CIS compliance (modprobe.d)
* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled
Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759
Change-Id: Ia8bf992498ef739a4a40fb108fcb449900caf6e3
diff --git a/metadata/service/system/cis/cis-1-1-1-1.yml b/metadata/service/system/cis/cis-1-1-1-1.yml
new file mode 100644
index 0000000..2331a54
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-1.yml
@@ -0,0 +1,37 @@
+# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
+#
+# Description
+# ===========
+# The cramfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems. A cramfs image can be used without
+# having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v cramfs
+# install /bin/true
+# # lsmod | grep cramfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install cramfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ cramfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-2.yml b/metadata/service/system/cis/cis-1-1-1-2.yml
new file mode 100644
index 0000000..f84b56f
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-2.yml
@@ -0,0 +1,36 @@
+# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
+#
+# Description
+# ===========
+# The freevxfs filesystem type is a free version of the Veritas type
+# filesystem. This is the primary filesystem type for HP-UX operating systems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v freevxfs
+# install /bin/true
+# # lsmod | grep freevxfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install freevxfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ freevxfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-3.yml b/metadata/service/system/cis/cis-1-1-1-3.yml
new file mode 100644
index 0000000..91390b5
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-3.yml
@@ -0,0 +1,36 @@
+# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
+#
+# Description
+# ===========
+# The jffs2 (journaling flash filesystem 2) filesystem type is a
+# log-structured filesystem used in flash memory devices.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v jffs2
+# install /bin/true
+# # lsmod | grep jffs2
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install jffs2 /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ jffs2:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-4.yml b/metadata/service/system/cis/cis-1-1-1-4.yml
new file mode 100644
index 0000000..c246ad2
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-4.yml
@@ -0,0 +1,36 @@
+# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
+#
+# Description
+# ===========
+# The hfs filesystem type is a hierarchical filesystem that allows
+# you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfs
+# install /bin/true
+# # lsmod | grep hfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfs /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ hfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-5.yml b/metadata/service/system/cis/cis-1-1-1-5.yml
new file mode 100644
index 0000000..e258052
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-5.yml
@@ -0,0 +1,36 @@
+# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
+#
+# Description
+# ===========
+# The hfsplus filesystem type is a hierarchical filesystem designed to
+# replace hfs that allows you to mount Mac OS filesystems.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the system. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v hfsplus
+# install /bin/true
+# # lsmod | grep hfsplus
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install hfsplus /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ hfsplus:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-6.yml b/metadata/service/system/cis/cis-1-1-1-6.yml
new file mode 100644
index 0000000..59da5db
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-6.yml
@@ -0,0 +1,43 @@
+# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
+#
+# Description
+# ===========
+# The squashfs filesystem type is a compressed read-only Linux filesystem
+# embedded in small footprint systems (similar to cramfs). A squashfs image
+# can be used without having to first decompress the image.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v squashfs
+# install /bin/true
+# # lsmod | grep squashfs
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install squashfs /bin/true
+#
+# NOTE
+# ====
+# In Ubuntu 16.04 squashfs is built into kernel, and 'install' command
+# from modprobe.d dir has no effect. However, this is still checked by
+# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ squashfs:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-7.yml b/metadata/service/system/cis/cis-1-1-1-7.yml
new file mode 100644
index 0000000..0102220
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-7.yml
@@ -0,0 +1,38 @@
+# 1.1.1.7 Ensure mounting of udf filesystems is disabled
+#
+# Description
+# ===========
+# The udf filesystem type is the universal disk format used to implement
+# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
+# type for data storage on a broad range of media. This filesystem type is
+# necessary to support writing DVDs and newer optical disc formats.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v udf
+# install /bin/true
+# # lsmod | grep udf
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install udf /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ udf:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-1-1-1-8.yml b/metadata/service/system/cis/cis-1-1-1-8.yml
new file mode 100644
index 0000000..7c06c8e
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-1-8.yml
@@ -0,0 +1,50 @@
+# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
+#
+# Description
+# ===========
+# The FAT filesystem format is primarily used on older windows systems and
+# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
+# and FAT32 all of which are supported by the vfat kernel module.
+#
+# Rationale
+# =========
+# Removing support for unneeded filesystem types reduces the local attack
+# surface of the server. If this filesystem type is not needed, disable it.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v vfat
+# install /bin/true
+# # lsmod | grep vfat
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install vfat /bin/true
+#
+# Impact
+# ======
+# FAT filesystems are often used on portable USB sticks and other flash
+# media are commonly used to transfer files between workstations, removing
+# VFAT support may prevent the ability to transfer files in this way.
+#
+# NOTE
+# ====
+# In Ubuntu 16.04 vfat is built into kernel, and 'install' command
+# from modprobe.d dir has no effect. However, this is still checked by
+# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ vfat:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-1.yml b/metadata/service/system/cis/cis-3-5-1.yml
new file mode 100644
index 0000000..b232990
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-1.yml
@@ -0,0 +1,38 @@
+# 3.5.2 Ensure DCCP is disabled
+#
+# Description
+# ===========
+# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
+# that supports streaming media and telephony. DCCP provides a way to gain
+# access to congestion control, without having to do it at the application
+# layer, but does not provide in-sequence delivery.
+#
+# Rationale
+# =========
+# If the protocol is not required, it is recommended that the drivers not be
+# installed to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v dccp
+# install /bin/true
+# # lsmod | grep dccp
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install dccp /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ dccp:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-2.yml b/metadata/service/system/cis/cis-3-5-2.yml
new file mode 100644
index 0000000..0207eb9
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-2.yml
@@ -0,0 +1,41 @@
+# 3.5.2 Ensure SCTP is disabled
+#
+# Description
+# ===========
+# The Stream Control Transmission Protocol (SCTP) is a transport layer
+# protocol used to support message oriented communication, with several
+# streams of messages in one connection. It serves a similar function as
+# TCP and UDP, incorporating features of both. It is message-oriented
+# like UDP, and ensures reliable in-sequence transport of messages with
+# congestion control like TCP.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v sctp
+# install /bin/true
+# # lsmod | grep sctp
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install sctp /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ sctp:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-3.yml b/metadata/service/system/cis/cis-3-5-3.yml
new file mode 100644
index 0000000..723de8b
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-3.yml
@@ -0,0 +1,37 @@
+# 3.5.3 Ensure RDS is disabled
+#
+# Description
+# ===========
+# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
+# designed to provide low-latency, high-bandwidth communications between
+# cluster nodes. It was developed by the Oracle Corporation.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v rds
+# install /bin/true
+# # lsmod | grep rds
+# <No output>
+#
+# Remediation
+# ===========
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install rds /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ rds:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/cis-3-5-4.yml b/metadata/service/system/cis/cis-3-5-4.yml
new file mode 100644
index 0000000..6a4920c
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-5-4.yml
@@ -0,0 +1,37 @@
+# 3.5.4 Ensure TIPC is disabled
+#
+# Description
+# ===========
+# The Transparent Inter-Process Communication (TIPC) protocol is designed
+# to provide communication between cluster nodes.
+#
+# Rationale
+# =========
+# If the protocol is not being used, it is recommended that kernel module
+# not be loaded, disabling the service to reduce the potential attack surface.
+#
+# Audit
+# =====
+# Run the following commands and verify the output is as indicated:
+#
+# # modprobe -n -v tipc
+# install /bin/true
+# # lsmod | grep tipc
+# <No output>
+#
+# Remediation
+# ===========
+#
+# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
+#
+# install tipc /bin/true
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ module:
+ tipc:
+ install:
+ command: /bin/true
+
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index a72366d..c1dd60d 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -1,5 +1,13 @@
classes:
- service.linux.system.cis.cis-1-1-14_15_16
+- service.linux.system.cis.cis-1-1-1-1
+- service.linux.system.cis.cis-1-1-1-2
+- service.linux.system.cis.cis-1-1-1-3
+- service.linux.system.cis.cis-1-1-1-4
+- service.linux.system.cis.cis-1-1-1-5
+- service.linux.system.cis.cis-1-1-1-6
+- service.linux.system.cis.cis-1-1-1-7
+- service.linux.system.cis.cis-1-1-1-8
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
- service.linux.system.cis.cis-3-1-2
@@ -13,6 +21,10 @@
- service.linux.system.cis.cis-3-2-8
# Temp. disable PROD-22520
#- service.linux.system.cis.cis-3-3-3
+- service.linux.system.cis.cis-3-5-1
+- service.linux.system.cis.cis-3-5-2
+- service.linux.system.cis.cis-3-5-3
+- service.linux.system.cis.cis-3-5-4
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4