Definition of Standard Benchmark for Kylin Server 10 for kylinserver10

1.1: Ensure a print server is not installed (Automated)

Description: None

• l2_server

Automated: yes

• package_cups_removed: Uninstall CUPS Package

1.1: system must not have the sendmail package installed.

Description: None

• l2_server

Automated: yes

• package_sendmail_removed: Uninstall Sendmail Package

1.3: Ensure NFS Service Disabled

Description: None

• l2_server

Automated: yes

• service_nfs_disabled: Disable Network File System (nfs)

1.4: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)

Description: None

• l2_server

Automated: yes

• package_nfs-utils_removed: Uninstall nfs-utils Package
• service_nfs_disabled: Disable Network File System (nfs)

1.5: ident{auth.socket}

Description: None

• l2_server

Automated: no

No rules selected

1.6: ntalk

Description: None

• l2_server

Automated: no

No rules selected

1.7: Ensure DHCP Service Disabled

Description: None

• l2_server

Automated: yes

• service_dhcpd_disabled: Disable DHCP Service

1.8: Ensure NIS Client Not Installed

Description: None

• l2_server

Automated: yes

• package_ypbind_removed: Remove NIS Client

1.9: Ensure TFTP Server Not Installed

Description: None

• l2_server

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package
• package_tftp_removed: Remove tftp Daemon

1.1: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated)

Description: None

• l2_server

Automated: yes

• package_rsync_removed: Uninstall rsync Package

1.11: Prohibit anonymous VSFTP user login

Description: None

• l2_server

Automated: no

No rules selected

1.12: Prohibit root login to VSFTP

Description: None

• l2_server

Automated: no

No rules selected

1.13: ensure-local-login-warning-banner-is-configured-properly

Description: None

• l2_server

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = cis_banners

1.14: ensure-message-of-the-day-is-configured-properly

Description: None

• l2_server

Automated: yes

• banner_etc_motd: Modify the System Message of the Day Banner
• login_banner_text = cis_banners

1.15: Ensure sshd PermitRootLogin is disabled (Automated)

Description: None

• l2_server

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

1.16: Ensure SSHd Protocol Version Is 2

Description: None

• l2_server

Automated: yes

• sshd_allow_only_protocol2: Allow Only SSH Protocol 2

1.17: Ensure SSHd Log Level Correct

Description: None

• l2_server

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

1.18: Ensure SSHd MaxAuthTries Correct

Description: None

• l2_server

Automated: yes

• sshd_max_auth_tries_value = 3
• sshd_set_max_auth_tries: Set SSH authentication attempt limit

1.19: ensure-ssh-permitemptypasswords-is-disabled

Description: None

• l2_server

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

1.2: Ensure SSHd PermitUserEnvironment Forbidden

Description: None

• l2_server

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

1.21: Ensure SSHd Ciphers Algorithm Correct

Description: None

• l2_server

Automated: yes

• sshd_use_strong_ciphers: Use Only Strong Ciphers

1.22: check is installed chkrootkit

Description: None

• l2_server

Automated: no

No rules selected

1.23: Check for the existence of rootkit programs

Description: None

• l2_server

Automated: no

No rules selected

1.24: Restricting the directories that FTP users can access after logging in

Description: None

• l2_server

Automated: no

No rules selected

1.25: operating system must use SSH to protect the confidentiality and integrity of transmitted information.

Description: None

• l2_server

Automated: yes

• package_openssh-server_installed: Install the OpenSSH Server Package
• service_sshd_enabled: Enable the OpenSSH Service

1.26: Ensure telnet server services are not in use (Automated)

Description: None

• l2_server

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package

1.27: Prohibit remote telnet login for root user

Description: None

• l2_server

Automated: no

No rules selected

1.28: Set warning banner before telnet login

Description: None

• l2_server

Automated: no

No rules selected

1.29: Set warning banner after telnet login

Description: None

• l2_server

Automated: no

No rules selected

1.3: Disable unnecessary xinetd services

Description: None

• l2_server

Automated: no

No rules selected

1.31: Ensure Unnecessary Service And Port Disabled (Manual)

Description: None

• l2_server

Automated: no

No rules selected

1.32: Ensure SSH access is limited (Automated)

Description: None

• l2_server

Automated: yes

• sshd_limit_user_access: Limit Users' SSH Access

1.33: SSH daemon must display the date and time of the last successful account logon upon an SSH logon.

Description: None

• l2_server

Automated: yes

• sshd_print_last_log: Enable SSH Print Last Log

2.1: Ensure ICMP Redirect Package Not Received

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects_value = disabled
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_secure_redirects_value = disabled

2.2: Ensure packet redirect sending is disabled (Automated)

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

2.3: Ensure ICMP Broadcast Package Not Responsed

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

2.4: Ensure Source Route Disabled

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_accept_source_route_value = disabled

2.5: Ensure IP Forwarding Disabled

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

3.1: Modify SNMP default group characters

Description: None

• l2_server

Automated: no

No rules selected

3.2: Disable multi IP binding

Description: None

• l2_server

Automated: no

No rules selected

3.3: Ensure Reverse Proxy Filter Enabled

Description: None

• l2_server

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter_value = enabled
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter_value = enabled

4.1: Ensure sudo log file exists (Automated)

Description: None

• l2_server

Automated: yes

• sudo_custom_logfile: Ensure Sudo Logfile Exists - sudo logfile

4.2: Ensure sudo commands use pty (Automated)

Description: None

• l2_server

Automated: yes

• sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

4.3: must use the invoking user's password for privilege escalation when using "sudo".

Description: None

• l2_server

Automated: yes

• sudoers_validate_passwd: Ensure invoking users password for privilege escalation when using sudo

4.4: Ensure Important Services Logged

Description: None

• l1_server

Automated: yes

• rsyslog_logging_configured: Ensure logging is configured

4.5: Ensure HISTSIZE and HISTFILESIZE Limited

Description: None

• l1_server

Automated: no

No rules selected

5.1: check is installed swatch

Description: None

• l1_server

Automated: no

No rules selected

5.2: Ensure Auditd Enabled

Description: None

• l2_server

Automated: yes

• service_auditd_enabled: Enable auditd Service

5.3: Set system audit log rules

Description: None

• l1_server

Automated: no

No rules selected

5.4: Ensure Audit Disk Space Set Correct

Description: None

• l1_server

Automated: yes

• auditd_data_retention_space_left: Configure auditd space_left on Low Disk Space

5.5: Ensure cron is restricted to authorized users (Automated)

Description: None

• l2_server

Automated: yes

• file_cron_allow_exists: Ensure that /etc/cron.allow exists

5.6: Ensure Rsyslog Enabled

Description: None

• l2_server

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

5.7: Record user operations on the device

Description: None

• l2_server

Automated: yes

• package_psacct_installed: Install the psacct package
• service_psacct_enabled: Enable Process Accounting (psacct)

5.8: Record user login logs

Description: None

• l1_server

Automated: no

No rules selected

5.9: Configure security event logs

Description: None

• l1_server

Automated: no

No rules selected

5.1: Ensure Cron Logged

Description: None

• l2_server

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

5.11: Ensure AIDE Enabled

Description: None

• l1_server

Automated: yes

• package_aide_installed: Install AIDE

5.12: Ensure filesystem integrity is regularly checked (Automated)

Description: None

• l2_server

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE

6.1: Ensure TIMOUT Set Correct

Description: None

• l2_server

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 5_min

6.2: Ensure Grub Password Set

Description: None

• l2_server

Automated: yes

• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

6.3: Ensure Use Sudo To Run

Description: None

• l2_server

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel
• sudoers_no_root_target: Don't target root user in the sudoers file

6.4: Ensure SU Usage Limited

Description: None

• l2_server

Automated: yes

• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

6.5: Ensure time synchronization is in use (Automated)

Description: None

• l2_server

Automated: yes

• package_chrony_installed: The Chrony package is installed
• package_ntp_installed: Install the ntp service

6.6: Ensure chrony is running as user _chrony (Automated)

Description: None

• l2_server

Automated: yes

• chronyd_configure_pool_and_server: Chrony Configure Pool and Server
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon

6.7: must disable core dumps for all users.

Description: None

• l2_server

Automated: yes

• disable_users_coredumps: Disable Core Dumps for All Users

6.8: operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.

Description: None

• l2_server

Automated: yes

• dconf_gnome_disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

6.9: Enable idle screen lock time

Description: None

• l2_server

Automated: yes

• dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout

6.1: via the session lock, information previously visible on the display with a publicly viewable image.

Description: None

• l2_server

Automated: yes

• dconf_gnome_screensaver_mode_blank: Implement Blank Screensaver

6.11: Prohibit automatic system login

Description: None

• l1_server

Automated: no

No rules selected

6.12: Prohibit SSH password free login

Description: None

• l2_server

Automated: yes

• sshd_disable_pubkey_auth: Disable PubkeyAuthentication Authentication

6.13: Set the umask value of the daemon process

Description: None

• l1_server

Automated: no

No rules selected

6.14: limit the number of concurrent sessions to ten for all accounts and/or account types.

Description: None

• l2_server

Automated: yes

• accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User
• var_accounts_max_concurrent_login_sessions = 10

7.1: Ensure No Empty Symlink

Description: None

• l2_server

Automated: no

No rules selected

7.2: Ensure SNMP Not Installed

Description: None

• l2_server

Automated: yes

• package_net-snmp_removed: Uninstall net-snmp Package

7.3: Check the debuggable components

Description: None

• l2_server

Automated: yes

• package_binutils_installed: Install binutils Package

7.4: /etc/aliases Disable unnecessary aliases

Description: None

• l2_server

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

7.5: /etc/mail/aliases Disable unnecessary aliases

Description: None

• l2_server

Automated: no

No rules selected

7.6: Ensure No .netrc Files In Home Folder

Description: None

• l1_server

Automated: yes

• no_netrc_files: Verify No netrc Files Exist

7.7: Ensure No hosts.equiv Files In Home Folder

Description: None

• l2_server

Automated: no

No rules selected

7.8: Ensure No .rhosts Files In Home Folder

Description: None

• l2_server

Automated: no

No rules selected

7.9: Ensure No equiv Files In Home Folder

Description: None

• l2_server

Automated: no

No rules selected

7.1: Ensure No rhosts Files In Home Folder

Description: None

• l2_server

Automated: no

No rules selected

8.1: Ensure All Files Have Owner And Group

Description: None

• l2_server

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• no_files_unowned_by_user: Ensure All Files Are Owned by a User

8.2: Ensure UMASK Correct

Description: None

• l2_server

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• var_accounts_user_umask = 027

8.3: Ensure File Permission Minimize

Description: None

• l2_server

Automated: no

No rules selected

8.4: Ensure permissions on /etc/passwd are configured (Automated)

Description: None

• l2_server

Automated: yes

• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_permissions_etc_passwd: Verify Permissions on passwd File

8.5: Ensure permissions on /etc/group are configured (Automated)

Description: None

• l2_server

Automated: yes

• file_groupowner_etc_group: Verify Group Who Owns group File
• file_owner_etc_group: Verify User Who Owns group File
• file_permissions_etc_group: Verify Permissions on group File

8.6: Ensure permissions on /etc/shadow are configured (Automated)

Description: None

• l2_server

Automated: yes

• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_permissions_etc_shadow: Verify Permissions on shadow File

8.7: Ensure all logfiles have appropriate permissions(Automated)

Description: None

• l2_server

Automated: yes

• rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions

8.8: Restrict the permissions of FTP users to upload files

Description: None

• l2_server

Automated: no

No rules selected

8.9: Prohibit global read-write of log files

Description: None

• l2_server

Automated: no

No rules selected

9.1: Delete accounts unrelated to device operation, maintenance, and other work

Description: None

• l2_server

Automated: no

No rules selected

9.2: Ensure pam_unix does not include nullok (Automated)

Description: None

• l2_server

Automated: yes

• no_empty_passwords: Prevent Login to Accounts With Empty Password

9.3: Ensure /etc/shadow password fields are not empty (Automated)

Description: None

• l2_server

Automated: yes

• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords

9.4: Prohibit interactive login of system accounts

Description: None

• l2_server

Automated: no

No rules selected

9.5: Ensure UID Unique

Description: None

• l2_server

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

10.1: Check the usage rate of system disk partitions

Description: None

• l2_server

Automated: no

No rules selected

11.1: Ensure Set Correct Password Complexity

Description: None

• l2_server

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_dcredit = 0
• var_password_pam_lcredit = 0
• var_password_pam_minclass = 3
• var_password_pam_ocredit = 0
• var_password_pam_retry = 3
• var_password_pam_ucredit = 0

11.2: Ensure Password Expiration Warning Days

Description: None

• l2_server

Automated: yes

• accounts_password_warn_age_login_defs: Set Password Warning Age
• var_accounts_password_warn_age_login_defs = 7

11.3: Enable password complexity policy

Description: None

• l2_server

Automated: no

No rules selected

11.4: Ensure Password Expire Correct

Description: None

• l2_server

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• var_accounts_maximum_age_login_defs = 90

11.5: Ensure Set Correct Password Complexity

Description: None

• l2_server

Automated: yes

• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• var_password_pam_minlen = 8

11.6: Minimum Days Between Password Change

Description: None

• l2_server

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age
• var_accounts_minimum_age_login_defs = 0

11.7: Ensure No History Password Used

Description: None

• l2_server

Automated: yes

• accounts_password_pam_unix_remember: Limit Password Reuse
• var_password_pam_unix_remember = 5

11.8: Ensure Using Strong Hash Algorithm To Encipher Password

Description: None

• l2_server

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm

12.1: Ensure Account Locked After Accessing Fail

Description: None

• l2_server

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_unlock_time = 300

13.1: Ensure Firewalld Enabled

Description: None

• l1_server

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

13.2: Ensure the SELinux mode is not disabled (Automated)

Description: None

• l2_server

Automated: yes

• selinux_not_disabled: Ensure SELinux is Not Disabled

13.3: Ensure firewalld default zone is set (Automated)

Description: None

• l1_server

Automated: yes

• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

14.1: Ensure authentication required for single user mode (Automated)

Description: None

• l2_server

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode

15.1: Check system resource usage control

Description: None

• l2_server

Automated: yes

No rules selected

16.1: Ensure root path integrity (Automated)

Description: None

• l2_server

Automated: yes

• accounts_root_path_dirs_no_write: Ensure that Root's Path Does Not Include World or Group-Writable Directories
• root_path_no_dot: Ensure that Root's Path Does Not Include Relative Paths or Null Directories

16.2: Ensure GPG Check Configured

Description: None

• l2_server

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories

16.3: ensure-permissions-on-ssh-private-host-key-files-are-configured

Description: None

• l2_server

Automated: yes

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

16.4: Ensure SSH IgnoreRhosts is enabled (Automated)

Description: None

• l2_server

Automated: yes

• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

16.5: Ensure that SSH X11 forwarding is disabled

Description: None

• l2_server

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

16.6: Ensure sshd Hostl2_serverdAuthentication is disabled (Automated)

Description: None

• l2_server

Automated: yes

• disable_host_auth: Disable Host-Based Authentication

16.7: interactive user accounts must be assigned a home directory upon creation.

Description: None

• l2_server

Automated: yes

• accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

16.8: Ensure autofs services are not in use (Automated)

Description: None

• l2_server

Automated: yes

• service_autofs_disabled: Disable the Automounter