Host Configuration Assessment - Linux
A. CentOS
A1. File System Configuration
A2. Services
A2.1 Ensure the following services are disabled.
Automounting, xinetd, Avahi Server, CUPS, DHCP Server, LDAP server, NFS and RPC, DNS Server, FTP Server, HTTP server, IMAP and POP3 server, Samba, HTTP Proxy Server, SNMP Server, NIS Server, rsh server, telnet server, tftp server, rsync service, talk server
systemctl list-unit-files --state=enabled | grep "autofs\|xinetd\|avahi-daemon\|cups\|dhcpd\|slapd\|nfs\|rpcbind\|named\|vsftpd\|httpd\|dovecot\|smb\|squid\|snmpd\|ypserv\|rsh.socket\|rlogin.socket\|rexec.socket\|telnet.socket\|tftp.socket\|rsyncd\|ntalk"
Any unit listed is a finding. A service can also be running without being enabled, so check the live state as well: systemctl list-units --type=service --state=running
A2.2 Ensure the following services and clients are not installed.
X Window System, NIS Client, rsh client, talk client, telnet client, LDAP client, prelink, SETroubleshoot, MCS Translation Service (mcstrans)
rpm -qa | grep "xorg-x11\|ypbind\|rsh\|talk\|telnet\|openldap-clients\|prelink\|setroubleshoot\|mcstrans"
Any package listed is a finding; "rsh", "talk" and "telnet" also match the corresponding server packages, which must be absent as well.
A2.3 Ensure the following services are installed, enabled and running.
auditd service, rsyslog or syslog-ng service (one of the two), cron daemon
systemctl list-unit-files --state=enabled | grep "auditd\|rsyslog\|syslog-ng\|crond"
systemctl is-active auditd crond rsyslog syslog-ng
Ensure the following are installed: time synchronization (ntp or chrony), TCP Wrappers, AIDE, SELinux, iptables, rsyslog or syslog-ng
rpm -qa | grep -i "ntp\|chrony\|tcp_wrappers\|aide\|libselinux\|iptables\|rsyslog\|syslog-ng"
getenforce
getenforce must report Enforcing; Permissive or Disabled is a finding even when the SELinux packages are present.
A2.4 SMTP
grep "smtpd_banner\|inet_interfaces" /etc/postfix/main.cf
postconf inet_interfaces smtpd_banner
CIS recommended: the MTA listens on the loopback interface only (inet_interfaces = loopback-only) unless the host is a mail relay, and the banner does not disclose the software name or version (e.g. smtpd_banner = $myhostname ESMTP). postconf prints the effective value, including defaults that main.cf does not mention.
A3. Network Configuration
A3.1 Network Parameters
Runtime values (any line that differs from the expected values below is a finding):
sysctl -a 2>/dev/null | grep "net.ipv4.ip_forward\|net.ipv4.conf.all.send_redirects\|net.ipv4.conf.default.send_redirects\|net.ipv4.conf.all.accept_source_route\|net.ipv4.conf.default.accept_source_route\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.default.accept_redirects\|net.ipv4.conf.all.secure_redirects\|net.ipv4.conf.default.secure_redirects\|net.ipv4.conf.all.log_martians\|net.ipv4.conf.default.log_martians\|net.ipv4.icmp_echo_ignore_broadcasts\|net.ipv4.icmp_ignore_bogus_error_responses\|net.ipv4.conf.all.rp_filter\|net.ipv4.conf.default.rp_filter\|net.ipv4.tcp_syncookies\|net.ipv6.conf.all.disable_ipv6"
The same values must be persisted, or the next reboot reverts them:
grep -r "net.ipv4\|net.ipv6" /etc/sysctl.conf /etc/sysctl.d/
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1
The IPv6 setting applies only where IPv6 is not required. Where IPv6 stays enabled, CIS instead requires net.ipv6.conf.all.accept_ra = 0 and net.ipv6.conf.all.accept_redirects = 0, plus the same two .default settings.
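The grep above only shows the keys that exist; a key that is absent (for example when a sysctl is unknown to the running kernel) produces no line and is easy to overlook. The following script is an added example, not part of the original checklist: it compares sysctl output against the expected table above and reports both deviations and missing keys. The sample input is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original checklist): compare "sysctl -a" output
# with the CIS expected values above. Run on the host as:
#     sysctl -a 2>/dev/null | audit_sysctl
# Every deviation prints a FAIL line; an absent key is also a FAIL, which a
# plain "sysctl -a | grep" silently misses. Exit status 0 only when clean.

# Expected values, one "key value" pair per line, taken from the list above.
EXPECTED_SYSCTL='net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.disable_ipv6 1'

# Reads "key = value" lines (sysctl -a format) on stdin.
audit_sysctl() {
    # Normalise "key = value" to "key value" so awk can split on whitespace.
    actual=$(sed -e 's/[[:space:]]*=[[:space:]]*/ /' -e 's/[[:space:]]*$//')
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # First value field of the matching key, or MISSING when absent.
        got=$(printf '%s\n' "$actual" |
              awk -v k="$key" '$1 == k { print $2; found = 1; exit }
                               END { if (!found) print "MISSING" }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key expected=$want actual=$got"
            fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED_SYSCTL
EOF
    [ "$fails" -eq 0 ]
}

# Constructed sample of "sysctl -a" output (not from a real host): forwarding
# is on, default.secure_redirects is on, and all.log_martians is missing.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_local_port_range = 32768 60999'

# Runs the audit over the constructed sample: three FAIL lines, exit status 1.
demo_sysctl() {
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl
}

if [ "${1:-}" = "--demo" ]; then demo_sysctl; fi
```

Run it with --demo to see the three findings from the sample, or pipe the real sysctl -a output into audit_sysctl. The expected table is the one above, so a site that keeps IPv6 enabled should drop the disable_ipv6 line and add the IPv6 accept_ra/accept_redirects keys instead.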
A3.2 Uncommon Network Protocols
Disable the following protocols:
DCCP, SCTP, RDS, TIPC
modprobe -n -v -a dccp sctp rds tipc
lsmod | grep "dccp\|sctp\|rds\|tipc"
Each module should report "install /bin/true" (from an install line in /etc/modprobe.d/*.conf) and lsmod should return nothing; "insmod ..." output means the module can still be loaded.
A4. Logging and Auditing
A4.1 Ensure logging is configured
ls -l /var/log/
grep "^\*\.\*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf
find /var/log -type f -perm /037 -ls
The grep confirms that rsyslog forwards to a remote log host (no match is a finding); the find lists log files that are group-writable or world-readable, which should return nothing.
A4.2 Ensure audit log storage and retention are configured
grep "max_log_file\|space_left_action\|action_mail_acct\|admin_space_left_action\|max_log_file_action" /etc/audit/auditd.conf
CIS recommended audit logs configuration:
max_log_file = <mb>
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
max_log_file_action = keep_logs
A4.3 Ensure the required audit events are collected
grep -h "time-change\|identity\|system-locale\|MAC-policy\|logins\|session\|perm_mod\|access\|mounts\|delete\|scope\|actions\|modules" /etc/audit/audit.rules /etc/audit/rules.d/*.rules
auditctl -l | grep "time-change\|identity\|system-locale\|MAC-policy\|logins\|session\|perm_mod\|access\|mounts\|delete\|scope\|actions\|modules"
grep "^-e 2" /etc/audit/rules.d/*.rules /etc/audit/audit.rules
On CentOS 7 the rules live in /etc/audit/rules.d/*.rules and are compiled into audit.rules by augenrules; auditctl -l shows what is actually loaded in the kernel. Each key (-k value) must appear on the rules CIS defines for it, and the last rule must be -e 2 so the loaded configuration is immutable until reboot.
A5. Access, Authentication and Authorization
A5.1 Configure cron
Ensure /etc/crontab, /etc/cron.allow and /etc/at.allow are 0600 (-rw-------) root:root, the cron directories are 0700 (drwx------) root:root, and /etc/cron.deny and /etc/at.deny do not exist (the allow files take precedence).
stat -c '%a %U:%G %n' /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d /etc/cron.allow /etc/at.allow
ls -l /etc/cron.deny /etc/at.deny
The ls for the two deny files should report "No such file or directory".
A5.2 SSH Server Configuration
Ensure permissions are configured to 0600 (-rw-------) root:root
stat -c '%a %U:%G %n' /etc/ssh/sshd_config
grep -Ei "^(Protocol|LogLevel|X11Forwarding|MaxAuthTries|IgnoreRhosts|HostbasedAuthentication|PermitRootLogin|PermitEmptyPasswords|PermitUserEnvironment|Ciphers|MACs|KexAlgorithms|ClientAliveInterval|ClientAliveCountMax|LoginGraceTime|AllowUsers|AllowGroups|DenyUsers|DenyGroups|Banner)" /etc/ssh/sshd_config
sshd -T | grep -Ei "^(loglevel|x11forwarding|maxauthtries|ignorerhosts|hostbasedauthentication|permitrootlogin|permitemptypasswords|permituserenvironment|ciphers|macs|kexalgorithms|clientaliveinterval|clientalivecountmax|logingracetime|allowusers|allowgroups|denyusers|denygroups|banner)"
sshd_config only lists directives that were set explicitly; sshd -T prints the effective configuration with defaults filled in, so a directive missing from the file (MaxAuthTries defaults to 6, for example) is still visible and auditable.
CIS recommended SSH server configuration (OpenSSH 7.4 and later, as shipped with CentOS 7, only speak protocol 2 and deprecate the Protocol directive; its absence is not a finding there):
Protocol 2
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
Banner /etc/issue.net
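The algorithm directives are the easiest to get wrong when auditing by eye: the list order does not matter, but a single legacy cipher, MAC or key exchange left in the effective list does. The following script is an added example, not part of the original checklist or of OpenSSH: it reads an sshd -T dump, compares the Ciphers/MACs/KexAlgorithms lists as sets against the CIS lists above, checks the exact-value directives, and treats MaxAuthTries, LoginGraceTime and ClientAliveInterval as bounded ranges because CIS states them as "N or less". It assumes the sshd -T output format of OpenSSH 7.x (lower-case keyword, one directive per line); the sample dump is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit the *effective* sshd
# configuration. "sshd -T" prints every directive in lower case with defaults
# filled in, so a weak default that sshd_config never mentions is still caught.
# Usage on the host:   sshd -T | audit_sshd

# Allow-lists taken from the CIS values above. Anything else is a finding.
ALLOWED_CIPHERS='aes256-ctr aes192-ctr aes128-ctr aes256-gcm@openssh.com aes128-gcm@openssh.com chacha20-poly1305@openssh.com'
ALLOWED_MACS='hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com'
ALLOWED_KEX='curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256'

# Value of directive $2 in the sshd -T dump $1 (empty if not present).
sshd_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { sub(/^[^ ]+ +/, ""); print; exit }'
}

# Flag each algorithm in the comma-separated value of $2 that is not in the
# space-separated allow-list $3. Compared as sets: order is not a finding,
# an unapproved member is.
audit_algo_list() {
    val=$(sshd_get "$1" "$2")
    if [ -z "$val" ]; then echo "FAIL $2 not present in sshd -T output"; return 1; fi
    bad=0
    for alg in $(printf '%s\n' "$val" | tr ',' ' '); do
        case " $3 " in
            *" $alg "*) ;;
            *) echo "FAIL $2 unapproved algorithm: $alg"; bad=1 ;;
        esac
    done
    return $bad
}

# Exact-match directive: $2 must equal $3.
audit_eq() {
    val=$(sshd_get "$1" "$2")
    if [ "$val" != "$3" ]; then echo "FAIL $2 is '${val:-<absent>}', expected '$3'"; return 1; fi
    return 0
}

# Bounded numeric directive: $3 <= value of $2 <= $4.
audit_range() {
    val=$(sshd_get "$1" "$2")
    case "$val" in
        ''|*[!0-9]*) echo "FAIL $2 is '${val:-<absent>}', expected a number"; return 1 ;;
    esac
    if [ "$val" -lt "$3" ] || [ "$val" -gt "$4" ]; then
        echo "FAIL $2 is $val, expected $3..$4"; return 1
    fi
    return 0
}

# Reads an "sshd -T" dump on stdin; exit status 0 only when every check passes.
audit_sshd() {
    cfg=$(cat)
    rc=0
    audit_algo_list "$cfg" ciphers       "$ALLOWED_CIPHERS" || rc=1
    audit_algo_list "$cfg" macs          "$ALLOWED_MACS"    || rc=1
    audit_algo_list "$cfg" kexalgorithms "$ALLOWED_KEX"     || rc=1
    for kv in 'permitrootlogin no' 'permitemptypasswords no' 'x11forwarding no' \
              'hostbasedauthentication no' 'ignorerhosts yes' 'permituserenvironment no'; do
        audit_eq "$cfg" $kv || rc=1
    done
    audit_range "$cfg" maxauthtries        1 4   || rc=1
    audit_range "$cfg" logingracetime      1 60  || rc=1
    audit_range "$cfg" clientaliveinterval 1 300 || rc=1
    return $rc
}

# Constructed "sshd -T" excerpt (not from a real host): a server that still
# offers CBC ciphers, SHA-1 MACs and a SHA-1 key exchange, permits root
# login and keeps the default MaxAuthTries and LoginGraceTime.
SAMPLE_SSHD_T='port 22
permitrootlogin yes
permitemptypasswords no
x11forwarding no
hostbasedauthentication no
ignorerhosts yes
permituserenvironment no
maxauthtries 6
logingracetime 120
clientaliveinterval 300
clientalivecountmax 0
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

# Runs the audit over the constructed sample: eight FAIL lines, exit status 1.
demo_sshd() {
    printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd
}

if [ "${1:-}" = "--demo" ]; then demo_sshd; fi
```

The key-exchange allow-list holds only the two algorithms named on this page; a site list will normally be longer, but every entry added to it should be a deliberate decision rather than whatever the build happens to offer.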
A5.3 Ensure password creation requirements are configured
grep "pam_pwquality.so\|pam_unix.so\|pam_faillock.so" /etc/pam.d/system-auth
grep "pam_pwquality.so\|pam_unix.so\|pam_faillock.so" /etc/pam.d/password-auth
CIS recommended PAM configuration (identical in system-auth and password-auth):
password requisite pam_pwquality.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
sha512 and remember=5 belong on a single pam_unix line: with two "sufficient" pam_unix entries the second is never reached. Without the authfail line failed attempts are never counted and the lockout never triggers. On CentOS 7 both files are symlinks to system-auth-ac and password-auth-ac, which authconfig regenerates, so re-check after any authconfig run.
grep "^minlen\|^dcredit\|^lcredit\|^ocredit\|^ucredit" /etc/security/pwquality.conf
CIS recommended /etc/security/pwquality.conf values (a negative credit means at least one character of that class is required):
minlen=14
dcredit=-1
lcredit=-1
ocredit=-1
ucredit=-1
A5.4 Set Shadow Password Suite Parameters
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE" /etc/login.defs
login.defs only applies to accounts created afterwards. Verify existing accounts with chage -l <user>, or list the min/max/warn fields of every account in /etc/shadow that has a password:
awk -F: '$2 !~ /^[!*]/ { print $1, $4, $5, $6 }' /etc/shadow
CIS Recommended Shadow Password Suite Parameters:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7
A5.5 Ensure default user umask is 027 or more restrictive
grep -h "umask" /etc/bashrc /etc/profile /etc/profile.d/*.sh
Every umask applied to non-system users must be 027 or more restrictive (077). On CentOS 7 the stock /etc/bashrc and /etc/profile set 002 or 022 depending on the UID; both are findings.
A6. System Maintenance
A6.1 System File Permissions
stat -c '%a %U:%G %n' /etc/passwd /etc/passwd- /etc/group /etc/group- /etc/shadow /etc/shadow- /etc/gshadow /etc/gshadow-
CIS recommended system file permissions (all owned by root:root; a more restrictive mode is compliant):
0644 (-rw-r--r--) group
0600 (-rw-------) group-
0000 (----------) gshadow
0600 (-rw-------) gshadow-
0644 (-rw-r--r--) passwd
0600 (-rw-------) passwd-
0000 (----------) shadow
0600 (-rw-------) shadow-
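Both A5.1 (cron) and A6.1 (account database files) are "mode N or more restrictive" checks, so comparing the ls string for equality is wrong in both directions: 0400 on /etc/shadow- is compliant, 0640 is not. The following script is an added example, not part of the original checklist: it tests the mode as a bitmask (any bit set in the actual mode that the expected mode does not grant is a finding), checks ownership, and checks that the cron/at deny files are absent. It relies on GNU stat (coreutils) as found on CentOS; the path table is the one from A5.1 and A6.1 above.

```shell
#!/bin/sh
# Added example (not from the original checklist): permission checks for A5.1
# (cron) and A6.1 (account database files). CIS phrases these as "<mode> or
# more restrictive", so the check is a bitmask, not a string comparison.
# Requires GNU stat (coreutils). Run the full sweep with:  sh thisfile --audit

# check_mode PATH MODE [USER:GROUP]
# Finding if PATH is missing, has any permission bit MODE does not grant,
# or (when given) is not owned by USER:GROUP.
check_mode() {
    if [ ! -e "$1" ]; then echo "FAIL $1 does not exist"; return 1; fi
    actual=$(stat -c '%a' "$1")
    owner=$(stat -c '%U:%G' "$1")
    status=0
    # The leading 0 makes the shell read both numbers as octal.
    if [ $(( 0$actual & ~0$2 )) -ne 0 ]; then
        echo "FAIL $1 mode $actual is less restrictive than $2"; status=1
    fi
    if [ -n "${3:-}" ] && [ "$owner" != "$3" ]; then
        echo "FAIL $1 owned by $owner, expected $3"; status=1
    fi
    return $status
}

# check_absent PATH: cron.deny and at.deny must not exist (allow files are used).
check_absent() {
    if [ -e "$1" ]; then echo "FAIL $1 exists but should be absent"; return 1; fi
    return 0
}

# Full sweep over the paths and modes from A5.1 and A6.1; exit 0 only when clean.
audit_file_perms() {
    rc=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        check_mode "$path" "$mode" root:root || rc=1
    done <<EOF
/etc/crontab 600
/etc/cron.hourly 700
/etc/cron.daily 700
/etc/cron.weekly 700
/etc/cron.monthly 700
/etc/cron.d 700
/etc/cron.allow 600
/etc/at.allow 600
/etc/ssh/sshd_config 600
/etc/passwd 644
/etc/passwd- 600
/etc/group 644
/etc/group- 600
/etc/shadow 000
/etc/shadow- 600
/etc/gshadow 000
/etc/gshadow- 600
EOF
    check_absent /etc/cron.deny || rc=1
    check_absent /etc/at.deny   || rc=1
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_file_perms; fi
```

check_mode can be reused for any other "N or more restrictive" item on this page, such as /var/log files; the bitmask test is what makes 0400 pass a 0600 requirement while 0640 fails it.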
Automated Assessment Tools
Lynis (run from the unpacked release directory; a packaged install is invoked as lynis without the ./):
./lynis audit system -Q
OpenSCAP with the SCAP Security Guide content (packages openscap-scanner and scap-security-guide on CentOS 7). List the profiles in the datastream first, then evaluate the chosen one; recent SSG releases ship a CIS profile named xccdf_org.ssgproject.content_profile_cis:
oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
oscap xccdf eval --profile <profile-id> --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
Reference:
https://www.open-scap.org/tools/openscap-base/