@@ -0,0 +1,37 @@ | |||
# CIS 1.5.4 Ensure prelink is disabled | |||
# | |||
# Description | |||
# =========== | |||
# prelink is a program that modifies ELF shared libraries and ELF dynamically | |||
# linked binaries in such a way that the time needed for the dynamic linker to | |||
# perform relocations at startup significantly decreases. | |||
# | |||
# Rationale | |||
# ========= | |||
# The prelinking feature can interfere with the operation of AIDE, because it | |||
# changes binaries. Prelinking can also increase the vulnerability of the system | |||
# if a malicious user is able to compromise a common library such as libc. | |||
# | |||
# Audit | |||
# ===== | |||
# Run the following command and verify prelink is not installed: | |||
# | |||
# # dpkg -s prelink | |||
# | |||
# Remediation | |||
# =========== | |||
# Run the following command to restore binaries to normal: | |||
# | |||
# # prelink -ua | |||
# | |||
# Run the following command to uninstall prelink : | |||
# | |||
# # apt-get remove prelink | |||
# | |||
parameters: | |||
linux: | |||
system: | |||
package: | |||
prelink: | |||
version: removed | |||
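Review bot: The remediation the header documents is two steps, `prelink -ua` and then the package removal, but the parameter on the last line only expresses the second; unless the package's prerm undoes prelinking on its own (not verifiable from this hunk), the modified binaries the Rationale warns about stay modified after this state runs. I would record that gap above `prelink:`, e.g. `# NOTE: only the package removal is managed here; run 'prelink -ua' (or confirm the package prerm does) before applying, and expect the AIDE baseline to need refreshing once binaries change`. The audit and remediation commands in this hunk and in the telnet hunk carry a doubled `# #` prompt marker while the NIS, rsh and talk hunks use a single `#`; pick one form across the five files.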
@@ -0,0 +1,43 @@ | |||
# 2.3.1 Ensure NIS Client is not installed | |||
# | |||
# Description | |||
# =========== | |||
# The Network Information Service (NIS), formerly known as Yellow Pages, | |||
# is a client-server directory service protocol used to distribute system | |||
# configuration files. The NIS client ( ypbind ) was used to bind a machine | |||
# to an NIS server and receive the distributed configuration files. | |||
# | |||
# Rationale | |||
# ========= | |||
# The NIS service is inherently an insecure system that has been vulnerable | |||
# to DOS attacks, buffer overflows and has poor authentication for querying | |||
# NIS maps. NIS generally has been replaced by such protocols as Lightweight | |||
# Directory Access Protocol (LDAP). It is recommended that the service be | |||
# removed. | |||
# | |||
# Audit | |||
# ===== | |||
# Run the following command and verify nis is not installed: | |||
# | |||
# dpkg -s nis | |||
# | |||
# Remediation | |||
# =========== | |||
# Run the following command to uninstall nis: | |||
# | |||
# apt-get remove nis | |||
# | |||
# Impact | |||
# ====== | |||
# Many insecure service clients are used as troubleshooting tools and in | |||
# testing environments. Uninstalling them can inhibit capability to test | |||
# and troubleshoot. If they are required it is advisable to remove the clients | |||
# after use to prevent accidental or intentional misuse. | |||
# | |||
parameters: | |||
linux: | |||
system: | |||
package: | |||
nis: | |||
version: removed | |||
@@ -0,0 +1,55 @@ | |||
# 2.3.2 Ensure rsh client is not installed | |||
# | |||
# Description | |||
# =========== | |||
# The rsh package contains the client commands for the rsh services. | |||
# | |||
# Rationale | |||
# ========= | |||
# These legacy clients contain numerous security exposures and have been | |||
# replaced with the more secure SSH package. Even if the server is removed, | |||
# it is best to ensure the clients are also removed to prevent users from | |||
# inadvertently attempting to use these commands and therefore exposing | |||
# their credentials. Note that removing the rsh package removes the | |||
# clients for rsh , rcp and rlogin . | |||
# | |||
# Audit | |||
# ===== | |||
# Run the following commands and verify rsh is not installed: | |||
# | |||
# dpkg -s rsh-client | |||
# dpkg -s rsh-redone-client | |||
# | |||
# Remediation | |||
# =========== | |||
# Run the following command to uninstall rsh : | |||
# | |||
# apt-get remove rsh-client rsh-redone-client | |||
# | |||
# Impact | |||
# ====== | |||
# Many insecure service clients are used as troubleshooting tools and in | |||
# testing environments. Uninstalling them can inhibit capability to test | |||
# and troubleshoot. If they are required it is advisable to remove the | |||
# clients after use to prevent accidental or intentional misuse. | |||
# | |||
# NOTE | |||
# ==== | |||
# It is not possible to remove rsh-client by means of SaltStack because | |||
# of the way SaltStack checks that package was really removed. 'rsh-client' | |||
# is "provided" by openssh-client package, and SaltStack thinks that | |||
# it is the same as 'rsh-client is installed'. So each time we try to | |||
# remove 'rsh-client' on a system where 'openssh-client' is installed | |||
# (that's almost every system), we got state failure. | |||
# This was fixed in upstream SaltStack in 2018, not sure where we start using | |||
# this version. Until that moment 'rsh-client' should remain unmanaged. | |||
# | |||
parameters: | |||
linux: | |||
system: | |||
package: | |||
# rsh-client: | |||
# version: removed | |||
rsh-redone-client: | |||
version: removed | |||
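Review bot: With `rsh-client` commented out on the two lines above `rsh-redone-client`, this class implements only half of control 2.3.2, and the `dpkg -s rsh-client` audit given in the header will still report the package on any host that has it. The NOTE explains why but pins neither the upstream Salt fix nor the version that carries it, so nobody can tell when the lines may be re-enabled; I would replace the bare commented-out keys with a trackable TODO, e.g. `# TODO: re-enable rsh-client once Salt >= <fixed-version-placeholder> is in use (upstream fix: <issue-placeholder>); until then it is unmanaged and the audit above fails where it is installed`. The "provided by openssh-client" explanation is worth keeping so the reader knows the state failed rather than the control being dropped.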
@@ -0,0 +1,39 @@ | |||
# 2.3.3 Ensure talk client is not installed | |||
# | |||
# Description | |||
# =========== | |||
# The talk software makes it possible for users to send and receive messages | |||
# across systems through a terminal session. The talk client, which allows | |||
# initialization of talk sessions, is installed by default. | |||
# | |||
# Rationale | |||
# ========= | |||
# The software presents a security risk as it uses unencrypted protocols | |||
# for communication. | |||
# | |||
# Audit | |||
# ===== | |||
# Run the following command and verify talk is not installed: | |||
# | |||
# dpkg -s talk | |||
# | |||
# Remediation | |||
# =========== | |||
# Run the following command to uninstall talk : | |||
# | |||
# apt-get remove talk | |||
# | |||
# Impact | |||
# ====== | |||
# Many insecure service clients are used as troubleshooting tools and in | |||
# testing environments. Uninstalling them can inhibit capability to test | |||
# and troubleshoot. If they are required it is advisable to remove the clients | |||
# after use to prevent accidental or intentional misuse. | |||
# | |||
parameters: | |||
linux: | |||
system: | |||
package: | |||
talk: | |||
version: removed | |||
@@ -0,0 +1,40 @@ | |||
# 2.3.4 Ensure telnet client is not installed | |||
# | |||
# Description | |||
# =========== | |||
# The telnet package contains the telnet client, which allows users to start | |||
# connections to other systems via the telnet protocol. | |||
# | |||
# Rationale | |||
# ========= | |||
# The telnet protocol is insecure and unencrypted. The use of an unencrypted | |||
# transmission medium could allow an unauthorized user to steal credentials. | |||
# The ssh package provides an encrypted session and stronger security and is | |||
# included in most Linux distributions. | |||
# | |||
# Audit | |||
# ===== | |||
# Run the following command and verify telnet is not installed: | |||
# | |||
# # dpkg -s telnet | |||
# | |||
# Remediation | |||
# =========== | |||
# Run the following command to uninstall telnet : | |||
# | |||
# # apt-get remove telnet | |||
# | |||
# Impact | |||
# ====== | |||
# Many insecure service clients are used as troubleshooting tools and in | |||
# testing environments. Uninstalling them can inhibit capability to test and | |||
# troubleshoot. If they are required it is advisable to remove the clients | |||
# after use to prevent accidental or intentional misuse. | |||
# | |||
parameters: | |||
linux: | |||
system: | |||
package: | |||
telnet: | |||
version: removed | |||
@@ -10,6 +10,11 @@ classes: | |||
- service.linux.system.cis.cis-1-1-1-8 | |||
- service.linux.system.cis.cis-1-5-1 | |||
- service.linux.system.cis.cis-1-5-3 | |||
- service.linux.system.cis.cis-1-5-4 | |||
- service.linux.system.cis.cis-2-3-1 | |||
- service.linux.system.cis.cis-2-3-2 | |||
- service.linux.system.cis.cis-2-3-3 | |||
- service.linux.system.cis.cis-2-3-4 | |||
- service.linux.system.cis.cis-3-1-2 | |||
- service.linux.system.cis.cis-3-2-1 | |||
- service.linux.system.cis.cis-3-2-2 |