+# system by sending many SYN packets without completing the three way handshake.
+# This will quickly use up slots in the kernel's half-open connection queue and
+# prevent legitimate connections from succeeding. SYN cookies allow the system
+# to keep accepting valid connections, even if under a denial of service attack.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.tcp_syncookies
+#   net.ipv4.tcp_syncookies = 1
+#
+# Remediation
+# ===========
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   net.ipv4.tcp_syncookies = 1
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.tcp_syncookies=1
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.tcp_syncookies: 1

metadata/service/system/cis/init.yml

 classes:
+- service.linux.system.cis.cis-1-1-1-1
+- service.linux.system.cis.cis-1-1-1-2
+- service.linux.system.cis.cis-1-1-1-3
+- service.linux.system.cis.cis-1-1-1-4
+- service.linux.system.cis.cis-1-1-1-5
+- service.linux.system.cis.cis-1-1-1-6
+- service.linux.system.cis.cis-1-1-1-7
+- service.linux.system.cis.cis-1-1-1-8
+- service.linux.system.cis.cis-1-5-1
+- service.linux.system.cis.cis-1-5-3
+- service.linux.system.cis.cis-3-1-2
+- service.linux.system.cis.cis-3-2-1
+- service.linux.system.cis.cis-3-2-2
+- service.linux.system.cis.cis-3-2-3
+- service.linux.system.cis.cis-3-2-4
+- service.linux.system.cis.cis-3-2-5
+- service.linux.system.cis.cis-3-2-6
+- service.linux.system.cis.cis-3-2-7
+- service.linux.system.cis.cis-3-2-8
 - service.linux.system.cis.cis-3-3-3