#!/bin/bash
# CIS Ubuntu 16.04 remediation kit.
# Usage: CIS-Ubuntu-16.04-Remediation-Kit.sh ["Level 1"|"Level 2"]
# $1 selects the benchmark profile; an omitted or empty argument means "Level 1".
# The remediation steps rewrite files under /etc and change package, service,
# firewall and kernel settings, so the script has to run as root.
PROFILE="${1:-Level 1}"
if [ "$PROFILE" = "Level 1" ] || [ "$PROFILE" = "Level 2" ]; then
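echo "**** Executing Level 1 profile remediation"
# Restrict loading of uncommon filesystem and network protocol modules CIS-1.1.1.1 to CIS-1.1.1.8
# Mapping a module to /bin/true in modprobe.d stops it from being loaded in
# future; a module that is already loaded stays loaded until it is removed or
# the system reboots. The file is overwritten (>) so reruns are idempotent.
# The banner now lists the modules that are actually written below (the old
# text said "swuashfs"/"tipx" and omitted cramfs).
echo
echo "**** Disabling loading of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, vfat, dccp, sctp, rds and tipc modules"
echo "install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true" > /etc/modprobe.d/CIS.conf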
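#######################################
# Append a mount option to an existing /etc/fstab entry, once.
# Arguments: $1 - mount point (e.g. /tmp), $2 - option (e.g. nodev)
# Does nothing when the mount point has no six-field fstab entry or when the
# option is already in its options field, so repeated runs leave the file
# unchanged. The original sed wrote "\2nodev" without a comma, turning
# "defaults" into the invalid option "defaultsnodev" and appending the option
# again on every run.
#######################################
add_fstab_option() {
  local mnt=$1 opt=$2
  # Entry must exist with all six fields: device mnt type opts dump pass.
  egrep -q "^(\s*\S+\s+)${mnt}(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab || return 0
  # Option already present in the comma-separated options field -> nothing to do.
  egrep -q "^\s*\S+\s+${mnt}\s+\S+\s+(\S*,)?${opt}(,\S*)?\s" /etc/fstab && return 0
  # '|' is used as the sed delimiter because the mount point contains '/'.
  sed -ri "s|^(\s*\S+\s+)${mnt}(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$|\1${mnt}\2,${opt}\3\4|" /etc/fstab
}
# Create Separate Partition for /tmp CIS-1.1.2 (reported only; repartitioning
# is not automated)
echo
echo "**** Create Separate Partition for /tmp"
echo "Create Separate Partition for /tmp not configured."
# Set nodev option for /tmp Partition CIS-1.1.3
echo
echo "**** Set nodev option for /tmp Partition"
add_fstab_option /tmp nodev
# Set nosuid option for /tmp Partition CIS-1.1.4
echo
echo "**** Set nosuid option for /tmp Partition"
add_fstab_option /tmp nosuid
# Set noexec option for /tmp Partition -- kept disabled, as in the original kit.
# echo
# echo "**** Set noexec option for /tmp Partition"
# add_fstab_option /tmp noexec
# Create Separate Partition for /var CIS-1.1.5
echo
echo "**** Create Separate Partition for /var"
echo "Create Separate Partition for /var not configured."
# Bind Mount the /var/tmp directory to /tmp CIS-1.1.6
echo
echo "**** Bind Mount the /var/tmp directory to /tmp"
echo "Bind Mount the /var/tmp directory to /tmp not configured."
# Set nodev option for /var/tmp Partition CIS-1.1.7
echo
echo "**** Set nodev option for /var/tmp Partition"
add_fstab_option /var/tmp nodev
# Set nosuid option for /var/tmp Partition CIS-1.1.8
echo
echo "**** Set nosuid option for /var/tmp Partition"
add_fstab_option /var/tmp nosuid
# Set noexec option for /var/tmp Partition CIS-1.1.9
echo
echo "**** Set noexec option for /var/tmp Partition"
add_fstab_option /var/tmp noexec
# Create Separate Partition for /var/log CIS-1.1.10
echo
echo "**** Create Separate Partition for /var/log"
echo "Create Separate Partition for /var/log not configured."
# Create Separate Partition for /var/log/audit CIS-1.1.11
echo
echo "**** Create Separate Partition for /var/log/audit"
echo "Create Separate Partition for /var/log/audit not configured."
# Create Separate Partition for /home CIS-1.1.12
echo
echo "**** Create Separate Partition for /home"
echo "Create Separate Partition for /home not configured."
# Add nodev Option to /home CIS-1.1.13
echo
echo "**** Add nodev Option to /home"
add_fstab_option /home nodev
# Add nodev Option to /dev/shm Partition CIS-1.1.14
echo
echo "**** Add nodev Option to /dev/shm Partition"
add_fstab_option /dev/shm nodev
# Add nosuid Option to /dev/shm Partition CIS-1.1.15
echo
echo "**** Add nosuid Option to /dev/shm Partition"
add_fstab_option /dev/shm nosuid
# Add noexec Option to /dev/shm Partition CIS-1.1.16
echo
echo "**** Add noexec Option to /dev/shm Partition"
add_fstab_option /dev/shm noexec
# Add a /dev/shm entry only when fstab has none. The original appended this
# line unconditionally, so every run produced another duplicate entry.
egrep -q "^\s*\S+\s+/dev/shm\s" /etc/fstab || echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab
# Apply the new /dev/shm options immediately; the other mount points take
# effect on their next (re)mount.
mount -o remount /dev/shm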
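# Set Sticky Bit on All World-Writable Directories CIS-1.1.20
echo
echo "**** Set Sticky Bit on All World-Writable Directories"
# Mount points come from df (header row skipped). find stays on each
# filesystem (-xdev) and selects directories that are world-writable
# (-perm -0002) but not sticky (! -perm -1000). Paths are NUL-delimited so
# names containing whitespace or newlines survive xargs, and -r skips chmod
# when nothing matched (otherwise chmod would run with no operands and fail).
df --local -P | awk 'NR != 1 { print $6 }' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null | xargs -0 -r chmod a+t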
# Disable Automounting CIS-1.1.21
echo
echo "**** Disable Automounting"
# Only call disable when the unit reports itself enabled; the SysV links are
# disabled unconditionally.
if systemctl is-enabled autofs; then
  systemctl disable autofs
fi
update-rc.d autofs disable
# Install AIDE CIS-1.3.1
echo
echo \*\*\*\* Installing\ AIDE
# Pre-seed postfix's debconf answers so the install below does not stop at an
# interactive prompt. NOTE(review): presumably postfix is pulled in by aide for
# report mail — confirm against the package dependencies.
echo "postfix postfix/mailname string $(hostname)" | debconf-set-selections
# debconf-set-selections <<< "postfix postfix/mailname string $(hostname)"
echo "postfix postfix/main_mailer_type string 'Local Only'" | debconf-set-selections
# debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local Only'"
# Install only when dpkg does not already know the package.
dpkg -s aide || apt-get -y install aide
# Implement Periodic Execution of File Integrity CIS-1.3.2
echo
echo \*\*\*\* Implement\ Periodic\ Execution\ of\ File\ Integrity
# Rewrite root's crontab as: the existing entries, plus the 05:00 aide check
# unless an identical entry already exists (keeps reruns idempotent; a
# hand-edited variant of the same job would not be recognised and the entry
# would be added alongside it).
# NOTE(review): aide --check needs an initialised database; confirm that an
# initialisation step exists elsewhere in the kit.
(crontab -u root -l; crontab -u root -l | egrep -q "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
# Set User/Group Owner on bootloader config CIS-1.4.1
echo
echo "**** Set User/Group Owner on bootloader config"
chown 0:0 /boot/grub/grub.cfg
# Set Permissions on bootloader config CIS-1.4.1
echo
echo "**** Set Permissions on bootloader config"
# Strip every group/other bit; the owner bits are left as they are.
chmod go-rwx /boot/grub/grub.cfg
# Set Boot Loader Password CIS-1.4.2 (reported only, no remediation performed)
echo
echo "**** Set Boot Loader Password"
echo "Set Boot Loader Password not configured."
# Require Authentication for Single-User Mode CIS-1.4.3 (reported only)
echo
echo "**** Require Authentication for Single-User Mode"
echo "Require Authentication for Single-User Mode not configured."
# Restrict Core Dumps CIS-1.5.1
echo
echo \*\*\*\* Restrict\ Core\ Dumps
# limits.conf: rewrite an existing "* hard core <n>" line to 0 (keeping any
# trailing comment), else append one. Note the "a && b || c" shape used here
# and below: if the sed fails after a successful match, the echo still runs
# and appends a second directive.
egrep -q "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf
# sysctl.conf: same rewrite-or-append for fs.suid_dumpable, then apply live.
egrep -q "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
sysctl -w fs.suid_dumpable=0
# Ubuntu's crash reporters are stopped and purged. NOTE(review): presumably
# because apport adjusts the core-dump sysctls when it starts — confirm.
systemctl stop apport
dpkg -s apport && apt-get purge -y apport
systemctl stop whoopsie
dpkg -s whoopsie && apt-get purge -y whoopsie
# Enable Randomized Virtual Memory Region Placement CIS-1.5.3
echo
echo \*\*\*\* Enable\ Randomized\ Virtual\ Memory\ Region\ Placement
# kernel.randomize_va_space = 2 is full ASLR (stack, mmap and brk).
egrep -q "^(\s*)kernel.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)kernel.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$/\1kernel.randomize_va_space = 2\2/" /etc/sysctl.conf || echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
sysctl -w kernel.randomize_va_space=2
# Disable Prelink CIS-1.5.4
echo
echo \*\*\*\* Disable\ Prelink
# prelink rewrites binaries on disk, which interferes with ASLR and with
# file-integrity checking (AIDE above).
dpkg -s prelink && apt-get -y purge prelink
# Ensure NIS is not installed CIS-2.2.17 and CIS-2.3.1
echo
echo "**** Ensure NIS is not installed"
# Disable the unit only if it is enabled, then purge the package if present.
if systemctl is-enabled nis; then
  systemctl disable nis
fi
if dpkg -s nis; then
  apt-get -y purge nis
fi
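#######################################
# Comment out a service line in /etc/inetd.conf.
# Arguments: $1 - service name as it appears at the start of the line
# /etc/inetd.conf is only present when an inetd is installed; skipping an
# absent file avoids a spurious sed error per call (the xinetd files below
# were already guarded this way, the inetd edits were not).
#######################################
cis_disable_inetd() {
  [ -f /etc/inetd.conf ] && sed -ri "s/^$1/#$1/" /etc/inetd.conf
}
#######################################
# Set "disable = yes" in an xinetd service file, if that file exists.
# Arguments: $1 - service name (file /etc/xinetd.d/$1)
#######################################
cis_disable_xinetd() {
  if [ -f "/etc/xinetd.d/$1" ]; then
    sed -ri "s/^(\s+)disable(\s+)=(\s+)no/\tdisable\t\t= yes/g" "/etc/xinetd.d/$1"
  fi
}
# Ensure rsh server is not enabled CIS-2.1.6
echo
echo "**** Ensure rsh server is not enabled"
for pkg in rsh-server rsh-redone-server; do
  dpkg -s "$pkg" && apt-get purge -y "$pkg"
done
# Ensure rsh client is not installed CIS-2.3.2
echo
echo "**** Ensure rsh client is not installed"
for pkg in rsh-client rsh-redone-client; do
  dpkg -s "$pkg" && apt-get -y remove "$pkg"
done
# Ensure talk server is not enabled CIS-2.1.7
echo
echo "**** Ensure talk server is not enabled"
cis_disable_inetd talk
cis_disable_inetd ntalk
dpkg -s talkd && apt-get purge -y talkd
# Ensure talk client is not installed CIS-2.3.3
echo
echo "**** Ensure talk client is not installed"
dpkg -s talk && apt-get -y remove talk
# Ensure telnet client is not installed CIS-2.3.4
echo
echo "**** Ensure telnet client is not installed"
dpkg -s telnet && apt-get purge -y telnet
# Ensure LDAP client is not installed CIS-2.3.5
echo
echo "**** Ensure LDAP client is not installed"
dpkg -s ldap-utils && apt-get purge -y ldap-utils
# Ensure telnet server is not enabled CIS-2.1.8
echo
echo "**** Ensure telnet server is not enabled"
cis_disable_inetd telnet
cis_disable_xinetd telnet
dpkg -s telnetd && apt-get purge -y telnetd
# Ensure tftp-server is not enabled CIS-2.1.9
echo
echo "**** Ensure tftp-server is not enabled"
cis_disable_inetd tftp
cis_disable_xinetd tftp
dpkg -s tftpd && apt-get purge -y tftpd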
# Ensure xinetd is not enabled CIS-2.1.10
echo
echo "**** Ensure xinetd is not enabled"
update-rc.d xinetd disable
systemctl disable xinetd
# Ensure the xinetd-managed "small services" are disabled:
# chargen CIS-2.1.1, daytime CIS-2.1.2, echo CIS-2.1.4, discard CIS-2.1.3,
# time CIS-2.1.5. Each service file, when present, gets "disable = yes".
for svc in chargen daytime echo discard time; do
  echo
  echo "**** Ensure $svc is not enabled"
  if [ -f "/etc/xinetd.d/$svc" ]; then
    sed -ri "s/^(\s+)disable(\s+)=(\s+)no/\tdisable\t\t= yes/g" "/etc/xinetd.d/$svc"
  fi
done
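# Ensure the X Window system is not installed CIS-2.2.2
echo
echo "**** Ensure the X Window system is not installed"
# Quote the pattern so apt-get always receives it literally as a package-name
# pattern; unquoted, the shell would expand it against matching files in the
# current directory first.
apt-get -y purge 'xserver-xorg-core*'
# Ensure Avahi Server is not enabled CIS-2.2.3
echo
echo "**** Ensure Avahi Server is not enabled"
dpkg -s avahi-daemon && apt-get purge -y avahi-daemon
systemctl disable avahi-daemon
# Ensure CUPS is not enabled CIS-2.2.4
echo
echo "**** Ensure CUPS is not enabled"
systemctl disable cups
dpkg -s cups && apt-get purge -y cups
# Ensure DHCP Server is not enabled CIS-2.2.5
echo
echo "**** Ensure DHCP Server is not enabled"
# disable only removes boot-time enablement; a running instance keeps running
# until it is stopped or the host reboots.
systemctl disable isc-dhcp-server
systemctl disable isc-dhcp-server6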
# Configure Network Time Protocol (NTP) CIS-2.2.1.2
echo
echo \*\*\*\* Configure\ Network\ Time\ Protocol\ \(NTP\)
dpkg -s ntp || apt-get -y install ntp
# "restrict [-4] default ..." : the replacement does not reuse the matched
# options group, so any existing restrictions on that line are replaced by the
# benchmark set (kod nomodify notrap nopeer noquery); the line is appended when
# absent.
egrep -q "^\s*restrict(\s+-4)?\s+default(\s+\S+)*(\s*#.*)?\s*$" /etc/ntp.conf && sed -ri "s/^(\s*)restrict(\s+-4)?\s+default(\s+[^[:space:]#]+)*(\s+#.*)?\s*$/\1restrict\2 default kod nomodify notrap nopeer noquery\4/" /etc/ntp.conf || echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
# Same treatment for the IPv6 "restrict -6 default" line.
egrep -q "^\s*restrict\s+-6\s+default(\s+\S+)*(\s*#.*)?\s*$" /etc/ntp.conf && sed -ri "s/^(\s*)restrict\s+-6\s+default(\s+[^[:space:]#]+)*(\s+#.*)?\s*$/\1restrict -6 default kod nomodify notrap nopeer noquery\3/" /etc/ntp.conf || echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
# Run ntpd as the unprivileged ntp user. Three steps: the egrep requires a
# non-empty OPTIONS="..." assignment; the first sed appends " -u ntp:ntp" to an
# OPTIONS line that has no -u; the second sed normalises any existing
# "-u <user>" to "-u ntp:ntp"; if no non-empty OPTIONS line exists one is
# appended (an empty OPTIONS="" therefore gets a second assignment after it).
egrep -q "^(\s*)OPTIONS\s*=\s*\"(([^\"]+)?-u\s[^[:space:]\"]+([^\"]+)?|([^\"]+))\"(\s*#.*)?\s*$" /etc/default/ntp && sed -ri '/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/ {/^(\s*)OPTIONS\s*=\s*\"[^\"]*-u\s+\S+[^\"]*\"(\s*#.*)?\s*$/! s/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/\1OPTIONS=\"\2 -u ntp:ntp\"\3/ }' /etc/default/ntp && sed -ri "s/^(\s*)OPTIONS\s*=\s*\"([^\"]+\s+)?-u\s[^[:space:]\"]+(\s+[^\"]+)?\"(\s*#.*)?\s*$/\1OPTIONS=\"\2\-u ntp:ntp\3\"\4/" /etc/default/ntp || echo "OPTIONS=\"-u ntp:ntp\"" >> /etc/default/ntp
# No "server" lines are written; the upstream time sources stay site-specific.
echo Configure\ Network\ Time\ Protocol\ \(NTP\) - server not configured.
# Ensure LDAP is not enabled CIS-2.2.6
echo
echo \*\*\*\* Ensure\ LDAP\ is\ not\ enabled
# "systemctl disable <unit>" only removes boot-time enablement: an instance
# that is already running keeps running until stopped or the host reboots.
# Unconditional disable calls (here and below) print an error when the unit
# does not exist; the "is-enabled && disable" form further down avoids that.
systemctl disable slapd
dpkg -s slapd && apt-get -y purge slapd
# Ensure NFS and RPC are not enabled CIS-2.2.7
echo
echo \*\*\*\* Ensure\ NFS\ and\ rpcbind\ are\ not\ enabled
systemctl disable nfs-kernel-server
systemctl disable rpcbind
# Ensure DNS Server is not enabled CIS-2.2.8
echo
echo \*\*\*\* Ensure\ DNS\ Server\ is\ not\ enabled
systemctl disable bind9
# Ensure FTP Server is not enabled CIS-2.2.9
echo
echo \*\*\*\* Ensure\ FTP\ Server\ is\ not\ enabled
systemctl disable vsftpd
dpkg -s vsftpd && apt-get purge -y vsftpd
dpkg -s proftpd && apt-get purge -y proftpd
dpkg -s pure-ftpd && apt-get purge -y pure-ftpd
# Ensure HTTP server is not enabled CIS-2.2.10
echo
echo \*\*\*\* Ensure\ HTTP\ Server\ is\ not\ enabled
systemctl disable apache2
# Ensure IMAP and POP3 server is not enabled CIS-2.2.11
echo
echo \*\*\*\* Ensure\ IMAP\ and\ POP3\ Server\ is\ not\ enabled
systemctl is-enabled dovecot && systemctl disable dovecot
systemctl is-enabled cyrus-imapd && systemctl disable cyrus-imapd
# Ensure Samba is not enabled CIS-2.2.12
echo
echo \*\*\*\* Ensure\ Samba\ is\ not\ enabled
systemctl is-enabled smbd && systemctl disable smbd
systemctl is-enabled samba && systemctl disable samba
# Ensure HTTP Proxy Server is not enabled CIS-2.2.13
echo
echo \*\*\*\* Ensure\ HTTP\ proxy\ Server\ is\ not\ enabled
systemctl is-enabled squid && systemctl disable squid
# Ensure SNMP Server is not enabled CIS-2.2.14
echo
echo \*\*\*\* Ensure\ SNMP\ Server\ is\ not\ enabled
systemctl is-enabled snmpd && systemctl disable snmpd
# Configure Mail Transfer Agent for Local-Only Mode CIS-2.2.15
echo
echo \*\*\*\* Configure\ Mail\ Transfer\ Agent\ for\ Local-Only\ Mode
# The "not configured" message is printed even though postfix's main.cf is
# edited just below when it exists. Only an existing inet_interfaces line is
# rewritten (nothing is added when absent) and postfix is not reloaded here.
echo Configure\ Mail\ Transfer\ Agent\ for\ Local-Only\ Mode Linux custom object not configured.
if [ -f /etc/postfix/main.cf ]; then
sed -ri "s/^inet_interfaces\s*=\s*.*/inet_interfaces = localhost/g" /etc/postfix/main.cf
fi
# Ensure rsync service is not enabled CIS-2.2.16
echo
echo \*\*\*\* Ensure\ rsync\ service\ is\ not\ enabled
# Set RSYNC_ENABLE=false in the SysV defaults file when rsync is installed,
# then disable the systemd unit if it is enabled.
dpkg -s rsync && sed -ri "s/^(\s*RSYNC_ENABLE\s*=\s*)\S+(\s*)/\1false\2/" /etc/default/rsync
systemctl is-enabled rsync && systemctl disable rsync
#######################################
# Persist a kernel parameter in /etc/sysctl.conf.
# Arguments: $1 - key (e.g. net.ipv4.ip_forward), $2 - value
# An existing "key = <anything>" line, optionally followed by a comment, is
# rewritten in place; otherwise "key = value" is appended. The running value
# is set separately with sysctl -w after each call.
#######################################
set_sysctl_conf() {
  local key=$1 value=$2
  local match="^(\s*)${key}\s*=\s*\S+(\s*#.*)?\s*$"
  egrep -q "$match" /etc/sysctl.conf && sed -ri "s/${match}/\1${key} = ${value}\2/" /etc/sysctl.conf || echo "${key} = ${value}" >> /etc/sysctl.conf
}
# Disable IP Forwarding CIS-3.1.1
echo
echo "**** Disable IP Forwarding"
set_sysctl_conf net.ipv4.ip_forward 0
sysctl -w net.ipv4.ip_forward=0
# Disable Send Packet Redirects CIS-3.1.2
echo
echo "**** Disable Send Packet Redirects"
set_sysctl_conf net.ipv4.conf.all.send_redirects 0
set_sysctl_conf net.ipv4.conf.default.send_redirects 0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
# Disable Source Routed Packet Acceptance CIS-3.2.1
echo
echo "**** Disable Source Routed Packet Acceptance"
set_sysctl_conf net.ipv4.conf.all.accept_source_route 0
set_sysctl_conf net.ipv4.conf.default.accept_source_route 0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
# Disable ICMP Redirect Acceptance CIS-3.2.2
echo
echo "**** Disable ICMP Redirect Acceptance"
set_sysctl_conf net.ipv4.conf.all.accept_redirects 0
set_sysctl_conf net.ipv4.conf.default.accept_redirects 0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
# Disable Secure ICMP Redirect Acceptance CIS-3.2.3
echo
echo "**** Disable Secure ICMP Redirect Acceptance"
set_sysctl_conf net.ipv4.conf.all.secure_redirects 0
set_sysctl_conf net.ipv4.conf.default.secure_redirects 0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
# Log Suspicious Packets CIS-3.2.4
echo
echo "**** Log Suspicious Packets"
set_sysctl_conf net.ipv4.conf.all.log_martians 1
set_sysctl_conf net.ipv4.conf.default.log_martians 1
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
# Enable Ignore Broadcast Requests CIS-3.2.5
echo
echo "**** Enable Ignore Broadcast Requests"
set_sysctl_conf net.ipv4.icmp_echo_ignore_broadcasts 1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Enable Bad Error Message Protection CIS-3.2.6
echo
echo "**** Enable Bad Error Message Protection"
set_sysctl_conf net.ipv4.icmp_ignore_bogus_error_responses 1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# Enable RFC-recommended Source Route Validation CIS-3.2.7
echo
echo "**** Enable RFC-recommended Source Route Validation"
set_sysctl_conf net.ipv4.conf.all.rp_filter 1
set_sysctl_conf net.ipv4.conf.default.rp_filter 1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1
# Enable TCP SYN Cookies CIS-3.2.8
echo
echo "**** Enable TCP SYN Cookies"
set_sysctl_conf net.ipv4.tcp_syncookies 1
sysctl -w net.ipv4.tcp_syncookies=1
# NOTE(review): the benchmark's remediation for the net.ipv4.conf.* keys also
# flushes the routing cache (sysctl -w net.ipv4.route.flush=1); the kit does
# not, so cached routes keep the old behaviour until they expire.
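# Install TCP Wrappers CIS-3.4.1
echo
echo "**** Install TCP Wrappers"
dpkg -s tcpd || apt-get -y install tcpd
# Ensure /etc/hosts.allow is configured CIS-3.4.2
echo
echo "**** Ensure /etc/hosts.allow is configured"
# Allow sshd from any client unless hosts.allow already has a blanket "ALL: ALL"
# or an "sshd: ALL" rule. The original only looked for "ALL: ALL" and so
# appended "sshd: ALL" again on every run. Narrow the client list to the site's
# management networks where possible.
egrep -q "^(ALL|sshd):\s*ALL" /etc/hosts.allow || echo "sshd: ALL" >> /etc/hosts.allow
# Ensure /etc/hosts.deny is configured CIS-3.4.3
echo
echo "**** Ensure /etc/hosts.deny is configured"
# Per hosts_access(5) hosts.allow is consulted first, so with this default deny
# in place any tcpd-aware service not listed in hosts.allow is refused.
egrep -q "^ALL:\s*ALL" /etc/hosts.deny || echo "ALL: ALL" >> /etc/hosts.deny
# Verify Permissions on /etc/hosts.allow CIS-3.4.4
echo
echo "**** Verify Permissions on /etc/hosts.allow"
# Owner read/write, group and other read-only (0644).
chmod u=rw,go=r /etc/hosts.allow
# Verify Permissions on /etc/hosts.deny CIS-3.4.5
echo
echo "**** Verify Permissions on /etc/hosts.deny"
chmod u=rw,go=r /etc/hosts.deny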
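# Ensure Firewall is active CIS-3.6.1
echo
echo "**** Ensure Firewall is active"
# Pre-seed debconf so iptables-persistent installs without prompting. Every
# other privileged step in this kit (apt-get, chown, sysctl) runs without sudo,
# so the kit already assumes root; the sudo prefix used here only added a
# dependency on the sudo package.
echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
dpkg -s iptables || apt-get -y install iptables
dpkg -s iptables-persistent || apt-get -y install iptables-persistent
update-rc.d netfilter-persistent enable
# Port sshd listens on. Override with SSH_PORT=<port> in the environment when
# sshd is not on 22, otherwise the default-deny policy below cuts off remote
# administration.
SSH_PORT=${SSH_PORT:-22}
# Flush IPtables rules. Only IPv4 is handled in this section; ip6tables is not
# touched and IPv6 traffic keeps whatever policy it had.
iptables -F
# The ACCEPT rules are installed first and the DROP policies last. The end
# state is identical, but setting DROP before the rules leaves a window in
# which an administrator's own remote session has no matching rule.
# Ensure loopback traffic is configured CIS-3.6.3
echo
echo "**** Ensure loopback traffic is configured"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Loopback-sourced packets arriving on any other interface are spoofed.
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# Ensure outbound and established connections are configured CIS-3.6.4
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
# Open inbound ssh connections CIS-3.6.5
echo
echo "**** Ensure firewall rules exist for all open ports"
iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
# Ensure default deny firewall policy CIS-3.6.2
echo
echo "**** Ensure default deny firewall policy"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Persist the rule set where netfilter-persistent loads it from at boot.
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4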
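# Install the rsyslog package CIS-4.2.3
echo
echo "**** Install the rsyslog package"
dpkg -s rsyslog || apt-get -y install rsyslog
# Ensure the rsyslog Service is activated CIS-4.2.1.1
echo
echo "**** Ensure the rsyslog Service is activated"
systemctl enable rsyslog
# Create and Set Permissions on rsyslog Log Files CIS-4.2.1.3
echo
echo "**** Ensure rsyslog default file permissions configured"
# $FileCreateMode sets the mode of log files rsyslog creates. An existing
# directive is left alone when its value already matches the restrictive set
# accepted by the class below (0640 among them) and rewritten to 0640
# otherwise. When /etc/rsyslog.conf has no such directive at all it is
# appended; the original only rewrote an existing line, so a configuration
# without the directive was left unchanged.
# NOTE(review): directives in /etc/rsyslog.d/*.conf are not inspected, and the
# new mode only applies once rsyslog has been restarted.
if egrep -q '^\$FileCreateMode\s' /etc/rsyslog.conf; then
  egrep -q '^(\$)FileCreateMode(\s.*)0[1,5,6][1,4]0$' /etc/rsyslog.conf || sed -ri 's/^\$FileCreateMode\s*.*/\$FileCreateMode 0640/' /etc/rsyslog.conf
else
  echo '$FileCreateMode 0640' >> /etc/rsyslog.conf
fi
# Configure rsyslog to Send Logs to a Remote Log Host CIS-4.2.1.4 (reported only;
# the destination is site-specific)
echo
echo "**** Configure rsyslog to Send Logs to a Remote Log Host"
echo "Configure rsyslog to Send Logs to a Remote Log Host not configured."
# Ensure permissions on all logfiles are configured CIS-4.2.4
echo
echo "**** Ensure permissions on all logfiles are configured"
# Removes group write/execute and all "other" access from existing entries
# under /var/log (the glob skips dot-files); files created later follow
# $FileCreateMode and logrotate settings.
chmod -R g-wx,o-rwx /var/log/*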
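# Enable cron Daemon CIS-5.1.1
echo
echo "**** Enable cron Daemon"
systemctl is-enabled cron || systemctl enable cron
systemctl enable anacron
# Set User/Group Owner and Permission on /etc/crontab CIS-5.1.2
echo
echo "**** Set User/Group Owner and Permission on /etc/crontab"
# /etc/crontab is a regular file: owner read/write only (0600).
chmod u-x,g-rwx,o-rwx /etc/crontab
chown 0:0 /etc/crontab
# Set User/Group Owner and Permission on the cron directories
# CIS-5.1.3 (hourly), 5.1.4 (daily), 5.1.5 (weekly), 5.1.6 (monthly), 5.1.7 (cron.d)
# The benchmark asks for og-rwx (0700) on these directories. The original also
# removed the owner's execute bit, leaving 0600 directories: root still
# traverses them, but the result differs from the benchmark and from what an
# audit expects, so only the group/other bits are stripped here.
for dir in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  echo
  echo "**** Set User/Group Owner and Permission on $dir"
  chmod og-rwx "$dir"
  chown 0:0 "$dir"
done
# Restrict at/cron to Authorized Users CIS-5.1.8
echo
echo "**** Restrict at/cron to Authorized Users"
# Remove the deny lists and create root-only allow lists. The allow files are
# created empty, so add the users who may schedule jobs afterwards.
for name in cron at; do
  rm -f "/etc/$name.deny"
  touch "/etc/$name.allow"
  chmod og-rwx "/etc/$name.allow"
  chown 0:0 "/etc/$name.allow"
done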
# Set Password Creation Requirement Parameters Using pam_pwquality CIS-5.3.1
# Each long line below edits the active "password requisite pam_pwquality.so"
# entry in common-password: the first sed inserts the option only when the
# line does not carry it yet (the `/…/! s/…/` guard); the second sed, where
# present, normalises an existing value.  When no such entry exists, the
# `|| echo` branch reports it instead of creating one.
# NOTE(review): in an `a && b && c || d` chain the "not configured" message
# also fires when one of the seds fails, so it is not a reliable signal of a
# missing module line.
# NOTE(review): `dpkg -s` exits 0 for a package that was removed but still
# has config files, so the install can be skipped on such a host; it also
# prints the whole package record to stdout.
# NOTE(review): per pam_pwquality(8), options on the module line override the
# same keys in /etc/security/pwquality.conf.
echo
dpkg -s libpam-pwquality || apt-get install -y libpam-pwquality
echo \*\*\*\* Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality
# try_first_pass: reuse the password already collected by an earlier module
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
# retry=3: three attempts at choosing an acceptable password
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
# minlen=14: minimum length; the *credit=-1 options below each require at
# least one digit / upper-case / other / lower-case character
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+minlen=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1minlen=14 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)minlen=[0-9]+(\s+.*)?$/\1minlen=14\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+dcredit=-?[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1dcredit=-1 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)dcredit=-?[0-9]+(\s+.*)?$/\1dcredit=-1\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+ucredit=-?[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1ucredit=-1 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)ucredit=-?[0-9]+(\s+.*)?$/\1ucredit=-1\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+ocredit=-?[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1ocredit=-1 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)ocredit=-?[0-9]+(\s+.*)?$/\1ocredit=-1\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/common-password && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+lcredit=-?[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1lcredit=-1 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)lcredit=-?[0-9]+(\s+.*)?$/\1lcredit=-1\3/' /etc/pam.d/common-password || echo Set\ Password\ Creation\ Requirement\ Parameters\ Using\ pam_pwquality - /etc/pam.d/common-password not configured.
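# Write the same limits to /etc/security/pwquality.conf, which pam_pwquality
# consults for any key not given on the module line (and which the
# libpwquality tools read directly).  Each key is updated in place when an
# active line for it exists and appended otherwise, so a re-run no longer
# adds another copy of the five lines at the end of the file.
for kv in minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1; do
  key=${kv%%=*}
  if egrep -q "^\s*${key}\s*=" /etc/security/pwquality.conf; then
    sed -ri "s/^(\s*)${key}\s*=.*$/\1${kv}/" /etc/security/pwquality.conf
  else
    echo "$kv" >> /etc/security/pwquality.conf
  fi
done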
# Limit Password Reuse CIS-5.3.3
# Targets Ubuntu's "password [success=1 default=ignore] pam_unix.so …" line.
# The substitution captures everything up to the last whitespace run, so
# remember=5 lands before the final option (e.g. "… obscure remember=5
# sha512").  A line with a single option has no second whitespace run to
# match and appears to be left untouched — worth checking on hosts whose
# common-password diverges from the stock one.
# NOTE(review): pam_unix keeps the history in /etc/security/opasswd — confirm
# the file exists on the target, or the remember= check has nothing to use.
echo
echo \*\*\*\* Ensure\ password\ Reuse
egrep -q "^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*" /etc/pam.d/common-password && sed -ri '/^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*/ { /^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*(\s+remember=5)(\s+.*)?$/! s/^(\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*\s+)(.*)$/\1remember=5 \2/ }' /etc/pam.d/common-password || echo Ensure\ password\ Reuse\ - /etc/pam.d/common-password not configured.
# Earlier variant for a "password sufficient pam_unix.so" layout (the
# control word Ubuntu does not use); kept for reference, not executed.
# echo
# echo \*\*\*\* Limit\ Password\ Reuse
# egrep -q "^\s*password\s+sufficient\s+pam_unix.so(\s+.*)$" /etc/pam.d/common-password && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+remember=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1remember=5 \2/ }' /etc/pam.d/common-password && sed -ri 's/(^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*\s+)remember=[0-9]+(\s+.*)?$/\1remember=5\3/' /etc/pam.d/common-password || echo Limit\ Password\ Reuse - /etc/pam.d/common-password not configured.
# Ensure password hashing algorithm is SHA-512 CIS-5.3.4
# Same insertion technique and the same single-option caveat as above.
# Existing hashes are not rehashed; an account moves to SHA-512 at its next
# password change.
echo
echo \*\*\*\* Ensure\ password\ hashing\ algorithm\ is\ SHA-512
egrep -q "^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*" /etc/pam.d/common-password && sed -ri '/^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*/ { /^\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+\[\S+\s+\S+\]\s+pam_unix.so\s+\S*.*\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/common-password || echo Ensure\ password\ hashing\ algorithm\ is\ SHA-512 - /etc/pam.d/common-password not configured.
# Set SSH Protocol to 2 CIS-5.2.2
# Pattern used for every sshd_config item in this section: when an active
# (uncommented) "Keyword value" line exists it is rewritten in place,
# otherwise the line is appended at the end of the file.  Commented defaults
# such as "#PermitRootLogin …" are left as they are.
# NOTE(review): sshd takes the first occurrence of a keyword, and directives
# after a "Match" block belong to that block; on a file that ends in a Match
# block the appended lines would be scoped to it rather than applied
# globally.
# NOTE(review): nothing in this section validates the result (`sshd -t`) or
# reloads sshd; the settings take effect only after a restart, and a typo in
# a list-valued keyword would keep sshd from starting at that point.
# Protocol only matters for a server that still has SSH1 support; newer
# OpenSSH releases treat the keyword as deprecated.
echo
echo \*\*\*\* Set\ SSH\ Protocol\ to\ 2
egrep -q "^(\s*)Protocol\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Protocol\s+\S+(\s*#.*)?\s*$/\1Protocol 2\2/" /etc/ssh/sshd_config || echo "Protocol 2" >> /etc/ssh/sshd_config
# Set LogLevel to INFO CIS-5.2.3
echo
echo \*\*\*\* Set\ LogLevel\ to\ INFO
egrep -q "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
# Set Permissions on /etc/ssh/sshd_config CIS-5.2.1
# root:root, 0600: the file is read by sshd as root only.
echo
echo \*\*\*\* Set\ Permissions\ on\ /etc/ssh/sshd_config
chown 0:0 /etc/ssh/sshd_config
chmod u+r+w-x,g-r-w-x,o-r-w-x /etc/ssh/sshd_config
# Disable SSH X11 Forwarding CIS-5.2.4
echo
echo \*\*\*\* Disable\ SSH\ X11\ Forwarding
egrep -q "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config
# Set SSH MaxAuthTries to 4 or Less CIS-5.2.5
echo
echo \*\*\*\* Set\ SSH\ MaxAuthTries\ to\ 4\ or\ Less
# NOTE(review): appends an empty line on every run (not idempotent).  If the
# intent is to guarantee a trailing newline before the `>>` appends, that
# belongs once, before the first append, and only when the file lacks one.
echo >> /etc/ssh/sshd_config
egrep -q "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
# Set SSH IgnoreRhosts to Yes CIS-5.2.6
echo
echo \*\*\*\* Set\ SSH\ IgnoreRhosts\ to\ Yes
egrep -q "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
# Set SSH HostbasedAuthentication to No CIS-5.2.7
echo
echo \*\*\*\* Set\ SSH\ HostbasedAuthentication\ to\ No
egrep -q "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
# Disable SSH Root Login CIS-5.2.8
# Ubuntu's default is an active "PermitRootLogin prohibit-password" line, so
# this one is normally rewritten in place rather than appended.
echo
echo \*\*\*\* Disable\ SSH\ Root\ Login
egrep -q "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
# Set SSH PermitEmptyPasswords to No CIS-5.2.9
echo
echo \*\*\*\* Set\ SSH\ PermitEmptyPasswords\ to\ No
egrep -q "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
# Ensure SSH PermitUserEnvironment is disabled CIS-5.2.10
echo
echo \*\*\*\* Ensure\ SSH\ PermitUserEnvironment\ is\ disabled
egrep -q "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
# Use Only Approved Cipher in Counter Mode CIS-5.2.11 --- Need Some Re-work
# CTR-only list; the AEAD ciphers (chacha20-poly1305, aes*-gcm) that later
# benchmark revisions also allow are not included — hence "Need Some
# Re-work".  Any client limited to CBC ciphers is refused after this.
echo
echo \*\*\*\* Use\ Only\ Approved\ Cipher\ in\ Counter\ Mode
egrep -q "^(\s*)Ciphers\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Ciphers\s+\S+(\s*#.*)?\s*$/\1Ciphers aes128-ctr,aes192-ctr,aes256-ctr\2/" /etc/ssh/sshd_config || echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
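echo
echo '**** Use Only Approved MACs in Counter Mode'
# The list previously held "[email protected]" placeholders (an e-mail
# obfuscation artefact) in place of the @openssh.com MAC names.  That is not
# a valid MAC spec: sshd rejects the line and refuses to start, which would
# cut off every new SSH session after the next restart.  These are the
# OpenSSH names the six-entry list was meant to carry.
approved_macs='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
egrep -q "^(\s*)MACs\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MACs\s+\S+(\s*#.*)?\s*$/\1MACs ${approved_macs}\2/" /etc/ssh/sshd_config || echo "MACs ${approved_macs}" >> /etc/ssh/sshd_config
# Check the file before anything reloads sshd: a bad Ciphers/MACs line is
# exactly the kind of error that only shows up as a failed restart.
if command -v sshd >/dev/null 2>&1; then
  sshd -t || echo 'sshd_config failed validation (sshd -t); fix it before restarting sshd' >&2
fi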
# Set Idle Timeout Interval for User Login CIS-5.2.12
# Interval 300 s with CountMax 0: the server probes an idle client after five
# minutes and drops the session on the first unanswered probe.
# NOTE(review): from OpenSSH 8.2 a ClientAliveCountMax of 0 disables the
# check instead of dropping the session; fine for 16.04's 7.2, but revisit
# if these values are reused on a newer release.
echo
echo \*\*\*\* Set\ Idle\ Timeout\ Interval\ for\ User\ Login
egrep -q "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 300\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
egrep -q "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
# Ensure SSH LoginGraceTime is set to one minute or less CIS-5.2.13
# Limits how long an unauthenticated connection may sit open, which bounds
# the number of half-open sessions a client can hold.
echo
echo \*\*\*\* Ensure\ SSH\ LoginGraceTime\ is\ set\ to\ one\ minute\ or\ less
egrep -q "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
# Limit Access via SSH CIS-5.2.14 (We can not decide the membership)
# AllowUsers/AllowGroups need site knowledge of who may log in, so this item
# is only reported; it has to be set per deployment.
echo
echo \*\*\*\* Limit\ Access\ via\ SSH
echo Limit\ Access\ via\ SSH not configured.
# Set SSH Banner CIS-5.2.14
# (the CIS label is the same as the item above; the banner is its own control)
# Slashes in the path are escaped in the replacement because "/" is also the
# sed delimiter.
echo
echo \*\*\*\* Set\ SSH\ Banner
egrep -q "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
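# Restrict Access to the su Command CIS-5.6
# Make su usable only by members of "wheel": pam_wheel with use_uid checks
# the group membership of the current uid (pam_wheel(8)).  The group is
# created before the PAM rule refers to it, and root is added with -a so any
# supplementary groups root already has are kept — a plain -G replaces the
# whole list.  Administrators who need `su` must be added to wheel; sudo is
# not affected by this rule.
echo
echo '**** Restrict Access to the su Command'
getent group wheel >/dev/null || groupadd -r wheel
usermod -aG wheel root
egrep -q "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su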
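# Set Password Expiration Days CIS-5.4.1.1
# login.defs only governs accounts created later, so each limit is also
# applied with chage to every existing account that has a real password
# hash (second shadow field not starting with "!" or "*").  `xargs -r`
# keeps chage from being invoked with no user name when that list is empty.
echo
echo '**** Set Password Expiration Days'
egrep -q "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\1PASS_MAX_DAYS 90\2/" /etc/login.defs || echo "PASS_MAX_DAYS 90" >> /etc/login.defs
egrep '^[^:]+:[^\!\*]' /etc/shadow | cut -f1 -d ':' | xargs -r -n1 chage --maxdays 90
# Set Password Change Minimum Number of Days CIS-5.4.1.2
echo
echo '**** Set Password Change Minimum Number of Days'
egrep -q "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\1PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs
egrep '^[^:]+:[^\!\*]' /etc/shadow | cut -f1 -d ':' | xargs -r -n1 chage --mindays 7
# Set Password Expiring Warning Days CIS-5.4.1.3
echo
echo '**** Set Password Expiring Warning Days'
egrep -q "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\1PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs
egrep '^[^:]+:[^\!\*]' /etc/shadow | cut -f1 -d ':' | xargs -r -n1 chage --warndays 7
# Ensure inactive password lock is 30 days or less CIS-5.4.1.4
# INACTIVE in /etc/default/useradd covers new accounts only; existing
# accounts get the same limit through chage --inactive (the user list used to
# be printed here without being acted on).  An account whose password has
# been expired for 30 days is then locked, so rarely used personal accounts
# must rotate their password before that point.
echo
echo '**** Ensure inactive password lock is 30 days or less'
egrep -q "^(\s*)INACTIVE\s*=" /etc/default/useradd && sed -ri "s/^(\s*)INACTIVE\s*=\s*\S+$/\1INACTIVE=30/" /etc/default/useradd || echo "INACTIVE=30" >> /etc/default/useradd
egrep '^[^:]+:[^\!\*]' /etc/shadow | cut -f1 -d ':' | xargs -r -n1 chage --inactive 30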
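# Disable System Accounts CIS-5.4.2
# Lock every system account (uid < 1000, root excluded) and, except for the
# sync/shutdown/halt helpers, give it a non-login shell so it cannot be used
# interactively even if its password were known.  Locking an already locked
# account is harmless, so the loop can be re-run.  User names are quoted
# throughout; the unquoted `[ $user != … ]` form breaks on an empty value.
echo
echo '**** Disable System Accounts'
awk -F: '$3 < 1000 && $1 != "root" { print $1 }' /etc/passwd | while IFS= read -r user; do
  /usr/sbin/usermod -L "$user"
  case "$user" in
    sync|shutdown|halt) ;;
    *) /usr/sbin/usermod -s /usr/sbin/nologin "$user" ;;
  esac
done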
# Set Default Group for root Account CIS-5.4.3
echo
echo '**** Set Default Group for root Account'
usermod -g 0 root
# Set Default umask for Users CIS-5.4.4
# Both shell start-up files get the same umask line: rewritten in place when
# an active "umask …" line exists, appended (creating cis.sh) otherwise.
# 077 is tighter than the benchmark's 027 floor.
echo
echo '**** Set Default umask for Users'
for rc in /etc/bash.bashrc /etc/profile.d/cis.sh; do
  egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" "$rc" && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 077\2/" "$rc" || echo "umask 077" >> "$rc"
done
# Lock Inactive User Accounts
# echo
# echo \*\*\*\* Lock\ Inactive\ User\ Accounts
# useradd -D -f 35
# Set Warning Banner for Standard Login Services CIS-1.7.1.4 to CIS-1.7.1.6
# Banner files: root-owned, owner read/write, everyone else read-only.
echo
echo '**** Permission on /etc/motd, /etc/issue, /etc/issue.net are Configured'
for banner in /etc/motd /etc/issue /etc/issue.net; do
  chmod u+r+w-x,g+r-w-x,o+r-w-x "$banner"
  chown 0:0 "$banner"
done
# Remove OS Information from Login Warning Banners CIS-1.7.1.1 to CIS-1.7.1.3
# Strip the agetty escapes that leak kernel/OS details to anyone who reaches
# the login prompt: \v (kernel version), \r (kernel release), \m (machine
# architecture), \s (OS name).
echo
echo '**** Remove OS Information from Login Warning Banners'
for banner in /etc/issue /etc/issue.net /etc/motd; do
  sed -ri 's/(\\v|\\r|\\m|\\s)//g' "$banner"
done
# We are not remediating the CIS-1.7.2 as we are not using Graphical Interface for any of the Server
# Verify Permissions on the account databases CIS-6.1.2 to CIS-6.1.9
# One row per file: path, owner:group, symbolic mode.  passwd and group are
# world-readable; shadow/gshadow belong to gid 42 (shadow) and the backup
# copies ("-" suffix) are root-only.  The shadow files are handled by gid,
# so no group lookup is needed.
while read -r dbfile owner mode; do
  echo
  echo "**** Verify Permissions on $dbfile"
  chown "$owner" "$dbfile"
  chmod "$mode" "$dbfile"
done <<'EOF'
/etc/passwd 0:0 u+r+w-x,g+r-w-x,o+r-w-x
/etc/shadow 0:42 u+r+w-x,g+r-w-x,o-r-w-x
/etc/group 0:0 u+r+w-x,g+r-w-x,o+r-w-x
/etc/gshadow 0:42 u+r+w-x,g-r-w-x,o-r-w-x
/etc/passwd- 0:0 u+r+w-x,g-r-w-x,o-r-w-x
/etc/shadow- 0:0 u+r+w-x,g-r-w-x,o-r-w-x
/etc/group- 0:0 u+r+w-x,g-r-w-x,o-r-w-x
/etc/gshadow- 0:0 u+r+w-x,g-r-w-x,o-r-w-x
EOF
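# Ensure no world writable files exist CIS-6.1.10
# Walk every local mount point (one per line from df; -xdev keeps find on
# that filesystem) and clear the other-write bit on regular files.  A read
# loop is used instead of `xargs -I`, because -I also rewrites the "{}" that
# belongs to find's -exec.
# NOTE(review): a mount point containing spaces is truncated by `print $6`.
echo
echo '**** Ensure no world writable files exist'
df --local -P | awk 'NR != 1 {print $6}' | while IFS= read -r mnt; do
  find "$mnt" -xdev -type f -perm -0002 -exec chmod o-w {} +
done
# Find Un-owned Files and Directories CIS-6.1.11
# Every entry without a valid owner is handed to root.  find already lists
# the unowned contents of an unowned directory, so chown runs without -R:
# with it, one unowned directory would have re-owned every properly owned
# file beneath it as well.
echo
echo '**** Find Un-owned Files and Directories'
df --local -P | awk 'NR != 1 {print $6}' | while IFS= read -r mnt; do
  find "$mnt" -xdev -nouser -exec chown 0:0 {} +
done
# Find Un-grouped Files and Directories CIS-6.1.12
# Same treatment for the group.  Here the read loop also repairs a serious
# defect: with `xargs -I '{}'` the "{}" in "-exec chgrp -R 0 {}" was replaced
# by the mount point too, so a single ungrouped file would have run
# "chgrp -R 0 <mount point>" over the whole filesystem.
echo
echo '**** Find Un-grouped Files and Directories'
df --local -P | awk 'NR != 1 {print $6}' | while IFS= read -r mnt; do
  find "$mnt" -xdev -nogroup -exec chgrp 0 {} +
done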
# Ensure Password Fields are Not Empty CIS-6.2.1
echo
echo '**** Ensure Password Fields are Not Empty'
echo 'Ensure Password Fields are Not Empty not configured.'
# Verify No Legacy "+" Entries Exist in /etc/passwd, /etc/shadow, /etc/group
# CIS-6.2.2 to CIS-6.2.4: an entry starting with "+:" is the old NIS
# compatibility marker and has no place in a local account database.
for db in /etc/passwd /etc/shadow /etc/group; do
  echo
  echo "**** Verify No Legacy \";+\"; Entries Exist in $db File"
  sed -ri '/^\+:.*$/ d' "$db"
done
# Verify No UID 0 Accounts Exist Other Than root CIS-6.2.5
echo
echo '**** Verify No UID 0 Accounts Exist Other Than root'
echo 'Verify No UID 0 Accounts Exist Other Than root not configured.'
# Ensure root PATH Integrity CIS-6.2.6
echo
echo '**** Ensure root PATH Integrity'
echo 'Ensure root PATH Integrity Linux custom object not configured.'
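# Ensure all users' home directories exist CIS-6.2.7
# Create a missing home for every interactive account: uid >= 1000, not the
# NFS placeholder, and a real login shell.  Accounts with nologin/false are
# skipped, as the benchmark audit does; on Ubuntu that covers "nobody"
# (home /nonexistent), which would otherwise get a directory created for it.
# The directory is owned by the account's own primary group ($4) rather than
# a group named after the user, which need not exist, and is created 0750 so
# it starts within the CIS-6.2.8 limit.
echo
echo '**** Ensure all users home directories exist'
awk -F: '$3 >= 1000 && $1 != "nfsnobody" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1, $4, $6 }' /etc/passwd |
while read -r user gid dir; do
  # an empty home field would otherwise turn into `mkdir -p ""`
  if [ -n "$dir" ] && [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
    echo "Creating Directory ($dir)for $user "
    mkdir -p "$dir"
    chmod 0750 "$dir"
    chown "$user:$gid" "$dir"
  fi
done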
# The items from here to the shadow-group check are audit-only: the script
# prints "not configured" and leaves them for manual review, presumably
# because each needs a judgement call (which duplicate to keep, whose
# .rhosts/.netrc/.forward to remove, which group a stray GID belongs to)
# rather than a blanket edit.  The messages are the remediation log's record
# that these controls were seen and skipped.
# Check Permissions on User Home Directories CIS-6.2.8
echo
echo \*\*\*\* Check\ Permissions\ on\ User\ Home\ Directories
echo Check\ Permissions\ on\ User\ Home\ Directories Linux custom object not configured
# Check User Dot File Permissions CIS-6.2.10
echo
echo \*\*\*\* Check\ User\ Dot\ File\ Permissions
echo Check\ User\ Dot\ File\ Permissions Linux custom object not configured.
# Check Permissions on User .netrc Files CIS-6.2.13
echo
echo \*\*\*\* Check\ Permissions\ on\ User\ .netrc\ Files
echo Check\ Permissions\ on\ User\ .netrc\ Files Linux custom object not configured.
# Check for Presence of User .rhosts Files CIS-6.2.14
echo
echo \*\*\*\* Check\ for\ Presence\ of\ User\ .rhosts\ Files
echo Check\ for\ Presence\ of\ User\ .rhosts\ Files Linux custom object not configured.
# Ensure all groups in /etc/passwd exist in /etc/group CIS-6.2.15
echo
echo \*\*\*\* Check\ Groups\ in\ /etc/passwd
echo Check\ Groups\ in\ /etc/passwd Linux custom object not configured.
# Check That Users Are Assigned Valid Home Directories
echo
echo \*\*\*\* Check\ That\ Users\ Are\ Assigned\ Valid\ Home\ Directories
echo Check\ That\ Users\ Are\ Assigned\ Valid\ Home\ Directories Linux custom object not configured.
# Check User Home Directory Ownership CIS-6.2.9
echo
echo \*\*\*\* Check\ User\ Home\ Directory\ Ownership
echo Check\ User\ Home\ Directory\ Ownership Linux custom object not configured.
# Check for Duplicate UIDs CIS-6.2.16
echo
echo \*\*\*\* Check\ for\ Duplicate\ UIDs
echo Check\ for\ Duplicate\ UIDs Linux custom object not configured.
# Check for Duplicate GIDs CIS-6.2.17
echo
echo \*\*\*\* Check\ for\ Duplicate\ GIDs
echo Check\ for\ Duplicate\ GIDs Linux custom object not configured.
# Check for Duplicate User Names CIS-6.2.18
echo
echo \*\*\*\* Check\ for\ Duplicate\ User\ Names
echo Check\ for\ Duplicate\ User\ Names Linux custom object not configured.
# Check for Duplicate Group Names CIS-6.2.19
echo
echo \*\*\*\* Check\ for\ Duplicate\ Group\ Names
echo Check\ for\ Duplicate\ Group\ Names Linux custom object not configured.
# Check for Presence of User .netrc Files CIS-6.2.12
echo
echo \*\*\*\* Check\ for\ Presence\ of\ User\ .netrc\ Files
echo Check\ for\ Presence\ of\ User\ .netrc\ Files Linux custom object not configured.
# Check for Presence of User .forward Files CIS-6.2.11
echo
echo \*\*\*\* Check\ for\ Presence\ of\ User\ .forward\ Files
echo Check\ for\ Presence\ of\ User\ .forward\ Files Linux custom object not configured.
# Ensure shadow group is empty CIS-6.2.20
echo
echo \*\*\*\* Ensure\ shadow\ group\ is\ empty
echo Ensure\ shadow\ group\ is\ empty Linux custom object not configured.
# Specially Added for CIS-6.2.9
# Give the two service accounts that default to the absent home /nonexistent
# a real, self-owned directory so the home-ownership audit passes.
# NOTE(review): Debian leaves /nonexistent absent for these accounts on
# purpose; creating it is a deviation worth recording for package audits.
for svc in nobody _apt; do
  mkdir -p "/nonexistent/$svc"
  chown "$svc" "/nonexistent/$svc"
  usermod -d "/nonexistent/$svc" "$svc"
done
fi
if [ "$PROFILE" = "Level 2" ]; then
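echo '**** Executing Level 2 profile remediation'
# Activate AppArmor
# Install the AppArmor packages, put apparmor=1 security=apparmor on the
# kernel command line and switch the shipped profiles to enforce mode.  The
# package test reads the dpkg status field: `dpkg -s` alone exits 0 for a
# package that was removed but still has config files, which would skip the
# install.
echo
echo '**** Activate AppArmor'
echo 'AppArmor requires reboot to fully apply, may require manual remediation'
for pkg in apparmor apparmor-profiles apparmor-utils; do
  dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q 'install ok installed' || apt-get -y install "$pkg"
done
# Each grub line: add the parameter inside the GRUB_CMDLINE_LINUX quotes when
# absent, normalise it when present, or create the variable when missing.
egrep -q "^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?\"(\s*#.*)?\s*$" /etc/default/grub && sed -ri '/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]*)?\"(\s*#.*)?\s*$/ {/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?apparmor=\S+(\s+[^\"]+)?\"(\s*#.*)?\s*$/! s/^(\s*GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?)(\"(\s*#.*)?\s*)$/\1 apparmor=1\3/ }' /etc/default/grub && sed -ri "s/^((\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?)apparmor=\S+((\s+[^\"]+)?\"(\s*#.*)?\s*)$/\1apparmor=1\4/" /etc/default/grub || echo "GRUB_CMDLINE_LINUX=\"apparmor=1\"" >> /etc/default/grub
egrep -q "^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?\"(\s*#.*)?\s*$" /etc/default/grub && sed -ri '/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]*)?\"(\s*#.*)?\s*$/ {/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?security=\S+(\s+[^\"]+)?\"(\s*#.*)?\s*$/! s/^(\s*GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?)(\"(\s*#.*)?\s*)$/\1 security=apparmor\3/ }' /etc/default/grub && sed -ri "s/^((\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?)security=\S+((\s+[^\"]+)?\"(\s*#.*)?\s*)$/\1security=apparmor\4/" /etc/default/grub || echo "GRUB_CMDLINE_LINUX=\"security=apparmor\"" >> /etc/default/grub
update-grub
# NOTE(review): the glob also hands the subdirectories under /etc/apparmor.d
# (abstractions, tunables, local, …) to aa-enforce; they are presumably
# reported as errors rather than processed — harmless noise, but confirm on
# the target.  The glob is deliberately unquoted.
aa-enforce /etc/apparmor.d/*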
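# Install and Enable auditd Service
# The package goes in before its config file is touched: editing
# /etc/audit/auditd.conf on a host without auditd would create the file
# ahead of the package (or fail outright when /etc/audit does not exist),
# and the install afterwards would then hit a conffile conflict.  The
# package test reads the dpkg status field, since `dpkg -s` alone exits 0
# for a removed package that still has config files.
echo
echo '**** Install and Enable auditd Service'
dpkg-query -W -f='${Status}' auditd 2>/dev/null | grep -q 'install ok installed' || apt-get -y install auditd
systemctl enable auditd
# Keep All Auditing Information
# keep_logs: never rotate audit logs away; disk usage must be watched
# elsewhere (max_log_file / log rotation policy).
echo
echo '**** Keep All Auditing Information'
egrep -q "^(\s*)max_log_file_action\s*=\s*\S+(\s*#.*)?\s*$" /etc/audit/auditd.conf && sed -ri "s/^(\s*)max_log_file_action\s*=\s*\S+(\s*#.*)?\s*$/\1max_log_file_action = keep_logs\2/" /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
# Enable Auditing for Processes That Start Prior to auditd
# audit=1 on the kernel command line makes the kernel queue audit records
# from boot until auditd comes up; takes effect after update-grub and a
# reboot.
echo
echo '**** Enable Auditing for Processes That Start Prior to auditd'
egrep -q "^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?\"(\s*#.*)?\s*$" /etc/default/grub && sed -ri '/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]*)?\"(\s*#.*)?\s*$/ {/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?audit=\S+(\s+[^\"]+)?\"(\s*#.*)?\s*$/! s/^(\s*GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+)?)(\"(\s*#.*)?\s*)$/\1 audit=1\3/ }' /etc/default/grub && sed -ri "s/^((\s*)GRUB_CMDLINE_LINUX\s*=\s*\"([^\"]+\s+)?)audit=\S+((\s+[^\"]+)?\"(\s*#.*)?\s*)$/\1audit=1\4/" /etc/default/grub || echo "GRUB_CMDLINE_LINUX=\"audit=1\"" >> /etc/default/grub
update-grub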
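# Record Events That Modify Date and Time Information
# Each rule is appended only when an identical active rule is not already in
# audit.rules.  The arch=b64 rules are meaningful only on x86_64; the former
# `uname && egrep || echo` chain appended them on every other architecture
# as well (the `|| echo` ran whenever the uname test failed), so they now sit
# inside an explicit if.
# NOTE(review): on auditd builds that load rules through augenrules,
# /etc/audit/audit.rules is regenerated from /etc/audit/rules.d/*.rules at
# service start and direct edits here are lost — confirm which applies on
# the target before relying on this.
echo
echo '**** Record Events That Modify Date and Time Information'
if uname -p | grep -q 'x86_64'; then
  egrep -q "^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+adjtimex\s+-S\s+settimeofday\s+-k\s+time-change\s*(#.*)?$" /etc/audit/audit.rules || echo "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" >> /etc/audit/audit.rules
fi
egrep -q "^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+adjtimex\s+-S\s+settimeofday\s+-S\s+stime\s+-k\s+time-change\s*(#.*)?$" /etc/audit/audit.rules || echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" >> /etc/audit/audit.rules
if uname -p | grep -q 'x86_64'; then
  egrep -q "^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+clock_settime\s+-k\s+time-change\s*(#.*)?$" /etc/audit/audit.rules || echo "-a always,exit -F arch=b64 -S clock_settime -k time-change" >> /etc/audit/audit.rules
fi
egrep -q "^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+clock_settime\s+-k\s+time-change\s*(#.*)?$" /etc/audit/audit.rules || echo "-a always,exit -F arch=b32 -S clock_settime -k time-change" >> /etc/audit/audit.rules
egrep -q "^\s*-w\s+/etc/localtime\s+-p\s+wa\s+-k\s+time-change\s*(#.*)?$" /etc/audit/audit.rules || echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/audit.rules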
# Record Events That Modify User/Group Information