1. General Setting Policy

CIS Guidelines for securing a pfSense Firewall

The "General Setting Policy" in CIS (Center for Internet Security) Benchmarks provides a set of security best practices and recommendations for configuring general settings across various operating systems and applications. The goal is to establish a secure baseline configuration that helps protect systems from common security threats and vulnerabilities. Adhering to the General Setting Policy helps organizations enhance the overall security posture of their IT environments.

1.1 Ensure SSH warning banner is configured

Description:

The contents of the file named by the Banner argument are sent to the remote user before authentication is allowed.

Rationale:

Banners are used to inform connected users of the site's connection rules. Displaying a warning message before the normal user login may aid the prosecution of computer system intruders.

Audit:

Using the CLI, run the following command and verify that the output contains the "Banner" parameter:

grep "^Banner" /etc/ssh/sshd_config

Remediation:

The recommended way to apply this benchmark is to edit /etc/ssh/sshd_config and insert the following line:

Banner /etc/issue.net

On pfSense, two issues arise:

  1. Current versions of pfSense do not contain the file /etc/issue.net.

  2. sshd_config is generated automatically by /etc/sshd, a script that creates the configuration file at startup, so manual edits to sshd_config do not persist.

In order to comply with this benchmark:

  1. Edit the file /etc/sshd.

  2. Find the line containing: $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";

  3. Insert the following lines after it (the trailing \n keeps the next generated directive on its own line):

/* CIS 1.1 Ensure SSH warning banner is configured */
$sshconf .= "Banner /etc/ssh/ssh.banner\n";

Caution should be exercised when editing this file, as an error could break the SSH service.

Next, create the file "ssh.banner" in /etc/ssh/ with the banner message to be displayed to remote users.

vi /etc/ssh/ssh.banner

************************************************************
**             WARNING: UNAUTHORIZED ACCESS               **
**             TO THIS SYSTEM IS PROHIBITED               **
************************************************************
** This system is the property of [Your Organization]     **
** Unauthorized access or use may result in legal action. **
** All activities are logged and monitored.               **
** If you are not an authorized user, disconnect now.     **
************************************************************

Save and close the file.

Restart the "SSH" service.

pfSsh.php playback svc restart sshd

Verify changes have been applied.

ssh [email protected]

************************************************************
**             WARNING: UNAUTHORIZED ACCESS               **
**             TO THIS SYSTEM IS PROHIBITED               **
************************************************************
** This system is the property of [Your Organization]     **
** Unauthorized access or use may result in legal action. **
** All activities are logged and monitored.               **
** If you are not an authorized user, disconnect now.     **
************************************************************

([email protected]) Password for [email protected]:
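The audit and remediation steps above, plus the hostname check from item 1.4, as an added POSIX shell example (not part of the CIS benchmark or of pfSense). Each helper takes an optional path or value so the same functions can be exercised on copies; the default paths are the ones named in this section.

```shell
#!/bin/sh
# Added example for items 1.1 and 1.4; not part of the CIS benchmark or pfSense.
# Defaults point at the locations named in the text; pass a path to test on a copy.

# 1.1 audit: sshd_config must contain an uncommented Banner directive
# (the same test as the grep in the Audit step).
check_ssh_banner() {
    grep -q '^Banner' "${1:-/etc/ssh/sshd_config}" 2>/dev/null
}

# 1.1 audit: the file the Banner directive points at must exist and be non-empty;
# otherwise sshd starts but shows nothing before the password prompt.
check_banner_file() {
    file=$(awk '$1 == "Banner" { print $2; exit }' "${1:-/etc/ssh/sshd_config}" 2>/dev/null)
    [ -n "$file" ] && [ -s "$file" ]
}

# 1.1 remediation: insert the two PHP lines after the Subsystem line of the
# /etc/sshd generator script. The insert is idempotent, and the trailing \n
# keeps the next directive on its own line in the generated sshd_config.
add_banner_directive() {
    script="${1:-/etc/sshd}"
    grep -q 'Banner /etc/ssh/ssh.banner' "$script" && return 0
    awk '{ print }
         index($0, "Subsystem\\tsftp") {
             print "/* CIS 1.1 Ensure SSH warning banner is configured */"
             print "$sshconf .= \"Banner /etc/ssh/ssh.banner\\n\";"
         }' "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# 1.4 audit: the hostname must differ from the factory default "pfSense".
check_hostname() {
    name="${1:-$(hostname)}"
    [ -n "$name" ] && [ "$name" != "pfSense" ]
}

# Run every check against the live system and print a PASS/FAIL line per item.
audit_report() {
    rc=0
    check_ssh_banner  && echo "1.1 Banner directive: PASS" || { echo "1.1 Banner directive: FAIL"; rc=1; }
    check_banner_file && echo "1.1 Banner file: PASS"      || { echo "1.1 Banner file: FAIL"; rc=1; }
    check_hostname    && echo "1.4 Hostname: PASS"         || { echo "1.4 Hostname: FAIL"; rc=1; }
    return $rc
}

# Only report when invoked as "sh audit.sh --report", so sourcing the file is side-effect free.
case "${1:-}" in --report) audit_report ;; esac
```

Run it on the firewall with --report after the remediation and the first two lines should read PASS; run add_banner_directive before pfSsh.php playback svc restart sshd so the regenerated sshd_config carries the directive.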

CIS Controls:

Controls Version
Control

v8

14.1 Establish and Maintain a Security Awareness Program

Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

v7

17.3 Implement a Security Awareness Program

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

1.2 Ensure AutoConfigBackup is enabled

Description:

The recommended practice is to make a backup before and after each large change or series of changes, as well as after each small change. The first backup is taken in case the change being made has unfavorable repercussions.

Rationale:

An after-the-fact backup is taken after evaluating the change and ensuring it had the intended outcome. Periodic backups are also helpful, regardless of changes, especially in cases where a manual backup may be missed.

Audit:

In the GUI:

- Navigate to Services > Auto Config Backup > Settings and check whether 'Enable ACB' is checked

Default Value: Disabled

Remediation:

In the GUI:

- Navigate to Services > Auto Config Backup.
- Click 'Settings' at the top.
- Check 'Enable ACB'.
- Click 'Save'.

References:

https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html

CIS Controls:

Controls Version
Control

v8

11.1 Establish and Maintain a Data Recovery Process

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

v7

10.1 Ensure Regular Automated Back Ups

Ensure that all system data is automatically backed up on regular basis.

1.3 Ensure 'Message Of The Day (MOTD)' is set

Description:

Sets the MOTD message.

Rationale:

Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.

  • First, banners may be used to generate consent to real-time monitoring under Title III.

  • Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.

  • Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v.

Audit:

From CLI:

cat /etc/motd

Remediation:

While the recommended way to apply this benchmark is to edit /etc/motd, pfSense does not contain that file; its login banner is generated by, and stored in, the file /etc/rc.banner.

If satisfying this benchmark is mandatory, it can be applied by editing /etc/rc.banner.

Caution should be exercised when editing this file, as it runs at every login.

CIS Controls:

Controls Version
Control

v8

14.1 Establish and Maintain a Security Awareness Program

Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

v7

17.3 Implement a Security Awareness Program

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

1.4 Ensure Hostname is set

Description:

Changes the device default hostname.

Rationale:

The device hostname is essential for asset inventory and identification, for the deployment of public keys and certificates, and for correlating logs from different systems while handling an incident.

Audit:

From CLI:

hostname

In the GUI:

- Navigate to System > General Setup
- Check the Hostname Field

Default Value: pfSense

Remediation:

- Navigate to System > General Setup
- Update the 'Hostname' field with the new hostname, and click "Save"

References:

https://docs.netgate.com/pfsense/en/latest/config/general.html

CIS Controls:

Controls Version
Control

v8

1.1 Establish and Maintain Detailed Enterprise Asset Inventory

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

v7

1.5 Maintain Asset Inventory Information

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.5 Ensure DNS server is configured

Description:

The primary DNS server must be specified for DNS lookups to work; secondary and tertiary DNS servers can be specified in addition. The system uses the primary name server to resolve host names and, if a failure or time-out occurs, falls back to the secondary name server and then, if required, the tertiary.

Rationale:

The purpose is to perform the resolution of system hostnames to Internet Protocol (IP) addresses.

Audit:

In the GUI:

- Navigate to System > General Setup
- Check the 'DNS Servers' Field in 'DNS Server Settings' table

Default Value: Blank, unless the WAN uses a dynamic type such as DHCP, in which case the ISP may assign these.

Remediation:

In the GUI:

- Navigate to System > General Setup
- Update the 'DNS Servers' field with your DNS server, and click "Save"

CIS Controls:

Controls Version
Control

v8

4.9 Configure Trusted DNS Servers on Enterprise Assets

Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

v7

7.7 Use of DNS Filtering Services

Use DNS filtering services to help block access to known malicious domains.

1.6 Ensure IPv6 is disabled if not used

Description:

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale:

If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Audit:

From CLI:

cat /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6 = 1

In the GUI:

Navigate to System > Advanced > Networking and check whether 'Allow IPv6' is checked.

Default Value: (In the GUI) System > Advanced > Networking, 'Allow IPv6' is checked.

Remediation:

From CLI:

Add the following lines to /etc/sysctl.conf and reboot:

- net.ipv6.conf.all.disable_ipv6=1
- net.ipv6.conf.default.disable_ipv6=1
- net.ipv6.conf.lo.disable_ipv6=1

In the GUI:

Navigate to System > Advanced > Networking and uncheck 'Allow IPv6'.

CIS Controls:

Controls Version
Control

v8

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

v7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running

Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

1.7 Ensure DNS Rebind Check is unchecked

Description:

Ensure that the 'DNS Rebind Check' feature is unchecked to protect against DNS rebinding attacks.

Rationale:

Attackers can use DNS rebinding to exploit a DNS server's response to a domain name query that resolves to a private IP address. This could give an attacker access to private network resources that should not be reachable from the public Internet. To defend against this kind of attack, pfSense's "DNS Rebind Check" function blocks private IP responses from DNS servers. As advised in the CIS benchmark, disabling this feature would expose the system to DNS rebinding attacks.

Audit:

In the GUI:

- Navigate to System > Advanced
- Check the 'DNS Rebind Check' field

Default Value: By default the 'DNS Rebind Check' is unchecked.

Remediation:

In the GUI:

- Navigate to System > Advanced
- Uncheck the 'DNS Rebind Check' field

CIS Controls:

Controls Version
Control

v8

9.2 Use DNS Filtering Services

Use DNS filtering services on all enterprise assets to block access to known malicious domains.

v7

7.7 Use of DNS Filtering Services

Use DNS filtering services to help block access to known malicious domains.

1.8 Ensure HTTPS is used for the Web Admin Management Portal

Description:

The Web Admin Management Portal should only be accessed over the HTTPS protocol.

Rationale:

HTTP transmits all data (including passwords) in clear text over the network and provides no assurance of the identity of the hosts involved. Because of this, HTTP should never be used for sensitive tasks such as managing network devices or entering login credentials, and HTTPS should be configured for Web Portal Management instead.

Audit:

In the GUI:

- Navigate to System > Advanced > Admin Access
- Check that HTTPS is enabled in the 'webConfigurator' table

Remediation:

In the GUI:

- Navigate to System > Advanced > Admin Access
- Select 'HTTPS' in the 'webConfigurator' table
- Click 'Save'

CIS Controls:

Controls Version
Control

v8

12.3 Securely Manage Network Infrastructure

Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

v7

11.1 Maintain Standard Security Configurations for Network Devices

Maintain standard, documented security configuration standards for all authorized network devices.

1.9 Ensure a synchronized High Availability peer is configured

Description:

Ensure a High Availability peer is fully synchronized and in a passive or active state.

Rationale:

To ensure availability of both the firewall and the resources it protects, a High Availability peer is required. In the event a single firewall fails, or when maintenance such as a software update is required, the HA peer can be used to automatically fail over session states and maintain overall availability.

Audit:

In the GUI:

- Navigate to System > High Avail. Sync
- Check "Synchronize Config to IP" is configured.

Default Value: Blank

Remediation:

In the GUI:

- Navigate to System > High Avail. Sync
- Set up each field and click Save

CIS Controls:

Controls Version
Control

v8

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

v7

11.1 Maintain Standard Security Configurations for Network Devices

Maintain standard, documented security configuration standards for all authorized network devices.
