From ead90b85fd1dc71cdddaa67f2db9eed0b6982784 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 23 May 2023 18:47:44 +0400 Subject: [PATCH 01/33] Initial Commit with base. --- DebianServer_10/helpers.sh | 50 ++ DebianServer_10/jshilder-CIS.sh | 678 +++++++++++++++++++ DebianServer_10/templates/audit-CIS.rules | 88 +++ DebianServer_10/templates/auditd-CIS.conf | 34 + DebianServer_10/templates/bye-CIS | 7 + DebianServer_10/templates/common-auth-CIS | 27 + DebianServer_10/templates/common-passwd-CIS | 38 ++ DebianServer_10/templates/iptables-CIS.sh | 40 ++ DebianServer_10/templates/login.defs-CIS | 338 +++++++++ DebianServer_10/templates/motd-CIS | 8 + DebianServer_10/templates/pwquality-CIS.conf | 9 + DebianServer_10/templates/sshd_config-CIS | 40 ++ DebianServer_10/templates/sysctl-CIS.conf | 123 ++++ DebianServer_10/templates/welcome-CIS | 22 + 14 files changed, 1502 insertions(+) create mode 100644 DebianServer_10/helpers.sh create mode 100644 DebianServer_10/jshilder-CIS.sh create mode 100644 DebianServer_10/templates/audit-CIS.rules create mode 100644 DebianServer_10/templates/auditd-CIS.conf create mode 100644 DebianServer_10/templates/bye-CIS create mode 100644 DebianServer_10/templates/common-auth-CIS create mode 100644 DebianServer_10/templates/common-passwd-CIS create mode 100644 DebianServer_10/templates/iptables-CIS.sh create mode 100644 DebianServer_10/templates/login.defs-CIS create mode 100644 DebianServer_10/templates/motd-CIS create mode 100644 DebianServer_10/templates/pwquality-CIS.conf create mode 100644 DebianServer_10/templates/sshd_config-CIS create mode 100644 DebianServer_10/templates/sysctl-CIS.conf create mode 100644 DebianServer_10/templates/welcome-CIS diff --git a/DebianServer_10/helpers.sh b/DebianServer_10/helpers.sh new file mode 100644 index 0000000..ec00dee --- /dev/null +++ b/DebianServer_10/helpers.sh 
@@ -0,0 +1,50 @@ +#!/bin/bash + +spinner () +{ + bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++" + barlength=${#bar} + i=0 + while ((i < 100)); do + n=$((i*barlength / 100)) + printf "\e[00;34m\r[%-${barlength}s]\e[00m" "${bar:0:n}" + ((i += RANDOM%5+2)) + sleep 0.02 + done +} + + + +# Show "Done." +function say_done() { + echo " " + echo -e "Done." + say_continue +} + + +# Ask to Continue +function say_continue() { + echo -n " To EXIT Press x Key, Press ENTER to Continue" + read acc + if [ "$acc" == "x" ]; then + exit + fi + echo " " +} + + +# Obtain Server IP +function __get_ip() { + serverip=$(ip route get 1 | awk '{print $7;exit}') + echo $serverip +} + + +# Copy Local Config Files +function tunning() { + whoapp=$1 + cp templates/$whoapp /root/.$whoapp + cp templates/$whoapp /home/$username/.$whoapp + chown $username:$username /home/$username/.$whoapp +} diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh new file mode 100644 index 0000000..001727b --- /dev/null +++ b/DebianServer_10/jshilder-CIS.sh 
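Review bot: `tunning()` reads a global `username` that nothing in helpers.sh defines, and uses it unquoted; if the caller never set it, `cp` lands the file in `/home/` as `/home/.$whoapp` and `chown :` silently changes nothing, so the function should fail loudly instead with `: "${username:?username must be set}"` as its first line and `"$username"`/`"$whoapp"` quoted throughout. Nothing in the main script of this commit calls `tunning`, so the dead path is also easy to miss in testing. Smaller items in the same hunk: `read acc` in `say_continue` should be `read -r acc`, and `echo $serverip` in `__get_ip` should be `printf '%s\n' "$serverip"` so an empty result (no default route) produces an empty line rather than a bare newline with word-splitting applied.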
@@ -0,0 +1,678 @@ +#!/bin/bash + +# JShielder v2.4 +# Deployer for Debian 10 Server +# +# Girish Mahabir +# Twitter = @girishmahabir +#Credits to Center for Internet Security CIS and Jason Soto for the base work. + +source helpers.sh + +############################################################################################################## + +f_banner(){ +echo +echo " + + ██╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗ ███████╗██████╗ + ██║██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗██╔════╝██╔══██╗ + ██║███████╗███████║██║█████╗ ██║ ██║ ██║█████╗ ██████╔╝ +██ ██║╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║██╔══╝ ██╔══██╗ +╚█████╔╝███████║██║ ██║██║███████╗███████╗██████╔╝███████╗██║ ██║ +╚════╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚══════╝╚═╝ ╚═╝ + +CIS Benchmark Hardening +For Debian 10 +Developed By Jason Soto & Modified by Girish Mahabir +" +echo +echo + +} + + +############################################################################################################## + +# Check if running with root User + +clear +f_banner + + +check_root() { +if [ $EUID -ne 0 ]; then + echo "Permission Denied" + echo "Can only be run by root" + exit +else + clear + f_banner + cat templates/welcome-CIS +fi +} + +############################################################################################################## + +check_root +say_continue + +# Setting a root password. 
+echo -e "Let's set a root password" +passwd root + +# Unattended Upgrades +apt install -y unattended-upgrades apt-listchanges bsd-mailx +echo "APT::Periodic::AutocleanInterval "7";" >> /etc/apt/apt.conf.d/20auto-upgrades +systemctl enable --now unattended-upgrades + +############################################################################################################## + +echo -e "" +echo -e "Disabling unused filesystems" +apt install -y spinner +spinner +sleep 2 + +#1.1.1.1 Ensure Mounting of cramfs is disabled (Scored) + +echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored) + +echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored) + +echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored) + +echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored) + +echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored) + +echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) + +echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf + +#1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) + +echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf + + + +#1.1.17 Ensure nodev option set on removable media partitions (Not Scored) +#1.1.18 Ensure nosuid option set on removable media partitions (Not Scored) +#1.1.19 Ensure noexec option set on removable media partitions (Not Scored) + +#1.1.20 Ensure sticky bit is set on all world-writable directories (Scored) + +clear +f_banner + +echo -e "" +echo -e "Setting Sticky bit on all world-writable directories" +sleep 2 +spinner + +df --local -P | awk {'if (NR!=1) print 
$6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + +#1.1.21 Disable Automounting (Scored) + + +#1.2 Configure Software Updates + + +#1.2.1 Ensure package manager repositories are configured (Not Scored) + +#1.2.2 Ensure GPG keys are configured (Not Scored) + +#1.3 Filesystem Integrity Checking + +#1.3.1 Ensure AIDE is installed (Scored) + +clear +f_banner +echo -e "" +echo -e "NOT Installing and configuring AIDE" + +apt-get install -y aide +aideinit + +# Configure cron job for AIDE +echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide + +#1.3.2 Ensure filesystem integrity is regularly checked (Scored) + + +#1.4 Secure Boot Settings +#1.4.1 Ensure permissions on bootloader config are configured (Scored) + +clear +f_banner + +echo -e "" +echo -e "Securing Boot Settings" +spinner +sleep 2 + +chown root:root /boot/grub/grub.cfg +chmod og-rwx /boot/grub/grub.cfg + +#1.4.2 Ensure bootloader password is set (Scored) + +# echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" +# echo -e "\e[93m[+]\e[00m We will now Set a Bootloader Password" +# echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" +# echo "" + +# grub-mkpasswd-pbkdf2 | tee grubpassword.tmp +# grubpassword=$(cat grubpassword.tmp | sed -e '1,2d' | cut -d ' ' -f7) +# echo " set superusers="root" " >> /etc/grub.d/40_custom +# echo " password_pbkdf2 root $grubpassword " >> /etc/grub.d/40_custom +# rm grubpassword.tmp +# update-grub + +#1.4.3 Ensure authentication required for single user mode (Scored) + + +#1.5 Additional Process Hardening +#1.5.1 Ensure core dumps are restricted (Scored) + +echo "* hard core 0" >> /etc/security/limits.conf +cp templates/sysctl-CIS.conf /etc/sysctl.conf +sysctl -e -p + +#1.5.2 Ensure XD/NX support is enabled (Not Scored) +#1.5.3 Ensure address space 
layout randomization (ASLR) is enabled (Scored) + #already set on sysctl.conf template file + + +#1.5.4 Ensure prelink is disabled (Scored) + # not installed by default on Clean Ubuntu install, will add condition later on + +#1.6 Mandatory Access Control +#1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored) N/A +#1.6.1.2 Ensure the SELinux state is enforcing (Scored) N/A +#1.6.1.3 Ensure SELinux policy is configured (Scored) N/A +#1.6.1.4 Ensure no unconfined daemons exist (Scored) N/A +#1.6.2.1 Ensure AppArmor is not disabled in bootloader configuration (Scored) +#1.6.2.2 Ensure all AppArmor Profiles are enforcing (Scored) +#1.6.3 Ensure SELinux or AppArmor are installed (Not Scored) + +#1.7 Warning Banners +#1.7.1.1 Ensure message of the day is configured properly (Scored) +#1.7.1.2 Ensure local login warning banner is configured properly (Not Scored) +#1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored) +cat templates/motd-CIS > /etc/motd +cat templates/motd-CIS > /etc/issue +cat templates/motd-CIS > /etc/issue.net + +#1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored) +#1.7.1.5 Ensure permissions on /etc/issue are configured (Scored) +#1.7.1.6 Ensure permissions on /etc/issue.net are configured (Not Scored) + +chown root:root /etc/motd /etc/issue /etc/issue.net +chmod 644 /etc/motd /etc/issue /etc/issue.net + +#1.7.2 Ensure GDM login banner is configured (Scored) +#1.8 Ensure updates, patches, and additional security software are installed (Not Scored) + +apt-get -y update +apt-get -y upgrade + +############################################################ + + +### NOT ENABLED ON CLEAN INSTALL +## Will configure later on for current install ## + + +#2 Services +#2.1 inetd Services +#2.1.1 Ensure chargen services are not enabled (Scored) +#.1.2 Ensure daytime services are not enabled (Scored) +#2.1.3 Ensure discard services are not enabled (Scored) +#2.1.4 Ensure echo services are not enabled 
(Scored) +#2.1.5 Ensure time services are not enabled (Scored) +#2.1.6 Ensure rsh server is not enabled (Scored) +#2.1.7 Ensure talk server is not enabled (Scored) +#2.1.8 Ensure telnet server is not enabled (Scored) +#2.1.9 Ensure tftp server is not enabled (Scored) +#2.1.10 Ensure xinetd is not enabled (Scored) + +############################################################## +#2.2 Special Purpose Services +#2.2.1.1 Ensure time synchronization is in use (Not Scored) +#2.2.1.2 Ensure ntp is configured (Scored) +#2.2.1.3 Ensure chrony is configured (Scored) + + +#2.2.2 Ensure X Window System is not installed (Scored) +#2.2.3 Ensure Avahi Server is not enabled (Scored) +#2.2.4 Ensure CUPS is not enabled (Scored) +#2.2.5 Ensure DHCP Server is not enabled (Scored) +#2.2.6 Ensure LDAP server is not enabled (Scored) +#2.2.7 Ensure NFS and RPC are not enabled (Scored) +#2.2.8 Ensure DNS Server is not enabled (Scored) +#2.2.9 Ensure FTP Server is not enabled (Scored) +#2.2.10 Ensure HTTP server is not enabled (Scored) +#2.2.11 Ensure IMAP and POP3 server is not enabled (Scored) +#2.2.12 Ensure Samba is not enabled (Scored) +#2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) +#2.2.14 Ensure SNMP Server is not enabled (Scored) +#2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored) +#2.2.16 Ensure rsync service is not enabled (Scored) +#2.2.17 Ensure NIS Server is not enabled (Scored) +#2.3 Service Clients +#2.3.1 Ensure NIS Client is not installed (Scored) +#2.3.2 Ensure rsh client is not installed (Scored) +#2.3.3 Ensure talk client is not installed (Scored) +#2.3.4 Ensure telnet client is not installed (Scored) + +apt-get remove -y telnet + +#2.3.5 Ensure LDAP client is not installed (Scored) + +####################################################################### + +#3 Network Configuration +#.1 Network Parameters (Host Only) +#.1.1 Ensure IP forwarding is disabled (Scored) +#.1.2 Ensure packet redirect sending is disabled (Scored) +#.2 
Network Parameters (Host and Router) +#.2.1 Ensure source routed packets are not accepted (Scored) +#.2.2 Ensure ICMP redirects are not accepted (Scored) +#.2.3 Ensure secure ICMP redirects are not accepted (Scored) +#3.2.4 Ensure suspicious packets are logged (Scored) +#3.2.5 Ensure broadcast ICMP requests are ignored (Scored) +#3.2.6 Ensure bogus ICMP responses are ignored (Scored) +#3.2.7 Ensure Reverse Path Filtering is enabled (Scored) +#3.2.8 Ensure TCP SYN Cookies is enabled (Scored) +#3.3 IPv6 +#3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored) +#3.3.2 Ensure IPv6 redirects are not accepted (Not Scored) + +## VALUES SET WITH SYSCTL TEMPLATE COPIED ON PREVIOUS STEP + +######################################################################## + +#3.3.3 Ensure IPv6 is disabled (Not Scored) + +sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub +update-grub + +#3.4 TCP Wrappers +#.4.1 Ensure TCP Wrappers is installed (Scored) + # Installed by default + + +#.4.2 Ensure /etc/hosts.allow is configured (Scored) + +clear +f_banner + +echo -e "" +echo -e "Setting hosts.allow and hosts.deny" +spinner +sleep 2 + +echo "ALL: 10.0.0.0/255.0.0.0" >> /etc/hosts.allow +echo "ALL: 192.168.0.0/255.255.0.0" >> /etc/hosts.allow +echo "ALL: 172.16.0.0/255.240.0.0" >> /etc/hosts.allow + +#3.4.3 Ensure /etc/hosts.deny is configured (Scored) + +echo "ALL: ALL" >> /etc/hosts.deny + +#3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) + +chown root:root /etc/hosts.allow +chmod 644 /etc/hosts.allow + +#3.4.5 Ensure permissions on /etc/hosts.deny are 644 (Scored) + +chown root:root /etc/hosts.deny +chmod 644 /etc/hosts.deny + +#3.5 Uncommon Network Protocols +#3.5.1 Ensure DCCP is disabled (Not Scored) + +clear +f_banner + +echo -e "" +echo -e "Disabling uncommon Network Protocols" +spinner +sleep 2 + +echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf + +#3.5.2 Ensure SCTP is disabled (Not Scored) + +echo 
"install sctp /bin/true" >> /etc/modprobe.d/CIS.conf + +#3.5.3 Ensure RDS is disabled (Not Scored) + +echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf + +#3.5.4 Ensure TIPC is disabled (Not Scored) + +echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf + +#3.6 Firewall Configuration +#3.6.1 Ensure iptables is installed (Scored) +#3.6.2 Ensure default deny firewall policy (Scored) +#3.6.3 Ensure loopback traffic is configured (Scored) +#3.6.4 Ensure outbound and established connections are configured (Not Scored) + +clear +f_banner + +echo -e "" +echo -e "Setting up Iptables Rules" +spinner +sleep 1 + +apt install -y iptables-persistent + +sh templates/iptables-CIS.sh +cp templates/iptables-CIS.sh /etc/init.d/ + +netfilter-persistent save + +#3.6.5 Ensure firewall rules exist for all open ports (Scored) +#3.7 Ensure wireless interfaces are disabled (Not Scored) + +#4 Logging and Auditing +#.1 Configure System Accounting (auditd) + +clear +f_banner +echo -e "" +echo -e "Installing and configuring Auditd" + +spinner +sleep 1 + +apt-get install -y auditd audispd-plugins + +#.1.1.1 Ensure audit log storage size is configured (Not Scored) +#.1.1.2 Ensure system is disabled when audit logs are full (Scored) +#4.1.1.3 Ensure audit logs are not automatically deleted (Scored) + +cp templates/auditd-CIS.conf /etc/audit/auditd.conf + +#4.1.2 Ensure auditd service is enabled (Scored) + +systemctl enable auditd + +#4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored) + +sed -i 's/GRUB_CMDLINE_LINUX="ipv6.disable=1"/GRUB_CMDLINE_LINUX="ipv6.disable=1\ audit=1"/g' /etc/default/grub + +#4.1.4 Ensure events that modify date and time information are collected(Scored) +#4.1.5 Ensure events that modify user/group information are collected (Scored) +#4.1.6 Ensure events that modify the system's network environment are collected (Scored) +#4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored) +#.1.8 
Ensure login and logout events are collected (Scored) +#4.1.9 Ensure session initiation information is collected (Scored) +#4.1.10 Ensure discretionary access control permission modification events are collected (Scored) +#4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored) +#4.1.12 Ensure use of privileged commands is collected (Scored) +#4.1.13 Ensure successful file system mounts are collected (Scored) #4.1.14 Ensure file deletion events by users are collected (Scored) +#4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored) +#4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) +#4.1.17 Ensure kernel module loading and unloading is collected (Scored) +#4.1.18 Ensure the audit configuration is immutable (Scored) + + +cp templates/audit-CIS.rules /etc/audit/audit.rules + +find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ +"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ +-k privileged" } ' >> /etc/audit/audit.rules + +echo " " >> /etc/audit/audit.rules +echo "#End of Audit Rules" >> /etc/audit/audit.rules +echo "-e 2" >>/etc/audit/audit.rules + +cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules + +#4.2 Configure Logging +#4.2.1.1 Ensure rsyslog Service is enabled (Scored) +#4.2.1.2 Ensure logging is configured (Not Scored) +#4.2.1.3 Ensure rsyslog default file permissions configured (Scored) +#4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) +#4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. 
(Not Scored) +#4.2.2.1 Ensure syslog-ng service is enabled (Scored) +#4.2.2.2 Ensure logging is configured (Not Scored) +#4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) +#4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Scored) +#4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) +#4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) + +#4.2.4 Ensure permissions on all logfiles are configured (Scored) + +chmod -R g-wx,o-rwx /var/log/* + +#4.3 Ensure logrotate is configured (Not Scored) + + +#5 Access, Authentication and Authorization +#.1 Configure cron +#.1.1 Ensure cron daemon is enabled (Scored) +#5.1.2 Ensure permissions on /etc/crontab are configured (Scored) +#5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) +#5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) +#5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) +#5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) +#5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) + +chown root:root /etc/cron* +chmod og-rwx /etc/cron* + +#5.1.8 Ensure at/cron is restricted to authorized users (Scored) + +touch /etc/cron.allow +touch /etc/at.allow + +chmod og-rwx /etc/cron.allow /etc/at.allow +chown root:root /etc/cron.allow /etc/at.allow + +#5.2 SSH Server Configuration +#5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) + +#Permissions set after template copy on Line 493 + +#5.2.2 Ensure SSH Protocol is set to 2 (Scored) +#5.2.3 Ensure SSH LogLevel is set to INFO (Scored) +#5.2.4 Ensure SSH X11 forwarding is disabled (Scored) +#5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) +#5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored) +#5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored) +#5.2.8 Ensure SSH root login is disabled (Scored) +#5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored) +#5.2.10 
Ensure SSH PermitUserEnvironment is disabled (Scored) +#5.2.11 Ensure only approved MAC algorithms are used (Scored) +#5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored) +#5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored) +#5.2.14 Ensure SSH access is limited (Scored) +#5.2.15 Ensure SSH warning banner is configured (Scored) + +##Create user for SSH Access + +echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" +echo -e "\e[93m[+]\e[00m We will now Create a New User for SSH Access" +echo -e "\e[34m---------------------------------------------------------------------------------------------------------\e[00m" +echo "" +echo -n " Type the new username: "; read username +adduser $username + +echo -n " Securing SSH..." +sed s/USERNAME/$username/g templates/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" +service ssh restart + +chown root:root /etc/ssh/sshd_config +chmod og-rwx /etc/ssh/sshd_config + +#5.3 Configure PAM +#5.3.1 Ensure password creation requirements are configured (Scored) +#5.3.2 Ensure lockout for failed password attempts is configured (Not Scored) +#5.3.3 Ensure password reuse is limited (Scored) +#5.3.4 Ensure password hashing algorithm is SHA-512 (Scored) + +clear +f_banner + +echo -e "" +echo -e "Configuring PAM" +spinner +sleep 2 + +cp templates/common-passwd-CIS /etc/pam.d/common-passwd +cp templates/pwquality-CIS.conf /etc/security/pwquality.conf +cp templates/common-auth-CIS /etc/pam.d/common-auth + +#5.4 User Accounts and Environment +#5.4.1.1 Ensure password expiration is 90 days or less (Scored) +#5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored) +#5.4.1.3 Ensure password expiration warning days is 7 or more (Scored) + +cp templates/login.defs-CIS /etc/login.defs + +#5.4.1.4 Ensure inactive password lock is 30 days or less (Scored) + +useradd -D -f 30 + +#5.4.2 Ensure system accounts are non-login (Scored) + 
+for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do + if [ $user != "root" ]; then + usermod -L $user + if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then + usermod -s /usr/sbin/nologin $user + fi + fi +done + +#5.4.3 Ensure default group for the root account is GID 0 (Scored) + +usermod -g 0 root + +#5.4.4 Ensure default user umask is 027 or more restrictive (Scored) + +sed -i s/umask\ 022/umask\ 027/g /etc/init.d/rc + +#5.5 Ensure root login is restricted to system console (Not Scored) +#5.6 Ensure access to the su command is restricted (Scored) + +#6 System Maintenance +#6.1 System File Permissions +#6.1.1 Audit system file permissions (Not Scored) +#6.1.2 Ensure permissions on /etc/passwd are configured (Scored) +clear +f_banner +echo -e "" +echo -e "Setting System File Permissions" +spinner +sleep 2 + + +chown root:root /etc/passwd +chmod 644 /etc/passwd + +#6.1.3 Ensure permissions on /etc/shadow are configured (Scored) + +chown root:shadow /etc/shadow +chmod o-rwx,g-wx /etc/shadow + +#6.1.4 Ensure permissions on /etc/group are configured (Scored) + +chown root:root /etc/group +chmod 644 /etc/group + +#6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) + +chown root:shadow /etc/gshadow +chmod o-rwx,g-rw /etc/gshadow + +#6.1.6 Ensure permissions on /etc/passwd - are configured (Scored) + +chown root:root /etc/passwd- +chmod 600 /etc/passwd- + +#6.1.7 Ensure permissions on /etc/shadow - are configured (Scored) + +chown root:root /etc/shadow- +chmod 600 /etc/shadow- + +#6.1.8 Ensure permissions on /etc/group - are configured (Scored) + +chown root:root /etc/group- +chmod 600 /etc/group- + +#6.1.9 Ensure permissions on /etc/gshadow - are configured (Scored) + +chown root:root /etc/gshadow- +chmod 600 /etc/gshadow- + +#6.1.10 Ensure no world writable files exist (Scored) +#6.1.11 Ensure no unowned files or directories exist (Scored) +#6.1.12 Ensure no ungrouped files or directories exist (Scored) +#6.1.13 
Audit SUID executables (Not Scored) +#6.1.14 Audit SGID executables (Not Scored) +#6.2 User an d Group Settings +#6.2.1 Ensure password fields are not empty (Scored) +#6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) +#6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) +#6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) +#6.2.5 Ensure root is the only UID 0 account (Scored) +#6.2.6 Ensure root PATH Integrity (Scored) +#6.2.7 Ensure all users' home directories exist (Scored) +#6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored) +#6.2.9 Ensure users own their home directories (Scored) +#6.2.10 Ensure users' dot files are not group or world writable (Scored) +#6.2.11 Ensure no users have .forward files (Scored) +#6.2.12 Ensure no users have .netrc files (Scored) +#6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored) +#6.2.14 Ensure no users have .rhosts files (Scored) +#6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored) +#6.2.16 Ensure no duplicate UIDs e xist (Scored) +#6.2.17 Ensure no duplicate GIDs exist (Scored) +#6.2.18 Ensure no duplicate user names exist (Scored) +#6.2.19 Ensure no duplicate group names exist (Scored) +#6.2.20 Ensure shadow group is empty (Scored) + +clear +f_banner + +cat templates/bye-CIS +say_continue + + +# Ensure public key is in $username/.ssh/authorized_keys +if [ -f /home/$username/.ssh/authorized_keys ]; then + echo -e "Authorized Key file already exists for $username" +else + echo -e "Authorized Key file does not exist for $username" + echo -e "Creating Authorized Key file for $username" + mkdir /home/$username/.ssh + touch /home/$username/.ssh/authorized_keys + chown -R $username:$username /home/$username/.ssh + echo -e "Please add the allowed keys to the authorized_keys file." 
+fi + + +# Remove debian cloud-init user from /etc/sudoers.d/debian-cloud-init +# and /etc/sudoers.d/90-cloud-init-users +rm /etc/sudoers.d/*cloud-init* +# Add sudo log file path to /etc/sudoers.d/logging +echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging \ No newline at end of file diff --git a/DebianServer_10/templates/audit-CIS.rules b/DebianServer_10/templates/audit-CIS.rules new file mode 100644 index 0000000..e273afe --- /dev/null +++ b/DebianServer_10/templates/audit-CIS.rules 
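Review bot: The PAM password template is copied to `/etc/pam.d/common-passwd`, a file Debian's PAM stack never includes; the file that governs password changes is `/etc/pam.d/common-password` (the template's own header names it), so the pwquality, sha512 and `remember=5` controls this step intends to apply (CIS 5.3.1, 5.3.3, 5.3.4) remain inactive on the hardened host. The line should read `cp templates/common-passwd-CIS /etc/pam.d/common-password`; the template file in this same commit (`templates/common-passwd-CIS`) is affected by the same mismatch. Two further items in this hunk: the `audit=1` edit of `/etc/default/grub` is not followed by `update-grub` (the earlier `ipv6.disable=1` edit is), so the parameter does not reach `grub.cfg` until something else regenerates it; and in `echo "APT::Periodic::AutocleanInterval "7";"` the shell consumes the inner quotes, writing `APT::Periodic::AutocleanInterval 7;` rather than the quoted value form — use `echo 'APT::Periodic::AutocleanInterval "7";' >> /etc/apt/apt.conf.d/20auto-upgrades`. `apt install -y spinner` also looks like a leftover, since `spinner` is the shell function from helpers.sh rather than a package.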
@@ -0,0 +1,88 @@ +# First rule - delete all +-D + +#Ensure events that modify date and time information are collected + +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +#Ensure events that modify user/group information are collected + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity + +#Ensure events that modify the system's network environment are collected + +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale +-w /etc/networks -p wa -k system-locale + +#Ensure events that modify system's MAC are collected + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy + +#Ensure login and logouts events are collected + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins + +#Ensure session initiation information is collected + +-w /var/run/utmp -p wa -k session +-w /var/run/wtmp -p wa -k session +-w /var/run/btmp -p wa -k session + +#Ensure discretionary access control permission modification events are collected + +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F 
auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + +#Ensure unsuccessful unauthorized file access attempts are collected + +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + +#Ensure successful file system mounts are collected + +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts + +#Ensure file deletion events by users are collected + +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +#Ensure changes to system administration scope (sudoers) is collected + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d -p wa -k scope + +#Ensure system administrator actions (sudolog) are collected + +-w /var/log/sudo.log -p wa -k actions + +#Ensure kernel module loading and unloading is collected + +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +#Ensure use of 
Privileged commands is collected \ No newline at end of file diff --git a/DebianServer_10/templates/auditd-CIS.conf b/DebianServer_10/templates/auditd-CIS.conf new file mode 100644 index 0000000..21b7a1c --- /dev/null +++ b/DebianServer_10/templates/auditd-CIS.conf @@ -0,0 +1,34 @@ + +# +# This file controls the configuration of the audit daemon +# Configured according to CIS Benchmark +# + +log_file = /var/log/audit/audit.log +log_format = RAW +log_group = root +priority_boost = 4 +flush = INCREMENTAL +freq = 20 +num_logs = 5 +disp_qos = lossy +dispatcher = /sbin/audispd +name_format = NONE +##name = mydomain +max_log_file = 6 +max_log_file_action = keep_logs +space_left = 75 +space_left_action = email +action_mail_acct = root +admin_space_left = 50 +admin_space_left_action = halt +disk_full_action = SUSPEND +disk_error_action = SUSPEND +##tcp_listen_port = +tcp_listen_queue = 5 +tcp_max_per_addr = 1 +##tcp_client_ports = 1024-65535 +tcp_client_max_idle = 0 +enable_krb5 = no +krb5_principal = auditd +##krb5_key_file = /etc/audit/audit.key \ No newline at end of file diff --git a/DebianServer_10/templates/bye-CIS b/DebianServer_10/templates/bye-CIS new file mode 100644 index 0000000..032735e --- /dev/null +++ b/DebianServer_10/templates/bye-CIS @@ -0,0 +1,7 @@ + + MESSAGE: + + Congratulations, We Finished Hardening the system following CIS + Benchmark + + This Server should be Rebooted now. diff --git a/DebianServer_10/templates/common-auth-CIS b/DebianServer_10/templates/common-auth-CIS new file mode 100644 index 0000000..64596d2 --- /dev/null +++ b/DebianServer_10/templates/common-auth-CIS 
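Review bot: The session rules watch `/var/run/wtmp` and `/var/run/btmp`, which do not exist on Debian; only `utmp` lives under `/var/run`, while the login history files are `/var/log/wtmp` and `/var/log/btmp`, so session-initiation events (CIS 4.1.9) are never recorded. The two lines should be `-w /var/log/wtmp -p wa -k session` and `-w /var/log/btmp -p wa -k session`. The closing "Ensure use of Privileged commands is collected" heading has no rules under it; a comment such as `# rules for setuid/setgid binaries are appended by jshilder-CIS.sh at install time` would make it clear the section is filled in by the deployer rather than missing.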
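Review bot: `space_left_action = email` with `action_mail_acct = root` is the only warning before `admin_space_left_action = halt` takes the host down, and nothing in this commit configures where root's mail goes; if the installed mailx has no working transport or root's mailbox is unread, the first visible symptom of audit-log disk pressure is a halted server. A comment next to `action_mail_acct` noting that it presumes root mail is delivered and monitored (and that `halt` follows at `admin_space_left = 50` MB) would help the operator verify that path before deployment. Whether an MTA is present depends on the base image, which this hunk cannot show.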
@@ -0,0 +1,27 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 + +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config \ No newline at end of file diff --git a/DebianServer_10/templates/common-passwd-CIS b/DebianServer_10/templates/common-passwd-CIS new file mode 100644 index 0000000..079df58 --- /dev/null +++ b/DebianServer_10/templates/common-passwd-CIS 
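Review bot: `auth required pam_tally2.so ... deny=5 unlock_time=900` is placed after `pam_deny.so`, so on a failed password `pam_unix.so` (`[success=1 default=ignore]`) falls through to the requisite `pam_deny.so`, which terminates the stack before pam_tally2 ever runs; the counter only executes on the success path (where it resets), so the lockout this line implements (CIS 5.3.2) never triggers. Move the line above the primary block: `auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900` immediately before `auth [success=1 default=ignore] pam_unix.so nullok_secure`. Since the file header states it is managed by pam-auth-update, a comment noting that the template deliberately replaces the managed file (and will be overwritten by a later `pam-auth-update` run) is also worth adding.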
@@ -0,0 +1,38 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password requisite pam_pwquality.so try_first_pass retry=3 +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so + +#CIS +password sufficient pam_unix.so remember=5 + +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config \ No newline at end of file diff --git a/DebianServer_10/templates/iptables-CIS.sh b/DebianServer_10/templates/iptables-CIS.sh new file mode 100644 index 0000000..26af642 --- /dev/null +++ b/DebianServer_10/templates/iptables-CIS.sh 
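Review bot: `remember=5` is attached to a second `pam_unix.so` line that runs after `pam_permit.so`, i.e. after the first pam_unix line has already written the new hash, so the history check does not gate the change (and a second pam_unix invocation without `use_authtok` may prompt again). Put the option on the line that performs the update, `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5`, or use `password required pam_pwhistory.so remember=5` ahead of pam_unix — which I believe is what the benchmark's own remediation text for Debian describes — and drop the extra `sufficient` line.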
@@ -0,0 +1,40 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Applies Iptable Rules +# Description: +### END INIT INFO + + +# Flush Iptables rules + iptables -F + +# Default deny Firewall policy + iptables -P INPUT DROP + iptables -P OUTPUT DROP + iptables -P FORWARD DROP + +# Ensure loopback traffic is configured + iptables -A INPUT -i lo -j ACCEPT + iptables -A OUTPUT -o lo -j ACCEPT + iptables -A INPUT -s 127.0.0.0/8 -j DROP + +# Ensure outbound and established connections are configured + iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT + +# Open inbound ssh(22) connections + iptables -A INPUT -p tcp --dport 10022 -m state --state NEW -j ACCEPT + +# Disable IPV6 + ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP + ip6tables -P FORWARD DROP \ No newline at end of file diff --git a/DebianServer_10/templates/login.defs-CIS b/DebianServer_10/templates/login.defs-CIS new file mode 100644 index 0000000..bcf378f --- /dev/null +++ b/DebianServer_10/templates/login.defs-CIS 
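Review bot: The permitted SSH port is hard-coded as `--dport 10022` here and independently as `Port 10022` in templates/sshd_config-CIS; nothing ties the two literals together, and with the INPUT policy at DROP any drift between them locks the operator out. A single token substituted from one place would be safer than two copies of the number. Style: `-m state --state` has long been superseded by `-m conntrack --ctstate`; the semantics here are identical, so the swap is cosmetic but removes a deprecated match.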
@@ -0,0 +1,338 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. 
+# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. 
+# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 027 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 90 +PASS_MIN_DAYS 7 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. 
This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# If set to yes, userdel will remove the user´s group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. 
+# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. 
+# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR \ No newline at end of file diff --git a/DebianServer_10/templates/motd-CIS b/DebianServer_10/templates/motd-CIS new file mode 100644 index 0000000..3c4e7a7 --- /dev/null +++ b/DebianServer_10/templates/motd-CIS @@ -0,0 +1,8 @@ +################################################################################ + + All connections are monitored and recorded + Unauthorized access to this server is prohibited +Any intrusion attempts will be reported to all Law Enforcement Agencies + Avoid Legal Charges, Disconnect NOW if you're not an authorized user! + +################################################################################ diff --git a/DebianServer_10/templates/pwquality-CIS.conf b/DebianServer_10/templates/pwquality-CIS.conf new file mode 100644 index 0000000..140ed52 --- /dev/null +++ b/DebianServer_10/templates/pwquality-CIS.conf @@ -0,0 +1,9 @@ +# Configuration for systemwide password quality limits +#Configured following CIS Benchmark by Jshielder + + +minlen=14 +dcredit=-1 +ucredit=-1 +ocredit=-1 +lcredit=-1 \ No newline at end of file 
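Review bot: `FAILLOG_ENAB yes` is kept although the comment directly above it says the option conflicts with pam_tally, and templates/common-auth-CIS in this same commit enables pam_tally2; the two lockout mechanisms would count independently, so either drop FAILLOG_ENAB or add a comment naming which one is authoritative (hedged: on a PAM-managed Debian login the setting may simply be ignored). `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` are left commented so the libc default applies; if the hardening target wants a higher work factor it belongs here next to `ENCRYPT_METHOD SHA512`. `LOG_OK_LOGINS no` is an odd choice for a host whose motd-CIS announces that all connections are monitored and recorded, unless sshd's VERBOSE logging is what is relied on — worth a one-line comment either way.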
diff --git a/DebianServer_10/templates/sshd_config-CIS b/DebianServer_10/templates/sshd_config-CIS new file mode 100644 index 0000000..a8b6d0d --- /dev/null +++ b/DebianServer_10/templates/sshd_config-CIS @@ -0,0 +1,40 @@ +Port 10022 +Protocol 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com +MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 +SyslogFacility AUTH +ClientAliveCountMax 3 +ClientAliveInterval 60 +Compression no +LogLevel VERBOSE +MaxAuthTries 3 +MaxSessions 3 +LoginGraceTime 30 +PermitRootLogin no +StrictModes yes +PubkeyAuthentication yes +AuthorizedKeysFile .ssh/authorized_keys +IgnoreRhosts yes +HostbasedAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +PasswordAuthentication no +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitUserEnvironment no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server +UsePAM yes +UseDNS no +maxstartups 10:30:60 +Banner /etc/issue.net +AllowUsers USERNAME \ No newline at end of file diff --git a/DebianServer_10/templates/sysctl-CIS.conf b/DebianServer_10/templates/sysctl-CIS.conf new file mode 100644 index 0000000..ce2b5f4 --- /dev/null +++ b/DebianServer_10/templates/sysctl-CIS.conf 
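Review bot: With `PasswordAuthentication no`, `ChallengeResponseAuthentication no`, `PermitRootLogin no` and `AllowUsers USERNAME`, the only way onto the host after `service ssh restart` is a public key for the freshly created user, and nothing visible in this series installs one; unless the operator places the key before the restart, the hardened box is unreachable. A comment at the top of the template stating that precondition, and a check in the script before the restart, would prevent that. `HostKey /etc/ssh/ssh_host_dsa_key` names a key type that I believe Debian 10's OpenSSH neither generates nor accepts by default, so sshd logs an error for the missing file; drop it together with the obsolete `Protocol 2`. `Port 10022` duplicates the port hard-coded in templates/iptables-CIS.sh, so the two must be kept in step by hand.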
@@ -0,0 +1,123 @@ +# Kernel sysctl configuration file for Ubuntu +# Modified by Jason Soto +# +# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and +# sysctl.conf(5) for more details. + +# Controls IP packet forwarding +net.ipv4.ip_forward = 0 + +# Controls source route verification +net.ipv4.conf.default.rp_filter = 1 + +# Do not accept source routing +net.ipv4.conf.default.accept_source_route = 0 + +# Controls the System Request debugging functionality of the kernel +kernel.sysrq = 0 + +# Controls whether core dumps will append the PID to the core filename. +# Useful for debugging multi-threaded applications. +kernel.core_uses_pid = 1 + +# Controls the use of TCP syncookies +net.ipv4.tcp_syncookies = 1 + +# Disable netfilter on bridges. +net.bridge.bridge-nf-call-ip6tables = 0 +net.bridge.bridge-nf-call-iptables = 0 +net.bridge.bridge-nf-call-arptables = 0 + +# Controls the default maxmimum size of a mesage queue +kernel.msgmnb = 65536 + +# Controls the maximum size of a message, in bytes +kernel.msgmax = 65536 + +# Controls the maximum shared segment size, in bytes +kernel.shmmax = 68719476736 + +# Controls the maximum number of shared memory segments, in pages +kernel.shmall = 4294967296 + +######### GENERAL SECURITY OPTIONS ################ + +# Automatically Reboot Server in 30 Seconds after a Kernel Panic +vm.panic_on_oom = 1 +kernel.panic = 30 +kernel.panic_on_oops = 30 + +# Enable ExecShield +kernel.exec-shield = 1 + +kernel.dmesg_restrict = 1 +kernel.kptr_restrict = 2 +kernel.randomize_va_space = 2 + +########## COMMUNICATIONS SECURITY ############## +# No Redirections +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +# Do not Accept Packets with SRR +net.ipv4.conf.all.accept_source_route = 0 + +# Do not accept Redirections +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +net.ipv6.conf.all.accept_redirects = 0 
+net.ipv6.conf.all.secure_redirects = 0 +net.ipv6.conf.default.secure_redirects = 0 + +# Do not Accept source routed Packets +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 + +# Disable Packets Forwarding +net.ipv4.ip_forward = 0 +net.ipv4.conf.all.forwarding = 0 +net.ipv4.conf.default.forwarding = 0 +net.ipv6.conf.all.forwarding = 0 +net.ipv6.conf.default.forwarding = 0 + +# Log Suspicious Packets +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 +net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 + +# Ignore ICMP ECHO or TIMESTAMP sent by broadcast/multicast +net.ipv4.icmp_echo_ignore_broadcasts = 1 +net.ipv4.tcp_timestamps = 0 + +# Protect Against 'syn flood attack' +net.ipv4.tcp_syncookies = 1 +net.ipv4.tcp_syn_retries = 5 +net.ipv4.tcp_synack_retries = 2 +net.ipv4.tcp_max_syn_backlog = 4096 + +# Enable Reverse Source Validation (Protects Against IP Spoofing) +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 + +# Ignore Bogus Error Response +net.ipv4.icmp_ignore_bogus_error_responses = 1 + +# Reduce KeepAlive +net.ipv4.tcp_keepalive_time = 300 +net.ipv4.tcp_keepalive_probes = 5 +net.ipv4.tcp_keepalive_intvl = 15 + +#Ensure IPv6 router advertisement are not accepted +net.ipv6.conf.all.accept_ra = 0 +net.ipv6.conf.default.accept_ra = 0 + +# Disable IPv6 +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.lo.disable_ipv6 = 1 + +fs.suid_dumpable = 0 \ No newline at end of file diff --git a/DebianServer_10/templates/welcome-CIS b/DebianServer_10/templates/welcome-CIS new file mode 100644 index 0000000..dc9d400 --- /dev/null +++ b/DebianServer_10/templates/welcome-CIS 
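Review bot: Several keys do not exist on a Debian 10 kernel and are skipped silently because the script applies the file with `sysctl -e -p`: `kernel.exec-shield` is a Red Hat-only tunable, and `net.ipv6.conf.all.secure_redirects` / `net.ipv6.conf.default.secure_redirects` have no IPv6 counterpart as far as I know (secure_redirects is IPv4-only) — worth confirming against `sysctl -a`. `kernel.panic_on_oops = 30` is a boolean; the 30-second reboot the comment promises comes from `kernel.panic = 30`, so `kernel.panic_on_oops = 1` is what was meant. `vm.panic_on_oom = 1` turns any memory exhaustion into a reboot, an availability trade-off that deserves a comment. `net.ipv4.ip_forward`, `net.ipv4.conf.default.accept_source_route` and the redirect keys are each set twice; last one wins so it is harmless, but deduplicating keeps the file auditable.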
@@ -0,0 +1,22 @@ +================================================================================ + Following Items Must be configured During initial System Install + +1.1.2 Ensure separate partition exists for /tmp (Scored) +1.1.3 Ensure nodev option set on /tmp partition (Scored) +1.1.4 Ensure nosuid option set on /tmp partition (Scored) +1.1.5 Ensure separate partition exists for /var (Scored) +1.1.6 Ensure separate partition exists for /var/tmp (Scored) +1.1.7 Ensure nodev option set on /var/tmp partition (Scored) +1.1.8 Ensure nosuid option set on /var/tmp partition (Scored) +1.1.9 Ensure noexec option set on /var/tmp partition (Scored) +1.1.10 Ensure separate partition exists for /var/log (Scored) +1.1.11 Ensure separate partition exists for /var/log/audit (Scored) +1.1.12 Ensure separate partition exists for /home (Scored) +1.1.13 Ensure nodev option set on /home partition (Scored) +1.1.14 Ensure nodev option set on /dev/shm partition (Scored) +1.1.15 Ensure nosuid option set on /dev/shm partition (Scored) +1.1.16 Ensure noexec option set on /dev/shm partition (Scored) + +If you did not configure this on initial system install, we recommend you perform +a reinstall and perform the above as Best Security Practice. +================================================================================ From 925bde5b365aa8e7e5da712a1576b5b2cdd66e22 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Wed, 24 May 2023 13:48:04 +0400 Subject: [PATCH 02/33] Added 99-finalize.rules for audit, sudoers use_pty, su group creation and journalctl storage and compression set. --- DebianServer_10/jshilder-CIS.sh | 29 +++++++++++++++++++- DebianServer_10/templates/common-account-CIS | 2 ++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 DebianServer_10/templates/common-account-CIS diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 001727b..3957d17 100644 --- a/DebianServer_10/jshilder-CIS.sh 
+++ b/DebianServer_10/jshilder-CIS.sh @@ -443,6 +443,7 @@ find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ echo " " >> /etc/audit/audit.rules echo "#End of Audit Rules" >> /etc/audit/audit.rules echo "-e 2" >>/etc/audit/audit.rules +echo "-e 2" >>/etc/audit/audit.d/99-finalize.rules cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules @@ -540,6 +541,7 @@ sleep 2 cp templates/common-passwd-CIS /etc/pam.d/common-passwd cp templates/pwquality-CIS.conf /etc/security/pwquality.conf cp templates/common-auth-CIS /etc/pam.d/common-auth +cat templates/common-account >> /etc/pam.d/common-account #5.4 User Accounts and Environment #5.4.1.1 Ensure password expiration is 90 days or less (Scored) 
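Review bot: `/etc/audit/audit.d/99-finalize.rules` is not a directory auditd reads; the context line two below copies into `/etc/audit/rules.d/`, which is where augenrules merges `*.rules` in lexical order, so the intended line is `echo "-e 2" >>/etc/audit/rules.d/99-finalize.rules`. As written the redirect fails with a missing-directory error and, since nothing visible checks exit statuses, the script carries on. Once the 99 file exists, `-e 2` should also come out of audit.rules itself (the line above), because after the merge an immutable flag in the middle of the rule set will, I believe, make auditctl reject every rule that follows it.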
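Review bot: `cat templates/common-account >> /etc/pam.d/common-account` names a file this commit does not create; the new template is `templates/common-account-CIS` (see the diffstat and the new-file hunk below), so cat fails and common-account is left untouched while common-auth starts counting with pam_tally2 and, with no account-phase reset, I believe even successful logins keep incrementing the tally. Use `cat templates/common-account-CIS >> /etc/pam.d/common-account`, and since `>>` is not idempotent, guard it with `grep -q pam_tally2 /etc/pam.d/common-account ||` so a re-run does not append the lines twice.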
@@ -675,4 +677,29 @@ fi
 # and /etc/sudoers.d/90-cloud-init-users
 rm /etc/sudoers.d/*cloud-init*
 # Add sudo log file path to /etc/sudoers.d/logging
-echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging
\ No newline at end of file
+echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging
+# Add sudo use_pty to /etc/sudoers.d/use_pty
+echo -e "Defaults use_pty" > /etc/sudoers.d/use_pty
+
+
+# Create an empty group that will be specified for use of the su command.
+# The group should be named according to site policy.
+# Example # groupadd sugroup Add the following line to the /etc/pam.d/su file,
+# specifying the empty group: auth required pam_wheel.so use_uid group=sugroup
+groupadd sugroup
+echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su
+# Do you want to add the $username to the sugroup? (y/n)
+read -p "Do you want to add the $username to the sugroup? (y/n) " -n 1 -r
+echo -e ""
+if [[ $REPLY =~ ^[Yy]$ ]]
+then
+ usermod -a -G sugroup $username
+fi
+
+# Journalctl configuration
+# In /etc/systemd/journald.conf, Remove the # from the following lines:
+# Storage=persistent
+# Compress=yes
+
+sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf
+sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.con
\ No newline at end of file
diff --git a/DebianServer_10/templates/common-account-CIS b/DebianServer_10/templates/common-account-CIS
new file mode 100644
index 0000000..ae58fba
--- /dev/null
+++ b/DebianServer_10/templates/common-account-CIS
@@ -0,0 +1,2 @@
+# Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset.
+account requisite pam_deny.so account required pam_tally2.so
\ No newline at end of file
From 910d35ba2f99227fdfd8df4504c58f9acc91dd85 Mon Sep 17 00:00:00 2001
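Review bot: `groupadd sugroup` and the `>> /etc/pam.d/su` append are both unguarded, so a second run of the script fails on the group and duplicates the pam_wheel line; `getent group sugroup >/dev/null || groupadd sugroup` and `grep -q pam_wheel.so /etc/pam.d/su || echo ... >> /etc/pam.d/su` keep the block idempotent. The two `echo -e ... > /etc/sudoers.d/...` writes create the drop-ins with the caller's umask and never validate them; `visudo -cf /etc/sudoers.d/use_pty` (and `chmod 0440`) after each write catches a broken file before it breaks sudo. `usermod -a -G sugroup $username` should quote the variable as `"$username"`, since it comes straight from `read`.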
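Review bot: The second line packs two PAM entries onto one line (the hunk header confirms the file is two lines), so PAM parses it as `account requisite pam_deny.so` with the arguments `account required pam_tally2.so`; pam_tally2 is never loaded, and a requisite pam_deny appended after Debian's existing `account required pam_permit.so` is reached unconditionally, which I believe denies every login on the box. The entries need to be separate lines placed inside the primary block, where the `[success=1 ... default=ignore] pam_unix.so` jump skips pam_deny, with `account required pam_tally2.so` after the stack's pam_permit. Appending this template with `cat >>`, as the script does, cannot achieve that; like the common-auth template it should be a complete replacement of common-account.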
From: Girish Mahabir Date: Tue, 30 May 2023 09:20:24 +0400 Subject: [PATCH 03/33] Re-arranged folders and adapted JShielder script. --- DebianServer_10/jshilder-CIS.sh | 64 ++++++++++++++----- .../templates/{ => audit}/audit-CIS.rules | 0 .../templates/{ => audit}/auditd-CIS.conf | 0 .../templates/{ => iptables}/iptables-CIS.sh | 2 +- .../templates/{ => pam}/common-account-CIS | 0 .../templates/{ => pam}/common-auth-CIS | 0 .../templates/{ => pam}/common-passwd-CIS | 0 .../templates/{ => pam}/pwquality-CIS.conf | 0 .../templates/{ => sshd}/sshd_config-CIS | 2 +- .../templates/{ => sysctl}/sysctl-CIS.conf | 0 DebianServer_10/templates/{ => texts}/bye-CIS | 0 .../templates/{ => texts}/motd-CIS | 0 .../templates/{ => texts}/welcome-CIS | 0 13 files changed, 49 insertions(+), 19 deletions(-) rename DebianServer_10/templates/{ => audit}/audit-CIS.rules (100%) rename DebianServer_10/templates/{ => audit}/auditd-CIS.conf (100%) rename DebianServer_10/templates/{ => iptables}/iptables-CIS.sh (94%) rename DebianServer_10/templates/{ => pam}/common-account-CIS (100%) rename DebianServer_10/templates/{ => pam}/common-auth-CIS (100%) rename DebianServer_10/templates/{ => pam}/common-passwd-CIS (100%) rename DebianServer_10/templates/{ => pam}/pwquality-CIS.conf (100%) rename DebianServer_10/templates/{ => sshd}/sshd_config-CIS (99%) rename DebianServer_10/templates/{ => sysctl}/sysctl-CIS.conf (100%) rename DebianServer_10/templates/{ => texts}/bye-CIS (100%) rename DebianServer_10/templates/{ => texts}/motd-CIS (100%) rename DebianServer_10/templates/{ => texts}/welcome-CIS (100%) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 3957d17..3f16af6 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -48,7 +48,7 @@ if [ $EUID -ne 0 ]; then else clear f_banner - cat templates/welcome-CIS + cat templates/texts/welcome-CIS fi } 
@@ -187,7 +187,7 @@ chmod og-rwx /boot/grub/grub.cfg #1.5.1 Ensure core dumps are restricted (Scored) echo "* hard core 0" >> /etc/security/limits.conf -cp templates/sysctl-CIS.conf /etc/sysctl.conf +cp templates/sysctl/sysctl-CIS.conf /etc/sysctl.conf sysctl -e -p #1.5.2 Ensure XD/NX support is enabled (Not Scored) @@ -211,9 +211,9 @@ sysctl -e -p #1.7.1.1 Ensure message of the day is configured properly (Scored) #1.7.1.2 Ensure local login warning banner is configured properly (Not Scored) #1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored) -cat templates/motd-CIS > /etc/motd -cat templates/motd-CIS > /etc/issue -cat templates/motd-CIS > /etc/issue.net +cat templates/texts/motd-CIS > /etc/motd +cat templates/texts/motd-CIS > /etc/issue +cat templates/texts/motd-CIS > /etc/issue.net #1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored) #1.7.1.5 Ensure permissions on /etc/issue are configured (Scored) @@ -383,11 +383,17 @@ sleep 1 apt install -y iptables-persistent -sh templates/iptables-CIS.sh -cp templates/iptables-CIS.sh /etc/init.d/ +sh templates/iptables/iptables-CIS.sh +cp templates/iptables/iptables-CIS.sh /etc/init.d/ netfilter-persistent save +# Replace the default rules file with the CIS rules file +# Replace 62716 with the port the user entered for ssh +sed -i 's/62716/$sshport/g' /etc/iptables/rules.v4 + +netfilter-persistent reload + #3.6.5 Ensure firewall rules exist for all open ports (Scored) #3.7 Ensure wireless interfaces are disabled (Not Scored) @@ -408,7 +414,7 @@ apt-get install -y auditd audispd-plugins #.1.1.2 Ensure system is disabled when audit logs are full (Scored) #4.1.1.3 Ensure audit logs are not automatically deleted (Scored) -cp templates/auditd-CIS.conf /etc/audit/auditd.conf +cp templates/audit/auditd-CIS.conf /etc/audit/auditd.conf #4.1.2 Ensure auditd service is enabled (Scored) 
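Review bot: `sed -i 's/62716/$sshport/g' /etc/iptables/rules.v4` (hunk `@@ -383`) uses single quotes, so the literal text `$sshport` is written into the rule; iptables-restore then rejects `--dport $sshport`, `netfilter-persistent reload` fails, and the running rule set keeps admitting only 62716 while sshd is moved to the user's port — a lockout on the next connection. Quoting alone does not fix it, because `sshport` is only read by the `@@ -518` hunk further down the script, so at this point it is empty; the prompt has to move ahead of this block, after which `sed -i "s/62716/${sshport}/g" /etc/iptables/rules.v4` works, ideally behind a `[[ $sshport =~ ^[0-9]+$ ]]` check. The copy placed in `/etc/init.d/` is never substituted, so if that init script is ever enabled it re-applies the 62716 rule at boot.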
@@ -434,7 +440,7 @@ sed -i 's/GRUB_CMDLINE_LINUX="ipv6.disable=1"/GRUB_CMDLINE_LINUX="ipv6.disable=1 #4.1.18 Ensure the audit configuration is immutable (Scored) -cp templates/audit-CIS.rules /etc/audit/audit.rules +cp templates/audit/audit-CIS.rules /etc/audit/audit.rules find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ @@ -518,7 +524,10 @@ echo -n " Type the new username: "; read username adduser $username echo -n " Securing SSH..." -sed s/USERNAME/$username/g templates/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" +sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" +# get ssh port from user +echo -n " Type the SSH Port: "; read sshport +sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; echo "OK" service ssh restart chown root:root /etc/ssh/sshd_config @@ -538,10 +547,10 @@ echo -e "Configuring PAM" spinner sleep 2 -cp templates/common-passwd-CIS /etc/pam.d/common-passwd -cp templates/pwquality-CIS.conf /etc/security/pwquality.conf -cp templates/common-auth-CIS /etc/pam.d/common-auth -cat templates/common-account >> /etc/pam.d/common-account +cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd +cp templates/pam/pwquality-CIS.conf /etc/security/pwquality.conf +cp templates/pam/common-auth-CIS /etc/pam.d/common-auth +cat templates/pam/common-account >> /etc/pam.d/common-account #5.4 User Accounts and Environment #5.4.1.1 Ensure password expiration is 90 days or less (Scored) @@ -610,6 +619,7 @@ chmod o-rwx,g-rw /etc/gshadow chown root:root /etc/passwd- chmod 600 /etc/passwd- +chmod u-x,go-rwx /etc/passwd- #6.1.7 Ensure permissions on /etc/shadow - are configured (Scored) 
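Review bot: In hunk `@@ -518`, `read sshport` is used unquoted and unvalidated in `sed -i s/PORT/$sshport/g /etc/ssh/sshd_config`; an empty or non-numeric answer yields an invalid `Port` line and the following `service ssh restart` fails, which on a remote host ends the session. Validate before substituting, e.g. `[[ $sshport =~ ^[0-9]+$ ]] && (( sshport >= 1 && sshport <= 65535 )) || exit 1`, and run `sshd -t` before the restart. The same unquoted substitution affects `sed s/USERNAME/$username/g` on the line above, where a username containing `/` or `&` corrupts the config. `PORT` and `USERNAME` are case-sensitive sed patterns, so the template must contain those exact tokens; the sshd_config-CIS change that presumably introduces `PORT` lies outside this chunk.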
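Review bot: In hunk `@@ -538`, `cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd` writes to a file PAM never reads; the Debian password stack is `/etc/pam.d/common-password` (the template's own header says so), so none of the pwquality, sha512 or remember settings take effect. The destination should be `/etc/pam.d/common-password`. `cat templates/pam/common-account >> /etc/pam.d/common-account` still names a file that does not exist — the template renamed in this commit is `common-account-CIS` — so that line fails as well, and nothing visible checks either exit status.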
@@ -619,7 +629,7 @@ chmod 600 /etc/shadow- #6.1.8 Ensure permissions on /etc/group - are configured (Scored) chown root:root /etc/group- -chmod 600 /etc/group- +chmod u-x,go-rwx /etc/group- #6.1.9 Ensure permissions on /etc/gshadow - are configured (Scored) @@ -656,7 +666,7 @@ chmod 600 /etc/gshadow- clear f_banner -cat templates/bye-CIS +cat templates/texts/bye-CIS say_continue @@ -702,4 +712,24 @@ fi # Compress=yes sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf -sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.con \ No newline at end of file +sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf + +# Echo Essential informations for the user to be able to connect back to the server. +echo -e "Please note the following information to be able to connect back to the server:" +echo -e "IP Address: $(hostname -I)" +echo -e "Username: $username" +echo -e "Password: THE PASSWORD YOU CHOSE" +echo -e "Port: $port" +echo -e "Please note that the root user is disabled by default." +echo -e "Please note that the $username user is allowed to switch to root using the su command." +echo -e "Please note that SUDO has not been configured yet." + +# Reboot to apply changes, ask the user if he wants to reboot now. +read -p "Do you want to reboot now? (y/n) " -n 1 -r +echo -e "" +if [[ $REPLY =~ ^[Yy]$ ]] +then + reboot +fi + +# End of script \ No newline at end of file diff --git a/DebianServer_10/templates/audit-CIS.rules b/DebianServer_10/templates/audit/audit-CIS.rules similarity index 100% rename from DebianServer_10/templates/audit-CIS.rules rename to DebianServer_10/templates/audit/audit-CIS.rules diff --git a/DebianServer_10/templates/auditd-CIS.conf b/DebianServer_10/templates/audit/auditd-CIS.conf similarity index 100% rename from DebianServer_10/templates/auditd-CIS.conf rename to DebianServer_10/templates/audit/auditd-CIS.conf 
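Review bot: `echo -e "Port: $port"` prints an empty value, because the variable read earlier in this commit is `sshport` and `port` is never assigned; this summary is the operator's only record of the new SSH port, so it should be `echo -e "Port: $sshport"`. `hostname -I` may print several addresses, which is acceptable here but worth a word in the message. The `read -p ... -n 1 -r` prompt then calls `reboot` before anyone has confirmed that SSH answers on the new port, so a wrong or empty port becomes a locked-out host; suggest printing `ss -tlnp | grep sshd` output or asking the operator to test a second session before offering the reboot.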
diff --git a/DebianServer_10/templates/iptables-CIS.sh b/DebianServer_10/templates/iptables/iptables-CIS.sh similarity index 94% rename from DebianServer_10/templates/iptables-CIS.sh rename to DebianServer_10/templates/iptables/iptables-CIS.sh index 26af642..3695f32 100644 --- a/DebianServer_10/templates/iptables-CIS.sh +++ b/DebianServer_10/templates/iptables/iptables-CIS.sh @@ -32,7 +32,7 @@ iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT # Open inbound ssh(22) connections - iptables -A INPUT -p tcp --dport 10022 -m state --state NEW -j ACCEPT + iptables -A INPUT -p tcp --dport 62716 -m state --state NEW -j ACCEPT # Disable IPV6 ip6tables -P INPUT DROP diff --git a/DebianServer_10/templates/common-account-CIS b/DebianServer_10/templates/pam/common-account-CIS similarity index 100% rename from DebianServer_10/templates/common-account-CIS rename to DebianServer_10/templates/pam/common-account-CIS diff --git a/DebianServer_10/templates/common-auth-CIS b/DebianServer_10/templates/pam/common-auth-CIS similarity index 100% rename from DebianServer_10/templates/common-auth-CIS rename to DebianServer_10/templates/pam/common-auth-CIS diff --git a/DebianServer_10/templates/common-passwd-CIS b/DebianServer_10/templates/pam/common-passwd-CIS similarity index 100% rename from DebianServer_10/templates/common-passwd-CIS rename to DebianServer_10/templates/pam/common-passwd-CIS diff --git a/DebianServer_10/templates/pwquality-CIS.conf b/DebianServer_10/templates/pam/pwquality-CIS.conf similarity index 100% rename from DebianServer_10/templates/pwquality-CIS.conf rename to DebianServer_10/templates/pam/pwquality-CIS.conf diff --git a/DebianServer_10/templates/sshd_config-CIS b/DebianServer_10/templates/sshd/sshd_config-CIS similarity index 99% rename from DebianServer_10/templates/sshd_config-CIS rename to DebianServer_10/templates/sshd/sshd_config-CIS index a8b6d0d..fd15deb 100644 --- a/DebianServer_10/templates/sshd_config-CIS 
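Review bot: The accept rule hard-codes `--dport 62716` while the comment above it still reads `# Open inbound ssh(22) connections`, and the same number is separately hard-coded in the `sed -i 's/62716/...'` in jshilder-CIS.sh, so the two must be kept in sync by hand. Either keep a single placeholder in the template that the main script substitutes, or pass the port through a variable, and update the comment to `# Open inbound SSH connections on the configured port`.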
+++ b/DebianServer_10/templates/sshd/sshd_config-CIS @@ -1,4 +1,4 @@ -Port 10022 +Port PORT Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key diff --git a/DebianServer_10/templates/sysctl-CIS.conf b/DebianServer_10/templates/sysctl/sysctl-CIS.conf similarity index 100% rename from DebianServer_10/templates/sysctl-CIS.conf rename to DebianServer_10/templates/sysctl/sysctl-CIS.conf diff --git a/DebianServer_10/templates/bye-CIS b/DebianServer_10/templates/texts/bye-CIS similarity index 100% rename from DebianServer_10/templates/bye-CIS rename to DebianServer_10/templates/texts/bye-CIS diff --git a/DebianServer_10/templates/motd-CIS b/DebianServer_10/templates/texts/motd-CIS similarity index 100% rename from DebianServer_10/templates/motd-CIS rename to DebianServer_10/templates/texts/motd-CIS diff --git a/DebianServer_10/templates/welcome-CIS b/DebianServer_10/templates/texts/welcome-CIS similarity index 100% rename from DebianServer_10/templates/welcome-CIS rename to DebianServer_10/templates/texts/welcome-CIS From 4af16e8d2b9d9b7d67249a079aafd976229d594f Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 09:32:44 +0400 Subject: [PATCH 04/33] Updated Iptables script, Updated how the port is updated in the script and fixed common-account-CIS bug. --- DebianServer_10/jshilder-CIS.sh | 20 ++++++++----------- .../templates/iptables/iptables-CIS.sh | 2 +- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 3f16af6..07ab043 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh 
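Review bot: `Port PORT` is only valid once the `sed -i s/PORT/$sshport/g` in jshilder-CIS.sh has run; if that substitution is skipped or `sshport` is empty, `/etc/ssh/sshd_config` is installed with `Port PORT` or `Port ` and the following `service ssh restart` fails. The script should refuse to restart while the placeholder survives, e.g. `grep -q '^Port PORT$' /etc/ssh/sshd_config && exit 1`, and validate the generated file with `sshd -t -f /etc/ssh/sshd_config` first. The context line `HostKey /etc/ssh/ssh_host_dsa_key` is pre-existing; current OpenSSH disables ssh-dss by default, so that key is probably unused — confirm and drop it in a follow-up.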
@@ -381,17 +381,11 @@ echo -e "Setting up Iptables Rules" spinner sleep 1 -apt install -y iptables-persistent - sh templates/iptables/iptables-CIS.sh -cp templates/iptables/iptables-CIS.sh /etc/init.d/ - -netfilter-persistent save # Replace the default rules file with the CIS rules file -# Replace 62716 with the port the user entered for ssh -sed -i 's/62716/$sshport/g' /etc/iptables/rules.v4 - +apt install -y iptables-persistent +netfilter-persistent save netfilter-persistent reload #3.6.5 Ensure firewall rules exist for all open ports (Scored) @@ -527,7 +521,9 @@ echo -n " Securing SSH..." sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" # get ssh port from user echo -n " Type the SSH Port: "; read sshport -sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; echo "OK" +sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; +sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; +echo "OK" service ssh restart chown root:root /etc/ssh/sshd_config @@ -550,7 +546,7 @@ sleep 2 cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd cp templates/pam/pwquality-CIS.conf /etc/security/pwquality.conf cp templates/pam/common-auth-CIS /etc/pam.d/common-auth -cat templates/pam/common-account >> /etc/pam.d/common-account +cat templates/pam/common-account-CIS >> /etc/pam.d/common-account #5.4 User Accounts and Environment #5.4.1.1 Ensure password expiration is 90 days or less (Scored) 
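Review bot: The new `sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh` runs in the SSH section, but the same file was already executed by `sh templates/iptables/iptables-CIS.sh` and persisted by `netfilter-persistent save` in the hunk at line 381, so the rules actually loaded and saved still contain the literal `--dport PORT`, which iptables rejects, and no inbound SSH rule exists when sshd is restarted on `$sshport`. Read and substitute the port before the firewall script runs, or re-run the script and `netfilter-persistent save` after this substitution. Editing the template in place also consumes the placeholder, so a second run of the script finds no `PORT` to replace; substitute into a copy instead, e.g. `sed "s/PORT/${sshport}/g" templates/iptables/iptables-CIS.sh > "$rules_tmp"`. The one-line merge of these two `sed` calls in PATCH 06 keeps the same ordering problem.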
@@ -719,10 +715,10 @@ echo -e "Please note the following information to be able to connect back to the echo -e "IP Address: $(hostname -I)" echo -e "Username: $username" echo -e "Password: THE PASSWORD YOU CHOSE" -echo -e "Port: $port" +echo -e "Port: $sshport" echo -e "Please note that the root user is disabled by default." echo -e "Please note that the $username user is allowed to switch to root using the su command." -echo -e "Please note that SUDO has not been configured yet." +echo -e "Please note that SUDO has not been configured yet."; # Reboot to apply changes, ask the user if he wants to reboot now. read -p "Do you want to reboot now? (y/n) " -n 1 -r diff --git a/DebianServer_10/templates/iptables/iptables-CIS.sh b/DebianServer_10/templates/iptables/iptables-CIS.sh index 3695f32..ba245d3 100644 --- a/DebianServer_10/templates/iptables/iptables-CIS.sh +++ b/DebianServer_10/templates/iptables/iptables-CIS.sh @@ -32,7 +32,7 @@ iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT # Open inbound ssh(22) connections - iptables -A INPUT -p tcp --dport 62716 -m state --state NEW -j ACCEPT + iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT # Disable IPV6 ip6tables -P INPUT DROP From 6ffffd1b8e235eee72fb16b4011e388eff86df81 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 09:45:11 +0400 Subject: [PATCH 05/33] Removed Reboot section. --- DebianServer_10/jshilder-CIS.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 07ab043..6b049cf 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh 
@@ -718,14 +718,6 @@ echo -e "Password: THE PASSWORD YOU CHOSE" echo -e "Port: $sshport" echo -e "Please note that the root user is disabled by default." echo -e "Please note that the $username user is allowed to switch to root using the su command." -echo -e "Please note that SUDO has not been configured yet."; - -# Reboot to apply changes, ask the user if he wants to reboot now. -read -p "Do you want to reboot now? (y/n) " -n 1 -r -echo -e "" -if [[ $REPLY =~ ^[Yy]$ ]] -then - reboot -fi - +echo -e "Please note that SUDO has not been configured yet." +echo -e "Please reboot the server to apply all the changes."; # End of script \ No newline at end of file From 705d953dec904030264908216a43778dc47d5d07 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 10:03:13 +0400 Subject: [PATCH 06/33] Optimized sed for ssh port. --- DebianServer_10/jshilder-CIS.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 6b049cf..b7c2ba6 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -521,9 +521,7 @@ echo -n " Securing SSH..." sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" # get ssh port from user echo -n " Type the SSH Port: "; read sshport -sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; -sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; -echo "OK" +sed -i s/PORT/$sshport/g /etc/ssh/sshd_config templates/iptables/iptables-CIS.sh; echo "OK" service ssh restart chown root:root /etc/ssh/sshd_config From 89d44b92f1cb591c6218c5d76f4a90cb036decf5 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 11:18:06 +0400 Subject: [PATCH 07/33] Fixed SSH Port Issue. --- DebianServer_10/jshilder-CIS.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index b7c2ba6..1acdde8 100644 
--- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -380,7 +380,9 @@ echo -e "" echo -e "Setting up Iptables Rules" spinner sleep 1 - +# Get SSH Port. +echo -n " Type the SSH Port: "; read sshport +sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; echo "OK" sh templates/iptables/iptables-CIS.sh # Replace the default rules file with the CIS rules file @@ -519,9 +521,7 @@ adduser $username echo -n " Securing SSH..." sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; echo "OK" -# get ssh port from user -echo -n " Type the SSH Port: "; read sshport -sed -i s/PORT/$sshport/g /etc/ssh/sshd_config templates/iptables/iptables-CIS.sh; echo "OK" +sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; echo "OK" service ssh restart chown root:root /etc/ssh/sshd_config From 7414f7e5e26d29e458bae0cc0b6b37d669d28807 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 12:02:23 +0400 Subject: [PATCH 08/33] Add $user to su group by default. --- DebianServer_10/jshilder-CIS.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 1acdde8..f553d77 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -380,6 +380,7 @@ echo -e "" echo -e "Setting up Iptables Rules" spinner sleep 1 +echo -e "" # Get SSH Port. echo -n " Type the SSH Port: "; read sshport sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; echo "OK" @@ -663,7 +664,6 @@ f_banner cat templates/texts/bye-CIS say_continue - # Ensure public key is in $username/.ssh/authorized_keys if [ -f /home/$username/.ssh/authorized_keys ]; then echo -e "Authorized Key file already exists for $username" 
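Review bot: The substitution now precedes `sh templates/iptables/iptables-CIS.sh`, but `sed -i` still rewrites the template in the repository, so after the first run the `PORT` placeholder is gone and a later run silently keeps the first port in the firewall while the sshd_config sed at line 521 applies the new one. `sshport` is also used without any check. Validate it and substitute into a temporary copy: `[[ "$sshport" =~ ^[0-9]+$ ]] && (( sshport >= 1 && sshport <= 65535 )) || { echo "invalid port" >&2; exit 1; }` followed by `rules=$(mktemp) && sed "s/PORT/${sshport}/g" templates/iptables/iptables-CIS.sh > "$rules" && sh "$rules"`, and use that copy wherever the substituted script is needed later. As before, `echo "OK"` is printed regardless of the `sed` exit status.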
@@ -685,20 +685,13 @@ echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging # Add sudo use_pty to /etc/sudoers.d/use_pty echo -e "Defaults use_pty" > /etc/sudoers.d/use_pty - # Create an empty group that will be specified for use of the su command. # The group should be named according to site policy. # Example # groupadd sugroup Add the following line to the /etc/pam.d/su file, # specifying the empty group: auth required pam_wheel.so use_uid group=sugroup groupadd sugroup echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su -# Do you want to add the $username to the sugroup? (y/n) -read -p "Do you want to add the $username to the sugroup? (y/n) " -n 1 -r -echo -e "" -if [[ $REPLY =~ ^[Yy]$ ]] -then - usermod -a -G sugroup $username -fi +usermod -a -G sugroup $username # Journalctl configuration # In /etc/systemd/journald.conf, Remove the # from the following lines: From d9d633b94cd84ae6b4a0dde9b419b30bcf98a4a5 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 5 Jun 2023 14:48:47 +0400 Subject: [PATCH 09/33] Added some more configs + added ipv6 lo rules + Re-arranged some lines. --- DebianServer_10/jshilder-CIS.sh | 20 +++++++++++++------ .../templates/audit/audit-CIS.rules | 2 ++ .../templates/iptables/iptables-CIS.sh | 7 ++++++- .../templates/pam/pwquality-CIS.conf | 2 -- 4 files changed, 22 insertions(+), 9 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index f553d77..4b10add 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -5,7 +5,7 @@ # # Girish Mahabir # Twitter = @girishmahabir -#Credits to Center for Internet Security CIS and Jason Soto for the base work. +# Credits to Center for Internet Security CIS and Jason Soto for the base work. source helpers.sh 
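Review bot: `usermod -a -G sugroup $username` is now unconditional, unquoted and unchecked; since the `pam_wheel.so use_uid group=sugroup` line above only admits members of `sugroup` and the end-of-script summary states that root login is disabled, a failed `usermod` here (mistyped name, user not created) leaves no path to root at all. Write it as `usermod -a -G sugroup -- "$username" || { echo "could not add $username to sugroup" >&2; exit 1; }`. The surrounding `groupadd sugroup` and the `>> /etc/pam.d/su` append are pre-existing but not idempotent: a second run of the script duplicates the pam_wheel line.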
@@ -106,6 +106,9 @@ echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf +#1.1.23 Ensure mounting USB devices is disabled (Scored) +echo "install usb-storage /bin/true" >> /etc/modprobe.d/CIS.conf +rmmod usb-storage #1.1.17 Ensure nodev option set on removable media partitions (Not Scored) @@ -148,6 +151,7 @@ aideinit # Configure cron job for AIDE echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide +service cron restart #1.3.2 Ensure filesystem integrity is regularly checked (Scored) @@ -310,9 +314,7 @@ sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/defa update-grub #3.4 TCP Wrappers -#.4.1 Ensure TCP Wrappers is installed (Scored) - # Installed by default - +#.4.1 Ensure TCP Wrappers is installed (Scored) Installed by default #.4.2 Ensure /etc/hosts.allow is configured (Scored) @@ -464,7 +466,7 @@ cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules #4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) #4.2.4 Ensure permissions on all logfiles are configured (Scored) - +echo "create 0640 root utmp" >> /etc/logrotate.conf chmod -R g-wx,o-rwx /var/log/* #4.3 Ensure logrotate is configured (Not Scored) @@ -530,6 +532,8 @@ chmod og-rwx /etc/ssh/sshd_config #5.3 Configure PAM #5.3.1 Ensure password creation requirements are configured (Scored) +apt install libpam-pwquality -y + #5.3.2 Ensure lockout for failed password attempts is configured (Not Scored) #5.3.3 Ensure password reuse is limited (Scored) #5.3.4 Ensure password hashing algorithm is SHA-512 (Scored) 
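Review bot: `rmmod usb-storage` fails when the module is not loaded or is in use, and with no status check that failure is only visible as a stray error message; the `echo ... >> /etc/modprobe.d/CIS.conf` also appends a duplicate line on every run. Guard the unload, e.g. `lsmod | grep -q '^usb_storage' && rmmod usb-storage`, and write the modprobe entry only when it is absent. The new block is numbered 1.1.23 but is inserted ahead of the 1.1.17 section, which makes the script harder to audit against the benchmark.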
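Review bot: `service cron restart` reloads the entry written on the context line above into `/etc/cron.d/aide`, but that entry is in user-crontab form (`0 5 * * * /usr/bin/aide.wrapper ...`) and files under /etc/cron.d need a user field between the schedule and the command, so cron would treat `/usr/bin/aide.wrapper` as the user and the integrity check would never run — confirm against crontab(5) on Debian 10. The line should read `0 5 * * * root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check`. Debian's cron also notices changes in /etc/cron.d on its own, so the restart is likely unnecessary once the entry is valid.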
@@ -577,6 +581,11 @@ usermod -g 0 root sed -i s/umask\ 022/umask\ 027/g /etc/init.d/rc +# 5.4.5 Ensure default user shell timeout is 900 seconds or less +echo "readonly TMOUT=900 ; export TMOUT" >> /etc/bash.bashrc +echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile +echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile.d/*.sh + #5.5 Ensure root login is restricted to system console (Not Scored) #5.6 Ensure access to the su command is restricted (Scored) @@ -622,7 +631,6 @@ chown root:root /etc/shadow- chmod 600 /etc/shadow- #6.1.8 Ensure permissions on /etc/group - are configured (Scored) - chown root:root /etc/group- chmod u-x,go-rwx /etc/group- diff --git a/DebianServer_10/templates/audit/audit-CIS.rules b/DebianServer_10/templates/audit/audit-CIS.rules index e273afe..ece2a9b 100644 --- a/DebianServer_10/templates/audit/audit-CIS.rules +++ b/DebianServer_10/templates/audit/audit-CIS.rules @@ -42,6 +42,8 @@ -w /var/run/utmp -p wa -k session -w /var/run/wtmp -p wa -k session -w /var/run/btmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins #Ensure discretionary access control permission modification events are collected diff --git a/DebianServer_10/templates/iptables/iptables-CIS.sh b/DebianServer_10/templates/iptables/iptables-CIS.sh index ba245d3..af7e6a7 100644 --- a/DebianServer_10/templates/iptables/iptables-CIS.sh +++ b/DebianServer_10/templates/iptables/iptables-CIS.sh @@ -37,4 +37,9 @@ # Disable IPV6 ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP - ip6tables -P FORWARD DROP \ No newline at end of file + ip6tables -P FORWARD DROP + +# 3.5.4.2.2 Ensure IPv6 loopback traffic is configured. + ip6tables -A INPUT -i lo -j ACCEPT + ip6tables -A OUTPUT -o lo -j ACCEPT + ip6tables -A INPUT -s ::1 -j DROP \ No newline at end of file diff --git a/DebianServer_10/templates/pam/pwquality-CIS.conf b/DebianServer_10/templates/pam/pwquality-CIS.conf index 140ed52..9e8f2cd 100644 
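Review bot: `echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile.d/*.sh` fails with an ambiguous-redirect error whenever more than one `*.sh` exists, because a redirection target cannot be a glob, so nothing is written there. The same `readonly TMOUT=900` line is appended to both `/etc/bash.bashrc` and `/etc/profile`; Debian's `/etc/profile` sources `/etc/bash.bashrc` for bash, so the second declaration hits an already read-only variable and every login prints a readonly error. Declare it once and guarded, e.g. `[ -n "${TMOUT:-}" ] || { readonly TMOUT=900; export TMOUT; }` in a single `/etc/profile.d/99-tmout.sh`. The unconditional appends also duplicate the line on every run of the script.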
--- a/DebianServer_10/templates/pam/pwquality-CIS.conf +++ b/DebianServer_10/templates/pam/pwquality-CIS.conf @@ -1,7 +1,5 @@ # Configuration for systemwide password quality limits #Configured following CIS Benchmark by Jshielder - - minlen=14 dcredit=-1 ucredit=-1 From 4cab1801e778097176bec118cac47419d067051f Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 13 Jun 2023 18:22:00 +0400 Subject: [PATCH 10/33] Removed some unused paths from ENV, Added CONSOLE: console:tty0:tty1:tty01 , added SHA_CRYPT_MIN_ROUNDS 5000 and SHA_CRYPT_MAX_ROUNDS 100000 --- DebianServer_10/templates/login.defs-CIS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/DebianServer_10/templates/login.defs-CIS b/DebianServer_10/templates/login.defs-CIS index bcf378f..e868ca5 100644 --- a/DebianServer_10/templates/login.defs-CIS +++ b/DebianServer_10/templates/login.defs-CIS @@ -100,7 +100,7 @@ HUSHLOGIN_FILE .hushlogin # # (they are minimal, add the rest in the shell startup files) ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin # # Terminal permissions @@ -240,7 +240,7 @@ USERGROUPS_ENAB yes # This variable is used by login and su. # #CONSOLE /etc/consoles -#CONSOLE console:tty01:tty02:tty03:tty04 +CONSOLE console:tty0:tty1:tty01 # # List of groups to add to the user's supplementary group set @@ -291,8 +291,8 @@ ENCRYPT_METHOD SHA512 # If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. # -# SHA_CRYPT_MIN_ROUNDS 5000 -# SHA_CRYPT_MAX_ROUNDS 5000 +SHA_CRYPT_MIN_ROUNDS 5000 +SHA_CRYPT_MAX_ROUNDS 100000 ################# OBSOLETED BY PAM ############## # # From 64caeda54ed12167363f2ff92bf01f2adc83cfad Mon Sep 17 00:00:00 2001 
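Review bot: `CONSOLE console:tty0:tty1:tty01` is uncommented in a section whose own comment says it is used by login and su, but Debian's login.defs documents CONSOLE among the settings obsoleted by PAM, so with PAM-based login this line is likely ignored and CIS 5.5 is enforced through `/etc/securetty` and pam_securetty instead — confirm on a Debian 10 host before relying on it, and add a one-line comment above the setting stating why it is kept. `tty01` is also not a standard Linux console device name (`tty1`..`tty6` are), so the list should be checked against the devices actually present. The `SHA_CRYPT_MIN_ROUNDS 5000` / `SHA_CRYPT_MAX_ROUNDS 100000` change is consistent with the surrounding comment, which explains that a value is chosen from that range when MIN and MAX differ.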
From: Girish Mahabir Date: Tue, 13 Jun 2023 18:22:33 +0400 Subject: [PATCH 11/33] Re-factored common-account-cis file to be more readable. --- DebianServer_10/templates/pam/common-account-CIS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/DebianServer_10/templates/pam/common-account-CIS b/DebianServer_10/templates/pam/common-account-CIS index ae58fba..caf1d8c 100644 --- a/DebianServer_10/templates/pam/common-account-CIS +++ b/DebianServer_10/templates/pam/common-account-CIS @@ -1,2 +1,5 @@ -# Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. +# Note: If a user has been locked out because they have reached the maximum +# consecutive failure count defined by deny= in the pam_tally2.so module, the user +# can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. + account requisite pam_deny.so account required pam_tally2.so \ No newline at end of file From 87d4bf81021e9098aa5ab6c2e6746791653cb400 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 13 Jun 2023 18:24:18 +0400 Subject: [PATCH 12/33] Added full binary path to the bash script. --- .../templates/iptables/iptables-CIS.sh | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/DebianServer_10/templates/iptables/iptables-CIS.sh b/DebianServer_10/templates/iptables/iptables-CIS.sh index af7e6a7..cc1ac9a 100644 --- a/DebianServer_10/templates/iptables/iptables-CIS.sh +++ b/DebianServer_10/templates/iptables/iptables-CIS.sh 
@@ -10,36 +10,36 @@ ### END INIT INFO -# Flush Iptables rules - iptables -F +# Flush /sbin/iptables rules + /sbin/iptables -F # Default deny Firewall policy - iptables -P INPUT DROP - iptables -P OUTPUT DROP - iptables -P FORWARD DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP # Ensure loopback traffic is configured - iptables -A INPUT -i lo -j ACCEPT - iptables -A OUTPUT -o lo -j ACCEPT - iptables -A INPUT -s 127.0.0.0/8 -j DROP + /sbin/iptables -A INPUT -i lo -j ACCEPT + /sbin/iptables -A OUTPUT -o lo -j ACCEPT + /sbin/iptables -A INPUT -s 127.0.0.0/8 -j DROP # Ensure outbound and established connections are configured - iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT - -# Open inbound ssh(22) connections - iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT - -# Disable IPV6 - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - ip6tables -P FORWARD DROP - -# 3.5.4.2.2 Ensure IPv6 loopback traffic is configured. 
- ip6tables -A INPUT -i lo -j ACCEPT - ip6tables -A OUTPUT -o lo -j ACCEPT - ip6tables -A INPUT -s ::1 -j DROP \ No newline at end of file + /sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT + +# Open inbound ssh(23) connections + /sbin/iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT + +# Disable IPV7 + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + +# 4.5.4.2.2 Ensure IPv6 loopback traffic is configured. + /sbin/ip6tables -A INPUT -i lo -j ACCEPT + /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT + /sbin/ip6tables -A INPUT -s ::1 -j DROP \ No newline at end of file From b19bbf07ff2c8e8dc999cf4cf33a04c35f75ea7c Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 13 Jun 2023 18:34:54 +0400 Subject: [PATCH 13/33] Added Shell Timeout file with script. --- DebianServer_10/templates/shell/shell-tmout-CIS | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 DebianServer_10/templates/shell/shell-tmout-CIS diff --git a/DebianServer_10/templates/shell/shell-tmout-CIS b/DebianServer_10/templates/shell/shell-tmout-CIS new file mode 100644 index 0000000..99da3be --- /dev/null +++ b/DebianServer_10/templates/shell/shell-tmout-CIS @@ -0,0 +1,3 @@ +if [ "$TMOUT" != 900 ]; then + readonly TMOUT=900 ; export TMOUT +fi \ No newline at end of file From a622d8663a5787d9bf59112338f17e5e5ab5a072 Mon Sep 17 00:00:00 2001 
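Review bot: Several comments were altered along with the path change and now read wrong: `# Open inbound ssh(23) connections`, `# Disable IPV7` and `# 4.5.4.2.2 Ensure IPv6 loopback traffic is configured.` replaced `ssh(22)`, `IPV6` and `3.5.4.2.2`, and `# Flush /sbin/iptables rules` was plain prose before. This looks like a search-and-replace that also incremented digits; restore the original comments, since the CIS section number is how each rule is traced back to the benchmark. The absolute paths are appropriate for an init script, but `/sbin/iptables` only resolves where the binary lives in or is merged into /sbin; `/usr/sbin/iptables` or a `command -v iptables` lookup is safer — confirm on the target before this is copied to /etc/init.d.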
From: Girish Mahabir Date: Tue, 13 Jun 2023 18:37:18 +0400 Subject: [PATCH 14/33] Added CIS Related IPTables Script to /etc/init.d/ , Modified corrected bug for auditd immutable file correction , added cron to fix log permissions every 30 mins, commented pam/common-account file for now , Re-adapted shell timeout , Added Section for the manual steps. --- DebianServer_10/jshilder-CIS.sh | 44 +++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 4b10add..ab60eb5 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh @@ -388,6 +388,11 @@ echo -n " Type the SSH Port: "; read sshport sed -i s/PORT/$sshport/g templates/iptables/iptables-CIS.sh; echo "OK" sh templates/iptables/iptables-CIS.sh +cp templates/iptables/iptables-CIS.sh /etc/init.d/ +chmod +x /etc/init.d/iptables-CIS.sh +ln -s /etc/init.d/iptables-CIS.sh /etc/rc2.d/S99iptables-CIS.sh + + # Replace the default rules file with the CIS rules file apt install -y iptables-persistent netfilter-persistent save @@ -447,8 +452,10 @@ find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ echo " " >> /etc/audit/audit.rules echo "#End of Audit Rules" >> /etc/audit/audit.rules -echo "-e 2" >>/etc/audit/audit.rules -echo "-e 2" >>/etc/audit/audit.d/99-finalize.rules +echo "-e 2" >> /etc/audit/audit.rules +echo "-e 2" >> /etc/audit/audit.rules.prev +echo "-e 2" >> /etc/audit/audit-stop.rules +echo "-e 2" >> /etc/audit/rules.d/99-finalize.rules cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules 
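Review bot: `ln -s /etc/init.d/iptables-CIS.sh /etc/rc2.d/S99iptables-CIS.sh` hand-creates a runlevel-2-only link and fails on a second run because the link already exists; Debian expects `update-rc.d iptables-CIS.sh defaults`, which the LSB header visible in the template (`### END INIT INFO`) already supports and which the systemd sysv generator honors. The copied file is also the in-place-substituted template, and the same rules are then persisted again through `netfilter-persistent save` / reload, so two mechanisms now restore the firewall at boot and can diverge; iptables-persistent alone is sufficient. At minimum use `ln -sf` and check the exit status of `cp` and `chmod`.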
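Review bot: Appending `-e 2` to `/etc/audit/audit.rules.prev` and `/etc/audit/audit-stop.rules` does not make the configuration immutable: `.prev` is augenrules' backup of the previously merged file and `audit-stop.rules` is the set applied when auditd stops, so neither is loaded at start. Immutability must come from the last line of the merged ruleset, which is what `rules.d/99-finalize.rules` is for. Because `/etc/audit/audit.rules` (which also ends in `-e 2`) is then copied to `rules.d/audit.rules` on the context line below and augenrules merges rules.d files in sorted name order, `99-finalize.rules` would likely sort before `audit.rules` and `-e 2` could be processed before the watches, after which the remaining rules fail to load — confirm with `augenrules --check`. Keep `-e 2` only in `99-finalize.rules` and drop the other three appends.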
@@ -464,6 +471,9 @@ cp /etc/audit/audit.rules /etc/audit/rules.d/audit.rules #4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Scored) #4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) #4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) +# find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + +# Add the above line to /etc/cron.d/CIS to be executed every 30 minutes +echo "*/30 * * * * root find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +" >> /etc/cron.d/CIS #4.2.4 Ensure permissions on all logfiles are configured (Scored) echo "create 0640 root utmp" >> /etc/logrotate.conf @@ -549,7 +559,7 @@ sleep 2 cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd cp templates/pam/pwquality-CIS.conf /etc/security/pwquality.conf cp templates/pam/common-auth-CIS /etc/pam.d/common-auth -cat templates/pam/common-account-CIS >> /etc/pam.d/common-account +# cat templates/pam/common-account-CIS >> /etc/pam.d/common-account #5.4 User Accounts and Environment #5.4.1.1 Ensure password expiration is 90 days or less (Scored) @@ -582,9 +592,17 @@ usermod -g 0 root sed -i s/umask\ 022/umask\ 027/g /etc/init.d/rc # 5.4.5 Ensure default user shell timeout is 900 seconds or less -echo "readonly TMOUT=900 ; export TMOUT" >> /etc/bash.bashrc -echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile -echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile.d/*.sh +cat templates/shell/shell-tmout-CIS >> /etc/bash.bashrc +cat templates/shell/shell-tmout-CIS >> /etc/profile + +for file in /etc/profile.d/*.sh; do + if grep -q 'TMOUT' "$file"; then + echo "TMOUT is configured in $file" + else + echo "\n" >> "$file" + cat templates/shell/shell-tmout-CIS >> "$file" + fi +done #5.5 Ensure root login is restricted to system console (Not Scored) #5.6 Ensure access to the su command is restricted (Scored) 
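Review bot: Commenting out `cat templates/pam/common-account-CIS >> /etc/pam.d/common-account` leaves the lockout control half-applied: `common-auth` keeps the `pam_tally2.so ... deny=5` counting line, but per pam_tally2(8) the `account` entry is what resets the counter on a successful login, so without it legitimate users accumulate failures across sessions and lock themselves out after five in total. The login problem the commit message mentions is more plausibly the template itself, whose two lines end with `account requisite pam_deny.so`; appended after the distribution stack that requisite deny rejects every account, so fixing the template ordering is the remedy rather than disabling the step. A silently commented-out command also hides the gap from the next maintainer; add `# TODO(name): common-account-CIS breaks login as written; tally reset (5.3.2) is not applied until fixed`.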
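Review bot: `echo "\n" >> "$file"` writes a literal backslash-n into every `/etc/profile.d/*.sh` script, because bash's `echo` does not interpret escapes without `-e`, and each login shell then tries to execute that as a command; use `printf '\n' >> "$file"` or drop it, since the template can start on its own line. Appending the TMOUT block to `/etc/bash.bashrc`, `/etc/profile` and every profile.d script is also more than the control needs — `/etc/profile` sources profile.d, so one guarded `/etc/profile.d/99-tmout.sh` covers login shells, with `/etc/bash.bashrc` for non-login interactive ones. The `grep -q 'TMOUT'` check avoids duplicates inside the loop, but the two unconditional `cat ... >>` lines above it re-append on every run.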
@@ -630,7 +648,8 @@ chmod u-x,go-rwx /etc/passwd- chown root:root /etc/shadow- chmod 600 /etc/shadow- -#6.1.8 Ensure permissions on /etc/group - are configured (Scored) +#6.1.8 Ensure permissions on /etc/group- are configured (Scored) + chown root:root /etc/group- chmod u-x,go-rwx /etc/group- @@ -719,4 +738,15 @@ echo -e "Please note that the root user is disabled by default." echo -e "Please note that the $username user is allowed to switch to root using the su command." echo -e "Please note that SUDO has not been configured yet." echo -e "Please reboot the server to apply all the changes."; + +# Echo some blank lines +echo -e "\n\n"; +# Some manual work is required to complete the setup. +echo -e "Please note that the following manual work is required to complete the setup:\n" +echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user." +echo -e "Copy the required ssh keys to the /home/$username/.ssh/authorized_keys file." +echo -e "RUN: chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-" + + + # End of script \ No newline at end of file From eb02f30bf60b221bb3a25fd7e8c66438142e98bd Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 20 Jun 2023 12:40:31 +0400 Subject: [PATCH 15/33] Fixed PAM Login Issue. --- DebianServer_10/jshilder-CIS.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index ab60eb5..6532480 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh 
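Review bot: The manual-steps list tells the operator to add the AIDE cron entry by hand and to `RUN: chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-`, yet the script already appends that entry to `/etc/cron.d/aide` and runs the same chown/chmod in section 6.1.8 a few lines above. If those automated steps are known not to take effect (for example `/etc/group-` not existing yet, or the cron.d line lacking a user field), state that in the message and fix the step; otherwise the duplicated instruction teaches operators to distrust the automation. A check for `/home/$username/.ssh/authorized_keys` also already exists earlier in the script, so the key-copy instruction should point at that step rather than stand alone.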
@@ -559,7 +559,7 @@ sleep 2 cp templates/pam/common-passwd-CIS /etc/pam.d/common-passwd cp templates/pam/pwquality-CIS.conf /etc/security/pwquality.conf cp templates/pam/common-auth-CIS /etc/pam.d/common-auth -# cat templates/pam/common-account-CIS >> /etc/pam.d/common-account +cp templates/pam/common-account-CIS /etc/pam.d/common-account #5.4 User Accounts and Environment #5.4.1.1 Ensure password expiration is 90 days or less (Scored) @@ -599,7 +599,6 @@ for file in /etc/profile.d/*.sh; do if grep -q 'TMOUT' "$file"; then echo "TMOUT is configured in $file" else - echo "\n" >> "$file" cat templates/shell/shell-tmout-CIS >> "$file" fi done @@ -724,7 +723,6 @@ usermod -a -G sugroup $username # In /etc/systemd/journald.conf, Remove the # from the following lines: # Storage=persistent # Compress=yes - sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf @@ -743,10 +741,7 @@ echo -e "Please reboot the server to apply all the changes."; echo -e "\n\n"; # Some manual work is required to complete the setup. echo -e "Please note that the following manual work is required to complete the setup:\n" -echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user." +echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user `crontab -uroot -e`" echo -e "Copy the required ssh keys to the /home/$username/.ssh/authorized_keys file." echo -e "RUN: chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-" - - - # End of script \ No newline at end of file From 020463891079165b42274038e6e8c2a2bdb25b45 Mon Sep 17 00:00:00 2001 
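Review bot: The backticks in `echo -e "... to the crontab of the root user `crontab -uroot -e`"` are a command substitution inside double quotes, so printing this summary actually runs `crontab -uroot -e`, which opens an interactive editor on root's crontab at the end of the hardening run and may hang an unattended session when `EDITOR` is unset. Quote the command text instead, e.g. `echo -e "... to the crontab of the root user (run: crontab -u root -e)."`. More generally, `printf '%s\n' "$text"` avoids both escape handling and accidental substitutions in these operator messages.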
From: Girish Mahabir Date: Tue, 20 Jun 2023 12:40:52 +0400 Subject: [PATCH 16/33] Fixed Pam Issue files updated. --- .../templates/pam/common-account-CIS | 27 ++++++++++++++++++- DebianServer_10/templates/pam/common-auth-CIS | 2 +- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/DebianServer_10/templates/pam/common-account-CIS b/DebianServer_10/templates/pam/common-account-CIS index caf1d8c..bc917d2 100644 --- a/DebianServer_10/templates/pam/common-account-CIS +++ b/DebianServer_10/templates/pam/common-account-CIS 
@@ -1,5 +1,30 @@ # Note: If a user has been locked out because they have reached the maximum # consecutive failure count defined by deny= in the pam_tally2.so module, the user # can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. +# DEBUG TIP: tail -F /var/log/auth.log and watch pam_tally2 --user {user} +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# -account requisite pam_deny.so account required pam_tally2.so \ No newline at end of file +# here are the per-package modules (the "Primary" block) +account required pam_tally2.so onerr=fail +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/DebianServer_10/templates/pam/common-auth-CIS b/DebianServer_10/templates/pam/common-auth-CIS index 64596d2..522c8ca 100644 --- a/DebianServer_10/templates/pam/common-auth-CIS +++ b/DebianServer_10/templates/pam/common-auth-CIS 
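Review bot: The new ordering — `account required pam_tally2.so onerr=fail` first, `account requisite pam_deny.so` after the `pam_unix.so` `success=1` jump, `pam_permit.so` last — follows the Debian layout and, per pam_tally2(8), lets a successful login reset the tally, which the previous two-line file could not. Two things should be documented in the template: the header still says the file is managed by pam-auth-update, but it is copied over `/etc/pam.d/common-account` wholesale, so a later `pam-auth-update` run will see local modifications and either stop managing the file or prompt — confirm the behavior and record it for operators; and pam_tally2 is deprecated upstream in favor of pam_faillock, so the Debian 11 variant of this script should not copy this file as-is. The `# DEBUG TIP:` line belongs in the project README rather than in a file installed under /etc/pam.d.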
@@ -14,6 +14,7 @@ # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) +auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so @@ -21,7 +22,6 @@ auth requisite pam_deny.so # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so -auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config \ No newline at end of file From 04753f80589a438486f302a91f077f3f245999bf Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 20 Jun 2023 12:47:30 +0400 Subject: [PATCH 17/33] Fixed bug in shell script "unknown character \n" --- DebianServer_10/templates/shell/shell-tmout-CIS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DebianServer_10/templates/shell/shell-tmout-CIS b/DebianServer_10/templates/shell/shell-tmout-CIS index 99da3be..31d1d55 100644 --- a/DebianServer_10/templates/shell/shell-tmout-CIS +++ b/DebianServer_10/templates/shell/shell-tmout-CIS @@ -1,3 +1,5 @@ + + if [ "$TMOUT" != 900 ]; then readonly TMOUT=900 ; export TMOUT fi \ No newline at end of file From 0f37dea621cd49a16ecfac4f035ba2abbaa26f59 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 20 Jun 2023 14:20:40 +0400 Subject: [PATCH 18/33] Bash ` bug on an echo line, resolved. --- DebianServer_10/jshilder-CIS.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DebianServer_10/jshilder-CIS.sh b/DebianServer_10/jshilder-CIS.sh index 6532480..8cd3560 100644 --- a/DebianServer_10/jshilder-CIS.sh +++ b/DebianServer_10/jshilder-CIS.sh 
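Review bot: Moving `pam_tally2.so` ahead of `pam_unix.so` is what makes the counter increment, but with `deny=5 unlock_time=900` in the shared auth stack a remote attacker who knows a username can lock that user out of every PAM service (sshd, login, su, sudo) for 15 minutes at a time, since pam_tally2 does not distinguish the source; that is the CIS trade-off, but it deserves a comment on the line, e.g. `# deny=5 locks any named local user for 900s from any PAM service; root stays exempt unless even_deny_root is added`. The line below still carries `nullok_secure` on pam_unix.so, which continues to accept empty passwords from ttys listed in /etc/securetty; if no account is meant to have an empty password, `auth [success=1 default=ignore] pam_unix.so` without it is the tighter form. Note too that pam_tally2 is deprecated upstream in favour of pam_faillock, so this template will not carry over to newer releases unchanged.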
@@ -741,7 +741,7 @@ echo -e "Please reboot the server to apply all the changes."; echo -e "\n\n"; # Some manual work is required to complete the setup. echo -e "Please note that the following manual work is required to complete the setup:\n" -echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user `crontab -uroot -e`" +echo -e "Add '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' to the crontab of the root user crontab -uroot -e" echo -e "Copy the required ssh keys to the /home/$username/.ssh/authorized_keys file." echo -e "RUN: chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-" # End of script \ No newline at end of file From ef7b7063c47448c2b2985e2e1d877b3f75f030d9 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Sun, 25 Jun 2023 06:39:57 +0400 Subject: [PATCH 19/33] Added Solutions for CIS 1.x. --- DebianServer_11/debian11-CIS.sh | 570 ++++++++++++++++++ .../templates/aide/aidecheck.service | 8 + .../templates/aide/aidecheck.timer | 8 + 3 files changed, 586 insertions(+) create mode 100644 DebianServer_11/debian11-CIS.sh create mode 100644 DebianServer_11/templates/aide/aidecheck.service create mode 100644 DebianServer_11/templates/aide/aidecheck.timer diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/debian11-CIS.sh new file mode 100644 index 0000000..38986be --- /dev/null +++ b/DebianServer_11/debian11-CIS.sh 
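Review bot: The closing echo still asks the operator to run `chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-` by hand, although that step is non-interactive and the script can do it itself, guarded for a backup file that may not exist yet: `[ -e /etc/group- ] && chown root:root /etc/group- && chmod u-x,go-rwx /etc/group-`. The AIDE cron line can likewise be installed by the script (an /etc/cron.d entry with a user field, or a systemd timer) rather than left to a manual `crontab -u root -e`; printed instructions are easy to skip and leave the host short of CIS 1.3.2 and 6.1.4. In the message itself, quote the command the reader is meant to type, e.g. `'crontab -u root -e'`, so it is not read as part of the prose. The surrounding script continues outside this hunk.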
@@ -0,0 +1,570 @@ +# 1.1.2.1: Ensure /tmp is a separate partition. (On Installation) +# 1.1.2.2: Ensure nodev option set on /tmp partition. (Requires separate partition) +# 1.1.2.3: Ensure noexec option set on /tmp partition. (Requires separate partition) +# 1.1.2.4: Ensure nosuid option set on /tmp partition. (Requires separate partition) +# 1.1.3.1: Ensure separate partition exists for /var. (On Installation) +# 1.1.3.2: Ensure nodev option set on /var partition. (Requires separate partition) +# 1.1.3.3: Ensure nosuid option set on /var partition. (Requires separate partition) +# 1.1.4.1: Ensure separate partition exists for /var/tmp. (On Installation) +# 1.1.4.2: Ensure noexec option set on /var/tmp partition. (Requires seperate partition) +# 1.1.4.3: Ensure nosuid option set on /var/tmp partition. (Requires seperate partition) +# 1.1.4.4: Ensure nodev option set on /var/tmp partition. (Requires seperate partition) +# 1.1.5.1: Ensure separate partition exists for /var/log. (On Installation) +# 1.1.5.2: Ensure nodev option set on /var/log partition. (Requires seperate partition) +# 1.1.5.3: Ensure noexec option set on /var/log partition. (Requires seperate partition) +# 1.1.5.4: Ensure nosuid option set on /var/log partition. (Requires seperate partition) +# 1.1.6.1: Ensure separate partition exists for /var/log/audit. (On Installation) +# 1.1.6.2: Ensure noexec option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.6.3: Ensure nodev option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.6.4: Ensure nosuid option set on /var/log/audit partition. (Requires seperate partition) +# 1.1.7.1: Ensure separate partition exists for /home. (On Installation) +# 1.1.7.2: Ensure nodev option set on /home partition. (Requires seperate partition) +# 1.1.7.3: Ensure nosuid option set on /home partition. (Requires seperate partition) +# 1.1.8.1: Ensure nodev option set on /dev/shm partition. 
(Requires seperate partition) +# 1.1.8.2: Ensure noexec option set on /dev/shm partition. (Requires seperate partition) +# 1.1.8.3: Ensure nosuid option set on /dev/shm partition. (Requires seperate partition) +# 1.1.9: Disable Automounting. +## Check if autofs is installed or if there're packages depending on it. +if [ $(dpkg-query -W -f='${Status}' autofs 2>/dev/null | grep -c "ok installed") -eq 0 ]; then + echo "autofs is not installed" +else + echo "autofs is installed" + apt remove --purge autofs -y +fi +if + +# 1.3.1: Ensure AIDE is installed. +apt-get install -y aide +aideinit + +# 1.3.2: Ensure filesystem integrity is regularly checked. +# Configure cron job for AIDE +echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide +service cron restart + +cp templates/aide/aidecheck.service /etc/systemd/system/aidecheck.service +cp templates/aide/aidecheck.timer /etc/systemd/system/aidecheck.timer + +chmod 644 /etc/systemd/system/aidecheck.* +systemctl daemon-reload +systemctl enable --now aidecheck.service aidecheck.timer + +# 1.4.1: Ensure bootloader password is set. (Skipped - Would require manual intervention on reboot). + +# grub-mkpasswd-pbkdf2 | tee grubpassword.tmp +# grubpassword=$(cat grubpassword.tmp | sed -e '1,2d' | cut -d ' ' -f7) +# echo " set superusers="root" " >> /etc/grub.d/40_custom +# echo " password_pbkdf2 root $grubpassword " >> /etc/grub.d/40_custom +# rm grubpassword.tmp +# update-grub + +# 1.4.2: Ensure permissions on bootloader config are configured. +chown root:root /boot/grub/grub.cfg +chmod u-wx,go-rwx /boot/grub/grub.cfg. + +# 1.4.3: Ensure authentication required for single user mode. (Scored) +passwd root + +# 1.5.2: Ensure prelink is not installed. +apt remove --purge prelink -y + +# 1.5.3: Ensure Automatic Error Reporting is not enabled (Scored) +# 1.5.4: Ensure core dumps are restricted. 
+echo "* hard core 0" >> /etc/security/limits.conf +cp templates/sysctl/sysctl-CIS.conf /etc/sysctl.conf +sysctl -e -p + +## Check if systemd-coredump is installed. +if [ $(dpkg-query -W -f='${Status}' systemd-coredump 2>/dev/null | grep -c "ok installed") -eq 0 ]; then + echo "systemd-coredump is not installed" +else + echo "systemd-coredump is installed" + # Edit /etc/systemd/coredump.conf + sed -i 's/#Storage=external/Storage=none/g' /etc/systemd/coredump.conf + sed -i 's/#ProcessSizeMax=2G/ProcessSizeMax=0/g' /etc/systemd/coredump.conf +fi + +# 1.6.1.1: Ensure AppArmor is installed. +apt install apparmor apparmor-utils -y + +# 1.6.1.2: Ensure AppArmor is enabled in the bootloader configuration. +# Edit /etc/default/grub +sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"/g' /etc/default/grub +update-grub + +# 1.6.1.3: Ensure all AppArmor Profiles are in enforce or complain mode. +aa-enforce /etc/apparmor.d/* +# aa-complain /etc/apparmor.d/* + +# 1.6.1.4: Ensure all AppArmor Profiles are enforcing (Scored on 1.6.1.3) +# 1.7.1: Ensure message of the day is configured properly. +# 1.7.2: Ensure local login warning banner is configured properly. +# 1.7.3: Ensure remote login warning banner is configured properly. +cat templates/texts/motd-CIS > /etc/motd +cat templates/texts/motd-CIS > /etc/issue +cat templates/texts/motd-CIS > /etc/issue.net +# 1.7.4: Ensure permissions on /etc/motd are configured. +# 1.7.5: Ensure permissions on /etc/issue are configured. +# 1.7.6: Ensure permissions on /etc/issue.net are configured. +chown root:root /etc/motd /etc/issue /etc/issue.net +chmod u-x,go-wx /etc/motd /etc/issue /etc/issue.net + +# 1.8.1: Ensure GNOME Display Manager is removed. (Scored) +# 1.8.10: Ensure XDCMP is not enabled (Scored) + +# 1.9: Ensure updates, patches, and additional security software are installed. +apt update -y && apt upgrade -y && apt dist-upgrade -y + +# 2.1.2.2: Ensure chrony is running as user _chrony. 
+ + +# 2.1.2.3: Ensure chrony is enabled and running. + + +# 2.1.3.1: Ensure systemd-timesyncd configured with authorized timeserver. + + +# 2.1.3.2: Ensure systemd-timesyncd is enabled and running. + + +# 2.1.4.1: Ensure ntp access control is configured. + + +# 2.1.4.2: Ensure ntp is configured with authorized timeserver. + + +# 2.1.4.3: Ensure ntp is running as user ntp. + + +# 2.1.4.4: Ensure ntp is enabled and running. + + +# 2.2.1: Ensure X Window System is not installed. + + +# 2.2.2: Ensure Avahi Server is not installed. + + +# 2.2.3: Ensure CUPS is not installed. + + +# 2.2.4: Ensure DHCP Server is not installed. + + +# 2.2.5: Ensure LDAP server is not installed. + + +# 2.2.6: Ensure NFS is not installed. + + +# 2.2.7: Ensure DNS Server is not installed. + + +# 2.2.8: Ensure FTP Server is not installed. + + +# 2.2.9: Ensure HTTP server is not installed. + + +# 2.2.10: Ensure IMAP and POP3 server are not installed. + + +# 2.2.11: Ensure Samba is not installed. + + +# 2.2.12: Ensure HTTP Proxy Server is not installed. + + +# 2.2.13: Ensure SNMP Server is not installed. + + +# 2.2.14: Ensure NIS Server is not installed. + + +# 2.2.15: Ensure mail transfer agent is configured for local-only mode. + + +# 2.2.16: Ensure rsync service is either not installed or masked. + + +# 2.3.1: Ensure NIS Client is not installed. + + +# 2.3.2: Ensure rsh client is not installed. + + +# 2.3.3: Ensure talk client is not installed. + + +# 2.3.4: Ensure telnet client is not installed. + + +# 2.3.5: Ensure LDAP client is not installed. + + +# 2.3.6: Ensure RPC is not installed. + + +# 3.5.1.1: Ensure ufw is installed. + + +# 3.5.1.2: Ensure iptables-persistent is not installed with ufw. + + +# 3.5.1.3: Ensure ufw service is enabled. + + +# 3.5.1.4: Ensure ufw loopback traffic is configured. + + +# 3.5.1.7: Ensure ufw default deny firewall policy. + + +# 3.5.2.1: Ensure nftables is installed. + + +# 3.5.2.2: Ensure ufw is uninstalled or disabled with nftables. 
+ + +# 3.5.2.3: Ensure iptables are flushed with nftables. + + +# 3.5.2.4: Ensure a nftables table exists. + + +# 3.5.2.5: Ensure nftables base chains exist. + + +# 3.5.2.6: Ensure nftables loopback traffic is configured. + + +# 3.5.2.8: Ensure nftables default deny firewall policy. + + +# 3.5.2.9: Ensure nftables service is enabled. + + +# 3.5.3.1.1: Ensure iptables packages are installed. + + +# 3.5.3.1.2: Ensure nftables is not installed with iptables. + + +# 3.5.3.1.3: Ensure ufw is uninstalled or disabled with iptables. + + +# 3.5.3.2.1: Ensure iptables default deny firewall policy. + + +# 3.5.3.2.2: Ensure iptables loopback traffic is configured. + + +# 3.5.3.3.1: Ensure ip6tables default deny firewall policy. + + +# 3.5.3.3.2: Ensure ip6tables loopback traffic is configured. + + +# 4.1.1.1: Ensure auditd is installed. + + +# 4.1.1.2: Ensure auditd service is enabled and active. + + +# 4.1.1.3: Ensure auditing for processes that start prior to auditd is enabled. + + +# 4.1.1.4: Ensure audit_backlog_limit is sufficient. + + +# 4.1.2.1: Ensure audit log storage size is configured. + + +# 4.1.2.2: Ensure audit logs are not automatically deleted. + + +# 4.1.2.3: Ensure system is disabled when audit logs are full. + + +# 4.1.3.1: Ensure changes to system administration scope (sudoers) is collected. + + +# 4.1.3.2: Ensure actions as another user are always logged. + + +# 4.1.3.4: Ensure events that modify date and time information are collected. + + +# 4.1.3.5: Ensure events that modify the system's network environment are collected. + + +# 4.1.3.7: Ensure unsuccessful file access attempts are collected. + + +# 4.1.3.8: Ensure events that modify user/group information are collected. + + +# 4.1.3.9: Ensure discretionary access control permission modification events are collected. + + +# 4.1.3.10: Ensure successful file system mounts are collected. + + +# 4.1.3.11: Ensure session initiation information is collected. 
+ + +# 4.1.3.12: Ensure login and logout events are collected. + + +# 4.1.3.13: Ensure file deletion events by users are collected. + + +# 4.1.3.14: Ensure events that modify the system's Mandatory Access Controls are collected. + + +# 4.1.3.15: Ensure successful and unsuccessful attempts to use the chcon command are recorded. + + +# 4.1.3.16: Ensure successful and unsuccessful attempts to use the setfacl command are recorded. + + +# 4.1.3.17: Ensure successful and unsuccessful attempts to use the chacl command are recorded. + + +# 4.1.3.18: Ensure successful and unsuccessful attempts to use the usermod command are recorded. + + +# 4.1.3.19: Ensure kernel module loading unloading and modification is collected. + + +# 4.1.3.20: Ensure the audit configuration is immutable. + + +# 4.1.3.21: Ensure the running and on disk configuration is the same. + + +# 4.1.4.3: Ensure only authorized groups are assigned ownership of audit log files. + + +# 4.1.4.5: Ensure audit configuration files are 640 or more restrictive. + + +# 4.1.4.6: Ensure audit configuration files are owned by root. + + +# 4.1.4.7: Ensure audit configuration files belong to group root. + + +# 4.1.4.8: Ensure audit tools are 755 or more restrictive. + + +# 4.1.4.9: Ensure audit tools are owned by root. + + +# 4.1.4.10: Ensure audit tools belong to group root. + + +# 4.2.1.1.1: Ensure systemd-journal-remote is installed. + + +# 4.2.1.1.3: Ensure systemd-journal-remote is enabled. + + +# 4.2.1.1.4: Ensure journald is not configured to recieve logs from a remote client. + + +# 4.2.1.2: Ensure journald service is enabled. + + +# 4.2.1.3: Ensure journald is configured to compress large log files. + + +# 4.2.1.4: Ensure journald is configured to write logfiles to persistent disk. + + +# 4.2.1.5: Ensure journald is not configured to send logs to rsyslog. + + +# 4.2.2.1: Ensure rsyslog is installed. + + +# 4.2.2.2: Ensure rsyslog service is enabled. 
+ + +# 4.2.2.3: Ensure journald is configured to send logs to rsyslog. + + +# 4.2.2.4: Ensure rsyslog default file permissions are configured. + + +# 4.2.2.7: Ensure rsyslog is not configured to receive logs from a remote client. + + +# 5.1.1: Ensure cron daemon is enabled and running. + + +# 5.1.2: Ensure permissions on /etc/crontab are configured. + + +# 5.1.3: Ensure permissions on /etc/cron.hourly are configured. + + +# 5.1.4: Ensure permissions on /etc/cron.daily are configured. + + +# 5.1.5: Ensure permissions on /etc/cron.weekly are configured. + + +# 5.1.6: Ensure permissions on /etc/cron.monthly are configured. + + +# 5.1.7: Ensure permissions on /etc/cron.d are configured. + + +# 5.1.8: Ensure cron is restricted to authorized users. + + +# 5.1.9: Ensure at is restricted to authorized users. + + +# 5.2.1: Ensure permissions on /etc/ssh/sshd_config are configured. + + +# 5.2.4: Ensure SSH access is limited. + + +# 5.2.5: Ensure SSH LogLevel is appropriate. + + +# 5.2.6: Ensure SSH PAM is enabled. + + +# 5.2.7: Ensure SSH root login is disabled. + + +# 5.2.8: Ensure SSH HostbasedAuthentication is disabled. + + +# 5.2.9: Ensure SSH PermitEmptyPasswords is disabled. + + +# 5.2.10: Ensure SSH PermitUserEnvironment is disabled. + + +# 5.2.11: Ensure SSH IgnoreRhosts is enabled. + + +# 5.2.12: Ensure SSH X11 forwarding is disabled. + + +# 5.2.13: Ensure only strong Ciphers are used. + + +# 5.2.14: Ensure only strong MAC algorithms are used. + + +# 5.2.15: Ensure only strong Key Exchange algorithms are used. + + +# 5.2.16: Ensure SSH AllowTcpForwarding is disabled. + + +# 5.2.17: Ensure SSH warning banner is configured. + + +# 5.2.18: Ensure SSH MaxAuthTries is set to 4 or less. + + +# 5.2.19: Ensure SSH MaxStartups is configured. + + +# 5.2.20: Ensure SSH MaxSessions is set to 10 or less. + + +# 5.2.21: Ensure SSH LoginGraceTime is set to one minute or less. + + +# 5.2.22: Ensure SSH Idle Timeout Interval is configured. + + +# 5.3.1: Ensure sudo is installed. 
+ + +# 5.3.2: Ensure sudo commands use pty. + + +# 5.3.3: Ensure sudo log file exists. + + +# 5.3.4: Ensure users must provide password for privilege escalation. + + +# 5.3.5: Ensure re-authentication for privilege escalation is not disabled globally. + + +# 5.3.6: Ensure sudo authentication timeout is configured correctly. + + +# 5.3.7: Ensure access to the su command is restricted. + + +# 5.4.1: Ensure password creation requirements are configured. + + +# 5.4.2: Ensure lockout for failed password attempts is configured. + + +# 5.4.3: Ensure password reuse is limited. + + +# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. + + +# 5.5.1.1: Ensure minimum days between password changes is configured. + + +# 5.5.1.2: Ensure password expiration is 365 days or less. + + +# 5.5.1.3: Ensure password expiration warning days is 7 or more. + + +# 5.5.1.4: Ensure inactive password lock is 30 days or less. + + +# 5.5.3: Ensure default group for the root account is GID 0. + + +# 6.1.1: Ensure permissions on /etc/passwd are configured. + + +# 6.1.2: Ensure permissions on /etc/passwd- are configured. + + +# 6.1.3: Ensure permissions on /etc/group are configured. + + +# 6.1.4: Ensure permissions on /etc/group- are configured. + + +# 6.1.5: Ensure permissions on /etc/shadow are configured. + + +# 6.1.6: Ensure permissions on /etc/shadow- are configured. + + +# 6.1.7: Ensure permissions on /etc/gshadow are configured. + + +# 6.1.8: Ensure permissions on /etc/gshadow- are configured. + + +# 6.2.1: Ensure accounts in /etc/passwd use shadowed passwords. + + +# 6.2.2: Ensure /etc/shadow password fields are not empty. + + +# 6.2.10: Ensure root is the only UID 0 account. + + diff --git a/DebianServer_11/templates/aide/aidecheck.service b/DebianServer_11/templates/aide/aidecheck.service new file mode 100644 index 0000000..98aeb15 --- /dev/null +++ b/DebianServer_11/templates/aide/aidecheck.service 
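Review bot: The stray `if` right after the autofs `fi` (just before the `# 1.3.1` comment) has no condition or `then`, so bash rejects the whole file with a syntax error and none of the hardening runs; delete that line. Two further lines then fail quietly: the `/etc/cron.d/aide` entry lacks the user field that cron.d files require, so it should read `echo "0 5 * * * root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" > /etc/cron.d/aide` (and `>` rather than `>>` keeps re-runs from stacking duplicates; with the systemd timer installed as well, one of the two schedulers is redundant), and `chmod u-wx,go-rwx /boot/grub/grub.cfg.` carries a trailing dot, so the real grub.cfg keeps its permissions and CIS 1.4.2 stays open. `passwd root` also blocks on an interactive prompt in an otherwise unattended script; either set the password from a variable the operator supplies up front or document that this step is interactive.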
@@ -0,0 +1,8 @@
+[Unit]
+Description=Aide Check
+
+[Service]
+Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/DebianServer_11/templates/aide/aidecheck.timer b/DebianServer_11/templates/aide/aidecheck.timer
new file mode 100644
index 0000000..eafb96a
--- /dev/null
+++ b/DebianServer_11/templates/aide/aidecheck.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Aide check every day at 5AM
+
+[Timer]
+OnCalendar=*-*-* 05:00:00
+Unit=aidecheck.service
+
+[Install] WantedBy=multi-user.target
\ No newline at end of file
From 437a172d409be635fc92a6f33fdc109029c7112e Mon Sep 17 00:00:00 2001
From: Girish Mahabir
Date: Sun, 25 Jun 2023 08:35:24 +0400
Subject: [PATCH 20/33] Added Solution for CIS 2.x.
---
 DebianServer_11/debian11-CIS.sh | 134 ++++++------------
 DebianServer_11/templates/ntp/ntp.conf | 64 +++++++++
 .../templates/sysctl/sysctl-CIS.conf | 123 ++++++++++++++++
 .../systemd-timesyncd.conf/timesyncd.conf | 4 +
 4 files changed, 237 insertions(+), 88 deletions(-)
 create mode 100644 DebianServer_11/templates/ntp/ntp.conf
 create mode 100644 DebianServer_11/templates/sysctl/sysctl-CIS.conf
 create mode 100644 DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf
diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/debian11-CIS.sh
index 38986be..21cbd1d 100644
--- a/DebianServer_11/debian11-CIS.sh
+++ b/DebianServer_11/debian11-CIS.sh
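Review bot: `Type=simple ExecStart=/usr/bin/aide.wrapper ...` is a single line (the file's +8 in the diffstat only fits that way), so systemd reads it as an invalid Type value and the unit ends up with no ExecStart at all; it refuses to load, and the timer's daily check never runs. Put `Type=oneshot` and `ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check` on separate lines, and drop the `[Install]` section from the service: `systemctl enable aidecheck.service` with `WantedBy=multi-user.target` starts a full AIDE scan at every boot on top of the timer. oneshot also keeps a long-running scan from being treated as a still-active service by the timer.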
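Review bot: `[Install] WantedBy=multi-user.target` sits on one line in the timer (again matching the +8 count), which is not a valid section header, so `systemctl enable aidecheck.timer` has nothing to link and the timer is never pulled in at boot. Split it into `[Install]` and `WantedBy=timers.target`, the target timers are normally wanted by. Adding `Persistent=true` under `[Timer]` makes a check missed while the host was down at 05:00 run after the next boot instead of being skipped.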
@@ -116,110 +116,68 @@ chmod u-x,go-wx /etc/motd /etc/issue /etc/issue.net apt update -y && apt upgrade -y && apt dist-upgrade -y # 2.1.2.2: Ensure chrony is running as user _chrony. - +echo "user _chrony" >> /etc/chrony/conf.d/chrony_user.conf # 2.1.2.3: Ensure chrony is enabled and running. +systemctl unmask chrony.service +systemctl enable --now chrony.service -# 2.1.3.1: Ensure systemd-timesyncd configured with authorized timeserver. +# IF CHRONY IS NOT USED, USE NTP +# apt remove --purge chrony -y +# 2.1.3.1: Ensure systemd-timesyncd configured with authorized timeserver. +apt install systemd-timesyncd -y +mkdir /etc/systemd/timesyncd.conf.d +cp templates/timesyncd/timesyncd.conf /etc/systemd/timesyncd.conf.d/50-timesyncd.conf # 2.1.3.2: Ensure systemd-timesyncd is enabled and running. +systemctl mask --now systemd-timesyncd.service +## if chrony is used, disable systemd-timesyncd +# systemctl disable --now systemd-timesyncd.service +# systemctl mask systemd-timesyncd.service -# 2.1.4.1: Ensure ntp access control is configured. - - +# 2.1.4.1: Ensure ntp access control is configured. (scored) # 2.1.4.2: Ensure ntp is configured with authorized timeserver. +cp templates/ntp/ntp.conf /etc/ntp.conf +system restart ntp - -# 2.1.4.3: Ensure ntp is running as user ntp. - - +# 2.1.4.3: Ensure ntp is running as user ntp (Scored) # 2.1.4.4: Ensure ntp is enabled and running. - +systemctl enable --now ntp.service # 2.2.1: Ensure X Window System is not installed. - - -# 2.2.2: Ensure Avahi Server is not installed. - - -# 2.2.3: Ensure CUPS is not installed. - - -# 2.2.4: Ensure DHCP Server is not installed. - - -# 2.2.5: Ensure LDAP server is not installed. - - -# 2.2.6: Ensure NFS is not installed. - - -# 2.2.7: Ensure DNS Server is not installed. - - -# 2.2.8: Ensure FTP Server is not installed. - - -# 2.2.9: Ensure HTTP server is not installed. - - -# 2.2.10: Ensure IMAP and POP3 server are not installed. - - -# 2.2.11: Ensure Samba is not installed. 
- - -# 2.2.12: Ensure HTTP Proxy Server is not installed. - - -# 2.2.13: Ensure SNMP Server is not installed. - - -# 2.2.14: Ensure NIS Server is not installed. - - -# 2.2.15: Ensure mail transfer agent is configured for local-only mode. - - -# 2.2.16: Ensure rsync service is either not installed or masked. - - -# 2.3.1: Ensure NIS Client is not installed. - - -# 2.3.2: Ensure rsh client is not installed. - - -# 2.3.3: Ensure talk client is not installed. - - -# 2.3.4: Ensure telnet client is not installed. - - -# 2.3.5: Ensure LDAP client is not installed. - - -# 2.3.6: Ensure RPC is not installed. - - -# 3.5.1.1: Ensure ufw is installed. - - +apt purge xserver-xorg* -y + +# 2.2.2: Ensure Avahi Server is not installed. (Scored) +# 2.2.3: Ensure CUPS is not installed. (Scored) +# 2.2.4: Ensure DHCP Server is not installed. (Scored) +# 2.2.5: Ensure LDAP server is not installed. (Scored) +# 2.2.6: Ensure NFS is not installed. (Scored) +# 2.2.7: Ensure DNS Server is not installed. (Scored) +# 2.2.8: Ensure FTP Server is not installed. (Scored) +# 2.2.9: Ensure HTTP server is not installed. (Scored) +# 2.2.10: Ensure IMAP and POP3 server are not installed. (Scored) +# 2.2.11: Ensure Samba is not installed. (Scored) +# 2.2.12: Ensure HTTP Proxy Server is not installed. (Scored) +# 2.2.13: Ensure SNMP Server is not installed. (Scored) +# 2.2.14: Ensure NIS Server is not installed. (Scored) +# 2.2.15: Ensure mail transfer agent is configured for local-only mode. (Scored) +# 2.2.16: Ensure rsync service is either not installed or masked. (Scored) +# 2.3.1: Ensure NIS Client is not installed. (Scored) +# 2.3.2: Ensure rsh client is not installed. (Scored) +# 2.3.3: Ensure talk client is not installed. (Scored) +# 2.3.4: Ensure telnet client is not installed. (Scored) +# 2.3.5: Ensure LDAP client is not installed. (Scored) +# 2.3.6: Ensure RPC is not installed. (Scored) + +# 3.5.1.1: Ensure ufw is installed. 
(Not Applicable) # 3.5.1.2: Ensure iptables-persistent is not installed with ufw. - -# 3.5.1.3: Ensure ufw service is enabled. - - -# 3.5.1.4: Ensure ufw loopback traffic is configured. - - -# 3.5.1.7: Ensure ufw default deny firewall policy. - - +# 3.5.1.3: Ensure ufw service is enabled. (Not Applicable) +# 3.5.1.4: Ensure ufw loopback traffic is configured. (Not Applicable) +# 3.5.1.7: Ensure ufw default deny firewall policy. (Not Applicable) # 3.5.2.1: Ensure nftables is installed. diff --git a/DebianServer_11/templates/ntp/ntp.conf b/DebianServer_11/templates/ntp/ntp.conf new file mode 100644 index 0000000..9be8e06 --- /dev/null +++ b/DebianServer_11/templates/ntp/ntp.conf 
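Review bot: `system restart ntp` is a typo for `systemctl restart ntp`, so the copied ntp.conf is not loaded until the next reboot, and the command's failure is not checked. More fundamentally the block enables chrony, installs and configures systemd-timesyncd and then masks it, and enables ntp: chrony and ntpd both bind UDP/123 and will fight over it, while CIS 2.1 asks for exactly one of the three. Pick one (the comments suggest chrony) and purge the other two, e.g. `apt purge -y ntp systemd-timesyncd` after `systemctl enable --now chrony.service`. The timesyncd template is copied from `templates/timesyncd/timesyncd.conf`, but this commit adds it under `templates/systemd-timesyncd.conf/`, and `mkdir /etc/systemd/timesyncd.conf.d` without `-p` fails when the directory already exists, so that cp does not run either.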
@@ -0,0 +1,64 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+server time.nist.gov iburst
+server time-a-g.nist.gov iburst
+server time-b-g.nist.gov iburst
+server time-c-g.nist.gov iburst
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+# pool 0.debian.pool.ntp.org iburst
+# pool 1.debian.pool.ntp.org iburst
+# pool 2.debian.pool.ntp.org iburst
+# pool 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
\ No newline at end of file
diff --git a/DebianServer_11/templates/sysctl/sysctl-CIS.conf b/DebianServer_11/templates/sysctl/sysctl-CIS.conf
new file mode 100644
index 0000000..ce2b5f4
--- /dev/null
+++ b/DebianServer_11/templates/sysctl/sysctl-CIS.conf
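Review bot: The four hard-coded NIST servers belong in a site-policy variable rather than the template — CIS 2.1.4.2 is about the organisation's authorised time source — and `time.nist.gov` is a round-robin name over the same a/b/c-g hosts listed on the next three lines, so ntpd can end up with two associations to one address. If a public source is unavoidable, the commented `pool N.debian.pool.ntp.org iburst` lines give better diversity than four entries at one provider. The `statistics`/`filegen ... enable` lines are left active while `#statsdir` stays commented out, so, unless the build's compiled-in default points somewhere sensible, the loopstats/peerstats/clockstats files land relative to ntpd's working directory; either uncomment `statsdir /var/log/ntpstats/` or remove the four statistics lines.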
@@ -0,0 +1,123 @@
+# Kernel sysctl configuration file for Ubuntu
+# Modified by Jason Soto
+#
+# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
+# sysctl.conf(5) for more details.
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 0
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 1
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmnb = 65536
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmax = 65536
+
+# Controls the maximum shared segment size, in bytes
+kernel.shmmax = 68719476736
+
+# Controls the maximum number of shared memory segments, in pages
+kernel.shmall = 4294967296
+
+######### GENERAL SECURITY OPTIONS ################
+
+# Automatically Reboot Server in 30 Seconds after a Kernel Panic
+vm.panic_on_oom = 1
+kernel.panic = 30
+kernel.panic_on_oops = 30
+
+# Enable ExecShield
+kernel.exec-shield = 1
+
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+
+########## COMMUNICATIONS SECURITY ##############
+# No Redirections
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Do not Accept Packets with SRR
+net.ipv4.conf.all.accept_source_route = 0
+
+# Do not accept Redirections
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.secure_redirects = 0
+net.ipv6.conf.default.secure_redirects = 0
+
+# Do not Accept source routed Packets
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Disable Packets Forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.forwarding = 0
+
+# Log Suspicious Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Ignore ICMP ECHO or TIMESTAMP sent by broadcast/multicast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.tcp_timestamps = 0
+
+# Protect Against 'syn flood attack'
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 5
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Enable Reverse Source Validation (Protects Against IP Spoofing)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Ignore Bogus Error Response
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Reduce KeepAlive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+#Ensure IPv6 router advertisement are not accepted
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+fs.suid_dumpable = 0
\ No newline at end of file
diff --git a/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf b/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf
new file mode 100644
index 0000000..78a1701
--- /dev/null
+++ b/DebianServer_11/templates/systemd-timesyncd.conf/timesyncd.conf
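Review bot: The IPv6 half of the CIS 3.3 "source routed packets are not accepted" control is missing: `net.ipv6.conf.all.accept_source_route = 0` and `net.ipv6.conf.default.accept_source_route = 0` belong next to the IPv4 lines, and they still matter with `disable_ipv6 = 1` because the auditor checks the sysctl values, not the interface state. `kernel.exec-shield` is a RHEL-only knob that does not exist in Debian kernels, and the `net.bridge.bridge-nf-call-*` keys only appear once br_netfilter is loaded, so `sysctl -p` errors on them and the script's `-e` merely hides that; drop them. The file also repeats `net.ipv4.ip_forward`, `net.ipv4.conf.all.accept_source_route` and the `default.*` redirect keys, and the header still reads "for Ubuntu / Modified by Jason Soto", so a trim that leaves one copy of each key and a header naming this project's policy would make the file reviewable.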
@@ -0,0 +1,4 @@ +[Time] +# Note: Servers added to these line(s) should follow local site policy. +NTP=time.nist.gov +FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov \ No newline at end of file From 074a177db55a0608b3539ea0afdf4929846ba9a1 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Sun, 25 Jun 2023 09:03:27 +0400 Subject: [PATCH 21/33] Added Solutions for CIS 4.x and added Variable for GRUB_CMDLINE_LINUX_OPTIONS. --- DebianServer_11/debian11-CIS.sh | 49 +++++++------------ .../templates/iptables/iptables.sh | 33 +++++++++++++ 2 files changed, 50 insertions(+), 32 deletions(-) create mode 100644 DebianServer_11/templates/iptables/iptables.sh diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/debian11-CIS.sh index 21cbd1d..666163c 100644 --- a/DebianServer_11/debian11-CIS.sh +++ b/DebianServer_11/debian11-CIS.sh @@ -1,3 +1,8 @@ +#!/bin/bash + +# GLOBAL VARS +GRUB_CMDLINE_LINUX_OPTIONS="apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192" + # 1.1.2.1: Ensure /tmp is a separate partition. (On Installation) # 1.1.2.2: Ensure nodev option set on /tmp partition. (Requires separate partition) # 1.1.2.3: Ensure noexec option set on /tmp partition. (Requires separate partition) @@ -88,8 +93,7 @@ fi apt install apparmor apparmor-utils -y # 1.6.1.2: Ensure AppArmor is enabled in the bootloader configuration. -# Edit /etc/default/grub -sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"/g' /etc/default/grub +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" update-grub # 1.6.1.3: Ensure all AppArmor Profiles are in enforce or complain mode. 
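Review bot: The shebang is added but there is no `set -euo pipefail`, so every failed `cp`, `sed` or `apt` further down is ignored and the run still exits 0; put `set -euo pipefail` directly after `#!/bin/bash` and give the few commands allowed to fail (such as `sysctl -e -p`) an explicit `|| true`. `GRUB_CMDLINE_LINUX_OPTIONS` never changes and can be declared `readonly`, with a one-line comment stating that it is spliced into a sed replacement and must not contain `/` or `&`.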
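Review bot: The new sed appends `$GRUB_CMDLINE_LINUX_OPTIONS` before the closing quote of the `GRUB_CMDLINE_LINUX=` line every time the script runs, so a second run produces `apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor audit=1 ...`; guard it, e.g. `grep -q 'audit_backlog_limit=' /etc/default/grub || sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" /etc/default/grub`. Expanding the variable inside the sed script is fine for this fixed value but breaks as soon as an option containing `/` or `&` is added, which is worth a comment on the line. `update-grub` also runs without checking that the sed matched anything — on a grub file without a `GRUB_CMDLINE_LINUX=` line nothing changes and the apparmor/audit kernel parameters silently stay off; a `grep -q 'security=apparmor' /etc/default/grub || exit 1` before `update-grub` catches that.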
@@ -172,69 +176,50 @@ apt purge xserver-xorg* -y # 2.3.5: Ensure LDAP client is not installed. (Scored) # 2.3.6: Ensure RPC is not installed. (Scored) +# USING IPTABLES! # 3.5.1.1: Ensure ufw is installed. (Not Applicable) # 3.5.1.2: Ensure iptables-persistent is not installed with ufw. +apt install iptables-persistent -y # 3.5.1.3: Ensure ufw service is enabled. (Not Applicable) # 3.5.1.4: Ensure ufw loopback traffic is configured. (Not Applicable) # 3.5.1.7: Ensure ufw default deny firewall policy. (Not Applicable) # 3.5.2.1: Ensure nftables is installed. - +apt remove -y nftables # 3.5.2.2: Ensure ufw is uninstalled or disabled with nftables. - - # 3.5.2.3: Ensure iptables are flushed with nftables. - - # 3.5.2.4: Ensure a nftables table exists. - - # 3.5.2.5: Ensure nftables base chains exist. - - # 3.5.2.6: Ensure nftables loopback traffic is configured. - - # 3.5.2.8: Ensure nftables default deny firewall policy. - - # 3.5.2.9: Ensure nftables service is enabled. - - # 3.5.3.1.1: Ensure iptables packages are installed. +apt install -y iptables - -# 3.5.3.1.2: Ensure nftables is not installed with iptables. - - +# 3.5.3.1.2: Ensure nftables is not installed with iptables. (Scored) # 3.5.3.1.3: Ensure ufw is uninstalled or disabled with iptables. - +apt remove -y ufw # 3.5.3.2.1: Ensure iptables default deny firewall policy. - - # 3.5.3.2.2: Ensure iptables loopback traffic is configured. - - # 3.5.3.3.1: Ensure ip6tables default deny firewall policy. - - # 3.5.3.3.2: Ensure ip6tables loopback traffic is configured. +## Take user input for the ssh port +read -p "Enter the SSH port: " ssh_port +sed -i "s/PORT/$ssh_port/g" templates/iptables/iptables.sh +bash templates/iptables/iptables.sh +netfilter-persistent save # 4.1.1.1: Ensure auditd is installed. - # 4.1.1.2: Ensure auditd service is enabled and active. - # 4.1.1.3: Ensure auditing for processes that start prior to auditd is enabled. - # 4.1.1.4: Ensure audit_backlog_limit is sufficient. 
- # 4.1.2.1: Ensure audit log storage size is configured. diff --git a/DebianServer_11/templates/iptables/iptables.sh b/DebianServer_11/templates/iptables/iptables.sh new file mode 100644 index 0000000..30ec8ec --- /dev/null +++ b/DebianServer_11/templates/iptables/iptables.sh @@ -0,0 +1,33 @@ +# Flush /sbin/iptables rules + /sbin/iptables -F + +# Default deny Firewall policy + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + +# Ensure loopback traffic is configured + /sbin/iptables -A INPUT -i lo -j ACCEPT + /sbin/iptables -A OUTPUT -o lo -j ACCEPT + /sbin/iptables -A INPUT -s 127.0.0.0/8 -j DROP + +# Ensure outbound and established connections are configured + /sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT + /sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT + +# Open inbound ssh connections + /sbin/iptables -A INPUT -p tcp --dport PORT -m state --state NEW -j ACCEPT + +# Disable IPV7 + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + +# 4.5.4.2.2 Ensure IPv6 loopback traffic is configured. + /sbin/ip6tables -A INPUT -i lo -j ACCEPT + /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT + /sbin/ip6tables -A INPUT -s ::1 -j DROP \ No newline at end of file From ec146250e855732149911621506f1c5f46686297 Mon Sep 17 00:00:00 2001 
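Review bot: `read -p "Enter the SSH port: " ssh_port` accepts any string and the value goes unchecked into a sed expression and then into `iptables --dport`, so an empty or non-numeric answer either leaves the rule unparsable or silently opens the wrong port; validate it first, e.g. `[[ "$ssh_port" =~ ^[0-9]+$ ]] && (( ssh_port >= 1 && ssh_port <= 65535 )) || exit 1`. The `sed -i "s/PORT/$ssh_port/g" templates/iptables/iptables.sh` also rewrites the template in place, so on a second run there is no `PORT` left to substitute and the SSH accept rule keeps whatever port the first run chose; render a copy instead, `sed "s/PORT/$ssh_port/g" templates/iptables/iptables.sh | bash`. The same two points apply to the renamed `sshport` read in patch 26 (L92).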
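Review bot: The ip6tables section sets DROP policies without first flushing (`/sbin/ip6tables -F`) and without the ESTABLISHED/NEW state rules the IPv4 side has, so if IPv6 is not disabled at the kernel level no IPv6 reply traffic gets through, and re-running the script appends duplicate loopback rules on the IPv6 side. The comment `# Disable IPV7` should read `# IPv6 default deny policy`, since these rules do not disable IPv6. The file also has no shebang and no `set -e`, so a failing rule (for example an unsubstituted `PORT`) is ignored while the DROP policies still apply; the IPv6 block could become:
```shell
# IPv6 default deny policy
 /sbin/ip6tables -F
 /sbin/ip6tables -P INPUT DROP
 /sbin/ip6tables -P OUTPUT DROP
 /sbin/ip6tables -P FORWARD DROP
 /sbin/ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
 /sbin/ip6tables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# … unchanged: IPv6 loopback rules …
```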
From: Girish Mahabir Date: Tue, 27 Jun 2023 17:58:11 +0400 Subject: [PATCH 22/33] Added CIS Solution from 4.x -> 5.3.7. Also modified past variable ssh_port -> sshport to match previous choice. --- .../templates/audit/auditd-CIS.conf | 11 +- DebianServer_11/debian11-CIS.sh | 201 ++++++++---------- DebianServer_11/templates/auditd/audit.rules | 102 +++++++++ DebianServer_11/templates/auditd/auditd.conf | 4 + .../templates/sshd/sshd_config-CIS | 40 ++++ 5 files changed, 234 insertions(+), 124 deletions(-) create mode 100644 DebianServer_11/templates/auditd/audit.rules create mode 100644 DebianServer_11/templates/auditd/auditd.conf create mode 100644 DebianServer_11/templates/sshd/sshd_config-CIS diff --git a/DebianServer_10/templates/audit/auditd-CIS.conf b/DebianServer_10/templates/audit/auditd-CIS.conf index 21b7a1c..0c1c924 100644 --- a/DebianServer_10/templates/audit/auditd-CIS.conf +++ b/DebianServer_10/templates/audit/auditd-CIS.conf @@ -1,4 +1,3 @@ - # # This file controls the configuration of the audit daemon # Configured according to CIS Benchmark @@ -15,11 +14,11 @@ disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain -max_log_file = 6 -max_log_file_action = keep_logs +max_log_file = 6 # CIS 4.1.2.1 +max_log_file_action = keep_logs # CIS 4.1.2.2 space_left = 75 -space_left_action = email -action_mail_acct = root +space_left_action = email # CIS 4.1.2.3 +action_mail_acct = root admin_space_left = 50 admin_space_left_action = halt disk_full_action = SUSPEND @@ -31,4 +30,4 @@ tcp_max_per_addr = 1 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd -##krb5_key_file = /etc/audit/audit.key \ No newline at end of file +##krb5_key_file = /etc/audit/audit.key diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/debian11-CIS.sh index 666163c..699bdba 100644 --- a/DebianServer_11/debian11-CIS.sh +++ b/DebianServer_11/debian11-CIS.sh 
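Review bot: The lines `max_log_file = 6 # CIS 4.1.2.1`, `max_log_file_action = keep_logs # CIS 4.1.2.2` and `space_left_action = email # CIS 4.1.2.3` put a trailing comment on a keyword line, which auditd's configuration parser does not appear to accept; patch 24 on this page removes exactly these comments from the Debian 11 template "to resolve bug", but this Debian 10 template keeps them. Move each reference onto its own comment line above the keyword, e.g. `# CIS 4.1.2.1` followed by `max_log_file = 6`, so the Debian 10 file does not fail the same way.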
@@ -206,250 +206,215 @@ apt remove -y ufw # 3.5.3.3.1: Ensure ip6tables default deny firewall policy. # 3.5.3.3.2: Ensure ip6tables loopback traffic is configured. ## Take user input for the ssh port -read -p "Enter the SSH port: " ssh_port -sed -i "s/PORT/$ssh_port/g" templates/iptables/iptables.sh +read -p "Enter the SSH port: " sshport +sed -i "s/PORT/$sshport/g" templates/iptables/iptables.sh bash templates/iptables/iptables.sh netfilter-persistent save # 4.1.1.1: Ensure auditd is installed. +apt-get install -y auditd audispd-plugins # 4.1.1.2: Ensure auditd service is enabled and active. +systemctl --now enable auditd # 4.1.1.3: Ensure auditing for processes that start prior to auditd is enabled. +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" # 4.1.1.4: Ensure audit_backlog_limit is sufficient. +sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $GRUB_CMDLINE_LINUX_OPTIONS\"/" "/etc/default/grub" +update-grub # 4.1.2.1: Ensure audit log storage size is configured. - - # 4.1.2.2: Ensure audit logs are not automatically deleted. - - # 4.1.2.3: Ensure system is disabled when audit logs are full. - +cp templates/auditd/auditd.conf /etc/audit/auditd.conf # 4.1.3.1: Ensure changes to system administration scope (sudoers) is collected. - - # 4.1.3.2: Ensure actions as another user are always logged. - - # 4.1.3.4: Ensure events that modify date and time information are collected. - - # 4.1.3.5: Ensure events that modify the system's network environment are collected. - - # 4.1.3.7: Ensure unsuccessful file access attempts are collected. - - # 4.1.3.8: Ensure events that modify user/group information are collected. - - # 4.1.3.9: Ensure discretionary access control permission modification events are collected. - - # 4.1.3.10: Ensure successful file system mounts are collected. - - # 4.1.3.11: Ensure session initiation information is collected. - - # 4.1.3.12: Ensure login and logout events are collected. 
- - # 4.1.3.13: Ensure file deletion events by users are collected. - - # 4.1.3.14: Ensure events that modify the system's Mandatory Access Controls are collected. - - # 4.1.3.15: Ensure successful and unsuccessful attempts to use the chcon command are recorded. - - # 4.1.3.16: Ensure successful and unsuccessful attempts to use the setfacl command are recorded. - - # 4.1.3.17: Ensure successful and unsuccessful attempts to use the chacl command are recorded. - - # 4.1.3.18: Ensure successful and unsuccessful attempts to use the usermod command are recorded. - - # 4.1.3.19: Ensure kernel module loading unloading and modification is collected. - +cp templates/auditd/audit.rules /etc/audit/rules.d/50-scope.rules # 4.1.3.20: Ensure the audit configuration is immutable. - +echo "#End of Audit Rules" >> /etc/audit/audit.rules +echo "-e 2" >> /etc/audit/audit.rules +echo "-e 2" >> /etc/audit/audit.rules.prev +echo "-e 2" >> /etc/audit/audit-stop.rules +echo "-e 2" >> /etc/audit/rules.d/99-finalize.rules # 4.1.3.21: Ensure the running and on disk configuration is the same. - +if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then + echo "Reboot required to load rules"; + augenrules --load; +fi # 4.1.4.3: Ensure only authorized groups are assigned ownership of audit log files. +find $(dirname $(awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} + +chgrp adm /var/log/audit/ +systemctl restart auditd # 4.1.4.5: Ensure audit configuration files are 640 or more restrictive. - +ind /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} + # 4.1.4.6: Ensure audit configuration files are owned by root. - +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root -exec chown root {} + # 4.1.4.7: Ensure audit configuration files belong to group root. - +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! 
-group root -exec chgrp root {} + # 4.1.4.8: Ensure audit tools are 755 or more restrictive. - +chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules # 4.1.4.9: Ensure audit tools are owned by root. - +chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules # 4.1.4.10: Ensure audit tools belong to group root. - +chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules +chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules # 4.2.1.1.1: Ensure systemd-journal-remote is installed. - +apt install systemd-journal-remote -y # 4.2.1.1.3: Ensure systemd-journal-remote is enabled. - +#systemctl --now enable systemd-journal-upload.service # 4.2.1.1.4: Ensure journald is not configured to recieve logs from a remote client. - +systemctl --now disable systemd-journal-remote.socket # 4.2.1.2: Ensure journald service is enabled. +# By default the systemd-journald service does not +# have an [Install] section and thus cannot be enabled / disabled. +# It is meant to be referenced as Requires or Wants by other unit files. +# As such, if the status of systemd-journald is not static, investigate why. -# 4.2.1.3: Ensure journald is configured to compress large log files. +# 4.2.1.3: Ensure journald is configured to compress large log files. +sed -i 's/#Compress=yes/Compress=yes/g' /etc/systemd/journald.conf # 4.2.1.4: Ensure journald is configured to write logfiles to persistent disk. - +sed -i 's/#Storage=auto/Storage=persistent/g' /etc/systemd/journald.conf # 4.2.1.5: Ensure journald is not configured to send logs to rsyslog. - +sed -i 's/#ForwardToSyslog=no/ForwardToSyslog=yes/g' /etc/systemd/journald.conf +systemctl restart systemd-journald # 4.2.2.1: Ensure rsyslog is installed. - +apt install rsyslog -y # 4.2.2.2: Ensure rsyslog service is enabled. 
- - # 4.2.2.3: Ensure journald is configured to send logs to rsyslog. - - -# 4.2.2.4: Ensure rsyslog default file permissions are configured. - - -# 4.2.2.7: Ensure rsyslog is not configured to receive logs from a remote client. - +# 4.2.2.4: Ensure rsyslog default file permissions are configured. (Scored by default) +# 4.2.2.7: Ensure rsyslog is not configured to receive logs from a remote client. (Scored by default) # 5.1.1: Ensure cron daemon is enabled and running. - +systemctl --now enable cron # 5.1.2: Ensure permissions on /etc/crontab are configured. - +chown root:root /etc/crontab +chmod og-rwx /etc/crontab # 5.1.3: Ensure permissions on /etc/cron.hourly are configured. - +chown root:root /etc/cron.hourly/ +chmod og-rwx /etc/cron.hourly/ # 5.1.4: Ensure permissions on /etc/cron.daily are configured. - +chown root:root /etc/cron.daily/ +chmod og-rwx /etc/cron.daily/ # 5.1.5: Ensure permissions on /etc/cron.weekly are configured. - +chown root:root /etc/cron.weekly/ +chmod og-rwx /etc/cron.weekly/ # 5.1.6: Ensure permissions on /etc/cron.monthly are configured. - +chown root:root /etc/cron.monthly/ +chmod og-rwx /etc/cron.monthly/ # 5.1.7: Ensure permissions on /etc/cron.d are configured. - +chown root:root /etc/cron.d/ +chmod og-rwx /etc/cron.d/ # 5.1.8: Ensure cron is restricted to authorized users. - +touch /etc/cron.allow +chmod g-wx,o-rwx /etc/cron.allow +chown root:root /etc/cron.allow # 5.1.9: Ensure at is restricted to authorized users. - +rm /etc/at.deny +touch /etc/at.allow +chmod g-wx,o-rwx /etc/at.allow +chown root:root /etc/at.allow # 5.2.1: Ensure permissions on /etc/ssh/sshd_config are configured. - +chown root:root /etc/ssh/sshd_config +chmod og-rwx /etc/ssh/sshd_config # 5.2.4: Ensure SSH access is limited. - - # 5.2.5: Ensure SSH LogLevel is appropriate. - - # 5.2.6: Ensure SSH PAM is enabled. - - # 5.2.7: Ensure SSH root login is disabled. - - # 5.2.8: Ensure SSH HostbasedAuthentication is disabled. 
- - # 5.2.9: Ensure SSH PermitEmptyPasswords is disabled. - - # 5.2.10: Ensure SSH PermitUserEnvironment is disabled. - - # 5.2.11: Ensure SSH IgnoreRhosts is enabled. - - # 5.2.12: Ensure SSH X11 forwarding is disabled. - - # 5.2.13: Ensure only strong Ciphers are used. - - # 5.2.14: Ensure only strong MAC algorithms are used. - - # 5.2.15: Ensure only strong Key Exchange algorithms are used. - - # 5.2.16: Ensure SSH AllowTcpForwarding is disabled. - - # 5.2.17: Ensure SSH warning banner is configured. - - # 5.2.18: Ensure SSH MaxAuthTries is set to 4 or less. - - # 5.2.19: Ensure SSH MaxStartups is configured. - - # 5.2.20: Ensure SSH MaxSessions is set to 10 or less. - - # 5.2.21: Ensure SSH LoginGraceTime is set to one minute or less. - - # 5.2.22: Ensure SSH Idle Timeout Interval is configured. - +echo "Creating SSH user..." +adduser $username +cp templates/sshd/sshd_config-CIS /etc/ssh/sshd_config +sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; +sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; +service ssh restart # 5.3.1: Ensure sudo is installed. - +apt install sudo -y # 5.3.2: Ensure sudo commands use pty. - +echo -e "Defaults use_pty" > /etc/sudoers.d/use_pty # 5.3.3: Ensure sudo log file exists. - +echo -e "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/logging # 5.3.4: Ensure users must provide password for privilege escalation. - +sed -i '/NOPASSWD/d' /etc/sudoers +sed -i '/NOPASSWD/d' /etc/sudoers.d/* # 5.3.5: Ensure re-authentication for privilege escalation is not disabled globally. - +sed -i '/!authenticate/d' /etc/sudoers +sed -i '/!authenticate/d' /etc/sudoers.d/* # 5.3.6: Ensure sudo authentication timeout is configured correctly. - +sed -i 's/env_reset/env_reset,timestamp_timeout=60/g' /etc/sudoers +sed -i 's/env_reset/env_reset,timestamp_timeout=60/g' /etc/sudoers.d/* # 5.3.7: Ensure access to the su command is restricted. 
- +groupadd sugroup +echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su +usermod -a -G sugroup $username # 5.4.1: Ensure password creation requirements are configured. diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules new file mode 100644 index 0000000..5d15746 --- /dev/null +++ b/DebianServer_11/templates/auditd/audit.rules 
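Review bot: Under 4.2.1.5 the line `sed -i 's/#ForwardToSyslog=no/ForwardToSyslog=yes/g' /etc/systemd/journald.conf` does the opposite of its heading ("not configured to send logs to rsyslog"); either the replacement should be `ForwardToSyslog=no`, or the heading should be the 4.2.2.3 one that the later comment leaves unimplemented, since the two benchmark items are alternatives and the script currently claims both. The `echo "-e 2" >>` lines under 4.1.3.20 append on every run, and one of them writes into `/etc/audit/audit.rules.prev`, which augenrules regenerates; a single guarded `grep -q '^-e 2' /etc/audit/rules.d/99-finalize.rules || echo '-e 2' >> /etc/audit/rules.d/99-finalize.rules` is enough. The `sed -i '/NOPASSWD/d'` and `sed -i '/!authenticate/d'` edits to `/etc/sudoers` and `/etc/sudoers.d/*` (and the env_reset substitutions here and at L94) modify sudoers without a syntax check; add `visudo -cf /etc/sudoers || exit 1` after them, because a malformed sudoers file removes all sudo access.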
@@ -0,0 +1,102 @@ +# First rule - delete all +-D + +# Ensure changes to system administration scope (sudoers) is collected (CIS 4.1.3.1) + +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d -p wa -k scope + +# Ensure actions as another user are always logged (CIS 4.1.3.2) +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation + +# Ensure events that modify date and time information are collected (CIS 4.1.3.4) + +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-w /etc/localtime -p wa -k time-change + +# Ensure events that modify the system's network environment are collected (CIS 4.1.3.5) +-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/networks -p wa -k system-locale +-w /etc/network/ -p wa -k system-locale + +# Ensure unsuccessful unauthorized file access attempts are collected (CIS 4.1.3.7) + +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=10000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + +# Ensure events that modify user/group information are collected (CIS 4.1.3.8) + +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd 
-p wa -k identity + +# Ensure discretionary access control permission modification events are collected (CIS 4.1.3.9) + +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +# Ensure successful file system mounts are collected (CIS 4.1.3.10) + +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts + +# Ensure session initiation information is collected (CIS 4.1.3.11) + +-w /var/run/utmp -p wa -k session +-w /var/run/wtmp -p wa -k session +-w /var/run/btmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins + +# Ensure login and logouts events are collected (CIS 4.1.3.12) + +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/run/faillock -p wa -k logins + +# Ensure file deletion events by users are collected (CIS 4.1.3.13) + +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete + +# Ensure events that modify system's Mandatory Access Controls are collected (CIS 4.1.3.14) + +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy 
+ +# Ensure successful and unsuccessful attempts to use the chcon command are recorded (CIS 4.1.3.15) + +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the setfacl command are recorded (CIS 4.1.3.16) + +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the chacl command are recorded (CIS 4.1.3.17) + +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + +# Ensure successful and unsuccessful attempts to use the usermod command are recorded (CIS 4.1.3.18) + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod + +# Ensure kernel module loading unloading and modification is collected (CIS 4.1.3.19) + +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules \ No newline at end of file diff --git a/DebianServer_11/templates/auditd/auditd.conf b/DebianServer_11/templates/auditd/auditd.conf new file mode 100644 index 0000000..71f2ae0 --- /dev/null +++ b/DebianServer_11/templates/auditd/auditd.conf @@ -0,0 +1,4 @@ +max_log_file = 6 # CIS 4.1.2.1 +max_log_file_action = keep_logs # CIS 4.1.2.2 +space_left_action = email # CIS 4.1.2.3 +log_group = adm \ No newline at end of file diff --git a/DebianServer_11/templates/sshd/sshd_config-CIS b/DebianServer_11/templates/sshd/sshd_config-CIS new file mode 100644 index 0000000..2cb1c87 --- /dev/null +++ b/DebianServer_11/templates/sshd/sshd_config-CIS 
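Review bot: The third rule under CIS 4.1.3.7, `-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=10000 -F auid!=unset -k access`, uses `auid>=10000` where its three siblings use `auid>=1000`, so 32-bit EACCES failures by ordinary users (UIDs 1000–9999) are never recorded; change it to `-F auid>=1000`. The session watches `-w /var/run/wtmp -p wa -k session` and `-w /var/run/btmp -p wa -k session` look like slips for the `/var/log/wtmp` and `/var/log/btmp` entries that already follow (only `/var/run/utmp` lives under `/var/run`), and `-w /var/log/lastlog -p wa -k logins` appears twice under 4.1.3.12. Since the script copies this whole file to `/etc/audit/rules.d/50-scope.rules` (L80), the leading `-D` will also delete rules from any rules.d file that sorts before it when augenrules concatenates them; confirm no lower-numbered file is expected to survive.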
@@ -0,0 +1,40 @@
+Port PORT
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+SyslogFacility AUTH
+ClientAliveCountMax 3
+ClientAliveInterval 60
+Compression no
+LogLevel VERBOSE
+MaxAuthTries 3
+MaxSessions 3
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitUserEnvironment no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+UseDNS no
+maxstartups 10:30:60
+Banner /etc/issue.net
+AllowUsers USERNAME
\ No newline at end of file
From 94ee64039d22aee1940b033bf7c934730eefe811 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 27 Jun 2023 22:00:59 +0400 Subject: [PATCH 23/33] Added Solutions for CIS 5.5.X -> 6.X. Remaining pam configurations.
--- DebianServer_11/debian11-CIS.sh | 69 ++++++++++++------- .../templates/pam/pwquality-CIS.conf | 7 ++ 2 files changed, 50 insertions(+), 26 deletions(-) create mode 100644 DebianServer_11/templates/pam/pwquality-CIS.conf
diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/debian11-CIS.sh
index 699bdba..d6f127f 100644
--- a/DebianServer_11/debian11-CIS.sh
+++ b/DebianServer_11/debian11-CIS.sh 
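Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` names a key that Debian 11 does not generate by default and that current OpenSSH no longer offers, so sshd will log a host-key load error on every start; replace it with `HostKey /etc/ssh/ssh_host_ed25519_key`, and `Protocol 2` appears to be ignored by the OpenSSH shipped with Debian 11 and can be dropped. With `PasswordAuthentication no` together with `AllowUsers USERNAME`, the account substituted at L83 has no authorized key at the point `service ssh restart` runs, so that restart leaves no working login for the user or for root (`PermitRootLogin no`); a key must be installed for the user before the restart (patch 26 at L93 copies root's keys, which still fails when root has none). `ClientAliveInterval 60` with `ClientAliveCountMax 3` gives a three-minute idle cutoff; confirm that against the benchmark's 5.2.22 values before relying on it.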
@@ -417,62 +417,79 @@ echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su usermod -a -G sugroup $username # 5.4.1: Ensure password creation requirements are configured. +apt install libpam-pwquality -y +cat templates/pam/pwquality-CIS.conf >> /etc/security/pwquality.conf - -# 5.4.2: Ensure lockout for failed password attempts is configured. - - -# 5.4.3: Ensure password reuse is limited. - - -# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. - +# 5.4.2: Ensure lockout for failed password attempts is configured. [[[ WORK ON THIS! ]]] +# 5.4.3: Ensure password reuse is limited. [[[ WORK ON THIS! ]]] +# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. [[[ WORK ON THIS! ]]] # 5.5.1.1: Ensure minimum days between password changes is configured. - +sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/g' /etc/login.defs # 5.5.1.2: Ensure password expiration is 365 days or less. - +sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/g' /etc/login.defs # 5.5.1.3: Ensure password expiration warning days is 7 or more. - +sed -i 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t7/g' /etc/login.defs # 5.5.1.4: Ensure inactive password lock is 30 days or less. - +chage --inactive 30 # 5.5.3: Ensure default group for the root account is GID 0. - +if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) -eq 0 ]; then + echo "Default group for root is GID 0" +else + usermod -g 0 root +fi # 6.1.1: Ensure permissions on /etc/passwd are configured. - +chmod u-x,go-wx /etc/passwd +chown root:root /etc/passwd # 6.1.2: Ensure permissions on /etc/passwd- are configured. - +chmod u-x,go-wx /etc/passwd- +chown root:root /etc/passwd- # 6.1.3: Ensure permissions on /etc/group are configured. - +chmod u-x,go-wx /etc/group +chown root:root /etc/group # 6.1.4: Ensure permissions on /etc/group- are configured. - +chmod u-x,go-wx /etc/group- +chown root:root /etc/group- # 6.1.5: Ensure permissions on /etc/shadow are configured. 
- +chown root:shadow /etc/shadow +chmod u-x,g-wx,o-rwx /etc/shadow # 6.1.6: Ensure permissions on /etc/shadow- are configured. - +chown root:shadow /etc/shadow- +chmod u-x,g-wx,o-rwx /etc/shadow- # 6.1.7: Ensure permissions on /etc/gshadow are configured. - +chown root:shadow /etc/gshadow +chmod u-x,g-rw,o-rwx /etc/gshadow # 6.1.8: Ensure permissions on /etc/gshadow- are configured. - +chown root:shadow /etc/gshadow- +chmod u-x,g-rw,o-rwx /etc/gshadow- # 6.2.1: Ensure accounts in /etc/passwd use shadowed passwords. - +sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd # 6.2.2: Ensure /etc/shadow password fields are not empty. - +if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]; then + echo "All users have a password" +else + # Lock all users with a password + awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow | while read -r user; do passwd -l $user; done +fi # 6.2.10: Ensure root is the only UID 0 account. - - +# Remove any users other than root with UID 0 or assign them a new UID if appropriate. +awk -F: '($3 == 0) { print $1 }' /etc/passwd | while read -r user; do + if [ $user != "root" ]; then + echo "User $user is UID 0, please assign a new UID or remove the user." + fi +done \ No newline at end of file diff --git a/DebianServer_11/templates/pam/pwquality-CIS.conf b/DebianServer_11/templates/pam/pwquality-CIS.conf new file mode 100644 index 0000000..9e8f2cd --- /dev/null +++ b/DebianServer_11/templates/pam/pwquality-CIS.conf @@ -0,0 +1,7 @@ +# Configuration for systemwide password quality limits +#Configured following CIS Benchmark by Jshielder +minlen=14 +dcredit=-1 +ucredit=-1 +ocredit=-1 +lcredit=-1 \ No newline at end of file From 8ad98e31845664d7fdfe21cb67f19f19ace8dd80 Mon Sep 17 00:00:00 2001 
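Review bot: The 6.2.2 block never locks anything: `if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]` is true exactly when awk prints an affected user (and, unquoted, fails with "too many arguments"), so the "All users have a password" branch runs in the only case that needs action, while the `else` branch feeds the whole sentence to `passwd -l $user`. Replace the block with `awk -F: '($2 == "") {print $1}' /etc/shadow | while read -r user; do passwd -l "$user"; done`. Under 5.5.1.3, `sed -i 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t7/g' /etc/login.defs` replaces 7 with 7 and is a no-op. The gshadow lines use `chmod u-x,g-rw,o-rwx` where the shadow lines use `g-wx`; if the intended result is the same 0640 root:shadow as for shadow, `g-rw` is stricter than intended and inconsistent with its siblings.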
From: Girish Mahabir Date: Tue, 4 Jul 2023 15:56:22 +0400 Subject: [PATCH 24/33] Removed comments and added space left params to resolve bug. --- DebianServer_11/templates/auditd/auditd.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/DebianServer_11/templates/auditd/auditd.conf b/DebianServer_11/templates/auditd/auditd.conf index 71f2ae0..b78e1a0 100644 --- a/DebianServer_11/templates/auditd/auditd.conf +++ b/DebianServer_11/templates/auditd/auditd.conf @@ -1,4 +1,8 @@ -max_log_file = 6 # CIS 4.1.2.1 -max_log_file_action = keep_logs # CIS 4.1.2.2 -space_left_action = email # CIS 4.1.2.3 -log_group = adm \ No newline at end of file +max_log_file = 6 +max_log_file_action = keep_logs +space_left_action = email +log_group = adm +action_mail_acct = root +admin_space_left_action = single +space_left = 75 +admin_space_left = 50 From a155b1e93fe51e90f2b9f7ae4b5d043ea5c77bce Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 4 Jul 2023 15:56:48 +0400 Subject: [PATCH 25/33] Moved `-w /etc/sudoers -p wa -k scope ` to a separate line. --- DebianServer_11/templates/auditd/audit.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules index 5d15746..c7b1a57 100644 --- a/DebianServer_11/templates/auditd/audit.rules +++ b/DebianServer_11/templates/auditd/audit.rules @@ -3,7 +3,7 @@ # Ensure changes to system administration scope (sudoers) is collected (CIS 4.1.3.1) --w /etc/sudoers -p wa -k scope +-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope # Ensure actions as another user are always logged (CIS 4.1.3.2) From 7fa9e8c632bcb89667990cd25918d5bfd4bc7c02 Mon Sep 17 00:00:00 2001 
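Review bot: Because the script copies this template over `/etc/audit/auditd.conf` wholesale (`cp templates/auditd/auditd.conf /etc/audit/auditd.conf` at L79), every keyword not listed here (`log_file`, `log_format`, `flush`, `dispatcher`, `disk_full_action`, and so on) is dropped and falls back to auditd's built-in defaults, which is presumably the "bug" this patch papers over by adding `space_left` and `admin_space_left`. Keeping the distribution file and rewriting only the CIS keys avoids that, e.g. `sed -ri 's/^\s*max_log_file\s*=.*/max_log_file = 6/' /etc/audit/auditd.conf` per key, in the same way patch 26 already handles `log_group` (L93).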
From: Girish Mahabir Date: Tue, 4 Jul 2023 15:57:15 +0400 Subject: [PATCH 26/33] Adapted script based on 1st run behaviour. --- .../{debian11-CIS.sh => jshielder-CIS.sh} | 71 +++++++++++++------ 1 file changed, 50 insertions(+), 21 deletions(-) rename DebianServer_11/{debian11-CIS.sh => jshielder-CIS.sh} (92%) diff --git a/DebianServer_11/debian11-CIS.sh b/DebianServer_11/jshielder-CIS.sh similarity index 92% rename from DebianServer_11/debian11-CIS.sh rename to DebianServer_11/jshielder-CIS.sh index d6f127f..22aaeb5 100644 --- a/DebianServer_11/debian11-CIS.sh +++ b/DebianServer_11/jshielder-CIS.sh @@ -36,7 +36,6 @@ else echo "autofs is installed" apt remove --purge autofs -y fi -if # 1.3.1: Ensure AIDE is installed. apt-get install -y aide @@ -68,6 +67,7 @@ chown root:root /boot/grub/grub.cfg chmod u-wx,go-rwx /boot/grub/grub.cfg. # 1.4.3: Ensure authentication required for single user mode. (Scored) +echo "Changing Root Password for Single User Mode: " passwd root # 1.5.2: Ensure prelink is not installed. @@ -149,6 +149,7 @@ system restart ntp # 2.1.4.3: Ensure ntp is running as user ntp (Scored) # 2.1.4.4: Ensure ntp is enabled and running. +systemctl unmask ntp.service systemctl enable --now ntp.service # 2.2.1: Ensure X Window System is not installed. @@ -206,7 +207,7 @@ apt remove -y ufw # 3.5.3.3.1: Ensure ip6tables default deny firewall policy. # 3.5.3.3.2: Ensure ip6tables loopback traffic is configured. ## Take user input for the ssh port -read -p "Enter the SSH port: " sshport +read -rp "Enter the SSH port: " sshport sed -i "s/PORT/$sshport/g" templates/iptables/iptables.sh bash templates/iptables/iptables.sh 
@@ -264,12 +265,15 @@ fi # 4.1.4.3: Ensure only authorized groups are assigned ownership of audit log files. find $(dirname $(awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} + + +sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' /etc/audit/auditd.conf + chgrp adm /var/log/audit/ -systemctl restart auditd +systemctl enable --now auditd # 4.1.4.5: Ensure audit configuration files are 640 or more restrictive. -ind /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} + +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} + # 4.1.4.6: Ensure audit configuration files are owned by root. find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root -exec chown root {} + @@ -355,7 +359,10 @@ chmod g-wx,o-rwx /etc/cron.allow chown root:root /etc/cron.allow # 5.1.9: Ensure at is restricted to authorized users. -rm /etc/at.deny +if [ ! -f /etc/at.deny ]; then + rm /etc/at.deny +fi + touch /etc/at.allow chmod g-wx,o-rwx /etc/at.allow chown root:root /etc/at.allow @@ -384,10 +391,16 @@ chmod og-rwx /etc/ssh/sshd_config # 5.2.21: Ensure SSH LoginGraceTime is set to one minute or less. # 5.2.22: Ensure SSH Idle Timeout Interval is configured. echo "Creating SSH user..." -adduser $username +read -r -p "Enter username: " username +adduser "$username" cp templates/sshd/sshd_config-CIS /etc/ssh/sshd_config -sed s/USERNAME/$username/g templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; -sed -i s/PORT/$sshport/g /etc/ssh/sshd_config; +sed "s/USERNAME/$username/g" templates/sshd/sshd_config-CIS > /etc/ssh/sshd_config; +sed -i "s/PORT/$sshport/g" /etc/ssh/sshd_config; + +mkdir -p /home/"$username"/.ssh +cp ~/.ssh/authorized_keys /home/"$username"/.ssh/authorized_keys +chown -R "$username":"$username" /home/"$username"/.ssh + service ssh restart # 5.3.1: Ensure sudo is installed. 
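Review bot: The 5.1.9 guard is inverted: `if [ ! -f /etc/at.deny ]; then rm /etc/at.deny` removes the file only when it does not exist, so the `rm` always fails and an existing `/etc/at.deny` is kept; it should be `if [ -f /etc/at.deny ]; then rm -f /etc/at.deny; fi`. In the 5.2.x hunk, `cp ~/.ssh/authorized_keys /home/"$username"/.ssh/authorized_keys` fails when root has no authorized_keys, and because the template sets `PasswordAuthentication no` and `AllowUsers`, the `service ssh restart` that follows then leaves no working login; check `[ -s ~/.ssh/authorized_keys ] || { echo 'no key to install' >&2; exit 1; }` before the copy and set `chmod 700 /home/"$username"/.ssh` and `chmod 600` on the key file after it. The username is also interpolated unescaped into the `sed "s/USERNAME/$username/g"` expression, so reject anything not matching `^[a-z_][a-z0-9_-]*$` right after the `read`.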
@@ -408,13 +421,13 @@ sed -i '/!authenticate/d' /etc/sudoers sed -i '/!authenticate/d' /etc/sudoers.d/* # 5.3.6: Ensure sudo authentication timeout is configured correctly. -sed -i 's/env_reset/env_reset,timestamp_timeout=60/g' /etc/sudoers -sed -i 's/env_reset/env_reset,timestamp_timeout=60/g' /etc/sudoers.d/* +sed -i 's/env_reset/env_reset,timestamp_timeout=10/g' /etc/sudoers +sed -i 's/env_reset/env_reset,timestamp_timeout=10/g' /etc/sudoers.d/* # 5.3.7: Ensure access to the su command is restricted. groupadd sugroup echo -e "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su -usermod -a -G sugroup $username +usermod -a -G sugroup "$username" # 5.4.1: Ensure password creation requirements are configured. apt install libpam-pwquality -y 
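Review bot: The two `sed -i 's/env_reset/env_reset,timestamp_timeout=10/g'` lines edit /etc/sudoers and every file in /etc/sudoers.d in place without a syntax check, and they are not idempotent: a second run yields `env_reset,timestamp_timeout=10,timestamp_timeout=10`, and a sudoers.d file without `env_reset` gets nothing. A broken sudoers locks the operator out of sudo entirely, so a validated drop-in is the safer form: `printf 'Defaults timestamp_timeout=10\n' > /etc/sudoers.d/50-timeout && chmod 0440 /etc/sudoers.d/50-timeout && visudo -cf /etc/sudoers.d/50-timeout || exit 1`. On Debian the includedir directive sits at the end of /etc/sudoers, so the drop-in's `Defaults` takes precedence — confirm on the target before relying on it.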
@@ -426,18 +439,32 @@ cat templates/pam/pwquality-CIS.conf >> /etc/security/pwquality.conf # 5.5.1.1: Ensure minimum days between password changes is configured. sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/g' /etc/login.defs +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --mindays 1 "$user" +done # 5.5.1.2: Ensure password expiration is 365 days or less. sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/g' /etc/login.defs +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --maxdays 90 "$user" +done # 5.5.1.3: Ensure password expiration warning days is 7 or more. sed -i 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t7/g' /etc/login.defs +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --warndays 7 "$user" +done + # 5.5.1.4: Ensure inactive password lock is 30 days or less. -chage --inactive 30 +useradd -D -f 30 + +for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do + chage --inactive 30 "$user" +done # 5.5.3: Ensure default group for the root account is GID 0. -if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) -eq 0 ]; then +if [ "$(grep '^root:' /etc/passwd | cut -f4 -d:)" -eq 0 ]; then echo "Default group for root is GID 0" else usermod -g 0 root 
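Review bot: The four new `for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow)` loops use a filter that matches every account: in /etc/shadow the second field is the password hash, which is never the literal `x` (that is the /etc/passwd placeholder), so chage runs for locked system accounts as well, and the same pipeline is repeated four times with an unquoted command substitution. Presumably the intent is accounts that actually hold a hash, i.e. a second field starting with `$`; a single pass over the file can set all four ages at once. Whether `--inactive 30` should also touch accounts that never had a password is a policy question — confirm against the benchmark wording. The `useradd -D -f 30` default is correct and stays.
```shell
# … unchanged: sed edits of /etc/login.defs and useradd -D -f 30 …
# one pass over /etc/shadow; only accounts holding a real hash ($...) get the ageing policy
while IFS=: read -r user hash _; do
  [[ "$hash" == \$* ]] || continue
  chage --mindays 1 --maxdays 90 --warndays 7 --inactive 30 "$user"
done < /etc/shadow
```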
@@ -460,36 +487,38 @@ chmod u-x,go-wx /etc/group- chown root:root /etc/group- # 6.1.5: Ensure permissions on /etc/shadow are configured. -chown root:shadow /etc/shadow +chown root:root /etc/shadow chmod u-x,g-wx,o-rwx /etc/shadow # 6.1.6: Ensure permissions on /etc/shadow- are configured. -chown root:shadow /etc/shadow- +chown root:root /etc/shadow- chmod u-x,g-wx,o-rwx /etc/shadow- # 6.1.7: Ensure permissions on /etc/gshadow are configured. -chown root:shadow /etc/gshadow +chown root:root /etc/gshadow chmod u-x,g-rw,o-rwx /etc/gshadow # 6.1.8: Ensure permissions on /etc/gshadow- are configured. -chown root:shadow /etc/gshadow- +chown root:root /etc/gshadow- chmod u-x,g-rw,o-rwx /etc/gshadow- # 6.2.1: Ensure accounts in /etc/passwd use shadowed passwords. sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd # 6.2.2: Ensure /etc/shadow password fields are not empty. -if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]; then +if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]; +then echo "All users have a password" else # Lock all users with a password - awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow | while read -r user; do passwd -l $user; done + awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow | while read -r user; do passwd -l "$user"; done fi # 6.2.10: Ensure root is the only UID 0 account. # Remove any users other than root with UID 0 or assign them a new UID if appropriate. awk -F: '($3 == 0) { print $1 }' /etc/passwd | while read -r user; do - if [ $user != "root" ]; then + if [ "$user" != "root" ]; then echo "User $user is UID 0, please assign a new UID or remove the user." fi -done \ No newline at end of file +done + From 5cf1156fda7cd234b3a8dcdb1bd8f6ee20b763ee Mon Sep 17 00:00:00 2001 
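Review bot: The 6.2.2 test `if [ $(awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow) ]` is still inverted on the new side: the awk prints a line for each account with an empty hash, so a non-empty result (accounts without a password) takes the `then` branch and reports "All users have a password", while the lock loop only runs when the output is empty and therefore never locks anything; with two or more hits the unquoted test also aborts with "too many arguments". The loop body has a second defect: `read -r user` receives the whole line, so `$user` is `bob does not have a password`, not `bob`. Both disappear by dropping the test and printing only the name: `awk -F: '($2 == "") { print $1 }' /etc/shadow | while read -r user; do passwd -l "$user"; done`. Separately, the change from `root:shadow` to `root:root` on /etc/shadow and /etc/gshadow deserves a comment: Debian ships them with group `shadow` so setgid-shadow helpers such as unix_chkpwd can read them, and with group root those helpers lose read access even though `g-wx` keeps group read — confirm that the benchmark version in use does not accept `root:shadow` before changing the group.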
From: Girish Mahabir Date: Tue, 11 Jul 2023 16:15:08 +0400 Subject: [PATCH 27/33] Completed the PAM Section, tests still in progress tho. --- DebianServer_11/jshielder-CIS.sh | 21 ++++--- DebianServer_11/templates/pam/common-account | 26 ++++++++ DebianServer_11/templates/pam/common-auth | 28 +++++++++ DebianServer_11/templates/pam/common-password | 34 ++++++++++ DebianServer_11/templates/pam/faillock.conf | 62 +++++++++++++++++++ .../templates/pam/pwquality-CIS.conf | 3 +- 6 files changed, 166 insertions(+), 8 deletions(-) create mode 100644 DebianServer_11/templates/pam/common-account create mode 100644 DebianServer_11/templates/pam/common-auth create mode 100644 DebianServer_11/templates/pam/common-password create mode 100644 DebianServer_11/templates/pam/faillock.conf diff --git a/DebianServer_11/jshielder-CIS.sh b/DebianServer_11/jshielder-CIS.sh index 22aaeb5..175d063 100644 --- a/DebianServer_11/jshielder-CIS.sh +++ b/DebianServer_11/jshielder-CIS.sh @@ -49,6 +49,7 @@ service cron restart cp templates/aide/aidecheck.service /etc/systemd/system/aidecheck.service cp templates/aide/aidecheck.timer /etc/systemd/system/aidecheck.timer + chmod 644 /etc/systemd/system/aidecheck.* systemctl daemon-reload systemctl enable --now aidecheck.service aidecheck.timer @@ -64,7 +65,7 @@ systemctl enable --now aidecheck.service aidecheck.timer # 1.4.2: Ensure permissions on bootloader config are configured. chown root:root /boot/grub/grub.cfg -chmod u-wx,go-rwx /boot/grub/grub.cfg. +chmod u-wx,go-rwx /boot/grub/grub.cfg # 1.4.3: Ensure authentication required for single user mode. (Scored) echo "Changing Root Password for Single User Mode: " 
@@ -264,11 +265,11 @@ if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then fi # 4.1.4.3: Ensure only authorized groups are assigned ownership of audit log files. -find $(dirname $(awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} + +chown root:root auditd.conf -sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' /etc/audit/auditd.conf +sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = root\1/' /etc/audit/auditd.conf -chgrp adm /var/log/audit/ +chgrp root /var/log/audit/ systemctl enable --now auditd @@ -433,9 +434,15 @@ usermod -a -G sugroup "$username" apt install libpam-pwquality -y cat templates/pam/pwquality-CIS.conf >> /etc/security/pwquality.conf -# 5.4.2: Ensure lockout for failed password attempts is configured. [[[ WORK ON THIS! ]]] -# 5.4.3: Ensure password reuse is limited. [[[ WORK ON THIS! ]]] -# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. [[[ WORK ON THIS! ]]] +# 5.4.2: Ensure lockout for failed password attempts is configured. +cp templates/pam/common-account /etc/pam.d/common-account +cp templates/pam/common-auth /etc/pam.d/common-auth +cp templates/pam/faillock.conf /etc/security/faillock.conf + +# 5.4.3: Ensure password reuse is limited. +# 5.4.4: Ensure password hashing algorithm is up to date with the latest standards. +cp templates/login.defs /etc/login.defs +cp templates/pam/common-password /etc/pam.d/common-password # 5.5.1.1: Ensure minimum days between password changes is configured. sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/g' /etc/login.defs diff --git a/DebianServer_11/templates/pam/common-account b/DebianServer_11/templates/pam/common-account new file mode 100644 index 0000000..4f848cb --- /dev/null +++ b/DebianServer_11/templates/pam/common-account 
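Review bot: `chown root:root auditd.conf` in the 4.1.4.3 block uses a relative path, so it acts on a file in the current working directory (the menu in jshielder.sh launches the script from DebianServer_11/) rather than on the daemon's config, and fails when no such file is there. It should read `chown root:root /etc/audit/auditd.conf`. The removed `find` that fixed the group of existing log files has no replacement: `chgrp root /var/log/audit/` changes only the directory, so logs already created under group adm keep it — presumably `find /var/log/audit -type f ! -group root -exec chgrp root {} +` is still wanted.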
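Review bot: `cp templates/login.defs /etc/login.defs` replaces the whole system file with the 29-line template instead of editing the keys the benchmark cares about, so any setting the template does not carry is dropped, and since the file is presumably a dpkg conffile the next upgrade of the owning package will prompt about the local change; the `sed` edits of PASS_*_DAYS further down then operate on the template's copy. The three PAM copies carry a lockout risk of their own: after `cp templates/pam/common-auth /etc/pam.d/common-auth` a mistake in the template blocks every password login including root's. A comment above the cp lines along the lines of `# keep a second root session open and verify su/sudo there before logging out` documents the expected procedure.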
@@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +account required pam_faillock.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config \ No newline at end of file diff --git a/DebianServer_11/templates/pam/common-auth b/DebianServer_11/templates/pam/common-auth new file mode 100644 index 0000000..4df4ec1 --- /dev/null +++ b/DebianServer_11/templates/pam/common-auth 
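Review bot: The template's own header says /etc/pam.d/common-account is managed by pam-auth-update, and the `account required pam_faillock.so` line sits inside the managed block between the "per-package modules" marker and "end of pam-auth-update config"; the next pam-auth-update run (typically triggered by a PAM-related package install or upgrade) regenerates that block from /usr/share/pam-configs and silently drops the line. The same applies to the common-auth and common-password templates in this patch. The durable route is a profile under /usr/share/pam-configs/ that pam-auth-update merges; short of that, a top-of-file comment such as `# NOTE: hand-installed; re-apply after any pam-auth-update run` at least records the gap. The file also ends without a newline.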
@@ -0,0 +1,28 @@ +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth required pam_faillock.so preauth # Added to enable faillock +auth [success=1 default=ignore] pam_unix.so nullok +auth [default=die] pam_faillock.so authfail # Added to enable faillock +auth sufficient pam_faillock.so authsucc # Added to enable faillock +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +auth optional pam_cap.so +# end of pam-auth-update config diff --git a/DebianServer_11/templates/pam/common-password b/DebianServer_11/templates/pam/common-password new file mode 100644 index 0000000..92bd922 --- /dev/null +++ b/DebianServer_11/templates/pam/common-password 
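Review bot: `auth [success=1 default=ignore] pam_unix.so nullok` keeps `nullok`, which lets an account whose /etc/shadow hash field is empty authenticate with an empty password; that undercuts the script's 6.2.2 step, which tries to lock exactly those accounts. Unless empty passwords are deliberately allowed, the line should be `auth [success=1 default=ignore] pam_unix.so`. The preauth / authfail / authsucc ordering around it matches the pam_faillock manual's example, so that part reads fine.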
@@ -0,0 +1,34 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# The "yescrypt" option enables +#hashed passwords using the yescrypt algorithm, introduced in Debian +#11. Without this option, the default is Unix crypt. Prior releases +#used the option "sha512"; if a shadow password hash will be shared +#between Debian 11 and older releases replace "yescrypt" with "sha512" +#for compatibility . The "obscure" option replaces the old +#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage +#for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password requisite pam_pwquality.so retry=3 +password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok yescrypt +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/DebianServer_11/templates/pam/faillock.conf b/DebianServer_11/templates/pam/faillock.conf new file mode 100644 index 0000000..ce51847 --- /dev/null +++ b/DebianServer_11/templates/pam/faillock.conf 
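Review bot: In `password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok yescrypt` the module arguments precede the module name, but PAM reads the third field as the module path, so this line tries to load a module called `try_first_pass`; the entry is then treated as a failed or ignored module and the stack falls through to pam_deny, so nobody can change a password. The module path must come first with the options after it: `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5`. The later edit of this line in patch 32 (the common-password hunk after the auditd.conf change) removes `yescrypt` but keeps the wrong field order and needs the same fix.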
@@ -0,0 +1,62 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +deny = 4 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is n seconds. +# The default is 900 (15 minutes). +fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +unlock_time = 600 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. 
+# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = diff --git a/DebianServer_11/templates/pam/pwquality-CIS.conf b/DebianServer_11/templates/pam/pwquality-CIS.conf index 9e8f2cd..304705a 100644 --- a/DebianServer_11/templates/pam/pwquality-CIS.conf +++ b/DebianServer_11/templates/pam/pwquality-CIS.conf @@ -1,6 +1,7 @@ # Configuration for systemwide password quality limits #Configured following CIS Benchmark by Jshielder -minlen=14 +minclass=5 +minlen=15 dcredit=-1 ucredit=-1 ocredit=-1 From 57adeae6152d7a8604a321906aa635604e39334f Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 11 Jul 2023 16:15:39 +0400 Subject: [PATCH 28/33] Added pool to ntp configuration. --- DebianServer_11/templates/ntp/ntp.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/DebianServer_11/templates/ntp/ntp.conf b/DebianServer_11/templates/ntp/ntp.conf index 9be8e06..5a59aef 100644 --- a/DebianServer_11/templates/ntp/ntp.conf +++ b/DebianServer_11/templates/ntp/ntp.conf @@ -24,10 +24,10 @@ server time-c-g.nist.gov iburst # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the # pool: -# pool 0.debian.pool.ntp.org iburst -# pool 1.debian.pool.ntp.org iburst -# pool 2.debian.pool.ntp.org iburst -# pool 3.debian.pool.ntp.org iburst +pool 0.debian.pool.ntp.org iburst +pool 1.debian.pool.ntp.org iburst +pool 2.debian.pool.ntp.org iburst +pool 3.debian.pool.ntp.org iburst # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for From 8a6ece296163c1ba16f973953685151a97f69dfd Mon Sep 17 00:00:00 2001 
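Review bot: `minclass=5` cannot be satisfied: libpwquality defines four character classes (digits, upper, lower, other), so every new password fails the class check, or the value is rejected as out of range, depending on the library version — confirm on the target. With `dcredit`, `ucredit` and `ocredit` already at -1 (and `lcredit` if it is set below the visible lines) the classes are already individually required, so either drop the line or use `minclass=4`. A short comment stating which benchmark item the `minlen=15` / `minclass` pair implements would help the next reader.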
From: Girish Mahabir Date: Tue, 11 Jul 2023 16:15:55 +0400 Subject: [PATCH 29/33] Prepared login.defs file. --- DebianServer_11/templates/login.defs | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 DebianServer_11/templates/login.defs diff --git a/DebianServer_11/templates/login.defs b/DebianServer_11/templates/login.defs new file mode 100644 index 0000000..a19aacb --- /dev/null +++ b/DebianServer_11/templates/login.defs @@ -0,0 +1,29 @@ +MAIL_DIR /var/mail +FAILLOG_ENAB yes +LOG_UNKFAIL_ENAB no +LOG_OK_LOGINS no +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes +FTMP_FILE /var/log/btmp +SU_NAME su +HUSHLOGIN_FILE .hushlogin +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games +TTYGROUP tty +TTYPERM 0600 +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 +PASS_MAX_DAYS 90 +PASS_MIN_DAYS 1 +PASS_WARN_AGE 7 +UID_MIN 1000 +UID_MAX 60000 +GID_MIN 1000 +GID_MAX 60000 +LOGIN_RETRIES 5 +LOGIN_TIMEOUT 60 +CHFN_RESTRICT rwh +DEFAULT_HOME yes +USERGROUPS_ENAB yes +ENCRYPT_METHOD yescrypt \ No newline at end of file From 43ee6de1ff0b3f2039d637b3acfcfab8e2a19692 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Tue, 11 Jul 2023 16:16:13 +0400 Subject: [PATCH 30/33] Tested and adapted the audit rules. --- DebianServer_11/templates/auditd/audit.rules | 12 ++++++------ DebianServer_11/templates/auditd/auditd.conf | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules index c7b1a57..cf079e8 100644 --- a/DebianServer_11/templates/auditd/audit.rules +++ b/DebianServer_11/templates/auditd/audit.rules @@ -3,7 +3,7 @@ # Ensure changes to system administration scope (sudoers) is collected (CIS 4.1.3.1) --w /etc/sudoers -p wa -k scope +-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope # Ensure actions as another user are always logged (CIS 4.1.3.2) 
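Review bot: `UMASK 022` in the new template is laxer than the benchmark's default-umask item (027 or more restrictive is what the CIS umask check asks for, presumably the 5.5.x item in this series), and because the script installs this file over /etc/login.defs wholesale the lax value becomes the default for login sessions and for useradd. Change it to `UMASK 027` or add a comment explaining why 022 is kept. Also note the key/value separator: the script's later `sed` edits match `PASS_MIN_DAYS\t0`, `PASS_MAX_DAYS\t99999` and `PASS_WARN_AGE\t7`; with the template already carrying the target values that is harmless, but if this file uses spaces those seds can never match and should be removed rather than left to suggest they do something. The file ends without a newline.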
@@ -17,9 +17,10 @@ -w /etc/localtime -p wa -k time-change # Ensure events that modify the system's network environment are collected (CIS 4.1.3.5) + -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale --w /etc/issue -p wa -k system-locale +-w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale @@ -57,8 +58,8 @@ # Ensure session initiation information is collected (CIS 4.1.3.11) -w /var/run/utmp -p wa -k session --w /var/run/wtmp -p wa -k session --w /var/run/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins @@ -67,7 +68,6 @@ -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins --w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins # Ensure file deletion events by users are collected (CIS 4.1.3.13) @@ -90,7 +90,7 @@ # Ensure successful and unsuccessful attempts to use the chacl command are recorded (CIS 4.1.3.17) --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd # Ensure successful and unsuccessful attempts to use the usermod command are recorded (CIS 4.1.3.18) diff --git a/DebianServer_11/templates/auditd/auditd.conf b/DebianServer_11/templates/auditd/auditd.conf index b78e1a0..6765bb2 100644 --- a/DebianServer_11/templates/auditd/auditd.conf +++ b/DebianServer_11/templates/auditd/auditd.conf @@ -1,7 +1,7 @@ max_log_file = 6 max_log_file_action = keep_logs space_left_action = email -log_group = adm +log_group = root action_mail_acct = root admin_space_left_action = single space_left = 75 From 61b6b572a06921c51ad1f76309267b458e4710af Mon Sep 17 00:00:00 2001 
From: Girish Mahabir Date: Tue, 11 Jul 2023 16:16:29 +0400 Subject: [PATCH 31/33] AIDE Checker and Timer Tested and adapted. --- DebianServer_11/templates/aide/aidecheck.service | 3 ++- DebianServer_11/templates/aide/aidecheck.timer | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/DebianServer_11/templates/aide/aidecheck.service b/DebianServer_11/templates/aide/aidecheck.service index 98aeb15..09f2a10 100644 --- a/DebianServer_11/templates/aide/aidecheck.service +++ b/DebianServer_11/templates/aide/aidecheck.service @@ -2,7 +2,8 @@ Description=Aide Check [Service] -Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check +Type=simple +ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf [Install] WantedBy=multi-user.target \ No newline at end of file diff --git a/DebianServer_11/templates/aide/aidecheck.timer b/DebianServer_11/templates/aide/aidecheck.timer index eafb96a..b38ea4b 100644 --- a/DebianServer_11/templates/aide/aidecheck.timer +++ b/DebianServer_11/templates/aide/aidecheck.timer @@ -5,4 +5,5 @@ Description=Aide check every day at 5AM OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service -[Install] WantedBy=multi-user.target \ No newline at end of file +[Install] +WantedBy=multi-user.target \ No newline at end of file From 79ed600ac3ccda77345e280e372c2454b1f3da23 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Wed, 20 Sep 2023 14:33:57 +0400 Subject: [PATCH 32/33] Fixed some missed rules, typos etc. --- DebianServer_11/helpers.sh | 50 +++++++++++++++++++ DebianServer_11/jshielder-CIS.sh | 5 +- DebianServer_11/templates/auditd/audit.rules | 2 +- DebianServer_11/templates/auditd/auditd.conf | 1 + DebianServer_11/templates/pam/common-password | 2 +- jshielder.sh | 21 ++++++-- 6 files changed, 73 insertions(+), 8 deletions(-) create mode 100644 DebianServer_11/helpers.sh diff --git a/DebianServer_11/helpers.sh b/DebianServer_11/helpers.sh new file mode 100644 index 0000000..ec00dee --- /dev/null 
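Review bot: `Type=simple` with the new `ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf` describes a long-running daemon, but an AIDE check is a run-to-completion job; `Type=oneshot` is the conventional choice so systemd records the exit status as the job result and the timer's activation shows as failed when the check reports changes. The unit also keeps an `[Install]` section, and the script enables the service as well as the timer, so the check presumably runs at every boot in addition to 5 AM — drop the service from that enable line if that is not intended. The file still ends without a newline.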
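Review bot: `WantedBy=multi-user.target` works, but timer units are conventionally installed under `timers.target` so they start together with the other scheduled jobs; the usual line is `WantedBy=timers.target`. The file still ends without a newline.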
+++ b/DebianServer_11/helpers.sh @@ -0,0 +1,50 @@ +#!/bin/bash + +spinner () +{ + bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++" + barlength=${#bar} + i=0 + while ((i < 100)); do + n=$((i*barlength / 100)) + printf "\e[00;34m\r[%-${barlength}s]\e[00m" "${bar:0:n}" + ((i += RANDOM%5+2)) + sleep 0.02 + done +} + + + +# Show "Done." +function say_done() { + echo " " + echo -e "Done." + say_continue +} + + +# Ask to Continue +function say_continue() { + echo -n " To EXIT Press x Key, Press ENTER to Continue" + read acc + if [ "$acc" == "x" ]; then + exit + fi + echo " " +} + + +# Obtain Server IP +function __get_ip() { + serverip=$(ip route get 1 | awk '{print $7;exit}') + echo $serverip +} + + +# Copy Local Config Files +function tunning() { + whoapp=$1 + cp templates/$whoapp /root/.$whoapp + cp templates/$whoapp /home/$username/.$whoapp + chown $username:$username /home/$username/.$whoapp +} diff --git a/DebianServer_11/jshielder-CIS.sh b/DebianServer_11/jshielder-CIS.sh index 175d063..aa182d2 100644 --- a/DebianServer_11/jshielder-CIS.sh +++ b/DebianServer_11/jshielder-CIS.sh @@ -145,6 +145,7 @@ systemctl mask --now systemd-timesyncd.service # 2.1.4.1: Ensure ntp access control is configured. (scored) # 2.1.4.2: Ensure ntp is configured with authorized timeserver. +apt install -y ntp cp templates/ntp/ntp.conf /etc/ntp.conf system restart ntp @@ -459,8 +460,8 @@ done # 5.5.1.3: Ensure password expiration warning days is 7 or more. sed -i 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t7/g' /etc/login.defs -for user in $(awk -F: '($2 != "x") {print $1 }' /etc/shadow); do - chage --warndays 7 "$user" +for i in $(awk -F: '{ print $1}' /etc/passwd); do + chage --warndays 7 $i; done # 5.5.1.4: Ensure inactive password lock is 30 days or less. diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules index cf079e8..356d688 100644 --- a/DebianServer_11/templates/auditd/audit.rules 
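Review bot: `read acc` in say_continue runs without `-r`, so a backslash in the answer is interpreted; `__get_ip` prints `$serverip` unquoted; and `tunning` expands `$whoapp` and `$username` unquoted in `cp` and `chown`, so an empty `username` turns the second copy into a write to `/home/.$whoapp` and the chown into a bare `:` spec. The first two are one-line fixes, `read -r acc` and `printf '%s\n' "$serverip"`; for tunning, quote the expansions and guard the global with `: "${username:?username not set}"` as the function's first line. `echo -e "Done."` has nothing to expand and can be plain `echo "Done."`.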
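Review bot: The context line right after the new `apt install -y ntp`, `system restart ntp`, is not a command (there is no `system` binary), so the freshly copied /etc/ntp.conf is never applied here; presumably the later `systemctl enable --now ntp.service` is relied on, but that only starts a stopped unit and leaves a running ntpd on the old config. It should be `systemctl restart ntp`. Since the whole step now installs the package first, the restart belongs after the copy as it is, just spelled correctly.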
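Review bot: The rewritten warn-days loop, `for i in $(awk -F: '{ print $1}' /etc/passwd); do chage --warndays 7 $i; done`, now differs from its three siblings, which still iterate /etc/shadow and quote `"$user"`, and `$i` is unquoted. If iterating /etc/passwd is the intended fix, the min-days, max-days and inactive loops should follow and `$i` should be `"$i"`; otherwise this one should match them. The `sed` on the line above still keys on a tab between `PASS_WARN_AGE` and its value, which only matches a tab-separated login.defs — confirm against the template the script installs.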
+++ b/DebianServer_11/templates/auditd/audit.rules @@ -90,7 +90,7 @@ # Ensure successful and unsuccessful attempts to use the chacl command are recorded (CIS 4.1.3.17) --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng # Ensure successful and unsuccessful attempts to use the usermod command are recorded (CIS 4.1.3.18) diff --git a/DebianServer_11/templates/auditd/auditd.conf b/DebianServer_11/templates/auditd/auditd.conf index 6765bb2..cf4e51c 100644 --- a/DebianServer_11/templates/auditd/auditd.conf +++ b/DebianServer_11/templates/auditd/auditd.conf @@ -2,6 +2,7 @@ max_log_file = 6 max_log_file_action = keep_logs space_left_action = email log_group = root +log_file = /var/log/audit/audit.log action_mail_acct = root admin_space_left_action = single space_left = 75 diff --git a/DebianServer_11/templates/pam/common-password b/DebianServer_11/templates/pam/common-password index 92bd922..5fca458 100644 --- a/DebianServer_11/templates/pam/common-password +++ b/DebianServer_11/templates/pam/common-password @@ -23,7 +23,7 @@ # here are the per-package modules (the "Primary" block) password requisite pam_pwquality.so retry=3 -password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok yescrypt +password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; diff --git a/jshielder.sh b/jshielder.sh index f751c70..fa67d96 100755 --- a/jshielder.sh +++ b/jshielder.sh 
@@ -69,8 +69,10 @@ echo "2. Ubuntu Server 18.04 LTS" echo "3. Linux CentOS 7 (Coming Soon)" echo "4. Debian GNU/Linux 8 (Coming Soon)" echo "5. Debian GNU/Linux 9 (Coming Soon)" -echo "6. Red Hat Linux 7 (Coming Soon)" -echo "7. Exit" +echo "6. Debian GNU/Linux 10 CIS ONLY" +echo "7. Debian GNU/Linux 11 CIS ONLY" +echo "8. Red Hat Linux 7 (Coming Soon)" +echo "9. Exit" echo read menu @@ -88,11 +90,22 @@ chmod +x jshielder.sh ./jshielder.sh ;; -8) +6) +cd DebianServer_10/ +chmod +x jshielder-CIS.sh +./jshielder-CIS.sh +;; + +7) +cd DebianServer_11/ +chmod +x jshielder-CIS.sh +./jshielder-CIS.sh + +9) break ;; *) ;; esac -done +done \ No newline at end of file From 5afb6132ef507533f44077f517f790f8dade30e5 Mon Sep 17 00:00:00 2001 From: Girish Mahabir Date: Mon, 2 Oct 2023 09:44:54 +0400 Subject: [PATCH 33/33] Updated Debian 11 CIS CI (Added Additional Rules) --- DebianServer_11/jshielder-CIS.sh | 41 +++++++++++++++++++ DebianServer_11/templates/auditd/audit.rules | 35 +++++++++++++++- .../templates/sshd/sshd_config-CIS | 14 ++++++- 3 files changed, 87 insertions(+), 3 deletions(-) diff --git a/DebianServer_11/jshielder-CIS.sh b/DebianServer_11/jshielder-CIS.sh index aa182d2..769d47d 100644 --- a/DebianServer_11/jshielder-CIS.sh +++ b/DebianServer_11/jshielder-CIS.sh 
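Review bot: The new `7)` arm ends with `./jshielder-CIS.sh` and runs straight into `9)`; without a `;;` terminator bash reports a syntax error at `9)` and the whole menu script fails to parse, so neither option 6 nor 7 can be selected. Add `;;` after `./jshielder-CIS.sh` in the `7)` arm, mirroring the `6)` arm. Both new arms also `cd` into a subdirectory without checking the result, so a missing directory runs `./jshielder-CIS.sh` from the wrong place; `cd DebianServer_11/ || exit 1` (and the same for DebianServer_10) avoids that.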
@@ -530,3 +530,44 @@ awk -F: '($3 == 0) { print $1 }' /etc/passwd | while read -r user; do fi done +# Disable disable_freevxfs +echo "install freevxfs /bin/true" > /etc/modprobe.d/freevxfs.conf +rmmod freevxfs + +# Disable disable_jffs2 +echo "install jffs2 /bin/true" > /etc/modprobe.d/jffs2.conf +rmmod jffs2 + +# Disable disable_hfs, disable_hfsplus, disable_udf +echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf +echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf +echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf + +rmmod hfs hfsplus udf + +# Disable squashfs (will impact snaps) # Skipping for now. +# FAT is used by vfat, which is used by the EFI system partition # Skipping for now. + + +# Fix Logrotate Create Permissions +grep -rlE -w "create" /etc/logrotate.d/ | xargs sed -i 's/create[[:space:]]*[0-7]\{4\}/create 640/' +find /var/log -type f -exec chmod 640 {} \; + + +# Fix home directory permissions being too open. +chmod -R 0740 /home/* +sed -i 's/^DIR_MODE=.*/DIR_MODE=740/' /etc/adduser.conf + +# Remove some packages +apt remove --purge tcpdump -y + +# Search & Remove TMOUT from /etc/bash.bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory +sed -i '/TMOUT/d' /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh + +# Configure TMOUT +echo "readonly TMOUT=900 ; export TMOUT" >> /etc/profile.d/tmout.sh + +# Disable USB Storage +echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/01-usblockdown.rules + + diff --git a/DebianServer_11/templates/auditd/audit.rules b/DebianServer_11/templates/auditd/audit.rules index 356d688..cf97e00 100644 --- a/DebianServer_11/templates/auditd/audit.rules +++ b/DebianServer_11/templates/auditd/audit.rules 
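Review bot: `chmod -R 0740 /home/*` applies the directory mode to every file underneath, which makes every regular file owner-executable and flattens whatever modes users set — for example a private key under `.ssh/` becomes group-readable, which the ssh client then refuses to use. The benchmark's home-directory item concerns the directories themselves, so restrict the change to them. Two smaller points in the same hunk: `rmmod freevxfs` (and the `jffs2` and `hfs hfsplus udf` lines) errors when the module is not loaded, which is the normal case, whereas `modprobe -r` is quiet, and the benchmark text for these modules pairs the `install` line with a `blacklist` line — confirm which form the target benchmark version expects. The udev rule `ATTR{authorized_default}="0"` de-authorises every USB device added to a hub after the rule is active, not only storage, so a console keyboard plugged in later stops working; the usb-storage item in the modprobe.d family (`install usb-storage /bin/true`) is the conventional control and should be confirmed before this rule ships. Finally, `find /var/log -type f -exec chmod 640 {} \;` also strips group write from wtmp, btmp and lastlog, which on Debian are group `utmp` writable so non-root session tools can append to them — check those files against the benchmark's per-file table.
```shell
# … unchanged: modprobe.d install lines …
# modprobe -r tolerates modules that are not loaded; rmmod errors on them
modprobe -r freevxfs jffs2 hfs hfsplus udf 2>/dev/null || true
# … unchanged: logrotate fix …
# only the home directories themselves; -R would also turn every file into mode 0740
find /home -mindepth 1 -maxdepth 1 -type d -exec chmod 0740 {} +
sed -i 's/^DIR_MODE=.*/DIR_MODE=740/' /etc/adduser.conf
# … unchanged: package removal, TMOUT, udev rule …
```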
@@ -13,7 +13,7 @@ # Ensure events that modify date and time information are collected (CIS 4.1.3.4) -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change --a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Ensure events that modify the system's network environment are collected (CIS 4.1.3.5) 
@@ -99,4 +99,35 @@ # Ensure kernel module loading unloading and modification is collected (CIS 4.1.3.19) -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules \ No newline at end of file +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules + +### Additional ### +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-w /etc/selinux/ -p wa -k MAC-policy +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/umount -F perm=x 
-F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-w /var/log/auth.log -p wa -k sudoaction +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +### Additional ### \ No newline at end of file diff --git a/DebianServer_11/templates/sshd/sshd_config-CIS b/DebianServer_11/templates/sshd/sshd_config-CIS index 2cb1c87..f5979b7 100644 --- a/DebianServer_11/templates/sshd/sshd_config-CIS +++ b/DebianServer_11/templates/sshd/sshd_config-CIS @@ -23,6 +23,16 @@ HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no PasswordAuthentication no +KbdInteractiveAuthentication no +KerberosAuthentication no +GSSAPIAuthentication no +GSSAPIKeyExchange no +UsePrivilegeSeparation sandbox +RekeyLimit 512M 6h +AllowStreamLocalForwarding no +PermitTunnel no +PermitUserRC no +GatewayPorts no X11Forwarding no AllowTcpForwarding no AllowAgentForwarding no @@ -37,4 +47,6 @@ UsePAM yes UseDNS no maxstartups 10:30:60 Banner /etc/issue.net -AllowUsers USERNAME \ No newline at end of file +AllowUsers USERNAME +DenyUsers *nobody +DenyGroups *nobody \ No newline at end of file
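Review bot: Several of the new `### Additional ###` rules overlap coverage already in the file: `-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change` is a subset of the `adjtimex,settimeofday,clock_settime` rule in the 4.1.3.4 block, and the `-w /sbin/insmod`, `rmmod` and `modprobe -p x -k modules` watches target paths that on Debian 11 are symlinks to kmod, whose execution the 4.1.3.19 rule directly above already records. If any added line exactly matches an existing rule, `auditctl -R` (as run by augenrules) stops at the first "Rule exists" error unless `-c` is given and every later rule silently never loads, so the result should be checked with `auditctl -l` after a reload. `-w /etc/selinux/ -p wa -k MAC-policy` targets SELinux; Debian's default MAC is AppArmor, so the benchmark's equivalent watches /etc/apparmor/ and /etc/apparmor.d/ (presumably what the earlier 4.1.3.14 block already does). The block also mixes `auid!=4294967295` with the `auid!=unset` spelling used above; they are equivalent, but one form throughout reads better.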
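Review bot: `UsePrivilegeSeparation sandbox` has been deprecated since OpenSSH 7.5 (privilege separation is unconditional since then); Debian 11's sshd accepts it only as a deprecated keyword and logs a warning on every start, so the line should be dropped. Because the script installs this file and restarts sshd without validation, it is worth running `sshd -t -f <rendered config>` (after substituting USERNAME and PORT) as part of the change: a deprecated keyword only warns, but an unknown one makes sshd refuse to start.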
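Review bot: `DenyUsers *nobody` and `DenyGroups *nobody` are patterns, not names: `*nobody` matches any user or group whose name ends in "nobody", and with `AllowUsers USERNAME` already limiting logins to one account the two Deny lines add nothing. If the intent is to deny the `nobody` account explicitly, the literal `DenyUsers nobody` says so; otherwise drop both lines. The file still ends without a newline.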