Why CIS Benchmark?

CIS Benchmarks are security standards for defending IT systems and data against cyberattacks. They offer prescriptive guidance for establishing a secure baseline configuration.

Introduction

This document gives information, with examples, on establishing a secure configuration for a Debian Linux 10 system running on x64 and x86 platforms. All operations must be performed as the root user so that every area of the system is accessible, especially after remediation has been performed.

Here we make changes to the running system configuration to reduce the attack surface in the following areas:

  • Filesystem types
  • Services
  • Clients
  • Network protocols
  • System maintenance

1. Filesystem Configuration

Placing directories on separate partitions protects them and allows mount options to be applied to them. Partitions can be created during installation, or the system can be repartitioned after it is installed.

1.1 Disable unused file systems:

Disabling unneeded file systems reduces the local attack surface of the system, so any file system that is not needed should be disabled.
E.g. Ensure mounting of the freevxfs filesystem is disabled:

Description:

freevxfs is a free version of the Veritas type file system.

Audit:

Run the following commands and verify the output is as indicated:

$modprobe -n -v freevxfs

o/p- install /bin/true

$lsmod | grep freevxfs

<No output>

Remediation:

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line:

install freevxfs /bin/true

Run the following command to unload the freevxfs module:

$rmmod freevxfs

The same commands are used for the other file systems, such as jffs2, hfs, etc.
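The audit and remediation above, generalised to a list of file system modules as an added example (this is not CIS's own tooling). The modprobe, lsmod and rmmod commands and the .conf file name are read from variables so the checks can be exercised against captured output; on a real host keep the defaults and run as root.

```shell
#!/bin/sh
# Audit and remediate filesystem kernel modules as in section 1.1, for a whole
# list at once. Commands are taken from variables so captured output can be
# audited offline; on a real host keep the defaults and run as root.
MODPROBE_CMD=${MODPROBE_CMD:-"modprobe -n -v"}
LSMOD_CMD=${LSMOD_CMD:-lsmod}
RMMOD_CMD=${RMMOD_CMD:-rmmod}
# Hypothetical file name; any file ending in .conf under /etc/modprobe.d/ works.
CONF=${CONF:-/etc/modprobe.d/cis-filesystems.conf}

# Audit one module: 0 only if modprobe resolves it to "install /bin/true"
# (loading is a no-op) and lsmod does not show it currently loaded.
fs_module_disabled() {
    fs=$1
    $MODPROBE_CMD "$fs" 2>/dev/null | grep -q '^install /bin/true' || return 1
    $LSMOD_CMD | grep -q "^$fs " && return 1
    return 0
}

# Remediate one module: add the install line once, then unload it if loaded.
fs_module_remediate() {
    fs=$1
    grep -qs "^install $fs /bin/true" "$CONF" ||
        printf 'install %s /bin/true\n' "$fs" >> "$CONF"
    if $LSMOD_CMD | grep -q "^$fs "; then
        $RMMOD_CMD "$fs"
    fi
}

# Audit every module named; exit status is the number of non-compliant ones.
fs_modules_audit() {
    failed=0
    for fs in "$@"; do
        if fs_module_disabled "$fs"; then
            echo "PASS $fs"
        else
            echo "FAIL $fs"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage (as root): sh fs-modules.sh freevxfs jffs2 hfs hfsplus udf
if [ $# -gt 0 ]; then
    fs_modules_audit "$@"
fi
```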

1.2 Configure software updates:

In this distribution the apt command is used to update and install software.

  • E.g. Ensure package manager repositories are configured

Description:

Repositories need to be configured so that the system receives the latest updates.

Audit:

Run the following command and verify the package repositories:

$apt-cache policy

Remediation:

Configure package repositories according to site policy.

1.3 Configure sudo:

sudo allows a permitted user to execute commands as the superuser, as defined by the security policy.

  • E.g. Ensure sudo is installed

Audit:

Run the following command and verify that sudo is installed:

$dpkg -s sudo

Remediation:

Install sudo using the following command:

$apt install sudo

1.4 File System integrity checking:

AIDE is a file integrity checking tool that detects unauthorised changes to configuration files.

  • E.g. Ensure AIDE is installed.

Audit:

Verify that AIDE is installed:

$dpkg -s aide

Remediation:

Install AIDE using the appropriate package manager:

$apt install aide aide-common

1.5 Secure boot settings:

Here is an example of how to secure the boot settings.

  • E.g. Ensure authentication is required for single user mode

Audit:

Run the following command and verify that no results are returned:

$grep ^root:[*\!]: /etc/shadow

Remediation:

Set a password for the root user:

$passwd root

2. Services

The best way to protect the system against unreported vulnerabilities is to disable services that are not required on the system, which prevents those vulnerabilities from being exploited.

2.1 Inetd services:

inetd is the super-server daemon that provides internet services and passes connections to the configured services.

  • E.g. Ensure xinetd is not installed.

Audit:

Run the following command to verify that xinetd is not installed:

$dpkg -s xinetd

Remediation:

Run the following command to remove xinetd:

$apt purge xinetd

2.2 Special purpose services:

These services are installed on the system; any service that is not required has to be disabled for the security of the system.

  • E.g. Ensure email services are not enabled.

Audit:

Ensure Dovecot is not enabled by running the following command:

$systemctl is-enabled dovecot

o/p- disabled

Remediation:

To disable Dovecot:

$systemctl --now disable dovecot

2.3 Service clients:

Service clients are removed unless they are required, which prevents local attacks against the services.

  • E.g. Ensure the NIS client is not installed

Audit:

Verify that nis is not installed using the following command:

$dpkg -s nis

Remediation:

Uninstall NIS using the following command:

$apt purge nis

3. Network Configuration

Network configuration can be secured through kernel parameters, access control lists and firewall settings.

3.1 Disable unused network protocols and devices:

This reduces the attack surface of the system.

  • E.g. Disable IPv6

Audit:

Run the following command and verify that no lines are returned:

$grep "^\s*linux" /boot/grub/grub.cfg | grep -v "ipv6.disable=1"

Remediation:

Edit /etc/default/grub and set the following parameter, then regenerate the GRUB configuration:

GRUB_CMDLINE_LINUX="ipv6.disable=1"

$update-grub

3.2 Firewall Configuration:

A firewall provides defence against threats by refusing unauthorised connections.

3.3 Uncommon Network Protocols:

Uncommon network protocols that are not needed can be disabled in the kernel.

4. Access, Authentication and Authorization

Granting or disabling access, authentication and authorization for system components leads to a secure system and prevents cyberattacks.

4.1 Configure Cron:

  • E.g. Ensure the cron daemon is enabled

Audit:

Depending on the system configuration, run the following command to verify that the cron daemon is enabled:

$systemctl is-enabled cron

o/p- enabled

Remediation:

Run the appropriate command to enable cron:

$systemctl --now enable cron

4.2 SSH server configuration:

SSH encrypts remote sessions and so prevents session hijacking and the sniffing of sensitive data off the network. If remote access is not required, the SSH daemon can be removed.

4.3 Configure PAM:

PAM (Pluggable Authentication Modules) implements a modular authentication framework on UNIX-like systems.

PAM must be carefully configured to secure authentication.

5. System Maintenance

System maintenance includes the following settings to secure the system from attacks.

5.1 System file permissions:

These settings are used to secure files and directories.

  • E.g. Ensure permissions on /etc/passwd are configured.

Audit:

Run the following command and verify that both uid and gid are 0/root and access is 644:

$stat /etc/passwd

o/p- Access: ( 0644/-rw-r--r-- )  uid: (  0/  root )  gid:  (  0/  root )

Remediation:

Run the following commands to set permissions on /etc/passwd:

$chown root:root /etc/passwd
$chmod 644 /etc/passwd

5.2 User and group settings:

These settings are used to secure users and groups.

  • E.g. Ensure password fields are not empty.

Audit:

Verify that no output is returned by the command below:

$awk -F: '( $2 == "" ) { print $1 " does not have a password " }' /etc/shadow

Remediation:

Lock the account using the command below:

$passwd -l <username>
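The file permission check of 5.1 and the empty password check of 5.2, written as reusable audit and remediation functions (an added example, not CIS's own code). File paths are parameters so the functions can be run against the live /etc/passwd and /etc/shadow or against copies; PASSWD_CMD is an assumed override that lets the lock step be dry-run.

```shell
#!/bin/sh
# Audit and remediation helpers for section 5: file permissions (5.1) and
# empty password fields (5.2). Paths are parameters so the checks can run
# against the live /etc files or copies. Uses GNU stat -c (Debian coreutils).

# Return 0 if path is owned by want_uid:want_gid with exactly octal mode
# want_mode, e.g. check_file_perms /etc/passwd 0 0 644; 1 otherwise.
check_file_perms() {
    path=$1 want_uid=$2 want_gid=$3 want_mode=$4
    perms=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 1
    set -- $perms
    [ "$1" = "$want_uid" ] && [ "$2" = "$want_gid" ] && [ "$3" = "$want_mode" ]
}

# Remediation as in the text (chown then chmod), applied only when the audit fails.
fix_file_perms() {
    check_file_perms "$1" "$2" "$3" "$4" && return 0
    chown "$2:$3" "$1" && chmod "$4" "$1"
}

# Section 5.2 audit: print accounts whose password field (field 2) is empty.
# Returns 0 when there are none, 1 when at least one account was printed.
empty_password_accounts() {
    found=$(awk -F: '( $2 == "" ) { print $1 " does not have a password" }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Section 5.2 remediation: lock each such account with passwd -l.
# PASSWD_CMD (assumed name) can be overridden to dry-run against a copy of /etc/shadow.
lock_empty_password_accounts() {
    for user in $(awk -F: '$2 == "" { print $1 }' "$1"); do
        ${PASSWD_CMD:-passwd} -l "$user"
    done
}

# Usage (as root): CIS_LIVE_AUDIT=1 sh system-maintenance.sh
if [ "${CIS_LIVE_AUDIT:-0}" = 1 ]; then
    check_file_perms /etc/passwd 0 0 644 || fix_file_perms /etc/passwd 0 0 644
    empty_password_accounts /etc/shadow || lock_empty_password_accounts /etc/shadow
fi
```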

Conclusion

A secure configuration of the system can be achieved through the CIS Benchmarks, which leads to a safe and secure system.

Headquarters

4701 Patrick Henry Drive,
Bldg. 16, Suite 106, Santa Clara, California 95054
781-640-0588
sales@neovatechsolutions.com

Development Center

P3-603, Pentagon Tower,
Magarpatta City, Hadapsar, Pune, Maharashtra 411028
960-702-3233