File: //opt/microsoft/omsagent/plugin/oms_audits.xml
<data>
  <audits
    BaselineId="OMS.Linux.1"
    BaseOrigId="1">
    <audit
      description="The nodev option should be enabled for all removable media."
      msid="2.1"
      cceid="CCE-3522-0"
      severity="Important"
      impact="An attacker could mount a special device (e.g. block or character device) via removable media"
      remediation="Add the nodev option to the fourth field (mounting options) in /etc/fstab"
      ruleId="5c7537f2-b90b-44a4-89c9-4fca5fd79ef7">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        filter="^[^#]\S+\s+\S*(floppy|cdrom)"
        regex="nodev"
        path="/etc/fstab" />
    </audit>
    <audit
      description="The noexec option should be enabled for all removable media."
      msid="2.2"
      cceid="CCE-4275-4"
      severity="Important"
      impact="An attacker could load executable file via removable media"
      remediation="Add the noexec option to the fourth field (mounting options) in /etc/fstab"
      ruleId="7976cc38-fddb-4913-9295-4fcac2e641c3">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        filter="^[^#]\S+\s+\S*(floppy|cdrom)"
        regex="noexec"
        path="/etc/fstab" />
    </audit>
    <audit
      description="The nosuid option should be enabled for all removable media."
      msid="2.3"
      cceid="CCE-4042-8"
      severity="Important"
      impact="An attacker could load files that run with an elevated security context via removable media"
      remediation="Add the nosuid option to the fourth field (mounting options) in /etc/fstab"
      ruleId="cdc390c9-fb4a-47f6-90a7-4e1bd6d0e9e6">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        filter="^[^#]\S+\s+\S*(floppy|cdrom)"
        regex="nosuid"
        path="/etc/fstab" />
    </audit>
    <audit
      description="The nodev/nosuid option should be enabled for all NFS mounts."
      msid="5"
      cceid="CCE-4368-7"
      severity="Important"
      impact="An attacker could load files that run with an elevated security context or special devices via remote file system"
      remediation="Add the nosuid and nodev options to the fourth field (mounting options) in /etc/fstab"
      ruleId="7ca24433-3c08-4ff5-9fe2-d8e1830c5829">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        filter="nfs\s+"
        regex="nosuid|nodev"
        path="/etc/fstab" />
    </audit>
    <audit
      description="/etc/passwd file permissions should be 0644"
      msid="12.1"
      cceid="CCE-3566-7"
      severity="Critical"
      impact="An attacker could modify userIDs and login shells"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms'. This will set the permissions and ownership of /etc/passwd"
      ruleId="ad534c97-1070-415c-9fc7-c92366d3fc30">
      <check
        distro="*"
        command="CheckFileStats"
        path="/etc/passwd"
        expect="root root 644" />
    </audit>
    <audit
      description="/etc/group file permissions should be 0644"
      msid="12.2"
      cceid="CCE-3967-7"
      severity="Critical"
      impact="An attacker could elevate privileges by modifying group membership"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-group-perms'. This will set the permissions and ownership of /etc/group"
      ruleId="c41a47e9-1ba0-4e72-9f43-4659a4bfed63">
      <check
        distro="*"
        command="CheckFileStats"
        path="/etc/group"
        expect="root root 644" />
    </audit>
    <audit
      description="The 'root' group should exist, and contain all members who can su to root"
      msid="22"
      cceid="CCE-14088-9"
      severity="Critical"
      impact="An attacker could escalate permissions by password guessing if su is not restricted to users in the root group."
      remediation="Create the root group via the command 'groupadd -g 0 root'"
      ruleId="8cac0c32-1add-42b9-9300-5ccb9f91aab3">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^root:x:0:"
        path="/etc/group" />
    </audit>
    <audit
      description="There are no accounts without passwords"
      msid="23.2"
      cceid="CCE-4238-2"
      severity="Critical"
      impact="An attacker can login to accounts with no password and execute arbitrary commands."
      remediation="Use the passwd command to set passwords for all accounts"
      ruleId="ca9d29b7-79bd-4c99-85e2-1454295c3c8e">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        regex="^[^:]+::"
        path="/etc/shadow" />
    </audit>
    <audit
      description="Accounts other than root must have unique UIDs greater than zero (0)"
      msid="24"
      cceid="CCE-4009-7"
      severity="Critical"
      impact="If an account other than root has uid zero, an attacker could compromise the account and gain root privileges."
      remediation="Assign unique, non-zero uids to all non-root accounts using 'usermod -u'"
      ruleId="7de0f0e6-f97b-4e12-8f9e-c6538ca5a85b">
      <!-- NOTE(review): [^:] matches exactly one character, so this regex
           only fires for a one-character account name followed by a
           one-character second field; a UID-0 match needs ^[^:]+:[^:]+:0:.
           The path is also /etc/shadow, whose third field is the last-change
           date, while the UID is the third field of /etc/passwd (the file the
           12.1 check reads) - so this audit most likely never reports a second
           UID-0 account. Confirm against the agent's filter and
           CheckNoMatchingLines semantics before changing it. -->
      <check
        distro="*"
        command="CheckNoMatchingLines"
        filter="^root"
        regex="^[^:]:[^:]:0:"
        path="/etc/shadow" />
    </audit>
    <audit
      description="Randomized placement of virtual memory regions should be enabled"
      msid="25"
      cceid="CCE-4146-7"
      severity="Critical"
      impact="An attacker could write executable code to known regions in memory resulting in elevation of privilege"
      remediation="Add the value '1' or '2' to the file '/proc/sys/kernel/randomize_va_space'"
      ruleId="d790e942-efd3-42e6-a3a5-9eb1d651a588">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^(1|2)$"
        path="/proc/sys/kernel/randomize_va_space" />
    </audit>
    <audit
      description="Kernel support for the XD/NX processor feature should be enabled"
      msid="26"
      cceid="CCE-4172-3"
      severity="Critical"
      impact="An attacker could cause a system to execute code from data regions in memory resulting in elevation of privilege."
      remediation="Confirm the file '/proc/cpuinfo' contains the flag 'nx'"
      ruleId="49c89437-d116-4d84-a91d-0dd59daafa0d">
      <!-- NOTE(review): in this regex, [ $] is a character class matching a
           space or a literal dollar sign, not end-of-line, so a line whose
           last flag is "nx" does not match and the check reports the feature
           as missing; a form like ^\s*flags.*\snx(\s|$) covers both positions
           (verify against the regex engine the agent uses). -->
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^\s*flags.* nx[ $]"
        path="/proc/cpuinfo" />
    </audit>
    <audit
      description="IP forwarding should be disabled. (net.ipv4.ip_forward = 0)"
      msid="37"
      cceid="CCE-3561-8"
      severity="Important"
      impact="An attacker could use this system to perform IP routing functions"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ip-forward'"
      ruleId="5971bbd2-1977-4652-bd85-a38a8f780052">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^0$"
        path="/proc/sys/net/ipv4/ip_forward" />
    </audit>
    <audit
      description="Accepting source routed packets should be disabled for all interfaces. (net.ipv4.conf.all.accept_source_route = 0)"
      msid="40.1"
      cceid="CCE-4236-6"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-accept-source-route'"
      ruleId="4ecae4e6-a3e2-44f5-9985-ea2a21962450">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^0$"
        path="/proc/sys/net/ipv4/conf/all/accept_source_route" />
    </audit>
    <audit
      description="Ignoring bogus ICMP responses to broadcasts should be enabled. (net.ipv4.icmp_ignore_bogus_error_responses = 1)"
      msid="43"
      cceid="CCE-4133-5"
      severity="Critical"
      impact="An attacker could perform an ICMP attack resulting in DoS"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-ignore-bogus-error-responses'"
      ruleId="88acc143-2f76-4418-9aa9-d0d5f244ab5f">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^1$"
        path="/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses" />
    </audit>
    <audit
      description="Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled. (net.ipv4.icmp_echo_ignore_broadcasts = 1)"
      msid="44"
      cceid="CCE-3644-2"
      severity="Critical"
      impact="An attacker could perform an ICMP attack resulting in DoS"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-echo-ignore-broadcasts'"
      ruleId="f5a5926d-9c64-41fa-8220-5bc0f8213550">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^1$"
        path="/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" />
    </audit>
    <audit
      description="Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1)"
      msid="46.1"
      cceid="CCE-4080-8"
      severity="Critical"
      impact="The system will accept traffic from addresses that are unroutable."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter'"
      ruleId="177e6190-1026-49fb-a1f9-fd5b10302280">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^1$"
        path="/proc/sys/net/ipv4/conf/all/rp_filter" />
    </audit>
    <audit
      description="Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1)"
      msid="46.2"
      cceid="CCE-3840-6"
      severity="Critical"
      impact="The system will accept traffic from addresses that are unroutable."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter'"
      ruleId="c28d5519-6e3a-466f-8d8c-b351851dfc78">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^1$"
        path="/proc/sys/net/ipv4/conf/default/rp_filter" />
    </audit>
    <audit
      description="TCP syncookies should be enabled. (net.ipv4.tcp_syncookies = 1)"
      msid="47"
      cceid="CCE-4265-5"
      severity="Critical"
      impact="An attacker could perform a DoS over TCP"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-tcp-syncookies'"
      ruleId="db6ca14e-26c5-48cd-a6b7-fc953861043c">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^1$"
        path="/proc/sys/net/ipv4/tcp_syncookies" />
    </audit>
    <audit
      description="The system should not act as a network sniffer."
      msid="48"
      cceid="CCE-15013-6"
      severity="Warning"
      impact="An attacker may use promiscuous interfaces to sniff network traffic"
      remediation="Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local'. Check both files and remove this entry."
      ruleId="45766f27-5af3-453d-bade-f8195925cde1">
      <check
        distro="*"
        command="CheckNoPromiscInterfaces" />
    </audit>
    <audit
      description="All wireless interfaces should be disabled."
      msid="49"
      cceid="CCE-4276-2"
      severity="Warning"
      impact="An attacker could create a fake AP to intercept transmissions."
      remediation="Confirm all wireless interfaces are disabled in '/etc/network/interfaces'"
      ruleId="8def2d0c-303a-4c0b-858c-319f80f7c814">
      <check
        distro="*"
        command="CheckNoWirelessInterfaces" />
    </audit>
    <audit
      description="Disable support for RDS."
      msid="56"
      cceid="CCE-14027-7"
      severity="Warning"
      impact="An attacker could use a vulnerability in RDS to compromise the system"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'"
      ruleId="d9ed5e76-2348-4409-94dd-c76352407fe8">
      <check
        distro="*"
        command="CheckMatchingLinesInDir"
        regex="^install\srds"
        path="/etc/modprobe.d/" />
    </audit>
    <audit
      description="The syslog or rsyslog package should be installed."
      msid="61"
      cceid="CCE-17742-8"
      severity="Important"
      impact="Reliability and security issues will not be logged, preventing proper diagnosis."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r install-syslog'. This will install the rsyslog package"
      ruleId="8720959b-c356-4eaa-bb4f-720fb8006183">
      <check
        distro="*"
        command="CheckPackageInstalledRegexp"
        packagename="r?syslog" />
    </audit>
    <audit
      description="The syslog service should be enabled."
      msid="62"
      cceid="CCE-17698-2"
      severity="Important"
      impact="Reliability and security issues will not be logged, preventing proper diagnosis."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-syslog'. This will enable and start the syslog service"
      ruleId="27a8547e-ba91-4593-9360-d8e048e3c84e">
      <check
        distro="!SLES=11"
        command="CheckServiceStatus"
        expect="running"
        service="rsyslog" />
      <check
        distro="SLES=11"
        command="CheckServiceStatus"
        expect="running"
        service="syslog" />
    </audit>
    <audit
      description="File permissions for all rsyslog log files should be set to 640 or 600."
      msid="63"
      cceid="CCE-18095-0"
      severity="Important"
      impact="An attacker could cover up activity by manipulating logs"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r configure-syslog-file-create-mode'. This adds the line '$FileCreateMode 0640' to the file '/etc/rsyslog.conf'"
      ruleId="fcc86485-487a-4644-87a0-f29f1b1cd28b">
      <check
        distro="!SLES"
        command="CheckMatchingLines"
        regex="^[\s]*.FileCreateMode\s+06[04]0"
        path="/etc/rsyslog.conf" />
    </audit>
    <audit
      description="All rsyslog log files should be owned by the adm group."
      msid="64"
      cceid="CCE-18240-2"
      severity="Important"
      impact="An attacker could cover up activity by manipulating logs"
      remediation="Add the line '$FileGroup adm' to the file '/etc/rsyslog.conf'"
      ruleId="c1d99621-913e-45f7-96e1-a60b1af83015">
      <check
        distro="Ubuntu|Debian"
        command="CheckMatchingLines"
        regex="^[\s]*.FileGroup\s+adm"
        path="/etc/rsyslog.conf" />
    </audit>
    <audit
      description="All rsyslog log files should be owned by the syslog user."
      msid="65"
      cceid="CCE-17857-4"
      severity="Important"
      impact="An attacker could cover up activity by manipulating logs"
      remediation="Add the line '$FileOwner syslog' to the file '/etc/rsyslog.conf'"
      ruleId="2830790c-5b3f-43cb-be6b-7572e441acc1">
      <check
        distro="Ubuntu"
        command="CheckMatchingLines"
        regex="^[\s]*.FileOwner\s+syslog"
        path="/etc/rsyslog.conf" />
    </audit>
    <audit
      description="Rsyslog should not accept remote messages."
      msid="67"
      cceid="CCE-17639-6"
      severity="Important"
      impact="An attacker could inject messages into syslog, causing a DoS or a distraction from other activity"
      remediation="Remove the lines '$ModLoad imudp' and '$ModLoad imtcp' from the file '/etc/rsyslog.conf'"
      ruleId="1e9567e1-d96d-4f90-be1a-0809947e789c">
      <check
        distro="!SLES"
        command="CheckNoMatchingLines"
        regex="^[\s]*.ModLoad\s+im(udp|tcp)"
        path="/etc/rsyslog.conf" />
    </audit>
    <audit
      description="The logrotate (syslog rotater) service should be enabled."
      msid="68"
      cceid="CCE-4182-2"
      severity="Critical"
      impact="Logfiles could grow unbounded and consume all disk space"
      remediation="Install the logrotate package and confirm the logrotate cron entry is active (chmod 755 /etc/cron.daily/logrotate; chown root:root /etc/cron.daily/logrotate)"
      ruleId="2d2355e7-7b07-4c0e-a395-16499c27ae94">
      <check
        distro="Ubuntu|Debian|SLES"
        command="CheckFileStats"
        path="/etc/cron.daily/logrotate"
        expect="root root 755" />
      <check
        distro="CentOS|RedHat|Oracle"
        command="CheckFileStats"
        path="/etc/cron.daily/logrotate"
        expect="root root 700" />
    </audit>
    <audit
      description="The rlogin service should be disabled."
      msid="69"
      cceid="CCE-3537-8"
      severity="Critical"
      impact="An attacker could gain access, bypassing strict authentication requirements"
      remediation="Remove the inetd service."
      ruleId="f57ef648-bdaa-45a3-9e3a-f4649c48896f">
      <check
        distro="*"
        command="CheckNoMatchingLinesIfExists"
        regex="^[\s\t]*login"
        path="/etc/inetd.conf" />
    </audit>
    <audit
      description="The telnet service should be disabled."
      msid="72"
      cceid="CCE-3390-2"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted telnet sessions"
      remediation="Remove or comment out the telnet entry in the file '/etc/inetd.conf'"
      ruleId="0617b91c-2a28-42bd-b5b3-7562555b41ed">
      <check
        distro="*"
        command="CheckNoMatchingLinesIfExists"
        regex="^[\s\t]*telnet"
        path="/etc/inetd.conf" />
    </audit>
    <audit
      description="All telnetd packages should be uninstalled."
      msid="73"
      cceid="CCE-4330-7"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted telnet sessions"
      remediation="Uninstall any telnetd packages"
      ruleId="6c716f88-a252-4fe9-9c5c-ba9236a80beb">
      <check
        distro="*"
        command="CheckPackageNotInstalledRegexp"
        packagename="[a-z-]*telnetd" />
    </audit>
    <audit
      description="The rcp/rsh service should be disabled."
      msid="74"
      cceid="CCE-4141-8"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted sessions"
      remediation="Remove or comment out the shell entry in the file '/etc/inetd.conf'"
      ruleId="dda66a42-30d1-4621-9565-f09628ac8047">
      <check
        distro="*"
        command="CheckNoMatchingLinesIfExists"
        regex="^[\s\t]*shell"
        path="/etc/inetd.conf" />
    </audit>
    <audit
      description="The rsh-server package should be uninstalled."
      msid="77"
      cceid="CCE-4308-3"
      severity="Critical"
      impact="An attacker could eavesdrop or hijack unencrypted rsh sessions"
      remediation="Uninstall the rsh-server package (apt-get remove rsh-server)"
      ruleId="b256491f-f804-4c44-bfa4-057dd2f44c30">
      <check
        distro="*"
        command="CheckPackageNotInstalled"
        packagename="rsh-server" />
    </audit>
    <audit
      description="The readahead-fedora package should be uninstalled."
      msid="82"
      cceid="CCE-4421-4"
      severity="Informational"
      impact="No substantial exposure, but also no substantial benefit"
      remediation="Uninstall the readahead-fedora package (apt-get remove readahead-fedora)"
      ruleId="dbae0d26-55e9-49d5-8782-86cb7412f99f">
      <check
        distro="*"
        command="CheckPackageNotInstalled"
        packagename="readahead-fedora" />
    </audit>
    <audit
      description="The bluetooth/hidd service should be disabled."
      msid="84"
      cceid="CCE-4355-4"
      severity="Warning"
      impact="An attacker could intercept or manipulate wireless communications."
      remediation="Uninstall the bluetooth package (apt-get remove bluetooth)"
      ruleId="9f107bb8-eaf3-445d-acbb-7ab635b442e9">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="bluetooth" />
    </audit>
    <audit
      description="The isdn service should be disabled."
      msid="86"
      cceid="CCE-4286-1"
      severity="Warning"
      impact="An attacker could use a modem to gain unauthorized access"
      remediation="Uninstall the isdnutils-base package (apt-get remove isdnutils-base)"
      ruleId="51ebf409-911a-4d92-9d3a-1e331e7e4b27">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="isdnutils-base" />
    </audit>
    <audit
      description="The isdnutils-base package should be uninstalled."
      msid="87"
      cceid="CCE-14825-4"
      severity="Warning"
      impact="An attacker could use a modem to gain unauthorized access"
      remediation="Uninstall the isdnutils-base package (apt-get remove isdnutils-base)"
      ruleId="49e5cb77-6272-4323-9c19-01fca3e12b9a">
      <check
        distro="*"
        command="CheckPackageNotInstalled"
        packagename="isdnutils-base" />
    </audit>
    <audit
      description="The kdump service should be disabled."
      msid="88"
      cceid="CCE-3425-6"
      severity="Important"
      impact="An attacker could analyze a previous system crash to retrieve sensitive information"
      remediation="Uninstall the kdump-tools package (apt-get remove kdump-tools)"
      ruleId="290d7102-c4e3-4e88-863d-6ddc7e952a5a">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="kdump-tools" />
    </audit>
    <audit
      description="Zeroconf networking should be disabled."
      msid="89"
      cceid="CCE-14054-1"
      severity="Critical"
      impact="An attacker could abuse this to gain information on network systems, or spoof DNS requests due to flaws in its trust model"
      remediation="Remove any 'ipv4ll' entries in the file '/etc/network/interfaces'"
      ruleId="083550af-f4fe-4e1a-a304-dac894d58908">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        regex="ipv4ll"
        path="/etc/network/interfaces" />
    </audit>
    <audit
      description="The crond service should be enabled."
      msid="90"
      cceid="CCE-4324-0"
      severity="Critical"
      impact="Cron is required by almost all systems for regular maintenance tasks"
      remediation="Install the cron package (apt-get install -y cron) and confirm the file '/etc/init/cron.conf' contains the line 'start on runlevel [2345]'"
      ruleId="80302f61-d760-4165-a92b-a789e579380f">
      <check
        distro="Ubuntu|Debian|SLES"
        command="CheckServiceEnabled"
        service="cron" />
      <check
        distro="CentOS|RedHat|Oracle"
        command="CheckServiceEnabled"
        service="crond" />
    </audit>
    <audit
      description="File permissions for /etc/anacrontab should be set to root:root 600."
      msid="91"
      cceid="CCE-4304-2"
      severity="Critical"
      impact="An attacker could manipulate this file to prevent scheduled tasks or execute malicious tasks"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r fix-anacrontab-perms'. This sets the ownership and permissions on /etc/anacrontab"
      ruleId="8199ae98-8d9c-4a26-88ca-e6d9b87d3644">
      <check
        distro="*"
        command="CheckFileStatsIfExists"
        path="/etc/anacrontab"
        expect="root root 600" />
    </audit>
    <audit
      description="SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config Protocol = 2'"
      msid="106.1"
      cceid="CCE-4325-7"
      severity="Critical"
      impact="An attacker could use flaws in an earlier version of the SSH protocol to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r configure-ssh-protocol'. This will set 'Protocol 2' in the file '/etc/ssh/sshd_config'"
      ruleId="35868e8c-97eb-4981-ab79-99b25101cc86">
      <!-- NOTE(review): this check requires a literal "Protocol 2" line. On
           OpenSSH releases that no longer support protocol 1 (the Protocol
           directive was deprecated in 7.4 and removed in 7.6 - confirm for the
           target distro) sshd_config usually carries no such line, so a
           compliant host fails this audit. Consider also accepting the absence
           of the directive when the installed OpenSSH has dropped protocol 1.
           The trailing $ also rejects a line with trailing whitespace. -->
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^[\s\t]*Protocol\s+2$"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config IgnoreRhosts = yes'"
      msid="106.3"
      cceid="CCE-4030-3"
      severity="Critical"
      impact="An attacker could use flaws in the Rhosts protocol to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r enable-ssh-ignore-rhosts'. This will add the line 'IgnoreRhosts yes' to the file '/etc/ssh/sshd_config'"
      ruleId="43945588-1bdc-495c-bac8-6a71a62d30aa">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^[\s\t]*IgnoreRhosts\s+yes"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="Emulation of the rsh command through the ssh server should be disabled. - '/etc/ssh/sshd_config RhostsRSAAuthentication = no'"
      msid="107"
      cceid="CCE-4475-0"
      severity="Critical"
      impact="An attacker could use flaws in the RHosts protocol to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-rhost-rsa-auth'. This will add the line 'RhostsRSAAuthentication no' to the file '/etc/ssh/sshd_config'"
      ruleId="c0b75409-01e3-4428-9a32-bfcdb42afcb5">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^[\s\t]*RhostsRSAAuthentication\s+no"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="SSH host-based authentication should be disabled. - '/etc/ssh/sshd_config HostbasedAuthentication = no'"
      msid="108"
      cceid="CCE-4370-3"
      severity="Critical"
      impact="An attacker could use host-based authentication to gain access from a compromised host"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-host-based-auth'. This will add the line 'HostbasedAuthentication no' to the file '/etc/ssh/sshd_config'"
      ruleId="66511f6b-f690-43df-9654-642260699eec">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^[\s\t]*HostbasedAuthentication\s+no"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="Remote connections from accounts with empty passwords should be disabled. - '/etc/ssh/sshd_config PermitEmptyPasswords = no'"
      msid="110"
      cceid="CCE-3660-8"
      severity="Critical"
      impact="An attacker could gain access through password guessing"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-empty-passwords'. This will add the line 'PermitEmptyPasswords no' to the file '/etc/ssh/sshd_config'"
      ruleId="d50c3f39-264c-4cdc-b0ba-89de8a0f6828">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^[\s\t]*PermitEmptyPasswords\s+no"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="Users are not allowed to set environment options for SSH."
      msid="112"
      cceid="CCE-14716-5"
      severity="Warning"
      impact="An attacker may be able to bypass some access restrictions over SSH"
      remediation="Remove the line 'PermitUserEnvironment yes' from the file '/etc/ssh/sshd_config'"
      ruleId="0e665978-91f4-45af-bb7b-e4090b600c8d">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        regex="^[\s\t]*PermitUserEnvironment\s+yes"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="The avahi-daemon service should be disabled."
      msid="114"
      cceid="CCE-4365-3"
      severity="Warning"
      impact="An attacker could use a vulnerability in the avahi daemon to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-avahi-daemon'. This will disable the avahi-daemon service"
      ruleId="c3bf78d8-43a0-4768-b790-c940621057b6">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="avahi-daemon" />
    </audit>
    <audit
      description="The cups service should be disabled."
      msid="115"
      cceid="CCE-4425-5"
      severity="Warning"
      impact="An attacker could use a flaw in the cups service to elevate privileges"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-cups'. This will disable the cups service"
      ruleId="4854666c-061b-4945-8a25-19133b8d5c7d">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="cups" />
    </audit>
    <audit
      description="The dhcpd service should be disabled."
      msid="116"
      cceid="CCE-4336-4"
      severity="Important"
      impact="An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation."
      remediation="Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server)"
      ruleId="d56a6c3f-3ad9-4263-a38a-24b7ae4ea918">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="isc-dhcp-server" />
    </audit>
    <audit
      description="The isc-dhcp-server package should be uninstalled."
      msid="117"
      cceid="CCE-4464-4"
      severity="Important"
      impact="An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation."
      remediation="Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server)"
      ruleId="660fa012-ca99-4314-a2a8-11728020bac7">
      <check
        distro="*"
        command="CheckPackageNotInstalled"
        packagename="isc-dhcp-server" />
    </audit>
    <audit
      description="The rpcgssd service should be disabled."
      msid="126"
      cceid="CCE-3535-2"
      severity="Important"
      impact="An attacker could use a flaw in rpcgssd/nfs to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcgssd'. This will disable the rpcgssd service."
      ruleId="9c11dc9f-ab7e-4c3f-923f-5a8fc4e97cb9">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="rpcgssd" />
    </audit>
    <audit
      description="The rpcidmapd service should be disabled."
      msid="127"
      cceid="CCE-3568-3"
      severity="Important"
      impact="An attacker could use a flaw in idmapd/nfs to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcidmapd'. This will disable the rpcidmapd service."
      ruleId="b600d670-5b01-4458-9143-8aa7cd25dadc">
      <check
        distro="*"
        command="CheckServiceDisabled"
        service="rpcidmapd" />
    </audit>
    <audit
      description="The portmap service should be disabled."
      msid="129"
      cceid="CCE-4550-0"
      severity="Important"
      impact="An attacker could use a flaw in portmap to gain access"
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcbind'. This will disable the rpcbind service."
      ruleId="f4a80328-1d67-45ed-b915-274d2e6c699e">
      <check
        distro="Debian|Ubuntu|Oracle|CentOS&lt;7|RedHat&lt;7|SLES=11"
        command="CheckServiceDisabled"
        service="rpcbind" />
      <check
        distro="CentOS&gt;=7|RedHat&gt;=7|SLES&gt;11"
        command="CheckServiceDisabled"
        service="rpcbind.service,rpcbind.socket" />
    </audit>
    <audit
      description="The rpcsvcgssd service should be disabled."
      msid="130"
      cceid="CCE-4491-7"
      severity="Important"
      impact="An attacker could use a flaw in rpcsvcgssd to gain access"
      remediation="Remove the line 'NEED_SVCGSSD = yes' from the file '/etc/inetd.conf'"
      ruleId="78963287-11b9-471b-9122-e6829e105989">
      <!-- NOTE(review): the regex only flags NEED_SVCGSSD="yes" with the value in double quotes,
           while the remediation text names the unquoted form; an unquoted 'yes' would pass this
           check unnoticed. NEED_SVCGSSD also looks like a /etc/default/nfs-* style setting rather
           than an inetd.conf entry; confirm the path before relying on this audit. -->
      <check
        distro="*"
        command="CheckNoMatchingLinesIfExists"
        regex="^[\s\t]*NEED_SVCGSSD\s*=\s*&quot;yes&quot;"
        path="/etc/inetd.conf" />
    </audit>
    <audit
      description="Kernels should only be compiled from approved sources."
      msid="10"
      cceid="CCE-4209-3"
      severity="Critical"
      impact="A kernel from an unapproved source could contain vulnerabilities or backdoors to grant access to an attacker."
      remediation="Install the kernel that is provided by your distro vendor."
      ruleId="34e19f66-2387-4cdc-8ab2-cfac8e5865f0">
      <check
        distro="Ubuntu"
        command="VerifyKernelSource"
        regex="-Ubuntu " />
    </audit>
    <audit
      description="The IPv6 protocol should be enabled."
      msid="50"
      cceid="CCE-18455-6"
      severity="Informational"
      impact="This is necessary for communication on modern networks."
      remediation="Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0"
      ruleId="f04b1de8-1fd3-40da-a27f-39b7ea97bf8c">
      <check
        distro="Ubuntu"
        command="CheckFileExists"
        path="/proc/net/if_inet6" />
    </audit>
    <audit
      description="Disable inetd unless required. (inetd)"
      msid="70.1"
      cceid="CCE-4234-1"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an inetd service to gain access"
      remediation="Uninstall the inetd service (apt-get remove inetd)"
      ruleId="a8a37e7f-9aae-41cf-8313-42d1f69506b9">
      <check
        distro="Ubuntu"
        command="CheckServiceDisabled"
        service="inetd" />
    </audit>
    <audit
      description="Disable xinetd unless required. (xinetd)"
      msid="70.2"
      cceid="CCE-4252-3"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an xinetd service to gain access"
      remediation="Uninstall the xinetd service (apt-get remove xinetd)"
      ruleId="1d9557b2-b58f-4f81-bde9-4f9b08a3b2f1">
      <check
        distro="Ubuntu"
        command="CheckServiceDisabled"
        service="xinetd" />
    </audit>
    <audit
      description="Install inetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required)"
      msid="71.1"
      cceid="CCE-4023-8"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an inetd service to gain access"
      remediation="Uninstall the inetd service (apt-get remove inetd)"
      ruleId="d6bcd055-26cf-416e-a395-a9169b79f74c">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="inetd" />
    </audit>
    <audit
      description="Install xinetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required)"
      msid="71.2"
      cceid="CCE-4164-0"
      severity="Important"
      impact="An attacker could exploit a vulnerability in an xinetd service to gain access"
      remediation="Uninstall the xinetd service (apt-get remove xinetd)"
      ruleId="0552f68e-b759-4aa7-a211-d48b2f6d2117">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="xinetd" />
    </audit>
    <audit
      description="The ypbind service should be disabled."
      msid="78"
      cceid="CCE-3705-1"
      severity="Important"
      impact="An attacker could retrieve sensitive information from the ypbind service"
      remediation="Uninstall the nis package (apt-get remove nis)"
      ruleId="58f5187e-88bd-4f24-8570-2c295d5c93c6">
      <check
        distro="Ubuntu"
        command="CheckServiceDisabled"
        service="nis" />
    </audit>
    <audit
      description="The nis package should be uninstalled."
      msid="79"
      cceid="CCE-4348-9"
      severity="Important"
      impact="An attacker could retrieve sensitive information from the NIS service"
      remediation="Uninstall the nis package (apt-get remove nis)"
      ruleId="7da0b32e-ced5-42eb-aa1e-6df90281e59c">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="nis" />
    </audit>
    <audit
      description="The tftp service should be disabled."
      msid="80"
      cceid="CCE-4273-9"
      severity="Important"
      impact="An attacker could eavesdrop on or hijack an unencrypted session"
      remediation="Remove the tftp entry from the file '/etc/inetd.conf'"
      ruleId="cb086aef-fec2-467f-a03b-627c00020926">
      <check
        distro="Ubuntu"
        command="CheckNoMatchingLinesIfExists"
        regex="^[\s\t]*tftp"
        path="/etc/inetd.conf" />
    </audit>
    <audit
      description="The tftpd package should be uninstalled."
      msid="81"
      cceid="CCE-3916-4"
      severity="Important"
      impact="An attacker could eavesdrop on or hijack an unencrypted session"
      remediation="Uninstall the tftpd package (apt-get remove tftpd)"
      ruleId="ae9ce111-ef4d-4d34-8f76-fdc38263f153">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="tftpd" />
    </audit>
    <audit
      description="The sendmail package should be uninstalled."
      msid="120"
      cceid="CCE-14495-6"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Uninstall the sendmail package (apt-get remove sendmail)"
      ruleId="43356a32-24bb-401c-9746-a27b2be668fa">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="sendmail" />
    </audit>
    <audit
      description="The postfix package should be uninstalled."
      msid="121"
      cceid="CCE-14068-1"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Uninstall the postfix package (apt-get remove postfix)"
      ruleId="f56bf32f-528f-48b3-9f82-62f5ff4e9787">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="postfix" />
    </audit>
    <audit
      description="Postfix network listening should be disabled as appropriate."
      msid="122"
      cceid="CCE-15018-5"
      severity="Important"
      impact="An attacker could use this system to send emails with malicious content to other users"
      remediation="Add the line 'inet_interfaces localhost' to the file '/etc/postfix/main.cf'"
      ruleId="d0cc4e35-70a1-4ee5-b572-3b969201562e">
      <check
        distro="Ubuntu"
        command="CheckMatchingLinesIfExists"
        regex="^[\s\t]*inet_interfaces\s+localhost\s*$"
        path="/etc/postfix/main.cf" />
    </audit>
    <audit
      description="The ldap service should be disabled."
      msid="124"
      cceid="CCE-3501-4"
      severity="Important"
      impact="An attacker could manipulate the LDAP service on this host to distribute false data to LDAP clients"
      remediation="Uninstall the slapd package (apt-get remove slapd)"
      ruleId="b577b358-6ec9-4ed7-b0df-259e44713b16">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="slapd" />
    </audit>
    <audit
      description="The named service should be disabled."
      msid="131"
      cceid="CCE-3578-2"
      severity="Warning"
      impact="An attacker could use the DNS service to distribute false data to clients"
      remediation="Uninstall the bind9 package (apt-get remove bind9)"
      ruleId="361a6cb4-f761-426f-a9d0-9e82ec0b3285">
      <check
        distro="Ubuntu"
        command="CheckServiceDisabled"
        service="bind9" />
    </audit>
    <audit
      description="The bind package should be uninstalled."
      msid="132"
      cceid="CCE-4219-2"
      severity="Warning"
      impact="An attacker could use the DNS service to distribute false data to clients"
      remediation="Uninstall the bind9 package (apt-get remove bind9)"
      ruleId="696f915a-2733-42cd-9496-135718280bb9">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="bind9" />
    </audit>
    <audit
      description="The dovecot service should be disabled."
      msid="137"
      cceid="CCE-3847-1"
      severity="Warning"
      impact="The system could be used as an IMAP/POP3 server"
      remediation="Uninstall the dovecot-core package (apt-get remove dovecot-core)"
      ruleId="b0b6cf96-bd8a-40c5-b051-4615078a0bf0">
      <check
        distro="Ubuntu"
        command="CheckServiceDisabled"
        service="dovecot" />
    </audit>
    <audit
      description="The dovecot package should be uninstalled."
      msid="138"
      cceid="CCE-4239-0"
      severity="Warning"
      impact="The system could be used as an IMAP/POP3 server"
      remediation="Uninstall the dovecot-core package (apt-get remove dovecot-core)"
      ruleId="9bd9ffdf-9a4b-4aff-816a-f365c7e7046b">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="dovecot-core" />
    </audit>
    <audit
      description="Remove unnecessary packages"
      msid="158"
      cceid="CCE-XXXXX-6"
      severity="Informational"
      impact=""
      remediation=""
      ruleId="29a14c8c-c7fe-4168-accf-ec224141ba65">
      <check
        distro="Ubuntu"
        command="CheckPackageNotInstalled"
        packagename="landscape-common" />
    </audit>
    <audit
      description="Remove unnecessary accounts"
      msid="159"
      cceid="CCE-XXXXX-7"
      severity="Informational"
      impact="For compliance"
      remediation="Remove the unnecessary accounts"
      ruleId="627b7494-0e62-4093-9f77-db8d526d036b">
      <check
        distro="Ubuntu"
        command="CheckNoMatchingLines"
        regex="^games:"
        path="/etc/passwd" />
    </audit>
    <audit
      description="Accepting source routed packets should be disabled for all interfaces. (net.ipv6.conf.all.accept_source_route = 0)"
      msid="40.2"
      cceid="CCE-4236-6"
      severity="Critical"
      impact="An attacker could redirect traffic for malicious purposes."
      remediation="Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-accept-source-route'"
      ruleId="b659c9f6-a076-4886-9048-db10c349b9fe">
      <check
        distro="*"
        command="CheckMatchingLines"
        regex="^0$"
        path="/proc/sys/net/ipv6/conf/all/accept_source_route" />
    </audit>
    <audit
      description="SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config RhostsAuthentication = no'"
      msid="106.4"
      cceid="CCE-4030-3"
      severity="Critical"
      impact="An attacker could use flaws in the RHosts protocol to gain access"
      remediation="Remove the line 'RhostsAuthentication yes' from the file '/etc/ssh/sshd_config'"
      ruleId="654b54c4-0a1f-40e7-b5e6-ee19b7a67b8b">
      <check
        distro="*"
        command="CheckNoMatchingLines"
        regex="^[\s\t]*RhostsAuthentication\s+yes"
        path="/etc/ssh/sshd_config" />
    </audit>
    <audit
      description="Ensure auditd package is installed"
      msid="161"
      cceid="CCE-4240-1"
      severity="Critical"
      impact="This package provides the auditd plugin used to collect audit events. If it is not installed, audit events are not collected, which causes a compliance failure and leaves the detection pipeline unable to monitor the system."
      remediation="Install the auditd (apt-get install auditd) or audit package (yum install audit)."
      ruleId="91e21b9b-9688-4bea-8a44-4a2de471151f">
      <check
        distro="*"
        command="CheckPackageInstalledRegexp"
        packagename="audit(?:d)?$" />
    </audit>
    <audit
      description="Ensure auditd service is enabled"
      msid="162"
      cceid="CCE-4240-2"
      severity="Critical"
      impact="The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
      remediation="Enable the auditd service (systemctl enable auditd)"
      ruleId="f9fd03d2-75e4-4564-84a9-4e955f1e7c30">
      <check
        distro="*"
        command="CheckServiceEnabled"
        service="auditd" />
    </audit>
    <audit
      description="Run AuditD service"
      msid="163"
      cceid=" CCE-4240-3"
      severity="Critical"
      impact="The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
      remediation="Run AuditD service (systemctl start auditd)"
      ruleId="f9fd03d2-75e4-4564-84a9-4e955f1e7c30">
      <!-- NOTE(review): ruleId is identical to the one on msid 162 directly above, and cceid
           carries a leading space; both look like copy/paste slips. Any consumer that keys
           results on ruleId will merge the "enabled" and "running" findings, so this audit
           needs an id of its own (not assigned here). -->
      <check
        distro="*"
        command="CheckServiceStatus"
        expect="running"
        service="auditd" />
    </audit>
  </audits>
 <remediations>
  <!--
    Remediations are performed in the order they appear in this file.
    All actions in a remediation that match the distro are performed, and in the order they appear.
  -->
  <remediation id="install-updates" cceids="CCE-XXXXX-1" description="Install all available package updates">
    <!-- Refreshes the package index first, then installs every available update.
         cceids is a placeholder (CCE-XXXXX-1), so this entry cannot be traced to an audit. -->
    <action distro="*" action="ActionUpdatePackageInfo"/>
    <action distro="*" action="ActionInstallAvailableUpdates"/>
  </remediation>

  <remediation id="install-ntp" cceids="CCE-4376-0" description="Install the ntp service">
    <!-- The service is named ntp on Debian-family and SLES 11, ntpd on RHEL-family and SLES 12.
         NOTE(review): the enable/restart lists name only SLES=11 and SLES=12; other SLES releases
         appear to get the package installed but neither enabled nor restarted by this entry. -->
    <action distro="*" action="ActionInstallPackage" package="ntp"/>
    <action distro="Ubuntu|Debian|SLES=11" action="ActionEnableService" service="ntp"/>
    <action distro="CentOS|RedHat|Oracle|SLES=12" action="ActionEnableService" service="ntpd"/>
    <action distro="Ubuntu|Debian|SLES=11" action="ActionRestartService" service="ntp"/>
    <action distro="CentOS|RedHat|Oracle|SLES=12" action="ActionRestartService" service="ntpd"/>
  </remediation>

  <remediation id="configure-ntp" cceids="CCE-4385-1" description="Configure the ntp service">
    <!-- Non-SLES: if no 'server time.windows.com' line exists, rewrite the 'server 0...' line to
         time.windows.com and delete the 'server 1..3' lines.
         NOTE(review): inside a sed bracket expression [\s] is not a whitespace class (it matches
         a backslash or the letter s), so the two sed patterns below appear to match only 'server'
         lines that start in column 0; an indented 'server 1...' line would survive. A '\s*'
         outside the brackets would cover both forms. -->
    <action distro="!SLES" action="ActionScript">
      <script>
      <![CDATA[
# (Audit 119) Configure ntpd
if [ -z "$(egrep '^server\s+time.windows.com\s*$' /etc/ntp.conf)" ]; then
    sed -i 's/^\([\s]*server\s\+\)0.*$/\1time.windows.com/g' /etc/ntp.conf
    sed -i '/^[\s]*server\s\+[1-3].*$/d' /etc/ntp.conf
fi
      ]]>
      </script>
    </action>
    <!-- SLES: insert the server line after the 'restrict ::1' line instead of rewriting pools;
         existing server lines are left in place. -->
    <action distro="SLES" action="ActionScript">
      <script>
      <![CDATA[
if [ -z "$(egrep '^server\s+time.windows.com\s*$' /etc/ntp.conf)" ]; then
    sed -i 's/^\(restrict\s*::1\s*\)$/\1\n\nserver time.windows.com/g' /etc/ntp.conf
fi
      ]]>
      </script>
    </action>
    <action distro="Ubuntu|Debian|SLES=11" action="ActionRestartService" service="ntp"/>
    <action distro="CentOS|RedHat|Oracle|SLES=12" action="ActionRestartService" service="ntpd"/>
  </remediation>

  <remediation id="remove-at" cceids="CCE-14466-7" description="Remove atd service">
    <!-- Removes the 'at' package, then deletes the upstart/sysvinit files it may have left
         behind; rm -fr is silent when they are already absent. -->
    <action distro="*" action="ActionRemovePackage" package="at"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
rm -fr /etc/init/atd.conf /etc/init.d/atd
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="configure-ssh-protocol" cceids="CCE-4325-7" description="Configure ssh protocol">
    <!-- Forces 'Protocol 2' in sshd_config; value-regex covers the existing '1', '2' or '1,2'
         forms so the directive is presumably rewritten rather than duplicated (ActionEditConfig
         semantics are not visible in this file). -->
    <action distro="*" action="ActionEditConfig" name="Protocol" value="2" value-regex="[1-2\,]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="enable-ssh-ignore-rhosts" cceids="CCE-4030-3" description="Enable IgnoreRhosts in ssh">
    <!-- Sets 'IgnoreRhosts yes'. NOTE(review): CCE-4030-3 is the id of audit msid 106.4 above,
         which checks RhostsAuthentication rather than IgnoreRhosts, so the audit and this
         remediation do not verify the same directive; confirm the intended mapping. -->
    <action distro="*" action="ActionEditConfig" name="IgnoreRhosts" value="yes" value-regex="[a-z-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="disable-ssh-rhost-rsa-auth" cceids="CCE-4475-0" description="Disable RhostsRSAAuthentication in ssh">
    <!-- Sets 'RhostsRSAAuthentication no' in sshd_config. -->
    <action distro="*" action="ActionEditConfig" name="RhostsRSAAuthentication" value="no" value-regex="[a-z-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="disable-ssh-host-based-auth" cceids="CCE-4370-3" description="Disable HostbasedAuthentication in ssh">
    <!-- Sets 'HostbasedAuthentication no' in sshd_config. -->
    <action distro="*" action="ActionEditConfig" name="HostbasedAuthentication" value="no" value-regex="[a-z-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="disable-ssh-root-login" cceids="CCE-4387-7" description="Disable SSH root login">
    <!-- Sets 'PermitRootLogin no'; like the other sshd_config edits it takes effect only once
         the restart-ssh entry below has restarted the daemon. -->
    <action distro="*" action="ActionEditConfig" name="PermitRootLogin" value="no" value-regex="[a-z-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="configure-ssh-ciphers" cceids="CCE-14491-5" description="Configure ssh ciphers">
    <!-- Restricts sshd to the three AES-CTR ciphers.
         NOTE(review): value-regex [a-z\,-]+ contains no digits, yet every cipher name here
         (aes128-ctr, ...) does; if ActionEditConfig uses value-regex to locate the current
         value, an existing Ciphers line may not be matched and the directive could be
         duplicated instead of replaced. [a-z0-9\,-]+ would cover the real names; confirm
         against the ActionEditConfig implementation. -->
    <action distro="*" action="ActionEditConfig" name="Ciphers" value="aes128-ctr,aes192-ctr,aes256-ctr" value-regex="[a-z\,-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="disable-ssh-empty-passwords" cceids="CCE-3660-8" description="Disable SSH empty passwords">
    <!-- Sets 'PermitEmptyPasswords no' in sshd_config. -->
    <action distro="*" action="ActionEditConfig" name="PermitEmptyPasswords" value="no" value-regex="[a-z-]+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="configure-ssh-banner" cceids="CCE-4431-3" description="Configure ssh banner">
    <!-- Points 'Banner' at /etc/azsec/banner.txt. Nothing in this file creates that file, so it
         must be provisioned separately; confirm it exists on every target. -->
    <action distro="*" action="ActionEditConfig" name="Banner" value="/etc/azsec/banner.txt" value-regex="\S+" path="/etc/ssh/sshd_config"/>
  </remediation>

  <remediation id="restart-ssh" cceids="CCE-4325-7,CCE-4475-0,CCE-4387-7,CCE-14491-5,CCE-4431-3" description="Restart ssh service">
    <!-- Restarts sshd so the sshd_config edits above become active.
         NOTE(review): the distro list is spelled 'Redhat' and 'Sles' here while every other entry
         in this file uses 'RedHat' and 'SLES'; if the distro matcher is case sensitive those hosts
         never get the restart and the hardening edits stay inactive until the next reboot.
         The cceids list also omits CCE-4030-3, CCE-4370-3 and CCE-3660-8, whose remediations
         above edit the same file and equally depend on this restart. -->
    <action distro="Ubuntu|Debian" action="ActionRestartService" service="ssh"/>
    <action distro="CentOS|Redhat|Oracle|Sles" action="ActionRestartService" service="sshd"/>
  </remediation>

  <remediation id="restrict-root-login" cceids="CCE-3485-0" description="Restrict root login">
    <!-- Overwrites /etc/securetty so root may log in only on the console and tty1; any
         existing entries in that file are discarded, not merged. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
echo -e "console\ntty1" > /etc/securetty
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-su-permissions" cceids="CCE-15047-4" description="Fix su permissions">
    <!-- Non-SLES: uncomments (or normalises) the 'auth required pam_wheel.so use_uid' line in
         /etc/pam.d/su so that only wheel members can su. Only an existing line is rewritten;
         nothing is added when the line is missing entirely. -->
    <action distro="!SLES" action="ActionScript">
      <script>
      <![CDATA[
sed -i 's/^#*\s*\(auth\s\+required\s\+pam_wheel.so\)\(\s\+use_uid\)\?$/\1 use_uid/g' /etc/pam.d/su
      ]]>
      </script>
    </action>
    <!-- SLES: if the pam_wheel line is absent, insert it directly after the pam_rootok line. -->
    <action distro="SLES" action="ActionScript">
      <!-- This change isn't sufficient on SLES -->
      <script>
      <![CDATA[
if [ -z "$(egrep '^\s*auth\s+required\s+pam_wheel.so\s+use_uid\s*$' /etc/pam.d/su)" ]; then
    sed -i 's/\(\s*auth\s\+sufficient\s\+pam_rootok.so\s*\)$/\1\nauth required pam_wheel.so use_uid/g' /etc/pam.d/su
fi
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-home-dir-permissions" cceids="CCE-4090-7" description="Fix home dir permissions">
    <!-- Tightens home and run directories to 750 and patches the sshd init scripts so
         /var/run/sshd is recreated with 0750 at boot.
         NOTE(review): 'chmod 750 /var/run/dbus' is listed twice. The init.d sed rewrites every
         four-digit chmod mode in those scripts to 0750, not only the one for /var/run/sshd;
         confirm no other chmod lives in the vendor script. 'chmod 750 /home/*' is unconditional,
         so on a host with an empty /home it reports an error on the literal glob. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
chmod 750 /home/*
if [ -e /var/lib/libuuid ]; then
    chmod 750 /var/lib/libuuid
fi
chmod 750 /var/run/dbus
chmod 750 /var/run/dbus
# /var/run/sshd created by service at bootup
if [ -e /etc/init.d/ssh ]; then
  sed -i 's/\(chmod\s\+\)[0-7]\{4\}/\10750/g' /etc/init.d/ssh
fi
if [ -e /etc/init.d/sshd ]; then
  sed -i 's/\(chmod\s\+\)[0-7]\{4\}/\10750/g' /etc/init.d/sshd
fi
if [ -e /etc/init/ssh.conf ]; then
  sed -i 's/\(mkdir\s\+-p\s\+-m\)[0-9]\{4\}/\10750/g' /etc/init/ssh.conf
fi
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="set-default-user-umask" cceids="CCE-14847-8" description="Set default umask for all users to 077">
    <!-- Rewrites the three-digit value of an existing UMASK line in /etc/login.defs to 077.
         Nothing is appended when no UMASK line exists, so such a host stays non-compliant. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# (Audit 29) Set default umask to 077
sed -i 's/^\(UMASK\s\+\)[0-9]\{3\}/\1077/g' /etc/login.defs
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-ip-forward" cceids="CCE-3561-8" description="Disable IP forwarding">
    <!-- Persists the setting in /etc/sysctl.conf (ipv4, ipv6 default and ipv6 all), then applies
         it live: ipv4 directly, ipv6 for every per-interface forwarding key that sysctl -N reports. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.ip_forward" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.default.forwarding" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.all.forwarding" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
sysctl -w net.ipv4.ip_forward=0

for i in $(sysctl -N net.ipv6.conf 2>/dev/null | egrep '^net\.ipv6\.conf\.[^\.]+\.forwarding')
do
    sysctl -w $i=0
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="enable-tcp-syncookies" cceids="CCE-4265-5" description="Enable tcp_syncookies">
    <!-- Persists net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf and applies it immediately. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.tcp_syncookies" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
sysctl -w net.ipv4.tcp_syncookies=1
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="enable-rp-filter" cceids="CCE-4080-8,CCE-3840-6" description="Enable reverse path filter">
    <!-- TODO: Add ipv6 once that support gets added to the kernel. -->
    <!-- Persists rp_filter=1 for the 'default' and 'all' keys, then sets it live on every
         per-interface key sysctl -N reports (ipv4 only). -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.rp_filter" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.rp_filter" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net.ipv4.conf 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.rp_filter')
do
    sysctl -w $i=1
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-accept-redirects" cceids="CCE-4217-6,CCE-4186-3,CCE-4313-3" description="Disable accept-redirects">
    <!-- Persists accept_redirects=0 for ipv4 and ipv6 ('default' and 'all'), then applies it
         live to every per-interface key of either family. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.default.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.all.accept_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv[46]\.conf\.[^\.]+\.accept_redirects')
do
    sysctl -w $i=0
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-secure-redirects" cceids="CCE-3472-8,CCE-4151-7" description="Disable secure_redirects">
    <!-- Persists secure_redirects=0 ('default' and 'all') and applies it live; the egrep limits
         the live loop to ipv4 keys. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.secure_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.secure_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.secure_redirects')
do
    sysctl -w $i=0
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-send-redirects" cceids="CCE-4155-8,CCE-3339-9" description="Disable send_redirects">
    <!-- Persists send_redirects=0 ('default' and 'all') and applies it live to every ipv4
         per-interface key. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.send_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.send_redirects" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.send_redirects')
do
    sysctl -w $i=0
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-accept-source-route" cceids="CCE-4236-6,CCE-4091-5" description="Disable accept_source_route">
    <!-- Target of audit msid 40.2 above, which checks only the ipv6 'all' key; this entry
         persists and applies accept_source_route=0 for ipv4 and ipv6, 'default' and 'all', plus
         every per-interface key live. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.default.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv6.conf.all.accept_source_route" value="0" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv[46]\.conf\.[^\.]+\.accept_source_route')
do
    sysctl -w $i=0
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="enable-log-martians" cceids="CCE-4320-8" description="Enable log_martians">
    <!-- Persists log_martians=1 ('default' and 'all') and applies it live to every ipv4
         per-interface key, so packets with impossible source addresses get logged. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.default.log_martians" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionEditConfig" name="net.ipv4.conf.all.log_martians" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for i in $(sysctl -N net 2>/dev/null | egrep '^net\.ipv4\.conf\.[^\.]+\.log_martians')
do
    sysctl -w $i=1
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="enable-icmp-ignore-bogus-error-responses" cceids="CCE-4133-5" description="Enable icmp_ignore_bogus_error_responses">
    <!-- Persists net.ipv4.icmp_ignore_bogus_error_responses=1 and applies it immediately. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.icmp_ignore_bogus_error_responses" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="enable-icmp-echo-ignore-broadcasts" cceids="CCE-3644-2" description="Enable icmp_echo_ignore_broadcasts">
    <!-- Persists net.ipv4.icmp_echo_ignore_broadcasts=1 and applies it immediately. -->
    <action distro="*" action="ActionEditConfig" name="net.ipv4.icmp_echo_ignore_broadcasts" value="1" value-regex="[0-9]+" sep="=" path="/etc/sysctl.conf"/>
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="install-rsyslog" cceids="CCE-17742-8" description="Install rsyslog">
    <!-- Installs the rsyslog package only; enabling and starting it is the next entry. -->
    <action distro="*" action="ActionInstallPackage" package="rsyslog"/>
  </remediation>

  <remediation id="enable-rsyslog" cceids="CCE-17698-2" description="Enable rsyslog">
    <!-- Enables and restarts the syslog daemon; on SLES 11 the unit is named syslog,
         everywhere else rsyslog. -->
    <action distro="!SLES=11" action="ActionEnableService" service="rsyslog"/>
    <action distro="SLES=11" action="ActionEnableService" service="syslog"/>
    <action distro="!SLES=11" action="ActionRestartService" service="rsyslog"/>
    <action distro="SLES=11" action="ActionRestartService" service="syslog"/>
  </remediation>

  <remediation id="configure-syslog-file-create-mode" cceids="CCE-18095-0" description="Configure rsyslog $FileCreateMode">
    <!-- RHEL family only: inserts '$FileCreateMode 0640' after the GLOBAL DIRECTIVES header
         when no such directive is present yet.
         NOTE(review): in an extended regex '$' is an end-of-line anchor wherever it appears, so
         the guard pattern ^\s*$FileCreateMode most likely never matches; the -z test then
         succeeds on every run and another directive line is appended each time the remediation
         executes. Escaping it in the egrep as \$FileCreateMode should restore the idempotence
         check; confirm against the grep flavour the agent ships. -->
    <action distro="CentOS|RedHat|Oracle" action="ActionScript">
      <script>
      <![CDATA[
if [ -z "$(egrep '^\s*$FileCreateMode' /etc/rsyslog.conf)" ]; then
    sed -i 's/^\(.*GLOBAL DIRECTIVES.*\)$/\1\n\$FileCreateMode 0640/g' /etc/rsyslog.conf
fi
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="set-etc-shadow-perms" cceids="CCE-4130-1" description="Set permissions on /etc/shadow">
    <!-- Sets mode 400 on /etc/shadow and on its backup copies when they exist. Ownership is not
         touched here, unlike the passwd/group entries below. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# Audit 11
chmod 400 /etc/shadow
if [ -e /etc/shadow- ]; then
    chmod 400 /etc/shadow-
fi
if [ -e /etc/shadow.old ]; then
    chmod 400 /etc/shadow.old
fi
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="set-etc-gshadow-perms" cceids="CCE-3932-1" description="Set permissions on /etc/gshadow">
    <!-- Group owner is 'shadow' on Debian/Ubuntu and 'root' on the RHEL family; mode 400 is then
         applied to everything except SLES. Note that SLES matches none of the three actions, so
         this entry changes nothing there. -->
    <action distro="Ubuntu|Debian" action="ActionScript">
      <script>
      <![CDATA[
chown root:shadow /etc/gshadow
      ]]>
      </script>
    </action>
    <action distro="CentOS|RedHat|Oracle" action="ActionScript">
      <script>
      <![CDATA[
chown root:root /etc/gshadow
      ]]>
      </script>
    </action>
    <action distro="!SLES" action="ActionScript">
      <script>
      <![CDATA[
chmod 400 /etc/gshadow
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="set-etc-passwd-perms" cceids="CCE-3566-7" description="Set permissions on /etc/passwd">
    <!-- root:root and world-readable 644; /etc/passwd must stay readable for name lookups. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
chown root:root /etc/passwd
chmod 644 /etc/passwd
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="set-etc-group-perms" cceids="CCE-3967-7" description="Set permissions on /etc/group">
    <!-- root:root and world-readable 644, mirroring the /etc/passwd entry above. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
chown root:root /etc/group
chmod 644 /etc/group
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-anacrontab-perms" cceids="CCE-4304-2" description="Fix anacrontab perms">
    <!-- Mode 600 on /etc/anacrontab, skipped when anacron is not installed. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
if [ -e /etc/anacrontab ]; then
    chmod 600 /etc/anacrontab
fi
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-crontab-perms" cceids="CCE-4388-5" description="Fix crontab perms">
    <!-- Mode 600 on the system crontab; unconditional, so a missing /etc/crontab yields an
         error from chmod. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# (Audit 92) Fix Permissions on cron files/folders
chmod 600 /etc/crontab
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-cron-file-perms" cceids="CCE-4250-7,CCE-4450-3,CCE-4106-1,CCE-4251-5,CCE-4203-6" description="Fix cron file/folder permissions">
    <!-- Mode 700 on every /etc/cron.* entry. The glob covers the cron.hourly/daily/... directories
         and also any plain files named that way (e.g. cron.allow or cron.deny if present). -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# (Audit 93-97, 100-103) Fix Permissions on cron files/folders
chmod 700 /etc/cron.*
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="fix-root-path-perms" cceids="CCE-14957-5" description="Fix permissions on dirs in root's path">
    <!-- Removes group/other write permission from every directory in root's login-shell PATH.
         A '.' entry in PATH would make chmod act on the script's current directory, and a missing
         directory only produces a chmod error. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
for d in $(bash -l -c 'echo $PATH' | sed 's/:/ /g')
do
    chmod og-w $d
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-non-root-system-login" cceids="CCE-3987-5" description="Disable login for system accounts">
    <!-- Sets the shell to /bin/false for every account that (a) has neither 'root' nor 'home'
         anywhere in its home/shell fields and (b) does not already use a nologin shell; the
         syslog account is then handled separately, presumably because its home is under /home.
         NOTE(review): the syslog exclusion pattern requires a seventh colon
         (^syslog:([^:]*:){5}: followed by the shell) while passwd lines have six, so it
         appears never to match and syslog is re-set on every run; harmless, but the guard is
         not doing its job. chsh errors are discarded. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# (Audit 23.1) Disable login for system accounts
for i in $(egrep -v '^([^:]*:){5}.*(root|home)' /etc/passwd | egrep -v '^([^:]*:){6}(/dev/null|/bin/false|/sbin/nologin|/usr/sbin/nologin)' | cut -d ":" -f 1; egrep '^syslog:' /etc/passwd | egrep -v '^syslog:([^:]*:){5}:(/dev/null|/bin/false|/sbin/nologin|/usr/sbin/nologin)' | cut -d ":" -f 1)
do
    chsh -s /bin/false $i 2>/dev/null
done
      ]]>
      </script>
    </action>
  </remediation>

  <remediation id="disable-avahi-daemon" cceids="CCE-4365-3" description="Disable avahi-daemon service">
    <!-- Disables mDNS/zeroconf advertising. -->
    <action distro="*" action="ActionDisableService" service="avahi-daemon"/>
  </remediation>

  <remediation id="disable-cups" cceids="CCE-4425-5" description="Disable cups service">
    <!-- Disables the print spooler service. -->
    <action distro="*" action="ActionDisableService" service="cups"/>
  </remediation>

  <remediation id="disable-rpcgssd" cceids="CCE-3535-2" description="Disable rpcgssd service">
    <!-- Referenced by the rpcgssd audit above (omsremediate -r disable-rpcgssd). -->
    <action distro="*" action="ActionDisableService" service="rpcgssd"/>
  </remediation>

  <remediation id="disable-rpcidmapd" cceids="CCE-3568-3" description="Disable rpcidmapd service">
    <!-- Referenced by audit msid 127 above (omsremediate -r disable-rpcidmapd). -->
    <action distro="*" action="ActionDisableService" service="rpcidmapd"/>
  </remediation>

  <remediation id="disable-rpcbind" cceids="CCE-4550-0" description="Disable rpcbind service">
    <!-- Referenced by audit msid 129 above. SLES 11 additionally stops the nfs service; on the
         systemd distros the rpcbind.socket unit is disabled as well, presumably so socket
         activation cannot bring the service back. The same distro expression is written with
         escaped '&gt;' in the audit and literal '>' here; both parse to the same text. -->
    <action distro="SLES=11" action="ActionDisableService" service="nfs"/>
    <action distro="*" action="ActionDisableService" service="rpcbind"/>
    <action distro="CentOS>=7|RedHat>=7|SLES>11" action="ActionDisableService" service="rpcbind.socket"/>
  </remediation>

  <remediation id="disable-unnecessary-kernel-mods" cceids="CCE-14089-7,CCE-14457-6,CCE-15087-0,CCE-14093-9,CCE-14853-6,CCE-14118-4,CCE-14268-7,CCE-14132-5,CCE-14027-7,CCE-14911-2" description="Disable unnecessary Kernel Modules">
    <!-- Writes a modprobe drop-in whose 'install MOD /bin/true' lines make modprobe run /bin/true
         instead of loading the module, blocking the listed network protocols and filesystems.
         The file is rewritten from scratch on every run. Nothing here unloads a module that is
         already resident. The chown uses the 'root.root' spelling while the rest of this file
         uses 'root:root'. -->
    <action distro="*" action="ActionScript">
      <script>
      <![CDATA[
# (Audit6.1 - 6.6, 54, 55, 57) Disable unnecessary Kernel Modules
cat > /etc/modprobe.d/blacklist-azurebaseline.conf <<EOF
# Modules disabled per Azure baseline
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install cramfs /bin/true
install freevxfs /bin/true
install hfs /bin/true
install hfsplus /bin/true
install jffs2 /bin/true
install squashfs /bin/true
EOF
chown root.root /etc/modprobe.d/blacklist-azurebaseline.conf
chmod 644 /etc/modprobe.d/blacklist-azurebaseline.conf
      ]]>
      </script>
    </action>
  </remediation>
 </remediations>
</data>