diff --git a/DebianServer_10/helpers.sh b/DebianServer_10/helpers.sh
new file mode 100644
index 0000000..ec00dee
--- /dev/null
+++ b/DebianServer_10/helpers.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+spinner ()
+{
+ bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+ barlength=${#bar}
+ i=0
+ while ((i < 100)); do
+ n=$((i*barlength / 100))
+ printf "\e[00;34m\r[%-${barlength}s]\e[00m" "${bar:0:n}"
+ ((i += RANDOM%5+2))
+ sleep 0.02
+ done
+}
+
+
+
+# Show "Done."
+function say_done() {
+ echo " "
+ echo -e "Done."
+ say_continue
+}
+
+
+# Ask to Continue
+function say_continue() {
+ echo -n " To EXIT Press x Key, Press ENTER to Continue"
+ read acc
+ if [ "$acc" == "x" ]; then
+ exit
+ fi
+ echo " "
+}
+
+
+# Obtain Server IP
+function __get_ip() {
+ serverip=$(ip route get 1 | awk '{print $7;exit}')
+ echo $serverip
+}
+
+
+# Copy Local Config Files
+function tunning() {
+ whoapp=$1
+ cp templates/$whoapp /root/.$whoapp
+ cp templates/$whoapp /home/$username/.$whoapp
+ chown $username:$username /home/$username/.$whoapp
+}
diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh
new file mode 100644
index 0000000..8cd3560
--- /dev/null
+++ b/DebianServer_10/jshilder-CIS.sh
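Review bot: `tunning()` copies into `/home/$username` and chowns with `$username`, but `username` is never set in this file — it comes from whichever script sources `helpers.sh`, and with it unset the targets collapse to `/home/.$whoapp`. Guard that dependency at the top of the function, `: "${username:?username must be set before tunning}"`, and quote the expansions, `cp -- "templates/$whoapp" "/home/$username/.$whoapp"`. In `say_continue`, `read acc` should be `read -r acc` so a backslash in the reply is not interpreted, and `__get_ip` should print with `printf '%s\n' "$serverip"` rather than `echo $serverip`. A one-line header comment on `tunning` naming the `username` global it reads would also help the next reader.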
@@ -0,0 +1,747 @@
+#!/bin/bash
+
+# JShielder v2.4
+# Deployer for Debian 10 Server
+#
+# Girish Mahabir
+# Twitter = @girishmahabir
+# Credits to Center for Internet Security CIS and Jason Soto for the base work.
+
+source helpers.sh
+
+##############################################################################################################
+
+f_banner(){
+echo
+echo "
+
+ ██╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ ███████╗██████╗
+ ██║██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗██╔════╝██╔══██╗
+ ██║███████╗███████║██║█████╗ ██║ ██║ ██║█████╗ ██████╔╝
+██ ██║╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║██╔══╝ ██╔══██╗
+╚█████╔╝███████║██║ ██║██║███████╗███████╗██████╔╝███████╗██║ ██║
+╚════╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝╚═╝ ╚═╝
+
+CIS Benchmark Hardening
+For Debian 10
+Developed By Jason Soto & Modified by Girish Mahabir
+"
+echo
+echo
+
+}
+
+
+##############################################################################################################
+
+# Check if running with root User
+
+clear
+f_banner
+
+
+check_root() {
+if [ $EUID -ne 0 ]; then
+ echo "Permission Denied"
+ echo "Can only be run by root"
+ exit
+else
+ clear
+ f_banner
+ cat templates/texts/welcome-CIS
+fi
+}
+
+##############################################################################################################
+
+check_root
+say_continue
+
+# Setting a root password.
+echo -e "Let's set a root password"
+passwd root
+
+# Unattended Upgrades
+apt install -y unattended-upgrades apt-listchanges bsd-mailx
+echo "APT::Periodic::AutocleanInterval "7";" >> /etc/apt/apt.conf.d/20auto-upgrades
+systemctl enable --now unattended-upgrades
+
+##############################################################################################################
+
+echo -e ""
+echo -e "Disabling unused filesystems"
+apt install -y spinner
+spinner
+sleep 2
+
+#1.1.1.1 Ensure Mounting of cramfs is disabled (Scored)
+
+echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored)
+
+echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored)
+
+echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored)
+
+echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored)
+
+echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored)
+
+echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
+
+echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
+
+echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#1.1.23 Ensure mounting USB devices is disabled (Scored)
+echo "install usb-storage /bin/true" >> /etc/modprobe.d/CIS.conf
+rmmod usb-storage
+
+
+#1.1.17 Ensure nodev option set on removable media partitions (Not Scored)
+#1.1.18 Ensure nosuid option set on removable media partitions (Not Scored)
+#1.1.19 Ensure noexec option set on removable media partitions (Not Scored)
+
+#1.1.20 Ensure sticky bit is set on all world-writable directories (Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Setting Sticky bit on all world-writable directories"
+sleep 2
+spinner
+
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+
+#1.1.21 Disable Automounting (Scored)
+
+
+#1.2 Configure Software Updates
+
+
+#1.2.1 Ensure package manager repositories are configured (Not Scored)
+
+#1.2.2 Ensure GPG keys are configured (Not Scored)
+
+#1.3 Filesystem Integrity Checking
+
+#1.3.1 Ensure AIDE is installed (Scored)
+
+clear
+f_banner
+echo -e ""
+echo -e "NOT Installing and configuring AIDE"
+
+apt-get install -y aide
+aideinit
+
+# Configure cron job for AIDE
+echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide
+service cron restart
+
+#1.3.2 Ensure filesystem integrity is regularly checked (Scored)
+
+
+#1.4 Secure Boot Settings
+#1.4.1 Ensure permissions on bootloader config are configured (Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Securing Boot Settings"
+spinner
+sleep 2
+
+chown root:root /boot/grub/grub.cfg
+chmod og-rwx /boot/grub/grub.cfg
+
+#1.4.2 Ensure bootloader password is set (Scored)
+
+# echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m"
+# echo -e "\e[93m[+]\e[00m We will now Set a Bootloader Password"
+# echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m"
+# echo ""
+
+# grub-mkpasswd-pbkdf2 | tee grubpassword.tmp
+# grubpassword=$(cat grubpassword.tmp | sed -e '1,2d' | cut -d ' ' -f7)
+# echo " set superusers="root" " >> /etc/grub.d/40_custom
+# echo " password_pbkdf2 root $grubpassword " >> /etc/grub.d/40_custom
+# rm grubpassword.tmp
+# update-grub
+
+#1.4.3 Ensure authentication required for single user mode (Scored)
+
+
+#1.5 Additional Process Hardening
+#1.5.1 Ensure core dumps are restricted (Scored)
+
+echo "* hard core 0" >> /etc/security/limits.conf
+cp templates/sysctl/sysctl-CIS.conf /etc/sysctl.conf
+sysctl -e -p
+
+#1.5.2 Ensure XD/NX support is enabled (Not Scored)
+#1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored)
+ #already set on sysctl.conf template file
+
+
+#1.5.4 Ensure prelink is disabled (Scored)
+ # not installed by default on Clean Ubuntu install, will add condition later on
+
+#1.6 Mandatory Access Control
+#1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored) N/A
+#1.6.1.2 Ensure the SELinux state is enforcing (Scored) N/A
+#1.6.1.3 Ensure SELinux policy is configured (Scored) N/A
+#1.6.1.4 Ensure no unconfined daemons exist (Scored) N/A
+#1.6.2.1 Ensure AppArmor is not disabled in bootloader configuration (Scored)
+#1.6.2.2 Ensure all AppArmor Profiles are enforcing (Scored)
+#1.6.3 Ensure SELinux or AppArmor are installed (Not Scored)
+
+#1.7 Warning Banners
+#1.7.1.1 Ensure message of the day is configured properly (Scored)
+#1.7.1.2 Ensure local login warning banner is configured properly (Not Scored)
+#1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored)
+cat templates/texts/motd-CIS > /etc/motd
+cat templates/texts/motd-CIS > /etc/issue
+cat templates/texts/motd-CIS > /etc/issue.net
+
+#1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored)
+#1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
+#1.7.1.6 Ensure permissions on /etc/issue.net are configured (Not Scored)
+
+chown root:root /etc/motd /etc/issue /etc/issue.net
+chmod 644 /etc/motd /etc/issue /etc/issue.net
+
+#1.7.2 Ensure GDM login banner is configured (Scored)
+#1.8 Ensure updates, patches, and additional security software are installed (Not Scored)
+
+apt-get -y update
+apt-get -y upgrade
+
+############################################################
+
+
+### NOT ENABLED ON CLEAN INSTALL
+## Will configure later on for current install ##
+
+
+#2 Services
+#2.1 inetd Services
+#2.1.1 Ensure chargen services are not enabled (Scored)
+#.1.2 Ensure daytime services are not enabled (Scored)
+#2.1.3 Ensure discard services are not enabled (Scored)
+#2.1.4 Ensure echo services are not enabled (Scored)
+#2.1.5 Ensure time services are not enabled (Scored)
+#2.1.6 Ensure rsh server is not enabled (Scored)
+#2.1.7 Ensure talk server is not enabled (Scored)
+#2.1.8 Ensure telnet server is not enabled (Scored)
+#2.1.9 Ensure tftp server is not enabled (Scored)
+#2.1.10 Ensure xinetd is not enabled (Scored)
+
+##############################################################
+#2.2 Special Purpose Services
+#2.2.1.1 Ensure time synchronization is in use (Not Scored)
+#2.2.1.2 Ensure ntp is configured (Scored)
+#2.2.1.3 Ensure chrony is configured (Scored)
+
+
+#2.2.2 Ensure X Window System is not installed (Scored)
+#2.2.3 Ensure Avahi Server is not enabled (Scored)
+#2.2.4 Ensure CUPS is not enabled (Scored)
+#2.2.5 Ensure DHCP Server is not enabled (Scored)
+#2.2.6 Ensure LDAP server is not enabled (Scored)
+#2.2.7 Ensure NFS and RPC are not enabled (Scored)
+#2.2.8 Ensure DNS Server is not enabled (Scored)
+#2.2.9 Ensure FTP Server is not enabled (Scored)
+#2.2.10 Ensure HTTP server is not enabled (Scored)
+#2.2.11 Ensure IMAP and POP3 server is not enabled (Scored)
+#2.2.12 Ensure Samba is not enabled (Scored)
+#2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)
+#2.2.14 Ensure SNMP Server is not enabled (Scored)
+#2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored)
+#2.2.16 Ensure rsync service is not enabled (Scored)
+#2.2.17 Ensure NIS Server is not enabled (Scored)
+#2.3 Service Clients
+#2.3.1 Ensure NIS Client is not installed (Scored)
+#2.3.2 Ensure rsh client is not installed (Scored)
+#2.3.3 Ensure talk client is not installed (Scored)
+#2.3.4 Ensure telnet client is not installed (Scored)
+
+apt-get remove -y telnet
+
+#2.3.5 Ensure LDAP client is not installed (Scored)
+
+#######################################################################
+
+#3 Network Configuration
+#.1 Network Parameters (Host Only)
+#.1.1 Ensure IP forwarding is disabled (Scored)
+#.1.2 Ensure packet redirect sending is disabled (Scored)
+#.2 Network Parameters (Host and Router)
+#.2.1 Ensure source routed packets are not accepted (Scored)
+#.2.2 Ensure ICMP redirects are not accepted (Scored)
+#.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+#3.2.4 Ensure suspicious packets are logged (Scored)
+#3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+#3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+#3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+#3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+#3.3 IPv6
+#3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored)
+#3.3.2 Ensure IPv6 redirects are not accepted (Not Scored)
+
+## VALUES SET WITH SYSCTL TEMPLATE COPIED ON PREVIOUS STEP
+
+########################################################################
+
+#3.3.3 Ensure IPv6 is disabled (Not Scored)
+
+sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
+update-grub
+
+#3.4 TCP Wrappers
+#.4.1 Ensure TCP Wrappers is installed (Scored) Installed by default
+
+#.4.2 Ensure /etc/hosts.allow is configured (Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Setting hosts.allow and hosts.deny"
+spinner
+sleep 2
+
+echo "ALL: 10.0.0.0/255.0.0.0" >> /etc/hosts.allow
+echo "ALL: 192.168.0.0/255.255.0.0" >> /etc/hosts.allow
+echo "ALL: 172.16.0.0/255.240.0.0" >> /etc/hosts.allow
+
+#3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+
+echo "ALL: ALL" >> /etc/hosts.deny
+
+#3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
+
+chown root:root /etc/hosts.allow
+chmod 644 /etc/hosts.allow
+
+#3.4.5 Ensure permissions on /etc/hosts.deny are 644 (Scored)
+
+chown root:root /etc/hosts.deny
+chmod 644 /etc/hosts.deny
+
+#3.5 Uncommon Network Protocols
+#3.5.1 Ensure DCCP is disabled (Not Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Disabling uncommon Network Protocols"
+spinner
+sleep 2
+
+echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#3.5.2 Ensure SCTP is disabled (Not Scored)
+
+echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#3.5.3 Ensure RDS is disabled (Not Scored)
+
+echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#3.5.4 Ensure TIPC is disabled (Not Scored)
+
+echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf
+
+#3.6 Firewall Configuration
+#3.6.1 Ensure iptables is installed (Scored)
+#3.6.2 Ensure default deny firewall policy (Scored)
+#3.6.3 Ensure loopback traffic is configured (Scored)
+#3.6.4 Ensure outbound and established connections are configured (Not Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Setting up Iptables Rules"
+spinner
+sleep 1
+echo -e ""
+# Get SSH Port.
+echo -n " Type the SSH Port: "; read sshport
+sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; echo "OK"
+sh templates/iptables/iptables-CIS.sh
+
+cp templates/iptables/iptables-CIS.sh /etc/init.d/
+chmod +x /etc/init.d/iptables-CIS.sh
+ln -s /etc/init.d/iptables-CIS.sh /etc/rc2.d/S99iptables-CIS.sh
+
+
+# Replace the default rules file with the CIS rules file
+apt install -y iptables-persistent
+netfilter-persistent save
+netfilter-persistent reload
+
+#3.6.5 Ensure firewall rules exist for all open ports (Scored)
+#3.7 Ensure wireless interfaces are disabled (Not Scored)
+
+#4 Logging and Auditing
+#.1 Configure System Accounting (auditd)
+
+clear
+f_banner
+echo -e ""
+echo -e "Installing and configuring Auditd"
+
+spinner
+sleep 1
+
+apt-get install -y auditd audispd-plugins
+
+#.1.1.1 Ensure audit log storage size is configured (Not Scored)
+#.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+#4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+
+cp templates/audit/auditd-CIS.conf /etc/audit/auditd.conf
+
+#4.1.2 Ensure auditd service is enabled (Scored)
+
+systemctl enable auditd
+
+#4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+
+sed -i 's/GRUB_CMDLINE_LINUX="ipv6.disable=1"/GRUB_CMDLINE_LINUX="ipv6.disable=1\ audit=1"/g' /etc/default/grub
+
+#4.1.4 Ensure events that modify date and time information are collected(Scored)
+#4.1.5 Ensure events that modify user/group information are collected (Scored)
+#4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+#4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
+#.1.8 Ensure login and logout events are collected (Scored)
+#4.1.9 Ensure session initiation information is collected (Scored)
+#4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+#4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+#4.1.12 Ensure use of privileged commands is collected (Scored)
+#4.1.13 Ensure successful file system mounts are collected (Scored) #4.1.14 Ensure file deletion events by users are collected (Scored)
+#4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+#4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+#4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+#4.1.18 Ensure the audit configuration is immutable (Scored)
+
+
+cp templates/audit/audit-CIS.rules /etc/audit/audit.rules
+
+find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
+"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
+-k privileged" } ' >> /etc/audit/audit.rules
+
+echo " " >> /etc/audit/audit.rules
+echo "#End of Audit Rules" >> /etc/audit/audit.rules
+echo "-e 2" >> /etc/audit/audit.rules
+echo "-e 2" >> /etc/audit/audit.rules.prev
+echo "-e 2" >> /etc/audit/audit-stop.rules
+echo "-e 2" >> /etc/audit/rules.d/99-finalize.rules
+
+cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules
+
+#4.2 Configure Logging
+#4.2.1.1 Ensure rsyslog Service is enabled (Scored)
+#4.2.1.2 Ensure logging is configured (Not Scored)
+#4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+#4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored)
+#4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)
+#4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+#4.2.2.2 Ensure logging is configured (Not Scored)
+#4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+#4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Scored)
+#4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)
+#4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+# find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +
+# Add the above line to /etc/cron.d/CIS to be executed every 30 minutes
+echo "*/30 * * * * root find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +" >> /etc/cron.d/CIS
+
+#4.2.4 Ensure permissions on all logfiles are configured (Scored)
+echo "create 0640 root utmp" >> /etc/logrotate.conf
+chmod -R g-wx,o-rwx /var/log/*
+
+#4.3 Ensure logrotate is configured (Not Scored)
+
+
+#5 Access, Authentication and Authorization
+#.1 Configure cron
+#.1.1 Ensure cron daemon is enabled (Scored)
+#5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+#5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+#5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+#5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+#5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+#5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+
+chown root:root /etc/cron*
+chmod og-rwx /etc/cron*
+
+#5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+
+touch /etc/cron.allow
+touch /etc/at.allow
+
+chmod og-rwx /etc/cron.allow /etc/at.allow
+chown root:root /etc/cron.allow /etc/at.allow
+
+#5.2 SSH Server Configuration
+#5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+
+#Permissions set after template copy on Line 493
+
+#5.2.2 Ensure SSH Protocol is set to 2 (Scored)
+#5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
+#5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
+#5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+#5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
+#5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
+#5.2.8 Ensure SSH root login is disabled (Scored)
+#5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+#5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+#5.2.11 Ensure only approved MAC algorithms are used (Scored)
+#5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+#5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#5.2.14 Ensure SSH access is limited (Scored)
+#5.2.15 Ensure SSH warning banner is configured (Scored)
+
+##Create user for SSH Access
+
+echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m"
+echo -e "\e[93m[+]\e[00m We will now Create a New User for SSH Access"
+echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m"
+echo ""
+echo -n " Type the new username: "; read username
+adduser $username
+
+echo -n " Securing SSH..."
+sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK"
+sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; echo "OK"
+service ssh restart
+
+chown root:root /etc/ssh/sshd_config
+chmod og-rwx /etc/ssh/sshd_config
+
+#5.3 Configure PAM
+#5.3.1 Ensure password creation requirements are configured (Scored)
+apt install libpam-pwquality -y
+
+#5.3.2 Ensure lockout for failed password attempts is configured (Not Scored)
+#5.3.3 Ensure password reuse is limited (Scored)
+#5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+
+clear
+f_banner
+
+echo -e ""
+echo -e "Configuring PAM"
+spinner
+sleep 2
+
+cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd
+cp templates/pam/pwquality-CIS.conf /etc/security/pwquality.conf
+cp templates/pam/common-auth-CIS /etc/pam.d/common-auth
+cp templates/pam/common-account-CIS /etc/pam.d/common-account
+
+#5.4 User Accounts and Environment
+#5.4.1.1 Ensure password expiration is 90 days or less (Scored)
+#5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+#5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+
+cp templates/login.defs-CIS /etc/login.defs
+
+#5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+
+useradd -D -f 30
+
+#5.4.2 Ensure system accounts are non-login (Scored)
+
+for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do
+ if [ $user != "root" ]; then
+ usermod -L $user
+ if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then
+ usermod -s /usr/sbin/nologin $user
+ fi
+ fi
+done
+
+#5.4.3 Ensure default group for the root account is GID 0 (Scored)
+
+usermod -g 0 root
+
+#5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+
+sed -i s/umask\ 022/umask\ 027/g /etc/init.d/rc
+
+# 5.4.5 Ensure default user shell timeout is 900 seconds or less
+cat templates/shell/shell-tmout-CIS >> /etc/bash.bashrc
+cat templates/shell/shell-tmout-CIS >> /etc/profile
+
+for file in /etc/profile.d/*.sh; do
+ if grep -q 'TMOUT' "$file"; then
+ echo "TMOUT is configured in $file"
+ else
+ cat templates/shell/shell-tmout-CIS >> "$file"
+ fi
+done
+
+#5.5 Ensure root login is restricted to system console (Not Scored)
+#5.6 Ensure access to the su command is restricted (Scored)
+
+#6 System Maintenance
+#6.1 System File Permissions
+#6.1.1 Audit system file permissions (Not Scored)
+#6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+clear
+f_banner
+echo -e ""
+echo -e "Setting System File Permissions"
+spinner
+sleep 2
+
+
+chown root:root /etc/passwd
+chmod 644 /etc/passwd
+
+#6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+
+chown root:shadow /etc/shadow
+chmod o-rwx,g-wx /etc/shadow
+
+#6.1.4 Ensure permissions on /etc/group are configured (Scored)
+
+chown root:root /etc/group
+chmod 644 /etc/group
+
+#6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+
+chown root:shadow /etc/gshadow
+chmod o-rwx,g-rw /etc/gshadow
+
+#6.1.6 Ensure permissions on /etc/passwd - are configured (Scored)
+
+chown root:root /etc/passwd-
+chmod 600 /etc/passwd-
+chmod u-x,go-rwx /etc/passwd-
+
+#6.1.7 Ensure permissions on /etc/shadow - are configured (Scored)
+
+chown root:root /etc/shadow-
+chmod 600 /etc/shadow-
+
+#6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+
+chown root:root /etc/group-
+chmod u-x,go-rwx /etc/group-
+
+#6.1.9 Ensure permissions on /etc/gshadow - are configured (Scored)
+
+chown root:root /etc/gshadow-
+chmod 600 /etc/gshadow-
+
+#6.1.10 Ensure no world writable files exist (Scored)
+#6.1.11 Ensure no unowned files or directories exist (Scored)
+#6.1.12 Ensure no ungrouped files or directories exist (Scored)
+#6.1.13 Audit SUID executables (Not Scored)
+#6.1.14 Audit SGID executables (Not Scored)
+#6.2 User an d Group Settings
+#6.2.1 Ensure password fields are not empty (Scored)
+#6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+#6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+#6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored)
+#6.2.5 Ensure root is the only UID 0 account (Scored)
+#6.2.6 Ensure root PATH Integrity (Scored)
+#6.2.7 Ensure all users' home directories exist (Scored)
+#6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored)
+#6.2.9 Ensure users own their home directories (Scored)
+#6.2.10 Ensure users' dot files are not group or world writable (Scored)
+#6.2.11 Ensure no users have .forward files (Scored)
+#6.2.12 Ensure no users have .netrc files (Scored)
+#6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)
+#6.2.14 Ensure no users have .rhosts files (Scored)
+#6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored)
+#6.2.16 Ensure no duplicate UIDs e xist (Scored)
+#6.2.17 Ensure no duplicate GIDs exist (Scored)
+#6.2.18 Ensure no duplicate user names exist (Scored)
+#6.2.19 Ensure no duplicate group names exist (Scored)
+#6.2.20 Ensure shadow group is empty (Scored)
+
+clear
+f_banner
+
+cat templates/texts/bye-CIS
+say_continue
+
+# Ensure public key is in $username/.ssh/authorized_keys
+if [ -f /home/$username/.ssh/authorized_keys ]; then
+ echo -e "Authorized Key file already exists for $username"
+else
+ echo -e "Authorized Key file does not exist for $username"
+ echo -e "Creating Authorized Key file for $username"
+ mkdir /home/$username/.ssh
+ touch /home/$username/.ssh/authorized_keys
+ chown -R $username:$username /home/$username/.ssh
+ echo -e "Please add the allowed keys to the authorized_keys file."
+fi
+
+
+# Remove debian cloud-init user from /etc/sudoers.d/debian-cloud-init
+# and /etc/sudoers.d/90-cloud-init-users
+rm /etc/sudoers.d/*cloud-init*
+# Add sudo log file path to /etc/sudoers.d/logging
+echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging
+# Add sudo use_pty to /etc/sudoers.d/use_pty
+echo -e "Defaults use_pty" > /etc/sudoers.d/use_pty
+
+# Create an empty group that will be specified for use of the su command.
+# The group should be named according to site policy.
+# Example # groupadd sugroup Add the following line to the /etc/pam.d/su file,
+# specifying the empty group: auth required pam_wheel.so use_uid group=sugroup
+groupadd sugroup
+echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su
+usermod -a -G sugroup $username
+
+# Journalctl configuration
+# In /etc/systemd/journald.conf, Remove the # from the following lines:
+# Storage=persistent
+# Compress=yes
+sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf
+sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf
+
+# Echo Essential informations for the user to be able to connect back to the server.
+echo -e "Please note the following information to be able to connect back to the server:"
+echo -e "IP Address: $(hostname -I)"
+echo -e "Username: $username"
+echo -e "Password: THE PASSWORD YOU CHOSE"
+echo -e "Port: $sshport"
+echo -e "Please note that the root user is disabled by default."
+echo -e "Please note that the $username user is allowed to switch to root using the su command."
+echo -e "Please note that SUDO has not been configured yet."
+echo -e "Please reboot the server to apply all the changes.";
+
+# Echo some blank lines
+echo -e "\n\n";
+# Some manual work is required to complete the setup.
+echo -e "Please note that the following manual work is required to complete the setup:\n"
+echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user crontab -uroot -e"
+echo -e "Copy the required ssh keys to the /home/$username/.ssh/authorized_keys file."
+echo -e "RUN: chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-"
+# End of script
\ No newline at end of file
diff --git a/DebianServer_10/templates/audit/audit-CIS.rules b/DebianServer_10/templates/audit/audit-CIS.rules
new file mode 100644
index 0000000..ece2a9b
--- /dev/null
+++ b/DebianServer_10/templates/audit/audit-CIS.rules
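Review bot: The SSH port read by `read sshport` in section 3.6 is substituted unvalidated into `templates/iptables/iptables-CIS.sh` and later into `/etc/ssh/sshd_config`; an empty or non-numeric reply yields a default-deny firewall with no usable SSH accept rule and an sshd_config that `service ssh restart` applies without a syntax check, which on a remote host is a lockout. Validate right after the prompt, `[[ "$sshport" =~ ^[0-9]+$ ]] && (( sshport >= 1 && sshport <= 65535 )) || { echo "Invalid SSH port" >&2; exit 1; }`, and run `sshd -t || exit 1` before the restart. The AIDE entry written to `/etc/cron.d/aide` lacks the user field that `/etc/cron.d` files require, so it is never scheduled (the closing notes ask the operator to add it by hand); `0 5 * * * root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check` fixes that. The unattended-upgrades line `echo "APT::Periodic::AutocleanInterval "7";"` has its inner quotes consumed by the shell, so the value lands in `20auto-upgrades` unquoted; `echo 'APT::Periodic::AutocleanInterval "7";'` writes the form apt expects.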
@@ -0,0 +1,90 @@
+# First rule - delete all
+-D
+
+#Ensure events that modify date and time information are collected
+
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+#Ensure events that modify user/group information are collected
+
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+#Ensure events that modify the system's network environment are collected
+
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/network -p wa -k system-locale
+-w /etc/networks -p wa -k system-locale
+
+#Ensure events that modify system's MAC are collected
+
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+#Ensure login and logouts events are collected
+
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+#Ensure session initiation information is collected
+
+-w /var/run/utmp -p wa -k session
+-w /var/run/wtmp -p wa -k session
+-w /var/run/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+
+#Ensure discretionary access control permission modification events are collected
+
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+#Ensure unsuccessful unauthorized file access attempts are collected
+
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+
+#Ensure successful file system mounts are collected
+
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+
+#Ensure file deletion events by users are collected
+
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+#Ensure changes to system administration scope (sudoers) is collected
+
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d -p wa -k scope
+
+#Ensure system administrator actions (sudolog) are collected
+
+-w /var/log/sudo.log -p wa -k actions
+
+#Ensure kernel module loading and unloading is collected
+
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+
+#Ensure use of Privileged commands is collected
\ No newline at end of file
diff --git a/DebianServer_10/templates/audit/auditd-CIS.conf b/DebianServer_10/templates/audit/auditd-CIS.conf
new file mode 100644
index 0000000..0c1c924
--- /dev/null
+++ b/DebianServer_10/templates/audit/auditd-CIS.conf
@@ -0,0 +1,33 @@
+#
+# This file controls the configuration of the audit daemon
+# Configured according to CIS Benchmark
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 # CIS 4.1.2.1
+max_log_file_action = keep_logs # CIS 4.1.2.2
+space_left = 75
+space_left_action = email # CIS 4.1.2.3
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = halt
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
diff --git a/DebianServer_10/templates/iptables/iptables-CIS.sh b/DebianServer_10/templates/iptables/iptables-CIS.sh
new file mode 100644
index 0000000..cc1ac9a
--- /dev/null
+++ b/DebianServer_10/templates/iptables/iptables-CIS.sh
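Review bot: The kernel-module section records `init_module` and `delete_module` but not `finit_module`, which is the syscall current `modprobe`/`insmod` builds use to load a module from a file descriptor, so a load performed by a tool other than the three watched `/sbin` paths goes unrecorded; add `-S finit_module` to the `arch=b64` line (and a matching `arch=b32` line where 32-bit binaries can run). The file also sets no backlog, so under these dense `-S` rules an event burst may be dropped at the kernel's default queue size; `-b 8192` placed right after `-D` is the usual setting. `-w /var/run/wtmp` and `-w /var/run/btmp` name files that do not exist on Debian (the real ones under `/var/log` are already watched two lines later), so those two lines can be removed. The closing "privileged commands" header is intentionally empty and is filled in by the deployer's `find … | awk` append; a comment such as `# populated at deploy time from a find of setuid/setgid binaries` would save the next reader a search.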
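Review bot: `disp_qos = lossy` lets auditd drop events bound for the dispatcher when the audispd queue is full, which works against the `audispd-plugins` package the deployer installs alongside this file; `disp_qos = lossless` blocks instead of dropping and is the safer choice once any forwarding plugin is enabled. `space_left_action = email` with `action_mail_acct = root` depends on a working local MTA, and the deployer only installs `bsd-mailx`, so the low-space warning may never be delivered — if no MTA is planned, `space_left_action = syslog` is the reliable fallback (the `halt` on `admin_space_left_action` still protects the trail). `num_logs = 5` has no effect while `max_log_file_action = keep_logs`; a comment `# num_logs is ignored with keep_logs; growth is bounded only by the space_left thresholds` would prevent the impression that rotation is capped.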
@@ -0,0 +1,45 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Applies Iptable Rules
+# Description:
+### END INIT INFO
+
+
+# Flush /sbin/iptables rules
+ /sbin/iptables -F
+
+# Default deny Firewall policy
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+# Ensure loopback traffic is configured
+ /sbin/iptables -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -j DROP
+
+# Ensure outbound and established connections are configured
+ /sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
+
+# Open inbound ssh(23) connections
+ /sbin/iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT
+
+# Disable IPV7
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+# 4.5.4.2.2 Ensure IPv6 loopback traffic is configured.
+ /sbin/ip6tables -A INPUT -i lo -j ACCEPT
+ /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
+ /sbin/ip6tables -A INPUT -s ::1 -j DROP
\ No newline at end of file
diff --git a/DebianServer_10/templates/login.defs-CIS b/DebianServer_10/templates/login.defs-CIS
new file mode 100644
index 0000000..e868ca5
--- /dev/null
+++ b/DebianServer_10/templates/login.defs-CIS
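Review bot: The three `-P ... DROP` lines switch to default-deny before any ACCEPT rule exists, so on a remote SSH session an error anywhere between `-P INPUT DROP` and the ESTABLISHED rule cuts the session and strands the host; move the three `-P` lines after the ACCEPT rules, or load the whole ruleset atomically with `iptables-restore`. `--dport PORT` is evidently a placeholder the deployer substitutes, and if it is left unreplaced iptables rejects that rule and SSH stays closed under the DROP policy, so the caller should verify the substitution happened; the comment `# Open inbound ssh(23)` is also wrong (23 is telnet) and `# Disable IPV7` should read IPv6. The OUTPUT rules accept `NEW` for tcp, udp and icmp, so `-P OUTPUT DROP` filters almost nothing, which is what the benchmark asks for but should not be mistaken for egress filtering. The ip6tables block sets DROP policies with no ESTABLISHED rule, which is only safe because the sysctl template in this commit disables IPv6; a comment saying so would prevent a surprise if IPv6 is re-enabled later. `-F` also leaves user-defined chains and the nat/mangle tables untouched; add `-X` and `-t nat -F` if a clean state is intended.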
@@ -0,0 +1,338 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. 
+# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. 
+# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 027 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 90 +PASS_MIN_DAYS 7 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. 
This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# If set to yes, userdel will remove the user´s group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. 
+# +#CONSOLE /etc/consoles +CONSOLE console:tty0:tty1:tty01 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. 
+# +SHA_CRYPT_MIN_ROUNDS 5000 +SHA_CRYPT_MAX_ROUNDS 100000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR \ No newline at end of file diff --git a/DebianServer_10/templates/pam/common-account-CIS b/DebianServer_10/templates/pam/common-account-CIS new file mode 100644 index 0000000..bc917d2 --- /dev/null +++ b/DebianServer_10/templates/pam/common-account-CIS 
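Review bot: `FAILLOG_ENAB yes` is enabled while the comment directly above it warns that it conflicts with the pam_tally module, and the common-auth template in this same commit stacks `pam_tally2.so`; pick one lockout mechanism and set `FAILLOG_ENAB no` here so two counters do not disagree about when an account is locked. `PASS_MAX_DAYS 90`, `PASS_MIN_DAYS 7` and `PASS_WARN_AGE 7` only apply to accounts created after this file is installed; existing users keep their old aging values unless the deployer also runs `chage -M 90 -m 7 -W 7` per user, which deserves a comment at that block. `LOG_OK_LOGINS no` drops the successful-login records a detection team usually wants correlated with the failures in auth.log; consider `LOG_OK_LOGINS yes` unless log volume is the concern. `SHA_CRYPT_MIN_ROUNDS 5000` is the libc default, so the MIN line adds nothing; raise it if the intent is to force slower hashing.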
@@ -0,0 +1,30 @@
+# Note: If a user has been locked out because they have reached the maximum
+# consecutive failure count defined by deny= in the pam_tally2.so module, the user
+# can be unlocked by issuing the command /sbin/pam_tally2 -u --reset.
+# DEBUG TIP: tail -F /var/log/auth.log and watch pam_tally2 --user {user}
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account required pam_tally2.so onerr=fail
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/DebianServer_10/templates/pam/common-auth-CIS b/DebianServer_10/templates/pam/common-auth-CIS
new file mode 100644
index 0000000..522c8ca
--- /dev/null
+++ b/DebianServer_10/templates/pam/common-auth-CIS
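Review bot: `account required pam_tally2.so onerr=fail` makes every account check fail whenever the tally file (/var/log/tallylog by default) cannot be opened, so a full /var/log or a wrong permission becomes a system-wide lockout that includes console root; the benchmark's account-stack line carries no `onerr=fail` (only the auth line does), so use `account required pam_tally2.so` here, or at least document the recovery path next to the `pam_tally2 -u --reset` note in the header. The header also states this file is managed by pam-auth-update, and a later `pam-auth-update` run (triggered by installing any PAM-aware package) will regenerate it and silently drop the tally2 line; either ship the change as a profile under /usr/share/pam-configs or add a comment warning that the file is hand-maintained and must be re-applied.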
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
\ No newline at end of file
diff --git a/DebianServer_10/templates/pam/common-passwd-CIS b/DebianServer_10/templates/pam/common-passwd-CIS
new file mode 100644
index 0000000..079df58
--- /dev/null
+++ b/DebianServer_10/templates/pam/common-passwd-CIS
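Review bot: `pam_unix.so nullok_secure` on the primary auth line still lets an account with an empty password field log in from the ttys listed in /etc/securetty, which a CIS-hardened host should not allow; drop the option, i.e. `auth [success=1 default=ignore] pam_unix.so`, and let `PermitEmptyPasswords no` in sshd_config be defence in depth rather than the only control. The pam_tally2 line matches the benchmark values (`deny=5 unlock_time=900`), but because it is `required` and first in the stack it counts root's failures too; root escapes the lockout only because `even_deny_root` is absent, and a comment should say so before someone "fixes" it. `onerr=fail` here also means that if /var/log/tallylog is unreadable every authentication fails, so keep a tested break-glass console path and mention it in the header.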
@@ -0,0 +1,38 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password requisite pam_pwquality.so try_first_pass retry=3
+password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+
+#CIS
+password sufficient pam_unix.so remember=5
+
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
\ No newline at end of file
diff --git a/DebianServer_10/templates/pam/pwquality-CIS.conf b/DebianServer_10/templates/pam/pwquality-CIS.conf
new file mode 100644
index 0000000..9e8f2cd
--- /dev/null
+++ b/DebianServer_10/templates/pam/pwquality-CIS.conf
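Review bot: `password sufficient pam_unix.so remember=5` is a second pam_unix invocation placed after `pam_permit.so`, so it runs after the primary pam_unix line has already stored the new hash and is at best redundant and at worst prompts for a new password again (it lacks `use_authtok`); the benchmark remediation puts the option on the existing line instead, `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5`, and the trailing `#CIS` block should be deleted. `remember=` stores history in /etc/security/opasswd; if that file is missing, password changes may fail with an "Unable to open /etc/security/opasswd" error, so the deployer should create it root-owned with mode 0600 before applying this template. A one-line comment on the pam_pwquality line pointing at the pwquality.conf template would also help readers find where minlen and the credit values live.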
@@ -0,0 +1,7 @@
+# Configuration for systemwide password quality limits
+#Configured following CIS Benchmark by Jshielder
+minlen=14
+dcredit=-1
+ucredit=-1
+ocredit=-1
+lcredit=-1
\ No newline at end of file
diff --git a/DebianServer_10/templates/shell/shell-tmout-CIS b/DebianServer_10/templates/shell/shell-tmout-CIS
new file mode 100644
index 0000000..31d1d55
--- /dev/null
+++ b/DebianServer_10/templates/shell/shell-tmout-CIS
@@ -0,0 +1,5 @@
+
+
+if [ "$TMOUT" != 900 ]; then
+ readonly TMOUT=900 ; export TMOUT
+fi
\ No newline at end of file
diff --git a/DebianServer_10/templates/sshd/sshd_config-CIS b/DebianServer_10/templates/sshd/sshd_config-CIS
new file mode 100644
index 0000000..fd15deb
--- /dev/null
+++ b/DebianServer_10/templates/sshd/sshd_config-CIS
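Review bot: The limits in this file are not enforced for root unless `enforce_for_root` is set, because pam_pwquality only warns root by default; add `enforce_for_root` here (or on the pam_pwquality line in common-password) if root password changes are meant to meet the same minlen=14, four-class policy. The values themselves match the benchmark, but a short comment such as `# negative credit = minimum count of that class, e.g. dcredit=-1 means at least one digit` would stop readers from treating the credit values as weights.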
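Review bot: `readonly TMOUT=900` prints a "readonly variable" error at every shell start if an earlier profile fragment already made TMOUT readonly with a different value, and the `[ "$TMOUT" != 900 ]` guard only skips the case where it already equals 900; that is acceptable, but a comment should say the guard exists to make re-sourcing idempotent rather than to tolerate other values. This snippet only takes effect where it is sourced: if the deployer installs it under /etc/profile.d only, non-login interactive bash shells (which read /etc/bash.bashrc, not /etc/profile) keep no timeout, and the benchmark expects both paths covered, so the deployer should source it from /etc/bash.bashrc as well. The two leading blank lines add nothing and can go.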
@@ -0,0 +1,40 @@
+Port PORT
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+SyslogFacility AUTH
+ClientAliveCountMax 3
+ClientAliveInterval 60
+Compression no
+LogLevel VERBOSE
+MaxAuthTries 3
+MaxSessions 3
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitUserEnvironment no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+UseDNS no
+maxstartups 10:30:60
+Banner /etc/issue.net
+AllowUsers USERNAME
\ No newline at end of file
diff --git a/DebianServer_10/templates/sysctl/sysctl-CIS.conf b/DebianServer_10/templates/sysctl/sysctl-CIS.conf
new file mode 100644
index 0000000..ce2b5f4
--- /dev/null
+++ b/DebianServer_10/templates/sysctl/sysctl-CIS.conf
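Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` should be removed: DSA host keys are fixed at 1024 bits, ssh-dss is disabled by default in the OpenSSH shipped with Debian 10, and a fresh install typically does not generate that key file, so the line only yields a startup warning; replace it with `HostKey /etc/ssh/ssh_host_ed25519_key` next to the rsa and ecdsa keys. `Port PORT` and `AllowUsers USERNAME` are placeholders the deployer substitutes; if substitution fails sshd refuses to start on `Port PORT`, and with `PasswordAuthentication no` a typo in USERNAME locks every key-based user out, so run `sshd -t` on the rendered file and keep the current session open until a second login succeeds. `Protocol 2` is a no-op on this OpenSSH and can go, and `AllowTcpForwarding no` plus `AllowAgentForwarding no` are stricter than the benchmark requires, which is fine but deserves a comment so admins know why port-forwarding fails.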
@@ -0,0 +1,123 @@
+# Kernel sysctl configuration file for Ubuntu
+# Modified by Jason Soto
+#
+# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
+# sysctl.conf(5) for more details.
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 0
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 1
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmnb = 65536
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmax = 65536
+
+# Controls the maximum shared segment size, in bytes
+kernel.shmmax = 68719476736
+
+# Controls the maximum number of shared memory segments, in pages
+kernel.shmall = 4294967296
+
+######### GENERAL SECURITY OPTIONS ################
+
+# Automatically Reboot Server in 30 Seconds after a Kernel Panic
+vm.panic_on_oom = 1
+kernel.panic = 30
+kernel.panic_on_oops = 30
+
+# Enable ExecShield
+kernel.exec-shield = 1
+
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+
+########## COMMUNICATIONS SECURITY ##############
+# No Redirections
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Do not Accept Packets with SRR
+net.ipv4.conf.all.accept_source_route = 0
+
+# Do not accept Redirections
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.secure_redirects = 0
+net.ipv6.conf.default.secure_redirects = 0
+
+# Do not Accept source routed Packets
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Disable Packets Forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.forwarding = 0
+
+# Log Suspicious Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Ignore ICMP ECHO or TIMESTAMP sent by broadcast/multicast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.tcp_timestamps = 0
+
+# Protect Against 'syn flood attack'
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 5
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Enable Reverse Source Validation (Protects Against IP Spoofing)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Ignore Bogus Error Response
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Reduce KeepAlive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+#Ensure IPv6 router advertisement are not accepted
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+fs.suid_dumpable = 0
\ No newline at end of file
diff --git a/DebianServer_10/templates/texts/bye-CIS b/DebianServer_10/templates/texts/bye-CIS
new file mode 100644
index 0000000..032735e
--- /dev/null
+++ b/DebianServer_10/templates/texts/bye-CIS
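Review bot: `kernel.exec-shield = 1`, `net.ipv6.conf.all.secure_redirects` and `net.ipv6.conf.default.secure_redirects` are not sysctl keys on a Debian 10 kernel (exec-shield was a Red Hat-only patch and IPv6 has no secure_redirects knob), so `sysctl -p` reports an error for each; drop them, and note that the `net.bridge.bridge-nf-call-*` entries also fail unless br_netfilter is loaded before the file is applied. `vm.panic_on_oom = 1` with `kernel.panic = 30` turns every OOM event into a reboot 30 s later, which is an availability decision rather than a CIS item and should be called out in the comment above it; `kernel.panic_on_oops` is a boolean, so `30` just means enabled. `net.ipv4.conf.default.accept_source_route`, `ip_forward`, `rp_filter` and the `default.*` redirect keys are set twice, which is harmless but suggests the file was merged without review, and the header still says the file is for Ubuntu. With IPv6 fully disabled at the bottom, the IPv6 lines above are inert until someone re-enables it, which is acceptable as defence in depth but worth one sentence of comment.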
@@ -0,0 +1,7 @@ + + MESSAGE: + + Congratulations, We Finished Hardening the system following CIS + Benchmark + + This Server should be Rebooted now. diff --git a/DebianServer_10/templates/texts/motd-CIS b/DebianServer_10/templates/texts/motd-CIS new file mode 100644 index 0000000..3c4e7a7 --- /dev/null +++ b/DebianServer_10/templates/texts/motd-CIS @@ -0,0 +1,8 @@ +################################################################################ + + All connections are monitored and recorded + Unauthorized access to this server is prohibited +Any intrusion attempts will be reported to all Law Enforcement Agencies + Avoid Legal Charges, Disconnect NOW if you're not an authorized user! + +################################################################################ diff --git a/DebianServer_10/templates/texts/welcome-CIS b/DebianServer_10/templates/texts/welcome-CIS new file mode 100644 index 0000000..dc9d400 --- /dev/null +++ b/DebianServer_10/templates/texts/welcome-CIS 
@@ -0,0 +1,22 @@ +================================================================================ + Following Items Must be configured During initial System Install + +1.1.2 Ensure separate partition exists for /tmp (Scored) +1.1.3 Ensure nodev option set on /tmp partition (Scored) +1.1.4 Ensure nosuid option set on /tmp partition (Scored) +1.1.5 Ensure separate partition exists for /var (Scored) +1.1.6 Ensure separate partition exists for /var/tmp (Scored) +1.1.7 Ensure nodev option set on /var/tmp partition (Scored) +1.1.8 Ensure nosuid option set on /var/tmp partition (Scored) +1.1.9 Ensure noexec option set on /var/tmp partition (Scored) +1.1.10 Ensure separate partition exists for /var/log (Scored) +1.1.11 Ensure separate partition exists for /var/log/audit (Scored) +1.1.12 Ensure separate partition exists for /home (Scored) +1.1.13 Ensure nodev option set on /home partition (Scored) +1.1.14 Ensure nodev option set on /dev/shm partition (Scored) +1.1.15 Ensure nosuid option set on /dev/shm partition (Scored) +1.1.16 Ensure noexec option set on /dev/shm partition (Scored) + +If you did not configure this on initial system install, we recommend you perform +a reinstall and perform the above as Best Security Practice. +================================================================================ diff --git a/DebianServer_11/helpers.sh b/DebianServer_11/helpers.sh new file mode 100644 index 0000000..ec00dee --- /dev/null +++ b/DebianServer_11/helpers.sh 
@@ -0,0 +1,50 @@ +#!/bin/bash + +spinner () +{ + bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++" + barlength=${#bar} + i=0 + while ((i < 100)); do + n=$((i*barlength / 100)) + printf "\e[00;34m\r[%-${barlength}s]\e[00m" "${bar:0:n}" + ((i += RANDOM%5+2)) + sleep 0.02 + done +} + + + +# Show "Done." +function say_done() { + echo " " + echo -e "Done." + say_continue +} + + +# Ask to Continue +function say_continue() { + echo -n " To EXIT Press x Key, Press ENTER to Continue" + read acc + if [ "$acc" == "x" ]; then + exit + fi + echo " " +} + + +# Obtain Server IP +function __get_ip() { + serverip=$(ip route get 1 | awk '{print $7;exit}') + echo $serverip +} + + +# Copy Local Config Files +function tunning() { + whoapp=$1 + cp templates/$whoapp /root/.$whoapp + cp templates/$whoapp /home/$username/.$whoapp + chown $username:$username /home/$username/.$whoapp +} diff --git a/DebianServer_11/jshielder-CIS.sh b/DebianServer_11/jshielder-CIS.sh new file mode 100644 index 0000000..769d47d --- /dev/null +++ b/DebianServer_11/jshielder-CIS.sh 
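Review bot: `tunning` depends on a `$username` global that nothing in this file sets, and with it unset the function copies `templates/$whoapp` to `/home/.$whoapp` and runs `chown :` on it; guard the function with `: "${username:?username must be set before tunning}"` and quote the expansions, e.g. `cp -- "templates/$whoapp" "/root/.$whoapp"`. `read acc` in `say_continue` should be `read -r acc` so a typed backslash is not interpreted, and the unguarded `exit` there terminates the whole deployer mid-hardening, which is presumably intended but deserves a comment. `__get_ip` assumes the source address is field 7 of `ip route get 1`, which holds when a `via` gateway is present but shifts when the destination is directly connected; printing the token after `src` (`awk '{for(i=1;i<=NF;i++) if($i=="src"){print $(i+1);exit}}'`) is more robust. The `spinner` loop is fine but its `RANDOM`-driven increment makes the bar length non-deterministic, which is worth a one-line comment since it looks like a bug at first read.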
@@ -0,0 +1,573 @@ +#!/bin/bash + +# GLOBAL VARS +GRUB_CMDLINE_LINUX_OPTIONS="apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192" + +# 1.1.2.1: Ensure /tmp is a separate partition. (On Installation) +# 1.1.2.2: Ensure nodev option set on /tmp partition. (Requires separate partition) +# 1.1.2.3: Ensure noexec option set on /tmp partition. (Requires separate partition) +# 1.1.2.4: Ensure nosuid option set on /tmp partition. (Requires separate partition) +# 1.1.3.1: Ensure separate partition exists for /var. (On Installation) +# 1.1.3.2: Ensure nodev option set on /var partition. (Requires separate partition) +# 1.1.3.3: Ensure nosuid option set on /var partition. (Requires separate partition) +# 1.1.4.1: Ensure separate partition exists for /var/tmp. (On Installation) +# 1.1.4.2: Ensure noexec option set on /var/tmp partition. (Requires seperate partition) +# 1.1.4.3: Ensure nosuid option set on /var/tmp partition. (Requires seperate partition) +# 1.1.4.4: Ensure nodev option set on /var/tmp partition. (Requires seperate partition) +# 1.1.5.1: Ensure separate partition exists for /var/log. (On Installation) +# 1.1.5.2: Ensure nodev option set on /var/log partition. (Requires seperate partition) +# 1.1.5.3: Ensure noexec option set on /var/log partition. (Requires seperate partition) +# 1.1.5.4: Ensure nosuid option set on /var/log partition. (Requires seperate partition) +# 1.1.6.1: Ensure separate partition exists for /var/log/audit. (On Installation) +# 1.1.6.2: Ensure noexec option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.6.3: Ensure nodev option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.6.4: Ensure nosuid option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.7.1: Ensure separate partition exists for /home. (On Installation) +# 1.1.7.2: Ensure nodev option set on /home partition. (Requires seperate partition) +# 1.1.7.3: Ensure nosuid option set on /home partition. 
(Requires seperate partition) +# 1.1.8.1: Ensure nodev option set on /dev/shm partition. (Requires seperate partition) +# 1.1.8.2: Ensure noexec option set on /dev/shm partition. (Requires seperate partition) +# 1.1.8.3: Ensure nosuid option set on /dev/shm partition. (Requires seperate partition) +# 1.1.9: Disable Automounting. +## Check if autofs is installed or if there're packages depending on it. +if [ $(dpkg-query -W -f='${Status}' autofs 2>/dev/null | grep -c "ok installed") -eq 0 ]; then + echo "autofs is not installed" +else + echo "autofs is installed" + apt remove --purge autofs -y +fi + +# 1.3.1: Ensure AIDE is installed. +apt-get install -y aide +aideinit + +# 1.3.2: Ensure filesystem integrity is regularly checked. +# Configure cron job for AIDE +echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide +service cron restart + +cp templates/aide/aidecheck.service /etc/systemd/system/aidecheck.service +cp templates/aide/aidecheck.timer /etc/systemd/system/aidecheck.timer + + +chmod 644 /etc/systemd/system/aidecheck.* +systemctl daemon-reload +systemctl enable --now aidecheck.service aidecheck.timer + +# 1.4.1: Ensure bootloader password is set. (Skipped - Would require manual intervention on reboot). + +# grub-mkpasswd-pbkdf2 | tee grubpassword.tmp +# grubpassword=$(cat grubpassword.tmp | sed -e '1,2d' | cut -d ' ' -f7) +# echo " set superusers="root" " >> /etc/grub.d/40_custom +# echo " password_pbkdf2 root $grubpassword " >> /etc/grub.d/40_custom +# rm grubpassword.tmp +# update-grub + +# 1.4.2: Ensure permissions on bootloader config are configured. +chown root:root /boot/grub/grub.cfg +chmod u-wx,go-rwx /boot/grub/grub.cfg + +# 1.4.3: Ensure authentication required for single user mode. (Scored) +echo "Changing Root Password for Single User Mode: " +passwd root + +# 1.5.2: Ensure prelink is not installed. 
+apt remove --purge prelink -y + +# 1.5.3: Ensure Automatic Error Reporting is not enabled (Scored) +# 1.5.4: Ensure core dumps are restricted. +echo "* hard core 0" >> /etc/security/limits.conf +cp templates/sysctl/sysctl-CIS.conf /etc/sysctl.conf +sysctl -e -p + +## Check if systemd-coredump is installed. +if [ $(dpkg-query -W -f='${Status}' systemd-coredump 2>/dev/null | grep -c "ok installed") -eq 0 ]; then + echo "systemd-coredump is not installed" +else + echo "systemd-coredump is installed" + # Edit /etc/systemd/coredump.conf + sed -i 's/#Storage=external/Storage=none/g' /etc/systemd/coredump.conf + sed -i 's/#ProcessSizeMax=2G/ProcessSizeMax=0/g' /etc/systemd/coredump.conf +fi + +# 1.6.1.1: Ensure AppArmor is installed. +apt install apparmor apparmor-utils -y + +# 1.6.1.2: Ensure AppArmor is enabled in the bootloader configuration. +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" +update-grub + +# 1.6.1.3: Ensure all AppArmor Profiles are in enforce or complain mode. +aa-enforce /etc/apparmor.d/* +# aa-complain /etc/apparmor.d/* + +# 1.6.1.4: Ensure all AppArmor Profiles are enforcing (Scored on 1.6.1.3) +# 1.7.1: Ensure message of the day is configured properly. +# 1.7.2: Ensure local login warning banner is configured properly. +# 1.7.3: Ensure remote login warning banner is configured properly. +cat templates/texts/motd-CIS > /etc/motd +cat templates/texts/motd-CIS > /etc/issue +cat templates/texts/motd-CIS > /etc/issue.net +# 1.7.4: Ensure permissions on /etc/motd are configured. +# 1.7.5: Ensure permissions on /etc/issue are configured. +# 1.7.6: Ensure permissions on /etc/issue.net are configured. +chown root:root /etc/motd /etc/issue /etc/issue.net +chmod u-x,go-wx /etc/motd /etc/issue /etc/issue.net + +# 1.8.1: Ensure GNOME Display Manager is removed. (Scored) +# 1.8.10: Ensure XDCMP is not enabled (Scored) + +# 1.9: Ensure updates, patches, and additional security software are installed. 
+apt update -y && apt upgrade -y && apt dist-upgrade -y + +# 2.1.2.2: Ensure chrony is running as user _chrony. +echo "user _chrony" >> /etc/chrony/conf.d/chrony_user.conf + +# 2.1.2.3: Ensure chrony is enabled and running. +systemctl unmask chrony.service +systemctl enable --now chrony.service + + +# IF CHRONY IS NOT USED, USE NTP +# apt remove --purge chrony -y + +# 2.1.3.1: Ensure systemd-timesyncd configured with authorized timeserver. +apt install systemd-timesyncd -y +mkdir /etc/systemd/timesyncd.conf.d +cp templates/timesyncd/timesyncd.conf /etc/systemd/timesyncd.conf.d/50-timesyncd.conf + +# 2.1.3.2: Ensure systemd-timesyncd is enabled and running. +systemctl mask --now systemd-timesyncd.service + +## if chrony is used, disable systemd-timesyncd +# systemctl disable --now systemd-timesyncd.service +# systemctl mask systemd-timesyncd.service + +# 2.1.4.1: Ensure ntp access control is configured. (scored) +# 2.1.4.2: Ensure ntp is configured with authorized timeserver. +apt install -y ntp +cp templates/ntp/ntp.conf /etc/ntp.conf +system restart ntp + +# 2.1.4.3: Ensure ntp is running as user ntp (Scored) +# 2.1.4.4: Ensure ntp is enabled and running. +systemctl unmask ntp.service +systemctl enable --now ntp.service + +# 2.2.1: Ensure X Window System is not installed. +apt purge xserver-xorg* -y + +# 2.2.2: Ensure Avahi Server is not installed. (Scored) +# 2.2.3: Ensure CUPS is not installed. (Scored) +# 2.2.4: Ensure DHCP Server is not installed. (Scored) +# 2.2.5: Ensure LDAP server is not installed. (Scored) +# 2.2.6: Ensure NFS is not installed. (Scored) +# 2.2.7: Ensure DNS Server is not installed. (Scored) +# 2.2.8: Ensure FTP Server is not installed. (Scored) +# 2.2.9: Ensure HTTP server is not installed. (Scored) +# 2.2.10: Ensure IMAP and POP3 server are not installed. (Scored) +# 2.2.11: Ensure Samba is not installed. (Scored) +# 2.2.12: Ensure HTTP Proxy Server is not installed. (Scored) +# 2.2.13: Ensure SNMP Server is not installed. 
(Scored) +# 2.2.14: Ensure NIS Server is not installed. (Scored) +# 2.2.15: Ensure mail transfer agent is configured for local-only mode. (Scored) +# 2.2.16: Ensure rsync service is either not installed or masked. (Scored) +# 2.3.1: Ensure NIS Client is not installed. (Scored) +# 2.3.2: Ensure rsh client is not installed. (Scored) +# 2.3.3: Ensure talk client is not installed. (Scored) +# 2.3.4: Ensure telnet client is not installed. (Scored) +# 2.3.5: Ensure LDAP client is not installed. (Scored) +# 2.3.6: Ensure RPC is not installed. (Scored) + +# USING IPTABLES! +# 3.5.1.1: Ensure ufw is installed. (Not Applicable) +# 3.5.1.2: Ensure iptables-persistent is not installed with ufw. +apt install iptables-persistent -y + +# 3.5.1.3: Ensure ufw service is enabled. (Not Applicable) +# 3.5.1.4: Ensure ufw loopback traffic is configured. (Not Applicable) +# 3.5.1.7: Ensure ufw default deny firewall policy. (Not Applicable) +# 3.5.2.1: Ensure nftables is installed. +apt remove -y nftables + +# 3.5.2.2: Ensure ufw is uninstalled or disabled with nftables. +# 3.5.2.3: Ensure iptables are flushed with nftables. +# 3.5.2.4: Ensure a nftables table exists. +# 3.5.2.5: Ensure nftables base chains exist. +# 3.5.2.6: Ensure nftables loopback traffic is configured. +# 3.5.2.8: Ensure nftables default deny firewall policy. +# 3.5.2.9: Ensure nftables service is enabled. +# 3.5.3.1.1: Ensure iptables packages are installed. +apt install -y iptables + +# 3.5.3.1.2: Ensure nftables is not installed with iptables. (Scored) +# 3.5.3.1.3: Ensure ufw is uninstalled or disabled with iptables. +apt remove -y ufw + +# 3.5.3.2.1: Ensure iptables default deny firewall policy. +# 3.5.3.2.2: Ensure iptables loopback traffic is configured. +# 3.5.3.3.1: Ensure ip6tables default deny firewall policy. +# 3.5.3.3.2: Ensure ip6tables loopback traffic is configured. 
+## Take user input for the ssh port +read -rp "Enter the SSH port: " sshport +sed -i "s/PORT/$sshport/g" templates/iptables/iptables.sh +bash templates/iptables/iptables.sh + +netfilter-persistent save + +# 4.1.1.1: Ensure auditd is installed. +apt-get install -y auditd audispd-plugins + +# 4.1.1.2: Ensure auditd service is enabled and active. +systemctl --now enable auditd + +# 4.1.1.3: Ensure auditing for processes that start prior to auditd is enabled. +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" + +# 4.1.1.4: Ensure audit_backlog_limit is sufficient. +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" +update-grub + +# 4.1.2.1: Ensure audit log storage size is configured. +# 4.1.2.2: Ensure audit logs are not automatically deleted. +# 4.1.2.3: Ensure system is disabled when audit logs are full. +cp templates/auditd/auditd.conf /etc/audit/auditd.conf + +# 4.1.3.1: Ensure changes to system administration scope (sudoers) is collected. +# 4.1.3.2: Ensure actions as another user are always logged. +# 4.1.3.4: Ensure events that modify date and time information are collected. +# 4.1.3.5: Ensure events that modify the system's network environment are collected. +# 4.1.3.7: Ensure unsuccessful file access attempts are collected. +# 4.1.3.8: Ensure events that modify user/group information are collected. +# 4.1.3.9: Ensure discretionary access control permission modification events are collected. +# 4.1.3.10: Ensure successful file system mounts are collected. +# 4.1.3.11: Ensure session initiation information is collected. +# 4.1.3.12: Ensure login and logout events are collected. +# 4.1.3.13: Ensure file deletion events by users are collected. +# 4.1.3.14: Ensure events that modify the system's Mandatory Access Controls are collected. +# 4.1.3.15: Ensure successful and unsuccessful attempts to use the chcon command are recorded. 
+# 4.1.3.16: Ensure successful and unsuccessful attempts to use the setfacl command are recorded. +# 4.1.3.17: Ensure successful and unsuccessful attempts to use the chacl command are recorded. +# 4.1.3.18: Ensure successful and unsuccessful attempts to use the usermod command are recorded. +# 4.1.3.19: Ensure kernel module loading unloading and modification is collected. +cp templates/auditd/audit.rules /etc/audit/rules.d/50-scope.rules + +# 4.1.3.20: Ensure the audit configuration is immutable. +echo "#End of Audit Rules" >> /etc/audit/audit.rules +echo "-e 2" >> /etc/audit/audit.rules +echo "-e 2" >> /etc/audit/audit.rules.prev +echo "-e 2" >> /etc/audit/audit-stop.rules +echo "-e 2" >> /etc/audit/rules.d/99-finalize.rules + +# 4.1.3.21: Ensure the running and on disk configuration is the same. +if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then + echo "Reboot required to load rules"; + augenrules --load; +fi + +# 4.1.4.3: Ensure only authorized groups are assigned ownership of audit log files. +chown root:root auditd.conf + +sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = root\1/' /etc/audit/auditd.conf + +chgrp root /var/log/audit/ + +systemctl enable --now auditd + +# 4.1.4.5: Ensure audit configuration files are 640 or more restrictive. +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} + + +# 4.1.4.6: Ensure audit configuration files are owned by root. +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root -exec chown root {} + + +# 4.1.4.7: Ensure audit configuration files belong to group root. +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -group root -exec chgrp root {} + + +# 4.1.4.8: Ensure audit tools are 755 or more restrictive. +chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + +# 4.1.4.9: Ensure audit tools are owned by root. 
+chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + +# 4.1.4.10: Ensure audit tools belong to group root. +chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules +chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + +# 4.2.1.1.1: Ensure systemd-journal-remote is installed. +apt install systemd-journal-remote -y + +# 4.2.1.1.3: Ensure systemd-journal-remote is enabled. +#systemctl --now enable systemd-journal-upload.service + +# 4.2.1.1.4: Ensure journald is not configured to recieve logs from a remote client. +systemctl --now disable systemd-journal-remote.socket + +# 4.2.1.2: Ensure journald service is enabled. + +# By default the systemd-journald service does not +# have an [Install] section and thus cannot be enabled / disabled. +# It is meant to be referenced as Requires or Wants by other unit files. +# As such, if the status of systemd-journald is not static, investigate why. + + +# 4.2.1.3: Ensure journald is configured to compress large log files. +sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf + +# 4.2.1.4: Ensure journald is configured to write logfiles to persistent disk. +sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf + +# 4.2.1.5: Ensure journald is not configured to send logs to rsyslog. +sed -i 's/#ForwardToSyslog=no/ForwardToSyslog=yes/g' /etc/systemd/journald.conf +systemctl restart systemd-journald + +# 4.2.2.1: Ensure rsyslog is installed. +apt install rsyslog -y + +# 4.2.2.2: Ensure rsyslog service is enabled. +# 4.2.2.3: Ensure journald is configured to send logs to rsyslog. +# 4.2.2.4: Ensure rsyslog default file permissions are configured. (Scored by default) +# 4.2.2.7: Ensure rsyslog is not configured to receive logs from a remote client. (Scored by default) + +# 5.1.1: Ensure cron daemon is enabled and running. 
+systemctl --now enable cron + +# 5.1.2: Ensure permissions on /etc/crontab are configured. +chown root:root /etc/crontab +chmod og-rwx /etc/crontab + +# 5.1.3: Ensure permissions on /etc/cron.hourly are configured. +chown root:root /etc/cron.hourly/ +chmod og-rwx /etc/cron.hourly/ + +# 5.1.4: Ensure permissions on /etc/cron.daily are configured. +chown root:root /etc/cron.daily/ +chmod og-rwx /etc/cron.daily/ + +# 5.1.5: Ensure permissions on /etc/cron.weekly are configured. +chown root:root /etc/cron.weekly/ +chmod og-rwx /etc/cron.weekly/ + +# 5.1.6: Ensure permissions on /etc/cron.monthly are configured. +chown root:root /etc/cron.monthly/ +chmod og-rwx /etc/cron.monthly/ + +# 5.1.7: Ensure permissions on /etc/cron.d are configured. +chown root:root /etc/cron.d/ +chmod og-rwx /etc/cron.d/ + +# 5.1.8: Ensure cron is restricted to authorized users. +touch /etc/cron.allow +chmod g-wx,o-rwx /etc/cron.allow +chown root:root /etc/cron.allow + +# 5.1.9: Ensure at is restricted to authorized users. +if [ ! -f /etc/at.deny ]; then + rm /etc/at.deny +fi + +touch /etc/at.allow +chmod g-wx,o-rwx /etc/at.allow +chown root:root /etc/at.allow + +# 5.2.1: Ensure permissions on /etc/ssh/sshd_config are configured. +chown root:root /etc/ssh/sshd_config +chmod og-rwx /etc/ssh/sshd_config + +# 5.2.4: Ensure SSH access is limited. +# 5.2.5: Ensure SSH LogLevel is appropriate. +# 5.2.6: Ensure SSH PAM is enabled. +# 5.2.7: Ensure SSH root login is disabled. +# 5.2.8: Ensure SSH HostbasedAuthentication is disabled. +# 5.2.9: Ensure SSH PermitEmptyPasswords is disabled. +# 5.2.10: Ensure SSH PermitUserEnvironment is disabled. +# 5.2.11: Ensure SSH IgnoreRhosts is enabled. +# 5.2.12: Ensure SSH X11 forwarding is disabled. +# 5.2.13: Ensure only strong Ciphers are used. +# 5.2.14: Ensure only strong MAC algorithms are used. +# 5.2.15: Ensure only strong Key Exchange algorithms are used. +# 5.2.16: Ensure SSH AllowTcpForwarding is disabled. 
+# 5.2.17: Ensure SSH warning banner is configured. +# 5.2.18: Ensure SSH MaxAuthTries is set to 4 or less. +# 5.2.19: Ensure SSH MaxStartups is configured. +# 5.2.20: Ensure SSH MaxSessions is set to 10 or less. +# 5.2.21: Ensure SSH LoginGraceTime is set to one minute or less. +# 5.2.22: Ensure SSH Idle Timeout Interval is configured. +echo "Creating SSH user..." +read -r -p "Enter username: " username +adduser "$username" +cp templates/sshd/sshd_config-CIS /etc/ssh/sshd_config +sed "s/USERNAME/$username/g" templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; +sed -i "s/PORT/$sshport/g" /etc/ssh/sshd_config; + +mkdir -p /home/"$username"/.ssh +cp ~/.ssh/authorized_keys /home/"$username"/.ssh/authorized_keys +chown -R "$username":"$username" /home/"$username"/.ssh + +service ssh restart + +# 5.3.1: Ensure sudo is installed. +apt install sudo -y + +# 5.3.2: Ensure sudo commands use pty. +echo -e "Defaults use_pty" > /etc/sudoers.d/use_pty + +# 5.3.3: Ensure sudo log file exists. +echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging + +# 5.3.4: Ensure users must provide password for privilege escalation. +sed -i '/NOPASSWD/d' /etc/sudoers +sed -i '/NOPASSWD/d' /etc/sudoers.d/* + +# 5.3.5: Ensure re-authentication for privilege escalation is not disabled globally. +sed -i '/!authenticate/d' /etc/sudoers +sed -i '/!authenticate/d' /etc/sudoers.d/* + +# 5.3.6: Ensure sudo authentication timeout is configured correctly. +sed -i 's/env_reset/env_reset,timestamp_timeout=10/g' /etc/sudoers +sed -i 's/env_reset/env_reset,timestamp_timeout=10/g' /etc/sudoers.d/* + +# 5.3.7: Ensure access to the su command is restricted. +groupadd sugroup +echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su +usermod -a -G sugroup "$username" + +# 5.4.1: Ensure password creation requirements are configured. 
+apt install libpam-pwquality -y +cat templates/pam/pwquality-CIS.conf >> /etc/security/pwquality.conf + +# 5.4.2: Ensure lockout for failed password attempts is configured. +cp templates/pam/common-account /etc/pam.d/common-account +cp templates/pam/common-auth /etc/pam.d/common-auth +cp templates/pam/faillock.conf /etc/security/faillock.conf + +# 5.4.3: Ensure password reuse is limited. +# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. +cp templates/login.defs /etc/login.defs +cp templates/pam/common-password /etc/pam.d/common-password + +# 5.5.1.1: Ensure minimum days between password changes is configured. +sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/g' /etc/login.defs +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --mindays 1 "$user" +done + +# 5.5.1.2: Ensure password expiration is 365 days or less. +sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/g' /etc/login.defs +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --maxdays 90 "$user" +done + +# 5.5.1.3: Ensure password expiration warning days is 7 or more. +sed -i 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t7/g' /etc/login.defs + +for i in $(awk -F: '{ print $1}' /etc/passwd); do + chage --warndays 7 $i; +done + +# 5.5.1.4: Ensure inactive password lock is 30 days or less. +useradd -D -f 30 + +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --inactive 30 "$user" +done + +# 5.5.3: Ensure default group for the root account is GID 0. +if [ "$(grep '^root:' /etc/passwd | cut -f4 -d:)" -eq 0 ]; then + echo "Default group for root is GID 0" +else + usermod -g 0 root +fi + +# 6.1.1: Ensure permissions on /etc/passwd are configured. +chmod u-x,go-wx /etc/passwd +chown root:root /etc/passwd + +# 6.1.2: Ensure permissions on /etc/passwd- are configured. +chmod u-x,go-wx /etc/passwd- +chown root:root /etc/passwd- + +# 6.1.3: Ensure permissions on /etc/group are configured. 
+chmod u-x,go-wx /etc/group +chown root:root /etc/group + +# 6.1.4: Ensure permissions on /etc/group- are configured. +chmod u-x,go-wx /etc/group- +chown root:root /etc/group- + +# 6.1.5: Ensure permissions on /etc/shadow are configured. +chown root:root /etc/shadow +chmod u-x,g-wx,o-rwx /etc/shadow + +# 6.1.6: Ensure permissions on /etc/shadow- are configured. +chown root:root /etc/shadow- +chmod u-x,g-wx,o-rwx /etc/shadow- + +# 6.1.7: Ensure permissions on /etc/gshadow are configured. +chown root:root /etc/gshadow +chmod u-x,g-rw,o-rwx /etc/gshadow + +# 6.1.8: Ensure permissions on /etc/gshadow- are configured. +chown root:root /etc/gshadow- +chmod u-x,g-rw,o-rwx /etc/gshadow- + +# 6.2.1: Ensure accounts in /etc/passwd use shadowed passwords. +sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd + +# 6.2.2: Ensure /etc/shadow password fields are not empty. +if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]; +then + echo "All users have a password" +else + # Lock all users with a password + awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow | while read -r user; do passwd -l "$user"; done +fi + +# 6.2.10: Ensure root is the only UID 0 account. +# Remove any users other than root with UID 0 or assign them a new UID if appropriate. +awk -F: '($3 == 0) { print $1 }' /etc/passwd | while read -r user; do + if [ "$user" != "root" ]; then + echo "User $user is UID 0, please assign a new UID or remove the user." 
+ fi
+done
+
+# Disable disable_freevxfs
+echo "install freevxfs /bin/true" > /etc/modprobe.d/freevxfs.conf
+rmmod freevxfs
+
+# Disable disable_jffs2
+echo "install jffs2 /bin/true" > /etc/modprobe.d/jffs2.conf
+rmmod jffs2
+
+# Disable disable_hfs, disable_hfsplus, disable_udf
+echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf
+echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf
+echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf
+
+rmmod hfs hfsplus udf
+
+# Disable squashfs (will impact snaps) # Skipping for now.
+# FAT is used by vfat, which is used by the EFI system partition # Skipping for now.
+
+
+# Fix Logrotate Create Permissions
+grep -rlE -w "create" /etc/logrotate.d/ | xargs sed -i 's/create[[:space:]]*[0-7]\{4\}/create 640/'
+find /var/log -type f -exec chmod 640 {} \;
+
+
+# Fix home directory permissions being too open.
+chmod -R 0740 /home/*
+sed -i 's/^DIR_MODE=.*/DIR_MODE=740/' /etc/adduser.conf
+
+# Remove some packages
+apt remove --purge tcpdump -y
+
+# Search & Remove TMOUT from /etc/bash.bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory
+sed -i '/TMOUT/d' /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh
+
+# Configure TMOUT
+echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile.d/tmout.sh
+
+# Disable USB Storage
+echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/01-usblockdown.rules
+
+
diff --git a/DebianServer_11/templates/aide/aidecheck.service b/DebianServer_11/templates/aide/aidecheck.service
new file mode 100644
index 0000000..09f2a10
--- /dev/null
+++ b/DebianServer_11/templates/aide/aidecheck.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Aide Check
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
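Review bot: `sshport` is read from the terminal and spliced unvalidated into a sed expression and from there into the iptables `--dport` rule, so an empty or non-numeric answer makes `iptables.sh` fail after its default DROP policies are already in place, which can lock the operator out of the host over SSH; guard it before use, e.g. `[[ "$sshport" =~ ^[0-9]+$ && "$sshport" -ge 1 && "$sshport" -le 65535 ]] || { echo "invalid SSH port: $sshport" >&2; exit 1; }`. That `sed -i` also rewrites the `PORT` placeholder inside the template itself, and the `GRUB_CMDLINE_LINUX` sed runs three times (1.6.1.2, 4.1.1.3, 4.1.1.4) appending the same options to the kernel command line each time, so the script is not safe to re-run; render templates to a temporary file and apply the grub edit once. `system restart ntp` is not a command (`systemctl restart ntp`), so the NTP config is never loaded, and the script installs chrony, systemd-timesyncd and ntp side by side, which cannot all be the authoritative time source. The at.deny check `if [ ! -f /etc/at.deny ]; then rm /etc/at.deny` is inverted and never removes the file. Under the heading "4.2.1.5: Ensure journald is not configured to send logs to rsyslog" the sed sets `ForwardToSyslog=yes`, the opposite of the heading; if rsyslog is the intended collector (4.2.2.3), the comment should say so.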
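Review bot: `Type=simple` with an `[Install]` section means `systemctl enable --now aidecheck.service` in jshielder-CIS.sh starts a full AIDE scan at every boot and immediately, independent of the timer; a timer-driven check should be `Type=oneshot` and carry no `[Install]` section so only `aidecheck.timer` starts it. `ExecStart` runs `/usr/bin/aide` directly while the cron entry the script also installs calls `/usr/bin/aide.wrapper`, so the two schedules use different entry points; pick one and document it in the unit's `Description`.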
diff --git a/DebianServer_11/templates/aide/aidecheck.timer b/DebianServer_11/templates/aide/aidecheck.timer
new file mode 100644
index 0000000..b38ea4b
--- /dev/null
+++ b/DebianServer_11/templates/aide/aidecheck.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Aide check every day at 5AM
+
+[Timer]
+OnCalendar=*-*-* 05:00:00
+Unit=aidecheck.service
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules
new file mode 100644
index 0000000..cf97e00
--- /dev/null
+++ b/DebianServer_11/templates/auditd/audit.rules
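Review bot: The timer has no `Persistent=true`, so a 05:00 run missed while the host was powered off is skipped rather than caught up at next boot, leaving gaps in the integrity-check history; add `Persistent=true` under `[Timer]`. Timers are conventionally installed with `WantedBy=timers.target` rather than `multi-user.target`. jshielder-CIS.sh also adds a cron entry (`0 5 * * * /usr/bin/aide.wrapper …`) for the same check, so the scan currently fires from two schedulers at the same minute; keep one.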
@@ -0,0 +1,133 @@ +# First rule - delete all +-D + +# Ensure changes to system administration scope (sudoers) is collected (CIS 4.1.3.1) + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d -p wa -k scope + +# Ensure actions as another user are always logged (CIS 4.1.3.2) +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation + +# Ensure events that modify date and time information are collected (CIS 4.1.3.4) + +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +# Ensure events that modify the system's network environment are collected (CIS 4.1.3.5) + +-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/networks -p wa -k system-locale +-w /etc/network/ -p wa -k system-locale + +# Ensure unsuccessful unauthorized file access attempts are collected (CIS 4.1.3.7) + +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=10000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +# Ensure events that modify user/group information are collected (CIS 4.1.3.8) + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd 
-p wa -k identity + +# Ensure discretionary access control permission modification events are collected (CIS 4.1.3.9) + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +# Ensure successful file system mounts are collected (CIS 4.1.3.10) + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts + +# Ensure session initiation information is collected (CIS 4.1.3.11) + +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +# Ensure login and logouts events are collected (CIS 4.1.3.12) + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins +-w /var/run/faillock -p wa -k logins + +# Ensure file deletion events by users are collected (CIS 4.1.3.13) + +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete + +# Ensure events that modify system's Mandatory Access Controls are collected (CIS 4.1.3.14) + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +# Ensure successful and 
unsuccessful attempts to use the chcon command are recorded (CIS 4.1.3.15) + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the setfacl command are recorded (CIS 4.1.3.16) + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the chacl command are recorded (CIS 4.1.3.17) + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the usermod command are recorded (CIS 4.1.3.18) + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod + +# Ensure kernel module loading unloading and modification is collected (CIS 4.1.3.19) + +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules + +### Additional ### +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-w /etc/selinux/ -p wa -k MAC-policy +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F 
path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-w /var/log/auth.log -p wa -k sudoaction +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +### Additional ### \ No newline at end of file diff --git a/DebianServer_11/templates/auditd/auditd.conf b/DebianServer_11/templates/auditd/auditd.conf new file mode 100644 index 0000000..cf4e51c --- /dev/null +++ b/DebianServer_11/templates/auditd/auditd.conf 
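Review bot: The 32-bit EACCES rule under CIS 4.1.3.7 filters on `auid>=10000` while its three siblings use `auid>=1000`, so failed file-access attempts by ordinary users (UIDs 1000–9999) through 32-bit syscalls are never recorded; change it to `-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access`. The leading `-D` is risky once this file is installed as `/etc/audit/rules.d/50-scope.rules` by the main script, because augenrules concatenates the rules.d files in name order and a `-D` here discards every rule from files sorting before it; keep `-D` only in the lowest-numbered file or drop it here. The "Additional" block re-adds `adjtimex`/`settimeofday` time-change rules already declared above and watches `/etc/selinux/`, which is presumably absent on an AppArmor system — harmless, but noise that obscures the intended rule set.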
@@ -0,0 +1,9 @@
+max_log_file = 6
+max_log_file_action = keep_logs
+space_left_action = email
+log_group = root
+log_file = /var/log/audit/audit.log
+action_mail_acct = root
+admin_space_left_action = single
+space_left = 75
+admin_space_left = 50
diff --git a/DebianServer_11/templates/iptables/iptables.sh b/DebianServer_11/templates/iptables/iptables.sh
new file mode 100644
index 0000000..30ec8ec
--- /dev/null
+++ b/DebianServer_11/templates/iptables/iptables.sh
@@ -0,0 +1,33 @@
+# Flush /sbin/iptables rules
+ /sbin/iptables -F
+
+# Default deny Firewall policy
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+# Ensure loopback traffic is configured
+ /sbin/iptables -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -j DROP
+
+# Ensure outbound and established connections are configured
+ /sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
+
+# Open inbound ssh connections
+ /sbin/iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT
+
+# Disable IPV7
+ /sbin/ip6tables -P INPUT DROP
+ /sbin/ip6tables -P OUTPUT DROP
+ /sbin/ip6tables -P FORWARD DROP
+
+# 4.5.4.2.2 Ensure IPv6 loopback traffic is configured.
+ /sbin/ip6tables -A INPUT -i lo -j ACCEPT
+ /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
+ /sbin/ip6tables -A INPUT -s ::1 -j DROP
\ No newline at end of file
diff --git a/DebianServer_11/templates/login.defs b/DebianServer_11/templates/login.defs
new file mode 100644
index 0000000..a19aacb
--- /dev/null
+++ b/DebianServer_11/templates/login.defs
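Review bot: `max_log_file_action = keep_logs` together with `max_log_file = 6` rotates into a fresh 6 MB file but never prunes old ones, so audit volume grows without bound until the `space_left = 75` / `admin_space_left = 50` thresholds (megabytes) fire and `admin_space_left_action = single` drops the host to single-user mode — that only makes sense if /var/log/audit is its own partition or logs are shipped off-box, and the file should say so in a comment. If these nine keys are copied over the stock /etc/audit/auditd.conf, every key they omit (`disk_full_action`, `disk_error_action`, `flush`, `freq`, `log_format`, …) reverts to auditd's built-in default, which for the two disk_* actions is, as I recall, SUSPEND — auditing silently stops rather than the system stopping. If the intent is the CIS "disable the system when audit logs are full" control, state it explicitly with `disk_full_action = halt` and `disk_error_action = halt` (or `single`, matching the line above).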
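Review bot: The `-P INPUT DROP` / `-P OUTPUT DROP` policies are installed before a single ACCEPT rule exists, and the only inbound management rule depends on `PORT` having been substituted by the caller; if that substitution misses, iptables rejects `--dport PORT`, nothing in this file stops on error, and an administrator running it over ssh is left behind default-deny with no way back in. Append the loopback, ESTABLISHED and ssh ACCEPT rules first and move the three `-P … DROP` lines (and the ip6tables ones) to the end of the script, after an `/sbin/ip6tables -F`, which is currently missing. Minor: the comment `# Disable IPV7` should read `# Disable IPv6`, and `-m state --state` is the legacy spelling of `-m conntrack --ctstate`, which behaves identically here. Whether the rules are persisted across reboot (iptables-persistent / netfilter-persistent) is not visible from this hunk.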
@@ -0,0 +1,29 @@
+MAIL_DIR /var/mail
+FAILLOG_ENAB yes
+LOG_UNKFAIL_ENAB no
+LOG_OK_LOGINS no
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+FTMP_FILE /var/log/btmp
+SU_NAME su
+HUSHLOGIN_FILE .hushlogin
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+TTYGROUP tty
+TTYPERM 0600
+ERASECHAR 0177
+KILLCHAR 025
+UMASK 022
+PASS_MAX_DAYS 90
+PASS_MIN_DAYS 1
+PASS_WARN_AGE 7
+UID_MIN 1000
+UID_MAX 60000
+GID_MIN 1000
+GID_MAX 60000
+LOGIN_RETRIES 5
+LOGIN_TIMEOUT 60
+CHFN_RESTRICT rwh
+DEFAULT_HOME yes
+USERGROUPS_ENAB yes
+ENCRYPT_METHOD yescrypt
\ No newline at end of file
diff --git a/DebianServer_11/templates/ntp/ntp.conf b/DebianServer_11/templates/ntp/ntp.conf
new file mode 100644
index 0000000..5a59aef
--- /dev/null
+++ b/DebianServer_11/templates/ntp/ntp.conf
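Review bot: `UMASK 022` leaves files created by login sessions world-readable, which is the opposite of the CIS default-umask control (027 or more restrictive) this template is supposed to satisfy; change it to `UMASK 027` and keep it in step with whatever umask the profile/pam_umask side sets. Since these 29 keys replace the whole of /etc/login.defs rather than patching values in place, every key Debian's stock file sets and this one omits silently reverts to the shadow-utils built-in default — a header such as `# Complete replacement for /etc/login.defs; unlisted keys take shadow-utils defaults` would make that deliberate. `ENCRYPT_METHOD yescrypt` is right for Debian 11 but, as far as I know, is not understood by the older shadow-utils in Debian 10, so this file must not be shared with the DebianServer_10 tree.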
@@ -0,0 +1,64 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+server time.nist.gov iburst
+server time-a-g.nist.gov iburst
+server time-b-g.nist.gov iburst
+server time-c-g.nist.gov iburst
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+pool 0.debian.pool.ntp.org iburst
+pool 1.debian.pool.ntp.org iburst
+pool 2.debian.pool.ntp.org iburst
+pool 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
\ No newline at end of file
diff --git a/DebianServer_11/templates/pam/common-account b/DebianServer_11/templates/pam/common-account
new file mode 100644
index 0000000..4f848cb
--- /dev/null
+++ b/DebianServer_11/templates/pam/common-account
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+account required pam_faillock.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
\ No newline at end of file
diff --git a/DebianServer_11/templates/pam/common-auth b/DebianServer_11/templates/pam/common-auth
new file mode 100644
index 0000000..4df4ec1
--- /dev/null
+++ b/DebianServer_11/templates/pam/common-auth
@@ -0,0 +1,28 @@
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth required pam_faillock.so preauth # Added to enable faillock
+auth [success=1 default=ignore] pam_unix.so nullok
+auth [default=die] pam_faillock.so authfail # Added to enable faillock
+auth sufficient pam_faillock.so authsucc # Added to enable faillock
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/DebianServer_11/templates/pam/common-password b/DebianServer_11/templates/pam/common-password
new file mode 100644
index 0000000..5fca458
--- /dev/null
+++ b/DebianServer_11/templates/pam/common-password
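Review bot: `nullok` on the `pam_unix.so` line (second line of the Primary block) lets any account whose shadow password field is empty authenticate with no password through every service that includes common-auth — console login, su, sudo, any PAM-backed daemon — so the `PermitEmptyPasswords no` in the sibling sshd template covers only one entry point; drop the option: `auth [success=1 default=ignore] pam_unix.so`. The header still states the file is managed by pam-auth-update, yet the three faillock lines are hand-inserted inside the managed Primary block, and the next `pam-auth-update` run (libpam package upgrades invoke it) will, depending on how it detects the local change, either stop managing the file or regenerate it without faillock. A top-of-file comment such as `# Hand-edited: re-apply the pam_faillock lines if pam-auth-update is ever run with --force` would at least warn the next operator.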
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11. Without this option, the default is Unix crypt. Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility . The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage
+#for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password requisite pam_pwquality.so retry=3
+password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/DebianServer_11/templates/pam/faillock.conf b/DebianServer_11/templates/pam/faillock.conf
new file mode 100644
index 0000000..ce51847
--- /dev/null
+++ b/DebianServer_11/templates/pam/faillock.conf
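Review bot: The `pam_unix.so` line in the Primary block is malformed: PAM reads `type control module-path arguments`, so here the module path is `try_first_pass` — a module that does not exist — and `remember=5 pam_unix.so obscure use_authtok` become its arguments; Linux-PAM will log that it cannot dlopen the module and, with nothing setting a success code before the `requisite pam_deny.so`, password changes are very likely to fail for every user, root included. Rewrite it as `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5 yescrypt`. The explicit `yescrypt` follows the file's own comment that without a hash option pam_unix falls back to traditional crypt, and keeps it consistent with `ENCRYPT_METHOD yescrypt` in the login.defs template of this same commit.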
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = 4
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is n seconds.
+# The default is 900 (15 minutes).
+fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group =
diff --git a/DebianServer_11/templates/pam/pwquality-CIS.conf b/DebianServer_11/templates/pam/pwquality-CIS.conf
new file mode 100644
index 0000000..304705a
--- /dev/null
+++ b/DebianServer_11/templates/pam/pwquality-CIS.conf
@@ -0,0 +1,8 @@
+# Configuration for systemwide password quality limits
+#Configured following CIS Benchmark by Jshielder
+minclass=5
+minlen=15
+dcredit=-1
+ucredit=-1
+ocredit=-1
+lcredit=-1
\ No newline at end of file
diff --git a/DebianServer_11/templates/sshd/sshd_config-CIS b/DebianServer_11/templates/sshd/sshd_config-CIS
new file mode 100644
index 0000000..f5979b7
--- /dev/null
+++ b/DebianServer_11/templates/sshd/sshd_config-CIS
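Review bot: `minclass=5` asks for more character classes than libpwquality defines — it knows exactly four (digits, upper, lower, other) — so depending on the library version the value is either clamped to 4 or makes every new password fail the class check; use `minclass=4`, which the four `*credit=-1` lines below already enforce and which matches the CIS wording. The name `pwquality-CIS.conf` only takes effect if the deploy script copies it to /etc/security/pwquality.conf (or into pwquality.conf.d/ on a libpwquality new enough to read it); that copy is not visible from this hunk. Consider adding `enforce_for_root`, since pam_pwquality otherwise only warns when root sets another user's password.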
@@ -0,0 +1,52 @@
+Port PORT
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+SyslogFacility AUTH
+ClientAliveCountMax 3
+ClientAliveInterval 60
+Compression no
+LogLevel VERBOSE
+MaxAuthTries 3
+MaxSessions 3
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+GSSAPIKeyExchange no
+UsePrivilegeSeparation sandbox
+RekeyLimit 512M 6h
+AllowStreamLocalForwarding no
+PermitTunnel no
+PermitUserRC no
+GatewayPorts no
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitUserEnvironment no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+UseDNS no
+maxstartups 10:30:60
+Banner /etc/issue.net
+AllowUsers USERNAME
+DenyUsers *nobody
+DenyGroups *nobody
\ No newline at end of file
diff --git a/DebianServer_11/templates/sysctl/sysctl-CIS.conf b/DebianServer_11/templates/sysctl/sysctl-CIS.conf
new file mode 100644
index 0000000..ce2b5f4
--- /dev/null
+++ b/DebianServer_11/templates/sysctl/sysctl-CIS.conf
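Review bot: The HostKey list (lines 3-5) names `ssh_host_dsa_key`, which Debian 11's OpenSSH (8.4p1) no longer generates and whose `ssh-dss` algorithm is disabled by default, and omits `ssh_host_ed25519_key`, which Debian does generate — sshd will log `Could not load host key` for the DSA file at every start while the best available host key goes unused; replace the dsa line with `HostKey /etc/ssh/ssh_host_ed25519_key`. `Protocol 2` and `UsePrivilegeSeparation sandbox` are removed keywords that current sshd accepts only with a "Deprecated option" warning, so drop them to keep `sshd -t` clean. With `PasswordAuthentication no` and `AllowUsers USERNAME`, the template is only safe if `~USERNAME/.ssh/authorized_keys` has been provisioned before sshd is restarted; that provisioning is not visible in this hunk and deserves an explicit check in the deploy script.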
@@ -0,0 +1,123 @@
+# Kernel sysctl configuration file for Ubuntu
+# Modified by Jason Soto
+#
+# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
+# sysctl.conf(5) for more details.
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 0
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 1
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmnb = 65536
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmax = 65536
+
+# Controls the maximum shared segment size, in bytes
+kernel.shmmax = 68719476736
+
+# Controls the maximum number of shared memory segments, in pages
+kernel.shmall = 4294967296
+
+######### GENERAL SECURITY OPTIONS ################
+
+# Automatically Reboot Server in 30 Seconds after a Kernel Panic
+vm.panic_on_oom = 1
+kernel.panic = 30
+kernel.panic_on_oops = 30
+
+# Enable ExecShield
+kernel.exec-shield = 1
+
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+
+########## COMMUNICATIONS SECURITY ##############
+# No Redirections
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Do not Accept Packets with SRR
+net.ipv4.conf.all.accept_source_route = 0
+
+# Do not accept Redirections
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.secure_redirects = 0
+net.ipv6.conf.default.secure_redirects = 0
+
+# Do not Accept source routed Packets
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Disable Packets Forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.forwarding = 0
+
+# Log Suspicious Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Ignore ICMP ECHO or TIMESTAMP sent by broadcast/multicast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.tcp_timestamps = 0
+
+# Protect Against 'syn flood attack'
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 5
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Enable Reverse Source Validation (Protects Against IP Spoofing)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Ignore Bogus Error Response
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Reduce KeepAlive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+#Ensure IPv6 router advertisement are not accepted
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+fs.suid_dumpable = 0
\ No newline at end of file
diff --git a/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf b/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf
new file mode 100644
index 0000000..78a1701
--- /dev/null
+++ b/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf
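Review bot: Three keys in this file do not exist on a Debian kernel and make `sysctl -p` / `sysctl --system` report errors for it: `kernel.exec-shield` is a Red Hat-only patch (the `Enable ExecShield` comment is a RHEL leftover; `kernel.randomize_va_space = 2` just below is the upstream control), and `net.ipv6.conf.all.secure_redirects` / `net.ipv6.conf.default.secure_redirects` have no IPv6 counterpart — drop all three. The `net.bridge.bridge-nf-call-*` keys also fail unless `br_netfilter` is loaded, so either remove them or document that the module must be loaded first. `kernel.panic_on_oops` is documented as a 0/1 flag; `= 30` only works because, as far as I can tell, the kernel tests it for non-zero, and the 30-second delay is already expressed by `kernel.panic = 30`, so make it `kernel.panic_on_oops = 1`. The IPv6 half of the CIS source-route control is missing: add `net.ipv6.conf.all.accept_source_route = 0` and `net.ipv6.conf.default.accept_source_route = 0` next to their IPv4 counterparts.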
@@ -0,0 +1,4 @@
+[Time]
+# Note: Servers added to these line(s) should follow local site policy.
+NTP=time.nist.gov
+FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov
\ No newline at end of file
diff --git a/jshielder.sh b/jshielder.sh
index f751c70..fa67d96 100755
--- a/jshielder.sh
+++ b/jshielder.sh
@@ -69,8 +69,10 @@ echo "2. Ubuntu Server 18.04 LTS"
 echo "3. Linux CentOS 7 (Coming Soon)"
 echo "4. Debian GNU/Linux 8 (Coming Soon)"
 echo "5. Debian GNU/Linux 9 (Coming Soon)"
-echo "6. Red Hat Linux 7 (Coming Soon)"
-echo "7. Exit"
+echo "6. Debian GNU/Linux 10 CIS ONLY"
+echo "7. Debian GNU/Linux 11 CIS ONLY"
+echo "8. Red Hat Linux 7 (Coming Soon)"
+echo "9. Exit"
 echo
 read menu
@@ -88,11 +90,22 @@ chmod +x jshielder.sh
 ./jshielder.sh
 ;;
-8)
+6)
+cd DebianServer_10/
+chmod +x jshielder-CIS.sh
+./jshielder-CIS.sh
+;;
+
+7)
+cd DebianServer_11/
+chmod +x jshielder-CIS.sh
+./jshielder-CIS.sh
+
+9)
 break
 ;;
 *)
 ;;
 esac
-done
+done
\ No newline at end of file
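Review bot: This template and the ntp.conf template added in the same commit configure two different time daemons, while the CIS benchmark wants exactly one in use (2.1.1.1 in the Debian 11 benchmark, as I recall); which of the two jshielder-CIS.sh actually deploys is not visible from these hunks. Whichever is chosen, the other should be masked — installing the ntp package stops systemd-timesyncd but, to my knowledge, does not mask it — and each template should say so, e.g. `# Mutually exclusive with templates/ntp/ntp.conf: deploy one time daemon only (CIS 2.1.1.1).`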
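Review bot: The new `7)` arm has no `;;` terminator: after `./jshielder-CIS.sh` the parser meets `9)` where a command is expected, which is a bash syntax error (`syntax error near unexpected token ')'`) that aborts the whole `while`/`case` block at parse time, so the menu becomes unusable for every option, not just 7. Add `;;` after that arm's `./jshielder-CIS.sh`, mirroring the `6)` arm a few lines above. Both new arms also `cd` into their subdirectory and never return, so a later pass of the loop runs from the wrong directory — the existing arms share this, but `(cd DebianServer_11/ && chmod +x jshielder-CIS.sh && ./jshielder-CIS.sh)` in a subshell would avoid it; the enclosing `while` loop and `case` start outside the hunk.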