1 # @(#) $Id: ./src/rootcheck/db/cis_rhel5_linux_rcl.txt, 2011/09/08 dcid Exp $
4 # OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
6 # Released under the same license as OSSEC.
7 # More details at the LICENSE file included with OSSEC or online
8 # at: http://www.ossec.net/en/licensing.html
10 # [Application name] [any or all] [reference]
14 # - f (for file or directory)
15 # - p (process running)
16 # - d (any file inside the directory)
19 # For the registry , use "->" to look for a specific entry and another
20 # "->" to look for the value.
21 # For files, use "->" to look for a specific value in the file.
23 # Values can be preceeded by: =: (for equal) - default
24 # r: (for ossec regexes)
25 # >: (for strcmp greater)
26 # <: (for strcmp lower)
27 # Multiple patterns can be specified by using " && " between them.
28 # (All of them must match for it to return true).
31 # CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5).
32 # Based on CIS Benchmark for Red Hat Enterprise Linux 5 v1.1
37 $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
41 # Main one. Only valid for Red Hat 5.
42 [CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1] [any required] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
43 f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;
44 f:/etc/redhat-release -> r:^CentOS && r:release 5.2;
48 # Build considerations - Partition scheme.
49 [CIS - RHEL5 - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
50 f:/etc/fstab -> !r:/var;
54 # Section 2.3 - SSH configuration
55 [CIS - RHEL5 2.3 - SSH Configuration - Protocol version 1 enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
56 f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
58 [CIS - RHEL5 2.3 - SSH Configuration - IgnoreRHosts disabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
59 f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
61 [CIS - RHEL5 2.3 - SSH Configuration - Empty passwords permitted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
62 f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
64 [CIS - RHEL5 2.3 - SSH Configuration - Host based authentication enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
65 f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
67 [CIS - RHEL5 2.3 - SSH Configuration - Root login allowed] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
68 f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
72 # Section 2.4 Enable system accounting
73 #[CIS - RHEL5 2.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
78 # Section 3 - Minimize xinetd services
79 [CIS - RHEL5 3.3 - Telnet enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
80 f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no;
82 [CIS - RHEL5 3.4 - VSFTP enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
83 f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no;
85 [CIS - RHEL5 3.5 - rsh/rlogin/rcp enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
86 f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no;
87 f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no;
88 f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no;
90 [CIS - RHEL5 3.6 - tftpd enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
91 f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no;
93 [CIS - RHEL5 3.7 - imap enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
94 f:/etc/xinetd.c/cyrus-imapd -> !r:^# && r:disable && r:no;
96 [CIS - RHEL5 3.8 - pop3 enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
97 f:/etc/xinetd.c/dovecot -> !r:^# && r:disable && r:no;
101 # Section 4 - Minimize boot services
102 [CIS - RHEL5 4.1 - Set daemon umask - Default umask is higher than 027] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
103 f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;
105 [CIS - RHEL5 4.4 - GUI login enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
106 f:/etc/inittab -> !r:^# && r:id:5;
108 [CIS - RHEL5 4.7 - Disable standard boot services - Samba Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
109 d:$rc_dirs -> ^S\d\dsamba$;
110 d:$rc_dirs -> ^S\d\dsmb$;
112 [CIS - RHEL5 4.8 - Disable standard boot services - NFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
113 d:$rc_dirs -> ^S\d\dnfs$;
114 d:$rc_dirs -> ^S\d\dnfslock$;
116 [CIS - RHEL5 4.10 - Disable standard boot services - NIS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
117 d:$rc_dirs -> ^S\d\dypbind$;
118 d:$rc_dirs -> ^S\d\dypserv$;
120 [CIS - RHEL5 4.13 - Disable standard boot services - NetFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
121 d:$rc_dirs -> ^S\d\dnetfs$;
123 [CIS - RHEL5 4.15 - Disable standard boot services - Apache web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
124 d:$rc_dirs -> ^S\d\dapache$;
126 [CIS - RHEL5 4.16 - Disable standard boot services - SNMPD process Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
127 d:$rc_dirs -> ^S\d\dsnmpd$;
129 [CIS - RHEL5 4.17 - Disable standard boot services - DNS server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
130 d:$rc_dirs -> ^S\d\dnamed$;
132 [CIS - RHEL5 4.18 - Disable standard boot services - MySQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
133 d:$rc_dirs -> ^S\d\dmysqld$;
135 [CIS - RHEL5 4.18 - Disable standard boot services - PostgreSQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
136 d:$rc_dirs -> ^S\d\dpostgresql$;
138 [CIS - RHEL5 4.19 - Disable standard boot services - Squid Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
139 d:$rc_dirs -> ^S\d\dsquid$;
141 [CIS - RHEL5 4.20 - Disable standard boot services - Kudzu hardware detection Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
142 d:$rc_dirs -> ^S\d\dkudzu$;
146 # Section 5 - Kernel tuning
147 [CIS - RHEL5 5.1 - Network parameters - Source routing accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
148 f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
150 [CIS - RHEL5 5.1 - Network parameters - ICMP redirects accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
151 f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
153 [CIS - RHEL5 5.1 - Network parameters - ICMP secure redirects accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
154 f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
156 [CIS - RHEL5 5.1 - Network parameters - ICMP broadcasts accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
157 f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
159 [CIS - RHEL5 5.2 - Network parameters - IP Forwarding enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
160 f:/proc/sys/net/ipv4/ip_forward -> 1;
161 f:/proc/sys/net/ipv6/ip_forward -> 1;
165 # Section 7 - Permissions
166 [CIS - RHEL5 7.2 - Removable partition /media without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
167 f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
169 [CIS - RHEL5 7.2 - Removable partition /media without 'nosuid' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
170 f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
172 [CIS - RHEL5 7.3 - User-mounted removable partition allowed on the console] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
173 f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
174 f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
178 # Section 8 - Access and authentication
179 [CIS - RHEL5 8.7 - GRUB Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
180 f:/boot/grub/menu.lst -> !r:^# && !r:password;
182 [CIS - RHEL5 9.2 - Account with empty password present] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
183 f:/etc/shadow -> r:^\w+::;
185 [CIS - RHEL5 SN.11 - Non-root account with uid 0] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL5]
186 f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;