
Problems with CIS-CAT file system hardening on Debian 9

I am running a CIS-CAT scan and I have my doubts about whether the scanner is well designed. I am currently working on Debian 9, which is not officially supported by the scanner, but I can run it, I have met 95% of their requirements, and I can scan successfully with the following command:

sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv

/bin has permissions drwxr-x--x, and they want me to remove execute for others; however, if I "chmod o-x /bin" then a regular user cannot run standard commands like "ls". Is there another approach to this?

Same thing with the following:
/dev
/var/cache/man
/run/systemd
/run/dbus
/run/sshd

which have permissions drwxr-xr-x. CIS-CAT wants me to remove other read and execute, but their permissions are reset on reboot.

Here are the scan results:

File:   /usr/sbin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /bin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /dev
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /usr/games
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/cache/man
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/spool/lpd
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/mail
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/spool/news
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/spool/uucp
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /bin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/www
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/backups
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/list
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/ircd
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/lib/gnats
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/systemd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/systemd/netif
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/systemd/resolve
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/systemd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/spool/exim4
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/dbus
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/sshd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /home/UserName
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /home/ntp
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /home/esets
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
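As an added example (not part of the question or of CIS-CAT itself), the following POSIX shell script parses scan output in the format quoted above, lists only the checks whose collected value differs from the expected one, and flags paths under /run (tmpfs) and /dev (devtmpfs), where a one-off chmod is lost at reboot because the directory is recreated at boot. The embedded scan excerpt is constructed from the output in the question.

```shell
# Constructed excerpt of the CIS-CAT output quoted above (three directories
# plus one "found 0 items" entry, which the parser skips).
sample_scan() {
  cat <<'EOF'
File:   /bin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /dev
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/spool/lpd
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/sshd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
EOF
}

# Read CIS-CAT output on stdin and print one line per failed check:
# path, check name, and whether a chmod on that path would survive a reboot.
# /run (tmpfs) and /dev (devtmpfs) are recreated at boot, so a manual chmod
# there is lost; a fix has to be reapplied at boot (e.g. by a systemd unit)
# or the benchmark item documented as an accepted exception.
cis_failures() {
  awk '
    /^File:/ { path = $2; next }
    /^the file/ {
      expected = $(NF-1); collected = $NF   # "... to be set to false    true"
      if (collected != expected) {
        kind = (path ~ /^\/(run|dev)(\/|$)/) ? "volatile" : "persistent"
        printf "%s\t%s %s\t%s\n", path, $3, $4, kind
      }
    }'
}

# Number of failed checks in the sample; useful as a regression value.
count_failures() { sample_scan | cis_failures | awk 'END { print NR }'; }

sample_scan | cis_failures
```

To run it against a real scan, replace `sample_scan` with `cat report.txt` (the CSV report written by `-csv` needs its own parser).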