{
  "format_version": 3,
  "policy": {
    "external_id": "901c7e0c5a68511f9321f9bb689fde30",
    "name": "CIS Linux Mint 22 Benchmark v1.0.0 - Level 1 Workstation",
    "version": "1.0.1",
    "description": "Center for Internet Security benchmark — Level 1 workstation hardening for Linux Mint 22 — apt-based desktop distro derived from Ubuntu. Uses the Workstation profile (Mint does not ship a Server profile). Generated from CIS_Linux_Mint_22_Benchmark_v1.0.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "104e51085edee5015e62bf256f8e4547",
      "name": "1.1.1.1 — Ensure cramfs kernel module is not available",
      "description": "Ensure cramfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it. \n\nPage 23",
      "remediation": "Unload and disable the cramfs kernel module. \n\n1.  Run the following commands to unload the cramfs kernel module: \n\n# modprobe -r cramfs 2>/dev/null \n# rmmod cramfs 2>/dev/null \n\n2.  Perform the following to disable the cramfs kernel module: \n\nCreate a file ending in .conf with install cramfs /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install cramfs /bin/false\" >> /etc/modprobe.d/60-\ncramfs.conf \n\nCreate a file ending in .conf with blacklist cramfs in the /e...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^cramfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "8a17d83116aea265cb3420a66f106dcd",
      "name": "1.1.1.3 — Ensure hfs kernel module is not available",
      "description": "Ensure hfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it. \n\nPage 30",
      "remediation": "Unload and disable the hfs kernel module. \n\n1.  Run the following commands to unload the hfs kernel module: \n\nmodprobe -r hfs 2>/dev/null \nrmmod hfs 2>/dev/null \n\n2.  Perform the following to disable the hfs kernel module: \n\nCreate a file ending in .conf with install hfs /bin/false in the /etc/modprobe.d/ \ndirectory. \nExample: \n# printf '%s\\n' \"\" \"install hfs /bin/false\" >> /etc/modprobe.d/60-hfs.conf \n\nCreate a file ending in .conf with blacklist hfs in the /etc/modprobe.d/ directory. \n\nExam...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "e6e3b64c3426b1ab992ac375115ac06d",
      "name": "1.1.1.4 — Ensure hfsplus kernel module is not available",
      "description": "Ensure hfsplus kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it. \n\nPage 33",
      "remediation": "Unload and disable the hfsplus kernel module. \n\n1.  Run the following commands to unload the hfsplus kernel module: \n\n# modprobe -r hfsplus 2>/dev/null \n# rmmod hfsplus 2>/dev/null \n\n2.  Perform the following to disable the hfsplus kernel module: \n\nCreate a file ending in .conf with install hfsplus /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install hfsplus /bin/false\" >> /etc/modprobe.d/60-\nhfsplus.conf \n\nCreate a file ending in .conf with blacklist hfsplus...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfsplus ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "80161059b5f7ed08982b4c0fae18de09",
      "name": "1.1.1.5 — Ensure jffs2 kernel module is not available",
      "description": "Ensure jffs2 kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it. \n\nPage 36",
      "remediation": "Unload and disable the jffs2 kernel module. \n\n1.  Run the following commands to unload the jffs2 kernel module: \n\n# modprobe -r jffs2 2>/dev/null \n# rmmod jffs2 2>/dev/null \n\n2.  Perform the following to disable the jffs2 kernel module: \n\nCreate a file ending in .conf with install jffs2 /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install jffs2 /bin/false\" >> /etc/modprobe.d/60-\njffs2.conf \n\nCreate a file ending in .conf with blacklist jffs2 in the /etc/modpro...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^jffs2 ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7532416e539b059a1f80d200072cd1d1",
      "name": "1.1.1.8 — Ensure udf kernel module is not available",
      "description": "Ensure udf kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the udf kernel module. \n\n1.  Run the following commands to unload the udf kernel module: \n\n# modprobe -r udf 2>/dev/null \n# rmmod udf 2>/dev/null \n\n2.  Perform the following to disable the udf kernel module: \n\nCreate a file ending in .conf with install udf /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '%s\\n' \"\" \"install udf /bin/false\" >> /etc/modprobe.d/60-udf.conf \n\nCreate a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory \n\nEx...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^udf ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "5a5498d55f332dca57d9d78765ccf1e5",
      "name": "1.1.2.1.1 — Ensure /tmp is tmpfs or a separate partition",
      "description": "Ensure /tmp is tmpfs or a separate partition",
      "rational": "Making /tmp its own file system allows an administrator to set additional mount options \nsuch as the noexec option on the mount, making /tmp useless for an attacker to install \nexecutable code. It would also prevent an attacker from establishing a hard link to a \nsystem setuid program and wait for it to be updated. Once the program was updated, \nthe hard link would be broken, and the attacker w...",
      "remediation": "First ensure that systemd is correctly configured so that /tmp will be mounted at \nboot time. \n\n# systemctl unmask tmp.mount \n\nFor specific configuration requirements of the /tmp mount for your environment, modify \n/etc/fstab. \n\nExample of using tmpfs with specific mount options: \n\ntmpfs  /tmp  tmpfs  defaults,rw,nosuid,nodev,noexec,relatime,size=2G  0 0 \n\nNote: the size=2G is an example of setting a specific size for tmpfs. \n\nExample of using a volume or disk with specific mount...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "tmp.mount",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "4f42a8fc06fb68fc169e7645aae03f30",
      "name": "1.1.2.1.2 — Ensure nodev option set on /tmp partition",
      "description": "Ensure nodev option set on /tmp partition",
      "rational": "Since the /tmp filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "6047f41a375ab0696f02625e36b6bead",
      "name": "1.1.2.1.3 — Ensure nosuid option set on /tmp partition",
      "description": "Ensure nosuid option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot create setuid files in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "62fbb870c6ccfeb92e6f3091d1639385",
      "name": "1.1.2.1.4 — Ensure noexec option set on /tmp partition",
      "description": "Ensure noexec option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot run executable binaries from /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \n\nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/tmp partition. \n\nExample: \n\n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \n\nRun the following command to remount /tmp with the configured options: \n\n# mount -o remount /tmp \n\nPage 69",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "cd25f93db017daa25d8e6c42cab03e8e",
      "name": "1.1.2.3.2 — Ensure nodev option set on /home partition",
      "description": "Ensure nodev option set on /home partition",
      "rational": "Since the /home filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /home.",
      "remediation": "- IF - a separate partition exists for /home. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/home partition. \n\nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "78e1f9a0d7a5537aa23314338521c650",
      "name": "1.1.2.3.3 — Ensure nosuid option set on /home partition",
      "description": "Ensure nosuid option set on /home partition",
      "rational": "Since the /home filesystem is only intended for user file storage, set this option to \nensure that users cannot create setuid files in /home.",
      "remediation": "- IF - a separate partition exists for /home. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/home partition. \n\nExample: \n\n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /home with the configured options: \n\n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "db4bf28c927bc4d28b5bf70d603fac92",
      "name": "1.1.2.4.2 — Ensure nodev option set on /var partition",
      "description": "Ensure nodev option set on /var partition",
      "rational": "Since the /var filesystem is not intended to support devices, set this option to ensure \nthat users cannot create a block or character special devices in /var.",
      "remediation": "- IF - a separate partition exists for /var. \n\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var partition. \n\nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "93ad06a03e6fba96d5170d566011ac58",
      "name": "1.1.2.4.3 — Ensure nosuid option set on /var partition",
      "description": "Ensure nosuid option set on /var partition",
      "rational": "Since the /var filesystem is only intended for variable files such as logs, set this option \nto ensure that users cannot create setuid files in /var.",
      "remediation": "- IF - a separate partition exists for /var. \n\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var partition. \n\nExample: \n\n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \n\nRun the following command to remount /var with the configured options: \n\n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "1e4b9fd6e197b6f0f62b3451378a891b",
      "name": "1.1.2.6.1 — Ensure separate partition exists for /var/log",
      "description": "Ensure separate partition exists for /var/log",
      "rational": "The default installation only creates a single / partition. Since the /var/log directory \ncontains log files which can grow quite large, there is a risk of resource exhaustion. It \nwill essentially have the whole disk available to fill up and impact the system as a whole. \n\nConfiguring /var/log as its own file system allows an administrator to set additional \nmount options such as noexec/nosuid...",
      "remediation": "For new installations, during installation create a custom partition setup and specify a \nseparate partition for /var/log . \n\nFor systems that were previously installed, create a new partition and configure \n/etc/fstab as appropriate. \n\nPage 104",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "681195636cdc0079143ea138118470c8",
      "name": "1.2.2.2 — Ensure Automatic updates are configured",
      "description": "Ensure Automatic updates are configured",
      "rational": "Enabling automatic updates ensures your system receives the latest security patches \nand bug fixes, protecting it from vulnerabilities and malware.",
      "remediation": "Run the following command to enable automatic updates: \n\n# mintupdate-automation upgrade enable",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "mintupdate-automation-upgrade.timer",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f98cbffb02919b4ba9d58058b489211e",
      "name": "1.3.1.1 — Ensure the apparmor packages are installed",
      "description": "Ensure the apparmor packages are installed",
      "rational": "Without a Mandatory Access Control system installed only the default Discretionary \nAccess Control system will be available.",
      "remediation": "Run the following command to install apparmor and apparmor-utils: \n\n# apt install apparmor apparmor-utils",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "apparmor",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "507b220e18ca060422b190e00dbd9878",
      "name": "1.3.1.4 — Ensure all AppArmor Profiles are enforcing",
      "description": "Ensure all AppArmor Profiles are enforcing",
      "rational": "Security configuration requirements vary from site to site. Some sites may mandate a \npolicy that is stricter than the default policy, which is perfectly acceptable. This item is \nintended to ensure that any policies that exist on the system are activated.",
      "remediation": "Run the following command to set all profiles to enforce mode: \n\n# aa-enforce /etc/apparmor.d/* \n\nNote: Any unconfined processes may need to have a profile created or activated for \nthem and then be restarted",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "apparmor_status | grep profiles",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "4df02d6d8dbc738e99d483982e89333d",
      "name": "1.4.1 — Ensure bootloader password is set",
      "description": "Ensure bootloader password is set",
      "rational": "Requiring a boot password upon execution of the boot loader will prevent an \nunauthorized user from entering boot parameters or changing the boot partition. This \nprevents users from weakening security (e.g. turning off AppArmor at boot time).",
      "remediation": "Create an encrypted password with grub-mkpasswd-pbkdf2: \n\n# grub-mkpasswd-pbkdf2 --iteration-count=600000 --salt=64 \n\nEnter password: <password> \nReenter password: <password> \nPBKDF2 hash of your password is <encrypted-password> \n\nAdd the following into a custom /etc/grub.d configuration file: \n\nset superusers=\"<username>\" \npassword_pbkdf2 <username> <encrypted-password> \n\nThe superuser/user information and password should not be contained in the \n/etc/grub.d/00_header file as this file could...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep \"^set superusers\" /boot/grub/grub.cfg",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7ef542ff417ec9b840a3672a9f317213",
      "name": "1.5.1 — Ensure randomize_va_space is configured",
      "description": "Ensure randomize_va_space is configured",
      "rational": "Randomly placing virtual memory regions will make it difficult to write memory page \nexploits as the memory placement will be consistently shifting. \n\nPage 151",
      "remediation": "1.  Review all files ending in .conf in the /etc/sysctl.d directory and comment \nout or remove all kernel.randomize_va_space lines that are not \nkernel.randomize_va_space=2. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"kernel.randomize_va_space\" l_grep=\"${l_option//./\\\\.}\" \nl_value=\"2\" \n   while IFS= read -r -d $'\\0' l_file; do \n      grep -Poi '\\h*'\"$l_option\"'\\h*=\\h*\\H+\\b' \"$l_file\" \\ \n      | grep -Pivq '^\\h*'\"$l_grep\"'\\h*=\\h*'\"$l_value\"'\\b' && \\ \n      sed -ri '/^\\s*kernel.y...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.randomize_va_space",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "87b27f5f4ad3d6a8fc4852e078d36b0e",
      "name": "1.5.2 — Ensure ptrace_scope is configured",
      "description": "Ensure ptrace_scope is configured",
      "rational": "If one application is compromised, it would be possible for an attacker to attach to other \nrunning processes (e.g. Bash, Firefox, SSH sessions, GPG agent, etc) to extract \nadditional credentials and continue to expand the scope of their attack. \n\nEnabling restricted mode will limit the ability of a compromised process to \nPTRACE_ATTACH on other processes running under the same user. With restr...",
      "remediation": "1.  Review all files ending in .conf in the /etc/sysctl.d directory and comment \nout or remove all kernel.yama.ptrace_scope lines that are not \nkernel.yama.ptrace_scope=1, kernel.yama.ptrace_scope=2, or \nkernel.yama.ptrace_scope=3. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"kernel.yama.ptrace_scope\" l_grep=\"${l_option//./\\\\.}\" \nl_value=\"(1|2|3)\" \n   while IFS= read -r -d $'\\0' l_file; do \n      grep -Poi '\\h*'\"$l_option\"'\\h*=\\h*\\H+\\b' \"$l_file\" \\ \n      | grep -Pivq '^\\h*'\"$l_g...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.yama.ptrace_scope",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7aa4a3ae8570170cfaf6fd5ddde2185b",
      "name": "1.5.3 — Ensure suid_dumpable is configured",
      "description": "Ensure suid_dumpable is configured",
      "rational": "core dumps may contain sensitive in-memory data like password hashes or keys. An \nattacker could potentially exploit this to gain access to such data. \n\nPage 161",
      "remediation": "1.  Review all files ending in .conf in the /etc/sysctl.d directory and comment \nout or remove all fs.suid_dumpable lines that are not fs.suid_dumpable=0. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"fs.suid_dumpable\" l_grep=\"${l_option//./\\\\.}\" l_value=\"0\" \n   while IFS= read -r -d $'\\0' l_file; do \n      grep -Poi '\\h*'\"$l_option\"'\\h*=\\h*\\H+\\b' \"$l_file\" \\ \n      | grep -Pivq '^\\h*'\"$l_grep\"'\\h*=\\h*'\"$l_value\"'\\b' && \\ \n      sed -ri '/^\\s*kernel.yama.ptrace_scope\\s*=/s/^/# /' \"...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.suid_dumpable",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "b291de25ab33350c7c19eaff511e3ce5",
      "name": "1.5.4 — Ensure core file size is configured",
      "description": "Ensure core file size is configured",
      "rational": "Setting a hard limit on core dumps prevents users from overriding the soft variable. \n\nA core dump includes a memory image taken at the time the operating system \nterminates an application. The memory image could contain sensitive data and is \ngenerally useful only for developers trying to debug problems.",
      "remediation": "1.  Run the following command to comment out any entries that include a hard \nvalue for core greater than 0 in /etc/security/limits.conf and any file in \nthe /etc/security/limits.d/ directory. \n\nExample: \n# sed -ri '/^\\s*[#\\n\\r]+\\s+hard\\s+core\\h+([1-9][0-9]*)/s/^/# /' \n/etc/security/limits.conf  /etc/security/limits.d/* \n\n2.  Create or edit a file in /etc/security/limits.d/ and add the following line: \n\n* hard core 0 \n\nExample: \n\n# printf '%s\\n' \"\" \"* hard core 0\" >> /etc/security/limits.d/6...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*\\*\\h+hard\\h+core\\b' /etc/security/limits.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ab12004874795d1dc425505b3652f8bf",
      "name": "1.5.5 — Ensure prelink is not installed",
      "description": "Ensure prelink is not installed",
      "rational": "The prelinking feature can interfere with the operation of AIDE, because it changes \nbinaries. Prelinking can also increase the vulnerability of the system if a malicious user \nis able to compromise a common library such as libc.",
      "remediation": "Run the following command to restore binaries to normal: \n\n# prelink -ua \n\nUninstall prelink using the appropriate package manager or manual installation: \n\n# apt purge prelink",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "prelink",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "a9f099bcdfb95bb1a4846f8776c4bed2",
      "name": "1.5.6 — Ensure Automatic Error Reporting is configured",
      "description": "Ensure Automatic Error Reporting is configured",
      "rational": "Apport collects potentially sensitive data, such as core dumps, stack traces, and log \nfiles. They can contain passwords, credit card numbers, serial numbers, and other \nprivate material.",
      "remediation": "Edit /etc/default/apport and add or edit the enabled parameter to equal 0: \n\nenabled=0 \n\nRun the following commands to stop and mask the apport service \n\n# systemctl stop apport.service \n# systemctl mask apport.service \n\n- OR - \n\nRun the following command to remove the apport package: \n\n# apt purge apport",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "apport",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f63b8c1e6e4b97c75bcb97e09494f0c4",
      "name": "1.6.1 — Ensure /etc/motd is configured",
      "description": "Ensure /etc/motd is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the file found in /etc/motd.d/* with the appropriate contents according to your \nsite policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform \n\n- OR - \n\n- IF - the motd is not used, this file can be removed. \n\nRun the following command to remove the motd file: \n\n# rm /etc/motd \n\nRun the following script and review and/or update all returned files' contents to: \n\n•  Remove all system information (\\v, \\r; \\m, \\s) \n•  Remove any reference to the operating system \n•...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "5f06675422de30b0a4b9839e4efb6073",
      "name": "1.6.2 — Ensure /etc/issue is configured",
      "description": "Ensure /etc/issue is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the /etc/issue file with the appropriate contents according to your site policy, \nremove any instances of \\m , \\r , \\s , \\v or references to the OS platform \n\nExample: \n\n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f3b88d22a7aee1ee75fdf5afeac1ba57",
      "name": "1.6.3 — Ensure /etc/issue.net is configured",
      "description": "Ensure /etc/issue.net is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the /etc/issue.net file with the appropriate contents according to your site policy, \nremove any instances of \\m , \\r , \\s , \\v or references to the OS platform \n\nExample: \n\n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue.net",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "2f3d0f9f37dc181ecc695099de16afc2",
      "name": "1.6.4 — Ensure access to /etc/motd is configured",
      "description": "Ensure access to /etc/motd is configured",
      "rational": "- IF - the /etc/motd file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/motd: \n\n# chown root:root $(readlink -e /etc/motd) \n# chmod u-x,go-wx $(readlink -e /etc/motd) \n\n- OR - \n\nRun the following command to remove the /etc/motd file: \n\n# rm /etc/motd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e /etc/motd ] && stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "c76c9c2998560c1ef588773afcfeba5b",
      "name": "1.6.5 — Ensure access to /etc/issue is configured",
      "description": "Ensure access to /etc/issue is configured",
      "rational": "- IF - the /etc/issue file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue: \n\n# chown root:root $(readlink -e /etc/issue) \n# chmod u-x,go-wx $(readlink -e /etc/issue)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "26ffd57e9e9f79b1552e3192f2359371",
      "name": "1.6.6 — Ensure access to /etc/issue.net is configured",
      "description": "Ensure access to /etc/issue.net is configured",
      "rational": "- IF - the /etc/issue.net file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue.net: \n\n# chown root:root $(readlink -e /etc/issue.net) \n# chmod u-x,go-wx $(readlink -e /etc/issue.net)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f9f824d7836fcd17ac595c371ca097e0",
      "name": "1.7.1 — Ensure user list is not displayed",
      "description": "Ensure user list is not displayed",
      "rational": "Displaying the user list eliminates half of the Userid/Password equation that an \nunauthorized person would need to log on. \n\nPage 187",
      "remediation": "Run the following script to set the greeter-hide-users key to true: \n\n#!/usr/bin/env bash \n\n{ \n   a_output=();a_output2=();l_parameter=\"greeter-hide-users=true\" \nl_type='Seat:*' l_found=\"\" \n   unset A_files;declare -A A_files;unset A_key_pair;declare -A A_key_pair \n   while IFS=\" \" read -r l_letter l_value; do \n      if grep -Pq -- '^\\h*\\/' <<< \"$l_value\"; then \n         A_files+=([\"$l_letter\"]=\"$l_value\") \n      elif grep -q -- '=' <<< \"$l_value\"; then \n         A_key_pair+=([\"$l_value\"]=\"$l...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "62421a0c326ef19c5ba7ba228c240eae",
      "name": "1.7.3 — Ensure desktop autorun-never is enabled",
      "description": "Ensure desktop autorun-never is enabled",
      "rational": "Malware on removable media may take advantage of Autorun features when the \nmedia is inserted into a system and execute.",
      "remediation": "Run the following command to set autorun-never to true: \n\n# gsettings set org.cinnamon.desktop.media-handling autorun-never true \n\nNote: A reboot may be required for the setting to take effect",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings get org.cinnamon.desktop.media-handling autorun-never",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "cd6f7ebfa30e8af58bb5aa70f1359443",
      "name": "2.1.3 — Ensure dhcp server services are not in use",
      "description": "Ensure dhcp server services are not in use",
      "rational": "Unless a system is specifically set up to act as a DHCP server, it is recommended that \nthis package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop isc-dhcp-server.service and isc-dhcp-server6.service and remove the isc-dhcp-server package: \n\n# systemctl stop isc-dhcp-server.service isc-dhcp-server6.service \n# apt purge isc-dhcp-server \n\n- OR - \n\n- IF - the isc-dhcp-server package is required as a dependency: \n\nRun the following commands to stop and mask isc-dhcp-server.service and isc-dhcp-server6.service: \n\n# systemctl stop isc-dhcp-server.service isc-dhcp-server6.service \n# systemctl mask isc-dhcp-...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "isc-dhcp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "bb59f923ae0d57cb9266c61e77d8ea5c",
      "name": "2.1.4 — Ensure dns server services are not in use",
      "description": "Ensure dns server services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS server, it is recommended \nthat the package be deleted to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop named.service and remove the bind9 package: \n\n# systemctl stop named.service \n# apt purge bind9 \n\n- OR - \n\n- IF - the bind9 package is required as a dependency: \n\nRun the following commands to stop and mask bind9.service: \n\n# systemctl stop named.service \n# systemctl mask named.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bind9",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "6f3aa0160c4d5a006d074b21b356544f",
      "name": "2.1.5 — Ensure dnsmasq services are not in use",
      "description": "Ensure dnsmasq services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS caching, DNS forwarding \nand/or DHCP server, it is recommended that the package be removed to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop dnsmasq.service and remove dnsmasq package: \n\n# systemctl stop dnsmasq.service \n# apt purge dnsmasq \n\n- OR - \n\n- IF - the dnsmasq package is required as a dependency: \n\nRun the following commands to stop and mask the dnsmasq.service: \n\n# systemctl stop dnsmasq.service \n# systemctl mask dnsmasq.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dnsmasq",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "84f741c7dc5246e05c220729563b11b4",
      "name": "2.1.6 — Ensure ftp server services are not in use",
      "description": "Ensure ftp server services are not in use",
      "rational": "FTP does not protect the confidentiality of data or authentication credentials. It is \nrecommended SFTP be used if file transfer is required. Unless there is a need to run \nthe system as a FTP server (for example, to allow anonymous downloads), it is \nrecommended that the package be deleted to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop vsftpd.service and remove the vsftpd \npackage: \n\n# systemctl stop vsftpd.service \n# apt purge vsftpd \n\n- OR - \n\n- IF - the vsftpd package is required as a dependency: \n\nRun the following commands to stop and mask the vsftpd.service: \n\n# systemctl stop vsftpd.service \n# systemctl mask vsftpd.service \n\nNote: Other ftp server packages may exist. If not required and authorized by local site \npolicy, they should also be removed. If the package is required for a d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "vsftpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "dac9413000f1b77f697d6a26b50ccf61",
      "name": "2.1.7 — Ensure ldap server services are not in use",
      "description": "Ensure ldap server services are not in use",
      "rational": "If the system will not need to act as an LDAP server, it is recommended that the \nsoftware be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop slapd.service and remove the slapd package: \n\n# systemctl stop slapd.service \n# apt purge slapd \n\n- OR - \n\n- IF - the slapd package is required as a dependency: \n\nRun the following commands to stop and mask slapd.service: \n\n# systemctl stop slapd.service \n# systemctl mask slapd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "slapd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "6c407d5c81755f0dd3b155596d1117af",
      "name": "2.1.10 — Ensure nis server services are not in use",
      "description": "Ensure nis server services are not in use",
      "rational": "ypserv.service is inherently an insecure system that has been vulnerable to DOS \nattacks, buffer overflows and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that ypserv.service be removed and other, more \nsecure services be used.",
      "remediation": "Run the following commands to stop ypserv.service and remove ypserv package: \n\n# systemctl stop ypserv.service \n# apt purge ypserv \n\n- OR - \n\n- IF - the ypserv package is required as a dependency: \n\nRun the following commands to stop and mask ypserv.service: \n\n# systemctl stop ypserv.service \n# systemctl mask ypserv.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypserv",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ebc3718f62e9ec0bced88aa3a9efd7d0",
      "name": "2.1.13 — Ensure rpcbind services are not in use",
      "description": "Ensure rpcbind services are not in use",
      "rational": "A small request (~82 bytes via UDP) sent to the Portmapper generates a large \nresponse (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If \nrpcbind is not required, it is recommended to remove rpcbind package to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop rpcbind.socket and rpcbind.service, and \nremove the rpcbind package: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# apt purge rpcbind \n\n- OR - \n\n- IF - the rpcbind package is required as a dependency: \n\nRun the following commands to stop and mask the rpcbind.socket and \nrpcbind.service: \n\n# systemctl stop rpcbind.socket rpcbind.service \n# systemctl mask rpcbind.socket rpcbind.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rpcbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "e66bf9e3cf528d3be779f4510a042450",
      "name": "2.1.14 — Ensure rsync services are not in use",
      "description": "Ensure rsync services are not in use",
      "rational": "rsync.service presents a security risk as the rsync protocol is unencrypted. \n\nThe rsync package should be removed to reduce the attack area of the system.",
      "remediation": "Run the following commands to stop rsync.service, and remove the rsync package: \n\n# systemctl stop rsync.service \n# apt purge rsync \n\n- OR - \n\n- IF - the rsync package is required as a dependency: \n\nRun the following commands to stop and mask rsync.service: \n\n# systemctl stop rsync.service \n# systemctl mask rsync.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsync",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "3ad4519336f0a898ad7fb136ff7bfbdd",
      "name": "2.1.16 — Ensure snmp services are not in use",
      "description": "Ensure snmp services are not in use",
      "rational": "The SNMP server can communicate using SNMPv1, which transmits data in the clear \nand does not require authentication to execute commands. SNMPv3 replaces the \nsimple/clear text password sharing used in SNMPv2 with more securely encoded \nparameters. If the SNMP service is not required, the snmpd package should be \nremoved to reduce the attack surface of the system. \n\nNote: If SNMP is require...",
      "remediation": "Run the following commands to stop snmpd.service and remove the snmpd package: \n\n# systemctl stop snmpd.service \n# apt purge snmpd \n\n- OR - If the package is required for dependencies: \n\nRun the following commands to stop and mask the snmpd.service: \n\n# systemctl stop snmpd.service \n# systemctl mask snmpd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "snmpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "1e94a8a85919ab04f57920cd0b685781",
      "name": "2.1.17 — Ensure tftp server services are not in use",
      "description": "Ensure tftp server services are not in use",
      "rational": "Unless there is a need to run the system as a TFTP server, it is recommended that the \npackage be removed to reduce the potential attack surface. \n\nTFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files",
      "remediation": "Run the following commands to stop tftpd-hpa.service, and remove the tftpd-hpa \npackage: \n\n# systemctl stop tftpd-hpa.service \n# apt purge tftpd-hpa \n\n- OR - \n\n- IF - the tftpd-hpa package is required as a dependency: \n\nRun the following commands to stop and mask tftpd-hpa.service: \n\n# systemctl stop tftpd-hpa.service \n# systemctl mask tftpd-hpa.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftpd-hpa",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "8613ea104b609d468f154a833df68d76",
      "name": "2.1.19 — Ensure web server services are not in use",
      "description": "Ensure web server services are not in use",
      "rational": "Unless there is a local site approved requirement to run a web server service on the \nsystem, web server packages should be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop httpd.socket, httpd.service and remove the \napache2 package: \n\n# systemctl stop apache2.socket apache2.service \n# apt purge apache2 \n\nRun the following commands to stop nginx.service and remove the nginx package: \n\n# systemctl stop nginx.service \n# apt purge nginx \n\n- OR - \n\n- IF - a package is installed and is required for dependencies: \n\n- IF - the httpd package is required for dependencies: \n\nRun the following commands to stop and mask httpd.socket and ht...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "apache2",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "b1375eafc737abce385ef6dfa5a8b9a4",
      "name": "2.1.20 — Ensure xinetd services are not in use",
      "description": "Ensure xinetd services are not in use",
      "rational": "If there are no xinetd services required, it is recommended that the package be \nremoved to reduce the attack surface of the system. \n\nNote: If an xinetd service or services are required, ensure that any xinetd service not \nrequired is stopped and masked.",
      "remediation": "Run the following commands to stop xinetd.service, and remove the xinetd \npackage: \n\n# systemctl stop xinetd.service \n# apt purge xinetd \n\n-OR- \n\n-IF- the xinetd package is required as a dependency: \n\nRun the following commands to stop and mask the xinetd.service: \n\n# systemctl stop xinetd.service \n# systemctl mask xinetd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "xinetd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "2026d0f036ad4d88522472baea111854",
      "name": "2.2.1 — Ensure nis client is not installed",
      "description": "Ensure nis client is not installed",
      "rational": "The NIS service is inherently an insecure system that has been vulnerable to DOS \nattacks, buffer overflows and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Uninstall nis: \n\n# apt purge nis",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "nis",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "0bda445bd7377b9c6446208d34df6370",
      "name": "2.2.2 — Ensure rsh client is not installed",
      "description": "Ensure rsh client is not installed",
      "rational": "These legacy clients contain numerous security exposures and have been replaced with \nthe more secure SSH package. Even if the server is removed, it is best to ensure the \nclients are also removed to prevent users from inadvertently attempting to use these \ncommands and therefore exposing their credentials. Note that removing the rsh-client package removes the clients for rsh, rcp and rlogin.",
      "remediation": "Run the following command to uninstall rsh-redone-client: \n\n# apt purge rsh-redone-client",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsh-redone-client",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "fb9e9c3eb97f282034502f5e83907307",
      "name": "2.2.3 — Ensure talk client is not installed",
      "description": "Ensure talk client is not installed",
      "rational": "The software presents a security risk as it uses unencrypted protocols for \ncommunication.",
      "remediation": "Uninstall talk: \n\n# apt purge talk",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "talk",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "877a14be262dc5e9b26da80946eea660",
      "name": "2.2.4 — Ensure telnet client is not installed",
      "description": "Ensure telnet client is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow an unauthorized user to steal credentials. The ssh \npackage provides an encrypted session and stronger security and is included in most \nLinux distributions.",
      "remediation": "Run the following commands to uninstall telnet & inetutils-telnet: \n\n# apt purge telnet \n# apt purge inetutils-telnet",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "dpkg-query -l | grep -E 'telnet|inetutils-telnet' &>/dev/null && echo",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "6a67f9058cbc86b89192d7f4fbf92c3b",
      "name": "2.2.5 — Ensure ldap client is not installed",
      "description": "Ensure ldap client is not installed",
      "rational": "If the system will not need to act as an LDAP client, it is recommended that the software \nbe removed to reduce the potential attack surface.",
      "remediation": "Uninstall ldap-utils: \n\n# apt purge ldap-utils",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ldap-utils",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "4708e727ec06d72b63ba88ce6ae6ea0f",
      "name": "2.2.6 — Ensure ftp client is not installed",
      "description": "Ensure ftp client is not installed",
      "rational": "Unless there is a need to run the system using Internet standard File Transfer Protocol \n(for example, to allow anonymous downloads), it is recommended that the package be \nremoved to reduce the potential attack surface.",
      "remediation": "Run the following commands to uninstall tnftp & ftp: \n\n# apt purge ftp \n# apt purge tnftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "dpkg-query -l | grep -E 'ftp|tnftp' &>/dev/null && echo \"ftp is installed\"",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ce5518c21c573282fa6a65bfc795195b",
      "name": "2.4.1.1 — Ensure cron daemon is enabled and active",
      "description": "Ensure cron daemon is enabled and active",
      "rational": "While there may not be user jobs that need to be run on the system, the system does \nhave maintenance jobs that may include security monitoring that have to run, and cron \nis used to execute them.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following commands to unmask, enable, and start cron: \n\n# systemctl unmask \"$(systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $1}')\" \n# systemctl --now enable \"$(systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $1}')\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "8b3dcc9cf7f1380e2c264d9a722afc5a",
      "name": "2.4.1.2 — Ensure access to /etc/crontab is configured",
      "description": "Ensure access to /etc/crontab is configured",
      "rational": "This file contains information on what system jobs are run by cron. Write access to \nthese files could provide unprivileged users with the ability to elevate their privileges. \nRead access to these files could provide users with the ability to gain insight on system \njobs that run on the system and could provide them a way to gain unauthorized \nprivileged access.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following commands to set ownership and permissions on /etc/crontab: \n\n# chown root:root /etc/crontab \n# chmod og-rwx /etc/crontab",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/crontab",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "df5f6e7e3a884ea2b79fe19bc3989092",
      "name": "2.4.1.4 — Ensure access to /etc/cron.daily is configured",
      "description": "Ensure access to /etc/cron.daily is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following commands to set ownership and permissions on the \n/etc/cron.daily directory: \n\n# chown root:root /etc/cron.daily/ \n# chmod og-rwx /etc/cron.daily/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.daily/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f24b09dcaed0c1b8dc6254bcfec89d77",
      "name": "2.4.1.8 — Ensure access to /etc/cron.d is configured",
      "description": "Ensure access to /etc/cron.d is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following commands to set ownership and permissions on the /etc/cron.d \ndirectory: \n\n# chown root:root /etc/cron.d/ \n# chmod og-rwx /etc/cron.d/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.d/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "6e1b6be78781b72cadd32f8e9b79f761",
      "name": "2.4.1.9 — Ensure access to crontab is configured",
      "description": "Ensure access to crontab is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule cron jobs. \nUsing the cron.allow file to control who can run cron jobs enforces this policy. It is \neasier to manage an allow list than a deny list. In a deny list, you could potentially add a \nuser ID to the system and forget to add it to the deny files.",
      "remediation": "- IF - cron is installed on the system: \n\nRun the following script to: \n\n•  Create /etc/cron.allow if it doesn't exist \n•  Change owner to user root \n•  Change group owner to group root - OR - group crontab if it exists \n•  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -e \"/etc/cron.allow\" ] && touch /etc/cron.allow \n   chmod u-x,g-wx,o-rwx /etc/cron.allow \n   if grep -Pq -- '^\\h*crontab\\:' /etc/group; then \n      chown root:crontab /etc/cron.allow \n   else \n      c...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/cron.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "a1c512d25450879f5cf90db68c13cf68",
      "name": "2.4.2.1 — Ensure access to at is configured",
      "description": "Ensure access to at is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule at jobs. \nUsing the at.allow file to control who can run at jobs enforces this policy. It is easier \nto manage an allow list than a deny list. In a deny list, you could potentially add a user \nID to the system and forget to add it to the deny files. \n\nPage 313",
      "remediation": "- IF - at is installed on the system: \n\nRun the following script to: \n\n•  /etc/at.allow: \n\no  Create the file if it doesn't exist \no  Change owner to user root \no  If group daemon exists, change to group daemon, else change group to root \no  Change mode to 640 or more restrictive \n\n•  - IF - /etc/at.deny exists: \n\no  Change owner to user root \no  If group daemon exists, change to group daemon, else change group to root \no  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "41ee7edb7df56811741ec24cd70ca36f",
      "name": "3.2.1 — Ensure dccp kernel module is not available",
      "description": "Ensure dccp kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it. \n\nPage 325",
      "remediation": "Unload and disable the dccp kernel module. \n\n1.  Run the following commands to unload the dccp kernel module: \n\n# modprobe -r dccp 2>/dev/null \n# rmmod dccp 2>/dev/null \n\n2.  Perform the following to disable the dccp kernel module: \n\nCreate a file ending in .conf with install dccp /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install dccp /bin/false\" >> /etc/modprobe.d/60-dccp.conf \n\nCreate a file ending in .conf with blacklist dccp in the /etc/modprobe.d/ direct...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^dccp ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f308c6e7770f8164cda736cf83dd62cb",
      "name": "3.2.2 — Ensure tipc kernel module is not available",
      "description": "Ensure tipc kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it. \n\nPage 328",
      "remediation": "Unload and disable the tipc kernel module. \n\n1.  Run the following commands to unload the tipc kernel module: \n\n# modprobe -r tipc 2>/dev/null \n# rmmod tipc 2>/dev/null \n\n2.  Perform the following to disable the tipc kernel module: \n\nCreate a file ending in .conf with install tipc /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install tipc /bin/false\" >> /etc/modprobe.d/60-tipc.conf \n\nCreate a file ending in .conf with blacklist tipc in the /etc/modprobe.d/ direct...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^tipc ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "78105b72128b647464031ded9044cdfe",
      "name": "3.2.3 — Ensure rds kernel module is not available",
      "description": "Ensure rds kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it. \n\nPage 332",
      "remediation": "Unload and disable the rds kernel module. \n\n1.  Run the following commands to unload the rds kernel module: \n\n# modprobe -r rds 2>/dev/null \n# rmmod rds 2>/dev/null \n\n2.  Perform the following to disable the rds kernel module: \n\nCreate a file ending in .conf with install rds /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '\\n%s\\n' \"install rds /bin/false\" >> /etc/modprobe.d/60-rds.conf \n\nCreate a file ending in .conf with blacklist rds in the /etc/modprobe.d/ directory \n\nExa...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^rds ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "882ea68510f65d8aff9e8b3a207c147f",
      "name": "3.2.4 — Ensure sctp kernel module is not available",
      "description": "Ensure sctp kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it. \n\nPage 335",
      "remediation": "Unload and disable the sctp kernel module. \n\n1.  Run the following commands to unload the sctp kernel module: \n\n# modprobe -r sctp 2>/dev/null \n# rmmod sctp 2>/dev/null \n\n2.  Perform the following to disable the sctp kernel module: \n\nCreate a file ending in .conf with install sctp /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install sctp /bin/false\" >> /etc/modprobe.d/60-sctp.conf \n\nCreate a file ending in .conf with blacklist sctp in the /etc/modprobe.d/ direct...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^sctp ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f6768dbe303c3704baa4e2583adbb2d6",
      "name": "3.3.1 — Ensure ip forwarding is disabled",
      "description": "Ensure ip forwarding is disabled",
      "rational": "Setting net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 0 ensures \nthat a system with multiple interfaces (for example, a hard proxy), will never be able to \nforward packets, and therefore, never serve as a router.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.ip_forward = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.ip_forward = 0\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.ip_forward=0 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\n- IF - IPv6 is enabled on the system: \n\nSet the following parameter in /etc/sysctl.conf or a file in /etc/sysct...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "33493b52ad501cdee33a07b9b2cd5f5e",
      "name": "3.3.2 — Ensure packet redirect sending is disabled",
      "description": "Ensure packet redirect sending is disabled",
      "rational": "An attacker could use a compromised host to send invalid ICMP redirects to other \nrouter devices in an attempt to corrupt routing and have users access a system set up \nby the attacker as opposed to a valid system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.send_redirects = 0 \n•  net.ipv4.conf.default.send_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.send_redirects = 0\" \"net.ipv4.conf.default.send_redirects = 0\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.send_redirects=0 \n   sysctl -w net.ipv4.c...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "43fe1e8d84ad5c23b1a9e74d0955134d",
      "name": "3.3.3 — Ensure bogus icmp responses are ignored",
      "description": "Ensure bogus icmp responses are ignored",
      "rational": "Some routers (and some attackers) will send responses that violate RFC-1122 and \nattempt to fill up a log file system with many useless error messages.",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.icmp_ignore_bogus_error_responses = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.icmp_ignore_bogus_error_responses = 1\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canoni...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "04a774fa892dfeae7f2b97d2532a92fe",
      "name": "3.3.4 — Ensure broadcast icmp requests are ignored",
      "description": "Ensure broadcast icmp requests are ignored",
      "rational": "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations \nfor your network could be used to trick your host into starting (or participating) in a \nSmurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP \nbroadcast messages with a spoofed source address. All hosts receiving this message \nand responding would send echo-reply messages back to the...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.icmp_echo_ignore_broadcasts = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.icmp_echo_ignore_broadcasts = 1\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file,...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "a45b4832736db9387ae22354f1999075",
      "name": "3.3.5 — Ensure icmp redirects are not accepted",
      "description": "Ensure icmp redirects are not accepted",
      "rational": "ICMP redirect messages are packets that convey routing information and tell your host \n(acting as a router) to send packets via an alternate path. It is a way of allowing an \noutside routing device to update your system routing tables. By setting \nnet.ipv4.conf.all.accept_redirects, \nnet.ipv4.conf.default.accept_redirects, \nnet.ipv6.conf.all.accept_redirects, and \nnet.ipv6.conf.default.accept_r...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.accept_redirects = 0 \n•  net.ipv4.conf.default.accept_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.accept_redirects = 0\" \"net.ipv4.conf.default.accept_redirects = 0\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.accept_redirects=0 \n   sysctl -w...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "67d645b59119456414ee81a3c4600c63",
      "name": "3.3.6 — Ensure secure icmp redirects are not accepted",
      "description": "Ensure secure icmp redirects are not accepted",
      "rational": "It is still possible for even known gateways to be compromised. Setting \nnet.ipv4.conf.all.secure_redirects and \nnet.ipv4.conf.default.secure_redirects to 0 protects the system from routing \ntable updates by possibly compromised known gateways.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.secure_redirects = 0 \n•  net.ipv4.conf.default.secure_redirects = 0 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.secure_redirects = 0\" \"net.ipv4.conf.default.secure_redirects = 0\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.secure_redirects=0 \n   sysctl -w...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "e06273f6fc9b001e4498c2021a4bd686",
      "name": "3.3.7 — Ensure reverse path filtering is enabled",
      "description": "Ensure reverse path filtering is enabled",
      "rational": "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to \n1 is a good way to deter attackers from sending your system bogus packets that cannot \nbe responded to. One instance where this feature breaks down is if asymmetrical \nrouting is employed. This would occur when using dynamic routing protocols (bgp, ospf, \netc) on your system. If you are using asymmetrical routing on you...",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.rp_filter = 1 \n•  net.ipv4.conf.default.rp_filter = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.rp_filter = 1\" \"net.ipv4.conf.default.rp_filter = 1\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.rp_filter=1 \n   sysctl -w net.ipv4.conf.default.rp_filter=1...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "85611b2311e8673a452e60681af18a9f",
      "name": "3.3.9 — Ensure suspicious packets are logged",
      "description": "Ensure suspicious packets are logged",
      "rational": "Setting net.ipv4.conf.all.log_martians and \nnet.ipv4.conf.default.log_martians to 1 enables this feature. Logging these \npackets allows an administrator to investigate the possibility that an attacker is sending \nspoofed packets to their system.",
      "remediation": "Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.conf.all.log_martians = 1 \n•  net.ipv4.conf.default.log_martians = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.conf.all.log_martians = 1\" \"net.ipv4.conf.default.log_martians = 1\" >> /etc/sysctl.d/60-netipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.conf.all.log_martians=1 \n   sysctl -w net.ipv4.conf.defaul...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.conf.all.log_martians net.ipv4.conf.default.log_martians 2>/dev/null | grep -c '^1$' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "2b59fc40296c8f538f8891b81fa6af7b",
      "name": "3.3.10 — Ensure tcp syn cookies is enabled",
      "description": "Ensure tcp syn cookies is enabled",
      "rational": "Attackers use SYN flood attacks to perform a denial of service attacked on a system by \nsending many SYN packets without completing the three way handshake. This will \nquickly use up slots in the kernel's half-open connection queue and prevent legitimate \nconnections from succeeding. Setting net.ipv4.tcp_syncookies to 1 enables SYN \ncookies, allowing the system to keep accepting valid connectio...",
      "remediation": "Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending \nin .conf: \n\n•  net.ipv4.tcp_syncookies = 1 \n\nExample: \n# printf '%s\\n' \"net.ipv4.tcp_syncookies = 1\" >> /etc/sysctl.d/60-\nnetipv4_sysctl.conf \n\nRun the following script to set the active kernel parameters: \n\n#!/usr/bin/env bash \n\n{ \n   sysctl -w net.ipv4.tcp_syncookies=1 \n   sysctl -w net.ipv4.route.flush=1 \n} \n\nNote: If these settings appear in a canonically later file, or later in the same file, these \nsetti...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.tcp_syncookies 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "966862601f95236d13f102d5d5e9cb46",
      "name": "4.1.1 — Ensure gufw package is installed",
      "description": "Ensure gufw package is installed",
      "rational": "A firewall utility is required to configure the Linux kernel's netfilter framework via the \niptables back-end.",
      "remediation": "Run the following command to install Graphical Uncomplicated Firewall (GUFW): \n\n# apt install gufw",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "gufw",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ee3c81968bcea59765c09d8aa974feae",
      "name": "4.1.2 — Ensure ufw service is enabled",
      "description": "Ensure ufw service is enabled",
      "rational": "The ufw service must be enabled and running in order for ufw to protect the system",
      "remediation": "Run the following command to unmask the ufw daemon: \n\n# systemctl unmask ufw.service \n\nRun the following command to enable and start the ufw daemon: \n\n# systemctl --now enable ufw.service \n\nRun the following command to enable ufw: \n\n# ufw enable \n\nNote: with the default deny incoming policy (see 4.1.3), enabling ufw drops unsolicited inbound connections. On a system that is administered remotely, add an allow rule for the management service (for example SSH) before running ufw enable.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "if [ \"$(systemctl is-enabled ufw.service 2>/dev/null)\" = enabled ] && ufw status 2>/dev/null | grep -q '^Status: active'; then echo pass; else echo fail; fi",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "pass"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7908b0302fb6c408a7e3db56b966b2ce",
      "name": "4.1.3 — Ensure ufw default incoming is configured",
      "description": "Ensure ufw default incoming is configured",
      "rational": "With a default accept policy the firewall will accept any packet that is not configured to \nbe denied. It is easier to allow list acceptable usage than to deny list unacceptable \nusage.",
      "remediation": "Run the following command to set incoming to deny by default: \n\n# ufw default deny incoming",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "ufw status verbose 2>/dev/null | grep -Ec '^Default: (deny|reject) \\(incoming\\)' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "375e20cfd5503057f3e874f4e16b07b8",
      "name": "4.1.4 — Ensure ufw default routed is configured",
      "description": "Ensure ufw default routed is configured",
      "rational": "With a default accept policy the firewall will route any packet that is not configured to be \ndenied. Unless a system is specifically intended to be used as a router, traffic should \nnot be routed.",
      "remediation": "Run the following command to set the default for routed to deny: \n\n# ufw default deny routed",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "ufw status verbose 2>/dev/null | grep -Ec '^Default: .*(deny|reject|disabled) \\(routed\\)' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "c4cd34bd8e4c687e45b104dcc39f544e",
      "name": "5.1.1 — Ensure sudo is installed",
      "description": "Ensure sudo is installed",
      "rational": "sudo supports a plug-in architecture for security policies and input/output logging. Third \nparties can develop and distribute their own policy and I/O logging plug-ins to work \nseamlessly with the sudo front end. The default security policy is sudoers, which is \nconfigured via the file /etc/sudoers and any entries in /etc/sudoers.d. \n\nThe security policy determines what privileges, if any, a u...",
      "remediation": "First determine if LDAP functionality is required. If so, then install sudo-ldap, else \ninstall sudo. \n\nExample: \n\n# apt install sudo",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "sudo",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ee0473d3e6c07b1074c3f07946422491",
      "name": "5.1.2 — Ensure sudo commands use pty",
      "description": "Ensure sudo commands use pty",
      "rational": "Attackers can run a malicious program using sudo which would fork a background \nprocess that remains even when the main program has finished executing.",
      "remediation": "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f \n<PATH TO FILE> and add the following line: \n\nDefaults use_pty \n\nEdit the file /etc/sudoers with visudo and any files in /etc/sudoers.d/ with visudo \n-f <PATH TO FILE> and remove any occurrence of !use_pty \n\nNote: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  File...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPi -- '^\\h*Defaults\\h+([^#\\n\\r]+,\\h*)?use_pty\\b' /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "b7954495a2948fcd722163979d33a37b",
      "name": "5.1.3 — Ensure sudo log file exists",
      "description": "Ensure sudo log file exists",
      "rational": "A sudo log file simplifies auditing of sudo commands",
      "remediation": "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f <PATH TO \nFILE> and add the following line: \n\nExample: \n\nDefaults logfile=\"/var/log/sudo.log\" \n\nNotes: \n\n•  sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or \ncontain a . character to avoid causing problems with package manager or editor \ntemporary/backup files. \n\n•  Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will \n\nbe parsed before /etc/sudoers.d/10_second....",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPsi -- '^\\h*Defaults\\h+([^#\\n\\r]+,\\h*)?logfile\\h*=' /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "db40023f5401bf8fa32bdf3860612194",
      "name": "5.1.7 — Ensure access to the su command is restricted",
      "description": "Ensure access to the su command is restricted",
      "rational": "Restricting the use of su , and using sudo in its place, provides system administrators \nbetter control of the escalation of user privileges to execute privileged commands. The \nsudo utility also provides a better logging and audit mechanism, as it can log each \ncommand executed via sudo , whereas su can only record that a user executed the su \nprogram.",
      "remediation": "Create an empty group that will be specified for use of the su command. The group \nshould be named according to site policy. \n\nExample: \n\n# groupadd sugroup \n\nAdd the following line to the /etc/pam.d/su file, specifying the empty group: \n\nauth required pam_wheel.so use_uid group=sugroup \n\nNote: leave the group empty. Any account added to it regains the ability to use su; privileged commands should be run through sudo instead.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*auth\\h+(required|requisite)\\h+pam_wheel\\.so\\h+(?=.*\\buse_uid\\b)(?=.*\\bgroup=\\H+)' /etc/pam.d/su",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "bc259e6f7b86ff9495adbb7536bb4b89",
      "name": "5.2.1.1 — Ensure latest version of pam is installed",
      "description": "Ensure latest version of pam is installed",
      "rational": "Older versions of the libpam-runtime package may not include the latest security and \nfeature patches and updates. \n\nNote: This Benchmark includes Recommendations that depend on newer libpam-\nruntime features.",
      "remediation": "Run the following commands to refresh the package index and install the latest version of libpam-runtime: \n\n# apt update \n# apt install libpam-runtime",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libpam-runtime",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "719b29c1d73b51264157460172d6a40d",
      "name": "5.2.2.1 — Ensure pam_unix module is enabled",
      "description": "Ensure pam_unix module is enabled",
      "rational": "The system should only provide access after performing authentication of a user.",
      "remediation": "Run the following command to enable the pam_unix module: \n\n# pam-auth-update --enable unix \n\nNote: If a site specific custom profile is being used in your environment to configure \nPAM that includes the configuration for the pam_unix module, enable that profile \ninstead",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pl -- '\\bpam_unix\\.so\\b' /etc/pam.d/common-{password,auth,account,session} 2>/dev/null | wc -l",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "69aab166b395379eba987052593d5835",
      "name": "5.2.2.2 — Ensure pam_faillock module is enabled",
      "description": "Ensure pam_faillock module is enabled",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Create two pam-auth-update profiles in /usr/share/pam-configs/: \n\n1.  Create the faillock profile in /usr/share/pam-configs/ with the following \n\nlines: \n\nName: Enable pam_faillock to deny access \nDefault: yes \nPriority: 0 \nAuth-Type: Primary \nAuth: \n        [default=die]                   pam_faillock.so authfail \n\nExample Script: \n\n#!/usr/bin/env bash \n\n{ \n   arr=('Name: Enable pam_faillock to deny access' 'Default: yes' 'Priority: \n0' 'Auth-Type: Primary' 'Auth:' '        [default=die]...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pl -- '\\bpam_faillock\\.so\\b' /etc/pam.d/common-{auth,account} 2>/dev/null | wc -l",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "cd9669f9e428a0ae6f90e59022c4bf2d",
      "name": "5.2.2.3 — Ensure pam_pwquality module is enabled",
      "description": "Ensure pam_pwquality module is enabled",
      "rational": "Use of a unique, complex passwords helps to increase the time and resources required \nto compromise the password.",
      "remediation": "Run the following script to verify the pam_pwquality.so line exists in a pam-auth-\nupdate profile: \n\n# grep -P -- '\\bpam_pwquality\\.so\\b' /usr/share/pam-configs/* \n\nOutput should be similar to: \n\n/usr/share/pam-configs/pwquality:       requisite                       \npam_pwquality.so retry=3 \n/usr/share/pam-configs/pwquality:       requisite                       \npam_pwquality.so retry=3 \n\n- IF - similar output is returned: \n\nRun the following command to update /etc/pam.d/common-password wi...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwquality\\.so\\b' /etc/pam.d/common-password",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "31e55034a719eab82ef4a3900719f422",
      "name": "5.2.2.4 — Ensure pam_pwhistory module is enabled",
      "description": "Ensure pam_pwhistory module is enabled",
      "rational": "Use of a unique, complex passwords helps to increase the time and resources required \nto compromise the password.",
      "remediation": "Run the following script to verify the pam_pwhistory.so line exists in a pam-auth-\nupdate profile: \n\n# grep -P -- '\\bpam_pwhistory\\.so\\b' /usr/share/pam-configs/* \n\nOutput should be similar to: \n\n/usr/share/pam-configs/pwhistory:   requisite   pam_pwhistory.so remember=24 \nenforce_for_root use_authtok \n\n- IF - similar output is returned: \n\nRun the following command to update /etc/pam.d/common-password with the \nreturned profile: \n\n# pam-auth-update --enable {PROFILE_NAME} \n\nExample: \n\n# pam-a...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P -- '\\bpam_pwhistory\\.so\\b' /etc/pam.d/common-password",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "3c5c803b26a5169f7f66ec35b299bb99",
      "name": "5.2.3.1.2 — Ensure password unlock time is configured",
      "description": "Ensure password unlock time is configured",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Set password unlock time to conform to site policy. unlock_time should be 0 (never), \nor 900 seconds or greater. \n\nEdit /etc/security/faillock.conf and update or add the following line: \n\nunlock_time = 900 \n\nRun the following command to find, and then remove, the unlock_time argument on the \npam_faillock.so module in the PAM files: \n\n# grep -Pl -- '\\bpam_faillock\\.so\\h+([^#\\n\\r]+\\h+)?unlock_time\\b' \n/usr/share/pam-configs/* \n\nEdit any returned files and remove the unlock_time=<N> argument from the \npam_faill...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*unlock_time\\h*=\\h*(0|9[0-9][0-9]|[1-9][0-9]{3,})\\b' /etc/security/faillock.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "3587ebd920db698b7b407cd949fb4cc1",
      "name": "5.2.3.4.1 — Ensure pam_unix does not include nullok",
      "description": "Ensure pam_unix does not include nullok",
      "rational": "Using a strong password is essential to helping protect personal and sensitive \ninformation from unauthorized access",
      "remediation": "Run the following command: \n\n# grep -PH -- '^\\h*([^#\\n\\r]+\\h+)?pam_unix\\.so\\h+([^#\\n\\r]+\\h+)?nullok\\b' \n/usr/share/pam-configs/* \n\nEdit any files returned and remove the nullok argument for the pam_unix lines \n\nExample File: \n\nName: Unix authentication \nDefault: yes \nPriority: 256 \nAuth-Type: Primary \nAuth: \n        [success=end default=ignore]    pam_unix.so try_first_pass # <- \n**ensure line does not include nullok nullok** \nAuth-Initial: \n        [success=end default=ignore]    pam_unix.so...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -PHs -- '^\\h*[^#\\n\\r]+\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h+)?nullok\\b' /etc/pam.d/common-{password,auth,account,session}",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "2e92c0acb35f188a549d9e5d818a4436",
      "name": "5.2.3.4.4 — Ensure pam_unix includes use_authtok",
      "description": "Ensure pam_unix includes use_authtok",
      "rational": "use_authtok allows multiple pam modules to confirm a new password before it is \naccepted.",
      "remediation": "Run the following command: \n\n# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if \n(/pam_unix\\.so/) print FILENAME}' /usr/share/pam-configs/* \n\nEdit any returned files and add use_authtok to the pam_unix line in the Password: \nsubsection of the Password section. \n\nNote: If the file's Password section includes a Password-Initial: subsection, \nuse_authtok should not be added to the pam_unix line in the Password-Initial: \nsubsection \n\nExample File: \n\nName: Unix authentication \nDefault: y...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -PH -- '^\\h*password\\h+([^#\\n\\r]+\\h+)?pam_unix\\.so\\h+([^#\\n\\r]+\\h+)?use_authtok\\b' /etc/pam.d/common-password",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "24be4f74bf809db2cd5968ced461820c",
      "name": "5.3.1.5 — Ensure inactive password lock is configured",
      "description": "Ensure inactive password lock is configured",
      "rational": "Inactive accounts pose a threat to system security since the users are not logging in to \nnotice failed login attempts or other anomalies.",
      "remediation": "Run the following command to set the default password inactivity period to 45 days or \nless that meets local site policy: \n\n# useradd -D -f <N> \n\nExample: \n\n# useradd -D -f 45 \n\nRun the following command to modify user parameters for all users with a password set \nto a inactive age of 45 days or less that follows local site policy: \n\n# chage --inactive <N> <user> \n\nExample: \n\n# awk -F: '($2~/^\\$.+\\$/) {if($7 > 45 || $7 < 0)system (\"chage --inactive 45 \n\" $1)}' /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "{ useradd -D | grep '^INACTIVE=' | grep -Pv '^INACTIVE=([0-9]|[1-3][0-9]|4[0-5])$'; awk -F: '($2~/^\\$.+\\$/) {if($7 > 45 || $7 < 0) print $1}' /etc/shadow; } 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "8a6c00f5e85d6dc6ecbea018417206d2",
      "name": "5.3.2.1 — Ensure root is the only UID 0 account",
      "description": "Ensure root is the only UID 0 account",
      "rational": "This access must be limited to only the default root account and only from the system \nconsole. Administrative access must be through an unprivileged account using an \napproved mechanism as noted in the Recommendation \"Ensure access to the su \ncommand is restricted\".",
      "remediation": "Run the following command to change the root account UID to 0: \n\n# usermod -u 0 root \n\nModify any users other than root with UID 0 and assign them a new UID.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($3 == 0) { print $1 }' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "0dd5c5d2da077bf66d2a2248a57ee1ea",
      "name": "5.3.2.2 — Ensure root is the only GID 0 account",
      "description": "Ensure root is the only GID 0 account",
      "rational": "Using GID 0 for the root account helps prevent root-owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root user's GID to 0: \n\n# usermod -g 0 root \n\nRun the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any users other than the root user with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1\":\"$4}' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root:0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "b329b0f6042e1628a2d0f00b32c90046",
      "name": "5.3.2.3 — Ensure group root is the only GID 0 group",
      "description": "Ensure group root is the only GID 0 group",
      "rational": "Using GID 0 for the root group helps prevent root group owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root group's GID to 0: \n\n# groupmod -g 0 root \n\nRemove any groups other than the root group with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '$3==\"0\"{print $1\":\"$3}' /etc/group",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root:0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "86a595db7ee3b5998fade282dc68eb23",
      "name": "5.3.2.4 — Ensure root account access is controlled",
      "description": "Ensure root account access is controlled",
      "rational": "Access to root should be secured at all times.",
      "remediation": "Run the following command to set a password for the root user: \n\n# passwd root \n\n- OR - \n\nRun the following command to lock the root user account: \n\n# usermod -L root",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S root | awk '$2 ~ /^(P|L)/ {print \"User: \\\"\" $1 \"\\\" Password is\", $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "a4a94c9d79a0702c91afff339081b9ec",
      "name": "5.3.2.5 — Ensure root path integrity",
      "description": "Ensure root path integrity",
      "rational": "Including the current working directory (.) or other writable directory in root's \nexecutable path makes it likely that an attacker can gain superuser access by forcing an \nadministrator operating as root to execute a Trojan horse program. \n\nPage 523",
      "remediation": "Correct or justify any: \n\n•  Locations that are not directories \n•  Empty directories (::) \n•  Trailing (:) \n•  Current working directory (.) \n•  Non root owned directories \n•  Directories that less restrictive than mode 0755",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "p=\"$(sudo -Hiu root env 2>/dev/null | grep '^PATH=' | cut -d= -f2-)\"; case \":$p:\" in *::*) echo \"empty element or trailing colon in root PATH\";; esac; case \":$p:\" in *:.:*) echo \"current directory (.) in root PATH\";; esac; printf '%s\\n' \"$p\" | tr ':' '\\n' | grep -v '^$' | while IFS= read -r d; do if [ ! -d \"$d\" ]; then echo \"not a directory: $d\"; elif [ \"$(stat -Lc '%U' \"$d\")\" != root ]; then echo \"not root owned: $d\"; elif [ $(( 8#$(stat -Lc '%a' \"$d\") & 8#022 )) -ne 0 ]; then echo \"group or other writable: $d\"; fi; done",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "387513537c6ac695813c7850f70340a6",
      "name": "5.3.2.6 — Ensure root user umask is configured",
      "description": "Ensure root user umask is configured",
      "rational": "Setting a secure value for umask ensures that users make a conscious choice about \ntheir file permissions. A permissive umask value could result in directories or files with \nexcessive permissions that can be read and/or written to by unauthorized users.",
      "remediation": "Edit /root/.profile and /root/.bashrc and either: \n\n• \n\nremove, comment out, or update any line with umask. \n\n- OR - \n\n•  update any line that includes umask to a value of 0027 or more restrictive. \n\nExample: \numask 027 \n\nNote: the Recommendation \"Ensure default user umask is configured\" includes \nguidance to set the default umask",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*umask\\h+(?!0?[0-7]?[2367]7\\b)' /root/.profile /root/.bashrc",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f142b23a77fca124b7c41eee38351b0e",
      "name": "5.3.3.1 — Ensure nologin is not listed in /etc/shells",
      "description": "Ensure nologin is not listed in /etc/shells",
      "rational": "A user can use chsh to change their configured shell. \n\nIf a user has a shell configured that isn't in /etc/shells, then the system assumes \nthat they're somehow restricted. In the case of chsh it means that the user cannot \nchange that value. \n\nOther programs might query that list and apply similar restrictions. \n\nBy putting nologin in /etc/shells, any user that has nologin as its shell is...",
      "remediation": "Edit /etc/shells and remove any lines that include nologin",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/shells",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*([^#\\n\\r]+)?\\/nologin\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "ffb91e99c70b5cc5afe6cdafca90e5de",
      "name": "6.1.1.1 — Ensure journald service is enabled and active",
      "description": "Ensure journald service is enabled and active",
      "rational": "If the systemd-journald service is not enabled to start on boot, the system will not \ncapture logging events.",
      "remediation": "Run the following commands to unmask and start systemd-journald.service \n\n# systemctl unmask systemd-journald.service \n# systemctl start systemd-journald.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "systemd-journald",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "0c7af4efc31ac025e40a88c7e3d3e131",
      "name": "6.1.2.2 — Ensure journald ForwardToSyslog is disabled",
      "description": "Ensure journald ForwardToSyslog is disabled",
      "rational": "- IF - journald is the method for capturing logs, all logs of the system should be \nhandled by journald and not forwarded to other logging mechanisms. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "- IF - rsyslog is the preferred method for capturing logs, this section and \nRecommendation should be skipped and the \"Configure rsyslog\" section followed. \n\n- IF - journald is the preferred method for capturing logs: \n\nSet the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \n\nForwardToSyslog=no \n\nNote: If this setting appears in a canonically later file, or later in the same file, the \nsetting will be ov...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/systemd/journald.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^ForwardToSyslog=no"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "1a52b9fffed4fb5714943adc8024c615",
      "name": "6.1.2.3 — Ensure journald Compress is configured",
      "description": "Ensure journald Compress is configured",
      "rational": "Uncompressed large files may unexpectedly fill a filesystem leading to resource \nunavailability. Compressing logs prior to write can prevent sudden, unexpected \nfilesystem impacts. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "- IF - rsyslog is the preferred method for capturing logs, this section and \nRecommendation should be skipped and the \"Configure rsyslog\" section followed. \n\n- IF - journald is the preferred method for capturing logs: \n\nSet the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \n\nCompress=yes \n\nNote: If this setting appears in a canonically later file, or later in the same file, the \nsetting will be overwrit...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/systemd/journald.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^Compress=yes"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "a53513c0e09f7af5fcb4f8321fb8d973",
      "name": "6.1.2.4 — Ensure journald Storage is configured",
      "description": "Ensure journald Storage is configured",
      "rational": "Writing log data to disk will provide the ability to forensically reconstruct events which \nmay have impacted the operations or security of a system even after a system crash or \nreboot. \n\nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "- IF - rsyslog is the preferred method for capturing logs, this section and \nRecommendation should be skipped and the \"Configure rsyslog\" section followed. \n\n- IF - journald is the preferred method for capturing logs: \n\nSet the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \n\nStorage=persistent \n\nNote: If this setting appears in a canonically later file, or later in the same file, the \nsetting will be ov...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/systemd/journald.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^Storage=persistent"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7ab1f909377dbdcff2d372c903e1df5a",
      "name": "7.1.1 — Ensure access to /etc/passwd is configured",
      "description": "Ensure access to /etc/passwd is configured",
      "rational": "It is critical to ensure that the /etc/passwd file is protected from unauthorized write \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd: \n\n# chmod u-x,go-wx /etc/passwd \n# chown root:root /etc/passwd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "0d104b1c44355bc3eeb25533883035b3",
      "name": "7.1.2 — Ensure access to /etc/passwd- is configured",
      "description": "Ensure access to /etc/passwd- is configured",
      "rational": "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd-: \n\n# chmod u-x,go-wx /etc/passwd- \n# chown root:root /etc/passwd-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/passwd-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "c91a54cc245495bd92fabbd351e6a4d0",
      "name": "7.1.3 — Ensure access to /etc/group is configured",
      "description": "Ensure access to /etc/group is configured",
      "rational": "The /etc/group file needs to be protected from unauthorized changes by non-privileged \nusers, but needs to be readable as this information is used with many non-privileged \nprograms.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group: \n\n# chmod u-x,go-wx /etc/group \n# chown root:root /etc/group",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f0252f3418c5c96bdafc2fafe6ee1bb2",
      "name": "7.1.4 — Ensure access to /etc/group- is configured",
      "description": "Ensure access to /etc/group- is configured",
      "rational": "It is critical to ensure that the /etc/group- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group-: \n\n# chmod u-x,go-wx /etc/group- \n# chown root:root /etc/group-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/group-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f3063c10c0097a2d76f75bf513386572",
      "name": "7.1.5 — Ensure access to /etc/shadow is configured",
      "description": "Ensure access to /etc/shadow is configured",
      "rational": "If attackers can gain read access to the /etc/shadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/shadow file (such as expiration) could also be \nuseful to subvert the user accounts.",
      "remediation": "Run one of the following commands to set ownership of /etc/shadow to root and \ngroup to either root or shadow: \n\n# chown root:shadow /etc/shadow \n  -OR- \n# chown root:root /etc/shadow \n\nRun the following command to remove excess permissions from /etc/shadow: \n\n# chmod u-x,g-wx,o-rwx /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "9c6577060ad7fe8484a31d897e8f1817",
      "name": "7.1.6 — Ensure access to /etc/shadow- is configured",
      "description": "Ensure access to /etc/shadow- is configured",
      "rational": "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run one of the following commands to set ownership of /etc/shadow- to root and \ngroup to either root or shadow: \n\n# chown root:shadow /etc/shadow- \n  -OR- \n# chown root:root /etc/shadow- \n\nRun the following command to remove excess permissions from /etc/shadow-: \n\n# chmod u-x,g-wx,o-rwx /etc/shadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "b3926b0ec028930af6100bccf6021c5f",
      "name": "7.1.7 — Ensure access to /etc/gshadow is configured",
      "description": "Ensure access to /etc/gshadow is configured",
      "rational": "If attackers can gain read access to the /etc/gshadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/gshadow file (such as group administrators) could \nalso be useful to subvert the group.",
      "remediation": "Run one of the following commands to set ownership of /etc/gshadow to root and \ngroup to either root or shadow: \n\n# chown root:shadow /etc/gshadow \n  -OR- \n# chown root:root /etc/gshadow \n\nRun the following command to remove excess permissions from /etc/gshadow: \n\n# chmod u-x,g-wx,o-rwx /etc/gshadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "882984cd630836f774533e291b6632a1",
      "name": "7.1.8 — Ensure access to /etc/gshadow- is configured",
      "description": "Ensure access to /etc/gshadow- is configured",
      "rational": "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run one of the following commands to set ownership of /etc/gshadow- to root and \ngroup to either root or shadow: \n\n# chown root:shadow /etc/gshadow- \n  -OR- \n# chown root:root /etc/gshadow- \n\nRun the following command to remove excess permissions from /etc/gshadow-: \n\n# chmod u-x,g-wx,o-rwx /etc/gshadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "838e401b5a507f1286c14a14f6bd3f83",
      "name": "7.1.9 — Ensure access to /etc/shells is configured",
      "description": "Ensure access to /etc/shells is configured",
      "rational": "It is critical to ensure that the /etc/shells file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/shells: \n\n# chmod u-x,go-wx /etc/shells \n# chown root:root /etc/shells",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shells",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "7ecc0141fe25a9e5b361e7e789ff369e",
      "name": "7.2.4 — Ensure shadow group is empty",
      "description": "Ensure shadow group is empty",
      "rational": "Any users assigned to the shadow group would be granted read access to the \n/etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can \neasily run a password cracking program against the hashed passwords to break them. \nOther security information that is stored in the /etc/shadow file (such as expiration) \ncould also be useful to subvert additional user accounts.",
      "remediation": "Run the following command to remove all users from the shadow group \n\n# sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\\1/' /etc/group \n\nChange the primary group of any users with shadow as their primary group. \n\n# usermod -g <primary group> <user>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1==\"shadow\") {print $NF}' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "d6ecfac7244b1f92f7d79d0609379e70",
      "name": "7.2.5 — Ensure no duplicate UIDs exist",
      "description": "Ensure no duplicate UIDs exist",
      "rational": "Users must be assigned unique UIDs for accountability and to ensure appropriate \naccess protections. \n\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020",
      "remediation": "Based on the results of the audit script, establish unique UIDs and review all files owned \nby the shared UIDs to determine which UID they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "5eebdd366cde2965587e81017e574a05",
      "name": "7.2.6 — Ensure no duplicate GIDs exist",
      "description": "Ensure no duplicate GIDs exist",
      "rational": "User groups must be assigned unique GIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique GIDs and review all files \nowned by the shared GID to determine which group they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "9ed5cf861953b0764d902b2ab5ac5251",
      "name": "7.2.7 — Ensure no duplicate user names exist",
      "description": "Ensure no duplicate user names exist",
      "rational": "If a user is assigned a duplicate user name, it will create and have access to files with \nthe first UID for that username in /etc/passwd. For example, if \"test4\" has a UID of \n1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use \nUID 1000. Effectively, the UID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique user names for the users. File \nownerships will automatically reflect the change as long as the users have unique UIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    },
    {
      "external_id": "f2e0bcde103e30a0fbb8e06938cde3ac",
      "name": "7.2.8 — Ensure no duplicate group names exist",
      "description": "Ensure no duplicate group names exist",
      "rational": "If a group is assigned a duplicate group name, it will create and have access to files \nwith the first GID for that group in /etc/group. Effectively, the GID is shared, which is \na security problem.",
      "remediation": "Based on the results of the audit script, establish unique names for the user groups. File \ngroup ownerships will automatically reflect the change as long as the groups have \nunique GIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Mint"
        }
      ]
    }
  ]
}
