* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled * CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled * CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled * CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled * CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled * CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled * CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled * CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled * CIS 3.5.1 Ensure DCCP is disabled * CIS 3.5.2 Ensure SCTP is disabled * CIS 3.5.3 Ensure RDS is disabled * CIS 3.5.4 Ensure TIPC is disabled Related-Prod: PROD-20756 Related-Prod: PROD-20757 Related-Prod: PROD-20758 Related-Prod: PROD-20759 Change-Id: I719984829978caf0401e78daaabf1adfb0d1cfdfmaster
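--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
+#
+# Description
+# ===========
+# The cramfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems. A cramfs image can be used without
+# having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v cramfs
+# install /bin/true
+# # lsmod | grep cramfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install cramfs /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          cramfs:
+            install:
+              command: /bin/true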
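Review bot: The `install: command: /bin/true` setting only blocks future loads through modprobe; it does not unload a module that is already resident (the `lsmod | grep cramfs` audit quoted in the header would still show it until reboot) and has no effect on a filesystem compiled into the kernel. The header should say so, e.g. `# Note: this only prevents future modprobe loads; a module already loaded, or built into the kernel, is unaffected.`. Later CIS revisions, as far as I recall, pair the install line with a `blacklist <module>` entry so the module is not pulled in by alias and use `/bin/false` so an attempted load fails visibly — worth checking against the benchmark version this targets. The same remark applies to every module section in this change (freevxfs, jffs2, hfs, hfsplus, squashfs, udf, vfat, dccp, sctp, rds, tipc).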
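--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,36 @@
+# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
+#
+# Description
+# ===========
+# The freevxfs filesystem type is a free version of the Veritas type
+# filesystem. This is the primary filesystem type for HP-UX operating systems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v freevxfs
+# install /bin/true
+# # lsmod | grep freevxfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install freevxfs /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          freevxfs:
+            install:
+              command: /bin/true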
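--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,36 @@
+# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
+#
+# Description
+# ===========
+# The jffs2 (journaling flash filesystem 2) filesystem type is a
+# log-structured filesystem used in flash memory devices.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v jffs2
+# install /bin/true
+# # lsmod | grep jffs2
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install jffs2 /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          jffs2:
+            install:
+              command: /bin/true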
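--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,36 @@
+# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
+#
+# Description
+# ===========
+# The hfs filesystem type is a hierarchical filesystem that allows
+# you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfs
+# install /bin/true
+# # lsmod | grep hfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfs /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          hfs:
+            install:
+              command: /bin/true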
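--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,36 @@
+# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
+#
+# Description
+# ===========
+# The hfsplus filesystem type is a hierarchical filesystem designed to
+# replace hfs that allows you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfsplus
+# install /bin/true
+# # lsmod | grep hfsplus
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfsplus /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          hfsplus:
+            install:
+              command: /bin/true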
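--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
+#
+# Description
+# ===========
+# The squashfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems (similar to cramfs). A squashfs image
+# can be used without having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v squashfs
+# install /bin/true
+# # lsmod | grep squashfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install squashfs /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          squashfs:
+            install:
+              command: /bin/true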
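Review bot: The squashfs header has no Impact section, unlike the vfat one later in this change, although disabling squashfs is the module change most likely to break something in practice: snap packages and many live/installer images are squashfs-backed, so on hosts that use snapd this class would stop those packages from mounting. Suggest adding an Impact block after the Remediation block, along the lines of `# Impact` / `# ======` / `# Snap packages and some live/recovery images are squashfs-based; disabling this module breaks them on hosts that rely on it.`, so that whoever includes the class can judge the trade-off.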
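--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,38 @@
+# 1.1.1.7 Ensure mounting of udf filesystems is disabled
+#
+# Description
+# ===========
+# The udf filesystem type is the universal disk format used to implement
+# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
+# type for data storage on a broad range of media. This filesystem type is
+# necessary to support writing DVDs and newer optical disc formats.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v udf
+# install /bin/true
+# # lsmod | grep udf
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install udf /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          udf:
+            install:
+              command: /bin/true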
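--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,44 @@
+# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
+#
+# Description
+# ===========
+# The FAT filesystem format is primarily used on older windows systems and
+# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
+# and FAT32 all of which are supported by the vfat kernel module.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v vfat
+# install /bin/true
+# # lsmod | grep vfat
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install vfat /bin/true
+#
+# Impact
+# ======
+# FAT filesystems are often used on portable USB sticks and other flash
+# media are commonly used to transfer files between workstations, removing
+# VFAT support may prevent the ability to transfer files in this way.
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          vfat:
+            install:
+              command: /bin/true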
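Review bot: The Impact section only covers USB media, but the more serious consequence of `install vfat /bin/true` is on UEFI hosts, where the EFI System Partition (typically mounted at /boot/efi) is FAT-formatted; with the module blocked, that partition can no longer be mounted and bootloader or firmware updates that write to it fail. Suggest adding a sentence to the Impact block such as `# On UEFI systems the EFI System Partition is FAT; do not apply this class where /boot/efi must stay mountable.`. While editing that block, the first sentence is ungrammatical — `# FAT filesystems are often used on portable USB sticks and other flash media, which are commonly used to transfer files between workstations; removing` reads correctly.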
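--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,38 @@
+# 3.5.2 Ensure SCTP is disabled
+#
+# Description
+# ===========
+# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
+# that supports streaming media and telephony. DCCP provides a way to gain
+# access to congestion control, without having to do it at the application
+# layer, but does not provide in-sequence delivery.
+#
+# Rationale
+# =========
+# If the protocol is not required, it is recommended that the drivers not be
+# installed to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v dccp
+# install /bin/true
+# # lsmod | grep dccp
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install dccp /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          dccp:
+            install:
+              command: /bin/true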
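Review bot: The title line of this file is wrong: it says `# 3.5.2 Ensure SCTP is disabled` while the description, audit commands and the `dccp:` parameter key all belong to the DCCP control, and the commit message lists it as 3.5.1. It looks like a copy from the SCTP file that was not updated; the first line should read `# 3.5.1 Ensure DCCP is disabled`. Anyone grepping the class headers for the control number would otherwise find two files claiming 3.5.2 and none for 3.5.1.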
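--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,41 @@
+# 3.5.2 Ensure SCTP is disabled
+#
+# Description
+# ===========
+# The Stream Control Transmission Protocol (SCTP) is a transport layer
+# protocol used to support message oriented communication, with several
+# streams of messages in one connection. It serves a similar function as
+# TCP and UDP, incorporating features of both. It is message-oriented
+# like UDP, and ensures reliable in-sequence transport of messages with
+# congestion control like TCP.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v sctp
+# install /bin/true
+# # lsmod | grep sctp
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install sctp /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          sctp:
+            install:
+              command: /bin/true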
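--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+# 3.5.3 Ensure RDS is disabled
+#
+# Description
+# ===========
+# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
+# designed to provide low-latency, high-bandwidth communications between
+# cluster nodes. It was developed by the Oracle Corporation.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v rds
+# install /bin/true
+# # lsmod | grep rds
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install rds /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          rds:
+            install:
+              command: /bin/true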
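--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+# 3.5.4 Ensure TIPC is disabled
+#
+# Description
+# ===========
+# The Transparent Inter-Process Communication (TIPC) protocol is designed
+# to provide communication between cluster nodes.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v tipc
+# install /bin/true
+# # lsmod | grep tipc
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install tipc /bin/true
+#
+parameters:
+  linux:
+    system:
+      kernel:
+        module:
+          tipc:
+            install:
+              command: /bin/true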
@@ -1,2 +1,14 @@ | |||
classes: | |||
- service.linux.system.cis.cis-1-1-1-1.yml | |||
- service.linux.system.cis.cis-1-1-1-2.yml | |||
- service.linux.system.cis.cis-1-1-1-3.yml | |||
- service.linux.system.cis.cis-1-1-1-4.yml | |||
- service.linux.system.cis.cis-1-1-1-5.yml | |||
- service.linux.system.cis.cis-1-1-1-6.yml | |||
- service.linux.system.cis.cis-1-1-1-7.yml | |||
- service.linux.system.cis.cis-1-1-1-8.yml | |||
- service.linux.system.cis.cis-3-3-3 | |||
- service.linux.system.cis.cis-3-5-1 | |||
- service.linux.system.cis.cis-3-5-2 | |||
- service.linux.system.cis.cis-3-5-3 | |||
- service.linux.system.cis.cis-3-5-4 |
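Review bot: The eight `cis-1-1-1-*` entries carry a `.yml` suffix while the `cis-3-*` entries in the same list do not, and only one of the two forms can be right. If this is a reclass `classes:` list (which the dotted `service.linux.system.cis.` prefix suggests), the dots are path separators, so `service.linux.system.cis.cis-1-1-1-1.yml` would be looked up as `cis-1-1-1-1/yml.yml` rather than `cis-1-1-1-1.yml` and the filesystem controls would silently fail to apply. The entries should follow the existing style, e.g. `- service.linux.system.cis.cis-1-1-1-1` through `- service.linux.system.cis.cis-1-1-1-8`. Which of the fourteen lines is pre-existing context is not recoverable from the rendered page, so I have not rebuilt this section.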