Closed hgbarreto closed 1 year ago
We started with a 55% compliance score with unhardened AL2 images. These AL2 images have since been fixed by having a newer hardening script leveraged in the workflows.
BigFix scans put our new hardened image at an 80% compliance score with approx. only 35-40 check failures (down from 170-190 failures before hardening).
Will work on newer compliance failure checklist.
This work relates to an issue the Platform Security team is tracking here.
Checks | Status | Notes
---|---|---
3.3.6 Ensure bogus ICMP responses | Added to script (Already enabled) |
3.2.1 Ensure IP forwarding is disabled | SKIP K8s? |
1.7.1 Ensure message of the day is configured properly | Fixed with VA Banner |
5.3.13 Ensure only strong Ciphers are used | Need to fix (VA Deviation) |
5.5.5 Ensure default user umask is configured | Need to fix (umask 077) |
5.4.4 Ensure password reuse is limited | Need to fix |
1.7.3 Ensure remote login warning banner is configured properly | Fixed with VA Banner |
2.1.1.2 Ensure chrony is configured | Pass > Bad Check | does not check the /etc/chrony.d directory
3.3.1 Ensure source routed packets are not accepted | Added to script (testing needed) |
1.7.2 Ensure local login warning banner is configured properly | Fixed with VA Banner |
5.3.4 Ensure SSH access is limited | Need to Fix |
5.5.1.4 Ensure inactive password lock is 30 days or less | Added to script (added VA deviation) |
5.4.2 Ensure lockout for failed password attempts is configured | Need to fix |
3.5.3.3.4 Ensure ip6tables default deny firewall policy | SKIP K8s? |
3.5.3.2.1 Ensure iptables loopback traffic is configured | SKIP K8s? |
3.3.2 Ensure ICMP redirects are not accepted | Added to script (testing needed) |
1.1.5 Ensure nosuid option set on /tmp partition | Pass |
4.2.1.3 Ensure rsyslog default file permissions configured | Pass |
3.3.5 Ensure broadcast ICMP requests are ignored | Added to script (Already enabled) |
3.3.7 Ensure Reverse Path Filtering is enabled | Need to Fix |
3.3.8 Ensure TCP SYN Cookies is enabled | Added to script (Already enabled) |
????? Ensure mounting of hfsplus filesystems is disabled | Added to script (testing needed) |
5.5.1.1 Ensure password expiration is 365 days or less | Added to script (added VA deviation) |
????? Ensure IPv6 loopback traffic is configured | SKIP K8s? |
3.5.3.2.4 Ensure iptables default deny firewall policy | SKIP K8s? |
3.3.9 Ensure IPv6 router advertisements are not accepted | Need to fix (Not sure why it is currently enabled) |
3.3.4 Ensure suspicious packets are logged | Added to script (testing needed) |
5.3.14 Ensure only strong MAC algorithms are used | Need to fix (VA Deviation) |
1.1.4 Ensure nodev option set on /tmp partition | Pass |
4.2.4 Ensure permissions on all logfiles are configured | SKIP K8s? |
????? Ensure mounting of hfs filesystems is disabled | Added to script (testing needed) |
3.3.3 Ensure secure ICMP redirects are not accepted | Added to script (testing needed) |
????? Ensure no unconfined daemons exist | Need to Fix |
4.1.14 Ensure changes to system administration scope (sudoers) is collected | Pass |
4.1.7 Ensure login and logout events are collected | Pass |
4.1.2.3 Ensure system is disabled when audit logs are full | Added to script (added VA deviation) |
Working on clearing up some questions and concerns with BigFix contacts that @jhouse-solvd has reached out to.
We are also looking to confirm/remediate false positives. Note - The chart above details the false positives as "pass".

- Total Findings - 36
- Corrected Findings in AL2 image - 17
- Findings that need to be remediated by BigFix team - 7 (so far)
- Remaining Findings - 12

Initial work for this effort is complete. Follow-up for hardening of different types of AMIs will be needed. Waiting on BigFix scans to confirm the current score of this Base AMI.
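An added audit script for the section 3.3 kernel network parameter rows in the table above, several of which are marked "testing needed" or "Need to Fix"; it is not part of this issue or of the hardening script the workflows use. It reads the running values from /proc/sys and prints a PASS/FAIL line per key; `SYSCTL_ROOT` is an assumed knob so the same functions can be pointed at a constructed tree, and the check-id-to-key mapping follows the CIS Amazon Linux 2 benchmark recommendations for those checks.

```shell
#!/bin/sh
# Audit of the CIS AL2 section 3.3 rows from the table above. SYSCTL_ROOT is an
# assumed knob (default /proc/sys) so the audit can be run against a test tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# "<CIS id>|<sysctl key>|<expected>" per line; key mapping follows CIS AL2.
CIS_NET_CHECKS='3.3.1|net.ipv4.conf.all.accept_source_route|0
3.3.1|net.ipv4.conf.default.accept_source_route|0
3.3.2|net.ipv4.conf.all.accept_redirects|0
3.3.2|net.ipv4.conf.default.accept_redirects|0
3.3.3|net.ipv4.conf.all.secure_redirects|0
3.3.3|net.ipv4.conf.default.secure_redirects|0
3.3.4|net.ipv4.conf.all.log_martians|1
3.3.4|net.ipv4.conf.default.log_martians|1
3.3.5|net.ipv4.icmp_echo_ignore_broadcasts|1
3.3.6|net.ipv4.icmp_ignore_bogus_error_responses|1
3.3.7|net.ipv4.conf.all.rp_filter|1
3.3.7|net.ipv4.conf.default.rp_filter|1
3.3.8|net.ipv4.tcp_syncookies|1
3.3.9|net.ipv6.conf.all.accept_ra|0
3.3.9|net.ipv6.conf.default.accept_ra|0'

# read_sysctl KEY: running value of a dotted key read from SYSCTL_ROOT;
# prints "missing" if the key is absent (e.g. IPv6 disabled), which fails.
read_sysctl() {
    f="$SYSCTL_ROOT/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# audit_net_params: one PASS/FAIL line per key, with actual and expected value.
audit_net_params() {
    while IFS='|' read -r id key want; do
        got=$(read_sysctl "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $id $key=$got"
        else
            echo "FAIL $id $key=$got (expected $want)"
        fi
    done <<EOF
$CIS_NET_CHECKS
EOF
}

# count_net_failures: number of failing keys (0 means section 3.3 is compliant).
count_net_failures() {
    audit_net_params | grep -c '^FAIL' || true
}

audit_net_params
echo "section 3.3 failures: $(count_net_failures)"
```

This checks only the running kernel values; the benchmark audit also expects each setting to be persisted in /etc/sysctl.conf or a file under /etc/sysctl.d/, so a scanner that reads only one of those locations can report a false result in the same way the chrony.d note above describes.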
Description
The new AL2 Base Image needs to have a 90% compliance score using the "CIS for Amazon Linux 2" Benchmarks.
Resources
https://www.cisecurity.org/benchmark/amazon_linux
Acceptance Criteria
Refinement Guidance - Check the following before working on this issue: