From d3bb46eb882dc12a28ffe69ca87e81231c26c66a Mon Sep 17 00:00:00 2001
From: 10serr
Date: Tue, 18 Apr 2023 07:54:57 +0000
Subject: [PATCH 1/8] =?UTF-8?q?benchmarks/logging-and-auditing=EF=BC=9A?=
 =?UTF-8?q?=E6=96=B0=E5=A2=9E2.24-ensure-successful-and-unsuccessful-attem?=
 =?UTF-8?q?pts-to-use-the-chsh-command-are-recorded.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 10serr
---
 ...mounting-of-udf-filesystems-is-disabled.md | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md

diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md
new file mode 100644
index 0000000..a361b92
--- /dev/null
+++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md
@@ -0,0 +1,63 @@ +# 1.51 确保udf文件系统的挂载被禁用 + +## 安全等级 + +- Level 2 + +## 描述 + +udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁盘格式。这是一种开放的供应商文件系统类型,用于在广泛的媒体上存储数据。该文件系统类型是必需的,以支持编写DVD和较新的光盘格式。 + +删除不需要的文件系统类型的支持可以减少系统的本地攻击面。如果不需要此文件系统类型,请禁用它。Microsoft Azure需要使用udf。因此,在运行于Microsoft Azure的系统上不应禁用udf。 + +## 修复建议 + +目标:确保udf文件系统的挂载被禁用。 + +1. 在`/etc/modprobe.d/`目录中编辑或创建一个以`.conf` 结尾的文件,并添加一行内容:`install udf /bin/false`。 + + 示例: + +```bash +echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf +echo "blacklist udf" >> /etc/modprobe.d/udf.conf +``` + +2. 运行以下命令以卸载udf模块。 + +```bash +modprobe -r udf +``` + +## 扫描检测 + +运行以下命令并验证输出是否符合预期。 + +1. 模块将如何加载。 + + 运行如下命令,若输出为`install /bin/false`,则视为通过此项检查。 + +```bash +modprobe -n -v udf | grep "^install" +``` + +2. 模块当前是否已加载。 + + 运行如下命令,若输出为空,则视为通过此项检查。 + +```bash +lsmod | grep udf +``` + +3. 模块是否已列入黑名单。 + + 运行如下命令,若输出为`/etc/modprobe.d/udf.conf:blacklist udf `,则视为通过此项检查。 + + +```bash +grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* +``` + +## 参考 + +- cis: \ No newline at end of file -- Gitee From 4962b9d40c83dba521a45a64348a206a8b747238 Mon Sep 17 00:00:00 2001 From: 10serr Date: Tue, 18 Apr 2023 11:25:36 +0000 Subject: [PATCH 2/8] update benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md. Signed-off-by: 10serr --- .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md index a361b92..9f517c4 100644 --- a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md +++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md 
@@ -2,14 +2,13 @@ ## 安全等级 -- Level 2 +- Level 1 ## 描述 udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁盘格式。这是一种开放的供应商文件系统类型,用于在广泛的媒体上存储数据。该文件系统类型是必需的,以支持编写DVD和较新的光盘格式。 -删除不需要的文件系统类型的支持可以减少系统的本地攻击面。如果不需要此文件系统类型,请禁用它。Microsoft Azure需要使用udf。因此,在运行于Microsoft Azure的系统上不应禁用udf。 - +删除不需要的文件系统类型的支持可以减少系统的本地攻击面。如果不需要此文件系统类型,请禁用它。 ## 修复建议 目标:确保udf文件系统的挂载被禁用。 -- Gitee From 914803a602a7a29e89042c8b7157d4f5e5b200d7 Mon Sep 17 00:00:00 2001 From: 10serr Date: Tue, 18 Apr 2023 11:38:45 +0000 Subject: [PATCH 3/8] =?UTF-8?q?1.51-ensure-mounting-of-udf-filesystems-is-?= =?UTF-8?q?disabled.sh=20=E4=BF=AE=E5=A4=8D=E8=84=9A=E6=9C=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 10serr --- .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh diff --git a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh new file mode 100644 index 0000000..2211012 --- /dev/null +++ b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -0,0 +1,3 @@ +echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf +echo "blacklist udf" >> /etc/modprobe.d/udf.conf +modprobe -r udf -- Gitee From d28d1c47e125ab30e081aae3ed8e9b79031bb5bd Mon Sep 17 00:00:00 2001 From: 10serr Date: Tue, 18 Apr 2023 11:39:44 +0000 Subject: [PATCH 4/8] =?UTF-8?q?1.51-ensure-mounting-of-udf-filesystems-is-?= =?UTF-8?q?disabled=20=E6=A3=80=E6=B5=8B=E8=84=9A=E6=9C=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
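Review bot: The remediation kit added in this hunk is not idempotent: both `>>` redirections append unconditionally, so every run adds another `install udf /bin/false` and `blacklist udf` line to `/etc/modprobe.d/udf.conf`. Since that file is dedicated to this rule, writing it in one shot is simpler and repeatable: `printf 'install udf /bin/false\nblacklist udf\n' > /etc/modprobe.d/udf.conf`. The final `modprobe -r udf` returns non-zero when the module is not loaded or a UDF filesystem is still mounted, which makes the kit's exit status ambiguous for any caller that checks it; guarding it with `lsmod | grep -q '^udf ' && modprobe -r udf` would make the intent explicit. The script also has no shebang, so which shell interprets it is left to the caller; the scanner script in PATCH 4/8 has the same gap.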
Signed-off-by: 10serr
---
 ...1-ensure-mounting-of-udf-filesystems-is-disabled.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh

diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
new file mode 100644
index 0000000..167a93f
--- /dev/null
+++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
@@ -0,0 +1,10 @@
+result=false
+
+modprobe -n -v udf | grep -q "^install" && test -z "$(lsmod | grep -e udf)" && grep -E -q "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* && result=true
+
+
+if [ "$result" == true ]; then
+ echo "pass"
+else
+ echo "fail"
+fi
-- 
Gitee

From aebcaa29b04193019cfe72e464dcd9fd51dd4b0b Mon Sep 17 00:00:00 2001
From: 10serr
Date: Tue, 18 Apr 2023 11:41:22 +0000
Subject: [PATCH 5/8] summary update 1.51

Signed-off-by: 10serr
---
 docs/summary-of-rules.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index e30eccc..b41ef74 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
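Review bot: `[ "$result" == true ]` on the `if` line of the new scanner is a bash extension; the file has no shebang, and under a POSIX `/bin/sh` such as dash that test errors out with "unexpected operator", so the scanner prints `fail` regardless of the system state. Use `[ "$result" = true ]`, or add `#!/usr/bin/env bash` as the first line. The `grep -q "^install"` test on the modprobe line accepts any `install udf …` directive, including one that points at a real loader, so it does not confirm that loading is disabled; matching what the benchmark documents, `grep -q "^install /bin/false"` (or `grep -Eq "^install /bin/(true|false)"`) pins the intent. `lsmod | grep -e udf` is a substring match over the whole lsmod output including the "Used by" column, so an unrelated module whose name contains udf would flip the result; `lsmod | awk '$1 == "udf"'` checks only the module-name column. On a kernel where udf is built in or not shipped as a module, `modprobe -n -v udf` presumably prints no `install` line and the check reports fail even though no modprobe.d entry can satisfy it — worth a note in the benchmark text.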
@@ -49,6 +49,7 @@
 | 1.47 | 1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.md | 1.47 确保 SSH 的 MaxAuthTries 设置为3~5 | benchmarks/access-and-control | 1 |
 | 1.48 | 1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md | 1.48 对通过网络进行管理的终端进行限制 | benchmarks/access-and-control | 2 |
 | 1.49 | 1.49-lock-or-delete-the-shutdown-and-halt-users.md | 1.49 锁定或删除shutdown、halt用户 | benchmarks/access-and-control | 1 |
+| 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
 | 2.1 | 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.md | 2.1 确保审计日志的文件权限被正确配置 | benchmarks/logging-and-auditing | 1 |
 | 2.2 | 2.2-ensure-only-authorized-users-own-audit-log-files.md | 2.2 确保审计日志文件的所有者为已授权用户 | benchmarks/logging-and-auditing | 1 |
 | 2.3 | 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.md | 2.3 确保审计日志文件的所属组为已授权的用户组 | benchmarks/logging-and-auditing | 1 |
-- 
Gitee

From b77f29718c5a3d2270e49fb9c78b1017c29001c3 Mon Sep 17 00:00:00 2001
From: hujiajin
Date: Wed, 19 Apr 2023 14:21:51 +0800
Subject: [PATCH 6/8] final commit

Signed-off-by: hujiajin
---
 ...mounting-of-udf-filesystems-is-disabled.md | 21 ++++++++++---------
 docs/summary-of-rules.md | 1 +
 ...mounting-of-udf-filesystems-is-disabled.sh | 1 -
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md
index 9f517c4..64a7356 100644
--- a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md
+++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md
@@ -9,23 +9,22 @@ udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁盘格式。这是一种开放的供应商文件系统类型,用于在广泛的媒体上存储数据。该文件系统类型是必需的,以支持编写DVD和较新的光盘格式。 删除不需要的文件系统类型的支持可以减少系统的本地攻击面。如果不需要此文件系统类型,请禁用它。 + ## 修复建议 目标:确保udf文件系统的挂载被禁用。 1. 在`/etc/modprobe.d/`目录中编辑或创建一个以`.conf` 结尾的文件,并添加一行内容:`install udf /bin/false`。 - 示例: - ```bash -echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf -echo "blacklist udf" >> /etc/modprobe.d/udf.conf +# echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf +# echo "blacklist udf" >> /etc/modprobe.d/udf.conf ``` 2. 运行以下命令以卸载udf模块。 ```bash -modprobe -r udf +# modprobe -r udf ``` ## 扫描检测 @@ -37,7 +36,8 @@ modprobe -r udf 运行如下命令,若输出为`install /bin/false`,则视为通过此项检查。 ```bash -modprobe -n -v udf | grep "^install" +# modprobe -n -v udf | grep "^install" +install /bin/false ``` 2. 模块当前是否已加载。 @@ -45,16 +45,17 @@ modprobe -n -v udf | grep "^install" 运行如下命令,若输出为空,则视为通过此项检查。 ```bash -lsmod | grep udf +# lsmod | grep udf + ``` 3. 模块是否已列入黑名单。 - 运行如下命令,若输出为`/etc/modprobe.d/udf.conf:blacklist udf `,则视为通过此项检查。 - + 运行如下命令,若输出为`/etc/modprobe.d/udf.conf:blacklist udf`,则视为通过此项检查。 ```bash -grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* +# grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* +/etc/modprobe.d/udf.conf:blacklist udf ``` ## 参考 diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index b41ef74..3a89983 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md 
@@ -49,6 +49,7 @@ | 1.47 | 1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.md | 1.47 确保 SSH 的 MaxAuthTries 设置为3~5 | benchmarks/access-and-control | 1 | | 1.48 | 1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md | 1.48 对通过网络进行管理的终端进行限制 | benchmarks/access-and-control | 2 | | 1.49 | 1.49-lock-or-delete-the-shutdown-and-halt-users.md | 1.49 锁定或删除shutdown、halt用户 | benchmarks/access-and-control | 1 | +| 1.50 | 1.50-ensure-ssh-x11-forwarding-is-disabled.md | 1.50 确保SSH X11转发功能被禁用 | benchmarks/access-and-control | 1 | | 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 | | 2.1 | 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.md | 2.1 确保审计日志的文件权限被正确配置 | benchmarks/logging-and-auditing | 1 | | 2.2 | 2.2-ensure-only-authorized-users-own-audit-log-files.md | 2.2 确保审计日志文件的所有者为已授权用户 | benchmarks/logging-and-auditing | 1 | diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh index 167a93f..bd23f6e 100644 --- a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -2,7 +2,6 @@ result=false modprobe -n -v udf | grep -q "^install" && test -z "$(lsmod | grep -e udf)" && grep -E -q "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* && result=true - if [ "$result" == true ]; then echo "pass" else -- Gitee From 0b4d3b7dc88d8dbf55e2cb71165a4ec66ee06cd3 Mon Sep 17 00:00:00 2001 From: 10serr Date: Wed, 19 Apr 2023 08:23:32 +0000 Subject: [PATCH 7/8] final repair Signed-off-by: 10serr --- .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md index 64a7356..54b98a0 100644 --- a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md +++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md @@ -14,7 +14,7 @@ udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁 目标:确保udf文件系统的挂载被禁用。 -1. 在`/etc/modprobe.d/`目录中编辑或创建一个以`.conf` 结尾的文件,并添加一行内容:`install udf /bin/false`。 +1. 执行以下命令,在/etc/modprobe.d/目录中编辑或创建一个以.conf 结尾的文件,并添加配置。 ```bash # echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf -- Gitee From 88332c73a4fd019dd7f59f2a0c929b88d386041f Mon Sep 17 00:00:00 2001 From: 10serr Date: Wed, 19 Apr 2023 08:26:54 +0000 Subject: [PATCH 8/8] fff Signed-off-by: 10serr --- .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md index 54b98a0..2ee45d0 100644 --- a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md +++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md @@ -14,7 +14,7 @@ udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁 目标:确保udf文件系统的挂载被禁用。 -1. 执行以下命令,在/etc/modprobe.d/目录中编辑或创建一个以.conf 结尾的文件,并添加配置。 +1. 执行以下命令,在`/etc/modprobe.d/`目录中编辑或创建一个以`.conf`结尾的文件,并添加配置。 ```bash # echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf -- Gitee