* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled

All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.

Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
master
@@ -0,0 +1,59 @@ | |||
# CIS 1.5.1 Ensure core dumps are restricted (Scored) | |||
# | |||
# Description | |||
# =========== | |||
# | |||
# A core dump is the memory of an executable program. It is generally used to determine | |||
# why a program aborted. It can also be used to glean confidential information from a core | |||
# file. The system provides the ability to set a soft limit for core dumps, but this can be | |||
# overridden by the user. | |||
# | |||
# Rationale | |||
# ========= | |||
# | |||
# Setting a hard limit on core dumps prevents users from overriding the soft variable. If core | |||
# dumps are required, consider setting limits for user groups (see limits.conf(5) ). In | |||
# addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from | |||
# dumping core. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # grep "hard core" /etc/security/limits.conf /etc/security/limits.d/* | |||
# * hard core 0 | |||
# # sysctl fs.suid_dumpable | |||
# fs.suid_dumpable = 0 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Add the following line to the /etc/security/limits.conf file or a | |||
# /etc/security/limits.d/* file: | |||
# | |||
# * hard core 0 | |||
# | |||
# Set the following parameter in the /etc/sysctl.conf file: | |||
# | |||
# fs.suid_dumpable = 0 | |||
# | |||
# Run the following command to set the active kernel parameter: | |||
# | |||
# # sysctl -w fs.suid_dumpable=0 | |||
parameters: | |||
linux: | |||
system: | |||
limit: | |||
cis: | |||
enabled: true | |||
domain: '*' | |||
limits: | |||
- type: 'hard' | |||
item: 'core' | |||
value: 0 | |||
kernel: | |||
sysctl: | |||
fs.suid_dumpable: 0 | |||
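Review bot: the header of this file is the only one in the series that carries the `# CIS` prefix and the `(Scored)` marker (`# CIS 1.5.1 Ensure core dumps are restricted (Scored)`) while the others read `# 1.5.3 Ensure ...`; pick one form so the files can be grepped consistently. Separately, the audit comment greps both /etc/security/limits.conf and /etc/security/limits.d/*, but the `limit.cis` block with `domain: '*'` and `item: 'core'` says nothing about which of the two files the `linux.system.limit` state renders into; one line in the header naming the target file would let someone verifying with that grep look in the right place.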
@@ -0,0 +1,40 @@ | |||
# 1.5.3 Ensure address space layout randomization (ASLR) is enabled | |||
# | |||
# Description | |||
# =========== | |||
# | |||
# Address space layout randomization (ASLR) is an exploit mitigation technique which | |||
# randomly arranges the address space of key data areas of a process. | |||
# | |||
# Rationale | |||
# ========= | |||
# | |||
# Randomly placing virtual memory regions will make it difficult to write memory page | |||
# exploits as the memory placement will be consistently shifting. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following command and verify output matches: | |||
# | |||
# # sysctl kernel.randomize_va_space | |||
# kernel.randomize_va_space = 2 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameter in the /etc/sysctl.conf file: | |||
# | |||
# kernel.randomize_va_space = 2 | |||
# | |||
# Run the following command to set the active kernel parameter: | |||
# | |||
# # sysctl -w kernel.randomize_va_space=2 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
kernel.randomize_va_space: 2 | |||
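Review bot: the remediation text says to put `kernel.randomize_va_space = 2` in /etc/sysctl.conf and run `sysctl -w`, but this pillar delivers the value through `linux.system.kernel.sysctl`, which is a different mechanism and may write a different file; a sentence in the header saying that the audit/remediation block is the benchmark wording and that the formula's sysctl state is what actually enforces it would keep readers from editing sysctl.conf by hand on a host the formula manages.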
@@ -0,0 +1,44 @@ | |||
# 3.1.2 Ensure packet redirect sending is disabled | |||
# | |||
# Description | |||
# =========== | |||
# ICMP Redirects are used to send routing information to other hosts. As a host | |||
# itself does not act as a router (in a host only configuration), there is | |||
# no need to send redirects. | |||
# | |||
# Rationale | |||
# ========= | |||
# An attacker could use a compromised host to send invalid ICMP redirects to | |||
# other router devices in an attempt to corrupt routing and have users access | |||
# a system set up by the attacker as opposed to a valid system. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.send_redirects | |||
# net.ipv4.conf.all.send_redirects = 0 | |||
# # sysctl net.ipv4.conf.default.send_redirects | |||
# net.ipv4.conf.default.send_redirects = 0 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.send_redirects = 0 | |||
# net.ipv4.conf.default.send_redirects = 0 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.send_redirects=0 | |||
# # sysctl -w net.ipv4.conf.default.send_red | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.send_redirects: 0 | |||
net.ipv4.conf.default.send_redirects: 0 |
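Review bot: the last remediation line is cut off (`# # sysctl -w net.ipv4.conf.default.send_red`) and should read `sysctl -w net.ipv4.conf.default.send_redirects=0`. Also worth a comment in the header: the kernel sends redirects on an interface if either `conf/all` or the per-interface `send_redirects` is 1, and `conf/default` only seeds interfaces created after it is applied, so on a host that is already up the pillar's `all: 0` and `default: 0` leave existing interfaces at whatever value they had. The audit commands only read `all` and `default`, so a passing audit does not by itself show every interface is covered; a reboot or per-interface values are needed for that.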
@@ -0,0 +1,56 @@ | |||
# 3.2.1 Ensure source routed packets are not accepted | |||
# | |||
# Description | |||
# =========== | |||
# In networking, source routing allows a sender to partially or fully specify | |||
# the route packets take through a network. In contrast, non-source routed | |||
# packets travel a path determined by routers in the network. In some cases, | |||
# systems may not be routable or reachable from some locations (e.g. private | |||
# addresses vs. Internet routable), and so source routed packets would need | |||
# to be used. | |||
# | |||
# Rationale | |||
# ========= | |||
# Setting `net.ipv4.conf.all.accept_source_route` and | |||
# `net.ipv4.conf.default.accept_source_route` to 0 disables the system from | |||
# accepting source routed packets. Assume this system was capable of routing | |||
# packets to Internet routable addresses on one interface and private addresses | |||
# on another interface. Assume that the private addresses were not routable to | |||
# the Internet routable addresses and vice versa. Under normal routing | |||
# circumstances, an attacker from the Internet routable addresses could not use | |||
# the system as a way to reach the private address systems. If, however, source | |||
# routed packets were allowed, they could be used to gain access to the private | |||
# address systems as the route could be specified, rather than rely on routing | |||
# protocols that did not allow this routing. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.accept_source_route | |||
# net.ipv4.conf.all.accept_source_route = 0 | |||
# # sysctl net.ipv4.conf.default.accept_source_route | |||
# net.ipv4.conf.default.accept_source_route = 0 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.accept_source_route = 0 | |||
# net.ipv4.conf.default.accept_source_route = 0 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.accept_source_route=0 | |||
# # sysctl -w net.ipv4.conf.default.accept_source_route=0 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.accept_source_route: 0 | |||
net.ipv4.conf.default.accept_source_route: 0 |
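Review bot: the remediation lists `sysctl -w net.ipv4.route.flush=1`, which is a one-shot action rather than a persistent value, so it is rightly absent from the pillar; a one-line comment saying so would stop the next contributor from adding `net.ipv4.route.flush: 1` as a sysctl entry. In contrast to the redirect knobs, `conf/all/accept_source_route` acts as a gate (the kernel requires it to be 1 before any interface accepts SRR packets), so `all: 0` here is effective for existing interfaces as well, which is worth noting since the other files in this series do not have that property.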
@@ -0,0 +1,48 @@ | |||
# 3.2.2 Ensure ICMP redirects are not accepted | |||
# | |||
# Description | |||
# =========== | |||
# ICMP redirect messages are packets that convey routing information and tell | |||
# your host (acting as a router) to send packets via an alternate path. It is | |||
# a way of allowing an outside routing device to update your system routing | |||
# tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will | |||
# not accept any ICMP redirect messages, and therefore, won't allow outsiders | |||
# to update the system's routing tables. | |||
# | |||
# Rationale | |||
# ========= | |||
# Attackers could use bogus ICMP redirect messages to maliciously alter the | |||
# system routing tables and get them to send packets to incorrect networks and | |||
# allow your system packets to be captured. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.accept_redirects | |||
# net.ipv4.conf.all.accept_redirects = 0 | |||
# # sysctl net.ipv4.conf.default.accept_redirects | |||
# net.ipv4.conf.default.accept_redirects = 0 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.accept_redirects = 0 | |||
# net.ipv4.conf.default.accept_redirects = 0 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.accept_redirects=0 | |||
# # sysctl -w net.ipv4.conf.default.accept_redirects=0 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.accept_redirects: 0 | |||
net.ipv4.conf.default.accept_redirects: 0 |
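Review bot: the pillar sets IPv4 only; `net.ipv6.conf.all.accept_redirects` and `net.ipv6.conf.default.accept_redirects` exist and are left unset, so a dual-stack host will still accept IPv6 redirects after this class is applied. Either add the IPv6 pair alongside `net.ipv4.conf.all.accept_redirects: 0` or state the IPv4-only scope in the header, since the description ("the system will not accept any ICMP redirect messages") reads as if it covered both.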
@@ -0,0 +1,45 @@ | |||
# 3.2.3 Ensure secure ICMP redirects are not accepted | |||
# | |||
# Description | |||
# =========== | |||
# Secure ICMP redirects are the same as ICMP redirects, except they come from | |||
# gateways listed on the default gateway list. It is assumed that these | |||
# gateways are known to your system, and that they are likely to be secure. | |||
# | |||
# Rationale | |||
# ========= | |||
# It is still possible for even known gateways to be compromised. Setting | |||
# net.ipv4.conf.all.secure_redirects to 0 protects the system from routing | |||
# table updates by possibly compromised known gateways. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.secure_redirects | |||
# net.ipv4.conf.all.secure_redirects = 0 | |||
# # sysctl net.ipv4.conf.default.secure_redirects | |||
# net.ipv4.conf.default.secure_redirects = 0 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.secure_redirects = 0 | |||
# net.ipv4.conf.default.secure_redirects = 0 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.secure_redirects=0 | |||
# # sysctl -w net.ipv4.conf.default.secure_redirects=0 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.secure_redirects: 0 | |||
net.ipv4.conf.default.secure_redirects: 0 |
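Review bot: `secure_redirects` has a non-obvious meaning that the header should spell out: with the kernel semantics, 1 restricts accepted redirects to gateways already in the interface's gateway list and 0 removes that restriction, so `net.ipv4.conf.all.secure_redirects: 0` on its own loosens rather than tightens. The benchmark recommendation only makes sense together with `accept_redirects = 0` from cis-3-2-2, which makes redirects moot. Since each cis-* class can be included independently, document that cis-3-2-3 must not be applied without cis-3-2-2, or have this class set `accept_redirects` as well.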
@@ -0,0 +1,44 @@ | |||
# 3.2.4 Ensure suspicious packets are logged | |||
# | |||
# Description | |||
# =========== | |||
# When enabled, this feature logs packets with un-routable source | |||
# addresses to the kernel log. | |||
# | |||
# Rationale | |||
# ========= | |||
# Enabling this feature and logging these packets allows an administrator | |||
# to investigate the possibility that an attacker is sending spoofed | |||
# packets to their system. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.log_martians | |||
# net.ipv4.conf.all.log_martians = 1 | |||
# # sysctl net.ipv4.conf.default.log_martians | |||
# net.ipv4.conf.default.log_martians = 1 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.log_martians = 1 | |||
# net.ipv4.conf.default.log_martians = 1 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.log_martians=1 | |||
# # sysctl -w net.ipv4.conf.default.log_martians=1 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.log_martians: 1 | |||
net.ipv4.conf.default.log_martians: 1 |
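Review bot: the rationale says enabling this lets an administrator investigate spoofed packets, but the header does not say where the evidence lands: the kernel writes these as `martian source` lines to the kernel log (dmesg/journal) and rate-limits them. Add a sentence pointing operators at the kernel log and at shipping it off-host, otherwise the setting is turned on without anyone collecting what it produces. Note also that "dropped and logged" only happens for packets that `rp_filter` (cis-3-2-7) rejects, so the two classes are effectively a pair.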
@@ -0,0 +1,45 @@ | |||
# 3.2.5 Ensure broadcast ICMP requests are ignored | |||
# | |||
# Description | |||
# =========== | |||
# Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the | |||
# system to ignore all ICMP echo and timestamp requests to broadcast | |||
# and multicast addresses. | |||
# | |||
# Rationale | |||
# ========= | |||
# Accepting ICMP echo and timestamp requests with broadcast or multicast | |||
# destinations for your network could be used to trick your host into starting | |||
# (or participating) in a Smurf attack. A Smurf attack relies on an attacker | |||
# sending large amounts of ICMP broadcast messages with a spoofed source | |||
# address. All hosts receiving this message and responding would send | |||
# echo-reply messages back to the spoofed address, which is probably not | |||
# routable. If many hosts respond to the packets, the amount of traffic on | |||
# the network could be significantly multiplied. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.icmp_echo_ignore_broadcasts | |||
# net.ipv4.icmp_echo_ignore_broadcasts = 1 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameter in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.icmp_echo_ignore_broadcasts = 1 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.icmp_echo_ignore_broadcasts: 1 |
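Review bot: the remediation block says "Run the following commands to set the active kernel parameters" and includes `sysctl -w net.ipv4.route.flush=1`, but `icmp_echo_ignore_broadcasts` is a global ICMP setting that does not touch routing, so the flush line is carried over from the routing items and does nothing here; harmless, but dropping it from this header would avoid implying a dependency.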
@@ -0,0 +1,39 @@ | |||
# 3.2.6 Ensure bogus ICMP responses are ignored | |||
# | |||
# Description | |||
# =========== | |||
# Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from | |||
# logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, | |||
# keeping file systems from filling up with useless log messages. | |||
# | |||
# Rationale | |||
# ========= | |||
# Some routers (and some attackers) will send responses that violate RFC-1122 | |||
# and attempt to fill up a log file system with many useless error messages. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.icmp_ignore_bogus_error_responses | |||
# net.ipv4.icmp_ignore_bogus_error_responses = 1 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameter in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.icmp_ignore_bogus_error_responses = 1 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.icmp_ignore_bogus_error_responses: 1 |
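Review bot: the description carries a typo from the benchmark text, "broadcast reframes" should read "broadcast frames". It would also help to say explicitly that this sysctl only suppresses the kernel's logging of the non-compliant responses and does not change how they are processed, so nobody reads this class as a filtering control; the rationale's "fill up a log file system" is the only hint at that.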
@@ -0,0 +1,51 @@ | |||
# 3.2.7 Ensure Reverse Path Filtering is enabled | |||
# | |||
# Description | |||
# =========== | |||
# Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 | |||
# forces the Linux kernel to utilize reverse path filtering on a received | |||
# packet to determine if the packet was valid. Essentially, with reverse path | |||
# filtering, if the return packet does not go out the same interface that the | |||
# corresponding source packet came from, the packet is dropped (and logged if | |||
# log_martians is set). | |||
# | |||
# Rationale | |||
# ========= | |||
# Setting these flags is a good way to deter attackers from sending your system | |||
# bogus packets that cannot be responded to. One instance where this feature | |||
# breaks down is if asymmetrical routing is employed. This would occur when | |||
# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are | |||
# using asymmetrical routing on your system, you will not be able to enable | |||
# this feature without breaking the routing. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.conf.all.rp_filter | |||
# net.ipv4.conf.all.rp_filter = 1 | |||
# # sysctl net.ipv4.conf.default.rp_filter | |||
# net.ipv4.conf.default.rp_filter = 1 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameters in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.conf.all.rp_filter = 1 | |||
# net.ipv4.conf.default.rp_filter = 1 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.conf.all.rp_filter=1 | |||
# # sysctl -w net.ipv4.conf.default.rp_filter=1 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.conf.all.rp_filter: 1 | |||
net.ipv4.conf.default.rp_filter: 1 |
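Review bot: the rationale warns that value 1 (strict reverse path filtering) breaks hosts with asymmetric routing but offers no way out other than not applying the class. The kernel also accepts 2 (loose mode, the packet is only dropped if the source is unreachable on any interface), and the effective setting is the maximum of `conf/all` and the per-interface value, so a host override cannot go below what `all` sets. Suggest documenting in the header that such hosts should override the pillar with `net.ipv4.conf.all.rp_filter: 2` rather than drop cis-3-2-7 entirely, and that the audit text above will then not match.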
@@ -0,0 +1,49 @@ | |||
# 3.2.8 Ensure TCP SYN Cookies is enabled | |||
# | |||
# Description | |||
# =========== | |||
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally | |||
# until the half-open connection queue is full, at which time, the SYN cookie | |||
# functionality kicks in. SYN cookies work by not using the SYN queue at all. | |||
# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will | |||
# include a specially crafted TCP sequence number that encodes the source and | |||
# destination IP address and port number and the time the packet was sent. | |||
# A legitimate connection would send the ACK packet of the three way handshake | |||
# with the specially crafted sequence number. This allows the system to verify | |||
# that it has received a valid response to a SYN cookie and allow the | |||
# connection, even though there is no corresponding SYN in the queue. | |||
# | |||
# Rationale | |||
# ========= | |||
# Attackers use SYN flood attacks to perform a denial of service attacked on a | |||
# system by sending many SYN packets without completing the three way handshake. | |||
# This will quickly use up slots in the kernel's half-open connection queue and | |||
# prevent legitimate connections from succeeding. SYN cookies allow the system | |||
# to keep accepting valid connections, even if under a denial of service attack. | |||
# | |||
# Audit | |||
# ===== | |||
# | |||
# Run the following commands and verify output matches: | |||
# | |||
# # sysctl net.ipv4.tcp_syncookies | |||
# net.ipv4.tcp_syncookies = 1 | |||
# | |||
# Remediation | |||
# =========== | |||
# | |||
# Set the following parameter in the /etc/sysctl.conf file: | |||
# | |||
# net.ipv4.tcp_syncookies = 1 | |||
# | |||
# Run the following commands to set the active kernel parameters: | |||
# | |||
# # sysctl -w net.ipv4.tcp_syncookies=1 | |||
# # sysctl -w net.ipv4.route.flush=1 | |||
parameters: | |||
linux: | |||
system: | |||
kernel: | |||
sysctl: | |||
net.ipv4.tcp_syncookies: 1 |
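Review bot: typo in the rationale, "a denial of service attacked on a system" should read "attack". On the detection side, the header could add that the kernel logs `Possible SYN flooding on port N. Sending cookies.` when the cookie path activates, which is the signal an operator should alert on; since cookies only engage once the half-open queue is full, that message is also the only visible indication that the setting is doing anything.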
@@ -1,2 +1,21 @@ | |||
classes: | |||
- service.linux.system.cis.cis-1-1-1-1 | |||
- service.linux.system.cis.cis-1-1-1-2 | |||
- service.linux.system.cis.cis-1-1-1-3 | |||
- service.linux.system.cis.cis-1-1-1-4 | |||
- service.linux.system.cis.cis-1-1-1-5 | |||
- service.linux.system.cis.cis-1-1-1-6 | |||
- service.linux.system.cis.cis-1-1-1-7 | |||
- service.linux.system.cis.cis-1-1-1-8 | |||
- service.linux.system.cis.cis-1-5-1 | |||
- service.linux.system.cis.cis-1-5-3 | |||
- service.linux.system.cis.cis-3-1-2 | |||
- service.linux.system.cis.cis-3-2-1 | |||
- service.linux.system.cis.cis-3-2-2 | |||
- service.linux.system.cis.cis-3-2-3 | |||
- service.linux.system.cis.cis-3-2-4 | |||
- service.linux.system.cis.cis-3-2-5 | |||
- service.linux.system.cis.cis-3-2-6 | |||
- service.linux.system.cis.cis-3-2-7 | |||
- service.linux.system.cis.cis-3-2-8 | |||
- service.linux.system.cis.cis-3-3-3 |
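Review bot: this aggregate class now pulls in every cis-* class unconditionally, including cis-3-2-7 (`rp_filter`), which the file's own rationale says will break hosts using asymmetric routing, yet nothing here or in the commit message documents the aggregate or how a host opts out of a single item; a short comment above `classes:` explaining that individual classes can be included directly would cover that. The list also goes from `cis-1-5-1` straight to `cis-1-5-3`, matching the commit message, so please confirm the 1.5.2 gap is intentional rather than a forgotten file.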