FAQ

FAQ - The Benchmarks
March 2003
  1. General Questions
  2. Solaris Questions
  3. Windows Questions
General Questions
1.1 - How do you decide what steps appear in the benchmark documents?
The benchmark documents attempt to provide security-related configuration directives which meet the following three criteria:

1. The configuration directive is one which can be automatically monitored and scored by an automated testing tool (such as the scanner supplied with the benchmark documents)

2. The item can be understood and performed by an administrator of any level of expertise, and can be maintained without undue administrative burden

3. The configuration directive is unlikely to cause an interruption of service to the system or the applications which run on it

In other words, the benchmark items are things which anybody should be able to do to any system, and which will improve overall security without breaking anything.


1.2 - How does the benchmark help me improve the security at my site?

First, by providing a clearly defined list of tasks to improve system security which can be performed without jeopardizing mission-critical applications. The actions have all undergone substantial peer review and testing from many different organizations and security experts.

Second, by providing an automated testing tool with a simple scoring system which gives organizations an objective metric to compare the relative levels of security among their different groups of systems-- and potentially with systems belonging to other organizations.

Third, beyond an initial evaluation of a given system, the tester can be run on a regular basis to continuously monitor the state of security on the machine and track the impact of various configuration changes over the life-cycle of the host.

Fourth, the benchmark document and the testing tool provide a framework for having a discussion about the security choices you make at your site. You need not agree with all of the configuration changes suggested by the benchmark document, but at least you will be made aware of your options and be given the information to make a conscious decision about a given item.


1.3 - So after I perform all of the steps from the benchmark, is my system "secure"?

The answer to this question depends on what you mean by "secure". If you're asking if following the benchmark eliminates all known security vulnerabilities and renders your system completely invulnerable to unauthorized access, then the answer has to be an unequivocal "no". In fact, you're not even close.

However, following the steps in the benchmark results in a system which is substantially more secure and reliable than a default install of the given OS and a system which is not vulnerable to many well-known security holes. Every day, dozens (if not hundreds) of systems are compromised (and later used to attack other systems) because the administrators of those machines failed to exercise even "minimum due care" when installing and configuring the system-- patches are not kept up to date, dangerous services are left running even though vulnerabilities have been known for years, etc.

Consider the benchmark as a consensus from many different organizations and security experts on a "lowest common denominator" for system security. We don't guarantee you won't be broken into if you perform all of the steps from the benchmark, but we do guarantee that your system will be extremely vulnerable to attack if you fail to perform many of these steps.

1.4 - Is there an automatic mechanism to audit my systems to see how well they conform to the benchmark?

Absolutely. Being able to automatically monitor systems for compliance is one of the primary goals of the Center's benchmark programs.

Each benchmark comes with an automated testing tool, cis-scan, which may be run on an individual system. The cis-scan tool checks each of the configuration steps listed in the benchmark document and provides a 1-10 score to indicate what percentage of the benchmark items have been performed on the machine. The cis-scan tool also writes a report file which indicates the status of each item from the benchmark and provides other diagnostic information.

The benchmark packages also ship with a copy of the freely available SARA network scanner. This version includes a plug-in which can be used to monitor systems for compliance with the benchmark from a central point on your network. Obviously, the network scanner is not able to perform a complete audit of the benchmark's recommendations, but it can be useful for providing an overall picture of the level of compliance on your network and enable you to target the areas most in need of reconfiguration.


1.5 - Will running the testing tools change my system configuration, impact the functioning of the system, or disclose data to unauthorized parties?

Absolutely not.

The testing tools are designed to be "read-only" and completely non-invasive. No system parameters will be changed or reconfigured. Performance impact on the system running the testing tools is minimal. When the testing tools are run on a system, the data captured by the tools are kept on the system's local hard drive in a secure directory.

1.6 - When I run the system testing tool, should all of my systems score a perfect "10"?

No. Different sites will have different operational requirements, and may choose to leave certain services running or choose not to configure certain security-related parameters. The benchmark documents merely give sites information to make informed decisions about certain available security choices. The Center does not expect to enforce "full-compliance" on any system.


1.7 - What about the additional local security customizations that we perform at our site which aren't part of the benchmarks?

Certainly the benchmark documents do not contain all possible security-related customizations. Organizations are encouraged to take additional steps as desired to improve the security of their systems and networks.

1.8 - Why don't the benchmark documents include any information on DNS/BIND security, Web server/CGI security, Sendmail security, etc?

The benchmark documents are designed to address platform-specific security configuration issues which apply broadly to all systems running a given OS. BIND security configuration information, for example, would really only be relevant to you if the machine in question were intended to be used as a name server. However, it wouldn't really matter if the machine were a Solaris machine, a Linux machine, etc.-- the BIND-specific security configuration steps are largely the same regardless of platform.

The Center plans to issue separate documents which address application-specific security issues-- NFS, DNS, Web, FTP, and database security concerns plus many others. These application-specific benchmarks are intended to be used in conjunction with the platform-specific benchmark documents (such as the existing Solaris benchmark). In order to target our limited resources most effectively, we would love to receive feedback from the community on which applications the Center should target first. You can send this feedback to cis@cisecurity.org.

1.9 - I am using the CIS scripts to harden my system. After doing so, I'd like to be able to revert back to the previous system configuration. How can I accomplish this?

This process is manual. CIS does not offer any tools for automatically reconfiguring a system to a previous configuration. Therefore, users are encouraged by the Benchmark documentation to understand the implications of making configuration changes to their system prior to making those changes. In addition, each user is encouraged to follow various initial steps, which include making backup copies of the files that are modified by the later hardening steps outlined in the Benchmark guide. This way, the user can (in most cases) revert to the previous configuration by simply putting the old version of the various files back in place.

Solaris Questions
2.1 - Who do I send feedback to regarding the Solaris Benchmark document and related tools?

There are several different contact addresses:

sol-bench@cisecurity.org
Specific feedback on the benchmark document and any general questions relating to the information provided for Solaris

sol-scan@cisecurity.org
Feedback on the cis-scan automated system testing tool

cis@cisecurity.org
General issues and questions regarding the Center for Internet Security and its mission.

2.2 - How does the Solaris Benchmark compare to YASSP, TITAN, JASS, etc?

YASSP, TITAN, and JASS are all automated tools for performing security improvements on Solaris systems. Many of the configuration steps these tools perform overlap with items from the benchmark.

However, each of these tools also performs a number of security modifications which fail to meet one of the criteria which would be required for that action to be included in the benchmark document (see the answer to question 1.1 above). Conversely, the benchmark document ventures into areas (like user directory and file permissions) which are not covered by these tools.

The bottom line is that YASSP, TITAN, JASS, and the Center's benchmark documents all have different goals and different requirements. There will always be a great deal of overlap among these various projects, but never complete correspondence.

2.3 - So is there an automated tool which I can use to configure my systems according to the Center's Solaris Benchmark?

Hal Pomeranz has modified his configurator tool with additional configuration files so that the tool may be used to configure systems according to the Center's benchmark guidelines. This tool is maintained privately by Hal Pomeranz and is not officially supported by the Center for Internet Security.

2.4 - I'm concerned about running an untrusted binary on my system. Can I run the benchmark test without running the cis-scan binary?

Yes. The cis-scan binary is really a simple wrapper program which has been linked against a copy of the Perl interpreter library (libperl.a) so that sites can run the tester without installing the Perl distribution. cis-scan simply runs the Perl code in the tester.sub file.

Assuming your system already has Perl installed, you can run tester.sub directly with only minor modifications:

1. Edit the tester.sub file and locate the line which reads

sub tester {

Add an additional line above this line so that the file reads

&tester();
sub tester {

2. If Perl is not installed on the local machine as /usr/bin/perl, change the first line of tester.sub ("#!/usr/bin/perl") to use the appropriate path name.

3. Save your changes to tester.sub and exit the editor.

4. Execute tester.sub directly by running /opt/CIS/tester.sub
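As an added example, not code from CIS or from the benchmark package: a shell script that applies steps 1 and 2 above to a copy of tester.sub and checks that the edit landed where the procedure says it should. The tester.sub body used here is a constructed stand-in (the real file's contents are not shown on this page), and /usr/local/bin/perl is an assumed alternative interpreter location.

```shell
#!/bin/sh
# Added example, not CIS code: apply steps 1 and 2 of the procedure above
# to a copy of tester.sub, then confirm the result before running it.

# Write a constructed stand-in for /opt/CIS/tester.sub (the real file's
# contents are not reproduced on this page).
make_sample_tester() {
    cat > "$1" <<'EOF'
#!/usr/bin/perl
# constructed stand-in for /opt/CIS/tester.sub
use strict;

sub tester {
    print "running benchmark checks\n";
    return 0;
}
EOF
}

# Step 1: insert "&tester();" directly above the first "sub tester {" line.
# Step 2: rewrite the interpreter line when perl lives somewhere other than
# the path on the first line. Output goes to a new file; the source is kept
# untouched so the original can always be compared against.
prepare_tester() {
    src=$1; out=$2; perl=${3:-/usr/bin/perl}
    awk -v perl="$perl" '
        NR == 1 && substr($0, 1, 2) == "#!" { print "#!" perl; next }
        $1 == "sub" && $2 == "tester" && !seen { print "&tester();"; seen = 1 }
        { print }
    ' "$src" > "$out"
    chmod 700 "$out"
}

# Checks: exactly one call line, and it sits immediately above the sub.
verify_tester() {
    f=$1
    [ "$(grep -c '^&tester();$' "$f")" -eq 1 ] || return 1
    awk 'prev == "&tester();" && $1 == "sub" && $2 == "tester" { ok = 1 }
         { prev = $0 }
         END { exit ok ? 0 : 1 }' "$f"
}

# The interpreter line of a prepared file.
interpreter_of() { head -n 1 "$1"; }

# Walk through it: ./this.sh demo   (nothing runs when the file is sourced)
demo() {
    d=$(mktemp -d)
    make_sample_tester "$d/tester.sub"
    prepare_tester "$d/tester.sub" "$d/tester.run" /usr/local/bin/perl
    verify_tester "$d/tester.run" && echo "ok: $(interpreter_of "$d/tester.run")"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The point of verify_tester is the one the FAQ's own step ordering makes: cis-scan is only a wrapper that calls the tester subroutine, so the prepared file is harmless until the `&tester();` line exists, and a second stray call line would run the checks twice.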

2.5 - Why can't I run the tester on Solaris x86 machines?

cis-scan is compiled for the Sparc architecture and does not run on Solaris x86 systems due to byte-order incompatibility. If you have Perl installed on your system, you can execute the tester.sub script directly with only minor modifications (see the answer to question 2.4 above for further information). Pre-compiled Perl binaries for Solaris x86 are available from www.sunfreeware.com.

2.6 - Why rename boot scripts in the /etc/rc?.d directories when the system configuration prevents the given service from running anyway?

Let's consider a specific example. /etc/rc2.d/S47asppp is run during the boot process to initialize dialup PPP interfaces on the system. However, the script is coded in such a way that it will normally exit immediately unless the /etc/asppp.cf file is present-- a file which does not exist by default on Solaris machines. Many of the various boot scripts in the /etc/rc?.d directories have similar behaviors.

Since these scripts are "no-ops" without the correct configuration files being present, why go to the trouble of renaming the scripts to remove them from the boot sequence? Two reasons really. First, removing the script documents intent on the part of the system administrator that the system should never perform a certain operation. Second, renaming the script prevents problems in the event that a given configuration file is ever "accidentally" created on the system.
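The scenario above, as an added example that is not part of the FAQ or the benchmark package: a constructed rc2.d directory whose S47asppp stand-in behaves like the real script (it exits unless its configuration file exists), the boot sequence as init would see it, and the rename that takes a script out of that sequence. The ".NO" prefix used for disabled scripts is an assumption of this example, not something the FAQ specifies.

```shell
#!/bin/sh
# Added example, not CIS code: a constructed /etc/rc2.d with an S47asppp
# stand-in that is a no-op without its config file, plus the rename that
# removes a script from the boot sequence.
# Assumption: disabled scripts get a ".NO" prefix, which keeps the file on
# disk for reference while taking it out of the S* glob that init runs.

# Build the constructed rc directory. $1 = directory, $2 = the config file
# the asppp stand-in looks for (the real script looks for /etc/asppp.cf).
make_rc_dir() {
    mkdir -p "$1"
    cat > "$1/S47asppp" <<EOF
#!/bin/sh
# constructed stand-in for /etc/rc2.d/S47asppp
[ -f "$2" ] || exit 0    # a no-op unless the config file is present
echo "asppp started"
EOF
    cat > "$1/S75cron" <<'EOF'
#!/bin/sh
echo "cron started"
EOF
    chmod 755 "$1/S47asppp" "$1/S75cron"
}

# What init would run: S* entries in lexical order (the two-digit number
# after the S is what orders them).
boot_sequence() {
    for f in "$1"/S*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Run the sequence the way rc2 does and collect what the scripts print.
run_sequence() {
    for f in "$1"/S*; do
        [ -f "$f" ] && sh "$f"
    done
    return 0
}

# Rename a start script so it no longer matches S*. The file stays in place
# under its new name, so the administrator's intent remains visible later.
disable_rc_script() {
    [ -f "$1/$2" ] || return 1
    mv "$1/$2" "$1/.NO$2"
}

# Walk through the FAQ's two reasons: ./this.sh demo
demo() {
    d=$(mktemp -d)
    make_rc_dir "$d/rc2.d" "$d/asppp.cf"
    echo "== default boot (no config file):";   run_sequence "$d/rc2.d"
    touch "$d/asppp.cf"                          # the "accidental" config file
    echo "== after config file appears:";        run_sequence "$d/rc2.d"
    disable_rc_script "$d/rc2.d" S47asppp
    echo "== after renaming S47asppp:";          run_sequence "$d/rc2.d"
    boot_sequence "$d/rc2.d"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The middle step of the demo is the second reason the FAQ gives: once the config file exists, the untouched S script starts the service on the next boot with no further change to the system, while the renamed script stays inert regardless.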

2.7 - Why remove .rhosts support from /etc/pam.conf when the r-commands are disabled in inetd.conf, and why create /etc/ftpusers when FTP is disabled?

Again, this is a matter of "strength in depth" in your security configuration. These daemons may not be running at the time the system is configured initially. However, future system administrators may choose to re-enable these services for various reasons (whether due to ignorance or simply changing business requirements for the system). By making the extra effort now to tighten down the security configurations for these services, you are saving yourself from the possibility of future pain.

2.8 - How does the scoring tool determine if the latest patches have been installed?

Currently, the CIS scoring tool merely checks the dates on the patches that have been installed on the system. If any patch has been installed within the last 30 days, then the scorer gives full credit for the item.

2.9 - How does the scoring tool weight its scores?

Currently, the scoring tool uses a strict percentage, normalized to a score between 0 and 10. For example, if you comply with 60% of the items, you score a 6.0. Future versions of the tool will use more accurate weighting to better reflect the relative importance of the items.
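The two rules from 2.8 and 2.9, as an added example that is not the CIS tool's own code: a 30-day patch-date heuristic and the strict percentage score, run against constructed data. This example assumes the patch check looks at the modification times of per-patch directories under /var/sadm/patch (the FAQ says only "the dates on the patches"), and the "<item> PASS|FAIL" report format is constructed for illustration, not the tool's real report layout.

```shell
#!/bin/sh
# Added example, not CIS code: the patch-date heuristic (2.8) and the
# normalized percentage score (2.9), against constructed fixtures.

# 2.8: full credit if any patch directory was modified within the last DAYS
# days. Note what this does not check: whether every available patch is
# installed. One recently installed patch is enough to satisfy it.
patches_recent() {
    dir=$1; days=${2:-30}
    n=$(find "$dir/." ! -name . -prune -type d -mtime "-$days" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# 2.9: strict percentage of PASS items, normalized to 0-10, one decimal.
benchmark_score() {
    awk '$2 == "PASS" { pass++ } { total++ }
         END { if (total == 0) print "0.0"; else printf "%.1f\n", pass / total * 10 }' "$1"
}

# Constructed fixtures: a patch directory holding one old entry, and a
# five-item report with three passes (60%, which must score 6.0).
make_fixtures() {
    base=$1
    mkdir -p "$base/patch/100001-01"
    touch -t 200301010000 "$base/patch/100001-01"   # well over 30 days old
    cat > "$base/report.txt" <<'EOF'
umask-default PASS
syslog-auth PASS
no-rhosts PASS
ftpusers-present FAIL
stack-protection FAIL
EOF
}

# Walk through it: ./this.sh demo
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    patches_recent "$d/patch" && echo "patches: credit" || echo "patches: no credit"
    mkdir "$d/patch/100002-01"   # a single freshly installed patch
    patches_recent "$d/patch" && echo "patches: credit" || echo "patches: no credit"
    echo "score: $(benchmark_score "$d/report.txt")"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The demo's second patches_recent call is the caveat worth keeping in mind when reading a score: a single patch installed yesterday flips the item to full credit, which is why the FAQ says the tool "merely checks the dates" rather than patch currency.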

Windows 2000 Questions
3.1 - What are the Gold Standard Benchmarks, and what does that mean?

The "Gold Standard" designation reflects that:

(1) technical specialists from CIS members including the National Security Agency, Defense Information Systems Agency, General Services Administration, NIST and the SANS Institute participate in the consensus process for that benchmark

(2) those federal government agencies recommend the benchmark as the minimum baseline security configuration for their agencies' systems.

3.2 - Who do I send feedback to regarding the Windows Benchmark document and related tools?

Primary contact address:

win2k-feedback@cisecurity.org
Specific feedback on the benchmark document and any general questions relating to the information provided for Windows

3.3 - Does the Windows tool have the ability to scan remote hosts?

The Windows Scoring tool is considered to be a "host based" tool, because it runs on and scans only the host on which it is installed. Therefore, you will have to install it on every system you wish to score.

3.4 - When running the Scoring Tool, I appear to be getting points deducted on certain settings, even though I know my security on that item is greater than the benchmark defines. What is going on?

The current version of the tool only checks for exact compliance with the benchmark, meaning that even a more secure setting will be considered a negative since it doesn't match the benchmark. This is a known weakness in the tool and efforts are underway to correct this problem.
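The weakness described above, as an added example that is not the CIS tool's own code: an exact-match check of the kind the answer describes, beside a direction-aware check that gives credit for settings stricter than the benchmark value. The setting names, benchmark values and the "direction" column are constructed for illustration and are not taken from the Windows benchmark.

```shell
#!/bin/sh
# Added example, not CIS code: exact-match scoring versus direction-aware
# scoring of settings that are stricter than the benchmark value.

# Exact compliance: credit only when the observed value equals the benchmark's.
check_exact() {        # $1 = benchmark value, $2 = observed value
    [ "$1" = "$2" ]
}

# Direction-aware: "min" means the benchmark value is a floor (larger is
# stricter), "max" a ceiling (smaller is stricter), "eq" an exact requirement.
check_directional() {  # $1 = direction, $2 = benchmark value, $3 = observed
    case $1 in
        min) [ "$3" -ge "$2" ] ;;
        max) [ "$3" -le "$2" ] ;;
        eq)  [ "$3" = "$2" ] ;;
        *)   return 2 ;;
    esac
}

# Score a file of "setting direction benchmark observed" lines with one of
# the two checkers; prints "passed/total".
score_with() {         # $1 = exact|directional, $2 = file
    mode=$1; pass=0; total=0
    while read -r name dir want got; do
        [ -n "$name" ] || continue
        total=$((total + 1))
        if [ "$mode" = exact ]; then
            check_exact "$want" "$got" && pass=$((pass + 1))
        else
            check_directional "$dir" "$want" "$got" && pass=$((pass + 1))
        fi
    done < "$2"
    echo "$pass/$total"
}

# Constructed observations: every value is at least as strict as the
# benchmark's, but two of them differ from it numerically.
make_sample() {
    cat > "$1" <<'EOF'
MinimumPasswordLength min 8 14
MaximumPasswordAge max 90 60
AuditLogonEvents eq SuccessFailure SuccessFailure
EOF
}

# Walk through it: ./this.sh demo
demo() {
    f=$(mktemp)
    make_sample "$f"
    echo "exact match:     $(score_with exact "$f")"
    echo "direction-aware: $(score_with directional "$f")"
    rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The direction column is the piece a checker needs and an equality test cannot infer: a longer minimum password length is stricter, a shorter maximum password age is stricter, and an audit policy either matches or it does not.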

3.5 - Does the Scoring tool run on Windows 2003 Server?

The current CIS NG Scoring Tool will correctly score 2003 Server systems.

3.6 - Where do I find information about exactly what my score means, and descriptions of the items being scored?

The readme.txt file and Implementation Guide included with the scoring tool contain installation and operation instructions. Each of the 3 benchmarks included with the scoring tool contains a pie chart and accompanying description that breaks down how the score is calculated. You can also get a short description of each item by holding your mouse over each item in the GUI of the scoring tool.

3.7 - Is it possible to go back to my old configuration after I have applied the security template?

Microsoft does not support this functionality natively, and the CIS tool does not provide a mechanism to accomplish it. Because of this, you should always back up your existing configuration before making changes. This will ensure that you have a template you can apply to your system that will return it to its original state.

3.8 - Does the Benchmark for Windows XP Professional provide security configuration recommendations for both XP Professional and XP Home?

The Benchmark for Windows XP Professional is designed for XP Professional alone. XP Home has very few configurable security options.

3.9 - We currently use CIS to test the security of our Windows 2000 servers. Would the Windows 2000 Server Benchmark and Scoring Tool also work for Windows 2003?

CIS does not recommend using the Windows Scoring Tool and the Benchmark for Windows 2000 Server for assessing the security configuration of Windows 2003 operating system. There are enough differences between Windows 2000 server and Windows 2003 that the score would not be reliable.

3.10 - Have the CIS Benchmarks and Scoring Tools for Windows been updated to reflect the differences between Windows XP SP1 and Windows XP SP2?

The current CIS NG Scoring Tool can score both XP Professional SP1 and SP2 systems.

3.11 - Does the current Windows Scoring Tool work for all of the CIS Benchmarks that are now posted on the CIS website?

The Scoring Tool scans Windows NT 4.0, Windows 2000, and Windows XP Professional SP1 (not SP2) operating systems. Please note that the current version of the scoring tool DOES NOT score Windows Server 2003 systems. We are working on an update and will release it as soon as possible.

To use the new versions of the Windows 2000 Professional (v2.2.1) and Server (v2.2.1) benchmarks, please download the .inf files and manually place them into the "templates" directory of your CIS tool installation. Restart the tool and the new templates will appear.

© 2005, the Center for Internet Security.