Amazon Inspector - Assessment Report

Amazon Inspector - Assessment Report

Findings Report

Report generated on 2019-02-11 at 22:00:00 UTC

Assessment Template: Assessment-Template-Default

Assessment Run start: 2019-02-11 at 21:39:57 UTCAssessment Run end: 2019-02-11 at 21:56:39 UTC

Amazon InspectorAssessment-Template-Default

2019-02-11 21:56:40 UTC

Section 1: Executive Summary

This is an Inspector assessment report for an assessment started on 2019-02-11 21:39:57UTC for assessment template 'Assessment-Template-Default'. The assessment targetincluded 1 instances, and was tested against 4 Rules Packages.

The assessment target is defined using the following EC2 tagsKey Value

Name Ubuntu-Desktop-1

The following Rules Packages were assessed. A total of 252 findings were created, withthe following distribution by severity:

Rules Package High Medium Low Informational

CIS Operating System Security ConfigurationBenchmarks-1.0

80 0 0 10

Common Vulnerabilities and Exposures-1.1 96 60 2 0

Network Reachability-1.1 0 0 1 2

Security Best Practices-1.0 0 1 0 0


2019-02-11 21:56:40 UTC

Section 2: What is Tested

This section details the Rules Packages included in this assessment run, and the EC2instances included in the assessment target.

2.1: Rules Packages - Count: 4

2.1.1: CIS Operating System Security Configuration Benchmarks-1.0

Description: The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assessand improve their security.

The rules in this package help establish a secure configuration posture for thefollowing operating systems:

- Amazon Linux version 2015.03 (CIS benchmark v1.1.0)- Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2,v3.0.0, Level 1 Domain Controller)- Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2,v3.0.0, Level 1 Member Server Profile)- Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server2012 R2, v2.2.0, Level 1 Member Server Profile)- Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server2012 R2, v2.2.0, Level 1 Domain Controller Profile)- Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012non-R2, v2.0.0, Level 1 Member Server Profile)- Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012non-R2, v2.0.0, Level 1 Domain Controller Profile)- Amazon Linux (CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 1)- Amazon Linux (CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 2)- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level1 Server)


2019-02-11 21:56:40 UTC

- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level2 Server)- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level1 Workstation)- CentOS Linux 7 (CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level2 Workstation)- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7Benchmark v2.1.1 Level 1 Server)- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7Benchmark v2.1.1 Level 2 Server)- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7Benchmark v2.1.1 Level 1 Workstation)- Red Hat Enterprise Linux 7 (CIS Benchmark for Red Hat Enterprise Linux 7Benchmark v2.1.1 Level 2 Workstation)- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTSBenchmark v1.1.0 Level 1 Server)- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTSBenchmark v1.1.0 Level 2 Server)- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTSBenchmark v1.1.0 Level 1 Workstation)- Ubuntu Linux 16.04 LTS (CIS Benchmark for Ubuntu Linux 16.04 LTSBenchmark v1.1.0 Level 2 Workstation)- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2,Level 1 Server)- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2,Level 2 Server)- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2,Level 1 Workstation)- CentOS Linux 6 (CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2,Level 2 Workstation)- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6Benchmark v2.0.2, Level 1 Server)- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6Benchmark v2.0.2, Level 2 Server)- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6Benchmark v2.0.2, Level 1 Workstation)


2019-02-11 21:56:40 UTC

- Red Hat Enterprise Linux 6 (CIS Benchmark for Red Hat Enterprise Linux 6Benchmark v2.0.2 Level 2 Workstation)- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTSBenchmark v2.0.0, Level 1 Server)- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTSBenchmark v2.0.0, Level 2 Server)- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTSBenchmark v2.0.0, Level 1 Workstation)- Ubuntu Linux 14.04 LTS (CIS Benchmark for Ubuntu Linux 14.04 LTSBenchmark v2.0.0, Level 2 Workstation)

If a particular CIS benchmark appears in a finding produced by an AmazonInspector assessment run, you can download a detailed PDF description ofthe benchmark from https://benchmarks.cisecurity.org/ (free registrationrequired). The benchmark document provides detailed information about this CISbenchmark, its severity, and how to mitigate it.Provider: Amazon Web Services, Inc.Version: 1.0

2.1.2: Common Vulnerabilities and Exposures-1.1

Description: The rules in this package help verify whether the EC2 instancesin your application are exposed to Common Vulnerabilities and Exposures(CVEs). Attacks can exploit unpatched vulnerabilities to compromise theconfidentiality, integrity, or availability of your service or data. The CVE systemprovides a reference for publicly known information security vulnerabilitiesand exposures. For more information, see https://cve.mitre.org/. If a particularCVE appears in one of the produced Findings at the end of a completed Inspectorassessment, you can search https://cve.mitre.org/ using the CVE's ID (forexample, "CVE-2009-0021") to find detailed information about this CVE, itsseverity, and how to mitigate it.Provider: Amazon Web Services, Inc.Version: 1.1

2.1.3: Network Reachability-1.1


2019-02-11 21:56:40 UTC

Description: These rules analyze the reachability of your instances over thenetwork. Attacks can exploit your instances over the network by accessingservices that are listening on open ports. These rules evaluate the security yourhost configuration in AWS to determine if it allows access to ports and servicesover the network. For reachable ports and services, the Amazon Inspectorfindings identify where they can be reached from, and provide guidance on howto restrict access to these ports.Provider: Amazon Web Services, Inc.Version: 1.1

2.1.4: Security Best Practices-1.0

Description: The rules in this package help determine whether your systems areconfigured securely.Provider: Amazon Web Services, Inc.Version: 1.0

2.2: Assessment Target - Assessment-Template-Default

2.2.1: EC2 Tags:

The following EC2 tags (Key/Value pairs) were used to define this assessment target.

Key Value

Name Ubuntu-Desktop-1

2.2.2: Instances - Count 1

Instance ID

i-04372149a51fe6560


2019-02-11 21:56:40 UTC

Section 3: Findings Summary

This section lists the rules that generated findings, the severity of the finding, andthe number of instances affected. More details about the findings can be found in the"Findings Details" section. Rules that passed on all target instances available during theassessment run are listed in the "Passed Rules" section.

3.1: Findings table - CIS Operating System SecurityConfiguration Benchmarks-1.0

3.1.1 Level 1 - Server

Rule Severity Failed

1.1.16 Ensure noexec option set on /run/shm partition High 1

1.1.1.1 Ensure mounting of cramfs filesystems is disabled High 1

1.1.1.2 Ensure mounting of freevxfs filesystems is disabled High 1

1.1.1.3 Ensure mounting of jffs2 filesystems is disabled High 1

1.1.1.4 Ensure mounting of hfs filesystems is disabled High 1

1.1.1.5 Ensure mounting of hfsplus filesystems is disabled High 1

1.1.1.6 Ensure mounting of udf filesystems is disabled High 1

1.3.1 Ensure AIDE is installed High 1

1.3.2 Ensure filesystem integrity is regularly checked High 1

1.4.1 Ensure permissions on bootloader config are configured High 1

1.4.2 Ensure bootloader password is set High 1

1.5.1 Ensure core dumps are restricted High 1

1.7.1.4 Ensure permissions on /etc/motd are configured Informational 1

2.2.2 Ensure X Window System is not installed High 1

2.2.3 Ensure Avahi Server is not enabled High 1

2.2.4 Ensure CUPS is not enabled High 1

2.3.4 Ensure telnet client is not installed High 1

3.1.2 Ensure packet redirect sending is disabled High 1

3.2.1 Ensure source routed packets are not accepted High 1

3.2.2 Ensure ICMP redirects are not accepted High 1

3.2.3 Ensure secure ICMP redirects are not accepted High 1

3.2.4 Ensure suspicious packets are logged High 1


2019-02-11 21:56:40 UTC

3.3.1 Ensure IPv6 router advertisements are not accepted Informational 1

3.3.2 Ensure IPv6 redirects are not accepted Informational 1

3.3.3 Ensure IPv6 is disabled Informational 1

3.4.3 Ensure /etc/hosts.deny is configured High 1

3.5.1 Ensure DCCP is disabled Informational 1

3.5.2 Ensure SCTP is disabled Informational 1

3.5.3 Ensure RDS is disabled Informational 1

3.5.4 Ensure TIPC is disabled Informational 1

3.6.2 Ensure default deny firewall policy High 1

3.6.3 Ensure loopback traffic is configured High 1

3.6.5 Ensure firewall rules exist for all open ports High 1

4.2.4 Ensure permissions on all logfiles are configured High 1

4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host High 1

5.6 Ensure access to the su command is restricted High 1

5.1.2 Ensure permissions on /etc/crontab are configured High 1

5.1.3 Ensure permissions on /etc/cron.hourly are configured High 1

5.1.4 Ensure permissions on /etc/cron.daily are configured High 1

5.1.5 Ensure permissions on /etc/cron.weekly are configured High 1

5.1.6 Ensure permissions on /etc/cron.monthly are configured High 1

5.1.7 Ensure permissions on /etc/cron.d are configured High 1

5.1.8 Ensure at/cron is restricted to authorized users High 1

5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured High 1

5.2.4 Ensure SSH X11 forwarding is disabled High 1

5.2.5 Ensure SSH MaxAuthTries is set to 4 or less High 1

5.2.8 Ensure SSH root login is disabled High 1

5.2.10 Ensure SSH PermitUserEnvironment is disabled High 1

5.2.11 Ensure only approved MAC algorithms are used High 1

5.2.12 Ensure SSH Idle Timeout Interval is configured High 1

5.2.13 Ensure SSH LoginGraceTime is set to one minute or less High 1

5.2.14 Ensure SSH access is limited High 1

5.2.15 Ensure SSH warning banner is configured High 1

5.3.1 Ensure password creation requirements are configured High 1

5.3.2 Ensure lockout for failed password attempts is configured Informational 1

5.3.3 Ensure password reuse is limited High 1

5.4.2 Ensure system accounts are non-login High 1

5.4.4 Ensure default user umask is 027 or more restrictive High 1

5.4.5 Ensure default user shell timeout is 900 seconds or less High 1

5.4.1.1 Ensure password expiration is 90 days or less High 1

5.4.1.2 Ensure minimum days between password changes is 7 or more High 1


2019-02-11 21:56:40 UTC

5.4.1.4 Ensure inactive password lock is 30 days or less High 1

6.2.1 Ensure password fields are not empty High 1

6.2.7 Ensure all users' home directories exist High 1

6.2.8 Ensure users' home directories permissions are 750 or morerestrictive

High 1

3.1.2 Level 1 - Workstation

































2019-02-11 21:56:40 UTC


































High 1



1.1.2 Ensure separate partition exists for /tmp High 1


2019-02-11 21:56:40 UTC

1.1.5 Ensure separate partition exists for /var High 1

1.1.6 Ensure separate partition exists for /var/tmp High 1

1.1.10 Ensure separate partition exists for /var/log High 1

1.1.11 Ensure separate partition exists for /var/log/audit High 1

1.1.12 Ensure separate partition exists for /home High 1














2.2.2 Ensure X Window System is not installed High 1




















4.1.2 Ensure auditd service is enabled High 1


2019-02-11 21:56:40 UTC

4.1.3 Ensure auditing for processes that start prior to auditd is enabled High 1

4.1.4 Ensure events that modify date and time information are collected High 1

4.1.5 Ensure events that modify user/group information are collected High 1

4.1.6 Ensure events that modify the system's network environment arecollected

High 1

4.1.7 Ensure events that modify the system's Mandatory Access Controlsare collected

High 1

4.1.8 Ensure login and logout events are collected High 1

4.1.9 Ensure session initiation information is collected High 1

4.1.10 Ensure discretionary access control permission modificationevents are collected

High 1

4.1.11 Ensure unsuccessful unauthorized file access attempts arecollected

High 1

4.1.13 Ensure successful file system mounts are collected High 1

4.1.14 Ensure file deletion events by users are collected High 1

4.1.15 Ensure changes to system administration scope (sudoers) iscollected

High 1

4.1.16 Ensure system administrator actions (sudolog) are collected High 1

4.1.17 Ensure kernel module loading and unloading is collected High 1

4.1.18 Ensure the audit configuration is immutable High 1

4.1.1.1 Ensure audit log storage size is configured Informational 1

4.1.1.2 Ensure system is disabled when audit logs are full High 1

4.1.1.3 Ensure audit logs are not automatically deleted High 1



















2019-02-11 21:56:40 UTC
















High 1



1.1.2 Ensure separate partition exists for /tmp High 1

1.1.5 Ensure separate partition exists for /var High 1

1.1.6 Ensure separate partition exists for /var/tmp High 1

1.1.10 Ensure separate partition exists for /var/log High 1

1.1.11 Ensure separate partition exists for /var/log/audit High 1

1.1.12 Ensure separate partition exists for /home High 1















2019-02-11 21:56:40 UTC




















4.1.2 Ensure auditd service is enabled High 1

4.1.3 Ensure auditing for processes that start prior to auditd is enabled High 1

4.1.4 Ensure events that modify date and time information are collected High 1

4.1.5 Ensure events that modify user/group information are collected High 1

4.1.6 Ensure events that modify the system's network environment arecollected

High 1

4.1.7 Ensure events that modify the system's Mandatory Access Controlsare collected

High 1

4.1.8 Ensure login and logout events are collected High 1

4.1.9 Ensure session initiation information is collected High 1

4.1.10 Ensure discretionary access control permission modificationevents are collected

High 1

4.1.11 Ensure unsuccessful unauthorized file access attempts arecollected

High 1

4.1.13 Ensure successful file system mounts are collected High 1

4.1.14 Ensure file deletion events by users are collected High 1

4.1.15 Ensure changes to system administration scope (sudoers) iscollected

High 1

4.1.16 Ensure system administrator actions (sudolog) are collected High 1

4.1.17 Ensure kernel module loading and unloading is collected High 1

4.1.18 Ensure the audit configuration is immutable High 1


2019-02-11 21:56:40 UTC

4.1.1.1 Ensure audit log storage size is configured Informational 1

4.1.1.2 Ensure system is disabled when audit logs are full High 1

4.1.1.3 Ensure audit logs are not automatically deleted High 1

































High 1


2019-02-11 21:56:40 UTC

3.2: Findings table - Common Vulnerabilities andExposures-1.1


CVE-2013-7447 Medium 1

CVE-2014-8625 High 1

CVE-2014-9939 High 1

CVE-2015-1336 High 1


CVE-2015-8539 High 1

CVE-2016-10708 High 1

CVE-2016-2226 High 1

CVE-2016-4484 High 1


CVE-2016-7913 High 1


CVE-2017-0794 High 1

CVE-2017-11591 High 1

CVE-2017-11683 Medium 1

CVE-2017-13168 Medium 1

CVE-2017-14502 High 1

CVE-2017-14859 Medium 1

CVE-2017-14862 Medium 1

CVE-2017-14864 Medium 1

CVE-2017-15299 Medium 1

CVE-2017-16649 High 1

CVE-2017-17669 Medium 1

CVE-2017-18216 Medium 1

CVE-2017-2647 High 1

CVE-2017-6519 High 1


CVE-2017-9525 High 1

CVE-2018-0495 Low 1



CVE-2018-1000004 High 1

CVE-2018-1000030 High 1

CVE-2018-1000802 High 1


2019-02-11 21:56:40 UTC

CVE-2018-1000877 High 1

CVE-2018-1000878 High 1

CVE-2018-1000880 Medium 1

CVE-2018-10119 High 1

CVE-2018-10120 High 1

CVE-2018-10583 High 1

CVE-2018-1060 High 1

CVE-2018-1061 High 1

CVE-2018-1066 High 1

CVE-2018-10902 Medium 1

CVE-2018-10963 Medium 1

CVE-2018-11574 High 1

CVE-2018-11790 Medium 1

CVE-2018-12384 Medium 1

CVE-2018-12389 High 1

CVE-2018-12390 High 1

CVE-2018-12392 High 1

CVE-2018-12393 High 1

CVE-2018-12896 Medium 1

CVE-2018-14633 High 1

CVE-2018-14634 High 1

CVE-2018-14647 High 1

CVE-2018-14734 High 1

CVE-2018-15126 High 1

CVE-2018-15127 High 1

CVE-2018-15473 High 1

CVE-2018-15572 Medium 1

CVE-2018-15594 Medium 1

CVE-2018-16276 High 1

CVE-2018-16336 Medium 1

CVE-2018-16395 High 1

CVE-2018-16396 High 1

CVE-2018-16646 Medium 1

CVE-2018-16658 Medium 1

CVE-2018-17100 High 1

CVE-2018-17101 High 1

CVE-2018-17466 High 1

CVE-2018-17581 Medium 1

CVE-2018-17972 Medium 1


2019-02-11 21:56:40 UTC

CVE-2018-18281 Medium 1

CVE-2018-18311 High 1

CVE-2018-18312 High 1

CVE-2018-18313 High 1

CVE-2018-18314 High 1

CVE-2018-18386 Medium 1

CVE-2018-18500 High 1

CVE-2018-18501 High 1

CVE-2018-18502 High 1

CVE-2018-18503 High 1

CVE-2018-18504 High 1

CVE-2018-18505 High 1

CVE-2018-18506 Medium 1

CVE-2018-18557 High 1

CVE-2018-18661 Medium 1

CVE-2018-18690 Medium 1

CVE-2018-18710 Medium 1

CVE-2018-18751 High 1

CVE-2018-19058 Medium 1

CVE-2018-19059 Medium 1

CVE-2018-19060 Medium 1

CVE-2018-19149 Medium 1

CVE-2018-19409 High 1

CVE-2018-19475 High 1

CVE-2018-19476 High 1

CVE-2018-19477 High 1

CVE-2018-19787 Medium 1

CVE-2018-19788 High 1

CVE-2018-19840 Medium 1

CVE-2018-19841 Medium 1

CVE-2018-20019 High 1

CVE-2018-20020 High 1

CVE-2018-20021 High 1

CVE-2018-20022 High 1

CVE-2018-20023 High 1

CVE-2018-20024 High 1

CVE-2018-20459 Medium 1

CVE-2018-20481 Medium 1

CVE-2018-20544 Medium 1


2019-02-11 21:56:40 UTC

CVE-2018-20545 High 1

CVE-2018-20546 Medium 1

CVE-2018-20547 Medium 1

CVE-2018-20548 High 1

CVE-2018-20549 High 1

CVE-2018-20551 Medium 1

CVE-2018-20650 Medium 1

CVE-2018-20685 Medium 1

CVE-2018-20748 High 1

CVE-2018-20749 High 1

CVE-2018-20750 High 1



CVE-2018-3149 High 1

CVE-2018-3169 High 1

CVE-2018-3180 High 1

CVE-2018-5407 Low 1

CVE-2018-5807 High 1

CVE-2018-5810 High 1



CVE-2018-5813 High 1

CVE-2018-5815 High 1

CVE-2018-5816 High 1

CVE-2018-6307 High 1


CVE-2018-6555 High 1



CVE-2018-8784 High 1

CVE-2018-8785 High 1

CVE-2018-8786 High 1

CVE-2018-8787 High 1

CVE-2018-8788 High 1

CVE-2018-8789 High 1

CVE-2018-8905 High 1

CVE-2018-9363 High 1

CVE-2018-9518 High 1

CVE-2018-9568 High 1


2019-02-11 21:56:40 UTC

CVE-2019-1000019 Medium 1

CVE-2019-1000020 Medium 1

CVE-2019-3813 High 1

CVE-2019-3823 High 1



CVE-2019-7310 High 1

3.3: Findings table - Network Reachability-1.1


Recognized port with listener reachable from internet Informational 1

Recognized port with no listener reachable from internet Informational 1

Unrecognized port with listener reachable from internet Low 1

3.4: Findings table - Security Best Practices-1.0


Disable root login over SSH Medium 1


2019-02-11 21:56:40 UTC

Section 4: Findings Details

This section details the findings generated in this assessment run, and the instances thatgenerated the finding. If an instance is not listed here, that means it was checked andpassed.

4.1: Findings details - CIS Operating System SecurityConfiguration Benchmarks-1.0


1.1.16 Ensure noexec option set on /run/shm partition

SeverityHigh

DescriptionDescription The noexec mount option specifies that the filesystem cannot containexecutable binaries. Rationale Setting this option on a file system prevents users fromexecuting programs from shared memory. This deters users from introducing potentiallymalicious software on the system.

RecommendationEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the followingcommand to remount /run/shm: # mount -o remount,noexec /run/shm

Failed Instancesi-04372149a51fe6560

1.1.1.1 Ensure mounting of cramfs filesystems is disabled

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The cramfs filesystem type is a compressed read-only Linux filesystemembedded in small footprint systems. A cramfs image can be used without havingto first decompress the image. Rationale Removing support for unneeded filesystemtypes reduces the local attack surface of the server. If this filesystem type is not needed,disable it.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: installcramfs /bin/true


1.1.1.2 Ensure mounting of freevxfs filesystems is disabled

SeverityHigh

DescriptionDescription The freevxfs filesystem type is a free version of the Veritas type filesystem.This is the primary filesystem type for HP-UX operating systems. Rationale Removingsupport for unneeded filesystem types reduces the local attack surface of the system. Ifthis filesystem type is not needed, disable it.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: installfreevxfs /bin/true


1.1.1.3 Ensure mounting of jffs2 filesystems is disabled

SeverityHigh

DescriptionDescription The jffs2 (journaling flash filesystem 2) filesystem type is a log-structuredfilesystem used in flash memory devices. Rationale Removing support for unneeded


2019-02-11 21:56:40 UTC

filesystem types reduces the local attack surface of the system. If this filesystem type isnot needed, disable it.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true


1.1.1.4 Ensure mounting of hfs filesystems is disabled

SeverityHigh

DescriptionDescription The hfs filesystem type is a hierarchical filesystem that allows you tomount Mac OS filesystems. Rationale Removing support for unneeded filesystem typesreduces the local attack surface of the system. If this filesystem type is not needed,disable it.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true


1.1.1.5 Ensure mounting of hfsplus filesystems is disabled

SeverityHigh

DescriptionDescription The hfsplus filesystem type is a hierarchical filesystem designed to replacehfs that allows you to mount Mac OS filesystems. Rationale Removing support forunneeded filesystem types reduces the local attack surface of the system. If thisfilesystem type is not needed, disable it.

Recommendation


2019-02-11 21:56:40 UTC

Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: installhfsplus /bin/true


1.1.1.6 Ensure mounting of udf filesystems is disabled

SeverityHigh

DescriptionDescription The udf filesystem type is the universal disk format used to implementISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystemtype for data storage on a broad range of media. This filesystem type is necessary tosupport writing DVDs and newer optical disc formats. Rationale Removing supportfor unneeded filesystem types reduces the local attack surface of the system. If thisfilesystem type is not needed, disable it.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true


1.3.1 Ensure AIDE is installed

SeverityHigh

DescriptionDescription AIDE takes a snapshot of filesystem state including modification times,permissions, and file hashes which can then be used to compare against the current stateof the filesystem to detect modifications to the system. Rationale By monitoring thefilesystem state compromised files can be detected to prevent or limit the exposure ofaccidental or malicious misconfigurations or modified binaries.

Recommendation


2019-02-11 21:56:40 UTC

Run the following command to install AIDE: # apt-get install aide Configure AIDEas appropriate for your environment. Consult the AIDE documentation for options.Initialize AIDE: # aide --init


1.3.2 Ensure filesystem integrity is regularly checked

SeverityHigh

DescriptionDescription Periodic checking of the filesystem integrity is needed to detect changesto the filesystem. Rationale Periodic file checking allows the system administratorto determine on a regular basis if critical files have been changed in an unauthorizedfashion.

RecommendationRun the following command: # crontab -u root -e Add the following line to the crontab:0 5 * * * /usr/bin/aide --check


1.4.1 Ensure permissions on bootloader config are configured

SeverityHigh

DescriptionDescription The grub configuration file contains information on boot settings andpasswords for unlocking boot options. The grub configuration is usually grub.cfg storedin /boot/grub. Rationale Setting the permissions to read and write for root only preventsnon-root users from seeing the boot parameters or changing them. Non-root users whoread the boot parameters may be able to identify weaknesses in security upon boot andbe able to exploit them.

Recommendation


2019-02-11 21:56:40 UTC

Run the following commands to set permissions on your grub configuration: # chownroot:root /boot/grub/grub.cfg# chmod og-rwx /boot/grub/grub.cfg


1.4.2 Ensure bootloader password is set

SeverityHigh

DescriptionDescription Setting the boot loader password will require that anyone rebooting thesystem must enter a password before being able to set command line boot parametersRationale Requiring a boot password upon execution of the boot loader will prevent anunauthorized user from entering boot parameters or changing the boot partition. Thisprevents users from weakening security (e.g. turning off SELinux at boot time).

RecommendationCreate an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2Enter password: <password>Reenter password: <password>Your PBKDF2 is<encrypted-password> Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <<EOFset superusers="<username>"password_pbkdf2<username><encrypted-password>EOF Run the following command to update thegrub2 configuration: # update-grub


1.5.1 Ensure core dumps are restricted

SeverityHigh

DescriptionDescription A core dump is the memory of an executable program. It is generallyused to determine why a program aborted. It can also be used to glean confidentialinformation from a core file. The system provides the ability to set a soft limit for coredumps, but this can be overridden by the user. Rationale Setting a hard limit on coredumps prevents users from overriding the soft variable. If core dumps are required,


2019-02-11 21:56:40 UTC

consider setting limits for user groups (see limits.conf(5)). In addition, setting thefs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.

RecommendationAdd the following line to the /etc/security/limits.conf file or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in the /etc/sysctl.conf file:fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: #sysctl -w fs.suid_dumpable=0


1.7.1.4 Ensure permissions on /etc/motd are configured

SeverityInformational

DescriptionDescription The contents of the /etc/motd file are displayed to users after login andfunction as a message of the day for authenticated users. Rationale If the /etc/motd filedoes not have the correct ownership it could be modified by unauthorized users withincorrect or misleading information.

RecommendationRun the following commands to set permissions on /etc/motd: # chown root:root /etc/motd# chmod 644 /etc/motd


2.2.2 Ensure X Window System is not installed

SeverityHigh

DescriptionDescription The X Window System provides a Graphical User Interface (GUI) whereusers can have multiple windows in which to run programs and various add on. The XWindows system is typically used on workstations where users login, but not on serverswhere users typically do not login. Rationale Unless your organization specifically


2019-02-11 21:56:40 UTC

requires graphical login access via X Windows, remove it to reduce the potential attacksurface.

RecommendationRun the following command to remove the X Windows System packages: apt-getremove xserver-xorg*


2.2.3 Ensure Avahi Server is not enabled

SeverityHigh

DescriptionDescription Avahi is a free zeroconf implementation, including a system for multicastDNS/DNS-SD service discovery. Avahi allows programs to publish and discoverservices and hosts running on a local network with no specific configuration. Forexample, a user can plug a computer into a network and Avahi automatically findsprinters to print to, files to look at and people to talk to, as well as network servicesrunning on the machine. Rationale Automatic discovery of network services is notnormally required for system functionality. It is recommended to disable the service toreduce the potential attach surface.

RecommendationRemove or comment out start lines in /etc/init/avahi-daemon.conf: #start on runlevel[2345]


2.2.4 Ensure CUPS is not enabled

SeverityHigh

DescriptionDescription The Common Unix Print System (CUPS) provides the ability to print toboth local and network printers. A system running CUPS can also accept print jobs from


2019-02-11 21:56:40 UTC

remote systems and print them to local printers. It also provides a web based remoteadministration capability. Rationale If the system does not need to print jobs or acceptprint jobs from other systems, it is recommended that CUPS be disabled to reduce thepotential attack surface.

RecommendationRemove or comment out start lines in /etc/init/cups.conf: #start on runlevel [2345]Impact: Disabling CUPS will prevent printing from the system, a common task forworkstation systems.


2.3.4 Ensure telnet client is not installed

SeverityHigh

DescriptionDescription The telnet package contains the telnet client, which allows users to startconnections to other systems via the telnet protocol. Rationale The telnet protocol isinsecure and unencrypted. The use of an unencrypted transmission medium could allowan unauthorized user to steal credentials. The ssh package provides an encrypted sessionand stronger security and is included in most Linux distributions.

RecommendationRun the following command to uninstall telnet: # apt-get remove telnet Impact: Manyinsecure service clients are used as troubleshooting tools and in testing environments.Uninstalling them can inhibit capability to test and troubleshoot. If they are required it isadvisable to remove the clients after use to prevent accidental or intentional misuse.


3.1.2 Ensure packet redirect sending is disabled

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description ICMP Redirects are used to send routing information to other hosts. As ahost itself does not act as a router (in a host only configuration), there is no need to sendredirects. Rationale An attacker could use a compromised host to send invalid ICMPredirects to other router devices in an attempt to corrupt routing and have users access asystem set up by the attacker as opposed to a valid system.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0 Run the following commands to set theactive kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0# sysctl -w net.ipv4.conf.default.send_redirects=0# sysctl -w net.ipv4.route.flush=1


3.2.1 Ensure source routed packets are not accepted

SeverityHigh

DescriptionDescription In networking, source routing allows a sender to partially or fully specifythe route packets take through a network. In contrast, non-source routed packets travel apath determined by routers in the network. In some cases, systems may not be routableor reachable from some locations (e.g. private addresses vs. Internet routable), andso source routed packets would need to be used. Rationale Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disablesthe system from accepting source routed packets. Assume this system was capable ofrouting packets to Internet routable addresses on one interface and private addresses onanother interface. Assume that the private addresses were not routable to the Internetroutable addresses and vice versa. Under normal routing circumstances, an attackerfrom the Internet routable addresses could not use the system as a way to reach theprivate address systems. If, however, source routed packets were allowed, they could beused to gain access to the private address systems as the route could be specified, ratherthan rely on routing protocols that did not allow this routing.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0 Run the following commands to


2019-02-11 21:56:40 UTC

set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0#sysctl -w net.ipv4.conf.default.accept_source_route=0# sysctl -w net.ipv4.route.flush=1


3.2.2 Ensure ICMP redirects are not accepted

SeverityHigh

DescriptionDescription ICMP redirect messages are packets that convey routing information andtell your host (acting as a router) to send packets via an alternate path. It is a way ofallowing an outside routing device to update your system routing tables. By settingnet.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirectmessages, and therefore, won't allow outsiders to update the system's routing tables.Rationale Attackers could use bogus ICMP redirect messages to maliciously alter thesystem routing tables and get them to send packets to incorrect networks and allow yoursystem packets to be captured.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set theactive kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0# sysctl -w net.ipv4.conf.default.accept_redirects=0# sysctl -w net.ipv4.route.flush=1


3.2.3 Ensure secure ICMP redirects are not accepted

SeverityHigh

DescriptionDescription Secure ICMP redirects are the same as ICMP redirects, except they comefrom gateways listed on the default gateway list. It is assumed that these gateways areknown to your system, and that they are likely to be secure. Rationale It is still possiblefor even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirec


2019-02-11 21:56:40 UTC

ts to 0 protects the system from routing table updates by possibly compromised knowngateways.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.secure_redirects = 0net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set theactive kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0# sysctl -w net.ipv4.conf.default.secure_redirects=0# sysctl -w net.ipv4.route.flush=1


3.2.4 Ensure suspicious packets are logged

SeverityHigh

DescriptionDescription When enabled, this feature logs packets with un-routable source addressesto the kernel log. Rationale Enabling this feature and logging these packets allows anadministrator to investigate the possibility that an attacker is sending spoofed packets totheir system.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.log_martians =1net.ipv4.conf.default.log_martians = 1 Run the following commands to set the activekernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1# sysctl -w net.ipv4.conf.default.log_martians=1# sysctl -w net.ipv4.route.flush=1


3.3.1 Ensure IPv6 router advertisements are not accepted


DescriptionDescription This setting disables the system's ability to accept IPv6 routeradvertisements. Rationale It is recommended that systems not accept router


2019-02-11 21:56:40 UTC

advertisements as they could be tricked into routing traffic to compromised machines.Setting hard routes within the system (usually a single default route to a trusted router)protects the system from bad routes.

RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv6.conf.all.accept_ra =0net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the activekernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0# sysctl -w net.ipv6.conf.default.accept_ra=0# sysctl -w net.ipv6.route.flush=1


3.3.2 Ensure IPv6 redirects are not accepted


DescriptionDescription This setting prevents the system from accepting ICMP redirects. ICMPredirects tell the system about alternate routes for sending traffic. Rationale It isrecommended that systems not accept ICMP redirects as they could be tricked intorouting traffic to compromised machines. Setting hard routes within the system (usuallya single default route to a trusted router) protects the system from bad routes.



3.3.3 Ensure IPv6 is disabled


Description


2019-02-11 21:56:40 UTC

Description Although IPv6 has many advantages over IPv4, few organizations haveimplemented IPv6. Rationale If IPv6 is not to be used, it is recommended that it bedisabled to reduce the attack surface of the system.

RecommendationEdit /etc/default/grub and add ' ipv6.disable=1' to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="ipv6.disable=1" Run the following command to update thegrub2 configuration: # update-grub


3.4.3 Ensure /etc/hosts.deny is configured

SeverityHigh

DescriptionDescription The /etc/hosts.deny file specifies which IP addresses are not permitted toconnect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.Rationale The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system.

RecommendationRun the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny


3.5.1 Ensure DCCP is disabled


DescriptionDescription The Datagram Congestion Control Protocol (DCCP) is a transport layerprotocol that supports streaming media and telephony. DCCP provides a way to gainaccess to congestion control, without having to do it at the application layer, but


2019-02-11 21:56:40 UTC

does not provide in-sequence delivery. Rationale If the protocol is not required, it isrecommended that the drivers not be installed to reduce the potential attack surface.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: installdccp /bin/true


3.5.2 Ensure SCTP is disabled


DescriptionDescription The Stream Control Transmission Protocol (SCTP) is a transport layerprotocol used to support message oriented communication, with several streams ofmessages in one connection. It serves a similar function as TCP and UDP, incorporatingfeatures of both. It is message-oriented like UDP, and ensures reliable in-sequencetransport of messages with congestion control like TCP. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true


3.5.3 Ensure RDS is disabled


DescriptionDescription The Reliable Datagram Sockets (RDS) protocol is a transport layer protocoldesigned to provide low-latency, high-bandwidth communications between clusternodes. It was developed by the Oracle Corporation. Rationale If the protocol is not


2019-02-11 21:56:40 UTC

being used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true


3.5.4 Ensure TIPC is disabled


DescriptionDescription The Transparent Inter-Process Communication (TIPC) protocol is designedto provide communication between cluster nodes. Rationale If the protocol is not beingused, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.

RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true


3.6.2 Ensure default deny firewall policy

SeverityHigh

DescriptionDescription A default deny all policy on connections ensures that any unconfigurednetwork usage will be rejected. Rationale With a default accept policy the firewall willaccept any packet that is not configured to be denied. It is easier to white list acceptableusage than to black list unacceptable usage.

Recommendation


2019-02-11 21:56:40 UTC

Run the following commands to implement a default DROP policy: # iptables -PINPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP


3.6.3 Ensure loopback traffic is configured

SeverityHigh

DescriptionDescription Configure the loopback interface to accept traffic. Configure all otherinterfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale Loopbacktraffic is generated between processes on machine and is typically critical to operationof the system. The loopback interface is the only place that loopback network(127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on thisnetwork as an anti-spoofing measure.

RecommendationRun the following commands to implement the loopback rules: # iptables -A INPUT-i lo -j ACCEPT# iptables -A OUTPUT -o lo -j ACCEPT# iptables -A INPUT -s127.0.0.0/8 -j DROP


3.6.5 Ensure firewall rules exist for all open ports

SeverityHigh

DescriptionDescription Any ports that have been opened on non-loopback addresses need firewallrules to govern traffic. Rationale Without a firewall rule configured for open portsdefault firewall policy will drop all packets to these ports.

Recommendation


2019-02-11 21:56:40 UTC

For each port identified in the audit which does not have a firewall rule establish aproper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT


4.2.4 Ensure permissions on all logfiles are configured

SeverityHigh

DescriptionDescription Log files stored in /var/log/ contain logged information from many serviceson the system, or on log hosts others as well. Rationale It is important to ensure that logfiles have the correct permissions to ensure that sensitive data is archived and protected.

RecommendationRun the following command to set permissions on all existing log files: # chmod -R g-wx,o-rwx /var/log/*


4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

SeverityHigh

DescriptionDescription The rsyslog utility supports the ability to send logs it gathers to a remotelog host running syslogd(8) or to receive messages from remote hosts, reducingadministrative overhead. Rationale Storing log data on a remote host protects logintegrity from local attacks. If an attacker gains root access on the local system, theycould tamper with or remove log data that is stored on the local system

RecommendationEdit the /etc/rsyslog.conf file and add the following line (where loghost.example.comis the name of your central log host). *.* @@loghost.example.com Run the followingcommand to restart rsyslog: # pkill -HUP rsyslogd


2019-02-11 21:56:40 UTC


5.6 Ensure access to the su command is restricted

SeverityHigh

DescriptionDescription The su command allows a user to run a command or shell as another user.The program has been superseded by sudo, which allows for more granular controlover privileged access. Normally, the su command can be executed by any user. Byuncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will onlyallow users in the wheel group to execute su. Rationale Restricting the use of su, andusing sudo in its place, provides system administrators better control of the escalation ofuser privileges to execute privileged commands. The sudo utility also provides a betterlogging and audit mechanism, as it can log each command executed via sudo, whereassu can only record that a user executed the su program.

RecommendationAdd the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uidCreate a comma separated list of users in the wheel statement in the /etc/group file:wheel:x:10:root,<user list>


5.1.2 Ensure permissions on /etc/crontab are configured

SeverityHigh

DescriptionDescription The /etc/crontab file is used by cron to control its own jobs. The commandsin this item make sure that root is the user and group owner of the file and that only theowner can access the file. Rationale This file contains information on what system jobsare run by cron. Write access to these files could provide unprivileged users with theability to elevate their privileges. Read access to these files could provide users with the


2019-02-11 21:56:40 UTC

ability to gain insight on system jobs that run on the system and could provide them away to gain unauthorized privileged access.

RecommendationRun the following commands to set ownership and permissions on /etc/crontab: #chown root:root /etc/crontab# chmod og-rwx /etc/crontab


5.1.3 Ensure permissions on /etc/cron.hourly are configured

SeverityHigh

DescriptionDescription This directory contains system cron jobs that need to run on an hourlybasis. The files in this directory cannot be manipulated by the crontab command, butare instead edited by system administrators using a text editor. The commands belowrestrict read/write and search access to user and group root, preventing regular usersfrom accessing this directory. Rationale Granting write access to this directory fornon-privileged users could provide them the means for gaining unauthorized elevatedprivileges. Granting read access to this directory could give an unprivileged user insightin how to gain elevated privileges or circumvent auditing controls.

RecommendationRun the following commands to set ownership and permissions on /etc/cron.hourly: #chown root:root /etc/cron.hourly# chmod og-rwx /etc/cron.hourly


5.1.4 Ensure permissions on /etc/cron.daily are configured

SeverityHigh

DescriptionDescription The /etc/cron.daily directory contains system cron jobs that need to run ona daily basis. The files in this directory cannot be manipulated by the crontab command,


2019-02-11 21:56:40 UTC

but are instead edited by system administrators using a text editor. The commandsbelow restrict read/write and search access to user and group root, preventing regularusers from accessing this directory. Rationale Granting write access to this directory fornon-privileged users could provide them the means for gaining unauthorized elevatedprivileges. Granting read access to this directory could give an unprivileged user insightin how to gain elevated privileges or circumvent auditing controls.

RecommendationRun the following commands to set ownership and permissions on /etc/cron.daily: #chown root:root /etc/cron.daily# chmod og-rwx /etc/cron.daily


5.1.5 Ensure permissions on /etc/cron.weekly are configured

SeverityHigh

DescriptionDescription The /etc/cron.weekly directory contains system cron jobs that needto run on a weekly basis. The files in this directory cannot be manipulated by thecrontab command, but are instead edited by system administrators using a text editor.The commands below restrict read/write and search access to user and group root,preventing regular users from accessing this directory. Rationale Granting write accessto this directory for non-privileged users could provide them the means for gainingunauthorized elevated privileges. Granting read access to this directory could give anunprivileged user insight in how to gain elevated privileges or circumvent auditingcontrols.

RecommendationRun the following commands to set ownership and permissions on /etc/cron.weekly: #chown root:root /etc/cron.weekly# chmod og-rwx /etc/cron.weekly


5.1.6 Ensure permissions on /etc/cron.monthly are configured

Severity


2019-02-11 21:56:40 UTC

High

DescriptionDescription The /etc/cron.monthly directory contains system cron jobs that needto run on a monthly basis. The files in this directory cannot be manipulated by thecrontab command, but are instead edited by system administrators using a text editor.The commands below restrict read/write and search access to user and group root,preventing regular users from accessing this directory. Rationale Granting write accessto this directory for non-privileged users could provide them the means for gainingunauthorized elevated privileges. Granting read access to this directory could give anunprivileged user insight in how to gain elevated privileges or circumvent auditingcontrols.

RecommendationRun the following commands to set ownership and permissions on /etc/cron.monthly: #chown root:root /etc/cron.monthly# chmod og-rwx /etc/cron.monthly


5.1.7 Ensure permissions on /etc/cron.d are configured

SeverityHigh

DescriptionDescription The /etc/cron.d directory contains system cron jobs that need to run in asimilar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, butrequire more granular control as to when they run. The files in this directory cannot bemanipulated by the crontab command, but are instead edited by system administratorsusing a text editor. The commands below restrict read/write and search access to userand group root, preventing regular users from accessing this directory. RationaleGranting write access to this directory for non-privileged users could provide themthe means for gaining unauthorized elevated privileges. Granting read access to thisdirectory could give an unprivileged user insight in how to gain elevated privileges orcircumvent auditing controls.

Recommendation


2019-02-11 21:56:40 UTC

Run the following commands to set ownership and permissions on /etc/cron.d: # chownroot:root /etc/cron.d# chmod og-rwx /etc/cron.d


5.1.8 Ensure at/cron is restricted to authorized users

SeverityHigh

DescriptionDescription Configure /etc/cron.allow and /etc/at.allow to allow specific users to usethese services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed touse at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.alloware allowed to use at and cron. Note that even though a given user is not listed incron.allow, cron jobs can still be run as that user. The cron.allow file only controlsadministrative access to the crontab command for scheduling and modifying cron jobs.Rationale On many systems, only the system administrator is authorized to schedulecron jobs. Using the cron.allow file to control who can run cron jobs enforces thispolicy. It is easier to manage an allow list than a deny list. In a deny list, you couldpotentially add a user ID to the system and forget to add it to the deny files.

RecommendationRun the following commands to remove /etc/cron.deny and /etc/at.deny and createand set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny# rm /etc/at.deny# touch /etc/cron.allow# touch /etc/at.allow# chmod og-rwx /etc/cron.allow# chmod og-rwx /etc/at.allow# chown root:root /etc/cron.allow# chownroot:root /etc/at.allow


5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The /etc/ssh/sshd_config file contains configuration specifications for sshd.The command below sets the owner and group of the file to root. Rationale The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privilegedusers.

RecommendationRun the following commands to set ownership and permissions on /etc/ssh/sshd_config:# chown root:root /etc/ssh/sshd_config# chmod 600 /etc/ssh/sshd_config


5.2.4 Ensure SSH X11 forwarding is disabled

SeverityHigh

DescriptionDescription The X11Forwarding parameter provides the ability to tunnel X11 trafficthrough the connection to enable remote graphic connections. Rationale Disable X11forwarding unless there is an operational requirement to use X11 applications directly.There is a small risk that the remote X11 servers of users who are logged in via SSHwith X11 forwarding could be compromised by other users on the X11 server. Note thateven if X11 forwarding is disabled, users can always install their own forwarders.

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no


5.2.5 Ensure SSH MaxAuthTries is set to 4 or less

SeverityHigh

DescriptionDescription The MaxAuthTries parameter specifies the maximum number ofauthentication attempts permitted per connection. When the login failure count reacheshalf the number, error messages will be written to the syslog file detailing the login


2019-02-11 21:56:40 UTC

failure. Rationale Setting the MaxAuthTries parameter to a low number will minimizethe risk of successful brute force attacks to the SSH server. While the recommendedsetting is 4, set the number based on site policy.

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4


5.2.8 Ensure SSH root login is disabled

SeverityHigh

DescriptionDescription The PermitRootLogin parameter specifies if the root user can log in usingssh(1). The default is no. Rationale Disallowing root logins over SSH requires systemadmins to authenticate using their own individual account, then escalating to root viasudo or su. This in turn limits opportunity for non-repudiation and provides a clear audittrail in the event of a security incident

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no


5.2.10 Ensure SSH PermitUserEnvironment is disabled

SeverityHigh

DescriptionDescription The PermitUserEnvironment option allows users to present environmentoptions to the ssh daemon. Rationale Permitting users the ability to set environmentvariables through the SSH daemon could potentially allow users to bypass securitycontrols (e.g. setting an execution path that has ssh executing trojan'd programs)

Recommendation


2019-02-11 21:56:40 UTC

Edit the /etc/ssh/sshd_config file to set the parameter as follows:PermitUserEnvironment no


5.2.11 Ensure only approved MAC algorithms are used

SeverityHigh

DescriptionDescription This variable limits the types of MAC algorithms that SSH can use duringcommunication. Rationale MD5 and 96-bit MAC algorithms are considered weak andhave been shown to increase exploitability in SSH downgrade attacks. Weak algorithmscontinue to have a great deal of attention as a weak spot that can be exploited withexpanded computing power. An attacker that breaks the algorithm could take advantageof a MiTM position to decrypt the SSH tunnel and capture credentials and information

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]


5.2.12 Ensure SSH Idle Timeout Interval is configured

SeverityHigh

DescriptionDescription The two options ClientAliveInterval and ClientAliveCountMax controlthe timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessionsthat have no activity for the specified length of time are terminated. When theClientAliveCountMax variable is set, sshd will send client alive messages at everyClientAliveInterval interval. When the number of consecutive client alive messages aresent with no response from the client, the ssh session is terminated. For example, if theClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the


2019-02-11 21:56:40 UTC

client ssh session will be terminated after 45 seconds of idle time. Rationale Having notimeout value associated with a connection could allow an unauthorized user access toanother user's ssh session (e.g. user walks away from their computer and doesn't lockthe screen). Setting a timeout value at least reduces the risk of this happening.. Whilethe recommended setting is 300 seconds (5 minutes), set this timeout value based on sitepolicy. The recommended setting for ClientAliveCountMax is 0. In this case, the clientsession will be terminated after 5 minutes of idle time and no keepalive messages willbe sent.

RecommendationEdit the /etc/ssh/sshd_config file to set the parameters as follows: ClientAliveInterval300ClientAliveCountMax 0


5.2.13 Ensure SSH LoginGraceTime is set to one minute or less

SeverityHigh

DescriptionDescription The LoginGraceTime parameter specifies the time allowed for successfulauthentication to the SSH server. The longer the Grace period is the more openunauthenticated connections can exist. Like other session controls in this session theGrace Period should be limited to appropriate organizational limits to ensure the serviceis available for needed access. Rationale Setting the LoginGraceTime parameter to alow number will minimize the risk of successful brute force attacks to the SSH server.It will also limit the number of concurrent unauthenticated connections While therecommended setting is 60 seconds (1 Minute), set the number based on site policy.

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60


5.2.14 Ensure SSH access is limited

Severity


2019-02-11 21:56:40 UTC

High

DescriptionDescription There are several options available to limit which users and group canaccess the system via SSH. It is recommended that at least one of the following optionsbe leveraged: AllowUsers The AllowUsers variable gives the system administrator theoption of allowing specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. Ifa system administrator wants to restrict user access further by only allowing theallowed users to log in from a particular host, the entry can be specified in the form ofuser@host. AllowGroups The AllowGroups variable gives the system administratorthe option of allowing specific groups of users to ssh into the system. The list consistsof comma separated group names. Numeric group IDs are not recognized with thisvariable. DenyUsers The DenyUsers variable gives the system administrator theoption of denying specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. If asystem administrator wants to restrict user access further by specifically denying auser's access from a particular host, the entry can be specified in the form of [email protected] The DenyGroups variable gives the system administrator the option ofdenying specific groups of users to ssh into the system. The list consists of commaseparated group names. Numeric group IDs are not recognized with this variable.Rationale Restricting which users can remotely access the system via SSH will helpensure that only authorized users access the system.

RecommendationEdit the /etc/ssh/sshd_config file to set one or more of the parameter as follows:AllowUsers <userlist>AllowGroups <grouplist>DenyUsers <userlist>DenyGroups<grouplist>


5.2.15 Ensure SSH warning banner is configured

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The Banner parameter specifies a file whose contents must be sent to theremote user before authentication is permitted. By default, no banner is displayed.Rationale Banners are used to warn connecting users of the particular site's policyregarding connection. Presenting a warning message prior to the normal user login mayassist the prosecution of trespassers on the computer system.

RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net


5.3.1 Ensure password creation requirements are configured

SeverityHigh

DescriptionDescription The pam_pwquality.so module checks the strength of passwords. Itperforms checks such as making sure a password is not a dictionary word, it is a certainlength, contains a mix of characters (e.g. alphabet, numeric, other) and more. Thefollowing are definitions of the pam_pwquality.so options. try_first_pass - retrieve thepassword from a previous stacked PAM module. If not available, then prompt the userfor a password. retry=3 - Allow 3 tries before sending back a failure. The followingoptions are set in the /etc/security/pwquality.conf file: minlen=14 - password must be14 characters or moredcredit=-1 - provide at least one digitucredit=-1 - provide at leastone uppercase characterocredit=-1 - provide at least one special characterlcredit=-1- provide at least one lowercase character The settings shown above are one possiblepolicy. Alter these values to conform to your own organization's password policies.Rationale Strong passwords protect systems from being hacked through brute forcemethods.

RecommendationRun the following command to install the pam_pwquality module: apt-get installlibpam-pwquality Edit the /etc/pam.d/common-passwd file to include the appropriateoptions for pam_pwquality.so and to conform to site policy: password requisitepam_pwquality.so try_first_pass retry=3 Edit /etc/security/pwquality.conf to add orupdate the following settings to conform to site policy: minlen=14dcredit=-1ucredit=-1ocredit=-1lcredit=-1


2019-02-11 21:56:40 UTC


5.3.2 Ensure lockout for failed password attempts is configured


DescriptionDescription Lock out users after n unsuccessful consecutive login attempts. The firstsets of changes are made to the PAM configuration files. The second set of changes areapplied to the program specific PAM configuration file. The second set of changes mustbe applied to each program that will lock out users. Check the documentation for eachsecondary program for instructions on how to configure them to work with PAM. Setthe lockout number to the policy in effect at your site. Rationale Locking out user IDsafter n unsuccessful consecutive login attempts mitigates brute force password attacksagainst your systems.

RecommendationEdit the /etc/pam.d/common-auth file and add the auth line below: auth requiredpam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user hasbeen locked out because they have reached the maximum consecutive failure countdefined by deny= in the pam_tally2.so module, the user can be unlocked by issuing thecommand /sbin/pam_tally2 -u <username> --reset. This command sets the failed countto 0, effectively unlocking the user.


5.3.3 Ensure password reuse is limited

SeverityHigh

DescriptionDescription The /etc/security/opasswd file stores the users' old passwords and can bechecked to ensure that users are not recycling recent passwords. Rationale Forcing usersnot to reuse their past 5 passwords make it less likely that an attacker will be able to


2019-02-11 21:56:40 UTC

guess the password. Note that these change only apply to accounts configured on thelocal system.

RecommendationEdit the /etc/pam.d/common-password file to include the remember option and conformto site policy as shown: password sufficient pam_unix.so remember=5


5.4.2 Ensure system accounts are non-login

SeverityHigh

DescriptionDescription There are a number of accounts provided with Ubuntu that are used tomanage applications and are not intended to provide an interactive shell. Rationale Itis important to make sure that accounts that are not being used by regular users areprevented from being used to provide an interactive shell. By default, Ubuntu sets thepassword field for these accounts to an invalid string, but it is also recommended thatthe shell field in the password file be set to /sbin/nologin. This prevents the accountfrom potentially being used to run any commands.

RecommendationSet the shell for any accounts returned by the audit script to /usr/sbin/nologin: #usermod -s /usr/sbin/nologin <user> The following script will automatically set all usershells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users: #!/bin/bashfor user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do if [ $user != "root" ];then usermod -L $user if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user !="halt" ]; then usermod -s /usr/sbin/nologin $user fi fidone


5.4.4 Ensure default user umask is 027 or more restrictive

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionDescription The default umask determines the permissions of files created by users. Theuser creating the file has the discretion of making their files and directories readableby others via the chmod command. Users who wish to allow their files and directoriesto be readable by others by default may choose a different default umask by insertingthe umask command into the standard shell configuration files (.profile, .bashrc, etc.) intheir home directories. Rationale Setting a very secure default value for umask ensuresthat users make a conscious choice about their file permissions. A default umask settingof 077 causes files and directories created by users to not be readable by any other useron the system. A umask of 027 would make files and directories readable by users in thesame Unix group, while a umask of 022 would make files readable by every user on thesystem.

RecommendationEdit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any othershell supported on your system) and add or edit any umask parameters as follows:umask 027


5.4.5 Ensure default user shell timeout is 900 seconds or less

SeverityHigh

DescriptionDescription The default TMOUT determines the shell timeout for users. The TMOUTvalue is measured in seconds. Rationale Having no timeout value associated with a shellcould allow an unauthorized user access to another user's shell session (e.g. user walksaway from their computer and doesn't lock the screen). Setting a timeout value at leastreduces the risk of this happening.

RecommendationEdit the /etc/bashrc and /etc/profile files (and the appropriate files for any othershell supported on your system) and add or edit any umask parameters as follows:TMOUT=600

Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

5.4.1.1 Ensure password expiration is 90 days or less

SeverityHigh

DescriptionDescription The PASS_MAX_DAYS parameter in /etc/login.defs allows anadministrator to force passwords to expire once they reach a defined age. It isrecommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90days. Rationale The window of opportunity for an attacker to leverage compromisedcredentials or successfully compromise credentials via an online brute force attack islimited by the age of the password. Therefore, reducing the maximum age of a passwordalso reduces an attacker's window of opportunity.

RecommendationSet the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90Modify user parameters for all users with a password set to match: # chage --maxdays90 <user>


5.4.1.2 Ensure minimum days between password changes is 7 or more

SeverityHigh

DescriptionDescription The PASS_MIN_DAYS parameter in /etc/login.defs allows anadministrator to prevent users from changing their password until a minimum number ofdays have passed since the last time the user changed their password. It is recommendedthat PASS_MIN_DAYS parameter be set to 7 or more days. Rationale By restrictingthe frequency of password changes, an administrator can prevent users from repeatedlychanging their password in an attempt to circumvent password reuse controls.

Recommendation


2019-02-11 21:56:40 UTC

Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7Modify user parameters for all users with a password set to match: # chage --mindays 7<user>


5.4.1.4 Ensure inactive password lock is 30 days or less

SeverityHigh

DescriptionDescription User accounts that have been inactive for over a given period of time canbe automatically disabled. It is recommended that accounts that are inactive for 30days after password expiration be disabled. Rationale Inactive accounts pose a threat tosystem security since the users are not logging in to notice failed login attempts or otheranomalies.

RecommendationRun the following command to set the default password inactivity period to 30 days: #useradd -D -f 30 Modify user parameters for all users with a password set to match: #chage --inactive 30 <user>


6.2.1 Ensure password fields are not empty

SeverityHigh

DescriptionDescription An account with an empty password field means that anybody may log in asthat user without providing a password. Rationale All accounts must have passwords orbe locked to prevent the account from being used by an unauthorized user.

RecommendationIf any accounts in the /etc/shadow file do not have a password, run the followingcommand to lock the account until it can be determined why it does not have a


2019-02-11 21:56:40 UTC

password: # passwd -l <username> Also, check to see if the account is logged in andinvestigate what it is being used for to determine if it needs to be forced off.


6.2.7 Ensure all users' home directories exist

SeverityHigh

DescriptionDescription Users can be defined in /etc/passwd without a home directory or with ahome directory that does not actually exist. Rationale If the user's home directory doesnot exist or is unassigned, the user will be placed in "/" and will not be able to write anyfiles or have local environment variables set.

RecommendationIf any users' home directories do not exist, create them and make sure the respectiveuser owns the directory. Users without an assigned home directory should be removedor assigned a home directory as appropriate.


6.2.8 Ensure users' home directories permissions are 750 or more restrictive

SeverityHigh

DescriptionDescription While the system administrator can establish secure permissions for users'home directories, the users can easily override these. Rationale Group or world-writableuser home directories may enable malicious users to steal or modify other users' data orto gain another user's system privileges.

RecommendationMaking global modifications to user home directories without alerting the usercommunity can result in unexpected outages and unhappy users. Therefore, it is


2019-02-11 21:56:40 UTC

recommended that a monitoring policy be established to report user file permissions anddetermine the action to be taken in accordance with site policy.




SeverityHigh





SeverityHigh

DescriptionDescription The cramfs filesystem type is a compressed read-only Linux filesystemembedded in small footprint systems. A cramfs image can be used without havingto first decompress the image. Rationale Removing support for unneeded filesystemtypes reduces the local attack surface of the server. If this filesystem type is not needed,disable it.

Recommendation


2019-02-11 21:56:40 UTC

Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: installcramfs /bin/true



SeverityHigh





SeverityHigh

DescriptionDescription The jffs2 (journaling flash filesystem 2) filesystem type is a log-structuredfilesystem used in flash memory devices. Rationale Removing support for unneededfilesystem types reduces the local attack surface of the system. If this filesystem type isnot needed, disable it.




2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh


RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: installhfsplus /bin/true



SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh


RecommendationRun the following command to install AIDE: # apt-get install aide Configure AIDEas appropriate for your environment. Consult the AIDE documentation for options.Initialize AIDE: # aide --init



SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh


RecommendationRun the following commands to set permissions on your grub configuration: # chownroot:root /boot/grub/grub.cfg# chmod og-rwx /boot/grub/grub.cfg



SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Setting the boot loader password will require that anyone rebooting thesystem must enter a password before being able to set command line boot parametersRationale Requiring a boot password upon execution of the boot loader will prevent anunauthorized user from entering boot parameters or changing the boot partition. Thisprevents users from weakening security (e.g. turning off SELinux at boot time).




SeverityHigh

DescriptionDescription A core dump is the memory of an executable program. It is generallyused to determine why a program aborted. It can also be used to glean confidentialinformation from a core file. The system provides the ability to set a soft limit for coredumps, but this can be overridden by the user. Rationale Setting a hard limit on coredumps prevents users from overriding the soft variable. If core dumps are required,consider setting limits for user groups (see limits.conf(5)). In addition, setting thefs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.




2019-02-11 21:56:40 UTC







SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh

DescriptionDescription ICMP Redirects are used to send routing information to other hosts. As ahost itself does not act as a router (in a host only configuration), there is no need to sendredirects. Rationale An attacker could use a compromised host to send invalid ICMPredirects to other router devices in an attempt to corrupt routing and have users access asystem set up by the attacker as opposed to a valid system.


Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560


SeverityHigh


RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0 Run the following commands toset the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0#sysctl -w net.ipv4.conf.default.accept_source_route=0# sysctl -w net.ipv4.route.flush=1



SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description ICMP redirect messages are packets that convey routing information andtell your host (acting as a router) to send packets via an alternate path. It is a way ofallowing an outside routing device to update your system routing tables. By settingnet.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirectmessages, and therefore, won't allow outsiders to update the system's routing tables.Rationale Attackers could use bogus ICMP redirect messages to maliciously alter thesystem routing tables and get them to send packets to incorrect networks and allow yoursystem packets to be captured.




SeverityHigh

DescriptionDescription Secure ICMP redirects are the same as ICMP redirects, except they comefrom gateways listed on the default gateway list. It is assumed that these gateways areknown to your system, and that they are likely to be secure. Rationale It is still possiblefor even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised knowngateways.




2019-02-11 21:56:40 UTC


SeverityHigh






DescriptionDescription This setting disables the system's ability to accept IPv6 routeradvertisements. Rationale It is recommended that systems not accept routeradvertisements as they could be tricked into routing traffic to compromised machines.Setting hard routes within the system (usually a single default route to a trusted router)protects the system from bad routes.




2019-02-11 21:56:40 UTC








DescriptionDescription Although IPv6 has many advantages over IPv4, few organizations haveimplemented IPv6. Rationale If IPv6 is not to be used, it is recommended that it bedisabled to reduce the attack surface of the system.





2019-02-11 21:56:40 UTC

SeverityHigh






DescriptionDescription The Datagram Congestion Control Protocol (DCCP) is a transport layerprotocol that supports streaming media and telephony. DCCP provides a way to gainaccess to congestion control, without having to do it at the application layer, butdoes not provide in-sequence delivery. Rationale If the protocol is not required, it isrecommended that the drivers not be installed to reduce the potential attack surface.





Description


2019-02-11 21:56:40 UTC

Description The Stream Control Transmission Protocol (SCTP) is a transport layerprotocol used to support message oriented communication, with several streams ofmessages in one connection. It serves a similar function as TCP and UDP, incorporatingfeatures of both. It is message-oriented like UDP, and ensures reliable in-sequencetransport of messages with congestion control like TCP. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





DescriptionDescription The Reliable Datagram Sockets (RDS) protocol is a transport layer protocoldesigned to provide low-latency, high-bandwidth communications between clusternodes. It was developed by the Oracle Corporation. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





Description


2019-02-11 21:56:40 UTC

Description The Transparent Inter-Process Communication (TIPC) protocol is designedto provide communication between cluster nodes. Rationale If the protocol is not beingused, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.




SeverityHigh


RecommendationRun the following commands to implement a default DROP policy: # iptables -PINPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP



SeverityHigh

DescriptionDescription Configure the loopback interface to accept traffic. Configure all otherinterfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale Loopbacktraffic is generated between processes on machine and is typically critical to operationof the system. The loopback interface is the only place that loopback network


2019-02-11 21:56:40 UTC

(127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on thisnetwork as an anti-spoofing measure.




SeverityHigh


RecommendationFor each port identified in the audit which does not have a firewall rule establish aproper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT



SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Run the following command to set permissions on all existing log files: # chmod -R g-wx,o-rwx /var/log/*



SeverityHigh





SeverityHigh

DescriptionDescription The su command allows a user to run a command or shell as another user.The program has been superseded by sudo, which allows for more granular controlover privileged access. Normally, the su command can be executed by any user. Byuncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will onlyallow users in the wheel group to execute su. Rationale Restricting the use of su, andusing sudo in its place, provides system administrators better control of the escalation ofuser privileges to execute privileged commands. The sudo utility also provides a better


2019-02-11 21:56:40 UTC

logging and audit mechanism, as it can log each command executed via sudo, whereassu can only record that a user executed the su program.




SeverityHigh

DescriptionDescription The /etc/crontab file is used by cron to control its own jobs. The commandsin this item make sure that root is the user and group owner of the file and that only theowner can access the file. Rationale This file contains information on what system jobsare run by cron. Write access to these files could provide unprivileged users with theability to elevate their privileges. Read access to these files could provide users with theability to gain insight on system jobs that run on the system and could provide them away to gain unauthorized privileged access.




SeverityHigh

DescriptionDescription This directory contains system cron jobs that need to run on an hourlybasis. The files in this directory cannot be manipulated by the crontab command, but


2019-02-11 21:56:40 UTC

are instead edited by system administrators using a text editor. The commands belowrestrict read/write and search access to user and group root, preventing regular usersfrom accessing this directory. Rationale Granting write access to this directory fornon-privileged users could provide them the means for gaining unauthorized elevatedprivileges. Granting read access to this directory could give an unprivileged user insightin how to gain elevated privileges or circumvent auditing controls.




SeverityHigh

DescriptionDescription The /etc/cron.daily directory contains system cron jobs that need to run ona daily basis. The files in this directory cannot be manipulated by the crontab command,but are instead edited by system administrators using a text editor. The commandsbelow restrict read/write and search access to user and group root, preventing regularusers from accessing this directory. Rationale Granting write access to this directory fornon-privileged users could provide them the means for gaining unauthorized elevatedprivileges. Granting read access to this directory could give an unprivileged user insightin how to gain elevated privileges or circumvent auditing controls.




SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh



Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560


SeverityHigh


RecommendationRun the following commands to set ownership and permissions on /etc/cron.d: # chownroot:root /etc/cron.d# chmod og-rwx /etc/cron.d



SeverityHigh

DescriptionDescription Configure /etc/cron.allow and /etc/at.allow to allow specific users to usethese services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed touse at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.alloware allowed to use at and cron. Note that even though a given user is not listed incron.allow, cron jobs can still be run as that user. The cron.allow file only controlsadministrative access to the crontab command for scheduling and modifying cron jobs.


2019-02-11 21:56:40 UTC

Rationale On many systems, only the system administrator is authorized to schedulecron jobs. Using the cron.allow file to control who can run cron jobs enforces thispolicy. It is easier to manage an allow list than a deny list. In a deny list, you couldpotentially add a user ID to the system and forget to add it to the deny files.




SeverityHigh

DescriptionDescription The /etc/ssh/sshd_config file contains configuration specifications for sshd.The command below sets the owner and group of the file to root. Rationale The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privilegedusers.




SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The X11Forwarding parameter provides the ability to tunnel X11 trafficthrough the connection to enable remote graphic connections. Rationale Disable X11forwarding unless there is an operational requirement to use X11 applications directly.There is a small risk that the remote X11 servers of users who are logged in via SSHwith X11 forwarding could be compromised by other users on the X11 server. Note thateven if X11 forwarding is disabled, users can always install their own forwarders.




SeverityHigh

DescriptionDescription The MaxAuthTries parameter specifies the maximum number ofauthentication attempts permitted per connection. When the login failure count reacheshalf the number, error messages will be written to the syslog file detailing the loginfailure. Rationale Setting the MaxAuthTries parameter to a low number will minimizethe risk of successful brute force attacks to the SSH server. While the recommendedsetting is 4, set the number based on site policy.




SeverityHigh

DescriptionDescription The PermitRootLogin parameter specifies if the root user can log in usingssh(1). The default is no. Rationale Disallowing root logins over SSH requires system


2019-02-11 21:56:40 UTC

admins to authenticate using their own individual account, then escalating to root viasudo or su. This in turn limits opportunity for non-repudiation and provides a clear audittrail in the event of a security incident




SeverityHigh


RecommendationEdit the /etc/ssh/sshd_config file to set the parameter as follows:PermitUserEnvironment no



SeverityHigh



2019-02-11 21:56:40 UTC




SeverityHigh

DescriptionDescription The two options ClientAliveInterval and ClientAliveCountMax controlthe timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessionsthat have no activity for the specified length of time are terminated. When theClientAliveCountMax variable is set, sshd will send client alive messages at everyClientAliveInterval interval. When the number of consecutive client alive messages aresent with no response from the client, the ssh session is terminated. For example, if theClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, theclient ssh session will be terminated after 45 seconds of idle time. Rationale Having notimeout value associated with a connection could allow an unauthorized user access toanother user's ssh session (e.g. user walks away from their computer and doesn't lockthe screen). Setting a timeout value at least reduces the risk of this happening.. Whilethe recommended setting is 300 seconds (5 minutes), set this timeout value based on sitepolicy. The recommended setting for ClientAliveCountMax is 0. In this case, the clientsession will be terminated after 5 minutes of idle time and no keepalive messages willbe sent.





2019-02-11 21:56:40 UTC

SeverityHigh





SeverityHigh

DescriptionDescription There are several options available to limit which users and group canaccess the system via SSH. It is recommended that at least one of the following optionsbe leveraged: AllowUsers The AllowUsers variable gives the system administrator theoption of allowing specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. Ifa system administrator wants to restrict user access further by only allowing theallowed users to log in from a particular host, the entry can be specified in the form ofuser@host. AllowGroups The AllowGroups variable gives the system administratorthe option of allowing specific groups of users to ssh into the system. The list consistsof comma separated group names. Numeric group IDs are not recognized with thisvariable. DenyUsers The DenyUsers variable gives the system administrator theoption of denying specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. If asystem administrator wants to restrict user access further by specifically denying a


2019-02-11 21:56:40 UTC

user's access from a particular host, the entry can be specified in the form of [email protected] The DenyGroups variable gives the system administrator the option ofdenying specific groups of users to ssh into the system. The list consists of commaseparated group names. Numeric group IDs are not recognized with this variable.Rationale Restricting which users can remotely access the system via SSH will helpensure that only authorized users access the system.




SeverityHigh

DescriptionDescription The Banner parameter specifies a file whose contents must be sent to theremote user before authentication is permitted. By default, no banner is displayed.Rationale Banners are used to warn connecting users of the particular site's policyregarding connection. Presenting a warning message prior to the normal user login mayassist the prosecution of trespassers on the computer system.




SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The pam_pwquality.so module checks the strength of passwords. Itperforms checks such as making sure a password is not a dictionary word, it is a certainlength, contains a mix of characters (e.g. alphabet, numeric, other) and more. Thefollowing are definitions of the pam_pwquality.so options. try_first_pass - retrieve thepassword from a previous stacked PAM module. If not available, then prompt the userfor a password. retry=3 - Allow 3 tries before sending back a failure. The followingoptions are set in the /etc/security/pwquality.conf file: minlen=14 - password must be14 characters or moredcredit=-1 - provide at least one digitucredit=-1 - provide at leastone uppercase characterocredit=-1 - provide at least one special characterlcredit=-1- provide at least one lowercase character The settings shown above are one possiblepolicy. Alter these values to conform to your own organization's password policies.Rationale Strong passwords protect systems from being hacked through brute forcemethods.







2019-02-11 21:56:40 UTC




SeverityHigh

DescriptionDescription The /etc/security/opasswd file stores the users' old passwords and can bechecked to ensure that users are not recycling recent passwords. Rationale Forcing usersnot to reuse their past 5 passwords make it less likely that an attacker will be able toguess the password. Note that these change only apply to accounts configured on thelocal system.




SeverityHigh

DescriptionDescription There are a number of accounts provided with Ubuntu that are used tomanage applications and are not intended to provide an interactive shell. Rationale Itis important to make sure that accounts that are not being used by regular users areprevented from being used to provide an interactive shell. By default, Ubuntu sets the


2019-02-11 21:56:40 UTC

password field for these accounts to an invalid string, but it is also recommended thatthe shell field in the password file be set to /sbin/nologin. This prevents the accountfrom potentially being used to run any commands.




SeverityHigh



Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560


SeverityHigh





SeverityHigh




2019-02-11 21:56:40 UTC



SeverityHigh


RecommendationSet the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7Modify user parameters for all users with a password set to match: # chage --mindays 7<user>



SeverityHigh




2019-02-11 21:56:40 UTC



SeverityHigh


RecommendationIf any accounts in the /etc/shadow file do not have a password, run the followingcommand to lock the account until it can be determined why it does not have apassword: # passwd -l <username> Also, check to see if the account is logged in andinvestigate what it is being used for to determine if it needs to be forced off.



SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh


RecommendationMaking global modifications to user home directories without alerting the usercommunity can result in unexpected outages and unhappy users. Therefore, it isrecommended that a monitoring policy be established to report user file permissions anddetermine the action to be taken in accordance with site policy.



1.1.2 Ensure separate partition exists for /tmp

SeverityHigh

DescriptionDescription The /tmp directory is a world-writable directory used for temporary storageby all users and some applications. Rationale Since the /tmp directory is intended tobe world-writable, there is a risk of resource exhaustion if it is not bound to a separatepartition. In addition, making /tmp its own file system allows an administrator to set thenoexec option on the mount, making /tmp useless for an attacker to install executablecode. It would also prevent an attacker from establishing a hardlink to a system setuidprogram and wait for it to be updated. Once the program was updated, the hardlinkwould be broken and the attacker would have his own copy of the program. If theprogram happened to have a security vulnerability, the attacker could continue toexploit the known flaw.


2019-02-11 21:56:40 UTC

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /tmp. For systems that were previously installed, create a newpartition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is acommon activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.5 Ensure separate partition exists for /var

SeverityHigh

DescriptionDescription The /var directory is used by daemons and other system services totemporarily store dynamic data. Some directories created by these processes may beworld-writable. Rationale Since the /var directory may contain world-writable files anddirectories, there is a risk of resource exhaustion if it is not bound to a separate partition.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var. For systems that were previously installed, create a newpartition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is acommon activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.6 Ensure separate partition exists for /var/tmp

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionDescription The /var/tmp directory is a world-writable directory used for temporarystorage by all users and some applications. Rationale Since the /var/tmp directory isintended to be world-writable, there is a risk of resource exhaustion if it is not boundto a separate partition. In addition, making /var/tmp its own file system allows anadministrator to set the noexec option on the mount, making /var/tmp useless for anattacker to install executable code. It would also prevent an attacker from establishing ahardlink to a system setuid program and wait for it to be updated. Once the program wasupdated, the hardlink would be broken and the attacker would have his own copy of theprogram. If the program happened to have a security vulnerability, the attacker couldcontinue to exploit the known flaw.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var/tmp. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.10 Ensure separate partition exists for /var/log

SeverityHigh

DescriptionDescription The /var/log directory is used by system services to store log data .Rationale There are two important reasons to ensure that system logs are stored on aseparate partition: protection against resource exhaustion (since logs can grow quitelarge) and protection of audit data.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var/log. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is


2019-02-11 21:56:40 UTC

a common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.11 Ensure separate partition exists for /var/log/audit

SeverityHigh

DescriptionDescription The auditing daemon, auditd, stores log data in the /var/log/audit directory.Rationale There are two important reasons to ensure that data gathered by auditd isstored on a separate partition: protection against resource exhaustion (since the audit.logfile can grow quite large) and protection of audit data. The audit daemon calculates howmuch free space is left and performs actions based on the results. If other processes(such as syslog) consume space in the same partition as auditd, it may not perform asdesired.

RecommendationFor new installations, during installation create a custom partition setup and specify aseparate partition for /var/log/audit. For systems that were previously installed, createa new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.12 Ensure separate partition exists for /home

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The /home directory is used to support disk storage needs of local users.Rationale If the system is intended to support local users, create a separate partition forthe /home directory to protect against resource exhaustion and restrict the type of filesthat can be stored under /home.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /home. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.



SeverityHigh





SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh





SeverityHigh

DescriptionDescription The jffs2 (journaling flash filesystem 2) filesystem type is a log-structuredfilesystem used in flash memory devices. Rationale Removing support for unneeded


2019-02-11 21:56:40 UTC

filesystem types reduces the local attack surface of the system. If this filesystem type isnot needed, disable it.




SeverityHigh





SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: installhfsplus /bin/true



SeverityHigh





SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Run the following command to install AIDE: # apt-get install aide Configure AIDEas appropriate for your environment. Consult the AIDE documentation for options.Initialize AIDE: # aide --init



SeverityHigh





SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Run the following commands to set permissions on your grub configuration: # chownroot:root /boot/grub/grub.cfg# chmod og-rwx /boot/grub/grub.cfg



SeverityHigh





SeverityHigh

DescriptionDescription A core dump is the memory of an executable program. It is generallyused to determine why a program aborted. It can also be used to glean confidentialinformation from a core file. The system provides the ability to set a soft limit for coredumps, but this can be overridden by the user. Rationale Setting a hard limit on coredumps prevents users from overriding the soft variable. If core dumps are required,


2019-02-11 21:56:40 UTC

consider setting limits for user groups (see limits.conf(5)). In addition, setting thefs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.








2.2.2 Ensure X Window System is not installed

SeverityHigh

DescriptionDescription The X Window System provides a Graphical User Interface (GUI) whereusers can have multiple windows in which to run programs and various add on. The XWindows system is typically used on workstations where users login, but not on serverswhere users typically do not login. Rationale Unless your organization specifically


2019-02-11 21:56:40 UTC

requires graphical login access via X Windows, remove it to reduce the potential attacksurface.

RecommendationRun the following command to remove the X Windows System packages: apt-getremove xserver-xorg*



SeverityHigh





SeverityHigh

DescriptionDescription The Common Unix Print System (CUPS) provides the ability to print toboth local and network printers. A system running CUPS can also accept print jobs from


2019-02-11 21:56:40 UTC

remote systems and print them to local printers. It also provides a web based remoteadministration capability. Rationale If the system does not need to print jobs or acceptprint jobs from other systems, it is recommended that CUPS be disabled to reduce thepotential attack surface.




SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description ICMP Redirects are used to send routing information to other hosts. As ahost itself does not act as a router (in a host only configuration), there is no need to sendredirects. Rationale An attacker could use a compromised host to send invalid ICMPredirects to other router devices in an attempt to corrupt routing and have users access asystem set up by the attacker as opposed to a valid system.




SeverityHigh


RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0 Run the following commands to


2019-02-11 21:56:40 UTC

set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0#sysctl -w net.ipv4.conf.default.accept_source_route=0# sysctl -w net.ipv4.route.flush=1



SeverityHigh

DescriptionDescription ICMP redirect messages are packets that convey routing information andtell your host (acting as a router) to send packets via an alternate path. It is a way ofallowing an outside routing device to update your system routing tables. By settingnet.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirectmessages, and therefore, won't allow outsiders to update the system's routing tables.Rationale Attackers could use bogus ICMP redirect messages to maliciously alter thesystem routing tables and get them to send packets to incorrect networks and allow yoursystem packets to be captured.




SeverityHigh

DescriptionDescription Secure ICMP redirects are the same as ICMP redirects, except they comefrom gateways listed on the default gateway list. It is assumed that these gateways areknown to your system, and that they are likely to be secure. Rationale It is still possiblefor even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirec


2019-02-11 21:56:40 UTC

ts to 0 protects the system from routing table updates by possibly compromised knowngateways.




SeverityHigh






DescriptionDescription This setting disables the system's ability to accept IPv6 routeradvertisements. Rationale It is recommended that systems not accept router


2019-02-11 21:56:40 UTC

advertisements as they could be tricked into routing traffic to compromised machines.Setting hard routes within the system (usually a single default route to a trusted router)protects the system from bad routes.










Description


2019-02-11 21:56:40 UTC

Description Although IPv6 has many advantages over IPv4, few organizations haveimplemented IPv6. Rationale If IPv6 is not to be used, it is recommended that it bedisabled to reduce the attack surface of the system.




SeverityHigh






DescriptionDescription The Datagram Congestion Control Protocol (DCCP) is a transport layerprotocol that supports streaming media and telephony. DCCP provides a way to gainaccess to congestion control, without having to do it at the application layer, but


2019-02-11 21:56:40 UTC

does not provide in-sequence delivery. Rationale If the protocol is not required, it isrecommended that the drivers not be installed to reduce the potential attack surface.





DescriptionDescription The Stream Control Transmission Protocol (SCTP) is a transport layerprotocol used to support message oriented communication, with several streams ofmessages in one connection. It serves a similar function as TCP and UDP, incorporatingfeatures of both. It is message-oriented like UDP, and ensures reliable in-sequencetransport of messages with congestion control like TCP. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





DescriptionDescription The Reliable Datagram Sockets (RDS) protocol is a transport layer protocoldesigned to provide low-latency, high-bandwidth communications between clusternodes. It was developed by the Oracle Corporation. Rationale If the protocol is not


2019-02-11 21:56:40 UTC

being used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





DescriptionDescription The Transparent Inter-Process Communication (TIPC) protocol is designedto provide communication between cluster nodes. Rationale If the protocol is not beingused, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.




SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Run the following commands to implement a default DROP policy: # iptables -PINPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP



SeverityHigh

DescriptionDescription Configure the loopback interface to accept traffic. Configure all otherinterfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale Loopbacktraffic is generated between processes on machine and is typically critical to operationof the system. The loopback interface is the only place that loopback network(127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on thisnetwork as an anti-spoofing measure.




SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

For each port identified in the audit which does not have a firewall rule establish aproper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT


4.1.2 Ensure auditd service is enabled

SeverityHigh

DescriptionDescription Turn on the auditd daemon to record system events. Rationale Thecapturing of system events provides system administrators with information to allowthem to determine if unauthorized access to their system is occurring.

RecommendationRun the following command to enable auditd: # update-rc.d auditd enable


4.1.3 Ensure auditing for processes that start prior to auditd is enabled

SeverityHigh

DescriptionDescription Configure grub so that processes that are capable of being audited can beaudited even if they start up prior to auditd startup. Rationale Audit events need to becaptured on processes that start up prior to auditd, so that potential malicious activitycannot go undetected.

RecommendationEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:GRUB_CMDLINE_LINUX="audit=1" Run the following command to update thegrub2 configuration: # update-grub



2019-02-11 21:56:40 UTC

4.1.4 Ensure events that modify date and time information are collected

SeverityHigh

DescriptionDescription Capture events where the system date and/or time has been modified.The parameters in this section are set to determine if the adjtimex (tune kernel clock),settimeofday (Set time, using timeval and timezone structures) stime (using secondssince 1/1/1970) or clock_settime (allows for the setting of several internal clocks andtimers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change" RationaleUnexpected changes in system date and/or time could be a sign of malicious activity onthe system.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change-a always,exit -Farch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change For64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b64 -S adjtimex -S settimeofday -k time-change-a always,exit -F arch=b32-S adjtimex -S settimeofday -S stime -k time-change-a always,exit -F arch=b64 -Sclock_settime -k time-change-a always,exit -F arch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change


4.1.5 Ensure events that modify user/group information are collected

SeverityHigh

DescriptionDescription Record events affecting the group, passwd (user IDs), shadow and gshadow(passwords) or /etc/security/opasswd (old passwords, based on remember parameterin the PAM configuration) files. The parameters in this section will watch the files tosee if they have been opened for write or have had attribute changes (e.g. permissions)and tag them with the identifier "identity" in the audit log file. Rationale Unexpected


2019-02-11 21:56:40 UTC

changes to these files could be an indication that the system has been compromised andthat an unauthorized user is attempting to hide their activities or compromise additionalaccounts.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity-w /etc/passwd -p wa -k identity-w /etc/gshadow -p wa -k identity-w /etc/shadow -p wa -k identity-w /etc/security/opasswd -p wa -k identity


4.1.6 Ensure events that modify the system's network environment are collected

SeverityHigh

DescriptionDescription Record changes to network environment files or system calls. The belowparameters monitor the sethostname (set the systems host name) or setdomainname (setthe systems domainname) system calls, and write an audit event on system call exit.The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayedpre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations)files. Rationale Monitoring sethostname and setdomainname will identify potentialunauthorized changes to host and domainname of a system. The changing of thesenames could potentially break security parameters that are set based on those names.The /etc/hosts file is monitored for changes in the file that can indicate an unauthorizedintruder is trying to change machine associations with IP addresses and trick usersand processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trickusers into providing information to the intruder. Monitoring /etc/sysconfig/network isimportant as it can show if network interfaces or scripts are being modified in a way thatcan lead to the machine becoming unavailable or compromised. All audit records willbe tagged with the identifier "system-locale."

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -


2019-02-11 21:56:40 UTC

k system-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale-w /etc/networks -p wa -k system-localeFor 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b64 -S sethostname -S setdomainname -k system-locale-a always,exit -Farch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -ksystem-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale-w /etc/networks -p wa -k system-locale


4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected

SeverityHigh

DescriptionDescription Monitor SELinux/AppArmor mandatory access controls. The parametersbelow monitor any write access (potential additional, deletion or modification of filesin the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories. Rationale Changes to files in these directories could indicatethat an unauthorized user is attempting to modify access controls and change securitycontexts, leading to a compromise of the system.

RecommendationOn systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy On systems using AppArmor add the followingline to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy-w /etc/apparmor.d/ -p wa -k MAC-policy


4.1.8 Ensure login and logout events are collected

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Monitor login and logout events. The parameters below track changes tofiles associated with login/logout events. The file /var/log/faillog tracks failed eventsfrom login. The file /var/log/lastlog maintain records of the last time a user successfullylogged in. The file /var/log/tallylog maintains records of failures via the pam_tally2module Rationale Monitoring login/logout events could provide a system administratorwith information associated with brute force attacks against user logins.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -klogins-w /var/log/lastlog -p wa -k logins-w /var/log/tallylog -p wa -k logins


4.1.9 Ensure session initiation information is collected

SeverityHigh

DescriptionDescription Monitor session initiation events. The parameters in this section trackchanges to the files associated with session events. The file /var/run/utmp file tracksall currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown,and reboot events. All audit records will be tagged with the identifier "session." Thefile /var/log/btmp keeps track of failed login attempts and can be read by enteringthe command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with theidentifier "logins." Rationale Monitoring these files for changes could alert a systemadministrator to logins occurring at unusual hours, which could indicate intruder activity(i.e. a user logging in at a time when they do not normally log in).

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -ksession-w /var/log/wtmp -p wa -k logins-w /var/log/btmp -p wa -k logins


4.1.10 Ensure discretionary access control permission modification events are collected

Severity


2019-02-11 21:56:40 UTC

High

DescriptionDescription Monitor changes to file permissions, attributes, ownership and group. Theparameters in this section track changes for system calls that affect file permissionsand attributes. The chmod, fchmod and fchmodat system calls affect the permissionsassociated with a file. The chown, fchown, fchownat and lchown system calls affectowner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended fileattributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes)control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295).All audit records will be tagged with the identifier "perm_mod." Rationale Monitoringfor changes in file attributes could alert a system administrator to activity that couldindicate intruder activity or policy violation.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -Fauid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S setxattr-S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000-F auid!=4294967295 -k perm_mod For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat-F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -Schmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod-aalways,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S chown -S fchown -Sfchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit-F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -Sfremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -Sfremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod


4.1.11 Ensure unsuccessful unauthorized file access attempts are collected

Severity


2019-02-11 21:56:40 UTC

High

DescriptionDescription Monitor for unsuccessful attempts to access files. The parametersbelow are associated with system calls that control creation (creat), opening (open,openat) and truncation (truncate, ftruncate) of files. An audit log record will only bewritten if the user is a non-privileged user (auid > = 1000), is not a Daemon event(auid=4294967295) and if the system call returned EACCES (permission denied to thefile) or EPERM (some other permanent error associated with the specific system call).All audit records will be tagged with the identifier "access." Rationale Failed attemptsto open, create or truncate files could be an indication that an individual or process istrying to gain unauthorized access to the system.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate-S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-aalways,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -Fauid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -Struncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access


4.1.13 Ensure successful file system mounts are collected

SeverityHigh

DescriptionDescription Monitor the use of the mount system call. The mount (and umount) systemcall controls the mounting and unmounting of file systems. The parameters belowconfigure the system to create an audit record when the mount system call is used


2019-02-11 21:56:40 UTC

by a non-privileged user Rationale It is highly unusual for a non privileged user tomount file systems to the system. While tracking mount commands gives the systemadministrator evidence that external media may have been mounted (based on a reviewof the source of the mount and confirming it's an external media type), it does notconclusively indicate that data was exported to the media. System administrators whowish to determine if data were exported, would also have to track successful open, creatand truncate system calls requiring write access to a file under the mount point of theexternal media file system. This could give a fair indication that a write occurred. Theonly way to truly prove it, would be to track successful writes to the external media.Tracking write system calls could quickly fill up the audit log and is not recommended.Recommendations on configuration options to track data export to media is beyond thescope of this document.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bitsystems add the following lines to the /etc/audit/audit.rules file: -a always,exit -Farch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts-a always,exit -Farch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts


4.1.14 Ensure file deletion events by users are collected

SeverityHigh

DescriptionDescription Monitor the use of system calls associated with the deletion or renamingof files and file attributes. This configuration statement sets up monitoring for theunlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) andrenameat (rename a file attribute) system calls and tags them with the identifier "delete".Rationale Monitoring these calls from non-privileged users could provide a systemadministrator with evidence that inappropriate removal of files and file attributesassociated with protected files is occurring. While this audit option will look at allevents, system administrators will want to look for specific privileged files that arebeing deleted or altered.


2019-02-11 21:56:40 UTC

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat-F auid>=1000 -F auid!=4294967295 -k delete-a always,exit -F arch=b32 -S unlink -Sunlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete


4.1.15 Ensure changes to system administration scope (sudoers) is collected

SeverityHigh

DescriptionDescription Monitor scope changes for system administrations. If the system has beenproperly configured to force system administrators to log in as themselves first andthen use the sudo command to execute privileged commands, it is possible to monitorchanges in scope. The file /etc/sudoers will be written to when the file or its attributeshave changed. The audit records will be tagged with the identifier "scope." RationaleChanges in the /etc/sudoers file can indicate that an unauthorized change has been madeto scope of system administrator activity.

RecommendationAdd the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope-w /etc/sudoers.d/ -p wa -k scope


4.1.16 Ensure system administrator actions (sudolog) are collected

SeverityHigh

DescriptionDescription Monitor the sudo log file. If the system has been properly configured todisable the use of the su command and force all administrators to have to log in first


2019-02-11 21:56:40 UTC

and then use sudo to execute privileged commands, then all administrator commandswill be logged to /var/log/sudo.log. Any time a command is executed, an audit eventwill be triggered as the /var/log/sudo.log file will be opened for write and the executedadministration command will be written to the log. Rationale Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself hasbeen tampered with. Administrators will want to correlate the events written to the audittrail with the records written to /var/log/sudo.log to verify if unauthorized commandshave been executed.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -kactions


4.1.17 Ensure kernel module loading and unloading is collected

SeverityHigh

DescriptionDescription Monitor the loading and unloading of kernel modules. The programsinsmod (install a kernel module), rmmod (remove a kernel module), and modprobe(a more sophisticated program to load and unload modules, as well as some otherfeatures) control loading and unloading of modules. The init_module (load a module)and delete_module (delete a module) system calls control loading and unloading ofmodules. Any execution of the loading and unloading module programs and systemcalls will trigger an audit record with an identifier of "modules". Rationale Monitoringthe use of insmod, rmmod and modprobe could provide system administrators withevidence that an unauthorized user loaded or unloaded a kernel module, possiblycompromising the security of the system. Monitoring of the init_module anddelete_module system calls would reflect an unauthorized user attempting to use adifferent program to load and unload modules.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -kmodules-a always,exit arch=b32 -S init_module -S delete_module -k modules For 64


2019-02-11 21:56:40 UTC

bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -k modules-aalways,exit arch=b64 -S init_module -S delete_module -k modules


4.1.18 Ensure the audit configuration is immutable

SeverityHigh

DescriptionDescription Set system audit so that audit rules cannot be modified with auditctl. Settingthe flag "-e 2" forces audit to be put in immutable mode. Audit changes can only bemade on system reboot. Rationale In immutable mode, unauthorized users cannotexecute changes to the audit system to potentially hide malicious activity and then putthe audit rules back. Users would most likely notice a system reboot and that could alertadministrators of an attempt to make unauthorized audit changes.

RecommendationAdd the following line to the end of the/etc/audit/audit.rules file. -e 2


4.1.1.1 Ensure audit log storage size is configured


DescriptionDescription Configure the maximum size of the audit log file. Once the log reachesthe maximum size, it will be rotated and a new log file will be started. Rationale It isimportant that an appropriate size is determined for log files so that they do not impactthe system and audit data is not lost.

RecommendationSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:max_log_file = <MB>


2019-02-11 21:56:40 UTC


4.1.1.2 Ensure system is disabled when audit logs are full

SeverityHigh

DescriptionDescription The auditd daemon can be configured to halt the system when the audit logsare full. Rationale In high security contexts, the risk of detecting unauthorized access ornonrepudiation exceeds the benefit of the system's availability.

RecommendationSet the following parameters in /etc/audit/auditd.conf: space_left_action =emailaction_mail_acct = rootadmin_space_left_action = halt


4.1.1.3 Ensure audit logs are not automatically deleted

SeverityHigh

DescriptionDescription The max_log_file_action setting determines how to handle the audit log filereaching the max file size. A value of keep_logs will rotate the logs but never delete oldlogs. Rationale In high security contexts, the benefits of maintaining a long audit historyexceed the cost of storing the audit history.

RecommendationSet the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs



Severity


2019-02-11 21:56:40 UTC

High





SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The su command allows a user to run a command or shell as another user.The program has been superseded by sudo, which allows for more granular controlover privileged access. Normally, the su command can be executed by any user. Byuncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will onlyallow users in the wheel group to execute su. Rationale Restricting the use of su, andusing sudo in its place, provides system administrators better control of the escalation ofuser privileges to execute privileged commands. The sudo utility also provides a betterlogging and audit mechanism, as it can log each command executed via sudo, whereassu can only record that a user executed the su program.




SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh




2019-02-11 21:56:40 UTC



SeverityHigh





SeverityHigh

DescriptionDescription The /etc/cron.monthly directory contains system cron jobs that needto run on a monthly basis. The files in this directory cannot be manipulated by thecrontab command, but are instead edited by system administrators using a text editor.The commands below restrict read/write and search access to user and group root,preventing regular users from accessing this directory. Rationale Granting write accessto this directory for non-privileged users could provide them the means for gainingunauthorized elevated privileges. Granting read access to this directory could give an


2019-02-11 21:56:40 UTC

unprivileged user insight in how to gain elevated privileges or circumvent auditingcontrols.




SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Configure /etc/cron.allow and /etc/at.allow to allow specific users to usethese services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed touse at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.alloware allowed to use at and cron. Note that even though a given user is not listed incron.allow, cron jobs can still be run as that user. The cron.allow file only controlsadministrative access to the crontab command for scheduling and modifying cron jobs.Rationale On many systems, only the system administrator is authorized to schedulecron jobs. Using the cron.allow file to control who can run cron jobs enforces thispolicy. It is easier to manage an allow list than a deny list. In a deny list, you couldpotentially add a user ID to the system and forget to add it to the deny files.




SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh






2019-02-11 21:56:40 UTC

SeverityHigh





SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description This variable limits the types of MAC algorithms that SSH can use duringcommunication. Rationale MD5 and 96-bit MAC algorithms are considered weak andhave been shown to increase exploitability in SSH downgrade attacks. Weak algorithmscontinue to have a great deal of attention as a weak spot that can be exploited withexpanded computing power. An attacker that breaks the algorithm could take advantageof a MiTM position to decrypt the SSH tunnel and capture credentials and information




SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Edit the /etc/ssh/sshd_config file to set the parameters as follows: ClientAliveInterval300ClientAliveCountMax 0



SeverityHigh





SeverityHigh

DescriptionDescription There are several options available to limit which users and group canaccess the system via SSH. It is recommended that at least one of the following optionsbe leveraged: AllowUsers The AllowUsers variable gives the system administrator theoption of allowing specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. Ifa system administrator wants to restrict user access further by only allowing theallowed users to log in from a particular host, the entry can be specified in the form of


2019-02-11 21:56:40 UTC

user@host. AllowGroups The AllowGroups variable gives the system administratorthe option of allowing specific groups of users to ssh into the system. The list consistsof comma separated group names. Numeric group IDs are not recognized with thisvariable. DenyUsers The DenyUsers variable gives the system administrator theoption of denying specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. If asystem administrator wants to restrict user access further by specifically denying auser's access from a particular host, the entry can be specified in the form of [email protected] The DenyGroups variable gives the system administrator the option ofdenying specific groups of users to ssh into the system. The list consists of commaseparated group names. Numeric group IDs are not recognized with this variable.Rationale Restricting which users can remotely access the system via SSH will helpensure that only authorized users access the system.




SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh

DescriptionDescription The pam_pwquality.so module checks the strength of passwords. Itperforms checks such as making sure a password is not a dictionary word, it is a certainlength, contains a mix of characters (e.g. alphabet, numeric, other) and more. Thefollowing are definitions of the pam_pwquality.so options. try_first_pass - retrieve thepassword from a previous stacked PAM module. If not available, then prompt the userfor a password. retry=3 - Allow 3 tries before sending back a failure. The followingoptions are set in the /etc/security/pwquality.conf file: minlen=14 - password must be14 characters or moredcredit=-1 - provide at least one digitucredit=-1 - provide at leastone uppercase characterocredit=-1 - provide at least one special characterlcredit=-1- provide at least one lowercase character The settings shown above are one possiblepolicy. Alter these values to conform to your own organization's password policies.Rationale Strong passwords protect systems from being hacked through brute forcemethods.





DescriptionDescription Lock out users after n unsuccessful consecutive login attempts. The firstsets of changes are made to the PAM configuration files. The second set of changes are


2019-02-11 21:56:40 UTC

applied to the program specific PAM configuration file. The second set of changes mustbe applied to each program that will lock out users. Check the documentation for eachsecondary program for instructions on how to configure them to work with PAM. Setthe lockout number to the policy in effect at your site. Rationale Locking out user IDsafter n unsuccessful consecutive login attempts mitigates brute force password attacksagainst your systems.




SeverityHigh





Severity


2019-02-11 21:56:40 UTC

High





SeverityHigh



2019-02-11 21:56:40 UTC




SeverityHigh





SeverityHigh

DescriptionDescription The PASS_MAX_DAYS parameter in /etc/login.defs allows anadministrator to force passwords to expire once they reach a defined age. It isrecommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90days. Rationale The window of opportunity for an attacker to leverage compromisedcredentials or successfully compromise credentials via an online brute force attack is


2019-02-11 21:56:40 UTC

limited by the age of the password. Therefore, reducing the maximum age of a passwordalso reduces an attacker's window of opportunity.




SeverityHigh





SeverityHigh

DescriptionDescription User accounts that have been inactive for over a given period of time canbe automatically disabled. It is recommended that accounts that are inactive for 30


2019-02-11 21:56:40 UTC

days after password expiration be disabled. Rationale Inactive accounts pose a threat tosystem security since the users are not logging in to notice failed login attempts or otheranomalies.




SeverityHigh





SeverityHigh

DescriptionDescription Users can be defined in /etc/passwd without a home directory or with ahome directory that does not actually exist. Rationale If the user's home directory does


2019-02-11 21:56:40 UTC

not exist or is unassigned, the user will be placed in "/" and will not be able to write anyfiles or have local environment variables set.




SeverityHigh





1.1.2 Ensure separate partition exists for /tmp

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The /tmp directory is a world-writable directory used for temporary storageby all users and some applications. Rationale Since the /tmp directory is intended tobe world-writable, there is a risk of resource exhaustion if it is not bound to a separatepartition. In addition, making /tmp its own file system allows an administrator to set thenoexec option on the mount, making /tmp useless for an attacker to install executablecode. It would also prevent an attacker from establishing a hardlink to a system setuidprogram and wait for it to be updated. Once the program was updated, the hardlinkwould be broken and the attacker would have his own copy of the program. If theprogram happened to have a security vulnerability, the attacker could continue toexploit the known flaw.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /tmp. For systems that were previously installed, create a newpartition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is acommon activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.5 Ensure separate partition exists for /var

SeverityHigh

DescriptionDescription The /var directory is used by daemons and other system services totemporarily store dynamic data. Some directories created by these processes may beworld-writable. Rationale Since the /var directory may contain world-writable files anddirectories, there is a risk of resource exhaustion if it is not bound to a separate partition.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var. For systems that were previously installed, create a newpartition and configure /etc/fstab as appropriate. Impact: Resizing filesystems is acommon activity in cloud-hosted servers. Separate filesystem partitions may prevent


2019-02-11 21:56:40 UTC

successful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.6 Ensure separate partition exists for /var/tmp

SeverityHigh

DescriptionDescription The /var/tmp directory is a world-writable directory used for temporarystorage by all users and some applications. Rationale Since the /var/tmp directory isintended to be world-writable, there is a risk of resource exhaustion if it is not boundto a separate partition. In addition, making /var/tmp its own file system allows anadministrator to set the noexec option on the mount, making /var/tmp useless for anattacker to install executable code. It would also prevent an attacker from establishing ahardlink to a system setuid program and wait for it to be updated. Once the program wasupdated, the hardlink would be broken and the attacker would have his own copy of theprogram. If the program happened to have a security vulnerability, the attacker couldcontinue to exploit the known flaw.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var/tmp. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.10 Ensure separate partition exists for /var/log

Severity


2019-02-11 21:56:40 UTC

High

DescriptionDescription The /var/log directory is used by system services to store log data .Rationale There are two important reasons to ensure that system logs are stored on aseparate partition: protection against resource exhaustion (since logs can grow quitelarge) and protection of audit data.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /var/log. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.11 Ensure separate partition exists for /var/log/audit

SeverityHigh

DescriptionDescription The auditing daemon, auditd, stores log data in the /var/log/audit directory.Rationale There are two important reasons to ensure that data gathered by auditd isstored on a separate partition: protection against resource exhaustion (since the audit.logfile can grow quite large) and protection of audit data. The audit daemon calculates howmuch free space is left and performs actions based on the results. If other processes(such as syslog) consume space in the same partition as auditd, it may not perform asdesired.

RecommendationFor new installations, during installation create a custom partition setup and specify aseparate partition for /var/log/audit. For systems that were previously installed, createa new partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may prevent


2019-02-11 21:56:40 UTC

successful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.


1.1.12 Ensure separate partition exists for /home

SeverityHigh

DescriptionDescription The /home directory is used to support disk storage needs of local users.Rationale If the system is intended to support local users, create a separate partition forthe /home directory to protect against resource exhaustion and restrict the type of filesthat can be stored under /home.

RecommendationFor new installations, during installation create a custom partition setup and specifya separate partition for /home. For systems that were previously installed, create anew partition and configure /etc/fstab as appropriate. Impact: Resizing filesystems isa common activity in cloud-hosted servers. Separate filesystem partitions may preventsuccessful resizing, or may require the installation of additional tools solely for thepurpose of resizing operations. The use of these additional tools may introduce theirown security considerations.



SeverityHigh



2019-02-11 21:56:40 UTC




SeverityHigh





SeverityHigh


Recommendation


2019-02-11 21:56:40 UTC

Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: installfreevxfs /bin/true



SeverityHigh

DescriptionDescription The jffs2 (journaling flash filesystem 2) filesystem type is a log-structuredfilesystem used in flash memory devices. Rationale Removing support for unneededfilesystem types reduces the local attack surface of the system. If this filesystem type isnot needed, disable it.




SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh


RecommendationEdit or create the file /etc/modprobe.d/CIS.conf and add the following line: installhfsplus /bin/true



SeverityHigh






2019-02-11 21:56:40 UTC

SeverityHigh


RecommendationRun the following command to install AIDE: # apt-get install aide Configure AIDEas appropriate for your environment. Consult the AIDE documentation for options.Initialize AIDE: # aide --init



SeverityHigh





SeverityHigh


2019-02-11 21:56:40 UTC


RecommendationRun the following commands to set permissions on your grub configuration: # chownroot:root /boot/grub/grub.cfg# chmod og-rwx /boot/grub/grub.cfg



SeverityHigh






2019-02-11 21:56:40 UTC

SeverityHigh

DescriptionDescription A core dump is the memory of an executable program. It is generallyused to determine why a program aborted. It can also be used to glean confidentialinformation from a core file. The system provides the ability to set a soft limit for coredumps, but this can be overridden by the user. Rationale Setting a hard limit on coredumps prevents users from overriding the soft variable. If core dumps are required,consider setting limits for user groups (see limits.conf(5)). In addition, setting thefs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.










2019-02-11 21:56:40 UTC

SeverityHigh





SeverityHigh

DescriptionDescription The Common Unix Print System (CUPS) provides the ability to print toboth local and network printers. A system running CUPS can also accept print jobs fromremote systems and print them to local printers. It also provides a web based remoteadministration capability. Rationale If the system does not need to print jobs or acceptprint jobs from other systems, it is recommended that CUPS be disabled to reduce thepotential attack surface.




2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh

DescriptionDescription ICMP Redirects are used to send routing information to other hosts. As ahost itself does not act as a router (in a host only configuration), there is no need to sendredirects. Rationale An attacker could use a compromised host to send invalid ICMPredirects to other router devices in an attempt to corrupt routing and have users access asystem set up by the attacker as opposed to a valid system.


Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560


SeverityHigh


RecommendationSet the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0 Run the following commands toset the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0#sysctl -w net.ipv4.conf.default.accept_source_route=0# sysctl -w net.ipv4.route.flush=1



SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description ICMP redirect messages are packets that convey routing information andtell your host (acting as a router) to send packets via an alternate path. It is a way ofallowing an outside routing device to update your system routing tables. By settingnet.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirectmessages, and therefore, won't allow outsiders to update the system's routing tables.Rationale Attackers could use bogus ICMP redirect messages to maliciously alter thesystem routing tables and get them to send packets to incorrect networks and allow yoursystem packets to be captured.




SeverityHigh

DescriptionDescription Secure ICMP redirects are the same as ICMP redirects, except they comefrom gateways listed on the default gateway list. It is assumed that these gateways areknown to your system, and that they are likely to be secure. Rationale It is still possiblefor even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised knowngateways.




2019-02-11 21:56:40 UTC


SeverityHigh






DescriptionDescription This setting disables the system's ability to accept IPv6 routeradvertisements. Rationale It is recommended that systems not accept routeradvertisements as they could be tricked into routing traffic to compromised machines.Setting hard routes within the system (usually a single default route to a trusted router)protects the system from bad routes.




2019-02-11 21:56:40 UTC








DescriptionDescription Although IPv6 has many advantages over IPv4, few organizations haveimplemented IPv6. Rationale If IPv6 is not to be used, it is recommended that it bedisabled to reduce the attack surface of the system.





2019-02-11 21:56:40 UTC

SeverityHigh






DescriptionDescription The Datagram Congestion Control Protocol (DCCP) is a transport layerprotocol that supports streaming media and telephony. DCCP provides a way to gainaccess to congestion control, without having to do it at the application layer, butdoes not provide in-sequence delivery. Rationale If the protocol is not required, it isrecommended that the drivers not be installed to reduce the potential attack surface.





Description


2019-02-11 21:56:40 UTC

Description The Stream Control Transmission Protocol (SCTP) is a transport layerprotocol used to support message oriented communication, with several streams ofmessages in one connection. It serves a similar function as TCP and UDP, incorporatingfeatures of both. It is message-oriented like UDP, and ensures reliable in-sequencetransport of messages with congestion control like TCP. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





DescriptionDescription The Reliable Datagram Sockets (RDS) protocol is a transport layer protocoldesigned to provide low-latency, high-bandwidth communications between clusternodes. It was developed by the Oracle Corporation. Rationale If the protocol is notbeing used, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.





Description


2019-02-11 21:56:40 UTC

Description The Transparent Inter-Process Communication (TIPC) protocol is designedto provide communication between cluster nodes. Rationale If the protocol is not beingused, it is recommended that kernel module not be loaded, disabling the service toreduce the potential attack surface.




SeverityHigh


RecommendationRun the following commands to implement a default DROP policy: # iptables -PINPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP



SeverityHigh

DescriptionDescription Configure the loopback interface to accept traffic. Configure all otherinterfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale Loopbacktraffic is generated between processes on machine and is typically critical to operationof the system. The loopback interface is the only place that loopback network


2019-02-11 21:56:40 UTC

(127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on thisnetwork as an anti-spoofing measure.




SeverityHigh


RecommendationFor each port identified in the audit which does not have a firewall rule establish aproper rule for accepting inbound connections: # iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT


4.1.2 Ensure auditd service is enabled

SeverityHigh

DescriptionDescription Turn on the auditd daemon to record system events. Rationale Thecapturing of system events provides system administrators with information to allowthem to determine if unauthorized access to their system is occurring.

RecommendationRun the following command to enable auditd: # update-rc.d auditd enable


2019-02-11 21:56:40 UTC


4.1.3 Ensure auditing for processes that start prior to auditd is enabled

SeverityHigh

DescriptionDescription Configure grub so that processes that are capable of being audited can beaudited even if they start up prior to auditd startup. Rationale Audit events need to becaptured on processes that start up prior to auditd, so that potential malicious activitycannot go undetected.

RecommendationEdit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:GRUB_CMDLINE_LINUX="audit=1" Run the following command to update thegrub2 configuration: # update-grub


4.1.4 Ensure events that modify date and time information are collected

SeverityHigh

DescriptionDescription Capture events where the system date and/or time has been modified.The parameters in this section are set to determine if the adjtimex (tune kernel clock),settimeofday (Set time, using timeval and timezone structures) stime (using secondssince 1/1/1970) or clock_settime (allows for the setting of several internal clocks andtimers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change" RationaleUnexpected changes in system date and/or time could be a sign of malicious activity onthe system.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change-a always,exit -F


2019-02-11 21:56:40 UTC

arch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change For64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b64 -S adjtimex -S settimeofday -k time-change-a always,exit -F arch=b32-S adjtimex -S settimeofday -S stime -k time-change-a always,exit -F arch=b64 -Sclock_settime -k time-change-a always,exit -F arch=b32 -S clock_settime -k time-change-w /etc/localtime -p wa -k time-change


4.1.5 Ensure events that modify user/group information are collected

SeverityHigh

DescriptionDescription Record events affecting the group, passwd (user IDs), shadow and gshadow(passwords) or /etc/security/opasswd (old passwords, based on remember parameterin the PAM configuration) files. The parameters in this section will watch the files tosee if they have been opened for write or have had attribute changes (e.g. permissions)and tag them with the identifier "identity" in the audit log file. Rationale Unexpectedchanges to these files could be an indication that the system has been compromised andthat an unauthorized user is attempting to hide their activities or compromise additionalaccounts.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity-w /etc/passwd -p wa -k identity-w /etc/gshadow -p wa -k identity-w /etc/shadow -p wa -k identity-w /etc/security/opasswd -p wa -k identity


4.1.6 Ensure events that modify the system's network environment are collected

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Record changes to network environment files or system calls. The belowparameters monitor the sethostname (set the systems host name) or setdomainname (setthe systems domainname) system calls, and write an audit event on system call exit.The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayedpre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations)files. Rationale Monitoring sethostname and setdomainname will identify potentialunauthorized changes to host and domainname of a system. The changing of thesenames could potentially break security parameters that are set based on those names.The /etc/hosts file is monitored for changes in the file that can indicate an unauthorizedintruder is trying to change machine associations with IP addresses and trick usersand processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trickusers into providing information to the intruder. Monitoring /etc/sysconfig/network isimportant as it can show if network interfaces or scripts are being modified in a way thatcan lead to the machine becoming unavailable or compromised. All audit records willbe tagged with the identifier "system-locale."

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -k system-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale-w /etc/networks -p wa -k system-localeFor 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b64 -S sethostname -S setdomainname -k system-locale-a always,exit -Farch=b32 -S sethostname -S setdomainname -k system-locale-w /etc/issue -p wa -ksystem-locale-w /etc/issue.net -p wa -k system-locale-w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale-w /etc/networks -p wa -k system-locale


4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Monitor SELinux/AppArmor mandatory access controls. The parametersbelow monitor any write access (potential additional, deletion or modification of filesin the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories. Rationale Changes to files in these directories could indicatethat an unauthorized user is attempting to modify access controls and change securitycontexts, leading to a compromise of the system.

RecommendationOn systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy On systems using AppArmor add the followingline to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy-w /etc/apparmor.d/ -p wa -k MAC-policy


4.1.8 Ensure login and logout events are collected

SeverityHigh

DescriptionDescription Monitor login and logout events. The parameters below track changes tofiles associated with login/logout events. The file /var/log/faillog tracks failed eventsfrom login. The file /var/log/lastlog maintain records of the last time a user successfullylogged in. The file /var/log/tallylog maintains records of failures via the pam_tally2module Rationale Monitoring login/logout events could provide a system administratorwith information associated with brute force attacks against user logins.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -klogins-w /var/log/lastlog -p wa -k logins-w /var/log/tallylog -p wa -k logins


4.1.9 Ensure session initiation information is collected

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionDescription Monitor session initiation events. The parameters in this section trackchanges to the files associated with session events. The file /var/run/utmp file tracksall currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown,and reboot events. All audit records will be tagged with the identifier "session." Thefile /var/log/btmp keeps track of failed login attempts and can be read by enteringthe command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with theidentifier "logins." Rationale Monitoring these files for changes could alert a systemadministrator to logins occurring at unusual hours, which could indicate intruder activity(i.e. a user logging in at a time when they do not normally log in).

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -ksession-w /var/log/wtmp -p wa -k logins-w /var/log/btmp -p wa -k logins


4.1.10 Ensure discretionary access control permission modification events are collected

SeverityHigh

DescriptionDescription Monitor changes to file permissions, attributes, ownership and group. Theparameters in this section track changes for system calls that affect file permissionsand attributes. The chmod, fchmod and fchmodat system calls affect the permissionsassociated with a file. The chown, fchown, fchownat and lchown system calls affectowner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended fileattributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes)control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295).All audit records will be tagged with the identifier "perm_mod." Rationale Monitoringfor changes in file attributes could alert a system administrator to activity that couldindicate intruder activity or policy violation.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -


2019-02-11 21:56:40 UTC

k perm_mod-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -Fauid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S setxattr-S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000-F auid!=4294967295 -k perm_mod For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat-F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -Schmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod-aalways,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S chown -S fchown -Sfchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit-F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -Sfremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -Sfremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod


4.1.11 Ensure unsuccessful unauthorized file access attempts are collected

SeverityHigh

DescriptionDescription Monitor for unsuccessful attempts to access files. The parametersbelow are associated with system calls that control creation (creat), opening (open,openat) and truncation (truncate, ftruncate) of files. An audit log record will only bewritten if the user is a non-privileged user (auid > = 1000), is not a Daemon event(auid=4294967295) and if the system call returned EACCES (permission denied to thefile) or EPERM (some other permanent error associated with the specific system call).All audit records will be tagged with the identifier "access." Rationale Failed attemptsto open, create or truncate files could be an indication that an individual or process istrying to gain unauthorized access to the system.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!


2019-02-11 21:56:40 UTC

=4294967295 -k access For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate-S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-aalways,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -Fauid!=4294967295 -k access-a always,exit -F arch=b32 -S creat -S open -S openat -Struncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access


4.1.13 Ensure successful file system mounts are collected

SeverityHigh

DescriptionDescription Monitor the use of the mount system call. The mount (and umount) systemcall controls the mounting and unmounting of file systems. The parameters belowconfigure the system to create an audit record when the mount system call is usedby a non-privileged user Rationale It is highly unusual for a non privileged user tomount file systems to the system. While tracking mount commands gives the systemadministrator evidence that external media may have been mounted (based on a reviewof the source of the mount and confirming it's an external media type), it does notconclusively indicate that data was exported to the media. System administrators whowish to determine if data were exported, would also have to track successful open, creatand truncate system calls requiring write access to a file under the mount point of theexternal media file system. This could give a fair indication that a write occurred. Theonly way to truly prove it, would be to track successful writes to the external media.Tracking write system calls could quickly fill up the audit log and is not recommended.Recommendations on configuration options to track data export to media is beyond thescope of this document.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bitsystems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F


2019-02-11 21:56:40 UTC

arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts-a always,exit -Farch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts


4.1.14 Ensure file deletion events by users are collected

SeverityHigh

DescriptionDescription Monitor the use of system calls associated with the deletion or renamingof files and file attributes. This configuration statement sets up monitoring for theunlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) andrenameat (rename a file attribute) system calls and tags them with the identifier "delete".Rationale Monitoring these calls from non-privileged users could provide a systemadministrator with evidence that inappropriate removal of files and file attributesassociated with protected files is occurring. While this audit option will look at allevents, system administrators will want to look for specific privileged files that arebeing deleted or altered.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit-F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat-F auid>=1000 -F auid!=4294967295 -k delete-a always,exit -F arch=b32 -S unlink -Sunlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete


4.1.15 Ensure changes to system administration scope (sudoers) is collected

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description Monitor scope changes for system administrations. If the system has beenproperly configured to force system administrators to log in as themselves first andthen use the sudo command to execute privileged commands, it is possible to monitorchanges in scope. The file /etc/sudoers will be written to when the file or its attributeshave changed. The audit records will be tagged with the identifier "scope." RationaleChanges in the /etc/sudoers file can indicate that an unauthorized change has been madeto scope of system administrator activity.

RecommendationAdd the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope-w /etc/sudoers.d/ -p wa -k scope


4.1.16 Ensure system administrator actions (sudolog) are collected

SeverityHigh

DescriptionDescription Monitor the sudo log file. If the system has been properly configured todisable the use of the su command and force all administrators to have to log in firstand then use sudo to execute privileged commands, then all administrator commandswill be logged to /var/log/sudo.log. Any time a command is executed, an audit eventwill be triggered as the /var/log/sudo.log file will be opened for write and the executedadministration command will be written to the log. Rationale Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself hasbeen tampered with. Administrators will want to correlate the events written to the audittrail with the records written to /var/log/sudo.log to verify if unauthorized commandshave been executed.

RecommendationAdd the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -kactions



2019-02-11 21:56:40 UTC

4.1.17 Ensure kernel module loading and unloading is collected

SeverityHigh

DescriptionDescription Monitor the loading and unloading of kernel modules. The programsinsmod (install a kernel module), rmmod (remove a kernel module), and modprobe(a more sophisticated program to load and unload modules, as well as some otherfeatures) control loading and unloading of modules. The init_module (load a module)and delete_module (delete a module) system calls control loading and unloading ofmodules. Any execution of the loading and unloading module programs and systemcalls will trigger an audit record with an identifier of "modules". Rationale Monitoringthe use of insmod, rmmod and modprobe could provide system administrators withevidence that an unauthorized user loaded or unloaded a kernel module, possiblycompromising the security of the system. Monitoring of the init_module anddelete_module system calls would reflect an unauthorized user attempting to use adifferent program to load and unload modules.

RecommendationFor 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -kmodules-a always,exit arch=b32 -S init_module -S delete_module -k modules For 64bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules-w /sbin/rmmod -p x -k modules-w /sbin/modprobe -p x -k modules-aalways,exit arch=b64 -S init_module -S delete_module -k modules


4.1.18 Ensure the audit configuration is immutable

SeverityHigh

DescriptionDescription Set system audit so that audit rules cannot be modified with auditctl. Settingthe flag "-e 2" forces audit to be put in immutable mode. Audit changes can only bemade on system reboot. Rationale In immutable mode, unauthorized users cannot


2019-02-11 21:56:40 UTC

execute changes to the audit system to potentially hide malicious activity and then putthe audit rules back. Users would most likely notice a system reboot and that could alertadministrators of an attempt to make unauthorized audit changes.

RecommendationAdd the following line to the end of the/etc/audit/audit.rules file. -e 2


4.1.1.1 Ensure audit log storage size is configured


DescriptionDescription Configure the maximum size of the audit log file. Once the log reachesthe maximum size, it will be rotated and a new log file will be started. Rationale It isimportant that an appropriate size is determined for log files so that they do not impactthe system and audit data is not lost.

RecommendationSet the following parameter in /etc/audit/auditd.conf in accordance with site policy:max_log_file = <MB>


4.1.1.2 Ensure system is disabled when audit logs are full

SeverityHigh

DescriptionDescription The auditd daemon can be configured to halt the system when the audit logsare full. Rationale In high security contexts, the risk of detecting unauthorized access ornonrepudiation exceeds the benefit of the system's availability.

RecommendationSet the following parameters in /etc/audit/auditd.conf: space_left_action =emailaction_mail_acct = rootadmin_space_left_action = halt


2019-02-11 21:56:40 UTC


4.1.1.3 Ensure audit logs are not automatically deleted

SeverityHigh

DescriptionDescription The max_log_file_action setting determines how to handle the audit log filereaching the max file size. A value of keep_logs will rotate the logs but never delete oldlogs. Rationale In high security contexts, the benefits of maintaining a long audit historyexceed the cost of storing the audit history.

RecommendationSet the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs



SeverityHigh





Severity


2019-02-11 21:56:40 UTC

High





SeverityHigh

DescriptionDescription The su command allows a user to run a command or shell as another user.The program has been superseded by sudo, which allows for more granular controlover privileged access. Normally, the su command can be executed by any user. Byuncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will onlyallow users in the wheel group to execute su. Rationale Restricting the use of su, andusing sudo in its place, provides system administrators better control of the escalation ofuser privileges to execute privileged commands. The sudo utility also provides a betterlogging and audit mechanism, as it can log each command executed via sudo, whereassu can only record that a user executed the su program.




2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh




2019-02-11 21:56:40 UTC



SeverityHigh





SeverityHigh

DescriptionDescription The /etc/cron.weekly directory contains system cron jobs that needto run on a weekly basis. The files in this directory cannot be manipulated by thecrontab command, but are instead edited by system administrators using a text editor.The commands below restrict read/write and search access to user and group root,preventing regular users from accessing this directory. Rationale Granting write accessto this directory for non-privileged users could provide them the means for gainingunauthorized elevated privileges. Granting read access to this directory could give an


2019-02-11 21:56:40 UTC

unprivileged user insight in how to gain elevated privileges or circumvent auditingcontrols.




SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The /etc/cron.d directory contains system cron jobs that need to run in asimilar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, butrequire more granular control as to when they run. The files in this directory cannot bemanipulated by the crontab command, but are instead edited by system administratorsusing a text editor. The commands below restrict read/write and search access to userand group root, preventing regular users from accessing this directory. RationaleGranting write access to this directory for non-privileged users could provide themthe means for gaining unauthorized elevated privileges. Granting read access to thisdirectory could give an unprivileged user insight in how to gain elevated privileges orcircumvent auditing controls.




SeverityHigh

DescriptionDescription Configure /etc/cron.allow and /etc/at.allow to allow specific users to usethese services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed touse at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.alloware allowed to use at and cron. Note that even though a given user is not listed incron.allow, cron jobs can still be run as that user. The cron.allow file only controlsadministrative access to the crontab command for scheduling and modifying cron jobs.Rationale On many systems, only the system administrator is authorized to schedulecron jobs. Using the cron.allow file to control who can run cron jobs enforces thispolicy. It is easier to manage an allow list than a deny list. In a deny list, you couldpotentially add a user ID to the system and forget to add it to the deny files.

RecommendationRun the following commands to remove /etc/cron.deny and /etc/at.deny and createand set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/


2019-02-11 21:56:40 UTC

cron.deny# rm /etc/at.deny# touch /etc/cron.allow# touch /etc/at.allow# chmod og-rwx /etc/cron.allow# chmod og-rwx /etc/at.allow# chown root:root /etc/cron.allow# chownroot:root /etc/at.allow



SeverityHigh





SeverityHigh




2019-02-11 21:56:40 UTC



SeverityHigh





SeverityHigh





2019-02-11 21:56:40 UTC


SeverityHigh





SeverityHigh






2019-02-11 21:56:40 UTC

SeverityHigh





SeverityHigh

DescriptionDescription The LoginGraceTime parameter specifies the time allowed for successfulauthentication to the SSH server. The longer the Grace period is the more openunauthenticated connections can exist. Like other session controls in this session theGrace Period should be limited to appropriate organizational limits to ensure the serviceis available for needed access. Rationale Setting the LoginGraceTime parameter to alow number will minimize the risk of successful brute force attacks to the SSH server.


2019-02-11 21:56:40 UTC

It will also limit the number of concurrent unauthenticated connections While therecommended setting is 60 seconds (1 Minute), set the number based on site policy.




SeverityHigh

DescriptionDescription There are several options available to limit which users and group canaccess the system via SSH. It is recommended that at least one of the following optionsbe leveraged: AllowUsers The AllowUsers variable gives the system administrator theoption of allowing specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. Ifa system administrator wants to restrict user access further by only allowing theallowed users to log in from a particular host, the entry can be specified in the form ofuser@host. AllowGroups The AllowGroups variable gives the system administratorthe option of allowing specific groups of users to ssh into the system. The list consistsof comma separated group names. Numeric group IDs are not recognized with thisvariable. DenyUsers The DenyUsers variable gives the system administrator theoption of denying specific users to ssh into the system. The list consists of commaseparated user names. Numeric user IDs are not recognized with this variable. If asystem administrator wants to restrict user access further by specifically denying auser's access from a particular host, the entry can be specified in the form of [email protected] The DenyGroups variable gives the system administrator the option ofdenying specific groups of users to ssh into the system. The list consists of commaseparated group names. Numeric group IDs are not recognized with this variable.Rationale Restricting which users can remotely access the system via SSH will helpensure that only authorized users access the system.

Recommendation


2019-02-11 21:56:40 UTC

Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows:AllowUsers <userlist>AllowGroups <grouplist>DenyUsers <userlist>DenyGroups<grouplist>



SeverityHigh





SeverityHigh

DescriptionDescription The pam_pwquality.so module checks the strength of passwords. Itperforms checks such as making sure a password is not a dictionary word, it is a certainlength, contains a mix of characters (e.g. alphabet, numeric, other) and more. Thefollowing are definitions of the pam_pwquality.so options. try_first_pass - retrieve thepassword from a previous stacked PAM module. If not available, then prompt the userfor a password. retry=3 - Allow 3 tries before sending back a failure. The followingoptions are set in the /etc/security/pwquality.conf file: minlen=14 - password must be14 characters or moredcredit=-1 - provide at least one digitucredit=-1 - provide at leastone uppercase characterocredit=-1 - provide at least one special characterlcredit=-1


2019-02-11 21:56:40 UTC

- provide at least one lowercase character The settings shown above are one possiblepolicy. Alter these values to conform to your own organization's password policies.Rationale Strong passwords protect systems from being hacked through brute forcemethods.








2019-02-11 21:56:40 UTC



SeverityHigh





SeverityHigh


RecommendationSet the shell for any accounts returned by the audit script to /usr/sbin/nologin: #usermod -s /usr/sbin/nologin <user> The following script will automatically set all usershells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users: #!/bin/


2019-02-11 21:56:40 UTC

bashfor user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do if [ $user != "root" ];then usermod -L $user if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user !="halt" ]; then usermod -s /usr/sbin/nologin $user fi fidone



SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description The default TMOUT determines the shell timeout for users. The TMOUTvalue is measured in seconds. Rationale Having no timeout value associated with a shellcould allow an unauthorized user access to another user's shell session (e.g. user walksaway from their computer and doesn't lock the screen). Setting a timeout value at leastreduces the risk of this happening.




SeverityHigh





SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh





SeverityHigh


2019-02-11 21:56:40 UTC





SeverityHigh





SeverityHigh

Description


2019-02-11 21:56:40 UTC

Description While the system administrator can establish secure permissions for users'home directories, the users can easily override these. Rationale Group or world-writableuser home directories may enable malicious users to steal or modify other users' data orto gain another user's system privileges.



4.2: Findings details - Common Vulnerabilities andExposures-1.1

CVE-2013-7447

SeverityMedium

DescriptionInteger overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c inGTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, andpossibly other applications, allows remote attackers to cause a denial of service (crash)via a large image file, which triggers a large memory allocation.

RecommendationUse your Operating System's update feature to update package thunar-0:1.6.3-1ubuntu5.For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447


CVE-2014-8625

Severity


2019-02-11 21:56:40 UTC

High

DescriptionMultiple format string vulnerabilities in the parse_error_msg function in parsehelp.cin dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) andpossibly execute arbitrary code via format string specifiers in the (1) package or (2)architecture name.

RecommendationUse your Operating System's update feature to update packagedpkg-0:1.17.5ubuntu5.8-0. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8625


CVE-2014-9939

SeverityHigh

Descriptionihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing badbytes in Intel Hex objects.

RecommendationUse your Operating System's update feature to update packagebinutils-0:2.24-5ubuntu14.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939


CVE-2015-1336

SeverityHigh

Description


2019-02-11 21:56:40 UTC

The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu andDebian allows local users with access to the man account to gain privileges via vectorsinvolving insecure chown use.

RecommendationUse your Operating System's update feature to update package man-db-0:2.6.7.1-1ubuntu1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1336


CVE-2015-5297

SeverityMedium

DescriptionAn integer overflow issue has been reported in the general_composite_rect() functionin pixman prior to version 0.32.8. An attacker could exploit this issue to cause anapplication using pixman to crash or, potentially, execute arbitrary code.

RecommendationUse your Operating System's update feature to update package libpixman-1-0-0:0.30.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5297


CVE-2015-8539

SeverityHigh

DescriptionThe KEYS subsystem in the Linux kernel before 4.4 allows local users to gainprivileges or cause a denial of service (BUG) via crafted keyctl commands thatnegatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c,security/keys/trusted.c, and security/keys/user_defined.c.


2019-02-11 21:56:40 UTC

RecommendationUse your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8539


CVE-2016-10708

SeverityHigh

Descriptionsshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULLpointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, asdemonstrated by Honggfuzz, related to kex.c and packet.c.

RecommendationUse your Operating System's update feature to update package openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10708


CVE-2016-2226

SeverityHigh

DescriptionInteger overflow in the string_appends function in cplus-dem.c in libiberty allowsremote attackers to execute arbitrary code via a crafted executable, which triggers abuffer overflow.

RecommendationUse your Operating System's update feature to update packagebinutils-0:2.24-5ubuntu14.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226


2019-02-11 21:56:40 UTC


CVE-2016-4484

SeverityHigh

DescriptionThe Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allowsphysically proximate attackers to gain shell access via many log in attempts with aninvalid password.

RecommendationUse your Operating System's update feature to update packagecryptsetup-2:1.6.1-1ubuntu1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484


CVE-2016-5011

SeverityMedium

DescriptionThe parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memoryconsumption) via a crafted MSDOS partition table with an extended partition bootrecord at zero offset.

RecommendationUse your Operating System's update feature to update package util-linux-0:2.20.1-5.1ubuntu20.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011



2019-02-11 21:56:40 UTC

CVE-2016-7913

SeverityHigh

DescriptionThe xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linuxkernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain datastructure.



CVE-2016-9588

SeverityMedium

Descriptionarch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OFexceptions, which allows guest OS users to cause a denial of service (guest OS crash)by declining to handle an exception thrown by an L2 guest.

RecommendationUse your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208, linux-image-3.13.0-161-generic-0:3.13.0-161.211. For moreinformation see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9588


CVE-2017-0794

Severity


2019-02-11 21:56:40 UTC

High

DescriptionA elevation of privilege vulnerability in the Upstream kernel scsi driver. Product:Android. Versions: Android kernel. Android ID: A-35644812.



CVE-2017-11591

SeverityHigh

DescriptionThere is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 thatwill lead to a remote denial of service attack via crafted input.

RecommendationUse your Operating System's update feature to update packagelibexiv2-12-0:0.23-1ubuntu2.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11591


CVE-2017-11683

SeverityMedium

DescriptionThere is a reachable assertion in the Internal::TiffReader::visitDirectory function intiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via craftedinput.


2019-02-11 21:56:40 UTC



CVE-2017-13168

SeverityMedium

DescriptionAn elevation of privilege vulnerability in the kernel scsi driver. Product: Android.Versions: Android kernel. Android ID A-65023233.



CVE-2017-14502

SeverityHigh

Descriptionread_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from anoff-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds readin archive_read_format_rar_read_header.

RecommendationUse your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502

Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2017-14859

SeverityMedium

DescriptionAn Invalid memory address dereference was discovered inExiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes asegmentation fault and application crash, which leads to denial of service.



CVE-2017-14862

SeverityMedium

DescriptionAn Invalid memory address dereference was discovered in Exiv2::DataValue::read invalue.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and applicationcrash, which leads to denial of service.



CVE-2017-14864


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionAn Invalid memory address dereference was discovered in Exiv2::getULong intypes.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and applicationcrash, which leads to denial of service.



CVE-2017-15299

SeverityMedium

DescriptionThe KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key fora key that already exists but is uninstantiated, which allows local users to cause a denialof service (NULL pointer dereference and system crash) or possibly have unspecifiedother impact via a crafted system call.



CVE-2017-16649

SeverityHigh

Description


2019-02-11 21:56:40 UTC

The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linuxkernel through 4.13.11 allows local users to cause a denial of service (divide-by-zeroerror and system crash) or possibly have unspecified other impact via a crafted USBdevice.



CVE-2017-17669

SeverityMedium

DescriptionThere is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remotedenial of service attack.



CVE-2017-18216

SeverityMedium

DescriptionIn fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can causea denial of service (NULL pointer dereference and BUG) because a required mutex isnot used.


2019-02-11 21:56:40 UTC



CVE-2017-2647

SeverityHigh

DescriptionThe KEYS subsystem in the Linux kernel before 3.18 allows local users to gainprivileges or cause a denial of service (NULL pointer dereference and systemcrash) via vectors involving a NULL value for a certain match field, related to thekeyring_search_iterator function in keyring.c.



CVE-2017-6519

SeverityHigh

Descriptionavahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicastqueries with source addresses that are not on-link, which allows remote attackers tocause a denial of service (traffic amplification) and may cause information leakage byobtaining potentially sensitive information from the responding device via port-5353UDP packets. NOTE: this may overlap CVE-2015-2809.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package avahi-daemon-0:0.6.31-4ubuntu1.2, libavahi-core7-0:0.6.31-4ubuntu1.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6519


CVE-2017-9239

SeverityMedium

DescriptionAn issue was discovered in Exiv2 0.26. When the data structure of the structure ifdis incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0.TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentationfault. To exploit this vulnerability, someone must open a crafted tiff file.



CVE-2017-9525

SeverityHigh

DescriptionIn the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilegeescalation via symlink attacks against unsafe usage of the chown and chmod programs.

RecommendationUse your Operating System's update feature to update packagecron-0:3.0pl1-124ubuntu2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9525


2019-02-11 21:56:40 UTC


CVE-2018-0495

SeverityLow

DescriptionLibgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channelattack on ECDSA signatures that can be mitigated through the use of blinding duringthe signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka theReturn Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, theattacker needs access to either the local machine or a different virtual machine on thesame physical host.

RecommendationUse your Operating System's update feature to update package libnss3-2:3.28.4-0ubuntu0.14.04.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495


CVE-2018-0734

SeverityMedium

DescriptionThe OpenSSL DSA signature algorithm has been shown to be vulnerable to a timingside channel attack. An attacker could use variations in the signing algorithm to recoverthe private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j(Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

RecommendationUse your Operating System's update feature to update package libssl1.0.0-0:1.0.1f-1ubuntu2.26. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734


2019-02-11 21:56:40 UTC


CVE-2018-0735

SeverityMedium

DescriptionThe OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timingside channel attack. An attacker could use variations in the signing algorithm to recoverthe private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL1.1.1a (Affected 1.1.1).



CVE-2018-1000004

SeverityHigh

DescriptionIn the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race conditionvulnerability exists in the sound system, this can lead to a deadlock and denial of servicecondition.




2019-02-11 21:56:40 UTC

CVE-2018-1000030

SeverityHigh

DescriptionPython 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears thatPython 2.7.17 and prior may also be vulnerable however this has not been confirmed.The vulnerability lies when multiply threads are handling large amounts of data.In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing tothe buffer without knowing how much to write. So when a large amount of data is beingprocessed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow.As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the factthat the attacker must be able to run code, however in some situations, such as functionas a service, this vulnerability can potentially be used by an attacker to violate a trustboundary, as such the DWF feels this issue deserves a CVE.

RecommendationUse your Operating System's update feature to update packagepython2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For moreinformation see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030


CVE-2018-1000802

SeverityHigh

DescriptionPython Software Foundation Python (CPython) version 2.7 contains a CWE-77:Improper Neutralization of Special Elements used in a Command ('Command Injection')vulnerability in shutil module (make_archive function) that can result in Denial ofservice, Information gain via injection of arbitrary files on the system or entire drive.


2019-02-11 21:56:40 UTC

This attack appear to be exploitable via Passage of unfiltered user input to the function.This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.



CVE-2018-1000877

SeverityHigh

Descriptionlibarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards(release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RARdecoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attackappear to be exploitable via the victim must open a specially crafted RAR archive.



CVE-2018-1000878

SeverityHigh

Description


2019-02-11 21:56:40 UTC

libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards(release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RARdecoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - itis unknown if RCE is possible. This attack appear to be exploitable via the victim mustopen a specially crafted RAR archive.



CVE-2018-1000880

SeverityMedium

Descriptionlibarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards(release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability inWARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that canresult in DoS - quasi-infinite run time and disk usage from tiny file. This attack appearto be exploitable via the victim must open a specially crafted WARC file.



CVE-2018-10119

SeverityHigh

Description


2019-02-11 21:56:40 UTC

sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1uses an incorrect integer data type in the StgSmallStrm class, which allows remoteattackers to cause a denial of service (use-after-free with write access) or possibly haveunspecified other impact via a crafted document that uses the structured storage ole2wrapper file format.

RecommendationUse your Operating System's update feature to update package libreoffice-core-1:4.2.8-0ubuntu5.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10119


CVE-2018-10120

SeverityHigh

DescriptionThe SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx inLibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizationsindex, which allows remote attackers to cause a denial of service (heap-based bufferoverflow with write access) or possibly have unspecified other impact via a crafteddocument that contains a certain Microsoft Word record.



CVE-2018-10583

SeverityHigh

Description


2019-02-11 21:56:40 UTC

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and ApacheOpenOffice Writer 4.1.5 automatically process and initiate an SMB connectionembedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpgwithin an office:document-content element in a .odt XML document.



CVE-2018-1060

SeverityHigh

Descriptionpython before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable tocatastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw tocause denial of service.



CVE-2018-1061

SeverityHigh

Description


2019-02-11 21:56:40 UTC

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable tocatastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could usethis flaw to cause denial of service.



CVE-2018-1066

SeverityHigh

DescriptionThe Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS serverto kernel panic a client that has this server mounted, because an empty TargetInfo fieldin an NTLMSSP setup negotiation response is mishandled during session recovery.



CVE-2018-10902

SeverityMedium

DescriptionIt was found that the raw midi kernel driver does not protect against concurrentaccess which leads to a double realloc (double free) in snd_rawmidi_input_params()


2019-02-11 21:56:40 UTC

and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handlerin rawmidi.c file. A malicious local attacker could possibly use this for privilegeescalation.



CVE-2018-10963

SeverityMedium

DescriptionThe TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allowsremote attackers to cause a denial of service (assertion failure and application crash) viaa crafted file, a different vulnerability than CVE-2017-13726.

RecommendationUse your Operating System's update feature to update packagelibtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963


CVE-2018-11574

SeverityHigh

DescriptionImproper input validation together with an integer overflow in the EAP-TLS protocolimplementation in PPPD may cause a crash, information disclosure, or authenticationbypass. This implementation is distributed as a patch for PPPD 0.91, and includes the


2019-02-11 21:56:40 UTC

affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option areunaffected.

RecommendationUse your Operating System's update feature to update packageppp-0:2.4.5-5.1ubuntu2.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11574


CVE-2018-11790

SeverityMedium

DescriptionWhen loading a document with Apache Open Office 4.1.5 and earlier with smallerend line termination than the operating system uses, the defect occurs. In this caseOpenOffice runs into an Arithmetic Overflow at a string length calculation.



CVE-2018-12384

SeverityMedium

DescriptionA flaw was found in the way NSS responded to an SSLv2-compatible ClientHello witha ServerHello that had an all-zero random. A man-in-the-middle attacker could use thisflaw in a passive replay attack.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package libnss3-2:3.28.4-0ubuntu0.14.04.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384


CVE-2018-12389

SeverityHigh

DescriptionRESERVED This candidate has been reserved by an organization or individual thatwill use it when announcing a new security problem. When the candidate has beenpublicized, the details for this candidate will be provided.

RecommendationUse your Operating System's update feature to update package thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12389


CVE-2018-12390

SeverityHigh



Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2018-12392

SeverityHigh




CVE-2018-12393

SeverityHigh




CVE-2018-12896


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionAn issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow inkernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrunaccounting works. Depending on interval and expiry time values, the overrun canbe larger than INT_MAX, but the accounting is int based. This basically makesthe accounting values, which are visible to user space via timer_getoverrun(2) andsiginfo::si_overrun, random. For example, a local user can cause a denial of service(signed integer overflow) via crafted mmap, futex, timer_create, and timer_settimesystem calls.



CVE-2018-14633

SeverityHigh

DescriptionA security flaw was found in the chap_server_compute_md5() function in the ISCSItarget code in the Linux kernel in a way an authentication request from an ISCSIinitiator is processed. An unauthenticated remote attacker can cause a stack bufferoverflow and smash up to 17 bytes of the stack. The attack requires the iSCSI targetto be enabled on the victim host. Depending on how the target's code was built (i.e.depending on a compiler, compile flags and hardware architecture) an attack may leadto a system crash and thus to a denial-of-service or possibly to a non-authorized accessto data exported by an iSCSI target. Due to the nature of the flaw, privilege escalationcannot be fully ruled out, although we believe it is highly unlikely. Kernel versions4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package linux-image-3.13.0-158-generic-0:3.13.0-158.208. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633


CVE-2018-14634

SeverityHigh

DescriptionAn integer overflow flaw was found in the Linux kernel's create_elf_tables() function.An unprivileged local user with access to SUID (or otherwise privileged) binary coulduse this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and4.14.x are believed to be vulnerable.



CVE-2018-14647

SeverityHigh

DescriptionPython's elementtree C accelerator failed to initialise Expat's hash salt duringinitialization. This could make it easy to conduct denial of service attacks against Expatby constructing an XML document that would cause pathological hash collisions inExpat's internal data structures, consuming large amounts CPU and RAM. Python 3.8,3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update packagepython2.7-0:2.7.6-8ubuntu0.4, python2.7-minimal-0:2.7.6-8ubuntu0.4, python3.4-0:3.4.3-1ubuntu1~14.04.6, python3.4-minimal-0:3.4.3-1ubuntu1~14.04.6. For moreinformation see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647


CVE-2018-14734

SeverityHigh

Descriptiondrivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allowsucma_leave_multicast to access a certain data structure after a cleanup step inucma_process_join, which allows attackers to cause a denial of service (use-after-free).



CVE-2018-15126

SeverityHigh

DescriptionLibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b containsheap use-after-free vulnerability in server code of file transfer extension that can resultremote code execution

RecommendationUse your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15126


2019-02-11 21:56:40 UTC


CVE-2018-15127

SeverityHigh

DescriptionLibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heapout-of-bound write vulnerability in server code of file transfer extension that can resultremote code execution



CVE-2018-15473

SeverityHigh

DescriptionOpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delayingbailout for an invalid authenticating user until after the packet containing the request hasbeen fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

RecommendationUse your Operating System's update feature to update package openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473


CVE-2018-15572


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionThe spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linuxkernel before 4.18.1 does not always fill RSB upon a context switch, which makes iteasier for attackers to conduct userspace-userspace spectreRSB attacks.



CVE-2018-15594

SeverityMedium

Descriptionarch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certainindirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks againstparavirtual guests.



CVE-2018-16276

SeverityHigh

Description


2019-02-11 21:56:40 UTC

An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernelbefore 4.17.7. Local attackers could use user access read/writes with incorrect boundschecking in the yurex USB driver to crash the kernel or potentially escalate privileges.



CVE-2018-16336

SeverityMedium

DescriptionExiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackersto cause a denial of service (heap-based buffer over-read) via a crafted image file, adifferent vulnerability than CVE-2018-10999.



CVE-2018-16395

SeverityHigh

DescriptionAn issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.xbefore 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When twoOpenSSL::X509::Name objects are compared using ==, depending on the ordering,non-equal objects may return true. When the first argument is one character longer than


2019-02-11 21:56:40 UTC

the second, or the second argument contains a character that is one less than a characterin the same position of the first argument, the result of == will be true. This could beleveraged to create an illegitimate certificate that may be accepted as legitimate andthen used in signing or encryption operations.

RecommendationUse your Operating System's update feature to update package libruby1.9.1-0:1.9.3.484-2ubuntu1.12, ruby1.9.1-0:1.9.3.484-2ubuntu1.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395


CVE-2018-16396

SeverityHigh

DescriptionAn issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking taintedstrings with some formats.

RecommendationUse your Operating System's update feature to update package libruby1.9.1-0:1.9.3.484-2ubuntu1.12, ruby1.9.1-0:1.9.3.484-2ubuntu1.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396


CVE-2018-16646

SeverityMedium

DescriptionIn Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursionvia a crafted file. A remote attacker can leverage this for a DoS attack.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16646


CVE-2018-16658

SeverityMedium

DescriptionAn issue was discovered in the Linux kernel before 4.18.6. An information leak incdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackersto read kernel memory because a cast from unsigned long to int interferes with boundschecking. This is similar to CVE-2018-10940.



CVE-2018-17100

SeverityHigh

DescriptionAn issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_msin tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly haveunspecified other impact via a crafted image file.



2019-02-11 21:56:40 UTC


CVE-2018-17101

SeverityHigh

DescriptionAn issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes incpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service(application crash) or possibly have unspecified other impact via a crafted image file.



CVE-2018-17466

SeverityHigh

DescriptionIncorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed aremote attacker to perform an out of bounds memory read via a crafted HTML page.

RecommendationUse your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2, thunderbird-1:60.2.1+build1-0ubuntu0.14.04.2. For more informationsee https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17466


CVE-2018-17581


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionCiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stackconsumption due to a recursive function, leading to Denial of service.



CVE-2018-17972

SeverityMedium

DescriptionAn issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linuxkernel through 4.18.11. It does not ensure that only root may inspect the kernel stackof an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leakkernel task stack contents.



CVE-2018-18281

SeverityMedium

Description


2019-02-11 21:56:40 UTC

Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes afterdropping pagetable locks. If a syscall such as ftruncate() removes entries from thepagetables of a task that is in the middle of mremap(), a stale TLB entry can remainfor a short time that permits access to a physical page after it has been released back tothe page allocator and reused. This is fixed in the following kernel versions: 4.9.135,4.14.78, 4.18.16, 4.19.



CVE-2018-18311

SeverityHigh

DescriptionPerl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regularexpression that triggers invalid write operations.

RecommendationUse your Operating System's update feature to update packageperl-0:5.18.2-2ubuntu1.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18311


CVE-2018-18312

SeverityHigh

DescriptionPerl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regularexpression that triggers invalid write operations.


2019-02-11 21:56:40 UTC



CVE-2018-18313

SeverityHigh

DescriptionPerl before 5.26.3 has a buffer over-read via a crafted regular expression that triggersdisclosure of sensitive information from process memory.



CVE-2018-18314

SeverityHigh

DescriptionPerl before 5.26.3 has a buffer overflow via a crafted regular expression that triggersinvalid write operations.




2019-02-11 21:56:40 UTC

CVE-2018-18386

SeverityMedium

Descriptiondrivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who areable to access pseudo terminals) to hang/block further usage of any pseudo terminaldevices due to an EXTPROC versus ICANON confusion in TIOCINQ.



CVE-2018-18500

SeverityHigh

DescriptionA use-after-free vulnerability can occur while parsing an HTML5 stream in concert withcustom HTML elements. This results in the stream parser object being freed while stillin use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird< 60.5, Firefox ESR < 60.5, and Firefox < 65.

RecommendationUse your Operating System's update feature to update package firefox-0:63.0+build2-0ubuntu0.14.04.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18500


CVE-2018-18501

Severity


2019-02-11 21:56:40 UTC

High

DescriptionMozilla developers and community members reported memory safety bugs present inFirefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memorycorruption and we presume that with enough effort that some of these could beexploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, FirefoxESR < 60.5, and Firefox < 65.



CVE-2018-18502

SeverityHigh

DescriptionMozilla developers and community members reported memory safety bugs present inFirefox 64. Some of these bugs showed evidence of memory corruption and we presumethat with enough effort that some of these could be exploited to run arbitrary code. Thisvulnerability affects Firefox < 65.



CVE-2018-18503

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionWhen JavaScript is used to create and manipulate an audio buffer, a potentiallyexploitable crash may occur because of a compartment mismatch in some situations.This vulnerability affects Firefox < 65.



CVE-2018-18504

SeverityHigh

DescriptionA crash and out-of-bounds read can occur when the buffer of a texture client is freedwhile it is still in use during graphic operations. This results is a potentially exploitablecrash and the possibility of reading from the memory of the freed buffers. Thisvulnerability affects Firefox < 65.



CVE-2018-18505

SeverityHigh

DescriptionAn earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079,added authentication to communication between IPC endpoints and server parents


2019-02-11 21:56:40 UTC

during IPC process creation. This authentication is insufficient for channels created afterthe IPC process is started, leading to the authentication not being correctly applied tolater channels. This could allow for a sandbox escape through IPC channels due to lackof message validation in the listener process. This vulnerability affects Thunderbird <60.5, Firefox ESR < 60.5, and Firefox < 65.



CVE-2018-18506

SeverityMedium

DescriptionWhen proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specifythat requests to the localhost are to be sent through the proxy to another server. Thisbehavior is disallowed by default when a proxy is manually configured, but whenenabled could allow for attacks on services and tools that bind to the localhost fornetworked behavior if they are accessed through browsing. This vulnerability affectsFirefox < 65.



CVE-2018-18557

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionLibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer,ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.



CVE-2018-18661

SeverityMedium

DescriptionAn issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in thefunction LZWDecode in the file tif_lzw.c.



CVE-2018-18690

SeverityMedium

DescriptionIn the Linux kernel before 4.17, a local attacker able to set attributes on an xfsfilesystem could make this filesystem non-operational until the next mount bytriggering an unchecked error condition during an xfs attribute change, becausexfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACEoperations with conversion of an attr from short to long form.


2019-02-11 21:56:40 UTC



CVE-2018-18710

SeverityMedium

DescriptionAn issue was discovered in the Linux kernel through 4.19. An information leak incdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers toread kernel memory because a cast from unsigned long to int interferes with boundschecking. This is similar to CVE-2018-10940 and CVE-2018-16658.



CVE-2018-18751

SeverityHigh

DescriptionAn issue was discovered in GNU gettext 0.19.8. There is a double free indefault_add_message in read-catalog.c, related to an invalid free in po_gram_parse inpo-gram-gen.y, as demonstrated by lt-msgfmt.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update packagegettext-0:0.18.3.1-1ubuntu3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18751


CVE-2018-19058

SeverityMedium

DescriptionAn issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, willlead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream checkbefore saving an embedded file.

RecommendationUse your Operating System's update feature to update package libpoppler44-0:0.24.5-2ubuntu4.12, poppler-utils-0:0.24.5-2ubuntu4.12. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19058


CVE-2018-19059

SeverityMedium

DescriptionAn issue was discovered in Poppler 0.71.0. There is a out-of-bounds read inEmbFile::save2 in FileSpec.cc, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.


Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2018-19060

SeverityMedium

DescriptionAn issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc notvalidating a filename of an embedded file before constructing a save path.



CVE-2018-19149

SeverityMedium

DescriptionPoppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_newwhen called from poppler_annot_file_attachment_get_attachment.



CVE-2018-19409

Severity


2019-02-11 21:56:40 UTC

High

DescriptionAn issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is notchecked correctly if another device is used.

RecommendationUse your Operating System's update feature to update package ghostscript-0:9.25~dfsg+1-0ubuntu0.14.04.2, libgs9-0:9.25~dfsg+1-0ubuntu0.14.04.2. For more information seehttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19409


CVE-2018-19475

SeverityHigh

Descriptionpsi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypassintended access restrictions because available stack space is not checked when thedevice remains the same.



CVE-2018-19476

SeverityHigh

Descriptionpsi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intendedaccess restrictions because of a setcolorspace type confusion.


2019-02-11 21:56:40 UTC



CVE-2018-19477

SeverityHigh

Descriptionpsi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypassintended access restrictions because of a JBIG2Decode type confusion.



CVE-2018-19787

SeverityMedium

DescriptionAn issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.cleanmodule does not remove javascript: URLs that use escaping, allowing a remote attackerto conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. Thisis a similar issue to CVE-2014-3146.

RecommendationUse your Operating System's update feature to update package python-lxml-0:3.3.3-1ubuntu0.1, python3-lxml-0:3.3.3-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19787


2019-02-11 21:56:40 UTC


CVE-2018-19788

SeverityHigh

DescriptionA flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greaterthan INT_MAX to successfully execute any systemctl command.

RecommendationUse your Operating System's update feature to update package libpolkit-backend-1-0-0:0.105-4ubuntu3.14.04.2, policykit-1-0:0.105-4ubuntu3.14.04.2. For more informationsee https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788


CVE-2018-19840

SeverityMedium

DescriptionThe function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused byan infinite loop) via a crafted wav audio file because WavpackSetConfiguration64mishandles a sample rate of zero.

RecommendationUse your Operating System's update feature to update package libwavpack1-0:4.70.0-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19840


CVE-2018-19841


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionThe function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPackthrough 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read andapplication crash) via a crafted WavPack Lossless Audio file, as demonstrated bywvunpack.

RecommendationUse your Operating System's update feature to update package libwavpack1-0:4.70.0-1ubuntu0.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841


CVE-2018-20019

SeverityHigh

DescriptionLibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f containsmultiple heap out-of-bound write vulnerabilities in VNC client code that can resultremote code execution



CVE-2018-20020

SeverityHigh

Description


2019-02-11 21:56:40 UTC

LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heapout-of-bound write vulnerability inside structure in VNC client code that can resultremote code execution



CVE-2018-20021

SeverityHigh

DescriptionLibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains aCWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attackerto consume excessive amount of resources like CPU and RAM



CVE-2018-20022

SeverityHigh

DescriptionLibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multipleweaknesses CWE-665: Improper Initialization vulnerability in VNC client code thatallows attacker to read stack memory and can be abuse for information disclosure.


2019-02-11 21:56:40 UTC

Combined with another vulnerability, it can be used to leak stack memory layout and inbypassing ASLR



CVE-2018-20023

SeverityHigh

DescriptionLibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665:Improper Initialization vulnerability in VNC Repeater client code that allows attacker toread stack memory and can be abuse for information disclosure. Combined with anothervulnerability, it can be used to leak stack memory layout and in bypassing ASLR



CVE-2018-20024

SeverityHigh

DescriptionLibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains nullpointer dereference in VNC client code that can result DoS.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package libvncserver0-0:0.9.9+dfsg-1ubuntu1.3. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024


CVE-2018-20459

SeverityMedium

DescriptionIn radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.callows attackers to cause a denial-of-service (application crash by out-of-boundsread) by crafting an arm assembly input because a loop uses an incorrect index inarmass.c and certain length validation is missing in armass64.c, a related issue toCVE-2018-20457.

RecommendationUse your Operating System's update feature to update package libcaca0-0:0.99.beta18-1ubuntu5. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20459


CVE-2018-20481

SeverityMedium

DescriptionXRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries,which allows remote attackers to cause a denial of service (NULL pointer dereference)via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called fromParser::makeStream in Parser.cc.

Recommendation


2019-02-11 21:56:40 UTC



CVE-2018-20544

SeverityMedium

DescriptionThere is floating point exception at caca/dither.c (function caca_dither_bitmap) inlibcaca 0.99.beta19.



CVE-2018-20545

SeverityHigh

DescriptionThere is an illegal WRITE memory access at common-image.c (function load_image) inlibcaca 0.99.beta19 for 4bpp data.




2019-02-11 21:56:40 UTC

CVE-2018-20546

SeverityMedium

DescriptionThere is an illegal READ memory access at caca/dither.c (function get_rgba_default) inlibcaca 0.99.beta19 for the default bpp case.



CVE-2018-20547

SeverityMedium

DescriptionThere is an illegal READ memory access at caca/dither.c (function get_rgba_default) inlibcaca 0.99.beta19 for 24bpp data.



CVE-2018-20548

SeverityHigh

Description


2019-02-11 21:56:40 UTC

There is an illegal WRITE memory access at common-image.c (function load_image) inlibcaca 0.99.beta19 for 1bpp data.



CVE-2018-20549

SeverityHigh

DescriptionThere is an illegal WRITE memory access at caca/file.c (function caca_file_read) inlibcaca 0.99.beta19.



CVE-2018-20551

SeverityMedium

DescriptionA reachable Object::getString assertion in Poppler 0.72.0 allows attackers to causea denial of service due to construction of invalid rich media annotation assets in theAnnotRichMedia class in Annot.c.

Recommendation


2019-02-11 21:56:40 UTC



CVE-2018-20650

SeverityMedium

DescriptionA reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause adenial of service due to the lack of a check for the dict data type, as demonstrated by useof the FileSpec class (in FileSpec.cc) in pdfdetach.



CVE-2018-20685

SeverityMedium

DescriptionIn OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intendedaccess restrictions via the filename of . or an empty filename. The impact is modifyingthe permissions of the target directory on the client side.

RecommendationUse your Operating System's update feature to update package openssh-client-1:6.6p1-2ubuntu2.10, openssh-server-1:6.6p1-2ubuntu2.10. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685

Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2018-20748

SeverityHigh

DescriptionLibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities inlibvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.



CVE-2018-20749

SeverityHigh

DescriptionLibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability inlibvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.



CVE-2018-20750

SeverityHigh


2019-02-11 21:56:40 UTC

DescriptionLibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability inlibvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.



CVE-2018-3136

SeverityMedium

DescriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE(subcomponent: Security). Supported versions that are affected are Java SE: 6u201,7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerabilityallows unauthenticated attacker with network access via multiple protocols tocompromise Java SE, Java SE Embedded. Successful attacks require human interactionfrom a person other than the attacker and while the vulnerability is in Java SE, Java SEEmbedded, attacks may significantly impact additional products. Successful attacks ofthis vulnerability can result in unauthorized update, insert or delete access to some ofJava SE, Java SE Embedded accessible data. Note: This vulnerability applies to Javadeployments, typically in clients running sandboxed Java Web Start applications orsandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code thatcomes from the internet) and rely on the Java sandbox for security. This vulnerabilitydoes not apply to Java deployments, typically in servers, that load and run only trustedcode (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrityimpacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).

RecommendationUse your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For moreinformation see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136


2019-02-11 21:56:40 UTC


CVE-2018-3139

SeverityMedium

DescriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE(subcomponent: Networking). Supported versions that are affected are Java SE: 6u201,7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerabilityallows unauthenticated attacker with network access via multiple protocols tocompromise Java SE, Java SE Embedded. Successful attacks require human interactionfrom a person other than the attacker. Successful attacks of this vulnerability can resultin unauthorized read access to a subset of Java SE, Java SE Embedded accessibledata. Note: This vulnerability applies to Java deployments, typically in clients runningsandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), thatload and run untrusted code (e.g. code that comes from the internet) and rely on the Javasandbox for security. This vulnerability does not apply to Java deployments, typicallyin servers, that load and run only trusted code (e.g. code installed by an administrator).CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).



CVE-2018-3149

SeverityHigh

Description


2019-02-11 21:56:40 UTC

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE(subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191,8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploitvulnerability allows unauthenticated attacker with network access via multiple protocolsto compromise Java SE, Java SE Embedded, JRockit. Successful attacks require humaninteraction from a person other than the attacker and while the vulnerability is in JavaSE, Java SE Embedded, JRockit, attacks may significantly impact additional products.Successful attacks of this vulnerability can result in takeover of Java SE, Java SEEmbedded, JRockit. Note: This vulnerability applies to Java deployments, typically inclients running sandboxed Java Web Start applications or sandboxed Java applets (inJava SE 8), that load and run untrusted code (e.g. code that comes from the internet) andrely on the Java sandbox for security. This vulnerability can also be exploited by usingAPIs in the specified Component, e.g. through a web service which supplies data to theAPIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts).CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).



CVE-2018-3169

SeverityHigh

DescriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE(subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191,8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allowsunauthenticated attacker with network access via multiple protocols to compromiseJava SE, Java SE Embedded. Successful attacks require human interaction froma person other than the attacker and while the vulnerability is in Java SE, Java SEEmbedded, attacks may significantly impact additional products. Successful attacksof this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Thisvulnerability applies to Java deployments, typically in clients running sandboxed Java


2019-02-11 21:56:40 UTC

Web Start applications or sandboxed Java applets (in Java SE 8), that load and rununtrusted code (e.g. code that comes from the internet) and rely on the Java sandbox forsecurity. This vulnerability does not apply to Java deployments, typically in servers, thatload and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 BaseScore 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).



CVE-2018-3180

SeverityHigh

DescriptionVulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle JavaSE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201,7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult toexploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of thisvulnerability can result in unauthorized update, insert or delete access to some of JavaSE, Java SE Embedded, JRockit accessible data as well as unauthorized read accessto a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorizedability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded,JRockit. Note: This vulnerability applies to Java deployments, typically in clientsrunning sandboxed Java Web Start applications or sandboxed Java applets (in Java SE8), that load and run untrusted code (e.g. code that comes from the internet) and rely onthe Java sandbox for security. This vulnerability can also be exploited by using APIs inthe specified Component, e.g. through a web service which supplies data to the APIs.CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSSVector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package openjdk-7-jre-0:7u181-2.6.14-0ubuntu0.2, openjdk-7-jre-headless-0:7u181-2.6.14-0ubuntu0.2. For moreinformation see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180


CVE-2018-5407

SeverityLow

DescriptionSimultaneous Multi-threading (SMT) in processors can enable local users to exploitsoftware vulnerable to timing attacks via a side-channel timing attack on 'portcontention'.



CVE-2018-5807

SeverityHigh

DescriptionAn error within the "samsung_load_raw()" function (internal/dcraw_common.cpp)in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds readmemory access and subsequently cause a crash.

RecommendationUse your Operating System's update feature to update packagelibraw9-0:0.15.4-1ubuntu0.2. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5807

Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2018-5810

SeverityHigh

DescriptionAn error within the "rollei_load_raw()" function (internal/dcraw_common.cpp) inLibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflowand subsequently cause a crash.



CVE-2018-5811

SeverityMedium

DescriptionAn error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause anout-of-bounds read memory access and subsequently cause a crash.



CVE-2018-5812


2019-02-11 21:56:40 UTC

SeverityMedium

DescriptionAn error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger aNULL pointer dereference.



CVE-2018-5813

SeverityHigh

DescriptionAn error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versionsprior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file.



CVE-2018-5815

SeverityHigh

Description


2019-02-11 21:56:40 UTC

An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger aninfinite loop via a specially crafted Apple QuickTime file.



CVE-2018-5816

SeverityHigh

DescriptionAn integer overflow error within the "identify()" function (internal/dcraw_common.cpp)in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zerovia specially crafted NOKIARAW file (Note: This vulnerability is caused due to anincomplete fix of CVE-2018-5804).



CVE-2018-6307

SeverityHigh

DescriptionLibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heapuse-after-free vulnerability in server code of file transfer extension that can resultremote code execution.


2019-02-11 21:56:40 UTC



CVE-2018-6554

SeverityMedium

DescriptionMemory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial ofservice (memory consumption) by repeatedly binding an AF_IRDA socket.



CVE-2018-6555

SeverityHigh

DescriptionThe irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service(ias_object use-after-free and system crash) or possibly have unspecified other impactvia an AF_IRDA socket.

Recommendation


2019-02-11 21:56:40 UTC



CVE-2018-7456

SeverityMedium

DescriptionA NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.cin LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, adifferent vulnerability than CVE-2017-18013. (This affects an earlier part of theTIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)



CVE-2018-7566

SeverityMedium

DescriptionThe Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.


Failed Instances


2019-02-11 21:56:40 UTC

i-04372149a51fe6560

CVE-2018-8784

SeverityHigh

DescriptionFreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in functionzgfx_decompress_segment() that results in a memory corruption and probably even aremote code execution.

RecommendationUse your Operating System's update feature to update package libfreerdp1-0:1.0.2-2ubuntu1.1. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8784


CVE-2018-8785

SeverityHigh

DescriptionFreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in functionzgfx_decompress() that results in a memory corruption and probably even a remotecode execution.



CVE-2018-8786


2019-02-11 21:56:40 UTC

SeverityHigh

DescriptionFreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in amemory corruption and probably even a remote code execution.



CVE-2018-8787

SeverityHigh

DescriptionFreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memorycorruption and probably even a remote code execution.



CVE-2018-8788

SeverityHigh

Description


2019-02-11 21:56:40 UTC

FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytesin function nsc_rle_decode() that results in a memory corruption and possibly even aremote code execution.



CVE-2018-8789

SeverityHigh

DescriptionFreeRDP prior to version 2.0.0-rc4 contains several Out-Of-Bounds Reads in theNTLM Authentication module that results in a Denial of Service (segfault).



CVE-2018-8905

SeverityHigh

DescriptionIn LibTIFF 4.0.9, a heap-based buffer overflow occurs in the functionLZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update packagelibtiff5-0:4.0.3-7ubuntu0.9. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905


CVE-2018-9363

SeverityHigh

DescriptionIn the hidp_process_report in bluetooth, there is an integer overflow. This could lead toan out of bounds write with no additional execution privileges needed. User interactionis not needed for exploitation. Product: Android Versions: Android kernel Android ID:A-65853588 References: Upstream kernel.



CVE-2018-9518

SeverityHigh

DescriptionIn nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds writedue to a missing bounds check. This could lead to local escalation of privilege withSystem execution privileges needed. User interaction is not needed for exploitation.Product: Android. Versions: Android kernel. Android ID: A-73083945.

Recommendation


2019-02-11 21:56:40 UTC



CVE-2018-9568

SeverityHigh

DescriptionIn sk_clone_lock of sock.c, there is a possible memory corruption due to typeconfusion. This could lead to local escalation of privilege with no additional executionprivileges needed. User interaction is not needed for exploitation. Product: Android.Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.



CVE-2019-1000019

SeverityMedium

Descriptionlibarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards(release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in7zip decompression, archive_read_support_format_7zip.c, header_bytes() that canresult in a crash (denial of service). This attack appears to be exploitable via the victimopening a specially crafted 7zip file.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package libarchive13-0:3.1.2-7ubuntu2.6. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019


CVE-2019-1000020

SeverityMedium

Descriptionlibarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards(version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attackappears to be exploitable via the victim opening a specially crafted ISO9660 file.



CVE-2019-3813

SeverityHigh

DescriptionSpice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to anoff-by-one error in memslot_get_virt. This may lead to a denial of service, or, in theworst case, code-execution by unauthenticated attackers.

Recommendation


2019-02-11 21:56:40 UTC

Use your Operating System's update feature to update package libspice-server1-0:0.12.4-0nocelt2ubuntu1.7. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813


CVE-2019-3823

SeverityHigh

Descriptionlibcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-boundsread in the code handling the end-of-response for SMTP. If the buffer passed to`smtp_endofresp()` isn't NUL terminated and contains no character ending the parsednumber, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer.The read contents will not be returned to the caller.

RecommendationUse your Operating System's update feature to update packagecurl-0:7.35.0-1ubuntu2.19, libcurl3-0:7.35.0-1ubuntu2.19, libcurl3-gnutls-0:7.35.0-1ubuntu2.19. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823


CVE-2019-6109

SeverityMedium

DescriptionAn issue was discovered in OpenSSH 7.9. Due to missing character encoding in theprogress display, a malicious server (or Man-in-The-Middle attacker) can employcrafted object names to manipulate the client output, e.g., by using ANSI control codesto hide additional files being transferred. This affects refresh_progress_meter() inprogressmeter.c.


2019-02-11 21:56:40 UTC



CVE-2019-6110

SeverityMedium

DescriptionIn OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server,a malicious server (or Man-in-The-Middle attacker) can manipulate the client output,for example to use ANSI control codes to hide additional files being transferred.



CVE-2019-7310

SeverityHigh

DescriptionIn Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error inthe XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial ofservice (application crash) or possibly have unspecified other impact via a crafted PDFdocument, as demonstrated by pdftocairo.

Recommendation


2019-02-11 21:56:40 UTC



4.3: Findings details - Network Reachability-1.1

Recognized port with listener reachable from internet


DescriptionA recognized port is reachable from the internet with a service listening

RecommendationYou can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from theinternet on port 22, 80


Recognized port with no listener reachable from internet


DescriptionOn this instance, recognized port(s) are reachable from the internet with no processlistening on the port.

RecommendationYou can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from theinternet on port 443, 3389



2019-02-11 21:56:40 UTC

Unrecognized port with listener reachable from internet

SeverityLow

DescriptionAn unrecognized port is reachable from the internet with a service listening

RecommendationYou can edit the Security Group sg-070eb17ac5ab81bb6 to remove access from theinternet on port 5901


4.4: Findings details - Security Best Practices-1.0

Disable root login over SSH

SeverityMedium

DescriptionThis rule helps determine whether the SSH daemon is configured to permit logging in toyour EC2 instance as root.

RecommendationTo reduce the likelihood of a successful brute-force attack, we recommend that youconfigure your EC2 instance to prevent root account logins over SSH. To disable SSHroot account logins, set PermitRootLogin to 'no' in /etc/ssh/sshd_config and restartsshd. When logged in as a non-root user, you can use sudo to escalate privileges whennecessary. If you want to allow public key authentication with a command associatedwith the key, you can set PermitRootLogin to 'forced-commands-only'.



2019-02-11 21:56:40 UTC

Documents

Amazon Inspector - Assessment Report