# CIS Benchmark Process
This CIS-certified policy for Red Hat Enterprise Linux 7 (the Qualys policy referenced throughout this page) is based on the CIS Benchmark for Red Hat Enterprise Linux 7 v2.2.0 and contains the Level 1 and Level 2 Scored checks from the benchmark.
POAM finding: there is no clear approval process in the configuration-deviations ticketing system, and deviations from the CIS benchmarks are not accounted for in deviation documents.
See [CIS Exceptions in our Github](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/CIS-Exceptions)
To resolve the POAM we need a documented process for CIS benchmark deviations. Rather than the MSOCI JIRA queue, use the Compliance project and the [CIS Exception template](https://jira.xdr.accenturefederalcyber.com/browse/COMP-29) (COMP-29) for each exception; exceptions that already have a ticket are referenced below by COMP number.
## Masterless salt in Packer
- Template: `packer/lcp/vmware/lcp-vmware.pkr.hcl`
- Minion bootstrap: `packer/scripts/salt-virtualenv-minion.sh` (referenced from the template as `"../../scripts/salt-virtualenv-minion.sh"`)
The `salt-masterless` provisioner below applies the CIS hardening states from the local `./salt` tree:
```
provisioner "salt-masterless" {
skip_bootstrap = true
salt_bin_dir = "/mnt/bin"
local_state_tree = "./salt"
remote_state_tree = "/mnt/srv/salt"
temp_config_dir = "/mnt/tmp/salt"
salt_call_args = "-c /mnt/etc/salt"
no_exit_on_failure = true
}
```
- TODO: migrate the packer salt states
Some checks are NOT IMPLEMENTED as states because the default configuration already satisfies them. Packer gets us about 50% of the way to CIS; the salt states run from the master after deploy fine-tune the hosts and get us to 100%. The duplication between the two is acceptable because salt has the final say. Note that `no_exit_on_failure = true` in the provisioner means a failing hardening state does not fail the image build, so the post-deploy salt run is also the safety net for anything the image missed.
Both AWS and VMware use masterless salt in Packer.
## Commands run in PROD (Sensu/Vault are the guinea pigs)
### First group of changes, pushed to the first group of PROD servers (sensu*)
```
salt sensu* state.sls os_modifications.auditd --output-diff
salt sensu* state.sls os_modifications.timezone --output-diff
salt sensu* state.sls os_modifications.sshd_config --output-diff
salt sensu* state.sls os_modifications.modprobe --output-diff
salt sensu* state.sls os_modifications.disable_ipv6 --output-diff
salt sensu* state.sls os_modifications.audit_backlog_limit --output-diff
salt sensu* state.sls os_modifications.fstab --output-diff
salt sensu* state.sls os_modifications.sysctl --output-diff
salt sensu* state.sls os_modifications.rsyslog --output-diff
salt *com cmd.run 'systemctl start auditd'
```
### Second group of changes (Part 2)
```
salt sensu* state.sls os_modifications.disable_services --output-diff
salt sensu* state.sls os_modifications.sugroup --output-diff
salt sensu* state.sls os_modifications.sudo --output-diff
salt sensu* state.sls os_modifications.auditd --output-diff
salt sensu* state.sls os_modifications.sshd_config --output-diff
salt sensu* state.sls os_modifications.journald --output-diff
salt sensu* state.sls os_modifications.securetty --output-diff
salt sensu* state.sls os_modifications.tty_history --output-diff
salt sensu* state.sls os_modifications.timeout --output-diff
salt sensu* state.sls os_modifications.umask --output-diff
#Fix unowned files and dirs
salt sensu* cmd.run 'rm -rf /home/shahid_mahmood'
salt sensu* cmd.run 'rm -rf /home/donald_wong'
salt sensu* cmd.run 'rm -rf /home/randy_coffman'
salt sensu* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
salt sensu* cmd.run 'rm -rf /var/spool/mail/randy_coffman'
salt sensu* cmd.run 'rm -rf /var/spool/mail/donald_wong'
salt sensu* cmd.run "ls -larth /home | grep 'randy_coffman\|shahid_mahmood\|donald_wong'"
```
### Third group of changes (Part 3)
TODO
### Server groups (rollout order)
- Group 1, Sensu: `salt sensu*`
- Group 2, Vault: `salt vault*`
- Group 3, limited internal, no customers: `salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or nihor* or bas-* or ca-c19* or frtib* or dgi* or threatq* or customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0* )'`
- Group 4, all internal, no customers: `salt -C 'customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0*'`
- Group 5, all servers besides LCPs: `salt *com`
- Group 6, LCPs: `salt -G 'msoc_pop:True'`
Targets are shell globs; quote them (`salt 'sensu*'`, `salt '*com'`) if the working directory on the salt master could contain matching filenames.
## Commands run in TEST
Things to add to `os_modifications/init.sls`. Pattern for each fix: apply the raw `cis-hardening-rhel-7` section state (`test=false`) on the TEST sensu* hosts, then dry-run (`test=true`) the refactored `os_modifications.*` state on vault-1* from the feature-branch saltenv. Targets are shell globs; quote `*` (`salt '*'`) so it cannot expand against files in the working directory.
```
# ---- Part 1 ----
# fix misspelled squashfs and add usb-storage
salt '*' state.sls_id /etc/modprobe.d/CIS.conf os_modifications.cis-hardening-rhel-7.section-1.1-1 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
salt vault-1* state.sls os_modifications.modprobe saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: os_modifications/modprobe.sls
# fix ipv6
salt sensu* state.sls os_modifications.cis-hardening-rhel-7.section-3.3-1 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
#   state: os_modifications/disable_ipv6.sls
salt vault-1* state.sls os_modifications.disable_ipv6 saltenv=feature/bp_MSOCI-1676_cis_audit test=true
# fix 4.1.2.4 audit_backlog_limit
salt sensu* state.sls os_modifications.cis-hardening-rhel-7.section-4.4-1-2-4 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
#   state: os_modifications/audit_backlog_limit.sls
salt vault-1* state.sls os_modifications.audit_backlog_limit saltenv=feature/bp_MSOCI-1676_cis_audit test=true
# fix fstab
salt vault-1* state.sls os_modifications.fstab saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/fstab.sls
# fix sysctl
salt vault-1* state.sls os_modifications.sysctl saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/sysctl.sls
# fix chrony
salt vault-1* state.sls os_modifications.timezone saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/timezone.sls (already in init.sls)
# fix rsyslog
salt vault-1* state.sls os_modifications.rsyslog saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/rsyslog.sls
# fix auditd
salt vault-1* state.sls os_modifications.auditd saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/auditd.sls
# fix sshd_config
salt vault-1* state.sls os_modifications.sshd_config saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#   state: salt/fileroots/os_modifications/sshd_config.sls
# ---- Part 2 ----
# fix rhnsd + rsync
salt vault-1* state.sls os_modifications.disable_services saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#   state: salt/fileroots/os_modifications/disable_services.sls
# fix su (what will break?)
salt vault-1* state.sls os_modifications.sugroup saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#   state: salt/fileroots/os_modifications/sugroup.sls
# fix sudoers
salt vault-1* state.sls os_modifications.sudo saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix more auditd
salt vault-1* state.sls os_modifications.auditd saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix sshd_config again
salt vault-1* state.sls os_modifications.sshd_config saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix journald logging
salt vault-1* state.sls os_modifications.journald saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix securetty
salt vault-1* state.sls os_modifications.securetty saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix pam password remember
salt vault-1* state.sls os_modifications.tty_history saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix timeout
salt vault-1* state.sls os_modifications.timeout saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix umask (this doesn't totally fix the finding!)
salt vault-1* state.sls os_modifications.umask saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
# fix unowned files and dirs
salt vault-1* cmd.run 'rm -rf /home/shahid_mahmood'
salt vault-1* cmd.run 'rm -rf /home/donald_wong'
salt vault-1* cmd.run 'rm -rf /home/randy_coffman'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/randy_coffman'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/donald_wong'
salt vault-1* cmd.run "ls -larth /home | grep 'randy_coffman\|shahid_mahmood\|donald_wong'"
# ---- Part 3 ----
salt ghe-backup* state.sls docker saltenv=feature/bp_MSOCI-1676_cis_audit_part3 --output-diff test=true
salt ghe-backup* cmd.run 'systemctl stop iptables && systemctl disable iptables && yum remove iptables-services -y'
salt ghe-backup* cmd.run 'systemctl enable firewalld && systemctl start firewalld'
salt customer* state.sls docker --output-diff test=true saltenv=feature/bp_MSOCI-1676_cis_audit_part3
# this should clean up the garbage in audit.rules
salt customer* state.sls os_modifications.auditd
# then this will add in the correct file
salt customer* state.sls docker --output-diff test=true
# reload the audit.rules file, then wait for a reboot of the server
salt customer* cmd.run 'augenrules --load'
salt customer* cmd.run 'auditctl -l | grep docker'
```
## TODO items
- 4.2.3 Ensure permissions on all logfiles are configured
- 6.1.11 Ensure no unowned files or directories exist (Docker files, sft home dirs)
- 6.1.12 Ensure no ungrouped files or directories exist (Docker files, sft home dirs)
- 1.8.1.3 Ensure remote login warning banner is configured properly: Nessus flags the banner text; false positive?
- Create internal DNS entries for these in test and prod so they show up in Nessus:
```
10.20.32.59 customer-portal
10.20.16.86 moose-splunk-indexer-0
10.20.16.237 moose-splunk-indexer-1
10.20.17.42 moose-splunk-indexer-2
10.20.32.84 customer-portal
10.20.0.25 sensu
```
# Audit Controls and Exceptions
Control ID: 1073
Statement: Status of the 'Maximum Password Age' setting (expiration) / Accounts having the 'password never expires' flag set
Control Number:5.57
Reference #: 5.4.1.1.a
Framework: CIS Benchmark for Red Hat Enterprise Linux 7 3.1.1, § 5.5.1.1
Qualys check: the integer value X is the current PASS_MAX_DAYS setting in /etc/login.defs; expected in range 1-365.
Salt state: packer/lcp/vmware/salt/cis-hardening-rhel-7/section-5.sls
Currently set to -1 in salt/fileroots/os_modifications/files/login.defs by Chris.
Exception!
####
Control ID: 1072
Statement: Status of the 'Minimum Password Age' setting
Control Number: 5.59
Reference #: 5.4.1.2.a
Qualys check: the integer value X is the current PASS_MIN_DAYS setting in /etc/login.defs; expected greater than or equal to 7.
Remediation text: to set the password minimum age for new accounts, edit /etc/login.defs and add or correct the line `PASS_MIN_DAYS [DAYS]`, replacing [DAYS] appropriately. A value of 1 day is considered sufficient for many environments; the DoD requirement is 1.
Currently set to -1 in salt/fileroots/os_modifications/files/login.defs by Chris.
Exception!
####
Control ID: 1417
Statement: Existence of the 'cron.deny' file
Control Number: 5.14
Reference #: 5.1.8
Salt state created; needs to be deployed.
####
Control ID: 4437
Statement: Current list of hosts defined within the 'hosts.allow' file
Reference #: 3.4.2
Exception!
####
Control ID: 4438
Statement: Status of the hosts defined within the hosts.deny file
Reference #: 3.4.3
Exception!
####
Control ID: 4726
Statement: Current 'UMASK' setting for the '/etc/bashrc or /etc/bash.bashrc' file
Reference #: 5.4.5/5.4.6
Flagged as a false positive because the Qualys regex does not accept "022". Caveat before closing it that way: the CIS regex below only matches umasks whose last octal digit is 7 (027, 077, or the symbolic `u=...,g=...,o=` form), i.e. no permissions for other, so a umask of 022 is rejected by design and does not satisfy the default-umask control (5.4.4 in v2.2.0, "027 or more restrictive"). Confirm the effective value with `umask` in a fresh login shell on an affected host.
umask configured here: packer/scripts/aws-hardening.sh & cis-harden.sh
CIS provided grep command:
```
grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc
```
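To settle whether "022" is a false positive, here is an added check (my example, not from the original page or the Qualys policy) that runs the CIS audit regex above over constructed profile lines. The only change to the pattern is spelling `\s` as `[[:space:]]` so it works under any POSIX `grep -E`; it otherwise accepts exactly what the CIS grep accepts, and it shows `umask 022` failing because the pattern requires the last octal digit to be 7, not because of a scanner quirk. The sample lines are made up.

```shell
#!/bin/sh
# Added example: evaluate the CIS default-umask audit regex against sample
# lines. Same pattern as the CIS grep, with \s written as [[:space:]] so it
# runs under any POSIX grep -E (GNU grep also accepts the \s form).
UMASK_RE='^[[:space:]]*umask[[:space:]]+(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)[[:space:]]*([[:space:]]*#.*)?$'

# umask_line_ok LINE -> exit 0 if LINE is a CIS-compliant umask setting
umask_line_ok() {
    printf '%s\n' "$1" | grep -Eq "$UMASK_RE"
}

# umask_files_ok FILE... -> exit 0 if at least one compliant umask line
# exists in the given files. This is what the CIS audit checks; note that
# it does not notice a later, weaker "umask 022" line that would override
# the compliant one at login, so also check the effective value on a host.
umask_files_ok() {
    grep -Eqs "$UMASK_RE" "$@"
}

# Constructed sample lines (not taken from any real host)
for line in 'umask 022' 'umask 0022' 'umask "022"' 'umask 027' 'umask 077' \
            'umask u=rwx,g=rx,o=' '    umask 027   # CIS 5.4.4'; do
    if umask_line_ok "$line"; then
        printf 'PASS  %s\n' "$line"
    else
        printf 'FAIL  %s\n' "$line"
    fi
done
```

Point `umask_files_ok` at `/etc/profile /etc/profile.d/*.sh /etc/bashrc` to reproduce the CIS audit; it passes on any single compliant line, which is why the "doesn't totally fix the finding" note on the umask state above still matters.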
####
Control ID: 5215
Statement: Status of the 'AllowGroups' setting in the 'sshd_config' file
Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception!
####
Control ID: 5217
Statement: Status of the 'AllowUsers' setting in the 'sshd_config' file
Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception!
####
Control ID: 5222
Statement: Status of the 'ClientAliveInterval' setting in the 'sshd_config' file
ref #: 5.2.12 (v2.2.0) (5.2.16 v3.0.0)
Exception! Handled by Teleport
####
Control ID: 5224
Statement: Status of the 'DenyGroups' setting in the 'sshd_config' file
ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception! Handled by Teleport
####
Control ID: 5225
Statement: Status of the 'DenyUsers' setting in the 'sshd_config' file
ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception! Handled by Teleport
####
Control ID: 5283/17996
Statement: Status of the 'MACs' setting in the '/etc/ssh/sshd_config' file
ref #: 5.2.11 (v2.2.0) (5.2.14 v3.0.0)
Adjusted sshd_config
####
Control ID: 5963
Statement: Status of the current setting for 'net.ipv4.ip_forward' network parameter
ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)
Hosts that need forwarding:
- 10.40.20.42 - openvpn (required for VPN)
- 10.40.24.97 - ghe-backup (docker)
- 10.40.32.16 - customer-portal (docker)
- 10.40.32.56 - customer-portal (docker)
Exception! Handled by Teleport
####
Control ID: 7339
Statement: Status of the 'Permissions' settings for the '/etc/cron.d' directory
ref #: 5.1.7
This needs to be set. Currently it is 755; the benchmark wants 0700 root:root (`chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d`). Salt state needs to be created.
####
Control ID: 7408
Statement: Current list of world writable directories that do not have the sticky bit configured
ref #: 1.1.21 (v2.2.0) (1.1.24 v3.0.0) (1.1.22 v3.0.1)
/var/log/bash_history
Modified here: salt/fileroots/os_modifications/tty_history.sls
I don't think this is needed anymore thanks to Teleport; no files are stored in that directory.
Needs review.
####
Control ID: 7417
Statement: Current list of user accounts with 'existing home directories' defined in /etc/passwd and not present on the
ref #: 6.2.7
- 10.40.30.24 (phantom): git-user:/home/git-user, phantom-worker:/home/phantom-worker
- 10.40.28.74 (fm-shared-search): george_starcher:/home/george_starcher, /etc/passwd entry `george_starcher:x:60005:60005:sft-managed:/home/george_starcher:/bin/bash`. I added the dir. Should clean it up.
Exception!
####
Control ID: 7418
Statement: Status of the current 'unowned' files and directories on the host
ref #: 6.1.11
```
/home/shahid_mahmood
/home/shahid_mahmood/.bashrc
/home/shahid_mahmood/.bash_logout
/home/shahid_mahmood/.bash_profile
/home/shahid_mahmood/.zshrc
```
Changed ownership to root.
####
Control ID: 7419
Statement: Status of the current 'ungrouped' files and directories on the host
ref #: 6.1.12
```
/home/shahid_mahmood
/home/shahid_mahmood/.bashrc
/home/shahid_mahmood/.bash_logout
/home/shahid_mahmood/.bash_profile
/home/shahid_mahmood/.zshrc
```
Changed ownership to root.
####
Control ID: 7451
Statement: Status of the 'restrict -6 default' setting in the '/etc/ntp.conf' file
ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception!
####
Control ID: 7457
Statement: Status of the 'OPTIONS' setting in the '/etc/sysconfig/ntpd' file
ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception!
####
Control ID: 7458
Statement: Status of the 'inet_interfaces' setting in the '/etc/postfix/main.cf' file
ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)
10.40.0.96 / mailrelay
Exception!
####
Control ID: 7949
Statement: Status of the 'unconfined daemons' on the host
ref #: 1.6.1.6 (v2.2.0) (1.7.1.7 v3.0.0)
The host should not have 'unconfined daemons' which are daemons that are not defined in SELinux policy and inherit permissions from parent processes. Unconfined daemons are daemons without proper permissions and present security risks to the host and this check should be regularly performed and reviewed according to the needs of the business. NOTE: This check should produce NO unconfined daemons on the list.
Unconfined daemons found: mongod, splunkd
Exception!
####
Control ID: 8327
Statement:Status of the 'world-writable' files and directories on the host
ref #: 6.1.10
Qualys: the list string value(s) X indicate the status of local world-writable files and directories. Expected: file not found, or the output does not contain `.+` (an empty list). Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
root:root:drwxrwxrwt.:/dev/mqueue
root:root:drwxrwxrwt.:/dev/shm
root:root:drwxrwxrwt.:/opt/tmp
root:root:drwxrwxrwt.:/tmp
root:root:drwxrwxrwt.:/tmp/.font-unix
root:root:drwxrwxrwt.:/tmp/.ICE-unix
root:root:drwxrwxrwt.:/tmp/.Test-unix
root:root:drwxrwxrwt.:/tmp/.X11-unix
root:root:drwxrwxrwt.:/tmp/.XIM-unix
root:root:drwxrwxrwt.:/tmp/systemd-private-5e8298ad14ed4e9381a2786970c55c78-chronyd.service-vs5GMY/tmp
root:root:drwxrwxrwt.:/var/tmp
root:root:drwxrwxrwt.:/var/tmp/cloud-init
root:root:drwxrwxrwx.:/var/log/bash_history
```
This needs to be figured out one by one. :-( A first pass from the list itself: every entry is a directory, and all but /var/log/bash_history already carry the sticky bit (the trailing `t` in `drwxrwxrwt`), which is what 1.1.21 requires of world-writable directories; /tmp, /var/tmp, /dev/shm, /dev/mqueue, the /tmp/.*-unix socket directories and systemd's per-service PrivateTmp directory are expected to be world-writable. /var/log/bash_history (tty_history.sls, control 7408 above) is the only one that needs action, and no world-writable regular files, which is what 6.1.10 actually audits, were reported.
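To do the one-by-one triage mechanically, here is an added example (mine, not from the page or the Qualys policy). It takes Qualys `owner:group:mode:path` lines on stdin and prints only what needs action: world-writable directories lacking the sticky bit (CIS 1.1.21) and world-writable regular files (CIS 6.1.10). It also carries the benchmark's own `find` audit commands for running the same two questions live. Run on a constructed copy of part of the list above (plus one made-up file line to exercise the file filter) it reports only `/var/log/bash_history` for the directories.

```shell
#!/bin/sh
# Added example: triage Qualys control 8327 output. Input lines look like
#   owner:group:mode:path   e.g.  root:root:drwxrwxrwt.:/tmp
# Mode is the ls -l style string; its 10th character is the other-execute
# slot, which shows t (or T when not executable) when the sticky bit is set.

# ww_dirs_without_sticky  (stdin -> stdout)
# Prints the path of every directory entry whose sticky bit is not set.
# The path is taken as everything after the third colon, so paths that
# themselves contain ':' survive.
ww_dirs_without_sticky() {
    awk -F: 'substr($3, 1, 1) == "d" && substr($3, 10, 1) !~ /[tT]/ {
        print substr($0, length($1) + length($2) + length($3) + 4)
    }'
}

# ww_regular_files  (stdin -> stdout)
# Prints the path of every world-writable regular file, which is what
# CIS 6.1.10 is actually about (directories are covered by 1.1.21).
ww_regular_files() {
    awk -F: 'substr($3, 1, 1) == "-" {
        print substr($0, length($1) + length($2) + length($3) + 4)
    }'
}

# Live equivalent of the two checks, using the CIS audit commands
# (walks every local partition; run as root).
audit_live() {
    echo "# world-writable directories without sticky bit (1.1.21):"
    df --local -P | awk '{ if (NR != 1) print $6 }' |
        xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
    echo "# world-writable regular files (6.1.10):"
    df --local -P | awk '{ if (NR != 1) print $6 }' |
        xargs -I '{}' find '{}' -xdev -type f -perm -0002 2>/dev/null
}

# Constructed sample: a subset of the Qualys list from this control plus
# one invented file line so the file filter has something to find.
SAMPLE='root:root:drwxrwxrwt.:/dev/mqueue
root:root:drwxrwxrwt.:/dev/shm
root:root:drwxrwxrwt.:/opt/tmp
root:root:drwxrwxrwt.:/tmp
root:root:drwxrwxrwt.:/tmp/.X11-unix
root:root:drwxrwxrwt.:/var/tmp
root:root:drwxrwxrwx.:/var/log/bash_history
root:root:-rw-rw-rw-.:/opt/example/world-writable.log'

printf '%s\n' "$SAMPLE" | ww_dirs_without_sticky   # -> /var/log/bash_history
printf '%s\n' "$SAMPLE" | ww_regular_files          # -> /opt/example/world-writable.log
```

Feed the full Qualys export through the two filters to get the real action list; anything the filters drop is a sticky-bit temp directory the scanner listed but the benchmark accepts.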
#####
Control ID: 9380
Statement: Status of the Mail Transfer Agent for Local-Only Mode
ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)
10.40.0.96 / mailrelay
Exception!
####
Control ID: 9391
Statement: Status of the System Accounts
ref #: 5.4.2
10.40.30.24 / phantom
```
pgbouncer:x:993:989:PgBouncer Server:/home/pgbouncer:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
```
Exception!
####
Control ID: 9623
Statement: Status of the 'try_first_pass' setting within the '/etc/pam.d/system-auth'
ref #: 5.3.1
This needs to be figured out. Possible exception.
####
Control ID: 9629
Statement: Status of the 'retry' parameter for login attempts defined within '/etc/pam.d/system-auth'
ref #: 5.3.1
This needs to be figured out. Possible exception.
####
Control ID: 9881
Statement: Status of the 'httpd' service using systemd
ref #: 2.2.10 (v2.2.0) (2.2.11 v3.0.0)
10.40.2.41/reposerver needs httpd
Exception!
####
Control ID: 10236
Statement: Status of the ownership set for the home directory of Non system User
ref #: 6.2.9 (v2.2.0) (6.2.7 v3.0.0)
fm-shared-search
phantom-0
This is a false positive: the CIS benchmark bash script does not show home-directory ownership issues. The one non-matching line below is george_starcher, whose home directory does not exist (that is the 6.2.7 finding under control 7417 above, not an ownership problem).
Qualys: the list string value(s) X indicate the ownership of each user account's home directory; each line is account name, UID, home-directory path, then the actual owner of the directory. Expected: non-system users not found, or every line matches `^(nfsnobody:.*)|(([^:]+):.*:\3)$` (owner equals account name). Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
brad_poulton:60010:/home/brad_poulton:brad_poulton
brandon.naughton:50022:/home/brandon.naughton:brandon.naughton
brandon_naughton:60012:/home/brandon_naughton:brandon_naughton
centos:1001:/home/centos:centos
charles.kuykendall:50021:/home/charles.kuykendall:charles.kuykendall
charles_kuykendall:60014:/home/charles_kuykendall:charles_kuykendall
colby_williams:60018:/home/colby_williams:colby_williams
donald.wong:50023:/home/donald.wong:donald.wong
donald_wong:150045:/home/donald_wong:donald_wong
duane_waddle:60001:/home/duane_waddle:duane_waddle
frederick_t_damstra:60017:/home/frederick_t_damstra:frederick_t_damstra
george_starcher:60005:/home/george_starcher:Directory not found
james_m_jarrett:150002:/home/james_m_jarrett:james_m_jarrett
jeremy_cooper:150036:/home/jeremy_cooper:jeremy_cooper
john_reuther:60003:/home/john_reuther:john_reuther
j_kerr:50020:/home/j_kerr:j_kerr
randy_coffman:60015:/home/randy_coffman:randy_coffman
splunk:50009:/opt/splunk:splunk
svc-qualys:50008:/home/svc-qualys:svc-qualys
s_scott:150035:/home/s_scott:s_scott
wesley_leonard:60009:/home/wesley_leonard:wesley_leonard
```
####
Control ID: 10480
Statement: Status of the 'restrict -4 default' setting in the '/etc/ntp.conf' file
ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception! COMP-39
####
Control ID: 10655
Statement: Status of the 'vfat' Filesystems (modprobe)
ref #: 1.1.1.8 (v2.2.0) (1.1.1.4 v3.0.0)
This needs to be figured out.
Qualys: the list string value X shows, via `modprobe -n -v`, whether each filesystem module can still be loaded. Expected: contains `vfat\s*:\s*install\s+/bin/true`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
cramfs : install /bin/true
freevxfs : install /bin/true
hfs : install /bin/true
hfsplus : install /bin/true
jffs2 : install /bin/true
squashfs : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/squashfs/squashfs.ko.xz
udf : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/lib/crc-itu-t.ko.xz :install /bin/true
vfat : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/fat.ko.xz :insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/vfat.ko.xz
```
In this snapshot squashfs and vfat are both still loadable; squashfs is the entry the Part 1 misspelling fix targets.
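Before pushing `install vfat /bin/true` to a host it is worth knowing whether anything on it actually is a vfat filesystem: on UEFI machines the EFI system partition mounted at /boot/efi is vfat, and the benchmark's own note on this control warns that disabling the module there can break booting. Here is an added example (mine, not a state from the repo) with the two checks a pre-flight could run: one parses a mounts file (`/proc/mounts` by default) for mounts of a given type, the other parses modprobe.d files for a CIS-style `install <module> /bin/true` line (also accepting `/bin/false`, which equally prevents loading), which is the same question `modprobe -n -v` answers in the Qualys output above. The sample mounts and modprobe.d contents are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before blacklisting a filesystem module.

# fs_mounted FSTYPE [MOUNTS_FILE] -> exit 0 if a mount of that type exists.
# MOUNTS_FILE defaults to /proc/mounts (fields: dev mountpoint fstype ...).
fs_mounted() {
    awk -v t="$1" '$3 == t { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# module_disabled MODULE CONF... -> exit 0 if one of the modprobe.d files maps
# the module's install command to /bin/true or /bin/false (CIS 1.1.1.x style).
module_disabled() {
    mod=$1
    shift
    grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)([[:space:]].*)?$" "$@"
}

# efi_host -> exit 0 when the machine booted via UEFI (then /boot/efi is vfat)
efi_host() {
    [ -d /sys/firmware/efi ]
}

# vfat_blacklist_safe [MOUNTS_FILE] -> 0 when no vfat mount exists, 1 otherwise
vfat_blacklist_safe() {
    if fs_mounted vfat "${1:-/proc/mounts}"; then
        echo "vfat is in use; do not add 'install vfat /bin/true' on this host" >&2
        return 1
    fi
    return 0
}

# Constructed samples (not from a real host): a UEFI-style mount table and a
# CIS.conf that disables squashfs but not vfat.
mounts=$(mktemp)
conf=$(mktemp)
printf '/dev/sda2 / xfs rw 0 0\n/dev/sda1 /boot/efi vfat rw,umask=0077 0 0\n' > "$mounts"
printf 'install cramfs /bin/true\ninstall squashfs /bin/true\ninstall udf /bin/true\n' > "$conf"

vfat_blacklist_safe "$mounts" || echo "skip the vfat line for this host"
module_disabled squashfs "$conf" && echo "squashfs: disabled"
module_disabled vfat "$conf" || echo "vfat: still loadable"
rm -f "$mounts" "$conf"
```

On a real host call `vfat_blacklist_safe` with no argument (it reads /proc/mounts) and `module_disabled vfat /etc/modprobe.d/*.conf`; a host that is both `efi_host` and vfat-free is unusual and worth a second look before trusting the result.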
####
Control ID: 10664
Statement: Status of the 'OPTIONS' setting within '/etc/sysconfig/chronyd' file
ref #: 2.2.1.3 (v2.2.0) (2.2.1.2 v3.0.0)
This needs to be figured out.
```
# grep ^OPTIONS /etc/sysconfig/chronyd
OPTIONS="-u chrony"
```
See packer/lcp/vmware/salt/cis-hardening-rhel-7/section-2.sls and salt/fileroots/os_modifications/timezone.sls.
Chrony was already running as the chrony user.
####
Control ID: 4997
Statement: Current list of 'NTP servers' defined within '/etc/ntp.conf'
Reference #: 2.2.1.2
ntp is not installed; chrony is used. The time servers are the `server`/`pool` lines in /etc/chrony.conf, and `OPTIONS="-u chrony"` belongs in /etc/sysconfig/chronyd (not in /etc/chrony.conf).
See salt/fileroots/os_modifications/timezone.sls
####
Control ID: 10665
Statement: Status of the default deny firewall policy
ref #: 3.6.2
This needs to be figured out. Possible exception for security groups? Why have the FW without default deny?
####
Control ID: 10666
Statement: Status of the '$FileCreateMode' setting within '/etc/rsyslog.conf' file
ref #: 4.2.1.3 (v2.2.0) (4.2.1.4 v3.0.0)
This needs to be figured out.
packer/lcp/vmware/salt/cis-hardening-rhel-7/section-4.sls
packer/scripts/aws-hardening.sh
####
Control ID: 10667
Statement: Status of the 'perm' option within '/etc/syslog-ng/syslog-ng.conf' file
ref #: 4.2.2.3
Exception for C2 servers. LCP servers have syslog-ng installed.
####
Control ID: 10669
Statement: Status of the 'password hashing algorithm' setting within '/etc/pam.d/system-auth' file
ref #: 5.3.4 (v2.2.0) (5.3.3 v3.0.0)
Exception? Users don't use passwords? What about service accounts?
This needs to be figured out. sha512 is set in password-auth, but system-auth has no `password sufficient pam_unix.so` line at all:
```
[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
[gc-prod]brad.poulton@salt-master:~:$
```
On RHEL 7 both files are generated by authconfig (they are symlinks to system-auth-ac and password-auth-ac), so the durable fix is `authconfig --passalgo=sha512 --update`; hand edits to the files are overwritten the next time authconfig runs.
####
Control ID: 10671
Statement: Status of the 'syslog-ng' service
ref #: 4.2.2.1 (v2.2.0) ( not found in v3.0.0)
Exception! COMP-46
####
Control ID: 10672
Statement: Status of the installed 'syslog-ng' package on the host
ref #: 4.2.3 (v2.2.0) ( not found in v3.0.0)
Exception! COMP-46
####
Control ID: 10673
Statement: Status of the 'permission' set for all logfiles in '/var/log' directory
ref #: 4.2.4 (v2.2.0) (4.2.3 v3.0.0)
CIS audit: `find /var/log -type f -perm /g+wx,o+rwx -exec ls -l {} \;`
CIS remediation: `find /var/log -type f -exec chmod g-wx,o-rwx {} +`
This needs to be figured out.
####
Control ID: 10675
Statement: Status of the 'loopback traffic' setting
ref #: 3.6.3 (v2.2.0) (3.5.3.2.2 v3.0.0)
This needs to be figured out. See CIS workbench.
####
Control ID: 10676
Statement: Status of the 'iptables rules' for all 'open ports' on the host
ref #: 3.6.5 (v2.2.0) (3.5.3.2.4 v3.0.0)
This needs to be figured out. Possible exception for security groups? If we add a default deny we will need these.
####
Control ID: 10724
Statement: Status of the 'user-db' parameter in '/etc/dconf/profile/gdm'
ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! No GNOME display manager installed.
####
Control ID: 10725
Statement: Status of the 'system-db' parameter in '/etc/dconf/profile/gdm'
ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! No GNOME display manager installed.
####
Control ID: 10726
Statement: Status of the 'file-db' parameter in /etc/dconf/profile/gdm
ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! No GNOME display manager installed.
####
Control ID: 10732
Statement: Status of the 'Maximum Password Age' setting (expiration) for 'users with a password' setting
ref #: 5.4.1.1
exception! teleport COMP-33
####
Control ID: 10733
Statement: Status of the 'Minimum Password Age' for 'users with a password' setting
ref #: 5.4.1.2
exception! teleport COMP-33
####
Control ID: 10734
Statement: Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at logi
ref #: 5.4.1.3
exception! teleport COMP-33
####
Control ID: 10735
Statement: Status of the 'Maximum number of days of inactivity allowed before a user account is locked out' for 'users
ref #: 5.4.1.4 (v2.2.0) (5.4.1.5 v3.0.0)
exception! teleport COMP-33
####
Control ID: 10823
Statement: Status of the home directory ownership and permissions for the system accounts defined within the /etc/passwd file / Ensure users' home directories permissions are 750 or more restrictive
ref #: 6.2.8 (v2.2.0) (6.2.6 v3.0.0)
Possible exception for the splunk user?
```
[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
```
####
Control ID: 10824
Statement: Status of the home directory ownership and permissions for the user accounts (non-system users) defined within the /etc/passwd file
ref #: 6.2.8 (v2.2.0) (6.2.6 v3.0.0)
Possible exception for the splunk user?
```
[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
```
####
Control ID: 10848
Statement: Status of the 'ExecStart' setting in '/usr/lib/systemd/system/ntpd.service'
ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
False Positive. ntp is not installed. Chrony is used.
####
Control ID: 10859
Statement: Status of the 'periodically scheduled (crontab)' aide check (/etc/cron.* and /etc/crontab)
ref #: 1.3.2 (v2.2.0) (1.4.2 v3.0.0)
False positive: Qualys looks for the stock `aide` command in cron; ours runs through a wrapper script:
```
# SALT_CRON_IDENTIFIER:AIDE
@daily /usr/local/bin/aide-run.sh > /dev/null 2>&1
```
####
Control ID: 12751
Statement: Status of ownership set for the /boot/grub2/user.cfg
ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)
False positive: the file does not exist.
```
[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
stat: cannot stat '/boot/grub2/user.cfg': No such file or directory
```
####
Control ID: 12752
Statement: Status of permission set for the /boot/grub2/user.cfg
ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)
False positive: the file does not exist.
```
[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
stat: cannot stat '/boot/grub2/user.cfg': No such file or directory
```
####
Control ID: 12785
Statement: Status of the 'fs.suid_dumpable' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 1.5.1 (v2.2.0) (1.6.1 v3.0.0)
False positive: the Qualys regex anchors at `=\s*0\s*$`, so the trailing `# CIS 1.5.1` comment on the same line stops it matching; move the comment to its own line. The same applies to the other sysctl entries below. Set in packer/scripts/aws-hardening.sh.
Qualys: the list string value(s) X indicate the current fs.suid_dumpable setting in the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/; each returned line is filename, setting name and value.
Expected: matches `^[^:]+:\s*fs.suid_dumpable\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:fs.suid_dumpable = 0 # CIS 1.5.1
```
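Added example (mine, not from the page, the hardening script or the Qualys policy) that reproduces the check and the fix for this and the following sysctl entries (12786 through 12793): the Qualys pattern is run over `file:line` pairs the way a scanner would produce them, it fails on the line above because the pattern anchors at `0\s*$` and the inline `# CIS 1.5.1` comment sits after the value, and an awk normaliser moves such comments onto their own line so the CIS reference survives while the pattern matches. `\s` is written as `[[:space:]]` for portability; the file contents are constructed.

```shell
#!/bin/sh
# Added example: emulate the Qualys sysctl.d check, show why an inline
# comment after the value fails it, and fix the file without losing the
# "# CIS x.x.x" reference. Sample files are constructed, not from a host.

# sysctl_setting_ok KEY VALUE FILE... -> exit 0 if some "file:line" pair
# matches the Qualys pattern ^[^:]+:\s*KEY\s*=\s*VALUE\s*$ (\s written as
# [[:space:]] here so the check is portable across grep implementations)
sysctl_setting_ok() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dots in the key
    val_re=$2
    shift 2
    awk '{ print FILENAME ":" $0 }' "$@" |
        grep -Eq "^[^:]+:[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*${val_re}[[:space:]]*$"
}

# strip_inline_comments FILE -> FILE with every trailing "# ..." comment
# moved onto its own line directly above the setting it annotated
strip_inline_comments() {
    awk '
        $0 ~ "^[[:space:]]*#" { print; next }   # full-line comment: keep as is
        {
            i = index($0, "#")
            if (i == 0) { print; next }         # no comment on this line
            setting = substr($0, 1, i - 1)
            sub("[[:space:]]+$", "", setting)   # drop the gap before the "#"
            print substr($0, i)                 # the comment, now on its own line
            print setting                       # the bare key = value line
        }' "$1"
}

# Constructed sample mirroring the Qualys "Current Value" above
conf=$(mktemp)
printf 'fs.suid_dumpable = 0 # CIS 1.5.1\nkernel.randomize_va_space = 2 # CIS 1.5.3\n' > "$conf"
if sysctl_setting_ok fs.suid_dumpable 0 "$conf"; then
    echo "as shipped: passes"
else
    echo "as shipped: fails (inline comment after the value)"
fi
fixed=$(mktemp)
strip_inline_comments "$conf" > "$fixed"
if sysctl_setting_ok fs.suid_dumpable 0 "$fixed"; then
    echo "comment moved to its own line: passes"
fi
rm -f "$conf" "$fixed"
```

Running `strip_inline_comments` once over `/etc/sysctl.d/99-sysctl.conf` (or applying the same layout in the hardening script and the salt-managed copy) clears all nine findings in one go, and `sysctl_setting_ok` can be kept as a pre-scan check so the comment layout does not regress.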
####
Control ID: 12786
Statement: Status of the 'kernel.randomize_va_space' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 1.5.3 (v2.2.0) (1.6.3 v3.0.0)
False positive: the trailing `# CIS 1.5.3` comment breaks the Qualys regex (anchored at `=\s*2\s*$`); move the comment to its own line. Set in packer/scripts/aws-hardening.sh.
Expected: matches `^[^:]+:\s*kernel.randomize_va_space\s*=\s*2\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 # CIS 1.5.3
```
####
Control ID: 12787
Statement: Status of the 'net.ipv4.ip_forward' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)
False positive: the trailing `# CIS 3.1.1` comment breaks the Qualys regex (anchored at `=\s*0\s*$`); move the comment to its own line. Set in packer/scripts/aws-hardening.sh.
Expected: matches `^[^:]+:\s*net\.ipv4\.ip_forward\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:net.ipv4.ip_forward = 0 # CIS 3.1.1
```
####
Control ID: 12788
Statement: Status of the 'net.ipv4.conf.all.send_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.1.2 (v2.2.0) (3.2.2 v3.0.0)
False positive: the trailing `# CIS 3.1.2` comment breaks the Qualys regex (anchored at `=\s*0\s*$`); move the comment to its own line.
Recommend using salt to manage the file post golden image. Set in packer/scripts/aws-hardening.sh.
Expected: matches `^[^:]+:\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.send_redirects = 0 # CIS 3.1.2
```
####
Control ID: 12789
Statement: Status of the 'net.ipv4.conf.default.send_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.1.2 (v2.2.0) (3.2.2 v3.0.0)
False positive: the trailing `# CIS 3.1.2` comment breaks the Qualys regex (anchored at `=\s*0\s*$`); move the comment to its own line. Set in packer/scripts/aws-hardening.sh.
Expected: matches `^[^:]+:\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.send_redirects = 0 # CIS 3.1.2
```
####
Control ID: 12790
Statement: Status of the 'net.ipv4.conf.all.accept_source_route' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.2.1 (v2.2.0) (3.3.1 v3.0.0)
False positive: the trailing `# CIS 3.2.1` comment breaks the Qualys regex (anchored at `=\s*0\s*$`); move the comment to its own line. Set in packer/scripts/aws-hardening.sh. Note that the uncommented /usr/lib/sysctl.d/50-default.conf line does match the pattern, so the check evidently requires every returned line to match, not just one.
Expected: matches `^[^:]+:\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.accept_source_route = 0 # CIS 3.2.1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.all.accept_source_route = 0
```
####
Control ID: 12791
Statement: Status of the 'net.ipv4.conf.default.accept_source_route' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.2.1 (v2.2.0) (3.3.1 v3.0.0)
False positive: the trailing `# CIS 3.2.1` comment breaks the Qualys regex (anchored at `=\s*0\s*$`); move the comment to its own line. Set in packer/scripts/aws-hardening.sh. As with the previous control, the uncommented /usr/lib/sysctl.d/50-default.conf line matches and the commented one does not.
Expected: matches `^[^:]+:\s*net\.ipv4\.conf\.default\.accept_source_route\s*=\s*0\s*$`. Current value(s), last updated 06/10/2021 05:25:24 PM (GMT-0400):
```
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.accept_source_route = 0 # CIS 3.2.1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.accept_source_route = 0
```
####
Control ID: 12792
Statement: Status of the 'net.ipv4.conf.all.accept_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.2.2 (v2.2.0) (3.3.2 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
The following List String value(s) x indicates the current status of net.ipv4.conf.all.accept_redirects setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)======
matches regular expression list
^[^:]+:\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.accept_redirects = 0 # CIS 3.2.2
####
Control ID: 12793
Statement: Status of the 'net.ipv4.conf.default.accept_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.2.2 (v2.2.0) (3.3.2 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12796
Statement: Status of the 'net.ipv4.conf.all.log_martians' network parameter configured under '/etc/sysctl.d/'
ref #: 3.2.4 (v2.2.0) (3.3.4 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12797
Statement: Status of the 'net.ipv4.conf.default.log_martians' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories
ref #: 3.2.4 (v2.2.0) (3.3.4 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12798
Statement: Status of the 'net.ipv4.icmp_echo_ignore_broadcasts' network parameter
ref #: 3.2.5 (v2.2.0) (3.3.5 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12799
Statement: Status of the 'net.ipv4.icmp_ignore_bogus_error_responses' network parameter
ref #: 3.2.6 (v2.2.0) (3.3.6 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12800
Statement: Status of the 'net.ipv4.conf.all.rp_filter' network parameter
ref #: 3.2.7 (v2.2.0) (3.3.7 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12801
Statement: Status of the 'net.ipv4.conf.default.rp_filter' network parameter
ref #: 3.2.7 (v2.2.0) (3.3.7 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
####
Control ID: 12802
Statement: Status of the 'net.ipv4.tcp_syncookies' network parameter
ref #: 3.2.8 (v2.2.0) (3.3.8 v3.0.0)
False positive: the trailing `# CIS x.x.x` comment on the setting's line keeps the scanner regex from matching; recommend moving the comment off that line.
packer/scripts/aws-hardening.sh
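To see why the trailing comment trips the sysctl checks above, here is an added Python example (not Qualys' code and not the project's hardening script) that applies the "Expected Value(s)" regex from the findings to constructed sysctl drop-in files, then re-runs it after the `# CIS x.x.x` comments have been moved onto their own lines. It assumes the scanner requires every returned `filename:line` record to match, which is consistent with control 12790 being flagged even though the `/usr/lib/sysctl.d/50-default.conf` line matched; the file contents and the `scanner_passes` and `move_trailing_comments` helpers are constructed for the demo.

```python
# Added example: emulate the scanner's "filename:key = value" regex check over
# constructed sysctl drop-in files. Not Qualys' code or the project's scripts.
import re

# Constructed sample files. The trailing "# CIS x.x.x" comment on the same line
# as the setting is what the findings above call out.
SAMPLE_FILES = {
    "/usr/lib/sysctl.d/50-default.conf": (
        "net.ipv4.conf.all.accept_source_route = 0\n"
        "net.ipv4.conf.default.accept_source_route = 0\n"
    ),
    "/etc/sysctl.d/99-sysctl.conf": (
        "# Hardening drop-in (constructed sample)\n"
        "net.ipv4.conf.default.send_redirects = 0 # CIS 3.1.2\n"
        "net.ipv4.conf.all.accept_source_route = 0 # CIS 3.2.1\n"
        "net.ipv4.conf.all.accept_redirects = 0 # CIS 3.2.2\n"
    ),
}


def expected_value_regex(key):
    """The pattern listed under 'Expected Value(s)' for one key: value 0, then end of line."""
    return re.compile(r"^[^:]+:\s*" + re.escape(key) + r"\s*=\s*0\s*$")


def collect_records(files, key):
    """The 'filename:line' records the scanner reports for a key (comment lines skipped)."""
    key_re = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    records = []
    for path, text in files.items():
        for line in text.splitlines():
            if key_re.match(line):
                records.append(path + ":" + line)
    return records


def scanner_passes(files, key):
    """Assumption: the control passes only if every reported record matches the regex."""
    records = collect_records(files, key)
    pattern = expected_value_regex(key)
    return bool(records) and all(pattern.match(r) for r in records)


def move_trailing_comments(text):
    """Rewrite 'key = value # comment' as a comment line followed by the bare setting."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\s*[^#=\s]+\s*=\s*[^#]*?)\s*(#.*)$", line)
        if m:
            out.append(m.group(2))   # the comment keeps the CIS reference
            out.append(m.group(1))   # the setting now ends right after its value
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def fixed_files(files):
    """Apply move_trailing_comments to every sample file."""
    return {path: move_trailing_comments(text) for path, text in files.items()}


if __name__ == "__main__":
    for key in ("net.ipv4.conf.default.send_redirects",
                "net.ipv4.conf.all.accept_source_route"):
        print(key, "before:", scanner_passes(SAMPLE_FILES, key),
              "after:", scanner_passes(fixed_files(SAMPLE_FILES), key))
```

The emulation covers only the scanner side of the finding. Whether the running kernel value is actually 0 is a separate check; `sysctl net.ipv4.conf.default.send_redirects` on the host reports it directly.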
####
Control ID: 12807
Statement: Status of the 'Last password change' setting for user
ref #: 5.4.1.5 (v2.2.0) (5.4.1.6 v3.0.0)
exception!
####
Control ID: 12814
Statement: List of runtime audit rules for '/etc/group' file, using auditctl
ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
####
Control ID: 12815
Statement: List of runtime audit rules for '/etc/passwd' file, using auditctl
ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
####
Control ID: 12816
Statement: List of runtime audit rules for '/etc/gshadow' file, using auditctl
ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
####
Control ID: 12817
Statement: List of runtime audit rules for '/etc/shadow' file, using auditctl
ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
####
Control ID: 12884
Statement: Status of 'umask' setting in /etc/profile and /etc/profile.d/*.sh files
ref #: 5.4.4 (v2.2.0) (5.4.6 v3.0.0)
False positive. The Qualys regex does not accept "022".
umask configured here: packer/scripts/aws-hardening.sh
```
[gc-prod]brad.poulton@salt-master:~:$ grep -Ev '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc | grep -E '(^|^[^#]*)umask'
/etc/profile: umask 022
/etc/bashrc: umask 022
[gc-prod]brad.poulton@salt-master:~:$ grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc
/etc/profile: umask 027
/etc/bashrc: umask 027
```
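As an added Python example (not Qualys' check and not from this page's author), the snippet below applies the same umask regex used in the grep above to a constructed /etc/profile-style file, splitting lines into compliant and non-compliant exactly as the two greps do, and also works out what each umask value yields for newly created files and directories. The RHEL-style conditional block and the `classify` and `default_modes` helpers are constructed for the demo.

```python
# Added example: evaluate the CIS 5.4.4 umask regex over constructed profile
# lines and show the resulting default file/directory modes. Not Qualys' code.
import re

# The expected-umask pattern from the grep command above (CIS 5.4.4).
UMASK_RE = re.compile(
    r"^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|"
    r"u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$"
)

# Constructed sample: a RHEL-style conditional block followed by a hardened line.
SAMPLE_PROFILE = """\
# /etc/profile (constructed sample)
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi
umask 027   # CIS 5.4.4
"""


def umask_lines(text):
    """Every line that sets a umask outside a comment, as the second grep selects them."""
    return [line for line in text.splitlines() if re.search(r"(^|^[^#]*)umask", line)]


def compliant(line):
    """True when the line matches the CIS regex (027 or stricter, or the u=/g=/o= form)."""
    return UMASK_RE.match(line) is not None


def classify(text):
    """Split umask lines into (compliant, non_compliant), mirroring the two greps above."""
    lines = umask_lines(text)
    return [l for l in lines if compliant(l)], [l for l in lines if not compliant(l)]


def default_modes(umask_octal):
    """Default mode of a new file and a new directory under a umask (base 0666 / 0777)."""
    mask = int(umask_octal, 8)
    return format(0o666 & ~mask, "03o"), format(0o777 & ~mask, "03o")


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_PROFILE)
    print("compliant:", ok)
    print("non-compliant:", bad)
    for value in ("022", "027"):
        print("umask", value, "-> file/dir", default_modes(value))
```

The regex accepts only values whose last octal digit is 7, so "022" (others keep read access: new files 644, directories 755) is rejected while "027" (new files 640, directories 750) passes; that is the difference the two grep runs above show.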
####
Control ID: 13241
Statement: Status of the remember setting for pam_unix.so or pam_pwhistory.so module in /etc/pam.d/password-auth file
ref #: 5.3.3 (v2.2.0) (5.3.4 v3.0.0)
This needs to be figured out. Possible exception.
####
Control ID: 13242
Statement: Status of the remember setting for pam_unix.so or pam_pwhistory.so module in /etc/pam.d/system-auth file
ref #: 5.3.3 (v2.2.0) (5.3.4 v3.0.0)
This needs to be figured out. Possible exception.
####
Plugin Name: 4.1.2.1 Ensure audit log storage size is configured
Plugin ID:
max_log_file = 512
exception
####
Plugin Name: 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)
####
Plugin Name: 1.1.6 Ensure /dev/shm is configured - fstab
Tenable: the fstab entry does not match the plugin's regex because the `defaults` option is missing. `defaults` is not needed, but it also does no harm.
Suggestion: change the device field from `none` to `tmpfs` in packer/scripts/aws-partition-lvms.sh. Does this conflict with anything?
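Here is an added Python example (not Tenable's plugin and not the project's partitioning script) that checks the /dev/shm entry on its parsed fstab fields instead of on an exact string, so the `none` versus `tmpfs` device field and the presence or absence of `defaults` do not change the outcome; only the mount options CIS 1.1.6 asks for (nodev, nosuid, noexec) do. The fstab lines and the `shm_status` helper are constructed for the demo.

```python
# Added example: a field-based check of the /dev/shm fstab entry. Not Tenable's
# plugin logic or the project's scripts.

# Mount options CIS 1.1.6 expects on /dev/shm.
REQUIRED_SHM_OPTS = {"nodev", "nosuid", "noexec"}

# Constructed fstab samples: all three mount a tmpfs on /dev/shm.
FSTAB_NONE = "none   /dev/shm  tmpfs  nodev,nosuid,noexec           0 0\n"
FSTAB_TMPFS = "tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0\n"
FSTAB_WEAK = "tmpfs  /dev/shm  tmpfs  defaults                      0 0\n"


def parse_fstab(text):
    """Parse non-comment fstab lines into dicts with spec, mountpoint, fstype and options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                     # dump/pass columns are optional
            continue
        entries.append({
            "spec": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": set(fields[3].split(",")),
        })
    return entries


def shm_status(text):
    """Return (configured, missing_options) for the /dev/shm tmpfs entry."""
    for entry in parse_fstab(text):
        if entry["mountpoint"] == "/dev/shm" and entry["fstype"] == "tmpfs":
            return True, sorted(REQUIRED_SHM_OPTS - entry["options"])
    return False, sorted(REQUIRED_SHM_OPTS)


if __name__ == "__main__":
    for name, sample in (("none", FSTAB_NONE), ("tmpfs", FSTAB_TMPFS), ("weak", FSTAB_WEAK)):
        configured, missing = shm_status(sample)
        print(name, "configured:", configured, "missing:", missing)
```

Both the `none` and the `tmpfs` spellings come back as configured with nothing missing, and the entry that only carries `defaults` is reported with all three hardening options absent, which is the condition that actually matters for the control.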
####
Plugin Name: 1.2.3 Ensure gpgcheck is globally activated
Non-compliant file: /etc/yum.repos.d/msoc.repo
exception
####
Plugin Name: 4.2.1.3 Ensure rsyslog default file permissions configured
See Qualys: 10666
Will this break Splunk log collection?
####
Plugin Name: 4.2.2.1 Ensure journald is configured to send logs to rsyslog
Forward journald logs to Splunk. [Get data with the Journald input](https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/CollecteventsfromJournalD)
Exception, or pull the journald logs instead?
####
Plugin Name: 4.2.2.2 Ensure journald is configured to compress large log files
Not found in v2.2.0
Added new file
####
Plugin Name: 4.2.3 Ensure permissions on all logfiles are configured
####
Plugin Name: 6.2.7 Ensure users own their home directories
The home directory (/etc/vault) of user vault is owned by root.
exception?