free
/
freedombone
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Pull Requests 0 Wydania 0 Wiki Aktywność
9710 Commity
5 Gałęzie
Gałąź: master
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'master'
${ noResults }
freedombone/tests/porting_log

porting_log 11KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. 

  2. ######CHANGE#######

  3. 

  4. #RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

  5. #Change corresponding gpg key check to Debian compatible.

  6. 

  7. #RHEL-06-000011: System security patches and updates must be installed and up-to-date.

  8. #Change corresponding update utility to Debian compatible.

  9. 

  10. #RHEL-06-000017: The system must use a Linux Security Module at boot time.

  11. #Change the SElinux to AppArmor

  12. 

  13. #RHEL-06-000030: The system must not have accounts configured with blank or null passwords.

  14. #RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.

  15. #Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.

  16. #To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.

  17. #For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html

  18. 

  19. #RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.

  20. #Change pam_faillock.so pam module to use pam_tally2.so

  21. 

  22. #RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.

  23. #RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.

  24. #RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.

  25. #Change /etc/grub.conf to /boot/grub/grub.cfg

  26. 

  27. #RHEL-06-000068:The system boot loader must require authentication.

  28. #Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2 

  29. 

  30. #RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.

  31. #RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.

  32. #RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.

  33. #RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.

  34. #For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.

  35. #There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check

  36. #And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.

  37. #I use the sha512sum to do the files' content checking

  38. 

  39. #RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.

  40. #In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null

  41. 

  42. #RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

  43. 

  44. 

  45. ####DEPRECATED#####

  46. #RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.

  47. #DEPRECATED

  48. 

  49. #RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.

  50. #DEPRECATED.

  51. #Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.

  52. 

  53. #RHEL-06-000070:The system must not permit interactive boot.

  54. #DEPRECATED.Don't find any interactive boot option in debian yet.

  55. 

  56. #RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.

  57. #DEPRECATED

  58. 

  59. #RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.

  60. #DEPRECATED

  61. #In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default

  62. 

  63. #RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.

  64. #Change ipv6 checking method and disable method.

  65. #Use /proc/net/if_inet6 to check if ipv6  is enabled

  66. #Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently

  67. 

  68. #RHEL-06-000103:The system must employ a local IPv6 firewall.

  69. #RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

  70. #RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.

  71. #RHEL-06-000113:The system must employ a local IPv4 firewall.

  72. #RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

  73. #RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

  74. #DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default

  75. 

  76. #RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).

  77. #Change SELinux to Apparmor

  78. 

  79. #RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.

  80. #Using 'service --status-all | grep "xinetd" ' instead of chkconfig

  81. 

  82. #RHEL-06-000211:The telnet daemon must not be running.

  83. #In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf

  84. 

  85. #RHEL-06-000214:The rshd service must not be running.

  86. #In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf

  87. 

  88. #RHEL-06-000216:The rexecd service must not be running.

  89. #In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf

  90. 

  91. #RHEL-06-000218:The rlogind service must not be running.

  92. #In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf

  93. 

  94. #RHEL-06-000220:The ypserv package must not be installed.

  95. #In Debian using nis package instead of ypserv package.

  96. 

  97. #RHEL-06-000221:The ypbind service must not be running.

  98. #In Debian using nis service instead of ypbind service.

  99. 

  100. #RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.

  101. #DEPRECATED

  102. 

  103. #RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.

  104. #In debian use ntp instead of ntpd

  105. 

  106. #RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.

  107. #Changing `DoD` time source to trusted time source 

  108. 

  109. #RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.

  110. #DEPRECATED.

  111. #Didn't find abrtd-like  tool in debian yet

  112. 

  113. #RHEL-06-000265:The ntpdate service must not be running.

  114. #DEPRECATED

  115. #In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so  DEPRECATED.

  116. 

  117. #RHEL-06-000266:The oddjobd service must not be running.

  118. #DEPRECATED.Debian don't have oddjob service or package

  119. 

  120. #RHEL-06-000267:The qpidd service must not be running.

  121. #Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.

  122. 

  123. #RHEL-06-000268:The rdisc service must not be running.

  124. #Debian don't have rdisc service by default

  125. 

  126. #RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.

  127. #RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.

  128. #RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.

  129. #RHEL-06-000306:The operating system must detect unauthorized changes to software and information.

  130. #RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.

  131. #In aide package employ automated mechanisms by default.(cron.daily)

  132. 

  133. #RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

  134. 

  135. #RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

  136. #RHEL-06-000344:The system default umask in /etc/profile must be 077.

  137. #RHEL-06-000343:The system default umask for the csh shell must be 077.

  138. #RHEL-06-000342:The system default umask for the bash shell must be 077.

  139. #RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.

  140. 

  141. #RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.

  142. 

  143. 

  144. 

  145. 

  146. 

  147. #RHEL-06-000284:The system must use and update a DoD-approved virus scan program.

  148. #RHEL-06-000285:The system must have a host-based intrusion detection tool installed.

  149. 

  150. 

  151. 

  152. ####SHOULD-CHECK-ON-YOU-OWN####

  153. 

  154. 

  155. #RHEL-06-000289:The netconsole service must be disabled unless required.

  156. #Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module

  157. #RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.

  158. #RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.

  159. #RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.

  160. #RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.

  161. #RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.

  162. #RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.

  163. #RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.

  164. #RHEL-06-000524:The system must provide automated support for account management functions.