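---
# My example
#
# Hardening checklist variables. Each top-level mapping is one hardening area
# and every leaf is a boolean switch that the tasks test with
# `when: <section>.<control>` (see the ssh example below).
# `true` = apply the control, `false` = leave the host as it is. Every `false`
# in this file is therefore a deliberate deviation from the checklist and
# should be reviewed as such before the playbook is run against a host.
#
# NOTE(review): the rendered copy of this file had lost its indentation; the
# nesting below was restored from the section/leaf order. Confirm against the
# tasks that each control is looked up under the section shown here.
# Booleans are written as `true`/`false` (YAML 1.2 parsers read `yes`/`no` as
# plain strings); the item numbers in the comments are kept as the author wrote
# them.
filesystem:
  # 1.1.1.1
  disable_cramfs_filesystem: true
  # 1.1.1.2
  disable_freevxfs_filesystem: true
  # 1.1.1.3
  disable_jffs2_filesystem: true
  # 1.1.1.4
  disable_hfs_filesystem: true
  # 1.1.1.5
  disable_hfsplus_filesystem: true
  # 1.1.1.6
  disable_squashfs_filesystem: true
  # 1.1.1.7
  disable_udf_filesystem: true
  # 1.1.1.8
  disable_vfat_filesystem: true
  # 1.1.2
  tmp_partition_create: true
  # 1.1.3
  tmp_partition_nodev: true
  # 1.1.4
  tmp_partition_nosuid: true
  # 1.1.5 — control not applied in this example
  tmp_partition_noexec: false
  # 1.1.7
  var_tmp_partition_create: true
  # 1.1.8 — control not applied in this example
  var_tmp_partition_nodev: false
  # 1.1.9
  var_tmp_partition_nosuid: true
  # 1.1.10
  var_tmp_partition_noexec: true
  # 1.1.14 — control not applied in this example
  home_partition_nodev: false
  # 1.1.15 — control not applied in this example
  dev_shm_nodev: false
  # 1.1.16
  dev_shm_nosuid: true
  # 1.1.17 — control not applied in this example
  dev_shm_noexec: false
  # 1.1.18
  removable_medias_nodev: true
  # 1.1.19 — control not applied in this example
  removable_medias_nosuid: false
  # 1.1.20
  removable_medias_noexec: true
  # 1.1.21
  sticky_bit_world_writable_dirs: true

integr_check:
  # 1.3.1
  install_aide: true
  # 1.3.2
  regular_check: true

bootloader:
  # 1.4.1
  file_perm: true
  # 1.4.1 — same item id as the neighbouring controls in the original; the keys
  # are distinct, so this looks like a copy-paste slip in the comments only.
  # Verify the ids against the checklist.
  grub_pass: true
  # 1.4.1 (see note above)
  single_user_mode_pass: true

addit_proc_harden:
  # 1.5.1
  disable_core_dumps: true
  # 1.5.3
  enable_aslr: true
  # 1.5.4
  disable_prelink: true

warn_banner:
  # 1.7.1.1
  message_day: true
  # 1.7.1.2
  local_login: true
  # 1.7.1.3
  remote_login: true
  # 1.7.2
  gdm: true
  # 1.8 — not a banner item, but it sits in this mapping in the original;
  # confirm the tasks look it up as `warn_banner.update_patch`.
  update_patch: true

auditd:
  install: true
  # 4.1.1.1
  configure_log_storage_size: true
  # 4.1.1.2
  disable_system: true
  # 4.1.3 — the same id is also given to process_prior_auditd below; verify.
  save_logs: true
  # 4.1.2
  enable_service: true
  # 4.1.3
  process_prior_auditd: true
  # 4.1.4
  date_time: true
  # 4.1.5
  user_group: true
  # 4.1.6
  network_environ: true
  # 4.1.7
  mac: true
  # 4.1.8
  login_logout: true
  # 4.1.9
  session_init: true
  # 4.1.10
  dac: true
  # 4.1.11
  unsuccess_file_access: true
  # 4.1.12
  priv_commands: true
  # 4.1.13
  success_mount: true
  # 4.1.14
  file_delete: true
  # 4.1.15
  sudoers: true
  # 4.1.16
  sudo_log: true
  # 4.1.17
  module_load_unload: true
  # 4.1.18
  immutable: true

log:
  # 4.2.3
  # install: yes   (commented out in the original; kept that way)
  # 4.2.1.1
  enable_rsyslog: true
  # 4.2.1.2
  config_rsyslog: true
  # 4.2.1.3
  rsyslog_file_perm: true
  # 4.2.2.1
  enable_syslogng: true
  # 4.2.2.2
  config_syslogng: true
  # 4.2.2.3
  syslogng_file_perm: true
  # 4.2.4
  file_perm: true
  # 4.3
  logrotate: true

# Your example.
ssh:
  # This will be hardened. You have to do a check in your task to this variable.
  # The check in the task is done like this : when: sshd.protocole_version_2
  # NOTE(review): the example condition uses `sshd.` but this mapping is named
  # `ssh` — confirm which name the tasks actually reference.
  # Key spelling (`protocole`) is kept as-is: the tasks reference it by name.
  protocole_version_2: true
  # This won't be hardened
  log_level_info: false
  disable_x11_forwarding: true
  enable_IgnoreRhosts: true
  disable_HostbasedAuthentication: true
  # control not applied in this example
  disable_root_login: false
  # control not applied in this example
  ssh_limit: false
  set_ClientAliveInterval_300_and_ClientAliveCountMax_4: true
  # control not applied in this example
  set_LoginGraceTime_1minute: false

pam:
  allow_3_tries_before_failure: true
  set_policy: true
  lockout_failed_attempts: true
  # control not applied in this example
  password_reuse_limit_and_sha512_as_default: false

services:
  # 2.1 inetd services
  disable_chargen_service: true
  disable_daytime_service: true
  disable_discard_service: true
  disable_echo_service: true
  disable_time_service: true
  disable_tftp_service: true
  disable_xinetd_service: true
  # 2.2 server services (special purpose services)
  # Services left at `false` here stay enabled on the host; keep this list in
  # step with what the host actually needs to run.
  disable_x_windows: true
  disable_avahi_server: false
  disable_cups: true
  disable_dhcp_server: false
  disable_ldap_server: true
  disable_nfs: false
  disable_nfs_server: true
  disable_rpc: true
  disable_dns_server: false
  disable_ftp_server: false
  disable_http_server: true
  disable_imap_pop3: true
  disable_http_proxy_server: true
  disable_snmp: true
  disable_nis: false
  disable_samba_server: true
  disable_talk_server: false
  disable_telnet_server: true
  disable_tftp_server: true
  disable_rsync: true
  # 2.3 services client
  uninstall_ypbind: true
  uninstall_rsh: true
  uninstall_talk: true
  uninstall_telnet: true
  uninstall_openldap_clients: true
  # chrony and ntp are alternatives; only one of the two is configured here.
  configure_chrony: false
  configure_ntp: true

network:
  # IPV4
  disable_ip_forwarding: true
  disable_packet_redirect: true
  # IPV6
  ignore_router_advertisements_ipv6: true
  ignore_packet_redirect_ipv6: true
  deactivate_ipv6: true
  # Uncommon network protocols
  disable_dccp: true
  disable_sctp: true
  disable_rds: true
  disable_tipc: true
  # firewall
  configure_loopback_traffic: true
  configure_iptables: true
  # tcp wrappers
  install_tcp_wrappers: true
  configure_outbound_established_connections: true
  ignore_source_routed_packets: true
  ignore_icmp_redirects: true
  ignore_secure_icmp_redirects: true
  log_suspicious_packets: true
  ignore_broadcast_icmp: true
  ignore_bogus_icmp: true
  reverse_path_filtering: true
  tcp_syn_cookies: true

user_and_accounts:
  passwd_expiration: true
  min_between_passwd_change: true
  # Key spelling (`expriration`) is kept as-is: the tasks reference it by name.
  passwd_expriration_warning: true
  inactive_account_lock: true
  default_group_root_0: true
  user_shell_timeout: true
  restricted_root_login_physical_consoles: true
  restricted_su: true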