# cp -fa /usb/yum.repos.d/* /mnt/sysimage/etc/yum.repos.d/ # cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf chroot /mnt/sysimage #echo "$(PWD)" ############# Adding Security Enhancements ############################ ################# User Login Security Changes ##################### # GEN000020 (G001) # GEN000040 (G002) # GEN000060 (G003) # Require root password for single user mode echo "Locking down GEN000020, GEN000040, GEN000060" echo "Require the root pw when booting into single user mode" >> /usr/lib/systemd/systemd-initctl echo "~~:S:wait:/sbin/sulogin" >> /usr/lib/systemd/systemd-initctl echo "GEN000020, GEN000040,GEN000060 Complete" ## Prevent entering interactive boot perl -npe 's/PROMPT=yes/PROMPT=no/' -i /etc/sysconfig/init echo "Interactive Boot disabled" # LNX00580 (L222) echo "Locking down LNX00580" perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /usr/lib/systemd/systemd-initctl echo "LNX00580 Complete" # We'll get to the updated versions once we configure pam. # GEN000700 # Change the password expiration time from undefined to 60 days echo "Locking down GEN000700" perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs chage -M 60 root echo "GEN000700 Complete" # GEN000540 # Ensure that the user cannot change their password more than once a day. echo "Locking down GEN000540" perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs echo "GEN000540 Complete" # GEN000480 (G015) echo "Locking down GEN000480" echo "Make the user wait 5 minutes if they fail after LOGIN_RETRIES" >> /etc/login.defs echo "FAIL_DELAY 300" >> /etc/login.defs echo "GEN000480 Complete" # GEN000820 echo "Locking down GEN000820" perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN 20/' -i /etc/login.defs #STIG specifies using following, but it's not a valid parameter #echo "PASS_MIN_LENGTH 20" >> /etc/login.defs echo "GEN000820 Complete" ## As of RHEL/CentOS 5.3, authconfig supports SHA password encryption ## This cannot be set by default using auth earlier in the KS, so it must be done in %post echo "Using SHA512 for the password algorithm" authconfig --passalgo=sha512 --update echo "Done" ###### PAM Modifications # These modifications apply to GEN000460, GEN000600 and GEN000620 touch /var/log/tallylog touch /etc/pam.d/system-auth-local cat << 'EOF' > /etc/pam.d/system-auth-local #%PAM-1.0 # Auth Section auth required pam_tally2.so unlock_time=1800 onerr=fail no_magic_root auth required pam_faildelay.so delay=300 auth include system-auth-ac # Accounts Section account required pam_tally2.so account include system-auth-ac # Password Section password required pam_pwhistory.so use_authtok remember=10 retry=3 password requisite pam_passwdqc.so min=disabled,disabled,16,12,8 password include system-auth-ac # Session Section ## By default we're only going to log what root does ## This gets really verbose if we log more. ## If you want to log everyone, remove disable=* session required pam_tty_audit.so disable=* enable=root session include system-auth-ac EOF # Create some basic shell rules for users. echo "Idle users will be removed after 30 minutes" echo "readonly TMOUT=1800" >> /etc/profile.d/os-security.sh echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh chmod +x /etc/profile.d/os-security.sh # GEN002560 # Reset the umasks for all users to 077 echo "Locking down GEN002560" perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc echo "GEN002560 Complete" ## Require GUI consoles to lock if idle longer than 30 minutes. if [ -f /etc/gconf/gconf.xml.mandatory ]; then gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool --set /apps/gnome-screensaver/lock_enabled true gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 30 fi ## No one gets to run cron or at jobs unless we say so. echo "Locking down Cron" touch /etc/cron.allow chmod 600 /etc/cron.allow awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny echo "Locking down AT" touch /etc/at.allow chmod 600 /etc/at.allow awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny # GEN000400 (G010) echo "Locking down GEN000400" # Set the /etc/issue file to something scary. This one has no linefeeds, so it will wrap accordingly. # Change this to your own banner for organizations outside the Scary Zone # cat << 'EOF' >/etc/issue # *************************************************************************************************************************************************************************************************************************************** # *************************************************************************************************************************************************************************************************************************************** # ******************** THIS IS A SECURE SHARED SERVER RUN BY AND MANAGED BY THE STAFF OF AMERIDEA LLC, AS A SERVICE BOTH TO INTERNAL STAFF AND PARTNERS AND TO TEH PUBLIC (MOSTLY FOR OPEN SOURCE PROJECTS IN NEED OF A PLACE FOR HOSTING REPOS / GRABBING FROM A CENTRAL REPOS FROM OUR REPOS. AUTHORIZED OR UNAUTHORIZED CONNECTIONS TO / USE OF THIS SYSTEM ARE SUBJECT TO MONITORING, WHICH MAY INCLUDE BUT IS NOT LIMITED TO, KEYLOGGING,IP TRAFFIC / IP ADDRESS CHANGES / PROXY USE, NETWORK USAGE (NAMELY # OVERLY HIGH OR ABUSIVE ******USE OF BANDWIDTH, OR RESOURCES, CONNECTING TO UNSAFE / UNAPPROVED SITES -- FOR EXAMPLE {SEARCHES FOR / TO PORN/ASSASINATION TECHNIQUES/PENTESTING (NAMELY NON ACADEMIC SEARCHS(ING)),POSSIBLE QoS # FEATURES. IF YOU DO NOT CONSENT TO SUCH******MONITORING ** IMMEDIATELY STOPPING USING / DISCONNECT ANY REMOTE SESSIONS ** THERE ARE NO EXCEPTIONS, AUTHENICATING / USING THIS SYSTEM IS GRANTED AS A PRIVELEDGE PRESUANT TO SUCH # MONITORING TO ENSURE THE SAFETY /SANITY OF THE SYSTEM******AND ANY /ALL NETWORKS ATTACHED TO IT... ATTEMPTS TO BYPASS ANY OF THESE CHECKS/SAFETIES WILL BE DEEMED AS A CASE OF UNAUTHORIZED USE AS ARE ANY WILLFULL ATTEMPTS TO # OBVISCATE SUCH ACTIONS THIS INCLUDES USING OR ASKING OTHERS TO USE ******THEIR VALID CREDENTIALS TO ACCESS MATERIAL/SERVICES THAT YOU ARE NOT ALLOWED TO. ALL UNAUTHORIZED ACTIONS WILL BE PROSECUTED UNDER THE APPLICABLE # CAMPUS,LOCAL,STATE,FEDERAL,INTERNATIONAL POLICIES,LAWS,STATUTES OF THE SYSTEMS' LOCALE******AND THAT OF THE USER IN QUESTION (IF THEY ARE NOT THE SAME)...THIS IS YOUR ONE AND ONLY WARNING....IF YOU CONTINUE TO CONNECT /USE THIS # SYSTEM IT IS A CONFIRMATION OF YOUR CONSENT TO SUCH MONITORING AND IS LOGGED AS SUCH UPON LOGIN...*** # *************************************************************************************************************************************************************************************************************************************** # *************************************************************************************************************************************************************************************************************************************** # ****************** # EOF # echo "GEN000400 Completed" # The banner above works great for shell logins, but won't work for gui logins. if [ -f /etc/gdm/PreSession/Default ]; then # GEN000420 (G011) # This part creates the same login banner once your username and password has been entered. This has linefeeds in it. # Text needs to be cleaned up a touch. echo "Locking down GEN000420" perl -npe 's/exit\s0/\n/' -i /etc/gdm/PreSession/Default # cat << 'EOF' >> /etc/gdm/PreSession/Default # /usr/bin/gdialog --yesno "Agree = 'OK' Disagree = 'Cancel' # *************************************************************************************************************************************************************************************************************************************** # *************************************************************************************************************************************************************************************************************************************** # ********************AUTHORIZED OR UNAUTHORIZED CONNECTIONS TO / USE OF THIS SYSTEM ARE SUBJECT TO MONITORING, WHICH MAY INCLUDE BUT IS NOT LIMITED TO, KEYLOGGING,IP TRAFFIC / IP ADDRESS CHANGES / PROXY USE, NETWORK USAGE (NAMELY # OVERLY HIGH OR ABUSIVE ******USE OF BANDWIDTH, OR RESOURCES, CONNECTING TO UNSAFE / UNAPPROVED SITES -- FOR EXAMPLE {SEARCHES FOR / TO PORN/ASSASINATION TECHNIQUES/PENTESTING (NAMELY NON ACADEMIC SEARCHS(ING)),POSSIBLE QoS # FEATURES. IF YOU DO NOT CONSENT TO SUCH******MONITORING ** IMMEDIATELY STOPPING USING / DISCONNECT ANY REMOTE SESSIONS ** THERE ARE NO EXCEPTIONS, AUTHENICATING / USING THIS SYSTEM IS GRANTED AS A PRIVELEDGE PRESUANT TO SUCH # MONITORING TO ENSURE THE SAFETY /SANITY OF THE SYSTEM******AND ANY /ALL NETWORKS ATTACHED TO IT... ATTEMPTS TO BYPASS ANY OF THESE CHECKS/SAFETIES WILL BE DEEMED AS A CASE OF UNAUTHORIZED USE AS ARE ANY WILLFULL ATTEMPTS TO # OBVISCATE SUCH ACTIONS THIS INCLUDES USING OR ASKING OTHERS TO USE ******THEIR VALID CREDENTIALS TO ACCESS MATERIAL/SERVICES THAT YOU ARE NOT ALLOWED TO. ALL UNAUTHORIZED ACTIONS WILL BE PROSECUTED UNDER THE APPLICABLE # CAMPUS,LOCAL,STATE,FEDERAL,INTERNATIONAL POLICIES,LAWS,STATUTES OF THE SYSTEMS' LOCALE******AND THAT OF THE USER IN QUESTION (IF THEY ARE NOT THE SAME)...THIS IS YOUR ONE AND ONLY WARNING....IF YOU CONTINUE TO CONNECT /USE THIS # SYSTEM IT IS A CONFIRMATION OF YOUR CONSENT TO SUCH MONITORING AND IS LOGGED AS SUCH UPON LOGIN...*** # *************************************************************************************************************************************************************************************************************************************** # *************************************************************************************************************************************************************************************************************************************** # ****************** # Agree = 'OK' Disagree = 'Cancel'" # if ( test 1 -eq $? ); then # /usr/bin/gdialog --infobox "Logging out in 10 Seconds" 1 20 & # sleep 10 # exit 1 # fi # exit 0 # EOF # echo "GEN000420 Completed" # fi ################## File and Directory Security ######################### # Restrict mount points with noexec, nosuid, and nodev where applicable # GEN002420 echo "Locking down GEN002420" FSTAB=/etc/fstab SED=/bin/sed #nosuid on /home if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB} fi # nosuid on /sys if [ $(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/sys.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB} fi ## nosuid on /boot if [ $(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/boot.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB} fi # nodev on /usr if [ $(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/usr.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB} fi #nodev on /home if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB} fi # nodev on /usr/local if [ $(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/usr\/local.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB} fi # nodev and noexec on /tmp if [ $(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB} fi # nodev and noexec on /var/tmp if [ $(grep "[[:blank:]]\/var/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/var/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB} fi # nodev on /var if [ $(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then MNT_OPTS=$(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | awk '{print $4}') ${SED} -i "s/\([[:blank:]]\/var.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB} fi echo "GEN002420 Complete" # By default /root has permissions of 750. Change this to 700 # GEN000920 (G023) echo "Locking down GEN000920" # Correct the permissions on /root to a DISA allowed 700 chmod 700 /root echo "GEN000920 Complete" # GEN002680 (G094) # reset permissions on audit logs echo "Locking down GEN002680" chmod 700 /var/log/audit chmod 600 /var/log/audit/* echo "GEN002680 Complete" # GEN003080 echo "Locking down GEN003080" chmod 600 /etc/crontab chmod 700 /usr/share/logwatch/scripts/logwatch.pl echo "GEN003080 Complete" # GEN003520 ( RHEL5 default anyway ) echo "Locking down GEN003520" chmod 700 /var/crash chown -R root.root /var/crash echo "GEN003520 Complete" # GEN006520 echo "Locking down GEN006520" chmod 740 /etc/rc.d/init.d/iptables chmod 740 /sbin/iptables chmod 740 /usr/share/logwatch/scripts/services/iptables echo "GEN006520 Complete" # GEN001560 echo "Locking down GEN001560" chmod -R 700 /etc/skel echo "GEN001560 Complete" # GEN005400 (G656) # Reset the permissions to a DISA-blessed rw-r----- echo "Locking down GEN005400" chmod 640 /etc/syslog.conf echo "GEN005400 Complete" # LNX00440 (L046) # Set mode to DISA-blessed rw-r------ echo "Locking down LNX00440" chmod 640 /etc/security/access.conf echo "LNX00440 Complete" # GEN001260 echo "Locking down GEN001260" perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit echo "GEN001260" # LNX00520 (L208) echo "Locking down LNX00520" chmod 600 /etc/sysctl.conf echo "LNX00520 Complete" # Add some enhancements to sysctl cat << 'EOF' >> /etc/sysctl.conf net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.tcp_max_syn_backlog = 1280 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.tcp_timestamps = 0 kernel.exec-shield = 1 kernel.randomize_va_space = 1 EOF ########## Turn off the uneeded stuff ############# # IAVA0410 (G592) and GEN003700 # Turn off unneeded services # You may want to leave sendmail enabled but the STIG says otherwise # I mark this as mitigated by the firewall, and not accepting outside # connections. The NSA RHEL5 guide has a full service list # with recommendations echo "Locking down IAVA0410 and GEN003700" /sbin/chkconfig bluetooth off /sbin/chkconfig irda on /sbin/chkconfig lm_sensors on /sbin/chkconfig portmap off /sbin/chkconfig rawdevices on /sbin/chkconfig rpcgssd off /sbin/chkconfig rpcidmapd off /sbin/chkconfig rpcsvcgssd off /sbin/chkconfig sendmail off /sbin/chkconfig xinetd off /sbin/chkconfig kudzu off echo "IAVA0410 and GEN003700 Complete" ######### Remove useless users ############## # This isn't strictly needed as they have a default shell of nologin # but we're removing them anyway to be safe. echo "Locking down LNX0034 and GEN004840" /usr/sbin/userdel shutdown /usr/sbin/userdel halt /usr/sbin/userdel games /usr/sbin/userdel operator /usr/sbin/userdel ftp /usr/sbin/userdel news /usr/sbin/userdel gopher echo "LNX0034 and GEN004840 Complete" ############# SSH restrictions ############### # # Uncomment this if you have physical access to the machine. # This will lock root out from ssh. # GEN001120 (G500) # We need to restrict ssh root logins; echo "Locking down GEN001120" perl -npe 's/#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config echo "GEN001120 Complete" #GEN005540 echo "Locking down GEN005540" perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config echo "GEN005540 Complete" perl -npe 's/^#ServerKeyBits 768/ServerKeyBits 4098/g' -i /etc/ssh/sshd_config perl -npe 's/^#MaxAuthTries 6/MaxAuthTries 3/g' -i /etc/ssh/sshd_config ################ Configure a better default firewall ############### cat << 'EOF' > /etc/sysconfig/iptables #Drop anything we aren't explicitly allowing. All outbound traffic is okay *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Accept Pings -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT # Log anything on eth0 claiming it's from a local or non-routable network # If you're using one of these local networks, remove it from the list below -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " # Accept any established connections -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept ssh traffic. Restrict this to known ips if possible. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT #Log and drop everything else -A RH-Firewall-1-INPUT -j LOG -A RH-Firewall-1-INPUT -j DROP COMMIT EOF ###### Check to see if we have network access for updates ########## # For RHEL systems, change the profile name and key # Documentation for activation keys can be found at # http://kbase.redhat.com/faq/docs/DOC-2475 2>/dev/null >/dev/tcp/google.com/80 if [ $? -eq 0 ]; then echo "Networking is working" || echo "Networking is down" fi dnf -y clean all dnf -y upgrade else echo "There's no network. No updates performed" fi echo "Building a initial AIDE DB..." /usr/sbin/aide -i echo "Initial AIDE DB complete" echo "" echo "Copping initial AIDE DB to initial baseline AIDE DB..." cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz echo "done copping initital AIDE DB" echo "" echo "" echo "Please review your AIDE configuration, default DB locations," echo "cron jobs, etc. to fit your needs" echo "" echo "GEN02440 and GEN2380 Complete" EOF