
Revert "CIS compliance (modprobe.d)"

This reverts commit d87f461319.

Change-Id: If175b29f2e130ecf5041e7b0be20f15485089ffa
pull/165/head
Aleksey Zvyagintsev 6 年之前
cf1b5b322a
共有 13 個檔案被更改,包括 0 行新增465 行删除
  1. +0
    -37
      metadata/service/system/cis/cis-1-1-1-1.yml
  2. +0
    -36
      metadata/service/system/cis/cis-1-1-1-2.yml
  3. +0
    -36
      metadata/service/system/cis/cis-1-1-1-3.yml
  4. +0
    -36
      metadata/service/system/cis/cis-1-1-1-4.yml
  5. +0
    -36
      metadata/service/system/cis/cis-1-1-1-5.yml
  6. +0
    -37
      metadata/service/system/cis/cis-1-1-1-6.yml
  7. +0
    -38
      metadata/service/system/cis/cis-1-1-1-7.yml
  8. +0
    -44
      metadata/service/system/cis/cis-1-1-1-8.yml
  9. +0
    -38
      metadata/service/system/cis/cis-3-5-1.yml
  10. +0
    -41
      metadata/service/system/cis/cis-3-5-2.yml
  11. +0
    -37
      metadata/service/system/cis/cis-3-5-3.yml
  12. +0
    -37
      metadata/service/system/cis/cis-3-5-4.yml
  13. +0
    -12
      metadata/service/system/cis/init.yml

+ 0
- 37
metadata/service/system/cis/cis-1-1-1-1.yml 查看文件

@@ -1,37 +0,0 @@
# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
#
# Description
# ===========
# The cramfs filesystem type is a compressed read-only Linux filesystem
# embedded in small footprint systems. A cramfs image can be used without
# having to first decompress the image.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v cramfs
# install /bin/true
# # lsmod | grep cramfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install cramfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
cramfs:
install:
command: /bin/true


+ 0
- 36
metadata/service/system/cis/cis-1-1-1-2.yml 查看文件

@@ -1,36 +0,0 @@
# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
#
# Description
# ===========
# The freevxfs filesystem type is a free version of the Veritas type
# filesystem. This is the primary filesystem type for HP-UX operating systems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v freevxfs
# install /bin/true
# # lsmod | grep freevxfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install freevxfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
freevxfs:
install:
command: /bin/true


+ 0
- 36
metadata/service/system/cis/cis-1-1-1-3.yml 查看文件

@@ -1,36 +0,0 @@
# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
#
# Description
# ===========
# The jffs2 (journaling flash filesystem 2) filesystem type is a
# log-structured filesystem used in flash memory devices.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v jffs2
# install /bin/true
# # lsmod | grep jffs2
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install jffs2 /bin/true
#
parameters:
linux:
system:
kernel:
module:
jffs2:
install:
command: /bin/true


+ 0
- 36
metadata/service/system/cis/cis-1-1-1-4.yml 查看文件

@@ -1,36 +0,0 @@
# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
#
# Description
# ===========
# The hfs filesystem type is a hierarchical filesystem that allows
# you to mount Mac OS filesystems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v hfs
# install /bin/true
# # lsmod | grep hfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install hfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
hfs:
install:
command: /bin/true


+ 0
- 36
metadata/service/system/cis/cis-1-1-1-5.yml 查看文件

@@ -1,36 +0,0 @@
# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
#
# Description
# ===========
# The hfsplus filesystem type is a hierarchical filesystem designed to
# replace hfs that allows you to mount Mac OS filesystems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v hfsplus
# install /bin/true
# # lsmod | grep hfsplus
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install hfsplus /bin/true
#
parameters:
linux:
system:
kernel:
module:
hfsplus:
install:
command: /bin/true


+ 0
- 37
metadata/service/system/cis/cis-1-1-1-6.yml 查看文件

@@ -1,37 +0,0 @@
# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
#
# Description
# ===========
# The squashfs filesystem type is a compressed read-only Linux filesystem
# embedded in small footprint systems (similar to cramfs). A squashfs image
# can be used without having to first decompress the image.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v squashfs
# install /bin/true
# # lsmod | grep squashfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install squashfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
squashfs:
install:
command: /bin/true


+ 0
- 38
metadata/service/system/cis/cis-1-1-1-7.yml 查看文件

@@ -1,38 +0,0 @@
# 1.1.1.7 Ensure mounting of udf filesystems is disabled
#
# Description
# ===========
# The udf filesystem type is the universal disk format used to implement
# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
# type for data storage on a broad range of media. This filesystem type is
# necessary to support writing DVDs and newer optical disc formats.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v udf
# install /bin/true
# # lsmod | grep udf
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install udf /bin/true
#
parameters:
linux:
system:
kernel:
module:
udf:
install:
command: /bin/true


+ 0
- 44
metadata/service/system/cis/cis-1-1-1-8.yml 查看文件

@@ -1,44 +0,0 @@
# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
#
# Description
# ===========
# The FAT filesystem format is primarily used on older windows systems and
# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
# and FAT32 all of which are supported by the vfat kernel module.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v vfat
# install /bin/true
# # lsmod | grep vfat
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install vfat /bin/true
#
# Impact
# ======
# FAT filesystems are often used on portable USB sticks and other flash
# media are commonly used to transfer files between workstations, removing
# VFAT support may prevent the ability to transfer files in this way.
#
parameters:
linux:
system:
kernel:
module:
vfat:
install:
command: /bin/true


+ 0
- 38
metadata/service/system/cis/cis-3-5-1.yml 查看文件

@@ -1,38 +0,0 @@
# 3.5.2 Ensure SCTP is disabled
#
# Description
# ===========
# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
# that supports streaming media and telephony. DCCP provides a way to gain
# access to congestion control, without having to do it at the application
# layer, but does not provide in-sequence delivery.
#
# Rationale
# =========
# If the protocol is not required, it is recommended that the drivers not be
# installed to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v dccp
# install /bin/true
# # lsmod | grep dccp
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install dccp /bin/true
#
parameters:
linux:
system:
kernel:
module:
dccp:
install:
command: /bin/true


+ 0
- 41
metadata/service/system/cis/cis-3-5-2.yml 查看文件

@@ -1,41 +0,0 @@
# 3.5.2 Ensure SCTP is disabled
#
# Description
# ===========
# The Stream Control Transmission Protocol (SCTP) is a transport layer
# protocol used to support message oriented communication, with several
# streams of messages in one connection. It serves a similar function as
# TCP and UDP, incorporating features of both. It is message-oriented
# like UDP, and ensures reliable in-sequence transport of messages with
# congestion control like TCP.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v sctp
# install /bin/true
# # lsmod | grep sctp
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install sctp /bin/true
#
parameters:
linux:
system:
kernel:
module:
sctp:
install:
command: /bin/true


+ 0
- 37
metadata/service/system/cis/cis-3-5-3.yml 查看文件

@@ -1,37 +0,0 @@
# 3.5.3 Ensure RDS is disabled
#
# Description
# ===========
# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
# designed to provide low-latency, high-bandwidth communications between
# cluster nodes. It was developed by the Oracle Corporation.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v rds
# install /bin/true
# # lsmod | grep rds
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install rds /bin/true
#
parameters:
linux:
system:
kernel:
module:
rds:
install:
command: /bin/true


+ 0
- 37
metadata/service/system/cis/cis-3-5-4.yml 查看文件

@@ -1,37 +0,0 @@
# 3.5.4 Ensure TIPC is disabled
#
# Description
# ===========
# The Transparent Inter-Process Communication (TIPC) protocol is designed
# to provide communication between cluster nodes.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v tipc
# install /bin/true
# # lsmod | grep tipc
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install tipc /bin/true
#
parameters:
linux:
system:
kernel:
module:
tipc:
install:
command: /bin/true


+ 0
- 12
metadata/service/system/cis/init.yml 查看文件

@@ -1,14 +1,2 @@
classes:
- service.linux.system.cis.cis-1-1-1-1.yml
- service.linux.system.cis.cis-1-1-1-2.yml
- service.linux.system.cis.cis-1-1-1-3.yml
- service.linux.system.cis.cis-1-1-1-4.yml
- service.linux.system.cis.cis-1-1-1-5.yml
- service.linux.system.cis.cis-1-1-1-6.yml
- service.linux.system.cis.cis-1-1-1-7.yml
- service.linux.system.cis.cis-1-1-1-8.yml
- service.linux.system.cis.cis-3-3-3
- service.linux.system.cis.cis-3-5-1
- service.linux.system.cis.cis-3-5-2
- service.linux.system.cis.cis-3-5-3
- service.linux.system.cis.cis-3-5-4
