run OpenSCAP security test

https://www.open-scap.org

https://www.open-scap.org/tools/scap-workbench/

Using the most restrictive Debian profile:

Install the ntp service
Enable the ntp service

We use sdwdate.

SSH

We don’t use SSH.

Disable unauthenticated repositories in APT configuration
Ensure that official distribution repositories are used
Ensure System Log Files Have Correct Permissions
Ensure Log Files Are Owned By Appropriate User
Ensure Log Files Are Owned By Appropriate Group

Done, although we could restrict some other less important logs:

/var/log/alternatives.log 644
/var/log/apparmor 755
/var/log/apt 755
/var/log/bootclockrandomization.log 775
/var/log/dpkg.log 644
/var/log/faillog 644
/var/log/fontconfig.log 644
/var/log/lastlog 664
/var/log/openvpn 755
/var/log/sdwdate.log 644
/var/log/wtmp 664
/var/log/Xorg.0.log 644
/var/log/Xorg.0.log.old 644

We can remove all “other” access to these. Maybe even all “other” access to /var/log/.

Enable syslog-ng Service
Ensure syslog-ng is Installed

There’s no use for this.

Partitioning

See the related phabricator ticket.

Uninstall the nis package
Uninstall the inet-based telnet server
Uninstall the ntpdate package
Uninstall the ssl compliant telnet server
Uninstall the telnet server
Install the cron service
Install the auditd service
Enable the auditd service
Enable rsyslog Service
Ensure rsyslog is Installed
Ensure Users Re-Authenticate for Privilege Escalation
Disallow creating symlinks to a file you do not own
IOMMU configuration directive
Verify Permissions and ownership on {gshadow,shadow,group,passwd} File
Verify that local System.map file (if exists) is readable only by root
Disable Core Dumps for SUID programs
Enable Randomized Layout of Virtual Address Space

All done except we shred System.map instead.

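
For the log-permission findings above, an added shell example (not from the original post or from the OpenSCAP project) that lists which entries below a log directory grant any access to "other" and strips those bits while leaving user and group permissions alone. The sample tree and its modes are constructed to mirror the list in the post; the directory it operates on is an assumed argument, not a hard-coded /var/log.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a log directory for
# entries that grant any permission to "other" (the condition behind the
# log-permission findings) and strip those bits. The sample tree below is
# constructed data mirroring the modes listed in the post.

# Print every file and directory below "$1" whose mode grants "other"
# read, write or execute (GNU/BSD find: -mindepth, symbolic -perm).
list_other_access() {
    find "$1" -mindepth 1 \( -type f -o -type d \) \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print | sort
}

# Remove all "other" bits below "$1"; user and group bits are untouched.
strip_other_access() {
    find "$1" -mindepth 1 \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# Count entries still world-accessible below "$1" (0 means the check passes).
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Build a throwaway directory (constructed sample data) holding the 13 entries
# and modes reported in the post, and print its path.
make_sample_logdir() {
    d=$(mktemp -d)
    for entry in apparmor:755 apt:755 openvpn:755; do
        mkdir "$d/${entry%%:*}" && chmod "${entry##*:}" "$d/${entry%%:*}"
    done
    for entry in alternatives.log:644 bootclockrandomization.log:775 dpkg.log:644 \
                 faillog:644 fontconfig.log:644 lastlog:664 sdwdate.log:644 \
                 wtmp:664 Xorg.0.log:644 Xorg.0.log.old:644; do
        : > "$d/${entry%%:*}" && chmod "${entry##*:}" "$d/${entry%%:*}"
    done
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree: every listed entry is world-readable
# before the fix, none afterwards.
sample=$(make_sample_logdir)
echo "before: $(count_other_access "$sample") world-accessible entries"
list_other_access "$sample"
strip_other_access "$sample"
echo "after:  $(count_other_access "$sample") world-accessible entries"
rm -rf "$sample"
```

Run list_other_access against a real log directory first and review the output before calling strip_other_access on it.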