tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add description for 8.1.1.4

This commit is contained in:
samson 2018-11-12 16:24:24 +08:00
parent f6d67de7df
commit 06f4109735
1 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
View File

@ -18,6 +18,37 @@ Note: If a separate file system has not been created for the user home directori
# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}" # cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
smithj:1001:/home/smithj smithj:1001:/home/smithj
thomasr:1002:/home/thomasr thomasr:1002:/home/thomasr
```
Check the file systems that are mounted at boot time with the following command:
```
# more /etc/fstab
UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2
```
### Remediation
Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.
## 2.27 Set nosuid option for /home filesystem/Partition (scored)
### Profile Applicability
Level 2
### Description
File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
### Rationale
The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
### Aduit
Verify file systems that contain user home directories are mounted with the "nosuid" option. Find the file system(s) that contain the user home directories with the following command:
Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
```
# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
smithj:1001:/home/smithj
thomasr:1002:/home/thomasr
```
Check the file systems that are mounted at boot time with the following command: Check the file systems that are mounted at boot time with the following command:
``` ```
# more /etc/fstab # more /etc/fstab
@ -165,6 +196,44 @@ If the database file has a date older than seven days from the current date, thi
### Remediation ### Remediation
Update the virus scan software and virus definition files, enable clamav-freshclam service. Update the virus scan software and virus definition files, enable clamav-freshclam service.
## 8.1.1.4 Set failure mode of audit service (scored)
### Profile Applicability
Level 4
### Description
The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
### Rationale
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
### Aduit
Confirm the audit configuration regarding how auditing processing failures are handled. Check to see what level "auditctl" is set to with following command:
```
# auditctl -s | grep -i "fail"
failure 2
```
If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure. If the "failure" setting is not set, this is a CAT I finding. If the "failure" setting is set to any value other than "1" or "2", this is a CAT II finding. If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.
### Remediation
Configure the operating system to shut down in the event of an audit processing failure. Add or correct the option to shut down the operating system with the following command:
```
# auditctl -f 2
```
Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
```
-f 2
```
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
```
# auditctl -f 1
```
Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
```
-f 1
```
Kernel log monitoring must also be configured to properly alert designated staff. The audit daemon must be restarted for the changes to take effect.
## 8.1.19 Recored ssh-keysign command usage (scored) ## 8.1.19 Recored ssh-keysign command usage (scored)
### Profile Applicability ### Profile Applicability