DOCSLIB.ORG

CIS Amazon Linux 2 Benchmark

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CIS Amazon Linux 2 Benchmark CIS Amazon Linux 2 Benchmark v1.0.0 - 11-14-2018 Terms of Use Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/ 1 | P a g e Table of Contents Terms of Use ........................................................................................................................................................... 1 Overview ............................................................................................................................................................... 12 Intended Audience ........................................................................................................................................ 12 Consensus Guidance ..................................................................................................................................... 12 Typographical Conventions ...................................................................................................................... 13 Scoring Information ..................................................................................................................................... 13 Profile Definitions ......................................................................................................................................... 14 Acknowledgements ...................................................................................................................................... 15 Recommendations ............................................................................................................................................. 16 1 Initial Setup .................................................................................................................................................. 16 1.1 Filesystem Configuration ............................................................................................................... 17 1.1.1 Disable unused filesystems ................................................................................................... 18 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) ......................... 19 1.1.1.2 Ensure mounting of hfs filesystems is disabled (Scored) ................................. 20 1.1.1.3 Ensure mounting of hfsplus filesystems is disabled (Scored) ........................ 21 1.1.1.4 Ensure mounting of squashfs filesystems is disabled (Scored) ..................... 22 1.1.1.5 Ensure mounting of udf filesystems is disabled (Scored) ................................ 23 1.1.2 Ensure /tmp is configured (Scored) ............................................................................. 24 1.1.3 Ensure nodev option set on /tmp partition (Scored) ............................................ 27 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ........................................... 29 1.1.5 Ensure noexec option set on /tmp partition (Scored) .......................................... 31 1.1.6 Ensure separate partition exists for /var (Scored)................................................. 33 1.1.7 Ensure separate partition exists for /var/tmp (Scored) ...................................... 35 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) ................................... 37 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) .................................. 38 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) ............................... 39 1.1.11 Ensure separate partition exists for /var/log (Scored) ..................................... 40 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) ......................... 42 1.1.13 Ensure separate partition exists for /home (Scored) ......................................... 44 2 | P a g e 1.1.14 Ensure nodev option set on /home partition (Scored) ...................................... 46 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) ............................... 47 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) .............................. 48 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) .............................. 49 1.1.18 Ensure sticky bit is set on all world-writable directories (Scored) ............... 50 1.1.19 Disable Automounting (Scored) .................................................................................. 51 1.2 Configure Software Updates ......................................................................................................... 53 1.2.1 Ensure package manager repositories are configured (Not Scored) ............... 53 1.2.2 Ensure GPG keys are configured (Not Scored) ......................................................... 55 1.2.3 Ensure gpgcheck is globally activated (Scored) ....................................................... 56 1.3 Filesystem Integrity Checking ...................................................................................................... 57 1.3.1 Ensure AIDE is installed (Scored) .................................................................................. 58 1.3.2 Ensure filesystem integrity is regularly checked (Scored) .................................. 60 1.4 Secure Boot Settings ........................................................................................................................ 62 1.4.1 Ensure permissions on bootloader config are configured (Scored) ................ 63 1.4.2 Ensure authentication required for single user mode (Scored) ........................ 65 1.5 Additional Process Hardening ..................................................................................................... 67 1.5.1 Ensure core dumps are restricted (Scored) .............................................................. 68 1.5.2 Ensure address space layout randomization (ASLR) is enabled (Scored) .... 70 1.5.3 Ensure prelink is disabled (Scored) .............................................................................. 72 1.6 Mandatory Access Control ............................................................................................................. 73 1.6.1 Configure SELinux .................................................................................................................... 74 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored) ....... 76 1.6.1.2 Ensure the SELinux state is enforcing (Scored) ................................................... 78 1.6.1.3 Ensure SELinux policy is configured (Scored) ...................................................... 79 1.6.1.4 Ensure SETroubleshoot is not installed (Scored) ................................................ 81 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) 82 1.6.1.6 Ensure no unconfined daemons exist (Scored) .................................................... 83 1.6.2 Ensure SELinux is installed (Scored) ........................................................................... 84 1.7 Warning Banners............................................................................................................................... 85 3 | P a g e 1.7.1 Command Line Warning Banners ...................................................................................... 86 1.7.1.1 Ensure message of the day is configured properly (Scored) ........................... 87 1.7.1.2 Ensure local login warning banner is configured properly (Not Scored) .. 89 1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored) ................................................................................................................................................................ 91 1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored) ................... 93 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored) ........................... 94 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Not Scored) ........... 95 1.8 Ensure updates, patches, and additional security software are installed (Scored) .............................................................................................................................................. 96 2 Services .......................................................................................................................................................... 98 2.1 Special Purpose Services ................................................................................................................ 99 2.1.1 Time Synchronization ........................................................................................................... 100 2.1.1.1 Ensure time synchronization is in use (Not Scored) ........................................ 101 2.1.1.2 Ensure ntp is configured (Scored) ........................................................................... 103 2.1.1.3 Ensure chrony is configured (Scored) .................................................................... 105 2.1.2 Ensure X Window System is not installed (Scored) ............................................. 107 2.1.3 Ensure Avahi Server is not enabled (Scored) ......................................................... 108 2.1.4 Ensure CUPS is not enabled (Scored) ......................................................................... 109 2.1.5 Ensure DHCP Server is not enabled (Scored) ......................................................... 111 2.1.6 Ensure LDAP server is not enabled
Load more

Recommended publications
  • Study of File System Evolution
    Study of File System Evolution Swaminathan Sundararaman, Sriram Subramanian Department of Computer Science University of Wisconsin {swami, srirams} @cs.wisc.edu Abstract File systems have traditionally been a major area of file systems are typically developed and maintained by research and development. This is evident from the several programmer across the globe. At any point in existence of over 50 file systems of varying popularity time, for a file system, there are three to six active in the current version of the Linux kernel. They developers, ten to fifteen patch contributors but a single represent a complex subsystem of the kernel, with each maintainer. These people communicate through file system employing different strategies for tackling individual file system mailing lists [14, 16, 18] various issues. Although there are many file systems in submitting proposals for new features, enhancements, Linux, there has been no prior work (to the best of our reporting bugs, submitting and reviewing patches for knowledge) on understanding how file systems evolve. known bugs. The problems with the open source We believe that such information would be useful to the development approach is that all communication is file system community allowing developers to learn buried in the mailing list archives and aren’t easily from previous experiences. accessible to others. As a result when new file systems are developed they do not leverage past experience and This paper looks at six file systems (Ext2, Ext3, Ext4, could end up re-inventing the wheel. To make things JFS, ReiserFS, and XFS) from a historical perspective worse, people could typically end up doing the same (between kernel versions 1.0 to 2.6) to get an insight on mistakes as done in other file systems.
    [Show full text]
  • ECE 598 – Advanced Operating Systems Lecture 19
    ECE 598 { Advanced Operating Systems Lecture 19 Vince Weaver http://web.eece.maine.edu/~vweaver [email protected] 7 April 2016 Announcements • Homework #7 was due • Homework #8 will be posted 1 Why use FAT over ext2? • FAT simpler, easy to code • FAT supported on all major OSes • ext2 faster, more robust filename and permissions 2 btrfs • B-tree fs (similar to a binary tree, but with pages full of leaves) • overwrite filesystem (overwite on modify) vs CoW • Copy on write. When write to a file, old data not overwritten. Since old data not over-written, crash recovery better Eventually old data garbage collected • Data in extents 3 • Copy-on-write • Forest of trees: { sub-volumes { extent-allocation { checksum tree { chunk device { reloc • On-line defragmentation • On-line volume growth 4 • Built-in RAID • Transparent compression • Snapshots • Checksums on data and meta-data • De-duplication • Cloning { can make an exact snapshot of file, copy-on- write different than link, different inodles but same blocks 5 Embedded • Designed to be small, simple, read-only? • romfs { 32 byte header (magic, size, checksum,name) { Repeating files (pointer to next [0 if none]), info, size, checksum, file name, file data • cramfs 6 ZFS Advanced OS from Sun/Oracle. Similar in idea to btrfs indirect still, not extent based? 7 ReFS Resilient FS, Microsoft's answer to brtfs and zfs 8 Networked File Systems • Allow a centralized file server to export a filesystem to multiple clients. • Provide file level access, not just raw blocks (NBD) • Clustered filesystems also exist, where multiple servers work in conjunction.
    [Show full text]
  • Hardware-Driven Evolution in Storage Software by Zev Weiss A
    Hardware-Driven Evolution in Storage Software by Zev Weiss A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Sciences) at the UNIVERSITY OF WISCONSIN–MADISON 2018 Date of final oral examination: June 8, 2018 ii The dissertation is approved by the following members of the Final Oral Committee: Andrea C. Arpaci-Dusseau, Professor, Computer Sciences Remzi H. Arpaci-Dusseau, Professor, Computer Sciences Michael M. Swift, Professor, Computer Sciences Karthikeyan Sankaralingam, Professor, Computer Sciences Johannes Wallmann, Associate Professor, Mead Witter School of Music i © Copyright by Zev Weiss 2018 All Rights Reserved ii To my parents, for their endless support, and my cousin Charlie, one of the kindest people I’ve ever known. iii Acknowledgments I have taken what might be politely called a “scenic route” of sorts through grad school. While Ph.D. students more focused on a rapid graduation turnaround time might find this regrettable, I am glad to have done so, in part because it has afforded me the opportunities to meet and work with so many excellent people along the way. I owe debts of gratitude to a large cast of characters: To my advisors, Andrea and Remzi Arpaci-Dusseau. It is one of the most common pieces of wisdom imparted on incoming grad students that one’s relationship with one’s advisor (or advisors) is perhaps the single most important factor in whether these years of your life will be pleasant or unpleasant, and I feel exceptionally fortunate to have ended up iv with the advisors that I’ve had.
    [Show full text]
  • Enterprise Filesystems
    Enterprise Filesystems Eric Sandeen Principal Software Engineer, Red Hat Feb 21, 2013 1 ERIC SANDEEN What We'll Cover ● Local “Enterprise-ready” Linux filesystems ● Ext3 ● Ext4 ● XFS ● BTRFS ● Use cases, features, pros & cons of each ● Recent & future work ● Features ● Scalability ● Benchmarks 2 ERIC SANDEEN Local Filesystems in RHEL6 ● We ship what customers need and can rely on ● We ship what we test and support ● Major on-disk local filesystems ● Ext3, Ext4, XFS, BTRFS* ● Others are available for special purposes ● fat, vfat, msdos, udf, cramfs, squashfs... ● We'll cover the “big four” today 3 ERIC SANDEEN The Ext3 filesystem ● Ext3 is was the most common file system in Linux ● Most distributions historically used it as their default ● Applications tuned to its specific behaviors (fsync...) ● Familiar to most system administrators ● Ext3 challenges ● File system repair (fsck) time can be extremely long ● Limited scalability - maximum file system size of 16TB ● Can be significantly slower than other local file systems ● direct/indirect, bitmaps, no delalloc ... 4 ERIC SANDEEN The Ext4 filesystem ● Ext4 has many compelling new features ● Extent based allocation ● Faster fsck time (up to 10x over ext3) ● Delayed allocation, preallocation ● Higher bandwidth ● Should be relatively familiar for existing ext3 users ● Ext4 challenges ● Large device support not polished in its user space tools ● Limits supported maximum file system size to 16TB* ● Has different behavior over system failure 5 ERIC SANDEEN The XFS filesystem ● XFS is very robust
    [Show full text]
  • CIS Ubuntu Linux 18.04 LTS Benchmark
    CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0 - 08-13-2018 Terms of Use Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/ 1 | P a g e Table of Contents Terms of Use ........................................................................................................................................................... 1 Overview ............................................................................................................................................................... 12 Intended Audience ........................................................................................................................................ 12 Consensus Guidance ..................................................................................................................................... 13 Typographical Conventions ...................................................................................................................... 14 Scoring Information ..................................................................................................................................... 14 Profile Definitions ......................................................................................................................................... 15 Acknowledgements ...................................................................................................................................... 17 Recommendations ............................................................................................................................................
    [Show full text]
  • Proceedings of the Linux Symposium Volume
    Proceedings of the Linux Symposium Volume Two July 19th–22nd, 2006 Ottawa, Ontario Canada Contents Evolution in Kernel Debugging using Hardware Virtualization With Xen 1 Nitin A. Kamble Improving Linux Startup Time Using Software Resume (and other techniques) 17 Hiroki Kaminaga Automated Regression Hunting 27 A. Bowen, P. Fox, J. Kenefick, A. Romney, J. Ruesch, J. Wilde, & J. Wilson Hacking the Linux Automounter—Current Limitations and Future Directions 37 Ian Maxwell Kent & Jeff Moyer Why NFS Sucks 51 Olaf Kirch Efficient Use of the Page Cache with 64 KB Pages 65 Dave Kleikamp and Badari Pulavarty Startup Time in the 21st Century: Filesystem Hacks and Assorted Tweaks 71 Benjamin C.R. LaHaise Using Hugetlbfs for Mapping Application Text Regions 75 H.J. Lu, K. Doshi, R. Seth, & J. Tran Towards a Better SCM: Revlog and Mercurial 83 Matt Mackall Roadmap to a GL-based composited desktop for Linux 91 K.E. Martin and K. Packard Probing the Guts of Kprobes 101 A. Mavinakayanahalli, P. Panchamukhi, J. Keniston, A. Keshavamurthy, & M. Hiramatsu Shared Page Tables Redux 117 Dave McCracken Extending RCU for Realtime and Embedded Workloads 123 Paul E. McKenney OSTRA: Experiments With on-the-fly Source Patching 139 Arnaldo Carvalho de Melo Design and Implementation to Support Multiple Key Exchange Protocols for IPsec 143 K. Miyazawa, S. Sakane, K. Kamada, M. Kanda, & A. Fukumoto The State of Linux Power Management 2006 151 Patrick Mochel I/O Workload Fingerprinting in the Genetic-Library 165 Jake Moilanen X86-64 XenLinux: Architecture, Implementation, and Optimizations 173 Jun Nakajima, Asit Mallick GCC—An Architectural Overview, Current Status, and Future Directions 185 Diego Novillo Shared-Subtree Concept, Implementation, and Applications in Linux 201 Al Viro & Ram Pai The Ondemand Governor 215 Venkatesh Pallipadi & Alexey Starikovskiy Linux Bootup Time Reduction for Digital Still Camera 231 Chan-Ju Park A Lockless Pagecache in Linux—Introduction, Progress, Performance 241 Nick Piggin The Ongoing Evolution of Xen 255 I.
    [Show full text]
  • Ted Ts'o on Linux File Systems
    Ted Ts’o on Linux File Systems An Interview RIK FARROW Rik Farrow is the Editor of ;login:. ran into Ted Ts’o during a tutorial luncheon at LISA ’12, and that later [email protected] sparked an email discussion. I started by asking Ted questions that had I puzzled me about the early history of ext2 having to do with the perfor- mance of ext2 compared to the BSD Fast File System (FFS). I had met Rob Kolstad, then president of BSDi, because of my interest in the AT&T lawsuit against the University of California and BSDi. BSDi was being sued for, among other things, Theodore Ts’o is the first having a phone number that could be spelled 800-ITS-UNIX. I thought that it was important North American Linux for the future of open source operating systems that AT&T lose that lawsuit. Kernel Developer, having That said, when I compared the performance of early versions of Linux to the current version started working with Linux of BSDi, I found that they were closely matched, with one glaring exception. Unpacking tar in September 1991. He also archives using Linux (likely .9) was blazingly fast compared to BSDi. I asked Rob, and he served as the tech lead for the MIT Kerberos explained that the issue had to do with synchronous writes, finally clearing up a mystery for me. V5 development team, and was the architect at IBM in charge of bringing real-time Linux Now I had a chance to ask Ted about the story from the Linux side, as well as other questions in support of real-time Java to the US Navy.
    [Show full text]
  • Bull System Backup / Restore N O V a SC a LE
    Bull System Backup / Restore NOVASCALE User's Guide for NovaScale Universal & Intensive REFERENCE 86 A2 73EV 04 NOVASCALE Bull System Backup / Restore User's Guide for NovaScale Universal & Intensive Software November 2008 BULL CEDOC 357 AVENUE PATTON B.P.20845 49008 ANGERS CEDEX 01 FRANCE REFERENCE 86 A2 73EV 04 The following copyright notice protects this book under Copyright laws which prohibit such actions as, but not limited to, copying, distributing, modifying, and making derivative works. Copyright Bull SAS 2008 Printed in France Suggestions and criticisms concerning the form, content, and presentation of this book are invited. A form is provided at the end of this book for this purpose. To order additional copies of this book or other Bull Technical Publications, you are invited to use the Ordering Form also provided at the end of this book. Trademarks and Acknowledgements We acknowledge the right of proprietors of trademarks mentioned in this book. Intel ® and Itanium ® are registered trademarks of Intel Corporation. Windows ® and Microsoft ® software are registered trademarks of Microsoft Corporation. UNIX ® is a registered trademark in the United States of America and other countries licensed exclusively through the Open Group. Linux ® is a registered trademark of Linus Torvalds. NovaScale ® is a registered trademark of Bull The information in this document is subject to change without notice. Bull will not be liable for errors contained herein, or for incidental or consequential damages in connection with the use of this material.
    [Show full text]
  • CIS Red Hat Enterprise Linux 7 Benchmark
    CIS Red Hat Enterprise Linux 7 Benchmark v2.1.1 - 01-31-2017 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security. 1 | P a g e Table of Contents Overview ............................................................................................................................................................... 12 Intended Audience ........................................................................................................................................ 12 Consensus Guidance ..................................................................................................................................... 12 Typographical Conventions .....................................................................................................................
    [Show full text]
  • Embedded Linux Optimizations
    Embedded Linux optimizations Embedded Linux optimizations Size, RAM, speed, power, cost Michael Opdenacker Thomas Petazzoni Free Electrons © Copyright 2004-2009, Free Electrons. Creative Commons BY-SA 3.0 license Latest update: Dec 20, 2010, Document sources, updates and translations: http://free-electrons.com/docs/optimizations Corrections, suggestions, contributions and translations are welcome! 1 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com Penguin weight watchers Make your penguin slimmer, faster, and reduce its consumption of fish! Before 2 weeks after 2 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com CE Linux Forum http://celinuxforum.org/ Non profit organization, whose members are embedded Linux companies and Consumer Electronics (CE) devices makers. Mission: develop the use of Linux in CE devices Hosts many projects to improve the suitability of Linux for CE devices and embedded systems. All patches are meant to be included in the mainline Linux kernel. Most of the ideas introduced in this presentation have been gathered or even implemented by CE Linux Forum projects! 3 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com Contents Ideas for optimizing the Linux kernel and executables Increasing speed Reducing size: disk footprint and RAM Reducing power consumption Global perspective: cost and combined optimization effects The ultimate optimization tool! 4 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com Embedded Linux Optimizations Increasing speed Reducing kernel boot time 5 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support.
    [Show full text]
  • Linux Professional Institute Tutorials LPI Exam 101 Prep: Hardware and Architecture Junior Level Administration (LPIC-1) Topic 101
    Linux Professional Institute Tutorials LPI exam 101 prep: Hardware and architecture Junior Level Administration (LPIC-1) topic 101 Skill Level: Introductory Ian Shields ([email protected]) Senior Programmer IBM 08 Aug 2005 In this tutorial, Ian Shields begins preparing you to take the Linux Professional Institute® Junior Level Administration (LPIC-1) Exam 101. In this first of five tutorials, Ian introduces you to configuring your system hardware with Linux™. By the end of this tutorial, you will know how Linux configures the hardware found on a modern PC and where to look if you have problems. Section 1. Before you start Learn what these tutorials can teach you and how you can get the most from them. About this series The Linux Professional Institute (LPI) certifies Linux system administrators at two levels: junior level (also called "certification level 1") and intermediate level (also called "certification level 2"). To attain certification level 1, you must pass exams 101 and 102; to attain certification level 2, you must pass exams 201 and 202. developerWorks offers tutorials to help you prepare for each of the four exams. Each exam covers several topics, and each topic has a corresponding self-study tutorial on developerWorks. For LPI exam 101, the five topics and corresponding developerWorks tutorials are: Hardware and architecture © Copyright IBM Corporation 1994, 2008. All rights reserved. Page 1 of 43 developerWorks® ibm.com/developerWorks Table 1. LPI exam 101: Tutorials and topics LPI exam 101 topic developerWorks tutorial Tutorial summary Topic 101 LPI exam 101 prep (topic (This tutorial). Learn to 101): configure your system Hardware and architecture hardware with Linux.
    [Show full text]
  • Filesystems for Embedded Linux
    Survey of Filesystems for Embedded Linux Presented by Gene Sally CELF Presentation °Filesystems In Summary ° What is a filesystem ° Kernel and User space filesystems ° Picking a root filesystem °Filesystem Round-up ° Slide-by-slide description of filesystems frequently used by embedded Linux engineers ° NFS and initramfs filesystems Drop by www.timesys.com 2 Diversion for Those New to Linux/Embedded: The Kernel and Filesystem ° The RFS and Kernel are separate entities. ° Related? Yes, but not so tightly bound that they can’t change independently. ° A filesystem must be present for the kernel to start successfully. ° Can be an in memory filesystem, network filesystem ° Can be “attached” to the kernel image loaded into memory ° This filesystem mounted at /, aptly called the root filesystem (RFS) ° Can have a system with several filesystem types For those new to using Linux for an embedded ° The Linux kernel, after startipnrgoje, cwt, ihlalv mingo au snepta trahte kfeirlneesl aynsdt uesmer- and execute some program.space takes some explaining, even for those ° While they may be packaged togewthhoe urs,e t Lhienu rxo oon tt hfeilire dseysskttoepm. is a separate entity from the kernel. Drop by www.timesys.com 3 Filesystems in Linux: General Features ° Linux (like Unix) is designed to use any number of arbitrary filesystems ° Provides uniform interface to filesystems through the VFS (Virtual FileSystem) ° Provides shared routines (like caching) ° Physical storage not necessary (think proc filesystem) ° Filesystems implemented as kernel modules
    [Show full text]