def gen(cb):
    """Pass the TLS/SSL finding selectors and write-up to ``genParent.genr``.

    Builds one list mixing integer IDs and plugin-title strings, then hands
    it, with the report text, to ``genParent.genr(cb, ...)``. Returns nothing.

    NOTE(review): the integers look like scanner plugin IDs and the strings
    like plugin titles matched by name; confirm against ``genParent.genr``.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        57582,
        51192,
        45411,
        15901,
        60108,
        69551,
        73459,
        35291,
        # Cipher-strength entries: two IDs plus one title matched by name.
        42873,
        26928,
        "SSL Null Cipher Suites Supported",
        65821,
        31705,
        53491,
        20007,
        89058,
        # ID and title are listed side by side for the BEAST finding.
        58751,
        "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)",
        62565,
        78479,
        80035,
        42880,
        # Export-grade / small-modulus key exchange, selected by title only.
        "SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK)",
        "SSL/TLS EXPORT_DHE <= 512-bit Export Cipher Suites Supported (Logjam)",
        "SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)",
        94437,
        42053,
    ]
    report_text = (
        "TLS/SSL Multiple Issues\n"
        "A number of hosts have been found to be susceptible to several "
        "issues within services using the Transport Layer Security "
        "(TLS)/Secure Sockets Layer (SSL) protocol. "
        "These issues range from support for cryptographically weak ciphers "
        "that leave encrypted traffic vulnerable to decryption to "
        "certificate configuration errors that prevent a host's authenticity "
        "from being accurately determined, leaving traffic vulnerable to "
        "interception and redirection."
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the Windows build-review selectors and text to ``genParent.genr``.

    Every selector is a setting name wrapped in ``%``. Returns nothing.

    NOTE(review): ``%`` looks like a wildcard (SQL LIKE style), including the
    one embedded in the two NTLM SSP entries; confirm how ``genParent.genr``
    matches these strings.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        # Local account naming and anonymous enumeration.
        "%Rename administrator account%",
        "%Rename guest account%",
        "%Do not allow anonymous enumeration of SAM accounts and shares%",
        # User Account Control behaviour.
        "%Admin Approval Mode for the Built-in Administrator account%",
        "%Behavior of the Elevation Prompt for Administrators in Admin Approval Mode%",
        "%Apply UAC restrictions to local accounts on network logons%",
        # Interactive logon and cached credentials.
        "%Do not display last user name%",
        "%Number of previous logons to cache%",
        "%Require Domain Controller authentication to unlock workstation%",
        # NTLM session security, server and client side.
        "%Minimum session security for NTLM SSP based % servers%",
        "%Minimum session security for NTLM SSP based % clients%",
        "%LAPS AdmPwd GPO Extension / CSE%",
        "%Hardened UNC Paths%",
    ]
    report_text = (
        "Build Review\n"
        "The following section details the findings of a Windows system "
        "configuration build review carried out against network connected "
        "hosts.\n"
        "The current values set for the following settings are not seen to "
        "be in line with generic best practice guidelines (e.g. CIS). "
        "Some of these values may be set in a manner reflective of "
        "organisational policy and the risks presented by the use of such "
        "settings accepted as part of organisational policy. "
        "It is recommended that each setting be reviewed in order to ensure "
        "the host build is suitably hardened."
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the DNS finding selectors and write-up to ``genParent.genr``.

    The selector list holds one integer ID and one plugin title. Returns
    nothing.

    NOTE(review): the title has no ``%`` in it, so it is presumably matched
    exactly; confirm against ``genParent.genr``.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        35372,
        "DNS Server Cache Snooping Remote Information Disclosure",
    ]
    report_text = (
        "DNS services provide a mechanism to map human-readable names to IP "
        "addresses. "
        "Issues associated with such services can facilitate a variety of "
        "attacks which can lead to the disclosure of sensitive information."
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the NTP finding selectors and write-up to ``genParent.genr``.

    The selector list holds three integer IDs and one title pattern. Returns
    nothing.

    NOTE(review): ``%<%`` in the pattern looks like a wildcard match on
    "version < X" style titles; confirm how ``genParent.genr`` matches it.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        97861,
        43156,
        71783,
        "Network Time Protocol Daemon (ntpd) %<%",
    ]
    report_text = (
        "NTP Service Issues\n"
        "A number of hosts have been found with Network Time Protocol (NTP) "
        "server services listening. "
        "Each service is affected by at least one known issue introduced by "
        "a service misconfiguration or due to the service running on top of "
        "an older software version. "
        "These issues are typically limited to potential denial-of-service "
        "or information disclosure attacks."
    )
    genParent.genr(cb, selectors, report_text)
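def gen(cb):
    """Pass the HTTP-header finding selectors and text to ``genParent.genr``.

    All four selectors are issue titles given as plain strings (no integer
    IDs, no ``%``). Returns nothing.

    NOTE(review): without ``%`` these are presumably matched exactly, so a
    renamed issue title would silently drop out of the report; confirm
    against ``genParent.genr``.
    """
    plugin_ids = [
        "Cacheable HTTPS response",
        "Strict transport security not enforced",
        "Frameable response (potential Clickjacking)",
        "Browser cross-site scripting filter misconfiguration",
    ]
    # This text goes to genr as the finding write-up, so spelling matters.
    description = (
        "HTTP Header Configuration\n"
        "The following issues relate to the HTTP headers issued by the "
        "server. "
        "HTTP headers can be used to enable additional security "
        "functionality within client browsers that reduce the risks from "
        "certain classes of web application vulnerabilities."
    )
    genParent.genr(cb, plugin_ids, description)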
def gen(cb):
    """Pass the ActiveX-control finding selectors and text to ``genParent.genr``.

    The selector list mixes integer IDs, vendor-prefix patterns ending in
    ``%`` and full plugin titles. Returns nothing.

    NOTE(review): a trailing ``%`` looks like a prefix wildcard, which would
    select every finding whose title starts with that vendor name; confirm
    that breadth is intended and how ``genParent.genr`` matches it.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        51894,
        51895,
        26014,
        # Vendor-prefix patterns.
        "Macrovision FLEXnet %",
        "FLEXNet %",
        "Data Dynamics %",
        # Individual controls, selected by full title.
        "EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows",
        "Oracle Document Capture Multiple Vulnerabilities",
        "Adobe SVG Viewer Circle Transform Remote Code Execution",
        "Evernote < 5.8.1 ActiveX Control Arbitrary File Overwrite",
        "Autodesk Design Review AdView.AdViewer ActiveX Control RCE",
        "Autodesk IDrop ActiveX Control Heap Corruption",
    ]
    report_text = (
        "ActiveX Controls\n"
        "Hosts have been identified with vulnerable ActiveX controls "
        "installed. "
        "Hosts would be at risk of remote compromise if a user was tricked "
        "into accessing malicious resources.\n"
        "<url>https://support.microsoft.com/kb/240797</url>\n\n"
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the outdated-client-software selectors and text to ``genParent.genr``.

    Every selector is a string: product-name patterns containing ``%`` and a
    few complete plugin titles. Returns nothing.

    NOTE(review): ``%`` looks like a wildcard (SQL LIKE style). Patterns such
    as ``"Firefox %"`` would then take in every finding for that product,
    whatever its severity; confirm that grouping is intended and how
    ``genParent.genr`` matches these strings.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        # Browser plug-ins and document readers.
        "Flash Player %",
        "Adobe Flash Player %",
        "Shockwave Player %",
        "Adobe Shockwave Player %",
        "Adobe Reader %",
        "Adobe Acrobat %",
        "Firefox %",
        "Mozilla Foundation Unsupported Application Detection",
        "Mozilla Firefox %",
        "Adobe AIR %",
        "Oracle Java %",
        "Sun Java %",
        "Citrix ICA Client%",
        "Citrix XenApp Online Plug-in %",
        "Citrix Receiver / Online Plug-in Remote Code Execution (CTX134681)",
        "Google Chrome %",
        "Wireshark %",
        "VLC %",
        "VMware vSphere Client %",
        "Cisco VPN Client cvpnd.exe Privilege Escalation",
        "Cisco VPN Client Unsupported",
        "Microsoft Silverlight Unsupported Version Detection (Windows)",
        "HP Version Control Agent (VCA) < %",
        "HP Version Control Repository Manager%",
        "FileZilla Client %",
        # Unsupported or out-of-date Microsoft products.
        "Microsoft Internet Explorer Unsupported Version Detection",
        "Microsoft Office Service Pack Out of Date",
        "Microsoft Office Unsupported Version Detection",
        "Microsoft .NET Framework Unsupported",
        "Microsoft .NET Framework Service Pack Out of Date",
        "Microsoft SQL Server Unsupported Version Detection",
        "Microsoft Visio Unsupported Version Detection",
        "Adobe Digital Editions%",
        "WinZIP Unsupported",
        "7-Zip Unsupported",
        "7-Zip < 16%",
        "WinSCP %",
        "PuTTY %",
        "IBM Notes %",
        "Lotus Notes %",
        "IBM Lotus Notes %",
        "IBM DB2 9.7 %",
        "IBM Tivoli Storage Manager Client %",
        "IBM Spectrum Protect Client%",
        "IBM Domino %",
        "HP Systems Insight Manager < %",
        "OpenVPN %",
        "Firebird SQL Server %",
        "VMware vCenter / vRealize Orchestrator %",
        "Google SketchUp %",
        "Adobe Photoshop %",
        "Photoshop %",
        "Adobe Flash Professional%",
        "Adobe Illustrator %",
        "Apple Quicktime %",
        "Quicktime %",
        "VMware Player %",
        "Adobe Camera Raw %",
        "Apple Software Update Insecure Transport",
        "LibreOffice < %",
        "Apache OpenOffice <%",
        "Apple iTunes < %",
        "Autodesk AutoCAD%",
        "Autodesk Design Review <%",
        "Cygwin <%",
        "VMware Horizon View Client%(VMSA-%",
        "VMware Horizon View Client <%",
    ]
    report_text = (
        "Outdated Client Software\n"
        "Several instances of outdated client software have been found on "
        "systems across the network. "
        "Client software does not generally present services to the network "
        "and therefore does not pose a direct threat to the hosting system; "
        "however, if a user can be made to access malicious files or URLs, "
        "an attacker can potentially exploit issues within the software to "
        "execute code with the privilege level of the user running the "
        "software."
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the AIX 7.1 build-review selectors and text to ``genParent.genr``.

    Every selector is a check-name string, most wrapped in ``%``. Returns
    nothing.

    NOTE(review): ``%`` looks like a wildcard (SQL LIKE style). Several
    entries below start with ``%`` but do not end with it, so they would
    match only names ending exactly at that text; confirm that is intended
    and how ``genParent.genr`` matches these strings.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        # /etc/security/user password and login attributes.
        "%/etc/security/user - mindiff%",
        "%/etc/security/user - minage%",
        "%/etc/security/user - maxage%",
        "%/etc/security/user - minlen%",
        "%/etc/security/user - minalpha%",
        "%/etc/security/user - minother%",
        "%/etc/security/user - maxrepeats%",
        "%/etc/security/user - histexpire%",
        "%/etc/security/user - histsize%",
        "%/etc/security/user - maxexpired%",
        "%/etc/security/user - minloweralpha%",
        "%/etc/security/user - minupperalpha%",
        "%/etc/security/user - mindigit%",
        "%/etc/security/user - minspecialchar%",
        "%/etc/security/user - loginretries%",
        "%/etc/security/user - rlogin%",
        "%/etc/security/user - sugroups%",
        # inetd services and crontab.
        "%/etc/inetd.conf - telnet%",
        "%/etc/inetd.conf - FTP%",
        "%crontab permissions%",
        # SSH daemon configuration.
        "%Configuring SSH - disabling direct root access%",
        "%Configuring SSH - server protocol 2%",
        "%Configuring SSH - server protocol - Protocol 2%",
        "%Configuring SSH - ignore .shosts and .rhosts%",
        "%Configuring SSH - disable null passwords%",
        "%Configuring SSH - set LogLevel to INFO%",
        "%Configuring SSH - set MaxAuthTries to 4 or Less%",
        "%Configuring SSH - set Idle Timeout Interval for User Login - ClientAliveCountMax%",
        "%Configuring SSH - set Idle Timeout Interval for User Login - ClientAliveInterval%",
        "%Configuring SSH - restrict Cipher list%",
        "%Configuring SSH - ignore user-provided environment variables%",
        "%Configuring SSH - sshd_config permissions lockdown%",
        # sendmail and NFS.
        "%/etc/mail/sendmail.cf - SmtpGreetingMessage%",
        "%/etc/mail/sendmail.cf - permissions and ownership%",
        "%/var/spool/mqueue - permissions and ownership%",
        "%NFS - nosuid on NFS client mounts%",
        # File permissions and ownership.
        # Disabled in the original: "%Permissions and Ownership - /smit.log%"
        "%Permissions and Ownership - /var/adm/cron/log%",
        "%Permissions and Ownership - /var/adm/cron/log root:cron 660",
        "%Permissions and Ownership - /var/spool/cron/crontabs - files%",
        "%Permissions and Ownership - /var/spool/cron/crontabs/ root:cron 770",
        "%Permissions and Ownership - /var/adm/cron/at.allow%",
        "%Permissions and Ownership - /var/adm/cron/at.allow root:sys 400",
        "%Permissions and Ownership - /var/adm/cron/cron.allow%",
        "%Permissions and Ownership - /var/adm/cron/cron.allow root:sys 400%",
        "%Permissions and Ownership - /var/adm/ras%",
        "%Permissions and Ownership - /var/adm/ras/* files are not world readable or writable",
        "%Permissions and Ownership - /var/ct/RMstart.log%",
        "%Permissions and Ownership - /var/ct/RMstart.log root:system 640",
        # Disabled in the original:
        # "%Permissions and Ownership - /var/tmp/dpid2.log%"
        "%Permissions and Ownership - /var/adm/sa%",
        "%Permissions and Ownership - /var/adm/sa adm:adm 755",
        "%Permissions and Ownership - home directory configuration files%",
        "%Permissions and Ownership - home directory permissions - existing home directories%",
        "%Permissions and Ownership - home directory permissions - new home directories%",
        "%Permissions and Ownership - world/group writable directory in root PATH%",
        # at/cron authorisation lists.
        "%Miscellaneous Config - authorized users in at.allow - adm%",
        "%Miscellaneous Config - authorized users in at.allow - sys%",
        "%Miscellaneous Config - authorized users in at.allow - at.allow contains adm",
        "%Miscellaneous Config - authorized users in at.allow - at.allow contains sys",
        "%Miscellaneous Config - authorized users in cron.allow - adm%",
        "%Miscellaneous Config - authorized users in cron.allow - sys%",
        "%Miscellaneous Config - authorized users in cron.allow - cron.allow contains adm",
        "%Miscellaneous Config - authorized users in cron.allow - cron.allow contains sys",
        "%Miscellaneous Config - authorized users in cron.allow - cron.allow contains no other entries besides sys and adm",
        # NOTE(review): the next pattern is listed twice in the original;
        # both are kept. Confirm whether genr tolerates duplicates.
        "%Miscellaneous Config - all unlocked accounts must have a password%",
        "%Miscellaneous Config - all unlocked accounts must have a password%",
        # Unneeded users and groups.
        "%Miscellaneous Config - unnecessary user and group removal - /etc/group - printq%",
        "%Miscellaneous Config - unnecessary user and group removal - /etc/group - uucp%",
        "%Miscellaneous Config - unnecessary user and group removal - /etc/passwd - lpd%",
        "%Miscellaneous Config - unnecessary user and group removal - /etc/passwd - nuucp%",
        "%Miscellaneous Config - unnecessary user and group removal - /etc/passwd - uucp%",
        "%Miscellaneous Config - ftp umask%",
    ]
    report_text = (
        "Build Review\n"
        "The following finding details the observations made during a "
        "system build review carried out against one or more AIX 7.1 "
        "hosts.\n"
        "The assessed host(s) were each seen to be running a deployment of "
        "AIX 7.1. "
        "Their present configuration was compared against the recommended "
        "settings for AIX deployments laid out within the CIS benchmarks "
        "and the following observations were made.\n\n"
        "<url>https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_7.1_Benchmark_v1.1.0.pdf</url>"
    )
    genParent.genr(cb, selectors, report_text)
def gen(cb):
    """Pass the RHEL build-review selectors and text to ``genParent.genr``.

    Every selector is a check-name string wrapped in ``%``; the report text
    cites the CIS Red Hat Enterprise Linux 7 benchmark. Returns nothing.

    NOTE(review): ``%`` looks like a wildcard (SQL LIKE style); confirm how
    ``genParent.genr`` matches these strings.
    """
    appendices = []  # never read in this function; kept from the original
    selectors = [
        # Users, groups and home directories.
        "%Ensure no duplicate group names exist%",
        "%Ensure no duplicate user names exist%",
        "%Ensure no duplicate GIDs exist%",
        "%Ensure no duplicate UIDs exist%",
        "%Ensure all groups in /etc/passwd exist in /etc/group%",
        "%Ensure no users have .rhosts files%",
        "%Ensure users .netrc Files are not group or world accessible%",
        "%Ensure no users have .netrc files%",
        "%Ensure no users have .forward files%",
        "%Ensure users dot files are not group or world writable%",
        "%Ensure users own their home directories%",
        "%Ensure users home directories permissions are 750 or more restrictive%",
        "%Ensure all users home directories exist%",
        "%Ensure root PATH Integrity%",
        "%Ensure root is the only UID 0 account%",
        "%Ensure no legacy + entries exist in /etc/group%",
        "%Ensure no legacy + entries exist in /etc/shadow%",
        "%Ensure no legacy + entries exist in /etc/passwd%",
        "%Ensure password fields are not empty%",
        # File ownership, SUID/SGID and account-database permissions.
        "%Audit SGID executables%",
        "%Audit SUID executables%",
        "%Ensure no ungrouped files or directories exist%",
        "%Ensure no unowned files or directories exist%",
        "%Ensure no world writable files exist%",
        "%Ensure permissions on /etc/gshadow- are configured%",
        "%Ensure permissions on /etc/group- are configured%",
        "%Ensure permissions on /etc/shadow- are configured%",
        "%Ensure permissions on /etc/passwd- are configured%",
        "%Ensure permissions on /etc/gshadow are configured%",
        "%Ensure permissions on /etc/group are configured%",
        "%Ensure permissions on /etc/shadow are configured%",
        "%Ensure permissions on /etc/passwd are configured%",
        # su, root login and default account settings.
        "%Ensure access to the su command is restricted - wheel group contains root%",
        "%Ensure access to the su command is restricted - pam_wheel.so%",
        "%Ensure root login is restricted to system console%",
        "%Ensure default user umask is 027 or more restrictive - /etc/profile%",
        "%Ensure default user umask is 027 or more restrictive - /etc/bashrc%",
        "%Ensure default group for the root account is GID 0%",
        "%Ensure system accounts are non-login%",
        # Password ageing, hashing and reuse.
        "%Ensure inactive password lock is 30 days or less%",
        "%Ensure password expiration warning days is 7 or more%",
        "%Ensure minimum days between password changes is 7 or more%",
        "%Ensure password expiration is 90 days or less%",
        "%Ensure password hashing algorithm is SHA-512 - password-auth%",
        "%Ensure password hashing algorithm is SHA-512 - system-auth%",
        "%Ensure password reuse is limited - password-auth%",
        "%Ensure password reuse is limited - system-auth%",
        # PAM lockout on failed password attempts.
        "%Lockout for failed password attempts - password-auth auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900%",
        "%Lockout for failed password attempts - password-auth auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900%",
        "%Lockout for failed password attempts - password-auth auth [success=1 default=bad] pam_unix.so%",
        "%Lockout for failed password attempts - password-auth auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900%",
        "%Lockout for failed password attempts - system-auth auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900%",
        "%Lockout for failed password attempts - system-auth auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900%",
        "%Lockout for failed password attempts - system-auth auth [success=1 default=bad] pam_unix.so%",
        "%Lockout for failed password attempts - system-auth auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900%",
        # Password creation requirements.
        "%Ensure password creation requirements are configured - lcredit%",
        "%Ensure password creation requirements are configured - ocredit%",
        "%Ensure password creation requirements are configured - ucredit%",
        "%Ensure password creation requirements are configured - dcredit%",
        "%Ensure password creation requirements are configured - minlen%",
        "%Ensure password creation requirements are configured - system-auth retry=3%",
        "%Ensure password creation requirements are configured - password-auth retry=3%",
        "%Ensure password creation requirements are configured - system-auth try_first_pass%",
        "%Ensure password creation requirements are configured - password-auth try_first_pass%",
        # SSH daemon configuration.
        "%Ensure SSH warning banner is configured%",
        "%Ensure SSH access is limited%",
        "%Ensure SSH LoginGraceTime is set to one minute or less%",
        "%Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax%",
        "%Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval%",
        "%Ensure only approved MAC algorithms are used%",
        "%Ensure only approved ciphers are used%",
        "%Ensure SSH PermitUserEnvironment is disabled%",
        "%Ensure SSH PermitEmptyPasswords is disabled%",
        "%Ensure SSH root login is disabled%",
        "%Ensure SSH HostbasedAuthentication is disabled%",
        "%Ensure SSH IgnoreRhosts is enabled%",
        "%Ensure SSH MaxAuthTries is set to 4 or less%",
        "%Ensure SSH X11 forwarding is disabled%",
        "%Ensure SSH LogLevel is set to INFO%",
        "%Ensure SSH Protocol is set to 2%",
        "%Ensure permissions on /etc/ssh/sshd_config are configured%",
        # at/cron access and permissions.
        "%Ensure at/cron is restricted to authorized users - at.deny%",
        "%Ensure at/cron is restricted to authorized users - at.allow%",
        "%Ensure at/cron is restricted to authorized users - cron.deny%",
        "%Ensure at/cron is restricted to authorized users - cron.allow%",
        "%Ensure permissions on /etc/cron.d are configured%",
        "%Ensure permissions on /etc/cron.monthly are configured%",
        "%Ensure permissions on /etc/cron.weekly are configured%",
        "%Ensure permissions on /etc/cron.daily are configured%",
        "%Ensure permissions on /etc/cron.hourly are configured%",
        "%Ensure permissions on /etc/crontab are configured%",
        "%Ensure cron daemon is enabled%",
        # Logging.
        "%Ensure logrotate is configured%",
        "%Ensure permissions on all logfiles are configured%",
        "%Ensure rsyslog or syslog-ng is installed%",
        "%Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514%",
        "%Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so%",
        "%Ensure rsyslog is configured to send logs to a remote log host%",
        "%Ensure rsyslog default file permissions configured%",
        "%Ensure logging is configured%",
        "%Ensure rsyslog Service is enabled%",
        # Wireless, firewall and uncommon network protocols.
        "%Ensure wireless interfaces are disabled%",
        "%Ensure firewall rules exist for all open ports%",
        "%Ensure outbound and established connections are configured%",
        "%Ensure loopback traffic is configured%",
        "%Ensure default deny firewall policy - Chain OUTPUT%",
        "%Ensure default deny firewall policy - Chain FORWARD%",
        "%Ensure default deny firewall policy - Chain INPUT%",
        "%Ensure iptables is installed%",
        "%Ensure TIPC is disabled%",
        "%Ensure RDS is disabled%",
        "%Ensure SCTP is disabled%",
        "%Ensure DCCP is disabled%",
        # TCP Wrappers.
        "%Ensure permissions on /etc/hosts.deny are 644%",
        "%Ensure permissions on /etc/hosts.allow are configured%",
        "%Ensure /etc/hosts.deny is configured%",
        "%Ensure /etc/hosts.allow is configured%",
        "%Ensure TCP Wrappers is installed%",
        # IPv6 and IPv4 kernel network parameters.
        "%Ensure IPv6 is disabled%",
        "%Ensure IPv6 redirects are not accepted - net.ipv6.conf.all.accept_redirects = 0%",
        "%Ensure IPv6 redirects are not accepted - net.ipv6.conf.default.accept_redirects = 0%",
        "%Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0%",
        "%Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0%",
        "%Ensure TCP SYN Cookies is enabled%",
        "%Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1%",
        "%Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1%",
        "%Ensure bogus ICMP responses are ignored%",
        "%Ensure broadcast ICMP requests are ignored%",
        "%Ensure suspicious packets are logged - net.ipv4.conf.default.log_martians = 1%",
        "%Ensure suspicious packets are logged - net.ipv4.conf.all.log_martians = 1%",
        "%Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects = 0%",
        "%Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects = 0%",
        "%Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects = 0%",
        "%Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects = 0%",
        "%Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route = 0%",
        "%Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route = 0%",
        "%Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects = 0%",
        "%Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects = 0%",
        # Legacy clients and network services.
        "%Ensure LDAP client is not installed%",
        "%Ensure telnet client is not installed%",
        "%Ensure talk client is not installed%",
        "%Ensure rsh client is not installed%",
        "%Ensure NIS Client is not installed%",
        "%Ensure rsync service is not enabled%",
        "%Ensure tftp server is not enabled%",
        "%Ensure telnet server is not enabled%",
        "%Ensure talk server is not enabled%",
        "%Ensure rsh server is not enabled - rsh%",
        "%Ensure rsh server is not enabled - rlogin%",
        "%Ensure rsh server is not enabled - rexec%",
        "%Ensure NIS Server is not enabled%",
        "%Ensure mail transfer agent is configured for local-only mode%",
        "%Ensure SNMP Server is not enabled%",
        "%Ensure HTTP Proxy Server is not enabled%",
        "%Ensure Samba is not enabled%",
        "%Ensure IMAP and POP3 server is not enabled%",
        "%Ensure HTTP server is not enabled%",
        "%Ensure FTP Server is not enabled%",
        "%Ensure DNS Server is not enabled%",
        "%Ensure NFS and RPC are not enabled - RPC%",
        "%Ensure NFS and RPC are not enabled - NFS%",
        "%Ensure LDAP server is not enabled%",
        "%Ensure DHCP Server is not enabled%",
        "%Ensure CUPS is not enabled%",
        "%Ensure Avahi Server is not enabled%",
        "%Ensure X Window System is not installed%",
        # Time synchronisation.
        "%Ensure chrony is configured - OPTIONS%",
        "%Ensure chrony is configured - NTP server%",
        "%Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp%",
        "%Ensure ntp is configured - NTP Server%",
        "%Ensure ntp is configured - restrict -6%",
        "%Ensure ntp is configured - restrict -4%",
        "%Ensure time synchronization is in use%",
        # xinetd and its built-in services.
        "%Ensure xinetd is not enabled%",
        # NOTE(review): this tftp pattern also appears earlier in the list;
        # both are kept. Confirm whether genr tolerates duplicates.
        "%Ensure tftp server is not enabled%",
        "%Ensure time services are not enabled - time-dgram%",
        "%Ensure time services are not enabled - time-stream%",
        "%Ensure echo services are not enabled - echo-dgram%",
        "%Ensure echo services are not enabled - echo-stream%",
        "%Ensure discard services are not enabled - discard-dgram%",
        "%Ensure discard services are not enabled - discard-stream%",
        "%Ensure daytime services are not enabled - daytime-dgram%",
        "%Ensure daytime services are not enabled - daytime-stream%",
        "%Ensure chargen services are not enabled - chargen-dgram%",
        "%Ensure chargen services are not enabled - chargen-stream%",
        # Patching and login banners.
        "%Ensure updates, patches, and additional security software are installed%",
        "%Ensure GDM login banner is configured - not installed%",
        "%Ensure permissions on /etc/issue.net are configured%",
        "%Ensure permissions on /etc/issue are configured%",
        "%Ensure permissions on /etc/motd are configured%",
        "%Ensure remote login warning banner is configured properly%",
        "%Ensure local login warning banner is configured properly%",
        "%Ensure message of the day is configured properly%",
        # Process hardening.
        "%Ensure prelink is disabled%",
        "%Ensure address space layout randomization (ASLR) is enabled%",
        "%Ensure XD/NX support is enabled%",
        "%Ensure core dumps are restricted - sysctl%",
        "%Ensure core dumps are restricted - limits.conf%",
        # Boot and single-user mode.
        "%Ensure authentication required for single user mode - emergency.service%",
        "%Ensure authentication required for single user mode - rescue.service%",
        "%Ensure bootloader password is set - password_pbkdf2%",
        "%Ensure bootloader password is set - set superusers%",
        "%Ensure permissions on bootloader config are configured%",
        # Filesystem integrity and package management.
        "%Ensure filesystem integrity is regularly checked%",
        "%Ensure AIDE is installed%",
        "%Ensure Red Hat Network or Subscription Manager connection is configured%",
        "%Ensure GPG keys are configured%",
        "%Ensure gpgcheck is globally activated%",
        "%Ensure package manager repositories are configured%",
        # Mount options and filesystem modules.
        "%Disable Automounting%",
        "%Ensure sticky bit is set on all world-writable directories%",
        "%Ensure noexec option set on /dev/shm partition%",
        "%Ensure nosuid option set on /dev/shm partition%",
        "%Ensure nodev option set on /dev/shm partition%",
        "%Ensure nodev option set on /home partition%",
        "%Ensure noexec option set on /var/tmp partition%",
        "%Ensure nosuid option set on /var/tmp partition%",
        "%Ensure nodev option set on /var/tmp partition%",
        "%Ensure noexec option set on /tmp partition%",
        "%Ensure nosuid option set on /tmp partition%",
        "%Ensure nodev option set on /tmp partition%",
        "%Ensure mounting of FAT filesystems is disabled%",
        "%Ensure mounting of udf filesystems is disabled%",
        "%Ensure mounting of squashfs filesystems is disabled%",
        "%Ensure mounting of hfsplus filesystems is disabled%",
        "%Ensure mounting of hfs filesystems is disabled%",
        "%Ensure mounting of jffs2 filesystems is disabled%",
        "%Ensure mounting of freevxfs filesystems is disabled%",
        "%Ensure mounting of cramfs filesystems is disabled%",
    ]
    report_text = (
        "The following section details the findings of a RHEL system "
        "configuration build review carried out against network connected "
        "hosts.\n"
        "The current values set for the following settings are not seen to "
        "be in line with generic best practice guidelines (e.g. CIS). "
        "Some of these values may be set in a manner reflective of "
        "organisational policy and the risks presented by the use of such "
        "settings accepted as part of organisational policy. "
        "It is recommended that each setting be reviewed in order to ensure "
        "the host build is suitably hardened.\n"
        "<url>https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.1.pdf</url>"
    )
    genParent.genr(cb, selectors, report_text)