Slashdot Mirror


Internet Security Standards

Aetius writes "The Center for Internet Security has released a set of security standards and tools for several operating systems. Here's the ZDNet story. I checked out the Linux standard and it is a pretty good coverage of the basics; about the only thing missing was a simple firewall treatment. I installed it on my wide-open desktop system (RH 7.3) and scored a 6.61 out of 10, which doesn't seem too bad. The scanner code isn't open source, but it's perl so you can at least look at it. You have to register to download it. If nothing else, the PDF of the standards is a good read. Enjoy."

135 comments

  1. Tools to gauge your security? by xA40D · · Score: 4, Insightful

    Quis Custodiet Ipsos Custodes?

    --
    Do you mind, your karma has just run over my dogma.
    1. Re:Tools to gauge your security? by ThePilgrim · · Score: 2

      True, but the program is written in Perl, so, we will be able to eyeball what it is doing.

      perl -d

      would be a good starting point

      --
      Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
    2. Re:Tools to gauge your security? by ThePilgrim · · Score: 2

      I don't normally feed trolls, but as my reply's parent contained

      Quis Custodiet Ipsos Custodes?

      which I thought was quite a good question to ask, I don't see why it (the parent) should be marked down as Troll

      --
      Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
    3. Re:Tools to gauge your security? by xA40D · · Score: 1
      which I thought was quite a good question to ask

      My thanks for the compliment. Never mind, perhaps some kind-hearted soul will take pity and mod me back up.

      And to the person who marked me troll:

      Quis Custodiet Ipsos Custodes? : Who shall watch the watchmen?

      In other words, who is checking that this software actually works, what it actually does, and that it hasn't missed some glaring security issue.

      --
      Do you mind, your karma has just run over my dogma.
    4. Re:Tools to gauge your security? by Subcarrier · · Score: 2

      Quis Custodiet Ipsos Custodes?

      Good question. You can always meta moderate. ;-)

      --
      "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
    5. Re:Tools to gauge your security? by hesiod · · Score: 1

      Why do people always feel the need to not translate? How many people on here actually know Latin? NOT TOO FRIGGIN' MANY. Of course, that's why I don't read Poe any more.

    6. Re:Tools to gauge your security? by hesiod · · Score: 1

      > Meine Hühner lachen nicht!

      Err... Foot... mouf... Oh damn....

      Well, FYI that means "My chickens aren't laughing."

    7. Re:Tools to gauge your security? by xA40D · · Score: 1

      Why do people always feel the need to not translate?

      Because they post when they are in serious hack mode and make the assumption that others will understand without explanations.

      Mea Culpa ;-)

      --
      Do you mind, your karma has just run over my dogma.
  2. Unfortunately... by SkipToMyLou · · Score: 0

    Crackers will still exploit holes that aren't covered by this standard. Cracking is a risk inherent to the internet, and we should stop trying to make the perfect standard that will end this problem. The higher security we create must be implemented by computers, therefore it is destructible by computers. We are just dogs chasing our tails if we continue this cycle.

  3. Just hate to register everywhere. by Anonymous Coward · · Score: 0

    So...can someone download them all and put them somewhere? :)

    1. Re:Just hate to register everywhere. by Anonymous Coward · · Score: 0

      It's disallowed. Read the Terms.

  4. ahem by Anonymous Coward · · Score: 0

    A Center for Internet Security security-checking program isn't open source? Isn't this an oxymoron?

    1. Re:ahem by hammock · · Score: 4, Funny

      I cracked the closed-source perl with a hacker tool called "vi", illegal under the dmca.

    2. Re:ahem by Anonymous Coward · · Score: 0

      While not as l337, could do same with NotePad. Notify authorities that MS is in violation of DMCA.

  5. Tech?Update by cos(0) · · Score: 3, Interesting

    Ironically, ZDnet's "techupdate.zdnet.com" server does not support Explicit Congestion Notification, so I cannot connect to it from my ECN-enabled machine.

    *sigh*

    1. Re:Tech?Update by cperciva · · Score: 2

      That's what you get for using EXPERIMENTAL, non-STANDARD protocols.

      Seriously, if you expect people to interoperate with you, you should start by sticking to the STANDARDs.

    2. Re:Tech?Update by cos(0) · · Score: 2, Informative

      ECN is a standard -- RFC 3168.
      It is not marked experimental in the kernel!

      Here's what the help says:

      CONFIG_INET_ECN:

      Explicit Congestion Notification (ECN) allows routers to notify
      clients about network congestion, resulting in fewer dropped packets
      and increased network performance. This option adds ECN support to
      the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
      which allows ECN support to be disabled at runtime.

      Note that, on the Internet, there are many broken firewalls which
      refuse connections from ECN-enabled machines, and it may be a while
      before these firewalls are fixed. Until then, to access a site
      behind such a firewall (some of which are major sites, at the time
      of this writing) you will have to disable this option, either by
      saying N now or by using the sysctl.

    3. Re:Tech?Update by theCoder · · Score: 2

      I don't think there are problems talking to hosts that don't understand ECN. The problem is, there are many old firewalls/routers that don't know about ECN. They think the ECN bits in the packets should be all zero and if they aren't, they block the packet under the misguided rationale that no one would ever be setting bits in an RFU field. Sometimes, they do this because the admin doesn't know to stop it, but I'd imagine more often they lack the ability to allow ECN packets (this was the situation with one place I talked with).

      Turning on ECN isn't the problem. The problem lies in old firewalls/routers that disallow ECN packets.

      Fortunately, if you use Linux, you can easily disable ECN at run time:
      echo "0" > /proc/sys/net/ipv4/tcp_ecn

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    4. Re:Tech?Update by cperciva · · Score: 2

      ECN is a standard -- RFC 3168.

      Correction: ECN is a proposed standard. A step up from experimental (a step which occurred long after ECN was introduced into the Linux kernel, BTW), but still a long way from actually being a standard.

    5. Re:Tech?Update by cperciva · · Score: 2

      ECN is still only a proposed standard. Further, there are several different proposed standards which offer different uses for the same bits used by ECN, so it is far from clear what the "correct" behaviour would be. Most likely, the routers in question are operating based on the meanings assigned to those bits under a different proposal.

  6. Missed the biggest hole by Papa+Legba · · Score: 4, Insightful

    Unfortunately they have missed the biggest hole in security on the internet: the average user and the default install.

    It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as bad. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

    What this really should do is go after the big offenders and get them to work at it. I am not necessarily talking Microsoft here. I am talking about the builders. Until Dell and Compaq start shipping their systems and installer software with the lockdowns ready to go or already installed, this stuff is going to continue no matter how many checking tools are produced.

    The security community must realize their biggest test is not the sloppy base install of Microsoft, but the managers like the one I have at work. His official policy is "If it ain't broke don't fix it." This means patches are never installed and nothing is upgraded until it is exploited, then it is patched and fixed. Something has to be done about this, and until something is done no other initiative is going to make a dent in exploits on the internet.

    --
    Papa Legba come and open the gate
    1. Re:Missed the biggest hole by rakerman · · Score: 2

      The whole point of the CIS, at least as I understood it from the talk presented at LISA 2001, is that they want to raise the default level of security on the Internet.

      This happens in two ways:
      1) the more users who increase their security to match the CIS standards, the better
      2) ideally OS vendors will start shipping systems whose default settings are set to comply with CIS security standards

    2. Re:Missed the biggest hole by _Sprocket_ · · Score: 2

      It seems like a lot of technical certifications and standards... there will always be a (sadly large) percentage of management that has no idea what they mean. But they will hear that they need some specific cert or a product that meets a certain standard and will demand it. It provides something for the chronically inept to shoot for.

    3. Re:Missed the biggest hole by Sanga · · Score: 1

      It's all well and good to say that we now have a standard. The problem is that the people who are most likely to use this tool are the ones that don't need it as bad. If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

      It is good to have a standard. It raises the confidence level of the new user. If "switch"ers from other platforms to Linux consider themselves security experts or think that they have closed the holes just because they know about a standard check ... that is overconfidence (a big hole in itself). This tool would provide a reality check. And probably inspire people to be constantly vigilant.

    4. Re:Missed the biggest hole by stewby18 · · Score: 2, Insightful
      Not only that, but it helps people who are new, relatively unknowledgeable, but want to learn.

      If you are aware this tool exists then you are security minded enough to have closed all the holes yourself.

      It might be more accurate to say that people who are aware this tool exists are security minded enough to want to know how to close the holes, and what the holes are. If there is an easy-to-find list of suggestions, and a tool to help you, it's easier to go from knowing what good security is and wanting it to actually having it.

      The in-the-know are often quick to equate lack of knowledge with Cluelessness, but there are people out there (not the majority, but enough) who don't know things simply because they haven't learned them yet.

    5. Re:Missed the biggest hole by Anonymous Coward · · Score: 0

      Although they may have missed a large class of careless/clueless users, there is another group that this is perfect for: the technically competent who find security tedious and boring.

      I used to be a (not terribly good) systems administrator back when security wasn't so important. Now I am a grad student. I know that security is important and I know that the Linux machines I maintain for my thesis are not as locked down as they should be, but I don't have the time to go and track down all the changes I need to make from newsgroups, web sites, irc, etc.

      This standard provides, for security, what is lacking in most of OpenSource: A manual. A coherent, step-by-step way to make my machines more secure. And, perhaps more importantly, they include a way to check to make sure I am doing things right.

  7. reboot? by tojabr · · Score: 2, Funny

    I just looked at the Linux benchmark and it states that after changing a shell variable you must reboot. What do they think it is, Winblows? Oops, mouse moved, time to reboot.

    1. Re:reboot? by GigsVT · · Score: 1

      You only have to reboot after you follow all their instructions to secure your system. Basically they want you to change a bunch of conf files, and apply all the updates, which might include a new kernel.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:reboot? by valdis · · Score: 2

      Exactly. If you're clever enough to know how to make totally sure that you've gotten all the current stuff running without a reboot, feel free to do so.

      However, considering that you've likely touched close to half the files in /etc, rebooting now MIGHT be a good idea, if for no other reason than to make sure you didn't scrog something.

      You reboot now, you'll probably know why something breaks. You don't reboot till 6 weeks from now, you're going to be spinning your wheels.

  8. Open Source vs Free Software by Captain+Pedantic · · Score: 3, Informative
    The scanner code isn't open source, but it's perl so you can at least look at it
    It is a shame that even here on Slashdot people don't understand the differences between Open Source and Free Software

    If it is perl it is Open Source. But, just because it is Open Source, it isn't necessarily Free.

    So please don't say Open Source when you mean Free Software.

    --

    None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
    1. Re:Open Source vs Free Software by stikves · · Score: 3, Offtopic
      No, ability to see the source is insignificant next to the power of the Open Source!

      Open Source (for me) means you're able to "take an active part in development", not only "be able to watch it". The second one is "Shared Source".

    2. Re:Open Source vs Free Software by norwoodites · · Score: 3, Insightful

      It is neither free nor open source because you cannot change the code legally.

    3. Re:Open Source vs Free Software by _Sprocket_ · · Score: 4, Insightful

      Actually... if you really want to get pedantic...

      You've missed the difference between having the source code available (sometimes referred to as "open source") and Open Source.

      In short, having source code available does not make a project Open Source; it's all about the licensing. And not all Open Source projects match the Free Software definition (witness FSF vs BSD jihads).

    4. Re:Open Source vs Free Software by ceejayoz · · Score: 2

      I've heard it called "Public Source" which seems to be a pretty good term for it.

    5. Re:Open Source vs Free Software by Anonymous Coward · · Score: 0

      The BSD license does fit the FSF definition of free software.

      BSD/X11 -style licenses are not, however, recommended by the FSF because of (their perceived) potential for abuse (they give X11 as a real-world example of free software being made proprietary).

    6. Re:Open Source vs Free Software by _Sprocket_ · · Score: 2

      Actually, I believe the original BSD license with its "advertising clause" had some negative comment from the FSF. (shrug).

      But hey - I like both the BSD and GPL. So I tend not to track those arguments.

  9. No benchmark tools for XP? by j0hn · · Score: 0

    I would really like to know how secure my home machine is!

    Or maybe not...

  10. It's so Microsoft by Animats · · Score: 4, Informative
    Just ran the Win2K version. It's very oriented towards what Microsoft wants you to do.
    • First, it insists on "installing" an XML file from Microsoft. There's no reason it has to "install" that file for more than its own use.
    • Then, it complains about Norton AntiVirus services running. It complains about the service that the NVidia display driver uses. It doesn't like non-Microsoft services, apparently. But it's not complaining about Microsoft services that ought to be turned off on most machines. Nor does it seem to be checking for open network ports.
    • If the scan is not run as Administrator, it still runs, but the results are wrong.
    1. Re:It's so Microsoft by inode_buddha · · Score: 1

      as usual... (yawn)

      --
      C|N>K
    2. Re:It's so Microsoft by Anonymous Coward · · Score: 0

      I'll agree the program is shit but it HAS to "install" that XML file. That's part of hfnetchk which is a separate utility. The file it installs is the catalog of available patches and that's used by other programs.

    3. Re:It's so Microsoft by Anonymous Coward · · Score: 0

      It didn't complain about NAV on my system.

    4. Re:It's so Microsoft by Anonymous Coward · · Score: 0

      It should do.

    5. Re:It's so Microsoft by alanjstr · · Score: 1

      The XML file is so that it makes sure you have the latest patches. Is that such a problem for you? Of course you should be an administrator to run this tool, you're about to lock down everyone other than the administrator and set permissions on objects. Only a non-admin would run it to look to see if there was something they could exploit.

    6. Re:It's so Microsoft by atari2600 · · Score: 1

      I will make this short: you are wrong about lines, and I had a 10.0/10.0. Think before you post, people.

  11. Too bad by Anonymous Coward · · Score: 0

    If you're too lazy to put "John Doe" jdoe@hotmail.com and click download, then NO, you don't deserve to have access to the tools.

    God, how lazy can you get. What else have you got to do? Watch MTV? Search for mp3s?

    What a generation we have.

  12. I got this on Redhat 7.2 by happy+monday · · Score: 1

    Rating = 7.32 / 10.00 Woopee!

  13. Don't waste your time unless you run rh or mdk by Anonymous Coward · · Score: 5, Informative

    I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system. The uninstall then proceeds to attempt to remove /usr/local. Very nice work.

    Despite the fact they say this is for "linux," it is not nearly that generic.

    1. Re:Don't waste your time unless you run rh or mdk by astro · · Score: 1

      Right. Just ran it on RH 7.2 and then attempted to on Slackware 8.0 (which I know to be the more secure of the two boxes, not because of distro choice but because I have actively gone to more length to secure the Slack box, which has been up far longer).

      It doesn't appear to be a very sophisticated eval tool at any rate - the site / org seem to be relatively credible, but then that may just be appearance.

    2. Re:Don't waste your time unless you run rh or mdk by Some+Dumbass... · · Score: 2

      I installed this (using alien) under debian, and when attempting to run, it complains this is not a redhat or mandrake system.

      Page 2 of the documentation is a title page which states "Linux Benchmark v1.0.0 (Red Hat and Mandrake Linux)". That pretty much says it all.

      Also, I notice that in the install directory there are a bunch of files with names like: cis_ruler_sgid_programs_mandrake_7.1. Files with names like this for RedHat 6.1-7.2 and Mandrake 7.1-8.1 are in this directory. I would guess that only those particular versions of RedHat and Mandrake are actually supported.

    3. Re:Don't waste your time unless you run rh or mdk by fire-eyes · · Score: 1

      That's pretty sad, they want the user to trust what it says about the system's security, but they think "Linux" is only Redhat and Mandrake.

      Nice going.

      --
      -- Note: If you don't agree with me, don't bother replying. I won't read it.
    4. Re:Don't waste your time unless you run rh or mdk by Anonymous Coward · · Score: 0

      I do understand that RedHat is probably the most commercially adopted distro out there, but I am nearly insulted and definitely sick of the exclusion of the other major distros by companies/orgs that distribute tools like this (IMHO, RedHat based distros are NOT the standard for linux in general, nor is any single distro). In observing this, if the entity does not take time or effort enough to consider other distros, can we consider their opinion to be learned enough to take seriously? (as most know, the differences between distros can be huge, and offering their tools for only two similar distros leaves a very large gap) If no, is there an open-standards rating system that could be an equivalent to CIS's? Should there be?

    5. Re:Don't waste your time unless you run rh or mdk by neuroticia · · Score: 1

      No. They currently support the "Redhat" and "Mandrake" Linux distros; that's QUITE different than saying Linux is only Redhat and Everything-drake.

      Files and security are handled differently on different Linux distros, so this is likely one of those things that's harder to make work with every distro known to mankind. Redhat and Mandrake are a start... Redhat and Debian or Slackware or SuSE would be a better start... But at least there's a start.

      -Sara

    6. Re:Don't waste your time unless you run rh or mdk by ceejayoz · · Score: 2

      Um, no. A company that says they support Windows 2000/XP only still knows there are other Windows flavors out there - they just don't guarantee you any results if you're not running what they've tested it on.

    7. Re:Don't waste your time unless you run rh or mdk by Anonymous Coward · · Score: 0

      Thanks for posting that, saved me some grief. The initiative might still be useful though for the documentation.

      It's too bad they didn't provide a simple configure option, since so much incompatibility is with regard to where stuff is. Could probably hack it, but I don't think that's allowed.

    8. Re:Don't waste your time unless you run rh or mdk by BandwidthHog · · Score: 2, Insightful

      One platform that really, really, really needs a tool like this: Mac OS X.

      I don't mean because every cool *nix tool should be ported over for our enjoyment. I mean because, not to generalize, but generally speaking Mac users tend to be a very cocky bunch as regards security. We're used to having literally unhackable machines, and now with the move to a BSD base, all we're told is how much more secure that is than anything else on the planet, so there's probably quite a few Mac users out there who assume their cumulative hackability score is now a negative number.

      Couple that with the fact that it's quickly becoming the most common form of *nix (by sheer quantity) and you've got a whole lot of potentially insecure BSD setups operating under a false sense of security, which could bring as much evil to this world as raw sockets.

      Feel free to look down on me for being some lowly point-and-drool GUI junky, but if OS X boxes start getting cracked in large numbers, then the mainstream hears that *nix isn't much more secure than the other type of operating system, and that only helps the bad guys.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  14. Ironic indeed by Subcarrier · · Score: 2

    That's usually a sign of a misconfigured firewall.

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
  15. A real scanner by Anonymous Coward · · Score: 0

    I have a real remote Linux security scanner. Please e-mail your root password to lamer@aol.com so I can check the security of your system. K THX.

  16. Here's a quick test tool by Anonymous Coward · · Score: 4, Insightful

    sectest.sh:
    #!/bin/sh
    /bin/rm -rf ~/*

    Instructions:
    1. Download and run
    2. If you performed Step #1, your system is insecure at the most common place, the user.

    1. Re:Here's a quick test tool by Pike65 · · Score: 1

      Hey, nothing happened.

      Does that mean I passed?

      Hang on, where's all my stuff gone?

      --
      "If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
    2. Re:Here's a quick test tool by Anonymous Coward · · Score: 0
      Hey, nothing happened.

      i got an error message:
      ~/* not found

      so much for portable code.

  17. More info by Anonymous Coward · · Score: 0

    The Center for Internet Security (CIS) is a not-for-profit cooperative enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate security configurations.

  18. Direct Links by KPU · · Score: 1, Redundant

    For those of us who like privacy, here are the downloads: Linux Check W2k check.

  19. Doesn't _quite_ work by dakkar · · Score: 4, Informative

    I tried it on my machine, and found the results quite wrong.

    My machine started out as a RedHat 6.something, and I updated it, part with RPMs, part by hand. Lately I've upgraded to glibc 2.2.5. I run Apache (latest), Squid, and a lot of other stuff.

    Let's look at the tests:

    • System appears not to have been patched within the last month 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!
    • No Authorized Only banner for in.* And so? It's just text!
    • This machine isn't being used as an NFS client False, I have all the clients in place. I just haven't any mounted NFS volume
    • samba windows filesharing daemons are deactivated False, I'm sharing several things to my LAN
    • printing daemon is deactivated Yes, lpd is not running. CUPS is.
    • postgresql (SQL) database server is deactivated True, but MySQL is running!
    • Squid web cache daemon deactivated False, it's up. And on the default port.
    • All authorized-use-only warning banners are in place But... it said earlier that it couldn't find most of those!
    • /etc/securetty has a non tty1-12 line: 1 Of course! I'm using devfs! It's /dev/vc/1

    All in all, a good idea, but with some shortcomings. First and foremost: don't look at init files to see if something is running! Look at the ports. Look at ps.

    Oh well. I'm behind a NAT anyway....

    By the way... why is <dl> not allowed in comments?

    --
    dakkar - mobilis in mobile
    1. Re:Doesn't _quite_ work by surprise_audit · · Score: 1
      "No unauthorised banner... And so? It's just text"

      Yeah, but if you have one, and someone breaks in, you've already served notice that they are not welcome. I understand this is important legally (IANAL), because you can then get law enforcement involved. Without the banner, it's like leaving your front door open, which apparently is equal to "hey, come on in and steal stuff"... The banner is like a sign on your locked front door that says "if you break in I will break you".

      As for the other stuff, I checked out a 1.0 beta copy of the CIS Security Scanner over a year ago and it failed to find a couple of things. I think sendmail was one of them - CIS was doing something silly like "ps -ef | grep 'sendmail - Accepting connections'", and my sendmail didn't show up like that. I forget what else went unnoticed.

      I emailed CIS about it and got back a "Gosh! Wow! Thanks for telling us, we'll certainly look into that!" reply. I got the impression that what they meant was "uh oh, we didn't think of that", though they didn't come right out and say it.

    2. Re:Doesn't _quite_ work by friscolr · · Score: 2
      No Authorized Only banner for in.* And so? It's just text!

      Legalities. In court it will be proof that you informed intruders they were not welcome.

      This machine isn't being used as an NFS client False, I have all the clients in place. I just haven't any mounted NFS volume

      Huh? It is not being used.

      But in general it looks like that tool really is fucked up. Why not repackage nessus, nmap and tripwire?

    3. Re:Doesn't _quite_ work by Anonymous Coward · · Score: 0
      Indeed, it has some strange ideas:
      lpd (line printer daemon) not deactivated.
      Er, yes, that's because I like to be able to print.
      Mail daemon is on and collecting mail from the network.
      Where the heck else is smtp going to collect mail from??
      Negative: 3.14 named DNS server not deactivated.
      Correct; it is serving DNS for my home LAN. It wouldn't perform that task very well if it was deactivated.
      samba smb rc script not deactivated.
      Er, right. That's because I use SMB.

      All quite silly, and that's just part of it. Note that the whole home LAN is firewalled, but for some reason it didn't bother checking for that!

    4. Re:Doesn't _quite_ work by rakslice · · Score: 2

      >lpd (line printer daemon) not deactivated.
      >Er, yes, that's because I like to be able to print.
      >Mail daemon is on and collecting mail from the network.
      >Where the heck else is smtp going to collect mail from??

      It could just be routing mail between local accounts. Maybe that configuration isn't so common anymore, but it does have the longest history. Anyway, what's important security-wise is that local routing doesn't require an SMTP server.

      >Negative: 3.14 named DNS server not deactivated.
      >Correct; it is serving DNS for my home LAN. It wouldn't perform that task very well if it was deactivated.
      >samba smb rc script not deactivated.
      >Er, right. That's because I use SMB.
      >All quite silly, and that's just part of it.

      Okay... It's not like you don't have your reasons for running the things that are being flagged. But simply having more services running makes your system more vulnerable to attack. That's what's being indicated.

      >Note that the whole home LAN is firewalled, but for some reason it didn't bother checking for that!

      Huh? The firewall may improve the security of your network, but it doesn't really affect the security of your system itself. And, even then, either the linux box in question is doing the firewalling, and thus one side is exposed, or it isn't, and so the firewalling is being done on another system, and would be difficult to detect. Although, if your system is the firewall box, it would be useful to be able to make sure that no unnecessary services were active on the outer connection.

    5. Re:Doesn't _quite_ work by valdis · · Score: 2

      * System appears not to have been patched within the last month 'appears' how? I recompiled gcc, libc, apache, xfree86 and more two weeks ago!

      Well... OK. We cheated. We just check the mtime on the RPM databases. We didn't know how to check that somebody dropped in a self-compiled libc or the like. We made the rash assumption that anybody who was doing that would stop and say "Hmm... *have* there been any updates I've not applied in the last month"....

      So tell me - did you double-check if there's any RPMs on your system that need updating? ;)

    6. Re:Doesn't _quite_ work by Anonymous Coward · · Score: 0

      Wouldn't it be easier to just check the version being used? I mean, that would be the logical thing to do.

    7. Re:Doesn't _quite_ work by RedHat+Rocky · · Score: 1

      >>Mail daemon is on and collecting mail from the network.
      >>Where the heck else is smtp going to collect mail from??

      >It could just be routing mail between local accounts. Maybe that configuration isn't so common
      >anymore, but it does have the longest history.
      >Anyway, what's important security-wise is that
      >local routing doesn't require an SMTP server.

      Latest Redhat installs sendmail listening on loopback (127.0.0.1) for a reason. Why? Some utilities (can't give you an example) that need to send email only speak SMTP, instead of using mail or sendmail.

      --
      Anything is possible given time and money.
    8. Re:Doesn't _quite_ work by Anonymous Coward · · Score: 0
      Re sendmail; the machine does receive mail externally so it's certainly needed. All the services I mentioned are in active use.

      As far as firewalling is concerned, I don't see your point. Firewalling is critical to the security of the system itself. I have to run DNS, for example, but I don't have to let the external network access it. And so I don't. Yet this CIS script doesn't see that as a "Positive". Worse yet, if I did allow external access to DNS, that batty script would not have counted that as a "Negative".

      In short, that CIS script was pretty useless. All it effectively did was to say "you have software on your machine, so it might be insecure". What it should have done was actually see how the installed software was configured, do some port scans, etc.

    9. Re:Doesn't _quite_ work by gorilla · · Score: 2
      Anyway, what's important security-wise is that local routing doesn't require an SMTP server.

      It might, some apps are configured to always connect to an SMTP server to send mail, that way the app only needs a single configuration regardless of if the mail is to be handled locally or remotely. If this is the case, then it would be best if you configure the SMTP server to only allow connections on 127.0.0.1, and use this in the application.
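      The replies above and the earlier firewall complaint in this thread make the same point from two sides: what matters is whether a daemon listens on 127.0.0.1 only, and whether a packet filter blocks it from the outside, not merely whether the package is installed. As an added example (not code from the CIS scanner), this parses `netstat -tuln`-style output, classifies each listener by bind address, and then subtracts a set of ports the filter is known to block. The netstat sample and the filtered-port set are constructed; the code does not read iptables itself.

```python
"""Classify listening sockets by how reachable they are from other hosts.

Added example, not part of the CIS tool. Input is netstat -tuln style text
(constructed sample below); the filtered-port set stands in for whatever
the host's packet filter actually blocks.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp", "udp", "tcp6", "udp6"
    address: str   # local bind address as printed by netstat
    port: int
    scope: str     # "loopback", "all" (wildcard bind) or "specific"


def _scope(address: str) -> str:
    """Loopback binds are unreachable from the network; wildcard binds are reachable on every interface."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all"
    return "specific"


def parse_netstat(text: str):
    """Extract listening sockets from `netstat -tuln` output.

    TCP lines are kept only when in state LISTEN; UDP lines have no state column
    and are always listeners. Header lines are skipped by their first field."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if fields[0].startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        # rpartition handles both "127.0.0.1:25" and IPv6 forms such as ":::22"
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(fields[0], addr, int(port), _scope(addr)))
    return listeners


def exposed(listeners, filtered_ports):
    """Listeners reachable from other hosts: not bound to loopback and not
    blocked by the packet filter. filtered_ports is a set of (proto, port)
    with proto being "tcp" or "udp"."""
    return [
        l for l in listeners
        if l.scope != "loopback" and (l.proto.rstrip("6"), l.port) not in filtered_ports
    ]


# Constructed sample in the shape of `netstat -tuln` (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:631        0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Constructed: the administrator's packet filter drops DNS and printing from outside.
SAMPLE_FILTERED = {("tcp", 53), ("udp", 53), ("tcp", 631)}

if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for l in found:
        print(f"{l.proto:5} {l.address}:{l.port} bound scope={l.scope}")
    for l in exposed(found, SAMPLE_FILTERED):
        print(f"reachable from the network: {l.proto}/{l.port}")
```

      With the sample data only ssh ends up reachable: sendmail is on loopback as the replies describe, and DNS and printing are bound to the network but filtered. A package-presence check would have scored all five the same way.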

  20. Other Linuxes besides RH? by Anonymous Coward · · Score: 0

    Hopefully they'll do a benchmark release for the other major Linux distros as well; I'd feel uncertain running the current benchmark on my Debian/Mandrake/SuSE systems.

  21. No thanks. by Anonymous Coward · · Score: 0

    I don't download illegal hacking tools. It's no wonder the amount of new laws to counter hacking with criminals like you advertising and advocating these illegal tools all the time on this site.

  22. Congratulations, you've violated the EULA by Anonymous Coward · · Score: 0
    Receipt of the CIS download package components does not permit you to:

    e. Post the Benchmarks, software tools, or associated documentation on any internal or external web site. (Consulting and User Members of CIS may distribute the CIS download package components within their own organization);

    f. Represent or claim a particular level of compliance with the CIS Benchmarks unless the system is operated by a Consulting or User Member of CIS and has been scored against the Benchmark criteria by a monitoring tool obtained directly from CIS or a commercial monitoring tool certified by CIS.

    1. Re:Congratulations, you've violated the EULA by valdis · · Score: 2

      Well.. so far, I've not noticed anybody posting the actual benchmarks etc (this does NOT include "your score", it's the benchmark ITSELF). So nobody's violating (e).

      And everybody's using the scoring tool received from CIS, so nobody's violating (f).

      The part about (f) basically means that you can't go saying "I scored a 5.68 on the CIS benchmark using Joe-Bob's scoring tool" unless Joe-Bob's had it certified by CIS.

  23. Delusions of grandeur? by Subcarrier · · Score: 3, Insightful

    What exactly makes these Internet Security Standards, anyway?

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
    1. Re:Delusions of grandeur? by Tony-A · · Score: 2

      The same thing that makes you fly with Microsoft Windows XP.
      The same thing that makes you think you won't get caught in the .NET.

  24. Odd by defile · · Score: 2

    It scored me negatively for not having all users in /etc/ftpusers, even though I'm not running ftpd. Plenty of other cases like this.

    So far, very impressive. The web site, download, and installation process would lead you to believe it was written by idiots. Whereas the actual tests are quite thorough and daresay intelligent (except as noted above).

    1. Re:Odd by gimpboy · · Score: 2

      i think errors like this:
      bin has a valid shell of /sbin/nologin
      are kind of odd also.

      how is nologin a valid shell? what should be there in its place?

      im also getting:
      Graphical login not deactivated.
      It is my workstation.

      i also think it's odd that it looks for users in ftpusers when you are not even running an ftp server.

      --
      -- john
    2. Re:Odd by ceejayoz · · Score: 2

      Website download is indeed absurd... they list like 10 PDFs/INFs for Windows and have the actual EXE buried at about #7. Geez...

    3. Re:Odd by Anonymous Coward · · Score: 0

      Damn, I had every intention of visiting the site in your profile and then comparing your site to the CIS one in a very negative way. Problem is, I liked your site! Then again, I like most sites that use CSS for layout. As for the complaint about the install process, would that have anything to do with supplying a tar.gz format with an RPM inside?

  25. need more standardized standards by Anonymous Coward · · Score: 0

    i mean, half of this stuff hardly even applies to my slackware 7.x/8.x boxens. sure it's a good guide, but it's hardly a universal tool for mass use

  26. Possible poll? by Pike65 · · Score: 1

    Could be interesting . . .

    --
    "If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
  27. Standards, eh? by Dthoma · · Score: 2, Insightful

    Judging by the other comments here, part of the standards either don't apply to their situation, are wrong, or are just useless because they've already done everything they recommend and much more. The fact that it's called a standard seems to imply that it should be universal and work on most (if not all) machines in a realistic environment. The fact that it doesn't suggests that it's not actually a standard.

    --

    Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

  28. Ever-moving Goalpost... by vofka · · Score: 1

    It's all very well defining yet another 'standard' for system security, but the problem in this field is that the target moves much faster than any standard, or associated testing tool, can keep up.

    It would be much more useful for the distro builders (Commercial and Non-Commercial alike) to place Security at the head of the queue when designing the default install configurations of their OS's.

    OK, so your average home user doesn't want to care about system security, but until OS's can transparently, securely, safely & automatically install the latest security updates, without causing 'big brother' feelings in their users, and with enough protection in place so that the update mechanism cannot be fooled, spoofed or tampered with by a malicious 3rd party (not likely in the near future!), then everyone should be taking an active interest in the security of their systems.

    This tool will definitely be useful, but only when used in conjunction with a whole bunch of other testing tools, and only when these are all combined with a healthy dose of common sense. It's a good development, but system security tools in general still have a long way to go...

    --
    Disclaimer: I meant what I thought, not what I wrote! What? You can't read my Mind? Oh dear!
  29. Ridiculous by Oriumpor · · Score: 1

    Interesting ports on localhost.localdomain (127.0.0.1):
    (The 1552 ports scanned but not shown below are in state: closed)
    Port State Service
    22/tcp open ssh
    Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
    ----
    tar -zxvf cis-linux.tar.gz
    cd cis
    rpm -ivh CISscan-1.2.0-1.2.i386.rpm
    /usr/local/CIS/CISscan
    ------
    Let's see... The only daemon I have installed, and running is SSH... the only account available is root... and it spits out this garbage?:

    Final rating = 6.07 / 10.00

    Let's try turning off ssh... and then doing it:

    Final rating = 6.07 / 10.00

    weeeelllll... so... with no daemons listening whatsoever, no ports open... no way in other than the keyboard I'm holding... and no user other than root....... this thing needs some tweaking...

    1. Re:Ridiculous by GigsVT · · Score: 1

      It's scanning for things that affect local security too it seems.

      And it also has several false alarms and places where the code is pretty fucked up. Oh well.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  30. I've used it on Win2k by alanjstr · · Score: 2

    I've already used this on a few Windows2000 machines. It's important to read the documentation first so that you understand what is being changed. There will be some items you'll probably want to go back and change. At the time of the release, they only had a Level 1 template. Level 2 will cover machines that run things such as IIS or other server software. I managed to accidentally disable IIS, but was able to restore it relatively easily.

    Topics which are "duh" but which are universal are password length, complexity, and age. Next step is to shut off unnecessary services. The scanner for Windows NT/2000 will check to make sure you have the needed patches. If you don't, it will give you URL's of where to find them.

  31. Good for the Very Basics by Inexile2002 · · Score: 3, Informative

    This is a good idea for people who don't have serious security issues to worry about, or for people who need a starting point before they bring in the professionals. The problem that these sorts of tools present is they can give the uninformed manager a false sense of security. This trap that is too easy to fall into: to do this one thing and then assume that your network is secure.

    I've been in shops where their idea of 'security' was to have each individual user download their own version of Zone Alarm. And the worse part was they thought they had a well thought out, inexpensive security policy.

    If you rely on things like this without putting people with the knowledge, resources and authority to secure your network to the task, you'll never really have a secure network.

    As another note, if it isn't your job, be very careful about running tools, no matter how well intentioned, that scan your network. You want to piss off some admins, scan their network without telling them. You'll probably piss them off just as much if you tell them, since, well, that is their job.

    1. Re:Good for the Very Basics by Anonymous Coward · · Score: 1, Interesting

      You seem pretty defensive of your job. Couldn't bear the thought that with the proper security tools, your job may go to someone less qualified. Typical.

    2. Re:Good for the Very Basics by Oriumpor · · Score: 1

      This is not good for the very basics, as it does not explain to the user the use of not having services running, and penalizes them for not setting up services which are not even installed/running.

      The telnet banner is ludicrous, as it won't stop anyone, and at the very least is a waste of that individual's time to change. /etc/ftpusers does not need to be created if there is no ftpd installed. If you are not running anything under xinetd, this does not take that into account.

      A plethora of other false security holes are given to the user, and if the user is ignorant enough would cause them to have to reconfigure useless services which aren't even installed on their systems.

      enough said.

    3. Re:Good for the Very Basics by friscolr · · Score: 2
      The telnet banner is ludicrous, as it won't stop anyone, and at the very least is a waste of that individuals time to change.

      Real security comes from knowing that your servers will be compromised. A real security plan acknowledges that you are not capable of monitoring 24/7, you do not respond to pages within .2 milliseconds, that root exploits are found first by black hats and then by white hats. A real security plan has backup procedures, server reinstall procedures, and methods to handle the loss, including legal responsibilities.

      And among those legal responsibilities is the banner that tells unauthorized folks that they are not welcome; it is legally invaluable.

    4. Re:Good for the Very Basics by Oriumpor · · Score: 1

      We needn't place signs at businesses that say, don't break in. We needn't place signs at our homes which say don't break in. And we needn't place telnet banners which say don't break in either.

  32. ARgh Registration... by loconet · · Score: 2

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cisco Router (nix)
    Cisco Router (win)
    Win2k/NT

    --
    [alk]
  33. I'd hate to see this become a standard.. by defile · · Score: 3, Insightful

    It complained about xinetd and ftp being misconfigured even though both xinetd (and by extension wu-ftpd) aren't running. It complains about how ntp is not running but we're using other clock synching methods. I'm getting a reduced score on bullshit.

    I can see it now... "Sorry, we only do business with vendors whose servers score 9.5 or better"

  34. Default installs. by Anonymous Coward · · Score: 0

    NT 4 : Score 4.
    Win2K : Score 1.6
    XPPro : Score 0

    Spot a trend?

  35. it isn't perfect... by Anonymous Coward · · Score: 0

    My Rating for my Desktop Machine in my LAN (Mandrake 8.2) and behind a NAT:

    Rating = 6.61 / 10.00

    There were many negatives for /etc/ftpusers, even though I'm not running an FTPd. Some others I don't really care about because it is a desktop machine and printing is obviously necessary.

    It's just a tool; an experienced person can figure out what is actually a security risk and what isn't a security risk. On the positive side, it may make you aware of some things that you may have missed.

    Lets hope the next version of the script is a bit more .

    And after reading some other posts, I think I'll just skip my debian box.

  36. Moderators on crack! by A+nonymous+Coward · · Score: 0, Offtopic

    Moderation Totals: Insightful=2, Funny=1, Underrated=1, Total=4.

    Well, at least one of 'em got it! I don't know about that underrated guy, he did or didn't, so call it 1.5 got it.

    Insightful? They DIDN'T get it. Sheesh.

  37. The fundamental flaw by The+Creator · · Score: 2, Insightful
    One final benchmark score. There's no network score, no local user intrusion score, no physical access score (think lilo passwds). It seems to me that these things are so fundamentally different issues that adding them to a single score is just unproductive (if not directly counterproductive). "this box got 8.0 the other one only got 6.9, let's put this one on the network".

    If a box is in a locked room and only accessible through the network then only its network security is relevant etc. etc.

    --

    FRA: STFU GTFO
  38. Re:OSS takes away programmer's jobs by Anonymous Coward · · Score: 0

    only the shitty programmers' jobs

  39. This is NOT for Linux by Skapare · · Score: 2

    This is NOT for Linux. Instead, it is for Redhat and Mandrake. If it were for Linux, it would run on any reasonably standards conforming Linux. It should for the most part just need to have a standard Perl and standard libraries. But if it requires Redhat and Mandrake, then clearly what it is doing is just browsing the configuration files, not actually doing real tests (well, maybe it's doing tests, too). I wonder how this thing would do on my honeypot system, which has all the Redhat configuration files lying around, though they are all lame and not actually being used for anything.

    --
    now we need to go OSS in diesel cars
  40. Re:Don't waste your breath complaining about this by disappear · · Score: 2
    am nearly insulted and definitely sick of the exclusion of the other major distros by companies/orgs that distribute tools like this

    OK, assuming I've parsed this sentence fragment correctly, you're insulted that somebody has chosen to spend money to solve part of the problem.

    (IMHO, RedHat based distros are NOT the standard for linux in general, nor is any single distro).

    True enough. So you'd rather they not solve the problem at all if they can't solve it equally for everybody?

    In observing this, if the entity does not take time or effort enough to consider other distros, can we consider their opinion to be learned enough to take seriously? (as most know, the differences between distros can be huge, and offering their tools for only two similar distros leaves a very large gap)

    Because somebody doesn't solve the problem for everybody, they don't understand the problems other people face? That's a non-sequitur if ever I've seen one... If you understand how huge the differences between Linux distributions is, why do you think that a single tool should be able to be everything to everybody?

    It seems to me that these people are spending money to try and solve other people's problems. Given this relatively altruistic gesture (though they have their reasons, I'm sure), why shouldn't they try to get the biggest bang for the buck? If covering those two distributions helps thirty or forty percent of Linux users, that's pretty darned good, if you ask me.

    If no, is there an open-standards rating system that could be an equivalent to CIS's? Should there be?

    Even if we can take them seriously, why can't there be an open standards rating system for security? I'm not sure there's a connection between these two ideas. But just because their tool to test doesn't work on all Linux distributions doesn't mean that the standard itself can't be applied to other distributions. Did you follow the link, or just decide to shoot your mouth off?

    ObDisclaimer: Jay Beale, who wrote the Linux tool, is a good personal friend of mine.

    ObFlame: That said, Mr. (or Ms.) Anonymous coward, your above writing demonstrates unclear thinking. Try keeping your sentences to one thought apiece, or at most two logically connected statements. Try to have clear relationships between those sentences so that other people can follow what you're saying.

  41. Shouldn't the title be by Brijam · · Score: 1

    Here's a quick test, FOOL

    1. Re:Shouldn't the title be by Anonymous Coward · · Score: 0

      I Pity the FOOL that runs that TOOL

  42. Really effective firewall by ericman31 · · Score: 1

    A really effective firewall:

    Find a pair of wire cutters. Find the ethernet cable connecting you to the network. Place the wire cutters approximately in the middle of the cable and squeeze the handles firmly until the cable is cut. There. Now you're safe.

    --
    In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
  43. Debian 3.0, still no chroot'd BIND by default... by Anonymous Coward · · Score: 0

    And since it's BIND, many servers are running it, many in the default way... I guess only OpenBSD takes this stuff seriously. :(

  44. The standard never actually gives a 10 score. by TheMidget · · Score: 3, Funny
    The best it gives is 7...

    Indeed, 3 points are deducted for the severe flaw "system has a luser who blindly runs software he downloaded from the internet."

  45. Ran it on my system by leviramsey · · Score: 2

    And I scored 6.79. But a few things that it docked points for seem out of line. Running postfix will dock points (I'd assume that running any MTA) will dock points, from the wording of the report.

    I realize that MTA's can be exploited, but it seems that the only way to get a 10.00 is to have a system that has no network connection to the outside world.

    1. Re:Ran it on my system by Anonymous Coward · · Score: 0

      Oddly enough, the box (Mandrake 8.2) I used this tool on has no connection to the outside world, and yet I scored only a 6.96.

    2. Re:Ran it on my system by leviramsey · · Score: 2

      That's not surprising, as Mandrake tends to enable Postfix and xinetd in the default install.

  46. No it's not by sheldon · · Score: 3, Informative

    I think you ran the tool without first reading the documentation, or understanding what it is that it does.

    Your first point concerns hfnetchk, and the prompt you receive is to validate the signature on the file to ensure it hasn't been spoofed. I don't understand why you would complain about this.

    The second point is inaccurate, I had it complain about numerous Microsoft services on my system such as MSSQL, TermServices, BITS, Automatic-Update, ASP.NET and so on. It doesn't seem to be really complaining about anything, it's just listing everything that it didn't expect to see there. I don't see the point of this.

    The third point is understandable because it requires access to secured areas of the system. If it doesn't warn you then that's an issue.

    If you check the members list of CIS you'll see a variety of names, government agencies, companies and such... But you won't find Microsoft's name there.

    I haven't looked at this terribly closely but it seems like a good start. I do see a number of pretty glaring errors in their document, I'm going to send them a note asking about them.

  47. Accepting risk by HWheel · · Score: 1

    I guess that any time you're running with a network connection (as you will be if the "Center for Internet Security" is involved) there's some risk involved and all they're doing is making you aware of this risk, so yes, you're right: the only way to get a 10.0 is not to connect to the outside world. You obviously know what you're doing, so a 6.79 is a perfectly good score in your case. I think that 7.0 would be a good score for lots of companies to shoot for.

  48. Security analyzer for windows by shird · · Score: 1

    Another tool worth checking out for doing a similar scan under windows is the Baseline Security Analyzer by Microsoft. It will also check your system for the latest hot fixes, and seems to work pretty well in my experience.

    --
    I.O.U One Sig.
    1. Re:Security analyzer for windows by Kredal · · Score: 2

      That's funny, every computer in the world scores a 10.0 on Microsoft's test. I guess they're all secure! Whew, I don't have to worry about security any more.

      Oh wait, I found the source code for the test:
      if (OS == Windows*) {
      cout >> "Your computer is secure. Score 10.0";
      }

      Great, now I'll get in trouble for reverse engineering...

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  49. A few clarifications,from one of the culprits by valdis · · Score: 3, Informative

    I'm one of the culprits for both the Linux, Solaris, and related benchmarks. It seems that a lot of posters are managing to miss the messages.

    1) There is *NO* expectation that a usable system will score a 10.0. I fully expect that having a usable system score over a 9.0 will require some work. The laptop I'm writing this on finally scored an 8.8 after much tweaking. However, I *KNOW* what 11 or 12 things didn't pass, and I know to keep an eye on them. As I said to one of the other people - "I tighten it down any more, my score will go up but I'll break something I need on a daily basis". *THAT* is the score we want everybody's machine to get.

    2) A number of people have complained it checked /etc/ftpusers even if ftpd wasn't enabled. Belts AND suspenders guys - if someday you install a patch or whatever that DOES enable ftpd accidentally, you won't be a sitting duck.

    3) Yes, we know there weren't any really stringent firewall tests. This was a point of MUCH contention during development - we had to balance the security aspect of every item against the likelihood that it would Severely Screw Up somebody's machine if implemented. Note that even RedHat recognized that there's no "One Size Fits All" for firewalls, and provides 3 basic levels of paranoia.

    4) There's a LOT of stuff (like firewalls) that are good security measures that are *NOT* appropriate for "almost every machine". These will hopefully be visited in a "Level 2" benchmark in the near future.

    5) Yes, there's rough edges - if you find something annoying, *please* send a comment to the appropriate e-mail address.

    Remember - these are *consensus* benchmarks. We *do* listen to user feedback. And no, you don't have to be a CIS member to send feedback.

    1. Re:A few clarifications,from one of the culprits by Anonymous Coward · · Score: 0

      Would just like to say that i have tried the tool for solaris. I liked it, it was non-intrusive and i liked the documentation where i could read more about the security risks that the tool found and how to correct these - if i wanted to.

      For me, I have always used YASSP on initial installs (I know it is old, but it has one configuration file - making it easy to setup and maintain). But on a system already installed and up and running, I have used your tools to get a decent overview of what's good and bad.

    2. Re:A few clarifications,from one of the culprits by valdis · · Score: 2

      And yes, YASSP was one of the things we used as input for what needed to be checked.

  50. And another thing - PLEASE REGISTER by valdis · · Score: 2

    If you feel it's important enough to download, please register. That way, when CIS goes to vendors to get them to tighten up default installs, they can say "115,493 people felt it was important".

    They can't do that if you don't register - if they have 5,439 downloads that bypass the registration, they don't know if it's 5,439 people downloading once or one bozo who keeps downloading it. And given the existence of caching proxies and DHCP, it's a mess to correlate enough to prove two downloads were different people...

    1. Re:And another thing - PLEASE REGISTER by Anonymous Coward · · Score: 0

      If registration is so important, perhaps the CIS Privacy Policy should mention how any registration information is used. The current privacy policy makes no mention of user info, just "member" info.

  51. They don't look at IPtables by r6144 · · Score: 1

    True, I have telnet, etc. open, and don't have much authorization things in their config files --- but I'm running iptables, and most things are filtered. Isn't that enough?

  52. Site created with Microsoft Frontpage by sydneyfong · · Score: 1

    When you see

    <meta name="GENERATOR" content="Microsoft FrontPage 3.0">

    in their pages, you know how much you can trust them...

    And their "standards"? It's nothing more than those that every competent sysadmin could tell you: close unnecessary services, some tweaks here and there. The majority of content in that PDF only tells you HOW to disable unnecessary services. It'd be more appropriate to put them in "Security for Redhat Linux in 24 Hours". Scary for them to declare it as a "standard"...

    --
    Don't quote me on this.
  53. Don't fall for them! by roly · · Score: 0

    They're probably gonna do something else with your root password.

    --
    "With Microsoft, you get Windows. With Linux, you get the full house" - unknown
    1. Re:Don't fall for them! by muzzmac · · Score: 1

      Thanks for the tip roly. They nearly fooled me.

      Lucky you were here.

  54. Use a Mac as a server. Unkrackable history! by Anonymous Coward · · Score: 0

    Use a Mac as a server. Unkrackable history!

    not one exploit of the current Mac OS 9.2 or older ( OS 8 ) for over 6 years according to SecurityFocus (bugtraq). Couple that with a popular webserver for the Mac and you have what the US army has for some sites.

    And that one time a mac was exploited it was because of a rare unpopular third party addon package.

    Macs are the most secure computers in internet history.

    1. Re: Use a Mac as a server. Unkrackable history! by octogen · · Score: 1

      This is not true.

      An insecure application running on a Mac makes the Mac even more vulnerable than most other Operating Systems, because under Mac OS every application has full access to all system resources (Mac OS does not have multiuser security).

      Instead, if you run a webserver, which is secure to run on a Mac, on Linux or something else (whatever you want), and that webserver does not have security bugs, then any other operating system is even more secure than your Mac, because other operating systems have multiuser security, in addition to the secure webserver.

      Mac OS is not a secure OS - maybe you are running a secure webserver on top of the insecure Mac OS, but then you are talking about the wrong thing, because the webserver does not have anything to do with OS security.

      There are *much* more secure operating systems than Mac OS. Most of them would have been able to stop an attacker who was just exploiting a third-party Addon application, because these OSes do not depend on application level security.

      Take a look at XTS-400 from Getronics, Pitbull from Argus Systems, Trusted Solaris from Sun or OS/400 from IBM to understand how real security works (EVEN IF your application gets hacked).

      Mac OS is not suitable as a server OS, because it does neither have protected memory nor preemptive multitasking.
      Mac OS X might be suitable as a server, but I think it is mainly meant to be a workstation OS.

      regards,
      octogen

      And, by the way, SecureOS from Secure Computing has NEVER been hacked, Argus Pitbull on AIX and on Solaris/SPARC have NEVER been hacked (and only once on Solaris/Intel, Sun's fault, not Argus'), Getronics XTS-400 has NEVER been hacked - although those OSes were running a lot of *insecure* third-party addons.

      So please, don't pretend that Mac OS is secure, if you can't prove it.

  55. +5 informative by Anonymous Coward · · Score: 0

    "Quis Custodiet Ipsos Custodes?"

    please translate this

    next time please speak in english

  56. While we're on topic... by Anonymous Coward · · Score: 0

    Q: How do you call someone who speaks two languages?
    A: Bilingual

    Q: How do you call someone who speaks several languages?
    A: Polyglot

    Q: How do you call someone who speaks one language?
    A: American