CIS FreeBSD v1.0.5

Audit Details

Name: CIS FreeBSD v1.0.5

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.40

Estimated Item Count: 118

File Details

Filename: CIS_FreeBSD_105.audit

Size: 98.9 kB

MD5: 3573fcd2660cf65079a12b04e2f350e7
SHA256: 53f091c87c396f6266be7eb0b8849d24bc7a6554f0bc9277e52d69987c0e2580

Audit Changelog

Revision 1.40

Apr 25, 2022

Miscellaneous
  • Metadata updated.
Revision 1.39

Mar 29, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.38

Jun 17, 2021

Miscellaneous
  • Metadata updated.
Added
  • 1.2 Enable SSH (/etc/ssh/sshd_config)
  • 1.2 Enable SSH (Banner)
  • 1.2 Enable SSH (PermitRootLogin)
  • 1.2 Enable SSH (Protocol 2)
  • 1.2 Enable SSH (sshd_enable)
  • 1.3 Enable TCP Wrappers and a host based firewall (/etc/hosts.allow)
  • 1.3 Enable TCP Wrappers and a host based firewall (firewall_enable)
  • 1.3 Enable TCP Wrappers and a host based firewall (inetd_enable)
  • 1.3 Enable TCP Wrappers and a host based firewall (inetd_flags)
  • 1.3 Enable TCP Wrappers and a host based firewall (ipfw_load)
  • 2.1 Disable all inetd daemons
  • 2.2 Only enable telnetd if absolutely necessary
  • 2.3 Only enable ftpd if absolutely necessary
  • 2.4 Only enable rlogin/rsh/rcp if absolutely necessary (login)
  • 2.4 Only enable rlogin/rsh/rcp if absolutely necessary (shell)
  • 2.5 Only enable TFTP if absolutely necessary
  • 2.6 Only enable finger if absolutely necessary
  • 2.7 Only enable Kerberos-related daemons if absolutely necessary (kadmind5_server_enable)
  • 2.7 Only enable Kerberos-related daemons if absolutely necessary (kerberos5_enable)
  • 2.7 Only enable Kerberos-related daemons if absolutely necessary (kpasswdd_server_enable)
  • 2.8 Minimize the inetd.conf file
  • 3.1 Disable login prompts on serial ports (ttyd0)
  • 3.1 Disable login prompts on serial ports (ttyd1)
  • 3.1 Disable login prompts on serial ports (ttyd2)
  • 3.1 Disable login prompts on serial ports (ttyd3)
  • 3.10 Block NFS connections to non-privileged ports
  • 3.11 Block non-privileged mountd requests
  • 3.12 Only enable NIS if absolutely necessary (nis_server_enable)
  • 3.12 Only enable NIS if absolutely necessary (nis_yppasswdd_enable)
  • 3.12 Only enable NIS if absolutely necessary (nis_ypxfrd_enable)
  • 3.12 Only enable NIS if absolutely necessary (rpc_ypupdated_enable)
  • 3.13 Only enable NIS client daemons if absolutely necessary (nis_client_enable)
  • 3.13 Only enable NIS client daemons if absolutely necessary (nis_ypset_enable)
  • 3.14 Only enable the printer daemons if absolutely necessary
  • 3.2 Set password on single user console
  • 3.3 Set daemon umask (/etc/* umask)
  • 3.3 Set daemon umask (/etc/periodic/* umask)
  • 3.3 Set daemon umask (/usr/local/etc/rc.d umask)
  • 3.3 Set daemon umask (/usr/local/etc/rc.d/* umask)
  • 3.4 Prevent syslogd from accepting messages from the network
  • 3.5 Disable the email server if possible (sendmail_enable)
  • 3.5 Disable the email server if possible (sendmail_msp_queue_enable)
  • 3.5 Disable the email server if possible (sendmail_outbound_enable)
  • 3.5 Disable the email server if possible (sendmail_submit_enable)
  • 3.6 Only enable BIND if absolutely necessary
  • 3.7 Only enable other RPC-based services if absolutely necessary (rpc_lockd_enable)
  • 3.7 Only enable other RPC-based services if absolutely necessary (rpc_statd_enable)
  • 3.7 Only enable other RPC-based services if absolutely necessary (rpcbind_enable)
  • 3.8 Only enable the NFS server if absolutely necessary (mountd_enable)
  • 3.8 Only enable the NFS server if absolutely necessary (nfs_server_enable)
  • 3.9 Only enable NFS client processes if absolutely necessary
  • 4.1 Disable core dumps
  • 4.2 Set a default secure level
  • 4.3 Block users from viewing unowned processes
  • 4.4 Block users from viewing processes in other groups
  • 5.1 Capture ftpd and inetd information
  • 5.2 Enable system accounting (/var/account/acct)
  • 5.2 Enable system accounting (accounting_enable)
  • 5.3 Enable logging of packets received on closed ports (net.inet.tcp.log_in_vain)
  • 5.3 Enable logging of packets received on closed ports (net.inet.udp.log_in_vain)
  • 5.4 Set permissions on system log files (/var/log/auth.lo*)
  • 5.4 Set permissions on system log files (/var/log/lpd-errs)
  • 5.4 Set permissions on system log files (/var/log/maillo*)
  • 5.4 Set permissions on system log files (/var/log/mess*)
  • 5.4 Set permissions on system log files (/var/log/ppp.lo*)
  • 5.4 Set permissions on system log files (/var/log/sendmail.s*)
  • 5.4 Set permissions on system log files (/var/log/slip.log*)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/amd.log)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/daily.log)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/lpd-errs)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/maillog)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/messages)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/monthly.log)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/ppp.log)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/sendmail.st)
  • 5.5 Configure newsyslog for secure file permissions (/var/log/slip.log)
  • 5.6 Configure periodic log files (/etc/periodic.conf)
  • 5.6 Configure periodic log files (daily_output)
  • 6.1 Add nosuid option to /etc/fstab
  • 6.2 Verify passwd, master.passwd, and group file permissions (/etc/group)
  • 6.2 Verify passwd, master.passwd, and group file permissions (/etc/master.passwd)
  • 6.2 Verify passwd, master.passwd, and group file permissions (/etc/passwd)
  • 6.2 Verify passwd, master.passwd, and group file permissions (/etc/pwd.db)
  • 6.2 Verify passwd, master.passwd, and group file permissions (/etc/spwd.db)
  • 6.3 Set sticky bit on world writable directories
  • 6.4 Find world writable files
  • 6.5 Find SUID and SGID files (/usr/bin)
  • 6.5 Find SUID and SGID files (/usr/compat/)
  • 6.5 Find SUID and SGID files (/usr/sbin)
  • 6.6 User home directories should be kept private
  • 6.7 Find 'Unowned' Files and Directories
  • 7.1 Remove weak authentication services from PAM (/etc/pam.d/rexecd)
  • 7.1 Remove weak authentication services from PAM (/etc/pam.d/rsh)
  • 7.4 Restrict at/cron to authorized users (/etc/crontab permissions)
  • 7.4 Restrict at/cron to authorized users (/var/at/at.allow permissions)
  • 7.4 Restrict at/cron to authorized users (/var/at/at.allow)
  • 7.4 Restrict at/cron to authorized users (/var/cron/allow permissions)
  • 7.4 Restrict at/cron to authorized users (/var/cron/allow)
  • 7.5 Create warning banners for the system (/etc/motd permissions)
  • 7.5 Create warning banners for the system (/etc/motd)
  • 7.6 Remove the X wrapper and enable xdm
  • 7.7 Prevent xdm from listening on port 6000/TCP
  • 8.1 Block system accounts
  • 8.10 Use Blowfish encryption for all users by default
  • 8.2 Verify that accounts either have a password or are disabled
  • 8.3 Set account expiration parameters on all active user accounts
  • 8.4 Create default adduser.conf file
  • 8.5 Remove the toor user.
  • 8.7 No user dot-files should be world writable
  • 8.8 Set default umask for users (/etc/csh.cshrc)
  • 8.8 Set default umask for users (/etc/csh.login)
  • 8.8 Set default umask for users (/etc/login.conf)
  • 8.8 Set default umask for users (/etc/profile)
  • 8.8 Set default umask for users (/usr/share/skel/dot.cshrc)
  • 8.8 Set default umask for users (/usr/share/skel/dot.shrc)
  • 8.9 Set 'mesg n' as the default for all users (/etc/csh.login)
  • 8.9 Set 'mesg n' as the default for all users (/etc/profile)
Removed
  • 1.2. Enable SSH (/etc/ssh/sshd_config)
  • 1.2. Enable SSH (Banner)
  • 1.2. Enable SSH (PermitRootLogin)
  • 1.2. Enable SSH (Protocol 2)
  • 1.2. Enable SSH (sshd_enable)
  • 1.3. Enable TCP Wrappers and a host based firewall (/etc/hosts.allow)
  • 1.3. Enable TCP Wrappers and a host based firewall (firewall_enable)
  • 1.3. Enable TCP Wrappers and a host based firewall (inetd_enable)
  • 1.3. Enable TCP Wrappers and a host based firewall (inetd_flags)
  • 1.3. Enable TCP Wrappers and a host based firewall (ipfw_load)
  • 2.1. Disable all inetd daemons
  • 2.2. Only enable telnetd if absolutely necessary
  • 2.3. Only enable ftpd if absolutely necessary
  • 2.4. Only enable rlogin/rsh/rcp if absolutely necessary (login)
  • 2.4. Only enable rlogin/rsh/rcp if absolutely necessary (shell)
  • 2.5. Only enable TFTP if absolutely necessary
  • 2.6. Only enable finger if absolutely necessary
  • 2.7. Only enable Kerberos-related daemons if absolutely necessary (kadmind5_server_enable)
  • 2.7. Only enable Kerberos-related daemons if absolutely necessary (kerberos5_enable)
  • 2.7. Only enable Kerberos-related daemons if absolutely necessary (kpasswdd_server_enable)
  • 2.8. Minimize the inetd.conf file
  • 3.1. Disable login prompts on serial ports (ttyd0)
  • 3.1. Disable login prompts on serial ports (ttyd1)
  • 3.1. Disable login prompts on serial ports (ttyd2)
  • 3.1. Disable login prompts on serial ports (ttyd3)
  • 3.10. Block NFS connections to non-privileged ports
  • 3.11. Block non-privileged mountd requests
  • 3.12. Only enable NIS if absolutely necessary (nis_server_enable)
  • 3.12. Only enable NIS if absolutely necessary (nis_yppasswdd_enable)
  • 3.12. Only enable NIS if absolutely necessary (nis_ypxfrd_enable)
  • 3.12. Only enable NIS if absolutely necessary (rpc_ypupdated_enable)
  • 3.13. Only enable NIS client daemons if absolutely necessary (nis_client_enable)
  • 3.13. Only enable NIS client daemons if absolutely necessary (nis_ypset_enable)
  • 3.14. Only enable the printer daemons if absolutely necessary
  • 3.2. Set password on single user console
  • 3.3. Set daemon umask (/etc/* umask)
  • 3.3. Set daemon umask (/etc/periodic/* umask)
  • 3.3. Set daemon umask (/usr/local/etc/rc.d umask)
  • 3.3. Set daemon umask (/usr/local/etc/rc.d/* umask)
  • 3.4. Prevent syslogd from accepting messages from the network
  • 3.5. Disable the email server if possible (sendmail_enable)
  • 3.5. Disable the email server if possible (sendmail_msp_queue_enable)
  • 3.5. Disable the email server if possible (sendmail_outbound_enable)
  • 3.5. Disable the email server if possible (sendmail_submit_enable)
  • 3.6. Only enable BIND if absolutely necessary
  • 3.7. Only enable other RPC-based services if absolutely necessary (rpc_lockd_enable)
  • 3.7. Only enable other RPC-based services if absolutely necessary (rpc_statd_enable)
  • 3.7. Only enable other RPC-based services if absolutely necessary (rpcbind_enable)
  • 3.8. Only enable the NFS server if absolutely necessary (mountd_enable)
  • 3.8. Only enable the NFS server if absolutely necessary (nfs_server_enable)
  • 3.9. Only enable NFS client processes if absolutely necessary
  • 4.1. Disable core dumps
  • 4.2. Set a default secure level
  • 4.3. Block users from viewing unowned processes
  • 4.4. Block users from viewing processes in other groups
  • 5.1. Capture ftpd and inetd information
  • 5.2. Enable system accounting (/var/account/acct)
  • 5.2. Enable system accounting (accounting_enable)
  • 5.3. Enable logging of packets received on closed ports (net.inet.tcp.log_in_vain)
  • 5.3. Enable logging of packets received on closed ports (net.inet.udp.log_in_vain)
  • 5.4. Set permissions on system log files (/var/log/auth.lo*)
  • 5.4. Set permissions on system log files (/var/log/lpd-errs)
  • 5.4. Set permissions on system log files (/var/log/maillo*)
  • 5.4. Set permissions on system log files (/var/log/mess*)
  • 5.4. Set permissions on system log files (/var/log/ppp.lo*)
  • 5.4. Set permissions on system log files (/var/log/sendmail.s*)
  • 5.4. Set permissions on system log files (/var/log/slip.log*)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/amd.log)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/daily.log)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/lpd-errs)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/maillog)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/messages)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/monthly.log)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/ppp.log)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/sendmail.st)
  • 5.5. Configure newsyslog for secure file permissions (/var/log/slip.log)
  • 5.6. Configure periodic log files (/etc/periodic.conf)
  • 5.6. Configure periodic log files (daily_output)
  • 6.1. Add nosuid option to /etc/fstab
  • 6.2. Verify passwd, master.passwd, and group file permissions (/etc/group)
  • 6.2. Verify passwd, master.passwd, and group file permissions (/etc/master.passwd)
  • 6.2. Verify passwd, master.passwd, and group file permissions (/etc/passwd)
  • 6.2. Verify passwd, master.passwd, and group file permissions (/etc/pwd.db)
  • 6.2. Verify passwd, master.passwd, and group file permissions (/etc/spwd.db)
  • 6.3. Set sticky bit on world writable directories
  • 6.4. Find world writable files
  • 6.5. Find SUID and SGID files (/usr/bin)
  • 6.5. Find SUID and SGID files (/usr/compat/)
  • 6.5. Find SUID and SGID files (/usr/sbin)
  • 6.6. User home directories should be kept private
  • 6.7. Find 'Unowned' Files and Directories
  • 7.1. Remove weak authentication services from PAM (/etc/pam.d/rexecd)
  • 7.1. Remove weak authentication services from PAM (/etc/pam.d/rsh)
  • 7.4. Restrict at/cron to authorized users (/etc/crontab permissions)
  • 7.4. Restrict at/cron to authorized users (/var/at/at.allow permissions)
  • 7.4. Restrict at/cron to authorized users (/var/at/at.allow)
  • 7.4. Restrict at/cron to authorized users (/var/cron/allow permissions)
  • 7.4. Restrict at/cron to authorized users (/var/cron/allow)
  • 7.5. Create warning banners for the system (/etc/motd permissions)
  • 7.5. Create warning banners for the system (/etc/motd)
  • 7.6. Remove the X wrapper and enable xdm
  • 7.7. Prevent xdm from listening on port 6000/TCP
  • 8.1. Block system accounts
  • 8.10. Use Blowfish encryption for all users by default
  • 8.2. Verify that accounts either have a password or are disabled
  • 8.3. Set account expiration parameters on all active user accounts
  • 8.4. Create default adduser.conf file
  • 8.5. Remove the toor user.
  • 8.7. No user dot-files should be world writable
  • 8.8. Set default umask for users (/etc/csh.cshrc)
  • 8.8. Set default umask for users (/etc/csh.login)
  • 8.8. Set default umask for users (/etc/login.conf)
  • 8.8. Set default umask for users (/etc/profile)
  • 8.8. Set default umask for users (/usr/share/skel/dot.cshrc)
  • 8.8. Set default umask for users (/usr/share/skel/dot.shrc)
  • 8.9. Set 'mesg n' as the default for all users (/etc/csh.login)
  • 8.9. Set 'mesg n' as the default for all users (/etc/profile)
Revision 1.37

Feb 1, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.36

Sep 29, 2020

Miscellaneous
  • References updated.
Revision 1.35

Jul 14, 2020

Miscellaneous
  • Metadata updated.
Revision 1.34

Apr 17, 2020

Miscellaneous
  • References updated.
Revision 1.33

Aug 5, 2019

Miscellaneous
  • Metadata updated.
  • See also link updated.
Revision 1.32

May 21, 2019

Functional Update
  • 1.2. Enable SSH (PermitRootLogin)
Miscellaneous
  • References updated.
Revision 1.31

Mar 4, 2019

Functional Update
  • 7.5. Create warning banners for the system (/etc/motd)
Informational Update
  • 7.5. Create warning banners for the system (/etc/motd)
Miscellaneous
  • Variables updated.