######CHANGE####### #RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. #Change corresponding gpg key check to Debian compatible. #RHEL-06-000011: System security patches and updates must be installed and up-to-date. #Change corresponding update utility to Debian compatible. #RHEL-06-000017: The system must use a Linux Security Module at boot time. #Change the SElinux to AppArmor #RHEL-06-000030: The system must not have accounts configured with blank or null passwords. #RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations. #Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file. #To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file. #For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html #RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts. #Change pam_faillock.so pam module to use pam_tally2.so #RHEL-06-000065:The system boot loader configuration file(s) must be owned by root. #RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root. #RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive. #Change /etc/grub.conf to /boot/grub/grub.cfg #RHEL-06-000068:The system boot loader must require authentication. #Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2 #RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package. #RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package. #RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package. #RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package. #For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download " to download it and use "dpkg -c " to read. #There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check #And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory. #I use the sha512sum to do the files' content checking #RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled. #In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null #RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. ####DEPRECATED##### #RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. #DEPRECATED #RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes. #DEPRECATED. #Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password. #RHEL-06-000070:The system must not permit interactive boot. #DEPRECATED.Don't find any interactive boot option in debian yet. #RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. #DEPRECATED #RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory. #DEPRECATED #In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default #RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed. #Change ipv6 checking method and disable method. #Use /proc/net/if_inet6 to check if ipv6 is enabled #Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently #RHEL-06-000103:The system must employ a local IPv6 firewall. #RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. #RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices. #RHEL-06-000113:The system must employ a local IPv4 firewall. #RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. #RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. #DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default #RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). #Change SELinux to Apparmor #RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled. #Using 'service --status-all | grep "xinetd" ' instead of chkconfig #RHEL-06-000211:The telnet daemon must not be running. #In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf #RHEL-06-000214:The rshd service must not be running. #In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf #RHEL-06-000216:The rexecd service must not be running. #In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf #RHEL-06-000218:The rlogind service must not be running. #In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf #RHEL-06-000220:The ypserv package must not be installed. #In Debian using nis package instead of ypserv package. #RHEL-06-000221:The ypbind service must not be running. #In Debian using nis service instead of ypbind service. #RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner. #DEPRECATED #RHEL-06-000247:The system clock must be synchronized continuously, or at least daily. #In debian use ntp instead of ntpd #RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source. #Changing `DoD` time source to trusted time source #RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running. #DEPRECATED. #Didn't find abrtd-like tool in debian yet #RHEL-06-000265:The ntpdate service must not be running. #DEPRECATED #In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so DEPRECATED. #RHEL-06-000266:The oddjobd service must not be running. #DEPRECATED.Debian don't have oddjob service or package #RHEL-06-000267:The qpidd service must not be running. #Debian don't have qpidd service by default, in RHEL this service is selected by "base" package. #RHEL-06-000268:The rdisc service must not be running. #Debian don't have rdisc service by default #RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. #RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. #RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. #RHEL-06-000306:The operating system must detect unauthorized changes to software and information. #RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. #In aide package employ automated mechanisms by default.(cron.daily) #RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. #RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. #RHEL-06-000344:The system default umask in /etc/profile must be 077. #RHEL-06-000343:The system default umask for the csh shell must be 077. #RHEL-06-000342:The system default umask for the bash shell must be 077. #RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. #RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval. #RHEL-06-000284:The system must use and update a DoD-approved virus scan program. #RHEL-06-000285:The system must have a host-based intrusion detection tool installed. ####SHOULD-CHECK-ON-YOU-OWN#### #RHEL-06-000289:The netconsole service must be disabled unless required. #Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module #RHEL-06-000297:Temporary accounts must be provisioned with an expiration date. #RHEL-06-000298:Emergency accounts must be provisioned with an expiration date. #RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. #RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks. #RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. #RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. #RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. #RHEL-06-000524:The system must provide automated support for account management functions.