---
# Ownership/mode tuples, referenced below through %{alias('root_XXXX')}.
# The modes are deliberately quoted: Psych follows YAML 1.1, so an unquoted 0644
# would be read as the octal integer 420 and land in Puppet as the wrong mode.
root_0000: { owner: root, group: root, mode: '0000' }
root_0444: { owner: root, group: root, mode: '0444' }
root_0600: { owner: root, group: root, mode: '0600' }
root_0640: { owner: root, group: root, mode: '0640' }
root_0644: { owner: root, group: root, mode: '0644' }
root_0700: { owner: root, group: root, mode: '0700' }
# setuid-root / setgid-root templates. Nothing in this file references them; any
# new use creates a privilege boundary and should be reviewed as such.
root_4755: { owner: root, group: root, mode: '4755' }
root_2755: { owner: root, group: root, mode: '2755' }

# NOTE(review): the `filesystems:` key is commented out, which leaves the mount
# entries below as top-level keys that nothing in this file references. Confirm
# which module consumes them — otherwise CIS 1.1.2-1.1.17 are documented here
# but not actually enforced.
# filesystems:
# CIS 1.1.2 L2 Ensure separate partition exists for /tmp
# CIS 1.1.3 L1 Ensure nodev option set on /tmp partition
# CIS 1.1.4 L1 Ensure nosuid option set on /tmp partition
# CIS 1.1.5 L1 Ensure noexec option set on /tmp partition
/tmp:
  options: nodev,nosuid,noexec
  size: 512M
# CIS 1.1.6 L2 Ensure separate partition exists for /var
/var:
  size: 2048M
# CIS 1.1.7 L2 Ensure separate partition exists for /var/tmp
# CIS 1.1.8 L1 Ensure nodev option set on /var/tmp partition
# CIS 1.1.9 L1 Ensure nosuid option set on /var/tmp partition
# CIS 1.1.10 L1 Ensure noexec option set on /var/tmp partition
/var/tmp:
  options: nodev,nosuid,noexec
  size: 512M
# CIS 1.1.11 L2 Ensure separate partition exists for /var/log
/var/log:
  size: 512M
# CIS 1.1.12 L2 Ensure separate partition exists for /var/log/audit
# Sized against auditd.conf below (max_log_file 8 MiB x num_logs 5) with headroom.
/var/log/audit:
  size: 512M
# CIS 1.1.13 L2 Ensure separate partition exists for /home
# CIS 1.1.14 L1 Ensure nodev option set on /home partition
/home:
  size: 2048M
  options: nodev
# CIS 1.1.15 L1 Ensure nodev option set on /dev/shm partition
# CIS 1.1.16 L1 Ensure nosuid option set on /dev/shm partition
# CIS 1.1.17 L1 Ensure noexec option set on /dev/shm partition
/dev/shm:
  options: nodev,nosuid,noexec
  fstype: tmpfs
  device: tmpfs
# Not implemented in this file (no persistent setting to manage):
# CIS 1.1.18 L1 Ensure nodev option set on removable media partitions
# CIS 1.1.19 L1 Ensure nosuid option set on removable media partitions
# CIS 1.1.20 L1 Ensure noexec option set on removable media partitions
# CIS 1.1.21 L1 Ensure sticky bit is set on all world-writable directories
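# CIS 1.1.21 L1 Ensure sticky bit is set on all world-writable directories
# Listed for traceability only — no setting in this file implements them:
# CIS 1.2.1 L1 Ensure package manager repositories are configured
# CIS 1.2.2 L1 Ensure gpgcheck is globally activated
# CIS 1.2.3 L1 Ensure GPG keys are configured
# CIS 1.2.4 L1 Ensure Red Hat Subscription Manager connection is configured
# CIS 1.3.1 L1 Ensure AIDE is installed

# CIS 1.7.1.2 L1 Ensure local login warning banner is configured properly - banner text
# Rendered into /etc/issue and /etc/issue.net by the SSH module and shown before
# authentication, so it must never carry OS/kernel/host details (CIS 1.7.1.x).
profile::ssh::banner_content: |2+
  Do not logon unless you have read and agree to the following.
  By continuing to logon you are representing that you are an authorised user and you accept and agree that:
  1. use of Australia Post (AP) computers, systems, software and facilities including email and Internet Browsing is subject to policies and guidelines issued by Australia Post from time to time;
  2. the contents of all internal, incoming and outgoing emails are the property of Australia Post;
  3. Australia Post may take disciplinary action under the AP Employee Counselling and Disciplinary Process, and/or legal action against anyone failing to comply with relevant policy or misusing IT facilities including email and Internet;
  4. misuse includes use, access or transmission of pornographic photos, animations, cartoons, and images (including screensavers), sexually explicit, sexist, racist material or material that offends, embarrasses or degrades a person because of disability, sex, religion or ethnic background, or unacceptable behaviour or harrassment as outlined in the Code of Ethics or Harrassment Policy;
  5. Australia Post may monitor or audit the use of any of its IT facilities and any information stored or passed through these facilities including email and Internet browsing details;
  It is your responsibility to read and comply with the Group Technology Use Policy.
  Should you have any questions about these conditions or the policies detailed here please contact your line manager.
  For all information security related issues contact the Information Security Office at secureatpost@auspost.com.au
  I agree to these terms and conditions.

profile::file_ops::files:
  # CIS 1.4.1 L1 Ensure permissions on bootloader config are configured - grub.cfg
  # CIS 1.4.1 audits for og-rwx (0600); the previous root_0640 left the file
  # group-readable and fails that check. Only root ever reads it at runtime.
  /boot/grub2/grub.cfg: "%{alias('root_0600')}"
  # CIS 1.4.1 L1 Ensure permissions on bootloader config are configured - user.cfg
  # user.cfg holds the GRUB superuser password hash (grub2-setpassword, CIS 1.4.2).
  /boot/grub2/user.cfg: "%{alias('root_0600')}"
  # CIS 1.7.1.1 L1 Ensure message of the day is configured properly - banner text
  # CIS 1.7.1.4 L1 Ensure permissions on /etc/motd are configured
  # Emptied so the post-login message cannot leak release/kernel/host details.
  /etc/motd:
    content: ''
    mode: '0644'
    owner: root
    group: root
  # CIS 1.7.1.5 L1 Ensure permissions on /etc/issue are configured - already covered by SSH module
  #/etc/issue:
  #  content: "%{hiera('profile::ssh::banner_content')}"
  #  mode: 644
  #  owner: root
  #  group: root
  # CIS 1.7.1.3 L1 Ensure remote login warning banner is configured properly - banner text
  # CIS 1.7.1.6 L1 Ensure permissions on /etc/issue.net are configured - already covered by SSH module
  #/etc/issue.net:
  #  content: "%{hiera('profile::ssh::banner_content')}"
  #  mode: 644
  #  owner: root
  #  group: root
  # CIS 3.4.2 L1 Ensure /etc/hosts.allow is configured
  # CIS 3.4.4 L1 Ensure permissions on /etc/hosts.allow are configured
  # The rule is written bare: the earlier revision wrapped it in single quotes
  # inside the literal block, so the file on disk contained 'ALL: 10.0.0.0/255.0.0.0'
  # and tcp_wrappers compared daemons against the token 'ALL — which matches
  # nothing. With hosts.deny equally unmatched, no wrapper restriction applied.
  # Scope is the whole 10/8; tighten to management ranges if those are known.
  /etc/hosts.allow:
    content: |
      # File managed by Puppet
      ALL: 10.0.0.0/255.0.0.0
    mode: '0644'
    owner: root
    group: root
  # CIS 3.4.3 L1 Ensure /etc/hosts.deny is configured
  # CIS 3.4.5 L1 Ensure permissions on /etc/hosts.deny are configured
  # Default-deny for every libwrap-aware daemon (sshd on RHEL 7 is one of them).
  /etc/hosts.deny:
    content: |
      # File managed by Puppet
      ALL: ALL
    mode: '0644'
    owner: root
    group: root
  # Kernel modules neutralised via `install <mod> /bin/true` (modprobe runs the
  # command instead of loading the module). Caveat for 1.1.1.8: vfat is needed
  # to mount the EFI System Partition on UEFI hosts — that is why CIS lists it as L2.
  /etc/modprobe.d/CIS.conf:
    content: |
      # File managed by Puppet
      # CIS 1.1.1.1 L1 Ensure mounting of cramfs filesystems is disabled - modprobe
      install cramfs /bin/true
      # CIS 1.1.1.2 L1 Ensure mounting of freevxfs filesystems is disabled - lsmod
      install freevxfs /bin/true
      # CIS 1.1.1.3 L1 Ensure mounting of jffs2 filesystems is disabled - modprobe
      install jffs2 /bin/true
      # CIS 1.1.1.4 L1 Ensure mounting of hfs filesystems is disabled - modprobe
      install hfs /bin/true
      # CIS 1.1.1.5 L1 Ensure mounting of hfsplus filesystems is disabled - lsmod
      install hfsplus /bin/true
      # CIS 1.1.1.6 L1 Ensure mounting of squashfs filesystems is disabled - modprobe
      install squashfs /bin/true
      # CIS 1.1.1.7 L1 Ensure mounting of udf filesystems is disabled - lsmod
      install udf /bin/true
      # CIS 1.1.1.8 L2 Ensure mounting of FAT filesystems is disabled
      install vfat /bin/true
      # CIS 3.5.1 L1 Ensure DCCP is disabled
      install dccp /bin/true
      # CIS 3.5.2 L1 Ensure SCTP is disabled
      install sctp /bin/true
      # CIS 3.5.3 L1 Ensure RDS is disabled
      install rds /bin/true
      # CIS 3.5.4 L1 Ensure TIPC is disabled
      install tipc /bin/true
    mode: '0644'
    owner: root
    group: root
  # CIS 5.1.2 L1 Ensure permissions on /etc/crontab are configured
  /etc/crontab: "%{alias('root_0600')}"
  # CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - cron.allow / at.allow
  # Only ownership/mode are managed here (no content), so these entries presume
  # the files already exist. NOTE(review): confirm that they do — with *.deny
  # removed below and *.allow missing, cronie's site default decides who may
  # schedule jobs.
  /etc/cron.allow: "%{alias('root_0600')}"
  # CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - cron.deny
  /etc/cron.deny:
    ensure: absent
  # CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - at.allow
  /etc/at.allow: "%{alias('root_0600')}"
  # CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - at.deny
  /etc/at.deny:
    ensure: absent
  # CIS 5.3.1 L1 Ensure password creation requirements are configured
  # NOTE(review): CIS 5.3.1 asks for minlen = 14; 9 is a site deviation and
  # should be recorded as such.
  /etc/security/pwquality.conf:
    content: |
      # File managed by Puppet
      difok = 5
      # CIS 5.3.1 L1 Ensure password creation requirements are configured - minlen
      minlen = 9
      # CIS 5.3.1 L1 Ensure password creation requirements are configured - dcredit
      dcredit = -1
      # CIS 5.3.1 L1 Ensure password creation requirements are configured - ucredit
      ucredit = -1
      # CIS 5.3.1 L1 Ensure password creation requirements are configured - lcredit
      lcredit = -1
      # CIS 5.3.1 L1 Ensure password creation requirements are configured - ocredit
      ocredit = -1
      # minclass = 0
      # maxrepeat = 0
      # maxclassrepeat = 0
      # gecoscheck = 0
      # dictpath =
    mode: '0644'
    owner: root
    group: root
  # CIS 5.4.4 L1 Ensure default user umask is 027 or more restrictive - /etc/profile /etc/profile.d/*.sh
  /etc/profile.d/umask.sh:
    content: "umask 0027\n"
  /etc/profile.d/umask.csh:
    content: "umask 0027\n"
  # CIS 5.4.5 L2 Ensure default user shell timeout is 900 seconds or less - /etc/profile
  # TMOUT is now made readonly before export, as in the CIS remediation, so an
  # interactive user cannot `unset TMOUT` to opt out of the timeout.
  # NOTE(review): 36000 s (10 h) is far above the 900 s ceiling in CIS 5.4.5 —
  # either record it as an accepted exception or lower it.
  /etc/profile.d/autologout.sh:
    content: "TMOUT=36000\nreadonly TMOUT\nexport TMOUT\n"
  # NOTE(review): csh/tcsh do not honour TMOUT (tcsh uses the `autologout`
  # variable) and `TMOUT=36000` is not csh assignment syntax — verify this file
  # actually does anything for csh users.
  /etc/profile.d/tmout.csh:
    content: "TMOUT=36000\n"
  # CIS 6.1.2 L1 Ensure permissions on /etc/passwd are configured
  /etc/passwd: "%{alias('root_0644')}"
  # CIS 6.1.3 L1 Ensure permissions on /etc/shadow are configured
  /etc/shadow: "%{alias('root_0000')}"
  # CIS 6.1.4 L1 Ensure permissions on /etc/group are configured
  /etc/group: "%{alias('root_0644')}"
  # CIS 6.1.5 L1 Ensure permissions on /etc/gshadow are configured
  /etc/gshadow: "%{alias('root_0000')}"
  # CIS 6.1.6 L1 Ensure permissions on /etc/passwd- are configured
  /etc/passwd-: "%{alias('root_0644')}"
  # CIS 6.1.7 L1 Ensure permissions on /etc/shadow- are configured
  /etc/shadow-: "%{alias('root_0000')}"
  # CIS 6.1.8 L1 Ensure permissions on /etc/group- are configured
  /etc/group-: "%{alias('root_0644')}"
  # CIS 6.1.9 L1 Ensure permissions on /etc/gshadow- are configured
  /etc/gshadow-: "%{alias('root_0000')}"
  # CIS 2.2.1.2 L1 Ensure ntp is configured - restrict -4 / restrict -6 / server - not using NTP
  # CIS 2.2.1.3 L1 Ensure chrony is configured - NTP server - set elsewhere in hiera
  # CIS 2.2.1.3 L1 Ensure chrony is configured - OPTIONS
  /etc/sysconfig/chronyd:
    content: |
      # File managed by Puppet
      OPTIONS='-u chrony'
  # CIS 4.1.1.1 L2 Ensure audit log storage size is configured
  # CIS 4.1.1.2 L2 Ensure system is disabled when audit logs are full
  # CIS 4.1.1.3 L2 Ensure audit logs are not automatically deleted
  # NOTE(review): the values below deviate from the CIS text for 4.1.1.2/4.1.1.3:
  #   space_left_action = SYSLOG         (CIS: email)
  #   admin_space_left_action = SUSPEND  (CIS: halt)
  #   max_log_file_action = ROTATE       (CIS: keep_logs)
  # i.e. the host keeps running and overwrites old audit logs rather than halting
  # or preserving them. That is a defensible availability trade-off only if the
  # logs are shipped off-host before rotation; confirm that the log-server rule
  # in the firewall section is the path that does so.
  # CIS 4.1.2 L2 Ensure auditd service is enabled
  # CIS 4.1.3 L2 Ensure auditing for processes that start prior to auditd is enabled
  # CIS 4.1.4 L2 Ensure events that modify date and time information are collected
  #   (adjtimex, clock_settime, /etc/localtime; b32 and b64)
  # CIS 4.1.5 L2 Ensure events that modify user/group information are collected
  #   (/etc/group, /etc/passwd, /etc/gshadow, /etc/shadow, /etc/security/opasswd)
  # CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected
  #   (sethostname b32/b64, /etc/issue, /etc/issue.net, /etc/hosts,
  #    /etc/sysconfig/network, /etc/sysconfig/network-scripts)
  # CIS 4.1.7 L2 Ensure events that modify the system's Mandatory Access Controls are collected
  #   (/etc/selinux/, /usr/share/selinux/)
  # CIS 4.1.8 L2 Ensure login and logout events are collected
  #   (/var/log/lastlog, /var/run/faillock/)
  # CIS 4.1.9 L2 Ensure session initiation information is collected (utmp, wtmp, btmp)
  # CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected
  #   (chmod/fchmod/fchmodat, chown/fchown/fchownat/lchown,
  #    setxattr/lsetxattr/fsetxattr/removexattr; b32 and b64)
  # CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected
  #   (EACCES, EPERM; b32 and b64)
  # CIS 4.1.12 L2 Ensure use of privileged commands is collected
  # CIS 4.1.13 L2 Ensure successful file system mounts are collected (b32 and b64)
  # CIS 4.1.14 L2 Ensure file deletion events by users are collected (b32 and b64)
  # CIS 4.1.15 L2 Ensure changes to system administration scope (sudoers) is collected
  #   (/etc/sudoers, /etc/sudoers.d)
  # CIS 4.1.16 L2 Ensure system administrator actions (sudolog) are collected
  # CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected
  #   (insmod, rmmod, modprobe, init_module/delete_module)
  # CIS 4.1.18 L2 Ensure the audit configuration is immutable
  # The audit rules themselves (4.1.4-4.1.18) are not in this file.
  /etc/audit/auditd.conf:
    content: |
      # File managed by Puppet
      #
      # This file controls the configuration of the audit daemon
      #
      local_events = yes
      write_logs = yes
      log_file = /var/log/audit/audit.log
      log_group = root
      log_format = RAW
      flush = INCREMENTAL_ASYNC
      freq = 50
      max_log_file = 8
      num_logs = 5
      priority_boost = 4
      disp_qos = lossy
      dispatcher = /sbin/audispd
      name_format = NONE
      ##name = mydomain
      max_log_file_action = ROTATE
      space_left = 75
      space_left_action = SYSLOG
      verify_email = yes
      action_mail_acct = root
      admin_space_left = 50
      admin_space_left_action = SUSPEND
      disk_full_action = SUSPEND
      disk_error_action = SUSPEND
      use_libwrap = yes
      ##tcp_listen_port = 60
      tcp_listen_queue = 5
      tcp_max_per_addr = 1
      ##tcp_client_ports = 1024-65535
      tcp_client_max_idle = 0
      enable_krb5 = no
      krb5_principal = auditd
      ##krb5_key_file = /etc/audit/audit.key
      distribute_network = no

profile::file_ops::directories:
  # CIS 5.1.3 L1 Ensure permissions on /etc/cron.hourly are configured
  /etc/cron.hourly: "%{alias('root_0700')}"
  # CIS 5.1.4 L1 Ensure permissions on /etc/cron.daily are configured
  /etc/cron.daily: "%{alias('root_0700')}"
  # CIS 5.1.5 L1 Ensure permissions on /etc/cron.weekly are configured
  /etc/cron.weekly: "%{alias('root_0700')}"
  # CIS 5.1.6 L1 Ensure permissions on /etc/cron.monthly are configured
  /etc/cron.monthly: "%{alias('root_0700')}"
  # CIS 5.1.7 L1 Ensure permissions on /etc/cron.d are configured
  /etc/cron.d: "%{alias('root_0700')}"

# CIS 5.3.1 L1 Ensure password creation requirements are configured
#   - password-auth / system-auth: try_first_pass, retry=3
# NOTE(review): this key is spelt `dfok` while pwquality.conf above uses
# `difok`. If the central_auth module's parameter is `difok`, this lookup never
# matches and the module default silently applies — check the module.
central_auth::pam::dfok: 5
central_auth::pam::minlen: 9
central_auth::pam::dcredit: -1
central_auth::pam::ucredit: -1
central_auth::pam::ocredit: -1
central_auth::pam::lcredit: -1

# CIS 1.4.2 L1 Ensure bootloader password is set
# CIS 1.4.3 L1 Ensure authentication required for single user mode - rescue.service / emergency.service
# CIS 1.5.1 L1 Ensure core dumps are restricted - limits.conf limits.d
security::limits::limits_hash:
  "*/hard/core":
    value: '0'

# CIS 1.5.1 L1 Ensure core dumps are restricted - sysctl / sysctl.conf sysctl.d
profile::kernel::sysctl:
  fs.suid_dumpable: 0
  # CIS 1.5.3 L1 Ensure address space layout randomization (ASLR) is enabled
  kernel.randomize_va_space: 2
  # CIS 3.1.1 L1 Ensure IP forwarding is disabled - sysctl / sysctl.conf sysctl.d
  net.ipv4.ip_forward: 0
  # CIS 3.1.2 L1 Ensure packet redirect sending is disabled
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  # CIS 3.2.1 L1 Ensure source routed packets are not accepted
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  # CIS 3.2.2 L1 Ensure ICMP redirects are not accepted
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  # CIS 3.2.3 L1 Ensure secure ICMP redirects are not accepted
  net.ipv4.conf.all.secure_redirects: 0
  net.ipv4.conf.default.secure_redirects: 0
  # CIS 3.2.4 L1 Ensure suspicious packets are logged
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  # CIS 3.2.5 L1 Ensure broadcast ICMP requests are ignored
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  # CIS 3.2.6 L1 Ensure bogus ICMP responses are ignored
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  # CIS 3.2.7 L1 Ensure Reverse Path Filtering is enabled
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # CIS 3.2.8 L1 Ensure TCP SYN Cookies is enabled
  net.ipv4.tcp_syncookies: 1
  # CIS 3.3.1 L1 Ensure IPv6 router advertisements are not accepted
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  # CIS 3.3.2 L1 Ensure IPv6 redirects are not accepted
  net.ipv6.conf.all.accept_redirects: 0
  net.ipv6.conf.default.accept_redirects: 0

# CIS 1.5.2 L1 Ensure XD/NX support is enabled (32 bit only)
# CIS 1.8 L1 Ensure updates, patches, and additional security software are installed
# CIS 2.2.15 L1 Ensure mail transfer agent is configured for local-only mode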
# CIS 2.2.15 L1 Ensure mail transfer agent is configured for local-only mode
networking::mailclient::inet_interfaces: 'localhost'

# Packages ensured absent. Removing a package is stronger than disabling its
# service: the binaries are gone, so a local attacker cannot simply start them.
packages::remove:
  RedHat:
    # CIS 1.1.22 L1 Disable Automounting
    - autofs
    # CIS 1.5.4 L1 Ensure prelink is disabled
    - prelink
    # CIS 1.6.1.4 L2 Ensure SETroubleshoot is not installed
    - setroubleshoot
    # CIS 1.6.1.5 L2 Ensure the MCS Translation Service (mcstrans) is not installed
    - mcstrans
    # CIS 1.7.2 L1 Ensure GDM login banner is configured
    #   (user-db, system-db, file-db, banner message enabled, banner message text)
    #   — moot once the display manager is absent
    - gdm
    # CIS 2.1.1 L1 Ensure chargen services are not enabled - dgram / stream
    # CIS 2.1.2 L1 Ensure daytime services are not enabled - dgram / stream
    # CIS 2.1.3 L1 Ensure discard services are not enabled - dgram / stream
    # CIS 2.1.4 L1 Ensure echo services are not enabled - dgram / stream
    # CIS 2.1.5 L1 Ensure time services are not enabled - dgram / stream
    # CIS 2.1.7 L1 Ensure xinetd is not enabled (covers the five above)
    - xinetd
    # CIS 2.1.6 L1 Ensure tftp server is not enabled
    # CIS 2.2.20 L1 Ensure tftp server is not enabled
    - tftp-server
    # CIS 2.2.2 L1 Ensure X Window System is not installed
    # CIS 2.2.3 L1 Ensure Avahi Server is not enabled
    - avahi
    # CIS 2.2.4 L1 Ensure CUPS is not enabled
    - cups
    # CIS 2.2.5 L1 Ensure DHCP Server is not enabled
    - dhcp
    - dnsmasq
    # CIS 2.2.6 L1 Ensure LDAP server is not enabled
    - openldap-servers
    # CIS 2.2.7 L1 Ensure NFS and RPC are not enabled
    - nfs
    - nfs-server
    - rpcbind
    # CIS 2.2.8 L1 Ensure DNS Server is not enabled
    - bind
    - pdns
    # CIS 2.2.9 L1 Ensure FTP Server is not enabled
    - vsftpd
    - pure-ftpd
    - perl-ftpd
    - proftpd
    # CIS 2.2.10 L1 Ensure HTTP server is not enabled
    - caddy
    - httpd
    - lighttpd
    - nginx
    - nginx14-nginx
    - nginx16-nginx
    - nodejs-ws
    - xbean
    - rubygem-thin
    # CIS 2.2.11 L1 Ensure IMAP and POP3 server is not enabled
    - dovecot
    - cyrus-imapd
    # CIS 2.2.12 L1 Ensure Samba is not enabled
    - samba
    - samba-dc
    # CIS 2.2.13 L1 Ensure HTTP Proxy Server is not enabled
    - squid
    # CIS 2.2.14 L1 Ensure SNMP Server is not enabled
    - net-snmp
    # CIS 2.2.16 L1 Ensure NIS Server is not enabled
    # CIS 2.3.1 L1 Ensure NIS Client is not installed
    - ypserv
    - ypbind
    # CIS 2.2.17 L1 Ensure rsh server is not enabled - rexec / rlogin / rsh
    # CIS 2.3.2 L1 Ensure rsh client is not installed
    - rsh-server
    - rsh
    # CIS 2.2.18 L1 Ensure talk server is not enabled
    # CIS 2.3.3 L1 Ensure talk client is not installed
    - ntalk
    - talk
    # CIS 2.2.19 L1 Ensure telnet server is not enabled
    - telnet-server

profile::services:
  # CIS 1.2.5 L2 Disable the rhnsd Daemon
  rhnsd:
    ensure: stopped
    enable: false
  # CIS 2.2.21 L1 Ensure rsync service is not enabled
  rsyncd:
    ensure: stopped
    enable: false
  # CIS 5.1.1 L1 Ensure cron daemon is enabled
  crond:
    ensure: running
    enable: true

# CIS 2.3.4 L1 Ensure telnet client is not installed - disputed
# CIS 2.3.5 L1 Ensure LDAP client is not installed - disputed

packages::add:
  RedHat:
    # CIS 3.4.1 L1 Ensure TCP Wrappers is installed (required for hosts.allow/deny to mean anything)
    - tcp_wrappers
    # CIS 1.6.2 L2 Ensure SELinux is installed
    - libselinux

# CIS 3.6.1 L1 Ensure iptables is installed
profile::firewall::enable: true

# CIS 3.6.2 L1 Ensure default deny firewall policy — every chain, both families,
# drops by default; everything that follows is an explicit allow.
profile::firewall::chains:
  INPUT:filter:IPv4:
    policy: drop
  INPUT:filter:IPv6:
    policy: drop
  FORWARD:filter:IPv4:
    policy: drop
  FORWARD:filter:IPv6:
    policy: drop
  OUTPUT:filter:IPv4:
    policy: drop
  OUTPUT:filter:IPv6:
    policy: drop

# CIS 3.6.3 L1 Ensure loopback traffic is configured - configured in code
# CIS 3.6.4 L1 Ensure outbound and established connections are configured - configured in code
# CIS 3.6.5 L1 Ensure firewall rules exist for all open ports
profile::firewall::inbound:
  '101 DHCP Server':
    sport: 67
    proto: udp
  # No `source`, so port 22 is reachable from any network that can route to the
  # host; tcp_wrappers (hosts.allow, 10/8) and AllowGroups are the only scoping.
  '110 SSH Access':
    dport: 22
  '161 NetBackup Server':
    dport: [ 1556, 13724 ]

profile::firewall::outbound:
  '101 DHCP Client':
    sport: 68
    proto: udp
  # Replies for inbound SSH (return traffic is otherwise handled by the
  # established-connection rule configured in code).
  '120 SSH Access':
    sport: 22
  '130 Puppet Server Access':
    dport: [8140,8142]
    destination: 10.5.162.0/24
  '102 Network Time Protocol':
    dport: 123
    proto: udp
  '103 Name Resolution TCP':
    dport: 53
    proto: tcp
  '103 Name Resolution UDP':
    dport: 53
    proto: udp
  '104 AD Authentication TCP':
    dport: [ 88, 389, 445, 464, 3268 ]
  '104 AD Authentication UDP':
    dport: [ 88, 137, 389 ]
    proto: udp
  '140 RightLink Agent':
    # Published vendor ranges: https://docs.rightscale.com/faq/Firewall_Configuration_Ruleset.html
    dport: 443
    destination:
      - 54.225.248.128/27
      - 54.244.88.96/27
      - 54.86.63.128/26
      - 54.187.254.128/26
      - 54.246.247.16/28
      - 54.248.220.128/28
      - 54.255.255.208/28
      - 52.65.255.224/28
  # EC2 instance metadata service. Anything on the host that can reach it can
  # read the instance role credentials; whether IMDSv2 (token) is required is an
  # instance setting, not something this rule controls.
  '141 AWS Instance Data':
    dport: 80
    destination: 169.254.169.254/32
  '145 Sumo Logic Monitoring':
    # Sumo collectors run on arbitrary EC2 addresses, so the vendor asks for the
    # whole EC2 range of the region (ap-southeast-2):
    # https://help.sumologic.com/APIs/General-API-Information/Sumo-Logic-Endpoints-and-Firewall-Security
    # Security note: this makes "any EC2 instance in these regions, port 443" a
    # permitted egress destination, which weakens the default-deny OUTPUT policy
    # as a data-exfiltration control. Revisit once the agent can be pinned.
    dport: 443
    destination:
      - 13.210.0.0/15
      - 13.236.0.0/14
      - 13.54.0.0/15
      - 15.193.3.0/24
      - 3.104.0.0/14
      - 3.24.0.0/14
      - 52.62.0.0/15
      - 52.64.0.0/17
      - 52.64.128.0/17
      - 52.65.0.0/16
      - 52.94.248.64/28
      - 52.95.241.0/24
      - 52.95.255.16/28
      - 54.153.128.0/17
      - 54.206.0.0/16
      - 54.252.0.0/16
      - 54.253.0.0/16
      - 54.66.0.0/16
      - 54.79.0.0/16
      - 99.77.144.0/24
      # Some Sumo installations still talk to us-east-1; these ranges should be
      # removed once the agent is pointed at the AU endpoint only.
      - 100.24.0.0/13
      - 107.20.0.0/14
      - 15.193.6.0/24
      - 162.250.236.0/24
      - 162.250.237.0/24
      - 162.250.238.0/23
      - 174.129.0.0/16
      - 18.204.0.0/14
      - 18.208.0.0/13
      - 18.232.0.0/14
      - 184.72.128.0/17
      - 184.72.64.0/18
      - 184.73.0.0/16
      - 204.236.192.0/18
      - 208.86.88.0/23
      - 216.182.224.0/21
      - 216.182.232.0/22
      - 216.182.238.0/23
      - 23.20.0.0/14
      - 3.208.0.0/12
      - 3.224.0.0/12
      - 3.80.0.0/12
      - 34.192.0.0/12
      - 34.224.0.0/12
      - 35.153.0.0/16
      - 35.168.0.0/13
      - 44.192.0.0/11
      - 50.16.0.0/15
      - 50.19.0.0/16
      - 52.0.0.0/15
      - 52.2.0.0/15
      - 52.20.0.0/14
      - 52.200.0.0/13
      - 52.4.0.0/14
      - 52.44.0.0/15
      - 52.54.0.0/15
      - 52.70.0.0/15
      - 52.72.0.0/15
      - 52.86.0.0/15
      - 52.90.0.0/15
      - 52.94.201.0/26
      - 52.94.248.0/28
      - 52.95.245.0/24
      - 52.95.255.80/28
      - 54.144.0.0/14
      - 54.152.0.0/16
      - 54.156.0.0/14
      - 54.160.0.0/13
      - 54.172.0.0/15
      - 54.174.0.0/15
      - 54.196.0.0/15
      - 54.198.0.0/16
      - 54.204.0.0/15
      - 54.208.0.0/15
      - 54.210.0.0/15
      - 54.221.0.0/16
      - 54.224.0.0/15
      - 54.226.0.0/15
      - 54.234.0.0/15
      - 54.236.0.0/15
      - 54.242.0.0/15
      - 54.80.0.0/13
      - 54.88.0.0/14
      - 54.92.128.0/17
      - 67.202.0.0/18
      - 72.44.32.0/19
      - 75.101.128.0/17
      - 99.77.128.0/24
      - 99.77.129.0/24
      - 99.77.191.0/24
      - 99.77.254.0/24
  '150 Telegraf Monitoring':
    dport: 80
    destination: [ 10.212.82.107/32, 10.212.85.6/32 ]
  # NOTE(review): if the yum_server fact is unset this interpolates to an empty
  # destination; check what the firewall module does with that (likely "any").
  '160 YUM Server':
    dport: [ 80, 443 ]
    destination: "%{::yum_server}"
  '161 NetBackup Server':
    dport: [ 1556, 13724 ]
  '162 Mail Server':
    dport: 25
    destination: "%{hiera('networking::mailclient::relayhost')}"
  # Off-host log shipping; this is the path that makes local audit-log rotation tolerable.
  '163 Log Server':
    dport: [ 5514, 6514 ]
    destination:
      - "%{hiera('profile::nxlog_client::logserver1')}"
      - "%{hiera('profile::nxlog_client::logserver2')}"

# Not implemented in this file:
# CIS 3.7 L1 Ensure wireless interfaces are disabled
# CIS 4.2.1.1 L1 Ensure rsyslog Service is enabled
# CIS 4.2.1.3 L1 Ensure rsyslog default file permissions configured
# CIS 4.2.1.4 L1 Ensure rsyslog is configured to send logs to a remote log host
# CIS 4.2.1.5 L1 Ensure remote rsyslog messages are only accepted on designated log hosts.
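# - imtcp.so
# CIS 4.2.1.5 L1 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
# CIS 4.2.2.1 L1 Ensure syslog-ng service is enabled
# CIS 4.2.2.3 L1 Ensure syslog-ng default file permissions configured
# CIS 4.2.2.4 L1 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver
# CIS 4.2.2.4 L1 Ensure syslog-ng is configured to send logs to a remote log host - log src
# CIS 4.2.2.5 L1 Ensure remote syslog-ng messages are only accepted on designated log hosts
# CIS 4.2.4 L1 Ensure permissions on all logfiles are configured
# CIS 5.2.1 L1 Ensure permissions on /etc/ssh/sshd_config are configured
# Set to 600 by SSH server module
# sshd_config keywords rendered from this hash. The yes/no and numeric values are
# quoted so the YAML loader keeps them as literal sshd tokens: an unquoted `no`/`yes`
# loads as a boolean under YAML 1.1 rules and is then rendered by whatever string
# form the module chooses rather than the keyword written here.
profile::ssh::options_hash:
  # CIS 5.2.2 L1 Ensure SSH Protocol is set to 2
  Protocol: '2'
  # CIS 5.2.3 L1 Ensure SSH LogLevel is set to INFO
  LogLevel: INFO
  # CIS 5.2.4 L1 Ensure SSH X11 forwarding is disabled
  X11Forwarding: 'no'
  # CIS 5.2.5 L1 Ensure SSH MaxAuthTries is set to 4 or less
  MaxAuthTries: '4'
  # CIS 5.2.6 L1 Ensure SSH IgnoreRhosts is enabled
  IgnoreRhosts: 'yes'
  # CIS 5.2.7 L1 Ensure SSH HostbasedAuthentication is disabled
  HostbasedAuthentication: 'no'
  # CIS 5.2.8 L1 Ensure SSH root login is disabled
  PermitRootLogin: 'no'
  # CIS 5.2.9 L1 Ensure SSH PermitEmptyPasswords is disabled
  PermitEmptyPasswords: 'no'
  # CIS 5.2.10 L1 Ensure SSH PermitUserEnvironment is disabled
  PermitUserEnvironment: 'no'
  # CIS 5.2.11 L1 Ensure only approved MAC algorithms are used
  MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  # CIS 5.2.12 L1 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval - setting to an hour to balance productivity
  ClientAliveInterval: '3600'
  # CIS 5.2.12 L1 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
  # NOTE(review): the meaning of ClientAliveCountMax 0 changed in OpenSSH 8.2 — before
  # 8.2 an idle session is dropped at the first unanswered probe (the intended idle
  # timeout); from 8.2 on a count of 0 disables the liveness disconnect entirely.
  # Re-check this pairing if the fleet moves past the OpenSSH 7.x line.
  ClientAliveCountMax: '0'
  # CIS 5.2.13 L1 Ensure SSH LoginGraceTime is set to one minute or less
  LoginGraceTime: '60'
  # CIS 5.2.15 L1 Ensure SSH warning banner is configured
  Banner: /etc/issue
# CIS 5.2.14 L1 Ensure SSH access is limited
profile::ssh::allowed_groups:
  - gg_linux_admins
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth required pam_faillock.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth [success=1 default=bad] pam_unix.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_faillock.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so'
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_faillock.so'
# CIS 5.3.3 L1 Ensure password reuse is limited - system-auth
# CIS 5.3.3 L1 Ensure password reuse is limited - password-auth
# CIS 5.3.4 L1 Ensure password hashing algorithm is SHA-512 - system-auth
# CIS 5.3.4 L1 Ensure password hashing algorithm is SHA-512 - password-auth
# Set via the central_auth module
# CIS 5.4.1.1 L1 Ensure password expiration is 365 days or less
# CIS 5.4.1.2 L1 Ensure minimum days between password changes is 7 or more
# CIS 5.4.1.3 L1 Ensure password expiration warning days is 7 or more
# CIS 5.4.1.4 L1 Ensure inactive password lock is 30 days or less
# CIS 5.4.1.5 L1 Ensure all users last password change date is in the past
# CIS 5.4.2 L1 Ensure system accounts are non-login
local_users::add::users:
  root:
    uid: 0
    # CIS 5.4.3 L1 Ensure default group for the root account is GID 0
    gid: 0
    # CIS 5.6 L1 Ensure access to the su command is restricted - wheel group contains root
    groups: [ wheel ]
# Line edits applied to existing files. Each `match` is a regex; where it is present the
# whole matching line is replaced by `line`, and a `match` that hits more than one line
# fails the resource unless `multiple: true` is set.
profile::file_ops::file_lines:
  /etc/bashrc:
    # CIS 5.4.5 L2 Ensure default user shell timeout is 900 seconds or less - /etc/bashrc - setting to an hour to balance productivity
    # NOTE(review): a plain assignment can be overridden in the user's own shell start-up;
    # later benchmark revisions use `readonly TMOUT=... ; export TMOUT` for that reason.
    - line: 'TMOUT=3600'
      match: 'TMOUT='
    # CIS 5.4.4 L1 Ensure default user umask is 027 or more restrictive - /etc/bashrc
    # Both stock umask lines (the leading space keeps this from matching the word
    # elsewhere) are rewritten, hence `multiple: true`.
    - line: ' umask 027'
      match: ' umask 0\d\d'
      multiple: true
  # CIS 5.6 L1 Ensure access to the su command is restricted - pam_wheel.so
  # The match tolerates tab/space padding around the commented-out template line, so the
  # active line is written in place of it. If the match missed, `line` would be appended
  # at the end of the file, after the rest of the auth stack, where an earlier
  # `sufficient` module can return success before pam_wheel is ever evaluated.
  /etc/pam.d/su:
    line: 'auth required pam_wheel.so use_uid'
    match: '^#auth\s+required\s+pam_wheel\.so\s+use_uid'
  # CIS 3.3.3 L1 Ensure IPv6 is disabled
  # NOTE(review): the whole GRUB_CMDLINE_LINUX line is replaced, so any kernel parameters
  # already present on a host (e.g. crashkernel or audit settings) are dropped — confirm
  # against a rendered host. The match is anchored so it cannot also hit
  # GRUB_CMDLINE_LINUX_DEFAULT, which would make the resource fail. The change only takes
  # effect once grub.cfg is regenerated, which this data does not show.
  /etc/default/grub:
    line: GRUB_CMDLINE_LINUX='ipv6.disable=1'
    match: '^GRUB_CMDLINE_LINUX='
  # CIS 6.2.2 L1 Ensure no legacy '+' entries exist in /etc/passwd
  # NOTE(review): with `ensure: absent` and no match, only a line that is exactly `+` is
  # removed; legacy NIS entries have the form `+::0:0:::` and would not be caught.
  # file_line's `match: '^\+'` together with `match_for_absence: true` covers them —
  # verify that the file_ops wrapper forwards those parameters before switching.
  /etc/passwd:
    ensure: absent
    line: '+'
  # CIS 6.2.3 L1 Ensure no legacy '+' entries exist in /etc/shadow
  # NOTE(review): same exact-match limitation as the /etc/passwd entry above.
  /etc/shadow:
    ensure: absent
    line: '+'
  # CIS 6.2.4 L1 Ensure no legacy '+' entries exist in /etc/group
  # NOTE(review): same exact-match limitation as the /etc/passwd entry above.
  /etc/group:
    ensure: absent
    line: '+'
# CIS 5.5 L1 Ensure root login is restricted to system console - TBD
# CIS 6.1.10 L1 Ensure no world writable files exist
# CIS 6.1.11 L1 Ensure no unowned files or directories exist
# CIS 6.1.12 L1 Ensure no ungrouped files or directories exist
# CIS 6.1.13 L1 Audit SUID executables
# CIS 6.1.14 L1 Audit SGID executables
# CIS 6.2.1 L1 Ensure password fields are not empty
# CIS 6.2.5 L1 Ensure root is the only UID 0 account
# CIS 6.2.6 L1 Ensure root PATH Integrity
# CIS 6.2.7 L1 Ensure all users' home directories exist
# CIS 6.2.8 L1 Ensure users' home directories permissions are 750 or more restrictive
# CIS 6.2.9 L1 Ensure users own their home directories
# CIS 6.2.10 L1 Ensure users' dot files are not group or world writable
# CIS 6.2.11 L1 Ensure no users have .forward files
# CIS 6.2.12 L1 Ensure no users have .netrc files
# CIS 6.2.13 L1 Ensure users' .netrc Files are not group or world accessible
# CIS 6.2.14 L1 Ensure no users have .rhosts files
# CIS 6.2.15 L1 Ensure all groups in /etc/passwd exist in /etc/group
# CIS 6.2.16 L1 Ensure no duplicate UIDs exist
# CIS 6.2.17 L1 Ensure no duplicate GIDs exist
# CIS 6.2.18 L1 Ensure no duplicate user names exist
# CIS 6.2.19 L1 Ensure no duplicate group names exist
# CIS 1.6.1.1 L2 Ensure SELinux is not disabled in bootloader configuration - selinux = 0
# CIS 1.6.1.1 L2 Ensure SELinux is not disabled in bootloader configuration - enforcing = 0
# Files rendered from inline EPP templates; `data` supplies the template variables and
# the remaining keys are the file attributes.
profile::file_ops::templates:
  # CIS 1.6.1.2 L2 Ensure the SELinux state is enforcing
  # CIS 1.6.1.3 L2 Ensure SELinux policy is configured
  # NOTE(review): `setting: permissive` only logs policy denials, it does not block them,
  # so this does not yet satisfy CIS 1.6.1.2 (which expects `enforcing`). Presumably a
  # staged rollout — confirm, and track the switch to enforcing.
  /etc/selinux/config:
    data:
      setting: permissive
      type: targeted
    owner: root
    group: root
    mode: '0644'
    content: |
      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      # enforcing - SELinux security policy is enforced.
      # permissive - SELinux prints warnings instead of enforcing.
      # disabled - No SELinux policy is loaded.
      SELINUX=<%= $setting %>
      # SELINUXTYPE= can take one of these two values:
      # targeted - Targeted processes are protected,
      # mls - Multi Level Security protection.
      SELINUXTYPE=<%= $type %>
# CIS 1.6.1.6 L2 Ensure no unconfined daemons exist
# CIS 6.1.1 L2 Audit system file permissions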