diff --git a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md new file mode 100644 index 0000000000000000000000000000000000000000..286277a4a3916d18a5b3639daf83ecd3a884c161 --- /dev/null +++ b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md @@ -0,0 +1,54 @@ +# 1.45 确保正确配置了密码尝试失败次数和失败后锁定时间 + +## 安全等级 + +- Level 1 + +## 描述 + +对于连续多次登录密码验证失败的用户,应锁定其账户。 + +可通过修改`system-auth`及`password-auth`配置文件中以下两个参数,对上述功能进行管理。 + +* `deny=n` -> 密码验证的尝试次数(n),超过n次后锁定用户。建议值:3-8(次)。 +* `unlock_time=n` -> 用户锁定后解锁所需的时间(秒)。建议值:600-1800(秒)。 + +根据实际情况对密码尝试次数和解锁时间进行配置,防范密码暴力破解。 + +## 修复建议 + +对`system-auth`及`password-auth`配置文件的参数进行配置。 + +1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。: + +```bash +cat >> /etc/pam.d/password-auth << EOF +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 +EOF +``` + +```bash +cat >> /etc/pam.d/system-auth << EOF +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 +EOF +``` + +## 扫描检测 + +确保配置了密码验证失败超过阈值后锁定用户 + +1. 执行以下命令,验证`system-auth`及`password-auth`配置文件的参数是否合规: + +```bash +# grep -E '^\s*auth\s+required\s+pam_faillock.so\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth +/etc/pam.d/password-auth:auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +/etc/pam.d/password-auth:auth required pam_faillock.so authfail deny=5 unlock_time=900 +/etc/pam.d/system-auth:auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +/etc/pam.d/system-auth:auth required pam_faillock.so authfail deny=5 unlock_time=900 +``` + +输出结果中应符合:`deny`的值在 3-8 之间、`unlock_time`的值在 600-1800 之间。 + +## 参考 \ No newline at end of file 
diff --git a/benchmarks/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.md b/benchmarks/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.md new file mode 100644 index 0000000000000000000000000000000000000000..03bfd59830385162332241715880546d4431aa73 --- /dev/null +++ b/benchmarks/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.md @@ -0,0 +1,61 @@ +# 1.46 确保用户 shell 超时时间在600至1800秒之间 + +## 安全等级 + +- Level 1 + +## 描述 + +`TMOUT`是一个环境变量,用于指定`shell`的超时时间,单位为秒。 + +* `TMOUT=n` -> 设置shell超时时间为n秒。`TMOUT=0`表示禁用超时时间。 +* `readonly TMOUT` -> 可将`TMOUT`环境变量设置为只读,避免其被篡改。 +* `export TMOUT` -> 对`TMOUT`的值进行修改。 + +环境变量的配置文件: + +* `/etc/profile` -> 此文件内的变量为全局变量,可作用于所有用户。 +* `/etc/profile.d` -> 在系统启动或用户第一次登录 shell 时,会自动运行其目录下所有`*.sh` 文件。 +* `/etc/bashrc` -> 为每个运行 bash shell 的用户执行该文件,当 bash shell 打开时,该文件被执行,其配置对所有使用 bash 的用户打开的每个 bash 都有效。当被修改后,不用重启系统只需要打开一个新的 bash 即可生效。 + +设置 shell 超时时间可以减少未经授权的用户通过其他已登录用户的 shell 会话进行非法操作的情况,也能及时释放被不活跃用户占用的会话资源。 + +## 修复建议 + +对`TMOUT`环境变量的值进行配置。 + +检查 +* `/etc/bashrc`文件 +* `/etc/profile`文件 +* `/etc/profile.d/`目录下所有以`.sh`结尾的文件 +中`TMOUT=n`条目的值,应在600~1800之间: + +示例: +```bash +readonly TMOUT=900 ; export TMOUT +``` + +或 + +```bash +TMOUT=900 +readonly TMOUT +export TMOUT +``` + +以上分别为单行与多行配置,符合任意一种即可。 + +## 扫描检测 + +确保用户shell超时时间在600至1800秒之间。 + +执行以下命令,验证`TMOUT`环境变量是否正确设置: + +```bash +# grep -Pio "TMOUT=[0-9]+" /etc/profile /etc/bashrc /etc/profile.d/*.sh +/etc/profile:TMOUT=1800 +``` + +如输出`TMOUT`的值在600~1800之间,则视为通过此项检查。 + +## 参考 \ No newline at end of file diff --git a/benchmarks/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.md b/benchmarks/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.md new file mode 100644 index 0000000000000000000000000000000000000000..1562916df79e72a050d537ec7c218674b7bbfe51 --- /dev/null 
+++ b/benchmarks/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.md @@ -0,0 +1,42 @@ +# 1.47 确保 SSH 的 MaxAuthTries 设置为3~5 + +## 安全等级 + +- Level 1 + +## 描述 + +SSH 配置文件:`/etc/ssh/sshd_config`中的 MaxAuthTries 参数规定了每个会话连接所允许的最大认证尝试次数。当登录失败次数达到一半时,错误信息将被写入 syslog 文件,记录登录失败信息。 + +将 MaxAuthTries 参数设置为一个较低的数字,可最大限度地降低对 SSH 服务器暴力攻击的成功率。推荐设置为3~5。 + +## 修复建议 + +对`/etc/ssh/sshd_config`配置文件的`MaxAuthTries `参数进行配置。 + +1. 编辑`/etc/ssh/sshd_config`配置文件,修改`MaxAuthTries`参数,或添加以下代码,对`MaxAuthTries `参数进行配置: + +```bash +MaxAuthTries 4 +``` + +* `MaxAuthTries`参数默认为`6`,建议配置为3~5。 + +## 扫描检测 + +确保`SSH`的`MaxAuthTries`配置正确。 + +1. 执行以下命令,验证`SSH`的`MaxAuthTries`配置是否正确: + +```bash +# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep maxauthtries +maxauthtries 4 +# grep -Ei '^\s*maxauthtries\s+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config +Nothing is returned +# grep -Ei '^\s*maxauthtries\s+([0-2])' /etc/ssh/sshd_config +Nothing is returned +``` + +如果第一条命令执行后返回3~5,且其余两条命令执行后,没有返回任何结果,则视为通过此项检查。 + +## 参考 \ No newline at end of file diff --git a/benchmarks/access-and-control/1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md b/benchmarks/access-and-control/1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md new file mode 100644 index 0000000000000000000000000000000000000000..ba20a20f44677ca23d6122ccd74ed1ec9750b84c --- /dev/null +++ b/benchmarks/access-and-control/1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md 
@@ -0,0 +1,42 @@ +# 1.48 对通过网络进行管理的终端进行限制 + +## 安全等级 + +- Level 2 + +## 描述 + +对于能过xinetd程序启动的网络服务,比如ftp telnet,我们就可以修改/etc/hosts.allow和/etc/hosts.deny的配制,来许可或者拒绝哪些IP、主机、用户可以访问。 + +* /etc/hosts.allow: + * 在此文件内加入的IP访问请求将被允许。 + +* /etc/hosts.deny: + * 在此文件内加入的IP访问请求将被拒绝。 + + +## 修复建议 + +向`/etc/hosts.allow`、`/etc/hosts.deny`配置文件中添加允许及拒绝的IP地址。 + +1. 编辑`/etc/hosts.allow`、`/etc/hosts.deny`配置文件,如没有此文件,需创建: + +```bash +echo "ALL: 0.0.0.0/0" >> /etc/hosts.allow +echo "ALL: ALL" >> /etc/hosts.deny +``` + +请根据实际情况,替换`""`内的IP地址。 + +## 扫描检测 + +执行以下命令,验证`/etc/hosts.allow`、`/etc/hosts.deny`配置文件的内容是否正确: + +```bash +# cat /etc/hosts.allow +# cat /etc/hosts.deny +``` + +检查两个配置文件中的IP地址,是否符合实际生产环境的需求,如符合则视为通过此项检查。 + +## 参考 \ No newline at end of file diff --git a/benchmarks/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.md b/benchmarks/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.md new file mode 100644 index 0000000000000000000000000000000000000000..c70f71618710ccb84469dd0fca2da61675c2b959 --- /dev/null +++ b/benchmarks/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.md @@ -0,0 +1,36 @@ +# 1.49 锁定或删除shutdown、halt用户 + +## 安全等级 + +- Level 1 + +## 描述 + +锁定或删除shutdown、halt用户,避免生产环境内的服务器等设备被非法关机。 + +## 修复建议 + +锁定或删除shutdown、halt用户。 + +执行以下命令,锁定shutdown、halt用户 + +```bash +usermod -L shutdown +usermod -L halt +``` + +## 扫描检测 + +执行以下命令,验证shutdown、halt用户是否被锁定: + +```bash +# passwd -S shutdown | grep -E "shutdown\s+LK" +shutdown LK 2021-06-16 7 90 7 -1 (Alternate authentication scheme in use.) + +# passwd -S halt | grep -E "halt\s+LK" +halt LK 2021-06-16 7 90 7 -1 (Alternate authentication scheme in use.) +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 \ No newline at end of file 
diff --git a/benchmarks/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.md b/benchmarks/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.md new file mode 100644 index 0000000000000000000000000000000000000000..e57e967d348de74532391ec0d2391987c35d311d --- /dev/null +++ b/benchmarks/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.md @@ -0,0 +1,50 @@ +# 2.21 确保 rsyslog 服务安装并启用 + +## 安全等级 + +- Level 1 + +## 描述 + +rsyslog 软件是原 syslogd 守护程序的替代品,其相比于 syslogd 做了很多改进,添加了如:面向连接(即TCP)的日志传输、将日志记录到数据库,以及在与中央日志服务器交互中对日志数据进行加密等特性及功能。 + +以上多种新特性与功能,都证明了安装和配置 rsyslog 软件包的合理性及必要性。在安装了 rsyslog 软件后,应正确的激活并启用该服务。 + +## 修复建议 + +目标:安装`rsyslog`软件包。 + +1. 运行以下命令安装`rsyslog`: + +```bash +# yum install rsyslog -y +``` + +2. 运行以下命令启用 rsyslog 服务: + +```bash +# systemctl --now enable rsyslog +``` + +## 扫描检测 + +确保已安装并启用 rsyslog。 + +1. 执行以下命令,检查 rsyslog 软件是否正确安装: + +```bash +# rpm -q rsyslog +rsyslog- +``` + +``为版本号,如:`rsyslog-8.2102.0-5.an8.x86_64` + +2. 执行以下命令,检查 rsyslog 服务是否启用: + +```bash +# systemctl is-enabled rsyslog +enabled +``` + +如输出结果符合预期,则视为通过此项检查。 +## 参考 diff --git a/benchmarks/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.md b/benchmarks/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.md new file mode 100644 index 0000000000000000000000000000000000000000..8db66eae427fa989f0795e33aabe2eed3b89bee6 --- /dev/null +++ b/benchmarks/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.md 
@@ -0,0 +1,39 @@ +# 2.22 确保收集用户的文件删除事件 + +## 安全等级 + +- Level 3 + +## 描述 + +对删除文件的操作进行审计记录 + +## 修复建议 + +目标:对删除文件的操作进行审计记录。 + +运行以下命令,配置审计服务,确保收集用户的文件删除事件: + +```bash +# echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules +``` + +## 扫描检测 + +确保收集用户的文件删除事件。 + +执行以下命令,检查文件删除审计收集是否正确配置: + +```bash +# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +``` + +如输出结果符合预期,则视为通过此项检查。 +## 参考 
diff --git a/benchmarks/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md b/benchmarks/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md new file mode 100644 index 0000000000000000000000000000000000000000..7dc8b1e4f81eddfd63c1bd2c5dd2983d1d87beed --- /dev/null +++ b/benchmarks/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md 
@@ -0,0 +1,53 @@ +# 2.23 确保收集对系统管理范围(sudoers)的更改 + +## 安全等级 + +- Level 3 + +## 描述 + +对系统管理范围(sudoers)的更改操作进行审计记录 + +## 修复建议 + +目标:确保收集对系统管理范围(sudoers)的更改。 + +运行以下命令,配置审计服务,确保收集对系统管理范围(sudoers)的更改: + +```bash +# echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules +``` + +## 扫描检测 + +确保收集对系统管理范围(sudoers)的更改。 + +执行以下命令,检查对系统管理范围(sudoers)的审计收集是否正确配置: + +```bash +# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +# grep -E "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity +``` + +如输出结果符合预期,则视为通过此项检查。 +## 参考 
diff --git a/benchmarks/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.md b/benchmarks/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.md new file mode 100644 index 0000000000000000000000000000000000000000..db1e7934dc646228c0a292264628bdb108221c01 --- /dev/null +++ b/benchmarks/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.md @@ -0,0 +1,41 @@ +# 2.24 确保收集修改用户/组信息的事件 + +## 安全等级 + +- Level 3 + +## 描述 + +收集修改用户/组信息的事件 + +## 修复建议 + +目标:确保收集修改用户/组信息的事件。 + +运行以下命令,配置审计服务,确保收集对用户/组信息的修改事件: + +```bash +# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +# echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules +``` + +## 扫描检测 + +确保收集修改用户/组信息的事件。 + +执行以下命令,检查对用户/组信息的修改审计收集是否正确配置: + +```bash +# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope + +# grep -E "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope +``` + +如输出结果符合预期,则视为通过此项检查。 +## 参考 diff --git a/benchmarks/mandatory-access-control/5.8-create-common-audit-and-security-users.md b/benchmarks/mandatory-access-control/5.8-create-common-audit-and-security-users.md new file mode 100644 index 0000000000000000000000000000000000000000..be8c58567b9e1605e22c632551dc5d82473d27f2 --- /dev/null +++ b/benchmarks/mandatory-access-control/5.8-create-common-audit-and-security-users.md 
@@ -0,0 +1,28 @@ +# 5.8 创建普通、审计、安全用户 + +## 安全等级 +- Level 2 + +## 描述 + +> * 当前,Linux操作系统已广泛应用于各种设备和产品中,如服务器、PC机、机顶盒及路由器等。随着Linux系统的不断发展和广泛应用,Linux系统的安全问题也引起越来越多的关注。 +> * 在Linux操作系统中,存在一个超级用户即root用户。root也称为系统管理员,它拥有管理系统的一切权限。当一个非法用户获得root用户口令后,他就可以以超级用户的身份登录系统,然后做任何他想做的事情:如任意添加、删除用户,终止进程,删除重要文件甚至更改root用户的口令。因此,一旦root权限被恶意用户利用,就可能导致系统数据遭到泄密和破坏。 +> * 该问题也引起了国家的重点关注,如国家保密标准BMB20-2007《涉及国家秘密的信息系统分级保护管理规范》中明确提出:涉密信息系统应配备系统管理员、安全保密管理员和安全审计员这三类安全保密管理人员,三员应该相互独立、相互制约、不得兼任。三个管理员之间的工作机制分为协作和制约两种机制,行使的是原超级用户的权力,即系统管理员、安全管理员和审计管理员间相互协作,共同维护系统的正常运行。制约机制指只有在当前管理员操作不影响其他管理员正在进行的操作时才被允许,从而保证了管理员行为的可预期性,避免超级用户的误操作或其身份被假冒而带来的安全隐患,增强了系统的安全性。该规范可以有效防止由系统管理员权力过大所带来的系统安全威胁和隐患。 + +## 修复建议 + +使用`useradd` `passwd` 创建系统、安全、审计管理员用户并配置密码。 +``` +# 创建自定义用户 +# useradd [username] +# passwd +``` + +## 扫描检测 + +使用以下命令,查看用户是否创建成功。 +```bash +cat /etc/passwd |cut -f 1 -d : +``` + +## 参考 diff --git a/benchmarks/services/3.18-uninstall-the-avahi-server.md b/benchmarks/services/3.18-uninstall-the-avahi-server.md new file mode 100644 index 0000000000000000000000000000000000000000..3c220dbe38103954b3ff1d72ff2b8041a245a2e0 --- /dev/null +++ b/benchmarks/services/3.18-uninstall-the-avahi-server.md @@ -0,0 +1,34 @@ +# 3.18 卸载Avahi + +## 安全等级 + +- Level 1 + +## 描述 + +Avahi 是一个免费的 zeroconf(零配置网络服务规范) 实现,包括用于多播 DNS/DNS-SD 服务发现的系统。 Avahi 允许程序在没有特定配置的情况下发布和发现在本地网络上运行的服务和主机。 例如,用户可以将计算机插入网络,Avahi 会自动查找要打印到的打印机、要查看的文件和要交谈的人,以及机器上运行的网络服务。 + +系统功能通常不需要自动发现网络服务。 建议卸载该服务以减少潜在的攻击面。 + +## 修复建议 + +运行以下命令来卸载`avahi` + +```bash +# yum remove -y --noautoremove avahi +``` + +## 扫描检测 + +确保未安装 avahi。 + +1. 执行以下命令,检查 avahi 软件包是否安装: + +```bash +# rpm -q avahi +package avahi is not installed +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.19-uninstall-the-kexec-tools.md b/benchmarks/services/3.19-uninstall-the-kexec-tools.md new file mode 100644 index 0000000000000000000000000000000000000000..224deaa485c0641ca2c006abf4a2f753316a7720 --- /dev/null +++ b/benchmarks/services/3.19-uninstall-the-kexec-tools.md 
@@ -0,0 +1,34 @@ +# 3.19 卸载 kexec-tools + +## 安全等级 + +- Level 1 + +## 描述 + +kexec工具是Linux内核的一个补丁,让您可以从当前正在运行的内核直接引导到一个新内核。在上面描述的引导序列中,kexec跳过了整个引导装载程序阶段(第一部分)并直接跳转到我们希望引导到的内核。不再有硬件的重启,不再有固件操作,不再涉及引导装载程序。完全避开了引导序列中最弱的一环:固件。这一功能部件带来的最大益处在于,系统现在可以极其快速地重新启动。 + +但由于其直接跳过了引导阶段,可以滥用此功能来加载恶意内核并在内核模式下获得任意代码执行能力。因此应当卸载此工具。 + +## 修复建议 + +运行以下命令来卸载`kexec-tools` + +```bash +# yum remove -y --noautoremove kexec-tools +``` + +## 扫描检测 + +确保未安装 kexec-tools。 + +1. 执行以下命令,检查 kexec-tools 软件包是否安装: + +```bash +# rpm -q kexec-tools +package kexec-tools is not installed +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.20-uninstall-the-firstboot.md b/benchmarks/services/3.20-uninstall-the-firstboot.md new file mode 100644 index 0000000000000000000000000000000000000000..c21eb746bd2bfd8424a1e0f6f60affd726c48724 --- /dev/null +++ b/benchmarks/services/3.20-uninstall-the-firstboot.md @@ -0,0 +1,32 @@ +# 3.20 卸载 firstboot + +## 安全等级 + +- Level 1 + +## 描述 + +Linux在安装完之后第一次启动会启动firstboot服务。Firstboot 只能在使用图形安装或者安装了桌面和 X 视窗系统,并启用图形登录的 kickstart 安装中使用。如果执行文本安装或者没有包括桌面和 X 视窗系统的 kickstart 安装,则不会出现 firstboot 配置工具。 + +## 修复建议 + +运行以下命令来卸载`firstboot` + +```bash +# yum remove -y --noautoremove firstboot +``` + +## 扫描检测 + +确保未安装 firstboot。 + +1. 执行以下命令,检查 firstboot 软件包是否安装: + +```bash +# rpm -q firstboot +package firstboot is not installed +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.21-uninstall-the-wpa_supplicant.md b/benchmarks/services/3.21-uninstall-the-wpa_supplicant.md new file mode 100644 index 0000000000000000000000000000000000000000..89495a8dae5300e1dec907ee918e6b609a142d48 --- /dev/null +++ b/benchmarks/services/3.21-uninstall-the-wpa_supplicant.md 
@@ -0,0 +1,33 @@ +# 3.21 卸载 wpa_supplicant + +## 安全等级 + +- Level 1 + +## 描述 + +wpa_supplicant是wifi客户端(client)加密认证工具,和iwconfig不同,wpa_supplicant支持wep、wpa、wpa2等完整的加密认证,而iwconfig只能支持wep。 +如对无线网络没有需求,应卸载此服务,以减少潜在的攻击面。 + +## 修复建议 + +运行以下命令来卸载`wpa_supplicant` + +```bash +# yum remove -y --noautoremove wpa_supplicant +``` + +## 扫描检测 + +确保未安装 wpa_supplicant。 + +1. 执行以下命令,检查 wpa_supplicant 软件包是否安装: + +```bash +# rpm -q wpa_supplicant +package wpa_supplicant is not installed +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.22-uninstall-the-ypbind-server.md b/benchmarks/services/3.22-uninstall-the-ypbind-server.md new file mode 100644 index 0000000000000000000000000000000000000000..d218103f7a1cd1beb5d163946b90454b7b203160 --- /dev/null +++ b/benchmarks/services/3.22-uninstall-the-ypbind-server.md @@ -0,0 +1,33 @@ +# 3.22 卸载 ypbind + +## 安全等级 + +- Level 1 + +## 描述 + +NIS的全称是Network Information Service是sun Microsystem于1985年发布的一项目录服务,用来集中控制多个系统管理数据库的网络用品。ypbind是NIS(网络信息系统)客户机激活ypbind的服务进程。 +如对NIS没有需求,应卸载此服务,以减少潜在的攻击面。 + +## 修复建议 + +运行以下命令来卸载`ypbind` + +```bash +# yum remove -y --noautoremove ypbind +``` + +## 扫描检测 + +确保未安装 ypbind。 + +1. 执行以下命令,检查 ypbind 软件包是否安装: + +```bash +# rpm -q ypbind +package ypbind is not installed +``` + +如输出结果符合预期,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.23-disable-rsh.md b/benchmarks/services/3.23-disable-rsh.md new file mode 100644 index 0000000000000000000000000000000000000000..0699385d4c8bac529bebd8fa7f3ea3b68fbc3a08 --- /dev/null +++ b/benchmarks/services/3.23-disable-rsh.md 
@@ -0,0 +1,32 @@ +# 3.23 禁用rsh + +## 安全等级 + +- Level 1 + +## 描述 + +Rsh 是远程外壳(remote shell) 的缩写(外壳是操作系统的一种命令接口)。运行于远程计算机上的rshd 后台程序,接受rsh 命令,验证用户名和主机名信息,并执行该命令。当用户不愿或不需要与远程计算机建立远程会话时,可以使用rsh 工具执行输入的命令。Rsh 工具允许用户在远程计算机上执行单条命令,而无需在该远程计算机上进行登录。 + +因rsh使用明文传输,且没有密钥的机制,有极大的安全隐患。所以应当禁用rsh服务,使用更加安全的远程链接方式,如SSH等。 + +## 修复建议 + +运行以下命令来禁用`rsh` + +```bash +# systemctl --now disable rsh.socket +``` + +## 扫描检测 + +运行以下命令来检查`rsh`是否被禁用 + +```bash +# systemctl is-enabled rsh.socket +disabled +``` + +如输出结果为`disabled`,或提示未安装此服务,则视为通过此项检查。 + +## 参考 diff --git a/benchmarks/services/3.24-disable-ntalk.md b/benchmarks/services/3.24-disable-ntalk.md new file mode 100644 index 0000000000000000000000000000000000000000..a9678216eff03bf80789a885015208b9844d620c --- /dev/null +++ b/benchmarks/services/3.24-disable-ntalk.md @@ -0,0 +1,32 @@ +# 3.24 禁用ntalk + +## 安全等级 + +- Level 1 + +## 描述 + +talk/ntalk是一个用于Linux用户之间交流的程序,write也可以实现用户交流,但是write一次只能发送一条信息。而talk是基于socket实现的,用户可以实时交流。 + +因ntalk使用明文传输,且没有密钥的机制,有极大的安全隐患。所以应当禁用ntalk服务,使用更加安全的远程链接方式,如SSH等。 + +## 修复建议 + +运行以下命令来禁用`ntalk` + +```bash +# systemctl --now disable ntalk +``` + +## 扫描检测 + +运行以下命令来检查`ntalk`是否被禁用 + +```bash +# systemctl is-enabled ntalk +disabled +``` + +如输出结果为`disabled`,或提示未安装此服务,则视为通过此项检查。 + +## 参考 diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh new file mode 100644 index 0000000000000000000000000000000000000000..d162024789dd854aa8c1580206c690840ffea943 --- /dev/null +++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -0,0 +1,11 @@ +grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || +cat >> /etc/pam.d/password-auth << EOF +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 +EOF + +grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || +cat >> /etc/pam.d/system-auth << EOF +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 +EOF \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh new file mode 100644 index 0000000000000000000000000000000000000000..1f96cdda116d78e8bd1dd85782310a181597fa5b --- /dev/null +++ b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -0,0 +1 @@ +grep -Piq "TMOUT=[0-9]+" /etc/profile || echo "readonly TMOUT=1800 ; export TMOUT" >> /etc/profile \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh new file mode 100644 index 0000000000000000000000000000000000000000..7dee409b4d3a9ff84f568e500a255bf45a11eaa0 --- /dev/null +++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -0,0 +1 @@ +egrep -q "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh new file mode 100644 index 0000000000000000000000000000000000000000..cd85095dd0ac3e5772e2da685e3291efad6b4f96 --- /dev/null +++ b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -0,0 +1,2 @@ +usermod -L shutdown +usermod -L halt \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh b/remediation-kits/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..4b99193fb31d87c8c5cf850714e3ed1782161bc4 --- /dev/null +++ b/remediation-kits/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh @@ -0,0 +1,2 @@ +yum install rsyslog -y +systemctl --now enable rsyslog \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh new file mode 100644 index 0000000000000000000000000000000000000000..3059f359e1300412e18566a016ff4cdf6bad6470 --- /dev/null +++ b/remediation-kits/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh 
@@ -0,0 +1,2 @@ +echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh new file mode 100644 index 0000000000000000000000000000000000000000..4a39c74e776a7d2e0cc820e6897f6a5a9cfa5d70 --- /dev/null +++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh @@ -0,0 +1,2 @@ +echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules +echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh new file mode 100644 index 0000000000000000000000000000000000000000..8729e8193dc291a2ef3bbde8aa9055e0a1f9881d --- /dev/null 
+++ b/remediation-kits/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -0,0 +1,2 @@ +echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules +echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules \ No newline at end of file diff --git a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh new file mode 100644 index 0000000000000000000000000000000000000000..26adfaf794e5fc3658a9507be2e6d753e569a9f6 --- /dev/null +++ b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh @@ -0,0 +1 @@ +yum remove -y --noautoremove avahi \ No newline at end of file diff --git a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh new file mode 100644 index 0000000000000000000000000000000000000000..7d5e3c5a92dd6ff658fe88d477d580f303fedfe8 --- /dev/null +++ b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh @@ -0,0 +1 @@ +yum remove -y --noautoremove kexec-tools \ No newline at end of file diff --git a/remediation-kits/services/3.20-uninstall-the-firstboot.sh b/remediation-kits/services/3.20-uninstall-the-firstboot.sh new file mode 100644 index 0000000000000000000000000000000000000000..008ae9d62052c3440805717424732412061dc4f9 --- /dev/null +++ b/remediation-kits/services/3.20-uninstall-the-firstboot.sh @@ -0,0 +1 @@ +yum remove -y --noautoremove firstboot \ No newline at end of file diff --git a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh new file mode 100644 index 0000000000000000000000000000000000000000..084aa8668fc8d7216f74b03b5076f0dd5f7954af --- /dev/null +++ b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh 
@@ -0,0 +1 @@ +yum remove -y --noautoremove wpa_supplicant \ No newline at end of file diff --git a/remediation-kits/services/3.22-uninstall-the-ypbind-server.sh b/remediation-kits/services/3.22-uninstall-the-ypbind-server.sh new file mode 100644 index 0000000000000000000000000000000000000000..2f72bc74fa977684f5fd1b8fced9e66dd3c7cd2b --- /dev/null +++ b/remediation-kits/services/3.22-uninstall-the-ypbind-server.sh @@ -0,0 +1 @@ +yum remove -y --noautoremove ypbind \ No newline at end of file diff --git a/remediation-kits/services/3.23-disable-rsh.sh b/remediation-kits/services/3.23-disable-rsh.sh new file mode 100644 index 0000000000000000000000000000000000000000..87bda8141990ce2a4136e1e68adcd91a9a716412 --- /dev/null +++ b/remediation-kits/services/3.23-disable-rsh.sh @@ -0,0 +1 @@ +systemctl --now disable rsh.socket \ No newline at end of file diff --git a/remediation-kits/services/3.24-disable-ntalk.sh b/remediation-kits/services/3.24-disable-ntalk.sh new file mode 100644 index 0000000000000000000000000000000000000000..f6828df5ebccf4f0da6de3a74ef3060c1fefbd58 --- /dev/null +++ b/remediation-kits/services/3.24-disable-ntalk.sh @@ -0,0 +1 @@ +systemctl --now disable ntalk.socket \ No newline at end of file diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh new file mode 100644 index 0000000000000000000000000000000000000000..277dcaf6b0388871fe6302cda01daca141369fbe --- /dev/null +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -0,0 +1,22 @@ +result_File_Password=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth | grep -Eio "deny=[0-9]+\sunlock_time=[0-9]+"` +result_File_System=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+\sunlock_time=[0-9]+"` +result_Deny=true +result_Unlock_Time=true + +for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+" | cut -d"=" -f 2`; do + if [[ i -lt 3 ]] || [[ i -gt 8 ]] ; then + result_Deny=false + fi +done + +for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "unlock_time=[0-9]+" | cut -d"=" -f 2`; do + if [[ i -lt 600 ]] || [[ i -gt 1800 ]] ; then + result_Unlock_Time=false + fi +done + +if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == true && $result_Unlock_Time == true ]]; then + echo 'pass' +else + echo 'fail' +fi \ No newline at end of file diff --git a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh new file mode 100644 index 0000000000000000000000000000000000000000..4044f896d5d19e5ba698d239672a8e20ba04b27c --- /dev/null +++ b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -0,0 +1,12 @@ +result=false +val_TMOUT=99999 +val_TMOUT=`grep -Pio "TMOUT=[0-9]+" /etc/profile | cut -d"=" -f 2` +val_TMOUT_Count=`grep -Pio "TMOUT=[0-9]+" /etc/profile | wc -l` + +[[ $val_TMOUT_Count -eq 1 ]] && [[ $val_TMOUT -ge 600 ]] && [[ $val_TMOUT -le 1800 ]] && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file 
diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh new file mode 100644 index 0000000000000000000000000000000000000000..4434380dc51d73f9d7d627510b57fa714ebcfb0d --- /dev/null +++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -0,0 +1,10 @@ +result=true + +grep -Eiq '^\s*maxauthtries\s+([6-9]|[1-9][0-9]+)' /etc/ssh/sshd_config && result=false +[ "$result" = true ] && grep -Eiq '^\s*maxauthtries\s+([0-2])' /etc/ssh/sshd_config && result=false + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh new file mode 100644 index 0000000000000000000000000000000000000000..d5adb05986ac620b5bbc99b9dea1776a2b57e960 --- /dev/null +++ b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -0,0 +1,9 @@ +result=false + +passwd -S shutdown | grep -Eq "shutdown\s+LK" && passwd -S halt | grep -Eq "halt\s+LK" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh b/scanners/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..76398943e30e734042f8a523311a8f556d7dd339 --- /dev/null +++ b/scanners/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh @@ -0,0 +1,10 @@ +if [ "$(rpm -qa rsyslog)" ]; then + result=$(systemctl is-enabled rsyslog) + if [ $result = enabled ]; then + echo "pass" + else + echo "fail" + fi +else + echo "fail" +fi \ No newline at end of file 
diff --git a/scanners/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh new file mode 100644 index 0000000000000000000000000000000000000000..c7ffd87f053a39ff6964f2d0d2038cdef2b3506c --- /dev/null +++ b/scanners/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh @@ -0,0 +1,9 @@ +result=false + +grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh new file mode 100644 index 0000000000000000000000000000000000000000..e2f67484d0e1fb9d3680cdb8ddef85bcd03467f3 --- /dev/null +++ b/scanners/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -0,0 +1,17 @@ +result=false + +grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules && grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity +\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity +\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity +\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh new file mode 100644 index 0000000000000000000000000000000000000000..c3707241454b7f69e00f85f8a23c910a21ef667e --- /dev/null +++ b/scanners/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -0,0 +1,11 @@ +result=false + +grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules && grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope +\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/services/3.18-uninstall-the-avahi-server.sh b/scanners/services/3.18-uninstall-the-avahi-server.sh new file mode 100644 index 0000000000000000000000000000000000000000..0e85c742731d8ac7cf7cbd57a3028eea29c0245c --- /dev/null +++ b/scanners/services/3.18-uninstall-the-avahi-server.sh 
@@ -0,0 +1,9 @@ +result=false + +rpm -q avahi | grep -Psiq "^package\s+avahi\s+is\s+not\s+installed$" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/services/3.19-uninstall-the-kexec-tools.sh b/scanners/services/3.19-uninstall-the-kexec-tools.sh new file mode 100644 index 0000000000000000000000000000000000000000..e00c03ec885133e5271b9593e8e1a1ba0473e1c5 --- /dev/null +++ b/scanners/services/3.19-uninstall-the-kexec-tools.sh @@ -0,0 +1,9 @@ +result=false + +rpm -q kexec-tools | grep -Psiq "^package\s+kexec-tools\s+is\s+not\s+installed$" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/services/3.20-uninstall-the-firstboot.sh b/scanners/services/3.20-uninstall-the-firstboot.sh new file mode 100644 index 0000000000000000000000000000000000000000..e32be54112b5f10a060c5ca01329c683b2dcb639 --- /dev/null +++ b/scanners/services/3.20-uninstall-the-firstboot.sh @@ -0,0 +1,9 @@ +result=false + +rpm -q firstboot | grep -Psiq "^package\s+firstboot\s+is\s+not\s+installed$" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh new file mode 100644 index 0000000000000000000000000000000000000000..902db48391620d2ec289f51b2dfc248c3b96b5f0 --- /dev/null +++ b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh @@ -0,0 +1,9 @@ +result=false + +rpm -q wpa_supplicant | grep -Psiq "^package\s+wpa_supplicant\s+is\s+not\s+installed$" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file 
diff --git a/scanners/services/3.22-uninstall-the-ypbind-server.sh b/scanners/services/3.22-uninstall-the-ypbind-server.sh new file mode 100644 index 0000000000000000000000000000000000000000..483acc6591d1d808fef247095b0473ca75bdad1d --- /dev/null +++ b/scanners/services/3.22-uninstall-the-ypbind-server.sh @@ -0,0 +1,9 @@ +result=false + +rpm -q ypbind | grep -Psiq "^package\s+ypbind\s+is\s+not\s+installed$" && result=true + +if [ "$result" = true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file diff --git a/scanners/services/3.23-disable-rsh.sh b/scanners/services/3.23-disable-rsh.sh new file mode 100644 index 0000000000000000000000000000000000000000..5b720fca1c3a722d3853f97aa3e14d4818059b8e --- /dev/null +++ b/scanners/services/3.23-disable-rsh.sh @@ -0,0 +1,10 @@ +if [ "$(rpm -qa rsh)" ]; then + result=$(systemctl is-enabled rsh.socket) + if [ $result != enabled ]; then + echo "pass" + else + echo "fail" + fi +else + echo "pass" +fi \ No newline at end of file diff --git a/scanners/services/3.24-disable-ntalk.sh b/scanners/services/3.24-disable-ntalk.sh new file mode 100644 index 0000000000000000000000000000000000000000..ac540854101dfcee92d39837453246e76e6cb730 --- /dev/null +++ b/scanners/services/3.24-disable-ntalk.sh @@ -0,0 +1,10 @@ +if [ "$(rpm -qa ntalk)" ]; then + result=$(systemctl is-enabled ntalk.socket) + if [ $result != enabled ]; then + echo "pass" + else + echo "fail" + fi +else + echo "pass" +fi \ No newline at end of file
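Review bot: the `yum remove -y --noautoremove wpa_supplicant` one-liner at the top of this patch, and the 3.22 ypbind, 3.23 rsh and 3.24 ntalk remediation kits after it, carry no shebang, so which interpreter runs them depends entirely on how the kit is invoked; start each file with `#!/bin/bash` so the scripts behave the same whether run directly or through a harness.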
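Review bot: `systemctl --now disable rsh.socket` in `remediation-kits/services/3.23-disable-rsh.sh` (and the matching `ntalk.socket` line in 3.24) only removes the enablement symlink; the socket can still be started by hand or pulled in by another unit. For a service the benchmark wants permanently off, `systemctl --now mask rsh.socket` is the stronger remediation, and removing `rsh-server` removes the unit altogether.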
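Review bot: in the two `for` loops of `scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh`, `[[ i -lt 3 ]]`, `[[ i -gt 8 ]]`, `[[ i -lt 600 ]]` and `[[ i -gt 1800 ]]` use the bare name `i`; bash happens to resolve it arithmetically inside `[[ ]]`, but it reads as a bug and should be `$i`. The larger problem is the presence test: `result_File_Password` and `result_File_System` are filled by `grep -Eio "deny=[0-9]+\sunlock_time=[0-9]+"`, which only matches when `unlock_time=` follows `deny=` separated by exactly one whitespace character, so a compliant line with the options in the other order, or with `even_deny_root` between them, reports `fail`. Base the presence test on the `pam_faillock.so` line count and let the two loops (which already extract `deny=` and `unlock_time=` independently) judge the values; `$(...)` is also preferable to backticks throughout.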
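Review bot: `scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh` greps only `/etc/profile`, while `TMOUT` is just as often set in `/etc/bashrc` or a `/etc/profile.d/*.sh` drop-in; a host configured there reports `fail`, and a host that sets a compliant value in `/etc/profile` but overrides it with `TMOUT=0` in `/etc/profile.d/` reports `pass`. Search all three locations (`grep -Pio "TMOUT=[0-9]+" /etc/profile /etc/bashrc /etc/profile.d/*.sh`) and require every match to be in range, rather than the current `-eq 1` count, which also fails a host where two files set a compliant value. The `val_TMOUT=99999` assignment on the second line is dead, since the next line overwrites it unconditionally, and the script never checks that `TMOUT` is made `readonly`, which the benchmark title implies.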
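Review bot: `scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh` starts with `result=true` and only flips to `false` on a non-compliant `MaxAuthTries` line, so an `sshd_config` with no `MaxAuthTries` directive at all prints `pass` even though the sshd default is 6. Add a positive match such as `grep -Eiq '^\s*maxauthtries\s+[3-5]\s*$' /etc/ssh/sshd_config || result=false`, or better read the effective value from `sshd -T`, which also resolves `Include` directives that a plain grep of the main file never sees.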
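Review bot: `scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh` contradicts its own title: if the `shutdown` or `halt` account has been deleted, `passwd -S` errors out, the `grep` never matches and the script prints `fail`, although deletion is one of the two accepted states. Treat a missing account as compliant, e.g. `! id shutdown >/dev/null 2>&1 || passwd -S shutdown | grep -Eq "shutdown\s+LK"`, and the same for `halt`.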
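Review bot: in `scanners/logging-and-auditing/2.21-ensure-that-the-rsyslog-service-is-installed-and-enabled.sh`, `[ $result = enabled ]` leaves `$result` unquoted; when `systemctl is-enabled rsyslog` prints nothing on stdout (unit file missing), the test degenerates to `[ = enabled ]` and the script dies with a syntax error instead of printing `fail`. Quote it as `[ "$result" = enabled ]`, and since the control wants the service usable, consider also requiring `systemctl is-active rsyslog`, as an enabled but stopped rsyslog collects nothing.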
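Review bot: the two `grep -Pq` patterns in `scanners/logging-and-auditing/2.22-make-sure-to-collect-file-deletion-events-for-users.sh` hard-code one exact spelling of the delete rule: single spaces, the syscalls in the order `unlink unlinkat rename renameat`, and `auid!=4294967295`. A rule written with `-F auid!=unset` or `-F auid!=-1` (both accepted by auditctl) or with the syscalls in a different order is functionally identical but reports `fail`, while the script never looks at what the kernel actually has loaded. Suggest comparing against `auditctl -l` after normalising the `auid` spelling, and searching `/etc/audit/rules.d/*.rules` rather than only `audit.rules`, because augenrules merges every file in that directory.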
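Review bot: `scanners/logging-and-auditing/2.23-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh` checks the identity watches (`/etc/group`, `/etc/passwd`, `/etc/gshadow`, `/etc/shadow`, `/etc/security/opasswd`, key `identity`), while the 2.24 scanner that follows checks the sudoers `scope` watches; the two bodies are swapped relative to their file names and should be exchanged. Independently, the pattern handed to `grep -Eq` contains embedded newlines, and grep treats each line of a pattern as a separate alternative, so the call succeeds as soon as any one of the five watches is present rather than all five. Test each watch with its own `grep -Eq` joined by `&&`, e.g. `grep -Eq '^-w\s+/etc/shadow\s+-p\s+wa\s+-k\s+identity' /etc/audit/rules.d/*.rules`.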
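Review bot: `scanners/logging-and-auditing/2.24-ensure-that-events-that-modify-user-group-information-are-collected.sh` checks the `/etc/sudoers` and `/etc/sudoers.d/` `scope` watches although its file name (and the 2.23 scanner, whose body holds the user/group watches) says it should check identity events; the bodies need to be swapped. The newline-separated pattern in `grep -Eq` also passes if either sudoers watch exists, not both, because grep reads each line of the pattern as an alternative; split it into two `grep -Eq` calls joined with `&&`.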
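Review bot: `scanners/services/3.18-uninstall-the-avahi-server.sh`, and the identical 3.19 kexec-tools, 3.20 firstboot, 3.21 wpa_supplicant and 3.22 ypbind scanners, decide by grepping the English message `package ... is not installed` out of `rpm -q`; on a host with a non-English `LANG` the message is translated, the `grep` never matches and an absent package is reported as `fail`. Use the exit status instead, which is locale-independent: `rpm -q avahi >/dev/null 2>&1 || result=true`.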
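Review bot: in `scanners/services/3.23-disable-rsh.sh`, the guard `rpm -qa rsh` tests for the rsh client package; the `rsh.socket` unit is shipped by `rsh-server`, so a host with only `rsh-server` installed takes the `else` branch and prints `pass` without ever running `systemctl is-enabled`. Gate on `rsh-server`, or drop the package test and inspect the unit directly, and quote `"$result"` in the `[ ]` comparison so an empty value does not turn into a syntax error. Checking `systemctl is-active rsh.socket` as well would catch a socket that is disabled for next boot but still listening now.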
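Review bot: `scanners/services/3.24-disable-ntalk.sh` gates on `rpm -qa ntalk`, but there is no `ntalk` package on RHEL/CentOS: `ntalk.socket` is installed by `talk-server` (the client package is `talk`), so the query is always empty and the script unconditionally prints `pass`. Test for `talk-server`, or check the unit directly with `systemctl is-enabled ntalk.socket`, and quote `"$result"` in the `[ ]` comparison.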