CIS compliance (modprobe.d)
* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled
Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759
Change-Id: I719984829978caf0401e78daaabf1adfb0d1cfdf
diff --git a/metadata/service/system/cis/cis-3-5-2.yml b/metadata/service/system/cis/cis-3-5-2.yml
new file mode 100644
index 0000000..0207eb9
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-2.yml
@@ -0,0 +1,41 @@
+# 3.5.2 Ensure SCTP is disabled
+#
+# Description
+# ===========
+# The Stream Control Transmission Protocol (SCTP) is a transport layer
+# protocol used to support message oriented communication, with several
+# streams of messages in one connection. It serves a similar function as
+# TCP and UDP, incorporating features of both. It is message-oriented
+# like UDP, and ensures reliable in-sequence transport of messages with
+# congestion control like TCP.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v sctp
+# install /bin/true
+# # lsmod | grep sctp
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install sctp /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ sctp:
+ install:
+ command: /bin/true
+
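Review bot: The Audit section of the header expects `lsmod | grep sctp` to return nothing, but the `parameters` block at the end of the file only sets `install: command: /bin/true`, which changes what future `modprobe sctp` calls do and does not unload a module that is already loaded. On a host where sctp was loaded before this setting is applied, the second audit check keeps failing until a reboot or an explicit `modprobe -r sctp`; suggest stating that in the Remediation comment. The comment also names /etc/modprobe.d/CIS.conf, while the path the formula actually writes is not visible in this file, so confirm the two agree or word the comment generically.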