CIS compliance (sysctl, limits)

* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled

All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.

Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
diff --git a/metadata/service/system/cis/cis-1-5-1.yml b/metadata/service/system/cis/cis-1-5-1.yml
new file mode 100644
index 0000000..955edf4
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-5-1.yml
@@ -0,0 +1,59 @@
+# CIS 1.5.1 Ensure core dumps are restricted (Scored)
+#
+# Description
+# ===========
+#
+# A core dump is the memory of an executable program. It is generally used to determine
+# why a program aborted. It can also be used to glean confidential information from a core
+# file. The system provides the ability to set a soft limit for core dumps, but this can be
+# overridden by the user.
+#
+# Rationale
+# =========
+#
+# Setting a hard limit on core dumps prevents users from overriding the soft variable. If core
+# dumps are required, consider setting limits for user groups (see limits.conf(5) ). In
+# addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from
+# dumping core.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*
+#   * hard core 0
+#   # sysctl fs.suid_dumpable
+#   fs.suid_dumpable = 0
+#
+# Remediation
+# ===========
+#
+# Add the following line to the /etc/security/limits.conf file or a
+# /etc/security/limits.d/* file:
+#
+#   * hard core 0
+#
+# Set the following parameter in the /etc/sysctl.conf file:
+#
+#   fs.suid_dumpable = 0
+#
+# Run the following command to set the active kernel parameter:
+#
+#   # sysctl -w fs.suid_dumpable=0
+
+parameters:
+  linux:
+    system:
+      limit:
+        cis:
+          enabled: true
+          domain: '*'
+          limits:
+          - type: 'hard'
+            item: 'core'
+            value: 0
+      kernel:
+        sysctl:
+          fs.suid_dumpable: 0
+
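
Review bot: `domain: '*'` in the `limit: cis:` entry does not cover root, since pam_limits does not apply wildcard or group limits to the root user (see the note in limits.conf(5)). The resulting `* hard core 0` line matches the CIS audit text quoted in the header, but root sessions keep their existing core limit. If root should be covered too, add a second limit entry with `domain: 'root'`, or state in the header comment that root is intentionally left out. A second entry needs its own key, so naming this one after the control (for example `cis_1_5_1` instead of the generic `cis`) would keep it distinct from any later CIS limit entries.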