MyCode/Website
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Website/SecureIt.sh

3984 lines
141 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
###############################################################################
#### Hardening Script for Oracle Linux, Centos/Redhat and Ubuntu Servers. ####
#### Author: Phil Connor 02/10/2020 ####
#### Contact: contact@mylinux.work ####
#### Version 3.30.03.26.22 ####
#### ####
#### To Use chmod to 755 or simply type bash <SecureIt.sh> ####
###############################################################################
clear
export TERM=xterm-256color
############################
#### User Configuration ####
############################
RSWP=8 # <-- Set the required swap size
TCPPORTS=( 22 53 1521 5666 7001 7002 8000 9090 10000 ) # <-- Firwall ports that you need open, don't remove 22 unless you will only contecting with a console
TCP6PORTS=( 22 ) # <-- IPv6 is disabled but Nessus scans requires it configured
UDPPORTS=( 53 ) # <-- Gotta have DNS
UDP6PORTS=( 53 ) # <-- Gotta have DNS
##########################
#### System Variables ####
##########################
BACKUP="/root/config_Backups"
BOOTLD="/boot/grub2/user.cfg"
BOOTLDCE="/boot/efi/EFI/centos/"
BOOTLDRH="/boot/efi/EFI/redhat/"
BOOTLDUB="/boot/grub/user.cfg"
CRON_RH="/var/spool/cron/root"
CRON_UB="/var/spool/cron/crontab/root"
FIREIP="echo ${VLANIP// /}"
IPTBL="/etc/sysconfig/iptables"
IP6TBL="/etc/sysconfig/ip6tables"
IPTBLUB="/etc/iptables/rules.v4"
IP6TBLUB="/etc/iptables/rules.v6"
GRUBCFG="/boot/grub2/grub.cfg"
GRUBCFGCE="/boot/efi/EFI/centos/grub.cfg"
GRUBCFGRH="/boot/efi/EFI/redhat/grub.cfg"
GRUBCFGUB="/boot/grub/grub.cfg"
HOSTNAME=$(uname -n)
LOG=${BACKUP}/install.log
MODPRO="/etc/modprobe.d/cis.conf"
MYIP=$(netstat -putan | awk '/:22 / && /ESTABLISHED/ {split($5,result,":"); print result[1]}')
NTP_FILE="/etc/ntp.conf"
if [ "$(command -v lsb_release)" ]; then
OS=$(lsb_release -i | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
OSVER=$(lsb_release -r | awk '{print $2}' | awk -F. '{print $1}')
else
OS=$(grep PRETTY_NAME /etc/os-release | sed 's/PRETTY_NAME=//g' | tr -d '="' | awk '{print $1}' | tr '[:upper:]' '[:lower:]')
OSVER=$(grep VERSION_ID /etc/os-release | sed 's/VERSION_ID=//g' | tr -d '="' | awk -F. '{print $1}')
fi
SSHD_FILE='/etc/ssh/sshd_config'
TMPMNT="/usr/lib/systemd/system"
########################
#### Menu Variables ####
########################
H1=20
R1=3
R2=6
R3=11
W1=80
###########################################################
#### Detect Package Manger from OS and OSVer Variables ####
###########################################################
if [[ ${OS} = alma || ${OS} = amazon || ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = oracle ]]; then
if [ "${OSVER}" = 7 ]; then
PAKMGR="yum -y"
else
PAKMGR="dnf -y"
fi
elif [ "${OS}" = ubuntu ]; then
PAKMGR="apt -y"
fi
##############################################
#### Check to see if running as Root User ####
##############################################
function check_root() {
{
if [ $EUID -ne 0 ]; then
echo ""
echo "Script Installation has been Halted!"
echo ""
echo "You Must Run This Script as the \"ROOT\" User"
exit
fi
}
}
#################################
#### Config backup directory ####
#################################
function backup() {
{
for dir in ${BACKUP}; do
[[ ! -d "$dir" ]] && mkdir "$dir"
touch ${BACKUP}/install.log
done
}
}
#######################
#### Copy Function ####
#######################
function no_show() {
{
expand | awk 'NR == 1 {match($0, /^ */); l = RLENGTH + 1}
{print substr($0, l)}'
}
}
##########################
#### Spinner Function ####
##########################
function _spinner() {
{
local on_success="COMPLETE"
local on_fail="ERROR"
local green="\e[1;32m"
local red="\e[1;31m"
local nc="\e[0m"
case $1 in
start)
((column=$(tput cols)-${#2}-8))
echo -ne "\e[7m ${2} \e[0m \n"
printf "%${column}s"
i=1
sp='/-\|/-\:'
delay=${SPINNER_DELAY:-0.15}
while :
do
printf "\b%s${sp:i++%${#sp}:1}"
sleep "$delay"
done
;;
stop)
if [[ -z ${3} ]]; then
echo "spinner is not running.."
exit 1
fi
kill "$3" > /dev/null 2>&1
echo -en "\b["
if [[ $2 -eq 0 ]]; then
echo -en "${green}${on_success}${nc}"
else
echo -en "${red}${on_fail}${nc}"
fi
echo -e "]"
;;
*)
echo "invalid argument, try {start/stop}"
exit 1
;;
esac
}
}
#######################
#### Spinner Start ####
#######################
function start_spinner {
{
echo ""
_spinner "start" "${1}" &
_sp_pid=$!
echo ""
disown
}
}
######################
#### Spinner Stop ####
######################
function stop_spinner {
{
echo ""
_spinner "stop" "$1" $_sp_pid
unset _sp_pid
echo ""
}
}
#########################
#### Warning Message ####
#########################
function warn_message() {
{
whiptail --backtitle "SecureIt contact@mylinux.work" --title "*** WARNING ***" --yes-button "CONFIRM" --no-button "Exit" --defaultno --yesno " Running this script will harden this server to CIS Benchmark settings.
It will change server configuration and will affect server operation
ONLY RUN THIS SCRIPT IF YOU KNOW WHAT YOU ARE DOING!
You must select CONFIRM to continue." ${H1} ${W1}
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
private_ip
else
exit
fi
}
}
#############################
#### Get VLAN IP address ####
#############################
function private_ip() {
{
VLANIP=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Server Connect IP" --ok-button "Continue" --cancel-button "Exit" --inputbox " What is the IP/Sub or VLAN/Sub you use to connect to this server?
Examples are 192.168.0.0/24
or 192.168.1.21/32
or 10.0.10.0/16
Your current SSH Connection IP is Shown and can be changed if required" ${H1} ${W1} "${MYIP}"/32 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
time_zone
else
exit
fi
}
}
######################
#### Get TimeZone ####
######################
function time_zone() {
{
# shellcheck disable=SC2046
TIMEZONE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Server TimeZone" --ok-button "Continue" --cancel-button "Exit" --menu " What is your Server Timezone?
Example Central" ${H1} ${W1} ${R3} $(find /usr/share/zoneinfo/US/* | cut -d '/' -f 6 | sort | sed "s/$/ ./" | tr '\n' ' ';) 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
max_count
else
exit
fi
}
}
##################################
#### Get Auto Disconnect Time ####
##################################
function max_count() {
{
MAXCOUNT=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Server Disconnect" --ok-button "Continue" --cancel-button "Exit" --radiolist " What is the MAX time you want before auto disconnect?" ${H1} ${W1} ${R1} \
"1" "5 mins" OFF \
"2" "10 mins" OFF \
"3" "15 mins" ON 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
max_logs
else
exit
fi
}
}
################################
#### Get Audit logs Setting ####
################################
function max_logs() {
{
MAXLOGS=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Audit Logs" --ok-button "Continue" --cancel-button "Exit" --inputbox " If you plan on archiving the audit logs leave \"ignore\" here
If you have tons of room change this to \"KEEP_LOGS\"" ${H1} ${W1} ignore 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
syslog_server
else
exit
fi
}
}
###########################
#### Get Syslog Server ####
###########################
function syslog_server() {
{
SYSLOG=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "SysLog Server" --ok-button "Continue" --cancel-button "Exit" --inputbox " What is the Name or IP of your SysLog Server?" ${H1} ${W1} 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
srv_type
else
exit
fi
}
}
##########################
#### Get Server Usage ####
##########################
function srv_type() {
{
SRVTYPE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Server Disconnect" --ok-button "Continue" --cancel-button "Exit" --radiolist " What is the use or purpose of this server?" ${H1} ${W1} ${R1} \
"1" "EBS Server" OFF \
"2" "Weblogic Server" OFF \
"3" "Regular Server" ON 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
grub_password
else
exit
fi
}
}
#########################
#### Get Grub Passwd ####
#########################
function grub_password() {
{
GPASS=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Grub Password" --ok-button "Continue" --cancel-button "Exit" --inputbox " What do you want your Grub Password to be?" ${H1} ${W1} 3>&1 1>&2 2>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
if [ "${OS}" = ubuntu ]; then
G2PASSWD="$(echo -e "${GPASS}\n$GPASS" | grub-mkpasswd-pbkdf2 2>/dev/null | tail --lines=1 | awk -F " " '{print $7}')"
main_menu
else
G2PASSWD="$(echo -e "${GPASS}\n$GPASS" | grub2-mkpasswd-pbkdf2 2>/dev/null | tail --lines=1 | awk -F " " '{print $7}')"
main_menu
fi
else
exit
fi
}
}
#############################
#### OS Select Main Menu ####
#############################
function main_menu() {
{
while true; do
CHOICE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "OS Select Main" --ok-button "Continue" --cancel-button "Exit" --menu " Please Select Your Linux Distro" ${H1} ${W1} ${R2} \
"1)" "Oracle Linux" \
"2)" "RedHat/CentOS/Rocky/Alma" \
"3)" "Ubuntu *** Testing ***" 3>&2 2>&1 1>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
case ${CHOICE} in
"1)")
oracle_menu
;;
"2)")
redhat_menu
;;
"3)")
ubuntu_menu
;;
"4)")
;;
esac
else
exit
fi
done
}
}
#####################
#### Oracle Menu ####
#####################
function oracle_menu() {
{
while true; do
CHOICE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Oracle Linux" --ok-button "Install" --cancel-button "Exit" --menu " Please Select Your Oracle Version" ${H1} ${W1} ${R2} \
"1)" "OCI Oracle Linux 7" \
"2)" "OCI Oracle Linux 8" \
"3)" "Oracle Linux 7" \
"4)" "Oracle Linux 8" 3>&2 2>&1 1>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
case ${CHOICE} in
"1)")
oci_oracle_ebs_setup
oci_rh_ub_common
oci_only
complete
;;
"2)")
oci_oracle_ebs_setup
oci_rh_ub_common
oci_only
complete
;;
"3)")
oci_rh_ub_common
complete
;;
"4)")
oci_rh_ub_common
complete
;;
esac
else
exit
fi
done
}
}
#####################
#### Redhat Menu ####
#####################
function redhat_menu() {
{
while true; do
CHOICE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Redhat/Centos Linux" --ok-button "Install" --cancel-button "Exit" --menu " Please Select Your Redhat/CentOS Version" ${H1} ${W1} ${R2} \
"1)" "OCI CentOS 7" \
"2)" "OCI CentOS 8" \
"3)" "AWS Redhat/Centos 7" \
"4)" "AWS Redhat/Centos 8" \
"5)" "Redhat/CentOS/Rocky/Alma 7" \
"6)" "Redhat/CentOS/Rocky/Alma 8" \
"7)" "Redhat/Centos/Rocky/Alma 9" 3>&2 2>&1 1>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
case ${CHOICE} in
"1)")
oci_rh_ub_common
oci_only
complete
;;
"2)")
oci_rh_ub_common
oci_only
complete
;;
"3)")
oci_rh_ub_common
aws_only
complete
;;
"4)")
oci_rh_ub_common
aws_only
complete
;;
"5)")
oci_rh_ub_common
complete
;;
"6)")
oci_rh_ub_common
complete
;;
"7)")
oci_rh_ub_common
complete
;;
esac
else
exit
fi
done
}
}
#####################
#### Ubuntu Menu ####
#####################
function ubuntu_menu() {
{
while true; do
CHOICE=$(whiptail --backtitle "SecureIt contact@mylinux.work" --title "Ubuntu Linux" --ok-button "Install" --cancel-button "Exit" --menu " Please Select Your Ubuntu Version" ${H1} ${W1} ${R2} \
"1)" "OCI Ubuntu" \
"2)" "AWS Ubuntu" \
"2)" "Ubuntu" 3>&2 2>&1 1>&3)
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
case ${CHOICE} in
"1)")
oci_rh_ub_common
oci_only
complete
;;
"2)")
oci_rh_ub_common
aws_only
complete
;;
"3)")
oci_rh_ub_common
complete
;;
esac
else
exit
fi
done
}
}
##########################
#### Install Complete ####
##########################
function complete() {
{
whiptail --backtitle "SecureIt contact@mylinux.work" --title "Configuration Complete" --msgbox " This script has configured and hardened this server to
CIS Level 1 Benchmark settings.
It is recommended that you try to ssh to the sever as any user
or root to make sure you can connect and once you know all is working
properly the system should be rebooted.
Please select \"OK\" to EXIT." ${H1} ${W1} 3>&1 1>&2 2>&3
exitstatus=$?
if [ ${exitstatus} = 0 ]; then
exit
fi
}
}
#####################################################################
### The following is in line with the CIS BenchMark Manual v3.0.0 ###
#####################################################################
#############################
#### Make Swap if Needed ####
#############################
function make_swap() {
{
start_spinner 'Configuring Additional Swap Space...'
echo ""
if [ "${SRVTYPE}" -ne 3 ]; then
# size of swapfile in gigabytes
swpsize="$RSWP"
# how large the swap needs to be total in mb's
swpneed=$((swpsize * 1024))
# / part dir file list
dir=$(ls -la --block-size=M /)
# does the swap file already exist?
swpexist=$(echo "$dir" | grep -i swap | awk '{ print $5 }' | tr -d 'M"')
# what is the name of the swap file if it exist
swpname=$(echo "$dir" | grep -i swap | awk '{ print $9 }')
# Is there any swap present if yes what size is it
swppres=$(free -m | sed -n '3 p' | awk '{ print $2 }')
# If the swap file already exist is it large enough?
if (( swpneed < swpexist )) || (( swpneed < swppres )); then
echo -e '\e[01;37m ======================================================================='
echo -e '\e[01;32m ====================================================================='
echo -e '\e[01;32m ==== \e[01;37m A Large Enough Swapfile was Found! No Changes Needed... \e[01;32m ===='
echo -e '\e[01;32m ====================================================================='
echo -e '\e[01;37m ======================================================================='
elif (( swpneed > swpexist )) || (( swpneed > swppres )); then
echo -e '\e[01;37m =================================================================================='
echo -e '\e[01;31m ================================================================================'
echo -e '\e[01;31m ==== \e[01;37m A Large Enough Swapfile was not found! Creating Larger SwapFile... \e[01;31m ===='
echo -e '\e[01;31m ================================================================================'
echo -e '\e[01;37m =================================================================================='
# Turn off existing swap if needing replacement
if echo "$dir" | grep -i swap; then
swapoff /"${swpname}"
rm -f /"$swpname"
fi
# Create the swapfile and make it active
fallocate -l ${swpsize}g /.SwapFile
chmod 600 /.SwapFile
mkswap /.SwapFile
swapon /.SwapFile
echo -e '\e[01;37m =============================================================================='
echo -e '\e[01;32m ============================================================================'
echo -e '\e[01;32m ==== \e[01;37m Checking whether the swap space was mounted and active or not! \e[01;32m ===='
echo -e '\e[01;32m ============================================================================'
echo -e '\e[01;37m =============================================================================='
R=$(swapon -s)
if [ -n "$R" ]; then
echo -e '\e[01;32m ============'
echo -e '\e[01;32m ============'
echo -e '\e[01;32m ============================================================================'
echo -e "\e[01;37m$R"
echo -e '\e[01;32m ============================================================================'
echo -e '\e[01;37m =============================================================================='
else
echo -e '\e[01;31m ============'
echo -e '\e[01;31m ============'
echo -e '\e[01;31m ============================================================================'
echo -e "\e[01;37m Something Went Wrong no Swap was Loaded"
echo -e '\e[01;31m ============================================================================'
echo -e '\e[01;37m =============================================================================='
fi
# Check to see if the created swap is losted in the fstab file
if ! grep -q "SwapFile" /etc/fstab; then
echo "/.SwapFile swap swap defaults 0 0" >> /etc/fstab
fi
fi
fi
stop_spinner $?
} | tee -a $LOG
}
############################
#### Set Sever TimeZone ####
############################
function time_set() {
{
start_spinner 'Setting System TimeZone...'
echo ""
timedatectl set-timezone US/"${TIMEZONE}"
stop_spinner $?
} | tee -a $LOG
}
########################################
### 1.1.1 Disable Unused Filesystems ###
########################################
function disable_filesystems() {
{
start_spinner 'Disabling Unused Filesystems...'
echo ""
touch ${MODPRO}
#### 1.1.1.1 Ensure mounting of cramfs is disabled ####
echo "install cramfs /bin/true" > ${MODPRO}
lsmod | grep -qi cramfs
if [ $? != 1 ]; then
rmmod cramfs
fi
#### 1.1.1.2 Ensure mounting of freevxf filesystem 1s disabled ####
echo "install freevxfs /bin/true" >> ${MODPRO}
lsmod | grep -qi freevxfs
if [ $? != 1 ]; then
rmmod freevxfs
fi
#### 1.1.1.3 Ensure mounting of jiffs2 filesystem is disabled ####
echo "install jffs2 /bin/true" >> ${MODPRO}
lsmod | grep -qi jffs2
if [ $? != 1 ]; then
rmmod jffs2
fi
#### 1.1.1.4 Ensure mounting of hfs filesystem is disabled ####
echo "install hfs /bin/true" >> ${MODPRO}
lsmod | grep -qi hfs
if [ $? != 1 ]; then
rmmod hfs
fi
#### 1.1.1.5 Ensure mounting of hfsplus filesystem is disabled ####
echo "install hfsplus /bin/true" >> ${MODPRO}
lsmod | grep -qi hfsplus
if [ $? != 1 ]; then
rmmod hfsplus
fi
#### 1.1.1.6 Ensure mounting of squashfs filesystem is disabled ####
echo "install squashfs /bin/true" >> ${MODPRO}
lsmod | grep -qi squashfs
if [ $? != 1 ]; then
rmmod squashfs
fi
#### 1.1.1.7 Ensure mounting of udf filesystem is disabled ####
echo "install udf /bin/true" >> ${MODPRO}
lsmod | grep -qi udf
if [ $? != 1 ]; then
rmmod udf
fi
#### 1.1.1.8 Ensure mounting of FAT filesystem is disabled ####
echo "install fat /bin/true" >> ${MODPRO}
lsmod | grep -qi fat
if [ $? != 1 ]; then
rmmod fat
fi
#####################################
#### Additonal Unsed Filesystems ####
#####################################
echo "install cifs /bin/true" >> ${MODPRO}
lsmod | grep -qi cifs
if [ $? != 1 ]; then
rmmod cifs
fi
echo "install nfs /bin/true" >> ${MODPRO}
lsmod | grep -qi nfs
if [ $? != 1 ]; then
rmmod nfs
fi
echo "install nfsv3 /bin/true" >> ${MODPRO}
lsmod | grep -qi nfsv3
if [ $? != 1 ]; then
rmmod nfsv3
fi
echo "install nfsv4 /bin/true" >> ${MODPRO}
lsmod | grep -qi nfsv4
if [ $? != 1 ]; then
rmmod nfsv4
fi
echo "install gfs2 /bin/true" >> ${MODPRO}
lsmod | grep -qi gfs2
if [ $? != 1 ]; then
rmmod gfs2
fi
echo "install usb-storage /bin/true" >> ${MODPRO}
lsmod | grep -qi usb-storage
if [ $? != 1 ]; then
rmmod usb-storage
fi
echo "install bnep /bin/true" >> ${MODPRO}
lsmod | grep -qi bnep
if [ $? != 1 ]; then
rmmod bnep
fi
echo "install bluetooth /bin/true" >> ${MODPRO}
lsmod | grep -qi bluetooth
if [ $? != 1 ]; then
rmmod bluetooth
fi
echo "install btusb /bin/true" >> ${MODPRO}
lsmod | grep -qi btusb
if [ $? != 1 ]; then
rmmod btusb
fi
echo "install net-pf-31 /bin/true" >> ${MODPRO}
lsmod | grep -qi net-pf-31
if [ $? != 1 ]; then
rmmod net-pf-31
fi
echo "install appletalk /bin/true" >> ${MODPRO}
lsmod | grep -qi appletalk
if [ $? != 1 ]; then
rmmod appletalk
fi
{
echo "blacklist usb-storage"
echo "blacklist firewire-core"
echo "options ipv6 disable=1"
} >> ${MODPRO}
stop_spinner $?
} | tee -a $LOG
}
######################################################
#### 1.1.2 Ensure seprate partion exists for /tmp ####
######################################################
function tmp_directory() {
{
start_spinner 'Ensuring a Seprate Partion Exists for /tmp...'
echo ""
#### Copy Conf Files for Backup ####
xargs -n 1 cp -v /etc/fstab <<< ""${BACKUP} /etc/fstab.bak""
#### Check to see if /tmp is a mount ####
mount | grep /tmp
if ! 1; then
umount /tmp
fi
#### /tmp Mount Changes Ubuntu ####
if [ "${OS}" = ubuntu ]; then
xargs -n 1 cp -v /usr/share/systemd/tmp.mount <<< ""${BACKUP} /usr/share/systemd/tmp.mount.bak""
grep nosuid /usr/share/systemd/tmp.mount
if ! 1; then
sed -i 's/Options=mode=1777,strictatime,nosuid,nodev/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' /usr/share/systemd/tmp.mount
else
sed -i 's/Options=mode=1777,strictatime/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' /usr/share/systemd/tmp.mount
fi
#### /tmp Mount Changes RedHat ####
elif [ "${OS}" = oracle ]; then
xargs -n 1 cp -v /usr/lib/systemd/system/tmp.mount <<< ""${BACKUP} /usr/lib/systemd/system/tmp.mount.bak""
if [ "${OSVER}" = 7 ]; then
sed -i 's/Options=mode=1777,strictatime/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' $TMPMNT/tmp.mount
fi
if [ "${OSVER}" = 8 ] || [ "${OSVER}" = 9 ]; then
sed -i 's/Options=mode=1777,strictatime,nosuid,nodev/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' $TMPMNT/tmp.mount
fi
elif [[ ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = alma ]]; then
if [ "${OSVER}" = 7 ]; then
sed -i 's/Options=mode=1777,strictatime/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' $TMPMNT/tmp.mount
fi
if [ "${OSVER}" = 8 ]; then
sed -i 's/Options=mode=1777,strictatime,nosuid,nodev/Options=mode=1777,strictatime,nosuid,nodev,noexec/g' $TMPMNT/tmp.mount
fi
if [ "${OSVER}" = 9 ]; then
sed -i 's/Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m/Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%,nr_inodes=1m/g' $TMPMNT/tmp.mount
fi
else
xargs -n 1 cp -v /etc/systemd/system/local-fs.target.wants/tmp.mount <<< ""${BACKUP} /etc/systemd/system/local-fs.target.wants/tmp.mount.bak""
no_show << EOF > /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
EOF
fi
#### Setting /tmp to persist thru reboots ####
if ! grep -w /tmp /etc/fstab; then
echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab
fi
mount /tmp
#### 1.1.3, 1.1.4 & 1.1.5 Ensure noexec, nosuid and nodev option set on /tmp partition ####
#### mount -o remount,noexec,nosuid,nodev /tmp
#### Setting /var/tmp to persist thru reboots ####
if ! grep -w /var/tmp /etc/fstab; then
echo "/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0" >> /etc/fstab
fi
#### Binding mount /var/tmp directory to /tmp ####
mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
#### 1.1.8, 1.1.9 & 1.1.10 Ensure noexec, nosuid and nodev option set on /var/tmp partition ####
mount -o remount,noexec,nosuid,nodev /var/tmp
#### Setting /dev/shm to persist thru reboots ####
if [ "${SRVTYPE}" -ne 2 ]; then
if ! grep -w /dev/shm /etc/fstab; then
echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,relatime 0 0" >> /etc/fstab
#### 1.1.15, 1.1.16 and 1.1.17 Ensure noexec, nosuid and nodev option set on /dev/shm partition ####
mount -o remount,noexec,nosuid,nodev,relatime /dev/shm
fi
fi
#### Ensure noexec and nodev option set on /dev partition ####
mount -o remount,noexec /dev
#### Setting /dev to persist thru reboots ####
if ! grep -w devtmpfs /etc/fstab; then
echo "devtmpfs /dev devtmpfs defaults,noexec 0 0" >> /etc/fstab
fi
stop_spinner $?
} | tee -a $LOG
}
#############################################################################
#### 1.1.21 Ensure Sticky Bit is set on "All" World-Writable Directories ####
#############################################################################
function stickybit() {
{
start_spinner 'Setting Sticky Bit on "All" World-Writable Directories...'
echo ""
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
stop_spinner $?
} | tee -a $LOG
}
##############################################
#### 1.2.2 Ensure GPG Keys are Configured ####
##############################################
function gpgkeys() {
{
start_spinner 'Checking GPG Keys are Configured...'
echo ""
if [ "${OS}" = ubuntu ]; then
apt-cache policy
${PKGMGR} update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' |
while read -r key; do
echo 'Processing key:' "$key"
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$key"
done
apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com
apt-key list
else
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
grep ^gpgcheck /etc/yum.repos.d/* >> ${LOG} 2>&1
### 1.2.3 Verify that gpgcheck is Globally Activated ###
grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf
fi
stop_spinner $?
} | tee -a $LOG
}
########################################
#### 1.3.1 Ensure Aide is Installed ####
########################################
function aide_install() {
{
start_spinner 'Installing and Configuring AIDE...'
echo ""
if [ "${OS}" = ubuntu ]; then
debconf-set-selections <<< ""postfix postfix/mailname string "${HOSTNAME}"""
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
${PAKMGR} install aide aide-common --assume-yes
aideinit
update-aide.conf
if [ ! -f ${CRON_UB} ]; then
touch ${CRON_UB}
crontab ${CRON_UB}
fi
if ! grep -qi "aide" ${CRON_UB}; then
echo "0 5 * * * /usr/bin/aide.wrapper --check" >> ${CRON_UB}
fi
else
${PAKMGR} install aide
aide --init
mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
if [ ! -f ${CRON_RH} ]; then
touch ${CRON_RH}
crontab ${CRON_RH}
fi
if ! grep -qi "aide" ${CRON_RH}; then
echo "0 5 * * * /usr/sbin/aide --check" >> ${CRON_RH}
fi
fi
stop_spinner $?
} | tee -a $LOG
}
###########################
#### 1.3 Sudo Commands ####
###########################
function sudo_changes() {
{
start_spinner 'Configuring Sudo Settings...'
echo ""
if [ ! -f /etc/sudoers.d/cis ]; then
touch /etc/sudoers.d/cis
chmod 440 /etc/sudoers.d/cis
fi
#### 1.3.2 Ensure Sudo Commands use Pty ####
echo "Defaults use_pty" >> /etc/sudoers.d/cis
#### 1.3.3 Ensure Sudo Log File Exists ####
echo "Defaults logfile=\"/var/log/sudo.log\"" >> /etc/sudoers.d/cis
stop_spinner $?
} | tee -a $LOG
}
##################################
#### 1.4 Secure Boot Settings ####
##################################
function boot_load() {
{
start_spinner 'Securing Boot Settings...'
echo ""
#### 1.4.1 Ensure permissions on bootloader config are configured ####
if [ "${OS}" = "ubuntu" ]; then
touch ${BOOTLDUB}
chmod 600 ${BOOTLDUB}
chown root.root ${BOOTLDUB}
else
touch ${BOOTLD}
chmod 600 ${BOOTLD}
chown root.root ${BOOTLD}
fi
#### Config /boot/efi permissions in fstab !!! This is for OCI !!! I have not seen this on any other cloud provider ####
mount | grep /boot/efi
if [ $? != 1 ]; then
umount /boot/efi
if [ "${OS}" = oracle ]; then
if [ "${OSVER}" = 7 ]; then
sed -i 's/defaults,uid=0,gid=0,umask=0077,shortname=winnt,_netdev,_netdev,x-initrd.mount/defaults,uid=0,gid=0,umask=0077,fmask=0177,shortname=winnt,_netdev,_netdev,x-initrd.mount/g' /etc/fstab
elif [ "${OSVER}" = 8 ]; then
sed -i 's/defaults,uid=0,gid=0,umask=077,shortname=winnt/defaults,uid=0,gid=0,umask=077,fmask=0177,shortname=winnt/g' /etc/fstab
fi
fi
if [ "${OS}" = centos ]; then
sed -i 's/vfat[[:blank:]]*defaults/vfat defaults,uid=0,gid=0,umask=0077,fmask=0177/g' /etc/fstab
fi
mount /boot/efi
fi
#### 1.4.2 Ensure bootloader password is set ####
if [ "${OS}" = centos ]; then
echo GRUB2_PASSWORD="${G2PASSWD}" > ${BOOTLD}
cp ${BOOTLD} ${BOOTLDCE}
elif [ "${OS}" = ubuntu ]; then
echo GRUB2_PASSWORD="${G2PASSWD}" > ${BOOTLDUB}
else
echo GRUB2_PASSWORD="${G2PASSWD}" > ${BOOTLD}
cp ${BOOTLD} ${BOOTLDRH}
fi
stop_spinner $?
} | tee -a $LOG
}
################################################
#### 1.5.1 Ensure core dumps are restricted ####
################################################
function core_dumps() {
{
start_spinner 'Restricting Core Dumps...'
echo ""
xargs -n 1 cp -v /etc/security/limits.conf <<<"${BACKUP} /etc/security/limits.conf.bak"
echo '* hard core 0' >> /etc/security/limits.conf
stop_spinner $?
} | tee -a $LOG
}
###########################################################################
#### 1.5.3 Ensure address space layout randomization (ASLR) is enabled ####
###########################################################################
function sysctl_conf() {
{
start_spinner 'Configuring Sysctl and Tuning Kernel Parameters...'
echo ""
xargs -n 1 cp -v /etc/sysctl.conf <<< "${BACKUP} /etc/sysctl.conf.bak"
no_show << "EOF" > /etc/sysctl.conf
##################################################################################################
#### Hardened SysCtl Configuration File edited to match CIS level 1 requirements ####
#### for questions or changles please contact Phil Connor contact@mylinux.work ####
##################################################################################################
#### Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
#### Controls whether core dumps will append the PID to the core filename.
#### Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
##################################
#### GENERAL SECURITY OPTIONS ####
##################################
#### Automatically Reboot Server 30 Seconds after a Kernel Panic
vm.panic_on_oom = 1
kernel.panic = 30
kernel.panic_on_oops = 30
#### Enable ExecShield
#kernel.exec-shield = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
#### 1.5.3 Ensure address space layout randomization (ASLR) is enabled
kernel.randomize_va_space = 2
#################################
#### COMMUNICATIONS SECURITY ####
#################################
#### 3.1.1 Ensure IP forwarding is disabled
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
#### 3.1.2 Ensure packet redirect sending is disabled
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#### 3.2.1 Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#### 3.2.2 Ensure ICMP redirects are not accepted
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
#### 3.2.3 Ensure secure ICMP redirects are not accepted
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
#### 3.2.4 Ensure suspicious packets are logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
#### 3.2.5 Ensure broadcast ICMP requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_timestamps = 0
#### 3.2.6 Ensure bogus ICMP responses are ignored
net.ipv4.icmp_ignore_bogus_error_responses = 1
#### 3.2.7 Ensure Reverse Path Filtering is enabled
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#### 3.2.8 Ensure TCP SYN Cookies is enabled
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
#### 3.3.1 Ensure IPv6 router advertisements are not accepted
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
#### 3.3.1.1 Ensure IPv6 router advertisements are not accepted
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
#### 3.3.2 Ensure IPv6 redirects are not accepted
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
#### 3.3.3 Ensure IPv6 is disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#### Reduce KeepAlive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
fs.suid_dumpable = 0
#########################
#### Oracle Settings ####
#########################
# oracle-ebs-server-R12-preinstall setting for fs.file-max is 6815744
fs.file-max = 6815744
# oracle-ebs-server-R12-preinstall setting for kernel.sem is '256 32000 100 142'
kernel.sem = 256 32000 100 142
# oracle-ebs-server-R12-preinstall setting for kernel.shmmni is 4096
kernel.shmmni=4096
# oracle-ebs-server-R12-preinstall setting for kernel.shmall is 1073741824 on x86_64
# oracle-ebs-server-R12-preinstall setting for kernel.shmall is 2097152 on i386
kernel.shmall=1073741824
# oracle-ebs-server-R12-preinstall setting for kernel.shmmax is 4398046511104 on x86_64
# oracle-ebs-server-R12-preinstall setting for kernel.shmmax is 4294967295 on i386
kernel.shmmax=4398046511104
# oracle-ebs-server-R12-preinstall setting for kernel.panic_on_oops is 1
kernel.panic_on_oops=1
# oracle-ebs-server-R12-preinstall setting for kernel.msgmax is 8192
kernel.msgmax = 8192
# oracle-ebs-server-R12-preinstall setting for kernel.msgmni is 2878
kernel.msgmni=2878
# oracle-ebs-server-R12-preinstall setting for kernel.msgmnb is 65535
kernel.msgmnb=65535
# oracle-ebs-server-R12-preinstall setting for net.core.rmem_default is 262144
net.core.rmem_default=262144
# oracle-ebs-server-R12-preinstall setting for net.core.rmem_max is 4194304
net.core.rmem_max=4194304
# oracle-ebs-server-R12-preinstall setting for net.core.wmem_default is 262144
net.core.wmem_default=262144
# oracle-ebs-server-R12-preinstall setting for net.core.wmem_max is 1048576
net.core.wmem_max=1048576
# oracle-ebs-server-R12-preinstall setting for fs.aio-max-nr is 1048576
fs.aio-max-nr = 1048576
# oracle-ebs-server-R12-preinstall setting for net.ipv4.ip_local_port_range is 9000 65500
net.ipv4.ip_local_port_range = 9000 65500
EOF
sysctl -p
stop_spinner $?
} | tee -a $LOG
}
##########################################
#### 1.5.4 Ensure prelink is disabled ####
##########################################
function pre_link() {
{
start_spinner 'Disabling and removing Prelink...'
echo ""
if [ -f /usr/sbin/prelink ]; then
prelink -ua
${PAKMGR} remove prelink
fi
stop_spinner $?
} | tee -a $LOG
}
########################################################
#### 1.6.1.4 Ensure SETroubleshoot is not installed ####
########################################################
function se_troubleshoot_mcs() {
{
start_spinner 'Removing SE Troubleshoot and MCS Translation Service...'
echo ""
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if [ -f /usr/bin/setroubleshoot ]; then
${PAKMGR} remove setroubleshoot
fi
fi
#### 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed ####
if [ "${OS}" = ubuntu ]; then
systemctl list-units --type=service --all | grep mcstrans
if ! 1; then
${PAKMGR} remove policycoreutils
fi
else
systemctl list-units --type=service --all | grep mcstrans
if ! 1; then
${PAKMGR} remove mcstrans
fi
fi
stop_spinner $?
} | tee -a $LOG
}
######################################################
#### 1.6.1.6 Ensure no unconfigured daemons exist ####
######################################################
function unconf_daemons() {
{
start_spinner 'Ensuring no unconfigered daemons exist...'
echo ""
process=$(ps -eZ)
echo "${process}" | grep -E "initrc" | grep -Evw "tr|ps|grep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
stop_spinner $?
} | tee -a $LOG
}
###########################################
#### 1.6.2 Ensure SELinux is installed ####
###########################################
function se_linux() {
{
start_spinner 'Ensuring SELinux is installed...'
echo ""
if [ "${OS}" = ubuntu ]; then
${PAKMGR} install libselinux1
else
if ! rpm -qa libselinux; then
${PAKMGR} install libselinux
fi
fi
stop_spinner $?
} | tee -a $LOG
}
##################################################################
#### 1.7.1.1 Ensure message of the day is configured properly ####
##################################################################
function banners() {
{
start_spinner 'Configuring all Message Banners...'
echo ""
if [ "${OS}" = ubuntu ]; then
chmod -x /etc/update-motd.d/*
touch /etc/motd
else
xargs -n 1 cp -v /etc/motd <<< "${BACKUP} /etc/motd.bak"
fi
echo " All activities performed on this system will be monitored." > /etc/motd
#### 1.7.1.2 Ensure local login warning banner is configured properly ####
xargs -n 1 cp -v /etc/issue <<< "${BACKUP} /etc/issue.bak"
echo " All activities performed on this system will be monitored." > /etc/issue
#### 1.7.1.3 Ensure remote login warning banner is configured properly ####
xargs -n 1 cp -v /etc/issue.net <<< "${BACKUP} /etc/issue.net.bak"
echo " All activities performed on this system will be monitored." > /etc/issue.net
#### 1.7.1.4 Ensure permissions on /etc/motd ore configured ####
chmod 644 /etc/motd
chown root.root /etc/motd
#### 1.7.1.5 Ensure permissions on /etc/issue are configured ####
chmod 644 /etc/issue
chown root.root /etc/issue
#### 1.7.1.6 Ensure permissions on /etc/issue.net are configured ####
chmod 644 /etc/issue.net
chown root.root /etc/issue.net
stop_spinner $?
} | tee -a $LOG
}
#####################################################################################
#### 1.8 ensure updates, patches, and additional security software are installed ####
#####################################################################################
function update_security() {
{
start_spinner 'Checking and Installing Security Updates...'
echo ""
if [ "${OS}" = ubuntu ]; then
${PAKMGR} autoremove
${PAKMGR} update
"${PAKMGR} install -y --only-upgrade $(apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq)"
else
${PAKMGR} clean all
${PAKMGR} check-update --security
${PAKMGR} update --security
fi
stop_spinner $?
} | tee -a $LOG
}
############################
#### 2.1 inetd Services ####
############################
function inet_service() {
{
start_spinner 'Disabling Unused/Unsecure inetd Services...'
echo ""
#### 2.1.1 Ensure chargen services are not enabled ####
if [ "${OS}" = ubuntu ]; then
grep -R "^chargen" /etc/inetd.*
if ! 2; then
systemctl stop chargen
systemctl disable chargen
fi
else
systemctl is-enabled chargen-dgram
if ! 1; then
systemctl stop chargen-dgram
systemctl disable chargen-dgram
fi
systemctl is-enabled chargen-stream
if ! 1; then
systemctl stop chargen-stream
systemctl disable chargen-stream
fi
fi
#### 2.1.2 Ensure daytime services are not enabled ####
if [ "${OS}" = ubuntu ]; then
grep -R "^daytime" /etc/inetd.*
if ! 2; then
systemctl stop daytime
systemctl disable daytime
fi
else
systemctl is-enabled daytime-dgram
if ! 1; then
systemctl stop daytime-dgram
systemctl disable daytime-dgram
fi
systemctl is-enabled daytime-stream
if ! 1; then
systemctl stop daytime-stream
systemctl disable daytime-stream
fi
fi
#### 2.1.3 Ensure discard services are not enabled ####
if [ "${OS}" = ubuntu ]; then
grep -R "^discard" /etc/inetd.*
if ! 2; then
systemctl stop discard
systemctl disable discard
fi
else
systemctl is-enabled discard-dgram
if ! 1; then
systemctl stop discard-dgram
systemctl disable discard-dgram
fi
systemctl is-enabled discard-stream
if ! 1; then
systemctl stop discard-stream
systemctl disable discard-stream
fi
fi
#### 2.1.4 Ensure echo services are not Enabled ####
if [ "${OS}" = ubuntu ]; then
grep -R "^echo" /etc/inetd.*
if ! 2; then
systemctl stop echo
systemctl disable echo
fi
else
systemctl is-enabled echo-stream
if ! 1; then
systemctl stop echo-stream
systemctl disable echo-stream
fi
fi
#### 2.1.5 Ensure time services are not enabled ####
if [ "${OS}" = ubuntu ]; then
grep -R "^time" /etc/inetd.*
if ! 2; then
systemctl stop time
systemctl disable time
fi
else
systemctl is-enabled time-dgram
if ! 1; then
systemctl stop time-dgram
systemctl disable time-dgram
fi
systemctl is-enabled time-stream
if ! 1; then
systemctl stop time-stream
systemctl disable time-stream
fi
fi
#### 2.1.6 Ensure rsh server is not enabled Ubuntu ####
if [ "${OS}" = ubuntu ]; then
grep -R "^shell" /etc/inetd.*
if ! 2; then
systemctl stop shell
systemctl disable shell
fi
grep -R "^login" /etc/inetd.*
if ! 2; then
systemctl stop login
systemctl disable login
fi
grep -R "^exec" /etc/inetd.*
if ! 2; then
systemctl stop exec
systemctl disable exec
fi
fi
#### 2.1.6 Ensure tftp server is not enabled Others ####
systemctl is-enabled tftp
if ! 1; then
systemctl stop tftp
systemctl disable tftp
fi
#### 2.1.7 Ensure talk server is not enabled Ubuntu ####
if [ "${OS}" = ubuntu ]; then
grep -R "^talk" /etc/inetd.*
if ! 2; then
systemctl stop talk
systemctl disable talk
fi
grep -R "^ntalk" /etc/inetd.*
if ! 2; then
systemctl stop ntalk
systemctl disable ntalk
fi
fi
#### 2.1.9 Ensure tftp server is not enabled Ubuntu ####
if [ "${OS}" = ubuntu ]; then
grep -R "^tftp" /etc/inetd.*
if ! 2; then
systemctl stop tftp
systemctl disable tftp
fi
fi
#### 2.1.8 Ensure telnet server is not enabled Ubuntu ####
if [ "${OS}" = ubuntu ]; then
grep -R "^telnet" /etc/inetd.*
if ! 2; then
systemctl stop telnet
systemctl disable telnet
fi
fi
#### 2.1.10 Ensure xinetd is not enabled All ####
systemctl is-enabled xinetd
if ! 1; then
systemctl stop xinetd
systemctl disable xinetd
fi
stop_spinner $?
} | tee -a $LOG
}
#######################################################
#### 2.2.1.1 Ensure time synchronization is in use ####
#######################################################
#### 2.2.1.2 Ensure ntp is configured ####
function ntp_config() {
{
start_spinner 'Configuring NTP Service...'
echo ""
if [ "${OS}" = ubuntu ]; then
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install ntp
else
${PAKMGR} install ntp
fi
if [ "${OS}" = centos ]; then
var1=${OS}
elif [ "${OS}" = ubuntu ]; then
var1=${OS}
else
var1=rhel
fi
if [ "${OS}" = centos ]; then
sed -i 's/OPTIONS="-g"/OPTIONS="-u ntp:ntp"/g' /etc/sysconfig/ntpd
if ! grep -qi "server 127.127.1.0" ${NTP_FILE}; then
echo "server 127.127.1.0 #local clock" >> ${NTP_FILE}
echo "fudge 127.127.1.0 stratum 10" >> ${NTP_FILE}
fi
if ! grep -qi "disable monitor" ${NTP_FILE}; then
echo "disable monitor" >> ${NTP_FILE}
fi
systemctl enable --now ntpd
elif [ "${OS}" = ubuntu ]; then
if ! grep -qi "server 127.127.1.0" ${NTP_FILE}; then
echo "server 127.127.1.0 #local clock" >> ${NTP_FILE}
echo "fudge 127.127.1.0 stratum 10" >> ${NTP_FILE}
fi
if ! grep -qi "disable monitor" ${NTP_FILE}; then
echo "disable monitor" >> ${NTP_FILE}
fi
if ! grep -qi "RUNASUSER=ntp" /etc/init.d/ntp; then
echo "RUNASUSER=ntp" >> /etc/init.d/ntp
fi
else
xargs -n 1 cp -v ${NTP_FILE} <<< ""${BACKUP} ${NTP_FILE}.bak""
sed -i 's/restrict default nomodify notrap nopeer noquery/restrict default nomodify notrap nopeer noquery/p' ${NTP_FILE}
sed -i '8 s/restrict default nomodify notrap nopeer noquery/restrict -4 default kod nomodify notrap nopeer noquery/g' ${NTP_FILE}
sed -i '9 s/restrict default nomodify notrap nopeer noquery/restrict -6 default kod nomodify notrap nopeer noquery/g' ${NTP_FILE}
sed -i 's/OPTIONS="-g"/OPTIONS="-u ntp:ntp"/g' /etc/sysconfig/ntpd
if ! grep -qi "server 127.127.1.0" "${NTP_FILE}"; then
echo "server 127.127.1.0 #local clock" >> ${NTP_FILE}
echo "fudge 127.127.1.0 stratum 10" >> ${NTP_FILE}
fi
if ! grep -qi "disable monitor" ${NTP_FILE}; then
echo "disable monitor" >> ${NTP_FILE}
fi
systemctl enable --now ntpd
systemctl restart ntpd
fi
sed -i "s/#server 0.$var1.pool.ntp.org iburst/server 0.$var1.pool.ntp.org iburst/g" ${NTP_FILE}
sed -i "s/#server 1.$var1.pool.ntp.org iburst/server 1.$var1.pool.ntp.org iburst/g" ${NTP_FILE}
sed -i "s/#server 2.$var1.pool.ntp.org iburst/server 2.$var1.pool.ntp.org iburst/g" ${NTP_FILE}
sed -i "s/#server 3.$var1.pool.ntp.org iburst/server 3.$var1.pool.ntp.org iburst/g" ${NTP_FILE}
systemctl enable --now ntp
systemctl enable --now systemd-timesyncd
stop_spinner $?
} | tee -a $LOG
}
#### 2.2.1.3 Ensure chrony is configured ####
function chrony_cfg() {
{
start_spinner 'Configuring Chrony Service...'
echo ""
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if [ "${OSVER}" = 8 ] || [ "${OSVER}" = 9 ]; then
${PAKMGR} install chrony ntpstat
fi
elif [ "${OS}" = ubuntu ]; then
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install chrony
else
${PAKMGR} install chrony
fi
if [ "${OS}" = centos ]; then
var1=${OS}
else
var1=rhel
fi
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if [ "${OSVER}" = 7 ]; then
if ! grep $var1.pool.ntp.org /etc/chrony.conf; then
echo '#################################################################'
echo '#### Using public servers from the pool.ntp.org project. ####'
echo '#### Added for CIS Level 1 Compatibility for questions ####'
echo '#### Contact Phil Connor contact@mylinux.work ####'
echo '#################################################################'
echo "server 0.$var1.pool.ntp.org iburst"
echo "server 1.$var1.pool.ntp.org iburst"
echo "server 2.$var1.pool.ntp.org iburst"
echo "server 3.$var1.pool.ntp.org iburst"
sed -i "s/#server 0.$var1.pool.ntp.org iburst/server 0.$var1.pool.ntp.org iburst/g" /etc/chrony.conf
sed -i "s/#server 1.$var1.pool.ntp.org iburst/server 1.$var1.pool.ntp.org iburst/g" /etc/chrony.conf
sed -i "s/#server 2.$var1.pool.ntp.org iburst/server 2.$var1.pool.ntp.org iburst/g" /etc/chrony.conf
sed -i "s/#server 3.$var1.pool.ntp.org iburst/server 3.$var1.pool.ntp.org iburst/g" /etc/chrony.conf
sed -i 's/server 169.254.169.254 iburst/#server 169.254.169.254 iburst/g' /etc/chrony.conf
sed -i 's/OPTIONS=""/OPTIONS="-u chrony"/g' /etc/sysconfig/chronyd
fi
fi
fi
if [ "${OSVER}" = 8 ] || [ "${OSVER}" = 9 ]; then
if ! grep $var1.pool.ntp.org /etc/chrony.conf; then
chronyd -q 'server 2.rhel.pool.ntp.org iburst'
sed -i 's/OPTIONS="-F 2"/OPTIONS="-u chrony"/g' /etc/sysconfig/chronyd
chronyc sourcestats -v
fi
systemctl enable --now chronyd
fi
if [ "${OS}" = ubuntu ]; then
if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then
sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd
if [ ! -f /etc/sysconfig/chronyd ]; then
touch /etc/sysconfig/chronyd
echo "OPTIONS="-u chrony"" /etc/sysconfig/chronyd
fi
fi
chronyc sourcestats -v
fi
stop_spinner $?
} | tee -a $LOG
}
#######################################################
#### 2.2.2 Ensure X Window System is not installed ####
#######################################################
function unsecure_services() {
{
start_spinner 'Removing X11 and Disabling Insecure Protocols...'
echo ""
if [ "${OS}" = ubuntu ]; then
${PAKMGR} remove xorg*
${PAKMGR} remove xserver-xorg*
else
${PAKMGR} remove xorg-x11*
fi
a=( "$(systemctl list-units --type=service --all)" )
#### 2.2.3 Ensure Avahi Server is not installed ####
if echo "${a[@]}" | grep avahi-daemon.service; then
systemctl stop avahi-daemon
systemctl disable avahi-daemon
fi
### 2.2.4 Ensure CUPS is not enabled ###
if echo "${a[@]}" | grep cups.service; then
systemctl stop cups
systemctl disable cups
fi
#### 2.2.5 Ensure DHCP Server is not enabled ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep isc-dhcp-server.service; then
systemctl stop isc-dhcp-server
systemctl disable isc-dhcp-server
fi
else
if echo "${a[@]}" | grep dhcpd.service; then
systemctl stop dhcpd
systemctl disable dhcpd
fi
fi
#### 2.2.6 Ensure LDAP Server is not enabled ####
if echo "${a[@]}" | grep slapd.service; then
systemctl stop slapd
systemctl disable slapd
fi
#### 2.2.7 Ensure NFS and RPC are not enabled ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep nfs-kernel-server.service; then
systemctl stop nfs-kernel-server
systemctl disable nfs-kernel-server
fi
else
if echo "${a[@]}" | grep nfs-server.service; then
systemctl stop nfs-server
systemctl disable nfs-server
fi
if echo "${a[@]}" | grep nfs.service; then
systemctl stop nfs
systemctl disable nfs
fi
fi
if echo "${a[@]}" | grep rpcbind.service; then
systemctl stop rpcbind
systemctl disable rpcbind
fi
#### 2.2.8 Ensure DNS Server is not enabled ####
if echo "${a[@]}" | grep named.service; then
systemctl stop named
systemctl disable named
fi
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep bind9.service; then
systemctl stop bind9
systemctl disable bind9
fi
fi
#### 2.2.9 Ensure FTP Server is not enabled ####
if echo "${a[@]}" | grep vsftpd.service; then
systemctl stop vsftpd
systemctl disable vsftpd
fi
#### 2.2.10 Ensure HTTP Server is not enabled ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep apache2.service; then
systemctl stop apache2
systemctl disable apache2
fi
else
if echo "${a[@]}" | grep httpd.service; then
systemctl stop httpd
systemctl disable httpd
fi
fi
#### 2.2.11 Ensure IMAP and POP3 server are not enabled ####
if echo "${a[@]}" | grep dovecot.service; then
systemctl stop dovecot
systemctl disable dovecot
fi
#### 2.2.12 Ensure Samba is not enabled ####
if echo "${a[@]}" | grep smb.service; then
systemctl stop smb
systemctl disable smb
fi
#### 2.2.13 Ensure HTTP Proxy Server is not enabled ####
if echo "${a[@]}" | grep squid.service; then
systemctl stop squid
systemctl disable squid
fi
#### 2.2.14 Ensure SNMP Server is not enabled ####
if echo "${a[@]}" | grep snmpd.service; then
systemctl stop snmpd
systemctl disable snmpd
fi
stop_spinner $?
} | tee -a $LOG
}
#############################################################################
#### 2.2.15 Ensure mail transfer agent is configured for local-only mode ####
#############################################################################
function mail_config() {
{
start_spinner 'Configuring Postfix MTA...'
echo ""
if [ "${OS}" = ubuntu ]; then
debconf-set-selections <<< ""postfix postfix/mailname string "${HOSTNAME}"""
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install postfix --assume-yes
sed -i 's/inet_interfaces = all/inet_interfaces = localhost/g' /etc/postfix/main.cf
else
${PAKMGR} install postfix
sed -i 's/inet_interfaces = localhost/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
fi
# shellcheck disable=SC2016
sed -i 's/#smtpd_banner = $myhostname ESMTP $mail_name/smtpd_banner = $myhostname ESMTP/g' /etc/postfix/main.cf
# shellcheck disable=SC2016
sed -i 's/smtpd_banner = $myhostname ESMTP ($mail_version)/#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)/g' /etc/postfix/main.cf
if ! grep -qi "mailbox_size_limit" /etc/postfix/main.cf; then
echo "mailbox_size_limit = 0" >> /etc/postfix/main.cf
fi
postconf -e message_size_limit=0
postconf -e mailbox_size_limit = 0
systemctl enable --now postfix
stop_spinner $?
} | tee -a $LOG
}
################################################
#### 2.2.x Disable Additional inet Services ####
################################################
function addon_inet_services() {
{
start_spinner 'Disabling Additional Unsecure Services...'
echo ""
a=( "$(systemctl list-units --type=service --all)" )
### 2.2.16 Ensure NIS Server is not enabled ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if echo "${a[@]}" | grep ypserv.service; then
systemctl stop ypserv
systemctl disable ypserv
fi
### 2.2.16 Ensure rsync service is not enabled Ubuntu ###
elif [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep rsync.service; then
systemctl stop rsync
systemctl disable rsync
fi
fi
### 2.1.17 Ensure rsh server is not enabled ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
if echo "${a[@]}" | grep rsh.socket.service; then
systemctl stop rsh.socket
systemctl disable rsh.socket
fi
if echo "${a[@]}" | grep rlogin.socket.service; then
systemctl stop rlogin.socket
systemctl disable rlogin.socket
fi
if echo "${a[@]}" | grep rexec.socket.service; then
systemctl stop rexec.socket
systemctl disable rexec.socket
fi
### 2.2.17 Ensure NIS Server is not enabled Ubuntu ###
elif [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep nis.service; then
systemctl stop nis
systemctl disable nis
fi
fi
### 2.2.18 Ensure talk server is not enabled ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
if echo "${a[@]}" | grep ntalk.service; then
systemctl stop ntalk
systemctl disable ntalk
fi
### 2.2.19 Ensure telnet server is not enabled ###
if echo "${a[@]}" | grep telnet.socket.service; then
systemctl stop telnet.socket
systemctl disable telnet-socket
fi
### 2.2.20 Ensure tftp server is not enabled ###
if echo "${a[@]}" | grep tftp.socket.service; then
systemctl stop tftp.socket
systemctl disable tftp-socket
fi
### 2.2.21 Ensure rsync service is not enabled ###
if echo "${a[@]}" | grep rsyncd.service; then
systemctl stop rsyncd
systemctl disable rsyncd
fi
fi
stop_spinner $?
} | tee -a $LOG
}
###############################################################
#### 2.3 Ensure Insecure Service Clients are not Installed ####
###############################################################
function service_clients() {
{
start_spinner 'Removing Insecure Service Clients...'
echo ""
a=( "$(systemctl list-units --type=service --all)" )
#### 2.3.1 Ensure NIS Client is not installed ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep nis.service; then
${PAKMGR} remove nis
fi
else
if echo "${a[@]}" | grep ypbind.service; then
${PAKMGR} remove ypbind
fi
fi
#### 2.3.2 Ensure rsh client is not installed ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep rsh-client.service; then
${PAKMGR} remove rsh-client rsh-redone-client
fi
else
if echo "${a[@]}" | grep rsh.service; then
${PAKMGR} remove rsh
fi
fi
#### 2.3.3 Ensure talk client is not installed ####
if echo "${a[@]}" | grep talk.service; then
${PAKMGR} remove talk
fi
#### 2.3.4 Ensure telnet client is not installed ####
if echo "${a[@]}" | grep telnet.service; then
${PAKMGR} remove telnet
fi
#### 2.3.5 Ensure LDAP client is not installed ####
if [ "${OS}" = ubuntu ]; then
if echo "${a[@]}" | grep libnss-ldap.service; then
${PAKMGR} remove libnss-ldap
fi
if echo "${a[@]}" | grep libpam-ldap.service; then
${PAKMGR} remove libpam-ldap
fi
if echo "${a[@]}" | grep ldap-utils.service; then
${PAKMGR} remove ldap-utils
fi
else
if echo "${a[@]}" | grep openldap-clients.service; then
${PAKMGR} remove openldap-clients
fi
fi
stop_spinner $?
} | tee -a $LOG
}
##########################
#### 3.4 TCP Wrappers ####
##########################
function tcp_wrappers() {
{
start_spinner 'Configuring TCP Wrappers...'
echo ""
#### 3.4.1 Ensure TCP Wrappers is installed ####
if [ "${OS}" = ubuntu ]; then
${PAKMGR} install tcpd
else
${PAKMGR} list | grep tcp_wrappers
if ! 1; then
${PAKMGR} install tcp_wrappers
fi
fi
#### 3.4.2 Ensure /etc/hosts.allow is configured ####
echo ALL:"${VLANIP}" > /etc/hosts.allow
#### 3.4.3 Ensure /etc/hosts.deny is configured ####
echo "ALL:ALL" >> /etc/hosts.deny
#### 3.4.4 Ensure permissions on /etc/hosts.allow are configured ####
chown root.root /etc/hosts.allow
chmod 644 /etc/hosts.allow
#### 3.4.5 Ensure permissions on /etc/hosts.deny are configured ####
chown root.root /etc/hosts.deny
chmod 644 /etc/hosts.deny
stop_spinner $?
}
}
########################################
#### 3.5 Uncommon Network Protocols ####
########################################
function uncommon_protocols() {
{
start_spinner 'Disabling Uncommon Network Protocols...'
echo ""
MODPRO="/etc/modprobe.d/cis.conf"
#### 3.5.1 Ensure DCCP is disabled ####
echo "install dccp /bin/true" >> ${MODPRO}
lsmod | grep -qi dccp
if ! 1; then
rmmod dccp
fi
#### 3.5.2 Ensure SCTP is disabled ####
echo "install sctp /bin/true" >> ${MODPRO}
lsmod | grep -qi sctp
if ! 1; then
rmmod sctp
fi
#### 3.5.3 ensure RDS is disabled ####
echo "install rds /bin/true" >> ${MODPRO}
lsmod | grep -qi rds
if ! 1; then
rmmod rds
fi
#### 3.5.4 Ensure TIPC is disabled ####
echo "install tipc /bin/true" >> ${MODPRO}
lsmod | grep -qi tipc
if ! 1; then
rmmod tipc
fi
stop_spinner $?
} | tee -a $LOG
}
########################################
#### 3.6 Firewall Configuration AWS ####
########################################
function iptables_config() {
{
start_spinner 'Configuring IP Tables...'
echo ""
### 3.6.1 Ensure iptables is installed ###
if [ "${OS}" = ubuntu ]; then
ufw --force disable
debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v4 boolean true"
debconf-set-selections <<< "iptables-persistent iptables-persistent/autosave_v6 boolean true"
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install iptables
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install iptables-persistent --assume-yes
service netfilter-persistent start
service netfilter-persistent save
else
systemctl stop firewalld.service
systemctl mask firewalld.service
systemctl daemon-reload
${PAKMGR} install iptables-utils iptables-services
fi
#### 3.6.2 Ensure default deny firewall policy ####
#### Configure IPv4 ####
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
systemctl enable --now iptables
cp $IPTBL $BACKUP
mv -f ${IPTBL} ${IPTBL}.bak
touch ${IPTBL}
fi
# Flush Iptables rules
iptables -F
# Forcing SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Forcing Fragments packets check
iptables -A INPUT -f -j DROP
# Dropping malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Limiting pings to 1 per second
iptables -N PACKET
iptables -A DEFAULT_RULES -p icmp -m limit --limit 3/sec --limit-burst 25 -j ACCEPT
# Setup Connection Tracking
iptables -N STATE_TRACK
iptables -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A STATE_TRACK -m state --state INVALID -j DROP
# Discouraging Port Scanning
iptables -N PORTSCAN
iptables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -N COMMON
iptables -A COMMON -j STATE_TRACK
iptables -A COMMON -j PORTSCAN
iptables -A COMMON -j PACKET
iptables -A INPUT -j COMMON
iptables -A OUTPUT -j COMMON
iptables -A FORWARD -j COMMON
iptables -A FORWARD -j PACKET
# Ensure loopback traffic is configured
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
# Ensure outbound and established connections are configured
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "iptables_output "
# Add Network Connection IP
iptables -A INPUT -s "${FIREIP}" -d "${FIREIP}" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s "${FIREIP}" -d "${FIREIP}" -m state --state NEW,ESTABLISHED -j ACCEPT
# Open inbound ssh(22) connections and linit connects to 10 every 10 seconds
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Default deny Firewall policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
for port in "${TCPPORTS[@]}"
do
echo "Opening TCP Port $port"
/sbin/iptables -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
# Open UDP Ports
for port in "${UDPPORTS[@]}"
do
echo "Opening UDP Port $port"
/sbin/iptables -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
done
# Save and Start IPTables
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
iptables-save > ${IPTBL}
systemctl restart iptables
elif [ "${OS}" = ubuntu ]; then
iptables-save > ${IPTBLUB}
sed -i '/:ufw-/d' ${IPTBLUB}
sed -i '/-j ufw-/d' ${IPTBLUB}
iptables-restore < ${IPTBLUB}
fi
# Configure IPv6 Firewall Ensure Default Deny Policy
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
cp $IPTBL $BACKUP
mv -f $IP6TBL $IP6TBL.bak
touch $IP6TBL
systemctl enable ip6tables
fi
# Flush Iptables rules
ip6tables -F
# Default deny Firewall policy
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Forcing Fragments packets check
ip6tables -A INPUT -f -j DROP
# Dropping malformed XMAS packets
ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Drop all NULL packets
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Limiting pings to 1 per second
ip6tables -N PACKET
ip6tables -A DEFAULT_RULES -p icmp -m limit --limit 3/sec --limit-burst 25 -j ACCEPT
# Setup Connection Tracking
ip6tables -N STATE_TRACK
ip6tables -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A STATE_TRACK -m state --state INVALID -j DROP
# Discouraging Port Scanning
ip6tables -N PORTSCAN
ip6tables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
ip6tables -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
ip6tables -N COMMON
ip6tables -A COMMON -j STATE_TRACK
ip6tables -A COMMON -j PORTSCAN
ip6tables -A COMMON -j PACKET
ip6tables -A INPUT -j COMMON
ip6tables -A OUTPUT -j COMMON
ip6tables -A FORWARD -j COMMON
ip6tables -A FORWARD -j PACKET
# Ensure loopback traffic is configured
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s 127.0.0.0/8 -j DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
# Ensure outbound and established connections are configured
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -j LOG --log-prefix "iptables_output "
for port in "${TCP6PORTS[@]}"
do
echo "Opening TCP Port $port"
ip6tables -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
# Open UDP Ports
for port in "${UDP6PORTS[@]}"
do
echo "Opening UDP Port $port"
ip6tables -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
done
# Save and Start IPTables
if [[ ${OS} = ubuntu ]]; then
ip6tables-save > ${IP6TBLUB}
sed -i '/:ufw6-/d' ${IP6TBLUB}
sed -i '/-j ufw6-/d' ${IPTBLUB}
ip6tables-restore < ${IP6TBLUB}
else
ip6tables-save > ${IP6TBL}
systemctl restart ip6tables
fi
stop_spinner $?
} | tee -a $LOG
}
##################################################
#### 3.6a Addional Firewall Configuration AWS ####
##################################################
function iptables_aws() {
{
start_spinner 'Adding AWS Required Rules to IP Tables...'
echo ""
iptables -t nat -A PREROUTING -p tcp -d 169.254.170.2 --dport 80 -j DNAT --to-destination 127.0.0.1:51679
iptables -t nat -A OUTPUT -d 169.254.170.2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
iptables-save > /etc/sysconfig/iptables
systemctl restart iptables
stop_spinner $?
} | tee -a $LOG
}
##################################################
#### 3.6b Addional Firewall Configuration OCI ####
##################################################
function oci_iptables() {
{
start_spinner 'Adding OCI Required Rules to IP Tables...'
echo ""
iptables -A OUTPUT -d 169.254.0.0/16 -m state --state NEW,ESTABLISHED -p tcp -m tcp -j REJECT --reject-with tcp-reset -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.0.0/16 -m state --state NEW,ESTABLISHED -p udp -m udp -j REJECT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.0.2/32 -m state --state NEW,ESTABLISHED -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.0.2/32 -m state --state NEW,ESTABLISHED -p tcp -m owner --uid-owner root -m tcp --dport 3260 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.0.3/32 -m state --state NEW,ESTABLISHED -p tcp -m owner --uid-owner root -m tcp --dport 80 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.0.4/32 -m state --state NEW,ESTABLISHED -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.2.0/24 -m state --state NEW,ESTABLISHED -p tcp -m owner --uid-owner root -m tcp --dport 3260 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.4.0/24 -m state --state NEW,ESTABLISHED -p tcp -m owner --uid-owner root -m tcp --dport 3260 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.5.0/24 -m state --state NEW,ESTABLISHED -p tcp -m owner --uid-owner root -m tcp --dport 3260 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p tcp -m tcp --dport 53 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p udp -m udp --dport 53 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p udp -m udp --dport 67 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p udp -m udp --dport 69 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p udp -m udp --dport 80 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
iptables -A OUTPUT -d 169.254.169.254/32 -m state --state NEW,ESTABLISHED -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "OCI Required - DO NOT REMOVE"
# Save and Start IPTables
if [ "${OS}" = ubuntu ]; then
iptables-save > ${IPTBLUB}
sed -i '/:ufw-/d' ${IPTBLUB}
sed -i '/-j ufw-/d' ${IPTBLUB}
iptables-restore < ${IPTBLUB}
else
iptables-save > ${IPTBL}
systemctl restart iptables
fi
stop_spinner $?
} | tee -a $LOG
}
#########################################
#### 4.1 Configure System Accounting ####
#########################################
function auditd_accounting() {
{
start_spinner 'Configuring Auditd Service...'
echo ""
#### 4.1.1.1 Ensure audit log storage size is configured ####
#### !!! Our current default configuration is 8MB !!! ####
#### 4.1.1.2 Ensure system is disabled when audit logs are full ####
if [ "${OS}" = ubuntu ]; then
debconf-set-selections <<< ""postfix postfix/mailname string "${HOSTNAME}"""
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install auditd --assume-yes
else
${PAKMGR} install audit
fi
xargs -n 1 cp -v /etc/audit/auditd.conf <<< ""${BACKUP} /etc/audit/auditd.conf.bak""
### 4.1.1.3 Ensure audit logs are not automaticlly deleted ###
sed -i 's/^space_left_action.*$/space_left_action = email/' /etc/audit/auditd.conf
sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' /etc/audit/auditd.conf
sed -i 's/^admin_space_left_action.*$/admin_space_left_action = halt/' /etc/audit/auditd.conf
# shellcheck disable=SC2086
sed -i ""s/max_log_file_action = ROTATE/max_log_file_action = \"${MAXLOGS}\"/g"" /etc/audit/auditd.conf
### 4.1.2 Ensure auditd service is enabled ####
service auditd reload
if ! systemctl is-enabled auditd; then
systemctl enable --now auditd
fi
### 4.1.3 Ensure auditing for processes that start prior to auditd is enabled"
xargs -n 1 cp -v /etc/default/grub <<< ""${BACKUP} /etc/default/grub.bak""
if ! grep "audit=1" /etc/default/grub; then
sed -i '/^GRUB_CMDLINE_LINUX=/ s/\(\"[^\"]*\)$/ audit=1 &/' /etc/default/grub
fi
if [ "${OS}" = ubuntu ]; then
grub-mkconfig -o ${BACKUP}/grub.cfg
else
grub2-mkconfig -o ${BACKUP}/grub.cfg
fi
if [[ ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
cp ${BACKUP}/grub.cfg ${GRUBCFGRH}
cp ${BACKUP}/grub.cfg ${GRUBCFG}
elif [ "${OS}" = ubuntu ]; then
cp ${BACKUP}/grub.cfg ${GRUBCFGUB}
elif [ "${OS}" = centos ]; then
cp ${BACKUP}/grub.cfg ${GRUBCFGCE}
cp ${BACKUP}/grub.cfg ${GRUBCFG}
fi
if ! dmesg | grep '[NX|DX]*Execute Disable'; then
echo 0 > /proc/sys/kernel/exec-shield
fi
### 4.1.4 Ensure events that modify date and time information are collected ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
sed -i 's/RefuseManualStop=yes/RefuseManualStop=no/g' /lib/systemd/system/auditd.service
systemctl daemon-reload
fi
xargs -n 1 cp -v /etc/audit/rules.d/audit.rules <<< ""${BACKUP} /etc/audit/rules.d/audit.rules.bak""
sed -i 's/RefuseManualStop=yes/RefuseManualStop=no/g' /lib/systemd/system/auditd.service
systemctl daemon-reload
{
echo '##################################################################################################'
echo '#### Audit Rules File edited to match CIS level 1 requirements ####'
echo '#### for questions or changes please contact Phil Connor contact@mylinux.work ####'
echo '##################################################################################################'
echo ''
echo '#### First rule - delete all rules ####'
echo '-D'
echo ''
echo '#### 4.1.4 Ensure events that modify date and time information are collected ####'
echo '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'
echo '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
echo '-a always,exit -F arch=b64 -S clock_settime -k time-change'
echo '-a always,exit -F arch=b32 -S clock_settime -k time-change'
echo '-w /etc/localtime -p wa -k time-change'
echo ''
echo '#### 4.1.5 Ensure events that modify user/group information are collected ####'
echo '-w /etc/group -p wa -k identity'
echo '-w /etc/passwd -p wa -k identity'
echo '-w /etc/gshadow -p wa -k identity'
echo '-w /etc/shadow -p wa -k identity'
echo '-w /etc/security/opasswd -p wa -k identity'
echo ''
echo '#### 4.1.6 Ensure events that modify the system'\''s network environment are collected ####'
echo '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale'
echo '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale'
echo '-w /etc/issue -p wa -k system-locale'
echo '-w /etc/issue.net -p wa -k system-locale'
echo '-w /etc/hosts -p wa -k system-locale'
echo '-w /etc/network -p wa -k system-locale'
echo '-w /etc/networks -p wa -k system-locale'
echo ''
echo '#### 4.1.7 Ensure events that modify the system'\''s Mandatory Access Controls (MAC'\''s) are collected ####'
echo '-w /etc/selinux/ -p wa -k MAC-policy'
echo '-w /etc/apparmor/ -p wa -k MAC-policy'
echo '-w /etc/apparmor.d/ -p wa -k MAC-policy'
echo ''
echo '#### 4.1.8 Ensure login and logout events are collected ####'
echo '-w /var/log/faillog -p wa -k logins'
echo '-w /var/log/lastlog -p wa -k logins'
echo '-w /var/log/tallylog -p wa -k logins'
echo ''
echo '#### 4.1.9 Ensure session initiation information is collected ###'
echo '-w /var/run/utmp -p wa -k session'
echo '-w /var/run/wtmp -p wa -k session'
echo '-w /var/run/btmp -p wa -k session'
echo ''
echo '#### 4.1.10 Ensure discretionary access control permission modification events are collected ####'
echo '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
echo ''
echo '#### 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected ####'
echo '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
echo '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
echo '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
echo '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
echo ''
echo '#### 4.1.12 Ensure use of privileged commands is collected ####'
echo "$RULES"
echo ''
echo '#### 4.1.13 Ensure successful file system mounts are collected ####'
echo '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
echo '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
echo ''
echo '#### 4.1.14 Ensure file deletion events by users are collected ####'
echo '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
echo '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
echo ''
echo '#### 4.1.15 Ensure changes to system administration scope (sudoers) is collected ####'
echo '-w /etc/sudoers -p wa -k scope'
echo '-w /etc/sudoers.d -p wa -k scope'
echo ''
echo '#### 4.1.16 Ensure system administrator actions (sudolog) are collected ####'
echo '-w /var/log/sudo.log -p wa -k actions'
echo ''
echo '#### 4.1.17 Ensure kernel module loading and unloading is collected ####'
echo '-w /sbin/insmod -p x -k modules'
echo '-w /sbin/rmmod -p x -k modules'
echo '-w /sbin/modprobe -p x -k modules'
echo '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
echo ''
echo '#### 4.1.18 Ensure the audit configuration is immutable ####'
echo '-e 2'
} > /etc/audit/rules.d/audit.rules
service auditd restart
stop_spinner $?
} | tee -a $LOG
}
#################################
#### 4.2.1 Configure rsyslog ####
#################################
function rsyslog_service() {
{
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if [ "${OSVER}" = 7 ]; then
os7_rsyslog
elif [[ ${OSVER} = 8 || ${OSVER} = 9 ]]; then
os8_rsyslog
fi
elif [ "${OS}" = ubuntu ]; then
ub_rsyslog
fi
}
}
function os7_rsyslog() {
{
start_spinner 'Configuring Rsyslog Service...'
echo ""
### 4.2.1.1 Ensure rsyslog Service is enabled ###
systemctl enable --now rsyslog
### 4.2.1.2 Ensure logging is configured ###
xargs -n 1 cp -v /etc/rsyslog.conf <<< ""${BACKUP} /etc/rsyslog.conf.bak""
cat > /etc/rsyslog.conf << 'EOF'
##################################################################################################
#### Hardened Rsyslog Configuration File edited to match CIS level 1 requirements ####
#### for questions or changles please contact Phil Connor contact@mylinux.work ####
##################################################################################################
#################
#### MODULES ####
#################
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# Enable non-kernel facility klog messages
# $KLogPermitNonKernelFacility on
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Reset UMASK
$umask 0000
# Set file creation pewrmissions
$FileCreateMode 0640
# Set previously cleared UMASK
$umask 0177
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
###############
#### RULES ####
###############
# ### Log Anything of Level WARN or Higher. ###
*.warn;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# ### Secure Logging Anything of Level WARN or Higher ###
authpriv.* /var/log/secure
# ### All Mail Logs ###
mail.* -/var/log/mail
# ### Cron Log ###
cron.* /var/log/cron
# ### Everybody Gets Emergency Messages ###
*.emerg :omusrmsg:*
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
# ### News Error Logs ###
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# ### Local and Boot Messages ###
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6.* -/var/log/localmessages
local7.* /var/log/boot.log
###############################
#### Begin Forwarding Rule ####
###############################
# ### The Remote SysLog Server host is: name/ip:port, e.g. 192.168.0.1:514, port optional ###
#*.* @@syslog
EOF
echo "
*.* @@${SYSLOG}
####################################
#### End of the Forwarding Rule ####
####################################
" >> /etc/rsyslog.conf
sed -i 's/^[\t]*//' /etc/rsyslog.conf
touch /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chmod og-rwx /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chown root:root /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
sed -i 's/*.* @@/#*.* @@/g' /etc/rsyslog.conf
pkill -hup rsyslog
stop_spinner $?
}
}
function os8_rsyslog() {
{
start_spinner 'Configuring Rsyslog Service...'
echo ""
### 4.2.1.1 Ensure rsyslog Service is enabled ###
systemctl enable rsyslog
### 4.2.1.2 Ensure logging is configured ###
xargs -n 1 cp -v /etc/rsyslog.conf <<< ""${BACKUP} /etc/rsyslog.conf.bak""
cat > /etc/rsyslog.conf << 'EOF'
##################################################################################################
#### Hardened Rsyslog Configuration File edited to match CIS level 1 requirements ####
#### for questions or changles please contact Phil Connor contact@mylinux.work ####
##################################################################################################
#################
#### MODULES ####
#################
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load"immark") # provides --MARK-- message capability
# Provides Rsyslog Forwarding
module(load="omfwd")
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Reset UMASK
$umask 0000
# Set file creation pewrmissions
$FileCreateMode 0640
# Set previously cleared UMASK
$umask 0177
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
###############
#### RULES ####
###############
# ### Log Anything of Level WARN or Higher. ###
*.warn;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# ### Secure Logging Anything of Level WARN or Higher ###
authpriv.* /var/log/secure
# ### All Mail Logs ###
mail.* -/var/log/mail
# ### Cron Log ###
cron.* /var/log/cron
# ### Everybody Gets Emergency Messages ###
*.emerg :omusrmsg:*
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
# ### News Error Logs ###
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# ### Local and Boot Messages ###
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6.* -/var/log/localmessages
local7.* /var/log/boot.log
###############################
#### Begin Forwarding Rule ####
###############################
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on" # save messages to disk on shutdown
#queue.type="LinkedList" # run asynchronously
#action.resumeRetryCount="-1" # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
# Target="remote_host" Port="XXX" Protocol="tcp")
EOF
echo "
Target=\"${SYSLOG}" Port="514" Protocol="tcp\"
####################################
#### End of the Forwarding Rule ####
####################################
" >> /etc/rsyslog.conf
sed -i 's/^[\t]*//' /etc/rsyslog.conf
touch /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chmod og-rwx /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chown root:root /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
sed -i 's/Target="" Port="514" Protocol="tcp"/#Target="" Port="514" Protocol="tcp"/g' /etc/rsyslog.conf
pkill -hup rsyslog
stop_spinner $?
}
}
function ub_rsyslog() {
{
start_spinner 'Configuring Rsyslog Service...'
echo ""
service rsyslog stop
mknod -m 640 /dev/xconsole c 1 3
chown syslog:adm /dev/xconsole
### 4.2.1.1 Ensure rsyslog Service is enabled ###
systemctl enable rsyslog
### 4.2.1.2 Ensure logging is configured ###
xargs -n 1 cp -v /etc/rsyslog.conf <<< ""${BACKUP} /etc/rsyslog.conf.bak""
no_show << "EOF" > /etc/rsyslog.conf
##################################################################################################
#### Hardened Rsyslog Configuration File edited to match CIS level 1 requirements ####
#### for questions or changles please contact Phil Connor contact@mylinux.work ####
##################################################################################################
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
# Reset UMASK
$Umask 0000
# Set the default permissions for all log files.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0177
$PrivDropToUser syslog
$PrivDropToGroup syslog
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
###############################
#### Begin Forwarding Rule ####
###############################
$PreserveFQDN on
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# ### The Remote SysLog Server host is: name/ip:port, e.g. 192.168.0.1:514, port optional ###
#*.* @@syslog
EOF
echo "
*.* @@${SYSLOG}:514
####################################
#### End of the Forwarding Rule ####
####################################
" >> /etc/rsyslog.conf
sed -i 's/^[\t]*//' /etc/rsyslog.conf
xargs -n 1 cp -v /etc/rsyslog.d/50-default.conf <<< ""${BACKUP} /etc/rsyslog.d/50-default.conf.bak""
no_show << "EOF" > /etc/rsyslog.d/50-default.conf
##################################################################################################
#### Hardened Rsyslog Configuration File edited to match CIS level 1 requirements ####
#### for questions or changles please contact Phil Connor contact@mylinux.work ####
##################################################################################################
###############
#### RULES ####
###############
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
EOF
touch /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chmod og-rwx /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
chown root:root /var/log/warn /var/log/news.crit /var/log/news.err /var/log/news.notice /var/log/localmessages
sed -i 's/*.* @@[[:blank:]]*:514/#*.* @@/g' /etc/rsyslog.conf
systemctl start rsyslog
pkill -hup rsyslog
stop_spinner $?
} | tee -a $LOG
}
####################################################
#### 4.2.1.2 Ensure Journald Service is enabled ####
####################################################
function journald_config() {
{
start_spinner 'Configuring Journald Log Retension...'
echo ""
### 4.2.2.1 Ensure journald is configured to send logs to rsyslog ###
sed -i 's/#ForwardToSyslog=yes/ForwardToSyslog=yes/g' /etc/systemd/journald.conf
### 4.2.2.2 Ensure journald is configured to compress large log files ###
sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf
### 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk ###
sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf
stop_spinner $?
} | tee -a $LOG
}
##################################
#### 4.2.2 Configure journald ####
##################################
function logfile_permissions() {
{
start_spinner 'Configuring Permissions on all Logfiles...'
echo ""
### 4.2.4 Ensure permissions on all logfiles are configured ###
find /var/log -type f -exec chmod g-wx,o-rwx {} +
### 4.3 Ensure logrotate is configured ###
cp /etc/logrotate.conf $BACKUP
sed -i 's/ create 0664 root utmp/ create 0640 root utmp/g' /etc/logrotate.conf
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
if [ "${OSVER}" = 8 ]; then
sed -i 's/ create 0664 root utmp/ create 0640 root utmp/g' /etc/logrotate.d/btmp
sed -i 's/ create 0664 root utmp/ create 0640 root utmp/g' /etc/logrotate.d/wtmp
fi
fi
stop_spinner $?
} | tee -a $LOG
}
#############################################
#### 5.1.1 Ensure cron daemon is enabled ####
#############################################
function crond_enabled() {
{
start_spinner 'Configuring Permissions on Cron Daemon...'
echo ""
### 5.1.1.1 Ensure cron daemon is enabled ###
if [ "${OS}" = ubuntu ]; then
if ! systemctl is-enabled cron; then
systemctl enable cron
fi
else
if ! systemctl is-enabled crond; then
systemctl enable crond
fi
fi
### Ensure permissions on /etc/crontab are configured ###
chown root.root /etc/crontab
chmod og-rwx /etc/crontab
### 5.1.3 Ensure permissions on /etc/cron.hourly are configured ###
chown root.root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
### 5.1.4 Ensure permissions on /etc/cron.daily are configured ###
chown root.root /etc/cron.daily
chmod og-rwx /etc/cron.daily
### 5.1.5 Ensure permissions on /etc/cron.weekly are configured ###
chown root.root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
### 5.1.6 Ensure permissions on ?etc/cron.monthly are configured ###
chown root.root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
### 5.1.7 Ensure permissions on /etc/cron.d are configured ###
chown root.root /etc/cron.d
chmod og-rwx /etc/cron.d
### 5.1.8 Ensure at/cron is restricted to authorized users ###
stat /etc/cron.deny
if [ $? != 1 ]; then
rm -rf /etc/cron.deny
fi
stat /etc/at.deny
if [ $? != 1 ]; then
rm -rf /etc/at.deny
fi
if ! stat /etc/cron.allow; then
touch /etc/cron.allow
chown root.root /etc/cron.allow
chmod og-rwx /etc/cron.allow
fi
if ! stat /etc/at.allow; then
touch /etc/at.allow
chown root.root /etc/at.allow
chmod og-rwx /etc/cron.allow
fi
stop_spinner $?
} | tee -a $LOG
}
######################################
#### 5.2 SSH Server Configuration ####
######################################
function config_sshd() {
{
start_spinner 'Configuring SSh Server...'
echo ""
### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured ###
xargs -n 1 cp -v ${SSHD_FILE} <<< ""${BACKUP} ${SSHD_FILE}.bak""
chown root.root ${SSHD_FILE}
chmod og-rwx ${SSHD_FILE}
### 5.2.2. Ensure SSH Protocol is set to 2 ###
if ! grep -qi "Protocol 2" ${SSHD_FILE}; then
echo 'Protocol 2' >> ${SSHD_FILE}
else
sed -i 's/#Protocol 2/Protocol 2/g' ${SSHD_FILE}
fi
### 5.2.3 Ensure SSH LogLevel is set to info ###
if ! grep -qi "LogLevel INFO" ${SSHD_FILE}; then
echo "LogLevel INFO" ${SSHD_FILE}
else
sed -i 's/#LogLevel INFO/LogLevel INFO/g' ${SSHD_FILE}
fi
### 5.2.4 Ensure SSH X11 forwarding is disabled ###
if ! grep -qi "X11Forwarding yes" ${SSHD_FILE}; then
echo "X11Forwarding no" ${SSHD_FILE}
else
sed -i 's/X11Forwarding yes/X11Forwarding no/g' ${SSHD_FILE}
fi
### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less ###
if ! grep -qi "MaxAuthTries 6" ${SSHD_FILE}; then
echo "MaxAuthTries 4" >> ${SSHD_FILE}
else
sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' ${SSHD_FILE}
fi
### 5.2.6 Ensure SSH IgnoreRhosts is enabled ###
if ! grep -qi "IgnoreRhosts yes" ${SSHD_FILE}; then
echo "IgnoreRhosts yes" >> ${SSHD_FILE}
else
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' ${SSHD_FILE}
fi
### 5.2.7 Ensure SSH HostbasedAuthentication is disabled ###
if ! grep -qi "HostbasedAuthentication no" ${SSHD_FILE}; then
echo "HostbasedAuthentication no" >> ${SSHD_FILE}
else
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' ${SSHD_FILE}
fi
### 5.2.8 Ensure SSH root login is disabled ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
if ! grep -qi "#PermitRootLogin" ${SSHD_FILE}; then
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' ${SSHD_FILE}
else
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' ${SSHD_FILE}
fi
elif [ "${OS}" = ubuntu ]; then
if ! grep -qi "prohibit-password" ${SSHD_FILE}; then
sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin no/g' ${SSHD_FILE}
fi
fi
### Ensure SSH PermitEmptyPasswords is disabled ###
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' ${SSHD_FILE}
### 5.2.10 Ensure SSH PermitUserEnvironment is disables ###
if ! grep -qi "#PermitUserEnvironment" ${SSHD_FILE}; then
echo "PermitUserEnvironment no" >> ${SSHD_FILE}
else
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' ${SSHD_FILE}
fi
### 5.2.11 Ensure ony approved MAC algorithms are used ###
if ! grep -qi "MACs" ${SSHD_FILE}; then
echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" >> ${SSHD_FILE}
else
sed -i 's/MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com/MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256/g' ${SSHD_FILE}
fi
if ! grep -qi "#ClientAliveInterval" ${SSHD_FILE}; then
echo "ClientAliveInterval 300" >> ${SSHD_FILE}
else
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' ${SSHD_FILE}
fi
if ! grep -qi "#ClientAliveCountMax" ${SSHD_FILE}; then
echo "ClientAliveCountMax ${MAXCOUNT}" >> ${SSHD_FILE}
else
sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax \"${MAXCOUNT}\"/g" ${SSHD_FILE}
fi
### 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less ###
if ! grep -qi "LoginGraceTime 120" ${SSHD_FILE}; then
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/g' ${SSHD_FILE}
else
sed -i 's/LoginGraceTime 120/LoginGraceTime 60/g' ${SSHD_FILE}
fi
### 5.2.14 Ensure SSH access is limited ###
echo 'AllowUsers *@*' >> ${SSHD_FILE}
### 5.2.15 Ensure SSH warning banner is configured ###
if ! grep -qi "#Banner none" ${SSHD_FILE}; then
sed -i 's/#Banner \/etc\/issue.net/Banner \/etc\/issue.net/g' ${SSHD_FILE}
else
sed -i 's/#Banner none/Banner \/etc\/issue.net/g' ${SSHD_FILE}
fi
### 5.2.16 Ensure only strong Key Exchange algorithms are used ###
if ! grep -qi "kexalgorithms" ${SSHD_FILE}; then
echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" >> ${SSHD_FILE}
fi
### 5.2.21 Ensure SSH MaxStartups is configured ###
if ! grep -qi "maxstartups" ${SSHD_FILE}; then
echo "MaxStartups 10:30:60" >> ${SSHD_FILE}
else
sed -i 's/#MaxStartups 10:30:100/MaxStartups 10:30:60/g' ${SSHD_FILE}
fi
### Configuring additional SSH settings ###
if ! grep -qi "#MaxSessions" ${SSHD_FILE}; then
echo "MaxSessions 2" >> ${SSHD_FILE}
else
sed -i 's/#MaxSessions 10/MaxSessions 2/g' ${SSHD_FILE}
fi
if ! grep -qi "#AllowAgentForwarding" ${SSHD_FILE}; then
echo "AllowAgentForwarding no" >> ${SSHD_FILE}
else
sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/g' ${SSHD_FILE}
fi
if ! grep -qi "#AllowTcpForwarding" ${SSHD_FILE}; then
echo "AllowTcpForwarding no" >> ${SSHD_FILE}
else
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' ${SSHD_FILE}
fi
sed -i 's/#PrintMotd yes/PrintMotd no/g' ${SSHD_FILE}
if ! grep -qi "PrintLastLog" ${SSHD_FILE}; then
echo "PrintLastLog no" >> ${SSHD_FILE}
else
sed -i 's/#PrintLastLog yes/PrintLastLog no/g' ${SSHD_FILE}
fi
if ! grep -qi "TCPKeepAlive" ${SSHD_FILE}; then
sed -i 's/TCPKeepAlive yes/TCPKeepAlive no/g' ${SSHD_FILE}
else
sed -i 's/#TCPKeepAlive yes/TCPKeepAlive no/g' ${SSHD_FILE}
fi
if ! grep -qi "Compression" ${SSHD_FILE}; then
echo "Compression no" >> ${SSHD_FILE}
else
sed -i 's/#Compression delayed/Compression no/g' ${SSHD_FILE}
fi
if ! grep -qi "UseDNS" ${SSHD_FILE}; then
echo "UseDNS no" >> ${SSHD_FILE}
else
sed -i 's/#UseDNS yes/UseDNS no/g' ${SSHD_FILE}
sed -i 's/#UseDNS no/UseDNS no/g' ${SSHD_FILE}
fi
if ! grep -qi "#PasswordAuthentication" ${SSHD_FILE}; then
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' ${SSHD_FILE}
else
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' ${SSHD_FILE}
fi
echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> ${SSHD_FILE}
systemctl restart sshd
stop_spinner $?
} | tee -a $LOG
}
###########################
#### 5.3 Configure PAM ####
###########################
function config_pam() {
{
start_spinner 'Configuring PAM Server...'
echo ""
### 5.3.1 Ensure password creation requirements are configured ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
xargs -n 1 cp -v /etc/security/pwquality.conf <<< ""${BACKUP} /etc/security/pwquality.conf.bak""
sed -i 's/minlen = 8/minlen = 14/g' /etc/security/pwquality.conf
### 5.3.2 Ensure lockout for failed password attempts is configured ###
xargs -n 1 cp -v /etc/pam.d/password-auth <<< ""${BACKUP} /etc/pam.d/password-auth.bak""
no_show << EOF > /etc/pam.d/password-auth
########################################################################################
#### This password-auth file edited to match CIS level 1 requirements for questions ####
#### or changes please contact Phil Connor contact@mylinux.work ####
#### Please don't edit it unless you know what your doing ####
########################################################################################
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
account required pam_faillock.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
password required pam_pwhistory.so remember=5 use_authlok
password sufficient pam_unix.so remember=5 sha512 shadow try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
##########################################
#### Logging key strokes of all USERS ####
##########################################
session required pam_tty_audit.so disable=* enable=* log_passwd
EOF
xargs -n 1 cp -v /etc/pam.d/system-auth <<< ""${BACKUP} /etc/pam.d/system-auth.bak""
no_show << EOF > /etc/pam.d/system-auth
######################################################################################
#### This system-auth file edited to match CIS level 1 requirements for questions ####
#### or changes please contact Phil Connor contact@mylinux.work ####
#### Please don't edit it unless you know what your doing ####
######################################################################################
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
account required pam_faillock.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
password required pam_pwhistory.so remember=5 use_authlok
password sufficient pam_unix.so remember=5 sha512 shadow try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
##########################################
#### Logging key strokes of all USERS ####
##########################################
session required pam_tty_audit.so disable=* enable=* log_passwd
EOF
fi
if [ "${OS}" = ubuntu ]; then
debconf-set-selections <<< ""postfix postfix/mailname string "${HOSTNAME}"""
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
${PAKMGR} remove libpam-cracklib
${PAKMGR} install libpam-pwquality --assume-yes
xargs -n 1 cp -v /etc/pam.d/common-password<<< ""${BACKUP} /etc/pam.d/common-password.bak""
#sed -i 's/password[[:blank:]]*requisite[[:blank:]]*pam_pwquality.so retry=3/password requisite pam_pwquality.so retry=3 difok=3 reject_username enforce_for_root/g' /etc/pam.d/common-password
sed -i 's/# minlen = 8/minlen = 14/g' /etc/security/pwquality.conf
sed -i 's/# dcredit = 0/dcredit=-1/g' /etc/security/pwquality.conf
sed -i 's/# ucredit = 0/ucredit=-1/g' /etc/security/pwquality.conf
sed -i 's/# ocredit = 0/ocredit=-1/g' /etc/security/pwquality.conf
sed -i 's/# lcredit = 0/lcredit=-1/g' /etc/security/pwquality.conf
no_show << EOF >> /etc/pam.d/common-password
################################################
#### 5.3.3 Ensure password reuse is limited ####
################################################
password required pam_unix.so remember=5
EOF
no_show << EOF >> /etc/pam.d/common-auth
#########################################################################
#### 5.3.2 Ensure lockout for failed password attempts is configured ####
#########################################################################
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
##########################################
#### Logging key strokes of all USERS ####
##########################################
session required pam_tty_audit.so disable=* enable=* log_passwd
EOF
fi
stop_spinner $?
} | tee -a $LOG
}
############################################
#### 5.4 User Accounts and Environments ####
############################################
function accounts() {
{
start_spinner 'Configuring User Accts and Environments...'
echo ""
LODEFS="/etc/login.defs"
#### 5.4.1.1 Ensure password expiration is 90 days or less ####
#### 5.4.1.2 Ensure minimum days between password changes is 7 days or more ####
#### 5.4.1.3 Ensure password expiration warning days is 7 or more ####
if [ -e ${LODEFS} ]; then
cp ${LODEFS} ${LODEFS}.tmp
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
($1 ~ /^PASS_WARN_AGE/) { $2="10" }
($1 ~ /^PASS_MIN_LEN/) { $2="14" }
{ print }' ${LODEFS}.tmp > ${LODEFS}
rm ${LODEFS}.tmp
fi
cut -d: -f1 /etc/passwd | while read -r NAME
do
uid=$(id -u "${NAME}")
if [ "${uid}" -ge 1000 ] && [ "${uid}" != 65534 ]; then
chage -M 90 -m 7 -W 10 -I 30 "${NAME}"
fi
done
if [ "${OS}" = ubuntu ]; then
no_show << EOF >> ${LODEFS}
##################################################################
#### Make it More Difficult to Bruteforce the Hashed Password ####
##################################################################
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 10000
EOF
sed -i 's/pam_faildelay.so delay=3000000/pam_faildelay.so delay=300000000/g' /etc/pam.d/login
else
no_show << EOF >> ${LODEFS}
############################################################################
#### Establish a forced five-second minimum delay between failed logins ####
############################################################################
FAIL_DELAY 5
##################################################################
#### Make it More Difficult to Bruteforce the Hashed Password ####
##################################################################
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 10000
EOF
fi
chown root:root ${LODEFS}
chmod 0640 ${LODEFS}
#### 5.4.1.4 Ensure inactive password lock is 30 days or less ####
useradd -D -f 30
stop_spinner $?
} | tee -a $LOG
}
######################################################
#### 5.4 User Accounts and Environments Continued ####
######################################################
function config_users_permissions() {
{
start_spinner 'Configuring User Permissions...'
echo ""
#### 5.4.2 Ensure system accounts are non-login ####
awk -F: '($3 < 1000) {print $1 }' /etc/passwd | while read -r user
do
if [ "$user" != "root" ]; then
usermod -L "$user"
if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
usermod -s /usr/sbin/nologin "$user"
fi
fi
done
#### 5.4.3 Ensure default group for the root account is GID 0 ####
usermod -g 0 root
groupadd dev
groupadd dba
touch /etc/sudoers.d/cis_conf
chmod 440 /etc/sudoers.d/cis_conf
if [ "${OS}" = ubuntu ]; then
sed -i 's/sudo:x:27:/sudo:x:27:root,ubuntu/g' /etc/group
sed -i 's/sudo:*::/sudo:*::root,ubuntu/g' /etc/gshadow
sed -i 's/%sudo[[:blank:]]*ALL=(ALL:ALL)[[:blank:]]*ALL/%sudo ALL=\(ALL:ALL\) NOPASSWD:ALL/g' /etc/sudoers
else
grep -qi "wheel" /etc/group
if [ $? != 1 ]; then
sed -i 's/%wheel[[:blank:]]*ALL=(ALL)[[:blank:]]*ALL/# %wheel ALL=\(ALL\) ALL/g' /etc/sudoers
sed -i 's/^#\s*\(%wheel\s*ALL=(ALL)\s*NOPASSWD:\s*ALL\)/\1/' /etc/sudoers
sed -i 's/wheel:x:10:opc/wheel:x:10:root,opc/g' /etc/group
sed -i 's/wheel:::opc/wheel:::root,opc/g' /etc/gshadow
fi
fi
{
echo "####################"
echo "#### Networking ####"
echo "####################"
} >> /etc/sudoers.d/local_conf
if [ "${OS}" = ubuntu ]; then
{
echo "Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /sbin/iptables, /sbin/mii-tool"
echo ""
} >> /etc/sudoers.d/local_conf
else
{
echo "Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool"
echo ""
} >> /etc/sudoers.d/local_conf
fi
{
echo "#################################################"
echo "#### Installation and management of software ####"
echo "#################################################"
} >> /etc/sudoers.d/cis_conf
if [ "${OS}" = ubuntu ]; then
{
echo "Cmnd_Alias SOFTWARE = usr/bin/apt, /usr/bin/dpkg, /usr/bin/apt-get"
echo ""
} >> /etc/sudoers.d/local_conf
else
{
echo "Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum"
echo ""
} >> /etc/sudoers.d/local_conf
fi
{
echo "##################"
echo "#### Services ####"
echo "##################"
echo "Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable"
echo ""
echo "######################################"
echo "#### Updating the locate database ####"
echo "######################################"
echo "Cmnd_Alias LOCATE = /usr/bin/updatedb"
echo ""
echo "#################"
echo "#### Storage ####"
echo "#################"
echo "Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount"
echo ""
echo "################################"
echo "#### Delegating permissions ####"
echo "################################"
echo "Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp"
echo ""
echo "###################"
echo "#### Processes ####"
echo "###################"
echo "Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall"
echo ""
echo "#################"
echo "#### Drivers ####"
echo "#################"
echo "Cmnd_Alias DRIVERS = /sbin/modprobe"
echo ""
echo "###########################################################################"
echo "#### Reboot and ShutDown removed from DBA's and Developers 3/4/20 - PC ####"
echo "###########################################################################"
echo "Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt, /sbin/poweroff"
echo ""
echo "###########################"
echo "#### Our System Groups ####"
echo "###########################"
echo "%dba ALL= NOPASSWD: /usr/bin/su - applmgr, /usr/bin/su - oracle, !NETWORKING, !SOFTWARE, !SERVICES, !STORAGE, !DELEGATING, !PROCESSES, !LOCATE, !DRIVERS, !SHUTDOWN"
echo "%dev ALL= NOPASSWD: /usr/bin/su - applmgr, !NETWORKING, !SOFTWARE, !SERVICES, !STORAGE, !DELEGATING, !PROCESSES, !LOCATE, !DRIVERS, !SHUTDOWN"
} >> /etc/sudoers.d/local_conf
#### 5.4.4 Ensure default user umask is 027 or more restrictive ####
if [ "${OS}" = "ubuntu" ]; then
grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bash.bashrc && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bash.bashrc || echo "umask 027" >> /etc/bash.bashrc
else
grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc
fi
grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile
#### 5.4.5 Ensure default user shell timeout is 900 seconds or less ####
if grep TMOUT=900 /etc/bashrc; then
sed -i 's/TMOUT=900/#TMOUT=900/g' /etc/bashrc
fi
if grep TMOUT=900 /etc/profile; then
sed -i 's/TMOUT=900/#TMOUT=900/g' /etc/profile
fi
cat >> /etc/profile << 'EOF'
if [ "$(id -nu)" == "root" ] || [ "$(id -nu)" == "opc" ]; then
TMOUT=3600
readonly TMOUT
export TMOUT
else
TMOUT=900
readonly TMOUT
export TMOUT
fi
EOF
cat >> /etc/bashrc << 'EOF'
if [ "$(id -nu)" == "root" ] || [ "$(id -nu)" == "opc" ]; then
if ! echo $TMOUT | grep -q 3600; then
TMOUT=3600
readonly TMOUT
export TMOUT
fi
else
if ! echo $TMOUT | grep -q 900; then
TMOUT=900
readonly TMOUT
export TMOUT
fi
fi
EOF
#### 5.4.5A Ensure default user umask is configured - system wide ####
sed -ri 's/^([^#]+\s+)?(umask\s+)(\S+\s*)(\s+.*)?$/\1\2 027\4/' /etc/login.defs
sed -ri 's/^([^#]+\s+)?(umask\s+)(\S+\s*)(\s+.*)?$/\1\2 027\4/' /etc/profile
sed -ri 's/^([^#]+\s+)?(umask\s+)(\S+\s*)(\s+.*)?$/\1\2 027\4/' /etc/bashrc
touch /etc/profile.d/cis_profile.sh
chmod 644 /etc/profile.d/cis_profile.sh
echo "
################################
### Added for CIS Compliance ###
################################
umask 077
" > /etc/profile.d/cis_profile.sh
#### 5.5 Ensure root login is restricted to system console ####
xargs -n 1 cp -v /etc/securetty <<< ""${BACKUP} /etc/securetty.bak""
echo "console" > /etc/securetty
### 5.6 Ensure access to the su command is restricted ###
PAMSU="/etc/pam.d/su"
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
xargs -n 1 cp -v ${PAMSU} <<< ""${BACKUP} ${PAMSU}.bak""
if [ -e ${PAMSU} ]; then
cp ${PAMSU} ${PAMSU}.tmp
awk '( $1=="#auth" && $2=="required" && $3~"pam_wheel.so" ) { print "auth\t\trequired\t",$3,"\tuse_uid"; next };
{ print }' ${PAMSU}.tmp > ${PAMSU}
chown root:root ${PAMSU}
chmod 0644 ${PAMSU}
rm ${PAMSU}.tmp
fi
elif [ "${OS}" = ubuntu ]; then
sed -i 's/# auth[[:blank:]]*required[[:blank:]]*pam_wheel.so/auth required pam_wheel.so use_uid/g' /etc/pam.d/su
sed -i 's/auth required pam_wheel.so use_uid deny group=nosu/#auth required pam_wheel.so deny group=nosu/g' /etc/pam.d/su
fi
stop_spinner $?
} | tee -a $LOG
}
################################
#### 6.1 System Permissions ####
################################
function audit_file_permissions() {
{
start_spinner 'Auditing File Permissions...'
echo ""
### 6.1.1 Audit system file permissions ###
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
rpm -Va --nomtime --nosize --nomd5 --nolinkto
elif [ "${OS}" = ubuntu ]; then
${PAKMGR} install debsums
debsums -s
fi
### 6.1.2 Ensure permissions on /etc/passwd are configured ###
chmod 644 /etc/passwd
chown root.root /etc/passwd
### 6.1.3 Ensure permissions on /etc/shadow are configured ###
chmod 000 /etc/shadow
chown root.root /etc/shadow
### 6.1.4 Ensure permissions on /etc/group are configured ###
chmod 644 /etc/group
chown root.root /etc/group
### 6.1.5 Ensure permissions on /etc/gshadow are configured ###
chmod 000 /etc/gshadow
chown root:root /etc/gshadow
### 6.1.6 Ensure permissions on /etc/passwd- are configured ###
chmod 644 /etc/passwd-
chown root.root /etc/passwd-
### 6.1.7 Ensure permissions on /etc/shadow- are configured ###
chmod 000 /etc/shadow-
chown root.root /etc/shadow-
### 6.1.4 Ensure permissions on /etc/group- are configured ###
chmod 644 /etc/group-
chown root.root /etc/group-
### 6.1.5 Ensure permissions on /etc/gshadow- are configured ###
chmod 000 /etc/gshadow-
chown root:root /etc/gshadow-
stop_spinner $?
} | tee -a $LOG
}
####################################
#### 6.1.1 World Writable Files ####
####################################
function world_writable_files() {
{
start_spinner 'Resetting Permissions on all World Writable, Unowned and Ungrouped Files...'
echo ""
#### 6.1.10 Ensure no world writable files exist ####
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
#### 6.1.11 Ensure no unowned files or directories exist ####
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls
#### 6.1.12 Ensure no ungrouped files or directories exist ####
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls
#### 6.1.12 Audit SUID executables ####
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print
#### 6.1.14 Audit SGID executables ####
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print
stop_spinner $?
} | tee -a $LOG
}
#####################################
#### 6.2 User and Group Settings ####
#####################################
function user_group_settings() {
{
start_spinner 'Configuring User and Group Settings...'
echo ""
#### 6.2.1 Ensure password fields are not empty ####
awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
#### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd ####
grep '^+:' /etc/passwd
#### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow ####
grep '^+:' /etc/shadow
#### 6.2.4 Ensure no legacy "+" entries exist in /etc/group ####
grep '^+:' /etc/group
#### 6.2.5 Ensure root is the only UID 0 account ####
awk -F: '($3 == 0) { print $1 }' /etc/passwd
#### 6.2.6 Ensure root PATH Intergrity ####
if [ "$(echo "$PATH" | grep ::)" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "$(echo "$PATH" | grep :$)" != "" ]; then
echo "Trailing : in PATH"
fi
p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- "$p"
while [ "$1" != "" ];
do
if [ "$1" = "." ]; then
echo "PATH contains ."
shift
continue
fi
if [ -d "$1" ]; then
# shellcheck disable=SC2012
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
if [ "$(echo "${dirperm}" | cut -c6)" != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ "$(echo "${dirperm}" | cut -c9)" != "-" ]; then
echo "Other Write permission set on directory $1"
fi
# shellcheck disable=SC2012
dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "${dirown}" != "root" ] ; then
echo "$1 is not owned by root"
fi
else
echo "$1 is not a directory"
fi
shift
done
stop_spinner $?
} | tee -a $LOG
}
########################################################
#### 6.2 User and Group Settings Continued - Part 1 ####
########################################################
function home_directories() {
{
start_spinner 'Checking and Configuring User Directories...'
echo ""
#### 6.2.7 Ensure all users' home directories exist ####
awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r user uid dir
do
if [ "${uid}" -ge 500 ] && [ -d "${dir}" ] && [ "${user}" != "nfsnobody" ]; then
owner=$(stat -L -c "%U" "${dir}")
if [ "${owner}" != "${user}" ]; then
echo "The home directory (${dir}) of user ${user} is owned by ${owner}."
fi
fi
done
#### 6.2.8 Ensure users' home directories permissions are 750 or more restrictive ####
grep -Ev '(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($8 == "PS" && $7 != "/sbin/nologin") { print $6 }' | while read -r dir
do
# shellcheck disable=SC2012
dirperm=$(ls -ld "${dir}" | cut -f1 -d" ")
if [ "$( echo "${dirperm}" | cut -c6 )" != "-" ]; then
echo "Group Write permission set on directory $dir"
fi
if [ "$( echo "${dirperm}" | cut -c8 )" != "-" ]; then
echo "Other Read permission set on directory $dir"
fi
if [ "$( echo "${dirperm}" | cut -c9 )" != "-" ]; then
echo "Other Write permission set on directory $dir"
fi
if [ "$( echo "${dirperm}" | cut -c10 )" != "-" ]; then
echo "Other Execute permission set on directory $dir"
fi
done
#### 6.2.9 Ensure users own their home directories ####
awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r user uid dir
do
if [ "$uid" -ge 500 ] && [ ! -d "$dir" ] && [ "$user" != "nfsnobody" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done
stop_spinner $?
} | tee -a $LOG
}
########################################################
#### 6.2 User and Group Settings Continued - Part 2 ####
########################################################
function dot_files() {
{
start_spinner 'Checking and Configuring Hidden Files and Directories...'
echo ""
#### 6.2.10 Ensure users' dot files are not group or world writable ####
grep -Ev '(root|sync|halt|shutdown)' /etc/passwd | awk -F: '($7 != "/sbin/nologin") { print $6 }' | while read -r dir
do
for file in "$dir"/.[A-Za-z0-9]*
do
if [ ! -h "${file}" ] && [ -f "${file}" ]; then
# shellcheck disable=SC2012
fileperm=$(ls -ld "$file" | cut -f1 -d" ")
if [ "$(echo "$fileperm" | cut -c6 )" != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ "$(echo "$fileperm" | cut -c9 )" != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
done
awk -F: '($3 >= 500) { print $6 }' /etc/passwd | while read -r DIR
do
for FILE in "$DIR"/.[A-Za-z0-9]*
do
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
chmod go-w "$FILE"
fi
done
done
#### 6.2.11 Ensure no users have .forward files ####
awk -F: '{ print $6 }' /etc/passwd | while read -r dir
do
if [ ! -h "$dir/.forward" ] && [ -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
done
#### 6.2.12 Ensure no users have .netrc files ####
awk -F: '{ print $6 }' /etc/passwd | while read -r dir
do
if [ ! -h "$dir/.netrc" ] && [ -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
done
#### Ensure users' .netrc Files are not group or world accessible ####
grep -Ev '(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "/sbin/nologin") { print $6 }' | while read -r dir
do
for file in $dir/.netrc
do
if [ ! -h "$file" ] && [ -f "$file" ]; then
# shellcheck disable=SC2012
fileperm=$(ls -ld "$file" | cut -f1 -d" ")
if [ "$(echo "$fileperm" | cut -c5 )" != "-" ]; then
echo "Group Read set on $file"
fi
if [ "$(echo "$fileperm" | cut -c6 )" != "-" ]; then
echo "Group Write set on $file"
fi
if [ "$(echo "$fileperm" | cut -c7 )" != "-" ]; then
echo "Group Execute set on $file"
fi
if [ "$(echo "$fileperm" | cut -c8 )" != "-" ]; then
echo "Other Read set on $file"
fi
if [ "$(echo "$fileperm" | cut -c9 )" != "-" ]; then
echo "Other Write set on $file"
fi
if [ "$(echo "$fileperm" | cut -c10 )" != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
done
#### Ensure no users have .rhosts files ####
grep -Ev '(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "/sbin/nologin") { print $6 }' | while read -r dir
do
for file in $dir/.rhosts; do
if [ ! -h "$file" ] && [ -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
done
stop_spinner $?
} | tee -a $LOG
}
########################################################
#### 6.2 User and Group Settings Continued - Part 3 ####
########################################################
function group_gid_uid() {
{
start_spinner 'Checking that all Group and UserIDs are valid...'
echo ""
#### Ensure all groups in etc/passwd exist in /etc/group ####
cut -s -d: -f4 /etc/passwd | sort -u | while read -r i
do
if ! grep -q -P "^.*?:x:$i:" /etc/group; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done
#### Ensure no duplicate UIDs exist ####
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read -r x
do
[ -z "${x}" ] && break
# shellcheck disable=SC2086
set - ${x}
if [ "$1" -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n="$2" /etc/passwd | xargs)
echo "Duplicate UID ($2): ${users}"
fi
done
#### 6.2.17 Ensure no duplicate GIDs exist ####
cut -f3 -d":" /etc/group | sort -n | uniq -c | while read -r x
do
[ -z "${x}" ] && break
# shellcheck disable=SC2086
set - ${x}
if [ "$1" -gt 1 ]; then
grps=$(gawk -F: '($3 == n) { print $1 }' n="$2" /etc/group | xargs)
echo "Duplicate GID ($2): ${grps}" >> ${LOG} 2>&1
fi
done
#### 6.2.18 Ensure no duplicate user names exist ####
cut -f1 -d":" /etc/passwd | sort -n | /usr/bin/uniq -c | while read -r x
do
[ -z "${x}" ] && break
# shellcheck disable=SC2086
set - ${x}
if [ "$1" -gt 1 ]; then
uids=$(gawk -F: '($1 == n) { print $3 }' n="$2" /etc/passwd | xargs)
echo "Duplicate User Name ($2): ${uids}"
fi
done
#### 6.2.19 Ensure no duplicate group names exist ####
cut -f1 -d":" /etc/group | sort -n | uniq -c | while read -r x
do
[ -z "${x}" ] && break
set - "${x}"
if [ "$1" -gt 1 ]; then
gids=$(gawk -F: '($1 == n) { print $3 }' n="$2" /etc/group | xargs)
echo "Duplicate Group Name ($2): ${gids}"
fi
done
stop_spinner $?
} | tee -a $LOG
}
#########################################
#### Auto Unattended Security Upates ####
#########################################
function auto_updates() {
{
start_spinner 'Configuring Auto Security Updates...'
echo ""
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
if [ "${OSVER}" = 7 ]; then
${PAKMGR} install yum-cron
sed -i 's/update_cmd = default/update_cmd = security/g' /etc/yum/yum-cron.conf
sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf
sed -i 's/download_updates = no/download_updates = yes/g' /etc/yum/yum-cron-hourly.conf
systemctl enable yum-cron
systemctl start yum-cron
fi
if [ "${OSVER}" = 8 ]; then
${PAKMGR} install dnf-automatic
sed -i 's/upgrade_type = default/upgrade_type = security/g' /etc/dnf/automatic.conf
sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/dnf/automatic.conf
systemctl enable --now dnf-automatic.timer
fi
elif [ "${OS}" = ubuntu ]; then
${PAKMGR} install unattended-upgrades apticron
touch /etc/apt/apt.conf.d/20auto-upgrades
no_show << EOF > /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
sed -i 's/\/\/Unattended-Upgrade\:\:Mail "root";/Unattended-Upgrade\:\:Mail "root";/g' /etc/apt/apt.conf.d/50unattended-upgrades
fi
stop_spinner $?
} | tee -a $LOG
}
#######################################################
#### Install SysStat Redhat/CentOS 7 and 8, Ubuntu ####
#######################################################
function install_sysstat() {
{
start_spinner 'Installing and Configuring SysStat...'
echo ""
${PAKMGR} install sysstat
if [ "${OS}" = ubuntu ]; then
sed -i 's/ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat
no_show << EOF > /etc/cron.d/sysstat
# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
EOF
else
if [ ! -d /var/log/sa ]; then
mkdir /var/log/sa
fi
fi
systemctl enable sysstat
systemctl start sysstat
stop_spinner $?
} | tee -a $LOG
}
##############################################################
#### Install RootKit Hunter Redhat/CentOS 7 and 8, Ubuntu ####
##############################################################
function install_rkhunter() {
{
start_spinner 'Installing and Configuring RKHunter...'
echo ""
if [[ ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = alma ]]; then
${PAKMGR} install epel-release
${PAKMGR} install rkhunter
elif [ "${OS}" = oracle ]; then
if [ "${OSVER}" = 7 ]; then
${PAKMGR} install oracle-epel-release-el7
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/oracle-epel-ol7.repo
fi
if [ "${OSVER}" = 8 ]; then
${PAKMGR} install oracle-epel-release-el8
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/oracle-epel-ol8.repo
fi
${PAKMGR} install rkhunter
elif [ "${OS}" = ubuntu ]; then
debconf-set-selections <<< ""postfix postfix/mailname string "${HOSTNAME}"""
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
DEBIAN_FRONTEND=noninteractive ${PAKMGR} install rkhunter >> ${LOG} 2>&1
fi
rkhunter --update
rkhunter --propupd
sed -i 's/ALLOW_SSH_ROOT_USER=unset/ALLOW_SSH_ROOT_USER=no/g' /etc/rkhunter.conf
stop_spinner $?
} | tee -a $LOG
}
###################################################
#### Install LMD Redhat/CentOS 7 and 8, Ubuntu ####
###################################################
function install_lmd() {
{
start_spinner 'Installing and Configuring MalDetect...'
echo ""
if [[ ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = alma ]]; then
${PAKMGR} install epel-release
${PAKMGR} install mailx inotify-tools tar wget
elif [ "${OS}" = oracle ]; then
if [ "${OSVER}" = 7 ]; then
${PAKMGR} install oracle-epel-release-el7
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/oracle-epel-ol7.repo
fi
if [ "${OSVER}" = 8 ]; then
${PAKMGR} install oracle-epel-release-el8
sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/oracle-epel-ol8.repo
fi
${PAKMGR} install mailx inotify-tools tar wget
elif [ "${OS}" = ubuntu ]; then
export DEBIAN_FRONTEND=noninteractive
${PAKMGR} install inotify-tools wget
fi
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
cd maldetect-1* || return $?
./install.sh
cd .. || return $?
rm -rf maldetect-*
if [ "${OS}" = ubuntu ]; then
ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r
fi
sed -i 's/email_alert="0"/email_alert="1"/g' /usr/local/maldetect/conf.maldet
sed -i 's/email_addr="you@domain.com"/email_addr="root@localhost"/g' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_hits="0"/quarantine_hits="1"/g' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_clean="0"/quarantine_clean="1"/g' /usr/local/maldetect/conf.maldet
if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle ]]; then
${PAKMGR} install clamav clamav-devel
elif [ "${OS}" = ubuntu ]; then
export DEBIAN_FRONTEND=noninteractive
${PAKMGR} install clamav clamav-daemon clamdscan clamav-freshclam
fi
freshclam
stop_spinner $?
} | tee -a $LOG
}
##########################
#### Install Logwatch ####
##########################
function install_logwatch() {
{
start_spinner 'Installing and Configuring LogWatch...'
${PAKMGR} install logwatch
LOG_ZZ=/usr/share/logwatch/default.conf/services/zz-disk_space.conf
# shellcheck disable=SC2016
sed -i 's/#$show_home_dir_sizes = 1/$show_home_dir_sizes = 1/g' $LOG_ZZ
# shellcheck disable=SC2016
sed -i 's/#$home_dir = "\/home"/$home_dir = "\/home"/g' $LOG_ZZ
# shellcheck disable=SC2016
sed -i 's/#$show_mail_dir_sizes = 1/#$show_mail_dir_sizes = 1/g' $LOG_ZZ
# shellcheck disable=SC2016
sed -i 's/#$mail_dir = "\/var\/spool\/mail/$mail_dir = "\/var\/spool\/mail/g' $LOG_ZZ
# shellcheck disable=SC2016
sed -i 's/#$show_disk_usage = 1/$show_disk_usage = 1/g' $LOG_ZZ
# shellcheck disable=SC2016
sed -i 's/$HTTP_IGNORE_ERROR_HACKS = 0/$HTTP_IGNORE_ERROR_HACKS = 1/g' /usr/share/logwatch/default.conf/services/http.conf
sed -i 's/Detail = Low/Detail = Med/g' /usr/share/logwatch/default.conf/logwatch.conf
stop_spinner $?
} | tee -a $LOG
}
###############################
#### Oracle EBS PreInstall ####
###############################
function oci_oracle_ebs_setup() {
{
start_spinner 'Configuring Server for Oracle EBS/WebLogic...'
if [ "${SRVTYPE}" != 3 ]; then
if [[ ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = alma ]]; then
${PAKMGR} install oracle-ebs-server-R12-preinstall openmotif21
oci-network-config -X ens3
sed -i 's/PRESERVE_HOSTINFO=0/PRESERVE_HOSTINFO=2/g' /etc/oci-hostname.conf
groupadd dba
groupadd dev
touch /etc/oraInst.loc
chmod 600 /etc/oraInst.loc
chown applmgr. /etc/oraInst.loc
elif [ "${OS}" = ubuntu ]; then
echo ""
echo -e "\e[7m**** !EBS PreInstall for Ubuntu is not supported! ****\e[0m"
echo ""
fi
fi
if [ "${SRVTYPE}" == 3 ]; then
oci-network-config -X ens3
sed -i 's/PRESERVE_HOSTINFO=0/PRESERVE_HOSTINFO=2/g' /etc/oci-hostname.conf
fi
} | tee -a $LOG
}
########################
#### Function Calls ####
########################
function oci_rh_ub_common() {
{
check_root
backup
make_swap
time_set
disable_filesystems
tmp_directory
stickybit
gpgkeys
aide_install
sudo_changes
boot_load
core_dumps
sysctl_conf
pre_link
se_troubleshoot_mcs
unconf_daemons
se_linux
banners
inet_service
ntp_config
chrony_cfg
update_security
unsecure_services
mail_config
addon_inet_services
service_clients
tcp_wrappers
auto_updates
uncommon_protocols
iptables_config
audit_accounting
rsyslog_service
journald_config
logfile_permissions
crond_enabled
compress_auditd
config_sshd
config_pam
accounts
config_users_permissions
audit_file_permissions
world_writable_files
user_group_settings
home_directories
dot_files
group_gid_uid
install_sysstat
install_rkhunter
install_lmd
install_logwatch
}
}
##################
#### OCI Only ####
##################
function oci_only() {
{
oci_iptables
}
}
##################
#### AWS Only ####
##################
function aws_only() {
{
aws_iptables
}
}
warn_message
Reference in New Issue View Git Blame Copy Permalink