CIS Benchmarks Process.md

This CIS certified policy for Red Hat Enterprise Linux 7 is based on the CIS Benchmark for Red Hat Enterprise Linux 7, v2.2.0. The policy contains Level 1 and Level 2, Scored types of checks from the benchmark.

There is no clear approval process in the configuration deviations ticketing system. Deviations from the CIS benchmarks not accounted for in deviation documents.

https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/CIS-Exceptions

To resolve the POAM we need a process for CIS benchmarks. Should we use the MSOCI jira queue to manage this?

Use the compliance project (COMP) use the CIS Execption template ( https://jira.xdr.accenturefederalcyber.com/browse/COMP-29 )

saltless master in packer packer/lcp/vmware/lcp-vmware.pkr.hcl

packer/scripts/salt-virtualenv-minion.sh

  "../../scripts/salt-virtualenv-minion.sh",

Does the CIS Hardening

provisioner "salt-masterless" {

skip_bootstrap     = true
salt_bin_dir       = "/mnt/bin"
local_state_tree   = "./salt"
remote_state_tree  = "/mnt/srv/salt"
temp_config_dir    = "/mnt/tmp/salt"
salt_call_args     = "-c /mnt/etc/salt"
no_exit_on_failure = true

}

migrate packer salt states

some checks are NOT IMPLEMENTED because they are set by default

Packer gets us 90% to CIS and salt fine tunes and gets us to 100% and it is ok that they are duplicated because salt is the final say.

Both AWS and Vmware are usign the masterless salt.

LCPs afs-splunk-ds-1 afs-splunk-ds-2 afs-splunk-ds-4 afs-splunk-syslog-1 afs-splunk-syslog-2 afs-splunk-syslog-3 afs-splunk-syslog-4 afs-splunk-syslog-7 afs-splunk-syslog-8 bas-splunk-ds-1 bas-splunk-syslog-1 bas-splunk-syslog-2 ca-c19-splunk-ds-1 ca-c19-splunk-syslog-1 ca-c19-splunk-syslog-2 frtib-splunk-ds-1 frtib-splunk-ds-3 frtib-splunk-syslog-1 frtib-splunk-syslog-2 frtib-splunk-syslog-5 frtib-splunk-syslog-6 nga-splunk-ds-1 nga-splunk-syslog-1 nga-splunk-syslog-2 nihors-splunk-ds-1 nihors-splunk-syslog-1 nihors-splunk-syslog-2

######################## #

EXCEPTIONS

# #########################

Control ID: 1073 Statement: Status of the 'Maximum Password Age' setting (expiration) / Accounts having the 'password never expires' flag set Control Number:5.57 Reference #: 5.4.1.1.a Framework: CIS Benchmark for Red Hat Enterprise Linux 7 3.1.1, § 5.5.1.1 The following Integer value X indicates the current status of the PASS_MAX_DAYS setting as defined within the /etc/login.defs file.

in range 1-365

Salt State: packer/lcp/vmware/salt/cis-hardening-rhel-7/section-5.sls

Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris

exception!

###### Control ID: 1072 Statement: Status of the 'Minimum Password Age' setting Control Number: 5.59 Reference #: 5.4.1.2.a The following Integer value X indicates the current PASS_MIN_DAYS setting within the /etc/login.defs file.

greater than or equal to 7

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

PASS_MIN_DAYS [DAYS]

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris

exception!

###### Control ID: 1417 Statement: Existence of the 'cron.deny' file Control Number: 5.14 Reference #: 5.1.8

salt file created! needs to be deployed

##### Control ID: 4437 Statement: Current list of hosts defined within the 'hosts.allow' file Reference #: 3.4.2

Exception!

##### Control ID: 4438 Statement: Status of the hosts defined within the hosts.deny file Reference #: 3.4.3

Exception!

##### Control ID: 4726 Statement: Current 'UMASK' setting for the '/etc/bashrc or /etc/bash.bashrc' file Reference #: 5.4.5/5.4.6

False positive. Qualys regex doesn't work with "022" umask configured here: packer/scripts/aws-hardening.sh

CIS provided grep command:

grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc

##### Control ID: 4997 Statement: Current list of 'NTP servers' defined within '/etc/ntp.conf' Reference #: 2.2.1.2

False Positive. ntp is not installed. Chrony is used.

##### Control ID: 5215 Statement:Status of the 'AllowGroups' setting in the 'sshd_config' file Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)

Exception!

##### Control ID: 5217 Statement:Status of the 'AllowUsers' setting in the 'sshd_config' file Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)

Exception!

##### Control ID: 5222 Statement:Status of the 'ClientAliveInterval' setting in the 'sshd_config' file Ref #: 5.2.12 (v2.2.0) (5.2.16 - v3.0.0)

Exception! Handled by Teleport

##### Control ID:5224 Statement:Status of the 'DenyGroups' setting in the 'sshd_config' file Ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)

Exception! Handled by Teleport

##### Control ID: 5225 Statement:Status of the 'DenyUsers' setting in the 'sshd_config' file ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)

Exception! Handled by Teleport

##### Control ID: 5283/17996 Statement:Status of the 'MACs' setting in the '/etc/ssh/sshd_config' file ref #: 5.2.11 (v2.2.0) (5.2.14 v3.0.0)

Adjusted sshd_config

##### Control ID: 5963 Statement: Status of the current setting for 'net.ipv4.ip_forward' network parameter ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)

10.40.20.42 - openvpn ( required for VPN ) 10.40.24.97 - ghe-backup (docker) 10.40.32.16 - customer-portal (docker) 10.40.32.56 - customer-portal (docker)

Exception! Handled by Teleport

#### Control ID: 7339 Statement: Status of the 'Permissions' settings for the '/etc/cron.d' directory ref #: 5.1.7

This needs to be set. Currently it is 755. Salt state needs to be created.

### Control ID: 7408 Statement: Current list of world writable directories that do not have the sticky bit configurd ref #: 1.1.21 (v2.2.0) (1.1.24 v3.0.0) (1.1.22 v3.0.1)

/var/log/bash_history Modified here: salt/fileroots/os_modifications/tty_history.sls

I don't think this is needed anymore thanks to teleport No files are stored in that directory

### Control ID:7417 Statement: Current list of user accounts with 'existing home directories' defined in /etc/passwd and not present on the ref#: 6.2.7

10.40.30.24 (phantom) git-user:/home/git-user phantom-worker:/home/phantom-worker 10.40.28.74 (fm-shared-search) I added the dir. should clean it up. george_starcher:/home/george_starcher /etc/passwd george_starcher:x:60005:60005:sft-managed:/home/george_starcher:/bin/bash

Exception!

### Control ID:7418 Statement: Status of the current 'unowned' files and directories on the host ref #: 6.1.11

/home/shahid_mahmood /home/shahid_mahmood/.bashrc /home/shahid_mahmood/.bash_logout /home/shahid_mahmood/.bash_profile /home/shahid_mahmood/.zshrc

changed ownership to root:

#### Control ID: 7419 statement: Status of the current 'ungrouped' files and directories on the host ref #: 6.1.12

/home/shahid_mahmood /home/shahid_mahmood/.bashrc /home/shahid_mahmood/.bash_logout /home/shahid_mahmood/.bash_profile /home/shahid_mahmood/.zshrc

changed ownership to root:

#### Control ID: 7451 statement: Status of the 'restrict -6 default' setting in the '/etc/ntp.conf' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)

Exception!

#### Control ID: 7457 Statement:Status of the 'OPTIONS' setting in the '/etc/sysconfig/ntpd' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)

Exception!

#### Control ID: 7458 Statement: Status of the 'inet_interfaces' setting in the '/etc/postfix/main.cf' file ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)

10.40.0.96 / mailrelay

Exception!

#### Control ID: 7949 Statement:Status of the 'unconfined daemons' on the host ref #: 1.6.1.6 (v2.2.0) (1.7.1.7 v3.0.0)

The host should not have 'unconfined daemons' which are daemons that are not defined in SELinux policy and inherit permissions from parent processes. Unconfined daemons are daemons without proper permissions and present security risks to the host and this check should be regularly performed and reviewed according to the needs of the business. NOTE: This check should produce NO unconfined daemons on the list.

unconfined daemons mongod splunkd

Exception!

#### Control ID: 8327 Statement:Status of the 'world-writable' files and directories on the host ref #: 6.1.10

The following List String value(s) X indicate the status of local world-writable files and directories.

======Expected Value(s)======

File not found ------------ OR ------------ does not contain regular expression list .+

======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== root:root:drwxrwxrwt.:/dev/mqueue root:root:drwxrwxrwt.:/dev/shm root:root:drwxrwxrwt.:/opt/tmp root:root:drwxrwxrwt.:/tmp root:root:drwxrwxrwt.:/tmp/.font-unix root:root:drwxrwxrwt.:/tmp/.ICE-unix root:root:drwxrwxrwt.:/tmp/.Test-unix root:root:drwxrwxrwt.:/tmp/.X11-unix root:root:drwxrwxrwt.:/tmp/.XIM-unix root:root:drwxrwxrwt.:/tmp/systemd-private-5e8298ad14-chronyd.service-vs5GMY/tmp root:root:drwxrwxrwt.:/var/tmp root:root:drwxrwxrwt.:/var/tmp/cloud-init root:root:drwxrwxrwx.:/var/log/bash_history

This needs to be figured out one by one. :-(

##### Control ID: 9380 Statement:Status of the Mail Transfer Agent for Local-Only Mode ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)

10.40.0.96 / mailrelay

Exception!

#### Control ID: 9391 Statement: Status of the System Accounts ref #: 5.4.2

10.40.30.24 / phantom

pgbouncer:x:993:989:PgBouncer Server:/home/pgbouncer:/bin/bash postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash

Exception!

#### Control ID: 9623 Statement: Status of the 'try_first_pass' setting within the '/etc/pam.d/system-auth' ref #: 5.3.1

This needs to be figured out. possible execption

#### Control ID: 9629 Statement: Status of the 'retry' parameter for login attempts defined within '/etc/pam.d/system-auth' ref #: 5.3.1

This needs to be figured out. possible execption

#### Control ID: 9881 Statement: Status of the 'httpd' service using systemd ref #: 2.2.10 (v2.2.0) (2.2.11 v3.0.0)

10.40.2.41/reposerver needs httpd

Exception!

#### Control ID: 10236 Statement: Status of the ownership set for the home directory of Non system User ref #: 6.2.9 (v2.2.0) (6.2.7 v3.0.0)

fm-shared-search phantom-0

This is a false positive. CIS benchamrk bash script does not show home directory ownership issues.

The following List string value(s) X indicate the ownership details for the user account home directories on the host. Each line in the result consists of the account name, UID, home-directory path followed by the actual owner of the home directory.

======Expected Value(s)======

Non-system users not found ------------ OR ------------ matches regular expression list ^(nfsnobody:.)|(([^:]+):.:\3)$

======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== brad_poulton:60010:/home/brad_poulton:brad_poulton brandon.naughton:50022:/home/brandon.naughton:brandon.naughton brandon_naughton:60012:/home/brandon_naughton:brandon_naughton centos:1001:/home/centos:centos charles.kuykendall:50021:/home/charles.kuykendall:charles.kuykendall charles_kuykendall:60014:/home/charles_kuykendall:charles_kuykendall colby_williams:60018:/home/colby_williams:colby_williams donald.wong:50023:/home/donald.wong:donald.wong donald_wong:150045:/home/donald_wong:donald_wong duane_waddle:60001:/home/duane_waddle:duane_waddle frederick_t_damstra:60017:/home/frederick_t_damstra:frederick_t_damstra george_starcher:60005:/home/george_starcher:Directory not found james_m_jarrett:150002:/home/james_m_jarrett:james_m_jarrett jeremy_cooper:150036:/home/jeremy_cooper:jeremy_cooper john_reuther:60003:/home/john_reuther:john_reuther j_kerr:50020:/home/j_kerr:j_kerr randy_coffman:60015:/home/randy_coffman:randy_coffman splunk:50009:/opt/splunk:splunk svc-qualys:50008:/home/svc-qualys:svc-qualys s_scott:150035:/home/s_scott:s_scott wesley_leonard:60009:/home/wesley_leonard:wesley_leonard

#### Control ID: 10480 Statement: Status of the 'restrict -4 default' setting in the '/etc/ntp.conf' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)

Exception! COMP-39

#### Control ID: 10655 Statement: Status of the 'vfat' Filesystems (modprobe) ref #: 1.1.1.8 (v2.2.0) (1.1.1.4 v3.0.0)

This needs to be figured out.

The List string value of X indicates the status of the file systems using modeprobe utility to check if the file system is mountable on the host.

======Expected Value(s)====== contains regular expression list vfat\s*:\s*install\s+/bin/true

======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== cramfs : install /bin/true freevxfs : install /bin/true hfs : install /bin/true hfsplus : install /bin/true jffs2 : install /bin/true squashfs : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/squashfs/squashfs.ko.xz udf : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/lib/crc-itu-t.ko.xz :install /bin/true vfat : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/fat.ko.xz :insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/vfat.ko.xz

Control ID: 10664 Statement: Status of the 'OPTIONS' setting within '/etc/sysconfig/chronyd' file ref #: 2.2.1.3 (v2.2.0) (2.2.1.2 v3.0.0)

This needs to be figured out.

# grep ^OPTIONS /etc/sysconfig/chronyd

OPTIONS="-u chrony"

See packer/lcp/vmware/salt/cis-hardening-rhel-7/section-2.sls

#### Control ID: 10665 Statement: Status of the default deny firewall policy ref #: 3.6.2

This needs to be figured out. possible execption for security groups? Why have the FW without default deny?

#### Control ID: 10666 Statement: Status of the '$FileCreateMode' setting within '/etc/rsyslog.conf' file ref #: 4.2.1.3 (v2.2.0) (4.2.1.4 v3.0.0)

This needs to be figured out. packer/lcp/vmware/salt/cis-hardening-rhel-7/section-4.sls packer/scripts/aws-hardening.sh

#### Control ID: 10667 Statement: Status of the 'perm' option within '/etc/syslog-ng/syslog-ng.conf' file ref #: 4.2.2.3

Exception for C2 servers. LCP servers have syslog-ng installed.

#### Control ID: 10669 Statement: Status of the 'password hashing algorithm' setting within '/etc/pam.d/system-auth' file ref #: 5.3.4 (v2.2.0) (5.3.3 v3.0.0)

exception? users don't use passwords? What about service accounts?

This needs to be figured out. Yes it is in password-auth, but not in system-auth. [gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok [gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth [gc-prod]brad.poulton@salt-master:~:$

#### Control ID: 10671 Statement: Status of the 'syslog-ng' service ref #: 4.2.2.1 (v2.2.0) ( not found in v3.0.0)

Exception! COMP-46

#### Control ID: 10672 Statement: Status of the installed 'syslog-ng' package on the host ref #: 4.2.3 (v2.2.0) ( not found in v3.0.0)

Exception! COMP-46

#### Control ID: 10673 Statement: Status of the 'permission' set for all logfiles in '/var/log' directory ref #: 4.2.4 (v2.2.0) (4.2.3 v3.0.0)

find /var/log -type f -perm /g+wx,o+rwx -exec ls -l {} \; This needs to be figured out.

#### Control ID: 10675 Statement: Status of the 'loopback traffic' setting ref #: 3.6.3 (v2.2.0) (3.5.3.2.2 v3.0.0)

This needs to be figured out. See CIS workbench.

#### Control ID: 10676 Statement: Status of the 'iptables rules' for all 'open ports' on the host ref #: 3.6.5 (v2.2.0) (3.5.3.2.4 v3.0.0)

This needs to be figured out. possible execption for security groups? if we add a default deny we will need these.

#### Control ID: 10724 Statement: Status of the 'user-db' parameter in '/etc/dconf/profile/gdm' ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)

Exception! no Gnome display manager

#### Control ID: 10725 Statement: Status of the 'system-db' parameter in '/etc/dconf/profile/gdm' ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)

Exception! no Gnome display manager

#### Control ID: 10726 Statement: Status of the 'file-db' parameter in /etc/dconf/profile/gdm ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)

Exception! no Gnome display manager

#### Control ID: 10732 Statement: Status of the 'Maximum Password Age' setting (expiration) for 'users with a password' setting ref #: 5.4.1.1

exception! teleport COMP-33

#### Control ID: 10733 Statement: Status of the 'Minimum Password Age' for 'users with a password' setting ref #: 5.4.1.2

exception! teleport COMP-33

#### Control ID: 10734 Statement: Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at logi ref #: 5.4.1.3

exception! teleport COMP-33

#### Control ID: 10735 Statement: Status of the 'Maximum number of days of inactivity allowed before a user account is locked out' for 'users ref #: 5.4.1.4 (v2.2.0) (5.4.1.5 v3.0.0)

exception! teleport COMP-33

#### Control ID: 10823 Statement: Status of the home directory ownership and permissions for the system accounts defined within the /etc/passwd file / Ensure users' home directories permissions are 750 or more restrictive ref #: 6.2.8 (v2.2.0) (6.2.6 v3.0.0)

Possible exception for splunk user?

[gc-prod]root@salt-master:~:# bash cis-deleteme.sh Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk

#### Control ID: 10824 Statement: Status of the home directory ownership and permissions for the user accounts (non-system users) defined within the /etc/passwd file ref #:6.2.8 (v2.2.0) (6.2.6 v3.0.0)

Possible exception for splunk user?

#### Control ID: 10848 Statement: Status of the 'ExecStart' setting in '/usr/lib/systemd/system/ntpd.service' ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)

False Positive. ntp is not installed. Chrony is used.

#### Control ID: 10859 Statement: Status of the 'periodically scheduled (crontab)' aide check (/etc/cron.* and /etc/crontab) ref #: 1.3.2 (v2.2.0) (1.4.2 v3.0.0)

False Positive. Qualys is looking for the vanilla aide.

SALT_CRON_IDENTIFIER:AIDE

@daily /usr/local/bin/aide-run.sh > /dev/null 2>&1

#### Control ID: 12751 Statement: Status of ownership set for the /boot/grub2/user.cfg ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)

false positive. [gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory

#### Control ID: 12752 Statement: Status of permission set for the /boot/grub2/user.cfg ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)

false positive. [gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory

#### Control ID: 12785 Statement: Status of the 'fs.suid_dumpable' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 1.4.1

False positive: recommend moving # CIS 1.5.1 to allow regex to work properly packer/scripts/aws-hardening.sh

The following List String value(s) x indicates the current status of fs.suid_dumpable setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.

======Expected Value(s)====== matches regular expression list ^[^:]+:\sfs.suid_dumpable\s=\s0\s$

======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:fs.suid_dumpable = 0 # CIS 1.5.1

#### Control ID: 12786 Statement: Status of the 'kernel.randomize_va_space' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 1.5.3 (v2.2.0) (1.6.3 v3.0.0)

False positive: recommend moving # CIS 1.5.x to allow regex to work properly packer/scripts/aws-hardening.sh

The following List String value(s) x indicates the current status of kernel.randomize_va_space setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.

======Expected Value(s)====== matches regular expression list ^[^:]+:\skernel.randomize_va_space\s=\s2\s$

======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 # CIS 1.5.3

#### Control ID: 12787 Statement: Status of the 'net.ipv4.ip_forward' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)