Merge "CIS 5.4.4, 5.4.5"
diff --git a/.travis.yml b/.travis.yml
index 78246a5..fac2153 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,6 @@
+language: python
+python:
+- "2.7.13"
sudo: required
services:
- docker
diff --git a/README.rst b/README.rst
index e4accd7..598b638 100644
--- a/README.rst
+++ b/README.rst
@@ -805,6 +805,22 @@
power/state: "root:power"
- devices/system/cpu/cpu0/cpufreq/scaling_governor: powersave
+Sysfs definition with disabled automatic write. Attributes are saved
+to configuration, but are not applied during the run.
+Thay will be applied automatically after the reboot.
+
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ sysfs:
+ enable_apply: false
+ scheduler:
+ block/sda/queue/scheduler: deadline
+
+.. note:: The `enable_apply` parameter defaults to `True` if not defined.
+
Huge Pages
~~~~~~~~~~~~
@@ -902,6 +918,31 @@
priority: 900
package: '*'
+If you need to add multiple pin rules for one repo, please use new,ordered definition format
+('pinning' definition will be in priotity to use):
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ repo:
+ mcp_saltstack:
+ source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
+ architectures: amd64
+ clean_file: true
+ pinning:
+ 10:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 50
+ package: 'libsodium18'
+ 20:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 1100
+ package: '*'
+
+
.. note:: For old Ubuntu releases (<xenial)
extra packages for apt transport, like ``apt-transport-https``
may be required to be installed manually.
diff --git a/linux/files/preferences_repo b/linux/files/preferences_repo
index 603d313..4368356 100644
--- a/linux/files/preferences_repo
+++ b/linux/files/preferences_repo
@@ -1,8 +1,18 @@
{%- from "linux/map.jinja" import system with context %}
{%- set repo = system.repo[repo_name] %}
-{%- for pin in repo.pin %}
-{%- set package = pin.get('package', '*') %}
+{%- if repo.pinning is defined %}
+ {%- for id,pin in repo.pinning|dictsort %}
+ {%- if pin.get('enabled', False) %}
+Package: {{ pin.get('package','*') }}
+Pin: {{ pin.pin }}
+Pin-Priority: {{ pin.priority }}
+ {%- endif %}
+ {% endfor %}
+{%- elif repo.pin is defined %}
+ {%- for pin in repo.pin %}
+ {%- set package = pin.get('package', '*') %}
Package: {{ package }}
Pin: {{ pin.pin }}
Pin-Priority: {{ pin.priority }}
-{% endfor %}
+ {% endfor %}
+{%- endif %}
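Review bot: In the new `pinning` branch an entry without an explicit `enabled` key is skipped because of `{%- if pin.get('enabled', False) %}`, and since the repo.sls hunk in this commit now renders the preferences file whenever `repo.pinning is defined`, a repo whose entries all omit `enabled` produces an empty /etc/apt/preferences.d file with nothing to say why. The README example sets `enabled: true` on every entry but never states that it is required. Either default to enabled with `{%- if pin.get('enabled', True) %}` so an entry is active unless switched off, or document the default next to the README example. `pin.pin` and `pin.priority` are still read without defaults, as in the old branch, so a malformed entry fails the render with an attribute error rather than a clear message.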
diff --git a/linux/network/interface.sls b/linux/network/interface.sls
index c2d2a23..a39fc37 100644
--- a/linux/network/interface.sls
+++ b/linux/network/interface.sls
@@ -2,7 +2,8 @@
{%- from "linux/map.jinja" import system with context %}
{%- if network.enabled %}
-{%- if network.get('dpdk', {}).get('enabled', False) %}
+{%- set dpdk_enabled = network.get('dpdk', {}).get('enabled', False) %}
+{%- if dpdk_enabled %}
include:
- linux.network.dpdk
{%- endif %}
@@ -117,7 +118,7 @@
- name: {{ interface_name }}
- bridge: {{ interface.bridge }}
- require:
- {%- if network.interface.get(interface.bridge, {}).get('type', 'ovs_bridge') == 'dpdk_ovs_bridge' %}
+ {%- if dpdk_enabled and network.interface.get(interface.bridge, {}).get('type', 'ovs_bridge') == 'dpdk_ovs_bridge' %}
- cmd: linux_network_dpdk_bridge_interface_{{ interface.bridge }}
{%- else %}
- openvswitch_bridge: ovs_bridge_{{ interface.bridge }}
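Review bot: With `dpdk_enabled and ...` on the changed line the `else` branch is now taken silently when an interface's bridge is typed `dpdk_ovs_bridge` but DPDK is not enabled, so the interface requires `openvswitch_bridge: ovs_bridge_<bridge>`, which presumably exists only for bridges of the plain type; such a misconfiguration would surface as an unresolved requisite rather than a readable error. A comment above the `{%- if dpdk_enabled and` line, e.g. `# without DPDK a dpdk_ovs_bridge is handled as a plain OVS bridge`, would record that the fallback is intentional. The enclosing interface loop starts outside the hunk, and `dpdk_enabled` is set in the first hunk inside the `network.enabled` block.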
diff --git a/linux/system/at.sls b/linux/system/at.sls
index a441d1a..864ae0c 100644
--- a/linux/system/at.sls
+++ b/linux/system/at.sls
@@ -33,8 +33,8 @@
- template: jinja
- source: salt://linux/files/cron_users.jinja
- user: root
- - group: root
- - mode: 0600
+ - group: daemon
+ - mode: 0640
- defaults:
users: {{ allow_users | yaml }}
- require:
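Review bot: The allow file goes from `root:root 0600` to `root:daemon 0640` here (and to `root:crontab 0640` in the cron.sls hunk) with no comment recording why the group read bit is needed; presumably the at/crontab helper binaries run with that group and must read the file, but a reader comparing against the benchmark text will see this as a loosening. Add a comment above the `- group:` line such as `# group-readable so the at/crontab helpers, which run with this group, can read the allow file`. Also `- mode: 0640` is unquoted while the grub.sls hunk in this same commit writes its mode as a quoted string; a leading-zero integer is read as octal by YAML 1.1 loaders, so `- mode: '0640'` in both files avoids depending on the state's normalisation of the value.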
diff --git a/linux/system/cron.sls b/linux/system/cron.sls
index 7f7ae0e..a5f57a4 100644
--- a/linux/system/cron.sls
+++ b/linux/system/cron.sls
@@ -33,8 +33,8 @@
- template: jinja
- source: salt://linux/files/cron_users.jinja
- user: root
- - group: root
- - mode: 0600
+ - group: crontab
+ - mode: 0640
- defaults:
users: {{ allow_users | yaml }}
- require:
diff --git a/linux/system/grub.sls b/linux/system/grub.sls
index 74ea553..49277ff 100644
--- a/linux/system/grub.sls
+++ b/linux/system/grub.sls
@@ -7,6 +7,7 @@
- makedirs: True
{%- if grains['os_family'] == 'RedHat' %}
+ {%- set boot_grub_cfg = '/boot/grub2/grub.cfg' %}
/etc/default/grub:
file.append:
- text:
@@ -14,14 +15,26 @@
grub_update:
cmd.wait:
- - name: grub2-mkconfig -o /boot/grub2/grub.cfg
+ - name: grub2-mkconfig -o {{ boot_grub_cfg }}
{%- else %}
+ {%- set boot_grub_cfg = '/boot/grub/grub.cfg' %}
-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
grub_update:
cmd.wait:
- name: update-grub
-{%- endif %}
+ {%- if grains.get('virtual_subtype') in ['Docker', 'LXC'] %}
+ - onlyif: /bin/false
+ {%- endif %}
{%- endif %}
+
+grub_cfg_permissions:
+ file.managed:
+ - name: {{ boot_grub_cfg }}
+ - user: 'root'
+ - owner: 'root'
+ - mode: '400'
+ - onlyif: test -f {{ boot_grub_cfg }}
+ - require:
+ - cmd: grub_update
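Review bot: `- owner: 'root'` in `grub_cfg_permissions` is not an ownership argument that file.managed documents (those are `user` and `group`), and `user: 'root'` is already given on the line above, so the intent was almost certainly `- group: 'root'`; depending on how the state treats unknown keyword arguments the line is either ignored, leaving the group unmanaged, or fails the state. Change it to `- group: 'root'`. Since this file.managed has neither `source` nor `contents`, a comment such as `# ownership/mode only; the file itself is produced by grub_update` would make clear that grub.cfg's content is not managed here, and the `onlyif: test -f` guard is what keeps an empty file from being created on hosts without one.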
diff --git a/linux/system/repo.sls b/linux/system/repo.sls
index 0c0b026..dd41afe 100644
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -57,7 +57,7 @@
file.absent
{%- endif %}
- {%- if repo.pin is defined %}
+ {%- if repo.pin is defined or repo.pinning is defined %}
linux_repo_{{ name }}_pin:
file.managed:
- name: /etc/apt/preferences.d/{{ name }}
diff --git a/linux/system/sysfs.sls b/linux/system/sysfs.sls
index 8440384..a4e28bf 100644
--- a/linux/system/sysfs.sls
+++ b/linux/system/sysfs.sls
@@ -11,6 +11,8 @@
- require:
- pkg: linux_sysfs_package
+{% set apply = system.get('sysfs', {}).pop('enable_apply', True) %}
+
{%- for name, sysfs in system.get('sysfs', {}).items() %}
/etc/sysfs.d/{{ name }}.conf:
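Review bot: `system.get('sysfs', {}).pop('enable_apply', True)` mutates the mapping it reads instead of just reading it; depending on how map.jinja builds `system`, that can strip the key from pillar data shared with anything rendered later in the same run, and the reason for the pop (keeping `enable_apply` out of the `for name, sysfs` loop that would otherwise write `/etc/sysfs.d/enable_apply.conf`) is not stated. A non-mutating form makes both explicit: `{%- set sysfs_cfg = system.get('sysfs', {}) %}`, `{%- set apply = sysfs_cfg.get('enable_apply', True) %}`, `{%- for name, sysfs in sysfs_cfg.items() if name != 'enable_apply' %}`. The loop opened on the last line continues past this hunk, and the two later hunks of this file consume the same `apply` flag.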
@@ -32,6 +34,8 @@
{%- set sysfs_list = sysfs %}
{%- endif %}
+{%- if apply %}
+
{%- for item in sysfs_list %}
{%- set list_idx = loop.index %}
{%- for key, value in item.items() %}
@@ -48,4 +52,7 @@
{%- endfor %}
{%- endfor %}
+
+{%- endif %}
+
{%- endfor %}
diff --git a/metadata/service/system/cis/cis-1-1-1-1.yml b/metadata/service/system/cis/cis-1-1-1-1.yml
new file mode 100644
index 0000000..2331a54
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-1.yml
@@ -0,0 +1,37 @@
+# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
+#
+# Description
+# ===========
+# The cramfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems. A cramfs image can be used without
+# having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v cramfs
+# install /bin/true
+# # lsmod | grep cramfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install cramfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ cramfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-2.yml b/metadata/service/system/cis/cis-1-1-1-2.yml
new file mode 100644
index 0000000..f84b56f
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-2.yml
@@ -0,0 +1,36 @@
+# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
+#
+# Description
+# ===========
+# The freevxfs filesystem type is a free version of the Veritas type
+# filesystem. This is the primary filesystem type for HP-UX operating systems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v freevxfs
+# install /bin/true
+# # lsmod | grep freevxfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install freevxfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ freevxfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-3.yml b/metadata/service/system/cis/cis-1-1-1-3.yml
new file mode 100644
index 0000000..91390b5
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-3.yml
@@ -0,0 +1,36 @@
+# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
+#
+# Description
+# ===========
+# The jffs2 (journaling flash filesystem 2) filesystem type is a
+# log-structured filesystem used in flash memory devices.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v jffs2
+# install /bin/true
+# # lsmod | grep jffs2
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install jffs2 /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ jffs2:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-4.yml b/metadata/service/system/cis/cis-1-1-1-4.yml
new file mode 100644
index 0000000..c246ad2
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-4.yml
@@ -0,0 +1,36 @@
+# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
+#
+# Description
+# ===========
+# The hfs filesystem type is a hierarchical filesystem that allows
+# you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfs
+# install /bin/true
+# # lsmod | grep hfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ hfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-5.yml b/metadata/service/system/cis/cis-1-1-1-5.yml
new file mode 100644
index 0000000..e258052
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-5.yml
@@ -0,0 +1,36 @@
+# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
+#
+# Description
+# ===========
+# The hfsplus filesystem type is a hierarchical filesystem designed to
+# replace hfs that allows you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfsplus
+# install /bin/true
+# # lsmod | grep hfsplus
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfsplus /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ hfsplus:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-6.yml b/metadata/service/system/cis/cis-1-1-1-6.yml
new file mode 100644
index 0000000..59da5db
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-6.yml
@@ -0,0 +1,43 @@
+# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
+#
+# Description
+# ===========
+# The squashfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems (similar to cramfs). A squashfs image
+# can be used without having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v squashfs
+# install /bin/true
+# # lsmod | grep squashfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install squashfs /bin/true
+#
+# NOTE
+# ====
+# In Ubuntu 16.04 squashfs is built into kernel, and 'install' command
+# from modprobe.d dir has no effect. However, this is still checked by
+# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ squashfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-7.yml b/metadata/service/system/cis/cis-1-1-1-7.yml
new file mode 100644
index 0000000..0102220
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-7.yml
@@ -0,0 +1,38 @@
+# 1.1.1.7 Ensure mounting of udf filesystems is disabled
+#
+# Description
+# ===========
+# The udf filesystem type is the universal disk format used to implement
+# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
+# type for data storage on a broad range of media. This filesystem type is
+# necessary to support writing DVDs and newer optical disc formats.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v udf
+# install /bin/true
+# # lsmod | grep udf
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install udf /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ udf:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-8.yml b/metadata/service/system/cis/cis-1-1-1-8.yml
new file mode 100644
index 0000000..7c06c8e
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-8.yml
@@ -0,0 +1,50 @@
+# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
+#
+# Description
+# ===========
+# The FAT filesystem format is primarily used on older windows systems and
+# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
+# and FAT32 all of which are supported by the vfat kernel module.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v vfat
+# install /bin/true
+# # lsmod | grep vfat
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install vfat /bin/true
+#
+# Impact
+# ======
+# FAT filesystems are often used on portable USB sticks and other flash
+# media are commonly used to transfer files between workstations, removing
+# VFAT support may prevent the ability to transfer files in this way.
+#
+# NOTE
+# ====
+# In Ubuntu 16.04 vfat is built into kernel, and 'install' command
+# from modprobe.d dir has no effect. However, this is still checked by
+# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ vfat:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-14_15_16.yml b/metadata/service/system/cis/cis-1-1-14_15_16.yml
new file mode 100644
index 0000000..d9c7e72
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-14_15_16.yml
@@ -0,0 +1,95 @@
+# CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The nodev mount option specifies that the filesystem cannot contain special
+# devices.
+#
+# Rationale
+# =========
+# Since the /run/shm filesystem is not intended to support devices, set this
+# option to ensure that users cannot attempt to create special devices in
+# /dev/shm partitions.
+#
+# Audit
+# =====
+# Run the following command and verify that the nodev option is set on /dev/shm .
+#
+# # mount | grep /dev/shm
+# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+#
+# Edit the /etc/fstab file and add nodev to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+# # mount -o remount,nodev /dev/shm
+#
+# CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The nosuid mount option specifies that the filesystem cannot contain setuid
+# files.
+#
+# Rationale
+# =========
+# Setting this option on a file system prevents users from introducing
+# privileged programs onto the system and allowing non-root users to execute them.
+#
+# Audit
+# =====
+# Run the following command and verify that the no suid option is set on /dev/shm .
+#
+# # mount | grep /dev/shm
+# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+# Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+# # mount -o remount,nosuid /dev/shm
+#
+# 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The noexec mount option specifies that the filesystem cannot contain
+# executable binaries.
+#
+# Rationale
+# =========
+# Setting this option on a file system prevents users from executing programs
+# from shared memory. This deters users from introducing potentially malicious
+# software on the system.
+#
+# Audit
+# =====
+# Run the following command and verify that the noexec option is set on /run/shm .
+#
+# # mount | grep /dev/shm
+# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+# Edit the /etc/fstab file and add noexec to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+# # mount -o remount,noexec /dev/shm
+#
+parameters:
+ linux:
+ storage:
+ mount:
+ ensure_dev_shm_mount_options:
+ enabled: true
+ file_system: tmpfs
+ device: shm
+ path: /dev/shm
+ opts: rw,nosuid,nodev,noexec,relatime
+
diff --git a/metadata/service/system/cis/cis-1-1-21.yml b/metadata/service/system/cis/cis-1-1-21.yml
new file mode 100644
index 0000000..da84f49
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-21.yml
@@ -0,0 +1,53 @@
+# CIS 1.1.21 Disable Automounting
+#
+# Description
+# ===========
+# autofs allows automatic mounting of devices, typically including CD/DVDs
+# and USB drives.
+#
+# Rationale
+# =========
+# With automounting enabled anyone with physical access could attach a USB
+# drive or disc and have its contents available in system even if they lacked
+# permissions to mount it themselves.
+#
+# Audit
+# =====
+# Run the following command to verify autofs is not enabled:
+#
+# # systemctl is-enabled autofs
+# disabled
+#
+# Verify result is not "enabled".
+#
+# Remediation
+# ===========
+#
+# Run the following command to disable autofs :
+#
+# # systemctl disable autofs
+#
+# Impact
+# ======
+# The use portable hard drives is very common for workstation users. If your
+# organization allows the use of portable storage or media on workstations
+# and physical access controls to workstations is considered adequate there
+# is little value add in turning off automounting.
+#
+# Notes
+# =====
+# This control should align with the tolerance of the use of portable drives
+# and optical media in the organization. On a server requiring an admin to
+# manually mount media can be part of defense-in-depth to reduce the risk of
+# unapproved software or information being introduced or proprietary software
+# or information being exfiltrated. If admins commonly use flash drives and
+# Server access has sufficient physical controls, requiring manual mounting
+# may not increase security.
+#
+parameters:
+ linux:
+ system:
+ service:
+ autofs:
+ status: disabled
+
diff --git a/metadata/service/system/cis/cis-1-5-4.yml b/metadata/service/system/cis/cis-1-5-4.yml
new file mode 100644
index 0000000..5583d80
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-5-4.yml
@@ -0,0 +1,37 @@
+# CIS 1.5.4 Ensure prelink is disabled
+#
+# Description
+# ===========
+# prelink is a program that modifies ELF shared libraries and ELF dynamically
+# linked binaries in such a way that the time needed for the dynamic linker to
+# perform relocations at startup significantly decreases.
+#
+# Rationale
+# =========
+# The prelinking feature can interfere with the operation of AIDE, because it
+# changes binaries. Prelinking can also increase the vulnerability of the system
+# if a malicious user is able to compromise a common library such as libc.
+#
+# Audit
+# =====
+# Run the following command and verify prelink is not installed:
+#
+# # dpkg -s prelink
+#
+# Remediation
+# ===========
+# Run the following command to restore binaries to normal:
+#
+# # prelink -ua
+#
+# Run the following command to uninstall prelink :
+#
+# # apt-get remove prelink
+#
+parameters:
+ linux:
+ system:
+ package:
+ prelink:
+ version: removed
+
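Review bot: The pillar only sets `version: removed` for prelink, but the Remediation section quoted above says to run `prelink -ua` first to restore binaries; removing the package without that step leaves the ELF files in their prelinked form, which is the very condition the Rationale flags as interfering with AIDE. If the formula offers no way to run a command before package removal, the header should at least say so, e.g. `# NOTE: this class only removes the package; 'prelink -ua' must be run beforehand to restore binaries.`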
diff --git a/metadata/service/system/cis/cis-2-3-1.yml b/metadata/service/system/cis/cis-2-3-1.yml
new file mode 100644
index 0000000..6116f36
--- /dev/null
+++ b/metadata/service/system/cis/cis-2-3-1.yml
@@ -0,0 +1,43 @@
+# 2.3.1 Ensure NIS Client is not installed
+#
+# Description
+# ===========
+# The Network Information Service (NIS), formerly known as Yellow Pages,
+# is a client-server directory service protocol used to distribute system
+# configuration files. The NIS client ( ypbind ) was used to bind a machine
+# to an NIS server and receive the distributed configuration files.
+#
+# Rationale
+# =========
+# The NIS service is inherently an insecure system that has been vulnerable
+# to DOS attacks, buffer overflows and has poor authentication for querying
+# NIS maps. NIS generally has been replaced by such protocols as Lightweight
+# Directory Access Protocol (LDAP). It is recommended that the service be
+# removed.
+#
+# Audit
+# =====
+# Run the following command and verify nis is not installed:
+#
+# dpkg -s nis
+#
+# Remediation
+# ===========
+# Run the following command to uninstall nis:
+#
+# apt-get remove nis
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+ linux:
+ system:
+ package:
+ nis:
+ version: removed
+
diff --git a/metadata/service/system/cis/cis-2-3-2.yml b/metadata/service/system/cis/cis-2-3-2.yml
new file mode 100644
index 0000000..ecbfa6a
--- /dev/null
+++ b/metadata/service/system/cis/cis-2-3-2.yml
@@ -0,0 +1,55 @@
+# 2.3.2 Ensure rsh client is not installed
+#
+# Description
+# ===========
+# The rsh package contains the client commands for the rsh services.
+#
+# Rationale
+# =========
+# These legacy clients contain numerous security exposures and have been
+# replaced with the more secure SSH package. Even if the server is removed,
+# it is best to ensure the clients are also removed to prevent users from
+# inadvertently attempting to use these commands and therefore exposing
+# their credentials. Note that removing the rsh package removes the
+# clients for rsh , rcp and rlogin .
+#
+# Audit
+# =====
+# Run the following commands and verify rsh is not installed:
+#
+# dpkg -s rsh-client
+# dpkg -s rsh-redone-client
+#
+# Remediation
+# ===========
+# Run the following command to uninstall rsh :
+#
+# apt-get remove rsh-client rsh-redone-client
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the
+# clients after use to prevent accidental or intentional misuse.
+#
+# NOTE
+# ====
+# It is not possible to remove rsh-client by means of SaltStack because
+# of the way SaltStack checks that package was really removed. 'rsh-client'
+# is "provided" by openssh-client package, and SaltStack thinks that
+# it is the same as 'rsh-client is installed'. So each time we try to
+# remove 'rsh-client' on a system where 'openssh-client' is installed
+# (that's almost every system), we got state failure.
+# This was fixed in upstream SaltStack in 2018, not sure where we start using
+# this version. Until that moment 'rsh-client' should remain unmanaged.
+#
+parameters:
+ linux:
+ system:
+ package:
+# rsh-client:
+# version: removed
+ rsh-redone-client:
+ version: removed
+
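Review bot: With the `# rsh-client:` lines commented out this class enforces only half of the control while init.yml includes it without any hint of that, so a reader of the class list will assume rsh-client is managed. The NOTE explains the Salt limitation but gives no reference for the upstream fix or the version that carries it, which is what would let the entry be re-enabled; add a line such as `# TODO: re-enable rsh-client once minions run Salt >= <VERSION-WITH-FIX> (upstream ref: <SALT-ISSUE-ID>)` with the real values filled in.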
diff --git a/metadata/service/system/cis/cis-2-3-3.yml b/metadata/service/system/cis/cis-2-3-3.yml
new file mode 100644
index 0000000..859754b
--- /dev/null
+++ b/metadata/service/system/cis/cis-2-3-3.yml
@@ -0,0 +1,39 @@
+# 2.3.3 Ensure talk client is not installed
+#
+# Description
+# ===========
+# The talk software makes it possible for users to send and receive messages
+# across systems through a terminal session. The talk client, which allows
+# initialization of talk sessions, is installed by default.
+#
+# Rationale
+# =========
+# The software presents a security risk as it uses unencrypted protocols
+# for communication.
+#
+# Audit
+# =====
+# Run the following command and verify talk is not installed:
+#
+# dpkg -s talk
+#
+# Remediation
+# ===========
+# Run the following command to uninstall talk :
+#
+# apt-get remove talk
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+ linux:
+ system:
+ package:
+ talk:
+ version: removed
+
diff --git a/metadata/service/system/cis/cis-2-3-4.yml b/metadata/service/system/cis/cis-2-3-4.yml
new file mode 100644
index 0000000..34c8eb2
--- /dev/null
+++ b/metadata/service/system/cis/cis-2-3-4.yml
@@ -0,0 +1,40 @@
+# 2.3.4 Ensure telnet client is not installed
+#
+# Description
+# ===========
+# The telnet package contains the telnet client, which allows users to start
+# connections to other systems via the telnet protocol.
+#
+# Rationale
+# =========
+# The telnet protocol is insecure and unencrypted. The use of an unencrypted
+# transmission medium could allow an unauthorized user to steal credentials.
+# The ssh package provides an encrypted session and stronger security and is
+# included in most Linux distributions.
+#
+# Audit
+# =====
+# Run the following command and verify telnet is not installed:
+#
+# # dpkg -s telnet
+#
+# Remediation
+# ===========
+# Run the following command to uninstall telnet :
+#
+# # apt-get remove telnet
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test and
+# troubleshoot. If they are required it is advisable to remove the clients
+# after use to prevent accidental or intentional misuse.
+#
+parameters:
+ linux:
+ system:
+ package:
+ telnet:
+ version: removed
+
diff --git a/metadata/service/system/cis/cis-3-5-1.yml b/metadata/service/system/cis/cis-3-5-1.yml
new file mode 100644
index 0000000..b232990
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-1.yml
@@ -0,0 +1,38 @@
+# 3.5.2 Ensure DCCP is disabled
+#
+# Description
+# ===========
+# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
+# that supports streaming media and telephony. DCCP provides a way to gain
+# access to congestion control, without having to do it at the application
+# layer, but does not provide in-sequence delivery.
+#
+# Rationale
+# =========
+# If the protocol is not required, it is recommended that the drivers not be
+# installed to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v dccp
+# install /bin/true
+# # lsmod | grep dccp
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install dccp /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ dccp:
+ install:
+ command: /bin/true
+
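Review bot: The header line reads `# 3.5.2 Ensure DCCP is disabled` while the file is cis-3-5-1.yml and the SCTP file in this commit also carries 3.5.2, so the control number is wrong here; change it to `# 3.5.1 Ensure DCCP is disabled`. The other headers in this set use the file's own number, so this is the only mismatch I can see.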
diff --git a/metadata/service/system/cis/cis-3-5-2.yml b/metadata/service/system/cis/cis-3-5-2.yml
new file mode 100644
index 0000000..0207eb9
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-2.yml
@@ -0,0 +1,41 @@
+# 3.5.2 Ensure SCTP is disabled
+#
+# Description
+# ===========
+# The Stream Control Transmission Protocol (SCTP) is a transport layer
+# protocol used to support message oriented communication, with several
+# streams of messages in one connection. It serves a similar function as
+# TCP and UDP, incorporating features of both. It is message-oriented
+# like UDP, and ensures reliable in-sequence transport of messages with
+# congestion control like TCP.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v sctp
+# install /bin/true
+# # lsmod | grep sctp
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install sctp /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ sctp:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-3.yml b/metadata/service/system/cis/cis-3-5-3.yml
new file mode 100644
index 0000000..723de8b
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-3.yml
@@ -0,0 +1,37 @@
+# 3.5.3 Ensure RDS is disabled
+#
+# Description
+# ===========
+# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
+# designed to provide low-latency, high-bandwidth communications between
+# cluster nodes. It was developed by the Oracle Corporation.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v rds
+# install /bin/true
+# # lsmod | grep rds
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install rds /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ rds:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-4.yml b/metadata/service/system/cis/cis-3-5-4.yml
new file mode 100644
index 0000000..6a4920c
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-4.yml
@@ -0,0 +1,37 @@
+# 3.5.4 Ensure TIPC is disabled
+#
+# Description
+# ===========
+# The Transparent Inter-Process Communication (TIPC) protocol is designed
+# to provide communication between cluster nodes.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v tipc
+# install /bin/true
+# # lsmod | grep tipc
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install tipc /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ tipc:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index 5c91125..5f27e22 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -1,6 +1,21 @@
classes:
+- service.linux.system.cis.cis-1-1-1-1
+- service.linux.system.cis.cis-1-1-1-2
+- service.linux.system.cis.cis-1-1-1-3
+- service.linux.system.cis.cis-1-1-1-4
+- service.linux.system.cis.cis-1-1-1-5
+- service.linux.system.cis.cis-1-1-1-6
+- service.linux.system.cis.cis-1-1-1-7
+- service.linux.system.cis.cis-1-1-1-8
+- service.linux.system.cis.cis-1-1-14_15_16
+- service.linux.system.cis.cis-1-1-21
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
+- service.linux.system.cis.cis-1-5-4
+- service.linux.system.cis.cis-2-3-1
+- service.linux.system.cis.cis-2-3-2
+- service.linux.system.cis.cis-2-3-3
+- service.linux.system.cis.cis-2-3-4
- service.linux.system.cis.cis-3-1-2
- service.linux.system.cis.cis-3-2-1
- service.linux.system.cis.cis-3-2-2
@@ -12,6 +27,10 @@
- service.linux.system.cis.cis-3-2-8
# Temp. disable PROD-22520
#- service.linux.system.cis.cis-3-3-3
+- service.linux.system.cis.cis-3-5-1
+- service.linux.system.cis.cis-3-5-2
+- service.linux.system.cis.cis-3-5-3
+- service.linux.system.cis.cis-3-5-4
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 5cfeea7..2973677 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -99,6 +99,7 @@
subjects:
- '@group1'
sysfs:
+ enable_apply: true
scheduler:
block/sda/queue/scheduler: deadline
power:
@@ -201,6 +202,22 @@
proxy:
enabled: true
https: https://127.0.5.1:443
+ saltstack:
+ source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main"
+ key_url: "http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/SALTSTACK-GPG-KEY.pub"
+ architectures: amd64
+ clean_file: true
+ pinning:
+ 10:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 50
+ package: 'libsodium18'
+ 20:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 1100
+ package: '*'
opencontrail:
source: "deb http://ppa.launchpad.net/tcpcloud/contrail-3.0/ubuntu xenial main"
keyid: E79EE90C
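Review bot: The new `saltstack` entry fetches the repository signing key over plain HTTP (`key_url: "http://repo.saltstack.com/.../SALTSTACK-GPG-KEY.pub"`); a key obtained over an unauthenticated transport cannot vouch for the packages it is then used to verify, since whoever can alter the download can substitute the key. Even in a test pillar, which tends to be copied as a template, prefer `https://` for `key_url` where the mirror serves it. The pin entries themselves match the README example in this commit.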