X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Frootcheck%2Fdb%2Fcis_rhel_linux_rcl.txt;h=7b03ad215e7fc200ec3464a8a9c095c0ff74c250;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=6a34cb42cf4cd021db577adb29be689cd0b8f7b4;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git diff --git a/src/rootcheck/db/cis_rhel_linux_rcl.txt b/src/rootcheck/db/cis_rhel_linux_rcl.txt index 6a34cb4..7b03ad2 100644 --- a/src/rootcheck/db/cis_rhel_linux_rcl.txt +++ b/src/rootcheck/db/cis_rhel_linux_rcl.txt @@ -1,11 +1,8 @@ -# @(#) $Id: ./src/rootcheck/db/cis_rhel_linux_rcl.txt, 2011/09/08 dcid Exp $ - -# -# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net +# OSSEC Linux Audit - (C) 2018 OSSEC Project # # Released under the same license as OSSEC. # More details at the LICENSE file included with OSSEC or online -# at: http://www.ossec.net/en/licensing.html +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE # # [Application name] [any or all] [reference] # type:; @@ -16,11 +13,12 @@ # - d (any file inside the directory) # # Additional values: -# For the registry , use "->" to look for a specific entry and another +# For the registry and for directories, use "->" to look for a specific entry and another # "->" to look for the value. +# Also, use " -> r:^\. -> ..." to search all files in a directory # For files, use "->" to look for a specific value in the file. # -# Values can be preceeded by: =: (for equal) - default +# Values can be preceded by: =: (for equal) - default # r: (for ossec regexes) # >: (for strcmp greater) # <: (for strcmp lower) @@ -39,7 +37,7 @@ $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; # Main one. Only valid for Red Hat/Fedora. -[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4; f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3; f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1; @@ -50,248 +48,234 @@ f:/etc/fedora-release -> r:^Fedora && r:release 4; f:/etc/fedora-release -> r:^Fedora && r:release 5; - # Build considerations - Partition scheme. -[CIS - Red Hat Linux - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:/var; -[CIS - Red Hat Linux - Build considerations - Robust partition scheme - /home is not on its own partition] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:/home; - - # Section 1.3 - SSH configuration -[CIS - Red Hat Linux 1.3 - SSH Configuration - Protocol version 1 enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 1.3 - SSH Configuration - Protocol version 1 enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1; -[CIS - Red Hat Linux 1.3 - SSH Configuration - IgnoreRHosts disabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no; -[CIS - Red Hat Linux 1.3 - SSH Configuration - Empty passwords permitted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes; -[CIS - Red Hat Linux 1.3 - SSH Configuration - Host based authentication enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes; -[CIS - Red Hat Linux 1.3 - SSH Configuration - Root login allowed] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes; - # Section 1.4 Enable system accounting -#[CIS - Red Hat Linux 1.4 - System Accounting - Sysstat not installed] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +#[CIS - Red Hat Linux - 1.4 - System Accounting - Sysstat not installed] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] #f:!/var/log/sa; - # Section 2.5 Install and run Bastille -#[CIS - Red Hat Linux 1.5 - System harderning - Bastille is not installed] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +#[CIS - Red Hat Linux - 1.5 - System harderning - Bastille is not installed] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] #f:!/etc/Bastille; - # Section 2 - Minimize xinetd services -[CIS - Red Hat Linux 2.3 - Telnet enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.3 - Telnet enabled on xinetd {CIS: 2.3 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.4 - VSFTP enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.4 - WU-FTP enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/wu-ftpd -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.5 - rsh/rlogin/rcp enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no; f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no; f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.6 - tftpd enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.7 - imap enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/imap -> !r:^# && r:disable && r:no; f:/etc/xinetd.c/imaps -> !r:^# && r:disable && r:no; -[CIS - Red Hat Linux 2.8 - pop3 enabled on xinetd] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/xinetd.c/ipop3 -> !r:^# && r:disable && r:no; f:/etc/xinetd.c/pop3s -> !r:^# && r:disable && r:no; - # Section 3 - Minimize boot services -[CIS - Red Hat Linux 3.1 - Set daemon umask - Default umask is higher than 027] [all] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 Red Hat Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/init.d/functions -> !r:^# && r:^umask && >:umask 027; -[CIS - Red Hat Linux 3.4 - GUI login enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/inittab -> !r:^# && r:id:5; -[CIS - Red Hat Linux 3.7 - Disable standard boot services - Samba Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS: 3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dsamba$; d:$rc_dirs -> ^S\d\dsmb$; -[CIS - Red Hat Linux 3.8 - Disable standard boot services - NFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dnfs$; d:$rc_dirs -> ^S\d\dnfslock$; -[CIS - Red Hat Linux 3.10 - Disable standard boot services - NIS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS: 3.10 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dypbind$; d:$rc_dirs -> ^S\d\dypserv$; -[CIS - Red Hat Linux 3.13 - Disable standard boot services - NetFS Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS: 3.13 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dnetfs$; -[CIS - Red Hat Linux 3.15 - Disable standard boot services - Apache web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dapache$; d:$rc_dirs -> ^S\d\dhttpd$; -[CIS - Red Hat Linux 3.15 - Disable standard boot services - TUX web server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dtux$; -[CIS - Red Hat Linux 3.16 - Disable standard boot services - SNMPD process Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process Enabled {CIS: 3.16 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dsnmpd$; -[CIS - Red Hat Linux 3.17 - Disable standard boot services - DNS server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled {CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dnamed$; -[CIS - Red Hat Linux 3.18 - Disable standard boot services - MySQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dmysqld$; -[CIS - Red Hat Linux 3.18 - Disable standard boot services - PostgreSQL server Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dpostgresql$; -[CIS - Red Hat Linux 3.19 - Disable standard boot services - Webmin Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS: 3.19 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dwebmin$; -[CIS - Red Hat Linux 3.20 - Disable standard boot services - Squid Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS: 3.20 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dsquid$; -[CIS - Red Hat Linux 3.21 - Disable standard boot services - Kudzu hardware detection Enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] d:$rc_dirs -> ^S\d\dkudzu$; - # Section 4 - Kernel tuning -[CIS - Red Hat Linux 4.1 - Network parameters - Source routing accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 4.1 - Network parameters - Source routing accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1; -[CIS - Red Hat Linux 4.1 - Network parameters - ICMP broadcasts accepted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0; -[CIS - Red Hat Linux 4.2 - Network parameters - IP Forwarding enabled] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/proc/sys/net/ipv4/ip_forward -> 1; f:/proc/sys/net/ipv6/ip_forward -> 1; - # Section 6 - Permissions -[CIS - Red Hat Linux 6.1 - Partition /var without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev; -[CIS - Red Hat Linux 6.1 - Partition /tmp without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev; -[CIS - Red Hat Linux 6.1 - Partition /opt without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev; -[CIS - Red Hat Linux 6.1 - Partition /home without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ; -[CIS - Red Hat Linux 6.2 - Removable partition /media without 'nodev' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:/media && !r:nodev; -[CIS - Red Hat Linux 6.2 - Removable partition /media without 'nosuid' set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/fstab -> !r:^# && r:/media && !r:nosuid; -[CIS - Red Hat Linux 6.3 - User-mounted removable partition allowed on the console] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/security/console.perms -> r:^ \d+ ; f:/etc/security/console.perms -> r:^ \d+ ; - # Section 7 - Access and authentication -[CIS - Red Hat Linux 7.8 - LILO Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 7.8 - LILO Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/lilo.conf -> !r:^# && !r:restricted; f:/etc/lilo.conf -> !r:^# && !r:password=; -[CIS - Red Hat Linux 7.8 - GRUB Password not set] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 7.8 - GRUB Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/boot/grub/menu.lst -> !r:^# && !r:password; -[CIS - Red Hat Linux 8.2 - Account with empty password present] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/shadow -> r:^\w+::; -[CIS - Red Hat Linux SN.11 - Non-root account with uid 0] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL] +[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf] f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:; - -# Tests specific for VMware ESX - Runs on Red Hat Linux +# Tests specific for VMware ESX - Runs on Red Hat Linux - # Will not be tested anywhere else. -[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5] [any required] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5] [any required] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] f:/etc/vmware-release -> r:^VMware ESX; # Virtual Machine Files and Settings - 1 # 1.1 -[VMware ESX - VM settings - Copy operation between guest and console enabled] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Copy operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.copy.disable; d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.copy.disable && r:false; # 1.2 -[VMware ESX - VM settings - Paste operation between guest and console enabled] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Paste operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.paste.disable; d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.paste.disable && r:false; # 1.3 -[VMware ESX - VM settings - GUI Options enabled] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - GUI Options enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setGUIOptions.enable && r:true; # 1.4 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize; d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000"; # 1.5 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld; d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && r:"10"; # 1.6 -[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.setinfo.disable; d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setinfo.disable && r:false; # 1.7 -[VMware ESX - VM settings - Nonpersistent Disks being used] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Nonpersistent Disks being used] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:!independent-nonpersistent; # 1.8 -[VMware ESX - VM settings - Floppy drive present] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Floppy drive present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && r:!false; -[VMware ESX - VM settings - Serial port present] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Serial port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> r:^serial\d+.present && r:!false; -[VMware ESX - VM settings - Parallel port present] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Parallel port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> r:^parallel\d+.present && r:!false; # 1.9 -[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^Isolation.tools.connectable.disable; d:/vmfs/volumes -> .vmx$ -> r:^Isolation.tools.connectable.disable && r:false; # 1.10 -[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskWiper.disable; d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskWiper.disable && r:false; -[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskShrink enabled] [any] [http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX] +[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskShrink enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf] d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskShrink.disable; d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskShrink.disable && r:false; # Configuring the Service Console in ESX 3.5 - 2 # 2.1 - - -# EOF