Open pethers opened 6 years ago
2018-06-10 15:04:16 Hardening: assigned maximum number of hardening points for this item (3). Currently having 179 points (out of 248)
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 Action: Performing tests from category: Custom Tests
2018-06-10 15:04:16 Test: Checking for tests_custom file
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 Action: Performing plugin tests
2018-06-10 15:04:16 Result: Found 1 plugins of which 1 are enabled
2018-06-10 15:04:16 Result: Plugins phase 2 finished
2018-06-10 15:04:16 Checking permissions of /usr/share/lynis/include/report
2018-06-10 15:04:16 File permissions are OK
2018-06-10 15:04:16 Hardening index : [72] [############## ]
2018-06-10 15:04:16 Hardening strength: System has been hardened, but could use additional hardening
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 Tests performed: 230
2018-06-10 15:04:16 Total tests: 393
2018-06-10 15:04:16 Active plugins: 1
2018-06-10 15:04:16 Total plugins: 1
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 Lynis 2.6.2
2018-06-10 15:04:16 2007-2018, CISOfy - https://cisofy.com/lynis/
2018-06-10 15:04:16 Enterprise support available (compliance, plugins, interface and tools)
2018-06-10 15:04:16 Program ended successfully
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 PID file removed (/var/run/lynis.pid)
2018-06-10 15:04:16 Temporary files: /tmp/lynis.SzTTjPIJrF /tmp/lynis.6BrI0QmzvW /tmp/lynis.ssXn51NVGZ
2018-06-10 15:04:16 Action: removing temporary file /tmp/lynis.SzTTjPIJrF
2018-06-10 15:04:16 Info: temporary file /tmp/lynis.6BrI0QmzvW was already removed
2018-06-10 15:04:16 Info: temporary file /tmp/lynis.ssXn51NVGZ was already removed
2018-06-10 15:04:16 Lynis ended successfully.
2018-06-10 15:04:15 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2018-06-10 15:04:15 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:15 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:16 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
Current suggestions
2018-06-10 15:03:56 Suggestion: Version of Lynis outdated, consider upgrading to the latest version [test:LYNIS] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [test:CUST-0280] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install libpam-usb to enable multi-factor authentication for PAM sessions [test:CUST-0285] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install apt-listbugs to display a list of critical bugs prior to each APT installation. [test:CUST-0810] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [test:CUST-0831] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Copy /etc/fail2ban/jail.conf to jail.local to prevent it being changed by updates. [test:DEB-0880] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /var file system, place /var on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: Add the IP name and FQDN to /etc/hosts for proper name resolving [test:NAME-4404] [details:-] [solution:-]
2018-06-10 15:04:07 Suggestion: Purge old/removed packages (2 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346] [details:-] [solution:-]
2018-06-10 15:04:10 Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Consider running ARP monitoring software (arpwatch,arpon) [test:NETW-3032] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Check iptables rules to see which rules are currently not used [test:FIRE-4513] [details:-] [solution:-]
2018-06-10 15:04:12 Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
2018-06-10 15:04:13 Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
2018-06-10 15:04:13 Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Enable sysstat to collect accounting (no results) [test:ACCT-9626] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [test:ACCT-9630] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Check ntpq peers output for selected time source [test:TIME-3124] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Install a file integrity tool to monitor changes to critical and sensitive files [test:FINT-4350] [details:-] [solution:-]
2018-06-10 15:04:15 Suggestion: Determine if automation tools are present for system management [test:TOOL-5002] [details:-] [solution:-]
2018-06-10 15:04:16 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:] [solution:Change sysctl value or disable test (skip-test=KRNL-6000:
Follow Lynis suggestions. Currently having 157 points (out of 243)
Hardening index : [64] [############ ]
Hardening strength: System has been hardened, but could use additional hardening
sysctl
2018-06-09 18:03:07 Action: Performing tests from category: Kernel Hardening
16:03:07 2018-06-09 18:03:07 ===---------------------------------------------------------------===
16:03:07 2018-06-09 18:03:07 Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile)
16:03:07 2018-06-09 18:03:07 Result: sysctl key fs.protected_hardlinks contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 129 points (out of 202)
16:03:07 2018-06-09 18:03:07 Result: sysctl key fs.protected_symlinks contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 130 points (out of 203)
16:03:07 2018-06-09 18:03:07 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 130 points (out of 204)
16:03:07 2018-06-09 18:03:07 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key kern.sugid_coredump does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key kernel.core_setuid_ok does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 130 points (out of 205)
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.ctrl-alt-del contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 131 points (out of 206)
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 131 points (out of 207)
16:03:07 2018-06-09 18:03:07 Result: key kernel.exec-shield-randomize does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key kernel.exec-shield does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 131 points (out of 208)
16:03:07 2018-06-09 18:03:07 Result: key kernel.maps_protect does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.randomize_va_space contains equal expected and current value (2)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 132 points (out of 209)
16:03:07 2018-06-09 18:03:07 Result: key kernel.suid_dumpable does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 132 points (out of 210)
16:03:07 2018-06-09 18:03:07 Result: key kernel.use-nx does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key kernel.yama.ptrace_scope contains equal expected and current value (1 2 3)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 133 points (out of 211)
16:03:07 2018-06-09 18:03:07 Result: key net.inet.icmp.bmcastecho does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.icmp.drop_redirect does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.icmp.rediraccept does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.icmp.timestamp does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.accept_sourceroute does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.check_interface does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.forwarding does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.linklocal.in.allowbadttl does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.process_options does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.random_id does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.redirect does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip.sourceroute does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.ip6.redirect does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.always_keepalive does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.blackhole does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.drop_synfin does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.icmp_may_rst does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.nolocaltimewait does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.tcp.path_mtu_discovery does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet.udp.blackhole does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet6.icmp6.rediraccept does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet6.ip6.forwarding does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet6.ip6.fw.enable does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key net.inet6.ip6.redirect does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.accept_redirects contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 134 points (out of 212)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 135 points (out of 213)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.bootp_relay contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 136 points (out of 214)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.forwarding contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 137 points (out of 215)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 137 points (out of 216)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.mc_forwarding contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 138 points (out of 217)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.proxy_arp contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 139 points (out of 218)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.rp_filter contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 140 points (out of 219)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 points (out of 220)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 141 points (out of 221)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 141 points (out of 222)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
16:03:07 2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 141 points (out of 223)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.icmp_echo_ignore_broadcasts contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 142 points (out of 224)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.icmp_ignore_bogus_error_responses contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 143 points (out of 225)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.tcp_syncookies contains equal expected and current value (1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 144 points (out of 226)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv4.tcp_timestamps contains equal expected and current value (0 1)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 145 points (out of 227)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.all.accept_redirects contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 146 points (out of 228)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.all.accept_source_route contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 147 points (out of 229)
16:03:07 2018-06-09 18:03:07 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.default.accept_redirects contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 148 points (out of 230)
16:03:07 2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.default.accept_source_route contains equal expected and current value (0)
16:03:07 2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 149 points (out of 231)
16:03:07 2018-06-09 18:03:07 Result: key security.bsd.hardlink_check_gid does not exist on this machine
16:03:07 2018-06-09 18:03:07 Result: key security.bsd.hardlink_check_uid does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: key security.bsd.see_other_gids does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: key security.bsd.see_other_uids does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: key security.bsd.stack_guard_page does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: key security.bsd.unprivileged_proc_debug does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: key security.bsd.unprivileged_read_msgbuf does not exist on this machine
16:03:08 2018-06-09 18:03:08 Result: found 9 keys that can use tuning, according scan profile
16:03:08 2018-06-09 18:03:08 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:] [solution:Change sysctl value or disable test (skip-test=KRNL-6000:)]