
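##Filesystem Configurations

#Disable kernel filesystem modules that aren't required via
#/etc/modprobe.d/CIS.conf. An "install <module> /bin/true" line in any *.conf
#under /etc/modprobe.d/ makes modprobe run /bin/true instead of loading the
#module; verify with "lsmod" after a reboot.
cis_modprobe_conf=/etc/modprobe.d/CIS.conf

#Create CIS.conf if it does not exist yet.
[ -e "$cis_modprobe_conf" ] || touch "$cis_modprobe_conf"

#One disable line per module. Modules already listed are skipped so that
#re-running the script does not accumulate duplicate lines.
#NOTE(review): vfat is needed for /boot/efi on UEFI systems — confirm this
#host boots via legacy BIOS before keeping vfat in the list.
for fs_module in cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat; do
  grep -qF "install ${fs_module} /bin/true" "$cis_modprobe_conf" \
    || printf 'install %s /bin/true\n' "$fs_module" >> "$cis_modprobe_conf"
done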

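#Ensure separate filesystems are in place with the required mount options.
#These are checks only: findings are reported, /etc/fstab is not edited.
#The original had three unterminated message strings (/tmp, /var, /home
#"Please ...") that break the script, and the option checks lacked -q so a
#matching mount line was printed as noise.

#Print the option field of the filesystem mounted exactly at $1, or nothing
#when $1 is not a mount point. Comparing the third "mount" column avoids the
#substring matches of "mount | grep /tmp".
mount_options_of() {
  mount | awk -v mp="$1" '$3 == mp { print $6 }'
}

#Warn unless $1 is its own mount point.
check_separate_mount() {
  [ -n "$(mount_options_of "$1")" ] \
    || echo "$1 not found as a separate mount point. Please create."
}

#Warn unless the filesystem mounted at $1 carries mount option $2.
check_mount_option() {
  mount_options_of "$1" | tr -d '()' | tr ',' '\n' | grep -qx -- "$2" \
    || echo "$2 mount option is not set in $1 mount point. Please add."
}

check_separate_mount /tmp
for opt in nodev nosuid noexec; do check_mount_option /tmp "$opt"; done
check_separate_mount /var
check_separate_mount /var/tmp
for opt in nodev nosuid noexec; do check_mount_option /var/tmp "$opt"; done
check_separate_mount /var/log
check_separate_mount /var/log/audit
check_separate_mount /home
check_mount_option /home nodev
#/dev/shm is always a mount point; only its options are checked.
for opt in nodev nosuid noexec; do check_mount_option /dev/shm "$opt"; done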

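#Stop and disable autofs if it exists; output is discarded so a missing unit
#does not produce noise.
systemctl stop autofs >/dev/null 2>&1
systemctl disable autofs >/dev/null 2>&1

#Ensure gpgcheck is globally activated. The original sed only rewrote an
#existing gpgcheck line; when /etc/yum.conf has none, one is inserted into
#the [main] section (appending at the end could land in another section).
if grep -q '^gpgcheck' /etc/yum.conf; then
  sed -i '/^gpgcheck/c gpgcheck=1' /etc/yum.conf
else
  sed -i '/^\[main\]/a gpgcheck=1' /etc/yum.conf
fi
#Per-repository files can still override the global setting; list any that do.
grep -l '^gpgcheck=0' /etc/yum.repos.d/*.repo 2>/dev/null \
  && echo "the repo files listed above set gpgcheck=0. please review."

#Ensure GPG keys are configured. rpm -q fails when no gpg-pubkey package has
#been imported.
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' \
  || echo "gpg keys are either not installed or not configured correctly. please check."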

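#Subscribe with Red Hat and auto-register. Credentials are taken from the
#environment (variable names chosen here: RHSM_USERNAME / RHSM_PASSWORD) set
#by the operator or a vault wrapper, instead of being written into the
#script; the username/password pair that used to be embedded on this line
#has to be treated as exposed and rotated. Command-line arguments are still
#visible in "ps" while the command runs — an activation key is the
#preferable non-interactive method.
if [ -n "$RHSM_USERNAME" ] && [ -n "$RHSM_PASSWORD" ]; then
  subscription-manager register --username "$RHSM_USERNAME" --password "$RHSM_PASSWORD"
else
  echo "RHSM_USERNAME/RHSM_PASSWORD not set; skipping subscription-manager register." >&2
fi

#Disable the rhnsd daemon. "chkconfig rhnsd of" in the original was a typo
#and disabled nothing; systemctl is tried first, chkconfig is the fallback
#for SysV-managed hosts.
systemctl disable rhnsd >/dev/null 2>&1 || chkconfig rhnsd off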

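#Ensure AIDE is installed and configured.
rpm -q aide >/dev/null 2>&1 || yum install aide -q -y
#"aide --init" writes the new database as aide.db.new.gz; it must be renamed
#to aide.db.gz before "aide --check" uses it. The original mv had lost the
#source filename and would have tried to move the directory into itself.
aide --init \
  && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

#Ensure filesystem integrity is regularly checked. The crontab entry is added
#only if absent (the original appended it on every run), and no scratch file
#under /tmp is needed — the old crontab and the new line are piped straight
#into "crontab -".
aide_cron='0 5 * * * /usr/sbin/aide --check'
if ! crontab -u root -l 2>/dev/null | grep -qF -- "$aide_cron"; then
  { crontab -u root -l 2>/dev/null; printf '%s\n' "$aide_cron"; } | crontab -u root -
fi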

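#Bootloader configuration must be root-owned and unreadable by others:
#grub.cfg exposes kernel parameters and any bootloader password hash.
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg

#Ensure authentication is required for single-user mode: the rescue and
#emergency units must start via /sbin/sulogin. The original grep only
#echoed the matching line and gave no signal when it was missing.
for unit in rescue emergency; do
  grep -q /sbin/sulogin "/usr/lib/systemd/system/${unit}.service" \
    || echo "${unit}.service does not use /sbin/sulogin; single-user mode is unauthenticated. please check."
done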

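#Set kernel parameter $1 to $2 persistently in /etc/sysctl.conf and apply it
#now. An existing line for the key is rewritten instead of appended to, so
#repeated runs do not leave duplicate entries.
set_sysctl_param() {
  local key=$1 value=$2 key_re
  key_re=${key//./\\.}
  if grep -qE "^[[:space:]]*${key_re}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i -E "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
  sysctl -w "${key}=${value}" >/dev/null
}

#Ensure core dumps are restricted.
set_sysctl_param fs.suid_dumpable 0

#Ensure NX support. Report only: NX is a CPU/firmware property the script
#cannot change.
dmesg | grep NX | grep -q "(Execute Disable) protection: active" \
  || echo "Please ensure NX support"

#Ensure ASLR is enabled.
set_sysctl_param kernel.randomize_va_space 2

#Ensure prelink is disabled. The original test was inverted: "rpm -q" returns
#0 when the package IS installed, so "yum remove" ran only when it was
#absent. Binaries are restored to their un-prelinked state first so AIDE
#hashes remain valid.
if rpm -q prelink >/dev/null 2>&1; then
  prelink -ua
  yum remove prelink -q -y >/dev/null 2>&1
fi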

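#Ensure SELinux is not disabled in the bootloader configuration. The
#original "grep -v -q selinux=0 || echo" only warned when EVERY kernel line
#carried selinux=0; one such entry is enough to boot with SELinux off, so
#warn whenever any kernel line sets either parameter.
for grub_param in selinux=0 enforcing=0; do
  if grep '^\s*linux' /boot/grub2/grub.cfg | grep -q "$grub_param"; then
    echo "please check selinux in grub file: a kernel line sets ${grub_param}. it should not be disabled."
  fi
done

#Ensure the SELinux state is enforcing and the policy is targeted. sed "c"
#rewrites the existing lines in /etc/selinux/config. If SELinux is currently
#disabled, setenforce cannot switch it on and a reboot is required.
rpm -q libselinux >/dev/null || yum install libselinux -q -y
sed -i '/^SELINUX=/c SELINUX=enforcing' /etc/selinux/config
sed -i '/^SELINUXTYPE=/c SELINUXTYPE=targeted' /etc/selinux/config
setenforce 1 2>/dev/null \
  || echo "setenforce 1 failed; SELinux is probably disabled. a reboot is needed for enforcing mode."

#Ensure SETroubleshoot and the MCS Translation Service (mcstrans) are not
#installed.
for pkg in setroubleshoot mcstrans; do
  rpm -q "$pkg" >/dev/null 2>&1 && yum remove "$pkg" -q -y
done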

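##Warning Banners
#Ensure the local (/etc/issue) and remote (/etc/issue.net) login banners are
#configured. The remote banner path had been truncated to "/etc/" in the
#original, which redirects into a directory and fails; both files receive
#the same text. /etc/motd is only given ownership/permissions below, its
#content is left untouched.
login_banner="This system, its hardware, software and data is owned by Adecco and only
authorized users are allowed to gain access to it.Your usage of Adecco technology
may be monitored, logged and subject to investigation according to applicable laws.
By continuing beyond this point and logging in, you agree to abide by the above
conditions and the Adecco Group Policies and Standards.Unauthorized use of Adecco
technology or breach of Adecco Group Policies and Standards is prohibited and may
be subject to disciplinary action, which may include criminal and/or civil
penalties"

printf '%s\n' "$login_banner" > /etc/issue
printf '%s\n' "$login_banner" > /etc/issue.net

#Ensure permissions: banner files root-owned, world-readable, not writable.
for banner_file in /etc/motd /etc/issue /etc/issue.net; do
  chown root:root "$banner_file"
  chmod 644 "$banner_file"
done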

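#Ensure time is synchronised.
rpm -q ntp >/dev/null || yum install ntp -q -y
echo "please verify that below listed time servers are one of npintde000123, npintde000124, npintnl000119 or npintnl000120."
#The server lines are printed for the operator to review; the original
#"if" was truncated mid-string, so the missing-server warning never ran.
if ! grep '^server' /etc/ntp.conf; then
  echo "no time server is configured in /etc/ntp.conf. please check the ntp configuration."
fi

#Ensure the Avahi server is not installed.
rpm -q avahi >/dev/null && yum remove avahi -q -y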

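#Network kernel parameters. persist_net_sysctl writes "key = value" to
#/etc/sysctl.conf — rewriting an existing line for the key rather than
#appending another — and applies it immediately with sysctl -w. The original
#handled ip_forward and send_redirects twice (once conditionally, once with
#unconditional appends), appended every key on every run so /etc/sysctl.conf
#grew with each execution, and its conditional send_redirects "if" was
#truncated, which is a syntax error.
persist_net_sysctl() {
  local key=$1 value=$2 key_re
  key_re=${key//./\\.}
  if grep -qE "^[[:space:]]*${key_re}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i -E "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
  sysctl -w "${key}=${value}" >/dev/null
}

#Ensure IP forwarding is disabled
persist_net_sysctl net.ipv4.ip_forward 0
#Ensure packet redirect sending is disabled
persist_net_sysctl net.ipv4.conf.all.send_redirects 0
persist_net_sysctl net.ipv4.conf.default.send_redirects 0
#Ensure source routed packets are not accepted
persist_net_sysctl net.ipv4.conf.all.accept_source_route 0
persist_net_sysctl net.ipv4.conf.default.accept_source_route 0
#Ensure ICMP redirects are not accepted
persist_net_sysctl net.ipv4.conf.all.accept_redirects 0
persist_net_sysctl net.ipv4.conf.default.accept_redirects 0
#Ensure secure ICMP redirects are not accepted
persist_net_sysctl net.ipv4.conf.all.secure_redirects 0
persist_net_sysctl net.ipv4.conf.default.secure_redirects 0
#Ensure suspicious packets are logged
persist_net_sysctl net.ipv4.conf.all.log_martians 1
persist_net_sysctl net.ipv4.conf.default.log_martians 1
#Ensure broadcast ICMP requests are ignored
persist_net_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
#Ensure bogus ICMP responses are ignored
persist_net_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
#Ensure Reverse Path Filtering is enabled
persist_net_sysctl net.ipv4.conf.all.rp_filter 1
persist_net_sysctl net.ipv4.conf.default.rp_filter 1
#Ensure TCP SYN Cookies is enabled
persist_net_sysctl net.ipv4.tcp_syncookies 1
#Ensure IPv6 router advertisements and redirects are not accepted. Once the
#ipv6 module is disabled (below) these keys no longer exist and sysctl -w
#reports an error for them; the persisted lines are still correct.
persist_net_sysctl net.ipv6.conf.all.accept_ra 0
persist_net_sysctl net.ipv6.conf.default.accept_ra 0
persist_net_sysctl net.ipv6.conf.all.accept_redirects 0
persist_net_sysctl net.ipv6.conf.default.accept_redirects 0
#One route-cache flush after all parameters instead of one per parameter.
sysctl -w net.ipv4.route.flush=1 >/dev/null
sysctl -w net.ipv6.route.flush=1 >/dev/null 2>&1

#Ensure IPv6 is disabled (line written to CIS.conf only once).
grep -qF 'options ipv6 disable=1' /etc/modprobe.d/CIS.conf \
  || echo 'options ipv6 disable=1' >> /etc/modprobe.d/CIS.conf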

#Ensure TCP Wrappers is installed (installation left commented out, as before).
#yum install tcp_wrappers -y

#Ensure permissions on /etc/hosts.allow and /etc/hosts.deny are root:root 644.
for hosts_file in /etc/hosts.allow /etc/hosts.deny; do
  chown root:root "$hosts_file"
  chmod 644 "$hosts_file"
done

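#Ensure DCCP, SCTP, RDS and TIPC are disabled. Only the idempotent form is
#kept: the original first appended the four lines unconditionally and then
#ran the grep-guarded appends, so every run added duplicates to CIS.conf
#(and one of the guarded echoes had a blank line inside its string).
for net_module in dccp sctp rds tipc; do
  grep -qF "install ${net_module} /bin/true" /etc/modprobe.d/CIS.conf \
    || printf 'install %s /bin/true\n' "$net_module" >> /etc/modprobe.d/CIS.conf
done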

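##Logging and Auditing

#Set "key = value" in /etc/audit/auditd.conf, rewriting an existing line for
#the key or appending one. The match is anchored on the key name: the
#original unanchored patterns (/max_log_file/, /space_left_action/) also
#matched max_log_file_action and admin_space_left_action and overwrote them
#with the wrong key — which is why those two were then blindly re-appended.
set_auditd_option() {
  local key=$1 value=$2
  if grep -qE "^[[:space:]]*${key}[[:space:]]*=" /etc/audit/auditd.conf; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" /etc/audit/auditd.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/audit/auditd.conf
  fi
}

set_auditd_option max_log_file 24
set_auditd_option space_left_action email
set_auditd_option action_mail_acct root
set_auditd_option admin_space_left_action halt
set_auditd_option max_log_file_action keep_logs
#auditd is reloaded through its SysV wrapper, as its systemd unit refuses
#manual stop/restart.
service auditd reload
systemctl enable auditd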

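#Ensure all required events are recorded by auditd. One rule per line: in the
#original several rules had been wrapped onto two lines (e.g. "-F auid!" /
#"=4294967295"), which auditctl rejects, and the issue.net watch had lost its
#filename ("-w /etc/"). "-e 2" at the end locks the configuration until
#reboot, so rule changes after this point need a restart.
#NOTE(review): the header says the file is generated from /etc/audit/rules.d;
#on hosts using augenrules, audit.rules is regenerated from that directory at
#service start and these rules should live in a rules.d file instead —
#confirm which mode auditd uses here.
cat <<'EOF' > /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-b 8192
-f 1
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-e 2
EOF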

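#Ensure the rsyslog service is enabled and active. The original compared
#$rsyslog_status unquoted, which is a syntax error if the value is empty.
if [ "$(systemctl is-active rsyslog)" != "active" ]; then
  echo "rsyslog should be in active state. Starting rsyslog"
  systemctl start rsyslog
fi
systemctl enable rsyslog >/dev/null 2>&1

#Ensure rsyslog default file permissions are configured: new log files are
#created 0640 so they are not world-readable. An existing directive is
#rewritten, otherwise one is appended (once, not on every run).
if grep -q '^\$FileCreateMode' /etc/rsyslog.conf; then
  sed -i 's/^\$FileCreateMode.*/$FileCreateMode 0640/' /etc/rsyslog.conf
else
  echo '$FileCreateMode 0640' >> /etc/rsyslog.conf
fi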

#Configure cron
systemctl enable crond

#Ensure permissions: crontab and the cron.* directories are root-owned and
#inaccessible to group and others.
for cron_path in /etc/crontab /etc/cron.hourly /etc/cron.daily \
  /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  chown root:root "$cron_path"
  chmod og-rwx "$cron_path"
done

#Switch cron and at from deny-lists to allow-lists. An allow file that exists
#but is empty means only root may schedule jobs.
rm -f /etc/cron.deny
rm -f /etc/at.deny
for allow_file in /etc/cron.allow /etc/at.allow; do
  touch "$allow_file"
  chmod og-rwx "$allow_file"
  chown root:root "$allow_file"
done

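#SSH server hardening. sshd_config is made root-owned and private, then each
#directive is set through set_sshd_option. The original seds were
#inconsistent: "/^#PermitRootLogin/" changed only the commented default and
#left an explicit "PermitRootLogin yes" in force, the HostbasedAuthentication
#sed had lost its filename (sed would block reading stdin), and the MACs
#line contained an empty entry ("hmac-sha1,,") that sshd rejects at startup.
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config

sshd_config=/etc/ssh/sshd_config

#Set directive $1 to $2: rewrite an existing line (commented or not) for the
#keyword, otherwise append one. sshd honours the first occurrence of a
#keyword, so a rewritten line wins over later duplicates.
#NOTE(review): if sshd_config ends in a "Match" block, an appended directive
#would belong to that block — confirm before relying on the append path.
set_sshd_option() {
  local key=$1 value=$2
  if grep -qiE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$sshd_config"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}

set_sshd_option Protocol 2
set_sshd_option LogLevel INFO
set_sshd_option X11Forwarding no
set_sshd_option MaxAuthTries 4
set_sshd_option IgnoreRhosts yes
set_sshd_option HostbasedAuthentication no
#Make sure a non-root administrative account exists before sshd is restarted.
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
set_sshd_option Ciphers aes256-ctr,aes192-ctr,aes128-ctr
#SHA-2 MACs only; the original listed hmac-sha1 and hmac-ripemd160, both
#deprecated, around the empty entry.
set_sshd_option MACs hmac-sha2-512,hmac-sha2-256
set_sshd_option ClientAliveInterval 300
set_sshd_option ClientAliveCountMax 0
set_sshd_option LoginGraceTime 60
#The Banner path had been truncated to "/etc/" in the original.
set_sshd_option Banner /etc/issue.net

#Validate the result: a syntax error here would lock out remote
#administration at the next sshd restart.
sshd -t || echo "sshd_config failed validation (sshd -t). fix it before restarting sshd."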

##Configure PAM

#NOTE(review): every rule below is missing its module column (e.g. "auth
#required" with no pam_*.so after the control flag); the document this script
#was extracted from appears to have dropped dot-containing tokens (compare
#the remote banner path that ends in "/etc/"). As written this is not a valid
#PAM stack — regenerate system-auth with authconfig and apply the tally /
#password-quality arguments shown here to that output rather than writing
#this text over /etc/pam.d/system-auth. Also confirm the "nullok" arguments
#(they permit empty passwords) and minlen=8 against the policy in force.
echo '#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth required per_user onerr=fail deny=5 no_magic_root
auth sufficient
auth sufficient nullok try_first_pass
auth requisite uid >= 1000 quiet_success
auth required

account required

account required reset no_magic_root
account sufficient
account sufficient uid < 1000 quiet
account required

password requisite try_first_pass local_users_only retry=5

authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient sha512 shadow nullok try_first_pass
use_authtok remember=5
password required

session optional revoke

session required
-session optional
session [success=1 default=ignore] service in crond quiet
session required' > /etc/pam.d/system-auth

#NOTE(review): same missing-module problem as the system-auth stack above;
#the two stacks are otherwise identical copies.
echo '#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth required per_user onerr=fail deny=5 no_magic_root
auth sufficient
auth sufficient nullok try_first_pass
auth requisite uid >= 1000 quiet_success
auth required

account required

account required reset no_magic_root
account sufficient
account sufficient uid < 1000 quiet
account required

password requisite try_first_pass local_users_only retry=5

authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient sha512 shadow nullok try_first_pass
use_authtok remember=5
password required

session optional revoke

session required
-session optional
session [success=1 default=ignore] service in crond quiet
session required' > /etc/pam.d/password-auth

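#Password expiration policies in /etc/login.defs. These defaults apply only
#to accounts created afterwards; existing users keep their current ageing
#until adjusted with chage (not done by this script).

#Set login.defs key $1 to $2, rewriting the existing line or appending one
#when the key is absent (the original sed silently did nothing then).
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "/^${key}[[:space:]]/c ${key} ${value}" /etc/login.defs
  else
    printf '%s\t%s\n' "$key" "$value" >> /etc/login.defs
  fi
}

set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_WARN_AGE 7
#Disable accounts 30 days after their password expires.
useradd -D -f 30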

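#Ensure permissions on the account databases. /etc/passwd and /etc/group are
#world-readable by design; /etc/shadow and /etc/gshadow hold the password
#hashes and must be readable by root only. The original applied 644 to the
#shadow files as well, exposing every user's hash to every local account.
chown root:root /etc/passwd
chmod 644 /etc/passwd

chown root:root /etc/group
chmod 644 /etc/group

chown root:root /etc/shadow
chmod 000 /etc/shadow

chown root:root /etc/gshadow
chmod 000 /etc/gshadow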
