Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
535 lines (452 sloc) 31.6 KB
# CentOS 7 Secure Template Build, Lean OS Footprint
# for securing existing/already-deployed hosts with some CIS recommended configuration guidelines
#
# ----------------------------------------------------------------------------------------------------------
# Based on CentOS-7-x86_64-Minimal-1810.iso
#
# SHA256: 38d5d51d9d100fd73df031ffd6bd8b1297ce24660dc8c13a3b8b4534a4bd291c
# SHA1: 5833cb3189a61c02abf50fb8c2db16cfa669bc3c
# MD5: bd43d41e01c2a46b3cb23eb9139dce4b
#
# CIS CentOS Linux 7 Benchmark 2.1.0 - 06-02-2016
# Check https://www.cisecurity.org/benchmark/centos_linux/ for updates.
#
# The following assumes defaults as set from install media. Any defaults which already comply to
# CIS recommendations are not mentioned here.
#
# Step 1: Determine strong passwords for root and GRUB.
# Step 2: Determine a logon warning banner (generic example used here). All networking values
# (IP, mask, gateway, primary and secondary DNS) is expected to be configured statically.
# Step 3: After OS install completes, run through the commands here.
# Step 4: Profit?
#
# ----------------------------------------------------------------------------------------------------------
# 1.1.2, 1.1.6, 1.1.7, 1.1.11, 1.1.12, 1.1.13, Ensure separate partition exists for /tmp, /var, /var/tmp, /var/log, /var/log/audit, /home.
# Below is an example based on a 25 GB disk. Season to taste.
#
# /boot 512 MB
# /home 1024 MB
# /tmp 512 MB
# /usr 5120 MB
# /var 2048 MB
# /var/tmp 512 MB
# /var/log 10240 MB
# /var/log/audit 512 MB
# swap 2048 MB (highly dependent on system use, allocated memory, if hibernation is required, etc.)
# / Remaining available disk space
#
# ----------------------------------------------------------------------------------------------------------
echo 'CIS CentOS Linux 7 Benchmark 2.1.0 auto-configuration starting...'
echo ''
#
echo '1.1.1 - 1.1.1.8, disable unused filesystems'
echo "install cramfs /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install freevxfs /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install jffs2 /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install hfs /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install hfsplus /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install squashfs /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install udf /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo "install vfat /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '1.1.2 Ensure separate partition exists for /tmp'
echo "[Mount]" >> /etc/systemd/system/local-fs.target.wants/tmp.mount
echo "Options=mode=1777,strictatime,noexec,nodev,nosuid" >> /etc/systemd/system/local-fs.target.wants/tmp.mount
echo '1.1.3 - 1.1.17, nodev, nosuid, noexec options'
sed -i 's/^\/dev\/mapper\/centos-tmp/#\/dev\/mapper\/centos-tmp/' /etc/fstab
echo "/dev/mapper/centos-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab
sed -i 's/^\/dev\/mapper\/centos-var_tmp/#\/dev\/mapper\/centos-var_tmp/' /etc/fstab
echo "/dev/mapper/centos-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab
sed -i 's/^\/dev\/mapper\/centos-home/#\/dev\/mapper\/centos-home/' /etc/fstab
echo "/dev/mapper/centos-home /home xfs defaults,nodev 0 0" >> /etc/fstab
echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab
echo '1.2.2 Ensure GPG keys are configured'
rpm --import /etc/pki/rpm-gpg/*
echo '1.3.1 Ensure AIDE is installed'
checkrpmaide=$(rpm -qa | grep '^aide-' | cut -d '-' -f1)
if [ "$checkrpmaide" != "aide" ]; then
echo 'AIDE is not installed, now running yum -y install aide'
yum -y install aide
fi
echo 'Initializing AIDE, this may take a while'
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo '1.3.2 Ensure filesystem integrity is regularly checked'
(crontab -l ; echo "0 5 * * * /usr/sbin/aide --check") 2>&1 | grep -v "no crontab" | sort | uniq | crontab -
echo '1.4.1 Ensure permissions on bootloader config are configured'
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg
echo '1.4.3 Ensure authentication required for single user mode'
sed -i 's/\/usr\/sbin\/sulogin/\/sbin\/sulogin/' /usr/lib/systemd/system/rescue.service
sed -i 's/\/usr\/sbin\/sulogin/\/sbin\/sulogin/' /usr/lib/systemd/system/emergency.service
echo '1.5.1 Ensure core dumps are restricted'
sed -i "54i * hard core 0" /etc/security/limits.conf
echo '1.7.1.1 Ensure message of the day is configured properly'
cat /dev/null > /etc/motd
echo "- - - - - - - - - - - W A R N I N G - - - - - - - - - - -" >> /etc/motd
echo "" >> /etc/motd
echo "This system is for the use of authorized users only. " >> /etc/motd
echo "Individuals using this computer system without" >> /etc/motd
echo "authority, or in excess of their authority, are subject" >> /etc/motd
echo "to having all of their activities on this system" >> /etc/motd
echo "monitored and recorded by system personnel. In the" >> /etc/motd
echo "course of monitoring individuals improperly using this" >> /etc/motd
echo "system, or in the course of system maintenance, the" >> /etc/motd
echo "activities of authorized users may also be monitored. " >> /etc/motd
echo "Anyone using this system expressly consents to such" >> /etc/motd
echo "monitoring and is advised that if such monitoring" >> /etc/motd
echo "reveals possible evidence of criminal activity, system" >> /etc/motd
echo "personnel may provide the evidence of such monitoring" >> /etc/motd
echo "to law enforcement officials." >> /etc/motd
echo "" >> /etc/motd
echo "Access is restricted to authorized users only." >> /etc/motd
echo "Unauthorized access is a violation of state and federal," >> /etc/motd
echo "civil and criminal laws." >> /etc/motd
echo "" >> /etc/motd
echo "DISCONNECT IMMEDIATELY if you do not agree to the " >> /etc/motd
echo "conditions stated in this warning." >> /etc/motd
echo "" >> /etc/motd
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - -" >> /etc/motd
echo "" >> /etc/motd
echo '1.7.1.2 Ensure local login warning banner is configured properly'
cat /dev/null > /etc/issue
echo "- - - - - - - - - - - W A R N I N G - - - - - - - - - - -" >> /etc/issue
echo "" >> /etc/issue
echo "This system is for the use of authorized users only. " >> /etc/issue
echo "Individuals using this computer system without" >> /etc/issue
echo "authority, or in excess of their authority, are subject" >> /etc/issue
echo "to having all of their activities on this system" >> /etc/issue
echo "monitored and recorded by system personnel. In the" >> /etc/issue
echo "course of monitoring individuals improperly using this" >> /etc/issue
echo "system, or in the course of system maintenance, the" >> /etc/issue
echo "activities of authorized users may also be monitored. " >> /etc/issue
echo "Anyone using this system expressly consents to such" >> /etc/issue
echo "monitoring and is advised that if such monitoring" >> /etc/issue
echo "reveals possible evidence of criminal activity, system" >> /etc/issue
echo "personnel may provide the evidence of such monitoring" >> /etc/issue
echo "to law enforcement officials." >> /etc/issue
echo "" >> /etc/issue
echo "Access is restricted to authorized users only." >> /etc/issue
echo "Unauthorized access is a violation of state and federal," >> /etc/issue
echo "civil and criminal laws." >> /etc/issue
echo "" >> /etc/issue
echo "DISCONNECT IMMEDIATELY if you do not agree to the " >> /etc/issue
echo "conditions stated in this warning." >> /etc/issue
echo "" >> /etc/issue
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - -" >> /etc/issue
echo "" >> /etc/issue
echo '1.7.1.3 Ensure remote login warning banner is configured properly'
cat /dev/null > /etc/issue.net
echo "- - - - - - - - - - - W A R N I N G - - - - - - - - - - -" >> /etc/issue.net
echo "" >> /etc/issue.net
echo "This system is for the use of authorized users only. " >> /etc/issue.net
echo "Individuals using this computer system without" >> /etc/issue.net
echo "authority, or in excess of their authority, are subject" >> /etc/issue.net
echo "to having all of their activities on this system" >> /etc/issue.net
echo "monitored and recorded by system personnel. In the" >> /etc/issue.net
echo "course of monitoring individuals improperly using this" >> /etc/issue.net
echo "system, or in the course of system maintenance, the" >> /etc/issue.net
echo "activities of authorized users may also be monitored. " >> /etc/issue.net
echo "Anyone using this system expressly consents to such" >> /etc/issue.net
echo "monitoring and is advised that if such monitoring" >> /etc/issue.net
echo "reveals possible evidence of criminal activity, system" >> /etc/issue.net
echo "personnel may provide the evidence of such monitoring" >> /etc/issue.net
echo "to law enforcement officials." >> /etc/issue.net
echo "" >> /etc/issue.net
echo "Access is restricted to authorized users only." >> /etc/issue.net
echo "Unauthorized access is a violation of state and federal," >> /etc/issue.net
echo "civil and criminal laws." >> /etc/issue.net
echo "" >> /etc/issue.net
echo "DISCONNECT IMMEDIATELY if you do not agree to the " >> /etc/issue.net
echo "conditions stated in this warning." >> /etc/issue.net
echo "" >> /etc/issue.net
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - -" >> /etc/issue.net
echo "" >> /etc/issue.net
echo '2.2.1.3 Ensure chrony is configured'
checkrpmchrony=$(rpm -qa | grep '^chrony-' | cut -d '-' -f1)
if [ "$checkrpmchrony" != "chrony" ]; then
echo 'chrony is not installed, now running yum -y install chrony'
yum -y install chrony
fi
sed -i 's/OPTIONS=""/OPTIONS="-u chrony"/' /etc/sysconfig/chronyd
echo '3.1.2 Ensure packet redirect sending is disabled'
echo 'net.ipv4.conf.all.send_redirects = 0' >> /etc/sysctl.conf
echo 'net.ipv4.conf.default.send_redirects = 0' >> /etc/sysctl.conf
echo '3.2.2 Ensure ICMP redirects are not accepted'
echo 'net.ipv4.conf.all.accept_redirects = 0' >> /etc/sysctl.conf
echo 'net.ipv4.conf.default.accept_redirects = 0' >> /etc/sysctl.conf
echo '3.2.3 Ensure secure ICMP redirects are not accepted'
echo 'net.ipv4.conf.all.secure_redirects = 0 ' >> /etc/sysctl.conf
echo 'net.ipv4.conf.default.secure_redirects = 0' >> /etc/sysctl.conf
echo '3.2.4 Ensure suspicious packets are logged'
echo 'net.ipv4.conf.all.log_martians = 1' >> /etc/sysctl.conf
echo 'net.ipv4.conf.default.log_martians = 1' >> /etc/sysctl.conf
echo '3.3.1 Ensure IPv6 router advertisements are not accepted'
echo 'net.ipv6.conf.all.accept_ra = 0' >> /etc/sysctl.conf
echo 'net.ipv6.conf.default.accept_ra = 0' >> /etc/sysctl.conf
echo '3.3.2 Ensure IPv6 redirects are not accepted'
echo 'net.ipv6.conf.all.accept_redirects = 0' >> /etc/sysctl.conf
echo 'net.ipv6.conf.default.accept_redirects = 0' >> /etc/sysctl.conf
echo '3.3.3 Ensure IPv6 is disabled'
echo "options ipv6 disable=1" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '3.4.1 Ensure TCP Wrappers is installed'
checkrpmtcpwrappers=$(rpm -qa | grep -v 'tcp_wrappers-libs' | grep '^tcp_wrappers-' | cut -d '-' -f1 | uniq)
if [ "$checkrpmtcpwrappers" != "tcp_wrappers" ]; then
echo 'tcp_wrappers is not installed, now running yum -y install tcp_wrappers'
yum -y install tcp_wrappers
fi
echo '3.4.2 Ensure /etc/hosts.allow is configured'
# Note that this is a relatively insecure configuration! The IP ranges below should be changed to
# just your management source network instead!
echo "sshd : 10.0.0.0/8" >> /etc/hosts.allow
echo "sshd : 172.16.0.0/12" >> /etc/hosts.allow
echo "sshd : 192.168.0.0/16" >> /etc/hosts.allow
echo '3.4.3 Ensure /etc/hosts.deny is configured'
echo "ALL: ALL" >> /etc/hosts.deny
echo '3.5.1 Ensure DCCP is disabled'
echo "install dccp /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '3.5.2 Ensure SCTP is disabled'
echo "install sctp /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '3.5.3 Ensure RDS is disabled'
echo "install rds /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '3.5.4 Ensure TIPC is disabled'
echo "install tipc /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
echo '3.6 Firewall Configuration'
# Basic setup to comply with CIS recommendations
# This section will likely require significant tweaking depending on environment requirements.
# RFC1918 addresses are set as "management" sources in this example which is almost certainly too wide
# and should be reduced as practical.
#
# Note: firewalld is installed/enabled by default, and this example assumes firewalld is replaced by iptables
#
yum -y install iptables-services
systemctl stop firewalld && systemctl disable firewalld
systemctl enable iptables && systemctl start iptables
cp /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config.backup
iptables -F
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
service iptables save
echo '4.1.1.2 Ensure system is disabled when audit logs are full'
cp /etc/audit/auditd.conf /etc/audit/auditd.conf.backup
sed -i 's/space_left_action = SYSLOG/space_left_action = email/' /etc/audit/auditd.conf
sed -i 's/admin_space_left_action = SUSPEND/admin_space_left_action = halt/' /etc/audit/auditd.conf
echo '4.1.1.3 Ensure audit logs are not automatically deleted'
sed -i 's/max_log_file_action = ROTATE/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
echo '4.1.3 Ensure auditing for processes that start prior to auditd is enabled'
cp /etc/default/grub /etc/default/grub.backup
sed -i 's/GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos\/root rd.lvm.lv=centos\/swap rd.lvm.lv=centos\/usr rhgb quiet"/GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos\/root rd.lvm.lv=centos\/swap rd.lvm.lv=centos\/usr rhgb quiet audit=1"/' /etc/default/grub
grub2-mkconfig > /boot/grub2/grub.cfg
# Note: due to the issue referenced in https://access.redhat.com/solutions/1505033, rules will be written to /etc/audit/rules.d/cis-recommended.rules instead of what's mentioned in the CIS benchmark.
echo '4.1.4 Ensure events that modify date and time information are collected'
echo "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b64 -S clock_settime -k time-change" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S clock_settime -k time-change" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.5 Ensure events that modify user/group information are collected'
echo "-w /etc/group -p wa -k identity" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/gshadow -p wa -k identity" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/shadow -p wa -k identity" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/security/opasswd -p wa -k identity" >> /etc/audit/rules.d/cis-recommended.rules
echo "4.1.6 Ensure events that modify the system's network environment are collected"
echo "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/rules.d/cis-recommended.rules
echo "4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected"
echo "-w /etc/selinux/ -p wa -k MAC-policy" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.8 Ensure login and logout events are collected'
echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.9 Ensure session initiation information is collected'
echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.10 Ensure discretionary access control permission modification events are collected'
echo "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.11 Ensure unsuccessful unauthorized file access attempts are collected'
echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.12 Ensure use of privileged commands is collected'
#
# Note: the following accounts for /usr only - if there are other partitions this list should be updated
echo "-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.13 Ensure successful file system mounts are collected'
echo "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.14 Ensure file deletion events by users are collected'
echo "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.15 Ensure changes to system administration scope (sudoers) is collected'
echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.16 Ensure system administrator actions (sudolog) are collected'
echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.17 Ensure kernel module loading and unloading is collected'
echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/rules.d/cis-recommended.rules
echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/cis-recommended.rules
echo "-a always,exit arch=b64 -S init_module -S delete_module -k modules" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.1.18 Ensure the audit configuration is immutable'
echo "-e 2" >> /etc/audit/rules.d/cis-recommended.rules
echo '4.2.4 Ensure permissions on all logfiles are configured'
find /var/log -type f -exec chmod g-wx,o-rwx {} +
echo '4.3 Ensure logrotate is configured'
cp /etc/logrotate.conf /etc/logrotate.conf.backup
sed -i 's/# rotate log files weekly/# rotate log files daily/' /etc/logrotate.conf
sed -i 's/^weekly/daily/' /etc/logrotate.conf
sed -i 's/# keep 4 weeks worth of backlogs/# keep 30 days worth of backlogs/' /etc/logrotate.conf
sed -i 's/^rotate 4/rotate 30/' /etc/logrotate.conf
sed -i 's/^#compress/compress/' /etc/logrotate.conf
sed -i 's/rotate 7/rotate 30/' /etc/logrotate.d/bootlog
rm -f /etc/logrotate.d/wpa_supplicant
echo "/var/log/messages" >> /etc/logrotate.d/syslog-ng
echo "/var/log/secure" >> /etc/logrotate.d/syslog-ng
echo "/var/log/maillog" >> /etc/logrotate.d/syslog-ng
echo "/var/log/spooler" >> /etc/logrotate.d/syslog-ng
echo "/var/log/boot.log" >> /etc/logrotate.d/syslog-ng
echo "/var/log/cron" >> /etc/logrotate.d/syslog-ng
echo "/var/log/kern" >> /etc/logrotate.d/syslog-ng
echo "{" >> /etc/logrotate.d/syslog-ng
echo -e "\trotate 30" >> /etc/logrotate.d/syslog-ng
echo -e "\tdaily" >> /etc/logrotate.d/syslog-ng
echo -e "\tmissingok" >> /etc/logrotate.d/syslog-ng
echo -e "\tnotifempty" >> /etc/logrotate.d/syslog-ng
echo -e "\tcompress" >> /etc/logrotate.d/syslog-ng
echo -e "\tpostrotate" >> /etc/logrotate.d/syslog-ng
echo -e "\t\tinvoke-rc.d syslog-ng reload > /dev/null" >> /etc/logrotate.d/syslog-ng
echo -e "\tendscript" >> /etc/logrotate.d/syslog-ng
echo "}" >> /etc/logrotate.d/syslog-ng
echo '5.1.2 Ensure permissions on /etc/crontab are configured'
chmod 0600 /etc/crontab
echo '5.1.3 Ensure permissions on /etc/cron.hourly are configured'
chmod 0600 /etc/cron.hourly
echo '5.1.4 Ensure permissions on /etc/cron.daily are configured'
chmod 0600 /etc/cron.daily
echo '5.1.5 Ensure permissions on /etc/cron.weekly are configured'
chmod 0600 /etc/cron.weekly
echo '5.1.6 Ensure permissions on /etc/cron.monthly are configured'
chmod 0600 /etc/cron.monthly
echo '5.1.7 Ensure permissions on /etc/cron.d are configured'
chmod 0600 /etc/cron.d
echo '5.1.8 Ensure at/cron is restricted to authorized users'
rm -f /etc/cron.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod og-rwx /etc/cron.allow
chmod og-rwx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow
echo '5.2.2 Ensure SSH Protocol is set to 2'
echo "Protocol 2" >> /etc/ssh/sshd_config
echo '5.2.3 Ensure SSH LogLevel is set to INFO'
sed -i 's/#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
echo '5.2.4 Ensure SSH X11 forwarding is disabled'
sed -i 's/X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
echo '5.2.5 Ensure SSH MaxAuthTries is set to 4 or less'
sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/' /etc/ssh/sshd_config
echo '5.2.6 Ensure SSH IgnoreRhosts is enabled'
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/' /etc/ssh/sshd_config
echo '5.2.7 Ensure SSH HostbasedAuthentication is disabled'
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/' /etc/ssh/sshd_config
echo '5.2.8 Ensure SSH root login is disabled'
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
echo '5.2.9 Ensure SSH PermitEmptyPasswords is disabled'
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
echo '5.2.10 Ensure SSH PermitUserEnvironment is disabled'
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/' /etc/ssh/sshd_config
echo '5.2.11 Ensure only approved ciphers are used'
echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
echo '5.2.12 Ensure only approved MAC algorithms are used'
echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" >> /etc/ssh/sshd_config
echo '5.2.13 Ensure SSH Idle Timeout Interval is configured'
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/' /etc/ssh/sshd_config
echo '5.2.14 Ensure SSH LoginGraceTime is set to one minute or less'
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/' /etc/ssh/sshd_config
echo '5.2.16 Ensure SSH warning banner is configured'
sed -i 's/#Banner none/Banner \/etc\/issue.net/' /etc/ssh/sshd_config
echo '5.3.1 Ensure password creation requirements are configured'
sed -i 's/password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=/password requisite pam_pwquality.so try_first_pass retry=3/' /etc/pam.d/password-auth
sed -i 's/password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=/password requisite pam_pwquality.so try_first_pass retry=3/' /etc/pam.d/system-auth
sed -i 's/# minlen = 9/minlen = 14/' /etc/security/pwquality.conf
sed -i 's/# dcredit = 1/dcredit = 1/' /etc/security/pwquality.conf
sed -i 's/# lcredit = 1/lcredit = 1/' /etc/security/pwquality.conf
sed -i 's/# ocredit = 1/ocredit = 1/' /etc/security/pwquality.conf
sed -i 's/# ucredit = 1/ucredit = 1/' /etc/security/pwquality.conf
echo '5.3.3 Ensure password reuse is limited'
sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/' /etc/pam.d/password-auth
sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/' /etc/pam.d/system-auth
echo '5.4.1.1 Ensure password expiration is 90 days or less'
sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
echo '5.4.1.2 Ensure minimum days between password changes is 7 or more'
sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t7/' /etc/login.defs
echo '5.4.1.4 Ensure inactive password lock is 30 days or less'
useradd -D -f 30
echo '5.4.4 Ensure default user umask is 027 or more restrictive'
sed -i 's/umask 002/umask 027/' /etc/bashrc
sed -i 's/umask 022/umask 027/' /etc/bashrc
sed -i 's/umask 002/umask 027/' /etc/profile
sed -i 's/umask 022/umask 027/' /etc/profile
echo '5.6 Ensure access to the su command is restricted'
sed -i 's/#auth\t\trequired\tpam_wheel.so use_uid/auth\t\trequired\tpam_wheel.so use_uid/' /etc/pam.d/su
echo '6.1.1 Audit system file permissions'
# Correction may need to be applied depending on the result.
rpm -Va --nomtime --nosize --nomd5 --nolinkto > /root/cis-6.1.1-audit-system-file-permissions
echo '6.1.6 Ensure permissions on /etc/passwd- are configured'
chmod 600 /etc/passwd-
echo '6.1.8 Ensure permissions on /etc/group- are configured'
chmod 600 /etc/group-
echo ''
echo 'End of CIS Benchmark auto-configuration. Yay.'
echo ''
You can’t perform that action at this time.