CIS: Ubuntu Linux Enterprise Server 18.04


This document describes the hotfix that contains the Center for Internet Security (CIS) templates for the Ubuntu 18.04 Benchmark Version 1.0.0, with implementations for 220 rules. The hotfix can be installed on TrueSight Server Automation 8.9.04 onwards.

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Ensure that all compliance content provided by BMC in your environment is updated to at least version 8.9.04.
  • Save backup copies of the sensors folders that are present on all Application Servers in your environment. The sensors folders contain the extended object scripts and are located at the following path on each Application Server:
    <Application_Server_installation_directory>/share/sensors

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using SFTP. Download the CIS - Ubuntu Enterprise Linux 18.04.zip and extended_objects.zip packages from the following location:

    Verify the downloaded content by using the following checksums.

    S.No | File Name                               | MD5SUM
    -----|-----------------------------------------|---------------------------------
    1    | CIS - Ubuntu Enterprise Linux 18.04.zip | bc806f058f431d1640e141775846e2e0
    2    | extended_objects.zip                    | 9809da85c09e0a7bbe98fa0941992e91

  2. Move the CIS - Ubuntu Enterprise Linux 18.04.zip package to your RCP client server.
  3. Extract the contents from the extended_objects.zip package and move them to a temporary location on all Application Servers.
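The checksum verification in step 1 and the sensors backup from "Before you begin" are the two parts of this procedure that run on the Application Server, so they are scripted here as an added example (not part of the BMC hotfix). It assumes GNU coreutils (md5sum) on the Application Server; the download directory and backup directory are arguments you supply.

```shell
#!/bin/sh
# Verifies both hotfix packages against the MD5 sums listed on this page and
# takes the sensors backup before the extended object scripts are replaced.
# Assumption: GNU coreutils md5sum is available (Linux Application Server).

# Expected sums, copied from the checksum table on this page.
CIS_ZIP_MD5=bc806f058f431d1640e141775846e2e0
EXT_OBJ_MD5=9809da85c09e0a7bbe98fa0941992e91

# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch or missing file
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
    # md5sum prints "<hash>  <name>"; keep only the hash field
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (expected $expected, got $actual)" >&2
    return 1
}

# backup_sensors INSTALL_DIR BACKUP_DIR -> copies share/sensors into a
# timestamped folder under BACKUP_DIR; 1 if the sensors folder is absent
backup_sensors() {
    src=$1/share/sensors
    dst=$2/sensors.$(date +%Y%m%d%H%M%S)
    [ -d "$src" ] || { echo "no sensors folder at $src" >&2; return 1; }
    mkdir -p "$2" && cp -Rp "$src" "$dst" && echo "backup: $dst"
}

# verify_hotfix_downloads DOWNLOAD_DIR -> 0 only if both packages match
verify_hotfix_downloads() {
    dir=$1
    status=0
    verify_md5 "$dir/CIS - Ubuntu Enterprise Linux 18.04.zip" "$CIS_ZIP_MD5" || status=1
    verify_md5 "$dir/extended_objects.zip" "$EXT_OBJ_MD5" || status=1
    return $status
}
```

Run `verify_hotfix_downloads /path/to/downloads` before extracting anything, and `backup_sensors <Application_Server_installation_directory> /path/to/backups` before Step 2; a non-zero exit from either means stop and do not replace the scripts.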

Step 2: Replacing the extended object scripts on all Application Servers

Ensure that you perform the following steps on all the Application Servers in your environment:

  1. Navigate to the extended object script files on your Application Server:
    <Application_Server_installation_directory>/share/sensors/

Step 3: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and select Import.
    The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the CIS - Ubuntu Enterprise Linux 18.04.zip package and click Next.
  5. The CIS template for Ubuntu 18.04 is contained in the CIS - Ubuntu Enterprise Linux 18.04.zip package. To import the templates, select the zip file.

    Select the Update objects according to the imported package and Preserve template group path options and click Next.

  6. Navigate to the last screen of the wizard and then click Finish.
    The templates are imported successfully.

Rules within the templates

The following are the details of the 220 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance and provide remediation - 170
  • Rules that check for compliance but do not provide remediation - 42
  • Rules that neither check for compliance nor provide remediation - 8

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 183
  • Rules divided into two parts - (24 * 2) = 48 [Rule ID : 1.5.3, 1.6.1.2, 1.6.1.3, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.7, 3.1.1, 3.2.5, 3.2.6, 3.2.8, 3.3.3, 4.1.3, 4.1.7, 5.1.8, 5.2.12, 5.4.1.1, 5.4.1.2, 5.4.1.3, 5.4.1.4, 5.4.4, 5.4.5]
  • Rules divided into three parts - (13 * 3) = 39 [Rule ID : 1.5.1, 1.6.1.1, 1.6.2.1, 2.1.6, 2.2.1.2, 3.1.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.7, 3.3.1, 3.3.2]

So, the rule count reported by the CIS Ubuntu 18.04 template after running the compliance job is 270 (183 + 48 + 39).

The following tables list the rules along with comments.

Rule IDs without compliance checks | Comments
-----------------------------------|---------
1.2.1                              | The apt-cache policy output can vary, so the administrator must review it against the site policy.
1.2.2                              | GPG key values can vary, so the administrator must review them against the site policy.
3.6.3, 3.6.4, 3.6.5                | Changing firewall settings while connected over the network can lock you out of the system.
4.2.2.4, 4.2.2.5, 4.2.1.5          | Not applicable.

Rules with compliance checks but no remediation | Comments
------------------------------------------------|---------
1.1.10, 1.1.11, 1.1.12, 1.1.2, 1.1.5, 1.1.6, 1.4.2, 1.7.2, 1.8, 4.2.2.3, 5.4.2, 5.4.3, 5.6, 6.2.1, 6.2.11, 6.2.12, 6.2.14, 6.2.15, 6.2.20 | Remediation is not provided because it needs manual intervention by the system administrator.
1.5.2                                           | Remediation is not available because the package update and configuration details depend on the organization.
3.7, 5.4.1.5, 5.5, 6.1.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.7, 4.2.3 | Remediation must be performed manually with the required permissions.
3.4.2, 3.4.3                                    | Remediation is not provided. The system administrator needs to create /etc/hosts.allow and /etc/hosts.deny manually as required.
4.1.18, 4.2.1.4                                 | Remediation configures the system to immutable mode.
4.2.1.2, 4.2.2.2                                | Editing file entries requires manual intervention to take effect.
1.6.1.4, 6.2.6, 6.2.16, 6.2.17, 6.2.18, 6.2.19  | The system administrator is required to approve configuration changes based on the organizational processes and policies.

Properties used by the rules

The following table lists the TARGET and LOCAL properties that the rules use, with their default values and, where the value is a list, the delimiter.

Target/Local property | Rule in which property is used | Property name | Default value / options | Delimiter
----------------------|--------------------------------|---------------|-------------------------|----------
TARGET | 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.16, 2.2.17 | MISSION_CRITICAL_PACKAGES | BLANK |
TARGET | 2.2.15 | DEFAULT_MTA | ??TARGET.BSA_CONTENT_DEFAULT_MTA?? |
LOCAL | 4.2.1.4 | LOGHOSTS_SEND | BLANK |
LOCAL | 1.1.17, 1.1.18, 1.1.19 | MEDIA_PARTITION_LIST | BLANK |
LOCAL | 4.1.1.1 | AUDIT_MAX_LOG_SIZE | 8 |
LOCAL | 5.6 | SUDO_GROUP_USER_LIST | root |
LOCAL | 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 3.5.1, 3.5.2, 3.5.3, 3.5.4 | KERNEL_MODULES | cramfs freevxfs jffs2 hfs hfsplus udf dccp sctp rds tipc |
LOCAL | 1.7.1.1 | BANNER_LONG_PART1 | BLANK |
LOCAL | 1.7.1.2 | BANNER_LONG_PART2 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.7.1.3 | BANNER_LONG_PART3 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.6.1.6 | EXCLUDE_DAEMONS_LIST | tr,ps,egrep,bash,awk | ,
LOCAL | 6.2.5 | USER_LIST | root |
LOCAL | 6.2.8, 6.2.9, 6.2.10, 6.2.13, 6.2.14 | EXCLUDED_USER_LIST | root,sync,halt,shutdown | ,
LOCAL | 6.2.7, 6.2.11, 6.2.12 | EXCLUDE_USERS_LIST | "root","sync","halt","shutdown" | LIST
LOCAL | 6.2.7, 6.2.11, 6.2.12 | NON_LOGIN_SHELLS_LIST | "/sbin/nologin","/bin/false","/usr/sbin/nologin" | LIST
LOCAL | 5.5 | SECURE_TERMINALS_LIST | BLANK |
LOCAL | 5.2.14 | SSH_ALLOW_GROUPS, SSH_ALLOW_USERS, SSH_DENY_GROUPS, SSH_DENY_USERS | BLANK |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_DAEMON_ENABLED_NAME | chrony (default); ntp is also available in the list |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_SERVERS_LIST | BLANK |
LOCAL | 4.2.3 | PACKAGE_ENABLED_NAME | rsyslog (default); syslog-ng is also available in the list |
LOCAL | 5.2.11 | MAC_ALGOS | hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
LOCAL | 5.2.12.1 | CLIENT_ALIVE_INTERVAL_COUNT | 300 |
LOCAL | 5.2.12.2 | CLIENT_ALIVE_COUNT_MAX | 3 |
LOCAL | 1.3.2 | AIDE_RUN_SCHEDULE | 0 5 * * * |
LOCAL | 4.1.18 | AUDIT_RULES_FILE | /etc/audit/audit.rules |
LOCAL | 1.7.2 | GNOME_BANNER_DISPLAY_CONF | /etc/gdm3/greeter.dconf-defaults |
LOCAL | 1.7.2 | BANNER_MSG | Authorized users only. All activity may be monitored and reported. |
LOCAL | 4.3 | LOGROTATE_FILES_RSYSLOG | See the list below (one path per line) |

Default value of LOGROTATE_FILES_RSYSLOG (rule 4.3), one log file per line:

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/syslog
