This CIS certified policy for Red Hat Enterprise Linux 7 is based on the CIS Benchmark for Red Hat Enterprise Linux 7, v2.2.0. The policy contains Level 1 and Level 2, Scored types of checks from the benchmark.
There is no clear approval process in the configuration deviations ticketing system. Deviations from the CIS benchmarks are not accounted for in deviation documents.
See CIS Exceptions in our GitHub.
To resolve the POAM we need a process for CIS benchmarks. Should we use the MSOCI JIRA queue to manage this?
Use the Compliance project (COMP-29) and use the CIS Exception template.
salt-masterless provisioner in Packer
packer/lcp/vmware/lcp-vmware.pkr.hcl
packer/scripts/salt-virtualenv-minion.sh
"../../scripts/salt-virtualenv-minion.sh",
This script does the CIS hardening.
provisioner "salt-masterless" {
  skip_bootstrap     = true
  salt_bin_dir       = "/mnt/bin"
  local_state_tree   = "./salt"
  remote_state_tree  = "/mnt/srv/salt"
  temp_config_dir    = "/mnt/tmp/salt"
  salt_call_args     = "-c /mnt/etc/salt"
  no_exit_on_failure = true
}
Some checks are NOT IMPLEMENTED because the setting is already the default.
Packer gets us about 50% of the way to CIS compliance and Salt fine-tunes the rest to get us to 100%. It is fine that some checks are duplicated in both, because Salt has the final say.
Both AWS and VMware use masterless Salt.
salt sensu* state.sls os_modifications.auditd --output-diff
salt sensu* state.sls os_modifications.timezone --output-diff
salt sensu* state.sls os_modifications.sshd_config --output-diff
salt sensu* state.sls os_modifications.modprobe --output-diff
salt sensu* state.sls os_modifications.disable_ipv6 --output-diff
salt sensu* state.sls os_modifications.audit_backlog_limit --output-diff
salt sensu* state.sls os_modifications.fstab --output-diff
salt sensu* state.sls os_modifications.sysctl --output-diff
salt sensu* state.sls os_modifications.rsyslog --output-diff
salt *com cmd.run 'systemctl start auditd'
salt sensu* state.sls os_modifications.disable_services --output-diff
salt sensu* state.sls os_modifications.sugroup --output-diff
salt sensu* state.sls os_modifications.sudo --output-diff
salt sensu* state.sls os_modifications.auditd --output-diff
salt sensu* state.sls os_modifications.sshd_config --output-diff
salt sensu* state.sls os_modifications.journald --output-diff
salt sensu* state.sls os_modifications.securetty --output-diff
salt sensu* state.sls os_modifications.tty_history --output-diff
salt sensu* state.sls os_modifications.timeout --output-diff
salt sensu* state.sls os_modifications.umask --output-diff
#Fix unowned files and dirs
salt sensu* cmd.run 'rm -rf /home/shahid_mahmood'
salt sensu* cmd.run 'rm -rf /home/donald_wong'
salt sensu* cmd.run 'rm -rf /home/randy_coffman'
salt sensu* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
salt sensu* cmd.run 'rm -rf /var/spool/mail/randy_coffman'
salt sensu* cmd.run 'rm -rf /var/spool/mail/donald_wong'
salt sensu* cmd.run "ls -larth /home | grep 'randy_coffman\|shahid_mahmood\|donald_wong'"
TODO
Server Groups First is Sensu
Second Group is
salt vault*
Third Group is limited internal, no customers.
salt -C '* not ( afs* or nga* or ma-* or dc-c19* or la-c19* or nihor* or bas-* or ca-c19* or frtib* or dgi* or threatq* or customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0* )'
Fourth Group is all internal, no customers.
salt -C 'customer* or teleport* or moose*idx* or jira* or openvpn* or phantom-0*'
Fifth Group is all servers besides LCPs
salt *com
Sixth Group is LCPs
salt -G 'msoc_pop:True'
--------Part 1----------
Commands run in TEST; things to add to os_modifications/init.sls
#fix misspelled squashfs and add usb-storage
salt * state.sls_id /etc/modprobe.d/CIS.conf os_modifications.cis-hardening-rhel-7.section-1.1-1 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
salt vault-1* state.sls os_modifications.modprobe saltenv=feature/bp_MSOCI-1676_cis_audit test=true
os_modifications/modprobe.sls
#fix ipv6
salt sensu* state.sls os_modifications.cis-hardening-rhel-7.section-3.3-1 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
os_modifications/disable_ipv6.sls
salt vault-1* state.sls os_modifications.disable_ipv6 saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#Fix 4.1.2.4 audit_backlog_limit
salt sensu* state.sls os_modifications.cis-hardening-rhel-7.section-4.4-1-2-4 test=false saltenv=feature/bp_MSOCI-1676_cis_audit
os_modifications/audit_backlog_limit.sls
salt vault-1* state.sls os_modifications.audit_backlog_limit saltenv=feature/bp_MSOCI-1676_cis_audit test=true
#Fix fstab
salt vault-1* state.sls os_modifications.fstab saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/fstab.sls
#Fix sysctl
salt vault-1* state.sls os_modifications.sysctl saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/sysctl.sls
#Fix chrony
salt vault-1* state.sls os_modifications.timezone saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/timezone.sls ( already in init.sls)
#Fix rsyslog
salt vault-1* state.sls os_modifications.rsyslog saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/rsyslog.sls
#fix auditd
salt vault-1* state.sls os_modifications.auditd saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/auditd.sls
#fix sshd_config
salt vault-1* state.sls os_modifications.sshd_config saltenv=feature/bp_MSOCI-1676_cis_audit test=true
salt/fileroots/os_modifications/sshd_config.sls
-------- PART 2 -------------
#fix rhnsd + rsync
salt vault-1* state.sls os_modifications.disable_services saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
salt/fileroots/os_modifications/disable_services.sls
#fix su ( what will break?)
salt vault-1* state.sls os_modifications.sugroup saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
salt/fileroots/os_modifications/sugroup.sls
#fix sudoers
salt vault-1* state.sls os_modifications.sudo saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix more auditd
salt vault-1* state.sls os_modifications.auditd saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix sshd_config again
salt vault-1* state.sls os_modifications.sshd_config saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix journald logging
salt vault-1* state.sls os_modifications.journald saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix securetty
salt vault-1* state.sls os_modifications.securetty saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix pam password remember
salt vault-1* state.sls os_modifications.tty_history saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix timeout
salt vault-1* state.sls os_modifications.timeout saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#fix umask (this doesn't totally fix the finding!)
salt vault-1* state.sls os_modifications.umask saltenv=feature/bp_MSOCI-1676_cis_audit_part2 test=true
#Fix unowned files and dirs
salt vault-1* cmd.run 'rm -rf /home/shahid_mahmood'
salt vault-1* cmd.run 'rm -rf /home/donald_wong'
salt vault-1* cmd.run 'rm -rf /home/randy_coffman'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/shahid_mahmood'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/randy_coffman'
salt vault-1* cmd.run 'rm -rf /var/spool/mail/donald_wong'
salt vault-1* cmd.run "ls -larth /home | grep 'randy_coffman\|shahid_mahmood\|donald_wong'"
------PART 3-----
salt ghe-backup* state.sls docker saltenv=feature/bp_MSOCI-1676_cis_audit_part3 --output-diff test=true
salt ghe-backup* cmd.run 'systemctl stop iptables && systemctl disable iptables && yum remove iptables-services -y'
salt ghe-backup* cmd.run 'systemctl enable firewalld && systemctl start firewalld'
salt customer* state.sls docker --output-diff test=true saltenv=feature/bp_MSOCI-1676_cis_audit_part3
#this should clean up the garbage in audit.rules
salt customer* state.sls os_modifications.auditd
# then this will add in the correct file.
salt customer* state.sls docker --output-diff test=true
# reload the audit.rules file. Then wait for a reboot of the server.
salt customer* cmd.run 'augenrules --load'
salt customer* cmd.run 'auditctl -l | grep docker'
######## #TODO ITEMS ########
4.2.3 Ensure permissions on all logfiles are configured
6.1.11 Ensure no unowned files or directories exist (Docker files) sft home dirs
6.1.12 Ensure no ungrouped files or directories exist (Docker files) sft home dirs
1.8.1.3 Ensure remote login warning banner is configured properly - banner text WTF Nessus? False positive?
Create internal DNS entries for these in test and prod so they will show up in Nessus:
10.20.32.59 customer-portal
10.20.16.86 moose-splunk-indexer-0
10.20.16.237 moose-splunk-indexer-1
10.20.17.42 moose-splunk-indexer-2
10.20.32.84 customer-portal
10.20.0.25 sensu
#### Control ID: 1073 Statement: Status of the 'Maximum Password Age' setting (expiration) / Accounts having the 'password never expires' flag set Control Number: 5.57 Reference #: 5.4.1.1.a Framework: CIS Benchmark for Red Hat Enterprise Linux 7 3.1.1, § 5.5.1.1 The following Integer value X indicates the current status of the PASS_MAX_DAYS setting as defined within the /etc/login.defs file.
in range 1-365
Salt State: packer/lcp/vmware/salt/cis-hardening-rhel-7/section-5.sls
Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris
exception!
#### Control ID: 1072 Statement: Status of the 'Minimum Password Age' setting Control Number: 5.59 Reference #: 5.4.1.2.a The following Integer value X indicates the current PASS_MIN_DAYS setting within the /etc/login.defs file.
greater than or equal to 7
To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
PASS_MIN_DAYS [DAYS]
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
Currently being set in salt/fileroots/os_modifications/files/login.defs to -1 by Chris
exception!
#### Control ID: 1417 Statement: Existence of the 'cron.deny' file Control Number: 5.14 Reference #: 5.1.8
salt file created! needs to be deployed
#### Control ID: 4437 Statement: Current list of hosts defined within the 'hosts.allow' file Reference #: 3.4.2
Exception!
#### Control ID: 4438 Statement: Status of the hosts defined within the hosts.deny file Reference #: 3.4.3
Exception!
#### Control ID: 4726 Statement: Current 'UMASK' setting for the '/etc/bashrc or /etc/bash.bashrc' file Reference #: 5.4.5/5.4.6
False positive. Qualys regex doesn't work with "022" umask configured here: packer/scripts/aws-hardening.sh & cis-harden.sh
CIS provided grep command:
grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc
#### Control ID: 5215 Statement: Status of the 'AllowGroups' setting in the 'sshd_config' file Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception!
#### Control ID: 5217 Statement: Status of the 'AllowUsers' setting in the 'sshd_config' file Reference #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception!
#### Control ID: 5222 Statement: Status of the 'ClientAliveInterval' setting in the 'sshd_config' file Ref #: 5.2.12 (v2.2.0) (5.2.16 v3.0.0)
Exception! Handled by Teleport
#### Control ID: 5224 Statement: Status of the 'DenyGroups' setting in the 'sshd_config' file Ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception! Handled by Teleport
#### Control ID: 5225 Statement: Status of the 'DenyUsers' setting in the 'sshd_config' file ref #: 5.2.14 (v2.2.0) (5.2.4 v3.0.0)
Exception! Handled by Teleport
#### Control ID: 5283/17996 Statement: Status of the 'MACs' setting in the '/etc/ssh/sshd_config' file ref #: 5.2.11 (v2.2.0) (5.2.14 v3.0.0)
Adjusted sshd_config
#### Control ID: 5963 Statement: Status of the current setting for 'net.ipv4.ip_forward' network parameter ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)
10.40.20.42 - openvpn (required for VPN)
10.40.24.97 - ghe-backup (docker)
10.40.32.16 - customer-portal (docker)
10.40.32.56 - customer-portal (docker)
Exception! Handled by Teleport
#### Control ID: 7339 Statement: Status of the 'Permissions' settings for the '/etc/cron.d' directory ref #: 5.1.7
This needs to be set. Currently it is 755. Salt state needs to be created.
#### Control ID: 7408 Statement: Current list of world writable directories that do not have the sticky bit configured ref #: 1.1.21 (v2.2.0) (1.1.24 v3.0.0) (1.1.22 v3.0.1)
/var/log/bash_history Modified here: salt/fileroots/os_modifications/tty_history.sls
I don't think this is needed anymore thanks to Teleport. No files are stored in that directory. Needs review.
#### Control ID: 7417 Statement: Current list of user accounts with 'existing home directories' defined in /etc/passwd and not present on the ref #: 6.2.7
10.40.30.24 (phantom): git-user:/home/git-user, phantom-worker:/home/phantom-worker
10.40.28.74 (fm-shared-search): george_starcher:/home/george_starcher (I added the dir. Should clean it up.)
/etc/passwd: george_starcher:x:60005:60005:sft-managed:/home/george_starcher:/bin/bash
Exception!
#### Control ID: 7418 Statement: Status of the current 'unowned' files and directories on the host ref #: 6.1.11
/home/shahid_mahmood /home/shahid_mahmood/.bashrc /home/shahid_mahmood/.bash_logout /home/shahid_mahmood/.bash_profile /home/shahid_mahmood/.zshrc
changed ownership to root:
#### Control ID: 7419 statement: Status of the current 'ungrouped' files and directories on the host ref #: 6.1.12
/home/shahid_mahmood /home/shahid_mahmood/.bashrc /home/shahid_mahmood/.bash_logout /home/shahid_mahmood/.bash_profile /home/shahid_mahmood/.zshrc
changed ownership to root:
#### Control ID: 7451 statement: Status of the 'restrict -6 default' setting in the '/etc/ntp.conf' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception!
#### Control ID: 7457 Statement: Status of the 'OPTIONS' setting in the '/etc/sysconfig/ntpd' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception!
#### Control ID: 7458 Statement: Status of the 'inet_interfaces' setting in the '/etc/postfix/main.cf' file ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)
10.40.0.96 / mailrelay
Exception!
#### Control ID: 7949 Statement: Status of the 'unconfined daemons' on the host ref #: 1.6.1.6 (v2.2.0) (1.7.1.7 v3.0.0)
The host should not have 'unconfined daemons' which are daemons that are not defined in SELinux policy and inherit permissions from parent processes. Unconfined daemons are daemons without proper permissions and present security risks to the host and this check should be regularly performed and reviewed according to the needs of the business. NOTE: This check should produce NO unconfined daemons on the list.
Unconfined daemons found: mongod, splunkd
Exception!
#### Control ID: 8327 Statement: Status of the 'world-writable' files and directories on the host ref #: 6.1.10
The following List String value(s) X indicate the status of local world-writable files and directories.
======Expected Value(s)======
File not found ------------ OR ------------ does not contain regular expression list .+
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
root:root:drwxrwxrwt.:/dev/mqueue
root:root:drwxrwxrwt.:/dev/shm
root:root:drwxrwxrwt.:/opt/tmp
root:root:drwxrwxrwt.:/tmp
root:root:drwxrwxrwt.:/tmp/.font-unix
root:root:drwxrwxrwt.:/tmp/.ICE-unix
root:root:drwxrwxrwt.:/tmp/.Test-unix
root:root:drwxrwxrwt.:/tmp/.X11-unix
root:root:drwxrwxrwt.:/tmp/.XIM-unix
root:root:drwxrwxrwt.:/tmp/systemd-private-5e8298ad14-chronyd.service-vs5GMY/tmp
root:root:drwxrwxrwt.:/var/tmp
root:root:drwxrwxrwt.:/var/tmp/cloud-init
root:root:drwxrwxrwx.:/var/log/bash_history
This needs to be figured out one by one. :-(
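An added example (Python written for this page, not code from the project's Salt states or from Qualys) that does the one-by-one triage on a listing in this owner:group:mode:path layout: sticky-bit directories such as /tmp are expected and only need review, while a world-writable directory without the sticky bit is the CIS 1.1.21 finding and a world-writable regular file is the CIS 6.1.10 finding. The sample listing is constructed; only /var/log/bash_history is taken from the listing above.

```python
"""Triage a Qualys 'world-writable' listing (controls 8327 / 7408) into the
CIS recommendation each path actually falls under."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the owner:group:mode:path layout the listing uses.
# The last two lines are the only real findings.
SAMPLE_LISTING = """\
root:root:drwxrwxrwt.:/dev/shm
root:root:drwxrwxrwt.:/tmp
root:root:drwxrwxrwt.:/tmp/.X11-unix
root:root:drwxrwxrwt.:/var/tmp
root:root:drwxrwxrwx.:/var/log/bash_history
root:root:-rw-rw-rw-.:/opt/app/debug.log
"""

# owner:group:<type char + 9 permission chars><optional SELinux/ACL marker>:path
LINE_RE = re.compile(r"^([^:]+):([^:]+):([-dl][rwxsStT-]{9})[.+]?:(.+)$")


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: str   # e.g. "drwxrwxrwt" (marker stripped)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def world_writable(self) -> bool:
        return self.mode[8] == "w"      # 'other' write bit

    @property
    def sticky(self) -> bool:
        return self.mode[9] in "tT"     # sticky bit shows in the 'other' execute slot


def parse_listing(text: str) -> list[Entry]:
    """Parse listing lines; malformed lines are skipped rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Bucket world-writable paths by the CIS recommendation they belong to."""
    result: dict[str, list[str]] = {
        "dirs_missing_sticky": [],   # CIS 1.1.21: world-writable dir, no sticky bit
        "world_writable_files": [],  # CIS 6.1.10: world-writable regular file
        "sticky_dirs": [],           # expected for /tmp-style dirs; review only
    }
    for e in entries:
        if not e.world_writable:
            continue
        if e.is_dir and e.sticky:
            result["sticky_dirs"].append(e.path)
        elif e.is_dir:
            result["dirs_missing_sticky"].append(e.path)
        else:
            result["world_writable_files"].append(e.path)
    return result


if __name__ == "__main__":
    for bucket, paths in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{bucket}: {paths}")
```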
#### Control ID: 9380 Statement: Status of the Mail Transfer Agent for Local-Only Mode ref #: 2.2.15 (v2.2.0) (2.2.16 v3.0.0)
10.40.0.96 / mailrelay
Exception!
#### Control ID: 9391 Statement: Status of the System Accounts ref #: 5.4.2
10.40.30.24 / phantom
pgbouncer:x:993:989:PgBouncer Server:/home/pgbouncer:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
Exception!
#### Control ID: 9623 Statement: Status of the 'try_first_pass' setting within the '/etc/pam.d/system-auth' ref #: 5.3.1
This needs to be figured out. Possible exception.
#### Control ID: 9629 Statement: Status of the 'retry' parameter for login attempts defined within '/etc/pam.d/system-auth' ref #: 5.3.1
This needs to be figured out. Possible exception.
#### Control ID: 9881 Statement: Status of the 'httpd' service using systemd ref #: 2.2.10 (v2.2.0) (2.2.11 v3.0.0)
10.40.2.41/reposerver needs httpd
Exception!
#### Control ID: 10236 Statement: Status of the ownership set for the home directory of Non system User ref #: 6.2.9 (v2.2.0) (6.2.7 v3.0.0)
fm-shared-search phantom-0
This is a false positive. The CIS benchmark bash script does not show home directory ownership issues.
The following List string value(s) X indicate the ownership details for the user account home directories on the host. Each line in the result consists of the account name, UID, home-directory path followed by the actual owner of the home directory.
======Expected Value(s)======
Non-system users not found ------------ OR ------------ matches regular expression list ^(nfsnobody:.*)|(([^:]+):.*:\3)$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
brad_poulton:60010:/home/brad_poulton:brad_poulton
brandon.naughton:50022:/home/brandon.naughton:brandon.naughton
brandon_naughton:60012:/home/brandon_naughton:brandon_naughton
centos:1001:/home/centos:centos
charles.kuykendall:50021:/home/charles.kuykendall:charles.kuykendall
charles_kuykendall:60014:/home/charles_kuykendall:charles_kuykendall
colby_williams:60018:/home/colby_williams:colby_williams
donald.wong:50023:/home/donald.wong:donald.wong
donald_wong:150045:/home/donald_wong:donald_wong
duane_waddle:60001:/home/duane_waddle:duane_waddle
frederick_t_damstra:60017:/home/frederick_t_damstra:frederick_t_damstra
george_starcher:60005:/home/george_starcher:Directory not found
james_m_jarrett:150002:/home/james_m_jarrett:james_m_jarrett
jeremy_cooper:150036:/home/jeremy_cooper:jeremy_cooper
john_reuther:60003:/home/john_reuther:john_reuther
j_kerr:50020:/home/j_kerr:j_kerr
randy_coffman:60015:/home/randy_coffman:randy_coffman
splunk:50009:/opt/splunk:splunk
svc-qualys:50008:/home/svc-qualys:svc-qualys
s_scott:150035:/home/s_scott:s_scott
wesley_leonard:60009:/home/wesley_leonard:wesley_leonard
#### Control ID: 10480 Statement: Status of the 'restrict -4 default' setting in the '/etc/ntp.conf' file ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
Exception! COMP-39
#### Control ID: 10655 Statement: Status of the 'vfat' Filesystems (modprobe) ref #: 1.1.1.8 (v2.2.0) (1.1.1.4 v3.0.0)
This needs to be figured out.
The List string value of X indicates the status of the file systems using the modprobe utility to check if the file system is mountable on the host.
======Expected Value(s)====== contains regular expression list vfat\s*:\s*install\s+/bin/true
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
cramfs : install /bin/true
freevxfs : install /bin/true
hfs : install /bin/true
hfsplus : install /bin/true
jffs2 : install /bin/true
squashfs : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/squashfs/squashfs.ko.xz
udf : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/lib/crc-itu-t.ko.xz :install /bin/true
vfat : insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/fat.ko.xz :insmod /lib/modules/3.10.0-1160.25.1.el7.x86_64/kernel/fs/fat/vfat.ko.xz
#### Control ID: 10664 Statement: Status of the 'OPTIONS' setting within '/etc/sysconfig/chronyd' file ref #: 2.2.1.3 (v2.2.0) (2.2.1.2 v3.0.0)
This needs to be figured out.
# grep ^OPTIONS /etc/sysconfig/chronyd
OPTIONS="-u chrony"
See packer/lcp/vmware/salt/cis-hardening-rhel-7/section-2.sls salt/fileroots/os_modifications/timezone.sls
Chrony was already running as chrony user.
#### Control ID: 4997 Statement: Current list of 'NTP servers' defined within '/etc/ntp.conf' Reference #: 2.2.1.2
edit /etc/chrony.conf and add OPTIONS="-u chrony"
salt/fileroots/os_modifications/timezone.sls
#### Control ID: 10665 Statement: Status of the default deny firewall policy ref #: 3.6.2
This needs to be figured out. Possible exception for security groups? Why have the FW without default deny?
#### Control ID: 10666 Statement: Status of the '$FileCreateMode' setting within '/etc/rsyslog.conf' file ref #: 4.2.1.3 (v2.2.0) (4.2.1.4 v3.0.0)
This needs to be figured out. See packer/lcp/vmware/salt/cis-hardening-rhel-7/section-4.sls and packer/scripts/aws-hardening.sh.
#### Control ID: 10667 Statement: Status of the 'perm' option within '/etc/syslog-ng/syslog-ng.conf' file ref #: 4.2.2.3
Exception for C2 servers. LCP servers have syslog-ng installed.
#### Control ID: 10669 Statement: Status of the 'password hashing algorithm' setting within '/etc/pam.d/system-auth' file ref #: 5.3.4 (v2.2.0) (5.3.3 v3.0.0)
Exception? Users don't use passwords? What about service accounts?
This needs to be figured out. Yes, it is in password-auth, but not in system-auth.
[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
[gc-prod]brad.poulton@salt-master:~:$ egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
[gc-prod]brad.poulton@salt-master:~:$
#### Control ID: 10671 Statement: Status of the 'syslog-ng' service ref #: 4.2.2.1 (v2.2.0) ( not found in v3.0.0)
Exception! COMP-46
#### Control ID: 10672 Statement: Status of the installed 'syslog-ng' package on the host ref #: 4.2.3 (v2.2.0) ( not found in v3.0.0)
Exception! COMP-46
#### Control ID: 10673 Statement: Status of the 'permission' set for all logfiles in '/var/log' directory ref #: 4.2.4 (v2.2.0) (4.2.3 v3.0.0)
This needs to be figured out.
find /var/log -type f -perm /g+wx,o+rwx -exec ls -l {} \;
#### Control ID: 10675 Statement: Status of the 'loopback traffic' setting ref #: 3.6.3 (v2.2.0) (3.5.3.2.2 v3.0.0)
This needs to be figured out. See CIS workbench.
#### Control ID: 10676 Statement: Status of the 'iptables rules' for all 'open ports' on the host ref #: 3.6.5 (v2.2.0) (3.5.3.2.4 v3.0.0)
This needs to be figured out. Possible exception for security groups? If we add a default deny we will need these.
#### Control ID: 10724 Statement: Status of the 'user-db' parameter in '/etc/dconf/profile/gdm' ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! no Gnome display manager
#### Control ID: 10725 Statement: Status of the 'system-db' parameter in '/etc/dconf/profile/gdm' ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! no Gnome display manager
#### Control ID: 10726 Statement: Status of the 'file-db' parameter in /etc/dconf/profile/gdm ref #: 1.7.2 (v2.2.0) (1.10 v3.0.0)
Exception! no Gnome display manager
#### Control ID: 10732 Statement: Status of the 'Maximum Password Age' setting (expiration) for 'users with a password' setting ref #: 5.4.1.1
exception! teleport COMP-33
#### Control ID: 10733 Statement: Status of the 'Minimum Password Age' for 'users with a password' setting ref #: 5.4.1.2
exception! teleport COMP-33
#### Control ID: 10734 Statement: Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at logi ref #: 5.4.1.3
exception! teleport COMP-33
#### Control ID: 10735 Statement: Status of the 'Maximum number of days of inactivity allowed before a user account is locked out' for 'users ref #: 5.4.1.4 (v2.2.0) (5.4.1.5 v3.0.0)
exception! teleport COMP-33
#### Control ID: 10823 Statement: Status of the home directory ownership and permissions for the system accounts defined within the /etc/passwd file / Ensure users' home directories permissions are 750 or more restrictive ref #: 6.2.8 (v2.2.0) (6.2.6 v3.0.0)
Possible exception for splunk user?
[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
#### Control ID: 10824 Statement: Status of the home directory ownership and permissions for the user accounts (non-system users) defined within the /etc/passwd file ref #:6.2.8 (v2.2.0) (6.2.6 v3.0.0)
Possible exception for splunk user?
[gc-prod]root@salt-master:~:# bash cis-deleteme.sh
Other Read permission set on the home directory (/opt/splunkforwarder) of user splunk
Other Execute permission set on the home directory (/opt/splunkforwarder) of user splunk
#### Control ID: 10848 Statement: Status of the 'ExecStart' setting in '/usr/lib/systemd/system/ntpd.service' ref #: 2.2.1.2 (v2.2.0) (2.2.1.3 v3.0.0)
False Positive. ntp is not installed. Chrony is used.
#### Control ID: 10859 Statement: Status of the 'periodically scheduled (crontab)' aide check (/etc/cron.* and /etc/crontab) ref #: 1.3.2 (v2.2.0) (1.4.2 v3.0.0)
False Positive. Qualys is looking for the vanilla aide.
@daily /usr/local/bin/aide-run.sh > /dev/null 2>&1
#### Control ID: 12751 Statement: Status of ownership set for the /boot/grub2/user.cfg ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)
False positive.
[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory
#### Control ID: 12752 Statement: Status of permission set for the /boot/grub2/user.cfg ref #: 1.4.1 (v2.2.0) (1.5.2 v3.0.0)
False positive.
[gc-prod]root@salt-master:/boot/grub2:# stat /boot/grub2/user.cfg
stat: cannot stat ‘/boot/grub2/user.cfg’: No such file or directory
#### Control ID: 12785 Statement: Status of the 'fs.suid_dumpable' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 1.4.1
False positive: recommend moving the trailing "# CIS 1.5.1" comment onto its own line so the Qualys regex (which allows nothing after the value) can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of fs.suid_dumpable setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*fs.suid_dumpable\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:fs.suid_dumpable = 0 # CIS 1.5.1
#### Control ID: 12786 Statement: Status of the 'kernel.randomize_va_space' parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 1.5.3 (v2.2.0) (1.6.3 v3.0.0)
False positive: recommend moving the trailing "# CIS 1.5.x" comment onto its own line so the Qualys regex can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of kernel.randomize_va_space setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*kernel.randomize_va_space\s*=\s*2\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 # CIS 1.5.3
#### Control ID: 12787 Statement: Status of the 'net.ipv4.ip_forward' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.1.1 (v2.2.0) (3.2.1 v3.0.0)
False positive: recommend moving the trailing "# CIS x.x.x" comment onto its own line so the Qualys regex can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of net.ipv4.ip_forward setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*net.ipv4.ip_forward\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:net.ipv4.ip_forward = 0 # CIS 3.1.1
#### Control ID: 12788 Statement: Status of the 'net.ipv4.conf.all.send_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.1.2 (v2.2.0) (3.2.2 v3.0.0)
False positive: recommend moving the trailing "# CIS x.x.x" comment onto its own line so the Qualys regex can match. Also recommend using Salt to manage this file post golden image. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of net.ipv4.conf.all.send_redirects setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*net.ipv4.conf.all.send_redirects\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.send_redirects = 0 # CIS 3.1.2
#### Control ID: 12789 Statement: Status of the 'net.ipv4.conf.default.send_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.1.2 (v2.2.0) (3.2.2 v3.0.0)
False positive: recommend moving the trailing "# CIS x.x.x" comment onto its own line so the Qualys regex can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of net.ipv4.conf.default.send_redirects setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*net.ipv4.conf.default.send_redirects\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.send_redirects = 0 # CIS 3.1.2
#### Control ID: 12790 Statement: Status of the 'net.ipv4.conf.all.accept_source_route' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.2.1 (v2.2.0) (3.3.1 v3.0.0)
False positive: recommend moving the trailing "# CIS x.x.x" comment onto its own line so the Qualys regex can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of net.ipv4.conf.all.accept_source_route setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*net.ipv4.conf.all.accept_source_route\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.accept_source_route = 0 # CIS 3.2.1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.all.accept_source_route = 0
#### Control ID: 12791 Statement: Status of the 'net.ipv4.conf.default.accept_source_route' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.2.1 (v2.2.0) (3.3.1 v3.0.0)
False positive: recommend moving the trailing "# CIS x.x.x" comment onto its own line so the Qualys regex can match. Set in packer/scripts/aws-hardening.sh.
The following List String value(s) x indicates the current status of net.ipv4.conf.default.accept_source_route setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\s*net.ipv4.conf.default.accept_source_route\s*=\s*0\s*$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)======
/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.accept_source_route = 0 # CIS 3.2.1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.accept_source_route = 0
#### Control ID: 12792 Statement: Status of the 'net.ipv4.conf.all.accept_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.2.2 (v2.2.0) (3.3.2 v3.0.0)
False positive: recommend moving # CIS x.x.x to allow regex to work properly packer/scripts/aws-hardening.sh
The following List String value(s) x indicates the current status of net.ipv4.conf.all.accept_redirects setting configured for sysctl on the host. This includes all the .conf files under /etc/sysctl.d/, /run/sysctl.d/ and /usr/lib/sysctl.d/ directories. The return value consists of filename, setting name and value set for the setting.
======Expected Value(s)====== matches regular expression list ^[^:]+:\snet.ipv4.conf.all.accept_redirects\s=\s0\s$
======Current Value(s) - Last updated: 06/10/2021 at 05:25:24 PM (GMT-0400)====== /etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.accept_redirects = 0 # CIS 3.2.2
#### Control ID: 12793 Statement: Status of the 'net.ipv4.conf.default.accept_redirects' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.2.2 (v2.2.0) (3.3.2 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12796 Statement: Status of the 'net.ipv4.conf.all.log_martians' network parameter configured under '/etc/sysctl.d/' ref #: 3.2.4 (v2.2.0) (3.3.4 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12797 Statement: Status of the 'net.ipv4.conf.default.log_martians' network parameter configured under '/etc/sysctl.d/', '/run/sysctl.d/' or '/usr/lib/sysctl.d/' directories ref #: 3.2.4 (v2.2.0) (3.3.4 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12798 Statement: Status of the 'net.ipv4.icmp_echo_ignore_broadcasts' network parameter ref #: 3.2.5 (v2.2.0) (3.3.5 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12799 Statement: Status of the 'net.ipv4.icmp_ignore_bogus_error_responses' network parameter ref #: 3.2.6 (v2.2.0) (3.3.6 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12800 Statement: Status of the 'net.ipv4.conf.all.rp_filter' network parameter ref #: 3.2.7 (v2.2.0) (3.3.7 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12801 Statement: Status of the 'net.ipv4.conf.default.rp_filter' network parameter ref #: 3.2.7 (v2.2.0) (3.3.7 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
#### Control ID: 12802 Statement: Status of the 'net.ipv4.tcp_syncookies' network parameter ref #: 3.2.8 (v2.2.0) (3.3.8 v3.0.0)
False positive: recommend moving the "# CIS x.x.x" comment in packer/scripts/aws-hardening.sh so the regex matches properly.
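Why the scanner flags these as failures, and what the recommended fix does, as an added example that is not the project's packer/scripts/aws-hardening.sh: the scanner pattern shown above ends in "\s=\s0\s$", so a "# CIS x.x.x" comment after the value on the same line breaks the match even though sysctl applies the setting. compliant_line() below is a constructed per-line equivalent of that anchoring, and move_trailing_comments() rewrites the file so the comment sits on its own line.

```python
import re

# Added example (not from the page's packer scripts): reproduces the
# scanner's end-of-line anchoring and applies the recommended fix.

def compliant_line(param, line):
    """True if `line` sets `param` to 0 with nothing else on the line."""
    pat = re.compile(r"^\s*" + re.escape(param) + r"\s*=\s*0\s*$")
    return bool(pat.match(line))

def audit(text, params):
    """Return the params that have no compliant '= 0' line in `text`."""
    lines = text.splitlines()
    return [p for p in params if not any(compliant_line(p, ln) for ln in lines)]

def move_trailing_comments(text):
    """Rewrite 'key = value # comment' as a comment line followed by the
    bare setting, which is the change recommended above for aws-hardening.sh."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "#" not in stripped:
            out.append(line)          # full-line comment or no comment: keep
            continue
        setting, comment = stripped.split("#", 1)
        out.append("# " + comment.strip())
        out.append(setting.strip())
    return "\n".join(out) + "\n"

# Constructed sample mirroring the 99-sysctl.conf lines shown in the scan output.
SAMPLE = """\
# kernel hardening (constructed sample)
net.ipv4.conf.all.accept_source_route = 0 # CIS 3.2.1
net.ipv4.conf.default.accept_source_route = 0 # CIS 3.2.1
net.ipv4.conf.all.accept_redirects = 0 # CIS 3.2.2
"""
PARAMS = [
    "net.ipv4.conf.all.accept_source_route",
    "net.ipv4.conf.default.accept_source_route",
    "net.ipv4.conf.all.accept_redirects",
]

if __name__ == "__main__":
    print("failing before fix:", audit(SAMPLE, PARAMS))
    print("failing after fix: ", audit(move_trailing_comments(SAMPLE), PARAMS))
```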
#### Control ID: 12807 Statement: Status of the 'Last password change' setting for user ref #: 5.4.1.5 (v2.2.0) (5.4.1.6 v3.0.0)
exception!
#### Control ID: 12814 Statement: List of runtime audit rules for '/etc/group' file, using auditctl ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
#### Control ID: 12815 Statement: List of runtime audit rules for '/etc/passwd' file, using auditctl ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
#### Control ID: 12816 Statement: List of runtime audit rules for '/etc/gshadow' file, using auditctl ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
#### Control ID: 12817 Statement: List of runtime audit rules for '/etc/shadow' file, using auditctl ref #: 4.1.5 (v2.2.0) (4.1.4 v3.0.0)
This needs to be figured out. See CIS workbench.
#### Control ID: 12884 Statement: Status of 'umask' setting in /etc/profile and /etc/profile.d/*.sh files ref #: 5.4.4 (v2.2.0) (5.4.6 v3.0.0)
False positive. Qualys regex doesn't work with "022" umask configured here: packer/scripts/aws-hardening.sh
[gc-prod]brad.poulton@salt-master:~:$ grep -Ev '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc | grep -E '(^|^[^#]*)umask'
/etc/profile: umask 022
/etc/bashrc: umask 022
[gc-prod]brad.poulton@salt-master:~:$ grep -E '^\s*umask\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\s*(\s*#.*)?$' /etc/profile /etc/profile.d/*.sh /etc/bashrc
/etc/profile: umask 027
/etc/bashrc: umask 027
#### Control ID: 13241 Statement: Status of the remember setting for pam_unix.so or pam_pwhistory.so module in /etc/pam.d/password-auth file ref #: 5.3.3 (v2.2.0) (5.3.4 v3.0.0)
This needs to be figured out. Possible exception.
#### Control ID: 13242 Statement: Status of the remember setting for pam_unix.so or pam_pwhistory.so module in /etc/pam.d/system-auth file ref #: 5.3.3 (v2.2.0) (5.3.4 v3.0.0)
This needs to be figured out. Possible exception.
#### Plugin Name: 4.1.2.1 Ensure audit log storage size is configured Plugin ID: max_log_file = 512
exception
#### Plugin Name: 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)
#### Plugin Name: 1.1.6 Ensure /dev/shm is configured - fstab
Tenable: does not match regex due to missing "defaults". "defaults" is not needed, but also doesn't hurt anything.
Suggestion: change none to tmpfs in packer/scripts/aws-partition-lvms.sh. Does this conflict?
#### Plugin Name: 1.2.3 Ensure gpgcheck is globally activated Non-compliant file: /etc/yum.repos.d/msoc.repo
exception
#### Plugin Name: 4.2.1.3 Ensure rsyslog default file permissions configured See Qualys: 10666
Will this break splunk log collection?
#### Plugin Name: 4.2.2.1 Ensure journald is configured to send logs to rsyslog
Forward journald logs to Splunk. Get data with the Journald input
exception? or pull journald logs
#### Plugin Name: 4.2.2.2 Ensure journald is configured to compress large log files Not found in v2.2.0
Added new file
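An audit helper for the two journald controls above (4.2.2.1 ForwardToSyslog and 4.2.2.2 Compress), as an added example that is not the project's salt state or the new file mentioned above: it resolves settings the way systemd does (journald.conf first, then /etc/systemd/journald.conf.d/*.conf in sorted order, last assignment wins), so the check sees the effective value rather than a single file. The drop-in file names and contents are constructed samples.

```python
import configparser

# Added example, not project code: resolve journald settings across the
# main file and drop-ins, then audit the two CIS keys discussed above.

TRUE_VALUES = {"1", "yes", "true", "on"}   # subset of the booleans systemd accepts

def effective_journald_settings(main_text, dropins):
    """main_text: journald.conf contents; dropins: {filename: contents}.
    Files are applied in order (main file, then drop-ins sorted by name),
    and a later assignment overrides an earlier one, as systemd does."""
    effective = {}
    for _name, text in [("journald.conf", main_text)] + sorted(dropins.items()):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str                 # keep key case (ForwardToSyslog)
        cp.read_string(text)                 # '#' lines are comments, as in systemd
        if cp.has_section("Journal"):
            effective.update(cp["Journal"])  # later files override earlier ones
    return effective

def audit_journald(main_text, dropins):
    """CIS 4.2.2.1 needs ForwardToSyslog=yes, 4.2.2.2 needs Compress=yes.
    An absent key is reported as non-compliant: the benchmark looks for an
    explicit line, and the commented-out defaults in the stock file do not count."""
    eff = effective_journald_settings(main_text, dropins)
    return {k: str(eff.get(k, "")).strip().lower() in TRUE_VALUES
            for k in ("ForwardToSyslog", "Compress")}

# Constructed samples: the stock file with its defaults commented out, a
# site drop-in that turns forwarding off, and a CIS drop-in that wins by name.
STOCK = "[Journal]\n#Compress=yes\n#ForwardToSyslog=no\n"
DROPINS = {
    "50-site.conf": "[Journal]\nForwardToSyslog=no\n",
    "99-cis.conf": "[Journal]\nCompress=yes\nForwardToSyslog=yes\n",
}

if __name__ == "__main__":
    print(audit_journald(STOCK, {}))        # both False
    print(audit_journald(STOCK, DROPINS))   # both True
```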
#### Plugin Name: 4.2.3 Ensure permissions on all logfiles are configured
#### Plugin Name: 6.2.7 Ensure users own their home directories
The home directory (/etc/vault) of user vault is owned by root.
exception?