Explorar el Código

CIS compliance (modprobe.d)

* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled

Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759

Change-Id: Ia8bf992498ef739a4a40fb108fcb449900caf6e3
pull/138/merge
Dmitry Teselkin hace 6 años
padre
commit
ee7b811a62
Se han modificado 13 ficheros con 477 adiciones y 0 borrados
  1. +37
    -0
      metadata/service/system/cis/cis-1-1-1-1.yml
  2. +36
    -0
      metadata/service/system/cis/cis-1-1-1-2.yml
  3. +36
    -0
      metadata/service/system/cis/cis-1-1-1-3.yml
  4. +36
    -0
      metadata/service/system/cis/cis-1-1-1-4.yml
  5. +36
    -0
      metadata/service/system/cis/cis-1-1-1-5.yml
  6. +43
    -0
      metadata/service/system/cis/cis-1-1-1-6.yml
  7. +38
    -0
      metadata/service/system/cis/cis-1-1-1-7.yml
  8. +50
    -0
      metadata/service/system/cis/cis-1-1-1-8.yml
  9. +38
    -0
      metadata/service/system/cis/cis-3-5-1.yml
  10. +41
    -0
      metadata/service/system/cis/cis-3-5-2.yml
  11. +37
    -0
      metadata/service/system/cis/cis-3-5-3.yml
  12. +37
    -0
      metadata/service/system/cis/cis-3-5-4.yml
  13. +12
    -0
      metadata/service/system/cis/init.yml

+ 37
- 0
metadata/service/system/cis/cis-1-1-1-1.yml Ver fichero

@@ -0,0 +1,37 @@
# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
#
# Description
# ===========
# The cramfs filesystem type is a compressed read-only Linux filesystem
# embedded in small footprint systems. A cramfs image can be used without
# having to first decompress the image.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v cramfs
# install /bin/true
# # lsmod | grep cramfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install cramfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
cramfs:
install:
command: /bin/true


+ 36
- 0
metadata/service/system/cis/cis-1-1-1-2.yml Ver fichero

@@ -0,0 +1,36 @@
# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
#
# Description
# ===========
# The freevxfs filesystem type is a free version of the Veritas type
# filesystem. This is the primary filesystem type for HP-UX operating systems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v freevxfs
# install /bin/true
# # lsmod | grep freevxfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install freevxfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
freevxfs:
install:
command: /bin/true


+ 36
- 0
metadata/service/system/cis/cis-1-1-1-3.yml Ver fichero

@@ -0,0 +1,36 @@
# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
#
# Description
# ===========
# The jffs2 (journaling flash filesystem 2) filesystem type is a
# log-structured filesystem used in flash memory devices.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v jffs2
# install /bin/true
# # lsmod | grep jffs2
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install jffs2 /bin/true
#
parameters:
linux:
system:
kernel:
module:
jffs2:
install:
command: /bin/true


+ 36
- 0
metadata/service/system/cis/cis-1-1-1-4.yml Ver fichero

@@ -0,0 +1,36 @@
# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
#
# Description
# ===========
# The hfs filesystem type is a hierarchical filesystem that allows
# you to mount Mac OS filesystems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v hfs
# install /bin/true
# # lsmod | grep hfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install hfs /bin/true
#
parameters:
linux:
system:
kernel:
module:
hfs:
install:
command: /bin/true


+ 36
- 0
metadata/service/system/cis/cis-1-1-1-5.yml Ver fichero

@@ -0,0 +1,36 @@
# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
#
# Description
# ===========
# The hfsplus filesystem type is a hierarchical filesystem designed to
# replace hfs that allows you to mount Mac OS filesystems.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v hfsplus
# install /bin/true
# # lsmod | grep hfsplus
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install hfsplus /bin/true
#
parameters:
linux:
system:
kernel:
module:
hfsplus:
install:
command: /bin/true


+ 43
- 0
metadata/service/system/cis/cis-1-1-1-6.yml Ver fichero

@@ -0,0 +1,43 @@
# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
#
# Description
# ===========
# The squashfs filesystem type is a compressed read-only Linux filesystem
# embedded in small footprint systems (similar to cramfs). A squashfs image
# can be used without having to first decompress the image.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v squashfs
# install /bin/true
# # lsmod | grep squashfs
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install squashfs /bin/true
#
# NOTE
# ====
# In Ubuntu 16.04 squashfs is built into kernel, and 'install' command
# from modprobe.d dir has no effect. However, this is still checked by
# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
#
parameters:
linux:
system:
kernel:
module:
squashfs:
install:
command: /bin/true


+ 38
- 0
metadata/service/system/cis/cis-1-1-1-7.yml Ver fichero

@@ -0,0 +1,38 @@
# 1.1.1.7 Ensure mounting of udf filesystems is disabled
#
# Description
# ===========
# The udf filesystem type is the universal disk format used to implement
# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
# type for data storage on a broad range of media. This filesystem type is
# necessary to support writing DVDs and newer optical disc formats.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v udf
# install /bin/true
# # lsmod | grep udf
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install udf /bin/true
#
parameters:
linux:
system:
kernel:
module:
udf:
install:
command: /bin/true


+ 50
- 0
metadata/service/system/cis/cis-1-1-1-8.yml Ver fichero

@@ -0,0 +1,50 @@
# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
#
# Description
# ===========
# The FAT filesystem format is primarily used on older windows systems and
# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
# and FAT32 all of which are supported by the vfat kernel module.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v vfat
# install /bin/true
# # lsmod | grep vfat
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install vfat /bin/true
#
# Impact
# ======
# FAT filesystems are often used on portable USB sticks and other flash
# media are commonly used to transfer files between workstations, removing
# VFAT support may prevent the ability to transfer files in this way.
#
# NOTE
# ====
# In Ubuntu 16.04 vfat is built into kernel, and 'install' command
# from modprobe.d dir has no effect. However, this is still checked by
# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
#
parameters:
linux:
system:
kernel:
module:
vfat:
install:
command: /bin/true


+ 38
- 0
metadata/service/system/cis/cis-3-5-1.yml Ver fichero

@@ -0,0 +1,38 @@
# 3.5.2 Ensure DCCP is disabled
#
# Description
# ===========
# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
# that supports streaming media and telephony. DCCP provides a way to gain
# access to congestion control, without having to do it at the application
# layer, but does not provide in-sequence delivery.
#
# Rationale
# =========
# If the protocol is not required, it is recommended that the drivers not be
# installed to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v dccp
# install /bin/true
# # lsmod | grep dccp
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install dccp /bin/true
#
parameters:
linux:
system:
kernel:
module:
dccp:
install:
command: /bin/true


+ 41
- 0
metadata/service/system/cis/cis-3-5-2.yml Ver fichero

@@ -0,0 +1,41 @@
# 3.5.2 Ensure SCTP is disabled
#
# Description
# ===========
# The Stream Control Transmission Protocol (SCTP) is a transport layer
# protocol used to support message oriented communication, with several
# streams of messages in one connection. It serves a similar function as
# TCP and UDP, incorporating features of both. It is message-oriented
# like UDP, and ensures reliable in-sequence transport of messages with
# congestion control like TCP.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v sctp
# install /bin/true
# # lsmod | grep sctp
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install sctp /bin/true
#
parameters:
linux:
system:
kernel:
module:
sctp:
install:
command: /bin/true


+ 37
- 0
metadata/service/system/cis/cis-3-5-3.yml Ver fichero

@@ -0,0 +1,37 @@
# 3.5.3 Ensure RDS is disabled
#
# Description
# ===========
# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
# designed to provide low-latency, high-bandwidth communications between
# cluster nodes. It was developed by the Oracle Corporation.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v rds
# install /bin/true
# # lsmod | grep rds
# <No output>
#
# Remediation
# ===========
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install rds /bin/true
#
parameters:
linux:
system:
kernel:
module:
rds:
install:
command: /bin/true


+ 37
- 0
metadata/service/system/cis/cis-3-5-4.yml Ver fichero

@@ -0,0 +1,37 @@
# 3.5.4 Ensure TIPC is disabled
#
# Description
# ===========
# The Transparent Inter-Process Communication (TIPC) protocol is designed
# to provide communication between cluster nodes.
#
# Rationale
# =========
# If the protocol is not being used, it is recommended that kernel module
# not be loaded, disabling the service to reduce the potential attack surface.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v tipc
# install /bin/true
# # lsmod | grep tipc
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install tipc /bin/true
#
parameters:
linux:
system:
kernel:
module:
tipc:
install:
command: /bin/true


+ 12
- 0
metadata/service/system/cis/init.yml Ver fichero

@@ -1,5 +1,13 @@
classes:
- service.linux.system.cis.cis-1-1-14_15_16
- service.linux.system.cis.cis-1-1-1-1
- service.linux.system.cis.cis-1-1-1-2
- service.linux.system.cis.cis-1-1-1-3
- service.linux.system.cis.cis-1-1-1-4
- service.linux.system.cis.cis-1-1-1-5
- service.linux.system.cis.cis-1-1-1-6
- service.linux.system.cis.cis-1-1-1-7
- service.linux.system.cis.cis-1-1-1-8
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
- service.linux.system.cis.cis-3-1-2
@@ -13,6 +21,10 @@ classes:
- service.linux.system.cis.cis-3-2-8
# Temp. disable PROD-22520
#- service.linux.system.cis.cis-3-3-3
- service.linux.system.cis.cis-3-5-1
- service.linux.system.cis.cis-3-5-2
- service.linux.system.cis.cis-3-5-3
- service.linux.system.cis.cis-3-5-4
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4

Cargando…
Cancelar
Guardar