-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathjddicki2-ubuntu-server-report-20170213T063457Z.txt
179 lines (178 loc) · 9.37 KB
/
jddicki2-ubuntu-server-report-20170213T063457Z.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
CIS Ubuntu Linux 16.04 LTS Benchmark
Evaluation of jddicki2-ubuntu-server
Ended: 2017-02-13T00:35:18.824-06:00
pass: 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
pass: 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
pass: 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
pass: 1.1.1.4 Ensure mounting of hfs filesystems is disabled
pass: 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
fail: 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
pass: 1.1.1.7 Ensure mounting of udf filesystems is disabled
fail: 1.1.1.8 Ensure mounting of FAT filesystems is disabled
pass: 1.1.3 Ensure nodev option set on /tmp partition
pass: 1.1.4 Ensure nosuid option set on /tmp partition
pass: 1.1.7 Ensure nodev option set on /var/tmp partition
pass: 1.1.8 Ensure nosuid option set on /var/tmp partition
pass: 1.1.9 Ensure noexec option set on /var/tmp partition
pass: 1.1.13 Ensure nodev option set on /home partition
pass: 1.1.14 Ensure nodev option set on /dev/shm partitiov
pass: 1.1.15 Ensure nosuid option set on /dev/shm partitionrun
fail: 1.1.16 Ensure noexec option set on /dev/shm partition
fail: 1.1.20 Ensure sticky bit is set on all world-writable directories
pass: 1.1.21 Disable Automounting
pass: 1.3.1 Ensure AIDE is installed
pass: 1.3.2 Ensure filesystem integrity is regularly checked
fail: 1.4.1 Ensure permissions on bootloader config are configured
fail: 1.4.2 Ensure bootloader password is set
fail: 1.5.1 Ensure core dumps are restricted
informational: 1.5.2 Ensure XD/NX support is enabled
pass: 1.5.3 Ensure address space layout randomization (ASLR) is enabled
pass: 1.5.4 Ensure prelink is disabled
pass: 1.7.1.1 Ensure message of the day is configured properly
informational: 1.7.1.2 Ensure local login warning banner is configured properly
informational: 1.7.1.3 Ensure remote login warning banner is configured properly
informational: 1.7.1.4 Ensure permissions on /etc/motd are configured
pass: 1.7.1.5 Ensure permissions on /etc/issue are configured
informational: 1.7.1.6 Ensure permissions on /etc/issue.net are configured
pass: 1.7.2 Ensure GDM login banner is configured
pass: 2.1.1 Ensure chargen services are not enabled
pass: 2.1.2 Ensure daytime services are not enabled
pass: 2.1.3 Ensure discard services are not enabled
pass: 2.1.4 Ensure echo services are not enabled
pass: 2.1.5 Ensure time services are not enabled
pass: 2.1.6 Ensure rsh server is not enabled
pass: 2.1.7 Ensure talk server is not enabled
pass: 2.1.8 Ensure telnet server is not enabled
pass: 2.1.9 Ensure tftp server is not enabled
pass: 2.1.10 Ensure xinetd is not enabled
informational: 2.2.1.1 Ensure time synchronization is in use
pass: 2.2.1.2 Ensure ntp is configured
pass: 2.2.1.3 Ensure chrony is configured
pass: 2.2.2 Ensure X Window System is not installed
pass: 2.2.3 Ensure Avahi Server is not enabled
pass: 2.2.4 Ensure CUPS is not enabled
pass: 2.2.5 Ensure DHCP Server is not enabled
pass: 2.2.6 Ensure LDAP server is not enabled
pass: 2.2.7 Ensure NFS and RPC are not enabled
pass: 2.2.8 Ensure DNS Server is not enabled
pass: 2.2.9 Ensure FTP Server is not enabled
pass: 2.2.10 Ensure HTTP server is not enabled
pass: 2.2.11 Ensure IMAP and POP3 server is not enabled
pass: 2.2.12 Ensure Samba is not enabled
pass: 2.2.13 Ensure HTTP Proxy Server is not enabled
pass: 2.2.14 Ensure SNMP Server is not enabled
pass: 2.2.15 Ensure mail transfer agent is configured for local-only mode
pass: 2.2.16 Ensure rsync service is not enabled
pass: 2.2.17 Ensure NIS Server is not enabled
pass: 2.3.1 Ensure NIS Client is not installed
pass: 2.3.2 Ensure rsh client is not installed
pass: 2.3.3 Ensure talk client is not installed
pass: 2.3.4 Ensure telnet client is not installed
pass: 2.3.5 Ensure LDAP client is not installed
pass: 3.1.1 Ensure IP forwarding is disabled
pass: 3.1.2 Ensure packet redirect sending is disabled
pass: 3.2.1 Ensure source routed packets are not accepted
pass: 3.2.2 Ensure ICMP redirects are not accepted
pass: 3.2.3 Ensure secure ICMP redirects are not accepted
pass: 3.2.4 Ensure suspicious packets are logged
pass: 3.2.5 Ensure broadcast ICMP requests are ignored
pass: 3.2.6 Ensure bogus ICMP responses are ignored
pass: 3.2.7 Ensure Reverse Path Filtering is enabled
pass: 3.2.8 Ensure TCP SYN Cookies is enabled
informational: 3.3.1 Ensure IPv6 router advertisements are not accepted
informational: 3.3.2 Ensure IPv6 redirects are not accepted
informational: 3.3.3 Ensure IPv6 is disabled
pass: 3.4.1 Ensure TCP Wrappers is installed
pass: 3.4.2 Ensure /etc/hosts.allow is configured
pass: 3.4.3 Ensure /etc/hosts.deny is configured
pass: 3.4.4 Ensure permissions on /etc/hosts.allow are configured
pass: 3.4.5 Ensure permissions on /etc/hosts.deny are 644
informational: 3.5.1 Ensure DCCP is disabled
informational: 3.5.2 Ensure SCTP is disabled
informational: 3.5.3 Ensure RDS is disabled
informational: 3.5.4 Ensure TIPC is disabled
pass: 3.6.1 Ensure iptables is installed
fail: 3.6.2 Ensure default deny firewall policy
fail: 3.6.3 Ensure loopback traffic is configured
fail: 3.6.5 Ensure firewall rules exist for all open ports
pass: 4.2.1.1 Ensure rsyslog Service is enabled
pass: 4.2.1.3 Ensure rsyslog default file permissions configured
fail: 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
pass: 4.2.2.1 Ensure syslog-ng service is enabled
pass: 4.2.2.3 Ensure syslog-ng default file permissions configured
pass: 4.2.3 Ensure rsyslog or syslog-ng is installed
fail: 4.2.4 Ensure permissions on all logfiles are configured
pass: 5.1.1 Ensure cron daemon is enabled
pass: 5.1.2 Ensure permissions on /etc/crontab are configured
pass: 5.1.3 Ensure permissions on /etc/cron.hourly are configured
pass: 5.1.4 Ensure permissions on /etc/cron.daily are configured
pass: 5.1.5 Ensure permissions on /etc/cron.weekly are configured
pass: 5.1.6 Ensure permissions on /etc/cron.monthly are configured
pass: 5.1.7 Ensure permissions on /etc/cron.d are configured
pass: 5.1.8 Ensure at/cron is restricted to authorized users
pass: 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
pass: 5.2.2 Ensure SSH Protocol is set to 2
pass: 5.2.3 Ensure SSH LogLevel is set to INFO
pass: 5.2.4 Ensure SSH X11 forwarding is disabled
pass: 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
pass: 5.2.6 Ensure SSH IgnoreRhosts is enabled
pass: 5.2.7 Ensure SSH HostbasedAuthentication is disabled
pass: 5.2.8 Ensure SSH root login is disabled
pass: 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
pass: 5.2.10 Ensure SSH PermitUserEnvironment is disabled
pass: 5.2.11 Ensure only approved MAC algorithms are used
pass: 5.2.12 Ensure SSH Idle Timeout Interval is configured
pass: 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less
pass: 5.2.14 Ensure SSH access is limited
pass: 5.2.15 Ensure SSH warning banner is configured
pass: 5.3.1 Ensure password creation requirements are configured
pass: 5.3.3 Ensure password reuse is limited
pass: 5.3.4 Ensure password hashing algorithm is SHA-512
fail: 5.4.1.1 Ensure password expiration is 90 days or less
fail: 5.4.1.2 Ensure minimum days between password changes is 7 or more
pass: 5.4.1.3 Ensure password expiration warning days is 7 or more
fail: 5.4.1.4 Ensure inactive password lock is 30 days or less
fail: 5.4.2 Ensure system accounts are non-login
pass: 5.4.3 Ensure default group for the root account is GID 0
fail: 5.4.4 Ensure default user umask is 027 or more restrictive
fail: 5.6 Ensure access to the su command is restricted
pass: 6.1.2 Ensure permissions on /etc/passwd are configured
pass: 6.1.3 Ensure permissions on /etc/shadow are configured
pass: 6.1.4 Ensure permissions on /etc/group are configured
pass: 6.1.5 Ensure permissions on /etc/gshadow are configured
pass: 6.1.6 Ensure permissions on /etc/passwd- are configured
pass: 6.1.7 Ensure permissions on /etc/shadow- are configured
pass: 6.1.8 Ensure permissions on /etc/group- are configured
pass: 6.1.9 Ensure permissions on /etc/gshadow- are configured
fail: 6.1.10 Ensure no world writable files exist
pass: 6.1.11 Ensure no unowned files or directories exist
pass: 6.1.12 Ensure no ungrouped files or directories exist
pass: 6.2.1 Ensure password fields are not empty
pass: 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd
pass: 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow
pass: 6.2.4 Ensure no legacy "+" entries exist in /etc/group
pass: 6.2.5 Ensure root is the only UID 0 account
fail: 6.2.6 Ensure root PATH Integrity
fail: 6.2.7 Ensure all users' home directories exist
fail: 6.2.8 Ensure users' home directories permissions are 750 or more restrictive
pass: 6.2.9 Ensure users own their home directories
fail: 6.2.10 Ensure users' dot files are not group or world writable
pass: 6.2.11 Ensure no users have .forward files
pass: 6.2.12 Ensure no users have .netrc files
pass: 6.2.13 Ensure users' .netrc Files are not group or world accessible
pass: 6.2.14 Ensure no users have .rhosts files
pass: 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group
pass: 6.2.16 Ensure no duplicate UIDs exist
pass: 6.2.17 Ensure no duplicate GIDs exist
pass: 6.2.18 Ensure no duplicate user names exist
pass: 6.2.19 Ensure no duplicate group names exist
pass: 6.2.20 Ensure shadow group is empty
********** Total **********
Pass: 130
Fail: 23
Error: 0
Unknown: 0
Not Selected: 67
Actual Pass: 130.0
Maximum Possible: 153.0
Score: 85%