1 - Initial Configuration#

1.1 - Filesystem Configuration#

1.1.1 Disable unused filesystems#

1.1.1.1 - 1.1.1.6 Disable mounting of unnecessary filesystems#

Disable mounting of the following filesystems:

  • cramfs

  • freevxfs

  • jffs2

  • hfs

  • hfsplus

  • udf

To ensure a filesystem is not mounted:

Create the file /etc/modprobe.d/MODULE_NAME.conf containing:

install MODULE_NAME /bin/true

Then, if the module is currently loaded, unload it by running rmmod MODULE_NAME
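As an added example (not a script from the CIS-Breakdown repository), the following shell functions write the install override for each filesystem module listed above and verify that every module has one. MODPROBE_DIR is an assumed variable so the functions can be pointed at a scratch directory instead of /etc/modprobe.d.

```bash
#!/bin/sh
# Added example: disable the filesystem modules from 1.1.1.x via modprobe.d.
# MODPROBE_DIR is an assumption (defaults to the real directory) so the
# functions can be exercised against a scratch directory without root.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus udf"

# Write MODPROBE_DIR/<module>.conf so modprobe runs /bin/true instead of loading it.
disable_fs_module() {
  mod="$1"
  printf 'install %s /bin/true\n' "$mod" > "$MODPROBE_DIR/$mod.conf"
}

# Return 0 if any .conf in MODPROBE_DIR carries the install override for the module.
fs_module_disabled() {
  mod="$1"
  grep -qsE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/true([[:space:]]|$)" \
    "$MODPROBE_DIR"/*.conf
}

# Write the override for every module in FS_MODULES.
disable_all_fs_modules() {
  for mod in $FS_MODULES; do
    disable_fs_module "$mod"
  done
}

# Print the modules from FS_MODULES that still lack an override (empty = compliant).
list_undisabled_fs_modules() {
  for mod in $FS_MODULES; do
    fs_module_disabled "$mod" || echo "$mod"
  done
}

# Unload a module if it is currently loaded (needs root; no-op otherwise).
unload_fs_module() {
  mod="$1"
  if lsmod | awk '{print $1}' | grep -qx "$mod"; then
    rmmod "$mod"
  fi
}
```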

1.1.2 - 1.1.5 Configure /tmp#

Edit /etc/fstab to contain:

tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

Then remount the /tmp filesystem:

mount -o remount,nodev /tmp
mount -o remount,nosuid /tmp
mount -o remount,noexec /tmp
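As an added example (not part of the original page), these shell functions read an fstab, find the entry for a mount point and report which of the nodev, nosuid and noexec options from the /tmp line above it lacks, then emit the matching remount commands; they generalize to any mount point, such as /dev/shm. FSTAB is an assumed variable so the check can run against a scratch copy instead of /etc/fstab.

```bash
#!/bin/sh
# Added example: audit an fstab entry for the hardening options used in 1.1.2-1.1.5.
# FSTAB is an assumption (defaults to /etc/fstab) so the check can be run on a copy.
FSTAB="${FSTAB:-/etc/fstab}"
WANT_OPTS="nodev nosuid noexec"

# Print the comma-separated options of the last fstab entry for a mount point.
fstab_opts() {
  awk -v mp="$1" '
    /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and malformed lines
    $2 == mp { opts = $4 }                # a later entry wins, as with mount -a
    END { if (opts != "") print opts }' "$FSTAB"
}

# Print each wanted option absent from the entry (empty output = compliant).
# Returns 2 when the mount point has no fstab entry at all.
fstab_missing_opts() {
  mp="$1"
  opts="$(fstab_opts "$mp")"
  [ -n "$opts" ] || return 2
  for want in $WANT_OPTS; do
    case ",$opts," in
      *",$want,"*) ;;
      *) echo "$want" ;;
    esac
  done
}

# Print the remount commands from the guide for the options still missing.
remount_commands() {
  mp="$1"
  fstab_missing_opts "$mp" | while read -r opt; do
    echo "mount -o remount,$opt $mp"
  done
}
```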

1.1.6 - 1.1.9 Configure /dev/shm#

1.2 - Configure Software Updates#

1.2.1 - Configure package manager repositories#

Run apt-cache policy to list the configured package repositories.

The output should be similar to:

Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
     release v=18.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=main,b=amd64
     origin us.archive.ubuntu.com

Scan the list for suspicious repositories. Most repositories should come from http://security.ubuntu.com or http://us.archive.ubuntu.com.

1.2.2 - Configure package manager GPG keys#

Run apt-key list to list the GPG keys used by apt. Ensure that these come from valid sources (e.g. ftpmaster@ubuntu.com or cdimage@ubuntu.com).

1.3 - Filesystem Integrity Checking#

1.3.1 - Install AIDE#

First, check if AIDE is installed by running dpkg -s aide and dpkg -s aide-common.

If not installed, run sudo apt install aide aide-common to install it. To initialize AIDE, run:

sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

To avoid false positives from pre-linked binaries, see 1.5.3.

1.3.2 - Schedule AIDE#

Set up a cron job or a service to run AIDE on a schedule.

1.4 - Bootloader Configuration#

1.4.1 - Ensure permissions on bootloader config are not overridden#

In /usr/sbin/grub-mkconfig find:

if [ "x${grub_cfg}" != "x" ] && ! grep "^password" ${grub_cfg}.new >/dev/null; then
    chmod 444 ${grub_cfg}.new || true
fi

and change to:

if [ "x${grub_cfg}" != "x" ]; then
    chmod 400 ${grub_cfg}.new || true
fi

Alternatively, the script in the CIS-Breakdown repository makes this change; run it with:

source <(curl -s https://raw.githubusercontent.com/CAMSCSC/CIS-Breakdown/main/scripts/1.4.1.sh)

1.4.2 - Set GRUB password#

Create an encrypted password with: sudo grub-mkpasswd-pbkdf2

Then edit a configuration file in /etc/grub.d to include:

cat <<EOF
set superusers="<username>"
password_pbkdf2 <username> <encrypted-password>
EOF

replacing <username> and <encrypted-password> with your values.

1.4.3 - Set grub configuration permissions#

Restrict grub configuration permissions by running:

chown root:root /boot/grub/grub.cfg
chmod u-wx,go-rwx /boot/grub/grub.cfg

1.4.4 - Require password for single user mode#

Run passwd root and follow the prompts.

1.5 - Additional Process Hardening#

1.5.2 - Enable ASLR#

Edit /etc/sysctl.conf and add kernel.randomize_va_space = 2

Then remove any ASLR overrides by running the script from the CIS-Breakdown repository:

source <(curl -s https://raw.githubusercontent.com/CAMSCSC/CIS-Breakdown/main/scripts/1.4.1.sh)
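As an added example (not the repository's script), the following shell functions locate sysctl settings that override kernel.randomize_va_space with a value other than 2, which is what removing ASLR overrides has to find first. SYSCTL_FILES is an assumed variable so the audit can run against scratch files instead of the real sysctl paths.

```bash
#!/bin/sh
# Added example: audit sysctl files for ASLR overrides (item 1.5.2).
# SYSCTL_FILES is an assumption (defaults to the usual sysctl locations) so the
# functions can be run against constructed files without root.
SYSCTL_FILES="${SYSCTL_FILES:-/etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf}"

# Print "file:value" for every uncommented line setting kernel.randomize_va_space
# (both the dotted and the slash key forms are recognized).
aslr_settings() {
  for f in $SYSCTL_FILES; do
    [ -f "$f" ] || continue
    awk -v file="$f" -v pat='^[[:space:]]*kernel[./]randomize_va_space[[:space:]]*=' '
      /^[[:space:]]*[#;]/ { next }            # skip comment lines
      $0 ~ pat {
        sub(/^[^=]*=[[:space:]]*/, "")        # keep only the value
        sub(/[[:space:]]+$/, "")              # drop trailing whitespace
        print file ":" $0
      }' "$f"
  done
}

# Print only the settings that weaken ASLR (value != 2); empty output = compliant.
aslr_overrides() {
  aslr_settings | awk -F: '$NF != "2"'
}

# Return 0 when no file weakens ASLR and the running value is 2.
# The running value may be passed as $1; otherwise it is read from /proc.
aslr_compliant() {
  running="$1"
  if [ -z "$running" ] && [ -r /proc/sys/kernel/randomize_va_space ]; then
    running="$(cat /proc/sys/kernel/randomize_va_space)"
  fi
  [ -z "$(aslr_overrides)" ] || return 1
  [ -z "$running" ] || [ "$running" = "2" ] || return 1
  return 0
}
```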

1.5.4 - Restrict core dumps#

To /etc/security/limits.conf add:

* hard core 0

To /etc/sysctl.conf add:

fs.suid_dumpable = 0

Then run sysctl -w fs.suid_dumpable=0.

Run systemctl is-enabled coredump.service to check if systemd-coredump is installed. If it is installed, to /etc/systemd/coredump.conf add:

Storage=none
ProcessSizeMax=0

and run systemctl daemon-reload.

1.6 - Mandatory Access Control#

1.6.1 - Configure AppArmor#

1.6.1.1 - Ensure AppArmor is installed#

Ensure that AppArmor is installed by running apt install apparmor.

1.6.1.2 - Ensure AppArmor is enabled in the bootloader configuration#

Then, ensure that AppArmor is enabled at boot by adding apparmor=1 and security=apparmor to the GRUB_CMDLINE_LINUX line in /etc/default/grub.

Ex:

GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"

Then, run update-grub.

1.6.1.4 - Ensure all AppArmor Profiles are enforcing#

Set all AppArmor profiles to enforcing by running aa-enforce /etc/apparmor.d/*. Then run apparmor_status | grep processes and make sure no processes are unconfined. If any are, create a profile for them.

1.7 - Command Line Warning Banners#

1.7.1 - Ensure MoTD is configured properly#

If a message of the day is not needed, run rm /etc/motd.

1.7.2 - 1.7.4 - Ensure permissions on motd files are configured#

Set the permissions on /etc/issue.net, /etc/issue, and /etc/motd (if it exists) by running:

chown root:root /etc/issue.net
chmod u-x,go-wx /etc/issue.net
chown root:root /etc/issue
chmod u-x,go-wx /etc/issue
chown root:root /etc/motd
chmod u-x,go-wx /etc/motd

1.7.5 - 1.7.6 - Ensure warning banners are configured properly#

Edit /etc/issue.net (remote login warning) and /etc/issue (local login warning) so that their contents match the README's banner instructions, if they do not already.

1.8 - GNOME Display Manager (GDM)#

1.8.2 - 1.8.3 - Enable warning banner and disable-user-list#

Make sure that /etc/gdm3/greeter.dconf-defaults contains:

[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='warning text'
disable-user-list=true

Then reload GDM by running dpkg-reconfigure gdm3.

1.8.4 - Ensure XDMCP is not enabled#

Ensure that the [xdmcp] section of /etc/gdm3/custom.conf does not contain Enable=true by running cat /etc/gdm3/custom.conf | grep Enable.

1.9 - Ensure updates, patches, and additional security software are installed#

Update everything by running:

sudo apt-get update
sudo apt-get upgrade