Cis Rhel Linux RCL

# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# OSSEC Linux Audit - (C) 2014
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://www.gnu.org/licenses/gpl.html
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
# - f (for file or directory)
# - p (process running)
# - d (any file inside the directory)
#
# Additional values:
# For the registry and for directories, use "->" to look for a specific entry and
another
# "->" to look for the value.
# Also, use " -> r:^\. -> ..." to search all files in a directory
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
# CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5).
# Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5
# RC scripts location
$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
# Main one. Only valid for Red Hat/Fedora.

[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any
required]
[https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4;
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3;
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1;
f:/etc/fedora-release -> r:^Fedora && r:release 1;
# Build considerations - Partition scheme.
[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /var is
not on its own partition] [any]
f:/etc/fstab -> !r:/var;
[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is
not on its own partition] [any]
f:/etc/fstab -> !r:/home;
# Section 1.3 - SSH configuration

[CIS - Red Hat Linux - 1.3 - SSH Configuration - Protocol version 1 enabled {CIS:
1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3
Red Hat Linux} {PCI_DSS: 4.1}] [any]
f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS:
1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled
{CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any]
f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red
Hat Linux} {PCI_DSS: 4.1}] [any]
f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
# Section 1.4 Enable system accounting

#[CIS - Red Hat Linux - 1.4 - System Accounting - Sysstat not installed] [all]
#f:!/var/log/sa;
# Section 2.5 Install and run Bastille

#[CIS - Red Hat Linux - 1.5 - System harderning - Bastille is not installed] [any]
#f:!/etc/Bastille;
# Section 2 - Minimize xinetd services

[CIS - Red Hat Linux - 2.3 - Telnet enabled on xinetd {CIS: 2.3 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/wu-ftpd -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat
Linux} {PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no;
f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no;
f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/imap -> !r:^# && r:disable && r:no;
f:/etc/xinetd.c/imaps -> !r:^# && r:disable && r:no;
[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux}
{PCI_DSS: 2.2.2}] [any]
f:/etc/xinetd.c/ipop3 -> !r:^# && r:disable && r:no;
f:/etc/xinetd.c/pop3s -> !r:^# && r:disable && r:no;
# Section 3 - Minimize boot services

[CIS - Red Hat Linux - 3.1 - Set daemon umask - Default umask is higher than 027
{CIS: 3.1 Red Hat Linux}] [all]
f:/etc/init.d/functions -> !r:^# && r:ûmask && >:umask 027;
[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS:
2.2.2}] [any]
f:/etc/inittab -> !r:^# && r:id:5;
[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS:
3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dsamba$;
d:$rc_dirs -> ^S\d\dsmb$;
[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8
Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dnfs$;
d:$rc_dirs -> ^S\d\dnfslock$;
[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS:
d:$rc_dirs -> ^S\d\dypbind$;
d:$rc_dirs -> ^S\d\dypserv$;
[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS:
d:$rc_dirs -> ^S\d\dnetfs$;
[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server
Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dapache$;
d:$rc_dirs -> ^S\d\dhttpd$;
[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server
d:$rc_dirs -> ^S\d\dtux$;
[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process
d:$rc_dirs -> ^S\d\dsnmpd$;
[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled
{CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dnamed$;
[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled
{CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dmysqld$;
[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server
d:$rc_dirs -> ^S\d\dpostgresql$;
[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS:
d:$rc_dirs -> ^S\d\dwebmin$;
[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS:
d:$rc_dirs -> ^S\d\dsquid$;
[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware
detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any]
d:$rc_dirs -> ^S\d\dkudzu$;
# Section 4 - Kernel tuning

[CIS - Red Hat Linux - 4.1 - Network parameters - Source routing accepted {CIS: 4.1
Red Hat Linux}] [any]
f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS:
4.1 Red Hat Linux}] [any]
f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2
Red Hat Linux}] [any]
f:/proc/sys/net/ipv4/ip_forward -> 1;
f:/proc/sys/net/ipv6/ip_forward -> 1;
# Section 6 - Permissions
[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat
f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS:
f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS:
f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the
console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any]
f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
# Section 7 - Access and authentication

[CIS - Red Hat Linux - 7.8 - LILO Password not set {CIS: 7.8 Red Hat Linux}
{PCI_DSS: 2.2.4}] [any]
f:/etc/lilo.conf -> !r:^# && !r:restricted;
f:/etc/lilo.conf -> !r:^# && !r:password=;
[CIS - Red Hat Linux - 7.8 - GRUB Password not set {CIS: 7.8 Red Hat Linux}
{PCI_DSS: 2.2.4}] [any]
f:/boot/grub/menu.lst -> !r:^# && !r:password;
[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat
f:/etc/shadow -> r:^\w+::;
[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any]
f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
# Tests specific for VMware ESX - Runs on Red Hat Linux -

# Will not be tested anywhere else.
[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5]
[any required] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
f:/etc/vmware-release -> r:^VMware ESX;
# Virtual Machine Files and Settings - 1

# 1.1
[VMware ESX - VM settings - Copy operation between guest and console enabled] [any]
[http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:îsolation.tools.copy.disable;
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.copy.disable && r:false;
# 1.2
[VMware ESX - VM settings - Paste operation between guest and console enabled]
[any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:îsolation.tools.paste.disable;
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.paste.disable && r:false;
# 1.3
[VMware ESX - VM settings - GUI Options enabled] [any]
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.setGUIOptions.enable && r:true;
# 1.4
[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not
limited - Rotate size not 100KB] [any]
d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize;
d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000";
# 1.5
limited - Maximum number of logs not 10] [any]
d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld;
d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && r:"10";
# 1.6
limited - Guests allowed to write SetInfo data to config] [any]
d:/vmfs/volumes -> .vmx$ -> !r:îsolation.tools.setinfo.disable;
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.setinfo.disable && r:false;
# 1.7
[VMware ESX - VM settings - Nonpersistent Disks being used] [any]
d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:!independent-nonpersistent;
# 1.8
[VMware ESX - VM settings - Floppy drive present] [any]
d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && r:!false;
[VMware ESX - VM settings - Serial port present] [any]

d:/vmfs/volumes -> .vmx$ -> r:^serial\d+.present && r:!false;
[VMware ESX - VM settings - Parallel port present] [any]

d:/vmfs/volumes -> .vmx$ -> r:^parallel\d+.present && r:!false;
# 1.9
[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed]
[any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
d:/vmfs/volumes -> .vmx$ -> !r:Îsolation.tools.connectable.disable;
d:/vmfs/volumes -> .vmx$ -> r:Îsolation.tools.connectable.disable && r:false;
# 1.10
[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk
Modification Operations - diskWiper enabled] [any]
d:/vmfs/volumes -> .vmx$ -> !r:îsolation.tools.diskWiper.disable;
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.diskWiper.disable && r:false;
[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk

Modification Operations - diskShrink enabled] [any]
d:/vmfs/volumes -> .vmx$ -> !r:îsolation.tools.diskShrink.disable;
d:/vmfs/volumes -> .vmx$ -> r:îsolation.tools.diskShrink.disable && r:false;
# Configuring the Service Console in ESX 3.5 - 2

# 2.1

Cis Rhel Linux RCL

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cis Rhel Linux RCL

Uploaded by

Copyright:

Available Formats

# Copyright (C) 2015-2020, Wazuh Inc.

# Main one. Only valid for Red Hat/Fedora.

# Section 1.3 - SSH configuration

# Section 1.4 Enable system accounting

# Section 2.5 Install and run Bastille

# Section 2 - Minimize xinetd services

# Section 3 - Minimize boot services

# Section 4 - Kernel tuning

# Section 7 - Access and authentication

# Tests specific for VMware ESX - Runs on Red Hat Linux -

# Virtual Machine Files and Settings - 1

[VMware ESX - VM settings - Serial port present] [any]

[VMware ESX - VM settings - Parallel port present] [any]

[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk

# Configuring the Service Console in ESX 3.5 - 2

You might also like