
CIS compliance (sysctl, limits)

* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled

All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.

Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
Branch: master
Dmitry Teselkin, 6 years ago
Parent commit: af730f9602
12 changed files with 539 additions and 0 deletions
  1. metadata/service/system/cis/cis-1-5-1.yml (+59 -0)
  2. metadata/service/system/cis/cis-1-5-3.yml (+40 -0)
  3. metadata/service/system/cis/cis-3-1-2.yml (+44 -0)
  4. metadata/service/system/cis/cis-3-2-1.yml (+56 -0)
  5. metadata/service/system/cis/cis-3-2-2.yml (+48 -0)
  6. metadata/service/system/cis/cis-3-2-3.yml (+45 -0)
  7. metadata/service/system/cis/cis-3-2-4.yml (+44 -0)
  8. metadata/service/system/cis/cis-3-2-5.yml (+45 -0)
  9. metadata/service/system/cis/cis-3-2-6.yml (+39 -0)
  10. metadata/service/system/cis/cis-3-2-7.yml (+51 -0)
  11. metadata/service/system/cis/cis-3-2-8.yml (+49 -0)
  12. metadata/service/system/cis/init.yml (+19 -0)

metadata/service/system/cis/cis-1-5-1.yml (+59 -0)

@@ -0,0 +1,59 @@
# CIS 1.5.1 Ensure core dumps are restricted (Scored)
#
# Description
# ===========
#
# A core dump is the memory of an executable program. It is generally used to determine
# why a program aborted. It can also be used to glean confidential information from a core
# file. The system provides the ability to set a soft limit for core dumps, but this can be
# overridden by the user.
#
# Rationale
# =========
#
# Setting a hard limit on core dumps prevents users from overriding the soft variable. If core
# dumps are required, consider setting limits for user groups (see limits.conf(5) ). In
# addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from
# dumping core.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*
# * hard core 0
# # sysctl fs.suid_dumpable
# fs.suid_dumpable = 0
#
# Remediation
# ===========
#
# Add the following line to the /etc/security/limits.conf file or a
# /etc/security/limits.d/* file:
#
# * hard core 0
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# fs.suid_dumpable = 0
#
# Run the following command to set the active kernel parameter:
#
# # sysctl -w fs.suid_dumpable=0

parameters:
linux:
system:
limit:
cis:
enabled: true
domain: '*'
limits:
- type: 'hard'
item: 'core'
value: 0
kernel:
sysctl:
fs.suid_dumpable: 0
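
Review bot: the comment header style differs from the other new files: this one reads `# CIS 1.5.1 ... (Scored)` while the rest use `# 1.5.3 ...` with neither the `CIS` prefix nor the scoring tag; pick one form for the whole set. The Audit section greps both /etc/security/limits.conf and /etc/security/limits.d/*, so a comment stating which of those the `linux:system:limit:cis` pillar entry renders to would let a reviewer confirm that no later limits.d file can override `* hard core 0`.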


metadata/service/system/cis/cis-1-5-3.yml (+40 -0)

@@ -0,0 +1,40 @@
# 1.5.3 Ensure address space layout randomization (ASLR) is enabled
#
# Description
# ===========
#
# Address space layout randomization (ASLR) is an exploit mitigation technique which
# randomly arranges the address space of key data areas of a process.
#
# Rationale
# =========
#
# Randomly placing virtual memory regions will make it difficult to write memory page
# exploits as the memory placement will be consistently shifting.
#
# Audit
# =====
#
# Run the following command and verify output matches:
#
# # sysctl kernel.randomize_va_space
# kernel.randomize_va_space = 2
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# kernel.randomize_va_space = 2
#
# Run the following command to set the active kernel parameter:
#
# # sysctl -w kernel.randomize_va_space=2

parameters:
linux:
system:
kernel:
sysctl:
kernel.randomize_va_space: 2


metadata/service/system/cis/cis-3-1-2.yml (+44 -0)

@@ -0,0 +1,44 @@
# 3.1.2 Ensure packet redirect sending is disabled
#
# Description
# ===========
# ICMP Redirects are used to send routing information to other hosts. As a host
# itself does not act as a router (in a host only configuration), there is
# no need to send redirects.
#
# Rationale
# =========
# An attacker could use a compromised host to send invalid ICMP redirects to
# other router devices in an attempt to corrupt routing and have users access
# a system set up by the attacker as opposed to a valid system.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.send_redirects
# net.ipv4.conf.all.send_redirects = 0
# # sysctl net.ipv4.conf.default.send_redirects
# net.ipv4.conf.default.send_redirects = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.send_redirects = 0
# net.ipv4.conf.default.send_redirects = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.send_redirects=0
# # sysctl -w net.ipv4.conf.default.send_red

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
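
Review bot: the last remediation line `# # sysctl -w net.ipv4.conf.default.send_red` is cut off; it should read `sysctl -w net.ipv4.conf.default.send_redirects=0`. This is also the only 3.x class in the commit whose remediation omits the `sysctl -w net.ipv4.route.flush=1` step that every other network check lists; add it here or drop it everywhere so the files stay consistent.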

metadata/service/system/cis/cis-3-2-1.yml (+56 -0)

@@ -0,0 +1,56 @@
# 3.2.1 Ensure source routed packets are not accepted
#
# Description
# ===========
# In networking, source routing allows a sender to partially or fully specify
# the route packets take through a network. In contrast, non-source routed
# packets travel a path determined by routers in the network. In some cases,
# systems may not be routable or reachable from some locations (e.g. private
# addresses vs. Internet routable), and so source routed packets would need
# to be used.
#
# Rationale
# =========
# Setting `net.ipv4.conf.all.accept_source_route` and
# `net.ipv4.conf.default.accept_source_route` to 0 disables the system from
# accepting source routed packets. Assume this system was capable of routing
# packets to Internet routable addresses on one interface and private addresses
# on another interface. Assume that the private addresses were not routable to
# the Internet routable addresses and vice versa. Under normal routing
# circumstances, an attacker from the Internet routable addresses could not use
# the system as a way to reach the private address systems. If, however, source
# routed packets were allowed, they could be used to gain access to the private
# address systems as the route could be specified, rather than rely on routing
# protocols that did not allow this routing.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.accept_source_route
# net.ipv4.conf.all.accept_source_route = 0
# # sysctl net.ipv4.conf.default.accept_source_route
# net.ipv4.conf.default.accept_source_route = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.accept_source_route=0
# # sysctl -w net.ipv4.conf.default.accept_source_route=0
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
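
Review bot: the remediation lists `sysctl -w net.ipv4.route.flush=1`, but the pillar block only carries the two `accept_source_route` keys. `net.ipv4.route.flush` is a one-shot trigger rather than a persistent value, so it does not belong in the sysctl pillar; a comment saying whether the formula is expected to flush routes after applying these values, or that the Audit section only checks the two persistent keys, would settle the question for this file and the following 3.2.x files that repeat the same step.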

metadata/service/system/cis/cis-3-2-2.yml (+48 -0)

@@ -0,0 +1,48 @@
# 3.2.2 Ensure ICMP redirects are not accepted
#
# Description
# ===========
# ICMP redirect messages are packets that convey routing information and tell
# your host (acting as a router) to send packets via an alternate path. It is
# a way of allowing an outside routing device to update your system routing
# tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will
# not accept any ICMP redirect messages, and therefore, won't allow outsiders
# to update the system's routing tables.
#
# Rationale
# =========
# Attackers could use bogus ICMP redirect messages to maliciously alter the
# system routing tables and get them to send packets to incorrect networks and
# allow your system packets to be captured.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.accept_redirects
# net.ipv4.conf.all.accept_redirects = 0
# # sysctl net.ipv4.conf.default.accept_redirects
# net.ipv4.conf.default.accept_redirects = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.default.accept_redirects = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.accept_redirects=0
# # sysctl -w net.ipv4.conf.default.accept_redirects=0
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.default.accept_redirects: 0

metadata/service/system/cis/cis-3-2-3.yml (+45 -0)

@@ -0,0 +1,45 @@
# 3.2.3 Ensure secure ICMP redirects are not accepted
#
# Description
# ===========
# Secure ICMP redirects are the same as ICMP redirects, except they come from
# gateways listed on the default gateway list. It is assumed that these
# gateways are known to your system, and that they are likely to be secure.
#
# Rationale
# =========
# It is still possible for even known gateways to be compromised. Setting
# net.ipv4.conf.all.secure_redirects to 0 protects the system from routing
# table updates by possibly compromised known gateways.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.secure_redirects
# net.ipv4.conf.all.secure_redirects = 0
# # sysctl net.ipv4.conf.default.secure_redirects
# net.ipv4.conf.default.secure_redirects = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.secure_redirects = 0
# net.ipv4.conf.default.secure_redirects = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.secure_redirects=0
# # sysctl -w net.ipv4.conf.default.secure_redirects=0
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
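
Review bot: the Description should state that `secure_redirects` is only consulted when `accept_redirects` is 1; since cis-3-2-2 in this same commit sets `accept_redirects` to 0 on both `all` and `default`, this class exists for audit conformance rather than as an independent control, and saying so prevents someone later dropping 3.2.2 on the assumption that 3.2.3 covers it.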

metadata/service/system/cis/cis-3-2-4.yml (+44 -0)

@@ -0,0 +1,44 @@
# 3.2.4 Ensure suspicious packets are logged
#
# Description
# ===========
# When enabled, this feature logs packets with un-routable source
# addresses to the kernel log.
#
# Rationale
# =========
# Enabling this feature and logging these packets allows an administrator
# to investigate the possibility that an attacker is sending spoofed
# packets to their system.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.log_martians
# net.ipv4.conf.all.log_martians = 1
# # sysctl net.ipv4.conf.default.log_martians
# net.ipv4.conf.default.log_martians = 1
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.default.log_martians = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.log_martians=1
# # sysctl -w net.ipv4.conf.default.log_martians=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.log_martians: 1
net.ipv4.conf.default.log_martians: 1

metadata/service/system/cis/cis-3-2-5.yml (+45 -0)

@@ -0,0 +1,45 @@
# 3.2.5 Ensure broadcast ICMP requests are ignored
#
# Description
# ===========
# Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the
# system to ignore all ICMP echo and timestamp requests to broadcast
# and multicast addresses.
#
# Rationale
# =========
# Accepting ICMP echo and timestamp requests with broadcast or multicast
# destinations for your network could be used to trick your host into starting
# (or participating) in a Smurf attack. A Smurf attack relies on an attacker
# sending large amounts of ICMP broadcast messages with a spoofed source
# address. All hosts receiving this message and responding would send
# echo-reply messages back to the spoofed address, which is probably not
# routable. If many hosts respond to the packets, the amount of traffic on
# the network could be significantly multiplied.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.icmp_echo_ignore_broadcasts
# net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.icmp_echo_ignore_broadcasts: 1

metadata/service/system/cis/cis-3-2-6.yml (+39 -0)

@@ -0,0 +1,39 @@
# 3.2.6 Ensure bogus ICMP responses are ignored
#
# Description
# ===========
# Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from
# logging bogus responses (RFC-1122 non-compliant) from broadcast reframes,
# keeping file systems from filling up with useless log messages.
#
# Rationale
# =========
# Some routers (and some attackers) will send responses that violate RFC-1122
# and attempt to fill up a log file system with many useless error messages.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.icmp_ignore_bogus_error_responses
# net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.icmp_ignore_bogus_error_responses: 1

metadata/service/system/cis/cis-3-2-7.yml (+51 -0)

@@ -0,0 +1,51 @@
# 3.2.7 Ensure Reverse Path Filtering is enabled
#
# Description
# ===========
# Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1
# forces the Linux kernel to utilize reverse path filtering on a received
# packet to determine if the packet was valid. Essentially, with reverse path
# filtering, if the return packet does not go out the same interface that the
# corresponding source packet came from, the packet is dropped (and logged if
# log_martians is set).
#
# Rationale
# =========
# Setting these flags is a good way to deter attackers from sending your system
# bogus packets that cannot be responded to. One instance where this feature
# breaks down is if asymmetrical routing is employed. This would occur when
# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are
# using asymmetrical routing on your system, you will not be able to enable
# this feature without breaking the routing.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.rp_filter
# net.ipv4.conf.all.rp_filter = 1
# # sysctl net.ipv4.conf.default.rp_filter
# net.ipv4.conf.default.rp_filter = 1
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.default.rp_filter = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.rp_filter=1
# # sysctl -w net.ipv4.conf.default.rp_filter=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
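
Review bot: `rp_filter = 1` is strict mode, and the Rationale itself says it breaks asymmetric routing on hosts running dynamic routing protocols; because init.yml pulls this class in for every node, a comment on how a gateway or router node is expected to override the value in its pillar (for example to loose mode, value 2) would prevent a routing outage on the first apply to such a host.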

metadata/service/system/cis/cis-3-2-8.yml (+49 -0)

@@ -0,0 +1,49 @@
# 3.2.8 Ensure TCP SYN Cookies is enabled
#
# Description
# ===========
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
# until the half-open connection queue is full, at which time, the SYN cookie
# functionality kicks in. SYN cookies work by not using the SYN queue at all.
# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
# include a specially crafted TCP sequence number that encodes the source and
# destination IP address and port number and the time the packet was sent.
# A legitimate connection would send the ACK packet of the three way handshake
# with the specially crafted sequence number. This allows the system to verify
# that it has received a valid response to a SYN cookie and allow the
# connection, even though there is no corresponding SYN in the queue.
#
# Rationale
# =========
# Attackers use SYN flood attacks to perform a denial of service attacked on a
# system by sending many SYN packets without completing the three way handshake.
# This will quickly use up slots in the kernel's half-open connection queue and
# prevent legitimate connections from succeeding. SYN cookies allow the system
# to keep accepting valid connections, even if under a denial of service attack.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.tcp_syncookies
# net.ipv4.tcp_syncookies = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.tcp_syncookies = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.tcp_syncookies=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
linux:
system:
kernel:
sysctl:
net.ipv4.tcp_syncookies: 1
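
Review bot: typo in the Rationale: `perform a denial of service attacked on a system` should read `perform a denial of service attack on a system`.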

metadata/service/system/cis/init.yml (+19 -0)

@@ -1,2 +1,21 @@
classes:
- service.linux.system.cis.cis-1-1-1-1
- service.linux.system.cis.cis-1-1-1-2
- service.linux.system.cis.cis-1-1-1-3
- service.linux.system.cis.cis-1-1-1-4
- service.linux.system.cis.cis-1-1-1-5
- service.linux.system.cis.cis-1-1-1-6
- service.linux.system.cis.cis-1-1-1-7
- service.linux.system.cis.cis-1-1-1-8
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
- service.linux.system.cis.cis-3-1-2
- service.linux.system.cis.cis-3-2-1
- service.linux.system.cis.cis-3-2-2
- service.linux.system.cis.cis-3-2-3
- service.linux.system.cis.cis-3-2-4
- service.linux.system.cis.cis-3-2-5
- service.linux.system.cis.cis-3-2-6
- service.linux.system.cis.cis-3-2-7
- service.linux.system.cis.cis-3-2-8
- service.linux.system.cis.cis-3-3-3
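
Review bot: the class list now references service.linux.system.cis.cis-1-1-1-1 through cis-1-1-1-8 and cis-3-3-3, none of which this commit adds (it adds cis-1-5-1, cis-1-5-3, cis-3-1-2 and cis-3-2-1 to cis-3-2-8); confirm those metadata files already exist under metadata/service/system/cis/, because reclass will fail to resolve a missing class when the node is rendered. The hunk header (`-1,2 +1,21`) shows only one class was listed before, so the commit message should also mention that init.yml is being extended with classes beyond the eleven checks it describes.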
