wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Ubuntu Linux 22.04 SCA Policy - Update and rework - checks 1 to 1.1.10 #3442

Closed 72nomada closed 1 year ago

72nomada commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |
| Check ID | Check Name | Implemented | Ready for review | QA review |
|---|---|---|---|---|
| 1 | Initial Setup | | | |
| 1.1 | Filesystem Configuration | | | |
| 1.1.1 | Disable unused filesystems | | | |
| 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled (Automated) | 🔴 Not implemented | | |
| 1.1.1.2 | Ensure mounting of squashfs filesystems is disabled (Automated) | 🔴 Not implemented | | |
| 1.1.1.3 | Ensure mounting of udf filesystems is disabled (Automated) | 🔴 Not implemented | | |
| 1.1.2 | Configure /tmp | | | |
| 1.1.2.1 | Ensure /tmp is a separate partition (Automated) | 🟢 | | |
| 1.1.2.2 | Ensure nodev option set on /tmp partition (Automated) | 🟢 | | |
| 1.1.2.3 | Ensure noexec option set on /tmp partition (Automated) | 🟢 | | |
| 1.1.2.4 | Ensure nosuid option set on /tmp partition (Automated) | 🟢 | | |
| 1.1.3 | Configure /var | | | |
| 1.1.3.1 | Ensure separate partition exists for /var (Automated) | 🟢 | | |
| 1.1.3.2 | Ensure nodev option set on /var partition (Automated) | 🟢 | | |
| 1.1.3.3 | Ensure nosuid option set on /var partition (Automated) | 🟢 | | |
| 1.1.4 | Configure /var/tmp | | | |
| 1.1.4.1 | Ensure separate partition exists for /var/tmp (Automated) | 🟢 | | |
| 1.1.4.2 | Ensure noexec option set on /var/tmp partition (Automated) | 🟢 | | |
| 1.1.4.3 | Ensure nosuid option set on /var/tmp partition (Automated) | 🟢 | | |
| 1.1.4.4 | Ensure nodev option set on /var/tmp partition (Automated) | 🟢 | | |
| 1.1.5 | Configure /var/log | | | |
| 1.1.5.1 | Ensure separate partition exists for /var/log (Automated) | 🟢 | | |
| 1.1.5.2 | Ensure nodev option set on /var/log partition (Automated) | 🟢 | | |
| 1.1.5.3 | Ensure noexec option set on /var/log partition (Automated) | 🟢 | | |
| 1.1.5.4 | Ensure nosuid option set on /var/log partition (Automated) | 🟢 | | |
| 1.1.6 | Configure /var/log/audit | | | |
| 1.1.6.1 | Ensure separate partition exists for /var/log/audit (Automated) | 🟢 | | |
| 1.1.6.2 | Ensure noexec option set on /var/log/audit partition (Automated) | 🟢 | | |
| 1.1.6.3 | Ensure nodev option set on /var/log/audit partition (Automated) | 🟢 | | |
| 1.1.6.4 | Ensure nosuid option set on /var/log/audit partition (Automated) | 🟢 | | |
| 1.1.7 | Configure /home | | | |
| 1.1.7.1 | Ensure separate partition exists for /home (Automated) | 🟢 | | |
| 1.1.7.2 | Ensure nodev option set on /home partition (Automated) | 🟢 | | |
| 1.1.7.3 | Ensure nosuid option set on /home partition (Automated) | 🟢 | | |
| 1.1.8 | Configure /dev/shm | | | |
| 1.1.8.1 | Ensure nodev option set on /dev/shm partition (Automated) | 🟢 | | |
| 1.1.8.2 | Ensure noexec option set on /dev/shm partition (Automated) | 🟢 | | |
| 1.1.8.3 | Ensure nosuid option set on /dev/shm partition (Automated) | 🟢 | | |
| 1.1.9 | Disable Automounting (Automated) | 🟢 | | |
| 1.1.10 | Disable USB Storage (Automated) | 🔴 Not implemented | | |
Rebits commented 2 years ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | 0e33beb |

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| Ubuntu | 22 | EC2 | ami-003530de8839921c4 |

Tested packages

| OS | Package |
|---|---|
| Ubuntu | Manager |

Conclusion

Minor discrepancies were detected in some of the checks' fields:

Status

Rebits commented 2 years ago

Testing results :red_circle:

1.1.2.1 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :green_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules
  - Command output :green_circle:
    - `'c:findmnt --kernel /tmp -> r:\s*/tmp\s'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
      root@ip-172-31-4-235:/home/qa#
      ```
    - `'c:systemctl is-enabled tmp.mount -> r:generated|enabled'`
      ```
      root@ip-172-31-4-235:/home/qa# systemctl is-enabled tmp.mount
      Failed to get unit file state for tmp.mount: No such file or directory
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      Rule: 19007 (level 7) -> 'CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure /tmp is a separate partition.'
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28500,"title":"Ensure /tmp is a separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. 
      Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs 0 /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.","compliance":{"cis":"1.1.2.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:\\s*/tmp\\s","c:systemctl is-enabled tmp.mount -> r:generated|enabled"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
      ```
1.1.2.2 :green_circle: Updated after https://github.com/wazuh/wazuh-qa/issues/3442#issuecomment-1284302166 comment
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:: mitre_techniques does not contain the sub-technique. Expected `T1200, T1200.000`
- Rules
  - Command output :green_circle:
    - `'c:findmnt --kernel /tmp -> r:\s*/tmp\s'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28501,"title":"Ensure nodev option set on /tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:nodev"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /tmp","result":"failed"}}
      ```
1.1.2.3 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules
  - Command output :green_circle:
    - `'c:findmnt --kernel /tmp -> r:noexec'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28502,"title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /tmp","result":"failed"}}
      ```
1.1.2.4 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules
  - Command output :green_circle:
    - `'c:findmnt --kernel /tmp -> r:nosuid'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28503,"title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.4","cis_csc_v7":"1@@@
      ```
1.1.3.1 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules
  - Command output :green_circle:
    - `'c:findmnt --kernel /var -> r:\s*/var\s'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28504,"title":"Ensure separate partition exists for /var.","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
      For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.3.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0006","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var -> r:\\s*/var\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var","result":"failed"}}
      ```
1.1.3.2 :green_circle: Updated after https://github.com/wazuh/wazuh-qa/issues/3442#issuecomment-1284302166 comment
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:: mitre_techniques does not contain the sub-technique. Expected `T1200, T1200.000`
- Rules :green_circle:
  - Command output :green_circle:
    - `'c:findmnt --kernel /var -> r:nodev'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28505,"title":"Ensure nodev option set on /var partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kern@@@
      ```
1.1.3.3 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules :green_circle:
  - Command output :green_circle:
    - `'c:findmnt --kernel /var -> r:nosuid'`
      ```
      root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
      root@ip-172-31-4-235:/home/qa#
      ```
  - Expected result :green_circle:
    - Expected Result: Fail
    - Alert:
      ```
      {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28506,"title":"Ensure nosuid option set on /var partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var -> r:nosuid"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var","result":"failed"}}
      ```
1.1.4.1 :green_circle:
- CIS ID :green_circle:
- Title :green_circle:
- Description :green_circle:
- Rationale :green_circle:
- Remediation :green_circle:
- Impact :black_circle:
- References :green_circle:
- Compliance :green_circle:
- Rules :green_circle:
  - Output:
    ```
    root@ip-172-31-10-156:/home/qa# findmnt --kernel /var/tmp
    root@ip-172-31-10-156:/home/qa#
    ```
1.1.4.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-10-156:/home/qa# findmnt --kernel /var/tmp
    root@ip-172-31-10-156:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":1871834103,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28508,"title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp OR Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuidto the /tmp mount options:[Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp:# mount -o remount,nosuid /tmp","compliance":{"cis":"1.1.4","cis_csc":"5.1","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["c:findmnt -n /tmp -> r:nosuid"],"condition":"all","command":"findmnt -n /tmp","result":"failed"}}
    ```
1.1.4.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-10-156:/home/qa# findmnt --kernel /var/tmp
    root@ip-172-31-10-156:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":1871834103,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28509,"title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp OR Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp: # mount -o remount,noexec /tmp","compliance":{"cis":"1.1.5","cis_csc":"2.6","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["c:mount -> r:\\s/tmp\\s && r:noexec"],"condition":"all","command":"mount","result":"failed"}}
    ```
1.1.4.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-10-156:/home/qa# findmnt --kernel /var/tmp
    root@ip-172-31-10-156:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":1871834103,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28506,"title":"Ensure /tmp is configured.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"Configure /etc/fstab as appropriate. 
    Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid","compliance":{"cis":"1.1.2","cis_csc":"5.1","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["c:mount -> r:\\s/tmp\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/,https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/","command":"mount","result":"failed"}}
    ```

Updated policy to commit d00ad3543b8edc24129d41d117749eb1b48429f5

1.1.5.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log
    root@ip-172-31-6-103:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28511,"title":"Ensure separate partition exists for /var/log.","description":"The /var/log directory is used by system services to store log data.","rationale":"The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contain the log files that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . 
    For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.5.1","cis_csc_v7":"6.4","cis_csc_v8":"8.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","pci_dss_v3.2.1":"10.7","soc_2":"A1.1"},"rules":["c:findmnt --kernel /var/log -> r:\\s*/var/log\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log","result":"failed"}}
    ```
1.1.5.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong remediation. Expected:
  ```
  IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log
    root@ip-172-31-6-103:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28512,"title":"Ensure nodev option set on /var/log partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. 
    Example: /var/log 0 defaults,rw,nosuid,nodev,noexec,relatime 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log -> r:\\s*/var/log\\s && r:nodev"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log","result":"failed"}}
    ```
1.1.5.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong remediation. Expected:
  ```
  IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    sca.check.compliance.nist_853: AC-5,AC-6
    root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log
    root@ip-172-31-6-103:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28513,"title":"Ensure noexec option set on /var/log partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. 
    Example: /var/log 0 defaults,rw,nosuid,nodev,noexec,relatime 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log -> r:\\s*/var/log\\s && r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log","result":"failed"}}
    ```
1.1.5.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong remediation. Expected:
  ```
  IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
  - Output:
    ```
    root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log
    root@ip-172-31-6-103:/home/qa#
    ```
  - Expected - Failed :green_circle:
    ```
    {"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28514,"title":"Ensure nosuid option set on /var/log partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. 
    Example: /var/log 0 defaults,rw,nosuid,nodev,noexec,relatime 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.4","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log -> r:\\s*/var/log\\s && r:nosuid"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log","result":"failed"}}
    ```
1.1.6.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log/audit
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28515,"title":"Ensure separate partition exists for /var/log/audit.","description":"The auditing daemon, auditd, stores log data in the /var/log/audit directory.","rationale":"The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contain the audit.log file that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.
Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.6.1","cis_csc_v7":"6.4","cis_csc_v8":"8.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","pci_dss_v3.2.1":"10.7","soc_2":"A1.1"},"rules":["c:findmnt --kernel /var/log/audit -> r:\\s*/var/log/audit\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log/audit
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28516,"title":"Ensure noexec option set on /var/log/audit partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log/audit -> r:\\s*/var/log/audit\\s && r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /var/log/audit
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28516,"title":"Ensure noexec option set on /var/log/audit partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log/audit -> r:\\s*/var/log/audit\\s && r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.4 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /dev/
TARGET SOURCE   FSTYPE   OPTIONS
/dev   devtmpfs devtmpfs rw,relatime,size=1972548k,nr_inodes=493137,mode=755,inode64
```

Expected - Passed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28518,"title":"Ensure nosuid option set on /var/log/audit partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition.
Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.4","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var/log/audit -> r:\\s*/var/log/audit\\s && r:nosuid"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.7.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /home
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28519,"title":"Ensure separate partition exists for /home.","description":"The /home directory is used to support disk storage needs of local users.","rationale":"The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.
Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.7.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /home -> r:\\s*/home\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.7.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - Wrong tactics, expected:

    ```
    TA0005
    ```
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /home
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28520,"title":"Ensure nodev option set on /home partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: /home defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"T1200","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /home -> r:\\s*/home\\s && r:nodev"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.7.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /home
root@ip-172-31-6-103:/home/qa#
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28521,"title":"Ensure nosuid option set on /home partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: /home defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /home -> r:\\s*/home\\s && r:nosuid"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.8.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,inode64
```

Expected - Pass :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28522,"title":"Ensure nodev option set on /dev/shm partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm Additional Information: Some distributions mount /dev/shm through other means and require /dev/shm to be added to /etc/fstab even though it is already being mounted on boot. Others may configure /dev/shm in other locations and may override /etc/fstab configuration.
Consult the documentation appropriate for your distribution.","compliance":{"cis":"1.1.8.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /dev/shm -> r:\\s*/dev/shm\\s && r:nodev"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
1.1.8.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Wrong remediation, expected:

    ```
    Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition.
    Example: /dev/shm defaults,rw,nosuid,nodev,noexec,relatime 0 0
    Run the following command to remount /dev/shm with the configured options:
    # mount -o remount /dev/shm
    NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications
    ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,inode64
```

Expected - Failed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28523,"title":"Ensure noexec option set on /dev/shm partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition.
Example: /dev/shm 0 defaults,rw,nosuid,nodev,noexec,relatime 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications.","compliance":{"cis":"1.1.8.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /dev/shm -> r:\\s*/dev/shm\\s && r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /dev/shm","result":"failed"}}
```
1.1.8.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,inode64
```

Expected - Passed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28524,"title":"Ensure nosuid option set on /dev/shm partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm Additional Information: Some distributions mount /dev/shm through other means and require /dev/shm to be added to /etc/fstab even though it is already being mounted on boot. Others may configure /dev/shm in other locations and may override /etc/fstab configuration.
Consult the documentation appropriate for your distribution.","compliance":{"cis":"1.1.8.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /dev/shm -> r:\\s*/dev/shm\\s && r:nosuid"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
1.1.9 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-6-103:/home/qa# systemctl is-enabled autofs
Failed to get unit file state for autofs.service: No such file or directory
```

Expected - Passed :green_circle:

```
{"type":"check","id":2118688731,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28525,"title":"Disable Automounting.","description":"autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.","rationale":"With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.","remediation":"If there are no other packages that depends on autofs, remove the package with: # apt purge autofs OR if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs Additional Information: This control should align with the tolerance of the use of portable drives and optical media in the organization. On a server requiring an admin to manually mount media can be part of defense-in-depth to reduce the risk of unapproved software or information being introduced or proprietary software or information being exfiltrated.
If admins commonly use flash drives and Server access has sufficient physical controls, requiring manual mounting may not increase security.","compliance":{"cis":"1.1.9","cis_csc_v7":"8.5","cis_csc_v8":"10.3","mitre_techniques":"T1068,T1203,T1211,T1212","cmmc_v2.0":"MP.L2-3.8.7","hipaa":"164.310(d)(1)"},"rules":["c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs\\.service|disabled"],"condition":"all","command":"systemctl is-enabled autofs","result":"passed"}}
```
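The pass/fail results in the review above all come from one rule shape: `c:<command> -> r:<regex> && r:<regex>`, with `condition: all`. The replay below is an added example, not code from this issue or from Wazuh: it re-implements that rule shape in a few lines and runs it over the terminal output pasted in the review, so a reader can see why an empty `findmnt` result (no separate mount) yields `failed`, why the `/dev/shm` line passes `nodev` and `nosuid` but fails `noexec`, and how the `|` alternation in the autofs rule accepts both the "No such file" error and `disabled`. Assumptions are labelled in the code: `&&` is read as "every pattern must match the same output line", patterns are compiled with Python's `re` module rather than Wazuh's own OS_Regex engine, and no command is executed (captured output is supplied as text).

```python
"""Minimal evaluator for the Wazuh SCA "c:" rules quoted in this review.

Added example, not code from this issue or from Wazuh. Labelled assumptions:
  * Only the rule shape used above is handled:
        "c:<command> -> r:<regex>[ && r:<regex>]..."
  * "&&" is read as: every r: pattern must match the SAME line of output.
  * Patterns are compiled with Python's re module, which is not Wazuh's own
    OS_Regex engine; only constructs seen in the quoted rules (\\s, \\., |)
    are relied on.
  * No command is executed: captured output is supplied as text, so the
    transcripts pasted in the review can be replayed offline.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CommandRule:
    command: str
    patterns: List[re.Pattern]


def parse_rule(rule: str) -> CommandRule:
    """Split 'c:<cmd> -> r:<p1> && r:<p2>' into the command and its regex list."""
    if not rule.startswith("c:"):
        raise ValueError("only c: (command) rules are handled in this example")
    command, _, match_part = rule[2:].partition(" -> ")
    patterns = []
    for piece in match_part.split(" && "):
        piece = piece.strip()
        if not piece.startswith("r:"):
            raise ValueError(f"unsupported rule element: {piece!r}")
        patterns.append(re.compile(piece[2:]))
    return CommandRule(command.strip(), patterns)


def rule_matches(rule: CommandRule, output: str) -> bool:
    """True when at least one output line satisfies every r: pattern of the rule."""
    return any(
        all(p.search(line) for p in rule.patterns) for line in output.splitlines()
    )


def evaluate_check(rules: List[str], output: str, condition: str = "all") -> str:
    """Combine the rule results under the check's condition (all / any / none)
    and return "passed" or "failed", the values seen in the JSON "result" field."""
    results = [rule_matches(parse_rule(r), output) for r in rules]
    if condition == "all":
        ok = all(results)
    elif condition == "any":
        ok = any(results)
    elif condition == "none":
        ok = not any(results)
    else:
        raise ValueError(f"unknown condition: {condition!r}")
    return "passed" if ok else "failed"


# Constructed inputs, copied from the terminal transcripts pasted in the review
# (without the shell prompt lines, which findmnt itself does not print).
SHM_OUTPUT = (
    "TARGET   SOURCE FSTYPE OPTIONS\n"
    "/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,inode64\n"
)
VAR_LOG_OUTPUT = ""  # /var/log is not a separate mount on the test host
AUTOFS_OUTPUT = (
    "Failed to get unit file state for autofs.service: No such file or directory\n"
)

# Rules exactly as they appear in the quoted policy JSON (JSON escaping removed).
RULE_SHM_NODEV = r"c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s && r:nodev"
RULE_SHM_NOEXEC = r"c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s && r:noexec"
RULE_VAR_LOG_NOSUID = r"c:findmnt --kernel /var/log -> r:\s*/var/log\s && r:nosuid"
RULE_AUTOFS = (
    r"c:systemctl is-enabled autofs -> "
    r"r:Failed to get unit file state for autofs\.service|disabled"
)


def replay_review_checks() -> dict:
    """Replay four of the checks above and return {cis_id: result}."""
    return {
        "1.1.8.1": evaluate_check([RULE_SHM_NODEV], SHM_OUTPUT),  # passed
        "1.1.8.2": evaluate_check([RULE_SHM_NOEXEC], SHM_OUTPUT),  # failed
        "1.1.5.4": evaluate_check([RULE_VAR_LOG_NOSUID], VAR_LOG_OUTPUT),  # failed
        "1.1.9": evaluate_check([RULE_AUTOFS], AUTOFS_OUTPUT),  # passed
    }


if __name__ == "__main__":
    for cis_id, result in replay_review_checks().items():
        print(f"{cis_id}: {result}")
```

Because each check's `command` is the same `findmnt --kernel <mountpoint>` call, the four results differ only in the option regex and in whether the mount point exists at all; that is the behaviour the reviewer is confirming when a missing partition is marked "Expected - Failed".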
Rebits commented 2 years ago

Update - 19/10/2022

72nomada commented 2 years ago

@Rebits there is no sub-technique for T1200.

https://attack.mitre.org/techniques/T1200/

We think it is a typo in the PDF.

Rebits commented 2 years ago

Update - 24/10/2022

Rebits commented 2 years ago

Update - 25/10/2022

fabamatic commented 2 years ago

Update 25/10/2022

Rebits commented 1 year ago

Testing after requested changes

Testing results :green_circle:

- Wrong remediation in checks 1.1.5.2, 1.1.5.3, 1.1.5.4, 1.1.8.2 :green_circle: Remediations of `1.1.5.2, 1.1.5.3, 1.1.5.4, 1.1.8.2` were correctly fixed.
- Wrong tactics in check 1.1.7.2 :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

Everything seems to be working properly after the proposed fixes.