CIS Benchmark Fail - Packets

Linux Kernel, Network, and Services configuration.
Septim
Posts: 4
Joined: 2021-08-27 17:12

CIS Benchmark Fail - Packets

#1 Post by Septim »

Hello! I have found that the following CIS Benchmarks are failed by Debian on its default installation:

2578 - Ensure packet redirect sending is disabled
2579 - Ensure IP forwarding is disabled
2580 - Ensure source routed packets are not accepted
2581 - Ensure ICMP redirects are not accepted
2582 - Ensure secure ICMP redirects are not accepted

Is there a reason for this? Could the OS be shipped with these issues fixed? Or are these necessary functions for its correct functioning?
Thank you in advance! Cheers
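
The five items in this post all map to kernel sysctl keys. The script below is an added example, not something from this thread or from CIS: it audits a `sysctl -a` snapshot against the keys those items look at and renders the drop-in that would satisfy them. The key-to-item mapping is the usual one but is an assumption here, the drop-in path is an assumption, and the sample snapshot is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from CIS: audit a `sysctl -a`
# snapshot against the five network items and render the drop-in that
# would satisfy them. The key-to-item mapping below is an assumption (it is
# the usual one); the sample snapshot is constructed.

# Keys behind the five items, each expected to be 0:
#   2578 send_redirects      2579 ip_forward / forwarding
#   2580 accept_source_route 2581 accept_redirects   2582 secure_redirects
WANTED_KEYS='net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.send_redirects
net.ipv4.ip_forward
net.ipv6.conf.all.forwarding
net.ipv4.conf.all.accept_source_route
net.ipv4.conf.default.accept_source_route
net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects'

# Constructed snapshot in `sysctl -a` format, as an unhardened install
# might report it (ip_forward=1 is what a router needs, not a workstation).
SAMPLE_SYSCTL='net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1'

# sysctl_value KEY SNAPSHOT: value SNAPSHOT records for KEY (empty if absent).
sysctl_value() {
  printf '%s\n' "$2" | awk -v k="$1" -F' *= *' '$1 == k { print $2; exit }'
}

# failing_keys SNAPSHOT: one "key = value" line per key that is not 0.
# An absent key counts as a failure, since the check cannot pass blind.
failing_keys() {
  printf '%s\n' "$WANTED_KEYS" | while IFS= read -r key; do
    v=$(sysctl_value "$key" "$1")
    [ "$v" = "0" ] || printf '%s = %s\n' "$key" "${v:-<unset>}"
  done
}

# count_failures SNAPSHOT: number of failing keys; 0 means all five items pass.
count_failures() {
  n=$(failing_keys "$1" | wc -l)
  printf '%s\n' "$((n + 0))"   # $(( )) strips the padding some wc builds emit
}

# render_sysctl_conf: content for a drop-in such as /etc/sysctl.d/60-cis-net.conf
# (the path is an assumption) that sets every key above to 0.
render_sysctl_conf() {
  printf '%s\n' "$WANTED_KEYS" | sed 's/$/ = 0/'
}

echo "Failing keys in the constructed snapshot:"
failing_keys "$SAMPLE_SYSCTL"
echo "Drop-in that clears them:"
render_sysctl_conf
```

On a live host, `failing_keys "$(sysctl -a 2>/dev/null)"` audits the running values, and `render_sysctl_conf` written under /etc/sysctl.d/ and applied with `sysctl --system` clears them. The one key in the list that is not a pure hardening knob is `net.ipv4.ip_forward`: a box that routes, bridges containers or runs a VPN gateway needs it on, which is why a distribution default cannot simply ship it off for everyone.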

Septim
Posts: 4
Joined: 2021-08-27 17:12

CIS Benchmark Fail - System Mounts

#2 Post by Septim »

Greetings. I have found that Debian does not pass the following CIS Benchmarks:

2500 - Ensure mounting of freevxfs filesystems is disabled
2501 - Ensure mounting of jffs2 filesystems is disabled
2502 - Ensure mounting of hfs filesystems is disabled
2503 - Ensure mounting of hfsplus filesystems is disabled
2504 - Ensure mounting of squashfs filesystems is disabled
2505 - Ensure mounting of udf filesystems is disabled
2506 - Ensure mounting of FAT filesystems is disabled

Are these filesystems necessary for the correct functioning of Debian? What would be the effect of disabling them?

Thank you in advance!

steve_v
df -h | grep > 20TiB
Posts: 1418
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 191 times

Re: CIS Benchmark Fail - System Mounts

#3 Post by steve_v »

Are you going to offer any coherent and informed arguments as to why these standard features should be disabled (to the detriment of those who may be using them), or are you just going to keep posting results from some third-party tool?
The latter makes you sound very much like a bot TBH.

As this "benchmark" you keep referring to appears to be "security" related, perhaps you could explain why support for non-native filesystems is a security problem to begin with?


HFS is used on older MacOS volumes. I've used Debian's support to read such disks in the past, it's useful.
SquashFS was (and still is) widely used for embedded systems and livecds.
I still have UDF formatted optical media I want to read.
FAT is not only still extremely common, it's used for the UEFI partition on almost all modern machines - go ahead and disable it for "security" if you want to be unable to update your bootloader.
JFFS is used in embedded systems, some of which may well run Debian.
VXFS is from (IIRC) SCO UnixWare. It's probably historical at this point.

The effect of disabling any one of these would be the loss of the compatibility it provides... Obviously.

Whether you put enough stock in this "benchmark" to do so is up to you, I'm certainly not going to be paying much attention to such ridiculous blanket "recommendations".


The same goes for your other nearly identical thread BTW. If you want useful advice there, I likewise suggest you put forward some actual arguments rather than just parroting a tool you found on the internet.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

Septim
Posts: 4
Joined: 2021-08-27 17:12

CIS Benchmark Fails - Partitions

#4 Post by Septim »

Hello! I have found that Debian 10 fails the following CIS benchmarks:

2507 - Ensure /tmp is configured
2508 - Ensure nodev option set on /tmp partition
2509 - Ensure nosuid option set on /tmp partition
2510 - Ensure noexec option set on /tmp partition
2511 - Ensure separate partition exists for /var
2512 - Ensure separate partition exists for /var/tmp
2513 - Ensure nodev option set on /var/tmp partition
2514 - Ensure nosuid option set on /var/tmp partition
2515 - Ensure noexec option set on /var/tmp partition
2516 - Ensure separate partition exists for /var/log
2517 - Ensure separate partition exists for /var/log/audit
2518 - Ensure separate partition exists for /home
2519 - Ensure nodev option set on /home partition
2522 - Ensure noexec option set on /dev/shm partition

In general, is it possible to create these partitions (/tmp, /var, /var/tmp, /var/log, /var/log/audit, /home, /dev/shm) and secure them without affecting the OS's working?

Thanks in advance!
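
Every item in this post is answerable from the mount table, so a check can be written against /proc/mounts. The script below is an added example, not from this thread: it audits a /proc/mounts-style table for the separate-partition items and for the nodev/nosuid/noexec options the item titles name. The mapping of mount point to required options is taken from the item titles above; the sample table is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a /proc/mounts-style table
# against the partition items. Which mount points need which of
# nodev/nosuid/noexec follows the item titles in the post; the sample table
# is constructed.

# mountpoint:options-it-must-carry (empty after the colon = must merely be
# its own mount, as items 2511, 2512, 2516, 2517 and 2518 ask).
REQUIREMENTS='/tmp:nodev,nosuid,noexec
/var:
/var/tmp:nodev,nosuid,noexec
/var/log:
/var/log/audit:
/home:nodev
/dev/shm:noexec'

# Constructed table: /, /home and /var on their own filesystems, tmpfs for
# /tmp and /dev/shm, nothing separate for /var/tmp or /var/log.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime,nodev 0 0'

# mount_options MOUNTPOINT TABLE: option field of MOUNTPOINT's entry, or
# nothing if it is not a separate mount. The last matching entry wins, which
# is what the kernel does when something is mounted over an existing mount.
mount_options() {
  printf '%s\n' "$2" | awk -v m="$1" '$2 == m { o = $4 } END { print o }'
}

# has_option OPTS NAME: succeed when NAME is one of the comma-separated OPTS
# (exact match, so "nodev" does not match a longer option or "errors=...").
has_option() {
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# audit_mounts TABLE: one finding per line; no output means every item passes.
audit_mounts() {
  printf '%s\n' "$REQUIREMENTS" | while IFS=: read -r mp wanted; do
    opts=$(mount_options "$mp" "$1")
    if [ -z "$opts" ]; then
      printf '%s: not a separate mount\n' "$mp"
      continue
    fi
    for o in $(printf '%s\n' "$wanted" | tr ',' ' '); do
      has_option "$opts" "$o" || printf '%s: missing %s\n' "$mp" "$o"
    done
  done
}

# count_findings TABLE: number of findings, for scripting.
count_findings() {
  n=$(audit_mounts "$1" | wc -l)
  printf '%s\n' "$((n + 0))"
}

echo "Findings for the constructed mount table:"
audit_mounts "$SAMPLE_MOUNTS"
```

On a live system `audit_mounts "$(cat /proc/mounts)"` reports against the real table. The separate-partition items can only be met at install time (or by migrating data to a new filesystem), while the option items are fstab changes that take effect on the next `mount -o remount`. Of the options, `noexec` on /tmp is the one most likely to surprise: some package installers and build tools unpack and run helpers from /tmp, so a host that does that needs a different TMPDIR before the option goes in. Spaces in mount point names appear as `\040` in /proc/mounts; the checker above compares the escaped form literally.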

Septim
Posts: 4
Joined: 2021-08-27 17:12

CIS Benchmark Fails - USB Issues

#5 Post by Septim »

Hello! I have found that Debian 10 fails the following CIS Benchmarks:

2523 - Disable Automounting
2524 - Disable USB Storage

These, together, would allow anyone to plug a USB device into the system and mount it. Could these be disabled?

Thank you in advance!

mm3100
Posts: 337
Joined: 2020-10-21 21:39
Has thanked: 8 times
Been thanked: 14 times

Re: CIS Benchmark Fails - USB Issues

#6 Post by mm3100 »

Yes, they can be disabled. But no need to disable USB storage, just disable auto mounting.
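
Both the filesystem-module items from the earlier post (2500 to 2506) and "Disable USB Storage" (2524) come down to the same mechanism: a modprobe.d override for a kernel module. The script below is an added example, not from this thread or from CIS, and serves both posts: it renders the drop-in those items would want and audits an existing modprobe.d file for which modules it actually neutralises. Module names are the kernel's (vfat stands in for "FAT"), the file name is an assumption, and the sample file content is constructed. The caveats already raised in the thread still apply: vfat is what mounts the EFI System Partition, and for the USB case disabling automount is the lighter-touch fix.

```shell
#!/bin/sh
# Added example, not code from the thread or from CIS: render the
# modprobe.d drop-in that the "Ensure mounting of X filesystems is disabled"
# items (2500-2506) and "Disable USB Storage" (2524) would want, and audit an
# existing modprobe.d file for which modules it actually neutralises. The
# module names are the kernel's (vfat covers "FAT"); the sample file content
# is constructed.

FS_MODULES='freevxfs jffs2 hfs hfsplus squashfs udf vfat'

# render_modprobe_conf MODULE...: an "install" plus a "blacklist" line per
# module. "install M /bin/false" makes modprobe fail instead of loading M even
# when it is requested by name (e.g. by mount -t); "blacklist M" only stops
# alias-based autoloading, so on its own it is the weaker of the two.
render_modprobe_conf() {
  for m in "$@"; do
    printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
  done
}

# disabled_modules CONF: modules CONF neutralises with an install override
# (/bin/false or the older /bin/true), one per line, sorted.
disabled_modules() {
  printf '%s\n' "$1" | awk '
    $1 == "install" && ($3 == "/bin/false" || $3 == "/bin/true") { print $2 }
  ' | sort -u
}

# missing_modules CONF MODULE...: modules from the list that CONF still lets
# load, in list order. A bare "blacklist" line is deliberately not enough.
missing_modules() {
  conf=$1; shift
  have=$(disabled_modules "$conf")
  for m in "$@"; do
    printf '%s\n' "$have" | grep -qx -- "$m" || printf '%s\n' "$m"
  done
}

# Constructed content of a partially applied /etc/modprobe.d/cis.conf
# (the file name is an assumption).
SAMPLE_CONF='# cis.conf
install hfs /bin/false
blacklist hfs
install udf /bin/true
blacklist usb-storage'

echo "Modules the sample file still lets load:"
missing_modules "$SAMPLE_CONF" $FS_MODULES usb-storage
echo "Drop-in covering the seven filesystem modules:"
render_modprobe_conf $FS_MODULES
```

To audit a real file, pass its content: `missing_modules "$(cat /etc/modprobe.d/cis.conf)" $FS_MODULES`. A drop-in only affects future loads, so a module that is already in `lsmod` stays until it is unloaded or the machine reboots; `modprobe -n -v <module>` shows what modprobe would do under the current configuration without loading anything.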

sunrat
Administrator
Posts: 6465
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 116 times
Been thanked: 473 times

Re: CIS Benchmark Fails - USB Issues

#7 Post by sunrat »

Please stop creating new threads for what is basically the same topic. You have 4 separate threads on CIS Benchmark Fails. Your posts would still be read if in a single thread.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 13 times
Been thanked: 66 times

Re: CIS Benchmark Fail - Packets

#8 Post by dilberts_left_nut »

Merged.
AdrianTM wrote: There's no hacker in my grandma...
