# CentOS 7 Secure Template Build, Lean OS Footprint
# for securing existing/already-deployed hosts with some CIS recommended configuration guidelines
#
# ----------------------------------------------------------------------------------------------------------
# Based on CentOS-7-x86_64-Minimal-1810.iso
#
# SHA256: 38d5d51d9d100fd73df031ffd6bd8b1297ce24660dc8c13a3b8b4534a4bd291c
# SHA1: 5833cb3189a61c02abf50fb8c2db16cfa669bc3c
# MD5: bd43d41e01c2a46b3cb23eb9139dce4b
#
# CIS CentOS Linux 7 Benchmark 2.1.0 - 06-02-2016
# Check https://www.cisecurity.org/benchmark/centos_linux/ for updates.
#
# The following assumes defaults as set from install media. Any defaults which already comply to
# CIS recommendations are not mentioned here.
#
# Step 1: Determine strong passwords for root and GRUB. (Note: this script does not itself set the
#         GRUB password - CIS 1.4.2 has to be applied separately before the image is promoted.)
# Step 2: Determine a logon warning banner (generic example used here). All networking values
# (IP, mask, gateway, primary and secondary DNS) are expected to be configured statically.
# Step 3: After OS install completes, run through the commands here as root. If you do this over SSH,
#         connect from an address inside the ranges used in 3.4.2 (/etc/hosts.allow) and 3.6 (iptables)
#         below - the current session survives, but any login from outside those ranges is refused afterwards.
# Step 4: Profit?
#
# ----------------------------------------------------------------------------------------------------------
# 1.1.2, 1.1.6, 1.1.7, 1.1.11, 1.1.12, 1.1.13, Ensure separate partition exists for /tmp, /var, /var/tmp, /var/log, /var/log/audit, /home.
# Below is an example based on a 25 GB disk. Season to taste.
#
# /boot 512 MB
# /home 1024 MB
# /tmp 512 MB
# /usr 5120 MB
# /var 2048 MB
# /var/tmp 512 MB
# /var/log 10240 MB
# /var/log/audit 512 MB
# swap 2048 MB (highly dependent on system use, allocated memory, if hibernation is required, etc.)
# / Remaining available disk space
#
# ----------------------------------------------------------------------------------------------------------
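echo 'CIS CentOS Linux 7 Benchmark 2.1.0 auto-configuration starting...'
echo ''
#
echo '1.1.1 - 1.1.1.8, disable unused filesystems'
# "install <module> /bin/true" makes modprobe run /bin/true instead of loading the
# module, so none of these filesystems can be mounted any more (CIS 1.1.1.1 - 1.1.1.8).
# NOTE(review): on a UEFI install /boot/efi is vfat - drop "vfat" from the list there,
# otherwise the EFI system partition can no longer be mounted.
# The same drop-in is appended to by later sections (3.3.3, 3.5.x); a line is only
# added when it is not already present so the script can be re-run without
# accumulating duplicates.
modprobe_conf=/etc/modprobe.d/cis-benchmark-hardening.conf
touch "$modprobe_conf"
for fs_module in cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat; do
  grep -qxF "install ${fs_module} /bin/true" "$modprobe_conf" \
    || echo "install ${fs_module} /bin/true" >> "$modprobe_conf"
done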
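echo '1.1.2 Ensure separate partition exists for /tmp'
# Preferred: /tmp is its own partition/LV and already has an fstab line (see the
# partition layout in the header); its mount options are hardened in place below.
# Fallback when it is not: the systemd tmpfs unit, the alternative remediation in
# CIS 1.1.2.  The hardened Options= go into a drop-in so a package update of
# /usr/lib/systemd/system/tmp.mount cannot revert them.  Appending a bare
# "[Mount]/Options=" fragment into local-fs.target.wants/ (the previous approach)
# does not yield a loadable unit, so it is not done.
if grep -qs '^[^#[:space:]]\S*\s\+/tmp\s' /etc/fstab; then
  echo '/tmp has its own fstab entry; hardening its mount options'
else
  echo 'no /tmp entry in fstab; falling back to the systemd tmpfs tmp.mount unit'
  systemctl unmask tmp.mount
  mkdir -p /etc/systemd/system/tmp.mount.d
  printf '[Mount]\nOptions=mode=1777,strictatime,noexec,nodev,nosuid\n' \
    > /etc/systemd/system/tmp.mount.d/cis-hardening.conf
  systemctl daemon-reload
  systemctl enable tmp.mount
fi
echo '1.1.3 - 1.1.17, nodev, nosuid, noexec options'
# Replace only the options column (4th field) of an existing fstab line, keeping
# device, mount point, fstype and the dump/pass columns untouched.  A mount point
# that has no fstab line is reported and skipped on purpose: appending a line for a
# device that does not exist on this host would drop the next boot into emergency
# mode.  Slashes in the mount point are escaped for the sed address.
harden_fstab_options() {
  local mount_point=$1 options=$2
  local mp_re=${mount_point//\//\\/}
  if grep -qs "^[^#[:space:]]\S*\s\+${mount_point}\s" /etc/fstab; then
    sed -i "/^[^#[:space:]]\S*\s\+${mp_re}\s/ s/^\(\S\+\s\+\S\+\s\+\S\+\s\+\)\S\+/\1${options}/" /etc/fstab
  else
    echo "WARNING: no fstab entry for ${mount_point}; CIS mount options not applied" >&2
  fi
}
harden_fstab_options /tmp     defaults,nodev,nosuid,noexec
harden_fstab_options /var/tmp defaults,nodev,nosuid,noexec
harden_fstab_options /home    defaults,nodev
# /dev/shm is mounted by systemd rather than from fstab on CentOS 7, so an entry
# is added (once) to enforce the options at boot (1.1.14 - 1.1.16).
grep -qs '\s/dev/shm\s' /etc/fstab \
  || echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab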
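echo '1.2.2 Ensure GPG keys are configured'
# Import every vendor key shipped on the install media so package signatures can
# be verified by yum/rpm.
rpm --import /etc/pki/rpm-gpg/*
echo '1.3.1 Ensure AIDE is installed'
# rpm -q exits non-zero when the package is absent; no need to grep/cut rpm -qa.
if ! rpm -q aide > /dev/null 2>&1; then
  echo 'AIDE is not installed, now running yum -y install aide'
  yum -y install aide
fi
echo 'Initializing AIDE, this may take a while'
# NOTE(review): the baseline taken here still reflects the pre-hardening state;
# the first scheduled check will therefore report every file this script touches
# afterwards.  Re-run "aide --init" and move the new database into place once the
# build is finished (and after any later change you make deliberately).
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo '1.3.2 Ensure filesystem integrity is regularly checked'
# Add the daily check only if root's crontab does not already contain one, so
# re-running the script does not stack duplicate entries.  Existing entries and
# their order are preserved.  The check's report goes to root's local mail; make
# sure that is actually read (or forwarded) or the integrity check is pointless.
if ! crontab -l 2>/dev/null | grep -qF '/usr/sbin/aide --check'; then
  (crontab -l 2>/dev/null; echo "0 5 * * * /usr/sbin/aide --check") | crontab -
fi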
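echo '1.4.1 Ensure permissions on bootloader config are configured'
# NOTE(review): this is the BIOS/legacy GRUB path.  On a UEFI install the live
# config is /boot/efi/EFI/centos/grub.cfg and needs the same treatment.
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg
# NOTE(review): CIS 1.4.2 (bootloader password) is NOT applied by this script even
# though the header asks for a GRUB password to be chosen; set it separately
# (e.g. grub2-setpassword where available, or a password_pbkdf2 entry under
# /etc/grub.d/) and re-run grub2-mkconfig.
echo '1.4.3 Ensure authentication required for single user mode'
# CIS requires rescue.service and emergency.service to invoke sulogin.  On the
# stock CentOS 7 units ExecStart already runs /usr/sbin/sulogin, and /sbin is a
# symlink to /usr/sbin, so rewriting the path (the previous approach) changed
# nothing.  Verify the requirement instead of editing units under /usr/lib, which
# a package update would overwrite anyway; if this ever warns, fix it with a
# drop-in under /etc/systemd/system/<unit>.service.d/.
for unit in rescue emergency; do
  if ! grep -q '^ExecStart=.*sulogin' "/usr/lib/systemd/system/${unit}.service"; then
    echo "WARNING: ${unit}.service does not call sulogin - single user mode is unauthenticated" >&2
  fi
done
echo '1.5.1 Ensure core dumps are restricted'
# Append instead of "sed 54i": inserting at a fixed line number silently does
# nothing when the file is shorter and lands inside unrelated content otherwise.
grep -q '^\*\s\+hard\s\+core\s\+0' /etc/security/limits.conf \
  || echo "* hard core 0" >> /etc/security/limits.conf
# Second half of 1.5.1: setuid programs must never dump core (a dump could expose
# privileged memory).  Persisted and applied to the running kernel.
grep -q '^fs\.suid_dumpable' /etc/sysctl.conf \
  || echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
sysctl -w fs.suid_dumpable=0 > /dev/null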
echo '1.7.1.1 Ensure message of the day is configured properly'
echo '1.7.1.2 Ensure local login warning banner is configured properly'
echo '1.7.1.3 Ensure remote login warning banner is configured properly'
# The same warning text is installed as the message of the day (/etc/motd), the
# local console banner (/etc/issue) and the remote banner (/etc/issue.net, which
# sshd is pointed at in 5.2.16).  It is written once and fanned out with tee so the
# three copies cannot drift.  The quoted heredoc delimiter keeps the text literal;
# it deliberately contains none of the \m \r \s \v escapes that would leak OS
# name/version to an unauthenticated user (the point of 1.7.1.x).  tee truncates
# each target before writing, so the files end up with exactly this content.
tee /etc/motd /etc/issue /etc/issue.net > /dev/null <<'BANNER'
- - - - - - - - - - - W A R N I N G - - - - - - - - - - -

This system is for the use of authorized users only. 
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel. In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored. 
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.

Access is restricted to authorized users only.
Unauthorized access is a violation of state and federal,
civil and criminal laws.

DISCONNECT IMMEDIATELY if you do not agree to the 
conditions stated in this warning.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

BANNER
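echo '2.2.1.3 Ensure chrony is configured'
if ! rpm -q chrony > /dev/null 2>&1; then
  echo 'chrony is not installed, now running yum -y install chrony'
  yum -y install chrony
fi
# Run chronyd as the unprivileged "chrony" user (drops root after start-up).
# Only the stock empty OPTIONS="" is rewritten; a deliberately customised OPTIONS
# line is left alone and reported so it can be fixed by hand.
if grep -q '^OPTIONS=.*-u chrony' /etc/sysconfig/chronyd; then
  :
elif grep -q '^OPTIONS=""' /etc/sysconfig/chronyd; then
  sed -i 's/^OPTIONS=""/OPTIONS="-u chrony"/' /etc/sysconfig/chronyd
else
  echo 'WARNING: /etc/sysconfig/chronyd has a non-default OPTIONS line; add "-u chrony" manually' >&2
fi
# NOTE(review): 2.2.1.3 also expects at least one "server"/"pool" line in
# /etc/chrony.conf and chronyd enabled; neither is touched here, so confirm both
# (grep -E '^(server|pool)' /etc/chrony.conf; systemctl is-enabled chronyd) on a
# trimmed-down image.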
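# Persist a kernel parameter in /etc/sysctl.conf (once) and apply it to the running
# kernel, so the hardening is effective now and survives reboot.  Dots in the key
# are escaped so the grep anchors on this exact key.
set_sysctl() {
  local key=$1 value=$2
  local key_re=${key//./\\.}
  grep -q "^[[:space:]]*${key_re}[[:space:]]*=" /etc/sysctl.conf \
    || printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  sysctl -w "${key}=${value}" > /dev/null
}
echo '3.1.2 Ensure packet redirect sending is disabled'
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.conf.default.send_redirects 0
echo '3.2.2 Ensure ICMP redirects are not accepted'
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.default.accept_redirects 0
echo '3.2.3 Ensure secure ICMP redirects are not accepted'
set_sysctl net.ipv4.conf.all.secure_redirects 0
set_sysctl net.ipv4.conf.default.secure_redirects 0
echo '3.2.4 Ensure suspicious packets are logged'
set_sysctl net.ipv4.conf.all.log_martians 1
set_sysctl net.ipv4.conf.default.log_martians 1
echo '3.3.1 Ensure IPv6 router advertisements are not accepted'
set_sysctl net.ipv6.conf.all.accept_ra 0
set_sysctl net.ipv6.conf.default.accept_ra 0
echo '3.3.2 Ensure IPv6 redirects are not accepted'
set_sysctl net.ipv6.conf.all.accept_redirects 0
set_sysctl net.ipv6.conf.default.accept_redirects 0
# Flush the routing cache so the redirect settings also apply to existing routes.
sysctl -w net.ipv4.route.flush=1 > /dev/null
echo '3.3.3 Ensure IPv6 is disabled'
# Disables IPv6 in the module at load time (effective from the next boot).  CIS
# 3.3.3 alternatively allows "ipv6.disable=1" on the kernel command line (see the
# GRUB edit in 4.1.3).  Either way, once IPv6 is off the net.ipv6.* keys above may
# no longer exist and sysctl may log harmless "No such file or directory" warnings
# for them at boot.
grep -qxF "options ipv6 disable=1" /etc/modprobe.d/cis-benchmark-hardening.conf \
  || echo "options ipv6 disable=1" >> /etc/modprobe.d/cis-benchmark-hardening.conf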
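echo '3.4.1 Ensure TCP Wrappers is installed'
if ! rpm -q tcp_wrappers > /dev/null 2>&1; then
  echo 'tcp_wrappers is not installed, now running yum -y install tcp_wrappers'
  yum -y install tcp_wrappers
fi
echo '3.4.2 Ensure /etc/hosts.allow is configured'
# Note that this is a relatively insecure configuration! The IP ranges below should be changed to
# just your management source network instead!
# Only sshd is listed; with hosts.deny saying "ALL: ALL" below, any other
# libwrap-aware service added later is refused until it gets its own hosts.allow
# line.  Entries are added once so the script can be re-run.
# NOTE(review): keep these ranges in step with the iptables SSH rules in 3.6 -
# tcp_wrappers is a second, independent gate, not a replacement for the firewall.
# NOTE(review): hosts_access(5) documents net/mask in dotted form
# (10.0.0.0/255.0.0.0); confirm this build also accepts the /prefix form before
# relying on it, or switch to the dotted form.
for mgmt_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  grep -qxF "sshd : ${mgmt_net}" /etc/hosts.allow \
    || echo "sshd : ${mgmt_net}" >> /etc/hosts.allow
done
echo '3.4.3 Ensure /etc/hosts.deny is configured'
grep -qxF "ALL: ALL" /etc/hosts.deny || echo "ALL: ALL" >> /etc/hosts.deny
# 3.5.1 - 3.5.4: same "install <module> /bin/true" trick as 1.1.1 - the protocol
# modules can no longer be loaded, removing attack surface nothing on this host
# needs.  Each line is added only once.
while read -r section proto net_module; do
  echo "${section} Ensure ${proto} is disabled"
  grep -qxF "install ${net_module} /bin/true" /etc/modprobe.d/cis-benchmark-hardening.conf \
    || echo "install ${net_module} /bin/true" >> /etc/modprobe.d/cis-benchmark-hardening.conf
done <<'PROTOCOLS'
3.5.1 DCCP dccp
3.5.2 SCTP sctp
3.5.3 RDS rds
3.5.4 TIPC tipc
PROTOCOLS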
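echo '3.6 Firewall Configuration'
# Basic setup to comply with CIS recommendations
# This section will likely require significant tweaking depending on environment requirements.
# RFC1918 addresses are set as "management" sources in this example which is almost certainly too wide
# and should be reduced as practical.
#
# Note: firewalld is installed/enabled by default, and this example assumes firewalld is replaced by iptables
#
# Fail closed: firewalld is only stopped once iptables-services is actually
# installed.  Without it "service iptables save" has nothing to persist to, and a
# host with firewalld disabled and no saved ruleset boots with NO firewall at all.
if ! yum -y install iptables-services; then
  echo 'ERROR: could not install iptables-services; leaving firewalld in place and skipping 3.6' >&2
else
  systemctl stop firewalld && systemctl disable firewalld
  systemctl enable iptables && systemctl start iptables
  # Back up the persisted *ruleset* that "service iptables save" is about to
  # overwrite (iptables-config holds service settings and is not modified here).
  [ -f /etc/sysconfig/iptables ] && cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
  # Rule order matters.  ESTABLISHED traffic is accepted first so the SSH session
  # running this script (and every other live connection) survives the policy
  # change at the end; the policies are switched to DROP only after all ACCEPT
  # rules are in place.  Only the filter table is flushed; nat/mangle are untouched.
  iptables -F
  iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
  # Loopback is allowed on its own interface; traffic claiming a 127/8 source on
  # any other interface is spoofed and dropped (3.6.2).  The lo ACCEPT must come
  # before the 127/8 DROP.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # Inbound SSH and ping only from the management networks.  Keep this list in
  # step with /etc/hosts.allow (3.4.2) - both gates must admit the admin source.
  for mgmt_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    iptables -A INPUT -s "${mgmt_net}" -p tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
  done
  for mgmt_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    iptables -A INPUT -s "${mgmt_net}" -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
  done
  iptables -A INPUT -s 127.0.0.0/8 -j DROP
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  # Persist to /etc/sysconfig/iptables so iptables.service restores the ruleset at boot.
  service iptables save
  # NOTE(review): only IPv4 is covered.  IPv6 is disabled in 3.3.3; if that is ever
  # reverted, an equivalent ip6tables policy must be added or IPv6 is wide open.
fi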
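echo '4.1.1.2 Ensure system is disabled when audit logs are full'
cp -p /etc/audit/auditd.conf /etc/audit/auditd.conf.backup
# Match each key however it is currently set: a pattern anchored on the stock
# value (SYSLOG / SUSPEND / ROTATE) silently misses any other value.
# space_left_action=email needs a working local MTA and action_mail_acct to reach
# someone.  admin_space_left_action=halt is what CIS asks for - be aware it trades
# availability for guaranteed audit coverage (a full audit partition halts the box).
sed -i 's/^space_left_action\s*=.*/space_left_action = email/' /etc/audit/auditd.conf
sed -i 's/^admin_space_left_action\s*=.*/admin_space_left_action = halt/' /etc/audit/auditd.conf
echo '4.1.1.3 Ensure audit logs are not automatically deleted'
sed -i 's/^max_log_file_action\s*=.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
echo '4.1.3 Ensure auditing for processes that start prior to auditd is enabled'
cp -p /etc/default/grub /etc/default/grub.backup
# Append audit=1 to whatever GRUB_CMDLINE_LINUX already holds rather than matching
# one exact installer-generated string: a different LV layout or any extra
# parameter would make an exact-match sed a silent no-op and leave early boot
# unaudited.  Skipped if audit=1 is already present.
if ! grep -q '^GRUB_CMDLINE_LINUX=.*\baudit=1\b' /etc/default/grub; then
  sed -i 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 audit=1"/' /etc/default/grub
fi
# NOTE(review): BIOS/legacy path; on UEFI the file is /boot/efi/EFI/centos/grub.cfg.
# -o lets grub2-mkconfig write the file itself instead of a shell redirect.
grub2-mkconfig -o /boot/grub2/grub.cfg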
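# Note: due to the issue referenced in https://access.redhat.com/solutions/1505033, rules will be written to /etc/audit/rules.d/cis-recommended.rules instead of what's mentioned in the CIS benchmark.
# augenrules assembles /etc/audit/rules.d/*.rules into /etc/audit/audit.rules when
# auditd starts.  The file is rewritten from scratch each run so the script is
# idempotent.  The static rules are the CIS 2.1.0 recommendations with one fix:
# the benchmark's 4.1.17 syscall line reads "-a always,exit arch=b64 ..." (no -F),
# which is malformed - the module-load syscall rule was not loaded as intended and,
# since auditctl -R stops at the first line it cannot parse, everything after it
# (including the "-e 2" lock) may have been skipped as well.
audit_rules=/etc/audit/rules.d/cis-recommended.rules
echo '4.1.4 Ensure events that modify date and time information are collected'
echo '4.1.5 Ensure events that modify user/group information are collected'
echo "4.1.6 Ensure events that modify the system's network environment are collected"
echo "4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected"
echo '4.1.8 Ensure login and logout events are collected'
echo '4.1.9 Ensure session initiation information is collected'
echo '4.1.10 Ensure discretionary access control permission modification events are collected'
echo '4.1.11 Ensure unsuccessful unauthorized file access attempts are collected'
cat > "$audit_rules" <<'AUDIT_RULES'
## CIS CentOS Linux 7 Benchmark 2.1.0 - generated by the hardening script; re-run it rather than editing by hand
## 4.1.4 time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## 4.1.5 identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## 4.1.6 system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
## 4.1.7 MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy
## 4.1.8 logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## 4.1.9 session
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
## 4.1.10 perm_mod  (auid>=1000: real users; auid!=4294967295: exclude unset loginuid, i.e. daemons)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## 4.1.11 access (denied opens/truncates by real users)
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
AUDIT_RULES
echo '4.1.12 Ensure use of privileged commands is collected'
# Generate the list from what is actually installed instead of a hard-coded
# snapshot: every setuid/setgid regular file on every *local* filesystem, found
# per mount point with -xdev so a separate /usr, /var, ... (as in the header's
# layout) is covered - "find / -xdev" alone would stop at the root filesystem.
# find's output is NUL-delimited so odd path names cannot split a rule.
{
  echo '## 4.1.12 privileged (setuid/setgid binaries present at build time)'
  df --local -P | awk 'NR > 1 {print $6}' | while IFS= read -r mount_point; do
    find "$mount_point" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0
  done | sort -zu | while IFS= read -r -d '' priv_bin; do
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n' "$priv_bin"
  done
} >> "$audit_rules"
echo '4.1.13 Ensure successful file system mounts are collected'
echo '4.1.14 Ensure file deletion events by users are collected'
echo '4.1.15 Ensure changes to system administration scope (sudoers) is collected'
echo '4.1.16 Ensure system administrator actions (sudolog) are collected'
echo '4.1.17 Ensure kernel module loading and unloading is collected'
echo '4.1.18 Ensure the audit configuration is immutable'
cat >> "$audit_rules" <<'AUDIT_RULES'
## 4.1.13 mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
## 4.1.14 delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
## 4.1.15 scope
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
## 4.1.16 actions - only fires if sudo logs there: add  Defaults logfile="/var/log/sudo.log"  via visudo
-w /var/log/sudo.log -p wa -k actions
## 4.1.17 modules (the syscall rule carries the "-F arch=b64" the benchmark text omits)
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
## 4.1.18 lock the configuration.  Must be the last rule loaded; once active, any
## further rule change needs a reboot.
-e 2
AUDIT_RULES
# The new rule set is loaded at the next auditd start (on CentOS 7 use
# "service auditd restart" - the unit refuses manual stop via systemctl - or just
# reboot).  Afterwards confirm with "auditctl -l" / "auditctl -s".
# NOTE(review): augenrules concatenates rules.d in file-name order; make sure no
# other file sorts after this one, or verify augenrules relocates "-e" to the end,
# otherwise the lock is applied before the later rules and they are rejected.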
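echo '4.2.4 Ensure permissions on all logfiles are configured'
find /var/log -type f -exec chmod g-wx,o-rwx {} +
echo '4.3 Ensure logrotate is configured'
cp -p /etc/logrotate.conf /etc/logrotate.conf.backup
# Global policy: rotate daily, keep 30 rotations, compress.  Per-service files in
# /etc/logrotate.d inherit these unless they override them.
sed -i 's/# rotate log files weekly/# rotate log files daily/' /etc/logrotate.conf
sed -i 's/^weekly/daily/' /etc/logrotate.conf
sed -i 's/# keep 4 weeks worth of backlogs/# keep 30 days worth of backlogs/' /etc/logrotate.conf
sed -i 's/^rotate 4/rotate 30/' /etc/logrotate.conf
sed -i 's/^#compress/compress/' /etc/logrotate.conf
sed -i 's/rotate 7/rotate 30/' /etc/logrotate.d/bootlog
rm -f /etc/logrotate.d/wpa_supplicant
# A stock CentOS 7 logs via rsyslog, whose /etc/logrotate.d/syslog already covers
# messages, secure, maillog, spooler and cron and inherits the daily/30/compress
# policy set above.  The syslog-ng stanza is therefore written only when syslog-ng
# is installed: on an rsyslog host it would duplicate those log entries (logrotate
# reports "duplicate log entry" and skips the definition), and its postrotate used
# invoke-rc.d, a Debian command that does not exist on CentOS.  boot.log is left
# out because /etc/logrotate.d/bootlog (adjusted just above) already rotates it.
# The reload sends SIGHUP through systemd, which makes syslog-ng reopen its files.
if rpm -q syslog-ng > /dev/null 2>&1; then
  cat > /etc/logrotate.d/syslog-ng <<'LOGROTATE'
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/spooler
/var/log/cron
/var/log/kern
{
    rotate 30
    daily
    missingok
    notifempty
    compress
    postrotate
        /usr/bin/systemctl kill -s HUP syslog-ng.service > /dev/null 2>&1 || true
    endscript
}
LOGROTATE
fi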
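# 5.1.2 - 5.1.7: CIS asks for root:root with no group/other access on /etc/crontab
# and the /etc/cron.* directories.  "og-rwx" is used instead of a literal 0600 so
# directories keep their owner execute bit (0700, the mode the CIS audit expects
# for a directory) while the crontab file ends up 0600.  Ownership is set
# explicitly rather than assumed.
while read -r section cron_path; do
  echo "${section} Ensure permissions on ${cron_path} are configured"
  chown root:root "$cron_path"
  chmod og-rwx "$cron_path"
done <<'CRON_PATHS'
5.1.2 /etc/crontab
5.1.3 /etc/cron.hourly
5.1.4 /etc/cron.daily
5.1.5 /etc/cron.weekly
5.1.6 /etc/cron.monthly
5.1.7 /etc/cron.d
CRON_PATHS
echo '5.1.8 Ensure at/cron is restricted to authorized users'
# Removing the deny files and creating empty allow files flips both cron and at to
# an allow-list: no unprivileged user may schedule jobs until explicitly added.
# CIS 5.1.8 covers at.deny as well as cron.deny.
rm -f /etc/cron.deny /etc/at.deny
touch /etc/cron.allow /etc/at.allow
chmod og-rwx /etc/cron.allow /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow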
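echo '5.2.2 Ensure SSH Protocol is set to 2'
echo '5.2.11 Ensure only approved ciphers are used'
echo '5.2.12 Ensure only approved MAC algorithms are used'
# sshd honours the FIRST occurrence of a keyword, and anything appended to the end
# of the file lands inside a trailing "Match" block if one exists (Protocol,
# Ciphers and MACs are not permitted there).  Inserting at the top of the file
# therefore wins over any later setting and can never end up inside a Match block.
# Inserted in reverse so the final order is Protocol, Ciphers, MACs; each only if
# not already present.
grep -q '^MACs ' /etc/ssh/sshd_config \
  || sed -i '1i MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' /etc/ssh/sshd_config
grep -q '^Ciphers ' /etc/ssh/sshd_config \
  || sed -i '1i Ciphers aes256-ctr,aes192-ctr,aes128-ctr' /etc/ssh/sshd_config
grep -q '^Protocol ' /etc/ssh/sshd_config \
  || sed -i '1i Protocol 2' /etc/ssh/sshd_config
# The seds below flip the commented-out defaults of the stock sshd_config.  A
# directive that is already set explicitly to another value is left as-is; the
# "sshd -T" dump at the end shows the values actually in effect.
echo '5.2.3 Ensure SSH LogLevel is set to INFO'
sed -i 's/#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
echo '5.2.4 Ensure SSH X11 forwarding is disabled'
sed -i 's/X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
echo '5.2.5 Ensure SSH MaxAuthTries is set to 4 or less'
sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/' /etc/ssh/sshd_config
echo '5.2.6 Ensure SSH IgnoreRhosts is enabled'
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/' /etc/ssh/sshd_config
echo '5.2.7 Ensure SSH HostbasedAuthentication is disabled'
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/' /etc/ssh/sshd_config
echo '5.2.8 Ensure SSH root login is disabled'
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
echo '5.2.9 Ensure SSH PermitEmptyPasswords is disabled'
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
echo '5.2.10 Ensure SSH PermitUserEnvironment is disabled'
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/' /etc/ssh/sshd_config
echo '5.2.13 Ensure SSH Idle Timeout Interval is configured'
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/' /etc/ssh/sshd_config
echo '5.2.14 Ensure SSH LoginGraceTime is set to one minute or less'
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/' /etc/ssh/sshd_config
echo '5.2.16 Ensure SSH warning banner is configured'
sed -i 's/#Banner none/Banner \/etc\/issue.net/' /etc/ssh/sshd_config
# 5.2.15 (AllowUsers/AllowGroups) is deliberately not set here - it is
# site-specific; add it before the image is promoted.
# Validate before the daemon is ever restarted: a bad directive means sshd fails to
# start at next boot and the (now firewalled, tcp-wrapped) host is unreachable.
if /usr/sbin/sshd -t; then
  /usr/sbin/sshd -T 2>/dev/null \
    | grep -iE '^(permitrootlogin|maxauthtries|x11forwarding|clientaliveinterval|clientalivecountmax|logingracetime|ciphers|macs|banner) '
else
  echo 'ERROR: sshd -t rejected /etc/ssh/sshd_config - fix it before rebooting or you will be locked out' >&2
fi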
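echo '5.3.1 Ensure password creation requirements are configured'
# system-auth and password-auth are symlinks to the authconfig-managed *-ac files.
# "sed -i" replaces a symlink with a regular file, which also means authconfig
# will no longer overwrite these edits - a side effect worth knowing about.
# The pam lines are column-aligned with runs of spaces, so the match uses
# [[:space:]]\+ rather than single spaces (a single-space pattern never matches the
# stock file and silently does nothing).
for pam_file in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
  sed -i 's/^\(password[[:space:]]\+requisite[[:space:]]\+pam_pwquality\.so\).*/\1 try_first_pass retry=3/' "$pam_file"
done
# pwquality credits: a NEGATIVE value is a minimum count of that character class
# ("dcredit = -1" = at least one digit).  A positive value is only a length credit
# and enforces nothing - "dcredit = 1" would leave the policy as "14 characters of
# anything", which is not what CIS 5.3.1 requires.
sed -i 's/^# minlen = 9/minlen = 14/' /etc/security/pwquality.conf
sed -i 's/^# dcredit = 1/dcredit = -1/' /etc/security/pwquality.conf
sed -i 's/^# lcredit = 1/lcredit = -1/' /etc/security/pwquality.conf
sed -i 's/^# ocredit = 1/ocredit = -1/' /etc/security/pwquality.conf
sed -i 's/^# ucredit = 1/ucredit = -1/' /etc/security/pwquality.conf
echo '5.3.3 Ensure password reuse is limited'
# Append remember=5 to the pam_unix password line (once), whatever other options
# it carries; the stock spacing defeated the old exact-string match, so reuse was
# never actually limited.
for pam_file in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
  sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/{/remember=/! s/$/ remember=5/}' "$pam_file"
done
echo '5.4.1.1 Ensure password expiration is 90 days or less'
sed -i 's/^PASS_MAX_DAYS[[:space:]]\+[0-9]\+/PASS_MAX_DAYS\t90/' /etc/login.defs
echo '5.4.1.2 Ensure minimum days between password changes is 7 or more'
sed -i 's/^PASS_MIN_DAYS[[:space:]]\+[0-9]\+/PASS_MIN_DAYS\t7/' /etc/login.defs
# NOTE(review): login.defs only affects accounts created from now on; accounts that
# already exist on the template (root included) need "chage --maxdays 90 --mindays 7 <user>".
echo '5.4.1.4 Ensure inactive password lock is 30 days or less'
useradd -D -f 30
echo '5.4.4 Ensure default user umask is 027 or more restrictive'
for shell_rc in /etc/bashrc /etc/profile; do
  sed -i 's/umask 002/umask 027/; s/umask 022/umask 027/' "$shell_rc"
done
echo '5.6 Ensure access to the su command is restricted'
# Uncomment the pam_wheel line so only members of "wheel" may su.  Put at least one
# administrative account in wheel before logging out, or root is reachable only
# from the console (SSH root login is already off in 5.2.8).
sed -i 's/^#auth\t\trequired\tpam_wheel.so use_uid/auth\t\trequired\tpam_wheel.so use_uid/' /etc/pam.d/su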
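echo '6.1.1 Audit system file permissions'
# Correction may need to be applied depending on the result.
# rpm -V lists every packaged file whose mode/owner/group differ from the package
# manifest.  Entries for files this script tightened on purpose (grub.cfg, the
# cron files, /var/log) are expected; anything else deserves a look.  The report
# is kept root-only because it is a map of weakened permissions.
rpm -Va --nomtime --nosize --nomd5 --nolinkto > /root/cis-6.1.1-audit-system-file-permissions
chmod 600 /root/cis-6.1.1-audit-system-file-permissions
echo '6.1.6 Ensure permissions on /etc/passwd- are configured'
[ -f /etc/passwd- ] && chmod 600 /etc/passwd-
echo '6.1.8 Ensure permissions on /etc/group- are configured'
[ -f /etc/group- ] && chmod 600 /etc/group-
# Re-baseline AIDE now that every configuration change above has been made, so the
# first scheduled "aide --check" does not report this script's own edits as
# tampering.  Skipped if AIDE is not present.
if [ -x /usr/sbin/aide ]; then
  echo 'Re-initializing AIDE database against the hardened state, this may take a while'
  /usr/sbin/aide --init && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
echo ''
echo 'End of CIS Benchmark auto-configuration. Yay.'
echo 'Most settings (mount options, module blacklists, audit rules, GRUB) take effect at next boot - reboot and re-check before promoting this image.'
echo ''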