165 lines
11 KiB
Plaintext
165 lines
11 KiB
Plaintext
|
|
######CHANGE#######
|
|
|
|
#RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
|
#Change corresponding gpg key check to Debian compatible.
|
|
|
|
#RHEL-06-000011: System security patches and updates must be installed and up-to-date.
|
|
#Change corresponding update utility to Debian compatible.
|
|
|
|
#RHEL-06-000017: The system must use a Linux Security Module at boot time.
|
|
#Change the SElinux to AppArmor
|
|
|
|
#RHEL-06-000030: The system must not have accounts configured with blank or null passwords.
|
|
#RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.
|
|
#Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
|
|
#To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
|
|
#For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
|
|
|
|
#RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.
|
|
#Change pam_faillock.so pam module to use pam_tally2.so
|
|
|
|
#RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.
|
|
#RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.
|
|
#RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.
|
|
#Change /etc/grub.conf to /boot/grub/grub.cfg
|
|
|
|
#RHEL-06-000068:The system boot loader must require authentication.
|
|
#Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2
|
|
|
|
#RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.
|
|
#RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.
|
|
#RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.
|
|
#RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.
|
|
#For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.
|
|
#There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check
|
|
#And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.
|
|
#I use the sha512sum to do the files' content checking
|
|
|
|
#RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.
|
|
#In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null
|
|
|
|
#RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
|
|
|
|
|
|
####DEPRECATED#####
|
|
#RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
|
|
#DEPRECATED
|
|
|
|
#RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.
|
|
#DEPRECATED.
|
|
#Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.
|
|
|
|
#RHEL-06-000070:The system must not permit interactive boot.
|
|
#DEPRECATED.Don't find any interactive boot option in debian yet.
|
|
|
|
#RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
|
|
#DEPRECATED
|
|
|
|
#RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.
|
|
#DEPRECATED
|
|
#In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default
|
|
|
|
#RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.
|
|
#Change ipv6 checking method and disable method.
|
|
#Use /proc/net/if_inet6 to check if ipv6 is enabled
|
|
#Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently
|
|
|
|
#RHEL-06-000103:The system must employ a local IPv6 firewall.
|
|
#RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
|
#RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.
|
|
#RHEL-06-000113:The system must employ a local IPv4 firewall.
|
|
#RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
|
#RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
|
|
#DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default
|
|
|
|
#RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
|
|
#Change SELinux to Apparmor
|
|
|
|
#RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.
|
|
#Using 'service --status-all | grep "xinetd" ' instead of chkconfig
|
|
|
|
#RHEL-06-000211:The telnet daemon must not be running.
|
|
#In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf
|
|
|
|
#RHEL-06-000214:The rshd service must not be running.
|
|
#In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf
|
|
|
|
#RHEL-06-000216:The rexecd service must not be running.
|
|
#In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf
|
|
|
|
#RHEL-06-000218:The rlogind service must not be running.
|
|
#In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf
|
|
|
|
#RHEL-06-000220:The ypserv package must not be installed.
|
|
#In Debian using nis package instead of ypserv package.
|
|
|
|
#RHEL-06-000221:The ypbind service must not be running.
|
|
#In Debian using nis service instead of ypbind service.
|
|
|
|
#RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.
|
|
#DEPRECATED
|
|
|
|
#RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.
|
|
#In debian use ntp instead of ntpd
|
|
|
|
#RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.
|
|
#Changing `DoD` time source to trusted time source
|
|
|
|
#RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.
|
|
#DEPRECATED.
|
|
#Didn't find abrtd-like tool in debian yet
|
|
|
|
#RHEL-06-000265:The ntpdate service must not be running.
|
|
#DEPRECATED
|
|
#In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so DEPRECATED.
|
|
|
|
#RHEL-06-000266:The oddjobd service must not be running.
|
|
#DEPRECATED.Debian don't have oddjob service or package
|
|
|
|
#RHEL-06-000267:The qpidd service must not be running.
|
|
#Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.
|
|
|
|
#RHEL-06-000268:The rdisc service must not be running.
|
|
#Debian don't have rdisc service by default
|
|
|
|
#RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
|
|
#RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
|
|
#RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
|
|
#RHEL-06-000306:The operating system must detect unauthorized changes to software and information.
|
|
#RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
|
|
#In aide package employ automated mechanisms by default.(cron.daily)
|
|
|
|
#RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
|
|
|
|
#RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
|
|
#RHEL-06-000344:The system default umask in /etc/profile must be 077.
|
|
#RHEL-06-000343:The system default umask for the csh shell must be 077.
|
|
#RHEL-06-000342:The system default umask for the bash shell must be 077.
|
|
#RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
|
|
|
|
#RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.
|
|
|
|
|
|
|
|
|
|
|
|
#RHEL-06-000284:The system must use and update a DoD-approved virus scan program.
|
|
#RHEL-06-000285:The system must have a host-based intrusion detection tool installed.
|
|
|
|
|
|
|
|
####SHOULD-CHECK-ON-YOU-OWN####
|
|
|
|
|
|
#RHEL-06-000289:The netconsole service must be disabled unless required.
|
|
#Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module
|
|
#RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.
|
|
#RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.
|
|
#RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
|
|
#RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.
|
|
#RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
|
|
#RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
|
|
#RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
|
|
#RHEL-06-000524:The system must provide automated support for account management functions.
|