@aborruso
Created July 13, 2021 16:27
Finding Hostname Recommendation
Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.3 Ensure remote login warning banner is configured properly, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.8 Ensure SSH root login is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.8 Ensure atcron is restricted to authorized users, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow : # rm /etc/cron.deny# rm /etc/at.deny# touch /etc/cron.allow# touch /etc/at.allow# chmod og-rwx /etc/cron.allow# chmod og-rwx /etc/at.allow# chown root:root /etc/cron.allow# chown root:root /etc/at.allow
Instance i-01aae074f79eaa71f is not compliant with rule 1.6.1.2 Ensure the SELinux state is enforcing, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.7 Ensure permissions on etccron.d are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d# chmod og-rwx /etc/cron.d
Instance i-01aae074f79eaa71f is not compliant with rule 6.2.8 Ensure users home directories permissions are 750 or more restrictive, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user file permissions and determine the action to be taken in accordance with site policy.
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.21 Ensure sticky bit is set on all world-writable directories, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk if (NR!=1) print $6 | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60
Instance i-01aae074f79eaa71f is not compliant with rule 6.2.7 Ensure all users home directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.
Instance i-01aae074f79eaa71f is not compliant with rule 6.1.10 Ensure no world writable files exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Removing write access for the "other" category ( chmod o-w <filename> ) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file.
Instance i-01aae074f79eaa71f is not compliant with rule 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host). *.* @@loghost.example.com Run the following command to restart rsyslog : # pkill -HUP rsyslogd
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.12 Ensure separate partition exists for varlogaudit, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.15 Ensure changes to system administration scope sudoers is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope-w /etc/sudoers.d/ -p wa -k scope
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.16 Ensure system administrator actions sudolog are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions
On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80
Instance i-01aae074f79eaa71f is not compliant with rule 4.2.4 Ensure permissions on all logfiles are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to set permissions on all existing log files: # find -L /var/log -type f -exec chmod g-wx,o-rwx {} +
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.6 Ensure events that modify the systems network environment are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -k system-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/sysconfig/network -p wa -k system-locale For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -k system-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/sysconfig/network -p wa -k system-locale
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.4 Ensure inactive password lock is 30 days or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>
Instance i-01aae074f79eaa71f is not compliant with rule 1.6.1.6 Ensure no unconfined daemons exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.4 Ensure events that modify date and time information are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change-a always,exit -F arch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change-a always,exit -F arch=b64 -S clock_settime -k time-change-a always,exit -F arch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change
Instance i-01aae074f79eaa71f is not compliant with rule 5.3.1 Ensure password creation requirements are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so try_first_pass retry=3 Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen=14dcredit=-1ucredit=-1ocredit=-1lcredit=-1
Instance i-01aae074f79eaa71f is not compliant with rule 3.5.2 Ensure SCTP is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.12 Ensure only approved MAC algorithms are used, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter in accordance with site policy. The following includes all supported and accepted MACs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Instance i-01aae074f79eaa71f is not compliant with rule 6.1.12 Ensure no ungrouped files or directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.
On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.17 Ensure kernel module loading and unloading is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -k modules-a always,exit arch=b32 -S init_module -S delete_module -k modules For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -k modules-a always,exit arch=b64 -S init_module -S delete_module -k modules
Instance i-01aae074f79eaa71f is not compliant with rule 3.6.5 Ensure firewall rules exist for all open ports, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.10 Ensure SSH PermitUserEnvironment is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.1.2 Ensure system is disabled when audit logs are full, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Set the following parameters in /etc/audit/auditd.conf: space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.18 Ensure the audit configuration is immutable, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following line to the end of the /etc/audit/audit.rules file. -e 2
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.9 Ensure SSH PermitEmptyPasswords is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no
No password complexity mechanism or restrictions are configured on instance i-01aae074f79eaa71f in your assessment target. This allows users to set simple passwords, thereby increasing the chances of unauthorized users gaining access and misusing accounts. qahobserver4b100 If you are using passwords, it is recommended that you configure all EC2 instances in your assessment target to require a level of password complexity. You can do this by using **pam_cracklib.so** "lcredit","ucredit","dcredit", and "ocredit" settings. See man pam_cracklib for more information.
On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22
On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.14 Ensure file deletion events by users are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Aggregate network exposure: On instance i-01aae074f79eaa71f, ports are reachable from a Peered VPC through ENI eni-09529e193cdc9a8bb and security group sg-eb55aaa3 qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC
Instance i-01aae074f79eaa71f is not compliant with rule 3.6.2 Ensure default deny firewall policy, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP
Instance i-01aae074f79eaa71f is not compliant with rule 1.3.1 Ensure AIDE is installed, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to install aide : # yum install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aide --init# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.4 Ensure permissions on etccron.daily are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily# chmod og-rwx /etc/cron.daily
Instance i-01aae074f79eaa71f is not compliant with rule 5.3.2 Ensure lockout for failed password attempts is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines surrounding a pam_unix.so line modify the pam_unix.so is [success=1 default=bad] as listed in both: auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900auth [success=1 default=bad] pam_unix.soauth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
Instance i-01aae074f79eaa71f is not compliant with rule 1.2.3 Ensure gpgcheck is globally activated, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '.
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.9 Ensure session initiation information is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session-w /var/log/wtmp -p wa -k logins-w /var/log/btmp -p wa -k logins
Instance i-01aae074f79eaa71f is not compliant with rule 2.3.4 Ensure telnet client is not installed, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to uninstall telnet : # yum remove telnet Impact: Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse.
Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.2 Ensure local login warning banner is configured properly, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \m , \r , \s , or \v : # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.1.3 Ensure audit logs are not automatically deleted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs
Instance i-01aae074f79eaa71f is not compliant with rule 1.4.2 Ensure bootloader password is set, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub2-mkpasswd-pbkdf2Enter password: <password>Reenter password: <password>Your PBKDF2 is <encrypted-password> Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <<EOFset superusers="<username>"password_pbkdf2 <username> <encrypted-password>EOF Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg
Instance i-01aae074f79eaa71f is not compliant with rule 3.5.1 Ensure DCCP is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 3.2.3 Ensure secure ICMP redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.secure_redirects = 0net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0# sysctl -w net.ipv4.conf.default.secure_redirects=0# sysctl -w net.ipv4.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 3.1.2 Ensure packet redirect sending is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0# sysctl -w net.ipv4.conf.default.send_redirects=0# sysctl -w net.ipv4.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 1.7.1.4 Ensure permissions on etcmotd are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd# chmod 644 /etc/motd
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.2 Ensure permissions on etccrontab are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab# chmod og-rwx /etc/crontab
On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22
Instance i-01aae074f79eaa71f is configured to support password authentication over SSH. Password authentication is susceptible to brute-force attacks and should be disabled in favor of key-based authentication where possible. qahobserver4b100 It is recommended that you disable password authentication over SSH on your EC2 instances and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information see [https://aws.amazon.com/articles/1233/](https://aws.amazon.com/articles/1233/). If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses.
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.12 Ensure use of privileged commands is collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: -F path=" $1 " - will populate each file name found through the find command and processed by awk. -F perm=x - will write an audit record if the file is executed. -F auid>=1000 - will write a record if the user executing the command is not a privileged user. -F auid!= 4294967295 - will ignore Daemon events All audit records should be tagged with the identifier "privileged". Run the following command replacing <partition> with a list of partitions where programs can be executed from on your system: # find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' Add all resulting lines to the /etc/audit/audit.rules file.
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.4 Ensure SSH X11 forwarding is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.14 Ensure nodev option set on home partition, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.11 Ensure separate partition exists for varlog, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Instance i-01aae074f79eaa71f is not compliant with rule 1.3.2 Ensure filesystem integrity is regularly checked, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.2 Ensure separate partition exists for tmp, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition for /tmp if not using tmpfs . Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mountsystemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount]What=tmpfsWhere=/tmpType=tmpfsOptions=mode=1777,strictatime,noexec,nodev,nosuid Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Instance i-01aae074f79eaa71f is not compliant with rule 3.3.3 Ensure IPv6 is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Create the file /etc/modprobe.d/CIS.conf and add the following line: options ipv6 disable=1
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy
Instance i-01aae074f79eaa71f is not compliant with rule 3.3.1 Ensure IPv6 router advertisements are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_ra=0
# sysctl -w net.ipv6.conf.default.accept_ra=0
# sysctl -w net.ipv6.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.5 Ensure default user shell timeout is 900 seconds or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Server. qahobserver4b100 Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.6 Ensure mounting of squashfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.3 Ensure SSH LogLevel is set to INFO, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.8 Ensure login and logout events are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
Instance i-01aae074f79eaa71f is not compliant with rule 3.4.3 Ensure /etc/hosts.deny is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following command to create /etc/hosts.deny : # echo "ALL: ALL" >> /etc/hosts.deny
Instance i-01aae074f79eaa71f is not compliant with rule 5.3.3 Ensure password reuse is limited, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.2 Ensure minimum days between password changes is 7 or more, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.7 Ensure separate partition exists for /var/tmp, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.15 Ensure SSH access is limited, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
Instance i-01aae074f79eaa71f is not compliant with rule 3.5.4 Ensure TIPC is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 3.2.2 Ensure ICMP redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.3 Ensure auditing for processes that start prior to auditd is enabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX : GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg
On instance i-01aae074f79eaa71f, TCP port 80 which is associated with 'HTTP' is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 80
On instance i-01aae074f79eaa71f, process 'sshd' is listening on TCP port 22 which is associated with 'SSH' and is reachable from a Peered VPC qahobserver4b100 You can edit the Security Group sg-eb55aaa3 to remove access from a Peered VPC on port 22
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.13 Ensure successful file system mounts are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.6 Ensure SSH IgnoreRhosts is enabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes
Instance i-01aae074f79eaa71f is not compliant with rule 5.6 Ensure access to the su command is restricted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid Create a comma separated list of users in the wheel statement in the /etc/group file: wheel:x:10:root,<user list>
Instance i-01aae074f79eaa71f is not compliant with rule 3.2.4 Ensure suspicious packets are logged, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.log_martians=1
# sysctl -w net.ipv4.conf.default.log_martians=1
# sysctl -w net.ipv4.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.6 Ensure permissions on /etc/cron.monthly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/cron.monthly :
# chown root:root /etc/cron.monthly
# chmod og-rwx /etc/cron.monthly
Instance i-01aae074f79eaa71f is not compliant with rule 3.6.3 Ensure loopback traffic is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to implement the loopback rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.16 Ensure SSH warning banner is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.11 Ensure only approved ciphers are used, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.7 Ensure mounting of udf filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 6.2.9 Ensure users own their home directories, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Change the ownership of any home directories that are not owned by the defined user to the correct user.
Instance i-01aae074f79eaa71f is not compliant with rule 1.5.1 Ensure core dumps are restricted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Add the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in the /etc/sysctl.conf file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.4 Ensure default user umask is 027 or more restrictive, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.8 Ensure mounting of FAT filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install vfat /bin/true Impact: FAT filesystems are often used on portable USB sticks and other flash media are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.
Instance i-01aae074f79eaa71f is not compliant with rule 2.2.1.2 Ensure ntp is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Add or edit restrict lines in /etc/ntp.conf to match the following:
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Add or edit server lines to /etc/ntp.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': OPTIONS="-u ntp:ntp"
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.1 Ensure mounting of cramfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.6 Ensure separate partition exists for /var, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For new installations, during installation create a custom partition setup and specify a separate partition for /var . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Instance i-01aae074f79eaa71f is configured to allow users to log in with root credentials over SSH, without having to use a command authenticated by a public key. This increases the likelihood of a successful brute-force attack. qahobserver4b100 To reduce the likelihood of a successful brute-force attack, we recommend that you configure your EC2 instance to prevent root account logins over SSH. To disable SSH root account logins, set PermitRootLogin to 'no' in /etc/ssh/sshd_config and restart sshd. When logged in as a non-root user, you can use sudo to escalate privileges when necessary. If you want to allow public key authentication with a command associated with the key, you can set **PermitRootLogin** to 'forced-commands-only'.
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.7 Ensure SSH HostbasedAuthentication is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no
Instance i-01aae074f79eaa71f is vulnerable to CVE-2019-8912 qahobserver4b100 Use your Operating System's update feature to update package kernel-0:3.10.0-1160.31.1.el7. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.4 Ensure mounting of hfs filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.2 Ensure system accounts are non-login, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the shell for any accounts returned by the audit script to /sbin/nologin : # usermod -s /sbin/nologin <user> The following script will automatically set all user shells required to /sbin/nologin and lock the sync , shutdown , and halt users:
#!/bin/bash
for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd` ; do
  if [ "$user" != "root" ]; then
    usermod -L "$user"
    if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
      usermod -s /sbin/nologin "$user"
    fi
  fi
done
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 3.3.2 Ensure IPv6 redirects are not accepted, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the following parameters in the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.accept_redirects=0
# sysctl -w net.ipv6.conf.default.accept_redirects=0
# sysctl -w net.ipv6.route.flush=1
Instance i-01aae074f79eaa71f is not compliant with rule 4.2.1.3 Ensure rsyslog default file permissions configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/rsyslog.conf and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640
Instance i-01aae074f79eaa71f is not compliant with rule 5.4.1.1 Ensure password expiration is 90 days or less, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs : PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.3 Ensure permissions on /etc/cron.hourly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/cron.hourly :
# chown root:root /etc/cron.hourly
# chmod og-rwx /etc/cron.hourly
Instance i-01aae074f79eaa71f is not compliant with rule 5.2.13 Ensure SSH Idle Timeout Interval is configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/ssh/sshd_config file to set the parameters as follows:
ClientAliveInterval 300
ClientAliveCountMax 0
Instance i-01aae074f79eaa71f is not compliant with rule 5.1.5 Ensure permissions on /etc/cron.weekly are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set ownership and permissions on /etc/cron.weekly :
# chown root:root /etc/cron.weekly
# chmod og-rwx /etc/cron.weekly
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.5 Ensure events that modify user/group information are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 Add the following lines to the /etc/audit/audit.rules file:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
Instance i-01aae074f79eaa71f is not compliant with rule 1.4.1 Ensure permissions on bootloader config are configured, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Run the following commands to set permissions on your grub configuration:
# chown root:root /boot/grub2/grub.cfg
# chmod og-rwx /boot/grub2/grub.cfg
Instance i-01aae074f79eaa71f is not compliant with rule 4.1.10 Ensure discretionary access control permission modification events are collected, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 2 - Workstation, Level 2 - Server. qahobserver4b100 For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Instance i-01aae074f79eaa71f is not compliant with rule 3.5.3 Ensure RDS is disabled, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true
Instance i-01aae074f79eaa71f is not compliant with rule 6.1.11 Ensure no unowned files or directories exist, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.
Instance i-01aae074f79eaa71f is not compliant with rule 1.1.17 Ensure noexec option set on /dev/shm partition, 2.2.0 CIS CentOS Linux 7 Benchmark. Applicable profiles: Level 1 - Server, Level 2 - Workstation, Level 2 - Server, Level 1 - Workstation. qahobserver4b100 Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm