
harbian audit Debian Linux 9 Benchmark

5.7 Install screen (scored)

Profile Applicability

Level 4

Description

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen package allows for a session lock to be implemented and configured.

Rationale

The lock function of screen can be used to lock the current terminal and to keep the current session from exiting when it times out.

Audit

Verify the operating system has the screen package installed. Check whether the screen package is installed with the following command:

# dpkg -s screen | grep '^Status: install'

Remediation

Install the screen program (if it is not on the system) with the following command:

# apt-get install screen

The console can now be locked from within a screen session with the key combination Ctrl+a x.

5.8 Ensure openssh server is enabled (scored)

Profile Applicability

Level 2

Description

All networked systems must have SSH installed.

Rationale

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Audit

Check to see if sshd is installed with the following command:

# dpkg -s openssh-server | grep '^Status: install'
Status: install ok installed
# dpkg -s openssh-client | grep '^Status: install'
Status: install ok installed

If the "openssh-server" package is not installed, this is a finding. If the "openssh-client" package is not installed, this is a finding.

Remediation

Install SSH packages onto the host with the following commands:

# apt-get install -y openssh-server openssh-client

6.17 Ensure virus scan server is enabled (scored)

Profile Applicability

Level 4

Description

The system must use a virus scan program.

Rationale

Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.

Audit

Verify the system is using a virus scan program. Check for the presence of "clamav" on the system with the following command:

# systemctl | grep clamav-daemon
clamav-daemon.service   loaded active running   Clam AntiVirus userspace daemon

If clamav-daemon is not loaded and active, ask the System Administrator if there is an antivirus package installed and active on the system. If no antivirus scan program is active on the system, this is a finding.

Remediation

Install the clamav program (if it is not on the system) with the following command:

# apt-get install -y clamav-daemon

6.18 Ensure virus scan server update is enabled (scored)

Profile Applicability

Level 4

Description

The system must update the virus scan program every seven days or more frequently.

Rationale

Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).

Audit

Verify the system is using a virus scan program and the virus definition file is less than seven days old. Check for the presence of "clamav" on the system with the following command:

# systemctl | grep clamav
clamav-daemon.service   loaded active running   Clam AntiVirus userspace daemon

If "clamav" is active on the system, check the dates of the virus database with the following commands:

# grep -i databasedirectory /etc/clamav/clamd.conf
DatabaseDirectory /var/lib/clamav
# ls -al /var/lib/clamav/daily.cvd 
-rw-r--r-- 1 clamav clamav 51698014 Oct 26  2018 /var/lib/clamav/daily.cvd

If the database file has a date older than seven days from the current date, this is a finding.

Remediation

Update the virus scan software and virus definition files, and enable the clamav-freshclam service.
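The seven-day check above is done by reading the file date by eye. The following script is an added example, not part of the harbian-audit benchmark; it computes the age of the signature database in days so the check can be automated. It assumes GNU coreutils as shipped on Debian (stat, date, touch), reads DatabaseDirectory from /etc/clamav/clamd.conf when that file is readable, and also accepts daily.cld, the name freshclam gives the daily database once incremental updates have been applied. The temporary directories and files it creates are constructed demonstration data.

```bash
#!/bin/bash
# Added example (not part of the harbian-audit benchmark): check that the
# ClamAV signature database is no older than the benchmark's seven-day limit.
# Assumptions: GNU stat/date/touch (Debian); DatabaseDirectory is read from
# /etc/clamav/clamd.conf when present, otherwise /var/lib/clamav is used.

MAX_AGE_DAYS=7

# Print the configured DatabaseDirectory, falling back to the Debian default.
clamav_db_dir() {
    local conf="${1:-/etc/clamav/clamd.conf}" dir=""
    if [ -r "$conf" ]; then
        dir=$(awk 'tolower($1) == "databasedirectory" { print $2; exit }' "$conf")
    fi
    printf '%s\n' "${dir:-/var/lib/clamav}"
}

# Age of a file in whole days, based on its modification time.
file_age_days() {
    local now mtime
    now=$(date +%s)
    mtime=$(stat -c %Y "$1") || return 1
    echo $(( (now - mtime) / 86400 ))
}

# Check the daily signature file in a database directory.
# freshclam downloads daily.cvd but rewrites it as daily.cld once cdiff
# updates have been applied, so both names are accepted and the newer one
# is taken as the last successful update (assumption of this example).
# Prints PASS or FAIL; returns 0 on PASS, 1 on FAIL (a finding).
check_clamav_db_age() {
    local dir="$1" newest="" f age
    for f in "$dir/daily.cld" "$dir/daily.cvd"; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    if [ -z "$newest" ]; then
        echo "FAIL: no daily.cvd or daily.cld in $dir (finding)"
        return 1
    fi
    age=$(file_age_days "$newest")
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
        echo "FAIL: $newest is $age days old (finding)"
        return 1
    fi
    echo "PASS: $newest is $age days old"
    return 0
}

# Constructed demonstration data: temporary directories standing in for
# /var/lib/clamav, one with a fresh database and one with a stale one.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/fresh" "$demo_dir/stale"
touch "$demo_dir/fresh/daily.cvd"
touch -d '10 days ago' "$demo_dir/stale/daily.cvd"

check_clamav_db_age "$demo_dir/fresh"           # PASS
check_clamav_db_age "$demo_dir/stale" || true   # FAIL (finding)
rm -rf "$demo_dir"

# Live system: check_clamav_db_age "$(clamav_db_dir)"
```

On a live host the last line is the whole audit: the function returns non-zero exactly when the benchmark would record a finding, so it can be wired into a cron job or a compliance scanner without parsing ls output.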

8.1.19 Record ssh-keysign command usage (scored)

Profile Applicability

Level 4

Description

All uses of the ssh-keysign command must be audited.

Rationale

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Check the file system rules in "/etc/audit/audit.rules" with the following command:

# grep -i /usr/lib/openssh/ssh-keysign /etc/audit/audit.rules
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh

The audit daemon must be restarted for the changes to take effect.

8.1.20 Record open_by_handle_at syscall (scored)

Profile Applicability

Level 4

Description

All uses of the open_by_handle_at system call must be audited.

Rationale

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" system call occur. Check the audit rules in "/etc/audit/audit.rules" with the following command:

# grep -iw open_by_handle_at /etc/audit/audit.rules
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

If there are no audit rules defined for the open_by_handle_at syscall, this is a finding. If the output does not produce a rule containing -F exit=-EPERM, this is a finding. If the output does not produce a rule containing -F exit=-EACCES, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" system call occur. Add or update the following rules in "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

The audit daemon must be restarted for the changes to take effect.

8.1.21 Record events of privileged-passwd command usage (Scored)

Profile Applicability

Level 4

Description

All uses of the privileged-passwd commands must be audited.

Rationale

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Check the file system rules in "/etc/audit/audit.rules" with the following commands:

# grep -i /usr/bin/passwd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /sbin/unix_chkpwd /etc/audit/audit.rules
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /usr/bin/gpasswd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# grep -i /usr/bin/chage /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd

The audit daemon must be restarted for the changes to take effect.

8.1.22 Record events of privileged-priv-change command usage (Scored)

Profile Applicability

Level 4

Description

All uses of the privileged-priv-change commands must be audited.

Rationale

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Check the file system rules in "/etc/audit/audit.rules" with the following commands:

# grep -i /bin/su /etc/audit/audit.rules
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudo /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/chsh /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change

The audit daemon must be restarted for the changes to take effect.

8.1.23 Record events of privileged-postfix command usage (Scored)

Profile Applicability

Level 4

Description

All uses of the privileged-postfix commands must be audited.

Rationale

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-postfix" commands occur. Check the file system rules in "/etc/audit/audit.rules" with the following commands:

# grep -i /usr/sbin/postdrop /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
# grep -i /usr/sbin/postqueue /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-postfix" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix

The audit daemon must be restarted for the changes to take effect.

8.1.24 Record crontab command usage (scored)

Profile Applicability

Level 4

Description

All uses of the crontab command must be audited.

Rationale

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. Check the file system rules in "/etc/audit/audit.rules" with the following command:

# grep -i /usr/bin/crontab /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron

The audit daemon must be restarted for the changes to take effect.

8.1.25 Record pam_timestamp_check command usage (scored)

Profile Applicability

Level 4

Description

All uses of the pam_timestamp_check command must be audited.

Rationale

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit

Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command:

# grep -i "/sbin/pam_timestamp_check" /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295  -k privileged-pam

If the command does not return any output, this is a finding.

Remediation

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam

The audit daemon must be restarted for the changes to take effect.
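The checks in 8.1.19 to 8.1.25 each grep one path out of audit.rules and leave the reader to compare the fields. The script below is an added example rather than the benchmark's or the harbian-audit project's own code; it performs all of those checks against a rules file and reports each missing or incomplete rule as a finding. It assumes the rules file is passed as an argument (/etc/audit/audit.rules, or the live rule set saved from auditctl -l), and it treats auid!=4294967295, auid!=-1 and auid!=unset as the same filter, which is how auditd interprets them. The rule set it writes is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not part of the harbian-audit benchmark): script the
# audit-rule checks of items 8.1.19 to 8.1.25 instead of reading grep
# output by eye. Assumptions: the rules are read from a file given as an
# argument (/etc/audit/audit.rules, or 'auditctl -l' output saved to a
# file); auditd treats auid!=4294967295, auid!=-1 and auid!=unset as the
# same filter, so all three spellings are accepted.

# Strip comments, squeeze whitespace and unify the unset-auid spelling.
normalise_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\+/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/auid!=4294967295/auid!=unset/g' -e 's/auid!=-1/auid!=unset/g' "$1" |
        grep -v '^$'
}

# Is there a complete watch rule for PATH? "Complete" means the benchmark's
# fields: -a always,exit, -F perm=x, -F auid>=1000 and -F auid!=unset.
# Prints the matching rule and returns 0, or returns 1 when none matches.
check_path_rule() {
    local rules="$1" path="$2" line
    line=$(normalise_rules "$rules" | grep -- "-F path=$path\( \|$\)" |
           grep -- '-a always,exit' | grep -- '-F perm=x' |
           grep -- '-F auid>=1000' | grep -- '-F auid!=unset' | head -n1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Is there a 64-bit syscall rule for SYSCALL with the given -F exit= value
# (for example -EPERM), -F auid>=1000 and -F auid!=unset?
check_syscall_rule() {
    local rules="$1" syscall="$2" exitval="$3" line
    line=$(normalise_rules "$rules" | grep -- '-a always,exit' |
           grep -- '-F arch=b64' | grep -- "-S $syscall\( \|$\)" |
           grep -- "-F exit=$exitval\( \|$\)" | grep -- '-F auid>=1000' |
           grep -- '-F auid!=unset' | head -n1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Run every check of items 8.1.19 to 8.1.25: one result line per rule and a
# final "findings=N" line; the return code is 0 only when N is 0.
run_benchmark_checks() {
    local rules="$1" findings=0 p e
    for p in /usr/lib/openssh/ssh-keysign /usr/bin/passwd /sbin/unix_chkpwd \
             /usr/bin/gpasswd /usr/bin/chage /bin/su /usr/bin/sudo \
             /usr/bin/newgrp /usr/bin/chsh /usr/bin/sudoedit \
             /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/crontab \
             /usr/sbin/pam_timestamp_check; do
        if check_path_rule "$rules" "$p" >/dev/null; then
            echo "PASS    watch on $p"
        else
            echo "FINDING no complete watch rule for $p"
            findings=$((findings + 1))
        fi
    done
    for e in -EPERM -EACCES; do
        if check_syscall_rule "$rules" open_by_handle_at "$e" >/dev/null; then
            echo "PASS    open_by_handle_at with exit=$e"
        else
            echo "FINDING no open_by_handle_at rule with exit=$e"
            findings=$((findings + 1))
        fi
    done
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed demonstration rule set: two complete watches, one watch that
# lacks -F perm=x (so it never fires on execution) and only one of the two
# open_by_handle_at rules.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
# sample rules (constructed for this example)
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
EOF
if run_benchmark_checks "$demo_rules"; then
    echo "compliant with 8.1.19-8.1.25"
else
    echo "not compliant: see FINDING lines above"
fi
rm -f "$demo_rules"
# Live system: auditctl -l > /tmp/loaded.rules && run_benchmark_checks /tmp/loaded.rules
```

Checking the loaded rules from auditctl -l as well as the file catches the case the benchmark's closing sentence warns about: a correct rule in the file that never took effect because auditd was not restarted.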

8.5 Verify integrity of all packages (scored)

Profile Applicability

Level 5

Description

Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.

Rationale

Verify the integrity of all packages in order to monitor the files of the packages installed on the system.

Audit

Run the following command to list installed files whose contents no longer match the package manifest (example output):

# dpkg -V 
??5?????? c /etc/sudoers
??5?????? c /etc/vim/vimrc

Remediation

Run the following command to determine which package owns the file:

# dpkg -S <filename>

If it is confirmed that the file was not modified intentionally by its owner, the package can be reinstalled from an apt repository using the command:

# apt-get --reinstall install <packagename>
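To make the 8.5 audit repeatable, the following added example (not part of the harbian-audit benchmark) parses dpkg -V output and separates modified conffiles, which administrators edit on purpose, from modified non-conffiles, which are the reinstall candidates the remediation describes. It assumes dpkg's rpm-style verify format (a nine-character flag field, an optional "c" for conffiles, then the path), that paths contain no whitespace, and that lines for absent files begin with the word "missing"; apart from the two lines taken from the benchmark's example output, the sample input is constructed.

```bash
#!/bin/bash
# Added example (not part of the harbian-audit benchmark): triage the
# 'dpkg -V' output of item 8.5. Each line of dpkg's rpm-style verify output
# starts with a nine-character flag field; a '5' in the third position means
# the file's MD5 sum differs from the package manifest, and a 'c' in the
# following field marks a conffile, which administrators are expected to
# edit. Assumptions: paths contain no whitespace, and lines for files that
# no longer exist start with the word "missing".

# Read dpkg -V lines on stdin and print one classified line per input line:
#   CONFFILE <path>  conffile content differs (usually an intended edit)
#   MODIFIED <path>  non-conffile content differs (reinstall candidate)
#   MISSING  <path>  file from the package manifest is absent
#   OTHER    <path>  some check other than the MD5 sum failed
triage_dpkg_verify() {
    local line flags attr path kind
    set -f                      # the '?' flags must not glob-expand
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line            # $1 = flags, last word = path
        flags=$1
        attr=""
        [ $# -eq 3 ] && attr=$2
        shift $(($# - 1))
        path=$1
        if [ "$flags" = missing ]; then
            kind=MISSING
        elif [ "${flags:2:1}" = 5 ]; then
            if [ "$attr" = c ]; then kind=CONFFILE; else kind=MODIFIED; fi
        else
            kind=OTHER
        fi
        printf '%-8s %s\n' "$kind" "$path"
    done
    set +f
}

# Paths worth reinstalling: modified files that are not conffiles. Feed each
# one to 'dpkg -S <path>' (as the benchmark does) to find the owning package,
# then run 'apt-get --reinstall install <package>'.
reinstall_candidates() {
    triage_dpkg_verify | awk '$1 == "MODIFIED" { print $2 }'
}

# Constructed sample output: the first two lines are the benchmark's own
# example, the remaining lines are invented for illustration.
SAMPLE='??5?????? c /etc/sudoers
??5?????? c /etc/vim/vimrc
??5??????   /usr/bin/example-tool
missing   c /etc/example/example.conf'

printf '%s\n' "$SAMPLE" | triage_dpkg_verify
echo "--- reinstall candidates ---"
printf '%s\n' "$SAMPLE" | reinstall_candidates
# Live system: dpkg -V | triage_dpkg_verify
```

A modified conffile such as /etc/sudoers still deserves a look (the benchmark's example shows exactly that file), but it is the MODIFIED entries for binaries and libraries that indicate tampering or corruption and that reinstalling the owning package will repair.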

9.2.1 Set password creation requirement Parameters Using pam_cracklib: retry option (scored)

Profile Applicability

Level 2

Description

When a user enters an invalid password three times, an error is returned.

Rationale

Prevents multiple attempts at guessing the password.

Audit

The "retry" option sets the number of attempt password times. Check for the value of the "retry" option in "/etc/pam.d/common-password" with the following command:

# grep retry /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3

If the value of "retry" is set to more than "3", this is a finding.

Remediation

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 

9.2.2 Set password creation requirement Parameters Using pam_cracklib: minlen option (scored)

Profile Applicability

Level 2

Description

Passwords must be a minimum of 14 characters in length.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Audit

Verify the operating system enforces a minimum 14-character password length. The "minlen" option sets the minimum number of characters in a new password. Check for the value of the "minlen" option in "/etc/pam.d/common-password" with the following command:

# grep minlen /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 

If the command does not return a "minlen" value of 14 or greater, this is a finding.

Remediation

Configure operating system to enforce a minimum 14-character password length. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=14 difok=3

9.2.3 Set password creation requirement Parameters Using pam_cracklib: dcredit option (scored)

Profile Applicability

Level 2

Description

When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The value that requires a number of numeric characters is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "dcredit" in "/etc/pam.d/common-password" with the following command:

# grep dcredit /etc/pam.d/common-password  
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3  dcredit=-1

If the value of "dcredit" is not set to a negative value, this is a finding.

Remediation

Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add the following line to /etc/pam.d/common-password (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3  dcredit=-1

9.2.4 Set password creation requirement Parameters Using pam_cracklib: ucredit option (scored)

Profile Applicability

Level 2

Description

When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The value that requires a number of upper-case characters is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ucredit" in "/etc/pam.d/common-password" with the following command:

# grep ucredit /etc/pam.d/common-password 
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 

If the value of "ucredit" is not set to a negative value, this is a finding.

Remediation

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1

9.2.5 Set password creation requirement Parameters Using pam_cracklib: ocredit option (scored)

Profile Applicability

Level 2

Description

When passwords are changed or new passwords are assigned, the new password must contain at least one special character.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

Verify the operating system enforces password complexity by requiring that at least one special character be used. Note: the value that requires a number of special characters is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "ocredit" in "/etc/pam.d/common-password" with the following command:

# grep ocredit /etc/pam.d/common-password
password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1

If the value of "ocredit" is not set to a negative value, this is a finding.

Remediation

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	  requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ocredit=-1 

9.2.6 Set password creation requirement Parameters Using pam_cracklib: lcredit option (scored)

Profile Applicability

Level 2

Description

When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The value that requires a number of lower-case characters is expressed as a negative number in "/etc/pam.d/common-password". Check the value for "lcredit" in "/etc/pam.d/common-password" with the following command:

# grep lcredit /etc/pam.d/common-password 
password	   requisite			pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1 

If the value of "lcredit" is not set to a negative value, this is a finding.

Remediation

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1 

9.2.7 Set password creation requirement Parameters Using pam_cracklib: difok option (scored)

Profile Applicability

Level 2

Description

When passwords are changed, a minimum of eight of the total number of characters must be changed.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The "difok" option sets the number of characters in a password that must not be present in the old password. Check for the value of the "difok" option in "/etc/pam.d/common-password" with the following command:

# grep difok /etc/pam.d/common-password 
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=3

If the value of "difok" is set to less than "8", this is a finding.

Remediation

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8

9.2.8 Set password creation requirement Parameters Using pam_cracklib: minclass option (scored)

Profile Applicability

Level 2

Description

When passwords are changed, a minimum of four character classes must be changed.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). Check for the value of the "minclass" option in "/etc/pam.d/common-password" with the following command:

# grep minclass /etc/pam.d/common-password
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4

If the value of "minclass" is set to less than "4", this is a finding.

Remediation

Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 minclass=4 

9.2.9 Set password creation requirement Parameters Using pam_cracklib: maxrepeat option (scored)

Profile Applicability

Level 2

Description

When passwords are changed, the number of repeating consecutive characters must not be more than three.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. Check for the value of the "maxrepeat" option in "/etc/pam.d/common-password" with the following command:

# grep maxrepeat /etc/pam.d/common-password 
password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3

If the value of "maxrepeat" is set to more than "3", this is a finding.

Remediation

Configure the operating system to limit the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password  	requisite			pam_cracklib.so retry=3 minlen=8 difok=8 maxrepeat=3

9.2.10 Set password creation requirement Parameters Using pam_cracklib: maxclassrepeat option (scored)

Profile Applicability

Level 2

Description

When passwords are changed, the number of repeating characters of the same character class must not be more than four.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Audit

The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. Check for the value of the "maxclassrepeat" option in "/etc/pam.d/common-password" with the following command:

# grep maxclassrepeat /etc/pam.d/common-password
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4

If the value of "maxclassrepeat" is set to more than "4", this is a finding.

Remediation

Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 maxclassrepeat=4

9.2.13 Set password creation requirement Parameters Using pam_unix: sha512 option (scored)

Profile Applicability

Level 2

Description

The PAM system service must be configured to store only encrypted representations of passwords.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Audit

Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep "password.*pam_unix.*sha512" /etc/pam.d/common-password    
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512

If the "/etc/pam.d/common-password" configuration file allows password hashes other than SHA512 to be used, this is a finding.

Remediation

Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/common-password":

password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
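
As an added example (not part of the harbian-audit benchmark), the following script reads a PAM configuration file the way the audit steps for 9.2.9, 9.2.10 and 9.2.13 describe and reports all three findings in one pass, skipping commented-out lines that a plain grep would still print. The two sample files are constructed here; treating a missing option as a finding is stricter than the literal audit text but matches the remediation.

```shell
# Added example; not the benchmark's own code. Sample files are constructed.

# Print the value of OPTION on the first uncommented line of stack TYPE
# (auth, account, password, session) that loads MODULE. A flag option with
# no "=value" prints "yes"; nothing is printed if module or option is absent.
# Usage: pam_opt FILE TYPE MODULE OPTION
pam_opt() {
    awk -v type="$2" -v mod="$3" -v opt="$4" '
        /^[ \t]*#/ || $1 != type { next }
        {
            m = 0
            for (i = 2; i <= NF; i++) if ($i == mod) { m = i; break }
            if (!m) next
            for (i = m + 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (kv[1] == opt) { print (n > 1 ? kv[2] : "yes"); exit }
            }
            exit
        }' "$1"
}

# Return 0 when VALUE is missing, not a number, or greater than MAX.
exceeds() {
    case "$1" in '' | *[!0-9]*) return 0 ;; esac
    [ "$1" -gt "$2" ]
}

# Print one line per finding for FILE; return 0 when compliant, 1 otherwise.
check_common_password() {
    f="$1"
    rc=0
    v=$(pam_opt "$f" password pam_cracklib.so maxrepeat)
    if exceeds "$v" 3; then
        echo "9.2.9  maxrepeat=${v:-unset} (must be 3 or less)"; rc=1
    fi
    v=$(pam_opt "$f" password pam_cracklib.so maxclassrepeat)
    if exceeds "$v" 4; then
        echo "9.2.10 maxclassrepeat=${v:-unset} (must be 4 or less)"; rc=1
    fi
    v=$(pam_opt "$f" password pam_unix.so sha512)
    if [ "$v" != yes ]; then
        echo "9.2.13 pam_unix.so without sha512"; rc=1
    fi
    return "$rc"
}

# Constructed samples standing in for /etc/pam.d/common-password.
PAM_DIR=$(mktemp -d)
PAM_BAD="$PAM_DIR/common-password.bad"
PAM_GOOD="$PAM_DIR/common-password.good"
cat > "$PAM_BAD" <<'EOF'
# the compliant line below is commented out and must not count
# password requisite pam_cracklib.so retry=3 minlen=8 difok=3 maxrepeat=3
password  requisite                   pam_cracklib.so retry=3 minlen=8 difok=3 maxrepeat=5 maxclassrepeat=4
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
cat > "$PAM_GOOD" <<'EOF'
password  requisite                   pam_cracklib.so retry=3 minlen=8 difok=3 maxrepeat=3 maxclassrepeat=4
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

check_common_password "$PAM_BAD" || true   # prints the two findings
```

Run it against the real file with `check_common_password /etc/pam.d/common-password`; the helper `pam_opt` works for the other stacks too (for example the `showfailed` flag of pam_lastlog in the session stack of "/etc/pam.d/login").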

9.2.14 Check auth config is not blank or null passwords using pam_unix (scored)

Profile Applicability

Level 2

Description

The system must not have accounts configured with blank or null passwords.

Rationale

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Audit

To verify that null passwords cannot be used, run the following command:

# grep nullok /etc/pam.d/common-auth
# grep nullok_secure /etc/pam.d/common-auth

If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.

Remediation

If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" and "nullok_secure" options in "/etc/pam.d/common-auth" to prevent logons with empty passwords. Strip "nullok_secure" first: substituting "nullok" first would leave a stray "_secure" argument behind.

# sed -i "s/nullok_secure//" /etc/pam.d/common-auth
# sed -i "s/nullok//" /etc/pam.d/common-auth
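
The following is an added example, not the benchmark's own code. It removes "nullok" and "nullok_secure" from a PAM auth file without leaving debris (running `s/nullok//` before `s/nullok_secure//` turns "nullok_secure" into a stray "_secure" argument, so the longer token is stripped first) and then re-checks the file, ignoring comment lines. It assumes a common-auth style file and GNU sed for `-i`; the sample file is constructed here.

```shell
# Added example; not the benchmark's own code. Sample file is constructed.

# Return 0 if an uncommented auth line still carries nullok or nullok_secure.
auth_allows_nullok() {
    awk '
        /^[ \t]*#/ || $1 != "auth" { next }
        { for (i = 2; i <= NF; i++) if ($i == "nullok" || $i == "nullok_secure") found = 1 }
        END { exit !found }' "$1"
}

# Strip both options in place. The longer token must go first, and each
# match is anchored to a following blank or end of line so that only the
# whole option word is removed.
strip_nullok() {
    sed -i -e 's/[[:space:]]\{1,\}nullok_secure\([[:space:]]\|$\)/\1/g' \
           -e 's/[[:space:]]\{1,\}nullok\([[:space:]]\|$\)/\1/g' "$1"
}

# Constructed sample standing in for /etc/pam.d/common-auth.
PAM_AUTH=$(mktemp)
cat > "$PAM_AUTH" <<'EOF'
# constructed sample of /etc/pam.d/common-auth
auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF

if auth_allows_nullok "$PAM_AUTH"; then
    echo "finding: empty passwords allowed, fixing"
    strip_nullok "$PAM_AUTH"
fi
```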

9.2.15 Set login to display the date and time of the last failed logon using pam_lastlog (scored)

Profile Applicability

Level 3

Description

The system must display the date and time of the last successful account logon upon logon.

Rationale

Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

Audit

Verify users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command:

# grep pam_lastlog /etc/pam.d/login
session optional pam_lastlog.so showfailed

If "pam_lastlog" is missing from "/etc/pam.d/login" file, this is a finding.

Remediation

Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login":

session     optional      pam_lastlog.so showfailed

9.3.15 Set login to display the date and time of the last failed logon using pam_lastlog (scored)

Profile Applicability

Level 2

Description

The system must display the date and time of the last successful account logon upon an SSH logon.

Rationale

Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.

Audit

Verify SSH provides users with feedback on when account accesses last occurred. Check that the "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:

# grep -i printlastlog /etc/ssh/sshd_config
PrintLastLog yes

If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.

Remediation

Add the following line to "/etc/ssh/sshd_config":

PrintLastLog yes

The SSH service must be restarted for changes to "sshd_config" to take effect.

9.3.16 Set SSHD ignoreuserknownhosts to yes (scored)

Profile Applicability

Level 2

Description

The SSH daemon must not allow authentication using known hosts authentication.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Audit

Verify the SSH daemon does not allow authentication using known hosts authentication. To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:

# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
IgnoreUserKnownHosts yes

If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.

Remediation

Configure the SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

IgnoreUserKnownHosts yes

The SSH service must be restarted for changes to take effect.

9.3.17 Set SSHD GSSAPIAuthentication to no (scored)

Profile Applicability

Level 2

Description

The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.

Rationale

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.

Audit

Verify the SSH daemon does not permit GSSAPI authentication unless approved. Check that the SSH daemon does not permit GSSAPI authentication with the following command:

# grep -i gssapiauth /etc/ssh/sshd_config
GSSAPIAuthentication no

If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.

Remediation

Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":

GSSAPIAuthentication no

The SSH service must be restarted for changes to take effect. If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.

9.3.18 Set SSHD KerberosAuthentication to no (scored)

Profile Applicability

Level 2

Description

The SSH daemon must not permit Kerberos authentication unless needed.

Rationale

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.

Audit

Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:

# grep -i kerberosauth /etc/ssh/sshd_config
KerberosAuthentication no

If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.

Remediation

Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":

KerberosAuthentication no

The SSH service must be restarted for changes to take effect. If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.

9.3.19 Set SSHD StrictModes to yes (scored)

Profile Applicability

Level 2

Description

The SSH daemon must perform strict mode checking of home directory configuration files.

Rationale

If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.

Audit

Verify the SSH daemon performs strict mode checking of home directory configuration files. The location of the "sshd_config" file may vary if a different daemon is in use. Inspect the "sshd_config" file with the following command:

# grep -i strictmodes /etc/ssh/sshd_config
StrictModes yes

If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.

Remediation

Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":

StrictModes yes

The SSH service must be restarted for changes to take effect.

9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (scored)

Profile Applicability

Level 2

Description

The SSH daemon must use privilege separation.

Rationale

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Audit

Verify the SSH daemon performs privilege separation. Check that the SSH daemon performs privilege separation with the following command:

# grep -i usepriv /etc/ssh/sshd_config
UsePrivilegeSeparation sandbox

If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.

Remediation

Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox":

UsePrivilegeSeparation sandbox

The SSH service must be restarted for changes to take effect.

9.3.21 Set SSHD Compression to no (scored)

Profile Applicability

Level 2

Description

The SSH daemon must not allow compression or must only allow compression after successful authentication.

Rationale

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

Audit

Verify the SSH daemon performs compression after a user successfully authenticates. Check that the SSH daemon performs compression after a user successfully authenticates with the following command:

# grep -i compression /etc/ssh/sshd_config
Compression delayed

If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.

Remediation

Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "no":

Compression no

The SSH service must be restarted for changes to take effect.

9.3.22 Set SSHD MACs to hmac-sha2-256,hmac-sha2-512 (scored)

Profile Applicability

Level 2

Description

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

Rationale

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.

Audit

Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:

# grep -i macs /etc/ssh/sshd_config
MACs hmac-sha2-256,hmac-sha2-512

If any MACs other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.

Remediation

Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

MACs hmac-sha2-256,hmac-sha2-512

The SSH service must be restarted for changes to take effect.
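
The following is an added example, not the benchmark's own code. It evaluates an sshd_config the way sshd reads it (keywords are case-insensitive, comment lines are ignored, and the first occurrence of a keyword wins) and reports items 9.3.15 to 9.3.22 in one pass; a plain `grep -i` also prints commented-out and overridden lines, which is why the audit text has to spell out those cases. It assumes the "Keyword value" syntax with no Match blocks; on a live host `sshd -T` prints the effective configuration and is the authoritative check. The two sample files are constructed here.

```shell
# Added example; not the benchmark's own code. Sample files are constructed.

# Print the effective value of KEY in FILE, or nothing if it is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Print one line per finding for FILE; return 0 when compliant, 1 otherwise.
check_sshd_config() {
    f="$1"
    rc=0
    # keyword followed by the comma-separated values the benchmark accepts
    while read -r key allowed; do
        v=$(sshd_effective "$f" "$key" | tr 'A-Z' 'a-z')
        case ",$allowed," in *",$v,"*) continue ;; esac
        echo "$key: ${v:-unset} (expected: $allowed)"; rc=1
    done <<'EOF'
PrintLastLog yes
IgnoreUserKnownHosts yes
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression no,delayed
EOF
    # every listed MAC must be one of the two SHA-2 HMACs
    macs=$(sshd_effective "$f" MACs | tr 'A-Z,' 'a-z ')
    [ -n "$macs" ] || { echo "MACs: unset"; rc=1; }
    for m in $macs; do
        case "$m" in
            hmac-sha2-256 | hmac-sha2-512) ;;
            *) echo "MACs: $m is not permitted"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples standing in for /etc/ssh/sshd_config.
SSHD_DIR=$(mktemp -d)
SSHD_BAD="$SSHD_DIR/sshd_config.bad"
SSHD_GOOD="$SSHD_DIR/sshd_config.good"
cat > "$SSHD_BAD" <<'EOF'
# constructed sample: commented default, duplicate keyword, weak settings
#PrintLastLog yes
IgnoreUserKnownHosts yes
gssapiauthentication YES
KerberosAuthentication no
StrictModes no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression yes
MACs hmac-sha2-256,hmac-md5
EOF
cat > "$SSHD_GOOD" <<'EOF'
PrintLastLog yes
IgnoreUserKnownHosts yes
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression no
MACs hmac-sha2-256,hmac-sha2-512
EOF

check_sshd_config "$SSHD_BAD" || true   # prints five findings
```

Note that in the sample the second "StrictModes yes" does not rescue the first "StrictModes no": sshd keeps the first value it sees, so a hardened line appended to the end of the file is silently ignored if the keyword already appears earlier.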

9.3.23 Check SSH public host key permission (scored)

Profile Applicability

Level 2

Description

The SSH public host key files must have mode 0644 or less permissive.

Rationale

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Audit

Verify the SSH public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. The following command will find all SSH public key files on the system:

# find /etc/ssh/ -name "*key.pub" -perm /133 -exec ls -l {} \;
-rw-rw-rw- 1 root root 91 Jun 13 00:40 /etc/ssh/ssh_host_ed25519_key.pub
-rw-rw-rw- 1 root root 391 Jun 13 00:40 /etc/ssh/ssh_host_rsa_key.pub

If any file has a mode more permissive than "0644", this is a finding.

Remediation

Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command (the host key files are named "ssh_host_<type>_key.pub", so the pattern must not expect a dot before "key"):

# chmod 0644 /etc/ssh/*key.pub

9.3.24 Check SSH private host key permission (scored)

Profile Applicability

Level 2

Description

The SSH private host key files must have mode 0600 or less permissive.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Audit

Verify the SSH private host key files have mode "0600" or less permissive. Check the mode of the private host key files under "/etc/ssh" with the following command:

# find /etc/ssh/ -type f -name "*ssh_host*key" -exec ls -l {} \;
-rwxrwxrwx 1 root root 399 Jun 13 00:40 /etc/ssh/ssh_host_ed25519_key
-rwxrwxrwx 1 root root 1679 Jun 13 00:40 /etc/ssh/ssh_host_rsa_key
-rwxrwxrwx 1 root root 227 Jun 13 00:40 /etc/ssh/ssh_host_ecdsa_key

If any file has a mode more permissive than "0600", this is a finding.

Remediation

Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:

# chmod 0600 /etc/ssh/ssh_host*key
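
The following is an added example, not the benchmark's own code. It checks host key modes bitwise (any permission bit set beyond 0644 for a public key or 0600 for a private key is a finding, which is what "more permissive than" means here) and applies the two chmod remediations of 9.3.23 and 9.3.24 to a directory. It assumes GNU coreutils `stat -c %a`, as on Debian; the key directory and its empty key files are constructed here.

```shell
# Added example; not the benchmark's own code. The key files are constructed.

# Return 0 if FILE has a permission bit set that MAXMODE (octal) does not.
more_permissive_than() {
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & ~0$2 )) -ne 0 ]
}

# Print "mode file (max)" for each host key in DIR that is too permissive.
host_key_findings() {
    for f in "$1"/ssh_host_*key "$1"/ssh_host_*key.pub; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) max=644 ;; *) max=600 ;; esac
        if more_permissive_than "$f" "$max"; then
            printf '%s %s (max 0%s)\n' "$(stat -c %a "$f")" "$f" "$max"
        fi
    done
}

# Remediation for 9.3.23 and 9.3.24 applied to DIR instead of /etc/ssh.
fix_host_key_modes() {
    chmod 0644 "$1"/ssh_host_*key.pub
    chmod 0600 "$1"/ssh_host_*key
}

# Constructed sample directory standing in for /etc/ssh.
KEY_DIR=$(mktemp -d)
for k in ssh_host_rsa_key ssh_host_ed25519_key; do
    : > "$KEY_DIR/$k"
    : > "$KEY_DIR/$k.pub"
done
chmod 0777 "$KEY_DIR/ssh_host_rsa_key"          # world-writable private key
chmod 0666 "$KEY_DIR/ssh_host_rsa_key.pub"      # world-writable public key
chmod 0600 "$KEY_DIR/ssh_host_ed25519_key"      # compliant
chmod 0644 "$KEY_DIR/ssh_host_ed25519_key.pub"  # compliant

host_key_findings "$KEY_DIR"   # lists the two rsa files
```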

10.1.4 Set encrypt method (Scored)

Profile Applicability

Level 3

Description

The shadow file must be configured to store only encrypted representations of passwords.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Audit

Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep -i encrypt /etc/login.defs
ENCRYPT_METHOD SHA512

If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.

Remediation

Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs":

ENCRYPT_METHOD SHA512

10.1.5 Set accounts minimum password lifetime (Scored)

Profile Applicability

Level 3

Description

Passwords must be restricted to a 24 hours/1 day minimum lifetime.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Audit

Check whether the minimum time period between password changes for each user account is one day or greater.

# awk -F: '$4 < 1 {print $1}' /etc/shadow 

If any results are returned that are not associated with a system account, this is a finding.

Remediation

Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:

# chage -m 1 [username]

10.1.6 Set accounts maximum password lifetime (Scored)

Profile Applicability

Level 3

Description

Existing passwords must be restricted to a 60-day maximum lifetime.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Audit

Check whether the maximum time period for existing passwords is restricted to 60 days.

# awk -F: '$5 > 60 {print $1}' /etc/shadow 

If any results are returned that are not associated with a system account, this is a finding.

Remediation

Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.

# chage -M 60 [username]
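
The following is an added example, not the benchmark's own code. It joins a passwd file with its shadow file and reports interactive accounts whose minimum password age is below 1 day (10.1.5) or whose maximum age is above 60 days (10.1.6), so that the "not associated with a system account" step of both audits is applied by the script instead of by hand. Taking "system account" to mean a UID below 1000 (Debian's default UID_MIN) or the "nobody" account, and skipping accounts whose password field is locked with "!" or "*", are assumptions of this example. The sample files are constructed and the hashes are placeholders.

```shell
# Added example; not the benchmark's own code. Sample files are constructed.

# Print "user field value" for each interactive account out of policy.
# Usage: password_age_findings PASSWD_FILE SHADOW_FILE
password_age_findings() {
    awk -F: '
        # first file (passwd): collect interactive accounts (assumed UID >= 1000)
        NR == FNR { if ($3 >= 1000 && $1 != "nobody") user[$1] = 1; next }
        # second file (shadow): fields are name:hash:last:min:max:warn:...
        !($1 in user) { next }
        $2 ~ /^[!*]/ { next }                      # locked, cannot use a password
        $4 == "" || $4 + 0 < 1  { printf "%s min_days %s\n", $1, ($4 == "" ? "unset" : $4) }
        $5 == "" || $5 + 0 > 60 { printf "%s max_days %s\n", $1, ($5 == "" ? "unset" : $5) }
    ' "$1" "$2"
}

# Remediation for one account, as in 10.1.5 and 10.1.6 (needs root; not run here).
enforce_password_age() {
    chage -m 1 -M 60 "$1"
}

# Constructed samples standing in for /etc/passwd and /etc/shadow.
AGE_DIR=$(mktemp -d)
cat > "$AGE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$AGE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDER:17700:0:99999:7:::
sshd:*:17700:0:99999:7:::
alice:$6$PLACEHOLDER:17700:0:99999:7:::
bob:$6$PLACEHOLDER:17700:1:60:7:::
carol:!:17700:0:99999:7:::
nobody:*:17700:0:99999:7:::
EOF

password_age_findings "$AGE_DIR/passwd" "$AGE_DIR/shadow"   # reports alice twice
```

Only alice is reported: root and sshd fall under the UID cut-off, carol is locked, and bob already has a 1-day minimum and 60-day maximum. On a real host run `password_age_findings /etc/passwd /etc/shadow` as root and feed each reported user to `enforce_password_age`.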

10.1.7 Remove (replace) NOPASSWD with PASSWD in the sudoers config file (Scored)

Profile Applicability

Level 3

Description

Users must provide a password for privilege escalation.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

Audit

If passwords are not being used for authentication, this is Not Applicable. Verify the operating system requires users to supply a password for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:

# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*

If any uncommented line is found with a "NOPASSWD" tag, this is a finding.

Remediation

Replace any occurrences of "NOPASSWD" tags with "PASSWD" tags in the file.

10.1.8 Remove (replace) "!authenticate" with "authenticate" in the sudoers config file (Scored)

Profile Applicability

Level 3

Description

Users must re-authenticate for privilege escalation.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.

Audit

Verify the operating system requires users to reauthenticate for privilege escalation. Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:

# grep -i authenticate /etc/sudoers /etc/sudoers.d/*

If any line is found with a "!authenticate" tag, this is a finding.

Remediation

Replace any occurrences of "!authenticate" with "authenticate" in the file.
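
The following is an added example, not the benchmark's own code. It lists the uncommented sudoers entries that carry a NOPASSWD tag (10.1.7) or the !authenticate option (10.1.8) and then applies the two replacements above. `grep -i nopasswd` alone also reports commented-out lines, so comment lines are skipped here while "#include" and "#includedir" directives (which sudoers does not treat as comments) are kept. The sample file is constructed. On a live host sudoers must be edited through visudo, or at least validated with `visudo -c` afterwards, because sudo refuses to run at all when the file has a syntax error.

```shell
# Added example; not the benchmark's own code. Sample file is constructed.

# Print "file:line" for each finding.  Usage: sudoers_findings FILE...
sudoers_findings() {
    awk '
        /^[ \t]*#/ && !/^[ \t]*#include/ { next }      # comment, not a directive
        toupper($0) ~ /NOPASSWD[ \t]*:/ || tolower($0) ~ /!authenticate/ {
            printf "%s:%s\n", FILENAME, $0
        }' "$@"
}

# Remediation: NOPASSWD becomes PASSWD, !authenticate becomes authenticate.
# Edits FILE in place; on a real host apply the result through visudo.
sudoers_fix() {
    sed -i -e 's/NOPASSWD\([[:space:]]*:\)/PASSWD\1/g' \
           -e 's/!authenticate/authenticate/g' "$1"
}

# Constructed sample standing in for /etc/sudoers.
SUDOERS=$(mktemp)
cat > "$SUDOERS" <<'EOF'
# constructed sample of /etc/sudoers
Defaults        env_reset
Defaults:ops    !authenticate
root    ALL=(ALL:ALL) ALL
# deploy ALL=(ALL) NOPASSWD: ALL   (commented out, not a finding)
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
EOF

sudoers_findings "$SUDOERS"   # reports the Defaults:ops and deploy lines
```

Against a real system the call is `sudoers_findings /etc/sudoers /etc/sudoers.d/*`, which mirrors the audit command above but without the false positives from commented lines.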

10.1.9 Set FAIL_DELAY to wait to allow login when the last login failed (Scored)

Profile Applicability

Level 2

Description

The delay between logon prompts following a failed console logon attempt must be at least four seconds.

Rationale

Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

Audit

Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. Check the value of the "delay" parameter in the "/etc/pam.d/login" file with the following command:

# grep -i delay /etc/pam.d/login
auth       optional   pam_faildelay.so delay=4000000

If the value of "delay" is not set to "4000000" or greater, this is a finding.

Remediation

Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/pam.d/login" file to set the "delay" parameter to "4000000" or greater:

auth       optional   pam_faildelay.so delay=4000000

10.1.10 Set create home bool to yes (Scored)

Profile Applicability

Level 3

Description

All local interactive user accounts, upon creation, must be assigned a home directory.

Rationale

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Audit

Verify all local interactive users on the system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local interactive users with the following command:

# grep -i create_home /etc/login.defs
CREATE_HOME yes

If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.

Remediation

Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows:

CREATE_HOME yes
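
The following is an added example, not the benchmark's own code. It reports the effective value of a login.defs key for items 10.1.4 (ENCRYPT_METHOD) and 10.1.10 (CREATE_HOME). `grep -i` also matches the commented defaults shipped in the file; here comment lines are skipped and, because login.defs is read top to bottom with a later assignment replacing an earlier one, the last uncommented value is the one reported. Keys are matched exactly as written (upper case). The sample files are constructed.

```shell
# Added example; not the benchmark's own code. Sample files are constructed.

# Print the effective value of KEY in FILE, or nothing if it is never set.
login_defs_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == key { v = $2 }                     # later lines override earlier ones
        END { if (v != "") print v }' "$1"
}

# Print one line per finding for FILE; return 0 when compliant, 1 otherwise.
check_login_defs() {
    f="$1"
    rc=0
    v=$(login_defs_value "$f" ENCRYPT_METHOD)
    [ "$v" = SHA512 ] || { echo "10.1.4  ENCRYPT_METHOD=${v:-unset} (must be SHA512)"; rc=1; }
    v=$(login_defs_value "$f" CREATE_HOME)
    [ "$v" = yes ] || { echo "10.1.10 CREATE_HOME=${v:-unset} (must be yes)"; rc=1; }
    return "$rc"
}

# Constructed samples standing in for /etc/login.defs.
DEFS_DIR=$(mktemp -d)
DEFS_BAD="$DEFS_DIR/login.defs.bad"
DEFS_GOOD="$DEFS_DIR/login.defs.good"
cat > "$DEFS_BAD" <<'EOF'
# constructed sample: shipped default commented out, later line overrides
#ENCRYPT_METHOD SHA512
ENCRYPT_METHOD SHA512
ENCRYPT_METHOD MD5
# CREATE_HOME yes
UMASK 022
EOF
cat > "$DEFS_GOOD" <<'EOF'
ENCRYPT_METHOD SHA512
CREATE_HOME yes
UMASK 022
EOF

check_login_defs "$DEFS_BAD" || true   # prints two findings
```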

template

Profile Applicability

Level 5

Description

Rationale

Audit

Remediation