threatmodel Linux EN - edamametechnologies/threatmodels GitHub Wiki
Linux Threat Model (EN)
Contents
- EDAMAME helper inactive
- No antivirus enabled
- No password manager installed
- Disk encryption disabled
- Potentially compromised email address
- Unverified or unsafe network environment
- Unverified or unsafe services exposed to the LAN
- Unverified or anomalous traffic
- File permissions /etc/passwd
- File permissions /etc/shadow
- File permissions /etc/fstab
- File permissions /etc/group
- Group Ownership of /etc/group
- Group Ownership of /etc/shadow
- Your OS is not up to date
- Local firewall disabled
- Remote login enabled
- Remote desktop enabled
- File sharing enabled
- Screen saver requires password disabled
- Secure boot disabled
- Weak password policy
- Business rule not respected
EDAMAME helper inactive
Threat
Dimension : system services / Severity : 5
EDAMAME's Helper software is not running or requires an update. It's required for complete Security Score analysis and remediation.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
helper_check
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
https://github.com/edamametechnologies/edamame_helper/releases/download
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | system |
Script
printf '%s
' '# Metric: edamame helper disabled' '' 'if command -v apk >/dev/null 2>&1; then' ' apk del edamame_helper' 'else' 'apt remove edamame_helper' 'fi' | /bin/sh
No antivirus enabled
Threat
Dimension : applications / Severity : 4
Tags : ISO 27001/2,A.12.2.1-Malware Controls, SOC 2,CC6.8-Malware Protection
You don't have any antivirus enabled (Sentinel One...). We recommend that you enable one.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'service_active() {' ' # systemd, sysvinit, openrc' ' if command -v systemctl >/dev/null 2>&1; then' ' systemctl is-active --quiet "$1"' ' elif command -v service >/dev/null 2>&1; then' ' service "$1" status >/dev/null 2>&1' ' elif command -v rc-service >/dev/null 2>&1; then' ' rc-service "$1" status >/dev/null 2>&1' ' else' ' return 1' ' fi' '}' '' 'has_sentinelone() {' ' # SentinelOne (Linux)' ' if [ -x /opt/sentinelone/bin/sentinelctl ]; then' ' /opt/sentinelone/bin/sentinelctl version 2>/dev/null | grep -q . && return 0' ' fi' ' command -v sentinelctl >/dev/null 2>&1 && sentinelctl version 2>/dev/null | grep -q . && return 0' ' return 1' '}' '' 'has_crowdstrike() {' ' # CrowdStrike Falcon on Linux' ' service_active "falcon-sensor" && return 0' ' if [ -x /opt/CrowdStrike/falconctl ]; then' ' /opt/CrowdStrike/falconctl -g --version 2>/dev/null | grep -q . && return 0' ' fi' ' return 1' '}' '' 'has_ms_defender() {' ' # Microsoft Defender for Endpoint (Linux)' ' command -v mdatp >/dev/null 2>&1 || return 1' ' mdatp health --field real_time_protection_enabled 2>/dev/null | grep -qi "true" && return 0' ' mdatp --version >/dev/null 2>&1 && return 0' ' return 1' '}' '' 'has_carbon_black() {' ' # VMware Carbon Black Cloud sensor' ' if [ -x /opt/carbonblack/psc/bin/repcli ]; then' ' /opt/carbonblack/psc/bin/repcli status >/dev/null 2>&1 && return 0' ' fi' ' [ -d /opt/carbonblack/psc/bin ] && return 0' ' return 1' '}' '' 'has_cortex_xdr() {' ' # Palo Alto Networks Cortex XDR / Traps' ' if [ -x /opt/traps/bin/cytool ]; then' ' /opt/traps/bin/cytool runtime query >/dev/null 2>&1 && return 0' ' fi' ' [ -d /opt/traps/bin ] && return 0' ' return 1' '}' '' 'has_cisco_secure_endpoint() {' ' # Cisco Secure Endpoint (AMP) CLI' ' if [ -x /opt/cisco/amp/bin/ampcli ]; then' ' /opt/cisco/amp/bin/ampcli status >/dev/null 2>&1 && return 0' ' fi' ' if [ -x /opt/cisco/amp/ampcli ]; then' ' /opt/cisco/amp/ampcli status >/dev/null 2>&1 && return 0' ' fi' ' [ -d /opt/cisco/amp ] && return 0' ' return 1' '}' '' 'has_sophos() {' ' # Sophos Protection for Linux (SPL)' ' service_active "sophos-spl.service" && return 0' ' [ -d /opt/sophos-spl ] && return 0' ' return 1' '}' '' 'has_cylance() {' ' # CylancePROTECT' ' service_active "cylancesvc" && return 0' ' return 1' '}' '' 'has_eset() {' ' # ESET Endpoint for Linux' ' pgrep -x esets_daemon >/dev/null 2>&1 && return 0' ' service_active "esets" && return 0' ' return 1' '}' '' 'has_clamav() {' ' # ClamAV daemon (service name varies by distro)' ' service_active "clamav-daemon" && return 0' ' service_active "clamd" && return 0' ' service_active "clamd@scan" && return 0' ' pgrep -x clamd >/dev/null 2>&1 && return 0' ' return 1' '}' '' 'if ! (' ' has_sentinelone ||' ' has_crowdstrike ||' ' has_ms_defender ||' ' has_carbon_black ||' ' has_cortex_xdr ||' ' has_cisco_secure_endpoint ||' ' has_sophos ||' ' has_cylance ||' ' has_eset ||' ' has_clamav' '); then' ' echo "epp_disabled"' 'fi' | /bin/sh
Remediation
https://help.ubuntu.com/community/Antivirus
Rollback
No password manager installed
Threat
Dimension : credentials / Severity : 4
You don't have any password manager installed. It's recommended to install one.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'ensure_home() {' ' if [ -n "${HOME:-}" ] && [ -d "${HOME}" ]; then' ' return' ' fi' '' ' local user' ' user="$(id -un)"' '' ' if command -v getent >/dev/null 2>&1; then' ' HOME="$(getent passwd "${user}" | cut -d: -f6)"' ' if [ -n "${HOME}" ] && [ -d "${HOME}" ]; then' ' return' ' fi' ' fi' '' ' HOME="$(eval echo "~${user}")"' ' if [ -n "${HOME}" ] && [ -d "${HOME}" ]; then' ' return' ' fi' '' ' HOME="/root"' '}' '' 'ensure_home' '' 'found_pm=0' '' '# --- Native CLIs ---' 'pm_bins="1password op keepassxc keepassxc-cli bitwarden bw enpass pass gopass lpass proton-pass protonpass keeper"' '' 'for bin in $pm_bins; do' ' if command -v "$bin" >/dev/null 2>&1; then' ' found_pm=1' ' break' ' fi' 'done' '' 'if [ "$found_pm" -eq 1 ]; then' ' exit 0' 'fi' '' '# --- Chrome Extensions ---' 'ext_ids="aeblfdkhhhdcdjpifhhbdiojplfjncoa nngceckbapebfimnlniiiahkandclblb hdokiejnpimakedhajhdlcegeplioahd fdjamakpfbbddfjaooikfcpapjohcfmg bfogiafebfohielmmehodmfbbebbbpei oboonakemofpalcgghocfoadofidjkkk kmcfomidfpdkfieipokbalgegidffkal"' '' 'chromium_bases="$HOME/.config/google-chrome $HOME/.config/chromium $HOME/.config/microsoft-edge $HOME/.config/BraveSoftware/Brave-Browser $HOME/.config/vivaldi $HOME/.var/app/com.google.Chrome/config/google-chrome $HOME/.var/app/org.chromium.Chromium/config/chromium $HOME/.var/app/com.microsoft.Edge/config/microsoft-edge $HOME/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser $HOME/.var/app/com.vivaldi.Vivaldi/config/vivaldi"' '' 'for base in $chromium_bases; do' ' if [ -d "$base" ]; then' ' # Iterate over profiles (subdirectories)' ' for profile in "$base"/*; do' ' if [ -d "$profile" ] && [ -d "$profile/Extensions" ]; then' ' for id in $ext_ids; do' ' if [ -d "$profile/Extensions/$id" ]; then' ' found_pm=1' ' exit 0' ' fi' ' done' ' fi' ' done' ' fi' ' done' '' '# --- Firefox ---' ' ff_root="$HOME/.mozilla/firefox"' 'if [ -d "$ff_root" ]; then' ' # Search for extensions.json containing known names' ' if find "$ff_root" -type f -name '"'"'extensions.json'"'"' -exec grep -Eiq '"'"'"name".*"(1Password|Bitwarden|LastPass|Dashlane|Keeper|KeePassXC|Enpass)"'"'"' {} +; then' ' found_pm=1' ' exit 0' ' fi' 'fi' '' 'if [ "$found_pm" -eq 0 ]; then' ' echo "No password manager installed"' 'fi' | /bin/sh
Remediation
https://en.wikipedia.org/wiki/Password_manager
Rollback
Disk encryption disabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 2,Configure Disk Encryption, ISO 27001/2,A.8.3.1-Media Protection, SOC 2,CC6.7-Data Protection
Your main disk and swap are not encrypted. Enabling disk encryption helps protect your data from unauthorized access.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' '# Detect virtualization' 'is_virtual=""' '' 'if command -v apk >/dev/null 2>&1; then' ' # Alpine: virt-what works on aarch64' ' apk add virt-what util-linux >/dev/null 2>&1' ' [ -n "$(virt-what 2>/dev/null)" ] && is_virtual="yes"' 'elif [ "$(uname -m)" = "aarch64" ]; then' ' # Debian/Ubuntu aarch64: virt-what not available, use fast file-based detection' ' # Check /sys/hypervisor (Xen)' ' if [ -d /sys/hypervisor ]; then' ' is_virtual="yes"' ' # Check DMI vendor info' ' elif grep -qiE "qemu|kvm|vmware|virtualbox|xen|microsoft|amazon" /sys/class/dmi/id/sys_vendor 2>/dev/null; then' ' is_virtual="yes"' ' # Check DMI product name' ' elif grep -qiE "virtual|vm|kvm|qemu" /sys/class/dmi/id/product_name 2>/dev/null; then' ' is_virtual="yes"' ' # Check device tree (ARM VMs)' ' elif grep -qiE "qemu|kvm|xen" /sys/firmware/devicetree/base/compatible 2>/dev/null; then' ' is_virtual="yes"' ' # Last resort: systemd-detect-virt with timeout' ' elif command -v systemd-detect-virt >/dev/null 2>&1; then' ' virt_type=$(timeout 5 systemd-detect-virt 2>/dev/null)' ' [ "$virt_type" != "none" ] && [ -n "$virt_type" ] && is_virtual="yes"' ' fi' 'else' ' # Debian/Ubuntu x86_64: virt-what available' ' apt install virt-what -y > /dev/null 2>&1' ' [ -n "$(virt-what 2>/dev/null)" ] && is_virtual="yes"' 'fi' '' 'if [ -z "$is_virtual" ]; then' ' root_dev=$(findmnt -n -o SOURCE /)' ' swap_dev=$(swapon --show=NAME --noheadings 2>/dev/null | head -n1)' ' root_parent=$(lsblk -n -o NAME,TYPE,MOUNTPOINT -p | grep " $(readlink -f "$root_dev")$" | awk '"'"'{print $1}'"'"')' ' lsblk -n -o NAME,TYPE -p | grep -q "^$root_parent.*crypt$" || echo "root_encryption_disabled"' ' if [ -n "$swap_dev" ]; then' ' swap_parent=$(lsblk -n -o NAME,TYPE,MOUNTPOINT -p | grep " $(readlink -f "$swap_dev")$" | awk '"'"'{print $1}'"'"')' ' lsblk -n -o NAME,TYPE -p | grep -q "^$swap_parent.*crypt$" || echo "swap_encryption_disabled"' ' fi' 'fi' | /bin/sh
Remediation
https://help.ubuntu.com/community/FullDiskEncryptionHowto
Rollback
https://help.ubuntu.com/community/FullDiskEncryptionHowto
Potentially compromised email address
Threat
Dimension : credentials / Severity : 1
Tags : Personal Posture
Check if your email address might have recently appeared in a data breach.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
pwned -i 365
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
digitalidentity_manager
Rollback
https://haveibeenpwned.com/
Unverified or unsafe network environment
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
The network you are connected to is not a known one or it contains unsafe devices. If you are allowed to scan this network, go to the network tab and verify the presence of potentially dangerous devices.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
lanscan
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
network_manager
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
network_manager
Unverified or unsafe services exposed to the LAN
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
Your device is exposing services to the local network that may be unsafe or unverified. Go to the network tab, select your own device, and review the open ports and associated vulnerabilities.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
lanscan_host
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
network_manager
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
network_manager
Unverified or anomalous traffic
Threat
Dimension : network / Severity : 1
Tags : Personal Posture
The egress network traffic is not verified or contains anomalous traffic.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
egresscan
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
session_manager
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line |
Script
session_manager
File permissions /etc/passwd
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Password File Permissions
The /etc/passwd file in Unix and Linux systems contains user account information. The recommended permissions for this file are 644:
- 6 (read and write) for the owner, usually root.
- 4 (read-only) for the group and other users.
This setup ensures that only the superuser can modify the file, preserving system security, while other users and processes can still read the information they need from it. This balance of functionality and security is why 644 permissions are considered good practice for /etc/passwd.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' '# Use stat -c %a for portable permission check' 'perms=$(stat -c %a /etc/passwd 2>/dev/null)' 'if [ "$perms" != "644" ]; then' 'echo bad_permissions' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chmod 644 /etc/passwd' | /bin/sh
Rollback
File permissions /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Shadow File Permissions
The /etc/shadow file in Unix and Linux systems stores the encrypted password data for each user and has stricter permissions than /etc/passwd because it contains sensitive data. The recommended permissions for /etc/shadow are 640:
- 6 (read and write) for the owner, who should be root. This allows the system to modify the file when passwords are changed.
- 4 (read-only) for the group, which should be the shadow group (see the group ownership check below), so that password verification can read the file without full root access.
- 0 for others: they cannot read, write, or execute the file.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' '# Use stat -c %a for portable permission check' 'perms=$(stat -c %a /etc/shadow 2>/dev/null)' 'if [ "$perms" != "640" ]; then' 'echo bad_permissions' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chmod 640 /etc/shadow' | /bin/sh
Rollback
File permissions /etc/fstab
Threat
Dimension : system integrity / Severity : 5
The /etc/fstab file in Unix and Linux systems provides a table of filesystems that should be mounted automatically at system startup. This file contains important information like what filesystems to mount, where to mount them, and what options to use.
Given its significance, the recommended permissions for the /etc/fstab file are 644:
- 6 (read and write) for the owner, which should be the root or superuser. This allows the system to modify the file when filesystems are added or removed.
- 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's filesystems, but prevents them from making potentially harmful changes.
This setup ensures only the root user can modify the file, protecting the system's filesystem configuration, while other users and processes can still read the filesystem information they need.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' '# Use stat -c %a for portable permission check (works on GNU and Busybox)' 'perms=$(stat -c %a /etc/fstab 2>/dev/null)' 'if [ "$perms" != "644" ]; then' 'echo bad_permissions' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chmod 644 /etc/fstab' | /bin/sh
Rollback
File permissions /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Group File Permissions
The /etc/group file in Unix and Linux systems stores group information or data. It contains a list of all the groups on the system, along with each group's associated users.
Given its importance, the recommended permissions for the /etc/group file are 644:
- 6 (read and write) for the owner, which should be the root or superuser. This allows the system to add or remove groups or modify group membership.
- 4 (read-only) for the group and others. This allows users and processes to read the file and understand the system's group memberships, but prevents them from making unauthorized changes.
This setup ensures only the root user can modify the file, protecting the system's group configuration, while other users and processes can still read the group information they need.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'perms=$(stat -c %a /etc/group 2>/dev/null)' 'if [ "$perms" != "644" ]; then' 'echo bad_permissions' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chmod 644 /etc/group' | /bin/sh
Rollback
Group Ownership of /etc/group
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Group File Ownership
The /etc/group file should be owned by the root group to maintain the integrity and confidentiality of group information stored within. Incorrect group ownership could lead to unauthorized access or modification of this sensitive file, compromising system security.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' '# Use stat -c for portable owner/group check' 'ownership=$(stat -c "%U %G" /etc/group 2>/dev/null)' 'if [ "$ownership" != "root root" ]; then' 'echo bad_group' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chown root:root /etc/group' | /bin/sh
Rollback
Group Ownership of /etc/shadow
Threat
Dimension : system integrity / Severity : 5
Tags : CIS Benchmark Level 1,Verify Shadow File Group Ownership
The /etc/shadow file should be owned by the root group or a specific security or system group. This file contains sensitive user information such as encrypted passwords. Incorrect group ownership could lead to unauthorized access or potential manipulation of this critical file, compromising system security and user confidentiality.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' '# Use stat -c for portable owner/group check' 'ownership=$(stat -c "%U %G" /etc/shadow 2>/dev/null)' 'if [ "$ownership" != "root shadow" ]; then' 'echo bad_group' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'chown root:shadow /etc/shadow' | /bin/sh
Rollback
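The four permission and ownership checks above each test one file with one `stat` call. As an added example (not a script from the threatmodels repository), the POSIX sh below folds them into a single baseline audit: it checks mode, owner and group together, reports a missing file explicitly instead of letting an empty `stat` result read as a permission problem, and reads the baseline from stdin so it can be extended to other files.

```shell
#!/bin/sh
# Added example, not code from the threatmodels repository: one POSIX-sh audit
# that checks mode, owner and group of a file against an expected baseline.
# It generalises the per-file checks on this page (passwd/group/fstab 644
# root:root, shadow 640 root:shadow) and reports a missing file on its own.

# audit_file PATH MODE OWNER GROUP
# Prints one finding per line; returns 1 if anything differs, 0 otherwise.
audit_file() {
    path="$1"; want_mode="$2"; want_owner="$3"; want_group="$4"
    # stat -c exists on GNU coreutils and BusyBox. stat needs only search
    # permission on /etc, so an unprivileged user can audit /etc/shadow too.
    info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || {
        echo "missing_file $path"
        return 1
    }
    set -- $info
    mode="$1"; owner="$2"; group="$3"
    status=0
    if [ "$mode" != "$want_mode" ]; then
        echo "bad_permissions $path $mode (expected $want_mode)"; status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "bad_owner $path $owner (expected $want_owner)"; status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "bad_group $path $group (expected $want_group)"; status=1
    fi
    return $status
}

# audit_baseline: reads "PATH MODE OWNER GROUP" lines on stdin ('#' starts a
# comment line). Returns 1 if any file deviates from the baseline.
audit_baseline() {
    rc=0
    while read -r p m o g; do
        case "$p" in ''|'#'*) continue ;; esac
        audit_file "$p" "$m" "$o" "$g" || rc=1
    done
    return $rc
}

# Baseline taken from the checks on this page.
BASELINE='# path        mode owner group
/etc/passwd   644  root  root
/etc/group    644  root  root
/etc/fstab    644  root  root
/etc/shadow   640  root  shadow'

# Audit the baseline when executed directly; findings go to stdout.
if printf '%s\n' "$BASELINE" | audit_baseline; then
    echo "baseline_ok"
fi
```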
Your OS is not up to date
Threat
Dimension : system integrity / Severity : 2
Tags : CIS Benchmark Level 1,Ensure package manager repositories are configured
Your operating system is not up to date. Please upgrade it to get the latest security patches.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' apk update >/dev/null 2>&1' ' # apk list -u lists upgradeable packages. If output is not empty, updates are available.' ' if [ -n "$(apk list -u 2>/dev/null)" ]; then' 'echo os_outdated' ' fi' 'else' ' LANG=C apt list --upgradeable 2>/dev/null | grep -q '"'"'upgradable'"'"' && echo os_outdated' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' apk update >/dev/null 2>&1' ' apk upgrade >/dev/null 2>&1' 'else' ' apt update -qq > /dev/null 2>&1' ' apt upgrade -y > /dev/null 2>&1' 'fi' | /bin/sh
Rollback
Local firewall disabled
Threat
Dimension : network / Severity : 3
Tags : CIS Benchmark Level 1,Ensure UFW is installed
Your local firewall is disabled. This is fine in a trusted environment but dangerous if you happen to connect to public networks. You should turn it on by default.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v ufw >/dev/null 2>&1; then' ' LANG=C ufw status | grep -qi '"'"'Status: active'"'"' || echo firewall_disabled' 'else' ' # If ufw is missing, report as disabled (remediation will attempt to install)' 'echo firewall_disabled' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' apk add ufw >/dev/null 2>&1' ' ufw enable' 'else' ' apt install ufw -y > /dev/null 2>&1' ' ufw enable' 'fi' | /bin/sh
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
ufw disable
Remote login enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure SSH Server is configured with appropriate ciphers
Remote login is enabled. This is not necessary unless you are an IT professional; it is unusual and dangerous for most users.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' # Check both ssh and sshd service names (exact match: "inactive" also contains "active")' ' if LANG=C systemctl is-active ssh 2>/dev/null | grep -qx '"'"'active'"'"'; then' ' echo remote_login_enabled' ' elif LANG=C systemctl is-active sshd 2>/dev/null | grep -qx '"'"'active'"'"'; then' ' echo remote_login_enabled' ' fi' 'elif command -v rc-service >/dev/null 2>&1; then' ' # Alpine typically uses sshd' ' if rc-service sshd status >/dev/null 2>&1; then' ' echo remote_login_enabled' ' elif rc-service ssh status >/dev/null 2>&1; then' 'echo remote_login_enabled' ' fi' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' systemctl stop ssh 2>/dev/null' ' systemctl disable ssh 2>/dev/null' ' systemctl stop sshd 2>/dev/null' ' systemctl disable sshd 2>/dev/null' 'elif command -v rc-service >/dev/null 2>&1; then' ' rc-service sshd stop 2>/dev/null' ' rc-update del sshd default 2>/dev/null' ' rc-service ssh stop 2>/dev/null' ' rc-update del ssh default 2>/dev/null' 'fi' | /bin/sh
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' # ssh usually installed, but ensure service enabled' ' rc-update add sshd default 2>/dev/null' ' rc-service sshd start 2>/dev/null' 'else' ' systemctl enable ssh 2>/dev/null' ' systemctl start ssh 2>/dev/null' ' systemctl enable sshd 2>/dev/null' ' systemctl start sshd 2>/dev/null' 'fi' | /bin/sh
Remote desktop enabled
Threat
Dimension : system integrity / Severity : 4
Tags : CIS Benchmark Level 1,Ensure remote administration tools are not installed
Remote desktop is enabled. This is not necessary unless you are an IT professional; it is unusual and dangerous for most users.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' LANG=C systemctl is-active xrdp 2>/dev/null | grep -q '"'"'inactive'"'"' || echo rdp_enabled' 'elif command -v rc-service >/dev/null 2>&1; then' ' rc-service xrdp status >/dev/null 2>&1 && echo rdp_enabled' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' systemctl stop xrdp 2>/dev/null' ' systemctl disable xrdp 2>/dev/null' 'elif command -v rc-service >/dev/null 2>&1; then' ' rc-service xrdp stop 2>/dev/null' ' rc-update del xrdp default 2>/dev/null' 'fi' | /bin/sh
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' apk update >/dev/null 2>&1' ' apk add xrdp >/dev/null 2>&1' ' rc-service xrdp start 2>/dev/null' ' rc-update add xrdp default 2>/dev/null' 'else' ' apt install xrdp -y > /dev/null 2>&1' ' systemctl start xrdp' 'systemctl enable xrdp' 'fi' | /bin/sh
File sharing enabled
Threat
Dimension : system services / Severity : 4
Tags : CIS Benchmark Level 1,Ensure NFS and RPC are not enabled
File sharing is enabled. While this could be intentional, we strongly recommend turning it off: it is not easy to configure correctly and can expose your data to unwanted people.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' LANG=C systemctl is-active nfs-kernel-server 2>/dev/null | grep -q '"'"'inactive'"'"' || echo nfs_enabled' ' LANG=C systemctl is-active smbd 2>/dev/null | grep -q '"'"'inactive'"'"' || echo smb_enabled' 'elif command -v rc-service >/dev/null 2>&1; then' ' rc-service nfs status >/dev/null 2>&1 && echo nfs_enabled' ' rc-service samba status >/dev/null 2>&1 && echo smb_enabled' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v systemctl >/dev/null 2>&1; then' ' systemctl stop smbd && systemctl disable smbd' ' systemctl stop nfs-kernel-server && systemctl disable nfs-kernel-server' 'elif command -v rc-service >/dev/null 2>&1; then' ' rc-service samba stop 2>/dev/null' ' rc-update del samba default 2>/dev/null' ' rc-service nfs stop 2>/dev/null' ' rc-update del nfs default 2>/dev/null' 'fi' | /bin/sh
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | admin |
Script
printf '%s
' 'if command -v apk >/dev/null 2>&1; then' ' apk update >/dev/null 2>&1' ' apk add samba nfs-utils >/dev/null 2>&1' ' if command -v rc-service >/dev/null 2>&1; then' ' rc-service samba start' ' rc-update add samba default' ' rc-service nfs start' ' rc-update add nfs default' ' fi' 'else' ' apt install samba -y > /dev/null 2>&1' ' systemctl start smbd' ' systemctl enable smbd' ' apt install nfs-kernel-server -y > /dev/null 2>&1' ' systemctl start nfs-kernel-server' 'systemctl enable nfs-kernel-server' 'fi' | /bin/sh
Screen saver requires password disabled
Threat
Dimension : credentials / Severity : 3
Tags : CIS Benchmark Level 1,Lock inactive user accounts, ISO 27001/2,A.11.2.8-Unattended User Equipment, SOC 2,CC6.1-Logical Access
When the screen saver is active, we recommend that a password is required to exit it. Otherwise anyone could access your computer while you are away.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'if command -v gsettings >/dev/null 2>&1; then' ' LANG=C gsettings get org.gnome.desktop.screensaver lock-enabled | grep -q '"'"'true'"'"' || echo screensaver_lock_disabled' 'else' ' # If gsettings is missing, we can'"'"'t verify, but existing logic implies disabled if check fails' 'echo screensaver_lock_disabled' 'fi' | /bin/sh
Remediation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'gsettings set org.gnome.desktop.screensaver lock-enabled true' | /bin/sh
Rollback
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'gsettings set org.gnome.desktop.screensaver lock-enabled false' | /bin/sh
Secure boot disabled
Threat
Dimension : system services / Severity : 5
Tags : CIS Benchmark Level 2,Ensure Secure Boot is enabled
Secure Boot is a security standard developed to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). Enabling Secure Boot helps protect against bootloader attacks.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'if command -v mokutil >/dev/null 2>&1; then' ' LANG=C mokutil --sb-state | grep -q '"'"'SecureBoot enabled'"'"' || echo secure_boot_disabled' 'else' ' # mokutil is missing, so the Secure Boot state cannot be verified; report it as disabled,' ' # which is the same result the check gives when mokutil fails or reports disabled.' ' echo secure_boot_disabled' 'fi' | /bin/sh
Remediation
https://wiki.debian.org/SecureBoot
Rollback
https://wiki.debian.org/SecureBoot
Weak password policy
Threat
Dimension : credentials / Severity : 4
Tags : CIS Benchmark Level 1,Configure Password Policy Requirements
Enforcing a strong password policy is essential to protect against unauthorized access. Ensure that the system has a robust password policy implemented.
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
printf '%s
' 'if [ ! -f /etc/security/pwquality.conf ]; then' ' echo '"'"'weak password policy: pwquality is not in use'"'"'' 'elif ! grep -qvE '"'"'^\s*#|^\s*$'"'"' /etc/security/pwquality.conf; then' 'echo '"'"'weak password policy: conf file uses defaults'"'"'' 'fi' | /bin/sh
Remediation
https://manpages.ubuntu.com/manpages/questing/en/man3/pwquality.3.html
Rollback
https://manpages.ubuntu.com/manpages/questing/en/man3/pwquality.3.html
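The check above only tests whether pwquality.conf exists and contains at least one uncommented line, so a file that sets a single weak value passes. As an added example (not the project's script), the POSIX sh below parses the keys that are actually in effect and compares them with a minimum policy; the thresholds are assumptions chosen for this example, and the fallback defaults are those documented in pwquality.conf(5).

```shell
#!/bin/sh
# Added example, not code from the threatmodels repository: evaluate the
# pwquality settings in effect instead of only checking that the file has an
# uncommented line. Thresholds are assumptions for this example, not page values.

# Defaults pam_pwquality applies when a key is absent (pwquality.conf(5)).
DEF_MINLEN=8
DEF_MINCLASS=0
DEF_MAXREPEAT=0
DEF_DICTCHECK=1

# Minimum policy assumed for this example.
MIN_MINLEN=14
MIN_MINCLASS=3
MAX_MAXREPEAT=3

# pwq_value KEY FILE : value of the last uncommented "KEY = value" line, or empty.
# Later lines override earlier ones, matching how pam_pwquality reads the file.
pwq_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# num_or VALUE DEFAULT : VALUE if it is a non-negative integer, else DEFAULT.
num_or() {
    case "$1" in ''|*[!0-9]*) echo "$2" ;; *) echo "$1" ;; esac
}

# check_pwquality CONF : prints one finding per line; returns 0 when the policy
# meets the minimum, 1 otherwise (including when pwquality is not configured).
check_pwquality() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "weak password policy: pwquality is not in use"
        return 1
    fi
    minlen=$(num_or "$(pwq_value minlen "$conf")" "$DEF_MINLEN")
    minclass=$(num_or "$(pwq_value minclass "$conf")" "$DEF_MINCLASS")
    maxrepeat=$(num_or "$(pwq_value maxrepeat "$conf")" "$DEF_MAXREPEAT")
    dictcheck=$(num_or "$(pwq_value dictcheck "$conf")" "$DEF_DICTCHECK")
    weak=0
    if [ "$minlen" -lt "$MIN_MINLEN" ]; then
        echo "weak password policy: minlen=$minlen (want >= $MIN_MINLEN)"; weak=1
    fi
    if [ "$minclass" -lt "$MIN_MINCLASS" ]; then
        echo "weak password policy: minclass=$minclass (want >= $MIN_MINCLASS)"; weak=1
    fi
    # maxrepeat=0 disables the repeated-character check, so 0 is weak, not strict.
    if [ "$maxrepeat" -eq 0 ] || [ "$maxrepeat" -gt "$MAX_MAXREPEAT" ]; then
        echo "weak password policy: maxrepeat=$maxrepeat (want 1..$MAX_MAXREPEAT)"; weak=1
    fi
    if [ "$dictcheck" -eq 0 ]; then
        echo "weak password policy: dictcheck=0 (dictionary words allowed)"; weak=1
    fi
    return $weak
}

# Evaluate the system file when executed directly; findings go to stdout.
if check_pwquality /etc/security/pwquality.conf; then
    echo "password_policy_ok"
fi
```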
Business rule not respected
Threat
Dimension : applications / Severity : 1
One or more business rules are not respected. Please check the command output for more details. To enable business rules, set the EDAMAME_BUSINESS_RULES_CMD environment variable. See: https://github.com/edamametechnologies/edamame_posture_cli?tab=readme-ov-file#business-rules
Implementation
| Tested for | Action | Elevation |
|---|---|---|
| Linux 3 | Command line | user |
Script
business_rules
Remediation
Refer to the business rules documentation for more details.
Rollback
Refer to the business rules documentation for more details.