# Security Configuration Assessment
# CIS Checks for Ubuntu Linux 24.04 LTS
# Copyright (C) 2015, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# SCA policy for Ubuntu Linux 24.04 LTS based on Center for Internet Security Ubuntu Linux 24.04 LTS Benchmark v1.0.0 - 08-26-2024
policy:
id: "cis_ubuntu24-04"
file: "cis_ubuntu24-04.yml"
name: "CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0."
description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 24.04 LTS based on CIS benchmark for Ubuntu Linux 24.04 LTS."
references:
- https://www.cisecurity.org/cis-benchmarks/
requirements:
title: "Check Ubuntu version."
description: "Requirements for running the SCA scan against Ubuntu Linux 24.04 LTS"
condition: all
rules:
- "f:/etc/os-release -> r:Ubuntu 24.04"
- "f:/proc/sys/kernel/ostype -> Linux"
# variables:
checks:
# 1.1.1.1 Ensure cramfs kernel module is not available. (Automated)
- id: 18500
title: "Ensure cramfs kernel module is not available."
description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Run the following script to unload and disable the cramfs module: - IF - the cramfs kernel module is available in ANY installed kernel: - Create a file ending in .conf with install cramfs /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist cramfs in the /etc/modprobe.d/ directory - Run modprobe -r cramfs 2>/dev/null; rmmod cramfs 2>/dev/null to remove cramfs from the kernel - IF - the cramfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.1"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v cramfs -> r:^install /bin/false"
- "not c:lsmod -> r:cramfs"
# 1.1.1.2 Ensure freevxfs kernel module is not available. (Automated)
- id: 18501
title: "Ensure freevxfs kernel module is not available."
description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Run the following steps to unload and disable the freevxfs module, if available: - IF - the freevxfs kernel module is available in ANY installed kernel: - Create a file ending in .conf with install freevxfs /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist freevxfs in the /etc/modprobe.d/ directory - Run modprobe -r freevxfs 2>/dev/null; rmmod freevxfs 2>/dev/null to remove freevxfs from the kernel - IF - the freevxfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.2"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v freevxfs -> r:^install /bin/false"
- "not c:lsmod -> r:freevxfs"
# 1.1.1.3 Ensure hfs kernel module is not available. (Automated)
- id: 18502
title: "Ensure hfs kernel module is not available."
description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Run the following script to unload and disable the hfs module: - IF - the hfs kernel module is available in ANY installed kernel: - Create a file ending in .conf with install hfs /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist hfs in the /etc/modprobe.d/ directory - Run modprobe -r hfs 2>/dev/null; rmmod hfs 2>/dev/null to remove hfs from the kernel."
compliance:
- cis: ["1.1.1.3"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v hfs -> r:^install /bin/false"
- "not c:lsmod -> r:hfs"
# 1.1.1.4 Ensure hfsplus kernel module is not available. (Automated)
- id: 18503
title: "Ensure hfsplus kernel module is not available."
description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Run the following script to unload and disable the hfsplus module: - IF - the hfsplus kernel module is available in ANY installed kernel: - Create a file ending in .conf with install hfsplus /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist hfsplus in the /etc/modprobe.d/ directory."
compliance:
- cis: ["1.1.1.4"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v hfsplus -> r:^install /bin/false"
- "not c:lsmod -> r:hfsplus"
# 1.1.1.5 Ensure jffs2 kernel module is not available. (Automated)
- id: 18504
title: "Ensure jffs2 kernel module is not available."
description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Run the following script to unload and disable the jffs2 module: - IF - the jffs2 kernel module is available in ANY installed kernel: - Create a file ending in .conf with install jffs2 /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist jffs2 in the /etc/modprobe.d/ directory - Run modprobe -r jffs2 2>/dev/null; rmmod jffs2 2>/dev/null to remove jffs2 from the kernel - IF - the jffs2 kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.5"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v jffs2 -> r:^install /bin/false"
- "not c:lsmod -> r:jffs2"
# 1.1.1.6 Ensure overlayfs kernel module is not available. (Automated)
- id: 18505
title: "Ensure overlayfs kernel module is not available."
description: 'overlayfs is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.'
rationale: "The overlayfs has known CVEs: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlayfs reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security."
impact: "WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlayfs may severely disrupt containerization."
remediation: "Run the following script to unload and disable the overlayfs module: - IF - the overlayfs kernel module is available in ANY installed kernel: - Create a file ending in .conf with install overlayfs /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist overlayfs in the /etc/modprobe.d/ directory - Run modprobe -r overlayfs 2>/dev/null; rmmod overlayfs 2>/dev/null to remove overlayfs from the kernel - IF - the overlayfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
references:
- "https://docs.kernel.org/filesystems/overlayfs.html"
- "https://wiki.archlinux.org/title/Overlay_filesystem"
- "https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=overlayfs"
compliance:
- cis: ["1.1.1.6"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v overlayfs -> r:^install /bin/false"
- "not c:lsmod -> r:overlayfs"
# 1.1.1.7 Ensure squashfs kernel module is not available. (Automated)
- id: 18506
title: "Ensure squashfs kernel module is not available."
description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
impact: 'As Snap packages utilize squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
remediation: "Run the following script to unload and disable the squashfs module: - IF - the squashfs kernel module is available in ANY installed kernel: - Create a file ending in .conf with install squashfs /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist squashfs in the /etc/modprobe.d/ directory - Run modprobe -r squashfs 2>/dev/null; rmmod squashfs 2>/dev/null to remove squashfs from the kernel - IF - the squashfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.7"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v squashfs -> r:^install /bin/false"
- "not c:lsmod -> r:squashfs"
# 1.1.1.8 Ensure udf kernel module is not available. (Automated)
- id: 18507
title: "Ensure udf kernel module is not available."
description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
remediation: "Run the following script to unload and disable the udf module: - IF - the udf kernel module is available in ANY installed kernel: - Create a file ending in .conf with install udf /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory - Run modprobe -r udf 2>/dev/null; rmmod udf 2>/dev/null to remove udf from the kernel - IF - the udf kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.8"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1050"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1005"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:/sbin/modprobe -n -v udf -> r:^install /bin/false"
- "not c:lsmod -> r:udf"
# 1.1.1.9 Ensure usb-storage kernel module is not available. (Automated)
- id: 18508
title: "Ensure usb-storage kernel module is not available."
description: "USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
impact: "Disabling the usb-storage module will disable any usage of USB storage devices. If requirements and local site policy allow the use of such devices, other solutions should be configured accordingly instead. One example of a commonly used solution is USBGuard."
remediation: "Run the following script to unload and disable the usb-storage module: - IF - the usb-storage kernel module is available in ANY installed kernel: - Create a file ending in .conf with install usb-storage /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist usb-storage in the /etc/modprobe.d/ directory - Run modprobe -r usb-storage 2>/dev/null; rmmod usb-storage 2>/dev/null to remove usb-storage from the kernel - IF - the usb-storage kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary."
compliance:
- cis: ["1.1.1.9"]
- cis_csc_v8: ["10.3"]
- cis_csc_v7: ["13.7"]
- cmmc_v2.0: ["MP.L2-3.8.7"]
- hipaa: ["164.310(d)(1)"]
- iso_27001-2013: ["A.8.3.1"]
- mitre_mitigations: ["M1034"]
- mitre_tactics: ["TA0001", "TA0010"]
- mitre_techniques: ["T1052", "T1052.001", "T1091", "T1200"]
condition: all
rules:
- "c:modprobe -n -v usb-storage -> r:^install /bin/false"
- "not c:lsmod -> r:usb-storage"
# 1.1.1.10 Ensure unused filesystems kernel modules are not available. (Manual)
- id: 18509
title: "Ensure unused filesystems kernel modules are not available."
description: "Filesystem kernel modules are pieces of code that can be dynamically loaded into the Linux kernel (the so-called base kernel of an operating system) to extend its filesystem capabilities. Kernel modules are typically used to add support for new hardware (as device drivers), or for adding system calls."
rationale: "While loadable filesystem kernel modules are a convenient method of modifying the running kernel, this can be abused by attackers on a compromised system to prevent detection of their processes or files, allowing them to maintain control over the system. Many rootkits make use of loadable filesystem kernel modules in this way. Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. The following filesystem kernel modules have known CVEs and should be made unavailable if no dependencies exist: - afs - CVE-2022-37402 - ceph - CVE-2022-0670 - cifs - CVE-2022-29869 - exfat - CVE-2022-29973 - ext - CVE-2022-1184 - fat - CVE-2022-22043 - fscache - CVE-2022-3630 - fuse - CVE-2023-0386 - gfs2 - CVE-2023-3212 - nfs_common - CVE-2023-6660 - nfsd - CVE-2022-43945 - smbfs_common - CVE-2022-2585."
impact: "This list may be quite extensive and covering all edges cases is difficult. Therefore, it's crucial to carefully consider the implications and dependencies before making any changes to the filesystem kernel module configurations."
remediation: "- IF - the module is available in the running kernel: - Unload the filesystem kernel module from the kernel - Create a file ending in .conf with install filesystem kernel modules /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with deny list filesystem kernel modules in the /etc/modprobe.d/ directory WARNING: unloading, disabling or denylisting filesystem modules that are in use on the system may be FATAL. It is extremely important to thoroughly review the filesystems returned by the audit before following the remediation procedure. Example of unloading the gfs2 kernel module: # modprobe -r gfs2 2>/dev/null # rmmod gfs2 2>/dev/null Example of fully disabling the gfs2 kernel module."
references:
- "https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=filesystem"
compliance:
- cis: ["1.1.1.10"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- "c:modprobe -n -v afs -> r:^install /bin/false" # CVE-2022-37402
- "not c:lsmod -> r:afs" # CVE-2022-37402
- "c:modprobe -n -v ceph -> r:^install /bin/false" # CVE-2022-0670
- "not c:lsmod -> r:ceph" # CVE-2022-0670
- "c:modprobe -n -v cifs -> r:^install /bin/false" # CVE-2022-29869
- "not c:lsmod -> r:cifs" # CVE-2022-29869
- "c:modprobe -n -v exfat -> r:^install /bin/false" # CVE-2022-29973
- "not c:lsmod -> r:exfat" # CVE-2022-29973
- "c:modprobe -n -v ext -> r:^install /bin/false" # CVE-2022-1184
- "not c:lsmod -> r:ext" # CVE-2022-1184 — note: r:ext is an unanchored pattern, so this rule also matches an ext2/ext3/ext4 line in lsmod output when those are loaded as modules
- "c:modprobe -n -v fat -> r:^install /bin/false" # CVE-2022-22043
- "not c:lsmod -> r:fat" # CVE-2022-22043 — note: r:fat is an unanchored pattern, so this rule also matches a vfat line in lsmod output
- "c:modprobe -n -v fscache -> r:^install /bin/false" # CVE-2022-3630
- "not c:lsmod -> r:fscache" # CVE-2022-3630
- "c:modprobe -n -v fuse -> r:^install /bin/false" # CVE-2023-0386
- "not c:lsmod -> r:fuse" # CVE-2023-0386
- "c:modprobe -n -v gfs2 -> r:^install /bin/false" # CVE-2023-3212
- "not c:lsmod -> r:gfs2" # CVE-2023-3212
- "c:modprobe -n -v nfs_common -> r:^install /bin/false" # CVE-2023-6660
- "not c:lsmod -> r:nfs_common" # CVE-2023-6660
- "c:modprobe -n -v nfsd -> r:^install /bin/false" # CVE-2022-43945
- "not c:lsmod -> r:nfsd" # CVE-2022-43945
- "c:modprobe -n -v smbfs_common -> r:^install /bin/false" # CVE-2022-2585
- "not c:lsmod -> r:smbfs_common" # CVE-2022-2585
# 1.1.2.1.1 Ensure /tmp is a separate partition. (Automated)
- id: 18510
title: "Ensure /tmp is a separate partition."
description: 'The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. - IF - an entry for /tmp exists in /etc/fstab it will take precedence over entries in systemd default unit file. Note: In an environment where the main system is diskless and connected to iSCSI, entries in /etc/fstab may not take precedence. /tmp can be configured to use tmpfs. tmpfs puts everything into the kernel internal caches and grows and shrinks to accommodate the files it contains and is able to swap unneeded pages out to swap space. It has maximum size limits which can be adjusted on the fly via mount -o remount. Since tmpfs lives completely in the page cache and on swap, all tmpfs pages will be shown as "Shmem" in /proc/meminfo and "Shared" in free. Notice that these counters also include shared memory. The most reliable way to get the count is using df and du. tmpfs has three mount options for sizing: - size: The limit of allocated bytes for this tmpfs instance. The default is half of your physical RAM without swap. If you oversize your tmpfs instances the machine will deadlock since the OOM handler will not be able to free that memory. - nr_blocks: The same as size, but in blocks of PAGE_SIZE. - nr_inodes: The maximum number of inodes for this instance. The default is half of the number of your physical RAM pages, or (on a machine with highmem) the number of lowmem RAM pages, whichever is the lower. These parameters accept a suffix k, m or g and can be changed on remount. The size parameter also accepts a suffix % to limit this tmpfs instance to that percentage of your physical RAM. The default, when neither size nor nr_blocks is specified, is size=50%.'
rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken, and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to tmpfs or a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Note: the size=2G is an example of setting a specific size for tmpfs. Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment: <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
references:
- "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
- "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
- "https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt"
compliance:
- cis: ["1.1.2.1.1"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- 'c:findmnt -kn /tmp -> r:\s*/tmp\s'
- "c:systemctl is-enabled tmp.mount -> r:generated|enabled"
# 1.1.2.1.2 Ensure nodev option set on /tmp partition. (Automated)
- id: 18511
title: "Ensure nodev option set on /tmp partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
remediation: "- IF - a separate partition exists for /tmp. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
compliance:
- cis: ["1.1.2.1.2"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1200"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:nodev'
# 1.1.2.1.3 Ensure nosuid option set on /tmp partition. (Automated)
- id: 18512
title: "Ensure nosuid option set on /tmp partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
remediation: "- IF - a separate partition exists for /tmp. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
compliance:
- cis: ["1.1.2.1.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:nosuid'
# 1.1.2.1.4 Ensure noexec option set on /tmp partition. (Automated)
- id: 18513
title: "Ensure noexec option set on /tmp partition."
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
impact: "Setting the noexec option on /tmp may prevent installation and/or updating of some 3rd party software."
remediation: "- IF - a separate partition exists for /tmp. Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
compliance:
- cis: ["1.1.2.1.4"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1204", "T1204.002"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:noexec'
# 1.1.2.2.1 Ensure /dev/shm is a separate partition. (Automated)
- id: 18514
title: "Ensure /dev/shm is a separate partition."
description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and waiting for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0."
references:
- "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
- "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
compliance:
- cis: ["1.1.2.2.1"]
- cis_csc_v8: ["4.8"]
- cis_csc_v7: ["9.2"]
- cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
- iso_27001-2013: ["A.13.1.3"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
- pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
- soc_2: ["CC6.3", "CC6.6"]
condition: all
rules:
- 'c:findmnt -kn /dev/shm -> r:\s*/dev/shm\s'
# 1.1.2.2.2 Ensure nodev option set on /dev/shm partition. (Automated)
- id: 18515
title: "Ensure nodev option set on /dev/shm partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
remediation: "- IF - a separate partition exists for /dev/shm. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm Note: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
compliance:
- cis: ["1.1.2.2.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1200"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /dev/shm -> r:\s*/dev/shm\s && r:nodev'
# 1.1.2.2.3 Ensure nosuid option set on /dev/shm partition. (Automated)
- id: 18516
title: "Ensure nosuid option set on /dev/shm partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
remediation: "- IF - a separate partition exists for /dev/shm. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm Note: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
compliance:
- cis: ["1.1.2.2.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1038"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /dev/shm -> r:\s*/dev/shm\s && r:nosuid'
# 1.1.2.2.4 Ensure noexec option set on /dev/shm partition. (Automated)
- id: 18517
title: "Ensure noexec option set on /dev/shm partition."
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
remediation: "- IF - a separate partition exists for /dev/shm. Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm Note: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
compliance:
- cis: ["1.1.2.2.4"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1204", "T1204.002"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /dev/shm -> r:\s*/dev/shm\s && r:noexec'
# 1.1.2.3.1 Ensure separate partition exists for /home. (Automated)
- id: 18518
title: "Ensure separate partition exists for /home."
description: "The /home directory is used to support disk storage needs of local users."
rationale: "The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
references:
- "http://tldp.org/HOWTO/LVM-HOWTO/"
compliance:
- cis: ["1.1.2.3.1"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1038"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /home -> r:\s*/home\s'
# 1.1.2.3.2 Ensure nodev option set on /home partition. (Automated)
- id: 18519
title: "Ensure nodev option set on /home partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /home."
remediation: "- IF - a separate partition exists for /home. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
compliance:
- cis: ["1.1.2.3.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1038"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1200"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /home -> r:\s*/home\s && r:nodev'
# 1.1.2.3.3 Ensure nosuid option set on /home partition. (Automated)
- id: 18520
title: "Ensure nosuid option set on /home partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
remediation: "- IF - a separate partition exists for /home. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
compliance:
- cis: ["1.1.2.3.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /home -> r:\s*/home\s && r:nosuid'
# 1.1.2.4.1 Ensure separate partition exists for /var. (Automated)
- id: 18521
title: "Ensure separate partition exists for /var."
description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
rationale: "The reasoning for mounting /var on a separate partition is as follows. The default installation only creates a single / partition. Since the /var directory may contain world writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and waiting for it to be updated. Once the program is updated, the hard-link can be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
references:
- "http://tldp.org/HOWTO/LVM-HOWTO/"
compliance:
- cis: ["1.1.2.4.1"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0006"]
- mitre_techniques: ["T1499", "T1499.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var -> r:\s*/var\s'
# 1.1.2.4.2 Ensure nodev option set on /var partition. (Automated)
- id: 18522
title: "Ensure nodev option set on /var partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var."
remediation: "- IF - a separate partition exists for /var. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
compliance:
- cis: ["1.1.2.4.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1200"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var -> r:\s*/var\s && r:nodev'
# 1.1.2.4.3 Ensure nosuid option set on /var partition. (Automated)
- id: 18523
title: "Ensure nosuid option set on /var partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
remediation: "- IF - a separate partition exists for /var. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
compliance:
- cis: ["1.1.2.4.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var -> r:\s*/var\s && r:nosuid'
# 1.1.2.5.1 Ensure separate partition exists for /var/tmp. (Automated)
- id: 18524
title: "Ensure separate partition exists for /var/tmp."
description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
rationale: "The default installation only creates a single / partition. Since the /var/tmp directory is world-writable, there is a risk of resource exhaustion. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system."
impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
references:
- "http://tldp.org/HOWTO/LVM-HOWTO/"
compliance:
- cis: ["1.1.2.5.1"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s'
# 1.1.2.5.2 Ensure nodev option set on /var/tmp partition. (Automated)
- id: 18525
title: "Ensure nodev option set on /var/tmp partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/tmp."
remediation: "- IF - a separate partition exists for /var/tmp. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
compliance:
- cis: ["1.1.2.5.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:nodev'
# 1.1.2.5.3 Ensure nosuid option set on /var/tmp partition. (Automated)
- id: 18526
title: "Ensure nosuid option set on /var/tmp partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
remediation: "- IF - a separate partition exists for /var/tmp. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
compliance:
- cis: ["1.1.2.5.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:nosuid'
# 1.1.2.5.4 Ensure noexec option set on /var/tmp partition. (Automated)
- id: 18527
title: "Ensure noexec option set on /var/tmp partition."
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
remediation: "- IF - a separate partition exists for /var/tmp. Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
compliance:
- cis: ["1.1.2.5.4"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1204", "T1204.002"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:noexec'
# 1.1.2.6.1 Ensure separate partition exists for /var/log. (Automated)
- id: 18528
title: "Ensure separate partition exists for /var/log."
description: "The /var/log directory is used by system services to store log data."
rationale: "The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
references:
- "http://tldp.org/HOWTO/LVM-HOWTO/"
compliance:
- cis: ["1.1.2.6.1"]
- cis_csc_v8: ["8.3"]
- cis_csc_v7: ["6.4"]
- iso_27001-2013: ["A.12.4.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- pci_dss_v3.2.1: ["10.7"]
- soc_2: ["A1.1"]
condition: all
rules:
- 'c:findmnt -kn /var/log -> r:\s*/var/log\s'
# 1.1.2.6.2 Ensure nodev option set on /var/log partition. (Automated)
- id: 18529
title: "Ensure nodev option set on /var/log partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log."
remediation: "- IF - a separate partition exists for /var/log. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
compliance:
- cis: ["1.1.2.6.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1038"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1200"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:nodev'
# 1.1.2.6.3 Ensure nosuid option set on /var/log partition. (Automated)
- id: 18530
title: "Ensure nosuid option set on /var/log partition."
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
remediation: "- IF - a separate partition exists for /var/log. Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
compliance:
- cis: ["1.1.2.6.3"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1548", "T1548.001"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:nosuid'
# 1.1.2.6.4 Ensure noexec option set on /var/log partition. (Automated)
- id: 18531
title: "Ensure noexec option set on /var/log partition."
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
remediation: "- IF - a separate partition exists for /var/log. Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
compliance:
- cis: ["1.1.2.6.4"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1204", "T1204.002"]
- nist_sp_800-53: ["AC-5", "AC-6"]
- pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
- pci_dss_v4.0: ["1.3.1", "7.1"]
- soc_2: ["CC5.2", "CC6.1"]
condition: all
rules:
- 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:noexec'
# 1.1.2.7.1 Ensure separate partition exists for /var/log/audit. (Automated)
- id: 18532
title: "Ensure separate partition exists for /var/log/audit."
description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
rationale: "The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger its space_left_action as the disk is full. See man auditd.conf for details. Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
references:
- "http://tldp.org/HOWTO/LVM-HOWTO/"
compliance:
- cis: ["1.1.2.7.1"]
- cis_csc_v8: ["8.3"]
- cis_csc_v7: ["6.4"]
- iso_27001-2013: ["A.12.4.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]
- mitre_techniques: ["T1499", "T1499.001"]
- pci_dss_v3.2.1: ["10.7"]
- soc_2: ["A1.1"]
condition: all
rules:
- 'c:findmnt -kn /var/log/audit -> r:\s*/var/log/audit\s'
# 1.1.2.7.2 Ensure nodev option set on /var/log/audit partition. (Automated)
- id: 18533
title: "Ensure nodev option set on /var/log/audit partition."
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log/audit."
remediation: "- IF - a separate partition exists for /var/log/audit. Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
compliance:
- cis: ["1.1.2.7.2"]
- cis_csc_v8: ["3.3"]
- cis_csc_v7: ["14.6"]
- cmmc_v2.0:
[
"AC.L1-3.1.1",
"AC.L1-3.1.2",
"AC.L2-3.1.3",
"AC.L2-3.1.5",
"MP.L2-3.8.2",
]
- hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
- iso_27001-2013: ["A.9.1.1"]
- mitre_mitigations: ["M1022"]
- mitre_tactics: ["TA0005"]