forked from mondoohq/cnspec-policies
mondoo-linux-workstation-security.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-linux-workstation-security
    name: Linux Workstation Security
    version: 1.1.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: linux
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        ## Overview

        This policy provides prescriptive guidance for establishing a secure configuration posture for client Linux systems running on x86 and x64 platforms.

        Commands and scripts are provided which should work on most distributions; however, some translation to local styles may be required in places.

        Where possible, Red Hat, Debian, and SUSE derivative styles are provided. Many lists are included, covering filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions, and additional similar items may exist, which should be considered in addition to those explicitly mentioned. The guidance within broadly assumes that operations are being performed as the root user. Operations performed using sudo instead of the root user may produce unexpected results or fail to make the intended changes to the system. Non-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify the root user's path integrity and the integrity of any programs being run before executing the commands and scripts included in this benchmark.

        ### Intended Audience

        This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Linux on x86 or x64 platforms.

        ## Local scan

        Local scans refer to scans of files and operating systems where cnspec is installed.

        To scan the `localhost` against this policy:

        ```bash
        cnspec scan local
        ```

        ## Remote scan

        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

        For a complete list of providers run:

        ```bash
        cnspec scan --help
        ```

        ### Prerequisites

        Remote scans of Linux hosts require authentication such as SSH keys.

        ### Scan a remote Linux host (SSH authentication)

        ```bash
        cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Secure Boot
        filters: |
          asset.family.contains('linux')
          packages.where(name == /xorg|xserver|wayland/i).any(installed)
        checks:
          - uid: mondoo-linux-workstation-security-permissions-on-bootloader-config-are-configured
          - uid: mondoo-linux-workstation-security-secure-boot-is-enabled
      - title: Disk encryption
        filters: |
          asset.family.contains('linux')
          packages.where(name == /xorg|xserver|wayland/i).any(installed)
        checks:
          - uid: mondoo-linux-workstation-security-aes-encryption-algorithm
          - uid: mondoo-linux-workstation-security-root-and-home-are-encrypted
      - title: BIOS Firmware up-to-date
        filters: |
          asset.family.contains('linux')
          package('fwupd').installed
          packages.where(name == /xorg|xserver|wayland/i).any(installed)
        checks:
          - uid: mondoo-linux-workstation-security-bios-uptodate
    scoring_system: highest impact
queries:
  - uid: mondoo-linux-workstation-security-permissions-on-bootloader-config-are-configured
    title: Ensure permissions on bootloader config are configured
    impact: 90
    mql: |
      if (file("/boot/grub/grub.cfg").exists) {
        file("/boot/grub/grub.cfg") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (file("/boot/grub/menu.lst").exists) {
        file("/boot/grub/menu.lst") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (file("/boot/grub2/grub.cfg").exists) {
        file("/boot/grub2/grub.cfg") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (file("/boot/grub/user.cfg").exists) {
        file("/boot/grub/user.cfg") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (file("/boot/grub2/user.cfg").exists) {
        file("/boot/grub2/user.cfg") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (file("/boot/loader/loader.conf").exists) {
        file("/boot/loader/loader.conf") {
          path
          user.name == 'root'
          group.name == 'root'
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
      if (mount.list.where( fstype == 'vfat' && path == /boot/) != []) {
        mount.list.where( fstype == 'vfat' && path == /boot/) {
          device
          options['fmask'] == "0077"
        }
      }
    docs:
      desc: |-
        The grub files contain information on boot settings and passwords for unlocking boot options.
        If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions are desired.
      remediation: |-
        Run these commands to set ownership and permissions on your grub configuration file(s):

        ```
        # chown root:root /boot/grub2/grub.cfg
        # chmod og-rwx /boot/grub2/grub.cfg
        # chown root:root /boot/grub2/grubenv
        # chmod og-rwx /boot/grub2/grubenv
        # chown root:root /boot/grub2/user.cfg
        # chmod og-rwx /boot/grub2/user.cfg
        ```

        Run these commands to set ownership and permissions on your systemd-boot loader configuration file:

        ```
        chown root:root /boot/loader/loader.conf
        chmod og-rwx /boot/loader/loader.conf
        ```

        **OR** If the system uses UEFI, edit `/etc/fstab` and add the `fmask=0077`, `uid=0`, and `gid=0` options:

        _Example:_

        ```
        <device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0
        ```

        _Note: This may require a reboot to enable the change_
  - uid: mondoo-linux-workstation-security-secure-boot-is-enabled
    title: Ensure Secure Boot is enabled
    impact: 90
    mql: |
      command('mokutil --sb-state').stdout.downcase.contains('secureboot enabled')
    docs:
      desc: |
        Secure Boot is required in order to ensure that the booting kernel hasn't been modified. It needs to be enabled in your computer's firmware and be supported by your Linux distribution.
      audit: |
        Run the `mokutil --sb-state` command and check whether it prints `SecureBoot enabled`
      remediation: |
        Enable Secure Boot in your computer's firmware and use a Linux distribution supporting Secure Boot
  - uid: mondoo-linux-workstation-security-root-and-home-are-encrypted
    title: Ensure / and /home are encrypted
    impact: 90
    mql: |-
      mount.list.where( path == '/') {
        lsblkDevice = parse.json(content: command('lsblk -a --json -s ' + _.device).stdout).params
        lsblkDevice['blockdevices'][0]['children'][0]['type'] == 'crypt' || lsblkDevice['blockdevices'][0]['type'] == 'crypt'
      }
      if( mount.list.where( path == /home/) != [] ) {
        mount.list.where( path == '/home') {
          lsblkDevice = parse.json(content: command('lsblk -a --json -s ' + _.device).stdout).params
          lsblkDevice['blockdevices'][0]['children'][0]['type'] == 'crypt' || lsblkDevice['blockdevices'][0]['type'] == 'crypt'
        }
      }
    docs:
      desc: |
        It is mandatory to encrypt the / and /home partitions in case of theft
      audit: Get the device names serving `/` and `root` by running `df`, then check the device status using `dmsetup status`
      remediation: ""
  - uid: mondoo-linux-workstation-security-aes-encryption-algorithm
    title: Ensure AES encryption algorithm is used
    impact: 90
    mql: |
      lsblk.list.where( fstype == /crypt/).length >= 1
      lsblk.list.where( fstype == /crypt/).all(
        parse.json(
          content: command('cryptsetup --dump-json-metadata luksDump /dev/disk/by-uuid/' + uuid).stdout
        ).params['segments']['0']['encryption'].contains('aes-xts') ||
        command('cryptsetup luksDump /dev/disk/by-uuid/' + uuid).stdout.lines.where( _ == /Cipher\:/).all(/aes/)
      )
    docs:
      desc: |
        It is mandatory to encrypt / and /home with the aes-xts-plain64 or aes-xts-benbi algorithm.
      audit: |
        Run the `cryptsetup --dump-json-metadata luksDump /dev/disk/by-uuid/<device uuid>` command and check which encryption algorithm is used.
      remediation: |
        Encrypt your complete disk with this command:

        ```
        cryptsetup luksFormat --type luks2 --cipher aes-xts-benbi --key-size 512 --hash sha512 --iter-time 5000 --label <label> /dev/disk/by-partlabel/<device>
        ```
  - uid: mondoo-linux-workstation-security-bios-uptodate
    title: Ensure system BIOS is running the latest available version
    impact: 60
    mql: |
      parse.json(content: command('fwupdmgr get-updates -y --json').stdout).params["Devices"].length == 0
    docs:
      desc: |
        The system BIOS should be on the latest available version. This check depends on fwupdmgr being available on the system.

        Warning: The fwupd daemon will try to connect to the Internet automatically to receive the latest updates.
      audit: |
        Run the `fwupdmgr get-updates -y --json` command to check whether the BIOS is already running the latest version.
      remediation: |
        Make sure to keep your BIOS firmware up-to-date by running these commands:

        1.
        ```
        fwupdmgr get-updates
        ```

        2.
        ```
        fwupdmgr update
        ```

        Alternatively, use your manufacturer's manual update process.
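The two disk-encryption checks above shell out to `lsblk` and `cryptsetup luksDump` and index `blockdevices[0]` / `children[0]` of the JSON. The following is an added example, not part of the Mondoo policy, that re-implements the same verdicts in Python over constructed JSON samples and goes beyond the MQL by walking the whole inverse device tree, so a crypt layer below LVM (or RAID) at any depth is still found. The `segments` shape mirrors `cryptsetup --dump-json-metadata luksDump`; the sample device names are made up.

```python
"""Added example (not the cnspec policy's own code): evaluate the
'/ and /home are encrypted' and 'AES encryption algorithm' checks over
constructed `lsblk -a --json -s` and `cryptsetup --dump-json-metadata luksDump`
output, walking the whole inverse tree instead of only blockdevices[0]/children[0]."""
import json

# Constructed sample: root logical volume on top of a LUKS container (LVM-on-LUKS).
# In `lsblk -s` (inverse) output each "child" is actually the parent device.
LSBLK_ROOT_LVM_ON_LUKS = json.dumps({
    "blockdevices": [{
        "name": "vg0-root", "type": "lvm",
        "children": [{
            "name": "luks-1234", "type": "crypt",
            "children": [{"name": "nvme0n1p3", "type": "part",
                          "children": [{"name": "nvme0n1", "type": "disk"}]}]
        }]
    }]
})
# Constructed sample: a plain partition with no encryption layer anywhere.
LSBLK_PLAIN = json.dumps({"blockdevices": [{
    "name": "sda2", "type": "part", "children": [{"name": "sda", "type": "disk"}]}]})
# Constructed samples of the LUKS2 JSON metadata `segments` object.
LUKS_META_AES = json.dumps({"segments": {"0": {"type": "crypt",
                                                "encryption": "aes-xts-plain64"}}})
LUKS_META_OTHER = json.dumps({"segments": {"0": {"type": "crypt",
                                                  "encryption": "serpent-xts-plain64"}}})


def has_crypt_layer(lsblk_json: str) -> bool:
    """True if the mounted device or any device beneath it is of type 'crypt'."""
    def walk(node: dict) -> bool:
        if node.get("type") == "crypt":
            return True
        return any(walk(child) for child in node.get("children", []))
    return any(walk(dev) for dev in json.loads(lsblk_json).get("blockdevices", []))


def uses_aes_xts(luks_dump_json: str) -> bool:
    """True if every LUKS2 data segment uses an aes-xts-* cipher.

    A container with no crypt segment fails closed rather than vacuously passing."""
    segments = json.loads(luks_dump_json).get("segments", {})
    crypt_segments = [s for s in segments.values() if s.get("type") == "crypt"]
    return bool(crypt_segments) and all(
        s.get("encryption", "").startswith("aes-xts") for s in crypt_segments)
```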
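The bootloader-config check above expects `root:root` ownership with no group/other bits (the `chmod og-rwx` from the remediation) and, for a vfat `/boot` mount, `fmask` equal to the literal string `"0077"`. This added example, not part of the Mondoo policy, evaluates both conditions in Python; unlike the MQL it parses `fmask` as octal so `fmask=077` and `fmask=0077` are treated alike. The fstab lines are constructed, and the file paths are the ones the policy lists.

```python
"""Added example (not the cnspec policy's own code): bootloader-config
permission check and vfat /boot(/efi) mount-option check."""
import os
import stat
from typing import Dict, Optional

# Same candidate files the policy inspects (each is skipped when absent).
BOOTLOADER_FILES = ["/boot/grub/grub.cfg", "/boot/grub/menu.lst", "/boot/grub2/grub.cfg",
                    "/boot/grub/user.cfg", "/boot/grub2/user.cfg", "/boot/loader/loader.conf"]


def bootloader_perms_ok(mode: int, uid: int, gid: int) -> bool:
    """root:root and no group/other read, write or execute bits (chmod og-rwx)."""
    og_bits = stat.S_IRWXG | stat.S_IRWXO
    return uid == 0 and gid == 0 and (mode & og_bits) == 0


def check_bootloader_file(path: str) -> Optional[bool]:
    """None when the file does not exist (the policy skips it), else the verdict."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return bootloader_perms_ok(st.st_mode, st.st_uid, st.st_gid)


def audit_bootloader_files() -> Dict[str, Optional[bool]]:
    return {p: check_bootloader_file(p) for p in BOOTLOADER_FILES}


def parse_mount_options(opts: str) -> Dict[str, Optional[str]]:
    """'defaults,fmask=0077,uid=0' -> {'defaults': None, 'fmask': '0077', 'uid': '0'}"""
    out: Dict[str, Optional[str]] = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        out[key] = value if value != "" else None
    return out


def efi_mount_ok(fstab_line: str) -> bool:
    """A vfat mount on /boot or /boot/efi must carry fmask=0077, uid=0 and gid=0."""
    fields = fstab_line.split()
    if len(fields) < 4 or fields[2] != "vfat" or fields[1] not in ("/boot", "/boot/efi"):
        return False
    opts = parse_mount_options(fields[3])
    try:
        fmask = int(opts.get("fmask") or "", 8)
    except ValueError:
        return False  # fmask missing or not octal: files stay readable by others
    return fmask == 0o077 and opts.get("uid") == "0" and opts.get("gid") == "0"
```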