/
remediate.sh
1716 lines (1407 loc) · 96.9 KB
/
remediate.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/usr/bin/env bash
# 1.1.2 Ensure /tmp is configured
###Description###
# Description The /tmp directory is a world-writable directory used for temporary storage
# by all users and some applications. Rationale Making /tmp its own file system allows
# an administrator to set the noexec option on the mount, making /tmp useless for an attacker
# to install executable code. It would also prevent an attacker from establishing a hardlink to a system
# setuid program and wait for it to be updated. Once the program was updated, the hardlink
# would be broken and the attacker would have his own copy of the program. If the program happened to
# have a security vulnerability, the attacker could continue to exploit the known flaw. This can be
# accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.
###Recommendation###
# Configure /etc/fstab as appropriate. example:tmpfs /tmp tmpfs defaults,rw,nosuid,nodev
# ,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting:
# systemctl unmask tmp.mountsystemctl enable tmp.mount
# Edit /etc/systemd/system/
# local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount]What=tmpfsWhe
# re=/tmpType=tmpfsOptions=mode=1777,strictatime,noexec,nodev,nosuid Impact:
# Since the /tmp directory is intended to be world-writable, there is a risk of resource
# exhaustion if it is not bound to a separate partition.Running out of /tmp space is a problem
# regardless of what kind of filesystem lies under it, but in a default installation
# a disk-based /tmp will essentially have the whole disk available, as it only creates a
# single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost
# certainly be much smaller, which can lead to applications filling up the filesystem much
# more easily./tmp utalizing tmpfs can be resized using the size={size} parameter on the
# Options line on the tmp.mount file
######
# 1.1.17 Ensure noexec option set on /dev/shm partition
###Description###
# The noexec mount option specifies that the filesystem cannot contain executable binaries.
# Rationale Setting this option on a file system prevents users from executing programs from
# shared memory. This deters users from introducing potentially malicious software on the system.
###Recommendation###
# Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for
# the /dev/shm partition. See the fstab(5) manual page for more information. Run the
# following command to remount /dev/shm : # mount -o remount,noexec /dev/shm
######
# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (worked)
###Description###
# The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems.
# A cramfs image can be used without having to first decompress the image. Rationale Removing support for
# unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
######
echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
sudo rmmod cramfs
# 1.1.1.2 Ensure mounting of hfs filesystems is disabled (worked)
###Description###
# The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.
# Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
######
echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
sudo rmmod hfs
# 1.1.1.3 Ensure mounting of hfsplus filesystems is disabled (worked)
###Description###
# The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount
# Mac OS filesystems. Rationale Removing support for unneeded filesystem types reduces the local attack
# surface of the system. If this filesystem type is not needed, disable it.
######
echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
sudo rmmod hfsplus
# 1.1.1.4 Ensure mounting of squashfs filesystems is disabled (worked)
###Description###
# The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small
# footprint systems (similar to cramfs ). A squashfs image can be used without having to first
# decompress the image. Rationale Removing support
# for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
######
echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
sudo rmmod squashfs
# 1.1.1.5 Ensure mounting of udf filesystems is disabled (worked)
###Description###
# The udf filesystem type is the universal disk format used to implement ISO/IEC 13346
# and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a
# broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
# Rationale Removing support for unneeded filesystem types reduces the local attack surface of the system.
# If this filesystem type is not needed, disable it.
######
echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
sudo rmmod udf
# 1.3.1 Ensure AIDE is installed (worked)
###Description###
# Description AIDE takes a snapshot of filesystem state including modification times, permissions,
# and file hashes which can then be used to compare against the current state of the filesystem to
# detect modifications to the system. Rationale By monitoring the filesystem state compromised files
# can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
######
sudo yum install aide -y
# 1.3.2 Ensure filesystem integrity is regularly checked (fixed)
###Description###
# Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
# Rationale Periodic file checking allows the system administrator to determine on a regular basis
# if critical files have been changed in an unauthorized fashion.
###Recommendation###
# Run the following command: # crontab -u root -e Add the following line to the crontab:
# 0 5 * * * /usr/sbin/aide --check
######
crontab -u root -e
echo "0 5 * * * /usr/sbin/aide --check" >> /etc/crontab
# 1.4.1 Ensure permissions on bootloader config are configured (worked)
###Description###
# The grub configuration file contains information on boot settings and passwords for unlocking boot options.
# The grub configuration is usually located at / boot/grub2/grub.cfg and linked as /etc/grub2.cfg.
# Additional settings can be found in the /boot/grub2/user.cfg file. Rationale Setting the permissions
# to read and write for root only prevents non-root users from seeing the boot parameters or changing them.
# Non- root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
######
sudo chownroot: root /boot/grub2/grub.cfg
sudo chmod og-rwx /boot/grub2/grub.cfg
# 1.5.1 Ensure core dumps are restricted (worked)
###Description###
# A core dump is the memory of an executable program. It is generally used to determine why a program aborted.
# It can also be used to glean confidential information from a core file. The system provides the ability
# to set a soft limit for core dumps, but this can be overridden by the user. Rationale Setting a hard limit
# on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting
# limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will
# prevent setuid programs from dumping core.
echo "* hard core 0" >> /etc/security/limits.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
sysctl -w fs.suid_dumpable = 0
# 1.5.2 Ensure address space layout randomization (ASLR) is enabled (worked)
###Description###
# Address space layout randomization (ASLR) is an exploit mitigation technique which randomly
# arranges the address space of key data areas of a process. Rationale Randomly placing virtual
# memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting.
######
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
sysctl -w kernel.randomize_va_space = 2
# 1.7.1.1 Ensure message of the day is configured properly
###Description###
# The contents of the /etc/motd file are displayed to users after login and function as a message
# of the day for authenticated users. Unix-based systems have typically displayed information about
# the OS release and patch level upon logging in to the system. This information can be useful to
# developers who are developing software for a particular OS platform. If mingetty(8) supports the
# following options, they display operating system information: \m - machine architecture \r - operating
# system release \s - operating system name \v - operating system version Rationale Warning messages
# inform users who are attempting to login to the system of their legal status regarding
# the system and must include the name of the organization that owns the system and any monitoring
# policies that are in place. Displaying OS and patch level information in login banners also has the
# side effect of providing detailed system information to attackers attempting to target specific
# exploits of a system. Authorized users can easily get
###Recommendation###
# Edit the /etc/motd file with the appropriate contents according to your site policy,
# remove any instances of \m , \r , \s ,\v. , or references to the OS platform
######
# 1.7.1.2 Ensure local login warning banner is configured properly (fixed)
###Description###
# The contents of the /etc/issue file are displayed to users prior to login for local terminals.
# Unix-based systems have typically displayed information about the OS release and patch level upon
# logging in to the system. This information can be useful to developers who are developing
# software for a particular OS platform. If mingetty(8) supports the following options,
# they display operating system information: \m - machine architecture \r - operating system
# release \s - operating system name \v - operating system version Rationale Warning messages
# inform users who are attempting to login to the system of their legal status regarding the system
# and must include the name of the organization that owns the system and any monitoring
# policies that are in place. Displaying OS and patch level information in login banners also
# has the side effect of providing detailed system information to attackers attempting to target
# specific exploits of a system. Authorized users can easily get this information by running the
# " uname -a " command once they have logged in.
###Recommendation###
# Edit the /etc/issue file with the appropriate contents according to your site policy,
# remove any instances of \m , \r , \s , \v or references to the OS platform: # echo
# "Authorized uses only. All activity may be monitored and reported." > /etc/issue
######
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
# 1.7.1.3 Ensure remote login warning banner is configured properly (fixed)
###Description###
# The contents of the /etc/issue.net file are displayed to users prior to login for
# remote connections from configured services. Unix-based systems have typically displayed
# information about the OS release and patch level upon logging in to the system. This information
# can be useful to developers who are developing software for a particular OS platform. If mingetty(8)
# supports the following options, they display operating system information: \m - machine architecture
# \r - operating system release \s - operating system name \v - operating system version Rationale
# Warning messages inform users who are attempting to login to the system of their legal status regarding
# the system and must include the name of the organization that owns the system and any monitoring policies
# that are in place. Displaying OS and patch level information in login banners also has the side effect of
# providing detailed system information to attackers attempting to target specific exploits of a system.
# Authorized users can easily get this information by running the " uname -a " command once they have logged in.
###Recommendation###
# Edit the /etc/issue.net file with the appropriate contents according to your site policy,
# remove any instances of \m , \r , \s , or \v , or references to the OS platform: # echo
# "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
######
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
# 3.1.1 Ensure IP forwarding is disabled (worked)
###Description###
# The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether
# it can forward packets or not. Rationale Setting the flags to 0 ensures that a system with multiple interfaces
# (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.
######
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.ip_forward = 0
sudo sysctl -w net.ipv6.conf.all.forwarding = 0
sudo sysctl -w net.ipv4.route.flush = 1
sudo sysctl -w net.ipv6.route.flush = 1
# 3.1.2 Ensure packet redirect sending is disabled (fixed)
###Description###
# ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as
# a router (in a host only configuration), there is no need to send redirects. Rationale An attacker
# could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to
# corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
###Recommendation###
# Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4
# .conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0 Run the
# following commands to set the active kernel parameters: # sysctl -w net.ipv4.con
# f.all.send_redirects=0# sysctl -w net.ipv4.conf.default.send_redirects=0# sysctl -w
# net.ipv4.route.flush=1
######
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.send_redirects = 0
sudo sysctl -w net.ipv4.conf.default.send_redirects = 0
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.1 Ensure source routed packets are not accepted (worked)
###Description###
# In networking, source routing allows a sender to partially or fully specify the route packets
# take through a network. In contrast, non-source routed packets travel a path determined by
# routers in the network. In some cases, systems may not be routable or reachable from some locations
# (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.
# Rationale Setting net.ipv4.conf.all.accept _source_route, net.ipv4.conf.default.accept_source_route,
# net.ipv6.conf.all.accept_sou rce_route and net.ipv6.conf.default.accept_source_route to 0 disables the
# system from accepting source routed packets. Assume this system was capable of routing packets to Internet
# routable addresses on one interface and private addresses on another interface. Assume that the private
# addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances,
# an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems.
# If, however, source routed packets were allowed, they could be used to gain access to the private address systems
# as the route could be specified, rather than rely on routing protocols that did not allow this routing.
######
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.accept_source_route = 0
sudo sysctl -w net.ipv4.conf.default.accept_source_route = 0
sudo sysctl -w net.ipv6.conf.all.accept_source_route = 0
sudo sysctl -w net.ipv6.conf.default.accept_source_route = 0
sudo sysctl -w net.ipv4.route.flush = 1
sudo sysctl -w net.ipv6.route.flush = 1
# 3.2.2 Ensure ICMP redirects are not accepted (fixed)
###Description###
# ICMP redirect messages are packets that convey routing information and tell your host
# (acting as a router) to send packets via an alternate path. It is a way of allowing an outside
# routing device to update your system routing tables. By setting net. ipv4.conf.all.accept_redirects
# and net.ipv6.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages,
# and therefore, won't allow outsiders to update the system's routing tables. Rationale Attackers could
# use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send
# packets to incorrect networks and allow your system packets to be captured.
###Recommendation###
# Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.con
# f.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0net.ipv6.conf.a
# ll.accept_redirects = 0net.ipv6.conf.default.accept_redirects = 0 Run the following
# commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_red
# irects=0# sysctl -w net.ipv4.conf.default.accept_redirects=0# sysctl -w net.ipv6.con
# f.all.accept_redirects=0# sysctl -w net.ipv6.conf.default.accept_redirects=0# sysctl -w
# net.ipv4.route.flush=1# sysctl -w net.ipv6.route.flush=1
######
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.accept_redirects = 0
sudo sysctl -w net.ipv4.conf.default.accept_redirects = 0
sudo sysctl -w net.ipv6.conf.all.accept_redirects = 0
sudo sysctl -w net.ipv6.conf.default.accept_redirects = 0
sudo sysctl -w net.ipv4.route.flush = 1
sudo sysctl -w net.ipv6.route.flush = 1
# 3.2.3 Ensure secure ICMP redirects are not accepted (fixed)
###Description###
# Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed
# on the default gateway list. It is assumed that these gateways are known to your system, and that
# they are likely to be secure. Rationale It is still possible for even known gateways to be compromised.
# Setting net.ipv4.conf.all.secure_redirec ts to 0 protects the system from routing table updates
# by possibly compromised known gateways.
###Recommendation###
# Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4
# .conf.all.secure_redirects = 0net.ipv4.conf.default.secure_redirects = 0 Run the
# following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0#
# sysctl -w net.ipv4.conf.default.secure_redirects=0# sysctl -w
# net.ipv4.route.flush=1
######
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.secure_redirects = 0
sudo sysctl -w net.ipv4.conf.default.secure_redirects = 0
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.4 Ensure suspicious packets are logged (fixed)
###Description###
# Description When enabled, this feature logs packets with un-routable source addresses to the
# kernel log. Rationale Enabling this feature and logging these packets allows an administrator
# to investigate the possibility that an attacker is sending spoofed packets to their system.
###Recommendation###
# Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
# net.ipv4.conf.all.log_martians = 1net.ipv4.conf.default.log_martians = 1 Run the
# following commands to set the active kernel parameters: # sysctl -w net.ipv4.con
# f.all.log_martians=1# sysctl -w net.ipv4.conf.default.log_martians=1# sysctl -w
# net.ipv4.route.flush=1
######
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.log_martians = 1
sudo sysctl -w net.ipv4.conf.default.log_martians = 1
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.5 Ensure broadcast ICMP requests are ignored (worked)
###Description###
# Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and
# timestamp requests to broadcast and multicast addresses. Rationale Accepting ICMP echo and timestamp
# requests with broadcast or multicast destinations for your network could be used to trick your host
# into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending
# large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message
# and responding would send echo-reply messages back to the spoofed address, which is probably not routable.
# If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
######
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts = 1
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.6 Ensure bogus ICMP responses are ignored (worked)
###Description###
# Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus
# responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from
# filling up with useless log messages. Rationale Some routers (and some attackers) will
# send responses that violate RFC-1122 and attempt to fill up a log file system with many
# useless error messages.
######
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses = 1
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.7 Ensure Reverse Path Filtering is enabled (worked)
###Description###
# Setting net.ipv4.conf.all.rp_filterand net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel
# to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially,
# with reverse path filtering, if the return packet does not go out the same interface that the corresponding
# source packet came from, the packet is dropped (and logged if log_martians is set). Rationale Setting these flags is
# a good way to deter attackers from sending your system bogus packets that cannot be responded to.
# One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when
# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on
# your system, you will not be able to enable this feature without breaking the routing.
######
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.conf.all.rp_filter = 1
sudo sysctl -w net.ipv4.conf.default.rp_filter = 1
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.8 Ensure TCP SYN Cookies is enabled (worked)
###Description###
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection
# queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the
# SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially
# crafted TCP sequence number that encodes the source and destination IP address
# and port number and the time the packet was sent. A legitimate connection would
# send the ACK packet of the three way handshake with the specially crafted sequence number.
# This allows the system to verify that it has received a valid response to a
# SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.
# Rationale Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many
# SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's
# half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system
# to keep accepting valid connections, even if under a denial of service attack.
######
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
sudo sysctl -w net.ipv4.tcp_syncookies = 1
sudo sysctl -w net.ipv4.route.flush = 1
# 3.2.9 Ensure IPv6 router advertisements are not accepted (fixed)
###Description###
# This setting disables the system's ability to accept IPv6 router advertisements.
# Rationale It is recommended that systems not accept router advertisements as they could be tricked
# into routing traffic to compromised machines. Setting hard routes within the system (usually a single
# default route to a trusted router) protects the system from bad routes.
###Recommendation###
# Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
# net.ipv6.conf.all.accept_ra = 0net.ipv6.conf.default.accept_ra = 0 Run
# the following commands to set the active kernel parameters: # sysctl -w
# net.ipv6.conf.all.accept_ra=0# sysctl -w net.ipv6.conf.default.accept_ra=0# sysctl -w
# net.ipv6.route.flush=1
######
echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
sudo sysctl -w net.ipv6.conf.all.accept_ra = 0
sudo sysctl -w net.ipv6.conf.default.accept_ra = 0
sudo sysctl -w net.ipv6.route.flush = 1
# 3.3.3 Ensure /etc/hosts.deny is configured (worked)
###Description###
# The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host.
# It is intended to be used in conjunction with the /etc/hosts.allow file. Rationale The /etc/hosts.deny
# file serves as a failsafe so that any host not specified in / etc/hosts.allow is denied access to the system.
######
echo "ALL: ALL" >> /etc/hosts.deny
# 3.4.1 Ensure DCCP is disabled (worked)
###Description###
# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming
# media and telephony. DCCP provides a way to gain access to congestion control, without having to do it
# at the application layer, but does not provide in-sequence delivery. Rationale If the protocol is not required,
# it is recommended that the drivers not be installed to reduce the potential attack surface.
######
echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
# 3.4.2 Ensure SCTP is disabled (worked)
###Description###
# The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support
# message oriented communication, with several streams of messages in one connection. It serves a
# similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP,
# and ensures reliable in-sequence transport of messages with congestion control like TCP. Rationale
# If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the
# service to reduce the potential attack surface.
######
echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
# 3.4.3 Ensure RDS is disabled (worked)
###Description###
# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to
# provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the
# Oracle Corporation. Rationale If the protocol is not being used, it is recommended that kernel
# module not be loaded, disabling the service to reduce the potential attack surface.
######
echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
# 3.4.4 Ensure TIPC is disabled (worked)
###Description###
# The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication
# between cluster nodes. Rationale If the protocol is not being used, it is recommended that kernel
# module not be loaded, disabling the service to reduce the potential attack surface.
echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
# 3.5.1.1 Ensure default deny firewall policy (fixed)
###Description###
# A default deny all policy on connections ensures that any unconfigured network usage
# will be rejected. Rationale With a default accept policy the firewall will accept any
# packet that is not configured to be denied. It is easier to white list acceptable usage
# than to black list unacceptable usage.
###Recommendation###
# Run the following commands to implement a default DROP policy: # iptables -P
# INPUT DROP# iptables -P OUTPUT DROP# iptables -P FORWARD DROP
######
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# 3.5.1.2 Ensure loopback traffic is configured (fixed)
###Description ###
# Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic
# to the loopback network (127.0.0.0/8). Rationale Loopback traffic is generated between processes
# on machine and is typically critical to operation of the system. The loopback interface is the
# only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should
# ignore traffic on this network as an anti-spoofing measure.
###Recommendation###
# Run the following commands to implement the loopback rules: # iptables -A INPUT
# -i lo -j ACCEPT# iptables -A OUTPUT -o lo -j ACCEPT# iptables -A INPUT -s
# 127.0.0.0/8 -j DROP
######
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# 3.5.1.4 Ensure firewall rules exist for all open ports
###Description###
# Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
# Rationale Without a firewall rule configured for open ports default firewall policy will
# drop all packets to these ports.
###Recommendation###
# For each port identified in the audit which does not have a firewall rule establish a
# proper rule for accepting inbound connections:
# iptables -A INPUT -p <protocol> -- dport <port> -m state --state NEW -j ACCEPT
######
# 3.5.2.1 Ensure IPv6 default deny firewall policy (fixed)
###Description###
# A default deny all policy on connections ensures that any unconfigured network usage will be rejected.
# Rationale With a default accept policy the firewall will accept any packet that is not configured to be denied.
# It is easier to white list acceptable usage than to black list unacceptable usage.
###Recommendation###
# Run the following commands to implement a default DROP policy: # ip6tables -P
# INPUT DROP# ip6tables -P OUTPUT DROP# ip6tables -P FORWARD DROP
######
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# 3.5.2.2 Ensure IPv6 loopback traffic is configured (fixed)
###Description###
# Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic
# to the loopback network (::1). Rationale Loopback traffic is generated between processes on machine
# and is typically critical to operation of the system. The loopback interface is the only place that
# loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this
# network as an anti- spoofing measure.
###Recommendation###
# Run the following commands to implement the loopback rules: # ip6tables -A INPUT -
# i lo -j ACCEPT# ip6tables -A OUTPUT -o lo -j ACCEPT# ip6tables -A INPUT -s ::1 -j
# DROP
######
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP
# 4.2.4 Ensure permissions on all logfiles are configured (fixed)
###Description###
# Log files stored in /var/log/ contain logged information from many services on the system,
# or on log hosts others as well. Rationale It is important to ensure that log files have
# the correct permissions to ensure that sensitive data is archived and protected.
###Recommendation###
# Run the following command to set permissions on all existing log files: # find -L /var/
# log -type f -exec chmod g-wx,o-rwx {} +
######
find -L /var/log -type f -exe chmod g-wx,o-rwx {} +
# 4.2.1.3 Ensure rsyslog default file permissions configured (worked)
###Description###
# rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions
# will be applied to these newly created files. Rationale It is important to ensure that log files have the
# correct permissions to ensure that sensitive data is archived and protected.
######
echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
# 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
###Description###
# The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8)
# or to receive messages from remote hosts, reducing administrative overhead. Rationale Storing log data
# on a remote host protects log integrity from local attacks. If an attacker gains root access on the
# local system, they could tamper with or remove log data that is stored on the local system
###Recommendation###
# Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following
# line (where loghost.example.com is the name of your central log host). *.*
# @@loghost.example.com Run the following command to reload the rsyslogd
# configuration: # pkill -HUP rsyslogd
######
# 5.6 Ensure access to the su command is restricted (worked)
###Description###
# The su command allows a user to run a command or shell as another user. The program has been superseded by sudo ,
# which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By
# uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group
# to execute su . Rationale Restricting the use of su , and using sudo in its place, provides system administrators
# better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides
# a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record
# that a user executed the su program.
######
echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
# 5.1.2 Ensure permissions on /etc/crontab are configured (worked)
###Description###
# The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure
# that root is the user and group owner of the file and that only the owner can access the file.
# Rationale This file contains information on what system jobs are run by cron. Write access to these files
# could provide unprivileged users with the ability to elevate their privileges. Read access to these files
# could provide users with the ability to gain insight on system jobs that run on the system and could provide
# them a way to gain unauthorized privileged access.
######
sudo chown root:root /etc/crontab
sudo chmod og-rwx /etc/crontab
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (worked)
###Description###
# This directory contains system cron jobs that need to run on an hourly basis.
# The files in this directory cannot be manipulated by the crontab command, but are instead edited
# by system administrators using a text editor. The commands below restrict read/write and search
# access to user and group root, preventing regular users from accessing this directory. Rationale
# Granting write access to this directory for non-privileged users could provide them the means for
# gaining unauthorized elevated privileges. Granting read access to this directory could give an
# unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
######
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
# 5.1.4 Ensure permissions on /etc/cron.daily are configured (worked)
###Description###
# The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis.
# The files in this directory cannot be manipulated by the crontab command, but are instead
# edited by system administrators using a text editor. The commands below restrict read/write
# and search access to user and group root, preventing regular users from accessing this directory.
# Rationale Granting write access to this directory for non-privileged users could provide them the
# means for gaining unauthorized elevated privileges. Granting read access to this directory could
# give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
######
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (worked)
###Description###
# The /etc/cron.weekly directory contains system cron jobs that need
# to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command,
# but are instead edited by system administrators using a text editor. The commands below restrict
# read/write and search access to user and group root, preventing regular users from accessing this directory.
# Rationale Granting write access to this directory for non-privileged users could provide them the means
# for gaining unauthorized elevated privileges. Granting read access to this directory could give an
# unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
######
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (worked)
###Description###
# The /etc/cron.monthly directory contains system cron jobs that need
# to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command,
# but are instead edited by system administrators using a text editor. The commands below restrict read/write
# and search access to user and group root, preventing regular users from accessing this directory.
# Rationale Granting write access to this directory for non-privileged users could provide them the means
# for gaining unauthorized elevated privileges. Granting read access to this directory could give an
# unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
######
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
# 5.1.7 Ensure permissions on /etc/cron.d are configured (worked)
###Description###
# The /etc/cron.d directory contains system cron jobs that need to run in a similar manner
# to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control
# as to when they run. The files in this directory cannot be manipulated by the crontab command,
# but are instead edited by system administrators using a text editor. The commands below restrict
# read/write and search access to user and group root, preventing regular users from accessing this directory.
# Rationale Granting write access to this directory for non-privileged users could provide them the means for
# gaining unauthorized elevated privileges. Granting read access to this directory could give an
# unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
######
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
# 5.1.8 Ensure at/cron is restricted to authorized users (worked)
###Description###
# Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services.
# If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/ cron.deny are checked.
# Any user not specifically defined in those files is allowed to use at and cron. By removing the files,
# only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a
# given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file
# only controls administrative access to the crontab command for scheduling and modifying cron jobs.
# Rationale On many systems, only the system administrator is authorized to schedule cron jobs.
# Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an
# allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to
# add it to the deny files.
######
rm /etc/cron.deny
rm /etc/at.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod og-rwx /etc/cron.allow
chmod og-rwx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow
# 5.2.4 Ensure SSH Protocol is set to 2 (worked)
###Description###
# SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol
# and was subject to security issues. SSH2 is more advanced and secure. Rationale SSH v1 suffers from
# insecurities that do not affect SSH v2.
######
cat /etc/ssh/sshd_config | grep -v Protocol > /etc/ssh/sshd_config.new
echo "Protocol 2" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.5 Ensure SSH LogLevel is appropriate (worked)
###Description###
# INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response,
# it is important to determine when a particular user was active on a system. The logout record can eliminate those users
# who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as
# the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management,
# especially in legacy environments. Rationale SSH provides several logging levels with varying amounts of verbosity.
# DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much
# data that it is difficult to identify important security information.
######
cat /etc/ssh/sshd_config | grep -v LogLevel > /etc/ssh/sshd_config.new
echo "LogLevel VERBOSE" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.6 Ensure SSH X11 forwarding is disabled
###Description###
# The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to
# enable remote graphic connections. Rationale Disable X11 forwarding unless there is an operational
# requirement to use X11 applications directly. There is a small risk that the remote X11 servers of
# users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.
# Note that even if X11 forwarding is disabled, users can always install their own forwarders.
###Recommendation###
# Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no
######
cat /etc/ssh/sshd_config | grep -v X11Forwarding > /etc/ssh/sshd_config.new
echo "X11Forwarding no" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (worked)
###Description###
# The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per
# connection. When the login failure count reaches half the number, error messages will be written
# to the syslog file detailing the login failure. Rationale Setting the MaxAuthTries parameter
# to a low number will minimize the risk of successful brute force attacks to the SSH server.
# While the recommended setting is 4, set the number based on site policy.
######
cat /etc/ssh/sshd_config | grep -v MaxAuthTries > /etc/ssh/sshd_config.new
echo "MaxAuthTries 4" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.8 Ensure SSH IgnoreRhosts is enabled (worked)
###Description###
# The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in
# RhostsRSAAuthentication or HostbasedAuthentication . Rationale Setting this parameter
# forces users to enter a password when authenticating with ssh.
######
cat /etc/ssh/sshd_config | grep -v IgnoreRhosts > /etc/ssh/sshd_config.new
echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.9 Ensure SSH HostbasedAuthentication is disabled (worked)
###Description###
# The HostbasedAuthentication parameter specifies if authentication is allowed through trusted
# hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client
# host authentication. This option only applies to SSH Protocol Version 2. Rationale Even though
# the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability
# to use .rhosts files in SSH provides an additional layer of protection .
######
cat /etc/ssh/sshd_config | grep -v HostbasedAuthentication > /etc/ssh/sshd_config.new
echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.10 Ensure SSH root login is disabled (worked)
###Description###
# The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.
# Rationale Disallowing root logins over SSH requires system admins to authenticate using their own
# individual account, then escalating to root via sudo or su . This in turn limits opportunity
# for non-repudiation and provides a clear audit trail in the event of a security incident
######
cat /etc/ssh/sshd_config | grep -v PermitRootLogin > /etc/ssh/sshd_config.new
echo "PermitRootLogin no" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (worked)
###Description###
# The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.
# Rationale Disallowing remote shell access to accounts that have an empty password reduces the probability
# of unauthorized access to the system
######
cat /etc/ssh/sshd_config | grep -v PermitEmptyPasswords > /etc/ssh/sshd_config.new
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.12 Ensure SSH PermitUserEnvironment is disabled (worked)
###Description###
# The PermitUserEnvironment option allows users to present environment options to the ssh daemon.
# Rationale Permitting users the ability to set environment variables through the SSH daemon could potentially
# allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)
######
cat /etc/ssh/sshd_config | grep -v PermitUserEnvironment > /etc/ssh/sshd_config.new
echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.13 Ensure only strong ciphers are used
###Description###
# Description This variable limits the ciphers that SSH can use during communication.
# Rationale Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide
# confidentiality or integrity, and system data may
# be compromised The DES, Triple DES, and Blowfish ciphers, as used in SSH, have
# a birthday bound of approximately four billion blocks, which makes it easier for
# remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a
# "Sweet32" attack The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data
# with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext- recovery
# attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by
# the Invariance Weakness, and then using a brute- force approach involving LSB values, aka the "Bar Mitzvah" issue
# The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay
# the session Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher
# Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block
# of ciphertext in an SSH session via unknown vectors The mm_newkeys_from_blob function in monitor_wrap.c, when an
# AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote
# authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a
# crafted callback address
###Recommendation###
# Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma
# separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@op
# enssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ct
# r,aes128-ctr
######
# 5.2.14 Ensure only strong MAC algorithms are used
###Description###
# This variable limits the types of MAC algorithms that SSH can use during communication.
# Rationale MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability
# in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be
# exploited with expanded computing power. An attacker that breaks the algorithm could take advantage
# of a MiTM position to decrypt the SSH tunnel and capture credentials and information
###Recommendation###
# Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma
# separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openss
# h.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
######
# 5.2.15 Ensure that strong Key Exchange algorithms are used
###Description###
# Key exchange is any method in cryptography by which cryptographic keys are exchanged between two
# parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange
# encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages
# received Rationale Key exchange methods that are considered weak should be removed.
# A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak.
# Using weak algorithms could expose connections to man-in-the-middle attacks
###Recommendation###
# Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain
# a comma separated list of the site approved key exchange algorithms Example:
# KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-gr
# oup14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sh
# a2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchangesha256
######
# 5.2.16 Ensure SSH Idle Timeout Interval is configured (fixed)
###Description###
# The two options ClientAliveInterval and ClientAliveCountMax control
# the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no
# activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set,
# sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive
# client alive messages are sent with no response from the client, the ssh session is terminated. For example,
# if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session
# will be terminated after 45 seconds of idle time. Rationale Having no timeout value associated with a connection could
# allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't
# lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting
# is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0.
# In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.
###Recommendation###
# Edit the /etc/ssh/sshd_config file to set the parameters according to site policy:
# ClientAliveInterval 300 ClientAliveCountMax 0
######
cat /etc/ssh/sshd_config | grep -v ClientAliveInterval > /etc/ssh/sshd_config.new
echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
cat /etc/ssh/sshd_config | grep -v ClientAliveCountMax > /etc/ssh/sshd_config.new
echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new
# 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (worked)
###Description###
# The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server.
# The longer the Grace period is the more open unauthenticated connections can exist. Like other session
# controls in this session the Grace Period should be limited to appropriate organizational limits to ensure
# the service is available for needed access. Rationale Setting the LoginGraceTime parameter to a low
# number will minimize the risk of successful brute force attacks to the SSH server. It will also limit
# the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute),
# set the number based on site policy.
######
cat /etc/ssh/sshd_config | grep -v LoginGraceTime > /etc/ssh/sshd_config.new
echo "LoginGraceTime 60">>/etc/ssh/sshd_config.new
cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config
rm /etc/ssh/sshd_config.new