CIS_CentOS_Linux_7_Benchmark_v3.1.1.pdf_centosntpdate

Benchmark

CentOS

需积分: 26 56 浏览量更新于2023-04-28 评论收藏 4.3MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

资源详情

资源评论

资源推荐

CIS CentOS Linux 7 Benchmark

v3.1.1 - 05-21-2021

| P a g e  
 
Table of Contents 
Terms of Use ........................................................................................................................................................... 1 
Overview ............................................................................................................................................................... 13 
Intended Audience ........................................................................................................................................ 13 
Consensus Guidance ..................................................................................................................................... 13 
Assessment Status......................................................................................................................................... 14 
Profile Definitions ......................................................................................................................................... 15 
Acknowledgements ...................................................................................................................................... 16 
Recommendations ............................................................................................................................................. 17 
Initial Setup .................................................................................................................................................. 17 
1 Filesystem Configuration ............................................................................................................... 18 
1.1 Disable unused filesystems ................................................................................................... 19 
1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) ................ 20 
1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) ............. 22 
1.1.3 Ensure mounting of udf filesystems is disabled (Automated) ........................ 24 
1.2 Ensure /tmp is configured (Automated) .................................................................... 26 
1.3 Ensure noexec option set on /tmp partition (Automated) .................................. 30 
1.4 Ensure nodev option set on /tmp partition (Automated) ................................... 32 
1.5 Ensure nosuid option set on /tmp partition (Automated) .................................. 34 
1.6 Ensure /dev/shm is configured (Automated) .......................................................... 36 
1.7 Ensure noexec option set on /dev/shm partition (Automated) ........................ 38 
1.8 Ensure nodev option set on /dev/shm partition (Automated) ......................... 40 
1.9 Ensure nosuid option set on /dev/shm partition (Automated) ........................ 42 
1.10 Ensure separate partition exists for /var (Automated) ..................................... 44 
1.11 Ensure separate partition exists for /var/tmp (Automated) ........................... 46 
1.12 Ensure /var/tmp partition includes the noexec option (Automated) .......... 48 
1.13 Ensure /var/tmp partition includes the nodev option (Automated) ........... 50 
1.14 Ensure /var/tmp partition includes the nosuid option (Automated) .......... 52 
1.15 Ensure separate partition exists for /var/log (Automated) ............................. 54 
1.16 Ensure separate partition exists for /var/log/audit (Automated) ................ 56 

| P a g e  
 
1.17 Ensure separate partition exists for /home (Automated)................................. 58 
1.18 Ensure /home partition includes the nodev option (Automated) ................. 60 
1.19 Ensure removable media partitions include noexec option (Automated) .. 62 
1.20 Ensure nodev option set on removable media partitions (Automated) ...... 64 
1.21 Ensure nosuid option set on removable media partitions (Automated) ..... 66 
1.22 Ensure sticky bit is set on all world-writable directories (Automated) ...... 68 
1.23 Disable Automounting (Automated) ......................................................................... 70 
1.24 Disable USB Storage (Automated) .............................................................................. 72 
2 Configure Software Updates ......................................................................................................... 74 
2.1 Ensure GPG keys are configured (Manual) ................................................................ 75 
2.2 Ensure package manager repositories are configured (Manual) ...................... 77 
2.3 Ensure gpgcheck is globally activated (Automated) .............................................. 79 
3 Filesystem Integrity Checking ...................................................................................................... 81 
3.1 Ensure AIDE is installed (Automated) ......................................................................... 82 
3.2 Ensure filesystem integrity is regularly checked (Automated) ......................... 84 
4 Secure Boot Settings ........................................................................................................................ 87 
4.1 Ensure bootloader password is set (Automated) .................................................... 88 
4.2 Ensure permissions on bootloader config are configured (Automated) ........ 92 
4.3 Ensure authentication required for single user mode (Automated) ............... 95 
5 Additional Process Hardening ..................................................................................................... 97 
5.1 Ensure core dumps are restricted (Automated) ...................................................... 98 
5.2 Ensure XD/NX support is enabled (Automated) ................................................... 100 
5.3 Ensure address space layout randomization (ASLR) is enabled (Automated)
 .............................................................................................................................................................. 102 
5.4 Ensure prelink is not installed (Automated) ........................................................... 104 
6 Mandatory Access Control ........................................................................................................... 106 
6.1 Configure SELinux .................................................................................................................. 107 
6.1.1 Ensure SELinux is installed (Automated) ............................................................. 108 
6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated)
 .............................................................................................................................................................. 110 
6.1.3 Ensure SELinux policy is configured (Automated) ........................................... 112 

| P a g e  
 
6.1.4 Ensure the SELinux mode is enforcing or permissive (Automated) .......... 114 
6.1.5 Ensure the SELinux mode is enforcing (Automated) ....................................... 117 
6.1.6 Ensure no unconfined services exist (Automated) ........................................... 119 
6.1.7 Ensure SETroubleshoot is not installed (Automated) ..................................... 121 
6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 
(Automated) .................................................................................................................................... 123 
7 Command Line Warning Banners ............................................................................................. 125 
7.1 Ensure message of the day is configured properly (Automated) .................... 126 
7.2 Ensure local login warning banner is configured properly (Automated) .... 128 
7.3 Ensure remote login warning banner is configured properly (Automated)
 .............................................................................................................................................................. 130 
7.4 Ensure permissions on /etc/motd are configured (Automated) .................... 132 
7.5 Ensure permissions on /etc/issue are configured (Automated) .................... 134 
7.6 Ensure permissions on /etc/issue.net are configured (Automated) ............. 136 
8 GNOME Display Manager ............................................................................................................. 138 
8.1 Ensure GNOME Display Manager is removed (Manual) ..................................... 139 
8.2 Ensure GDM login banner is configured (Automated) ........................................ 141 
8.3 Ensure last logged in user display is disabled (Automated) ............................. 143 
8.4 Ensure XDCMP is not enabled (Automated) ............................................................ 145 
9 Ensure updates, patches, and additional security software are installed 
(Manual) ........................................................................................................................................... 147 
Services ........................................................................................................................................................ 149 
1 inetd Services .................................................................................................................................... 150 
1.1 Ensure xinetd is not installed (Automated) ............................................................. 151 
2 Special Purpose Services .............................................................................................................. 153 
2.1 Time Synchronization ........................................................................................................... 154 
2.1.1 Ensure time synchronization is in use (Manual) ............................................... 155 
2.1.2 Ensure chrony is configured (Automated) ........................................................... 157 
2.1.3 Ensure ntp is configured (Automated) .................................................................. 159 
2.2 Ensure X11 Server components are not installed (Automated) ...................... 162 
2.3 Ensure Avahi Server is not installed (Automated) ............................................... 164 