
Hardening script for Ubuntu 14.04 LTS, CIS Benchmark v2.1.0


echo
echo Hardening Script CIS_Ubuntu_Linux_14.04_LTS_Benchmark_v2.1.0
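#######################################
# Set a "KEY<sep>VALUE" line in a config file: every uncommented line that
# starts with the key is rewritten, or one line is appended if none exists.
# Arguments:
#   $1 - config file (created by the append when it does not exist)
#   $2 - key, e.g. "max_log_file". Used inside a regex, so a key containing
#        regex metacharacters would need escaping; none used here do.
#   $3 - separator plus value exactly as it should follow the key,
#        e.g. " = 10", "=false" or " /etc/issue.net". Used as a sed
#        replacement, so a value containing "|", "&" or "\" needs escaping.
# The key only counts as matched when it is followed by whitespace, "=" or
# the end of the line. The previous bare prefix match `^$2.*` made
# set_parameter FILE max_log_file " = 10" also clobber the
# "max_log_file_action = ..." line, leaving auditd.conf with two
# max_log_file entries and no action setting.
#######################################
function set_parameter
{
  local file="$1" key="$2" value="$3"
  if [ -f "$file" ] && grep -qE -- "^${key}([[:space:]=]|\$)" "$file"; then
    sed -i -E "s|^${key}([[:space:]=].*)?\$|${key}${value}|" "$file"
  else
    printf '%s%s\n' "$key" "$value" >> "$file"
  fi
}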

#---------------------------------------------------------------------------------------------------------------
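#######################################
# Append a line to a file unless a line starting with that exact text is
# already there, so re-running the script does not duplicate entries.
# Arguments:
#   $1 - file (created by the append when it does not exist)
#   $2 - the line to add. Compared as a literal prefix rather than an
#        extended regex (the old `egrep "^$2"` treated "* hard core 0" and
#        "fs.suid_dumpable = 0" as patterns, which only worked by accident
#        of GNU grep's handling of a leading "*" and of "." matching any
#        character).
# The line is handed to awk through the environment, not -v, so backslashes
# in it are not reinterpreted as escape sequences.
#######################################
function add_line
{
  local file="$1" line="$2"
  if [ -f "$file" ] && want="$line" awk 'BEGIN { w = ENVIRON["want"] } index($0, w) == 1 { found = 1; exit } END { exit !found }' "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}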
#---------------------------------------------------------------------------------------------------------------


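echo ------------------------------------------------------------------------

# 1.1.1.1 - 1.1.1.6: filesystems the benchmark wants unmountable.
# "install <fs> /bin/true" makes modprobe run /bin/true instead of loading
# the module; rmmod unloads it now if it happens to be loaded. rmmod fails
# whenever the module is not loaded, which is the normal case, so that
# failure is silenced rather than reported as an error.
# The original unloaded "freevfs" -- the module is freevxfs, so it was never
# actually removed from a running kernel.
touch /etc/modprobe.d/CIS.conf
cis_item=1
for cis_fs in cramfs freevxfs jffs2 hfs hfsplus udf; do
  echo "1.1.1.${cis_item} Ensure mounting of ${cis_fs} filesystems is disabled scored"
  add_line /etc/modprobe.d/CIS.conf "install ${cis_fs} /bin/true"
  rmmod "${cis_fs}" 2>/dev/null || true
  echo ------------------------------------------------------------------------
  cis_item=$((cis_item + 1))
done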

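echo 1.1.2 Ensure separate partition exists for /tmp scored
echo /tmp create in diffrent partion as per unattended   installation
mount | grep tmp
echo ------------------------------------------------------------------------

# 1.1.3 - 1.1.17 are left as audit headers: the partition layout and the
# nodev/nosuid/noexec options are expected to come from the fstab written by
# the unattended installation this script was paired with, so nothing is
# remounted here. The commented examples record that layout; a remount on its
# own would not survive a reboot unless /etc/fstab carries the same option.
echo 1.1.3 Ensure nodev option set on /tmp partition scored
#add_line /etc/fstab "/dev/sda6 /tmp rw,nosuid,nodev,noexec,relatime 0 0"
#mount -o remount,nodev /tmp
echo ------------------------------------------------------------------------

echo 1.1.4 Ensure nosuid option set on /tmp partition scored
#mount -o remount,nosuid /tmp
echo ------------------------------------------------------------------------

echo 1.1.5 Ensure separate partition exists for /var scored
#add_line /etc/fstab "/dev/sda8 /var/tmp rw,nosuid,nodev,noexec,relatime 0 0"
echo ------------------------------------------------------------------------

echo 1.1.6 Ensure separate partition exists for /var/tmp scored
#mount | grep /var/tmp
echo ------------------------------------------------------------------------

echo 1.1.7 Ensure nodev option set on /var/tmp partition scored
#mount -o remount,nodev /var/tmp
echo ------------------------------------------------------------------------

echo 1.1.8 Ensure nosuid option set on /var/tmp partition scored
#mount -o remount,nosuid /var/tmp
echo ------------------------------------------------------------------------

echo 1.1.9 Ensure noexec option set on /var/tmp partition scored
#mount -o remount,noexec /var/tmp
echo ------------------------------------------------------------------------

echo 1.1.10 Ensure separate partition exists for /var/log scored
#add_line /etc/fstab "/dev/sda9 /var/log rw,relatime,data=ordered 0 0"
echo ------------------------------------------------------------------------

echo 1.1.11 Ensure separate partition exists for /var/log/audit scored
mount | grep /var/log/audit

echo ------------------------------------------------------------------------
echo 1.1.12 Ensure separate partition exists for /home scored
mount | grep /home

echo ------------------------------------------------------------------------
echo 1.1.13 Ensure nodev option set on /home partition scored
#mount -o remount,nodev /home

echo ------------------------------------------------------------------------
echo 1.1.14 Ensure nodev option set on /run/shm partition scored
# (the line below is `mount` output, not fstab syntax -- kept only as a record
# of the options the /run/shm tmpfs is expected to have)
#add_line /etc/fstab "tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)"
#mount -o remount,nodev /run/shm
echo ------------------------------------------------------------------------
echo 1.1.15 Ensure nosuid option set on /run/shm partition scored
echo ------------------------------------------------------------------------
echo 1.1.16 Ensure noexec option set on /run/shm partition scored
echo ------------------------------------------------------------------------
echo 1.1.17 Ensure nodev option set on removable media partitions notscored
echo ------------------------------------------------------------------------
echo 1.1.20 Ensure sticky bit is set on all world-writable directories scored
# Walk every local filesystem for world-writable directories. NUL-delimited
# so directory names with spaces survive, and `xargs -r` so chmod is not run
# with no arguments when nothing is found (the original then failed with
# "chmod: missing operand").
df --local -P | awk '{ if (NR != 1) print $6 }' \
  | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null \
  | xargs -0 -r chmod a+t
echo ------------------------------------------------------------------------
echo 1.1.21 Disable Automounting scored
# Upstart: an override file marked "manual" keeps the autofs job from
# starting without deleting the package-owned /etc/init/autofs.conf, which
# dpkg would simply restore on the next autofs upgrade (and which `rm -f`
# removed with no record of why).
echo manual > /etc/init/autofs.override
echo ------------------------------------------------------------------------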
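echo 1.3.2 Ensure filesystem integrity is regularly checked scored
apt-get install -y aide
# `aide --check` compares against a baseline database (/var/lib/aide/aide.db).
# Without one the nightly job below fails every day, so build the baseline on
# first run (benchmark item 1.3.1). aideinit walks the whole filesystem and
# can take a while on a large host.
if [ ! -f /var/lib/aide/aide.db ]; then
  aideinit
fi
add_line /var/spool/cron/crontabs/root "0 5 * * * /usr/bin/aide --config /etc/aide/aide.conf --check"
# Appending with >> creates the spool file with the default umask (0644);
# Debian's cron expects spool crontabs to be mode 0600 (as `crontab -e`
# writes them) and otherwise refuses them with "INSECURE MODE", so the job
# would never run. Match what crontab itself produces.
chown root:crontab /var/spool/cron/crontabs/root
chmod 600 /var/spool/cron/crontabs/root
echo ------------------------------------------------------------------------
echo 1.4.1 Ensure permissions on bootloader config are configured scored
# NOTE(review): update-grub is run later in this script (bootloader password,
# audit=1) and grub-mkconfig rewrites grub.cfg each time; re-apply these two
# commands after the last update-grub and verify the final mode on the target
# system, otherwise this item can be undone by the script itself.
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg
echo ------------------------------------------------------------------------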
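echo 1.4.2 Ensure bootloader password is set scored
# A GRUB superuser "grub" with a PBKDF2 password is required before boot
# entries can be edited. SECURITY: the hash that used to be hard-coded here
# ships with this script, so anyone who has read the script knows the
# bootloader password of every host it was run on. Generate a fresh hash with
# `grub-mkpasswd-pbkdf2` and export it as GRUB_PBKDF2_HASH before running.
# The old value is kept only as a fallback so unattended runs keep working,
# and a warning is printed whenever it is used.
if [ -z "${GRUB_PBKDF2_HASH:-}" ]; then
  echo "WARNING: GRUB_PBKDF2_HASH is not set; using the hash shipped with this script, which is NOT secret. Set it from grub-mkpasswd-pbkdf2." >&2
  GRUB_PBKDF2_HASH='grub.pbkdf2.sha512.10000.13ECE3802F4E9CD0AE856982B3193D2328A442E43829C7A1A35DC9BC9E5DCCAC3BB1DC9095A2F4847040D6020FC5E18ED641A016DB94AB65A5544C17B3CE87C3.9C3E89F92D54E042A7E5517C5E1E760A8041A57503DEA45DA91963A8E3FFD1822D2148CC2FE5605E288FCA261FAE8B9E168370138F045DC88A9667216A1DF720'
fi
# Scripts in /etc/grub.d are executed by grub-mkconfig and their stdout is
# spliced into grub.cfg; the `exec tail` idiom (as in 40_custom) emits
# everything from line 3 on verbatim. The file is overwritten rather than
# appended to, so a re-run with a new hash replaces the old one instead of
# leaving two password_pbkdf2 lines. `$0` is escaped so the heredoc does not
# expand it here.
cat > /etc/grub.d/01_password << EOF
#!/bin/sh
exec tail -n +3 \$0
set superusers="grub"
password_pbkdf2 grub ${GRUB_PBKDF2_HASH}
EOF
chmod a+x /etc/grub.d/01_password

# Once superusers is set, every menu entry requires the password unless it is
# generated with --unrestricted, which is how GRUB lets a host boot unattended
# while still protecting entry editing. The original achieved this by
# replacing all of /etc/grub.d/10_linux with a vendored copy whose only
# visible difference was `--unrestricted` appended to CLASS. That copy came
# from a newer Ubuntu release (it references GRUB_FORCE_PARTUUID, which 14.04's
# grub does not know), may not match the grub-mkconfig_lib helpers installed
# on 14.04, and is silently overwritten by the next grub-pc upgrade. Patch the
# installed file in place instead; the CLASS line has been identical across
# grub2 releases.
if ! grep -q -- '--unrestricted' /etc/grub.d/10_linux; then
  sed -i 's/^CLASS="--class gnu-linux --class gnu --class os"$/CLASS="--class gnu-linux --class gnu --class os --unrestricted"/' /etc/grub.d/10_linux
fi
if ! grep -q -- '--unrestricted' /etc/grub.d/10_linux; then
  echo "WARNING: could not add --unrestricted to /etc/grub.d/10_linux; every boot will prompt for the GRUB password" >&2
fi
update-grub
echo ------------------------------------------------------------------------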
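echo ------------------------------------------------------------------------
echo 1.4.3 Ensure authentication required for single user mode scored
# Check only. Single-user mode on Ubuntu authenticates as root, so root must
# have a real password: a "*" or "!" in the /etc/shadow field means the
# account is locked and the control is NOT met. Setting the password needs an
# interactive `passwd root`, which this script does not attempt. (The original
# lines 1.4.3 and 1.6.1.1 lacked `echo` and were executed as commands.)
if grep -q '^root:[*!]:' /etc/shadow; then
  echo "WARNING: root account is locked; set a root password so single-user mode requires authentication" >&2
fi
echo ------------------------------------------------------------------------
echo 1.5.1 Ensure core dumps are restricted scored
add_line  /etc/security/limits.conf  "* hard core 0"
add_line  /etc/sysctl.conf  "fs.suid_dumpable = 0"
# Was `sysctl -p fs.suid_dumpable=0`: -p expects a file name, so the setting
# was only ever written to disk, never applied to the running kernel.
sysctl -w fs.suid_dumpable=0
echo ------------------------------------------------------------------------
echo 1.5.3 Ensure address space layout randomization ASLR is enabled scored
add_line  /etc/sysctl.conf  "kernel.randomize_va_space=2"
sysctl -w kernel.randomize_va_space=2
echo ------------------------------------------------------------------------
echo 1.5.4 Ensure prelink is disabled scored
# `prelink -ua` restores the prelinked binaries before the package goes;
# -y keeps an installed prelink from stalling an unattended run at a prompt.
if dpkg -s prelink > /dev/null 2>&1; then
  prelink -ua
  apt-get remove -y prelink
fi
echo ------------------------------------------------------------------------
echo 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration
echo 1.6.1.2 Ensure the SELinux state is enforcing scored
echo 1.6.1.3 Ensure SELinux policy is configured scored
echo 1.6.1.4 Ensure no unconfined daemons exist scored
# The benchmark requires SELinux *or* AppArmor (1.6.3), and 1.6.2.2 below
# enforces every AppArmor profile, which is what Ubuntu ships and supports.
# An earlier version of this section also installed the selinux package and
# wrote an enforcing /etc/selinux/config next to AppArmor: only one major LSM
# is active on these kernels, and enforcing SELinux on a filesystem that was
# never labelled is a boot risk. The SELinux items are therefore covered by
# AppArmor and left as headers only.
echo ------------------------------------------------------------------------
echo 1.6.2.2 Ensure all AppArmor Profiles are enforcing scored
apt-get install -y apparmor apparmor-utils
aa-enforce /etc/apparmor.d/*
# aa-status reports profiles in enforce/complain mode and any process running
# unconfined -- the AppArmor counterpart of the SELinux 1.6.1.4 check.
aa-status
echo ------------------------------------------------------------------------
echo 1.6.3 Ensure SELinux or AppArmor are installed scored
if dpkg -s apparmor > /dev/null 2>&1; then
  echo "apparmor is installed"
else
  echo "WARNING: apparmor is not installed; 1.6.3 is not met" >&2
fi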
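echo 1.7.1.1 Ensure message of the day is configured properly scored
echo ------------------------------------------------------------------------
# One copy of the warning banner, reused for the MOTD (1.7.1.1), the local
# login banner /etc/issue (1.7.1.2, which the original header named but never
# wrote) and the remote banner /etc/issue.net shown by sshd (1.7.1.3). The
# text contains none of the \m \r \s \v escapes that would leak OS and kernel
# details on the login prompt. The MOTD copy previously read "compuyteter".
cis_banner="This is a private computer system and restricts access and use to authorized persons only.  Use of and/or access to this system and/or any information obtained via this system is subject to policies and procedures governing such use.  Unauthorized or improper use of or access to this system, or any portion of it, either directly or indirectly, or any attempt to deny service to authorized users or to alter, damage or destroy information, or otherwise to interfere with the system or its operation, is strictly prohibited.  Any party using or accessing, or attempting to use or access this system without express authority may be subject to severe disciplinary action and/or civil and criminal penalties in accordance with applicable law.  All access to this system is monitored.  Any person who uses or accesses this system expressly consents to such monitoring and recording.  We may furnish information obtained by its monitoring and recording activity to law enforcement officials if such monitoring and recording reveals possible evidence of unlawful activity."
printf '%s\n' "$cis_banner" > /etc/motd
chown root:root /etc/motd
chmod 644 /etc/motd
echo ------------------------------------------------------------------------
echo 1.7.1.2 Ensure local login warning banner is configured properly notscored
printf '%s\n' "$cis_banner" > /etc/issue
printf '%s\n' "$cis_banner" > /etc/issue.net
set_parameter /etc/ssh/sshd_config "Banner" " /etc/issue.net"
# sshd only reads its config at start; validate it first so a bad edit does
# not take the daemon down, then reload so the banner applies now.
if /usr/sbin/sshd -t; then
  service ssh reload
else
  echo "WARNING: sshd_config failed validation; ssh not reloaded" >&2
fi
echo ------------------------------------------------------------------------
echo 1.7.1.5 Ensure permissions on /etc/issue are configured scored
# 1.7.1.6 (same permissions on /etc/issue.net) handled alongside.
chown root:root /etc/issue /etc/issue.net
chmod 644 /etc/issue /etc/issue.net
echo ------------------------------------------------------------------------
echo 1.7.2 Ensure GDM login banner is configured scored
echo GDM is not installed
echo ------------------------------------------------------------------------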
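echo 2.2.1.3 Ensure chrony is configured scored
# Site time sources. The two addresses are site-specific; override them with
# a space-separated list in CHRONY_SERVERS (word-splitting on the value is
# intentional). 14.04 is an upstart/sysv system, so the original
# `systemctl enable chrony` was a no-op: enable the sysv links and restart
# the daemon so it picks up the new servers.
CHRONY_SERVERS="${CHRONY_SERVERS:-192.168.16.2 192.168.16.5}"
apt-get install -y chrony
for cis_ntp in $CHRONY_SERVERS; do
  add_line /etc/chrony/chrony.conf "server  ${cis_ntp}"
done
update-rc.d chrony enable
service chrony restart
echo ------------------------------------------------------------------------
echo 2.2.2 Ensure X Window System is not installed scored
# Quoted so the shell cannot glob-expand the pattern against files in the
# current directory before apt-get sees it.
apt-get remove -y 'xserver-xorg*'
echo ------------------------------------------------------------------------
echo 2.2.10 Ensure HTTP server is not enabled scored
update-rc.d apache2 disable
echo ------------------------------------------------------------------------
echo 2.2.11 2.2.12  2.2.13 2.2.14  remove unnecessary services
# Was `apt-remove`, which is not a command, so none of these were removed.
apt-get remove -y squid samba dovecot snmpd
echo ------------------------------------------------------------------------
echo 2.2.15 Ensure mail transfer agent is configured for local-only mode
set_parameter /etc/postfix/main.cf "inet_interfaces" " = loopback-only"
# postfix only re-reads main.cf on restart; skip when it is not installed.
if command -v postconf > /dev/null 2>&1; then
  service postfix restart
fi
echo ------------------------------------------------------------------------
echo 2.2.16 Ensure rsync service is not enabled scored
set_parameter /etc/default/rsync "RSYNC_ENABLE" "=false"
echo ------------------------------------------------------------------------
echo 2.2.17 Ensure NIS Server is not enabled scored
# On Ubuntu ypserv is shipped by the "nis" package, which 2.3.1 below removes;
# the previous `apt remove ypserv` could never match a package name.
echo ------------------------------------------------------------------------
echo 2.3.1 2.3.2 2.3.3  2.3.4 2.35  Ensure nis rsh clients is not installed scored
apt-get remove -y nis
apt-get remove -y rsh-client rsh-redone-client talk telnet ldap-utils
echo ------------------------------------------------------------------------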
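#######################################
# Persist a kernel parameter in /etc/sysctl.conf and apply it to the running
# kernel in one step, so nothing is left "configured on disk but not in
# effect" until the next boot. The original wrote several keys without a
# matching `sysctl -w` (conf.all.send_redirects, accept_source_route,
# rp_filter, tcp_syncookies) and relied on scattered `sysctl -p` calls.
# Arguments:
#   $1 - sysctl key, e.g. net.ipv4.ip_forward
#   $2 - value
#######################################
function cis_sysctl
{
  add_line /etc/sysctl.conf "$1 = $2"
  sysctl -w "$1=$2"
}

echo 3.1.1 Ensure IP forwarding is disabled scored
cis_sysctl net.ipv4.ip_forward 0
echo ------------------------------------------------------------------------
echo 3.1.2 Ensure packet redirect sending is disabled scored
cis_sysctl net.ipv4.conf.all.send_redirects 0
cis_sysctl net.ipv4.conf.default.send_redirects 0
echo ------------------------------------------------------------------------
echo 3.2.1 Ensure source routed packets are not accepted Scored
cis_sysctl net.ipv4.conf.all.accept_source_route 0
cis_sysctl net.ipv4.conf.default.accept_source_route 0
echo ------------------------------------------------------------------------
echo 3.2.2 Ensure ICMP redirects are not accepted scored
cis_sysctl net.ipv4.conf.all.accept_redirects 0
cis_sysctl net.ipv4.conf.default.accept_redirects 0
echo ------------------------------------------------------------------------
echo 3.2.3 Ensure secure ICMP redirects are not accepted scored
cis_sysctl net.ipv4.conf.all.secure_redirects 0
cis_sysctl net.ipv4.conf.default.secure_redirects 0
echo ------------------------------------------------------------------------
echo 3.2.4 Ensure suspicious packets are logged scored
cis_sysctl net.ipv4.conf.all.log_martians 1
cis_sysctl net.ipv4.conf.default.log_martians 1
echo ------------------------------------------------------------------------
echo 3.2.5 Ensure broadcast ICMP requests are ignored Scored
cis_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
echo ------------------------------------------------------------------------
echo 3.2.6 Ensure bogus ICMP responses are ignored scored
cis_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
echo -----------------------------------------------------------------------
echo 3.2.7 Ensure Reverse Path Filtering is enabled
cis_sysctl net.ipv4.conf.all.rp_filter 1
cis_sysctl net.ipv4.conf.default.rp_filter 1
echo -----------------------------------------------------------------------
echo 3.2.8 Ensure TCP SYN Cookies is enabled
cis_sysctl net.ipv4.tcp_syncookies 1
# Re-read the whole file once, then flush the route cache so the
# redirect/source-route changes apply to cached routes as well.
sysctl -p
sysctl -w net.ipv4.route.flush=1
echo -----------------------------------------------------------------------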
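echo 3.4.1 Ensure TCP Wrappers is installed
apt-get install -y tcpd
echo -----------------------------------------------------------------------
echo 3.4.2 Ensure /etc/hosts.allow is configured
# Networks allowed to reach tcpd-wrapped services. Site-specific, so it can
# be overridden with HOSTS_ALLOW using the same "net/mask, net/mask" syntax.
HOSTS_ALLOW="${HOSTS_ALLOW:-192.168.15.0/255.255.255.0, 192.168.16.0/255.255.255.0, 192.168.27.0/255.255.255.0}"
echo "ALL:  ${HOSTS_ALLOW}" > /etc/hosts.allow
echo -----------------------------------------------------------------------
echo 3.4.3 Ensure /etc/hosts.deny is configured
# add_line instead of >> so re-runs do not stack duplicate "ALL: ALL" lines.
add_line /etc/hosts.deny "ALL: ALL"
echo -----------------------------------------------------------------------
echo 3.4.4 Ensure permissions on /etc/hosts.allow are configured
chown root:root /etc/hosts.allow
chmod 644 /etc/hosts.allow
echo -----------------------------------------------------------------------
echo 3.4.5 Ensure permissions on /etc/hosts.deny are configured
chown root:root /etc/hosts.deny
chmod 644 /etc/hosts.deny
echo -----------------------------------------------------------------------
echo 3.6.1 Ensure iptables is installed
apt-get install -y iptables
echo -----------------------------------------------------------------------
echo 3.6.2 Ensure default firewall policy
#######################################
# Append an iptables rule only if an identical one is not already in the
# chain (`iptables -C`), so re-running the script does not duplicate rules.
# Arguments: chain followed by the rule specification, as for `iptables -A`.
#######################################
function cis_ipt
{
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}
# Order matters when this runs over SSH: the ACCEPT rules go in first and the
# DROP policies are set last, so an established session is never cut off in
# the window between the two. The original set the policies first.
# Loopback: allow lo, then drop anything claiming a 127/8 source that arrives
# on any other interface.
cis_ipt INPUT -i lo -j ACCEPT
cis_ipt OUTPUT -o lo -j ACCEPT
cis_ipt INPUT -s 127.0.0.0/8 -j DROP
# All outbound traffic, and inbound replies to it.
cis_ipt OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
cis_ipt OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
cis_ipt OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
cis_ipt INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
cis_ipt INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
cis_ipt INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
# Inbound SSH; add any other services the host must expose here.
cis_ipt INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Default-deny policies last. The FORWARD policy read "DRO" before, which
# iptables rejects, so forwarding was left at ACCEPT.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# NOTE(review): these rules exist only in the running kernel. Persist them
# (iptables-persistent, or iptables-save into an init hook) or the firewall
# is gone after the next reboot.
echo -----------------------------------------------------------------------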
echo 4.1.1 Configure Data Retention
apt install -y auditd audispd-plugins
echo -----------------------------------------------------------------------
echo 4.1.1.2 Ensure system is disabled when audit logs are full
set_parameter  /etc/audit/auditd.conf "space_left_action" " = email"
set_parameter  /etc/audit/auditd.conf "action_mail_acct" " = root"
set_parameter  /etc/audit/auditd.conf "admin_space_left_action" " = halt"
set_parameter  /etc/audit/auditd.conf "max_log_file" " = 10"
set_parameter  /etc/audit/auditd.conf "max_log_file_action" " = keep_logs"
echo -----------------------------------------------------------------------
echo 4.1.2 Ensure auditd service is enabled
update-rc.d auditd enable
echo -----------------------------------------------------------------------
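echo 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
# Put audit=1 on the kernel command line by editing the existing
# GRUB_CMDLINE_LINUX entry in place. Replacing the whole of
# /etc/default/grub (what the original did) silently discards whatever the
# installer or an administrator already set there (console=, crashkernel=,
# GRUB_CMDLINE_LINUX_DEFAULT, serial console settings, ...).
grub_default=/etc/default/grub
if grep -q '^GRUB_CMDLINE_LINUX=' "$grub_default"; then
  if ! grep -q '^GRUB_CMDLINE_LINUX=.*audit=1' "$grub_default"; then
    # append inside the existing double quotes; the second expression
    # removes the leading blank left behind when the value was empty
    sed -i -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 audit=1"/' \
           -e 's/^GRUB_CMDLINE_LINUX=" /GRUB_CMDLINE_LINUX="/' "$grub_default"
  fi
else
  echo 'GRUB_CMDLINE_LINUX="audit=1"' >> "$grub_default"
fi
# An unquoted or otherwise unusual value is not matched by the sed above;
# say so instead of silently leaving early-boot auditing off.
if ! grep -q '^GRUB_CMDLINE_LINUX=.*audit=1' "$grub_default"; then
  echo "audit=1 could not be added to GRUB_CMDLINE_LINUX; edit $grub_default by hand" >&2
fi
update-grub
echo -----------------------------------------------------------------------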
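echo 4.1.4 Ensure events that modify date and time information are collected
echo -----------------------------------------------------------------------
echo 4.1.5 Ensure events that modify user/group information are collected
echo 4.1.4 - 4.1.18 are implemented together by the audit rule file written below
# Notes on the rule set (kept as supplied, apart from the changes listed):
#  - Exact duplicate lines were removed. The kernel rejects a rule that
#    already exists ("Rule exists") and auditctl -R stops at the first error
#    unless -c is given, so with the duplicates in place the lines after the
#    first one - including the "-e 2" lock at the end - were never loaded.
#  - Two rules that differed from a neighbouring rule only by the key typo
#    "timechange" (the CIS key is "time-change") were dropped.
#  - The unkeyed "-S open -F success=0" rules and the unkeyed
#    chmod/chown/sched rules record every failing open() and every mode
#    change system-wide, with no auid filter. They are not CIS rules and are
#    high volume; combined with admin_space_left_action = halt a filled audit
#    partition halts the host, so monitor log growth or remove them.
#  - "-e 2" makes the audit configuration immutable: once loaded, any change
#    to this file only takes effect after a reboot.
cat > /etc/audit/audit.rules << 'EOF'
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# Feel free to add below this line. See auditctl man page
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S open -F success=0
-a exit,always -F arch=b64 -S open -F success=0
-a exit,always -F arch=b32 -S unlink -S rmdir
-a exit,always -F arch=b64 -S unlink -S rmdir
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ksu -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ksu -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/arping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mlocate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/traceroute6.iputils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/evolution/camel-lock-helper-1.2 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/sssd/p11_child -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/cockpit/cockpit-session -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/landscape/apt-update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S chmod -S fchmod -S chown -S chown -S fchown
-a exit,always -F arch=b64 -S chmod -S fchmod -S chown -S chown -S fchown
-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a exit,always -F arch=b32 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b64 -S settimeofday -S setrlimit -S setdomainname
-a exit,always -F arch=b32 -S stime -S acct -S reboot -S swapon
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /etc/sudoers -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /var/log/wtmp -p wa -k session
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/localtime -p wa -k time-change
-w /etc/passwd -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/audit/audit.rules
-w /etc/audit/auditd.conf
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /etc/sudoers.d/ -p wa -k scope
-f 1
-e 2
EOF
chmod 600 /etc/audit/audit.rules
chown root:root /etc/audit/audit.rules
# Load the new auditd.conf and rules now instead of at the next boot. On a
# re-run the kernel may already be immutable (-e 2 above); the restart then
# reports the failure and a reboot is needed for the change to apply.
service auditd restart || echo "auditd restart failed; a reboot is required to load the new audit rules" >&2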
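echo -----------------------------------------------------------------------
echo 4.2.3 Ensure rsyslog or syslog-ng is installed
# Install before writing into /etc/rsyslog.d so the configuration lands in a
# directory the package owns; -y keeps the run non-interactive (the original
# prompted, and installed only after configuring).
apt-get install -y rsyslog
echo -----------------------------------------------------------------------
echo 4.2.1.2 Ensure logging is configured
echo 4.2.1.3 Ensure rsyslog default file permissions configured
# This replaces the stock Ubuntu 50-default.conf; everything not matched by
# a specific rule still ends up in /var/log/messages via "*.*;...".
# $FileCreateMode 0640 (4.2.1.3, previously a bare "echo done") must precede
# the rules so log files rsyslog creates are not world-readable.
cat > /etc/rsyslog.d/50-default.conf << 'EOF'
$FileCreateMode 0640
*.emerg :omusrmsg:*
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
EOF
# HUP makes a running rsyslogd re-read its configuration
pkill -HUP rsyslogd
echo -----------------------------------------------------------------------
echo 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
echo need to setup or not need it in this case
echo -----------------------------------------------------------------------
echo 4.2.4 Ensure permissions on all logfiles are configured
# Regular files only. "chmod -R g-wx,o-rwx /var/log/*" also stripped the
# execute (traverse) bit from every directory under /var/log, which locks the
# group and others out of directories they legitimately need to enter.
find /var/log -type f -exec chmod g-wx,o-rwx {} +
echo -----------------------------------------------------------------------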
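echo 5.1.1 Ensure cron daemon is enabled
# Ubuntu 14.04 boots with upstart, where systemctl is normally absent; fall
# back to the sysv tool the rest of this script already uses for auditd.
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable cron
else
  update-rc.d cron enable
fi
echo 5.1.2 Ensure permissions on /etc/crontab are configured
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
echo -----------------------------------------------------------------------
# 5.1.3 - 5.1.7: the section titles below were missing their "echo" and so
# were executed as commands ("5.1.3: command not found").
echo 5.1.3 Ensure permissions on /etc/cron.hourly are configured
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
echo -----------------------------------------------------------------------
echo 5.1.4 Ensure permissions on /etc/cron.daily are configured
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
echo -----------------------------------------------------------------------
echo 5.1.5 Ensure permissions on /etc/cron.weekly are configured
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
echo -----------------------------------------------------------------------
echo 5.1.6 Ensure permissions on /etc/cron.monthly are configured
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
echo -----------------------------------------------------------------------
echo 5.1.7 Ensure permissions on /etc/cron.d are configured
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
echo -----------------------------------------------------------------------
echo 5.1.8 Ensure at/cron is restricted to authorized users
# -f: the deny files are usually absent already, and absent is the goal
rm -f /etc/cron.deny /etc/at.deny
# Empty allow files mean only root may use cron and at until names are
# added; the files are root-only so users cannot add themselves.
touch /etc/cron.allow /etc/at.allow
chmod og-rwx /etc/cron.allow /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
echo -----------------------------------------------------------------------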
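echo 5.2 SSH Server Configuration
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config

# Account(s) allowed to log in over SSH. The original hard-coded "linux";
# SSH_ALLOW_USERS in the environment overrides it so the script does not
# lock administrators out of hosts that use another account name.
SSH_ALLOW_USERS=${SSH_ALLOW_USERS:-linux}

# Write the new configuration to a temporary file and have sshd validate it
# (sshd -t) before it replaces the live file. A syntax error in sshd_config
# stops sshd from starting, which on a remote host means loss of access.
# Note that this replaces the whole file: Port, ListenAddress and HostKey
# settings fall back to their compiled-in defaults.
sshd_tmp=$(mktemp /etc/ssh/sshd_config.XXXXXX)
cat > "$sshd_tmp" << EOF
Protocol 2
UsePAM yes
X11Forwarding no
PrintMotd no
MaxAuthTries 4
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
ChallengeResponseAuthentication no
LogLevel INFO
IgnoreRhosts yes
AcceptEnv LANG LC_*
HostbasedAuthentication no
# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server
Banner /etc/issue.net
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
AllowUsers $SSH_ALLOW_USERS
EOF
# The original also emitted "AllowGroups", "DenyUsers" and "DenyGroups" with
# no pattern. They are left out: a keyword without a pattern restricts
# nothing, and sshd -t below decides what the installed version accepts.
if sshd -t -f "$sshd_tmp"; then
  chown root:root "$sshd_tmp"
  chmod og-rwx "$sshd_tmp"
  mv -f "$sshd_tmp" /etc/ssh/sshd_config
  # the running sshd keeps its current settings until "service ssh restart"
else
  echo "generated sshd_config failed validation; the existing file was kept" >&2
  rm -f "$sshd_tmp"
fi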
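echo 5.3.1 Ensure password creation requirements are configured
# pwquality.conf is read by pam_pwquality; install the module so the values
# have an effect (on Ubuntu the package hooks itself into common-password
# through pam-auth-update).
apt-get install -y libpam-pwquality
cat > /etc/security/pwquality.conf << 'EOF'
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
echo -----------------------------------------------------------------------
echo 5.3.2 Ensure lockout for failed password attempts is configured
# The counting module has to run BEFORE pam_unix. Appended to the end of
# common-auth (the original) it sat behind "auth requisite pam_deny.so",
# which ends the stack as soon as a password fails, so failed attempts were
# never counted and the lockout never engaged. Insert it ahead of the
# pam_unix line instead, once; Ubuntu's common-auth has a single such line.
if ! grep -q '^auth.*pam_tally2\.so' /etc/pam.d/common-auth; then
  sed -i \
    -e '/^auth.*pam_unix\.so/i #5.3.2 Ensure lockout for failed password attempts is configured  CIS 2.1 Benchmark' \
    -e '/^auth.*pam_unix\.so/i auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' \
    /etc/pam.d/common-auth
  grep -q '^auth.*pam_tally2\.so' /etc/pam.d/common-auth ||
    echo "no pam_unix line found in /etc/pam.d/common-auth; pam_tally2 was not added" >&2
fi
echo -----------------------------------------------------------------------
echo "#5.3.3 Ensure password reuse is limited CIS 2.1 Benchmark"
# Same ordering rule: the history check must precede the pam_unix module
# that actually changes the password.
if ! grep -q '^password.*pam_pwhistory\.so' /etc/pam.d/common-password; then
  sed -i -e '/^password.*pam_unix\.so/i password required pam_pwhistory.so remember=5' /etc/pam.d/common-password
fi
echo -----------------------------------------------------------------------
echo "#5.3.4 Ensure password hashing algorithm is SHA-512 CIS 2.1 Benchmark"
# Add sha512 to the existing pam_unix line when it is missing. Appending a
# second "pam_unix.so sha512" line (the original) leaves the first line's
# hashing algorithm as it was and runs the password change module twice.
sed -i -e '/^password.*pam_unix\.so/{/sha512/!s/$/ sha512/;}' /etc/pam.d/common-password
echo -----------------------------------------------------------------------
# 5.4.1.x only change the defaults for accounts created from now on;
# existing accounts keep their chage settings unless adjusted separately.
echo 5.4.1.1 Ensure password expiration is 365 days or less
set_parameter  /etc/login.defs "PASS_MAX_DAYS" "  90"
echo -----------------------------------------------------------------------
echo 5.4.1.2 Ensure minimum days between password changes is 7 or more
set_parameter  /etc/login.defs "PASS_MIN_DAYS" "  7"
echo -----------------------------------------------------------------------
echo 5.4.1.3 Ensure password expiration warning days is 7 or more
set_parameter  /etc/login.defs "PASS_WARN_AGE" "  7"
echo -----------------------------------------------------------------------
echo 5.4.3 Ensure default group for the root account is GID 0
usermod -g 0 root
echo -----------------------------------------------------------------------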
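echo 6.1.3 Ensure permissions on /etc/shadow are configured
chown root:shadow /etc/shadow
chmod o-rwx,g-wx /etc/shadow
echo -----------------------------------------------------------------------
echo 6.1.4 Ensure permissions on /etc/group are configured
chown root:root /etc/group
chmod 644 /etc/group
echo -----------------------------------------------------------------------
echo 6.1.5 Ensure permissions on /etc/gshadow are configured
chown root:shadow /etc/gshadow
chmod o-rwx,g-rw /etc/gshadow
echo -----------------------------------------------------------------------
# 6.1.6 - 6.1.9 concern the backup copies (trailing "-") of the account
# files. The original applied them to the live files; among other things it
# made /etc/shadow 0600, taking read access away from the shadow group that
# helpers such as unix_chkpwd rely on. The backups exist only once the live
# file has been modified, hence the -e guards.
echo 6.1.6 Ensure permissions on /etc/passwd- are configured
if [ -e /etc/passwd- ]; then
  chown root:root /etc/passwd-
  chmod u-x,go-wx /etc/passwd-
fi
echo -----------------------------------------------------------------------
echo 6.1.7 Ensure permissions on /etc/shadow- are configured
if [ -e /etc/shadow- ]; then
  chown root:shadow /etc/shadow-
  chmod o-rwx,g-rw /etc/shadow-
fi
echo -----------------------------------------------------------------------
echo 6.1.8 Ensure permissions on /etc/group- are configured
if [ -e /etc/group- ]; then
  chown root:root /etc/group-
  chmod u-x,go-wx /etc/group-
fi
echo -----------------------------------------------------------------------
echo 6.1.9 Ensure permissions on /etc/gshadow- are configured
if [ -e /etc/gshadow- ]; then
  chown root:shadow /etc/gshadow-
  chmod o-rwx,g-rw /etc/gshadow-
fi
echo -----------------------------------------------------------------------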
echo 6.1.10 Ensure no world writable files exist
# Audit only: list regular files on the root filesystem writable by "other".
find / -xdev -type f -perm -0002
echo -----------------------------------------------------------------------
echo 6.1.11 Ensure no unowned files or directories exist
# Every locally mounted filesystem (df header skipped), without crossing
# into other mounts from each starting point.
df --local -P | awk 'NR != 1 { print $6 }' | xargs -I '{}' find '{}' -xdev -nouser
echo -----------------------------------------------------------------------
echo 6.1.12 Ensure no ungrouped files or directories exist
df --local -P | awk 'NR != 1 { print $6 }' | xargs -I '{}' find '{}' -xdev -nogroup
echo -----------------------------------------------------------------------
# 6.2.2 - 6.2.4: NIS-style "+" entries would fall back to a network database
echo 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd
grep '^\+:' /etc/passwd
echo -----------------------------------------------------------------------
echo 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow
grep '^\+:' /etc/shadow
echo -----------------------------------------------------------------------
echo 6.2.4 Ensure no legacy "+" entries exist in /etc/group
grep '^\+:' /etc/group
echo -----------------------------------------------------------------------
echo 6.2.5 Ensure root is the only UID 0 account
# print every account name whose UID field is 0
awk -F: '($3 == 0) { print $1 }' /etc/passwd
echo -----------------------------------------------------------------------
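echo 6.2.6 Ensure root PATH Integrity
echo
# Report weaknesses in the current PATH: empty entries, a trailing ":",
# ".", directories that are group/other writable and directories not owned
# by root. One finding per line on stdout; nothing is changed.
# (The original contained a stray "341 | P a g e" page footer from the CIS
# PDF that was executed as a command, and its "set -- $p" clobbered the
# script's own positional parameters.)
check_root_path() {
  local entry perms owner
  case "$PATH" in
    *::*) echo "Empty Directory in PATH (::)" ;;
  esac
  case "$PATH" in
    *:) echo "Trailing : in PATH" ;;
  esac
  # split on ":" only, and only inside this function
  local IFS=:
  for entry in $PATH; do
    [ -n "$entry" ] || continue   # the "::" case was reported above
    if [ "$entry" = "." ]; then
      echo "PATH contains ."
      continue
    fi
    if [ ! -d "$entry" ]; then
      echo "$entry is not a directory"
      continue
    fi
    # %A is the symbolic mode (drwxr-xr-x); -L follows symlinks as ls -H did.
    # Positions 6 and 9 (1-based, as in the CIS "cut -c" columns) are the
    # group and other write bits.
    perms=$(stat -L -c '%A' -- "$entry")
    [ "${perms:5:1}" = "-" ] || echo "Group Write permission set on directory $entry"
    [ "${perms:8:1}" = "-" ] || echo "Other Write permission set on directory $entry"
    owner=$(stat -L -c '%U' -- "$entry")
    [ "$owner" = "root" ] || echo "$entry is not owned by root"
  done
}
check_root_path
echo -----------------------------------------------------------------------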
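# 6.2.7 - 6.2.14 examine the home directories of interactive users. The CIS
# text repeats the same /etc/passwd pipeline in every check (with two
# different nologin paths); it is factored out here so every check agrees.
# The original also carried a stray "354 | P a g e" PDF page footer that was
# executed as a command, and several messages split over two lines.

# Print "<user> <home>" for every account whose shell is not nologin or
# false, excluding root, halt, sync and shutdown. Exact name matches replace
# the original prefix match (egrep -v '^(root|...)'), which would also have
# skipped e.g. an account called "rootbeer".
interactive_user_homes() {
  awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' /etc/passwd
}

# True when character $2 (1-based, the column numbering of the CIS "cut -c"
# checks: 5-7 group rwx, 8-10 other rwx) of the symbolic mode string $1 is
# anything other than "-".
mode_bit_set() {
  [ "${1:$(($2 - 1)):1}" != "-" ]
}

echo 6.2.7 Ensure all users home directories exist
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  fi
done
echo -----------------------------------------------------------------------
echo 6.2.8 Ensure users home directories permissions are 750 or more restrictive
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
    continue
  fi
  # no -L: judge the directory entry itself, as "ls -ld" did
  perms=$(stat -c '%A' -- "$dir")
  mode_bit_set "$perms" 6 && echo "Group Write permission set on the home directory ($dir) of user $user"
  mode_bit_set "$perms" 8 && echo "Other Read permission set on the home directory ($dir) of user $user"
  mode_bit_set "$perms" 9 && echo "Other Write permission set on the home directory ($dir) of user $user"
  mode_bit_set "$perms" 10 && echo "Other Execute permission set on the home directory ($dir) of user $user"
done

echo -----------------------------------------------------------------------
echo 6.2.9 Ensure users own their home directories
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
    continue
  fi
  owner=$(stat -L -c "%U" "$dir")
  if [ "$owner" != "$user" ]; then
    echo "The home directory ($dir) of user $user is owned by $owner."
  fi
done
echo -----------------------------------------------------------------------
echo 6.2.10 Ensure users dot files are not group or world writable
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
    continue
  fi
  for file in "$dir"/.[A-Za-z0-9]*; do
    # regular files only; symlinks are skipped so a link into another tree
    # is not judged by its target's mode
    [ ! -h "$file" ] && [ -f "$file" ] || continue
    perms=$(stat -c '%A' -- "$file")
    mode_bit_set "$perms" 6 && echo "Group Write permission set on file $file"
    mode_bit_set "$perms" 9 && echo "Other Write permission set on file $file"
  done
done
echo -----------------------------------------------------------------------
echo 6.2.11 Ensure no users have .forward files
echo
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  elif [ ! -h "$dir/.forward" ] && [ -f "$dir/.forward" ]; then
    echo ".forward file $dir/.forward exists"
  fi
done

echo -----------------------------------------------------------------------
echo 6.2.12 Ensure no users have .netrc files
echo
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  elif [ ! -h "$dir/.netrc" ] && [ -f "$dir/.netrc" ]; then
    echo ".netrc file $dir/.netrc exists"
  fi
done
echo -----------------------------------------------------------------------
echo 6.2.13 Ensure users .netrc Files are not group or world accessible
echo
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
    continue
  fi
  file=$dir/.netrc
  [ ! -h "$file" ] && [ -f "$file" ] || continue
  # .netrc holds credentials: every group/other bit is reported
  perms=$(stat -c '%A' -- "$file")
  mode_bit_set "$perms" 5 && echo "Group Read set on $file"
  mode_bit_set "$perms" 6 && echo "Group Write set on $file"
  mode_bit_set "$perms" 7 && echo "Group Execute set on $file"
  mode_bit_set "$perms" 8 && echo "Other Read set on $file"
  mode_bit_set "$perms" 9 && echo "Other Write set on $file"
  mode_bit_set "$perms" 10 && echo "Other Execute set on $file"
done
echo -----------------------------------------------------------------------
echo 6.2.14 Ensure no users have .rhosts files
echo
interactive_user_homes | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  elif [ ! -h "$dir/.rhosts" ] && [ -f "$dir/.rhosts" ]; then
    echo ".rhosts file in $dir"
  fi
done
echo -----------------------------------------------------------------------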
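echo 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group
echo
# True when $1 is the GID (third field) of some entry in group file $2
# (default /etc/group). awk with -v instead of interpolating the value into a
# grep -P pattern: the field is data, not a regular expression.
gid_in_group_file() {
  awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }' "${2:-/etc/group}"
}
# every primary GID referenced from /etc/passwd must be defined
for gid in $(cut -s -d: -f4 /etc/passwd | sort -u); do
  gid_in_group_file "$gid" /etc/group ||
    echo "Group $gid is referenced by /etc/passwd but does not exist in /etc/group"
done
echo -----------------------------------------------------------------------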
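# 6.2.16 - 6.2.19: duplicate ids and names in passwd and group. One helper
# replaces four copies of the same loop (one of which, 6.2.17, the original
# ran twice); the 6.2.16 title was missing its "echo" and ran as a command.

# Print "Duplicate <label> (<value>): <entries>" for every value of the
# colon-separated field $2 that occurs more than once in file $1. <entries>
# lists field $4 of each line carrying the duplicated value (the user or
# group names for a duplicated id, the ids for a duplicated name).
report_duplicate_field() {
  local file=$1 field=$2 label=$3 other=$4 value entries
  cut -s -d: -f"$field" "$file" | sort | uniq -d | while IFS= read -r value; do
    entries=$(awk -F: -v n="$value" -v f="$field" -v o="$other" '($f == n) { print $o }' "$file" | xargs)
    echo "Duplicate $label ($value): $entries"
  done
}
echo 6.2.16 Ensure no duplicate UIDs exist
echo
report_duplicate_field /etc/passwd 3 UID 1
echo -----------------------------------------------------------------------
echo 6.2.17 Ensure no duplicate GIDs exist
echo
report_duplicate_field /etc/group 3 GID 1
echo -----------------------------------------------------------------------
echo 6.2.18 Ensure no duplicate user names exist
echo
report_duplicate_field /etc/passwd 1 "User Name" 3
echo -----------------------------------------------------------------------
echo 6.2.19 Ensure no duplicate group names exist
echo
report_duplicate_field /etc/group 1 "Group Name" 3
echo -----------------------------------------------------------------------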
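echo 6.2.20 Ensure shadow group is empty
# Print the shadow group's entry when it has members, and every passwd entry
# whose primary group is shadow. The original used "[^:]+" with basic grep,
# where "+" is a literal character, so members were never reported, and
# compared the passwd GID field to "" instead of to shadow's GID.
# $1 = group file, $2 = passwd file (both default to the system files).
check_shadow_group() {
  local group_file=${1:-/etc/group} passwd_file=${2:-/etc/passwd} shadow_gid
  grep -E '^shadow:[^:]*:[^:]*:[^:]+' "$group_file"
  shadow_gid=$(awk -F: '$1 == "shadow" { print $3 }' "$group_file")
  if [ -n "$shadow_gid" ]; then
    awk -F: -v g="$shadow_gid" '($4 == g) { print }' "$passwd_file"
  fi
}
check_shadow_group

echo -----------------------------------------------------------------------
echo Hardening Completed
echo -----------------------------------------------------------------------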



