ITSC Hardening Guide for Linux

Hardening Guideline for Redhat 6 / CentOS 6 and Ubuntu 12.04 LTS

Columns: CIS Rule ID (Ubuntu 12.04 LTS) | CIS Rule ID (CentOS / RHEL 6) | Description

Patching and Software Updates
1.1 | 1.2.3 (CentOS), 1.2.5 (RHEL) | Install OS updates, patches and additional security software in a timely manner

OS Services
5.1.1 | 2.1.5, 2.1.6 | Ensure NIS client and server are not installed
5.1.2 | 2.1.3 | Ensure rsh server is not enabled
5.1.3 | 2.1.4 | Ensure rsh client is not installed
5.1.4 | 2.1.10 | Ensure talk server is not enabled
5.1.5 | 2.1.9 | Ensure talk client is not installed
5.1.6 | 2.1.1 | Ensure telnet server is not enabled
5.1.7 | 2.1.8 | Ensure tftp-server is not enabled
5.2 | 2.1.12, 2.1.13 | Ensure chargen is not enabled
5.3 | 2.1.14, 2.1.15 | Ensure daytime is not enabled
5.4 | 2.1.16, 2.1.17 | Ensure echo is not enabled
5.5 | - | Ensure discard is not enabled
5.6 | - | Ensure time is not enabled
6.1 | 3.2 | Ensure the X Window system is not installed
6.5 | 3.6 | Ensure NTP service is running
6.9 | 3.10 | Ensure FTP server is not enabled

Firewall
7.7 | 4.7 | Ensure firewall is active

Logging and Auditing
8.1.2 | 5.2.2 | Install and enable auditd service
8.1.3 | 5.2.3 | Enable auditing for processes that start prior to auditd
8.1.8 | 5.2.8 | Collect login and logout events
8.1.14 | 5.2.14 | Collect file deletion events by user

System Access, Authentication and Authorization
9.2.1 | 6.3.2 | Set strong password creation policies:
        - password must be 14 characters or more
        - provide at least 1 digit
        - provide at least 1 uppercase character
        - provide at least 1 lowercase character
        - provide at least 1 special character
9.2.2 | 6.3.3 | Set lockout for 5 failed password attempts
9.2.3 | 6.3.4 | Prohibit reuse of the past 5 passwords
9.3.8 | 6.2.8 | Disable SSH root login
9.4 | 6.4 | Restrict root login to system console
10.1.1 | 7.1.1 | Set password expiration to 90 days
10.1.3 | 7.1.3 | Provide 7-day advance warning that a password will expire

User Settings
13.1 | 9.2.1 | Ensure password fields are not empty
13.5 | 9.2.5 | Verify no UID 0 accounts exist other than root
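The rows under "System Access, Authentication and Authorization" and "User Settings" can be verified from configuration files alone. The script below is an added example, not part of the ITSC guide, that audits those settings (password complexity and history via pam_cracklib/pam_unix, lockout via pam_tally2, expiry and warning in login.defs, PermitRootLogin in sshd_config, UID 0 and empty password fields); every function takes the file to inspect as its argument, and the sample files it writes are constructed for demonstration rather than copied from a real host.

```shell
#!/bin/sh
# Added audit helpers (not from the ITSC guide). Each check returns 0 when the
# file passed as $1 satisfies the guide's setting, non-zero otherwise.

# 0 if the first auth/password line loading module $2 in file $1 carries option $3.
pam_has_opt() {
    line=$(grep -E "^[[:space:]]*(auth|password)[[:space:]].*$2" "$1" | head -n 1)
    case " $line " in *" $3 "*) return 0 ;; *) return 1 ;; esac
}
# Complexity: minlen 14 and one digit/upper/lower/special; history: last 5 passwords.
check_password_policy() {
    for o in minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1; do
        pam_has_opt "$1" pam_cracklib.so "$o" || return 1
    done
    pam_has_opt "$1" pam_unix.so remember=5
}
# Lockout after 5 failed attempts (pam_tally2 deny=5).
check_lockout() { pam_has_opt "$1" pam_tally2.so deny=5; }
# Expiry at most 90 days, warning at least 7 days before expiry.
check_login_defs() {
    maxd=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v}' "$1")
    warn=$(awk '$1=="PASS_WARN_AGE"{v=$2} END{print v}' "$1")
    [ -n "$maxd" ] && [ "$maxd" -le 90 ] && [ -n "$warn" ] && [ "$warn" -ge 7 ]
}
# PermitRootLogin must be explicitly "no"; an absent directive is treated as a failure.
check_sshd_root() {
    awk 'tolower($1)=="permitrootlogin"{v=tolower($2)} END{if (v=="no") exit 0; exit 1}' "$1"
}
# No UID 0 account besides root in passwd; no empty password field in shadow.
check_uid0_only_root() { [ -z "$(awk -F: '$3==0 && $1!="root"' "$1")" ]; }
check_no_empty_passwords() { [ -z "$(awk -F: '$2==""' "$1")" ]; }

DEMO=$(mktemp -d)   # constructed sample configuration files, not a real system
cat > "$DEMO/common-password" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 remember=5
EOF
printf 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900\n' > "$DEMO/common-auth"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t7\nPASS_WARN_AGE\t7\n' > "$DEMO/login.defs"
printf 'Port 22\nPermitRootLogin no\n' > "$DEMO/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n' > "$DEMO/passwd"
printf 'root:$6$salt$hash:17000:0:99999:7:::\nsvc::17000:0:99999:7:::\n' > "$DEMO/shadow"

# The constructed shadow file deliberately contains an empty password field for "svc".
for c in check_password_policy:common-password check_lockout:common-auth \
         check_login_defs:login.defs check_sshd_root:sshd_config \
         check_uid0_only_root:passwd check_no_empty_passwords:shadow; do
    if "${c%%:*}" "$DEMO/${c#*:}"; then echo "PASS ${c%%:*}"; else echo "FAIL ${c%%:*}"; fi
done
```

Point the functions at /etc/pam.d/common-password, /etc/pam.d/common-auth (Ubuntu) or /etc/pam.d/system-auth (CentOS/RHEL), /etc/login.defs, /etc/ssh/sshd_config, /etc/passwd and /etc/shadow to audit a real host; the checks are read-only.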