Hello! I have found that the following CIS Benchmarks are failed by Debian on its default installation:
2578 - Ensure packet redirect sending is disabled
2579 - Ensure IP forwarding is disabled
2580 - Ensure source routed packets are not accepted
2581 - Ensure ICMP redirects are not accepted
2582 - Ensure secure ICMP redirects are not accepted
Is there a reason for this? Could the OS be shipped with these issues fixed? Or are these necessary functions for its correct functioning?
Thank you in advance! Cheers
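The five findings above map onto a handful of `net.ipv4` sysctl keys. The script below is an added example (not from the original post, and not a Debian or CIS tool): it compares a `sysctl -a` dump against the hardened values for those keys and renders the matching `/etc/sysctl.d/` drop-in. Assumptions: the key list follows the corresponding sections of the CIS Debian Linux 10 Benchmark (the numbers 2578..2582 in the post are the scanner's own IDs, not CIS section numbers); the IPv6 analogues (`net.ipv6.conf.{all,default}.accept_redirects`, `accept_source_route`, `net.ipv6.conf.all.forwarding`) follow the same pattern and are omitted; the sample dump is constructed, not captured from a Debian install. One caveat a practitioner should keep in mind: `ip_forward=1` and `send_redirects=1` are correct on a machine that routes (a container host, a VPN gateway), so on such hosts the IP-forwarding item is a documented exception rather than a bug to fix.

```shell
#!/bin/sh
# Offline check of the sysctl keys behind the five findings, plus the drop-in that sets them.
# Added example; key list assumed from CIS Debian Linux 10 sections 3.1.x / 3.2.x (IPv4 only).

# Hardened target values: one "key expected" pair per line.
WANT='net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0'

# Constructed `sysctl -a` excerpt standing in for an unhardened host (not captured from Debian).
SAMPLE_BEFORE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.tcp_syncookies = 1'

# check_dump DUMP: compare a sysctl dump (key = value lines) against WANT.
# Prints one FAIL line per deviation (a missing key counts as a deviation)
# and returns the number of failures, so 0 means compliant.
check_dump() {
  printf '%s\n' "$1" | awk -v want="$WANT" '
    BEGIN {
      n = split(want, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], kv, " "); target[kv[1]] = kv[2] }
    }
    /=/ { gsub(/[ \t]/, ""); split($0, kv, "="); cur[kv[1]] = kv[2] }
    END {
      fails = 0
      for (k in target) {
        v = (k in cur) ? cur[k] : "missing"
        if (v != target[k]) {
          printf "FAIL %s current=%s expected=%s\n", k, v, target[k]
          fails++
        }
      }
      exit fails
    }'
}

# render_conf: emit the drop-in for /etc/sysctl.d/ (e.g. 60-cis-net.conf) that sets every
# WANT key. Apply with `sysctl --system`. Keep ip_forward=1 on anything that routes.
render_conf() {
  printf '%s\n' "$WANT" | awk '{ printf "%s = %s\n", $1, $2 }'
}

# Live use: `sh cis-net.sh --live` checks the running kernel instead of the sample.
if [ "${1:-}" = "--live" ]; then
  check_dump "$(sysctl -a 2>/dev/null)"
fi
```

Run it against the sample and it reports nine failures; feed it its own rendered drop-in and it reports none, which is the quickest way to confirm the audit and the remediation agree with each other before touching a real host.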
CIS Benchmark Fail - Packets
CIS Benchmark Fail - System Mounts
Greetings. I have found that Debian does not pass the following CIS Benchmarks:
2500 - Ensure mounting of freevxfs filesystems is disabled
2501 - Ensure mounting of jffs2 filesystems is disabled
2502 - Ensure mounting of hfs filesystems is disabled
2503 - Ensure mounting of hfsplus filesystems is disabled
2504 - Ensure mounting of squashfs filesystems is disabled
2505 - Ensure mounting of udf filesystems is disabled
2506 - Ensure mounting of FAT filesystems is disabled
Are these filesystems necessary for the correct functioning of Debian? What would be the effect of disabling them?
Thank you in advance!
Re: CIS Benchmark Fail - System Mounts
Are you going to offer any coherent and informed arguments as to why these standard features should be disabled (to the detriment of those who may be using them), or are you just going to keep posting results from some third-party tool?
The latter makes you sound very much like a bot TBH.
As this "benchmark" you keep referring to appears to be "security" related, perhaps you could explain why support for non-native filesystems is a security problem to begin with?
HFS is used on older MacOS volumes. I've used Debian's support to read such disks in the past, it's useful.
SquashFS was (and still is) widely used for embedded systems and livecds.
I still have UDF formatted optical media I want to read.
FAT is not only still extremely common, it's used for the UEFI partition on almost all modern machines - go ahead and disable it for "security" if you want to be unable to update your bootloader.
JFFS is used in embedded systems, some of which may well run Debian.
VXFS is from (IIRC) SCO unixware. It's probably historical at this point.
The effect of disabling any one of these would be the loss of the compatibility it provides... Obviously.
Whether you put enough stock in this "benchmark" to do so is up to you, I'm certainly not going to be paying much attention to such ridiculous blanket "recommendations".
The same goes for your other nearly identical thread BTW. If you want useful advice there, I likewise suggest you put forward some actual arguments rather than just parroting a tool you found on the internet.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
CIS Benchmark Fails - Partitions
Hello! I have found that Debian 10 fails the following CIS benchmarks:
2507 - Ensure /tmp is configured
2508 - Ensure nodev option set on /tmp partition
2509 - Ensure nosuid option set on /tmp partition
2510 - Ensure noexec option set on /tmp partition
2511 - Ensure separate partition exists for /var
2512 - Ensure separate partition exists for /var/tmp
2513 - Ensure nodev option set on /var/tmp partition
2514 - Ensure nosuid option set on /var/tmp partition
2515 - Ensure noexec option set on /var/tmp partition
2516 - Ensure separate partition exists for /var/log
2517 - Ensure separate partition exists for /var/log/audit
2518 - Ensure separate partition exists for /home
2519 - Ensure nodev option set on /home partition
2522 - Ensure noexec option set on /dev/shm partition
In general, is it possible to create these partitions (/tmp, /var, /var/tmp, /var/log, /var/log/audit, /home, /dev/shm) and secure them without affecting the OS's working?
Thanks in advance!
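The items in this post are of two kinds: "separate partition exists" (which needs a real partition, LVM volume or tmpfs behind the path) and "nodev/nosuid/noexec option set" (which is just a mount option). The script below is an added example, not from the original post or from Debian: it audits a `/proc/mounts`-style listing against the post's list and renders the tmpfs `fstab` lines for the paths that can be tmpfs. Assumptions: the sample listing is constructed, and the policy table mirrors the post's items exactly (no extra CIS items). Two practitioner caveats: `noexec` on `/tmp` is the one option that regularly breaks things, since some installers and package scripts unpack and execute from `/tmp`, so test it on a staging box first; and separate `/var`, `/var/log`, `/var/log/audit` and `/home` partitions are an install-time layout decision, so for an existing system expect to move data onto a new volume rather than fix it with a one-liner. On Debian 10, `/tmp` can also be made a tmpfs with the sample unit `/usr/share/systemd/tmp.mount` copied into `/etc/systemd/system/` and enabled.

```shell
#!/bin/sh
# Audit mount points and mount options for the partition items above.
# Added example; reads /proc/mounts-style text so it runs offline on the constructed sample.

# Constructed /proc/mounts excerpt (not from a real Debian 10 install): /tmp and /dev/shm
# lack noexec, /home lacks nodev, and /var, /var/tmp, /var/log, /var/log/audit are not separate.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0'

# Required options per mount point ("-" = must only be a separate mount), as in the post.
POLICY='/tmp nodev,nosuid,noexec
/var -
/var/tmp nodev,nosuid,noexec
/var/log -
/var/log/audit -
/home nodev
/dev/shm noexec'

# check_mounts MOUNTS: one FAIL line per missing mount or missing option;
# returns the number of failures (0 = every item in POLICY satisfied).
check_mounts() {
  printf '%s\n' "$1" | awk -v policy="$POLICY" '
    BEGIN {
      n = split(policy, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], p, " "); need[p[1]] = p[2] }
    }
    NF >= 4 { opts[$2] = "," $4 "," }        # mount point -> ",opt,opt,..." for exact matching
    END {
      fails = 0
      for (mp in need) {
        if (!(mp in opts)) { printf "FAIL %s: not a separate mount\n", mp; fails++; continue }
        if (need[mp] == "-") continue
        m = split(need[mp], req, ",")
        for (j = 1; j <= m; j++)
          if (index(opts[mp], "," req[j] ",") == 0) {
            printf "FAIL %s: missing %s\n", mp, req[j]
            fails++
          }
      }
      exit fails
    }'
}

# fstab_tmpfs MOUNTPOINT OPTIONS: fstab entry for the paths that can be tmpfs
# (/tmp, /dev/shm; /var/tmp only if you accept that it is not persistent).
fstab_tmpfs() {
  printf 'tmpfs %s tmpfs defaults,%s 0 0\n' "$1" "$2"
}

# Live use: `sh cis-mounts.sh --live` audits the running system; `mount -o remount,<opts> <path>`
# applies an option change immediately, the fstab line makes it survive a reboot.
if [ "${1:-}" = "--live" ]; then
  check_mounts "$(cat /proc/mounts)"
fi
```

Against the constructed sample this reports seven failures, one per line of the post except the two that are satisfied; after remounting and adding the missing volumes the same function returns zero, so it doubles as the post-change verification.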
CIS Benchmark Fails - USB Issues
Hello! I have found that Debian 10 fails the following CIS Benchmarks:
2523 - Disable Automounting
2524 - Disable USB Storage
These, together, would allow anyone to plug a USB device into the system and mount it. Could these be disabled?
Thank you in advance!
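The filesystem items in the "System Mounts" thread above and the "Disable USB Storage" item here are the same mechanism: an `install <module> /bin/false` line in `/etc/modprobe.d/` so the kernel never loads the module. The reply in that thread makes the real point, which is that you must not do this for something in use (the EFI system partition is vfat; live images and some firmware bundles are squashfs). The script below is an added example, not from either post and not a Debian or CIS tool: it takes `/proc/mounts` and `lsmod` text, marks each candidate module as mounted, in use or idle, and renders a drop-in that disables only the idle ones. Assumptions: FAT is treated as the `vfat` module (the `msdos` driver is not covered), `usb-storage` appears in `lsmod` as `usb_storage`, and the sample inputs are constructed. The "Disable Automounting" item on Debian 10 concerns the autofs service, which is disabled or purged separately; desktop automounting through udisks2 is a different setting and is not handled here.

```shell
#!/bin/sh
# Decide which kernel modules from the two threads are safe to disable, then render
# the modprobe.d drop-in. Added example; inputs are text so it runs offline.

# Module names as modprobe knows them (FAT = vfat here; usb-storage is the USB item).
CANDIDATES='freevxfs jffs2 hfs hfsplus squashfs udf vfat usb-storage'

# Constructed /proc/mounts and lsmod excerpts (not captured from a real host):
# the EFI system partition is vfat and a live image is mounted from squashfs.
SAMPLE_MOUNTS='/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077 0 0
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /mnt/live squashfs ro,relatime 0 0'
SAMPLE_LSMOD='Module                  Size  Used by
vfat                   20480  1
fat                    81920  1 vfat
squashfs               49152  1
usb_storage            73728  0
ext4                  774144  1'

# scan MOUNTS LSMOD MODE: MODE=report prints "<module> <status>" per candidate;
# MODE=conf prints modprobe.d lines, with in-use candidates turned into comments.
scan() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk -v cands="$CANDIDATES" -v mode="$3" '
    BEGIN { n = split(cands, c, " "); sect = "mounts" }
    $0 == "---" { sect = "lsmod"; next }
    sect == "mounts" && NF >= 3 { mounted[$3] = $2 }                   # fs type -> mount point
    sect == "lsmod"  && NF >= 3 && $1 != "Module" { used[$1] = $3 }    # module  -> use count
    END {
      for (i = 1; i <= n; i++) {
        name = c[i]; key = name; gsub(/-/, "_", key)                 # lsmod shows usb_storage
        why = ""
        if (name in mounted) why = "mounted at " mounted[name]
        else if ((key in used) && used[key] + 0 > 0) why = "module in use by " used[key] " user(s)"
        if (mode == "conf") {
          if (why != "") printf "# %s skipped: %s\n", name, why
          else printf "install %s /bin/false\nblacklist %s\n", name, name
        } else {
          printf "%s %s\n", name, (why == "" ? "not-in-use" : why)
        }
      }
    }'
}

report()        { scan "$1" "$2" report; }
modprobe_conf() { scan "$1" "$2" conf; }

# Live use: `sh cis-modules.sh --live > /etc/modprobe.d/cis.conf`, then `modprobe -r <module>`
# for each disabled module (a loaded-but-idle module such as usb_storage above) and verify
# with `modprobe -n -v <module>`, which should print "install /bin/false".
if [ "${1:-}" = "--live" ]; then
  modprobe_conf "$(cat /proc/mounts)" "$(lsmod)"
fi
```

With the constructed inputs the report marks vfat and squashfs as mounted and everything else as idle, so the rendered drop-in disables six modules (including usb-storage, which is loaded but has no users) and leaves the EFI partition's driver alone, which is exactly the distinction the reply above insists on.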
- sunrat
- Administrator
Re: CIS Benchmark Fails - USB Issues
Please stop creating new threads for what is basically the same topic. You have 4 separate threads on CIS Benchmark Fails. Your posts would still be read if in a single thread.
“Computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET” Remember to BACKUP!
- dilberts_left_nut
- Administrator