From 85d3e1dbf9c110780174c1efa6b69c7accde0831 Mon Sep 17 00:00:00 2001
From: samson
Date: Tue, 4 Dec 2018 04:16:39 +0800
Subject: [PATCH] Rename 99.1 to 10.6, 99.2 to 4.6, Add description to benchmark doc for 4.6 10.6

---
 ...timeout_tty.sh => 10.6_set_timeout_tty.sh} | 6 +-
 ..._devices.sh => 4.6_disable_usb_devices.sh} | 6 +-
 .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 73 +++++++++++++++++++
 3 files changed, 79 insertions(+), 6 deletions(-)
 rename bin/hardening/{99.1_timeout_tty.sh => 10.6_set_timeout_tty.sh} (96%)
 rename bin/hardening/{99.2_disable_usb_devices.sh => 4.6_disable_usb_devices.sh} (96%)

diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/10.6_set_timeout_tty.sh
similarity index 96%
rename from bin/hardening/99.1_timeout_tty.sh
rename to bin/hardening/10.6_set_timeout_tty.sh
index 763c3d6..df20058 100755
--- a/bin/hardening/99.1_timeout_tty.sh
+++ b/bin/hardening/10.6_set_timeout_tty.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening /!\ Not in the Guide
+# harbian audit 7/8/9 Hardening
 #
 #
-# 99.1 Set Timeout on ttys
+# 10.6 Set Timeout on ttys
 #
 set -e # One error, it's over
@@ -17,7 +17,7 @@ USER='root'
 PATTERN='TMOUT='
 VALUE='600'
 FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
-FILE='/etc/profile.d/CIS_99.1_timeout.sh'
+FILE='/etc/profile.d/CIS_10.6_timeout.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/4.6_disable_usb_devices.sh
similarity index 96%
rename from bin/hardening/99.2_disable_usb_devices.sh
rename to bin/hardening/4.6_disable_usb_devices.sh
index 0584598..4dfc158 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
+++ b/bin/hardening/4.6_disable_usb_devices.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening /!\ Not in the Guide
+# harbian audit 7/8/9 Hardening /
 #
 #
-# 99.2 Disable USB Devices
+# 4.6 Disable USB Devices
 #
 set -e # One error, it's over
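Review bot: Moving the deployed file to `FILE='/etc/profile.d/CIS_10.6_timeout.sh'` carries no migration for hosts that were already hardened under the old name: if `/etc/profile.d/CIS_99.1_timeout.sh` is still present after an upgrade, two files set TMOUT, and removing or disabling the new one no longer lifts the timeout. Presumably the apply path writes `$FILE`; it should also drop the legacy file, e.g. `rm -f -- /etc/profile.d/CIS_99.1_timeout.sh`, or the rename should be called out in the upgrade notes. The visible constants only pin `PATTERN='TMOUT='` and `VALUE='600'`, while the benchmark text added in this same patch requires the variable to be `readonly` and exported as well; whether the audit and apply bodies enforce that cannot be seen here, as `audit () {` opens at the end of the hunk and its body lies outside it.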
@@ -16,7 +16,7 @@ HARDENING_LEVEL=4
 USER='root'
 PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
 FILES_TO_SEARCH='/etc/udev/rules.d'
-FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
+FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
index 9d958ac..09b7be4 100644
--- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
+++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
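Review bot: The new path `FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'` is never read by udev, which only processes files in rules.d that carry the `.rules` extension and ignores every other suffix (udev(7)), so the rule written there does nothing; the previous `10-CIS_99.2_usb_devices.sh` name had the same problem. Since `FILES_TO_SEARCH='/etc/udev/rules.d'` is presumably grepped for `$PATTERN` by the audit whose body starts outside this hunk, the check will report the control as applied while USB authorization is in fact unchanged — a false-positive compliance result for a security control. Change the line to `FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.rules'` and update the two matching paths in the section 4.6 hunk of `docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd` to the same name. Separately, the first hunk's new header line `# harbian audit 7/8/9 Hardening /` keeps a stray trailing `/` left over from the removed marker.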
@@ -169,6 +169,45 @@ If the system is mounting file systems via NFS and has the sec option without th
 ### Remediation
 Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. \n\nEnsure the "sec" option is defined as "krb5:krb5i:krb5p"
+## 4.6 Disable USB Devices (scored)
+
+### Profile Applicability
+Level 4
+
+### Description
+USB Devices must be disabled.
+
+### Rationale
+USB Devices permits easy introduction of unknown devices, thereby facilitating malicious activity.
+
+### Aduit
+If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable. Verify the operating system disables the ability to use USB devices. Check to see if USB Devices is disabled with the following command:
+```
+# grep '^ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' /etc/udev/rules.d/ -r
+/etc/udev/rules.d/CIS_4.6_usb_devices.conf:ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
+```
+If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+
+### Remediation
+Configure the operating system to disable the ability to use USB devices.
+```
+# vim /etc/udev/rules.d/CIS_4.6_usb_devices.conf
+```
+Add or update the line:
+```
+# By default, disable all.
+ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
+
+# Enable hub devices.
+ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
+
+# Enables keyboard devices
+ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
+
+# PS2-USB converter
+ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
+```
+
 ## 5.7 Install screen (scored)
 ### Profile Applicability
@@ -1793,3 +1832,37 @@ If the kernel core dump is set, this is a finding.
 ### Remediation
 If kernel core dumps are not required, delete the contain "core" line in /etc/security/limits.conf.
+## 10.6 Set Timeout on ttys (Scored)
+
+### Profile Applicability
+Level 2
+
+### Description
+All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
+
+### Rationale
+Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+### Aduit
+Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. Check the value of the system inactivity timeout with the following command:
+```
+# grep -i tmout /etc/bashrc /etc/profile.d/*
+TMOUT=600
+```
+If "TMOUT" is not set to "600" or less in "/etc/bashrc" or in a script created to enforce session termination after inactivity, this is a finding.
+
+### Remediation
+Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. Add or update the following lines in "/etc/profile".
+```
+TMOUT=600
+readonly TMOUT
+export TMOUT
+```
+Or create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
+```
+#!/bin/bash
+TMOUT=600
+readonly TMOUT
+export TMOUT
+```
+