123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 |
-
- ######CHANGE#######
-
- #RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
- #Change corresponding gpg key check to Debian compatible.
-
- #RHEL-06-000011: System security patches and updates must be installed and up-to-date.
- #Change corresponding update utility to Debian compatible.
-
- #RHEL-06-000017: The system must use a Linux Security Module at boot time.
- #Change the SElinux to AppArmor
-
- #RHEL-06-000030: The system must not have accounts configured with blank or null passwords.
- #RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.
- #Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
- #To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
- #For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
-
- #RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.
- #Change pam_faillock.so pam module to use pam_tally2.so
-
- #RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.
- #RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.
- #RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.
- #Change /etc/grub.conf to /boot/grub/grub.cfg
-
- #RHEL-06-000068:The system boot loader must require authentication.
- #Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2
-
- #RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.
- #RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.
- #RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.
- #RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.
- #For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.
- #There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check
- #And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.
- #I use the sha512sum to do the files' content checking
-
- #RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.
- #In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null
-
- #RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
-
-
- ####DEPRECATED#####
- #RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
- #DEPRECATED
-
- #RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.
- #DEPRECATED.
- #Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.
-
- #RHEL-06-000070:The system must not permit interactive boot.
- #DEPRECATED.Don't find any interactive boot option in debian yet.
-
- #RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
- #DEPRECATED
-
- #RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.
- #DEPRECATED
- #In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default
-
- #RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.
- #Change ipv6 checking method and disable method.
- #Use /proc/net/if_inet6 to check if ipv6 is enabled
- #Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently
-
- #RHEL-06-000103:The system must employ a local IPv6 firewall.
- #RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
- #RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.
- #RHEL-06-000113:The system must employ a local IPv4 firewall.
- #RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
- #RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
- #DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default
-
- #RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
- #Change SELinux to Apparmor
-
- #RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.
- #Using 'service --status-all | grep "xinetd" ' instead of chkconfig
-
- #RHEL-06-000211:The telnet daemon must not be running.
- #In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf
-
- #RHEL-06-000214:The rshd service must not be running.
- #In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf
-
- #RHEL-06-000216:The rexecd service must not be running.
- #In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf
-
- #RHEL-06-000218:The rlogind service must not be running.
- #In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf
-
- #RHEL-06-000220:The ypserv package must not be installed.
- #In Debian using nis package instead of ypserv package.
-
- #RHEL-06-000221:The ypbind service must not be running.
- #In Debian using nis service instead of ypbind service.
-
- #RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.
- #DEPRECATED
-
- #RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.
- #In debian use ntp instead of ntpd
-
- #RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.
- #Changing `DoD` time source to trusted time source
-
- #RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.
- #DEPRECATED.
- #Didn't find abrtd-like tool in debian yet
-
- #RHEL-06-000265:The ntpdate service must not be running.
- #DEPRECATED
- #In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so DEPRECATED.
-
- #RHEL-06-000266:The oddjobd service must not be running.
- #DEPRECATED.Debian don't have oddjob service or package
-
- #RHEL-06-000267:The qpidd service must not be running.
- #Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.
-
- #RHEL-06-000268:The rdisc service must not be running.
- #Debian don't have rdisc service by default
-
- #RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
- #RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
- #RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
- #RHEL-06-000306:The operating system must detect unauthorized changes to software and information.
- #RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
- #In aide package employ automated mechanisms by default.(cron.daily)
-
- #RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
-
- #RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
- #RHEL-06-000344:The system default umask in /etc/profile must be 077.
- #RHEL-06-000343:The system default umask for the csh shell must be 077.
- #RHEL-06-000342:The system default umask for the bash shell must be 077.
- #RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
-
- #RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.
-
-
-
-
-
- #RHEL-06-000284:The system must use and update a DoD-approved virus scan program.
- #RHEL-06-000285:The system must have a host-based intrusion detection tool installed.
-
-
-
- ####SHOULD-CHECK-ON-YOU-OWN####
-
-
- #RHEL-06-000289:The netconsole service must be disabled unless required.
- #Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module
- #RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.
- #RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.
- #RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
- #RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.
- #RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
- #RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
- #RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
- #RHEL-06-000524:The system must provide automated support for account management functions.
|