Important

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Updating CIS for SuSE 12 to newer benchmarks

This document describes the hotfix that provides Center for Internet Security (CIS) templates for the SuSE Linux 12 Benchmark Version 2.1.0, with an implementation of 226 rules. The hotfix can be installed on TrueSight Server Automation 8.9.00 and later.

Before you begin

Before you install this hotfix, ensure that you have done the following:

  • Updated all compliance content provided by BMC in your environment to at least version 8.9.
  • Saved backup copies of the sensors folder on every Application Server in your environment. The sensors folder contains the extended object scripts and is located at the following path on an Application Server:
    <Application_Server_installation_directory>/share/sensors

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using SFTP and download the CIS - SUSE Enterprise Linux 12.zip and extended_objects.zip packages from the following location:

     Verify the downloaded packages against the following MD5 checksums before you extract them:

     S.No | File Name                          | MD5SUM
     1    | CIS - SUSE Enterprise Linux 12.zip | 9E5B34394241A39D51C6D529FD64620A
     2    | extended_objects.zip               | 08D7C12E9497CB09FF0D6FE2E9772661

     Next, compare the extended object scripts already present in share/sensors on each Application Server with the checksums of the versions shipped in extended_objects.zip, listed below. If the checksums match, replace the scripts. If they do not match, the local copies differ from the shipped versions and you must merge the fixes manually instead of overwriting them.

     Extended objects shipped with this template (part of extended_objects.zip):

     S. No | File Name                                        | MD5SUM
     1     | eo_common_code                                   | ED52FC43F39626FEB08EB165A441AF6A
     2     | eo_executer                                      | 3C72FB0F42991B6D1B33E3CC88B7727C
     3     | Eo-Audit_main                                    | 826F5E3DB47073E78ADA6FEC6796808C
     4     | EO-Banner                                        | DFDDFB5F05B3E22FE8169A3A67B199E2
     5     | EO-CIS_SUSE12_audit_conf                         | 92EF62195CCC2ADB5F6E2A3E69F96702
     6     | EO-Collect_use_of_privileged_commands_cis_suse12 | 48239713FF29F7F71F15F7693899E53D
     7     | EO-Command_output_auditctl_complex_rules_new     | B4545C7092D954D2A4A5E5D56A964B54
     8     | EO-FindFiles                                     | 58E3F78FB8B9E033DC6B722DD57D6D2D
     9     | EO-Main                                          | 83EFB310367739D9799AE475D884F382
     10    | EO-Mount                                         | 1C88BECEFCBE494AE6172C1BD8145F16
     11    | EO-package                                       | F00EFDD6875F707E245000E46BECE37D
     12    | EO-Parameter_allowed_entries                     | F0F436E304CFEB25013E5C74FCA6AF26
     13    | EO-Parameter_denied_entries                      | 48CDCA1A410F5D0CD83946B7A265C375
     14    | EO-Parameter_functions                           | E9B903DC280FAB638D0618CC14B32308
     15    | EO-Parameter_required_entries                    | 2F191E45888824A8392364DB5F486295
     16    | Eo-Syslog                                        | B0954FED88CD37E4BEA8BE236F7B9032
     17    | EO-Umask                                         | AA5F74F788114FB9E2B32BD72A6CDED6
     18    | EO-User_accounts                                 | EE43E2743507D770A72767B9C651814A
     19    | EO-User_functions                                | 012E6DC58E839A565FA6E2A3C199740C
     20    | EO-User_home                                     | 01688CCA83B1A67D110E834F1218C609
     21    | EO-Wireless                                      | 2414CD5A082DF7A7F2CA28C06C4C6071
     22    | findFiles                                        | F97A111BC46B0C30BD9B92D42BFA33F2
     23    | lib_filehandling                                 | FBEA6C92EEA7635AC20FA806D3EA60CC
     24    | lib_user                                         | 1B1AD994E45A01B0FC620394271B360E
     25    | lib_utils                                        | 80C91E9944028A5197D3537D9DF83B2F
     26    | unix_svcs_status.Linux                           | C665732FF44AD6791B83EE9D2C3586E4
     27    | EO-Logrotate                                     | E0BB9F8EF8B0D9D403A88B7FF6B36109
  2. Move the CIS - SUSE Enterprise Linux 12.zip package to the computer on which your RCP client (the Console) is installed.
  3. Extract the contents of the extended_objects.zip package and move them to a temporary location on every Application Server.
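The checksum comparison described in step 1 can be scripted rather than done by hand. The following Python script is an added example and is not part of the hotfix or of BMC's own tooling. It embeds the MD5 values from the two tables above; the function names, the demo directory and the demo file contents are constructed for illustration. For every shipped extended object it reports whether the copy already in share/sensors matches the shipped checksum (replace it), differs (merge the fixes manually) or is absent.

```python
"""Verify the downloaded hotfix packages and compare the extended object
scripts already installed in share/sensors with the shipped checksums.

Added example, not BMC code. Checksums are copied from the tables above;
the demo directory and file contents in run_demo() are constructed."""
import hashlib
import os
import tempfile

# MD5 checksums of the two downloadable packages (from the table above).
PACKAGE_MD5 = {
    "CIS - SUSE Enterprise Linux 12.zip": "9E5B34394241A39D51C6D529FD64620A",
    "extended_objects.zip": "08D7C12E9497CB09FF0D6FE2E9772661",
}

# MD5 checksums of the 27 extended objects shipped in extended_objects.zip.
SHIPPED_EO_MD5 = {
    "eo_common_code": "ED52FC43F39626FEB08EB165A441AF6A",
    "eo_executer": "3C72FB0F42991B6D1B33E3CC88B7727C",
    "Eo-Audit_main": "826F5E3DB47073E78ADA6FEC6796808C",
    "EO-Banner": "DFDDFB5F05B3E22FE8169A3A67B199E2",
    "EO-CIS_SUSE12_audit_conf": "92EF62195CCC2ADB5F6E2A3E69F96702",
    "EO-Collect_use_of_privileged_commands_cis_suse12": "48239713FF29F7F71F15F7693899E53D",
    "EO-Command_output_auditctl_complex_rules_new": "B4545C7092D954D2A4A5E5D56A964B54",
    "EO-FindFiles": "58E3F78FB8B9E033DC6B722DD57D6D2D",
    "EO-Main": "83EFB310367739D9799AE475D884F382",
    "EO-Mount": "1C88BECEFCBE494AE6172C1BD8145F16",
    "EO-package": "F00EFDD6875F707E245000E46BECE37D",
    "EO-Parameter_allowed_entries": "F0F436E304CFEB25013E5C74FCA6AF26",
    "EO-Parameter_denied_entries": "48CDCA1A410F5D0CD83946B7A265C375",
    "EO-Parameter_functions": "E9B903DC280FAB638D0618CC14B32308",
    "EO-Parameter_required_entries": "2F191E45888824A8392364DB5F486295",
    "Eo-Syslog": "B0954FED88CD37E4BEA8BE236F7B9032",
    "EO-Umask": "AA5F74F788114FB9E2B32BD72A6CDED6",
    "EO-User_accounts": "EE43E2743507D770A72767B9C651814A",
    "EO-User_functions": "012E6DC58E839A565FA6E2A3C199740C",
    "EO-User_home": "01688CCA83B1A67D110E834F1218C609",
    "EO-Wireless": "2414CD5A082DF7A7F2CA28C06C4C6071",
    "findFiles": "F97A111BC46B0C30BD9B92D42BFA33F2",
    "lib_filehandling": "FBEA6C92EEA7635AC20FA806D3EA60CC",
    "lib_user": "1B1AD994E45A01B0FC620394271B360E",
    "lib_utils": "80C91E9944028A5197D3537D9DF83B2F",
    "unix_svcs_status.Linux": "C665732FF44AD6791B83EE9D2C3586E4",
    "EO-Logrotate": "E0BB9F8EF8B0D9D403A88B7FF6B36109",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Return the upper-case hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def verify_package(path, expected_md5):
    """True if a downloaded package matches its published checksum."""
    return md5_of_file(path) == expected_md5.upper()


def classify_sensors(sensors_dir, manifest=SHIPPED_EO_MD5):
    """Apply the rule from the text to every shipped extended object:
    'match'   - local copy equals the shipped checksum: replace it
    'differs' - local copy was modified: merge the fixes manually
    'absent'  - no local copy exists in share/sensors yet"""
    verdicts = {}
    for name, expected in manifest.items():
        path = os.path.join(sensors_dir, name)
        if not os.path.isfile(path):
            verdicts[name] = "absent"
        elif md5_of_file(path) == expected.upper():
            verdicts[name] = "match"
        else:
            verdicts[name] = "differs"
    return verdicts


def run_demo():
    """Constructed demo: a fake sensors directory with one unmodified
    script, one locally edited script and one missing script."""
    manifest = {
        "eo_unmodified": "5D41402ABC4B2A76B9719D911017C592",  # md5(b"hello")
        "eo_edited": "5D41402ABC4B2A76B9719D911017C592",      # shipped md5(b"hello")
        "eo_new": "00000000000000000000000000000000",         # placeholder value
    }
    with tempfile.TemporaryDirectory() as sensors_dir:
        with open(os.path.join(sensors_dir, "eo_unmodified"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(sensors_dir, "eo_edited"), "wb") as fh:
            fh.write(b"hello # local customisation")
        return classify_sensors(sensors_dir, manifest)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:8} {name}")
```

On a real Application Server, call classify_sensors() with the path <Application_Server_installation_directory>/share/sensors and verify_package() on each downloaded zip; anything reported as "differs" must be merged by hand in Step 2 rather than overwritten.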

Step 2: Replacing the extended object scripts on all Application Servers

Perform the following steps on every Application Server in your environment:

  1. Navigate to the extended object script directory on the Application Server:

     <Application_Server_installation_directory>/share/sensors/

  2. Copy the extended object scripts that you extracted from extended_objects.zip into this directory, replacing the existing files. Where the checksum comparison in Step 1 showed that a script differs from the shipped version, merge the fixes into it manually instead of overwriting it.

Step 3: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and select Import.

     The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the CIS - SUSE Enterprise Linux 12.zip package, which contains the CIS SuSE 12 template, and click Next.

     Note

     Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.

  5. Navigate to the last screen of the wizard and click Finish.

     The templates are imported.

Rules within the templates

The zip package provides 226 rules of the following types:

  • Rules that check for compliance and provide remediation: 175
  • Rules that check for compliance but do not provide remediation: 44
  • Rules that neither check for compliance nor provide remediation: 7

Some rules are implemented in more than one part:

  • Rules not divided into parts: 194
  • Rules divided into two parts: 20 (20 * 2 = 40 parts)
  • Rules divided into three parts: 12 (12 * 3 = 36 parts)

Consequently, the rule count reported by the CIS SuSE 12 template after a compliance job has run is 270 (194 + 40 + 36).

The following tables list the rules along with comments.

Rule IDs without compliance checks | Comments
1.2.2 | GPG key values can vary because they are reviewed by the administrator according to the site policy.
3.6.3, 3.6.4, 3.6.5 | Changing firewall settings while connected over the network can result in being locked out of the system.
4.2.2.4, 4.2.2.5, 4.2.1.5 | Not applicable

Rules with compliance checks but no remediation | Comments
1.1.11, 1.1.12, 1.1.13, 1.1.2, 1.1.6, 1.1.7, 1.4.2, 1.7.2, 1.8, 4.2.2.3, 5.4.2, 5.4.3, 5.6, 6.2.1, 6.2.11, 6.2.12, 6.2.14, 6.2.15, 6.2.20 | Remediation is not provided because it requires manual intervention by the system administrator.
1.2.1, 1.2.2, 1.5.2 | Remediation is not available because package update and configuration information depends on the organization.
3.7, 5.4.1.5, 5.5, 6.1.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.7, 4.3 | Remediation must be performed manually with the required permissions.
3.4.2, 3.4.3 | Remediation is not provided. The system administrator must create /etc/hosts.allow and /etc/hosts.deny manually as required.
4.1.18, 4.2.1.4 | Remediation would put the system into immutable mode.
4.2.1.2, 4.2.2.2 | Editing file entries requires manual intervention to take effect.
1.6.1.6, 6.2.6, 6.2.16, 6.2.17, 6.2.18, 6.2.19 | The system administrator is required to approve configuration changes based on organizational processes and policies.
The following table lists the target and local properties used by the rules, with their default values and, where a value is a list, the delimiter that separates its items.

Target/Local property | Rules in which the property is used | Property name | Default value / options | Delimiter
TARGET | 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.16, 2.2.17 | MISSION_CRITICAL_PACKAGES | BLANK |
TARGET | 2.2.15 | DEFAULT_MTA | ??TARGET.BSA_CONTENT_DEFAULT_MTA?? |
LOCAL | 4.2.1.4 | LOGHOSTS_SEND | BLANK |
LOCAL | 1.1.18, 1.1.19, 1.1.20 | MEDIA_PARTITION_LIST | BLANK |
LOCAL | 4.1.1.1 | AUDIT_MAX_LOG_SIZE | BLANK |
LOCAL | 5.6 | WHEEL_GROUP_USER_LIST | root |
LOCAL | 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4 | KERNEL_MODULES | cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat dccp sctp rds tipc |
LOCAL | 1.7.1.1 | BANNER_LONG_PART1 | BLANK |
LOCAL | 1.7.1.2 | BANNER_LONG_PART2 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.7.1.3 | BANNER_LONG_PART3 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.6.1.6 | EXCLUDE_DAEMONS_LIST | tr,ps,egrep,bash,awk | ,
LOCAL | 6.2.5 | USER_LIST | root |
LOCAL | 6.2.8, 6.2.9, 6.2.10, 6.2.13, 6.2.14 | EXCLUDED_USER_LIST | root,sync,halt,shutdown | ,
LOCAL | 6.2.7, 6.2.11, 6.2.12 | EXCLUDE_USERS_LIST | "root","sync","halt","shutdown" | LIST
LOCAL | 6.2.7, 6.2.11, 6.2.12 | NON_LOGIN_SHELLS_LIST | "/sbin/nologin","/bin/false" | LIST
LOCAL | 5.5 | SECURE_TERMINALS_LIST | BLANK |
LOCAL | 5.2.14 | SSH_ALLOW_GROUPS, SSH_ALLOW_USERS, SSH_DENY_GROUPS, and SSH_DENY_USERS | BLANK |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_DAEMON_ENABLED_NAME | chrony (default); ntp is also available in the list |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_SERVERS_LIST | BLANK |
LOCAL | 4.2.1.1, 4.2.1.2, 4.2.1.3, 4.2.1.4, 4.2.1.5, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5 | PACKAGE_ENABLED_NAME | rsyslog (default); syslog-ng is also available in the list |
LOCAL | 5.2.11 | MAC_ALGOS | hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
LOCAL | 5.2.12.1 | CLIENT_ALIVE_INTERVAL_COUNT | 300 |
LOCAL | 5.2.12.2 | CLIENT_ALIVE_COUNT_MAX | 3 |
LOCAL | 1.3.2 | AIDE_RUN_SCHEDULE | 0 5 * * * |
LOCAL | 4.1.18 | AUDIT_RULES_FILE | /etc/audit/audit.rules |
LOCAL | 1.7.2 | GNOME_BANNER_DISPLAY_CONF | /etc/dconf/db/gdm.d/01-banner-message |
LOCAL | 1.7.2 | BANNER_MSG | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.2.1 | REPOS_ENABLED | Yes |
LOCAL | 1.2.1 | REPOS_GPG_CHECK | Yes |
LOCAL | 4.3 | LOGROTATE_FILES | /var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var/log/firewall /var/log/acpid /var/log/NetworkManager /var/log/mail /var/log/mail.info /var/log/mail.warn /var/log/mail.err /var/log/news/news.crit /var/log/news/news.err /var/log/news/news.notice |
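The property table mixes three list conventions (plain comma lists with an optional trailing comma, quoted LIST values, and the space-separated KERNEL_MODULES value), and the effect of a default is only visible once a rule applies it. The Python below is an added example, not BMC's extended-object code: it parses the three property formats and applies two defaults the way rules 5.2.11 (MAC_ALGOS, given here with the OpenSSH spelling umac-128-etm@openssh.com) and 1.1.1.x/3.5.x (KERNEL_MODULES) describe. The function names and the sshd_config and modprobe.d fragments are constructed for the example.

```python
"""Parse the template's delimited property values and show how two of them
drive a rule's check. Added example, not BMC extended-object code; the
sshd_config and modprobe.d contents below are constructed samples."""
import re

# Default values taken from the property table above.
MAC_ALGOS = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
             "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,"
             "umac-128@openssh.com")
KERNEL_MODULES = "cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat dccp sctp rds tipc"
EXCLUDED_USER_LIST = "root,sync,halt,shutdown,"          # delimiter ','
EXCLUDE_USERS_LIST = '"root","sync","halt","shutdown"'   # delimiter LIST


def parse_list_property(value, delimiter=","):
    """Turn a property value into a Python list.
    - BLANK or empty          -> []
    - delimiter 'LIST'        -> comma-separated, double-quoted items
    - any other delimiter     -> split and drop empty items, so the trailing
                                 comma in EXCLUDED_USER_LIST is harmless."""
    text = value.strip()
    if not text or text.upper() == "BLANK":
        return []
    if delimiter == "LIST":
        return re.findall(r'"([^"]*)"', text)
    return [item.strip() for item in text.split(delimiter) if item.strip()]


def check_ssh_macs(sshd_config, approved):
    """Rule 5.2.11: every MAC on the effective 'MACs' line must be approved.
    sshd uses the first occurrence of a keyword, so later lines are ignored.
    With no MACs line sshd falls back to its compiled-in default list, which
    this example treats as non-compliant. Returns (compliant, offending)."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(?i)^MACs\s+(\S+)", line)
        if match:
            configured = match.group(1).split(",")
            offending = [mac for mac in configured if mac not in approved]
            return (not offending, offending)
    return (False, ["<no MACs directive>"])


def check_modules_disabled(modprobe_conf, modules):
    """Rules 1.1.1.x and 3.5.x: each module in KERNEL_MODULES needs an
    'install <module> /bin/true' line so that it cannot be loaded.
    Returns the modules that lack such a line."""
    disabled = set(re.findall(r"(?m)^\s*install\s+(\S+)\s+/bin/true\b", modprobe_conf))
    return [mod for mod in modules if mod not in disabled]


# Constructed sshd_config fragments: the weak one still allows SHA-1.
WEAK_SSHD_CONFIG = """\
# constructed sample sshd_config
Protocol 2
MACs hmac-sha2-256,hmac-sha1
# sshd keeps the first MACs line; this second one has no effect
MACs hmac-sha2-512
"""
HARDENED_SSHD_CONFIG = "MACs " + MAC_ALGOS + "\n"

# Constructed /etc/modprobe.d fragment that forgot to disable vfat.
MODPROBE_CONF = "\n".join(
    f"install {mod} /bin/true"
    for mod in parse_list_property(KERNEL_MODULES, " ") if mod != "vfat"
) + "\n"


if __name__ == "__main__":
    approved = parse_list_property(MAC_ALGOS)
    print("weak sshd_config:    ", check_ssh_macs(WEAK_SSHD_CONFIG, approved))
    print("hardened sshd_config:", check_ssh_macs(HARDENED_SSHD_CONFIG, approved))
    print("modules still loadable:",
          check_modules_disabled(MODPROBE_CONF, parse_list_property(KERNEL_MODULES, " ")))
```

To run the checks against a real host, pass the contents of /etc/ssh/sshd_config and of the files in /etc/modprobe.d instead of the constructed samples. A misspelled algorithm name on the MACs line stops sshd from starting, so validate any edited configuration with sshd -t before restarting the service.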

Difference between benchmark version 2.1.0 and 2.0.0

The following table lists the rules that have been modified for SuSE Linux 12 Benchmark Version 2.1.0:

Rule ID | Change in remediation | Change in compliance
1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) | Yes | No
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored) | Yes | No
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored) | Yes | No
1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored) | Yes | No
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored) | Yes | No
1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored) | Yes | No
1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) | Yes | No
1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) | Yes | No
1.4.3 Ensure authentication required for single user mode (Not Scored) | Yes | Yes
1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored) | Yes | Yes
3.1.1 Ensure IP forwarding is disabled (Scored) | Yes | Yes
3.1.2 Ensure packet redirect sending is disabled (Scored) | Yes | Yes
3.2.1 Ensure source routed packets are not accepted (Scored) | Yes | Yes
3.2.2 Ensure ICMP redirects are not accepted (Scored) | Yes | Yes
3.2.3 Ensure secure ICMP redirects are not accepted (Scored) | Yes | Yes
3.2.4 Ensure suspicious packets are logged (Scored) | Yes | Yes
3.2.5 Ensure broadcast ICMP requests are ignored (Scored) | Yes | Yes
3.2.6 Ensure bogus ICMP responses are ignored (Scored) | Yes | Yes
3.2.7 Ensure Reverse Path Filtering is enabled (Scored) | Yes | Yes
3.2.8 Ensure TCP SYN Cookies is enabled (Scored) | Yes | Yes
3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored) | Yes | Yes
3.3.2 Ensure IPv6 redirects are not accepted (Not Scored) | Yes | Yes
2.1.9 Ensure tftp server is not enabled (Scored) | Yes | Yes
2.2.17 Ensure tftp server is not enabled (Scored) | Yes | Yes
2.2.1.2 Ensure ntp is configured (Scored) | Yes | Yes
2.2.1.3 Ensure chrony is configured (Scored) | Yes | Yes
2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored) | Yes | Yes
2.2.18 Ensure rsync service is not enabled (Scored) (new in 2.1.0) | Yes | Yes
4.1.6 Ensure events that modify the system's network environment are collected (Scored) | Yes | Yes
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored) | Yes | Yes
4.1.9 Ensure session initiation information is collected (Scored) | Yes | Yes
4.2.1.2 Ensure logging is configured (Not Scored) | Yes | Yes
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) | Yes | Yes
4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) | Yes | Yes
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts (Not Scored) | Yes | Yes
5.2.11 Ensure only approved MAC algorithms are used (Scored) | Yes | Yes
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored) | Yes | Yes
5.4.1.1 Ensure password expiration is 365 days or less (Scored) | Yes | Yes
5.4.1.5 Ensure all users last password change date is in the past (Scored) (new in 2.1.0) | Yes | Yes
5.4.4 Ensure default user umask is 027 or more restrictive (Scored) | Yes | Yes
5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) (new in 2.1.0) | Yes | Yes
6.1.3 Ensure permissions on /etc/shadow are configured (Scored) | Yes | Yes
6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) (new in 2.1.0) | Yes | Yes
6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) (new in 2.1.0) | Yes | Yes
6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) | Yes | Yes
6.1.8 Ensure permissions on /etc/group- are configured (Scored) | Yes | Yes
6.2.20 Ensure shadow group is empty (Scored) (new in 2.1.0) | Yes | Yes
5.2.11 Ensure only approved ciphers are used (Scored) (removed in 2.1.0) | Not applicable | Not applicable