Update harbian_audit_Debian_9_Benchmark_v0.1.mkd

Samson-W 2019-05-14 18:24:26 +08:00
parent b762376882
commit 471a3a0d62
1 changed files with 8 additions and 77 deletions


@ -902,7 +902,7 @@ Fixtext: Configure the operating system to generate audit records that modify co
``` ```
The audit daemon must be restarted for the changes to take effect. The audit daemon must be restarted for the changes to take effect.
## 8.5 Verifies integrity all packages (scored) ## 8.7 Verifies integrity all packages (scored)
### Profile Applicability ### Profile Applicability
Level 5 Level 5
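Review bot: the heading renumbering from 8.5 to 8.7 in `## 8.7 Verifies integrity all packages (scored)` implies two sections were inserted before it, but nothing in this diff adds them and the commit message ("Update harbian_audit_Debian_9_Benchmark_v0.1.mkd") gives no rationale; confirm the table of contents and any cross-references to 8.5 are updated in the same change. While the heading is being touched, `Verifies integrity all packages` reads better as `Verify the integrity of all packages`, and `(scored)` should match the `(Scored)` capitalization used by the other headings in this file.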
@ -1620,55 +1620,7 @@ Configure the operating system to store only SHA512 encrypted representations of
ENCRYPT_METHOD SHA512 ENCRYPT_METHOD SHA512
``` ```
## 10.1.5 Set accounts minimum password lifetime (Scored) ## 10.1.6 Remove(Replace) NOPASSWD to PASSWD in the sudoers config file (Scored)
### Profile Applicability
Level 3
### Description
Passwords must be restricted to a 24 hours/1 day minimum lifetime.
### Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
### Aduit
Check whether the minimum time period between password changes for each user account is one day or greater.
```
# awk -F: '$4 < 1 {print $1}' /etc/shadow
```
If any results are returned that are not associated with a system account, this is a finding.
### Remediation
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
```
# chage -m 1 [username]
```
## 10.1.6 Set accounts maximum password lifetime (Scored)
### Profile Applicability
Level 3
### Description
Existing passwords must be restricted to a 60-day maximum lifetime.
### Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
### Aduit
Check whether the maximum time period for existing passwords is restricted to 60 days.
```
# awk -F: '$5 > 60 {print $1}' /etc/shadow
```
If any results are returned that are not associated with a system account, this is a finding.
### Remediation
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
```
# chage -M 60 [username]
```
## 10.1.7 Remove(Replace) NOPASSWD to PASSWD in the sudoers config file (Scored)
### Profile Applicability ### Profile Applicability
Level 3 Level 3
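Review bot: deleting the two scored controls `## 10.1.5 Set accounts minimum password lifetime (Scored)` and `## 10.1.6 Set accounts maximum password lifetime (Scored)` removes the password-aging checks (`awk -F: '$4 < 1 {print $1}' /etc/shadow`, `awk -F: '$5 > 60 {print $1}' /etc/shadow` and their `chage` remediations) without the diff or the commit message saying whether they were moved elsewhere or intentionally dropped; state the reason in the commit message or relocate the controls rather than removing them silently. If they are kept anywhere, `### Aduit` in both sections is a typo for `### Audit`, and the audit text should be explicit that the awk output must be filtered to interactive accounts, since the command as written also lists system accounts with an empty or zero field.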
@ -1689,7 +1641,7 @@ If any uncommented line is found with a "NOPASSWD" tag, this is a finding.
### Remediation ### Remediation
Replace any occurrences of "NOPASSWD" tags to "PASSWD" tags in the file. Replace any occurrences of "NOPASSWD" tags to "PASSWD" tags in the file.
## 10.1.8 Remove(Replace) not authenticate(!authenticate) to authenticate in the sudoers config file (Scored) ## 10.1.7 Remove(Replace) not authenticate(!authenticate) to authenticate in the sudoers config file (Scored)
### Profile Applicability ### Profile Applicability
Level 3 Level 3
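Review bot: the remediation `Replace any occurrences of "NOPASSWD" tags to "PASSWD" tags in the file.` names no command and no safeguard; this hunk only renumbers the heading, but since the section is being touched, the text should direct the edit through `visudo` (which syntax-checks before saving) so a malformed sudoers file does not lock administrators out of sudo, and `to "PASSWD" tags` should read `with "PASSWD" tags`. The same applies to the `!authenticate` remediation in the next hunk.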
@ -1710,7 +1662,7 @@ If any line is found with a "!authenticate" tag, this is a finding.
### Remediation ### Remediation
Replace any occurrences of "!authenticate" tags to "authenticate" tags in the file. Replace any occurrences of "!authenticate" tags to "authenticate" tags in the file.
## 10.1.9 Set FAIL_DELAY to wait to allow login when the last login failed (Scored) ## 10.1.8 Set FAIL_DELAY to wait to allow login when the last login failed (Scored)
### Profile Applicability ### Profile Applicability
Level 2 Level 2
@ -1735,7 +1687,7 @@ Configure the operating system to enforce a delay of at least four seconds betwe
auth optional pam_faildelay.so delay=4000000 auth optional pam_faildelay.so delay=4000000
``` ```
## 10.1.10 Set create home bool to yes (Scored) ## 10.1.9 Set create home bool to yes (Scored)
### Profile Applicability ### Profile Applicability
Level 3 Level 3
@ -1760,7 +1712,7 @@ Configure the operating system to assign home directories to all new local inter
CREATE_HOME yes CREATE_HOME yes
``` ```
## 10.1.11 Set maxlogins for all accounts (Scored) ## 10.1.10 Set maxlogins for all accounts (Scored)
### Profile Applicability ### Profile Applicability
Level 2 Level 2
@ -1785,7 +1737,7 @@ Configure the operating system to limit the number of concurrent sessions to "10
* hard maxlogins 10 * hard maxlogins 10
``` ```
## 10.1.12 Ensure no shosts configure file on system (Scored) ## 10.1.11 Ensure no shosts configure file on system (Scored)
### Profile Applicability ### Profile Applicability
Level 3 Level 3
@ -1811,28 +1763,7 @@ Remove any found ".shosts" and "shosts.equiv" files from the system.
# rm /[path]/[to]/[file]/shosts.equiv # rm /[path]/[to]/[file]/shosts.equiv
``` ```
## 10.1.13 Disabled Kernel core dumps (Scored) ## 10.5 Set Timeout on ttys (Scored)
### Profile Applicability
Level 2
### Description
Kernel core dumps must be disabled unless needed.
### Rationale
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
### Aduit
Verify that kernel core dumps are disabled unless needed. Check the status of the "kdump" service with the following command:
```
# grep "core" /etc/security/limits.conf
```
If the kernel core dump is set, this is a finding.
### Remediation
If kernel core dumps are not required, delete the contain "core" line in /etc/security/limits.conf.
## 10.6 Set Timeout on ttys (Scored)
### Profile Applicability ### Profile Applicability
Level 2 Level 2
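Review bot: removing `## 10.1.13 Disabled Kernel core dumps (Scored)` drops the only limits.conf core-dump check in this file, and the deleted section was already internally inconsistent: the audit text refers to the "kdump" service while the command is `grep "core" /etc/security/limits.conf`, and the remediation says to delete the line containing "core" rather than to set a `hard core 0` limit (the `* hard maxlogins 10` line earlier in this diff shows the expected syntax). If the deletion is because of that inconsistency, fixing the audit and remediation text is preferable to dropping the control; either way the commit message should say where the check went. The renumbering of `## 10.6 Set Timeout on ttys (Scored)` to 10.5 likewise needs matching updates to any table of contents or cross-references.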