BigFix Compliance: Updated CIS Checklist for Ubuntu 18.04 LTS Server, published 2026-04-10

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Ubuntu 18.04 LTS Server.

Security Benchmark:
CIS Ubuntu Linux 18.04 LTS Benchmark, V2.2.0

Published Sites:
CIS Checklist for Ubuntu 18.04 LTS Server, site version 25.
(The site version is provided for air-gap customers.)

Details:

Total New Fixlets: 69

Total Updated Fixlets: 134

Total Deleted Fixlets: 83

Total Fixlets in Site: 269

New Fixlets:

● Ensure GDM autorun-never is enabled

● Ensure audit configuration files are owned by root

● Ensure cryptographic mechanisms are used to protect the integrity of audit tools

● Ensure GDM disable-user-list option is enabled

● Ensure audit tools belong to group root

● Ensure successful and unsuccessful attempts to use the setfacl command are recorded

● Ensure Automatic Error Reporting is not enabled

● Ensure re-authentication for privilege escalation is not disabled globally

● Ensure sshd MaxAuthTries is configured

● Ensure GDM autorun-never is not overridden

● Ensure audit log files are mode 0640 or less permissive

● Ensure only authorized groups are assigned ownership of audit log files

● Ensure audit configuration files belong to group root

● Ensure the number of changed characters in a new password is configured

● Ensure audit tools are 755 or more restrictive

● Ensure GDM screen locks cannot be overridden

● Ensure chrony is enabled and running

● Ensure noexec option set on /var/log/audit partition

● Ensure nosuid option set on /var/log/audit partition

● Ensure nosuid option set on /var partition

● Ensure systemd-journal-remote is configured

● Ensure bluetooth services are not in use

● Ensure permissions on /etc/security/opasswd are configured

● Ensure /etc/shadow password fields are not empty

● Ensure noexec option set on /var/log partition

● Ensure GDM screen locks when the user is idle

● Ensure the running and on disk configuration is the same

● Ensure events that modify the sudo log file are collected

● Ensure sudo authentication timeout is configured correctly

● Ensure systemd-journal-remote is enabled

● Ensure journald is not configured to receive logs from a remote client

● Ensure dnsmasq is not installed

● Ensure nodev option set on /var/log partition

● Ensure IPv6 status is identified

● Ensure the audit log directory is 0750 or more restrictive

● Ensure iptables are flushed with nftables

● Ensure successful and unsuccessful attempts to use the usermod command are recorded

● Ensure ntp is configured with authorized timeserver

● Ensure nodev option set on /var/log/audit partition

● Ensure password dictionary check is enabled

● Ensure sshd DisableForwarding is enabled

● Ensure ntp is running as user ntp

● Ensure users must provide password for privilege escalation

● Ensure journald log rotation is configured per site policy

● Ensure sshd GSSAPIAuthentication is disabled

● Ensure journald default file permissions configured

● Ensure ptrace_scope is restricted

● Ensure maximum number of same consecutive characters in a password is configured

● Ensure ntp is enabled and running

● Correct platform is installed on CISCAT Host

● Ensure nosuid option set on /var/log partition

● Ensure systemd-journal-remote is installed

● Ensure successful and unsuccessful attempts to use the chacl command are recorded

● Ensure GDM automatic mounting of removable media is disabled

● Ensure only authorized users own audit log files

● Ensure rsyslog is not configured to receive logs from a remote client

● Ensure permissions on /etc/shells are configured

● Ensure chrony is running as user _chrony

● Ensure systemd-timesyncd is enabled and running

● Ensure nologin is not listed in /etc/shells

● Ensure journald service is enabled

● Ensure GDM disabling automatic mounting of removable media is not overridden

● Ensure journald is not configured to send logs to rsyslog

● Ensure nodev option set on /var partition

● Ensure audit configuration files are 640 or more restrictive

● Ensure all current passwords uses the configured hashing algorithm

● Ensure successful and unsuccessful attempts to use the chcon command are recorded

● Ensure audit tools are owned by root

● Ensure nosuid option set on /home partition

Updated Fixlets:

● Ensure mounting of udf filesystems is disabled

● Disable USB Storage

● Ensure nodev option set on /tmp partition

● Ensure noexec option set on /tmp partition

● Ensure nosuid option set on /tmp partition

● Ensure separate partition exists for /var

● Ensure separate partition exists for /var/tmp

● Ensure separate partition exists for /var/log

● Ensure separate partition exists for /var/log/audit

● Ensure separate partition exists for /home

● Ensure nodev option set on /dev/shm partition

● Ensure noexec option set on /dev/shm partition

● Ensure nosuid option set on /dev/shm partition

● Ensure AIDE is installed

● Ensure filesystem integrity is regularly checked

● Ensure bootloader password is set

● Ensure permissions on bootloader config are configured

● Ensure core dumps are restricted

● Ensure address space layout randomization (ASLR) is enabled

● Ensure local login warning banner is configured properly

● Ensure remote login warning banner is configured properly

● Ensure permissions on /etc/issue are configured

● Ensure permissions on /etc/issue.net are configured

● Ensure X Window System is not installed

● Ensure IMAP and POP3 server are not installed

● Ensure Samba is not installed

● Ensure HTTP Proxy Server is not installed

● Ensure SNMP Server is not installed

● Ensure NIS Server is not installed

● Ensure mail transfer agent is configured for local-only mode

● Ensure Avahi Server is not installed

● Ensure CUPS is not installed

● Ensure DHCP Server is not installed

● Ensure LDAP server is not installed

● Ensure NFS is not installed

● Ensure DNS Server is not installed

● Ensure FTP Server is not installed

● Ensure HTTP server is not installed

● Ensure NIS Client is not installed

● Ensure rsh client is not installed

● Ensure talk client is not installed

● Ensure telnet client is not installed

● Ensure LDAP client is not installed

● Ensure RPC is not installed

● Ensure nonessential services are removed or masked

● Ensure packet redirect sending is disabled

● Ensure source routed packets are not accepted

● Ensure suspicious packets are logged

● Ensure ufw is installed

● Ensure ufw service is enabled

● Ensure ufw outbound connections are configured

● Ensure ufw firewall rules exist for all open ports

● Ensure ufw default deny firewall policy

● Ensure ufw is uninstalled or disabled with nftables

● Ensure nftables loopback traffic is configured

● Ensure nftables default deny firewall policy

● Ensure iptables packages are installed

● Ensure nftables is not installed with iptables

● Ensure ufw is uninstalled or disabled with iptables

● Ensure iptables default deny firewall policy

● Ensure ip6tables default deny firewall policy

● Ensure ip6tables loopback traffic is configured

● Ensure ip6tables outbound and established connections are configured

● Ensure ip6tables firewall rules exist for all open ports

● Ensure permissions on /etc/crontab are configured

● Ensure permissions on /etc/cron.hourly are configured

● Ensure permissions on /etc/cron.daily are configured

● Ensure permissions on /etc/cron.weekly are configured

● Ensure permissions on /etc/cron.monthly are configured

● Ensure permissions on /etc/cron.d are configured

● Ensure cron is restricted to authorized users

● Ensure at is restricted to authorized users

● Ensure permissions on /etc/ssh/sshd_config are configured

● Ensure sudo is installed

● Ensure sudo commands use pty

● Ensure sudo log file exists

● Ensure access to the su command is restricted

● Ensure password creation requirements are configured

● Ensure lockout for failed password attempts is configured

● Ensure password reuse is limited

● Ensure minimum days between password changes is configured

● Ensure password expiration is 365 days or less

● Ensure password expiration warning days is 7 or more

● Ensure inactive password lock is 30 days or less

● Ensure all users last password change date is in the past

● Ensure system accounts are secured

● Ensure journald is configured to compress large log files

● Ensure journald is configured to write logfiles to persistent disk

● Ensure rsyslog is installed

● Ensure journald is configured to send logs to rsyslog

● Ensure logging is configured

● Ensure rsyslog is configured to send logs to a remote log host

● Ensure auditd is installed

● Ensure auditing for processes that start prior to auditd is enabled

● Ensure audit_backlog_limit is sufficient

● Ensure audit log storage size is configured

● Ensure system is disabled when audit logs are full

● Ensure changes to system administration scope (sudoers) is collected

● Ensure successful file system mounts are collected

● Ensure session initiation information is collected

● Ensure login and logout events are collected

● Ensure file deletion events by users are collected

● Ensure events that modify the system's Mandatory Access Controls are collected

● Ensure the audit configuration is immutable

● Ensure events that modify date and time information are collected

● Ensure events that modify the system's network environment are collected

● Ensure events that modify user/group information are collected

● Ensure discretionary access control permission modification events are collected

● Ensure permissions on /etc/passwd are configured

● Ensure permissions on /etc/passwd- are configured

● Ensure permissions on /etc/group are configured

● Ensure permissions on /etc/group- are configured

● Ensure permissions on /etc/shadow are configured

● Ensure permissions on /etc/shadow- are configured

● Ensure permissions on /etc/gshadow are configured

● Ensure permissions on /etc/gshadow- are configured

● Ensure shadow group is empty

● Ensure no duplicate UIDs exist

● Ensure no duplicate GIDs exist

● Ensure no duplicate user names exist

● Ensure no duplicate group names exist

● Ensure mounting of cramfs filesystems is disabled

● Ensure mounting of freevxfs filesystems is disabled

● Ensure mounting of jffs2 filesystems is disabled

● Ensure mounting of hfs filesystems is disabled

● Ensure mounting of hfsplus filesystems is disabled

● Ensure AppArmor is installed

● Ensure message of the day is configured properly

● Ensure permissions on /etc/motd are configured

● Ensure GNOME Display Manager is removed

● Ensure GDM login banner is configured

● Ensure wireless interfaces are disabled

● Ensure accounts in /etc/passwd use shadowed passwords

● Ensure all groups in /etc/passwd exist in /etc/group

Deleted Fixlets:

● Ensure /var/tmp partition includes the nodev option

● Ensure /var/tmp partition includes the nosuid option

● Ensure /var/tmp partition includes the noexec option

● Ensure /home partition includes the nodev option

● Ensure nodev option set on removable media partitions

● Ensure /tmp is configured

● Ensure nosuid option set on removable media partitions

● Ensure noexec option set on removable media partitions

● Ensure sticky bit is set on all world-writable directories

● Disable Automounting

● Ensure /dev/shm is configured

● Ensure permissions on bootloader config are not overridden

● Ensure XD/NX support is enabled

● Ensure prelink is disabled

● Ensure disable-userlist is enabled

● Ensure systemd-timesyncd is configured

● Ensure chrony is configured

● Ensure ntp is configured

● Ensure rsync service is not installed

● Disable IPv6

● Ensure IP forwarding is disabled

● Ensure ICMP redirects are not accepted

● Ensure secure ICMP redirects are not accepted

● Ensure broadcast ICMP requests are ignored

● Ensure bogus ICMP responses are ignored

● Ensure Reverse Path Filtering is enabled

● Ensure TCP SYN Cookies is enabled

● Ensure IPv6 router advertisements are not accepted

● Ensure DCCP is disabled

● Ensure SCTP is disabled

● Ensure RDS is disabled

● Ensure TIPC is disabled

● Ensure auditd service is enabled

● Ensure unsuccessful unauthorized file access attempts are collected

● Ensure use of privileged commands is collected

● Ensure system administrator command executions (sudo) are collected

● Ensure kernel module loading and unloading is collected

● Ensure rsyslog service is enabled

● Ensure rsyslog default file permissions configured

● Ensure remote rsyslog messages are only accepted on designated log hosts

● Ensure permissions on all logfiles are configured

● Ensure logrotate is configured

● Ensure logrotate assigns appropriate permissions

● Ensure cron daemon is enabled and running

● Ensure SSH root login is disabled

● Ensure SSH PermitEmptyPasswords is disabled

● Ensure SSH PermitUserEnvironment is disabled

● Ensure only strong ciphers are used

● Ensure only strong MAC algorithms are used

● Ensure only strong key exchange algorithms are used

● Ensure SSH Idle Timeout Interval is configured

● Ensure SSH LoginGraceTime is set to one minute or less

● Ensure SSH warning banner is configured

● Ensure SSH PAM is enabled

● Ensure permissions on SSH private host key files are configured

● Ensure SSH AllowTcpForwarding is disabled

● Ensure SSH MaxStartups is configured

● Ensure SSH MaxSessions is limited

● Ensure permissions on SSH public host key files are configured

● Ensure SSH access is limited

● Ensure SSH LogLevel is appropriate

● Ensure SSH X11 forwarding is disabled

● Ensure SSH MaxAuthTries is set to 4 or less

● Ensure SSH IgnoreRhosts is enabled

● Ensure SSH HostbasedAuthentication is disabled

● Ensure password hashing algorithm is SHA-512

● Ensure default user shell timeout is 900 seconds or less

● Ensure root login is restricted to system console

● Audit system file permissions

● Ensure no world writable files exist

● Ensure no unowned files or directories exist

● Ensure no ungrouped files or directories exist

● Audit SUID executables

● Audit SGID executables

● Ensure no users have .rhosts files

● Ensure root is the only UID 0 account

● Ensure root PATH Integrity

● Ensure password fields are not empty

● Ensure all users' home directories exist

● Ensure users own their home directories

● Ensure users' home directories permissions are 750 or more restrictive

● Ensure users' dot files are not group or world writable

● Ensure no users have .netrc files

Additional details:

● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
● A few checks were improved by adding the pending restart feature, which works as follows:
● The action results show “Pending Restart” instead of “Fixed” for checks that require an OS reboot.
● The check remains relevant for those endpoints until they are rebooted.
● After the endpoint is rebooted, the action results show “Fixed” and the check becomes compliant.

Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 10.0.0 or later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard.

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

● BigFix Compliance SCM Checklists:
Welcome to Wikis

We hope you find this latest release of SCM content useful and effective.

Thank you!
– The BigFix Compliance team