Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Caution
This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article details the configuration settings for Linux guests as applicable in the following implementations:
- Linux machines should meet requirements for the Azure compute security baseline Azure Policy guest configuration definition
- Vulnerabilities in security configuration on your machines should be remediated in Microsoft Defender for Cloud
For the remediation checks and suggestions we took a best practices approach - however please always ensure that the commands will be tested and not applied blindly in any production environment. For automatic remediations, we've release in Limited Public Preview our new auto-remediation capability so you can test this policy with "DeployIfNotExist" action as well.
The new release of the policy for both audit and remediation is powered by azure-osconfig our open-source engine - you can read more about the replatforming announcement.
For more information, see Azure Policy guest configuration and Overview of the Azure Security Benchmark (V2).
The CIS mappings are based on the Distro Independent Benchmark v2.0.0 version.
General security controls
| Name (CCEID) |
New Name | Details | Remediation check |
|---|---|---|---|
| Ensure nodev option set on /home partition. (1.1.4) |
Ensure nodev option set on /home partition (CIS: L1 - Server - 1.1.14) | Description: An attacker could mount a special device (for example, block or character device) on the /home partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. For more information, see the fstab(5) manual pages. |
| Ensure nodev option set on /tmp partition. (1.1.5) |
Ensure nodev option set on /tmp partition (CIS: L1 - Server - 1.1.3) | Description: An attacker could mount a special device (for example, block or character device) on the /tmp partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nodev option set on /var/tmp partition. (1.1.6) |
Ensure nodev option set on /var/tmp partition (CIS: L1 - Server - 1.1.8) | Description: An attacker could mount a special device (for example, block or character device) on the /var/tmp partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nosuid option set on /tmp partition. (1.1.7) |
Ensure nosuid option set on /tmp partition (CIS: L1 - Server - 1.1.4) | Description: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nosuid option set on /var/tmp partition. (1.1.8) |
Ensure nosuid option set on /var/tmp partition (CIS: L1 - Server - 1.1.9) | Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure noexec option set on /var/tmp partition. (1.1.9) |
Ensure noexec option set on /var/tmp partition (CIS: L1 - Server - 1.1.10) | Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't run executable binaries from /var/tmp . |
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure noexec option set on /dev/shm partition. (1.1.16) |
Ensure noexec option set on /dev/shm partition (CIS: L1 - Server - 1.1.17) | Description: Setting this option on a file system prevents users from executing programs from shared memory. This control deters users from introducing potentially malicious software on the system. | Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. |
| Disable automounting (1.1.21) |
Ensure automounting is disabled (CIS: L1 - Server - 1.1.22) | Description: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lack permissions to mount it themselves. | Disable the autofs service: systemctl disable autofs (systemd) or chkconfig autofs off (sysv) |
| Ensure mounting of USB storage devices is disabled (1.1.21.1) |
Ensure mounting of USB storage devices is disabled (CIS: L1 - Server - 1.1.23) | Description: Removing support for USB storage devices reduces the local attack surface of the server. | Add install usb-storage /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r usb-storage |
| Ensure core dumps are restricted. (1.5.1) |
Ensure core dumps are restricted (CIS: L1 - Server - 1.5.1) | Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core. |
Add * hard core 0 to /etc/security/limits.conf and set fs.suid_dumpable = 0 in /etc/sysctl.conf, then run sysctl -p |
| Ensure prelink is disabled. (1.5.4) |
Ensure prelink is disabled (CIS: L1 - Server - 1.5.4) | Description: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc. | Uninstall prelink: yum remove prelink (RHEL/CentOS) or apt remove prelink (Debian/Ubuntu) |
| Ensure permissions on /etc/motd are configured. (1.7.1.4) |
Ensure permissions on /etc/motd are configured (CIS: L1 - Server - 1.7.1.4) | Description: If the /etc/motd file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set ownership and permissions: chown root:root /etc/motd && chmod 644 /etc/motd |
| Ensure permissions on /etc/issue are configured. (1.7.1.5) |
Ensure permissions on /etc/issue are configured (CIS: L1 - Server - 1.7.1.5) | Description: If the /etc/issue file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set ownership and permissions: chown root:root /etc/issue && chmod 644 /etc/issue |
| Ensure permissions on /etc/issue.net are configured. (1.7.1.6) |
Ensure permissions on /etc/issue.net are configured (CIS: L1 - Server - 1.7.1.6) | Description: If the /etc/issue.net file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set ownership and permissions: chown root:root /etc/issue.net && chmod 644 /etc/issue.net |
| The nodev option should be enabled for all removable media. (2.1) |
Ensure the nodev option is enabled for all removable media (CIS: L1 - Server - 1.1.18) | Description: An attacker could mount a special device (for example, block or character device) via removable media | Add the nodev option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| The noexec option should be enabled for all removable media. (2.2) |
Ensure the noexec option is enabled for all removable media (CIS: L1 - Server - 1.1.20) | Description: An attacker could load executable file via removable media | Add the noexec option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| The nosuid option should be enabled for all removable media. (2.3) |
Ensure the nosuid option is enabled for all removable media (CIS: L1 - Server - 1.1.19) | Description: An attacker could load files that run with an elevated security context via removable media | Add the nosuid option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| Ensure talk client is not installed. (2.3.3) |
Ensure talk client is not installed (CIS: L1 - Server - 2.3.3) | Description: The software presents a security risk as it uses unencrypted protocols for communication. | Uninstall talk: yum remove talk (RHEL/CentOS) or apt remove talk (Debian/Ubuntu) |
| Ensure permissions on /etc/hosts.allow are configured. (3.4.4) |
Ensure permissions on /etc/hosts.allow are configured (CIS: L1 - Server - 3.3.2 + 3.3.4) | Description: It's critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |
Set ownership and permissions: chown root:root /etc/hosts.allow && chmod 644 /etc/hosts.allow |
| Ensure permissions on /etc/hosts.deny are configured. (3.4.5) |
Ensure permissions on /etc/hosts.deny are configured (CIS: L1 - Server - 3.3.3 + 3.3.5) | Description: It's critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |
Set ownership and permissions: chown root:root /etc/hosts.deny && chmod 644 /etc/hosts.deny |
| Ensure default deny firewall policy (3.6.2) |
Ensure default deny firewall policy is set (CIS: L1 - Server - 3.5.2.1) | Description: With a default accept policy, the firewall will accept any packet that is not explicitly denied. It is easier to maintain a secure firewall with a default DROP policy than it is with a default Allow policy. | Set the default policy for incoming, outgoing, and routed traffic to deny or reject as appropriate using your firewall software |
| The nodev/nosuid option should be enabled for all NFS mounts. (5) |
Ensure the nodev/nosuid option is enabled for all NFS mounts | Description: An attacker could load files that run with an elevated security context or special devices via remote file system | Add the nosuid and nodev options to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| Ensure permissions on /etc/ssh/sshd_config are configured. (5.2.1) |
Ensure permissions on /etc/ssh/sshd_config are configured (CIS: L1 - Server - 5.2.1) | Description: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users. |
Set ownership and permissions: chown root:root /etc/ssh/sshd_config && chmod 600 /etc/ssh/sshd_config |
| Ensure password creation requirements are configured. (5.3.1) |
Ensure password creation requirements are configured (CIS: L1 - Server - 5.3.1) | Description: Strong passwords protect systems from being hacked through brute force methods. | Configure PAM password complexity in /etc/pam.d/common-password or /etc/pam.d/system-auth: password requisite pam_pwquality.so minlen=14 minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 |
| Ensure lockout for failed password attempts is configured. (5.3.2) |
Ensure lockout for failed password attempts is configured (CIS: L1 - Server - 5.3.2) | Description: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. |
for Ubuntu and Debian, add the pam_tally and pam_deny modules as appropriate. For all other distros, refer to your distro's documentation |
| Disable the installation and use of file systems that aren't required (cramfs) (6.1) |
Ensure the cramfs file system is disabled (CIS: L1 - Server - 1.1.1.1) | Description: An attacker could use a vulnerability in cramfs to elevate privileges | Add install cramfs /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r cramfs |
| Disable the installation and use of file systems that aren't required (freevxfs) (6.2) |
Ensure the freevxfs file system is disabled (CIS: L1 - Server - 1.1.1.2) | Description: An attacker could use a vulnerability in freevxfs to elevate privileges | Add install freevxfs /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r freevxfs |
| Ensure all users' home directories exist (6.2.7) |
Ensure all users' home directories exist (CIS: L1 - Server - 6.2.7) | Description: If the user's home directory does not exist or is unassigned, the user will be placed in the volume root. Moreover, the user will be unable either to write any files or set environment variables. | If any users' home directories don't exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. |
| Ensure users own their home directories (6.2.9) |
Ensure users own their home directories (CIS: L1 - Server - 6.2.9) | Description: Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. | Change the ownership of any home directories that aren't owned by the defined user to the correct user. |
| Ensure users' dot files aren't group or world writable. (6.2.10) |
Ensure users' dot files aren't group or world writable (CIS: L1 - Server - 6.2.10) | Description: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, we recommended you establish a monitoring policy to report user dot file permissions and determine site policy remediation actions. |
| Ensure no users have .forward files (6.2.11) |
Ensure no users have .forward files (CIS: L1 - Server - 6.2.11) | Description: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions. |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy. |
| Ensure no users have .netrc files (6.2.12) |
Ensure no users have .netrc files (CIS: L1 - Server - 6.2.12) | Description: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems that could pose a risk to those systems |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy. |
| Ensure no users have .rhosts files (6.2.14) |
Ensure no users have .rhosts files (CIS: L1 - Server - 6.2.14) | Description: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have been brought over from other systems and could contain information useful to an attacker for those other systems. |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .rhosts files and determine the action to be taken in accordance with site policy. |
| Ensure all groups in /etc/passwd exist in /etc/group (6.2.15) |
Ensure all groups in /etc/passwd exist in /etc/group (CIS: L1 - Server - 6.2.15) | Description: Groups which are defined in the /etc/passwd file but not in the /etc/group file poses a threat to system security since group permissions aren't properly managed. | For each group defined in /etc/passwd, ensure there is a corresponding group in /etc/group |
| Ensure no duplicate UIDs exist (6.2.16) |
Ensure no duplicate UIDs exist (CIS: L1 - Server - 6.2.16) | Description: Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. | Establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to. |
| Ensure no duplicate GIDs exist (6.2.17) |
Ensure no duplicate GIDs exist (CIS: L1 - Server - 6.2.17) | Description: Groups must be assigned unique GIDs for accountability and to ensure appropriate access protections. | Establish unique GIDs and review all files owned by the shared GIDs to determine which GID they are supposed to belong to. |
| Ensure no duplicate user names exist (6.2.18) |
Ensure no duplicate user names exist (CIS: L1 - Server - 6.2.18) | Description: If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd . For example, if 'test4' has a UID of 1000 and a subsequent 'test4' entry has a UID of 2000, logging in as 'test4' will use UID 1000. Effectively, the UID is shared, which is a security problem. |
Establish unique user names for all users. File ownerships will automatically reflect the change as long as the users have unique UIDs. |
| Ensure no duplicate groups exist (6.2.19) |
Ensure no duplicate groups exist (CIS: L1 - Server - 6.2.19) | Description: If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group . Effectively, the GID is shared, which is a security problem. |
Establish unique names for all user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs. |
| Ensure shadow group is empty (6.2.20) |
Ensure shadow group is empty (CIS: L1 - Server - 6.2.20) | Description: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert other user accounts. |
Remove all users form the shadow group |
| Disable the installation and use of file systems that aren't required (hfs) (6.3) |
Ensure the hfs file system is disabled (CIS: L1 - Server - 1.1.1.4) | Description: An attacker could use a vulnerability in hfs to elevate privileges | Add install hfs /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r hfs |
| Disable the installation and use of file systems that aren't required (hfsplus) (6.4) |
Ensure the hfsplus file systems is disabled (CIS: L1 - Server - 1.1.1.5) | Description: An attacker could use a vulnerability in hfsplus to elevate privileges | Add install hfsplus /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r hfsplus |
| Disable the installation and use of file systems that aren't required (jffs2) (6.5) |
Ensure the jffs2 file systems is disabled (CIS: L1 - Server - 1.1.1.3) | Description: An attacker could use a vulnerability in jffs2 to elevate privileges | Add install jffs2 /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r jffs2 |
| Kernels should only be compiled from approved sources. (10) |
Ensure the kernel is compiled from approved sources | Description: A kernel from an unapproved source could contain vulnerabilities or backdoors to grant access to an attacker. | Install the kernel that is provided by your distro vendor. |
| /etc/shadow file permissions should be set to 0400 (11.1) |
Ensure file permissions on /etc/shadow are configured (CIS: L1 - Server - 6.1.3) | Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow if it's not correctly secured. | Set ownership and permissions: chown root:shadow /etc/shadow && chmod 640 /etc/shadow |
| /etc/shadow- file permissions should be set to 0400 (11.2) |
Ensure file permissions on /etc/shadow- are configured (CIS: L1 - Server - 6.1.7) | Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow- if it's not correctly secured. | Set ownership and permissions: chown root:shadow /etc/shadow- && chmod 640 /etc/shadow- |
| /etc/gshadow file permissions should be set to 0400 (11.3) |
Ensure file permissions on /etc/gshadow are configured (CIS: L1 - Server - 6.1.5) | Description: An attacker could join security groups if this file isn't properly secured | Set ownership and permissions: chown root:shadow /etc/gshadow && chmod 640 /etc/gshadow |
| /etc/gshadow- file permissions should be set to 0400 (11.4) |
Ensure file permissions on /etc/gshadow- are configured (CIS: L1 - Server - 6.1.9) | Description: An attacker could join security groups if this file isn't properly secured | Set ownership and permissions: chown root:shadow /etc/gshadow- && chmod 640 /etc/gshadow- |
| /etc/passwd file permissions should be 0644 (12.1) |
Ensure file permissions on /etc/passwd are configured (CIS: L1 - Server - 6.1.2) | Description: An attacker could modify userIDs and login shells | Set ownership and permissions: chown root:root /etc/passwd && chmod 644 /etc/passwd |
| /etc/group file permissions should be 0644 (12.2) |
Ensure file permissions on /etc/group are configured (CIS: L1 - Server - 6.1.4) | Description: An attacker could elevate privileges by modifying group membership | Set ownership and permissions: chown root:root /etc/group && chmod 644 /etc/group |
| /etc/passwd- file permissions should be set to 0600 (12.3) |
Ensure file permissions on /etc/passwd- are configured (CIS: L1 - Server - 6.1.6) | Description: An attacker could join security groups if this file isn't properly secured | Set ownership and permissions: chown root:root /etc/passwd- && chmod 600 /etc/passwd- |
| /etc/group- file permissions should be 0644 (12.4) |
Ensure file permissions on /etc/group- are configured (CIS: L1 - Server - 6.1.8) | Description: An attacker could elevate privileges by modifying group membership | Set ownership and permissions: chown root:root /etc/group- && chmod 644 /etc/group- |
| Access to the root account via su should be restricted to the 'root' group (21) |
Ensure that access to the root account via su is restricted to the 'root' group (CIS: L1 - Server - 5.5) | Description: An attacker could escalate permissions by password guessing if su is not restricted to users in the root group. | Add auth required pam_wheel.so use_uid to /etc/pam.d/su and ensure the wheel group exists |
| The 'root' group should exist, and contain all members who can su to root (22) |
Ensure the 'root' group exists, and contain all members who can su to root (CIS: L1 - Server - 5.6) | Description: An attacker could escalate permissions by password guessing if su is not restricted to users in the root group. | Create the root group via the command 'groupadd -g 0 root' |
| All accounts should have a password (23.2) |
Ensure that all user accounts that can login have a password set | Description: An attacker can login to accounts with no password and execute arbitrary commands. | Use the passwd command to set passwords for all accounts |
| Accounts other than root must have unique UIDs greater than zero(0) (24) |
Ensure that all user accounts other than root have unique UIDs greater than zero (0) | Description: If an account other than root has uid zero, an attacker could compromise the account and gain root privileges. | Assign unique, non-zero uids to all non-root accounts using 'usermod -u' |
| Randomized placement of virtual memory regions should be enabled (25) |
Ensure that randomized placement (ASLR) of virtual memory regions is enabled (CIS: L1 - Server - 1.5.3) | Description: An attacker could write executable code to known regions in memory resulting in elevation of privilege | Add the value '1' or '2' to the file '/proc/sys/kernel/randomize_va_space' |
| Kernel support for the XD/NX processor feature should be enabled (26) |
Ensure that kernel support for the XD/NX processor feature is enabled (CIS: L1 - Server - 1.5.2) | Description: An attacker could cause a system to execute code from data regions in memory resulting in elevation of privilege. | Confirm the file '/proc/cpuinfo' contains the flag 'nx' |
| The '.' shouldn't appear in root's $PATH (27.1) |
Ensure '.' does not appear in root's $PATH (CIS: L1 - Server - 6.2.6) | Description: An attacker could elevate privileges by placing a malicious file in root's $PATH | Modify the 'export PATH=' line in /root/.profile |
| User home directories should be mode 750 or more restrictive (28) |
Ensure access to user home directories is restricted | Description: An attacker could retrieve sensitive information from the home folders of other users. | Set home directory permissions to 750 or more restrictive: chmod 750 /home/* |
| The default umask for all users should be set to 077 in login.defs (29) |
Ensure the default umask for all users is configured | Description: An attacker could retrieve sensitive information from files owned by other users. | Add UMASK 077 to /etc/login.defs and add umask 077 to /etc/profile and /etc/bashrc |
| All bootloaders should have password protection enabled. (31) |
Ensure all bootloaders have password protection enabled (CIS: L1 - Server - 1.4.2) | Description: An attacker with physical access could modify bootloader options, yielding unrestricted system access | Add a boot loader password to the file '/boot/grub/grub.cfg' |
| Ensure permissions on bootloader config are configured (31.1) |
Ensure permissions on bootloader config are configured (CIS: L1 - Server - 1.4.1) | Description: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. | Set bootloader config permissions: chown root:root /boot/grub*/grub.cfg && chmod 400 /boot/grub*/grub.cfg (adjust path for your bootloader) |
| Ensure authentication required for single user mode. (33) |
Ensure authentication is required for single user mode (CIS: L1 - Server - 1.4.3) | Description: Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials. | run the following command to set a password for the root user: passwd root |
| Ensure packet redirect sending is disabled. (38.3) |
Ensure packet redirect sending is disabled (CIS: L1 - Server - 3.1.2) | Description: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. | Add to /etc/sysctl.conf: net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.default.send_redirects = 0, then run sysctl -p |
| Sending ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.default.accept_redirects = 0) (38.4) |
Ensure ICMP redirects are not accepted (CIS: L1 - Server - 3.2.2) - multiple rules combined | Description: An attacker could alter this system's routing table, redirecting traffic to an alternate destination | Add to /etc/sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 and net.ipv6.conf.default.accept_redirects = 0, then run sysctl -p |
| Sending ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.default.secure_redirects = 0) (38.5) |
Ensure ICMP redirects are not accepted (CIS: L1 - Server - 3.2.2) - multiple rules combined | Description: An attacker could alter this system's routing table, redirecting traffic to an alternate destination | Add to /etc/sysctl.conf: net.ipv4.conf.default.secure_redirects = 0, then run sysctl -p |
| Accepting source routed packets should be disabled for all interfaces. (net.ipv4.conf.all.accept_source_route = 0) (40.1) |
Ensure accepting source routed packets is disabled for all interfaces (CIS: L1 - Server - 3.2.1) - IPv4 and IPv6 rules combined | Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| Accepting source routed packets should be disabled for all interfaces. (net.ipv6.conf.all.accept_source_route = 0) (40.2) |
Ensure accepting source routed packets is disabled for all interfaces (CIS: L1 - Server - 3.2.1) - IPv4 and IPv6 rules combined | Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv4.conf.default.accept_source_route = 0) (42.1) |
Ensure the default setting for accepting source routed packets is disabled for network interfaces (CIS: L1 - Server - 3.2.1) - IPv4 and IPv6 rules combined | Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv6.conf.default.accept_source_route = 0) (42.2) |
Ensure the default setting for accepting source routed packets is disabled for network interfaces (CIS: L1 - Server - 3.2.1) - IPv4 and IPv6 rules combined | Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| Ignoring bogus ICMP responses to broadcasts should be enabled. (net.ipv4.icmp_ignore_bogus_error_responses = 1) (43) |
Ensure ignoring bogus ICMP responses to broadcasts is enabled (CIS: L1 - Server - 3.2.6) | Description: An attacker could perform an ICMP attack resulting in DoS | Add to /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses = 1, then run sysctl -p |
| Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled. (net.ipv4.icmp_echo_ignore_broadcasts = 1) (44) |
Ensure ignoring ICMP echo requests (pings) sent to broadcast/multicast addresses is enabled (CIS: L1 - Server - 3.2.5) | Description: An attacker could perform an ICMP attack resulting in DoS | Add to /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1, then run sysctl -p |
| Logging of martian packets (those with impossible addresses) should be enabled for all interfaces. (net.ipv4.conf.all.log_martians = 1) (45.1) |
Ensure logging of martian packets (those with impossible addresses) is enabled for all interfaces | Description: An attacker could send traffic from spoofed addresses without being detected | Add to /etc/sysctl.conf: net.ipv4.conf.all.log_martians = 1 and net.ipv4.conf.default.log_martians = 1, then run sysctl -p |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1) (46.1) |
Ensure performing source validation by reverse path is enabled for all interfaces (CIS: L1 - Server - 3.2.7) - multiple rules combined | Description: The system will accept traffic from addresses that are unroutable. | Add to /etc/sysctl.conf: net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1, then run sysctl -p |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1) (46.2) |
Ensure performing source validation by reverse path is enabled for all interfaces (CIS: L1 - Server - 3.2.7) - multiple rules combined | Description: The system will accept traffic from addresses that are unroutable. | Add to /etc/sysctl.conf: net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1, then run sysctl -p |
| TCP SYN cookies should be enabled. (net.ipv4.tcp_syncookies = 1) (47) |
Ensure TCP SYN cookies are enabled (CIS: L1 - Server - 3.2.8) | Description: An attacker could perform a DoS over TCP | Add to /etc/sysctl.conf: net.ipv4.tcp_syncookies = 1, then run sysctl -p |
| The system shouldn't act as a network sniffer. (48) |
Ensure the system does not act as a network sniffer | Description: An attacker may use promiscuous interfaces to sniff network traffic | Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local.' Check both files and remove this entry. |
| All wireless interfaces should be disabled. (49) |
Ensure all wireless interfaces are disabled (CIS: L1 - Server - 3.6) | Description: An attacker could create a fake AP to intercept transmissions. | Confirm all wireless interfaces are disabled in '/etc/network/interfaces' |
| The IPv6 protocol should be enabled. (50) |
Ensure the IPv6 protocol is enabled | Description: This is necessary for communication on modern networks. | Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0 |
| Ensure DCCP is disabled (54) |
Ensure DCCP is disabled | Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Add install dccp /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r dccp |
| Ensure SCTP is disabled (55) |
Ensure SCTP is disabled | Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Add install sctp /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r sctp |
| Disable support for RDS. (56) |
Ensure support for RDS is disabled | Description: An attacker could use a vulnerability in RDS to compromise the system | Add install rds /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r rds |
| Ensure TIPC is disabled (57) |
Ensure TIPC is disabled | Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Add install tipc /bin/true to a file in /etc/modprobe.d/ ending in .conf, then run modprobe -r tipc |
| Ensure logging is configured (60) |
Ensure logging is configured (CIS: L1 - Server - 4.2.1.2 + 4.2.1.3) | Description: A great deal of important security-related information is sent via rsyslog (for example, successful and failed su attempts, failed login attempts, root login attempts, etc.). |
Configure syslog, rsyslog or syslog-ng as appropriate |
| The syslog, rsyslog, or syslog-ng package should be installed. (61) |
Ensure the syslog, rsyslog, or syslog-ng package is installed (CIS: L1 - Server - 4.2.1.1) | Description: Reliability and security issues will not be logged, preventing proper diagnosis. | Install rsyslog: yum install rsyslog (RHEL/CentOS) or apt install rsyslog (Debian/Ubuntu) |
| The systemd-journald service should be configured to persists log messages (61.1) |
Ensure the systemd-journald service persists log messages (CIS: L1 - Server - 4.2.2.3) | Description: Reliability and security issues will not be logged, preventing proper diagnosis. | Create /var/log/journal and ensure that Storage in journald.conf is auto or persistent |
| Ensure a logging service is enabled (62) |
Ensure a logging service is enabled | Description: It's imperative to have the ability to log events on a node. | Enable rsyslog service: systemctl enable rsyslog (systemd) or chkconfig rsyslog on (sysv) |
| File permissions for all rsyslog log files should be set to 640 or 600. (63) |
Ensure file permissions for all rsyslog log files are configured (CIS: L1 - Server - 4.2.1.4) | Description: An attacker could hide activity by manipulating logs | Add the line '$FileCreateMode 0640' to the file '/etc/rsyslog.conf' |
| Ensure logger configuration files are restricted. (63.1) |
Ensure logger configuration files are restricted (CIS: L1 - Server - 4.2.1.4) | Description: It's important to ensure that log files exist and have the correct permissions to ensure that sensitive syslog data is archived and protected. | Set rsyslog config permissions: chown root:root /etc/rsyslog.conf && chmod 640 /etc/rsyslog.conf |
| All rsyslog log files should be owned by the adm group. (64) |
Ensure that all rsyslog log files are owned by the adm group | Description: An attacker could hide activity by manipulating logs | Add the line '$FileGroup adm' to the file '/etc/rsyslog.conf' |
| All rsyslog log files should be owned by the syslog user. (65) |
Ensure all rsyslog log files are owned by the syslog user (CIS: L1 - Server - 4.2.1.4) | Description: An attacker could hide activity by manipulating logs | Add $FileOwner syslog to /etc/rsyslog.conf and restart rsyslog service |
| Rsyslog shouldn't accept remote messages. (67) |
Ensure rsyslog does not accept remote messages | Description: An attacker could inject messages into syslog, causing a DoS or a distraction from other activity | Remove the lines '$ModLoad imudp' and '$ModLoad imtcp' from the file '/etc/rsyslog.conf' |
| The logrotate (syslog rotater) service should be enabled. (68) |
Ensure the logrotate (syslog rotater) service is enabled (CIS: L1 - Server - 4.3) | Description: Logfiles could grow unbounded and consume all disk space | Install the logrotate package and confirm the logrotate cron entry is active (chmod 755 /etc/cron.daily/logrotate; chown root:root /etc/cron.daily/logrotate) |
| The rlogin service should be disabled. (69) |
Ensure the rlogin service is disabled | Description: An attacker could gain access, bypassing strict authentication requirements | Remove the inetd service. |
| Disable inetd unless required. (inetd) (70.1) |
Ensure inetd is not installed (CIS: L1 - Server - 2.1.10) - service and package rules combined | Description: An attacker could exploit a vulnerability in an inetd service to gain access | Uninstall the inetd service: yum remove inetd (RHEL/CentOS) or apt remove inetd (Debian/Ubuntu) |
| Disable xinetd unless required. (xinetd) (70.2) |
Ensure xinetd is not installed (CIS: L1 - Server - 2.1.10) - service and package rules combined | Description: An attacker could exploit a vulnerability in a xinetd service to gain access | Uninstall the xinetd service: yum remove xinetd (RHEL/CentOS) or apt remove xinetd (Debian/Ubuntu) |
| Install inetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required) (71.1) |
Ensure inetd is not installed (CIS: L1 - Server - 2.1.10) - service and package rules combined | Description: An attacker could exploit a vulnerability in an inetd service to gain access | Uninstall the inetd service: yum remove inetd (RHEL/CentOS) or apt remove inetd (Debian/Ubuntu) |
| Install xinetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required) (71.2) |
Ensure xinetd is not installed (CIS: L1 - Server - 2.1.10) - service and package rules combined | Description: An attacker could exploit a vulnerability in a xinetd service to gain access | Uninstall the xinetd service: yum remove xinetd (RHEL/CentOS) or apt remove xinetd (Debian/Ubuntu) |
| The telnet service should be disabled. (72) |
Ensure the telnet service is disabled (CIS: L1 - Server - 2.1.8) | Description: An attacker could eavesdrop or hijack unencrypted telnet sessions | Remove or comment out the telnet entry in the file '/etc/inetd.conf' |
| All telnetd packages should be uninstalled. (73) |
Ensure all telnetd packages are uninstalled | Description: An attacker could eavesdrop or hijack unencrypted telnet sessions | Uninstall any telnetd packages |
| The rcp/rsh service should be disabled. (74) |
Ensure the rcp/rsh service is disabled | Description: An attacker could eavesdrop or hijack unencrypted sessions | Remove or comment out the shell entry in the file '/etc/inetd.conf' |
| The rsh-server package should be uninstalled. (77) |
Ensure the rsh-server package is uninstalled (CIS: L1 - Server - 2.1.6) | Description: An attacker could eavesdrop or hijack unencrypted rsh sessions | Uninstall the rsh-server package: yum remove rsh-server (RHEL/CentOS) or apt remove rsh-server (Debian/Ubuntu) |
| The ypbind service should be disabled. (78) |
Ensure the ypbind service is disabled and the nis package is not installed - service and package rules combined | Description: An attacker could retrieve sensitive information from the ypbind service | Uninstall the nis package: yum remove nis (RHEL/CentOS) or apt remove nis (Debian/Ubuntu) |
| The nis package should be uninstalled. (79) |
Ensure the ypbind service is disabled and the nis package is not installed - service and package rules combined | Description: An attacker could retrieve sensitive information from the NIS service | Uninstall the nis package: yum remove nis (RHEL/CentOS) or apt remove nis (Debian/Ubuntu) |
| The tftp service should be disabled. (80) |
Ensure the tftp service is disabled (CIS: L1 - Server - 2.1.9) | Description: An attacker could eavesdrop or hijack an unencrypted session | Remove the tftp entry from the file '/etc/inetd.conf' |
| The tftpd package should be uninstalled. (81) |
Ensure the tftpd package is not installed (CIS: L1 - Server - 2.1.9) | Description: An attacker could eavesdrop or hijack an unencrypted session | Uninstall the tftpd package: yum remove tftpd (RHEL/CentOS) or apt remove tftpd (Debian/Ubuntu) |
| The readahead-fedora package should be uninstalled. (82) |
Ensure the readahead-fedora package is not installed | Description: The package creates no substantial exposure, but also adds no substantial benefit. | Uninstall the readahead-fedora package: yum remove readahead-fedora (RHEL/CentOS) or apt remove readahead-fedora (Debian/Ubuntu) |
| The bluetooth/hidd service should be disabled. (84) |
Ensure the bluetooth package is not installed | Description: An attacker could intercept or manipulate wireless communications. | Uninstall the bluetooth package: yum remove bluetooth (RHEL/CentOS) or apt remove bluetooth (Debian/Ubuntu) |
| The isdn service should be disabled. (86) |
Ensure the isdn service is disabled and the isdnutils-base package is not installed - service and package rules combined | Description: An attacker could use a modem to gain unauthorized access | Uninstall the isdnutils-base package: yum remove isdnutils-base (RHEL/CentOS) or apt remove isdnutils-base (Debian/Ubuntu) |
| The isdnutils-base package should be uninstalled. (87) |
Ensure the isdn service is disabled and the isdnutils-base package is not installed - service and package rules combined | Description: An attacker could use a modem to gain unauthorized access | Uninstall the isdnutils-base package: yum remove isdnutils-base (RHEL/CentOS) or apt remove isdnutils-base (Debian/Ubuntu) |
| The kdump service should be disabled. (88) |
Ensure the kdump service is disabled and the kdump-tools package is not installed | Description: An attacker could analyze a previous system crash to retrieve sensitive information | Uninstall the kdump-tools package: yum remove kdump-tools (RHEL/CentOS) or apt remove kdump-tools (Debian/Ubuntu) |
| Zeroconf networking should be disabled. (89) |
Ensure zeroconf networking is disabled | Description: An attacker could abuse this to gain information on networked systems, or spoof DNS requests due to flaws in its trust model | RHEL/CentOS: Add NOZEROCONF=yes to /etc/sysconfig/network. Debian/Ubuntu: Remove ipv4ll entries from /etc/network/interfaces |
| The crond service should be enabled. (90) |
Ensure the cron service is enabled (CIS: L1 - Server - 5.1.1) | Description: Cron is required by almost all systems for regular maintenance tasks | Install the cron package: yum install cron (RHEL/CentOS) or apt install cron (Debian/Ubuntu) and enable the service |
| File permissions for /etc/anacrontab should be set to root:root 600. (91) |
Ensure File permissions on /etc/anacrontab are configured | Description: An attacker could manipulate this file to prevent scheduled tasks or execute malicious tasks | Set ownership and permissions: chown root:root /etc/anacrontab && chmod 600 /etc/anacrontab |
| Ensure permissions on /etc/cron.d are configured. (93) |
Ensure permissions on /etc/cron.d are configured (CIS: L1 - Server - 5.1.7) | Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set ownership and permissions: chown root:root /etc/cron.d && chmod 700 /etc/cron.d |
| Ensure permissions on /etc/cron.daily are configured. (94) |
Ensure permissions on /etc/cron.daily are configured (CIS: L1 - Server - 5.1.4) | Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set ownership and permissions: chown root:root /etc/cron.daily && chmod 700 /etc/cron.daily |
| Ensure permissions on /etc/cron.hourly are configured. (95) |
Ensure permissions on /etc/cron.hourly are configured (CIS: L1 - Server - 5.1.3) | Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set ownership and permissions: chown root:root /etc/cron.hourly && chmod 700 /etc/cron.hourly |
| Ensure permissions on /etc/cron.monthly are configured. (96) |
Ensure permissions on /etc/cron.monthly are configured (CIS: L1 - Server - 5.1.6) | Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set ownership and permissions: chown root:root /etc/cron.monthly && chmod 700 /etc/cron.monthly |
| Ensure permissions on /etc/cron.weekly are configured. (97) |
Ensure permissions on /etc/cron.weekly are configured (CIS: L1 - Server - 5.1.5) | Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set ownership and permissions: chown root:root /etc/cron.weekly && chmod 700 /etc/cron.weekly |
| Ensure at/cron is restricted to authorized users (98) |
Ensure at/cron is restricted to authorized users (CIS: L1 - Server - 5.1.8) | Description: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It's easier to manage an allowlist than a denylist. In a denylist, you could potentially add a user ID to the system and forget to add it to the deny files. |
Create /etc/cron.allow and /etc/at.allow with authorized users, remove /etc/cron.deny and /etc/at.deny |
| SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config Protocol = 2' (106.1) |
Ensure that the SSH protocol is configured (CIS: L1 - Server - 5.2.4) | Description: An attacker could use flaws in an earlier version of the SSH protocol to gain access | Add Protocol 2 to /etc/ssh/sshd_config and restart sshd service |
| SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config IgnoreRhosts = yes' (106.3) |
Ensure that the SSH IgnoreRhosts is configured (CIS: L1 - Server - 5.2.8) | Description: An attacker could use flaws in the Rhosts protocol to gain access | Add IgnoreRhosts yes to /etc/ssh/sshd_config and restart sshd service |
| Ensure SSH LogLevel is set to INFO (106.5) |
Ensure that the SSH LogLevel is configured (CIS: L1 - Server - 5.2.5) | Description: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it's difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it's important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. |
Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO |
| Ensure SSH MaxAuthTries is set to 6 or less (106.7) |
Ensure that the SSH MaxAuthTries is configured (CIS: L1 - Server - 5.2.7) | Description: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. |
Ensure SSH MaxAuthTries is set to 6 or less Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 6 |
| Ensure SSH access is limited (106.11) |
Ensure that the allowed users for SSH access are configured (CIS: L1 - Server - 5.2.18) | Description: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. | Ensure SSH access is limited Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups |
| Emulation of the rsh command through the ssh server should be disabled. - '/etc/ssh/sshd_config RhostsRSAAuthentication = no' (107) |
N/A | Description: An attacker could use flaws in the RHosts protocol to gain access | Add RhostsRSAAuthentication no to /etc/ssh/sshd_config and restart sshd service |
| SSH host-based authentication should be disabled. - '/etc/ssh/sshd_config HostbasedAuthentication = no' (108) |
Ensure that the SSH HostBasedAuthentication is configured (CIS: L1 - Server - 5.2.9) | Description: An attacker could use host-based authentication to gain access from a compromised host | Add HostbasedAuthentication no to /etc/ssh/sshd_config and restart sshd service |
| Root login via SSH should be disabled. - '/etc/ssh/sshd_config PermitRootLogin = no' (109) |
Ensure that the SSH PermitRootLogin is configured (CIS: L1 - Server - 5.2.10) | Description: An attacker could brute force the root password, or hide their command history by logging in directly as root | Add PermitRootLogin no to /etc/ssh/sshd_config and restart sshd service |
| Remote connections from accounts with empty passwords should be disabled. - '/etc/ssh/sshd_config PermitEmptyPasswords = no' (110) |
Ensure that the SSH PermitEmptyPasswords is configured (CIS: L1 - Server - 5.2.11) | Description: An attacker could gain access through password guessing | Add PermitEmptyPasswords no to /etc/ssh/sshd_config and restart sshd service |
| Ensure SSH Idle Timeout Interval is configured. (110.1) |
Ensure that the SSH ClientAliveCountMax is configured | Description: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session. Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent. |
Edit the /etc/ssh/sshd_config file to set the parameters according to the policy |
| Ensure SSH LoginGraceTime is set to one minute or less. (110.2) |
Ensure that the SSH LoginGraceTime is configured (CIS: L1 - Server - 5.2.17) | Description: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. |
Add LoginGraceTime 60 to /etc/ssh/sshd_config and restart sshd service |
| Ensure only approved MAC algorithms are used (110.3) |
Ensure that only approved MAC algorithms are used (CIS: L1 - Server - 5.2.14) | Description: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information | Add approved MACs to /etc/ssh/sshd_config: MACs hmac-sha2-512,hmac-sha2-256 and restart sshd service |
| Ensure remote login warning banner is configured properly. (111) |
Ensure the remote login warning banner is properly configured (CIS: L1 - Server - 1.7.1.3) | Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the uname -acommand once they have logged in. |
Remove system information escape sequences (\m, \r, \s, \v) from /etc/issue.net and replace with appropriate warning text |
| Ensure local login warning banner is configured properly. (111.1) |
Ensure the local login warning banner is properly configured (CIS: L1 - Server - 1.7.1.2) | Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the uname -acommand once they have logged in. |
Remove system information escape sequences (\m, \r, \s, \v) from /etc/issue and replace with appropriate warning text |
| SSH warning banner should be enabled. - '/etc/ssh/sshd_config Banner = /etc/issue.net' (111.2) |
Ensure that the SSH warning banner is configured (CIS: L1 - Server - 5.2.19) | Description: Users will not be warned that their actions on the system are monitored | Add Banner /etc/issue.net to /etc/ssh/sshd_config and restart sshd service |
| Users aren't allowed to set environment options for SSH. (112) |
Ensure that the SSH PermitUserEnvironment is configured (CIS: L1 - Server - 5.2.12) | Description: An attacker may be able to bypass some access restrictions over SSH | Remove the line 'PermitUserEnvironment yes' from the file '/etc/ssh/sshd_config' |
| Appropriate ciphers should be used for SSH. (Ciphers aes128-ctr,aes192-ctr,aes256-ctr) (113) |
Ensure that appropriate ciphers are used for SSH (CIS: L1 - Server - 5.2.13) | Description: An attacker could compromise a weakly secured SSH connection | Add Ciphers aes128-ctr,aes192-ctr,aes256-ctr to /etc/ssh/sshd_config and restart sshd service |
| The avahi-daemon service should be disabled. (114) |
Ensure the avahi-daemon service is disabled (CIS: L1 - Server - 2.2.3) | Description: An attacker could use a vulnerability in the avahi daemon to gain access | Disable the avahi-daemon service: systemctl disable avahi-daemon (systemd) or chkconfig avahi-daemon off (sysv) |
| The cups service should be disabled. (115) |
Ensure the cups service is disabled (CIS: L1 - Server - 2.2.4) | Description: An attacker could use a flaw in the cups service to elevate privileges | Disable the cups service: systemctl disable cups (systemd) or chkconfig cups off (sysv) |
| The isc-dhcpd service should be disabled. (116) |
Ensure the isc-dhcp-server package is not installed (CIS: L1 - Server - 2.2.5) - service and package rules combined | Description: An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation. | Remove the isc-dhcp-server package: yum remove dhcp-server (RHEL/CentOS) or apt remove isc-dhcp-server (Debian/Ubuntu) |
| The isc-dhcp-server package should be uninstalled. (117) |
Ensure the isc-dhcp-server package is not installed (CIS: L1 - Server - 2.2.5) - service and package rules combined | Description: An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation. | Remove the isc-dhcp-server package: yum remove dhcp-server (RHEL/CentOS) or apt remove isc-dhcp-server (Debian/Ubuntu) |
| The sendmail package should be uninstalled. (120) |
Ensure the sendmail package is not installed | Description: An attacker could use this system to send emails with malicious content to other users | Uninstall the sendmail package: yum remove sendmail (RHEL/CentOS) or apt remove sendmail (Debian/Ubuntu) |
| The postfix package should be uninstalled. (121) |
Ensure the postfix package is not installed | Description: An attacker could use this system to send emails with malicious content to other users | Uninstall the postfix package: yum remove postfix (RHEL/CentOS) or apt remove postfix (Debian/Ubuntu) |
| Postfix network listening should be disabled as appropriate. (122) |
Ensure that postfix network listening is disabled | Description: An attacker could use this system to send emails with malicious content to other users | Add the line 'inet_interfaces localhost' to the file '/etc/postfix/main.cf' |
| The ldap service should be disabled. (124) |
Ensure the ldap service is disabled and the sldapd package is not installed (CIS: L1 - Server - 2.2.6) | Description: An attacker could manipulate the LDAP service on this host to distribute false data to LDAP clients | Uninstall the slapd package: yum remove openldap-servers (RHEL/CentOS) or apt remove slapd (Debian/Ubuntu) |
| The rpcgssd service should be disabled. (126) |
Ensure the rpcgssd service is disabled | Description: An attacker could use a flaw in rpcgssd/nfs to gain access | Disable the rpcgssd service: systemctl disable rpc-gssd (systemd) or chkconfig rpc-gssd off (sysv) |
| The rpcidmapd service should be disabled. (127) |
Ensure the rpcidmapd service is disabled | Description: An attacker could use a flaw in idmapd/nfs to gain access | Disable the rpcidmapd service: systemctl disable rpc-idmapd (systemd) or chkconfig rpc-idmapd off (sysv) |
| The portmap service should be disabled. (129.1) |
Ensure the portmap service is disabled | Description: An attacker could use a flaw in portmap to gain access | Disable the rpcbind service: systemctl disable rpcbind (systemd) or chkconfig rpcbind off (sysv) |
| The Network File System (NFS) service should be disabled. (129.2) |
Ensure the Network File System (NFS) service is disabled (CIS: L1 - Server - 2.2.7 - partial) | Description: An attacker could use nfs to mount shares and execute/copy files. | Disable the nfs service: systemctl disable nfs-server (systemd) or chkconfig nfs off (sysv) |
| The rpcsvcgssd service should be disabled. (130) |
Ensure the rpcsvcgssd service is disabled | Description: An attacker could use a flaw in rpcsvcgssd to gain access | Remove the line 'NEED_SVCGSSD = yes' from the file '/etc/inetd.conf' |
| The named service should be disabled. (131) |
Ensure the named service is disabled and the bind9 package is not installed (CIS: L1 - Server - 2.2.8) - service and package rules combined | Description: An attacker could use the DNS service to distribute false data to clients | Uninstall the bind package: yum remove bind (RHEL/CentOS) or apt remove bind9 (Debian/Ubuntu) |
| The bind package should be uninstalled. (132) |
Ensure the named service is disabled and the bind9 package is not installed (CIS: L1 - Server - 2.2.8) - service and package rules combined | Description: An attacker could use the DNS service to distribute false data to clients | Uninstall the bind package: yum remove bind (RHEL/CentOS) or apt remove bind9 (Debian/Ubuntu) |
| The dovecot service should be disabled. (137) |
Ensure the dovecot service is disabled and the dovecot-core package is not installed - service and package rules combined | Description: The system could be used as an IMAP/POP3 server | Uninstall the dovecot package: yum remove dovecot (RHEL/CentOS) or apt remove dovecot-core (Debian/Ubuntu) |
| The dovecot package should be uninstalled. (138) |
Ensure the dovecot service is disabled and the dovecot-core package is not installed - service and package rules combined | Description: The system could be used as an IMAP/POP3 server | Uninstall the dovecot package: yum remove dovecot (RHEL/CentOS) or apt remove dovecot-core (Debian/Ubuntu) |
Ensure no legacy + entries exist in /etc/passwd(156.1) |
Ensure no legacy + entries exist in /etc/passwd (CIS: L1 - Server - 6.2.2) | Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/passwd that begin with '+:' |
Ensure no legacy + entries exist in /etc/shadow(156.2) |
Ensure no legacy + entries exist in /etc/shadow (CIS: L1 - Server - 6.2.3) | Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/shadow that begin with '+:' |
Ensure no legacy + entries exist in /etc/group(156.3) |
Ensure no legacy + entries exist in /etc/group (CIS: L1 - Server - 6.2.4) | Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/group that begin with '+:' |
| Ensure password expiration is 365 days or less. (157.1) |
Ensure password expiration is configured (CIS: L1 - Server - 5.4.1.1) | Description: Reducing the maximum age of a password also reduces an attacker's window of opportunity to leverage compromised credentials or successfully compromise credentials via an online brute force attack. | Set PASS_MAX_DAYS 365 in /etc/login.defs |
| Ensure password expiration warning days is 7 or more. (157.2) |
Ensure password expiration warning days is configured (CIS: L1 - Server - 5.4.1.3) | Description: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered. | Set PASS_WARN_AGE 7 in /etc/login.defs |
| Ensure password reuse is limited. (157.5) |
Ensure password reuse is limited (CIS: L1 - Server - 5.3.3) | Description: Forcing users not to reuse their past five passwords makes it less likely that an attacker will be able to guess the password. | Add remember=5 to PAM password module in /etc/pam.d/common-password |
| Ensure password hashing algorithm is SHA-512 (157.11) |
Ensure the password hashing algorithm is SHA-512 (CIS: L1 - Server - 5.3.4) | Description: The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system. | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate /etc/pam.d/ configuration file and add or modify the pam_unix.so lines to include the sha512 option: password sufficient pam_unix.so sha512 |
| Ensure minimum days between password changes is 7 or more. (157.12) |
Ensure the minimum days between password changes is configured (CIS: L1 - Server - 5.4.1.2) | Description: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls. | Set PASS_MIN_DAYS 7 in /etc/login.defs and run chage --mindays 7 <username> for existing users |
| Ensure all users last password change date is in the past (157.14) |
Ensure the inactive password lock period is configured (CIS: L1 - Server - 5.4.1.4) | Description: If a users recorded password change date is in the future, then they could bypass any set password expiration. | Ensure inactive password lock is 30 days or less Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 |
| Ensure system accounts are non-login (157.15) |
Ensure all system accounts are non-login (CIS: L1 - Server - 5.4.2) | Description: It's important to make sure that accounts that aren't being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it's also recommended that the shell field in the password file be set to /usr/sbin/nologin. This prevents the account from potentially being used to run any commands. |
Set the shell for any accounts returned by the audit script to /sbin/nologin |
| Ensure default group for the root account is GID 0 (157.16) |
Ensure default group for the root account is GID 0 (CIS: L1 - Server - 5.4.3) | Description: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users. |
Run the following command to set the root user default group to GID 0 : # usermod -g 0 root |
| Ensure root is the only UID 0 account (157.18) |
Ensure root is the only UID 0 account (CIS: L1 - Server - 6.2.5) | Description: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism. |
Remove any users other than root with UID 0 or assign them a new UID if appropriate. |
| Remove unnecessary accounts (159) |
Ensure unnecessary accounts are removed | Description: For compliance | Remove the unnecessary accounts |
| Ensure auditd service is enabled (162) |
Ensure the auditd package is installed | Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | Install audit package (systemctl enable auditd) |
| Run AuditD service (163) |
Ensure the auditd service is running | Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | Run AuditD service (systemctl start auditd) |
| Ensure SNMP Server is not enabled (179) |
Ensure the SNMP Server is not enabled (CIS: L1 - Server - 2.2.14) | Description: The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it's recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1. | Run one of the following commands to disable snmpd: # chkconfig snmpd off # systemctl disable snmpd # update-rc.d snmpd disable |
| Ensure rsync service is not enabled (181) |
Ensure the rsync service is not enabled (CIS: L1 - Server - 2.2.16) | Description: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. |
Disable the rsync service: systemctl disable rsyncd (systemd) or chkconfig rsyncd off (sysv) |
| Ensure NIS server is not enabled (182) |
Ensure the NIS server is not enabled (CIS: L1 - Server - 2.2.17) | Description: The NIS service is an inherently insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS is generally replaced by protocols like Lightweight Directory Access Protocol (LDAP). It's recommended that the service be disabled and more secure services be used | Run one of the following commands to disable ypserv : # chkconfig ypserv off # systemctl disable ypserv # update-rc.d ypserv disable |
| Ensure rsh client is not installed (183) |
Ensure the rsh client is not installed (CIS: L1 - Server - 2.3.2) | Description: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it's best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin. |
Uninstall rsh using the appropriate package manager: yum remove rsh (RHEL/CentOS), apt remove rsh (Debian/Ubuntu), or zypper remove rsh (SUSE) |
| Disable SMB V1 with Samba (185) |
Ensure SMB V1 with Samba is disabled (CIS: L1 - Server - 2.2.12) | Description: SMB v1 has well-known, serious vulnerabilities and does not encrypt data in transit. If it must be used for business reasons, it's strongly recommended that additional steps be taken to mitigate the risks inherent to this protocol. | Add min protocol = SMB2 to [global] section in /etc/samba/smb.conf and restart smbd service |
Note
Availability of specific Azure Policy guest configuration settings may vary in Azure Government and other national clouds.
Next steps
Additional articles about Azure Policy and guest configuration:
- Azure Policy guest configuration.
- Regulatory Compliance overview.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources with the new azure-osconfig auto-remediation function Limited Public Preview.