CIS: Red Hat Enterprise Linux 6


This document describes the hotfix that contains the Center for Internet Security (CIS) templates for the Red Hat Enterprise Linux 6 Benchmark Version 2.1.0. The hotfix implements 226 rules and can be installed on TrueSight Server Automation 8.9.00 onwards.

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Ensure that all compliance content provided by BMC in your environment is updated to at least version 8.9.
  • Save backup copies of the sensors folders, which are present on all Application Servers in your environment. The sensors folders contain the extended object scripts and are located at the following path on an Application Server:
    <Application_Server_installation_directory>/share/sensors

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using SFTP. Download the CIS - Red Hat Enterprise Linux 6.zip and extended_objects.zip packages from the following location:


    Verify the downloaded content by using the following checksums.

    S.No | File Name                            | MD5SUM
    1    | CIS - Red Hat Enterprise Linux 6.zip | F8B4F73C34DBEC302277CFFB2E6DBF69
    2    | extended_objects.zip                 | BC764AC4F6EBE53729FDBDB0249CE7E8

    Verify the extended objects present on the Application Server against the checksums in the following table. If the md5sums match, replace the files. If the md5sums do not match, the installed scripts differ from the shipped ones and you must merge the fixes manually.

    Extended Objects shipped with this template (part of extended_objects.zip)

    S.No | File Name                                        | MD5SUM
    1    | eo_common_code                                   | 379EB0082261C608BAB264221AC573F2
    2    | eo_executer                                      | 09F03F0CC726CFAE7E7CFCFD6D3C03A8
    3    | Eo-Audit_main                                    | 9BB214FD68CB0CA1583A30A6F9544341
    4    | EO-Banner                                        | 2A267414CFDD35CD2F9A07DC4F454BF6
    5    | EO-CIS_SUSE12_audit_conf                         | E4650679EC08BB92E7F53171DFE0BEE1
    6    | EO-Collect_use_of_privileged_commands_cis_suse12 | 2D44F00B226C08B03782273A4371D0CC
    7    | EO-Command_output_auditctl_complex_rules_new     | 73213AD580DE124434AFF8EFEF9EF9D6
    8    | EO-FindFiles                                     | D147E5D3D406307FFD86D0A30D2478CB
    9    | EO-Main                                          | 0F444988A48FC77F1FC396557EC64271
    10   | EO-Mount                                         | AC01B62C162852F0F2CFBA882F57DFE4
    11   | EO-package                                       | 13905A36015E02EC35E6449B277204D5
    12   | EO-Parameter_allowed_entries                     | FBF705947396956E442D78A396411DFF
    13   | EO-Parameter_denied_entries                      | E7517C8D4224750C8E095AB49582F059
    14   | EO-Parameter_functions                           | 93BA5D17B1BB9A2412AF9027D518098D
    15   | EO-Parameter_required_entries                    | C393287B012B38EE85C95EEDC4E090DA
    16   | Eo-Syslog                                        | 71199B84E38F3974A057631F559DF69A
    17   | EO-Umask                                         | 87D86E1DDC6EFE7FC12C93551699C6A5
    18   | EO-User_accounts                                 | A30197C76F059C3F9F1D33DA2EEF1FC2
    19   | EO-User_functions                                | 1B714FF9112D822B78E5A8308003B028
    20   | EO-User_home                                     | 79970DBBA970AED51DC146CACF17ED32
    21   | EO-Wireless                                      | 571FC075D852E7EB5E9B8A75B71238F7
    22   | findFiles                                        | B55F485A0CFC21C3E9F17A8D94F1240D
    23   | lib_filehandling                                 | 6ABD2EBBD96A2D23D9A7C23C1F8DFAE2
    24   | lib_user                                         | 343D30A2128764B93B4BE49F1B6894D5
    25   | lib_utils                                        | 4465765A2FBAD3A37E47DE75ED769D80
    26   | unix_svcs_status.Linux                           | F0B939741456C773679F6D58971A8E2D

  2. Move the CIS - Red Hat Enterprise Linux 6.zip package to your RCP client server.
  3. Extract the contents from the extended_objects.zip package and move them to a temporary location on all Application Servers.

Step 2: Replacing the extended object scripts on all Application Servers

Ensure that you perform the following steps on all the Application Servers in your environment:

  1. Navigate to the extended objects script files on your Application Server:

<Application_Server_installation_directory>/share/sensors/
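To carry out the extended-object check from Step 1 on an Application Server, here is an added POSIX shell script (not part of the hotfix or of BMC's tooling). It assumes you have saved the File Name and MD5SUM columns of the extended-objects table into a text file, one `<md5>  <file name>` pair per line, and that md5sum (or md5 on BSD-style systems) is on the PATH.

```shell
#!/bin/sh
# Added example: compare the installed extended-object scripts in the
# sensors directory against the MD5 list published with the hotfix.
#
# Expected-list format (assumed), one entry per line, same columns as the
# table in the hotfix notes:   <md5>  <file name>
# e.g.  379EB0082261C608BAB264221AC573F2  eo_common_code

# md5_of FILE -> prints the lowercase MD5 hex digest of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"            # macOS/BSD fallback
    fi
}

# check_sensors EXPECTED_LIST SENSORS_DIR
# Prints one line per listed file: MATCH, DIFFERS or MISSING, then the name.
# MATCH   -> installed copy is identical to the shipped one, safe to replace
# DIFFERS -> installed copy was changed locally, merge the fixes manually
# MISSING -> no installed copy, nothing to merge
# Returns 0 only when every listed file matches.
check_sensors() {
    list="$1"; dir="$2"; rc=0
    while read -r want name; do
        [ -z "$name" ] && continue
        # the hotfix table lists uppercase digests; md5sum prints lowercase
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$(md5_of "$path")" = "$want" ]; then
            echo "MATCH   $name"
        else
            echo "DIFFERS $name"; rc=1
        fi
    done < "$list"
    return $rc
}

# usage: ./check_sensors.sh expected.txt <Application_Server_installation_directory>/share/sensors
if [ "$#" -eq 2 ]; then
    check_sensors "$1" "$2"
fi
```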

Step 3: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and select Import.
    The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the CIS - Red Hat Enterprise Linux 6.zip package and click Next.
  5. The CIS template for CIS SuSE 12 is available in the CIS - Red Hat Enterprise Linux 6.zip package. To import the templates, select the zip file and click Next.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.


  6. Navigate to the last screen of the wizard and then click Finish.
    The templates are imported successfully.

Rules within the templates

The zip package provides 226 rules, of the following types:

  • Rules that check for compliance and provide remediation: 175
  • Rules that check for compliance but do not provide remediation: 43
  • Rules that neither check for compliance nor provide remediation: 8

Some rules are divided into parts, which changes the number of rules a compliance job reports:

  • Rules not divided into parts: 194
  • Rules divided into two parts: (20 * 2) = 40
  • Rules divided into three parts: (12 * 3) = 36

So, the rule count shown for the CIS SuSE 12 template after running the compliance job is 270 (194 + 40 + 36).

The following tables list the rules along with comments.

Rule IDs without compliance checks | Comments
1.2.2                              | GPG key values can vary because the administrator reviews them according to the site policy.
3.6.3, 3.6.4, 3.6.5                | Changing firewall settings while connected over the network can lock you out of the system.
4.2.2.4, 4.2.2.5, 4.2.1.5, 4.3     | Not Applicable

Rules with compliance checks but no remediation | Comments
1.1.11, 1.1.12, 1.1.13, 1.1.2, 1.1.6, 1.1.7, 1.4.2, 1.7.2, 1.8, 4.2.2.3, 5.4.2, 5.4.3, 5.6, 6.2.1, 6.2.11, 6.2.12, 6.2.14, 6.2.15, 6.2.20 | Remediation is not provided because it needs manual intervention by the System Administrator.
1.2.1, 1.2.2, 1.5.2 | Remediation is not available because the package update and configuration information depends on the organization.
3.7, 5.4.1.5, 5.5, 6.1.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.7 | Remediation must be performed manually with the required permissions.
3.4.2, 3.4.3 | Remediation is not provided. The System Administrator needs to create /etc/hosts.allow and /etc/hosts.deny manually as required.
4.1.18, 4.2.1.4 | Remediation configures the system to immutable mode.
4.2.1.2, 4.2.2.2 | Editing file entries requires manual intervention to take effect.
1.6.1.6, 6.2.6, 6.2.16, 6.2.17, 6.2.18, 6.2.19 | The System Administrator is required to approve configuration changes based on the organizational processes and policies.

The following table lists the target and local properties used by the rules.

Target/Local property | Rule in which property is used | Property name | Default value / options | Delimiter
TARGET | 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.16, 2.2.17 | MISSION_CRITICAL_PACKAGES | BLANK |
TARGET | 2.2.15 | DEFAULT_MTA | ??TARGET.BSA_CONTENT_DEFAULT_MTA?? |
LOCAL | 4.2.1.4 | LOGHOSTS_SEND | BLANK |
LOCAL | 1.1.18, 1.1.19, 1.1.20 | MEDIA_PARTITION_LIST | BLANK |
LOCAL | 4.1.1.1 | AUDIT_MAX_LOG_SIZE | BLANK |
LOCAL | 5.6 | WHEEL_GROUP_USER_LIST | root |
LOCAL | 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4 | KERNEL_MODULES | cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat dccp sctp rds tipc |
LOCAL | 1.7.1.1 | BANNER_LONG_PART1 | BLANK |
LOCAL | 1.7.1.2 | BANNER_LONG_PART2 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.7.1.3 | BANNER_LONG_PART3 | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.6.1.6 | EXCLUDE_DAEMONS_LIST | tr,ps,egrep,bash,awk | ,
LOCAL | 6.2.5 | USER_LIST | root |
LOCAL | 6.2.8, 6.2.9, 6.2.10, 6.2.13, 6.2.14 | EXCLUDED_USER_LIST | root,sync,halt,shutdown | ,
LOCAL | 6.2.7, 6.2.11, 6.2.12 | EXCLUDE_USERS_LIST | "root","sync","halt","shutdown" | LIST
LOCAL | 6.2.7, 6.2.11, 6.2.12 | NON_LOGIN_SHELLS_LIST | "/sbin/nologin","/bin/false" | LIST
LOCAL | 5.5 | SECURE_TERMINALS_LIST | BLANK |
LOCAL | 5.2.14 | SSH_ALLOW_GROUPS, SSH_ALLOW_USERS, SSH_DENY_GROUPS, and SSH_DENY_USERS | BLANK |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_DAEMON_ENABLED_NAME | (Default) chrony; also available in the list: ntp |
LOCAL | 2.2.1.2, 2.2.1.3 | NTP_SERVERS_LIST | BLANK |
LOCAL | 4.2.1.1, 4.2.1.2, 4.2.1.3, 4.2.1.4, 4.2.1.5, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5 | PACKAGE_ENABLED_NAME | (Default) rsyslog; also available in the list: syslog-ng |
LOCAL | 5.2.11 | MAC_ALGOS | hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
LOCAL | 5.2.12.1 | CLIENT_ALIVE_INTERVAL_COUNT | 300 |
LOCAL | 5.2.12.2 | CLIENT_ALIVE_COUNT_MAX | 3 |
LOCAL | 1.3.2 | AIDE_RUN_SCHEDULE | 0 5 * * * |
LOCAL | 4.1.18 | AUDIT_RULES_FILE | /etc/audit/audit.rules |
LOCAL | 1.7.2 | GNOME_BANNER_DISPLAY_CONF | /etc/dconf/db/gdm.d/01-banner-message |
LOCAL | 1.7.2 | BANNER_MSG | Authorized users only. All activity may be monitored and reported. |
LOCAL | 1.2.1 | REPOS_ENABLED | Yes |
LOCAL | 1.2.1 | REPOS_GPG_CHECK | (r)Yes |
LOCAL | ALL | SCORE_VALUE | (Default) ANY; also available in the list: SCORED, NOT SCORED |
LOCAL | ALL | CONFIGURATION_LEVEL | (Default) ALL; also available in the list: LEVEL-1, LEVEL-2 |
LOCAL | ALL | PROFILE_LEVEL | (Default) ANY; also available in the list: SERVER, WORKSTATION |

Note

The CIS Security Benchmark provides the following information (metadata) for every rule:

  • Scoring Information
  • Profile Level Information
  • Configuration Level Information

For example, rule 1.1.1.1, which ensures that mounting of cramfs filesystems is disabled, contains the following metadata:

  • Scored
  • Level 1 - Server
  • Level 1 - Workstation

A TrueSight Server Automation Compliance Job for CIS - Red Hat Enterprise Linux 6 can be executed based on this metadata.

To achieve this, the template provides the new local properties listed in the following table.

Metadata            | Property            | Values assigned
Scoring             | SCORE_VALUE         | (Default) ANY, SCORED, NOT SCORED
Profile Level       | PROFILE_LEVEL       | (Default) ANY, SERVER, WORKSTATION
Configuration Level | CONFIGURATION_LEVEL | (Default) ALL, LEVEL-1, LEVEL-2

If you want to execute the CIS - Red Hat Enterprise Linux 6 Compliance Job for only the rules classified as LEVEL 1, perform the following steps:

  1. Open the CIS - Red Hat Enterprise Linux 6 template and go to the Local Properties tab.
  2. Locate the CONFIGURATION_LEVEL property and select the LEVEL-1 value from the list.
  3. Save the template.
  4. Execute the compliance job.

The job executes only the rules in the LEVEL 1 category and evaluates the results for those rules. Rules that are not in the LEVEL 1 category are reported as Compliant.

Difference between benchmark version 2.1.0 and 2.0.0

The following table lists the rules that were modified for the SuSE Linux 12 Benchmark Version 2.1.0:

Rule ID | Change in Remediation | Change in Compliance
1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) | ✅ | ❌
1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored) | ✅ | ❌
1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored) | ✅ | ❌
1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored) | ✅ | ❌
1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored) | ✅ | ❌
1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored) | ✅ | ❌
1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) | ✅ | ❌
1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) | ✅ | ❌
1.4.3 Ensure authentication required for single user mode (Not Scored) | ✅ | ✅
1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored) | ✅ | ✅
3.1.1 Ensure IP forwarding is disabled (Scored) | ✅ | ✅
3.1.2 Ensure packet redirect sending is disabled (Scored) | ✅ | ✅
3.2.1 Ensure source routed packets are not accepted (Scored) | ✅ | ✅
3.2.2 Ensure ICMP redirects are not accepted (Scored) | ✅ | ✅
3.2.3 Ensure secure ICMP redirects are not accepted (Scored) | ✅ | ✅
3.2.4 Ensure suspicious packets are logged (Scored) | ✅ | ✅
3.2.5 Ensure broadcast ICMP requests are ignored (Scored) | ✅ | ✅
3.2.6 Ensure bogus ICMP responses are ignored (Scored) | ✅ | ✅
3.2.7 Ensure Reverse Path Filtering is enabled (Scored) | ✅ | ✅
3.2.8 Ensure TCP SYN Cookies is enabled (Scored) | ✅ | ✅
3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored) | ✅ | ✅
3.3.2 Ensure IPv6 redirects are not accepted (Not Scored) | ✅ | ✅
2.1.9 Ensure tftp server is not enabled (Scored) | ✅ | ✅
2.2.17 Ensure tftp server is not enabled (Scored) | ✅ | ✅
2.2.1.2 Ensure ntp is configured (Scored) | ✅ | ✅
2.2.1.3 Ensure chrony is configured (Scored) | ✅ | ✅
2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored) | ✅ | ✅
2.2.18 Ensure rsync service is not enabled (Scored) - New in 2.1.0 | ✅ | ✅
4.1.6 Ensure events that modify the system's network environment are collected (Scored) | ✅ | ✅
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored) | ✅ | ✅
4.1.9 Ensure session initiation information is collected (Scored) | ✅ | ✅
4.2.1.2 Ensure logging is configured (Not Scored) | ✅ | ✅
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) | ✅ | ✅
4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) | ✅ | ✅
4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts (Not Scored) | ✅ | ✅
5.2.11 Ensure only approved MAC algorithms are used (Scored) | ✅ | ✅
5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored) | ✅ | ✅
5.4.1.1 Ensure password expiration is 365 days or less (Scored) | ✅ | ✅
5.4.1.5 Ensure all users last password change date is in the past (Scored) - New in 2.1.0 | ✅ | ✅
5.4.4 Ensure default user umask is 027 or more restrictive (Scored) | ✅ | ✅
5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) - New in 2.1.0 | ✅ | ✅
6.1.3 Ensure permissions on /etc/shadow are configured (Scored) | ✅ | ✅
6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) - New in 2.1.0 | ✅ | ✅
6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) - New in 2.1.0 | ✅ | ✅
6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) | ✅ | ✅
6.1.8 Ensure permissions on /etc/group- are configured (Scored) | ✅ | ✅
6.2.20 Ensure shadow group is empty (Scored) - New in 2.1.0 | ✅ | ✅
5.2.11 Ensure only approved ciphers are used (Scored) - Removed in 2.1.0 | Not Applicable | Not Applicable
