Commit 43cdb75

Browse files
Improve Acrolinx score
1 parent a9f3d51 commit 43cdb75

File tree

1 file changed

+6
-6
lines changed
articles/governance/policy/samples/guest-configuration-baseline-linux.md

Lines changed: 6 additions & 6 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Reference - Azure Policy guest configuration baseline for Linux
33
description: Details of the Linux baseline on Azure implemented through Azure Policy guest configuration.
4-
ms.date: 06/21/2022
4+
ms.date: 08/02/2022
55
ms.topic: reference
66
ms.custom: generated
77
ms.author: timwarner
@@ -28,7 +28,7 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
2828
|Ensure nosuid option set on /tmp partition.<br /><sub>(1.1.7)</sub> |Description: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. |Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |
2929
|Ensure nosuid option set on /var/tmp partition.<br /><sub>(1.1.8)</sub> |Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. |Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
3030
|Ensure noexec option set on /var/tmp partition.<br /><sub>(1.1.9)</sub> |Description: Since the `/var/tmp` filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from `/var/tmp` . |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |
31-
|Ensure noexec option set on /dev/shm partition.<br /><sub>(1.1.16)</sub> |Description: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. |
31+
|Ensure noexec option set on /dev/shm partition.<br /><sub>(1.1.16)</sub> |Description: Setting this option on a file system prevents users from executing programs from shared memory. This option deters users from introducing potentially malicious software on the system. |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. |
3232
|Disable automounting<br /><sub>(1.1.21)</sub> |Description: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lack permissions to mount it themselves. |Disable the autofs service or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-autofs' |
3333
|Ensure mounting of USB storage devices is disabled<br /><sub>(1.1.21.1)</sub> |Description: Removing support for USB storage devices reduces the local attack surface of the server. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install usb-storage /bin/true` then unload the usb-storage module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
3434
|Ensure core dumps are restricted.<br /><sub>(1.5.1)</sub> |Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see `limits.conf(5)` ). In addition, setting the `fs.suid_dumpable` variable to 0 will prevent setuid programs from dumping core. |Add `hard core 0` to /etc/security/limits.conf or a file in the limits.d directory and set `fs.suid_dumpable = 0` in sysctl or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-core-dumps' |
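Review bot: the wording change on line 31 is fine, but the unchanged context line for control 1.1.7 (nosuid on /tmp) still says "ensure that users cannot create setuid files in /var/tmp", which is a copy of the 1.1.8 text; it should read "/tmp" for that row. Since this pass is already editing neighbouring rows for readability, fixing that path here would avoid shipping a description that names the wrong partition.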
@@ -42,16 +42,16 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
4242
|Ensure talk client is not installed.<br /><sub>(2.3.3)</sub> |Description: The software presents a security risk as it uses unencrypted protocols for communication. |Uninstall `talk` or run '/opt/microsoft/omsagent/plugin/omsremediate -r remove-talk' |
4343
|Ensure permissions on /etc/hosts.allow are configured.<br /><sub>(3.4.4)</sub> |Description: It is critical to ensure that the `/etc/hosts.allow` file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. |Set the owner and group of /etc/hosts.allow to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
4444
|Ensure permissions on /etc/hosts.deny are configured.<br /><sub>(3.4.5)</sub> |Description: It is critical to ensure that the `/etc/hosts.deny` file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. |Set the owner and group of /etc/hosts.deny to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |
45-
|Ensure default deny firewall policy<br /><sub>(3.6.2)</sub> |Description: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to maintain a secure firewall with a default DROP policy than it is with a default ALLOW policy. |Set the default policy for incoming, outgoing, and routed traffic to `deny` or `reject` as appropriate using your firewall software |
45+
|Ensure default deny firewall policy<br /><sub>(3.6.2)</sub> |Description: With a default accept policy, the firewall will accept any packet that is not explicitly denied. It is easier to maintain a secure firewall with a default DROP policy than it is with a default ALLOW policy. |Set the default policy for incoming, outgoing, and routed traffic to `deny` or `reject` as appropriate using your firewall software |
4646
|The nodev/nosuid option should be enabled for all NFS mounts.<br /><sub>(5)</sub> |Description: An attacker could load files that run with an elevated security context or special devices via remote file system |Add the nosuid and nodev options to the fourth field (mounting options) in /etc/fstab. For more information, see the fstab(5) manual pages. |
4747
|Ensure permissions on /etc/ssh/sshd_config are configured.<br /><sub>(5.2.1)</sub> |Description: The `/etc/ssh/sshd_config` file needs to be protected from unauthorized changes by non-privileged users. |Set the owner and group of /etc/ssh/sshd_config to root and set the permissions to 0600 or run '/opt/microsoft/omsagent/plugin/omsremediate -r sshd-config-file-permissions' |
4848
|Ensure password creation requirements are configured.<br /><sub>(5.3.1)</sub> |Description: Strong passwords protect systems from being hacked through brute force methods. |Set the following key/value pairs in the appropriate PAM for your distro: minlen=14, minclass = 4, dcredit = -1, ucredit = -1, ocredit = -1, lcredit = -1, or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-password-requirements' |
4949
|Ensure lockout for failed password attempts is configured.<br /><sub>(5.3.2)</sub> |Description: Locking out user IDs after `n` unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. |for Ubuntu and Debian, add the pam_tally and pam_deny modules as appropriate. For all other distros, refer to your distro's documentation |
5050
|Disable the installation and use of file systems that are not required (cramfs)<br /><sub>(6.1)</sub> |Description: An attacker could use a vulnerability in cramfs to elevate privileges |Add a file to the /etc/modprob.d directory that disables cramfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
5151
|Disable the installation and use of file systems that are not required (freevxfs)<br /><sub>(6.2)</sub> |Description: An attacker could use a vulnerability in freevxfs to elevate privileges |Add a file to the /etc/modprob.d directory that disables freevxfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
52-
|Ensure all users' home directories exist<br /><sub>(6.2.7)</sub> |Description: If the user's home directory does not exist or is unassigned, the user will be placed in '/' and will not be able to write any files or have local environment variables set. |If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. |
52+
|Ensure all users' home directories exist<br /><sub>(6.2.7)</sub> |Description: If the user's home directory does not exist or is unassigned, the user will be placed at the directory root. Moreover, the user will be unable to write any files or set local environment variables. |If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. |
5353
|Ensure users own their home directories<br /><sub>(6.2.9)</sub> |Description: Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. |Change the ownership of any home directories that are not owned by the defined user to the correct user. |
54-
|Ensure users' dot files are not group or world writable.<br /><sub>(6.2.10)</sub> |Description: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy. |
54+
|Ensure users' dot files are not group or world writable.<br /><sub>(6.2.10)</sub> |Description: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, you should implement a monitoring policy to report user file permissions and determine a remediation action. |
5555
|Ensure no users have .forward files<br /><sub>(6.2.11)</sub> |Description: Use of the `.forward` file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The `.forward` file also poses a risk as it can be used to execute commands that may perform unintended actions. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. |
5656
|Ensure no users have .netrc files<br /><sub>(6.2.12)</sub> |Description: The `.netrc` file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is user accounts may have brought over `.netrc` files from other systems which could pose a risk to those systems |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.netrc` files and determine the action to be taken in accordance with site policy. |
5757
|Ensure no users have .rhosts files<br /><sub>(6.2.14)</sub> |Description: This action is only meaningful if `.rhosts` support is permitted in the file `/etc/pam.conf` . Even though the `.rhosts` files are ineffective if support is disabled in `/etc/pam.conf` , they may have been brought over from other systems and could contain information useful to an attacker for those other systems. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.rhosts` files and determine the action to be taken in accordance with site policy. |
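Review bot: the 6.2.10 rewrite on line 54 drops "dot file" from "report user dot file permissions" and now says "report user file permissions", which broadens the remediation beyond the control's scope (dot files); suggest keeping "user dot file permissions". The same row also replaces "in accordance with site policy" with "determine a remediation action", while the sibling rows 6.2.11, 6.2.12 and 6.2.14 on lines 55-57 keep the old phrasing ("it is recommended that a monitoring policy be established ... in accordance with site policy"), so the four rows now read inconsistently; either apply the same edit to all four or leave 6.2.10 matching them. Two smaller points in this hunk: on line 52, "placed at the directory root" is less precise than the original "placed in '/'" and could be misread as /root, so "placed in the root directory (/)" would be clearer; and the unchanged 6.2.12 description on line 56 contains the broken sentence "Even if FTP is user accounts may have brought over `.netrc` files", which is missing a word after "FTP is" and is worth fixing while this file is open.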
@@ -100,7 +100,7 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
100100
|TCP SYN cookies should be enabled. (net.ipv4.tcp_syncookies = 1)<br /><sub>(47)</sub> |Description: An attacker could perform a DoS over TCP |Run `sysctl -w key=value` and set to a compliant value or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-tcp-syncookies' |
101101
|The system should not act as a network sniffer.<br /><sub>(48)</sub> |Description: An attacker may use promiscuous interfaces to sniff network traffic |Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local.' Check both files and remove this entry. |
102102
|All wireless interfaces should be disabled.<br /><sub>(49)</sub> |Description: An attacker could create a fake AP to intercept transmissions. |Confirm all wireless interfaces are disabled in '/etc/network/interfaces' |
103-
|The IPv6 protocol should be enabled.<br /><sub>(50)</sub> |Description: This is necessary for communication on modern networks. |Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0 |
103+
|The IPv6 protocol should be enabled.<br /><sub>(50)</sub> |Description: IPv6 is necessary for communication on many modern networks. |Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0 |
104104
|Ensure DCCP is disabled<br /><sub>(54)</sub> |Description: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
105105
|Ensure SCTP is disabled<br /><sub>(55)</sub> |Description: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install sctp /bin/true` then unload the sctp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
106106
|Disable support for RDS.<br /><sub>(56)</sub> |Description: An attacker could use a vulnerability in RDS to compromise the system |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install rds /bin/true` then unload the rds module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |
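Review bot: the IPv6 description change on line 103 is fine. One nit in the unchanged context of this hunk: the remediation for control 48 on line 101 writes '/etc/rc.local.' with the sentence's full stop inside the quotes, which makes the period look like part of the file name; moving it outside the closing quote ('/etc/rc.local'.) avoids that.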