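#!/usr/bin/env bash
# CIS RHEL/CentOS 7 hardening script.
#
# Section 1 - Filesystem configuration:
#   * blacklist uncommon filesystem kernel modules via /etc/modprobe.d/CIS.conf
#   * warn when /tmp, /var, /var/tmp, /var/log, /var/log/audit, /home and
#     /dev/shm are not separate mounts or lack nodev/nosuid/noexec
#
# The script must run as root on a Red Hat family host. This section only
# edits modprobe configuration and prints advice; it never changes fstab or
# partitions.
set -u

# Print a warning on stderr (all advice from this script goes to stderr so it
# can be told apart from command output).
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host (the script relies on yum, rpm, systemd units and /boot/grub2).
# SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Append LINE to FILE unless an identical line is already present, so the
# script can be re-run without piling up duplicate entries.
cis_ensure_line() {
  local file=$1 line=$2
  [[ -e "$file" ]] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Where module blacklist lines go. Any *.conf file in /etc/modprobe.d is
# honoured by modprobe; overridable so the helpers can be tested.
CIS_MODPROBE_CONF=${CIS_MODPROBE_CONF:-/etc/modprobe.d/CIS.conf}

# Prevent kernel module MOD from being loaded: "install MOD /bin/true" makes
# modprobe run /bin/true instead of inserting the module. This only stops
# future loads - a module that is already loaded stays loaded until it is
# removed (rmmod) or the host reboots; verify with `lsmod | grep MOD`.
cis_disable_module() {
  cis_ensure_line "$CIS_MODPROBE_CONF" "install $1 /bin/true"
}

# Warn unless MOUNTPOINT is a separate mount carrying every listed OPTION.
# Usage: cis_check_mount /tmp nodev nosuid noexec
# Returns 1 when MOUNTPOINT is not a mount point at all.
cis_check_mount() {
  local mp=$1 opts opt
  shift
  # findmnt matches the exact mount target; the old `mount | grep` test could
  # also match other lines (e.g. a device or option containing the name).
  if ! opts=$(findmnt -n -o OPTIONS "$mp" 2>/dev/null) || [[ -z "$opts" ]]; then
    cis_warn "$mp is not a separate mount point. Please create one."
    return 1
  fi
  for opt in "$@"; do
    [[ ",$opts," == *",$opt,"* ]] \
      || cis_warn "mount option $opt is not set on $mp. Please add it."
  done
}

# Apply the filesystem hardening: disable unneeded filesystem modules and
# report mount points that still need manual work.
harden_filesystem() {
  local mod
  for mod in cramfs freevxfs jffs2 hfs hfsplus squashfs udf; do
    cis_disable_module "$mod"
  done
  # The EFI system partition is a vfat filesystem; blacklisting vfat on a
  # UEFI host would break bootloader updates, so only disable it when no
  # vfat filesystem is currently mounted.
  if findmnt -n -t vfat >/dev/null 2>&1; then
    cis_warn "a vfat filesystem is mounted (EFI system partition?); leaving the vfat module enabled."
  else
    cis_disable_module vfat
  fi

  cis_check_mount /tmp nodev nosuid noexec
  cis_check_mount /var
  cis_check_mount /var/tmp nodev nosuid noexec
  cis_check_mount /var/log
  cis_check_mount /var/log/audit
  cis_check_mount /home nodev
  cis_check_mount /dev/shm nodev nosuid noexec
}

cis_can_apply "filesystem section" && harden_filesystem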
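# Section 2 - autofs, package signing, Red Hat registration, AIDE, bootloader
# permissions, single-user mode and core dumps.

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Append LINE to FILE unless an identical line is already present.
cis_ensure_line() {
  local file=$1 line=$2
  [[ -e "$file" ]] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Set KEY to VALUE in a "key = value" style FILE (sysctl.conf, auditd.conf,
# yum.conf, login.defs ...). An existing assignment - or one commented out as
# "#KEY..." - is replaced in place; otherwise the assignment is appended.
# SEP is the text written between key and value (default " = ").
# The match is anchored to the key, so e.g. space_left_action never touches
# admin_space_left_action.
cis_set_kv() {
  local file=$1 key=$2 value=$3
  local sep="${4- = }"
  local line="${key}${sep}${value}"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^[[:space:]]*#?${key}[[:space:]]*[=[:space:]]" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?${key}[[:space:]]*[=[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Persist a kernel parameter in /etc/sysctl.conf (what `sysctl -p` reads) and
# apply it to the running kernel.
cis_set_sysctl() {
  local key=$1 value=$2
  cis_set_kv "${CIS_SYSCTL_CONF:-/etc/sysctl.conf}" "$key" "$value"
  sysctl -w "${key}=${value}" >/dev/null 2>&1 \
    || cis_warn "could not set ${key}=${value} on the running kernel."
}

# Add ENTRY to USER's crontab unless it is already there. No temporary file is
# used: the original wrote through a fixed name in the world-writable /tmp,
# which is the classic symlink-race pattern for a root-run script.
cis_ensure_crontab() {
  local user=$1 entry=$2
  crontab -u "$user" -l 2>/dev/null | grep -qxF -- "$entry" && return 0
  { crontab -u "$user" -l 2>/dev/null; printf '%s\n' "$entry"; } | crontab -u "$user" -
}

# Apply section 2.
harden_base_services() {
  # autofs auto-mounts removable media; stop and disable it if present.
  systemctl stop autofs >/dev/null 2>&1
  systemctl disable autofs >/dev/null 2>&1

  # Package integrity: gpgcheck must be on globally and in every repo file,
  # and at least one GPG public key must be imported or signatures cannot
  # be verified at all.
  cis_set_kv /etc/yum.conf gpgcheck 1 '='
  local bad
  bad=$(grep -lsE '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' /etc/yum.repos.d/*.repo 2>/dev/null)
  [[ -z "$bad" ]] || cis_warn "gpgcheck=0 found in: $bad - fix before installing packages."
  rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' \
    || cis_warn "no GPG public keys are imported or they are misconfigured. Please check."

  # Register with Red Hat and auto-attach a subscription. Credentials come
  # from the environment (RHSM_USERNAME / RHSM_PASSWORD) rather than this
  # file: an earlier revision of this line carried the account password
  # inline, so that password should be treated as disclosed and rotated.
  # Note --password is still visible in `ps` while the command runs; an
  # activation key (--activationkey/--org) avoids passing a password at all.
  if subscription-manager identity >/dev/null 2>&1; then
    : # already registered
  elif [[ -n "${RHSM_USERNAME:-}" && -n "${RHSM_PASSWORD:-}" ]]; then
    subscription-manager register --username "$RHSM_USERNAME" \
      --password "$RHSM_PASSWORD" --auto-attach \
      || cis_warn "subscription-manager registration failed."
  else
    cis_warn "RHSM_USERNAME/RHSM_PASSWORD not set; skipping Red Hat registration."
  fi

  # The legacy RHN daemon is not used with subscription-manager.
  systemctl disable rhnsd >/dev/null 2>&1 || chkconfig rhnsd off >/dev/null 2>&1

  # File integrity: install AIDE, build the baseline database once and check
  # it daily at 05:00. The baseline is not rebuilt on re-runs, otherwise every
  # run would silently replace the reference the checks are measured against.
  rpm -q aide >/dev/null 2>&1 || yum install -y -q aide
  if [[ ! -e /var/lib/aide/aide.db.gz ]]; then
    aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  fi
  cis_ensure_crontab root '0 5 * * * /usr/sbin/aide --check'

  # Bootloader: grub.cfg may embed the boot password hash; root-only.
  chown root:root /boot/grub2/grub.cfg && chmod og-rwx /boot/grub2/grub.cfg
  # grub2-setpassword stores its hash in /boot/grub2/user.cfg; warn if unset.
  grep -qs '^GRUB2_PASSWORD=' /boot/grub2/user.cfg \
    || cis_warn "no bootloader password found in /boot/grub2/user.cfg (grub2-setpassword)."

  # Single-user / rescue mode must ask for the root password via sulogin.
  # The original only grepped for /sbin/su, which also matches sulogin and
  # printed nothing useful; report the units that lack sulogin instead.
  local unit
  for unit in rescue emergency; do
    grep -q sulogin "/usr/lib/systemd/system/${unit}.service" 2>/dev/null \
      || cis_warn "${unit}.service does not run sulogin; single-user mode is unauthenticated."
  done

  # Restrict core dumps: no core files for any user (hard limit) and no dumps
  # of setuid programs, which could expose privileged memory contents.
  cis_ensure_line /etc/security/limits.d/99-cis.conf '* hard core 0'
  cis_set_sysctl fs.suid_dumpable 0
}

cis_can_apply "services/integrity section" && harden_base_services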
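# Section 3 - Process hardening (NX, ASLR, prelink), SELinux and login banners.

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Set KEY to VALUE in a "key = value" style FILE: replace the existing
# (or "#KEY" commented) assignment in place, else append. SEP defaults to
# " = ". Commented lines with text between '#' and the key are left alone.
cis_set_kv() {
  local file=$1 key=$2 value=$3
  local sep="${4- = }"
  local line="${key}${sep}${value}"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^[[:space:]]*#?${key}[[:space:]]*[=[:space:]]" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?${key}[[:space:]]*[=[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Persist a kernel parameter in /etc/sysctl.conf and apply it live.
cis_set_sysctl() {
  local key=$1 value=$2
  cis_set_kv "${CIS_SYSCTL_CONF:-/etc/sysctl.conf}" "$key" "$value"
  sysctl -w "${key}=${value}" >/dev/null 2>&1 \
    || cis_warn "could not set ${key}=${value} on the running kernel."
}

# Banner shown before local (/etc/issue) and remote (/etc/issue.net) logins.
# It deliberately names no OS, version or kernel.
CIS_BANNER='This system, its hardware, software and data is owned by Adecco and only authorized users are allowed to gain access to it. Your usage of Adecco technology may be monitored, logged and subject to investigation according to applicable laws. By continuing beyond this point and logging in, you agree to abide by the above conditions and the Adecco Group Policies and Standards. Unauthorized use of Adecco technology or breach of Adecco Group Policies and Standards is prohibited and may be subject to disciplinary action, which may include criminal and/or civil penalties.'

# Write the banner text to FILE (content only; ownership/mode are set by the
# caller).
cis_write_banner() {
  printf '%s\n' "$CIS_BANNER" > "$1"
}

# Apply section 3.
harden_process_and_selinux() {
  # NX/XD is reported by the kernel at boot. On a long-running host the ring
  # buffer may have wrapped, in which case this warning is a false positive.
  dmesg 2>/dev/null | grep -q 'NX (Execute Disable) protection: active' \
    || cis_warn "NX (Execute Disable) protection not reported active in dmesg; please verify."

  # Full ASLR (stack, mmap, VDSO and brk).
  cis_set_sysctl kernel.randomize_va_space 2

  # prelink defeats ASLR and changes binaries under AIDE's feet. Undo the
  # prelinking (-ua) before removing the package. The original test was
  # inverted: it ran `yum remove` only when prelink was NOT installed.
  if rpm -q prelink >/dev/null 2>&1; then
    prelink -ua >/dev/null 2>&1
    yum remove -y -q prelink >/dev/null 2>&1
  fi

  # SELinux must not be disabled or made permissive from the kernel command
  # line. The original `grep -v -q` only warned when EVERY linux entry had
  # selinux=0; warn when ANY entry carries selinux=0 or enforcing=0.
  if grep -E '^[[:space:]]*linux' /boot/grub2/grub.cfg 2>/dev/null \
       | grep -qE 'selinux=0|enforcing=0'; then
    cis_warn "grub.cfg disables SELinux (selinux=0/enforcing=0); remove it from GRUB_CMDLINE_LINUX in /etc/default/grub and run grub2-mkconfig."
  fi

  rpm -q libselinux >/dev/null 2>&1 || yum install -y -q libselinux
  cis_set_kv /etc/selinux/config SELINUX enforcing '='
  cis_set_kv /etc/selinux/config SELINUXTYPE targeted '='
  # setenforce only works when SELinux was enabled at boot; if it was
  # disabled, enforcing mode applies after a reboot (with a relabel).
  setenforce 1 2>/dev/null \
    || cis_warn "setenforce 1 failed; enforcing mode applies after a reboot (touch /.autorelabel first)."

  # setroubleshoot and mcstrans are desktop conveniences; remove if present.
  rpm -q setroubleshoot >/dev/null 2>&1 && yum remove -y -q setroubleshoot
  rpm -q mcstrans >/dev/null 2>&1 && yum remove -y -q mcstrans

  # Warning banners for local and remote logins, plus ownership/mode of the
  # post-login message file.
  local f
  for f in /etc/issue /etc/issue.net; do
    cis_write_banner "$f"
  done
  for f in /etc/motd /etc/issue /etc/issue.net; do
    [[ -e "$f" ]] || : > "$f"
    chown root:root "$f" && chmod 644 "$f"
  done
}

cis_can_apply "process/SELinux/banner section" && harden_process_and_selinux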
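# Section 4 - Time sync, Avahi, network kernel parameters, uncommon network
# protocols, TCP wrappers files, and the audit log size.

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Append LINE to FILE unless an identical line is already present.
cis_ensure_line() {
  local file=$1 line=$2
  [[ -e "$file" ]] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Set KEY to VALUE in a "key = value" style FILE: replace the existing
# (or "#KEY" commented) assignment in place, else append. SEP defaults to
# " = ".
cis_set_kv() {
  local file=$1 key=$2 value=$3
  local sep="${4- = }"
  local line="${key}${sep}${value}"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^[[:space:]]*#?${key}[[:space:]]*[=[:space:]]" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?${key}[[:space:]]*[=[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Persist a kernel parameter in /etc/sysctl.conf (what `sysctl -p` reads) and
# apply it live. The original appended a fresh line on every run, so the file
# grew duplicates; this replaces in place.
cis_set_sysctl() {
  local key=$1 value=$2
  cis_set_kv "${CIS_SYSCTL_CONF:-/etc/sysctl.conf}" "$key" "$value"
  sysctl -w "${key}=${value}" >/dev/null 2>&1 \
    || cis_warn "could not set ${key}=${value} on the running kernel."
}

# Module blacklist file; any *.conf under /etc/modprobe.d is honoured.
CIS_MODPROBE_CONF=${CIS_MODPROBE_CONF:-/etc/modprobe.d/CIS.conf}

# Prevent kernel module MOD from being loaded in future (already-loaded
# modules stay until rmmod/reboot; check with lsmod).
cis_disable_module() {
  cis_ensure_line "$CIS_MODPROBE_CONF" "install $1 /bin/true"
}

# Apply section 4.
harden_network() {
  # Time synchronisation. Default restrictions stop peers from modifying or
  # querying the local daemon; the server list itself is site-specific and is
  # only printed for the operator to check.
  rpm -q ntp >/dev/null 2>&1 || yum install -y -q ntp
  cis_ensure_line /etc/ntp.conf 'restrict -4 default kod nomodify notrap nopeer noquery'
  cis_ensure_line /etc/ntp.conf 'restrict -6 default kod nomodify notrap nopeer noquery'
  if grep '^server' /etc/ntp.conf 2>/dev/null; then
    cis_warn "please check that the time servers listed above are among npintde000123, npintde000124, npintnl000119 or npintnl000120."
  else
    cis_warn "no 'server' line found in /etc/ntp.conf; please configure ntp manually."
  fi
  # RHEL 7 ships chronyd by default; running both daemons makes them fight.
  systemctl is-active chronyd >/dev/null 2>&1 \
    && cis_warn "chronyd is active; run either chronyd or ntpd, not both."

  # Avahi (mDNS) has no place on a server.
  rpm -q avahi >/dev/null 2>&1 && yum remove -y -q avahi

  # Network kernel parameters, persisted and applied live. The original
  # listed ip_forward twice and misspelled tcp_syncookies (t_syncookies),
  # so SYN cookies were never actually enabled. Routes are flushed once at
  # the end so redirect/source-route changes apply to existing entries.
  local kv
  for kv in \
    net.ipv4.ip_forward=0 \
    net.ipv4.conf.all.send_redirects=0 \
    net.ipv4.conf.default.send_redirects=0 \
    net.ipv4.conf.all.accept_source_route=0 \
    net.ipv4.conf.default.accept_source_route=0 \
    net.ipv4.conf.all.accept_redirects=0 \
    net.ipv4.conf.default.accept_redirects=0 \
    net.ipv4.conf.all.secure_redirects=0 \
    net.ipv4.conf.default.secure_redirects=0 \
    net.ipv4.conf.all.log_martians=1 \
    net.ipv4.conf.default.log_martians=1 \
    net.ipv4.icmp_echo_ignore_broadcasts=1 \
    net.ipv4.icmp_ignore_bogus_error_responses=1 \
    net.ipv4.conf.all.rp_filter=1 \
    net.ipv4.conf.default.rp_filter=1 \
    net.ipv4.tcp_syncookies=1 \
    net.ipv6.conf.all.accept_ra=0 \
    net.ipv6.conf.default.accept_ra=0 \
    net.ipv6.conf.all.accept_redirects=0 \
    net.ipv6.conf.default.accept_redirects=0
  do
    cis_set_sysctl "${kv%%=*}" "${kv#*=}"
  done
  sysctl -w net.ipv4.route.flush=1 >/dev/null 2>&1
  sysctl -w net.ipv6.route.flush=1 >/dev/null 2>&1

  # Disable IPv6 via modprobe, as the original did (CIS also accepts
  # ipv6.disable=1 on the kernel command line). Either way it needs a reboot
  # and breaks anything bound to an IPv6 address, so confirm the site does
  # not use IPv6 before relying on this.
  cis_ensure_line "$CIS_MODPROBE_CONF" 'options ipv6 disable=1'

  # TCP Wrappers: the package install stays opt-in as in the original, but
  # the access files must exist and be root-owned 644. A default deny only
  # makes sense once the permitted hosts are in /etc/hosts.allow - sshd on
  # RHEL 7 honours these files, so an empty allow list locks you out.
  # yum install -y tcp_wrappers
  local f
  for f in /etc/hosts.allow /etc/hosts.deny; do
    [[ -e "$f" ]] || : > "$f"
    chown root:root "$f" && chmod 644 "$f"
  done
  grep -qE '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' /etc/hosts.deny \
    || cis_warn "/etc/hosts.deny has no 'ALL: ALL' default deny; add one after listing permitted hosts in /etc/hosts.allow."

  # Uncommon network protocols that are rarely needed and enlarge the
  # attack surface.
  local mod
  for mod in dccp sctp rds tipc; do
    cis_disable_module "$mod"
  done

  # Audit log rotation size in MB (the rest of auditd.conf is handled in the
  # logging section).
  cis_set_kv /etc/audit/auditd.conf max_log_file 24
}

cis_can_apply "network section" && harden_network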
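# Section 5 - auditd configuration and rules, rsyslog, cron, and the first
# sshd_config settings (ownership, Protocol, LogLevel).

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Set KEY to VALUE in a "key = value" style FILE: replace the existing
# (or "#KEY" commented) assignment in place, else append. SEP defaults to
# " = ". The match is anchored on the key, so space_left_action no longer
# clobbers admin_space_left_action as the original unanchored sed did.
cis_set_kv() {
  local file=$1 key=$2 value=$3
  local sep="${4- = }"
  local line="${key}${sep}${value}"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^[[:space:]]*#?${key}[[:space:]]*[=[:space:]]" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?${key}[[:space:]]*[=[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Insert LINE at the top of FILE unless it is already present. Used for
# global rsyslog directives, which only affect the rules that follow them -
# appended at the end (as the original did) $FileCreateMode affected nothing.
cis_ensure_line_first() {
  local file=$1 line=$2
  [[ -e "$file" ]] || : > "$file"
  grep -qxF -- "$line" "$file" && return 0
  if [[ -s "$file" ]]; then
    sed -i "1i ${line}" -- "$file"
  else
    printf '%s\n' "$line" > "$file"
  fi
}

# Set sshd OPTION to VALUE in FILE (default /etc/ssh/sshd_config). An
# existing "OPTION ..." or "#OPTION ..." line at column 0 is replaced;
# otherwise the directive is appended. sshd uses the first occurrence of an
# option, and a directive appended after a Match block would only apply
# inside that block, so a warning is printed when Match blocks exist.
cis_set_sshd() {
  local opt=$1 val=$2 file=${3:-/etc/ssh/sshd_config}
  local line="$opt $val"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^#?${opt}[[:space:]]" -- "$file"; then
    sed -i -E "s|^#?${opt}[[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
    grep -qE '^[[:space:]]*Match[[:space:]]' -- "$file" \
      && cis_warn "$file has Match blocks; move '$line' above the first Match so it applies globally."
  fi
}

# Where the CIS audit rules are written. On RHEL 7 auditd regenerates
# /etc/audit/audit.rules from /etc/audit/rules.d/*.rules (augenrules) - the
# header the original script itself wrote says so - so rules written straight
# into audit.rules are lost on the next service restart.
CIS_AUDIT_RULES=${CIS_AUDIT_RULES:-/etc/audit/rules.d/cis.rules}

# Write the CIS audit rule set to $CIS_AUDIT_RULES.
# Compared with the original: the garbled "auid! =4294967295" filter and the
# truncated /etc/passwd, /etc/security/opasswd and "-k logins" entries are
# restored, and /etc/sudoers.d/ is watched alongside /etc/sudoers.
cis_write_audit_rules() {
  cat > "$CIS_AUDIT_RULES" <<'EOF'
## CIS audit rules - generated by the CIS hardening script.
## -D is intentionally absent: the distro's rules.d/audit.rules already
## flushes, and a -D here would discard every rule loaded before this file.
-b 8192
-f 1
## time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
## MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy
## logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
## session
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
## perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
## delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
## scope / actions
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
## modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
## Make the rule set immutable; changing it afterwards requires a reboot.
-e 2
EOF
}

# Apply section 5.
harden_logging_and_cron() {
  # auditd: mail root when space runs low, halt when the admin threshold is
  # hit (the host stops rather than run unaudited), never rotate logs away.
  cis_set_kv /etc/audit/auditd.conf space_left_action email
  cis_set_kv /etc/audit/auditd.conf action_mail_acct root
  cis_set_kv /etc/audit/auditd.conf admin_space_left_action halt
  cis_set_kv /etc/audit/auditd.conf max_log_file_action keep_logs
  systemctl enable auditd >/dev/null 2>&1
  # auditd typically refuses systemctl stop/restart (RefuseManualStop), so
  # the legacy service wrapper is used as in the original.
  service auditd reload >/dev/null 2>&1 \
    || cis_warn "auditd reload failed; check 'service auditd status'."

  mkdir -p "$(dirname "$CIS_AUDIT_RULES")"
  cis_write_audit_rules
  chmod 0640 "$CIS_AUDIT_RULES"
  # Once -e 2 has been loaded the kernel rule set is immutable until reboot,
  # so on a re-run the load fails; that is expected, not an error.
  augenrules --load >/dev/null 2>&1 \
    || cis_warn "audit rules written to $CIS_AUDIT_RULES but not loaded (immutable mode?); they apply after a reboot."

  # rsyslog: enabled, running, and creating new log files mode 0640.
  systemctl enable rsyslog >/dev/null 2>&1
  if [[ "$(systemctl is-active rsyslog 2>/dev/null)" != active ]]; then
    cis_warn "rsyslog should be in active state. Starting rsyslog."
    systemctl start rsyslog
  fi
  cis_ensure_line_first /etc/rsyslog.conf '$FileCreateMode 0640'
  systemctl try-restart rsyslog >/dev/null 2>&1

  # cron: enabled, and its configuration readable only by root.
  systemctl enable crond >/dev/null 2>&1
  local f
  for f in /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
           /etc/cron.monthly /etc/cron.d; do
    [[ -e "$f" ]] && chown root:root "$f" && chmod og-rwx "$f"
  done
  # Switch cron/at from deny-lists to allow-lists. An empty allow file means
  # only root may use crontab/at; add users who need it explicitly.
  rm -f /etc/cron.deny /etc/at.deny
  for f in /etc/cron.allow /etc/at.allow; do
    touch "$f" && chown root:root "$f" && chmod og-rwx "$f"
  done

  # sshd configuration file: root-only, protocol 2, informative logging.
  # (The remaining sshd settings and the reload follow in the next section.)
  chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config
  cis_set_sshd Protocol 2
  cis_set_sshd LogLevel INFO
}

cis_can_apply "logging/cron section" && harden_logging_and_cron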
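# Section 6 - sshd hardening and the PAM stacks (lockout, password quality).

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Set sshd OPTION to VALUE in FILE (default /etc/ssh/sshd_config). An
# existing "OPTION ..." or "#OPTION ..." line at column 0 is replaced;
# otherwise the directive is appended. sshd uses the first occurrence of an
# option, and a directive appended after a Match block would only apply
# inside that block, so a warning is printed when Match blocks exist.
# (The original's unanchored `sed /Name/c` rewrote any line mentioning the
# name, comments included, and appended Ciphers/MACs on every run.)
cis_set_sshd() {
  local opt=$1 val=$2 file=${3:-/etc/ssh/sshd_config}
  local line="$opt $val"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^#?${opt}[[:space:]]" -- "$file"; then
    sed -i -E "s|^#?${opt}[[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
    grep -qE '^[[:space:]]*Match[[:space:]]' -- "$file" \
      && cis_warn "$file has Match blocks; move '$line' above the first Match so it applies globally."
  fi
}

# Apply the CIS sshd settings and reload sshd if the result validates.
harden_sshd() {
  local cfg=/etc/ssh/sshd_config
  cis_set_sshd X11Forwarding no
  cis_set_sshd MaxAuthTries 4
  cis_set_sshd IgnoreRhosts yes
  cis_set_sshd HostbasedAuthentication no
  # Make sure a non-root admin account with sudo exists BEFORE this is
  # applied, or the next line removes the only remote way in.
  cis_set_sshd PermitRootLogin no
  cis_set_sshd PermitEmptyPasswords no
  cis_set_sshd PermitUserEnvironment no
  cis_set_sshd Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  # The original MAC list contained hmac-sha1 and hmac-ripemd160, which are
  # precisely the MACs the benchmark wants removed; use the SHA-2/UMAC-128
  # set (ETM variants first).
  cis_set_sshd MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  cis_set_sshd ClientAliveInterval 300
  cis_set_sshd ClientAliveCountMax 0
  cis_set_sshd LoginGraceTime 60
  cis_set_sshd Banner /etc/issue.net
  # Validate before reloading. The original never reloaded sshd, so its
  # settings only took effect at the next restart - and a typo would have
  # surfaced then, with no warning, as an sshd that fails to start.
  if sshd -t -f "$cfg" 2>/dev/null; then
    systemctl reload sshd >/dev/null 2>&1 \
      || cis_warn "sshd reload failed; the new settings apply on the next restart."
  else
    cis_warn "$cfg failed validation (sshd -t); sshd was NOT reloaded. Fix the file before restarting sshd."
  fi
}

# Write the CIS PAM stack to FILE (used for both system-auth and
# password-auth). A one-time copy FILE.cis-orig is kept for rollback.
# Changes versus the stack in the original script:
#   * `nullok` is dropped from pam_unix so accounts with an empty password
#     cannot authenticate;
#   * pam_tally2 gets unlock_time=900 so a lockout clears by itself instead
#     of needing `pam_tally2 --reset` for every locked user;
#   * `remember=5` on the password line prevents reuse of recent passwords.
# Kept from the original: pam_fprintd, per_user/no_magic_root (no_magic_root
# is a pam_tally v1 option - check /var/log/secure for "unknown option"
# warnings from pam_tally2), and pwquality minlen=8. CIS 5.3.1 asks for
# minlen=14 and ocredit=-1 in /etc/security/pwquality.conf; site decision.
# NOTE: running `authconfig` regenerates these files and discards this.
cis_write_pam_stack() {
  local file=$1
  [[ -e "$file" && ! -e "$file.cis-orig" ]] && cp -p -- "$file" "$file.cis-orig"
  cat > "$file" <<'EOF'
#%PAM-1.0
# This file is managed by the CIS hardening script.
# Changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so per_user onerr=fail deny=5 unlock_time=900 no_magic_root audit
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so reset no_magic_root
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
}

# Install the PAM stack for both local and remote (password) logins.
harden_pam() {
  local f
  for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    cis_write_pam_stack "$f"
    chown root:root "$f" && chmod 644 "$f"
  done
}

if cis_can_apply "sshd/PAM section"; then
  harden_sshd
  harden_pam
fi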
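# Section 7 - Password ageing and permissions on the account databases.

# Print a warning on stderr.
cis_warn() {
  printf 'CIS: %s\n' "$*" >&2
}

# Return 0 when the hardening can be applied here: root on a Red Hat family
# host. SECTION is only used in the skip message.
cis_can_apply() {
  local section=$1
  if (( EUID != 0 )); then
    cis_warn "$section skipped: this script must run as root."
  elif [[ ! -r /etc/redhat-release ]]; then
    cis_warn "$section skipped: no /etc/redhat-release; this script targets RHEL/CentOS 7."
  else
    return 0
  fi
  return 1
}

# Set KEY to VALUE in a "key = value" style FILE: replace the existing
# (or "#KEY" commented) assignment in place, else append. SEP defaults to
# " = "; login.defs uses a tab. Commented lines with text between '#' and
# the key (login.defs' own documentation lines) are left alone.
cis_set_kv() {
  local file=$1 key=$2 value=$3
  local sep="${4- = }"
  local line="${key}${sep}${value}"
  [[ -e "$file" ]] || : > "$file"
  if grep -qE "^[[:space:]]*#?${key}[[:space:]]*[=[:space:]]" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?${key}[[:space:]]*[=[:space:]].*|${line}|" -- "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Apply section 7.
harden_accounts() {
  # Ageing policy for accounts created from now on: 90 days max, 7 days min,
  # 7 days warning, and 30 days of inactivity before a new account is locked.
  cis_set_kv /etc/login.defs PASS_MAX_DAYS 90 $'\t'
  cis_set_kv /etc/login.defs PASS_MIN_DAYS 7 $'\t'
  cis_set_kv /etc/login.defs PASS_WARN_AGE 7 $'\t'
  useradd -D -f 30

  # login.defs only affects accounts created later; apply the same policy to
  # every existing account that has a password hash (fields starting with
  # '$'). Users whose password is already older than 90 days will be forced
  # to change it at their next login.
  local user hash
  while IFS=: read -r user hash _; do
    [[ "$hash" == \$* ]] || continue
    chage --maxdays 90 --mindays 7 --warndays 7 --inactive 30 "$user" \
      || cis_warn "chage failed for $user."
  done < /etc/shadow

  # Account databases. /etc/passwd and /etc/group are public by design, but
  # /etc/shadow and /etc/gshadow hold the password hashes and must not be
  # readable by anyone (root bypasses DAC). The original chmod 644 on both
  # shadow files handed every hash to any local user for offline cracking.
  chown root:root /etc/passwd && chmod 644 /etc/passwd
  chown root:root /etc/group && chmod 644 /etc/group
  chown root:root /etc/shadow && chmod 0000 /etc/shadow
  chown root:root /etc/gshadow && chmod 0000 /etc/gshadow
}

cis_can_apply "account policy section" && harden_accounts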