majm
- 浏览: 34304 次
- 性别:
- 来自: 深圳
-
文章分类
最新评论
Center for Internet Security SUSE
Linux Enterprise Server Benchmark
Version: 2.0
May, 2008
Editor: Nancy Whitney
1
Table of Contents
Terms of Use.......................................................................... 5
Introduction............................................................................ 8
Applicability......................................................................... 8
Root Shell Environment Assumed ..................................................... 8
Executing Actions ................................................................... 8
Reboot Required ..................................................................... 8
Vulnerabilities........................................................................ 8
Backup Key Files .................................................................... 8
Build Considerations ................................................................. 9
Software Package Removal............................................................ 9
Software Package Installation......................................................... 10
1 Patches, Packages and Initial Lockdown................................................ 11
1.1 Apply Latest OS Patches ......................................................... 11
1.2ValidateYourSystemBeforeMakingChanges...................................... 12
1.3 Configure SSH.................................................................. 12
1.4 Enable System Accounting........................................................ 14
1.5 SuSEfirewall2 is active........................................................... 14
1.6 seccheck is active................................................................ 15
1.7 AppArmor is active.............................................................. 15
2 Minimize xinetd network services ..................................................... 16
2.1 Disable Standard Services ........................................................ 16
2.2 Limit access to trusted networks................................................... 16
2.3 OnlyEnabletelnetIfAbsolutely Necessary.........................................17
2.4 OnlyEnableFTP IfAbsolutely Necessary ..........................................18
2.5 Only Enable rlogin/rsh/rcp If Absolutely Necessary .................................. 18
2.6OnlyEnableTFTPServerifAbsolutelyNecessary................................... 19
2.7 OnlyEnableIMAPIf AbsolutelyNecessary.........................................20
2.8OnlyEnablePOPIfAbsolutelyNecessary.......................................... 20
3 Minimize boot services .............................................................. 22
3.1 Set Daemon umask .............................................................. 22
3.2 Disable xinetd, If Possible ........................................................22
3.3 Disable remote SMTP connections................................................. 23
3.4 Disable GUI Login If Possible .................................................... 23
3.5 Disable X Font Server If Possible ................................................. 24
3.6 Disable Standard Boot Services ................................................... 24
3.7 Only Enable SMB (Windows File Sharing) and NMB (NetBIOS Message Block) Processes If
Absolutely Necessary................................................................ 26
3.8O nlyEnableNFSServerProcessesIfAbsolutelyNecessary........................... 26
3.9 Only Enable NFS Client Processes If Absolutely Necessary ...........................26
3.10 OnlyEnableNISClientProcessesIfAbsolutelyNecessary.......................... 27
3.11 Only Enable NIS Server Processes If Absolutely Necessary .......................... 27
3.12 OnlyEnableRPCPortmapProcessIfAbsolutelyNecessary......................... 28
3.13 OnlyEnablencpfsScriptIfAbsolutelyNecessary.................................. 28
3.14 OnlyEnableWebServerProcessesIfAbsolutelyNecessary......................... 28
3.15 OnlyEnableSNMPProcessesIfAbsolutelyNecessary............................. 29
3.16 Only Enable DNS Server Process If Absolutely Necessary ...........................29
3.17 Only Enable SQL services If Absolutely Necessary ................................. 30
3.18OnlyEnableWebminProcessesIfAbsolutelyNecessary............................ 30
3.19OnlyEnableSquidCacheServerIfAbsolutelyNecessary........................... 30
4 Kernel Tuning ...................................................................... 32
4.1 Network Parameter Modifications ................................................. 32
4.2 AdditionalNetworkParameterModifications........................................ 33
5 Logging............................................................................ 35
5.1 syslog is active.................................................................. 35
5.2 NTP is active....................................................................35
5.3 System log file permissions....................................................... 36
5.4 Configure remote system logging.................................................. 36
6 File/Directory Permissions/Access .....................................................38
6.1 Add'nodev'OptionToAppropriatePartitionsIn/etc/fstab............................ 38
6.2 Add 'nosuid' and 'nodev' Option For Removable Media In /etc/fstab............. 38
6.3 Disable User-Mounted Removable File Systems .....................................39
6.4 Verifypasswd,shadow,andgroupFilePermissions................................. 40
6.5 World-Writable Directories Should Have Their Sticky Bit Set ......................... 40
6.6FindUnauthorizedWorld-WritableFiles........................................... 40
6.7FindUnauthorizedSUID/SGIDSystemExecutables................................. 41
6.8 Find All Unowned Files.......................................................... 41
6.9DisableUSBDevices(AKAHotplugger)........................................... 42
7 SystemAccess,Authentication,andAuthorization...................................... 43
7.1Remove.rhostsSupportInPAMConfigurationFiles................................ 43
7.2 /etc/ftpusers..................................................................... 43
7.3PreventXServerFromListeningOnPort6000/tcp.................................. 44
7.4 Restrict at/cron To Authorized Users .............................................. 45
7.5 RestrictPermissionsOn crontab Files ..............................................46
7.6 Configure xinetd Access Control .................................................. 46
7.7 Restrict RootLoginsTo SystemConsole...........................................47
7.8 Set LILO/GRUB Password ....................................................... 47
7.9 RequireAuthenticationForSingle-UserMode...................................... 48
7.10 RestrictNFSClientRequestsToPrivilegedPorts.................................. 49
7.11 Only Enable syslog To Accept Messages If Absolutely Necessary. . . . . . . . . . . . . . . . . . . . . 50
8 User Accounts and Environment ...................................................... 52
8.1 Block System Accounts .......................................................... 52
8.2VerifyThatThereAreNoAccountsWithEmptyPasswordFields..................... 52
8.3 Set Account Expiration and Password Parameters On Active Accounts . . . . . . . . . . . . . . . . . 53
8.4 Verify No Legacy '+' Entries Exist In passwd, shadow, And group Files . . . . . . . . . . . . . . . . 54
8.5 Verify That No UID 0 Accounts Exist Other Than Root .............................. 54
8.6No'.'orGroup/World-WritableDirectoryInRoot's$PATH.......................... 54
8.7UserHomeDirectoriesShouldBeMode750orMoreRestrictive...................... 55
8.8NoUserDot-FilesShouldBeWorld-Writable...................................... 55
8.9 Remove User .netrc Files......................................................... 56
8.10 Set Default umask For Users .................................................... 56
8.11 Disable Core Dumps ........................................................... 58
8.12LimitAccessToTheRootAccountFromsu...................................... 58
8.13 Reboot.........................................................................59
9 Warning Banners.................................................................... 60
9.1 CreateWarningsForNetworkAndPhysicalAccessServices.......................... 60
9.2 Create Warnings For GUI-Based Logins............................................ 62
9.3 Create "authorized only" Banners For vsftpd, If Applicable............................ 64
10 Anti-Virus Consideration............................................................ 65
10.1 Anti-Virus Products............................................................. 65
11 Remove Backup Files............................................................... 66
11.1 Remove Backup Files........................................................... 66
12 Additional Security Notes............................................................67
12.1 Create Symlinks ForDangerous Files .............................................67
12.2 Enable TCP SYN Cookie Protection.............................................. 67
12.3 Additional LILO/GRUB Security ................................................ 68
12.4 EvaluatePackagesAssociatedWithStartupScripts................................. 68
12.5 Evaluate Every Installed Package................................................. 69
12.6 Configure sudo................................................................. 70
12.7 Additional Kernel Tunings....................................................... 70
12.8RemoveAllCompilersandAssemblers........................................... 71
Appendix A: File Backup Script.........................................................72
Appendix B: Change History............................................................74
Terms of Use
Background.
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data,
information, suggestions, ideas, and other services and materials from the CIS website or elsewhere
("Products") as a public service to Internet users worldwide. Recommendations contained in the
Products ("Recommendations") result from a consensus-building process that involves many
security experts and are generally generic in nature. The Recommendations are intended to provide
helpful information to organizations attempting to evaluate or improve the security of their networks,
systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to
specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for
anyone's information security needs.
No Representations, Warranties, or Covenants.
CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative
effect of the Products or the Recommendations on the operation or the security of any particular
network, computer system, network device, software, hardware, or any component of any of
the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the
Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available"
without representations, warranties, or covenants of any kind.
User Agreements.
By using the Products and/or the Recommendations, I and/or my organization ("We") agree and
acknowledge that:
1. No network, system, device, hardware, software, or component can be made fully secure;
2. We are using the Products and the Recommendations solely at our own risk;
3. We are not compensating CIS to assume any liabilities associated with our use of the Products or
the Recommendations, even risks that result from CIS's negligence or failure to perform;
4. We have the sole responsibility to evaluate the risks and benefits of the Products and
Recommendations to us and to adapt the Products and the Recommendations to our particular
circumstances and requirements;
5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections,
updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades,
or bug fixes; and
6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in
contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special
damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation,
loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any
computer or other equipment, business interruption, wasted management or other staff resources or
5
claims of any kind against us from third parties) arising out of or in any way connected with our use of
or our inability to use any of the Products or Recommendations (even if CIS has been advised of the
possibility of such damages), including without limitation any liability associated with infringement
of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or
other harmful items.
Grant of Limited Rights.
CIS hereby grants each user the following rights, but only so long as the user complies with all of the
terms of these Agreed Terms of Use:
1. Except to the extent that we may have received additional authorization pursuant to a written
agreement with CIS, each user may download, install and use each of the Products on a single
computer;
2. Each user may print one or more copies of any Product or any component of a Product that is in a
.txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact,
including without limitation the text of this Agreed Terms of Use in its entirety.
Retention of Intellectual Property Rights; Limitations on Distribution.
The Products are protected by copyright and other intellectual property laws and by international
treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights
in the Products and that full title and all ownership rights to the Products will remain the exclusive
property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding
section entitled "Grant of limited rights."
Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of
CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in
a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer,
or otherwise attempt to derive the source code for any software Product that is not already in the form
of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise
transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or
any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar
mechanism or device, without regard to whether such mechanism or device is internal or external, (iv)
remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels
in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter
these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use
any Product or any component of a Product with any derivative works based directly on a Product or
any component of a Product; (vii) use any Product or any component of a Product with other products
or applications that are directly and specifically dependent on such Product or any component for
any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS
Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or
entities in any of the activities listed in this paragraph.
We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors, members,
contributors, employees, authors, developers, agents, affiliates, licensors, information and service
providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation,
6
development, or maintenance of the Products or Recommendations ("CIS Parties") harmless from
and against any and all liability, losses, costs, and expenses (including attorneys' fees and court costs)
incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us
of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the
exclusive defense and control of any matter subject to this indemnification, and in such case, we agree
to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party
beneficiaries of our undertakings in these Agreed Terms of Use.
Special Rules.
The distribution of the NSA Security Recommendations is subject to the terms of the NSA
Legal Notice and the terms contained in the NSA Security Recommendations themselves
(http://nsa2.www.conxion.com/cisco/notice.htm).
CIS has created and will from time to time create, special rules for its members and for other persons
and organizations with which CIS has a written contractual relationship. Those special rules will
override and supersede these Agreed Terms of Use with respect to the users who are covered by the
special rules.
CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS
Organizational User Member, but only so long as such Member remains in good standing with CIS
and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products
and Recommendations within such Member's own organization, whether by manual or electronic
means. Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of
such Member's membership arrangement with CIS and may, therefore, be modified or terminated by
CIS at any time.
Choice of Law; Jurisdiction; Venue
We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in
accordance with the laws of the State of Maryland, that any action at law or in equity arising out
of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State
of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the
purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be
unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall
not affect the validity and enforceability of any remaining provisions.
Terms of Use Agreement Version 2.1 – 02/20/04
7
Introduction
Applicability
This benchmark was developed and tested on SUSE Linux Enterprise Server (SLES) 10 SP1. It is
likely to work for other versions of SUSE Linux as well (such as openSUSE). The scoring tool may
yield inaccurate results on non-SUSE systems.
Root Shell Environment Assumed
The actions listed in this document are written with the assumption that they will be executed by the
root user running the bash shell and without noclobber set. Also, the following directories are assumed
to be in root's path:
/bin:/sbin:/usr/bin:/usr/sbin
Executing Actions
The actions listed in this document are written with the assumption that they will be executed in
the order presented here. Some actions may need to be modified if the order is changed. Actions
are written so that they may be copied directly from this document into a root shell window with
a "cut-and-paste" operation. You may find that many of the "chkconfig" actions, which activate or
deactivate services, produce the message "<service name>: unknown service" These messages are
quite normal and should not cause alarm – they simply indicate that the program being referenced
was not installed on your machine. As SUSE Linux installs allow a great deal of flexibility in what
software you choose to install, these messages are unavoidable.
Reboot Required
Rebooting the system is required after completing all of the actions below in order to complete the
re-configuration of the system. In many cases, the changes made in the steps below will not take effect
until this reboot is performed. If substantial operating system updates are performed after the initial
OS load, you may have to reboot more than once.
Vulnerabilities
In addition to any specific issues presented by a particular service or protocol, every service has the
potential of being an entry point into a system if a vulnerability is found. This is why we recommend
that some services are disabled even though there is no clear way to exploit them, and there has never
been a problem with the service. If you are running an un-needed service, you could have a problem if
a hole is found.
Backup Key Files
Before performing the steps of this benchmark it is strongly recommended that administrators make
backup copies of critical configuration files that may get modified by various benchmark items. If this
step is not performed, then the site may have no reasonable back-out strategy for reversing system
modifications made as a result of this document. The script provided in Appendix B of this document
will automatically back up all files that may be modified by the actions below. Note that an executable
copy of this script is also provided in the archive containing the PDF version of this document and the
8
CIS scoring tool. Assuming the administrator is in the directory where the archive has been unpacked,
the command to execute the backup script would be:
./do-backup.sh
One of the byproducts of the do-backup.sh script is /root/do-restore.sh, which is dynamically
generated based on the results of the do-backup.sh script. To roll back the changes performed by this
benchmark, first run RevertBastille followed by do-restore.sh, and all changes will be backed out.
Since not all Linux installations are identical, the do-restore.sh script is created based on the files that
actually existed at the time do-backup.sh was run.
Note: If you make any changes manually to any of the files that were preserved by do-backup.sh,
those changes will be lost when do-restore.sh is executed. It may be prudent to delete the do-restore.sh
script once you have validated the changes to prevent inadvertently undoing the changes.
Build Considerations
If you have not done so already, plan out a partitioned hard drive. The default partitioning for SUSE
Linux Enterprise Server is a single file system. It is preferable to use a setup similar to the following:
/ 1 GB
swap 1xRAM
/var 1 GB
/usr 4 GB
/opt 4 GB
/home remaining disk space
It is important to keep /var and /home on their own partitions. Some applications have a tendency
to crash when the / or /usr filesystem reaches 100%. This could happen if users were to store
considerable amounts of data (developers storing jar files or copies of application logs, for example) or
logs were to fill up their partition. Some Enterprises define a /logs partition and store application logs
there.
For additional security, an additional and separate partition may be created for /boot which creates
the kernel binaries and boot loader configuration. A /boot partition may be mounted read-only to
avoid accidental damage and to make malicious changes a little bit more difficult (e.g. less space
for backdoors in malicious kernel patches). A read-only /boot partition however will require special
procedures for a valid kernel patch (or update).
To limit the inconveniences caused by filling up /home, consider implementing user and group quotas
on the /home filesystem. Quotas will limit how much a single user (or single group) can store on a
given filesystem. More information is available in the SUSE Linux manuals (see the installation CDs).
Software Package Removal
There is considerable debate over the maintenance of unused software packages. Some people feel
that as long as the software is not being used, leaving it installed poses no appreciable risk. Others
9
feel that unused software presents another attack vector and increases the maintenance effort for the
administrators. This Benchmark makes no recommendation for the removal of unused software. If
vulnerable software is present on a system, that vulnerability may be exploitable by a local attacker,
and the reader is advised to consider the effort in either its removal or maintenance and the risks
thereof.
Software Package Installation
Throughout this Benchmark, you may be directed to enable software package init scripts using the
chkconfig command. This assumes you already installed said package(s). If the chkconfig command
fails, verify you actually installed the software required.
10
1 Patches, Packages and Initial Lockdown
1.1 Apply Latest OS Patches
Description:
Developing a procedure for keeping up-to-date with vendor patches is critical for the security and
reliability of the system. Vendors issue operating system updates when they become aware of
security vulnerabilities and other serious functionality issues, but it is up to their customers to actually
download and install these patches.
When Novell publishes an update for SUSE Linux, they include the procedures with it for updating
the package. This usually entails downloading the new RPMs from Novell, and making them available
to the individual servers. Some Enterprises make these packages available over an NFS share or an
internal anonymous FTP/HTTP server – your Enterprise may follow this practice or do something
different.
It is also important to observe that your applications work properly after patching. Though problems
in patches are quite rare in SUSE Linux, it is generally recommended that any patch be deployed to a
non-production system first for testing.
Some RPMs may need to be installed before others. For the most part, RPM understands and solves
dependencies. Novell creates separate instructions for special cases, like the replacement of the kernel
or the general C library glibc. You may need to examine the list of updates that you have downloaded
to check for any of these cases.
Finally, there is some risk to using a non-patched, non-hardened machine to download the patches, as
this involves connecting a system with security vulnerabilities on a network, which is not an Industry
Best Practice. Please consider these issues carefully. One approach is to use a stateful hardware
firewall to separate and protect the unpatched system from all other systems. For the purpose of update
and installation the hardware firewall should be configured to prevent all inbound connections; as well
as packets that aren’t part of an established session.
Novell offers at least partially automated patch download and installation via YaST Online Update.
In lieu of an existing Enterprise Standard, consider using YaST Online Update whenever Novell
announces vulnerabilities. If your Enterprise has several servers, consider installing an update server
that can be used in place of the update servers at Novell– the updates will go much faster, you will use
much less bandwidth from your ISP, and you will reduce the load on Novell's servers.
If YaST Online Update is used, it should be used on a lab server and the patches validated and the
system regression tested before going to live/production systems.
Recommendation Level: 1
Remediation:
Update system per your Enterprise Update procedures.
Scoring Status: Scorable
Compliance Mapping: TBD
11
Audit: TBD
1.2 Validate Your System Before Making Changes
Description:
Ensuring your system is functioning properly before you make a change is a prudent system
administration best practice and will save you hours of aggravation. Applying this Benchmark to a
system that already has issues makes troubleshooting very difficult and may lead you to believe the
Benchmark is at fault.
Examine the system and application logs (/var/log). Key words to look for include, but are not
limited to, "error", "warning", "critical", and "alert".
Performing a scan for rootkits is a prudent measure. Some enterprises may also wish to perform
further validation on the integrity of the operating system: anti-virus scanning and checking the
integrity of system files against a trusted database of file hashes. While this standard does not endorse
specific tools, the following are examples of tools used.
Rootkit detection: Chkrootkit, Rootkit Hunter or kstat (for advanced users).
Anti-virus: clamav (freeware) or commercial anti-virus products from Computer Associates, F-Secure,
Kaspersky, Sophos, Symantec or Trend Micro.
Trusted hash databases: The NSRL hash database, a database of file hashes from this server, stored on
a separate system (e.g. hashes from AIDE, Tripwire, Trusted Computing Base, etc).
Resolve all issues before continuing.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.3 Configure SSH
Description:
OpenSSH is installed by default. OpenSSH is a popular free distribution of the standards-track
SSH protocols which has become the standard implementation on Linux distributions. For more
information on OpenSSH, see http://www.openssh.org.
The settings in this section attempt to ensure safe defaults for both the client and the server.
Specifically, both the ssh client and the sshd server are configured to use only SSH protocol 2, as
security vulnerabilities have been found in the first SSH protocol. This may cause compatibility issues
at sites still using the vulnerable SSH protocol 1 these sites should endeavor to configure all systems
to use only SSH protocol 2.
12
Warning: Note that a banner is added in the sshd_config file – we will create
this banner later and it is discussed in detail in section 9. If you choose not to
implement a banner, you will have to remove the reference to /etc/issue from
sshd_config manually. Please read the section on the legal use of banners before
deciding to remove it.
Recommendation Level: 1
Remediation:
unalias cp rm mv
cd /etc/ssh
cp ssh_config ssh_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
{ print }' ssh_config.tmp > ssh_config
if [ "`egrep -l ^Protocol ssh_config`" == "" ]; then
echo 'Protocol 2' >> ssh_config
fi
rm ssh_config.tmp
diff ssh_config-preCIS ssh_config
Look at /etc/ssh/ssh_config to and verify “Protocol 2” is under the “Host *” entry. If it is not there,
edit the file and put “Protocol 2” under the “Host *” entry.
cp sshd_config sshd_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
/^#? *X11Forwarding/ \
{ print "X11Forwarding yes"; next };
/^#? *IgnoreRhosts/ \
{ print "IgnoreRhosts yes"; next };
/^#? *HostbasedAuthentication/ \
{ print "HostbasedAuthentication no"; next };
/^#? *PermitRootLogin/ \
{ print "PermitRootLogin no"; next };
/^#? *PermitEmptyPasswords/ \
{ print "PermitEmptyPasswords no"; next };
/^#? *Banner/ \
{ print "Banner /etc/issue.net"; next };
{print}' sshd_config.tmp > sshd_config
rm sshd_config.tmp
diff sshd_config-preCIS sshd_config
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
13
1.4 Enable System Accounting
Description:
System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 10 minutes.
The data may be accessed with the sar command, or by reviewing the nightly report files named
/var/log/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity
(password crackers and other CPU-intensive jobs, and activity outside of normal usage hours) may
be detected due to departures from the normal system performance curve. Note that this data is
only archived for one week before being automatically removed by the regular nightly cron job.
Administrators may wish to archive the /var/log/sa/ directory on a regular basis to preserve this data
for longer periods.
Note: SLES does not include sysstat by default (unless the full installation is chosen).
Recommendation Level: 1
Remediation:
Install package sysstat.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.5 SuSEfirewall2 is active
Description:
SuSEfirewall2 is a stateful network packet filter also known as firewall. It is a script that generates
iptables rules from configuration stored in the /etc/sysconfig/SuSEfirewall2file.
SuSEfirewall2 protects from network attacks by rejecting or dropping some unwanted packets that
reach your network interface.
SuSEfirewall2 is installed and activated by default. No services are allowed by default. Any services
to be allowed, such as SSH, must be specifically enabled. Use YaST Control Center#Security and
Users#Firewall to adjust the firewall configuration. Finer configuration control can be exercised by
using YaST Control Center#System#/etc/sysconfig editor in the Network/Firewall/SuSEfirewall2
selection, or editing the /etc/sysconfig/SuSEfirewall2file directly.
For additional information, see http://en.opensuse.org/SuSEfirewall2.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
14
1.6 seccheck is active
Description:
The SuSE Security Checker (package seccheck) is a set of several shellscripts which check the local
security of the system on a regular basis and email reports to a designated user (by default, root).
It includes several checks specified by other items within this benchmark.
Warning: If the package john is installed, seccheck will use it to evaluate the
password strength of accounts during weekly and monthly evaluations. You may
notice 100% processor utilization (due to the use of john) during these times.
Recommendation Level: 1
Remediation:
Install the seccheck package.
Run /usr/lib/secchk/security-control.sh.
Further adjustments can be made with the YaST Control Center#System#/etc/sysconfig editor in the
System/Security/Seccheck selection.
Monitor the daily, weekly, and monthly reports generated by the package.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.7 AppArmor is active
Description:
AppArmor provides network application security via mandatory access control for programs,
protecting against the exploitation of software flaws and compromised systems.
Use YaST Control Center#Novell AppArmor to adjust the AppArmor configuration.
For additional information, see http://www.novell.com/linux/security/apparmor/.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
15
2 Minimize xinetd network services
2.1 Disable Standard Services
Description:
SUSE Linux used xinetd, and in a default configuration, all xinetd services are off
On Linux, xinetd has outpaced inetd as the default network superserver.
After enabling SSH, it is possible to nearly do away with all xinetd-based services, since SSH provides
both a secure login mechanism and a means of transferring files to and from the system. The action
above will disable all standard services in the xinetd configuration.
The rest of the actions in this section give the administrator the option of re-enabling certain services.
Rather than disabling and then re-enabling these services, experienced administrators may wish to
simply disable only those services that they know are unnecessary for their systems. If there is any
doubt, it is better to disable everything, then re-enable the necessary services based on the function of
the server.
Note: If you attempt to re-enable a service and get a message like this:
unknown service
it means that you have not installed the software for that service yet. Install the software package then
proceed with the Benchmark.
Recommendation Level: 1
Remediation:
( cd /etc/xinetd.d; for s in *; do chkconfig $s off ; done; )
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.2 Limit access to trusted networks
Description:
Question: Is there a reason to allow unlimited network access to this server? If the answer to this
question is no, then perform the action below.
Use the standard system firewall configuration facility (SuSEfirewall2) to define networks to be
trusted.
Recommendation Level: 1
16
Remediation:
Add trusted networks to the FW_TRUSTED_NETSvariable in section 10 of the firewall configuration
file /etc/sysconfig/SuSEfirewall2/. This can be done using the YaST Control
Center#System#/etc/sysconfig editor in the Network/Firewall/SuSEfirewall2 selection.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.3 Only Enable telnet If Absolutely Necessary
Description:
Question: Is there a mission-critical reason that requires users to access this system via telnet,
rather than the more secure SSH protocol?
To enable telnet, chkconfig telnet on.
telnet uses an unencrypted network protocol, which means data from the login session (such as
passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the
network, and also that the session can be hijacked by outsiders to gain access to the remote system.
The freely-available SSH utilities that ship with SUSE Linux (see http://www.openssh.com/) provide
encrypted network logins and should be used instead.
To aid in the migration to SSH, there is a freely available SSH client for Windows called putty, which
is available from Simon Tatham (see http://www.chiark.greenend.org.uk/~sgtatham/putty/). There are
numerous commercially supported SSH clients as well – check to see if your Enterprise already has an
Enterprise SSH client.
Some Enterprises are using telnet over SSL, however, the simpler and more standard solution is to
use SSH. Configuring telnet over SSL is beyond the scope of a Level 1 Benchmark and will not be
addressed here.
It is understood that large Enterprises deeply entrenched in using telnet may take considerable effort
in migrating from telnet to ssh, so telnet may have to be enabled. When it can be disabled, simply run
chkconfig telnet off to turn it off again.
Recommendation Level: 1
Remediation:
chkconfig telnet off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
17
2.4 Only Enable FTP If Absolutely Necessary
Description:
Question: Is this machine an (anonymous) FTP server, or is there a mission-critical reason why
data must be transferred to and from this system via an ftp server, rather than sftp or scp? If the
answer to this question is yes, proceed with the actions below.
vsftpd is not installed by default.
chkconfig vsftpd on
Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted
during the session can be captured by sniffing the network, and that the FTP session itself can be
hijacked by an external attacker. SSH provides two different encrypted file transfer mechanisms –
scp and sftp – and should be used instead. Even if FTP is required because the local system is an
anonymous FTP server, consider requiring non-anonymous users on the system to transfer files via
SSH-based protocols. For further information on restricting FTP access to the system, see section 7.2
below.
Note: Any directory writable by an anonymous FTP server should have its own partition. This helps
prevent an FTP server from filling a hard drive used by other services.
To aid in the migration away from FTP, there are a number of freely available scp and sftp client
for Windows, such as WinSCP (available from http://winscp.sourceforge.net/eng/index.php) for a
Graphical interface to putty, and pscp, which is a part of the previously mentioned putty package.
Some Enterprises are using FTP over SSL, however, the simpler and more standard solution is to
use SSH. Configuring FTP over SSL is beyond the scope of a Level 1 Benchmark and will not be
addressed here.
Recommendation Level: 1
Remediation:
chkconfig vsftpd off.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.5 Only Enable rlogin/rsh/rcp If Absolutely Necessary
Description:
The r-commands suffer from the same hijacking and sniffing issues as telnet and ftp, and in addition
have a number of well-known weaknesses in their authentication scheme. SSH was designed to be
a drop-in replacement for these protocols. Given the wide availability of free SSH implementations,
it seems unlikely that there is ever a case where these tools cannot be replaced with SSH (again, see
http://www.openssh.com/).
chkconfig rexec on
18
chkconfig rlogin on
chkconfig rsh on
If these protocols are left enabled, please also see section 7.1 for additional security-related
configuration settings.
Recommendation Level: 1
Remediation:
chkconfig rexec off
chkconfig rlogin off
chkconfig rsh off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.6 Only Enable TFTP Server if Absolutely Necessary
Description:
Question: Is this system a boot server or is there some other mission-critical reason why data must
be transferred to and from this system via TFTP? If the answer to this question is yes, proceed with the
actions below.
chkconfig tftp on
if [ ! -d "/tftpboot" ] ; then
mkdir -m 0755 /tftpboot && \
chown root:root /tftpboot
fi
TFTP is typically used for network booting of diskless workstations, X-terminals, and other similar
devices. Routers and other network devices may copy configuration data to remote systems via TFTP
for backup. However, unless this system is needed in one of these roles, it is best to leave the TFTP
service disabled.
Note: The tftp-server software is not installed by default on SUSE Linux. You will have to install it if
you need to use it. After installing it, perform the actions above.
Recommendation Level: 1
Remediation:
chkconfig tftp off.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
19
2.7 Only Enable IMAP If Absolutely Necessary
Description:
Question: Is this machine a mail server with a mission-critical reason to use imap to serve mail to
remote mail clients? If the answer to this question is yes, proceed with the actions below.
chkconfig cyrus on
or
chkconfig imap on
Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail
servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. If this
system is a mail server that must offer this protocol then either cyrus or imap may be activated. Note:
cyrus and imap both provide IMAP and POP services.
Recommendation Level: 1
Remediation:
chkconfig cyrus off
or
chkconfig imap off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.8 Only Enable POP If Absolutely Necessary
Description:
Question: Is this machine a mail server with a mission-critical reason to use pop to serve mail to
remote mail clients? If the answer to this question is yes, proceed with the actions below.
chkconfig qpopper on
or
chkconfig cyrus on
Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail
servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. If this
system is a mail server that must offer the POP protocol then either qpopper or cyrus may be activated.
Recommendation Level: 1
20
Remediation:
chkconfig qpopper off
or
chkconfig cyrus off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3 Minimize boot services
3.1 Set Daemon umask
Description:
system default umask should be set to at least 027 in order to prevent daemon processes (such as the
syslog daemon) from creating world-writable files by default. If a particular daemon needs a less
restrictive umask, consider editing the daemon startup script to grant that daemon the required umask
while maintaining the increased server security posture.
Recommendation Level: 1
Remediation:
cd /etc
awk '($1=="umask") { if ($2 < "027") { $2="027";} }; \
{ print }' rc.status-preCIS > rc.status
if [ `grep -c umask rc.status` -eq 0 ]; then
echo "umask 027" >> rc.status
fi
diff rc.status-preCIS rc.status
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.2 Disable xinetd, If Possible
Description:
If the actions in Section 2 of this benchmark resulted in no services being enabled in the inet super
daemon /etc/xinetd.dconfiguration files, then the xinetd service may be disabled completely on
this system.
Recommendation Level: 1
Remediation:
cd /etc/xinetd.d
if [ `find . -type f | \
xargs awk '($1=="disable" && $3=="no") {print}'\
| wc -l` -eq 0 ]; then
chkconfig xinetd off;rcxinetd stop
fi
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
22
3.3 Disable remote SMTP connections
Description:
Question: Is this system a mail server – that is, does this machine receive and process email from
other hosts?
Postfix is installed and active by default on SUSE.
If the system must accept remote SMTP connections, enable remote SMTP connections by setting
SMTPD_LISTEN_REMOTE="yes"in the /etc/sysconfig/mailfile using YaST Control
Center#Network Services#Mail Transfer Agent, Incoming Mail, Accept Remote SMTP connections,
or YaST Control Center#System#/etc/sysconfig editor in the Network/Mail/General selection. The
SMTP service must also be enabled in the firewall.
Note that if the system is an email server, the administrator is encouraged to search the Web for
additional documentation on postfix security issues.
Experienced administrators will understand that a chroot-jailed user or program can still interact with a
postfix process listening on the loopback interface.
Rationale:
Leave the postfix service active and adjust the configuration if the system must act as an MTA.
Recommendation Level: 1
Remediation:
If the system need not accept remote SMTP connections, disable remote SMTP connections by setting
SMTPD_LISTEN_REMOTE="no"in the /etc/sysconfig/mailfile using YaST Control
Center#Network Services#Mail Transfer Agent, Incoming Mail, Accept Remote SMTP connections,
or YaST Control Center#System#/etc/sysconfig editor in the Network/Mail/General selection. Remote
SMTP connections are not accepted in a default configuration.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.4 Disable GUI Login If Possible
Description:
Question: Is there a mission-critical reason to run a GUI login program on this system? If the
answer to this question is no, proceed with the actions below.
This action disables the graphical login, if present, leaving the user to login via SSH or a normal
text-based console. If you elect to deactivate the GUI login screen, users can still run X Windows by
typing startx at the shell prompt. In SUSE Linux, there are two main runlevels that the system runs in.
Runlevel 5 boots directly into X Windows, so as to allow graphical login or easy use of specialized
X terminals. Otherwise, for normal text-based console login, runlevel 3 is desirable. GUI login is
23
activated or deactivated by changing this runlevel in /etc/inittab. Again, note that runlevel 3 still
allows the user to run X Windows by typing startx at the shell prompt.
Recommendation Level: 1
Remediation:
sed -e 's/id:5:initdefault:/id:3:initdefault:/' \
< /etc/inittab > /etc/inittab.tmp
cp /etc/inittab.tmp /etc/inittab
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.5 Disable X Font Server If Possible
Description:
Question: Is there a mission-critical reason to run X Windows on this system? If the answer to this
question is no, proceed with the actions below.
If you won't be using an X server on this machine, this action will deactivate the font server.
Recommendation Level: 1
Remediation:
chkconfig xfs off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.6 Disable Standard Boot Services
Description:
Every system daemon that does not have a clear and necessary purpose on the host should be
deactivated. This greatly reduces the chances that the machine will be running a vulnerable daemon
when the next vulnerability is discovered in its operating system.
SUSE Linux uses a facility called chkconfig to manage all the SysV rc-scripts. chkconfig adds or
deletes links in each of the appropriate runlevel directories (/etc/rc.d/rc*.d) to activate or deactivate
each of the rc-scripts.
This process "chkconfig's" all of the rc-scripts off, so that the local administrator can easily reactivate
any of these scripts upon discovery of a mission-critical need for one of these services. One could
reactivate the daemon script by typing chkconfig daemon on in most cases, which activates it in
runlevels 2 through 5. If one of these runlevels is undesirable, like runlevel 2 for the NFS script, or
24
the script needs to run in one of the other available runlevels, chkconfig takes the argument " level
<levels>" where one can explicitly specify runlevels that it should act on.
Note that vendor patches may restore some of the original entries in the startup script directories
/etc/rc.d/rc*.d – it is always a good idea to check these boot directories and remove any scripts that
may have been added by the patch installation process. This would be a good time to ensure this check
is in your Enterprise OS Upgrade Procedure.
The rest of the actions in this section give the administrator the option of re-enabling certain services
– in particular, the services that are disabled in the second loop in the "Action" section above. Rather
than disabling and then re-enabling these services, experienced administrators may wish to simply
disable only those services that they know are unnecessary for their systems.
The third loop in the "Action" section locks daemon-user accounts related to servers that we examine
by setting a lockout password. This will not prevent a given daemon from running as these users
– it simply confirms that these users are not available for human login. It also changes the shell to
/bin/false for an additional layer of security as long as shell access is not necessary. Bear in mind that
some packages (findutils up to version 4.1.20, for example) do not work properly without a shell for
the nobody account – be sure you test this thoroughly if you choose to invalidate the daemon shells.
Note: Not all of the scripts listed above will exist on all systems, as this is a superset of the available
rc-scripts in the various SUSE distributions. The benchmark's recommended action will register some
trivial errors on each distribution version as a result – these are not cause for alarm.
Recommendation Level: 1
Remediation:
for FILE in
Makefile aaeventd atd autofs autoyast boot.evms \
boot.multipath boot.sched boot.scsidev chargen \
chargen-udp cups-lpd cups cupsrenice daytime \
daytime-udp echo echo-udp esound evms fam gpm gssd \
idmapd ipmi ipxmount joystick lm_sensors mdadmd \
multipathd netstat nfsboot nfsserver nmb openct \
pcscd portmap powerd raw rexec rlogin rpasswdd \
rpmconfigcheck rsh rsync rsyncd saslauthd servers \
services skeleton.compat smartd smb smbfs smpppd \
snmpd svcgssd swat systat tftp time time-udp vnc \
vsftpd xfs xinetd ypbind ; do
/etc/init.d/$FILE stop
chkconfig $FILE off
done
for USERID in lp apache named mysql; do
usermod -L -s /bin/false $USERID
done
Scoring Status: Not Scorable
Compliance Mapping: TBD
25
Audit: TBD
3.7 Only Enable SMB (Windows File Sharing) and NMB (NetBIOS
Message Block) Processes If Absolutely Necessary
Description:
Question: Is this machine sharing files via the Windows file sharing protocols? If the answer to this
question is yes, proceed with the actions below.
chkconfig smb on
SUSE Linux includes the popular Open Source Samba server for providing file and print services to
Windows-based systems. This allows a Unix system to act as a file or print server in on a Windows
network, and even act as a Domain Controller (authentication server) to older Windows operating
systems. However, if this functionality is not required by the site, the service should be disabled.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.8 Only Enable NFS Server Processes If Absolutely Necessary
Description:
Question: Is this machine an NFS file server? If the answer to this question is yes, proceed with the
actions below.
chkconfig nfsserver on
NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need
to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS
server, the administrator should take reasonable precautions when exporting file systems, including
restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only"
where appropriate. For more information, consult the exports manual page.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.9 Only Enable NFS Client Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this system must access file systems from remote
servers via NFS? If the answer to this question is yes, proceed with the actions below.
26
chkconfig autofs on
Again, unless there is a significant need for this system to acquire data via NFS, administrators should
disable NFS-related services. Note that other file transfer schemes (such as rdist via SSH) can often be
preferable to NFS for certain applications.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.10 Only Enable NIS Client Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this machine must be an NIS client? If the answer to
this question is yes, proceed with the actions below.
chkconfig ypbind on
Unless this site must use NIS, it should really be avoided. While it can be very useful for transparently
scaling the number of workstations, it's not well designed for security. Sun Microsystems is now
phasing out NIS+ in favor of LDAP for naming services – NIS and NIS+ are now reaching end of life.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.11 Only Enable NIS Server Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this machine must be an NIS server? If the answer
to this question is yes, proceed with the actions below.
chkconfig ypserv on
chkconfig yppasswdd on
Unless this site must use NIS, it should be avoided. While it can be very useful for transparently
scaling the number of workstations, it is not well designed for security.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
27
3.12 Only Enable RPC Portmap Process If Absolutely Necessary
Description:
Question: This machine is an NFS client or server? Is this machine an NIS (YP) or NIS+ client or
server? Does the machine run a third-party software application which is dependent on RPC support?
If the answer to any of these questions is yes, proceed with the actions below.
chkconfig portmap on
RPC-based services typically use very weak or non-existent authentication and yet may share very
sensitive information. Unless one of the services listed above is required on this machine, best to
disable RPC-based tools completely. If there is uncertainty in whether or not a particular third-party
application requires RPC services, consult with the application vendor.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.13 Only Enable ncpfs Script If Absolutely Necessary
Description:
Question: Is this machine sharing files via the NFS, Novell Netware or Windows file sharing
protocols? If the answer to this question is yes, proceed with the actions below.
chkconfig ncpfs on
This service is not necessarily installed by default, therefore the above command may fail. If there
are no network file sharing protocols being used, one can deactivate the netfs script. This script
mounts network drives on the client. Though this is not a persistent daemon and thus not so dangerous,
thinning out the /etc/rc.d/rcN.d directories makes the system much easier to audit.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.14 Only Enable Web Server Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this system must run a Web server? If the answer to
this question is yes, proceed with the actions below.
chkconfig apache2 on
Even if this machine is a web server, the local site may choose not to use the web server provided with
SLES in favor of a locally developed and supported Web environment.
28
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.15 Only Enable SNMP Processes If Absolutely Necessary
Description:
Question: Are hosts at this site remotely monitored by a tool (e.g., HP OpenView, MRTG, Cricket)
that relies on SNMP? If the answer to this question is yes, proceed with the actions below.
chkconfig snmpd on
If SNMP is used to monitor the hosts on this network, experts recommend changing the default
community string used to access data via SNMP. On SUSE Linux systems, this parameter has already
been changed to a reasonably secure setting in the file /etc/snmpd.conf.
Note: In a large Enterprise that relied heavily on SNMP, it was discovered during the Linux rollout
that SNMP was not a critical service, and not having it enabled increased the security posture of the
servers.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.16 Only Enable DNS Server Process If Absolutely Necessary
Description:
Question: Is this machine a DNS server, or is a local name server needed? If the answer to this
question is yes, proceed with the actions below.
chkconfig named on
Most of the machines in the organization do not need a DNS server running on the box. Unless this
is one of the organization's name servers, or a local cacheing name server is needed, it is safe to leave
inactive.
If this must be left active, please ensure patches are applied in a timely fashio and consider tightening
the configuration.
Additionally, consider the use of Access Control Lists (ACL's) in /etc/named.confto limit
who can query your name server. For example, Internal name servers should not respond to outside
requests. Large Enterprises run multiple name servers so this should not be an issue. However, smaller
organizations may not be able to deploy internal and external name servers and should consider this
precaution.
29
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.17 Only Enable SQL services If Absolutely Necessary
Description:
Question: Is this machine an SQL (database) server? If the answer to this question is yes, proceed
with the actions below.
chkconfig postgresql on
chkconfig mysql on
If this machine does not need to run the mainstream database (SQL) servers Postgres or MySQL, it is
safe to deactivate them. If you need to enable them, issue the command (above) for the database that
you installed.
Please read the discussion before executing these commands and select the appropriate command.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.18 Only Enable Webmin Processes If Absolutely Necessary
Description:
Not Applicable to SUSE, This section is retained for consistency with the other Linux Benchmarks.
Recommendation Level: 1
Scoring Status: Not Scorable
Compliance Mapping: TBD
Audit: TBD
3.19 Only Enable Squid Cache Server If Absolutely Necessary
Description:
Question: Do you use the squid web cache? If the answer to this question is yes, proceed with the
actions below.
chkconfig squid on
30
Squid can actually be beneficial to security, as it imposes a proxy between the client and server.
On the other hand, if it is not being used, it should be deactivated and removed. This deactivation
decreases the risk of system compromise should a security vulnerability later be discovered in
Squid. Finally, if your site does used Squid, do configure it carefully. Many Squid caches are badly
configured to either allow outsider attackers to probe internal machines through the firewall or to use
the cache to hide their true source IP address from their target hosts. Each site should configure Squid
to not allow people outside their perimeter to use the cache without authentication of some sort. A
better deployment for squid is on a server with no external-facing network interface (unless you are
using it for a reverse web proxy, which is a very specific installation, and beyond the scope of this
benchmark).
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
31
4 Kernel Tuning
4.1 Network Parameter Modifications
Description:
For an explanation of some of these parameters, see
/Documentation/networking/ip-sysctl.txt in your local copy of the kernel source or read the latest from
the cross-referencing Linux site: http://lxr.linux.no/source/Documentation/networking/ip-sysctl.txt.
tcp_max_syn_backlog -INTEGER Maximal number of remembered connection requests, which are
still did not receive an acknowledgment from connecting client. Default value is 1024 for systems with
more than 128Mb of memory, and 128 for low memory machines. If server suffers of overload, try to
increase this number.
accept_source_route -BOOLEAN Accept packets with SRR option. conf/all/accept_source_route
must also be set to TRUE to accept packets with SRR option on the interface default TRUE (router)
FALSE (host)
accept_redirects -BOOLEAN Accept Redirects. Functional default: enabled if local forwarding is
disabled. disabled if local forwarding is enabled.
secure_redirects -BOOLEAN Accept ICMP redirect messages only for gateways, listed
in default gateway list. secure_redirects for the interface will be enabled if at least one of
conf/{all,interface}/secure_redirects is set to TRUE, it will be disabled otherwise default TRUE
rp_filter -BOOLEAN 1 -do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network routers. Could cause troubles for
complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static
routes. 0 -No source validation. conf/all/rp_filter must also be set to TRUE to do source validation on
the interface Default value is 0. Note that some distributions enable it in startup scripts.
accept_source_route -INTEGER Accept source routing (routing extension header). >= 0: Accept only
routing header type 2. <0: Do not accept routing header.
accept_redirects -
Linux Enterprise Server Benchmark
Version: 2.0
May, 2008
Editor: Nancy Whitney
1
Table of Contents
Terms of Use.......................................................................... 5
Introduction............................................................................ 8
Applicability......................................................................... 8
Root Shell Environment Assumed ..................................................... 8
Executing Actions ................................................................... 8
Reboot Required ..................................................................... 8
Vulnerabilities........................................................................ 8
Backup Key Files .................................................................... 8
Build Considerations ................................................................. 9
Software Package Removal............................................................ 9
Software Package Installation......................................................... 10
1 Patches, Packages and Initial Lockdown................................................ 11
1.1 Apply Latest OS Patches ......................................................... 11
1.2ValidateYourSystemBeforeMakingChanges...................................... 12
1.3 Configure SSH.................................................................. 12
1.4 Enable System Accounting........................................................ 14
1.5 SuSEfirewall2 is active........................................................... 14
1.6 seccheck is active................................................................ 15
1.7 AppArmor is active.............................................................. 15
2 Minimize xinetd network services ..................................................... 16
2.1 Disable Standard Services ........................................................ 16
2.2 Limit access to trusted networks................................................... 16
2.3 OnlyEnabletelnetIfAbsolutely Necessary.........................................17
2.4 OnlyEnableFTP IfAbsolutely Necessary ..........................................18
2.5 Only Enable rlogin/rsh/rcp If Absolutely Necessary .................................. 18
2.6OnlyEnableTFTPServerifAbsolutelyNecessary................................... 19
2.7 OnlyEnableIMAPIf AbsolutelyNecessary.........................................20
2.8OnlyEnablePOPIfAbsolutelyNecessary.......................................... 20
3 Minimize boot services .............................................................. 22
3.1 Set Daemon umask .............................................................. 22
3.2 Disable xinetd, If Possible ........................................................22
3.3 Disable remote SMTP connections................................................. 23
3.4 Disable GUI Login If Possible .................................................... 23
3.5 Disable X Font Server If Possible ................................................. 24
3.6 Disable Standard Boot Services ................................................... 24
3.7 Only Enable SMB (Windows File Sharing) and NMB (NetBIOS Message Block) Processes If
Absolutely Necessary................................................................ 26
3.8O nlyEnableNFSServerProcessesIfAbsolutelyNecessary........................... 26
3.9 Only Enable NFS Client Processes If Absolutely Necessary ...........................26
3.10 OnlyEnableNISClientProcessesIfAbsolutelyNecessary.......................... 27
3.11 Only Enable NIS Server Processes If Absolutely Necessary .......................... 27
3.12 OnlyEnableRPCPortmapProcessIfAbsolutelyNecessary......................... 28
3.13 OnlyEnablencpfsScriptIfAbsolutelyNecessary.................................. 28
3.14 OnlyEnableWebServerProcessesIfAbsolutelyNecessary......................... 28
3.15 OnlyEnableSNMPProcessesIfAbsolutelyNecessary............................. 29
3.16 Only Enable DNS Server Process If Absolutely Necessary ...........................29
3.17 Only Enable SQL services If Absolutely Necessary ................................. 30
3.18OnlyEnableWebminProcessesIfAbsolutelyNecessary............................ 30
3.19OnlyEnableSquidCacheServerIfAbsolutelyNecessary........................... 30
4 Kernel Tuning ...................................................................... 32
4.1 Network Parameter Modifications ................................................. 32
4.2 AdditionalNetworkParameterModifications........................................ 33
5 Logging............................................................................ 35
5.1 syslog is active.................................................................. 35
5.2 NTP is active....................................................................35
5.3 System log file permissions....................................................... 36
5.4 Configure remote system logging.................................................. 36
6 File/Directory Permissions/Access .....................................................38
6.1 Add'nodev'OptionToAppropriatePartitionsIn/etc/fstab............................ 38
6.2 Add 'nosuid' and 'nodev' Option For Removable Media In /etc/fstab............. 38
6.3 Disable User-Mounted Removable File Systems .....................................39
6.4 Verifypasswd,shadow,andgroupFilePermissions................................. 40
6.5 World-Writable Directories Should Have Their Sticky Bit Set ......................... 40
6.6FindUnauthorizedWorld-WritableFiles........................................... 40
6.7FindUnauthorizedSUID/SGIDSystemExecutables................................. 41
6.8 Find All Unowned Files.......................................................... 41
6.9DisableUSBDevices(AKAHotplugger)........................................... 42
7 SystemAccess,Authentication,andAuthorization...................................... 43
7.1Remove.rhostsSupportInPAMConfigurationFiles................................ 43
7.2 /etc/ftpusers..................................................................... 43
7.3PreventXServerFromListeningOnPort6000/tcp.................................. 44
7.4 Restrict at/cron To Authorized Users .............................................. 45
7.5 RestrictPermissionsOn crontab Files ..............................................46
7.6 Configure xinetd Access Control .................................................. 46
7.7 Restrict RootLoginsTo SystemConsole...........................................47
7.8 Set LILO/GRUB Password ....................................................... 47
7.9 RequireAuthenticationForSingle-UserMode...................................... 48
7.10 RestrictNFSClientRequestsToPrivilegedPorts.................................. 49
7.11 Only Enable syslog To Accept Messages If Absolutely Necessary. . . . . . . . . . . . . . . . . . . . . 50
8 User Accounts and Environment ...................................................... 52
8.1 Block System Accounts .......................................................... 52
8.2VerifyThatThereAreNoAccountsWithEmptyPasswordFields..................... 52
8.3 Set Account Expiration and Password Parameters On Active Accounts . . . . . . . . . . . . . . . . . 53
8.4 Verify No Legacy '+' Entries Exist In passwd, shadow, And group Files . . . . . . . . . . . . . . . . 54
8.5 Verify That No UID 0 Accounts Exist Other Than Root .............................. 54
8.6No'.'orGroup/World-WritableDirectoryInRoot's$PATH.......................... 54
8.7UserHomeDirectoriesShouldBeMode750orMoreRestrictive...................... 55
8.8NoUserDot-FilesShouldBeWorld-Writable...................................... 55
8.9 Remove User .netrc Files......................................................... 56
8.10 Set Default umask For Users .................................................... 56
8.11 Disable Core Dumps ........................................................... 58
8.12LimitAccessToTheRootAccountFromsu...................................... 58
8.13 Reboot.........................................................................59
9 Warning Banners.................................................................... 60
9.1 CreateWarningsForNetworkAndPhysicalAccessServices.......................... 60
9.2 Create Warnings For GUI-Based Logins............................................ 62
9.3 Create "authorized only" Banners For vsftpd, If Applicable............................ 64
10 Anti-Virus Consideration............................................................ 65
10.1 Anti-Virus Products............................................................. 65
11 Remove Backup Files............................................................... 66
11.1 Remove Backup Files........................................................... 66
12 Additional Security Notes............................................................67
12.1 Create Symlinks ForDangerous Files .............................................67
12.2 Enable TCP SYN Cookie Protection.............................................. 67
12.3 Additional LILO/GRUB Security ................................................ 68
12.4 EvaluatePackagesAssociatedWithStartupScripts................................. 68
12.5 Evaluate Every Installed Package................................................. 69
12.6 Configure sudo................................................................. 70
12.7 Additional Kernel Tunings....................................................... 70
12.8RemoveAllCompilersandAssemblers........................................... 71
Appendix A: File Backup Script.........................................................72
Appendix B: Change History............................................................74
Terms of Use
Background.
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data,
information, suggestions, ideas, and other services and materials from the CIS website or elsewhere
("Products") as a public service to Internet users worldwide. Recommendations contained in the
Products ("Recommendations") result from a consensus-building process that involves many
security experts and are generally generic in nature. The Recommendations are intended to provide
helpful information to organizations attempting to evaluate or improve the security of their networks,
systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to
specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for
anyone's information security needs.
No Representations, Warranties, or Covenants.
CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative
effect of the Products or the Recommendations on the operation or the security of any particular
network, computer system, network device, software, hardware, or any component of any of
the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the
Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available"
without representations, warranties, or covenants of any kind.
User Agreements.
By using the Products and/or the Recommendations, I and/or my organization ("We") agree and
acknowledge that:
1. No network, system, device, hardware, software, or component can be made fully secure;
2. We are using the Products and the Recommendations solely at our own risk;
3. We are not compensating CIS to assume any liabilities associated with our use of the Products or
the Recommendations, even risks that result from CIS's negligence or failure to perform;
4. We have the sole responsibility to evaluate the risks and benefits of the Products and
Recommendations to us and to adapt the Products and the Recommendations to our particular
circumstances and requirements;
5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections,
updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades,
or bug fixes; and
6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in
contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special
damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation,
loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any
computer or other equipment, business interruption, wasted management or other staff resources or
5
claims of any kind against us from third parties) arising out of or in any way connected with our use of
or our inability to use any of the Products or Recommendations (even if CIS has been advised of the
possibility of such damages), including without limitation any liability associated with infringement
of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or
other harmful items.
Grant of Limited Rights.
CIS hereby grants each user the following rights, but only so long as the user complies with all of the
terms of these Agreed Terms of Use:
1. Except to the extent that we may have received additional authorization pursuant to a written
agreement with CIS, each user may download, install and use each of the Products on a single
computer;
2. Each user may print one or more copies of any Product or any component of a Product that is in a
.txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact,
including without limitation the text of this Agreed Terms of Use in its entirety.
Retention of Intellectual Property Rights; Limitations on Distribution.
The Products are protected by copyright and other intellectual property laws and by international
treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights
in the Products and that full title and all ownership rights to the Products will remain the exclusive
property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding
section entitled "Grant of limited rights."
Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of
CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in
a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer,
or otherwise attempt to derive the source code for any software Product that is not already in the form
of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise
transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or
any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar
mechanism or device, without regard to whether such mechanism or device is internal or external, (iv)
remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels
in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter
these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use
any Product or any component of a Product with any derivative works based directly on a Product or
any component of a Product; (vii) use any Product or any component of a Product with other products
or applications that are directly and specifically dependent on such Product or any component for
any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS
Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or
entities in any of the activities listed in this paragraph.
We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors, members,
contributors, employees, authors, developers, agents, affiliates, licensors, information and service
providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation,
6
development, or maintenance of the Products or Recommendations ("CIS Parties") harmless from
and against any and all liability, losses, costs, and expenses (including attorneys' fees and court costs)
incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us
of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the
exclusive defense and control of any matter subject to this indemnification, and in such case, we agree
to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party
beneficiaries of our undertakings in these Agreed Terms of Use.
Special Rules.
The distribution of the NSA Security Recommendations is subject to the terms of the NSA
Legal Notice and the terms contained in the NSA Security Recommendations themselves
(http://nsa2.www.conxion.com/cisco/notice.htm).
CIS has created and will from time to time create, special rules for its members and for other persons
and organizations with which CIS has a written contractual relationship. Those special rules will
override and supersede these Agreed Terms of Use with respect to the users who are covered by the
special rules.
CIS hereby grants each CIS Security Consulting or Software Vendor Member and each CIS
Organizational User Member, but only so long as such Member remains in good standing with CIS
and complies with all of the terms of these Agreed Terms of Use, the right to distribute the Products
and Recommendations within such Member's own organization, whether by manual or electronic
means. Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of
such Member's membership arrangement with CIS and may, therefore, be modified or terminated by
CIS at any time.
Choice of Law; Jurisdiction; Venue
We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in
accordance with the laws of the State of Maryland, that any action at law or in equity arising out
of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State
of Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the
purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be
unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and shall
not affect the validity and enforceability of any remaining provisions.
Terms of Use Agreement Version 2.1 – 02/20/04
7
Introduction
Applicability
This benchmark was developed and tested on SUSE Linux Enterprise Server (SLES) 10 SP1. It is
likely to work for other versions of SUSE Linux as well (such as openSUSE). The scoring tool may
yield inaccurate results on non-SUSE systems.
Root Shell Environment Assumed
The actions listed in this document are written with the assumption that they will be executed by the
root user running the bash shell and without noclobber set. Also, the following directories are assumed
to be in root's path:
/bin:/sbin:/usr/bin:/usr/sbin
Executing Actions
The actions listed in this document are written with the assumption that they will be executed in
the order presented here. Some actions may need to be modified if the order is changed. Actions
are written so that they may be copied directly from this document into a root shell window with
a "cut-and-paste" operation. You may find that many of the "chkconfig" actions, which activate or
deactivate services, produce the message "<service name>: unknown service" These messages are
quite normal and should not cause alarm – they simply indicate that the program being referenced
was not installed on your machine. As SUSE Linux installs allow a great deal of flexibility in what
software you choose to install, these messages are unavoidable.
Reboot Required
Rebooting the system is required after completing all of the actions below in order to complete the
re-configuration of the system. In many cases, the changes made in the steps below will not take effect
until this reboot is performed. If substantial operating system updates are performed after the initial
OS load, you may have to reboot more than once.
Vulnerabilities
In addition to any specific issues presented by a particular service or protocol, every service has the
potential of being an entry point into a system if a vulnerability is found. This is why we recommend
that some services are disabled even though there is no clear way to exploit them, and there has never
been a problem with the service. If you are running an un-needed service, you could have a problem if
a hole is found.
Backup Key Files
Before performing the steps of this benchmark it is strongly recommended that administrators make
backup copies of critical configuration files that may get modified by various benchmark items. If this
step is not performed, then the site may have no reasonable back-out strategy for reversing system
modifications made as a result of this document. The script provided in Appendix B of this document
will automatically back up all files that may be modified by the actions below. Note that an executable
copy of this script is also provided in the archive containing the PDF version of this document and the
8
CIS scoring tool. Assuming the administrator is in the directory where the archive has been unpacked,
the command to execute the backup script would be:
./do-backup.sh
One of the byproducts of the do-backup.sh script is /root/do-restore.sh, which is dynamically
generated based on the results of the do-backup.sh script. To roll back the changes performed by this
benchmark, first run RevertBastille followed by do-restore.sh, and all changes will be backed out.
Since not all Linux installations are identical, the do-restore.sh script is created based on the files that
actually existed at the time do-backup.sh was run.
Note: If you make any changes manually to any of the files that were preserved by do-backup.sh,
those changes will be lost when do-restore.sh is executed. It may be prudent to delete the do-restore.sh
script once you have validated the changes to prevent inadvertently undoing the changes.
Build Considerations
If you have not done so already, plan out a partitioned hard drive. The default partitioning for SUSE
Linux Enterprise Server is a single file system. It is preferable to use a setup similar to the following:
/ 1 GB
swap 1xRAM
/var 1 GB
/usr 4 GB
/opt 4 GB
/home remaining disk space
It is important to keep /var and /home on their own partitions. Some applications have a tendency
to crash when the / or /usr filesystem reaches 100%. This could happen if users were to store
considerable amounts of data (developers storing jar files or copies of application logs, for example) or
logs were to fill up their partition. Some Enterprises define a /logs partition and store application logs
there.
For additional security, an additional and separate partition may be created for /boot which creates
the kernel binaries and boot loader configuration. A /boot partition may be mounted read-only to
avoid accidental damage and to make malicious changes a little bit more difficult (e.g. less space
for backdoors in malicious kernel patches). A read-only /boot partition however will require special
procedures for a valid kernel patch (or update).
To limit the inconveniences caused by filling up /home, consider implementing user and group quotas
on the /home filesystem. Quotas will limit how much a single user (or single group) can store on a
given filesystem. More information is available in the SUSE Linux manuals (see the installation CDs).
Software Package Removal
There is considerable debate over the maintenance of unused software packages. Some people feel
that as long as the software is not being used, leaving it installed poses no appreciable risk. Others
9
feel that unused software presents another attack vector and increases the maintenance effort for the
administrators. This Benchmark makes no recommendation for the removal of unused software. If
vulnerable software is present on a system, that vulnerability may be exploitable by a local attacker,
and the reader is advised to consider the effort in either its removal or maintenance and the risks
thereof.
Software Package Installation
Throughout this Benchmark, you may be directed to enable software package init scripts using the
chkconfig command. This assumes you already installed said package(s). If the chkconfig command
fails, verify you actually installed the software required.
10
1 Patches, Packages and Initial Lockdown
1.1 Apply Latest OS Patches
Description:
Developing a procedure for keeping up-to-date with vendor patches is critical for the security and
reliability of the system. Vendors issue operating system updates when they become aware of
security vulnerabilities and other serious functionality issues, but it is up to their customers to actually
download and install these patches.
When Novell publishes an update for SUSE Linux, they include the procedures with it for updating
the package. This usually entails downloading the new RPMs from Novell, and making them available
to the individual servers. Some Enterprises make these packages available over an NFS share or an
internal anonymous FTP/HTTP server – your Enterprise may follow this practice or do something
different.
It is also important to observe that your applications work properly after patching. Though problems
in patches are quite rare in SUSE Linux, it is generally recommended that any patch be deployed to a
non-production system first for testing.
Some RPMs may need to be installed before others. For the most part, RPM understands and solves
dependencies. Novell creates separate instructions for special cases, like the replacement of the kernel
or the general C library glibc. You may need to examine the list of updates that you have downloaded
to check for any of these cases.
Finally, there is some risk to using a non-patched, non-hardened machine to download the patches, as
this involves connecting a system with security vulnerabilities on a network, which is not an Industry
Best Practice. Please consider these issues carefully. One approach is to use a stateful hardware
firewall to separate and protect the unpatched system from all other systems. For the purpose of update
and installation the hardware firewall should be configured to prevent all inbound connections; as well
as packets that aren’t part of an established session.
Novell offers at least partially automated patch download and installation via YaST Online Update.
In lieu of an existing Enterprise Standard, consider using YaST Online Update whenever Novell
announces vulnerabilities. If your Enterprise has several servers, consider installing an update server
that can be used in place of the update servers at Novell– the updates will go much faster, you will use
much less bandwidth from your ISP, and you will reduce the load on Novell's servers.
If YaST Online Update is used, it should be used on a lab server and the patches validated and the
system regression tested before going to live/production systems.
Recommendation Level: 1
Remediation:
Update system per your Enterprise Update procedures.
Scoring Status: Scorable
Compliance Mapping: TBD
11
Audit: TBD
1.2 Validate Your System Before Making Changes
Description:
Ensuring your system is functioning properly before you make a change is a prudent system
administration best practice and will save you hours of aggravation. Applying this Benchmark to a
system that already has issues makes troubleshooting very difficult and may lead you to believe the
Benchmark is at fault.
Examine the system and application logs (/var/log). Key words to look for include, but are not
limited to, "error", "warning", "critical", and "alert".
Performing a scan for rootkits is a prudent measure. Some enterprises may also wish to perform
further validation on the integrity of the operating system: anti-virus scanning and checking the
integrity of system files against a trusted database of file hashes. While this standard does not endorse
specific tools, the following are examples of tools used.
Rootkit detection: Chkrootkit, Rootkit Hunter or kstat (for advanced users).
Anti-virus: clamav (freeware) or commercial anti-virus products from Computer Associates, F-Secure,
Kaspersky, Sophos, Symantec or Trend Micro.
Trusted hash databases: The NSRL hash database, a database of file hashes from this server, stored on
a separate system (e.g. hashes from AIDE, Tripwire, Trusted Computing Base, etc).
Resolve all issues before continuing.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.3 Configure SSH
Description:
OpenSSH is installed by default. OpenSSH is a popular free distribution of the standards-track
SSH protocols which has become the standard implementation on Linux distributions. For more
information on OpenSSH, see http://www.openssh.org.
The settings in this section attempt to ensure safe defaults for both the client and the server.
Specifically, both the ssh client and the sshd server are configured to use only SSH protocol 2, as
security vulnerabilities have been found in the first SSH protocol. This may cause compatibility issues
at sites still using the vulnerable SSH protocol 1 these sites should endeavor to configure all systems
to use only SSH protocol 2.
12
Warning: Note that a banner is added in the sshd_config file – we will create
this banner later and it is discussed in detail in section 9. If you choose not to
implement a banner, you will have to remove the reference to /etc/issue from
sshd_config manually. Please read the section on the legal use of banners before
deciding to remove it.
Recommendation Level: 1
Remediation:
unalias cp rm mv
cd /etc/ssh
cp ssh_config ssh_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
{ print }' ssh_config.tmp > ssh_config
if [ "`egrep -l ^Protocol ssh_config`" == "" ]; then
echo 'Protocol 2' >> ssh_config
fi
rm ssh_config.tmp
diff ssh_config-preCIS ssh_config
Look at /etc/ssh/ssh_config to and verify “Protocol 2” is under the “Host *” entry. If it is not there,
edit the file and put “Protocol 2” under the “Host *” entry.
cp sshd_config sshd_config.tmp
awk '/^#? *Protocol/ { print "Protocol 2"; next };
/^#? *X11Forwarding/ \
{ print "X11Forwarding yes"; next };
/^#? *IgnoreRhosts/ \
{ print "IgnoreRhosts yes"; next };
/^#? *HostbasedAuthentication/ \
{ print "HostbasedAuthentication no"; next };
/^#? *PermitRootLogin/ \
{ print "PermitRootLogin no"; next };
/^#? *PermitEmptyPasswords/ \
{ print "PermitEmptyPasswords no"; next };
/^#? *Banner/ \
{ print "Banner /etc/issue.net"; next };
{print}' sshd_config.tmp > sshd_config
rm sshd_config.tmp
diff sshd_config-preCIS sshd_config
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
13
1.4 Enable System Accounting
Description:
System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 10 minutes.
The data may be accessed with the sar command, or by reviewing the nightly report files named
/var/log/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity
(password crackers and other CPU-intensive jobs, and activity outside of normal usage hours) may
be detected due to departures from the normal system performance curve. Note that this data is
only archived for one week before being automatically removed by the regular nightly cron job.
Administrators may wish to archive the /var/log/sa/ directory on a regular basis to preserve this data
for longer periods.
Note: SLES does not include sysstat by default (unless the full installation is chosen).
Recommendation Level: 1
Remediation:
Install package sysstat.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.5 SuSEfirewall2 is active
Description:
SuSEfirewall2 is a stateful network packet filter also known as firewall. It is a script that generates
iptables rules from configuration stored in the /etc/sysconfig/SuSEfirewall2file.
SuSEfirewall2 protects from network attacks by rejecting or dropping some unwanted packets that
reach your network interface.
SuSEfirewall2 is installed and activated by default. No services are allowed by default. Any services
to be allowed, such as SSH, must be specifically enabled. Use YaST Control Center#Security and
Users#Firewall to adjust the firewall configuration. Finer configuration control can be exercised by
using YaST Control Center#System#/etc/sysconfig editor in the Network/Firewall/SuSEfirewall2
selection, or editing the /etc/sysconfig/SuSEfirewall2file directly.
For additional information, see http://en.opensuse.org/SuSEfirewall2.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
14
1.6 seccheck is active
Description:
The SuSE Security Checker (package seccheck) is a set of several shellscripts which check the local
security of the system on a regular basis and email reports to a designated user (by default, root).
It includes several checks specified by other items within this benchmark.
Warning: If the package john is installed, seccheck will use it to evaluate the
password strength of accounts during weekly and monthly evaluations. You may
notice 100% processor utilization (due to the use of john) during these times.
Recommendation Level: 1
Remediation:
Install the seccheck package.
Run /usr/lib/secchk/security-control.sh.
Further adjustments can be made with the YaST Control Center#System#/etc/sysconfig editor in the
System/Security/Seccheck selection.
Monitor the daily, weekly, and monthly reports generated by the package.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
1.7 AppArmor is active
Description:
AppArmor provides network application security via mandatory access control for programs,
protecting against the exploitation of software flaws and compromised systems.
Use YaST Control Center#Novell AppArmor to adjust the AppArmor configuration.
For additional information, see http://www.novell.com/linux/security/apparmor/.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
15
2 Minimize xinetd network services
2.1 Disable Standard Services
Description:
SUSE Linux used xinetd, and in a default configuration, all xinetd services are off
On Linux, xinetd has outpaced inetd as the default network superserver.
After enabling SSH, it is possible to nearly do away with all xinetd-based services, since SSH provides
both a secure login mechanism and a means of transferring files to and from the system. The action
above will disable all standard services in the xinetd configuration.
The rest of the actions in this section give the administrator the option of re-enabling certain services.
Rather than disabling and then re-enabling these services, experienced administrators may wish to
simply disable only those services that they know are unnecessary for their systems. If there is any
doubt, it is better to disable everything, then re-enable the necessary services based on the function of
the server.
Note: If you attempt to re-enable a service and get a message like this:
unknown service
it means that you have not installed the software for that service yet. Install the software package then
proceed with the Benchmark.
Recommendation Level: 1
Remediation:
( cd /etc/xinetd.d; for s in *; do chkconfig $s off ; done; )
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.2 Limit access to trusted networks
Description:
Question: Is there a reason to allow unlimited network access to this server? If the answer to this
question is no, then perform the action below.
Use the standard system firewall configuration facility (SuSEfirewall2) to define networks to be
trusted.
Recommendation Level: 1
16
Remediation:
Add trusted networks to the FW_TRUSTED_NETSvariable in section 10 of the firewall configuration
file /etc/sysconfig/SuSEfirewall2/. This can be done using the YaST Control
Center#System#/etc/sysconfig editor in the Network/Firewall/SuSEfirewall2 selection.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.3 Only Enable telnet If Absolutely Necessary
Description:
Question: Is there a mission-critical reason that requires users to access this system via telnet,
rather than the more secure SSH protocol?
To enable telnet, chkconfig telnet on.
telnet uses an unencrypted network protocol, which means data from the login session (such as
passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the
network, and also that the session can be hijacked by outsiders to gain access to the remote system.
The freely-available SSH utilities that ship with SUSE Linux (see http://www.openssh.com/) provide
encrypted network logins and should be used instead.
To aid in the migration to SSH, there is a freely available SSH client for Windows called putty, which
is available from Simon Tatham (see http://www.chiark.greenend.org.uk/~sgtatham/putty/). There are
numerous commercially supported SSH clients as well – check to see if your Enterprise already has an
Enterprise SSH client.
Some Enterprises are using telnet over SSL, however, the simpler and more standard solution is to
use SSH. Configuring telnet over SSL is beyond the scope of a Level 1 Benchmark and will not be
addressed here.
It is understood that large Enterprises deeply entrenched in using telnet may take considerable effort
in migrating from telnet to ssh, so telnet may have to be enabled. When it can be disabled, simply run
chkconfig telnet off to turn it off again.
Recommendation Level: 1
Remediation:
chkconfig telnet off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
17
2.4 Only Enable FTP If Absolutely Necessary
Description:
Question: Is this machine an (anonymous) FTP server, or is there a mission-critical reason why
data must be transferred to and from this system via an ftp server, rather than sftp or scp? If the
answer to this question is yes, proceed with the actions below.
vsftpd is not installed by default.
chkconfig vsftpd on
Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted
during the session can be captured by sniffing the network, and that the FTP session itself can be
hijacked by an external attacker. SSH provides two different encrypted file transfer mechanisms –
scp and sftp – and should be used instead. Even if FTP is required because the local system is an
anonymous FTP server, consider requiring non-anonymous users on the system to transfer files via
SSH-based protocols. For further information on restricting FTP access to the system, see section 7.2
below.
Note: Any directory writable by an anonymous FTP server should have its own partition. This helps
prevent an FTP server from filling a hard drive used by other services.
To aid in the migration away from FTP, there are a number of freely available scp and sftp client
for Windows, such as WinSCP (available from http://winscp.sourceforge.net/eng/index.php) for a
Graphical interface to putty, and pscp, which is a part of the previously mentioned putty package.
Some Enterprises are using FTP over SSL, however, the simpler and more standard solution is to
use SSH. Configuring FTP over SSL is beyond the scope of a Level 1 Benchmark and will not be
addressed here.
Recommendation Level: 1
Remediation:
chkconfig vsftpd off.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.5 Only Enable rlogin/rsh/rcp If Absolutely Necessary
Description:
The r-commands suffer from the same hijacking and sniffing issues as telnet and ftp, and in addition
have a number of well-known weaknesses in their authentication scheme. SSH was designed to be
a drop-in replacement for these protocols. Given the wide availability of free SSH implementations,
it seems unlikely that there is ever a case where these tools cannot be replaced with SSH (again, see
http://www.openssh.com/).
chkconfig rexec on
18
chkconfig rlogin on
chkconfig rsh on
If these protocols are left enabled, please also see section 7.1 for additional security-related
configuration settings.
Recommendation Level: 1
Remediation:
chkconfig rexec off
chkconfig rlogin off
chkconfig rsh off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.6 Only Enable TFTP Server if Absolutely Necessary
Description:
Question: Is this system a boot server or is there some other mission-critical reason why data must
be transferred to and from this system via TFTP? If the answer to this question is yes, proceed with the
actions below.
chkconfig tftp on
if [ ! -d "/tftpboot" ] ; then
mkdir -m 0755 /tftpboot && \
chown root:root /tftpboot
fi
TFTP is typically used for network booting of diskless workstations, X-terminals, and other similar
devices. Routers and other network devices may copy configuration data to remote systems via TFTP
for backup. However, unless this system is needed in one of these roles, it is best to leave the TFTP
service disabled.
Note: The tftp-server software is not installed by default on SUSE Linux. You will have to install it if
you need to use it. After installing it, perform the actions above.
Recommendation Level: 1
Remediation:
chkconfig tftp off.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
19
2.7 Only Enable IMAP If Absolutely Necessary
Description:
Question: Is this machine a mail server with a mission-critical reason to use imap to serve mail to
remote mail clients? If the answer to this question is yes, proceed with the actions below.
chkconfig cyrus on
or
chkconfig imap on
Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail
servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. If this
system is a mail server that must offer this protocol then either cyrus or imap may be activated. Note:
cyrus and imap both provide IMAP and POP services.
Recommendation Level: 1
Remediation:
chkconfig cyrus off
or
chkconfig imap off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
2.8 Only Enable POP If Absolutely Necessary
Description:
Question: Is this machine a mail server with a mission-critical reason to use pop to serve mail to
remote mail clients? If the answer to this question is yes, proceed with the actions below.
chkconfig qpopper on
or
chkconfig cyrus on
Remote mail clients (like Eudora, Netscape Mail and Kmail) may retrieve mail from remote mail
servers using IMAP, the Internet Message Access Protocol, or POP, the Post Office Protocol. If this
system is a mail server that must offer the POP protocol then either qpopper or cyrus may be activated.
Recommendation Level: 1
20
Remediation:
chkconfig qpopper off
or
chkconfig cyrus off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3 Minimize boot services
3.1 Set Daemon umask
Description:
system default umask should be set to at least 027 in order to prevent daemon processes (such as the
syslog daemon) from creating world-writable files by default. If a particular daemon needs a less
restrictive umask, consider editing the daemon startup script to grant that daemon the required umask
while maintaining the increased server security posture.
Recommendation Level: 1
Remediation:
cd /etc
awk '($1=="umask") { if ($2 < "027") { $2="027";} }; \
{ print }' rc.status-preCIS > rc.status
if [ `grep -c umask rc.status` -eq 0 ]; then
echo "umask 027" >> rc.status
fi
diff rc.status-preCIS rc.status
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.2 Disable xinetd, If Possible
Description:
If the actions in Section 2 of this benchmark resulted in no services being enabled in the inet super
daemon /etc/xinetd.dconfiguration files, then the xinetd service may be disabled completely on
this system.
Recommendation Level: 1
Remediation:
cd /etc/xinetd.d
if [ `find . -type f | \
xargs awk '($1=="disable" && $3=="no") {print}'\
| wc -l` -eq 0 ]; then
chkconfig xinetd off;rcxinetd stop
fi
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
22
3.3 Disable remote SMTP connections
Description:
Question: Is this system a mail server – that is, does this machine receive and process email from
other hosts?
Postfix is installed and active by default on SUSE.
If the system must accept remote SMTP connections, enable remote SMTP connections by setting
SMTPD_LISTEN_REMOTE="yes"in the /etc/sysconfig/mailfile using YaST Control
Center#Network Services#Mail Transfer Agent, Incoming Mail, Accept Remote SMTP connections,
or YaST Control Center#System#/etc/sysconfig editor in the Network/Mail/General selection. The
SMTP service must also be enabled in the firewall.
Note that if the system is an email server, the administrator is encouraged to search the Web for
additional documentation on postfix security issues.
Experienced administrators will understand that a chroot-jailed user or program can still interact with a
postfix process listening on the loopback interface.
Rationale:
Leave the postfix service active and adjust the configuration if the system must act as an MTA.
Recommendation Level: 1
Remediation:
If the system need not accept remote SMTP connections, disable remote SMTP connections by setting
SMTPD_LISTEN_REMOTE="no"in the /etc/sysconfig/mailfile using YaST Control
Center#Network Services#Mail Transfer Agent, Incoming Mail, Accept Remote SMTP connections,
or YaST Control Center#System#/etc/sysconfig editor in the Network/Mail/General selection. Remote
SMTP connections are not accepted in a default configuration.
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.4 Disable GUI Login If Possible
Description:
Question: Is there a mission-critical reason to run a GUI login program on this system? If the
answer to this question is no, proceed with the actions below.
This action disables the graphical login, if present, leaving the user to login via SSH or a normal
text-based console. If you elect to deactivate the GUI login screen, users can still run X Windows by
typing startx at the shell prompt. In SUSE Linux, there are two main runlevels that the system runs in.
Runlevel 5 boots directly into X Windows, so as to allow graphical login or easy use of specialized
X terminals. Otherwise, for normal text-based console login, runlevel 3 is desirable. GUI login is
23
activated or deactivated by changing this runlevel in /etc/inittab. Again, note that runlevel 3 still
allows the user to run X Windows by typing startx at the shell prompt.
Recommendation Level: 1
Remediation:
sed -e 's/id:5:initdefault:/id:3:initdefault:/' \
< /etc/inittab > /etc/inittab.tmp
cp /etc/inittab.tmp /etc/inittab
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.5 Disable X Font Server If Possible
Description:
Question: Is there a mission-critical reason to run X Windows on this system? If the answer to this
question is no, proceed with the actions below.
If you won't be using an X server on this machine, this action will deactivate the font server.
Recommendation Level: 1
Remediation:
chkconfig xfs off
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.6 Disable Standard Boot Services
Description:
Every system daemon that does not have a clear and necessary purpose on the host should be
deactivated. This greatly reduces the chances that the machine will be running a vulnerable daemon
when the next vulnerability is discovered in its operating system.
SUSE Linux uses a facility called chkconfig to manage all the SysV rc-scripts. chkconfig adds or
deletes links in each of the appropriate runlevel directories (/etc/rc.d/rc*.d) to activate or deactivate
each of the rc-scripts.
This process "chkconfig's" all of the rc-scripts off, so that the local administrator can easily reactivate
any of these scripts upon discovery of a mission-critical need for one of these services. One could
reactivate the daemon script by typing chkconfig daemon on in most cases, which activates it in
runlevels 2 through 5. If one of these runlevels is undesirable, like runlevel 2 for the NFS script, or
24
the script needs to run in one of the other available runlevels, chkconfig takes the argument " level
<levels>" where one can explicitly specify runlevels that it should act on.
Note that vendor patches may restore some of the original entries in the startup script directories
/etc/rc.d/rc*.d – it is always a good idea to check these boot directories and remove any scripts that
may have been added by the patch installation process. This would be a good time to ensure this check
is in your Enterprise OS Upgrade Procedure.
The rest of the actions in this section give the administrator the option of re-enabling certain services
– in particular, the services that are disabled in the second loop in the "Action" section above. Rather
than disabling and then re-enabling these services, experienced administrators may wish to simply
disable only those services that they know are unnecessary for their systems.
The third loop in the "Action" section locks daemon-user accounts related to servers that we examine
by setting a lockout password. This will not prevent a given daemon from running as these users
– it simply confirms that these users are not available for human login. It also changes the shell to
/bin/false for an additional layer of security as long as shell access is not necessary. Bear in mind that
some packages (findutils up to version 4.1.20, for example) do not work properly without a shell for
the nobody account – be sure you test this thoroughly if you choose to invalidate the daemon shells.
Note: Not all of the scripts listed above will exist on all systems, as this is a superset of the available
rc-scripts in the various SUSE distributions. The benchmark's recommended action will register some
trivial errors on each distribution version as a result – these are not cause for alarm.
Recommendation Level: 1
Remediation:
for FILE in
Makefile aaeventd atd autofs autoyast boot.evms \
boot.multipath boot.sched boot.scsidev chargen \
chargen-udp cups-lpd cups cupsrenice daytime \
daytime-udp echo echo-udp esound evms fam gpm gssd \
idmapd ipmi ipxmount joystick lm_sensors mdadmd \
multipathd netstat nfsboot nfsserver nmb openct \
pcscd portmap powerd raw rexec rlogin rpasswdd \
rpmconfigcheck rsh rsync rsyncd saslauthd servers \
services skeleton.compat smartd smb smbfs smpppd \
snmpd svcgssd swat systat tftp time time-udp vnc \
vsftpd xfs xinetd ypbind ; do
/etc/init.d/$FILE stop
chkconfig $FILE off
done
for USERID in lp apache named mysql; do
usermod -L -s /bin/false $USERID
done
Scoring Status: Not Scorable
Compliance Mapping: TBD
25
Audit: TBD
3.7 Only Enable SMB (Windows File Sharing) and NMB (NetBIOS
Message Block) Processes If Absolutely Necessary
Description:
Question: Is this machine sharing files via the Windows file sharing protocols? If the answer to this
question is yes, proceed with the actions below.
chkconfig smb on
SUSE Linux includes the popular Open Source Samba server for providing file and print services to
Windows-based systems. This allows a Unix system to act as a file or print server in on a Windows
network, and even act as a Domain Controller (authentication server) to older Windows operating
systems. However, if this functionality is not required by the site, the service should be disabled.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.8 Only Enable NFS Server Processes If Absolutely Necessary
Description:
Question: Is this machine an NFS file server? If the answer to this question is yes, proceed with the
actions below.
chkconfig nfsserver on
NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need
to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS
server, the administrator should take reasonable precautions when exporting file systems, including
restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only"
where appropriate. For more information, consult the exports manual page.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.9 Only Enable NFS Client Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this system must access file systems from remote
servers via NFS? If the answer to this question is yes, proceed with the actions below.
26
chkconfig autofs on
Again, unless there is a significant need for this system to acquire data via NFS, administrators should
disable NFS-related services. Note that other file transfer schemes (such as rdist via SSH) can often be
preferable to NFS for certain applications.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.10 Only Enable NIS Client Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this machine must be an NIS client? If the answer to
this question is yes, proceed with the actions below.
chkconfig ypbind on
Unless this site must use NIS, it should really be avoided. While it can be very useful for transparently
scaling the number of workstations, it's not well designed for security. Sun Microsystems is now
phasing out NIS+ in favor of LDAP for naming services – NIS and NIS+ are now reaching end of life.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.11 Only Enable NIS Server Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this machine must be an NIS server? If the answer
to this question is yes, proceed with the actions below.
chkconfig ypserv on
chkconfig yppasswdd on
Unless this site must use NIS, it should be avoided. While it can be very useful for transparently
scaling the number of workstations, it is not well designed for security.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
27
3.12 Only Enable RPC Portmap Process If Absolutely Necessary
Description:
Question: This machine is an NFS client or server? Is this machine an NIS (YP) or NIS+ client or
server? Does the machine run a third-party software application which is dependent on RPC support?
If the answer to any of these questions is yes, proceed with the actions below.
chkconfig portmap on
RPC-based services typically use very weak or non-existent authentication and yet may share very
sensitive information. Unless one of the services listed above is required on this machine, best to
disable RPC-based tools completely. If there is uncertainty in whether or not a particular third-party
application requires RPC services, consult with the application vendor.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.13 Only Enable ncpfs Script If Absolutely Necessary
Description:
Question: Is this machine sharing files via the NFS, Novell Netware or Windows file sharing
protocols? If the answer to this question is yes, proceed with the actions below.
chkconfig ncpfs on
This service is not necessarily installed by default, therefore the above command may fail. If there
are no network file sharing protocols being used, one can deactivate the netfs script. This script
mounts network drives on the client. Though this is not a persistent daemon and thus not so dangerous,
thinning out the /etc/rc.d/rcN.d directories makes the system much easier to audit.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.14 Only Enable Web Server Processes If Absolutely Necessary
Description:
Question: Is there a mission-critical reason why this system must run a Web server? If the answer to
this question is yes, proceed with the actions below.
chkconfig apache2 on
Even if this machine is a web server, the local site may choose not to use the web server provided with
SLES in favor of a locally developed and supported Web environment.
28
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.15 Only Enable SNMP Processes If Absolutely Necessary
Description:
Question: Are hosts at this site remotely monitored by a tool (e.g., HP OpenView, MRTG, Cricket)
that relies on SNMP? If the answer to this question is yes, proceed with the actions below.
chkconfig snmpd on
If SNMP is used to monitor the hosts on this network, experts recommend changing the default
community string used to access data via SNMP. On SUSE Linux systems, this parameter has already
been changed to a reasonably secure setting in the file /etc/snmpd.conf.
Note: In a large Enterprise that relied heavily on SNMP, it was discovered during the Linux rollout
that SNMP was not a critical service, and not having it enabled increased the security posture of the
servers.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.16 Only Enable DNS Server Process If Absolutely Necessary
Description:
Question: Is this machine a DNS server, or is a local name server needed? If the answer to this
question is yes, proceed with the actions below.
chkconfig named on
Most of the machines in the organization do not need a DNS server running on the box. Unless this
is one of the organization's name servers, or a local cacheing name server is needed, it is safe to leave
inactive.
If this must be left active, please ensure patches are applied in a timely fashio and consider tightening
the configuration.
Additionally, consider the use of Access Control Lists (ACL's) in /etc/named.confto limit
who can query your name server. For example, Internal name servers should not respond to outside
requests. Large Enterprises run multiple name servers so this should not be an issue. However, smaller
organizations may not be able to deploy internal and external name servers and should consider this
precaution.
29
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.17 Only Enable SQL services If Absolutely Necessary
Description:
Question: Is this machine an SQL (database) server? If the answer to this question is yes, proceed
with the actions below.
chkconfig postgresql on
chkconfig mysql on
If this machine does not need to run the mainstream database (SQL) servers Postgres or MySQL, it is
safe to deactivate them. If you need to enable them, issue the command (above) for the database that
you installed.
Please read the discussion before executing these commands and select the appropriate command.
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
3.18 Only Enable Webmin Processes If Absolutely Necessary
Description:
Not Applicable to SUSE, This section is retained for consistency with the other Linux Benchmarks.
Recommendation Level: 1
Scoring Status: Not Scorable
Compliance Mapping: TBD
Audit: TBD
3.19 Only Enable Squid Cache Server If Absolutely Necessary
Description:
Question: Do you use the squid web cache? If the answer to this question is yes, proceed with the
actions below.
chkconfig squid on
30
Squid can actually be beneficial to security, as it imposes a proxy between the client and server.
On the other hand, if it is not being used, it should be deactivated and removed. This deactivation
decreases the risk of system compromise should a security vulnerability later be discovered in
Squid. Finally, if your site does used Squid, do configure it carefully. Many Squid caches are badly
configured to either allow outsider attackers to probe internal machines through the firewall or to use
the cache to hide their true source IP address from their target hosts. Each site should configure Squid
to not allow people outside their perimeter to use the cache without authentication of some sort. A
better deployment for squid is on a server with no external-facing network interface (unless you are
using it for a reverse web proxy, which is a very specific installation, and beyond the scope of this
benchmark).
Recommendation Level: 1
Scoring Status: Scorable
Compliance Mapping: TBD
Audit: TBD
31
4 Kernel Tuning
4.1 Network Parameter Modifications
Description:
For an explanation of some of these parameters, see
/Documentation/networking/ip-sysctl.txt in your local copy of the kernel source or read the latest from
the cross-referencing Linux site: http://lxr.linux.no/source/Documentation/networking/ip-sysctl.txt.
tcp_max_syn_backlog -INTEGER Maximal number of remembered connection requests, which are
still did not receive an acknowledgment from connecting client. Default value is 1024 for systems with
more than 128Mb of memory, and 128 for low memory machines. If server suffers of overload, try to
increase this number.
accept_source_route -BOOLEAN Accept packets with SRR option. conf/all/accept_source_route
must also be set to TRUE to accept packets with SRR option on the interface default TRUE (router)
FALSE (host)
accept_redirects -BOOLEAN Accept Redirects. Functional default: enabled if local forwarding is
disabled. disabled if local forwarding is enabled.
secure_redirects -BOOLEAN Accept ICMP redirect messages only for gateways, listed
in default gateway list. secure_redirects for the interface will be enabled if at least one of
conf/{all,interface}/secure_redirects is set to TRUE, it will be disabled otherwise default TRUE
rp_filter -BOOLEAN 1 -do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network routers. Could cause troubles for
complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static
routes. 0 -No source validation. conf/all/rp_filter must also be set to TRUE to do source validation on
the interface Default value is 0. Note that some distributions enable it in startup scripts.
accept_source_route -INTEGER Accept source routing (routing extension header). >= 0: Accept only
routing header type 2. <0: Do not accept routing header.
accept_redirects -
分享到:
发表评论
相关推荐
SuSE操作系统CIS标准。
the_definitive_guide_to_suse_linux_enterprise_server
总结了nmon_for_SUSE_Linux监控指标的含义,有兴趣的可以看看
OpenSUSE__11.0_and_SUSE__Linux__Enterprise_Server_Bible.pdf linux opensuse suse 操作系统配置脚本详解。 对于其它类型的linux系统配置也有参考作用,因为所有linux发行版操作系统内部配置大部分都相同。 注意,...
CIS_SUSE_Linux_Enterprise_12_Benchmark_v2.1.0.pdf CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.1.0.pdf CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v2.0.1.pdf CIS_VMware_ESXi_6.5_Benchmark_v1.0.0.pdf CIS_VMware_...
OpenSUSE__11.0_and_SUSE__Linux__Enterprise_Server_Bible.pdf linux opensuse suse 操作系统配置脚本详解。 对于其它类型的linux系统配置也有参考作用,因为所有linux发行版操作系统内部配置大部分都相同。 注意,...
suse linux 10.0安装教程,用图形一步一步教你如何安装及设置,非常详细。
open suse linux 学习介绍
TongLnk/Q8.1客户端
Wiley_SUSE_Linux_10宝典
业务安全_SUSE_Linux_主机安全加固
a pdf about open suse linux
R_TLQCli8.1.3.0_Linux2.6.16_X86_64.tar.Z
第一章: Linux操作系统简介 第二章: Linux操作系统安装和基本配置 第三章: Linux操作系统的文件系统结构 第四章: Linux操作系统的用户管理 第五章: Linux操作系统常用命令详解 第六章: Linux操作系统的进程...
dws_client_8.0.x_suse_x64.zip
IBM System X DSA日志抓取工具v10.1_suse11_X32
cacti_suse_64_sp4所有都是源码包安装说明:是全程采用源码包安装,适用于所有LINUX系统的安装,包括解决乱码,图出不来,以及安装过程配置客户端被监控的对应内容都有详细说明
R_TLQ8.1.3.0_Linux2.6.16_X86_64.tar.Z
针对个人用户。2005年10月6日推出的SUSE Linux有三个版本 - OSS版 (完全地开放原始码)