Cloudformation os hardening #46

Open
pethers opened this issue Jun 10, 2018 · 3 comments
Comments


pethers commented Jun 10, 2018

Follow Lynis suggestions. Currently having 157 points (out of 243)

Hardening index : [64] [############ ]
Hardening strength: System has been hardened, but could use additional hardening

sysctl

2018-06-09 18:03:07 Action: Performing tests from category: Kernel Hardening
2018-06-09 18:03:07 ===---------------------------------------------------------------===
2018-06-09 18:03:07 Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile)
2018-06-09 18:03:07 Result: sysctl key fs.protected_hardlinks contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 129 points (out of 202)
2018-06-09 18:03:07 Result: sysctl key fs.protected_symlinks contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 130 points (out of 203)
2018-06-09 18:03:07 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 130 points (out of 204)
2018-06-09 18:03:07 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2018-06-09 18:03:07 Result: key kern.sugid_coredump does not exist on this machine
2018-06-09 18:03:07 Result: key kernel.core_setuid_ok does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 130 points (out of 205)
2018-06-09 18:03:07 Result: sysctl key kernel.ctrl-alt-del contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 131 points (out of 206)
2018-06-09 18:03:07 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 131 points (out of 207)
2018-06-09 18:03:07 Result: key kernel.exec-shield-randomize does not exist on this machine
2018-06-09 18:03:07 Result: key kernel.exec-shield does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 131 points (out of 208)
2018-06-09 18:03:07 Result: key kernel.maps_protect does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key kernel.randomize_va_space contains equal expected and current value (2)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 132 points (out of 209)
2018-06-09 18:03:07 Result: key kernel.suid_dumpable does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 132 points (out of 210)
2018-06-09 18:03:07 Result: key kernel.use-nx does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key kernel.yama.ptrace_scope contains equal expected and current value (1 2 3)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 133 points (out of 211)
2018-06-09 18:03:07 Result: key net.inet.icmp.bmcastecho does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.icmp.drop_redirect does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.icmp.rediraccept does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.icmp.timestamp does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.accept_sourceroute does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.check_interface does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.forwarding does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.linklocal.in.allowbadttl does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.process_options does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.random_id does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.redirect does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip.sourceroute does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.ip6.redirect does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.always_keepalive does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.blackhole does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.drop_synfin does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.icmp_may_rst does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.nolocaltimewait does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.tcp.path_mtu_discovery does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet.udp.blackhole does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet6.icmp6.rediraccept does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet6.ip6.forwarding does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet6.ip6.fw.enable does not exist on this machine
2018-06-09 18:03:07 Result: key net.inet6.ip6.redirect does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.accept_redirects contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 134 points (out of 212)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 135 points (out of 213)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.bootp_relay contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 136 points (out of 214)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.forwarding contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 137 points (out of 215)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 137 points (out of 216)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.mc_forwarding contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 138 points (out of 217)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.proxy_arp contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 139 points (out of 218)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.rp_filter contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 140 points (out of 219)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 points (out of 220)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 141 points (out of 221)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 141 points (out of 222)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-09 18:03:07 Hardening: assigned partial number of hardening points (0 of 1). Currently having 141 points (out of 223)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.icmp_echo_ignore_broadcasts contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 142 points (out of 224)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.icmp_ignore_bogus_error_responses contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 143 points (out of 225)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.tcp_syncookies contains equal expected and current value (1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 144 points (out of 226)
2018-06-09 18:03:07 Result: sysctl key net.ipv4.tcp_timestamps contains equal expected and current value (0 1)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 145 points (out of 227)
2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.all.accept_redirects contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 146 points (out of 228)
2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.all.accept_source_route contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 147 points (out of 229)
2018-06-09 18:03:07 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.default.accept_redirects contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 148 points (out of 230)
2018-06-09 18:03:07 Result: sysctl key net.ipv6.conf.default.accept_source_route contains equal expected and current value (0)
2018-06-09 18:03:07 Hardening: assigned maximum number of hardening points for this item (1). Currently having 149 points (out of 231)
2018-06-09 18:03:07 Result: key security.bsd.hardlink_check_gid does not exist on this machine
2018-06-09 18:03:07 Result: key security.bsd.hardlink_check_uid does not exist on this machine
2018-06-09 18:03:08 Result: key security.bsd.see_other_gids does not exist on this machine
2018-06-09 18:03:08 Result: key security.bsd.see_other_uids does not exist on this machine
2018-06-09 18:03:08 Result: key security.bsd.stack_guard_page does not exist on this machine
2018-06-09 18:03:08 Result: key security.bsd.unprivileged_proc_debug does not exist on this machine
2018-06-09 18:03:08 Result: key security.bsd.unprivileged_read_msgbuf does not exist on this machine
2018-06-09 18:03:08 Result: found 9 keys that can use tuning, according scan profile
2018-06-09 18:03:08 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:] [solution:Change sysctl value or disable test (skip-test=KRNL-6000:)]


pethers commented Jun 10, 2018

2018-06-10 15:04:16 Hardening: assigned maximum number of hardening points for this item (3). Currently having 179 points (out of 248)
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 Action: Performing tests from category: Custom Tests
2018-06-10 15:04:16 Test: Checking for tests_custom file
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 Action: Performing plugin tests
2018-06-10 15:04:16 Result: Found 1 plugins of which 1 are enabled
2018-06-10 15:04:16 Result: Plugins phase 2 finished
2018-06-10 15:04:16 Checking permissions of /usr/share/lynis/include/report
2018-06-10 15:04:16 File permissions are OK
2018-06-10 15:04:16 Hardening index : [72] [############## ]
2018-06-10 15:04:16 Hardening strength: System has been hardened, but could use additional hardening
2018-06-10 15:04:16 ===---------------------------------------------------------------===
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 Tests performed: 230
2018-06-10 15:04:16 Total tests: 393
2018-06-10 15:04:16 Active plugins: 1
2018-06-10 15:04:16 Total plugins: 1
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 Lynis 2.6.2
2018-06-10 15:04:16 2007-2018, CISOfy - https://cisofy.com/lynis/
2018-06-10 15:04:16 Enterprise support available (compliance, plugins, interface and tools)
2018-06-10 15:04:16 Program ended successfully
2018-06-10 15:04:16 ================================================================================
2018-06-10 15:04:16 PID file removed (/var/run/lynis.pid)
2018-06-10 15:04:16 Temporary files: /tmp/lynis.SzTTjPIJrF /tmp/lynis.6BrI0QmzvW /tmp/lynis.ssXn51NVGZ
2018-06-10 15:04:16 Action: removing temporary file /tmp/lynis.SzTTjPIJrF
2018-06-10 15:04:16 Info: temporary file /tmp/lynis.6BrI0QmzvW was already removed
2018-06-10 15:04:16 Info: temporary file /tmp/lynis.ssXn51NVGZ was already removed
2018-06-10 15:04:16 Lynis ended successfully.


pethers commented Jun 10, 2018

2018-06-10 15:04:15 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2018-06-10 15:04:15 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:15 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:16 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
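The four KRNL-6000 drift lines above are the remaining sysctl work items. The following script is an added example, not code from this issue or from the project's CloudFormation templates: it parses Lynis log lines of that exact shape, renders a `sysctl.d`-style fragment that sets each drifted key to the scan profile's expected value, and re-checks live values so the fix can be verified after a reboot or `sysctl --system`. The sample log is constructed from the lines quoted in this issue (plus one matching key and one missing key); the fragment path `/etc/sysctl.d/99-lynis-hardening.conf` and the `/proc/sys` reader are assumptions for illustration, and the choice to take the first of several accepted values (Lynis profiles may list alternatives such as `1 2 3`) is a documented assumption, not Lynis behaviour.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample in lynis.log format: the four drift findings quoted in this
# issue, one key that already matches, and one key that does not exist.
SAMPLE_LOG = """\
2018-06-10 15:04:15 Result: sysctl key fs.protected_hardlinks contains equal expected and current value (1)
2018-06-10 15:04:15 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2018-06-10 15:04:15 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:15 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:16 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2018-06-10 15:04:16 Result: key kernel.exec-shield does not exist on this machine
"""

# Matches only the "has a different value" result line; "contains equal" and
# "does not exist" lines are deliberately ignored. Expected may hold several
# space-separated accepted values, so it is captured lazily up to ", Real=".
DRIFT_RE = re.compile(
    r"Result: sysctl key (?P<key>[\w.\-]+) has a different value than expected "
    r"in scan profile\. Expected=(?P<expected>.+?), Real=(?P<real>\S+)$"
)


def parse_drift(log_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {sysctl key: (expected, real)} for every KRNL-6000 drift line."""
    drift: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        m = DRIFT_RE.search(line)
        if m:
            drift[m.group("key")] = (m.group("expected"), m.group("real"))
    return drift


def accepted_values(expected: str) -> List[str]:
    """Split a profile value like '1 2 3' into its accepted alternatives."""
    return expected.split()


def to_sysctl_conf(drift: Dict[str, Tuple[str, str]]) -> str:
    """Render a sysctl.d fragment that sets each drifted key to the profile value.

    Assumption: when the profile lists alternatives, the first one is taken.
    """
    out = ["# Generated from Lynis KRNL-6000 drift findings (hypothetical fragment)"]
    for key in sorted(drift):
        expected, real = drift[key]
        out.append(f"# Lynis saw {real}, profile accepts: {expected}")
        out.append(f"{key} = {accepted_values(expected)[0]}")
    return "\n".join(out) + "\n"


def read_live_value(key: str, proc_sys: Path = Path("/proc/sys")) -> Optional[str]:
    """Read a live sysctl value via /proc/sys (dots map to path separators).

    Returns None when the key does not exist on this kernel instead of raising.
    """
    path = proc_sys.joinpath(*key.split("."))
    try:
        return path.read_text().strip()
    except OSError:
        return None


def still_drifting(drift: Dict[str, Tuple[str, str]],
                   live: Dict[str, Optional[str]]) -> List[str]:
    """Keys whose live value is not among the profile's accepted values.

    `live` is a {key: value} map, e.g. {k: read_live_value(k) for k in drift};
    it is passed in so the check can be run offline against captured values.
    """
    return sorted(
        key for key, (expected, _real) in drift.items()
        if live.get(key) not in accepted_values(expected)
    )


if __name__ == "__main__":
    findings = parse_drift(SAMPLE_LOG)
    print(to_sysctl_conf(findings))
    # Re-check against the running kernel (only meaningful on a Linux host).
    current = {k: read_live_value(k) for k in findings}
    print("still drifting:", still_drifting(findings, current))
```

Usage on a host: feed it the real `/var/log/lynis.log`, write the fragment to the assumed `/etc/sysctl.d/99-lynis-hardening.conf`, apply with `sysctl --system`, then re-run the check; a key that is reported as still drifting after apply usually means a later file in `/etc/sysctl.d` overrides it, which is worth knowing before baking the value into a CloudFormation user-data script.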


pethers commented Jun 10, 2018

Current suggestions

2018-06-10 15:03:56 Suggestion: Version of Lynis outdated, consider upgrading to the latest version [test:LYNIS] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [test:CUST-0280] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install libpam-usb to enable multi-factor authentication for PAM sessions [test:CUST-0285] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install apt-listbugs to display a list of critical bugs prior to each APT installation. [test:CUST-0810] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [test:CUST-0831] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Copy /etc/fail2ban/jail.conf to jail.local to prevent it being changed by updates. [test:DEB-0880] [details:-] [solution:-]
2018-06-10 15:04:03 Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308] [details:-] [solution:-]
2018-06-10 15:04:04 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: To decrease the impact of a full /var file system, place /var on a separated partition [test:FILE-6310] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
2018-06-10 15:04:05 Suggestion: Add the IP name and FQDN to /etc/hosts for proper name resolving [test:NAME-4404] [details:-] [solution:-]
2018-06-10 15:04:07 Suggestion: Purge old/removed packages (2 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346] [details:-] [solution:-]
2018-06-10 15:04:10 Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Consider running ARP monitoring software (arpwatch,arpon) [test:NETW-3032] [details:-] [solution:-]
2018-06-10 15:04:11 Suggestion: Check iptables rules to see which rules are currently not used [test:FIRE-4513] [details:-] [solution:-]
2018-06-10 15:04:12 Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
2018-06-10 15:04:13 Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
2018-06-10 15:04:13 Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Enable sysstat to collect accounting (no results) [test:ACCT-9626] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [test:ACCT-9630] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Check ntpq peers output for selected time source [test:TIME-3124] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128] [details:-] [solution:-]
2018-06-10 15:04:14 Suggestion: Install a file integrity tool to monitor changes to critical and sensitive files [test:FINT-4350] [details:-] [solution:-]
2018-06-10 15:04:15 Suggestion: Determine if automation tools are present for system management [test:TOOL-5002] [details:-] [solution:-]
2018-06-10 15:04:16 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:] [solution:Change sysctl value or disable test (skip-test=KRNL-6000:)]
2018-06-10 15:04:16 Suggestion: Harden compilers like restricting access to root user only [test:HRDN-7222] [details:-] [solution:-]

@pethers pethers added this to the Election2022 milestone Jan 26, 2019