Linux security baseline
Caution
This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article details the configuration settings for Linux guests as applicable in the following implementations:
- [Preview]: Linux machines should meet requirements for the Azure compute security baseline Azure Policy guest configuration definition
- Vulnerabilities in security configuration on your machines should be remediated in Microsoft Defender for Cloud
For more information, see Azure Policy guest configuration and Overview of the Azure Security Benchmark (V2).
General security controls
| Name (CCEID) |
Details | Remediation check |
|---|---|---|
| Ensure nodev option set on /home partition. (1.1.4) |
Description: An attacker could mount a special device (for example, block or character device) on the /home partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. For more information, see the fstab(5) manual pages. |
| Ensure nodev option set on /tmp partition. (1.1.5) |
Description: An attacker could mount a special device (for example, block or character device) on the /tmp partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nodev option set on /var/tmp partition. (1.1.6) |
Description: An attacker could mount a special device (for example, block or character device) on the /var/tmp partition. | Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nosuid option set on /tmp partition. (1.1.7) |
Description: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure nosuid option set on /var/tmp partition. (1.1.8) |
Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. | Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure noexec option set on /var/tmp partition. (1.1.9) |
Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't run executable binaries from /var/tmp . |
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
| Ensure noexec option set on /dev/shm partition. (1.1.16) |
Description: Setting this option on a file system prevents users from executing programs from shared memory. This control deters users from introducing potentially malicious software on the system. | Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. |
| Disable automounting (1.1.21) |
Description: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lack permissions to mount it themselves. | Disable the autofs service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-autofs' |
| Ensure mounting of USB storage devices is disabled (1.1.21.1) |
Description: Removing support for USB storage devices reduces the local attack surface of the server. | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add install usb-storage /bin/true then unload the usb-storage module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Ensure core dumps are restricted. (1.5.1) |
Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core. |
Add hard core 0 to /etc/security/limits.conf or a file in the limits.d directory and set fs.suid_dumpable = 0 in sysctl or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-core-dumps' |
| Ensure prelink is disabled. (1.5.4) |
Description: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc. | uninstall prelink using your package manager or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-prelink' |
| Ensure permissions on /etc/motd are configured. (1.7.1.4) |
Description: If the /etc/motd file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set the owner and group of /etc/motd to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
| Ensure permissions on /etc/issue are configured. (1.7.1.5) |
Description: If the /etc/issue file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set the owner and group of /etc/issue to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
| Ensure permissions on /etc/issue.net are configured. (1.7.1.6) |
Description: If the /etc/issue.net file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |
Set the owner and group of /etc/issue.net to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
| The nodev option should be enabled for all removable media. (2.1) |
Description: An attacker could mount a special device (for example, block or character device) via removable media | Add the nodev option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| The noexec option should be enabled for all removable media. (2.2) |
Description: An attacker could load executable file via removable media | Add the noexec option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| The nosuid option should be enabled for all removable media. (2.3) |
Description: An attacker could load files that run with an elevated security context via removable media | Add the nosuid option to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| Ensure talk client is not installed. (2.3.3) |
Description: The software presents a security risk as it uses unencrypted protocols for communication. | Uninstall talk or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-talk' |
| Ensure permissions on /etc/hosts.allow are configured. (3.4.4) |
Description: It's critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |
Set the owner and group of /etc/hosts.allow to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
| Ensure permissions on /etc/hosts.deny are configured. (3.4.5) |
Description: It's critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |
Set the owner and group of /etc/hosts.deny to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
| Ensure default deny firewall policy (3.6.2) |
Description: With a default accept policy, the firewall will accept any packet that is not explicitly denied. It is easier to maintain a secure firewall with a default DROP policy than it is with a default Allow policy. | Set the default policy for incoming, outgoing, and routed traffic to deny or reject as appropriate using your firewall software |
| The nodev/nosuid option should be enabled for all NFS mounts. (5) |
Description: An attacker could load files that run with an elevated security context or special devices via remote file system | Add the nosuid and nodev options to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
| Ensure permissions on /etc/ssh/sshd_config are configured. (5.2.1) |
Description: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users. |
Set the owner and group of /etc/ssh/sshd_config to root and set the permissions to 0600 or run '/opt/microsoft/omsagent/plugin/omsremediate -r sshd-config-file-permissions' |
| Ensure password creation requirements are configured. (5.3.1) |
Description: Strong passwords protect systems from being hacked through brute force methods. | Set the following key/value pairs in the appropriate PAM for your distro: minlen=14, minclass = 4, dcredit = -1, ucredit = -1, ocredit = -1, lcredit = -1, or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-password-requirements' |
| Ensure lockout for failed password attempts is configured. (5.3.2) |
Description: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. |
for Ubuntu and Debian, add the pam_tally and pam_deny modules as appropriate. For all other distros, refer to your distro's documentation |
| Disable the installation and use of file systems that aren't required (cramfs) (6.1) |
Description: An attacker could use a vulnerability in cramfs to elevate privileges | Add a file to the /etc/modprob.d directory that disables cramfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Disable the installation and use of file systems that aren't required (freevxfs) (6.2) |
Description: An attacker could use a vulnerability in freevxfs to elevate privileges | Add a file to the /etc/modprob.d directory that disables freevxfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Ensure all users' home directories exist (6.2.7) |
Description: If the user's home directory does not exist or is unassigned, the user will be placed in the volume root. Moreover, the user will be unable either to write any files or set environment variables. | If any users' home directories don't exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. |
| Ensure users own their home directories (6.2.9) |
Description: Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. | Change the ownership of any home directories that aren't owned by the defined user to the correct user. |
| Ensure users' dot files aren't group or world writable. (6.2.10) |
Description: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. | Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, we recommended you establish a monitoring policy to report user dot file permissions and determine site policy remediation actions. |
| Ensure no users have .forward files (6.2.11) |
Description: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions. |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy. |
| Ensure no users have .netrc files (6.2.12) |
Description: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems that could pose a risk to those systems |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy. |
| Ensure no users have .rhosts files (6.2.14) |
Description: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have been brought over from other systems and could contain information useful to an attacker for those other systems. |
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user .rhosts files and determine the action to be taken in accordance with site policy. |
| Ensure all groups in /etc/passwd exist in /etc/group (6.2.15) |
Description: Groups which are defined in the /etc/passwd file but not in the /etc/group file poses a threat to system security since group permissions aren't properly managed. | For each group defined in /etc/passwd, ensure there is a corresponding group in /etc/group |
| Ensure no duplicate UIDs exist (6.2.16) |
Description: Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. | Establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to. |
| Ensure no duplicate GIDs exist (6.2.17) |
Description: Groups must be assigned unique GIDs for accountability and to ensure appropriate access protections. | Establish unique GIDs and review all files owned by the shared GIDs to determine which GID they are supposed to belong to. |
| Ensure no duplicate user names exist (6.2.18) |
Description: If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd . For example, if 'test4' has a UID of 1000 and a subsequent 'test4' entry has a UID of 2000, logging in as 'test4' will use UID 1000. Effectively, the UID is shared, which is a security problem. |
Establish unique user names for all users. File ownerships will automatically reflect the change as long as the users have unique UIDs. |
| Ensure no duplicate groups exist (6.2.19) |
Description: If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group . Effectively, the GID is shared, which is a security problem. |
Establish unique names for all user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs. |
| Ensure shadow group is empty (6.2.20) |
Description: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert other user accounts. |
Remove all users form the shadow group |
| Disable the installation and use of file systems that aren't required (hfs) (6.3) |
Description: An attacker could use a vulnerability in hfs to elevate privileges | Add a file to the /etc/modprob.d directory that disables hfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Disable the installation and use of file systems that aren't required (hfsplus) (6.4) |
Description: An attacker could use a vulnerability in hfsplus to elevate privileges | Add a file to the /etc/modprob.d directory that disables hfsplus or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Disable the installation and use of file systems that aren't required (jffs2) (6.5) |
Description: An attacker could use a vulnerability in jffs2 to elevate privileges | Add a file to the /etc/modprob.d directory that disables jffs2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Kernels should only be compiled from approved sources. (10) |
Description: A kernel from an unapproved source could contain vulnerabilities or backdoors to grant access to an attacker. | Install the kernel that is provided by your distro vendor. |
| /etc/shadow file permissions should be set to 0400 (11.1) |
Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow if it's not correctly secured. | Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms' |
| /etc/shadow- file permissions should be set to 0400 (11.2) |
Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow- if it's not correctly secured. | Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms' |
| /etc/gshadow file permissions should be set to 0400 (11.3) |
Description: An attacker could join security groups if this file isn't properly secured | Set the permissions and ownership of /etc/gshadow- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms' |
| /etc/gshadow- file permissions should be set to 0400 (11.4) |
Description: An attacker could join security groups if this file isn't properly secured | Set the permissions and ownership of /etc/gshadow or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms' |
| /etc/passwd file permissions should be 0644 (12.1) |
Description: An attacker could modify userIDs and login shells | Set the permissions and ownership of /etc/passwd or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms' |
| /etc/group file permissions should be 0644 (12.2) |
Description: An attacker could elevate privileges by modifying group membership | Set the permissions and ownership of /etc/group or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-group-perms |
| /etc/passwd- file permissions should be set to 0600 (12.3) |
Description: An attacker could join security groups if this file isn't properly secured | Set the permissions and ownership of /etc/passwd- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms |
| /etc/group- file permissions should be 0644 (12.4) |
Description: An attacker could elevate privileges by modifying group membership | Set the permissions and ownership of /etc/group- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-group-perms |
| Access to the root account via su should be restricted to the 'root' group (21) |
Description: An attacker could escalate permissions by password guessing if su is not restricted to users in the root group. | Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r fix-su-permissions'. This control adds the line 'auth required pam_wheel.so use_uid' to the file '/etc/pam.d/su' |
| The 'root' group should exist, and contain all members who can su to root (22) |
Description: An attacker could escalate permissions by password guessing if su is not restricted to users in the root group. | Create the root group via the command 'groupadd -g 0 root' |
| All accounts should have a password (23.2) |
Description: An attacker can login to accounts with no password and execute arbitrary commands. | Use the passwd command to set passwords for all accounts |
| Accounts other than root must have unique UIDs greater than zero(0) (24) |
Description: If an account other than root has uid zero, an attacker could compromise the account and gain root privileges. | Assign unique, non-zero uids to all non-root accounts using 'usermod -u' |
| Randomized placement of virtual memory regions should be enabled (25) |
Description: An attacker could write executable code to known regions in memory resulting in elevation of privilege | Add the value '1' or '2' to the file '/proc/sys/kernel/randomize_va_space' |
| Kernel support for the XD/NX processor feature should be enabled (26) |
Description: An attacker could cause a system to executable code from data regions in memory resulting in elevation of privilege. | Confirm the file '/proc/cpuinfo' contains the flag 'nx' |
| The '.' shouldn't appear in root's $PATH (27.1) |
Description: An attacker could elevate privileges by placing a malicious file in root's $PATH | Modify the 'export PATH=' line in /root/.profile |
| User home directories should be mode 750 or more restrictive (28) |
Description: An attacker could retrieve sensitive information from the home folders of other users. | Set home folder permissions to 750 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-home-dir-permissions |
| The default umask for all users should be set to 077 in login.defs (29) |
Description: An attacker could retrieve sensitive information from files owned by other users. | Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r set-default-user-umask'. This will add the line 'UMASK 077' to the file '/etc/login.defs' |
| All bootloaders should have password protection enabled. (31) |
Description: An attacker with physical access could modify bootloader options, yielding unrestricted system access | Add a boot loader password to the file '/boot/grub/grub.cfg' |
| Ensure permissions on bootloader config are configured (31.1) |
Description: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. | Set the owner and group of your bootloader to root:root and permissions to 0400 or run '/opt/microsoft/omsagent/plugin/omsremediate -r bootloader-permissions |
| Ensure authentication required for single user mode. (33) |
Description: Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials. | run the following command to set a password for the root user: passwd root |
| Ensure packet redirect sending is disabled. (38.3) |
Description: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. | set the following parameters in /etc/sysctl.conf: 'net.ipv4.conf.all.send_redirects = 0' and 'net.ipv4.conf.default.send_redirects = 0' or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-send-redirects |
| Sending ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.default.accept_redirects = 0) (38.4) |
Description: An attacker could alter this system's routing table, redirecting traffic to an alternate destination | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-accept-redirects'. |
| Sending ICMP redirects should be disabled for all interfaces. (net.ipv4.conf.default.secure_redirects = 0) (38.5) |
Description: An attacker could alter this system's routing table, redirecting traffic to an alternate destination | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-secure-redirects' |
| Accepting source routed packets should be disabled for all interfaces. (net.ipv4.conf.all.accept_source_route = 0) (40.1) |
Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| Accepting source routed packets should be disabled for all interfaces. (net.ipv6.conf.all.accept_source_route = 0) (40.2) |
Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv4.conf.default.accept_source_route = 0) (42.1) |
Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| The default setting for accepting source routed packets should be disabled for network interfaces. (net.ipv6.conf.default.accept_source_route = 0) (42.2) |
Description: An attacker could redirect traffic for malicious purposes. | Run sysctl -w key=value and set to a compliant value. |
| Ignoring bogus ICMP responses to broadcasts should be enabled. (net.ipv4.icmp_ignore_bogus_error_responses = 1) (43) |
Description: An attacker could perform an ICMP attack resulting in DoS | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-ignore-bogus-error-responses' |
| Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled. (net.ipv4.icmp_echo_ignore_broadcasts = 1) (44) |
Description: An attacker could perform an ICMP attack resulting in DoS | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-icmp-echo-ignore-broadcasts' |
| Logging of martian packets (those with impossible addresses) should be enabled for all interfaces. (net.ipv4.conf.all.log_martians = 1) (45.1) |
Description: An attacker could send traffic from spoofed addresses without being detected | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-log-martians' |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.all.rp_filter = 1) (46.1) |
Description: The system will accept traffic from addresses that are unroutable. | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter' |
| Performing source validation by reverse path should be enabled for all interfaces. (net.ipv4.conf.default.rp_filter = 1) (46.2) |
Description: The system will accept traffic from addresses that are unroutable. | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rp-filter' |
| TCP SYN cookies should be enabled. (net.ipv4.tcp_syncookies = 1) (47) |
Description: An attacker could perform a DoS over TCP | Run sysctl -w key=value and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-tcp-syncookies' |
| The system shouldn't act as a network sniffer. (48) |
Description: An attacker may use promiscuous interfaces to sniff network traffic | Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local.' Check both files and remove this entry. |
| All wireless interfaces should be disabled. (49) |
Description: An attacker could create a fake AP to intercept transmissions. | Confirm all wireless interfaces are disabled in '/etc/network/interfaces' |
| The IPv6 protocol should be enabled. (50) |
Description: This is necessary for communication on modern networks. | Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0 |
| Ensure DCCP is disabled (54) |
Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add install dccp /bin/true then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Ensure SCTP is disabled (55) |
Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add install sctp /bin/true then unload the sctp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Disable support for RDS. (56) |
Description: An attacker could use a vulnerability in RDS to compromise the system | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add install rds /bin/true then unload the rds module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Ensure TIPC is disabled (57) |
Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. | Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add install tipc /bin/true then unload the tipc module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
| Ensure logging is configured (60) |
Description: A great deal of important security-related information is sent via rsyslog (for example, successful and failed su attempts, failed login attempts, root login attempts, etc.). |
Configure syslog, rsyslog or syslog-ng as appropriate |
| The syslog, rsyslog, or syslog-ng package should be installed. (61) |
Description: Reliability and security issues will not be logged, preventing proper diagnosis. | Install the rsyslog package, or run '/opt/microsoft/omsagent/plugin/omsremediate -r install-rsyslog' |
| The systemd-journald service should be configured to persists log messages (61.1) |
Description: Reliability and security issues will not be logged, preventing proper diagnosis. | Create /var/log/journal and ensure that Storage in journald.conf is auto or persistent |
| Ensure a logging service is enabled (62) |
Description: It's imperative to have the ability to log events on a node. | Enable the rsyslog package or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rsyslog' |
| File permissions for all rsyslog log files should be set to 640 or 600. (63) |
Description: An attacker could hide activity by manipulating logs | Add the line '$FileCreateMode 0640' to the file '/etc/rsyslog.conf' |
| Ensure logger configuration files are restricted. (63.1) |
Description: It's important to ensure that log files exist and have the correct permissions to ensure that sensitive syslog data is archived and protected. | Set your logger's configuration files to 0640 or run '/opt/microsoft/omsagent/plugin/omsremediate -r logger-config-file-permissions' |
| All rsyslog log files should be owned by the adm group. (64) |
Description: An attacker could hide activity by manipulating logs | Add the line '$FileGroup adm' to the file '/etc/rsyslog.conf' |
| All rsyslog log files should be owned by the syslog user. (65) |
Description: An attacker could hide activity by manipulating logs | Add the line '$FileOwner syslog' to the file '/etc/rsyslog.conf' or run '/opt/microsoft/omsagent/plugin/omsremediate -r syslog-owner |
| Rsyslog shouldn't accept remote messages. (67) |
Description: An attacker could inject messages into syslog, causing a DoS or a distraction from other activity | Remove the lines '$ModLoad imudp' and '$ModLoad imtcp' from the file '/etc/rsyslog.conf' |
| The logrotate (syslog rotater) service should be enabled. (68) |
Description: Logfiles could grow unbounded and consume all disk space | Install the logrotate package and confirm the logrotate cron entry is active (chmod 755 /etc/cron.daily/logrotate; chown root:root /etc/cron.daily/logrotate) |
| The rlogin service should be disabled. (69) |
Description: An attacker could gain access, bypassing strict authentication requirements | Remove the inetd service. |
| Disable inetd unless required. (inetd) (70.1) |
Description: An attacker could exploit a vulnerability in an inetd service to gain access | Uninstall the inetd service (apt-get remove inetd) |
| Disable xinetd unless required. (xinetd) (70.2) |
Description: An attacker could exploit a vulnerability in a xinetd service to gain access | Uninstall the inetd service (apt-get remove xinetd) |
| Install inetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required) (71.1) |
Description: An attacker could exploit a vulnerability in an inetd service to gain access | Uninstall the inetd service (apt-get remove inetd) |
| Install xinetd only if appropriate and required by your distro. Secure according to current hardening standards. (if required) (71.2) |
Description: An attacker could exploit a vulnerability in an xinetd service to gain access | Uninstall the inetd service (apt-get remove xinetd) |
| The telnet service should be disabled. (72) |
Description: An attacker could eavesdrop or hijack unencrypted telnet sessions | Remove or comment out the telnet entry in the file '/etc/inetd.conf' |
| All telnetd packages should be uninstalled. (73) |
Description: An attacker could eavesdrop or hijack unencrypted telnet sessions | Uninstall any telnetd packages |
| The rcp/rsh service should be disabled. (74) |
Description: An attacker could eavesdrop or hijack unencrypted sessions | Remove or comment out the shell entry in the file '/etc/inetd.conf' |
| The rsh-server package should be uninstalled. (77) |
Description: An attacker could eavesdrop or hijack unencrypted rsh sessions | Uninstall the rsh-server package (apt-get remove rsh-server) |
| The ypbind service should be disabled. (78) |
Description: An attacker could retrieve sensitive information from the ypbind service | Uninstall the nis package (apt-get remove nis) |
| The nis package should be uninstalled. (79) |
Description: An attacker could retrieve sensitive information from the NIS service | Uninstall the nis package (apt-get remove nis) |
| The tftp service should be disabled. (80) |
Description: An attacker could eavesdrop or hijack an unencrypted session | Remove the tftp entry from the file '/etc/inetd.conf' |
| The tftpd package should be uninstalled. (81) |
Description: An attacker could eavesdrop or hijack an unencrypted session | Uninstall the tftpd package (apt-get remove tftpd) |
| The readahead-fedora package should be uninstalled. (82) |
Description: The package creates no substantial exposure, but also adds no substantial benefit. | Uninstall the readahead-fedora package (apt-get remove readahead-fedora) |
| The bluetooth/hidd service should be disabled. (84) |
Description: An attacker could intercept or manipulate wireless communications. | Uninstall the bluetooth package (apt-get remove bluetooth) |
| The isdn service should be disabled. (86) |
Description: An attacker could use a modem to gain unauthorized access | Uninstall the isdnutils-base package (apt-get remove isdnutils-base) |
| The isdnutils-base package should be uninstalled. (87) |
Description: An attacker could use a modem to gain unauthorized access | Uninstall the isdnutils-base package (apt-get remove isdnutils-base) |
| The kdump service should be disabled. (88) |
Description: An attacker could analyze a previous system crash to retrieve sensitive information | Uninstall the kdump-tools package (apt-get remove kdump-tools) |
| Zeroconf networking should be disabled. (89) |
Description: An attacker could abuse this to gain information on networked systems, or spoof DNS requests due to flaws in its trust model | For RedHat, CentOS, and Oracle: Add NOZEROCONF=yes or no to /etc/sysconfig/network. For all other distros: Remove any 'ipv4ll' entries in the file '/etc/network/interfaces' or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-zeroconf' |
| The crond service should be enabled. (90) |
Description: Cron is required by almost all systems for regular maintenance tasks | Install the cron package (apt-get install -y cron) and confirm the file '/etc/init/cron.conf' contains the line 'start on runlevel [2345]' |
| File permissions for /etc/anacrontab should be set to root:root 600. (91) |
Description: An attacker could manipulate this file to prevent scheduled tasks or execute malicious tasks | Set the ownership and permissions on /etc/anacrontab or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-anacrontab-perms' |
| Ensure permissions on /etc/cron.d are configured. (93) |
Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set the owner and group of /etc/chron.d to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms' |
| Ensure permissions on /etc/cron.daily are configured. (94) |
Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set the owner and group of /etc/chron.daily to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms |
| Ensure permissions on /etc/cron.hourly are configured. (95) |
Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set the owner and group of /etc/chron.hourly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms |
| Ensure permissions on /etc/cron.monthly are configured. (96) |
Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set the owner and group of /etc/chron.monthly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms |
| Ensure permissions on /etc/cron.weekly are configured. (97) |
Description: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | Set the owner and group of /etc/chron.weekly to root and permissions to 0700 or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-file-perms |
| Ensure at/cron is restricted to authorized users (98) |
Description: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It's easier to manage an allowlist than a denylist. In a denylist, you could potentially add a user ID to the system and forget to add it to the deny files. |
Replace /etc/cron.deny and /etc/at.deny with their respective allow files or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-job-allow' |
| SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config Protocol = 2' (106.1) |
Description: An attacker could use flaws in an earlier version of the SSH protocol to gain access | Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r configure-ssh-protocol'. This will set 'Protocol 2' in the file '/etc/ssh/sshd_config' |
| SSH must be configured and managed to meet best practices. - '/etc/ssh/sshd_config IgnoreRhosts = yes' (106.3) |
Description: An attacker could use flaws in the Rhosts protocol to gain access | Run the command '/usr/local/bin/azsecd remediate (/opt/microsoft/omsagent/plugin/omsremediate) -r enable-ssh-ignore-rhosts'. This will add the line 'IgnoreRhosts yes' to the file '/etc/ssh/sshd_config' |
| Ensure SSH LogLevel is set to INFO (106.5) |
Description: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it's difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it's important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. |
Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO |
| Ensure SSH MaxAuthTries is set to 6 or less (106.7) |
Description: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. |
Ensure SSH MaxAuthTries is set to 6 or less Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 6 |
| Ensure SSH access is limited (106.11) |
Description: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. | Ensure SSH access is limited Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups |
| Emulation of the rsh command through the ssh server should be disabled. - '/etc/ssh/sshd_config RhostsRSAAuthentication = no' (107) |
Description: An attacker could use flaws in the RHosts protocol to gain access | Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-rhost-rsa-auth'. This will add the line 'RhostsRSAAuthentication no' to the file '/etc/ssh/sshd_config' |
| SSH host-based authentication should be disabled. - '/etc/ssh/sshd_config HostbasedAuthentication = no' (108) |
Description: An attacker could use host-based authentication to gain access from a compromised host | Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r disable-ssh-host-based-auth'. This will add the line 'HostbasedAuthentication no' to the file '/etc/ssh/sshd_config' |
| Root login via SSH should be disabled. - '/etc/ssh/sshd_config PermitRootLogin = no' (109) |
Description: An attacker could brute force the root password, or hide their command history by logging in directly as root | Run the command '/usr/local/bin/azsecd remediate -r disable-ssh-root-login'. This will add the line 'PermitRootLogin no' to the file '/etc/ssh/sshd_config' |
| Remote connections from accounts with empty passwords should be disabled. - '/etc/ssh/sshd_config PermitEmptyPasswords = no' (110) |
Description: An attacker could gain access through password guessing | Run the command '/usr/local/bin/azsecd remediate (/opt/microsoft/omsagent/plugin/omsremediate) -r disable-ssh-empty-passwords'. This will add the line 'PermitEmptyPasswords no' to the file '/etc/ssh/sshd_config' |
| Ensure SSH Idle Timeout Interval is configured. (110.1) |
Description: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session. Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent. |
Edit the /etc/ssh/sshd_config file to set the parameters according to the policy |
| Ensure SSH LoginGraceTime is set to one minute or less. (110.2) |
Description: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. |
Edit the /etc/ssh/sshd_config file to set the parameters according to the policy or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-login-grace-time' |
| Ensure only approved MAC algorithms are used (110.3) |
Description: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information | Edit the /etc/sshd_config file and add/modify the MACs line to contain a comma separated list of the approved MACs or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-macs' |
| Ensure remote login warning banner is configured properly. (111) |
Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the uname -acommand once they have logged in. |
Remove any instances of \m \r \s and \v from the /etc/issue.net file |
| Ensure local login warning banner is configured properly. (111.1) |
Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the uname -acommand once they have logged in. |
Remove any instances of \m \r \s and \v from the /etc/issue file |
| SSH warning banner should be enabled. - '/etc/ssh/sshd_config Banner = /etc/issue.net' (111.2) |
Description: Users will not be warned that their actions on the system are monitored | Run the command '/usr/local/bin/azsecd remediate -r configure-ssh-banner'. This will add the line 'Banner /etc/azsec/banner.txt' to the file '/etc/ssh/sshd_config' |
| Users aren't allowed to set environment options for SSH. (112) |
Description: An attacker may be able to bypass some access restrictions over SSH | Remove the line 'PermitUserEnvironment yes' from the file '/etc/ssh/sshd_config' |
| Appropriate ciphers should be used for SSH. (Ciphers aes128-ctr,aes192-ctr,aes256-ctr) (113) |
Description: An attacker could compromise a weakly secured SSH connection | Run the command '/usr/local/bin/azsecd remediate -r configure-ssh-ciphers'. This will add the line 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' to the file '/etc/ssh/sshd_config' |
| The avahi-daemon service should be disabled. (114) |
Description: An attacker could use a vulnerability in the avahi daemon to gain access | Disable the avahi-daemon service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-avahi-daemon' |
| The cups service should be disabled. (115) |
Description: An attacker could use a flaw in the cups service to elevate privileges | Disable the cups service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-cups' |
| The isc-dhcpd service should be disabled. (116) |
Description: An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation. | Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server) |
| The isc-dhcp-server package should be uninstalled. (117) |
Description: An attacker could use dhcpd to provide faulty information to clients, interfering with normal operation. | Remove the isc-dhcp-server package (apt-get remove isc-dhcp-server) |
| The sendmail package should be uninstalled. (120) |
Description: An attacker could use this system to send emails with malicious content to other users | Uninstall the sendmail package (apt-get remove sendmail) |
| The postfix package should be uninstalled. (121) |
Description: An attacker could use this system to send emails with malicious content to other users | Uninstall the postfix package (apt-get remove postfix) or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-postfix' |
| Postfix network listening should be disabled as appropriate. (122) |
Description: An attacker could use this system to send emails with malicious content to other users | Add the line 'inet_interfaces localhost' to the file '/etc/postfix/main.cf' |
| The ldap service should be disabled. (124) |
Description: An attacker could manipulate the LDAP service on this host to distribute false data to LDAP clients | Uninstall the slapd package (apt-get remove slapd) |
| The rpcgssd service should be disabled. (126) |
Description: An attacker could use a flaw in rpcgssd/nfs to gain access | Disable the rpcgssd service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcgssd' |
| The rpcidmapd service should be disabled. (127) |
Description: An attacker could use a flaw in idmapd/nfs to gain access | Disable the rpcidmapd service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcidmapd' |
| The portmap service should be disabled. (129.1) |
Description: An attacker could use a flaw in portmap to gain access | Disable the rpcbind service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rpcbind' |
| The Network File System (NFS) service should be disabled. (129.2) |
Description: An attacker could use nfs to mount shares and execute/copy files. | Disable the nfs service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-nfs' |
| The rpcsvcgssd service should be disabled. (130) |
Description: An attacker could use a flaw in rpcsvcgssd to gain access | Remove the line 'NEED_SVCGSSD = yes' from the file '/etc/inetd.conf' |
| The named service should be disabled. (131) |
Description: An attacker could use the DNS service to distribute false data to clients | Uninstall the bind9 package (apt-get remove bind9) |
| The bind package should be uninstalled. (132) |
Description: An attacker could use the DNS service to distribute false data to clients | Uninstall the bind9 package (apt-get remove bind9) |
| The dovecot service should be disabled. (137) |
Description: The system could be used as an IMAP/POP3 server | Uninstall the dovecot-core package (apt-get remove dovecot-core) |
| The dovecot package should be uninstalled. (138) |
Description: The system could be used as an IMAP/POP3 server | Uninstall the dovecot-core package (apt-get remove dovecot-core) |
Ensure no legacy + entries exist in /etc/passwd(156.1) |
Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/passwd that begin with '+:' |
Ensure no legacy + entries exist in /etc/shadow(156.2) |
Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/shadow that begin with '+:' |
Ensure no legacy + entries exist in /etc/group(156.3) |
Description: An attacker could gain access by using the username '+' with no password | Remove any entries in /etc/group that begin with '+:' |
| Ensure password expiration is 365 days or less. (157.1) |
Description: Reducing the maximum age of a password also reduces an attacker's window of opportunity to leverage compromised credentials or successfully compromise credentials via an online brute force attack. | Set the PASS_MAX_DAYS parameter to no more than 365 in /etc/login.defs or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-max-days' |
| Ensure password expiration warning days is 7 or more. (157.2) |
Description: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered. | Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-warn-age' |
| Ensure password reuse is limited. (157.5) |
Description: Forcing users not to reuse their past five passwords makes it less likely that an attacker will be able to guess the password. | Ensure the 'remember' option is set to at least 5 in either /etc/pam.d/common-password or both /etc/pam.d/password_auth and /etc/pam.d/system_auth or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-history' |
| Ensure password hashing algorithm is SHA-512 (157.11) |
Description: The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system. | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate /etc/pam.d/ configuration file and add or modify the pam_unix.so lines to include the sha512 option: password sufficient pam_unix.so sha512 |
| Ensure minimum days between password changes is 7 or more. (157.12) |
Description: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls. | Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: chage --mindays 7 or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-pass-min-days' |
| Ensure all users last password change date is in the past (157.14) |
Description: If a users recorded password change date is in the future, then they could bypass any set password expiration. | Ensure inactive password lock is 30 days or less Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 |
| Ensure system accounts are non-login (157.15) |
Description: It's important to make sure that accounts that aren't being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it's also recommended that the shell field in the password file be set to /usr/sbin/nologin. This prevents the account from potentially being used to run any commands. |
Set the shell for any accounts returned by the audit script to /sbin/nologin |
| Ensure default group for the root account is GID 0 (157.16) |
Description: Using GID 0 for the _root_ account helps prevent _root_-owned files from accidentally becoming accessible to non-privileged users. |
Run the following command to set the root user default group to GID 0 : # usermod -g 0 root |
| Ensure root is the only UID 0 account (157.18) |
Description: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism. |
Remove any users other than root with UID 0 or assign them a new UID if appropriate. |
| Remove unnecessary accounts (159) |
Description: For compliance | Remove the unnecessary accounts |
| Ensure auditd service is enabled (162) |
Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | Install audit package (systemctl enable auditd) |
| Run AuditD service (163) |
Description: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | Run AuditD service (systemctl start auditd) |
| Ensure SNMP Server is not enabled (179) |
Description: The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it's recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1. | Run one of the following commands to disable snmpd: # chkconfig snmpd off # systemctl disable snmpd # update-rc.d snmpd disable |
| Ensure rsync service is not enabled (181) |
Description: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. |
Run one of the following commands to disable rsyncd : chkconfig rsyncd off, systemctl disable rsyncd, update-rc.d rsyncd disable or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rsync' |
| Ensure NIS server is not enabled (182) |
Description: The NIS service is an inherently insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS is generally replaced by protocols like Lightweight Directory Access Protocol (LDAP). It's recommended that the service be disabled and more secure services be used | Run one of the following commands to disable ypserv : # chkconfig ypserv off # systemctl disable ypserv # update-rc.d ypserv disable |
| Ensure rsh client is not installed (183) |
Description: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it's best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin. |
Uninstall rsh using the appropriate package manager or manual installation: yum remove rsh apt-get remove rsh zypper remove rsh |
| Disable SMB V1 with Samba (185) |
Description: SMB v1 has well-known, serious vulnerabilities and does not encrypt data in transit. If it must be used for business reasons, it's strongly recommended that additional steps be taken to mitigate the risks inherent to this protocol. | If Samba is not running, remove package, otherwise there should be a line in the [global] section of /etc/samba/smb.conf: min protocol = SMB2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-smb-min-version |
Note
Availability of specific Azure Policy guest configuration settings may vary in Azure Government and other national clouds.
Next steps
Additional articles about Azure Policy and guest configuration:
- Azure Policy guest configuration.
- Regulatory Compliance overview.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for