Chef InSpec Report

          
control 'cis-dil-benchmark-1.1.8' do
  title 'Ensure nodev option set on /var/tmp partition'
  desc  "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
  impact 1.0

  tag cis: 'distribution-independent-linux:1.1.8'
  tag level: 1

  only_if('/var/tmp is mounted') do
    mount('/var/tmp').mounted?
  end

  describe mount('/var/tmp') do
    its('options') { should include 'nodev' }
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.9' do
  title 'Ensure nosuid option set on /var/tmp partition'
  desc  "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
  impact 1.0

  tag cis: 'distribution-independent-linux:1.1.9'
  tag level: 1

  only_if('/var/tmp is mounted') do
    mount('/var/tmp').mounted?
  end

  describe mount('/var/tmp') do
    its('options') { should include 'nosuid' }
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.10' do
  title 'Ensure noexec option set on /var/tmp partition'
  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
  impact 1.0

  tag cis: 'distribution-independent-linux:1.1.10'
  tag level: 1

  only_if('/var/tmp is mounted') do
    mount('/var/tmp').mounted?
  end

  describe mount('/var/tmp') do
    its('options') { should include 'noexec' }
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.14' do
  title 'Ensure nodev option set on /home partition'
  desc  "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
  impact 1.0

  tag cis: 'distribution-independent-linux:1.1.14'
  tag level: 1

  only_if('/home is mounted') do
    mount('/home').mounted?
  end

  describe mount('/home') do
    its('options') { should include 'nodev' }
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.18' do
  title 'Ensure nodev option set on removable media partitions'
  desc  "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.1.18'
  tag level: 1

  describe 'cis-dil-benchmark-1.1.18' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.19' do
  title 'Ensure nosuid option set on removable media partitions'
  desc  "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.1.19'
  tag level: 1

  describe 'cis-dil-benchmark-1.1.19' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-1.1.20' do
  title 'Ensure noexec option set on removable media partitions'
  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.1.20'
  tag level: 1

  describe 'cis-dil-benchmark-1.1.20' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-1.2.1' do
  title 'Ensure package manager repositories are configured'
  desc  "Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.\n\nRationale: If a system's package repositories are misconfigured important patches may not be identified or a rogue repository could introduce compromised software."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.2.1'
  tag level: 1

  describe 'cis-dil-benchmark-1.2.1' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-1.2.2' do
  title 'Ensure GPG keys are configured'
  desc  "Most packages managers implement GPG key signing to verify package integrity during installation.\n\nRationale: It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.2.2'
  tag level: 1

  describe 'cis-dil-benchmark-1.2.2' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-1.4.4' do
  title 'Ensure interactive boot is not enabled'
  desc  "Interactive boot allows console users to interactively select which services start on boot. Not all distributions support this capability.\nThe PROMPT_FOR_CONFIRM option provides console users the ability to interactively boot the system and select which services to start on boot .\n\nRationale: Turn off the PROMPT_FOR_CONFIRM option on the console to prevent console users from potentially overriding established security settings."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.4.4'
  tag level: 1

  if file('/etc/sysconfig/boot').exist?
    describe file('/etc/sysconfig/boot') do
      its(:content) { should match(/^PROMPT_FOR_CONFIRM="no"$/) }
    end
  else
    describe 'cis-dil-benchmark-1.4.4' do
      skip 'Not implemented'
    end
  end
end

          
        

          
control 'cis-dil-benchmark-1.5.2' do
  title 'Ensure XD/NX support is enabled'
  desc  "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.\n\nRationale: Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.5.2'
  tag level: 1

  if uname_machine == 'i386' || uname_machine == 'i686' || uname_machine == 'x86_64'
    describe command('dmesg | grep NX') do
      its(:stdout) { should match(/NX \(Execute Disable\) protection: active/) }
    end
  else
    describe 'cis-dil-benchmark-1.5.2' do
      skip 'Not implemented'
    end
  end
end

          
        

          
control 'cis-dil-benchmark-1.7.2' do
  title 'Ensure GDM login banner is configured'
  desc  "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems.\n\nRationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
  impact 1.0

  tag cis: 'distribution-independent-linux:1.7.2'
  tag level: 1

  only_if do
    package('gdm').installed?
  end

  describe file('/etc/dconf/profile/gdm') do
    its(:content) { should match(/^user-db:user$/) }
    its(:content) { should match(/^system-db:gdm$/) }
    its(:content) { should match(%r{^file-db:/usr/share/gdm/greeter-dconf-defaults$}) }
  end

  describe file('/etc/dconf/db/gdm.d/01-banner-message') do
    its(:content) { should match(/^banner-message-enable=true$/) }
    its(:content) { should match(/^banner-message-text='.+'$/) }
  end
end

          
        

          
control 'cis-dil-benchmark-1.8' do
  title 'Ensure updates, patches, and additional security software are installed'
  desc  "Periodically patches are released for included software either due to security flaws or to include additional functionality.\n\nRationale: Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
  impact 0.0

  tag cis: 'distribution-independent-linux:1.8'
  tag level: 1

  describe 'cis-dil-benchmark-1.8' do
    skip 'Not implemented'
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.1' do
  title 'Ensure chargen services are not enabled'
  desc  "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.\n\nRationale: Disabling this service will reduce the remote attack surface of the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.1'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('chargen') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:chargen) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:chargen) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.2' do
  title 'Ensure daytime services are not enabled'
  desc  "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.\n\nRationale: Disabling this service will reduce the remote attack surface of the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.2'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('daytime') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:daytime) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:daytime) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.3' do
  title 'Ensure discard services are not enabled'
  desc  "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.\n\nRationale: Disabling this service will reduce the remote attack surface of the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.3'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('discard') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:discard) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:discard) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.4' do
  title 'Ensure echo services are not enabled'
  desc  "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.\n\nRationale: Disabling this service will reduce the remote attack surface of the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.4'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('echo') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:echo) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:echo) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.5' do
  title 'Ensure time services are not enabled'
  desc  "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.\n\nRationale: Disabling this service will reduce the remote attack surface of the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.5'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('time') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:time) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:time) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.6' do
  title 'Ensure rsh server is not enabled'
  desc  "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text.\n\nRationale: These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.6'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  %w(shell login exec rsh rlogin rexec).each do |s|
    describe xinetd_conf.services(s) do
      it { should be_disabled }
    end

    describe inetd_conf do
      its(s) { should eq nil }
    end

    command('find /etc/inetd.d -type f').stdout.split.each do |entry|
      describe inetd_conf(entry) do
        its(s) { should eq nil }
      end
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.7' do
  title 'Ensure talk server is not enabled'
  desc  "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default.\n\nRationale: The software presents a security risk as it uses unencrypted protocols for communication."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.7'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  %w(talk ntalk).each do |s|
    describe xinetd_conf.services(s) do
      it { should be_disabled }
    end

    describe inetd_conf do
      its(s) { should eq nil }
    end

    command('find /etc/inetd.d -type f').stdout.split.each do |entry|
      describe inetd_conf(entry) do
        its(s) { should eq nil }
      end
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.8' do
  title 'Ensure telnet server is not enabled'
  desc  "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol.\n\nRationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.8'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('telnet') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:telnet) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:telnet) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.9' do
  title 'Ensure tftp server is not enabled'
  desc  "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server.\n\nRationale: TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.9'
  tag level: 1

  only_if('inetd/xinetd config exists') do
    file('/etc/xinetd.conf').exist? || file('/etc/inetd.conf').exist?
  end

  describe xinetd_conf.services('tftp') do
    it { should be_disabled }
  end

  describe inetd_conf do
    its(:tftp) { should eq nil }
  end

  command('find /etc/inetd.d -type f').stdout.split.each do |entry|
    describe inetd_conf(entry) do
      its(:tftp) { should eq nil }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.1.10' do
  title 'Ensure xinetd is not enabled'
  desc  "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests.\n\nRationale: If there are no xinetd services required, it is recommended that the daemon be disabled."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.1.10'
  tag level: 1

  describe service('xinetd') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.1.2' do
  title 'Ensure ntp is configured'
  desc "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server.\nThis recommendation only applies if ntp is in use on the system.\n\nRationale: If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.1.2'
  tag level: 1

  only_if do
    package('ntp').installed? || command('ntpd').exist?
  end

  describe.one do
    describe ntp_conf do
      its(:server) { should_not eq nil }
    end

    describe ntp_conf do
      its(:pool) { should_not eq nil }
    end
  end

  describe ntp_conf.restrict.to_s do
    it { should match(/default\s+(\S+\s+)*kod(?:\s+|\s?")/) }
    it { should match(/default\s+(\S+\s+)*nomodify(?:\s+|\s?")/) }
    it { should match(/default\s+(\S+\s+)*notrap(?:\s+|\s?")/) }
    it { should match(/default\s+(\S+\s+)*nopeer(?:\s+|\s?")/) }
    it { should match(/default\s+(\S+\s+)*noquery(?:\s+|\s?")/) }
  end

  describe.one do
    describe file('/etc/init.d/ntp') do
      its(:content) { should match(/^RUNASUSER=ntp\s*(?:#.*)?$/) }
    end

    describe file('/etc/init.d/ntpd') do
      its(:content) { should match(/daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/) }
    end

    describe file('/etc/sysconfig/ntpd') do
      its(:content) { should match(/^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/) }
    end

    describe file('/usr/lib/systemd/system/ntpd.service') do
      its(:content) { should match(%r{^ExecStart=/usr/s?bin/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$}) }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.1.4' do
  title 'Ensure systemd-timesyncd is configured'
  desc  "systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group 'systemd- timesync' needs to be created on installation of systemd. This recommendation only applies if timesyncd is in use on the system."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.1.4'
  tag level: 1

  only_if do
    service('systemd-timesyncd.service').enabled?
  end

  describe file('/etc/systemd/timesyncd.conf') do
    its('content') { should match /^NTP=\S+/ }
    its('content') { should match /^FallbackNTP=\S+/ }
    its('content') { should match /^RootDistanceMaxSec=[0-9]/ }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.3' do
  title 'Ensure Avahi Server is not enabled'
  desc  "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.\n\nRationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.3'
  tag level: 1

  describe service('avahi-daemon') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.4' do
  title 'Ensure CUPS is not enabled'
  desc  "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.\n\nRationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.4'
  tag level: 1

  describe service('cups') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.5' do
  title 'Ensure DHCP Server is not enabled'
  desc  "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.\n\nRationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.5'
  tag level: 1

  %w(isc-dhcp-server isc-dhcp-server6 dhcpd).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.6' do
  title 'Ensure LDAP server is not enabled'
  desc  "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.\n\nRationale: If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.6'
  tag level: 1

  describe service('slapd') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.7' do
  title 'Ensure NFS and RPC are not enabled'
  desc  "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.\n\nRationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.7'
  tag level: 1

  %w(nfs-kernel-server nfs rpcbind).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.8' do
  title 'Ensure DNS Server is not enabled'
  desc  "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.\n\nRationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.8'
  tag level: 1

  %w(named bind bind9).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.9' do
  title 'Ensure FTP Server is not enabled'
  desc  "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.\n\nRationale: FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.9'
  tag level: 1

  describe service('vsftpd') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.10' do
  title 'Ensure HTTP server is not enabled'
  desc  "HTTP or web servers provide the ability to host web site content.\n\nRationale: Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.10'
  tag level: 1

  %w(apache apache2 httpd lighttpd nginx).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.11' do
  title 'Ensure IMAP and POP3 server is not enabled'
  desc  "dovecot is an open source IMAP and POP3 server for Linux based systems.\n\nRationale: Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.11'
  tag level: 1

  %w(dovecot courier-imap cyrus-imap).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.12' do
  title 'Ensure Samba is not enabled'
  desc  "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems.\n\nRationale: If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.12'
  tag level: 1

  %w(samba smb smbd).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.13' do
  title 'Ensure HTTP Proxy Server is not enabled'
  desc  "Squid is a standard proxy server used in many distributions and environments.\n\nRationale: If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.13'
  tag level: 1

  %w(squid squid3).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.14' do
  title 'Ensure SNMP Server is not enabled'
  desc  "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.\n\nRationale: The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.14'
  tag level: 1

  describe service('snmpd') do
    it { should_not be_enabled }
    it { should_not be_running }
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.16' do
  title 'Ensure rsync service is not enabled'
  desc  "The rsyncd service can be used to synchronize files between systems over network links.\n\nRationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.16'
  tag level: 1

  %w(rsync rsyncd).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end

          
        

          
control 'cis-dil-benchmark-2.2.17' do
  title 'Ensure NIS Server is not enabled'
  desc  "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files.\n\nRationale: The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
  impact 1.0

  tag cis: 'distribution-independent-linux:2.2.17'
  tag level: 1

  %w(nis ypserv).each do |s|
    describe service(s) do
      it { should_not be_enabled }
      it { should_not be_running }
    end
  end
end