#!/bin/bash   : ' #SYNOPSIS     Quick win script for remediation of CentOS Linux 7 baseline misconfigurations. .DESCRIPTION     This script aims to remediate all possible OS baseline misconfigurations from CIS for CentOS Linux 7 based Virtual machines.   .NOTES       Copyright (c) ZCSPM. All rights reserved.     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is  furnished to do so, subject to the following conditions:     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.       Version: 1.0     # PREREQUISITE   .EXAMPLE Ensure that you are logged in as root user. Use su command for the same.     Command to execute : bash CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh .INPUTS   .OUTPUTS     None ' RED='\033[1;31m' GREEN='\033[1;32m' YELLOW='\033[1;33m' BLUE='\033[1;35m' NC='\033[0m' success=0 fail=0 yum update -y && yum install wget -y ########################################################################################################################### ##Category 1.1 Initial Setup - Filesystem Configuration echo echo -e "${BLUE}1.1 Initial Setup - Filesystem Configuration${NC}" #Ensure mounting of cramfs filesystems is disabled echo echo -e "${RED}1.1.1.1${NC} Ensure mounting of cramfs filesystems is disabled" modprobe -n -v cramfs | grep "^install /bin/true$" || echo "install cramfs /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^cramfs\s" && rmmod cramfs if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of cramfs filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of cramfs filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of freevxfs filesystems is disabled echo echo -e "${RED}1.1.1.2${NC} Ensure mounting of freevxfs filesystems is disabled" modprobe -n -v freevxfs | grep "^install /bin/true$" || echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^freevxfs\s" && rmmod freevxfs if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of freevxfs filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of freevxfs filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of jffs2 filesystems is disabled echo echo -e "${RED}1.1.1.3${NC} Ensure mounting of jffs2 filesystems is disabled" modprobe -n -v jffs2 | grep "^install /bin/true$" || echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^jffs2\s" && rmmod jffs2 if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of jffs2 filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of jffs2 filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of hfs filesystems is disabled echo echo -e "${RED}1.1.1.4${NC} Ensure mounting of hfs filesystems is disabled" modprobe -n -v hfs | grep "^install /bin/true$" || echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^hfs\s" && rmmod hfs if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of hfs filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of hfs filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of hfsplus filesystems is disabled echo echo -e "${RED}1.1.1.5${NC} Ensure mounting of hfsplus filesystems is disabled" modprobe -n -v hfsplus | grep "^install /bin/true$" || echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^hfsplus\s" && rmmod hfsplus if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of hfsplus filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of hfsplus filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of squashfs filesystems is disabled echo echo -e "${RED}1.1.1.6${NC} Ensure mounting of squashfs filesystems is disabled" modprobe -n -v squashfs | grep "^install /bin/true$" || echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^squashfs\s" && rmmod squashfs if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of squashfs filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of squashfs filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of udf filesystems is disabled echo echo -e "${RED}1.1.1.7${NC} Ensure mounting of udf filesystems is disabled" modprobe -n -v udf | grep "^install /bin/true$" || echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^udf\s" && rmmod udf if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of udf filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of udf filesystems is disabled" fail=$((fail + 1)) fi #Ensure mounting of FAT filesystems is disabled echo echo -e "${RED}1.1.1.8${NC} Ensure mounting of FAT filesystems is disabled" modprobe -n -v vfat | grep "^install /bin/true$" || echo "install vfat /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^vfat\s" && rmmod vfat if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure mounting of FAT filesystems is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure mounting of FAT filesystems is disabled" fail=$((fail + 1)) fi #Ensure sticky bit is set on all world-writable directories echo echo -e "${RED}1.1.21${NC} Ensure sticky bit is set on all world-writable directories" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure sticky bit is set on all world-writable directories" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure sticky bit is set on all world-writable directories" fail=$((fail + 1)) fi #Disable Automounting echo echo -e "${RED}1.1.22${NC} Disable Automounting" systemctl disable autofs.service policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Disable Automounting" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Disable Automounting" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 1.2 Initial Setup - Configure Software Updates echo echo -e "${BLUE}1.2 Initial Setup - Configure Software Updates${NC}" #Ensure gpgcheck is globally activated echo echo -e "${RED}1.2.3${NC} Ensure gpgcheck is globally activated" egrep -q "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf for file in /etc/yum.repos.d/*; do egrep -q "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" $file && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" $file || echo "gpgcheck=1" >> $file done policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure gpgcheck is globally activated" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure gpgcheck is globally activated" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 1.3 Initial Setup - Filesystem Integrity Checking echo echo -e "${BLUE}1.3 Initial Setup - Filesystem Integrity Checking${NC}" #Ensure AIDE is installed echo echo -e "${RED}1.3.1${NC} Ensure AIDE is installed" yum -y install aide && aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure AIDE is installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure AIDE is installed" fail=$((fail + 1)) fi #Ensure filesystem integrity is regularly checked echo echo -e "${RED}1.3.2${NC} Ensure filesystem integrity is regularly checked" (crontab -u root -l; crontab -u root -l | egrep -q "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root - policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure filesystem integrity is regularly checked" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure filesystem integrity is regularly checked" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 1.4 Initial Setup - Secure Boot Settings echo echo -e "${BLUE}1.4 Initial Setup - Secure Boot Settings${NC}"   #Ensure permissions on bootloader config are configured echo echo -e "${RED}1.4.1${NC} Ensure permissions on bootloader config are configured" chown root:root /boot/grub2/grub.cfg && chmod og-rwx /boot/grub2/grub.cfg && chown root:root /boot/grub2/user.cfg && chmod og-rwx /boot/grub2/user.cfg policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on bootloader config are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on bootloader config are configured" fail=$((fail + 1)) fi #Ensure authentication required for single user mode echo echo -e "${RED}1.4.3${NC} Ensure authentication required for single user mode" egrep -q "^\s*ExecStart" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/bin\/sh -c \"\/sbin\/sulogin; \/usr\/bin\/systemctl --fail --no-block default\"/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/bin/sh -c \"/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" >> /usr/lib/systemd/system/rescue.service egrep -q "^\s*ExecStart" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/bin\/sh -c \"\/sbin\/sulogin; \/usr\/bin\/systemctl --fail --no-block default\"/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/bin/sh -c \"/sbin/sulogin; /usr/bin/systemctl --fail --no-block default\"" >> /usr/lib/systemd/system/emergency.service echo -e "${GREEN}Remediated:${NC} Ensure authentication required for single user mode" success=$((success + 1)) ############################################################################################################################ ##Category 1.5 Initial Setup - Additional Process Hardening echo echo -e "${BLUE}1.5 Initial Setup - Additional Process Hardening${NC}" #Ensure core dumps are restricted echo echo -e "${RED}1.5.1${NC} Ensure core dumps are restricted" egrep -q "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf egrep -q "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf echo -e "${GREEN}Remediated:${NC} Ensure core dumps are restricted" success=$((success + 1))   #Ensure address space layout randomization (ASLR) is enabled echo echo -e "${RED}1.5.3${NC} Ensure address space layout randomization (ASLR) is enabled" egrep -q "^(\s*)kernel.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)kernel.randomize_va_space\s*=\s*\S+(\s*#.*)?\s*$/\1kernel.randomize_va_space = 2\2/" /etc/sysctl.conf || echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure address space layout randomization (ASLR) is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure address space layout randomization (ASLR) is enabled" fail=$((fail + 1)) fi   #Ensure prelink is disabled echo echo -e "${RED}1.5.4${NC} Ensure prelink is disabled" prelink -ua && yum remove prelink policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure prelink is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure prelink is disabled" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 1.6 Initial Setup - Mandatory Access Control echo echo -e "${BLUE}1.6 Initial Setup - Mandatory Access Control${NC}" #Ensure SELinux is not disabled in bootloader configuration echo echo -e "${RED}1.6.1.1${NC} Ensure SELinux is not disabled in bootloader configuration" sed -ri "s/^(\s*)GRUB_CMDLINE_LINUX=\"selinux=0\"\s*=\s*\S+(\s*#.*)?\s*$/\1GRUB_CMDLINE_LINUX=\"\"\2/" /etc/default/grub sed -ri "s/^(\s*)GRUB_CMDLINE_LINUX=\"enforcing=0\"\s*=\s*\S+(\s*#.*)?\s*$/\1GRUB_CMDLINE_LINUX=\"\"\2/" /etc/default/grub grub2-mkconfig -o /boot/grub2/grub.cfg echo -e "${GREEN}Remediated:${NC} Ensure SELinux is not disabled in bootloader configuration" success=$((success + 1)) #Ensure the SELinux state is enforcing echo echo -e "${RED}1.6.1.2${NC} Ensure the SELinux state is enforcing" egrep -q "^(\s*)SELINUX\s*=\s*\S+(\s*#.*)?\s*$" /etc/selinux/config && sed -ri "s/^(\s*)SELINUX\s*=\s*\S+(\s*#.*)?\s*$/\1SELINUX=enforcing\2/" /etc/selinux/config || echo "SELINUX=enforcing" >> /etc/selinux/config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure the SELinux state is enforcing" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure the SELinux state is enforcing" fail=$((fail + 1)) fi #Ensure SELinux policy is configured echo echo -e "${RED}1.6.1.3${NC} Ensure SELinux policy is configured" egrep -q "^(\s*)SELINUXTYPE\s*=\s*\S+(\s*#.*)?\s*$" /etc/selinux/config && sed -ri "s/^(\s*)SELINUXTYPE\s*=\s*\S+(\s*#.*)?\s*$/\1SELINUXTYPE=targeted\2/" /etc/selinux/config || echo "SELINUXTYPE=targeted" >> /etc/selinux/config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SELinux policy is configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SELinux policy is configured" fail=$((fail + 1)) fi #Ensure SETroubleshoot is not installed echo echo -e "${RED}1.6.1.4${NC} Ensure SETroubleshoot is not installed" yum remove setroubleshoot policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SETroubleshoot is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SETroubleshoot is not installed" fail=$((fail + 1)) fi #Ensure the MCS Translation Service (mcstrans) is not installed echo echo -e "${RED}1.6.1.5${NC} Ensure the MCS Translation Service (mcstrans) is not installed" yum remove mcstrans policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure the MCS Translation Service (mcstrans) is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure the MCS Translation Service (mcstrans) is not installed" fail=$((fail + 1)) fi #Ensure SELinux is installed echo echo -e "${RED}1.6.2${NC} Ensure SELinux is installed" rpm -q libselinux || yum -y install libselinux policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SELinux is installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SELinux is installed" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 1.7 Initial Setup - Warning Banners echo echo -e "${BLUE}1.7 Initial Setup - Warning Banners${NC}" #Ensure message of the day is configured properly echo echo -e "${RED}1.7.1.1${NC} Ensure message of the day is configured properly" sed -ri 's/(\\v|\\r|\\m|\\s)//g' /etc/motd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure message of the day is configured properly" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure message of the day is configured properly" fail=$((fail + 1)) fi #Ensure local login warning banner is configured properly echo echo -e "${RED}1.7.1.2${NC} Ensure local login warning banner is configured properly" echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure local login warning banner is configured properly" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure local login warning banner is configured properly" fail=$((fail + 1)) fi #Ensure remote login warning banner is configured properly echo echo -e "${RED}1.7.1.3${NC} Ensure remote login warning banner is configured properly" echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure remote login warning banner is configured properly" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure remote login warning banner is configured properly" fail=$((fail + 1)) fi #Ensure permissions on /etc/motd are configured echo echo -e "${RED}1.7.1.4${NC} Ensure permissions on /etc/motd are configured" chown root:root /etc/motd && chmod 644 /etc/motd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/motd are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/motd are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/issue are configured echo echo -e "${RED}1.7.1.5${NC} Ensure permissions on /etc/issue are configured" chown root:root /etc/issue && chmod 644 /etc/issue policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/issue are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/issue are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/issue.net are configured echo echo -e "${RED}1.7.1.6${NC} Ensure permissions on /etc/issue.net are configured" chown root:root /etc/issue.net && chmod 644 /etc/issue.net policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/issue.net are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/issue.net are configured" fail=$((fail + 1)) fi #Ensure updates, patches, and additional security software are installed echo echo -e "${RED}1.8${NC} Ensure updates, patches, and additional security software are installed" yum update --security policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure updates, patches, and additional security software are installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure updates, patches, and additional security software are installed" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 2.1 Services - inetd Services echo echo -e "${BLUE}2.1 Services - inetd Services${NC}"   #Ensure chargen services are not enabled echo echo -e "${RED}2.1.1${NC} Ensure chargen services are not enabled" chkconfig chargen-dgram off && chkconfig chargen-stream off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure chargen services are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure chargen services are not enabled" fail=$((fail + 1)) fi #Ensure daytime services are not enabled echo echo -e "${RED}2.1.2${NC} Ensure daytime services are not enabled" chkconfig daytime-dgram off && chkconfig daytime-stream off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure daytime services are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure daytime services are not enabled" fail=$((fail + 1)) fi #Ensure discard services are not enabled echo echo -e "${RED}2.1.3${NC} Ensure discard services are not enabled" chkconfig discard-dgram off && chkconfig discard-stream off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure discard services are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure discard services are not enabled" fail=$((fail + 1)) fi #Ensure echo services are not enabled echo echo -e "${RED}2.1.4${NC} Ensure echo services are not enabled" chkconfig echo-dgram off && chkconfig echo-stream off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure echo services are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure echo services are not enabled" fail=$((fail + 1)) fi #Ensure time services are not enabled echo echo -e "${RED}2.1.5${NC} Ensure time services are not enabled" chkconfig time-dgram off && chkconfig time-stream off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure time services are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure time services are not enabled" fail=$((fail + 1)) fi #Ensure tftp server is not enabled echo echo -e "${RED}2.1.6${NC} Ensure tftp server is not enabled" chkconfig tftp off policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure tftp server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure tftp server is not enabled" fail=$((fail + 1)) fi #Ensure xinetd is not enabled echo echo -e "${RED}2.1.7${NC} Ensure xinetd is not enabled" systemctl disable xinetd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure xinetd is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure xinetd is not enabled" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 2.2 Services - Special Purpose Services echo echo -e "${BLUE}2.2 Services - Special Purpose Services${NC}" #Ensure time synchronization is in use echo echo -e "${RED}2.2.1.1${NC} Ensure time synchronization is in use" rpm -q ntp || rpm -q chrony || yum -y install chrony policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure time synchronization is in use" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure time synchronization is in use" fail=$((fail + 1)) fi #Ensure ntp is configured echo echo -e "${RED}2.2.1.2${NC} Ensure ntp is configured" if rpm -q ntp >/dev/null; then egrep -q "^\s*restrict(\s+-4)?\s+default(\s+\S+)*(\s*#.*)?\s*$" /etc/ntp.conf && sed -ri "s/^(\s*)restrict(\s+-4)?\s+default(\s+[^[:space:]#]+)*(\s+#.*)?\s*$/\1restrict\2 default kod nomodify notrap nopeer noquery\4/" /etc/ntp.conf || echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf egrep -q "^\s*restrict\s+-6\s+default(\s+\S+)*(\s*#.*)?\s*$" /etc/ntp.conf && sed -ri "s/^(\s*)restrict\s+-6\s+default(\s+[^[:space:]#]+)*(\s+#.*)?\s*$/\1restrict -6 default kod nomodify notrap nopeer noquery\3/" /etc/ntp.conf || echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf egrep -q "^(\s*)OPTIONS\s*=\s*\"(([^\"]+)?-u\s[^[:space:]\"]+([^\"]+)?|([^\"]+))\"(\s*#.*)?\s*$" /etc/sysconfig/ntpd && sed -ri '/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/ {/^(\s*)OPTIONS\s*=\s*\"[^\"]*-u\s+\S+[^\"]*\"(\s*#.*)?\s*$/! s/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/\1OPTIONS=\"\2 -u ntp:ntp\"\3/ }' /etc/sysconfig/ntpd && sed -ri "s/^(\s*)OPTIONS\s*=\s*\"([^\"]+\s+)?-u\s[^[:space:]\"]+(\s+[^\"]+)?\"(\s*#.*)?\s*$/\1OPTIONS=\"\2\-u ntp:ntp\3\"\4/" /etc/sysconfig/ntpd || echo "OPTIONS=\"-u ntp:ntp\"" >> /etc/sysconfig/ntpd fi echo -e "${GREEN}Remediated:${NC} Ensure ntp is configured" success=$((success + 1)) #Ensure chrony is configured echo echo -e "${RED}2.2.1.3${NC} Ensure chrony is configured" if rpm -q chrony >/dev/null; then egrep -q "^(\s*)OPTIONS\s*=\s*\"(([^\"]+)?-u\s[^[:space:]\"]+([^\"]+)?|([^\"]+))\"(\s*#.*)?\s*$" /etc/sysconfig/chronyd && sed -ri '/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/ {/^(\s*)OPTIONS\s*=\s*\"[^\"]*-u\s+\S+[^\"]*\"(\s*#.*)?\s*$/! s/^(\s*)OPTIONS\s*=\s*\"([^\"]*)\"(\s*#.*)?\s*$/\1OPTIONS=\"\2 -u chrony\"\3/ }' /etc/sysconfig/chronyd && sed -ri "s/^(\s*)OPTIONS\s*=\s*\"([^\"]+\s+)?-u\s[^[:space:]\"]+(\s+[^\"]+)?\"(\s*#.*)?\s*$/\1OPTIONS=\"\2\-u chrony\3\"\4/" /etc/sysconfig/chronyd || echo "OPTIONS=\"-u chrony\"" >> /etc/sysconfig/chronyd fi policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure chrony is configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure chrony is configured" fail=$((fail + 1)) fi #Ensure X Window System is not installed echo echo -e "${RED}2.2.2${NC} Ensure X Window System is not installed" yum remove xorg-x11* policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure X Window System is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure X Window System is not installed" fail=$((fail + 1)) fi #Ensure Avahi Server is not enabled echo echo -e "${RED}2.2.3${NC} Ensure Avahi Server is not enabled" systemctl disable avahi-daemon policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure Avahi Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure Avahi Server is not enabled" fail=$((fail + 1)) fi   #Ensure CUPS is not enabled echo echo -e "${RED}2.2.4${NC} Ensure CUPS is not enabled" systemctl disable cups policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure CUPS is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure CUPS is not enabled" fail=$((fail + 1)) fi   #Ensure DHCP Server is not enabled echo echo -e "${RED}2.2.5${NC} Ensure DHCP Server is not enabled" systemctl disable dhcpd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure DHCP Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure DHCP Server is not enabled" fail=$((fail + 1)) fi #Ensure LDAP server is not enabled echo echo -e "${RED}2.2.6${NC} Ensure LDAP server is not enabled" systemctl disable slapd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure LDAP server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure LDAP server is not enabled" fail=$((fail + 1)) fi #Ensure NFS and RPC are not enabled echo echo -e "${RED}2.2.7${NC} Ensure NFS and RPC are not enabled" systemctl disable nfs && systemctl disable nfs-server && systemctl disable rpcbind policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure NFS and RPC are not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure NFS and RPC are not enabled" fail=$((fail + 1)) fi #Ensure DNS Server is not enabled echo echo -e "${RED}2.2.8${NC} Ensure DNS Server is not enabled" systemctl disable named policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure DNS Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure DNS Server is not enabled" fail=$((fail + 1)) fi #Ensure FTP Server is not enabled echo echo -e "${RED}2.2.9${NC} Ensure FTP Server is not enabled" systemctl disable vsftpd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure FTP Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure FTP Server is not enabled" fail=$((fail + 1)) fi #Ensure HTTP server is not enabled echo echo -e "${RED}2.2.10${NC} Ensure HTTP server is not enabled" systemctl disable httpd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure HTTP server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure HTTP server is not enabled" fail=$((fail + 1)) fi #Ensure IMAP and POP3 server is not enabled echo echo -e "${RED}2.2.11${NC} Ensure IMAP and POP3 server is not enabled" systemctl disable dovecot policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure IMAP and POP3 server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure IMAP and POP3 server is not enabled" fail=$((fail + 1)) fi #Ensure Samba is not enabled echo echo -e "${RED}2.2.12${NC} Ensure Samba is not enabled" systemctl disable smb policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure Samba is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure Samba is not enabled" fail=$((fail + 1)) fi #Ensure HTTP Proxy Server is not enabled echo echo -e "${RED}2.2.13${NC} Ensure HTTP Proxy Server is not enabled" systemctl disable squid policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure HTTP Proxy Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure HTTP Proxy Server is not enabled" fail=$((fail + 1)) fi #Ensure SNMP Server is not enabled echo echo -e "${RED}2.2.14${NC} Ensure SNMP Server is not enabled" systemctl disable snmpd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SNMP Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SNMP Server is not enabled" fail=$((fail + 1)) fi #Ensure mail transfer agent is configured for local-only mode echo echo -e "${RED}2.2.15${NC} Ensure mail transfer agent is configured for local-only mode" egrep -q "^(\s*)inet_interfaces\s*=\s*\S+(\s*#.*)?\s*$" /etc/postfix/main.cf && sed -ri "s/^(\s*)inet_interfaces\s*=\s*\S+(\s*#.*)?\s*$/\1inet_interfaces = loopback-only\2/" /etc/postfix/main.cf || echo "inet_interfaces = loopback-only" >> /etc/postfix/main.cf systemctl restart postfix echo -e "${GREEN}Remediated:${NC} Ensure mail transfer agent is configured for local-only mode" success=$((success + 1)) #Ensure NIS Server is not enabled echo echo -e "${RED}2.2.16${NC} Ensure NIS Server is not enabled" systemctl disable ypserv policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure NIS Server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure NIS Server is not enabled" fail=$((fail + 1)) fi   #Ensure rsh server is not enabled echo echo -e "${RED}2.2.17${NC} Ensure rsh server is not enabled" systemctl disable rsh.socket.service && systemctl disable rlogin.socket.service && systemctl disable rexec.socket.service policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure rsh server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure rsh server is not enabled" fail=$((fail + 1)) fi   #Ensure telnet server is not enabled echo echo -e "${RED}2.2.18${NC} Ensure telnet server is not enabled" systemctl disable telnet.socket.service policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure telnet server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure telnet server is not enabled" fail=$((fail + 1)) fi #Ensure tftp server is not enabled echo echo -e "${RED}2.2.19${NC} Ensure tftp server is not enabled" systemctl disable tftp.socket policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure tftp server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure tftp server is not enabled" fail=$((fail + 1)) fi #Ensure rsync service is not enabled echo echo -e "${RED}2.2.20${NC} Ensure rsync service is not enabled" systemctl disable rsyncd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure rsync service is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure rsync service is not enabled" fail=$((fail + 1)) fi #Ensure talk server is not enabled echo echo -e "${RED}2.2.21${NC} Ensure talk server is not enabled" systemctl disable ntalk policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure talk server is not enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure talk server is not enabled" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 2.3 Services - Service Clients echo echo -e "${BLUE}2.3 Services - Service Clients${NC}" #Ensure NIS Client is not installed echo echo -e "${RED}2.3.1${NC} Ensure NIS Client is not installed" yum remove ypbind policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure NIS Client is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure NIS Client is not installed" fail=$((fail + 1)) fi   #Ensure rsh client is not installed echo echo -e "${RED}2.3.2${NC} Ensure rsh client is not installed" yum remove rsh policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure rsh client is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure rsh client is not installed" fail=$((fail + 1)) fi #Ensure talk client is not installed echo echo -e "${RED}2.3.3${NC} Ensure talk client is not installed" yum remove talk policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure talk client is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure talk client is not installed" fail=$((fail + 1)) fi   #Ensure telnet client is not installed echo echo -e "${RED}2.3.4${NC} Ensure telnet client is not installed" yum -y remove telnet policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure telnet client is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure telnet client is not installed" fail=$((fail + 1)) fi #Ensure LDAP client is not installed echo echo -e "${RED}2.3.5${NC} Ensure LDAP client is not installed" yum remove openldap-clients policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure LDAP client is not installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure LDAP client is not installed" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 3.1 Network Configuration - Network Parameters (Host Only) echo echo -e "${BLUE}3.1 Network Configuration - Network Parameters (Host Only)${NC}"   #Ensure IP forwarding is disabled echo echo -e "${RED}3.1.1${NC} Ensure IP forwarding is disabled" egrep -q "^(\s*)net.ipv4.ip_forward\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.ip_forward\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.ip_forward = 0\2/" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure IP forwarding is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure IP forwarding is disabled" fail=$((fail + 1)) fi #Ensure packet redirect sending is disabled echo echo -e "${RED}3.1.2${NC} Ensure packet redirect sending is disabled" egrep -q "^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure packet redirect sending is disabled" success=$((success + 1)) ############################################################################################################################ ##Category 3.2 Network Configuration - Network Parameters (Host and Router) echo echo -e "${BLUE}3.2 Network Configuration - Network Parameters (Host and Router)${NC}"   #Ensure source routed packets are not accepted echo echo -e "${RED}3.2.1${NC} Ensure source routed packets are not accepted" egrep -q "^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf echo -e "${GREEN}Remediated:${NC} Ensure source routed packets are not accepted" success=$((success + 1)) #Ensure ICMP redirects are not accepted echo echo -e "${RED}3.2.2${NC} Ensure ICMP redirects are not accepted" egrep -q "^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.accept_redirects=0 sysctl -w net.ipv4.conf.default.accept_redirects=0 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure ICMP redirects are not accepted" success=$((success + 1)) #Ensure secure ICMP redirects are not accepted echo echo -e "${RED}3.2.3${NC} Ensure secure ICMP redirects are not accepted" egrep -q "^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.secure_redirects=0 sysctl -w net.ipv4.conf.default.secure_redirects=0 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure secure ICMP redirects are not accepted" success=$((success + 1)) #Ensure suspicious packets are logged echo echo -e "${RED}3.2.4${NC} Ensure suspicious packets are logged" egrep -q "^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.log_martians=1 sysctl -w net.ipv4.conf.default.log_martians=1 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure suspicious packets are logged" success=$((success + 1)) #Ensure broadcast ICMP requests are ignored echo echo -e "${RED}3.2.5${NC} Ensure broadcast ICMP requests are ignored" egrep -q "^(\s*)net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.icmp_echo_ignore_broadcasts = 1\2/" /etc/sysctl.conf || echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure broadcast ICMP requests are ignored" success=$((success + 1))   #Ensure bogus ICMP responses are ignored echo echo -e "${RED}3.2.6${NC} Ensure bogus ICMP responses are ignored" egrep -q "^(\s*)net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.icmp_ignore_bogus_error_responses = 1\2/" /etc/sysctl.conf || echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure bogus ICMP responses are ignored" success=$((success + 1))   #Ensure Reverse Path Filtering is enabled echo echo -e "${RED}3.2.7${NC} Ensure Reverse Path Filtering is enabled" egrep -q "^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.rp_filter=1 sysctl -w net.ipv4.conf.default.rp_filter=1 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure Reverse Path Filtering is enabled" success=$((success + 1))   #Ensure TCP SYN Cookies is enabled echo echo -e "${RED}3.2.8${NC} Ensure TCP SYN Cookies is enabled" egrep -q "^(\s*)net.ipv4.tcp_syncookies\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.tcp_syncookies\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.tcp_syncookies = 1\2/" /etc/sysctl.conf || echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.tcp_syncookies=1 sysctl -w net.ipv4.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure TCP SYN Cookies is enabled" success=$((success + 1)) ############################################################################################################################ ##Category 3.3 Network Configuration - IPv6 echo echo -e "${BLUE}3.3 Network Configuration - IPv6${NC}" #Ensure IPv6 router advertisements are not accepted echo echo -e "${RED}3.3.1${NC} Ensure IPv6 router advertisements are not accepted" egrep -q "^(\s*net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf sysctl -w net.ipv6.conf.all.accept_ra=0 sysctl -w net.ipv6.conf.default.accept_ra=0 sysctl -w net.ipv6.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure IPv6 router advertisements are not accepted" success=$((success + 1)) #Ensure IPv6 redirects are not accepted echo echo -e "${RED}3.3.2${NC} Ensure IPv6 redirects are not accepted" egrep -q "^(\s*net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf egrep -q "^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv6.conf.all.accept_redirects=0 sysctl -w net.ipv6.conf.default.accept_redirects=0 sysctl -w net.ipv6.route.flush=1 echo -e "${GREEN}Remediated:${NC} Ensure IPv6 redirects are not accepted" success=$((success + 1)) #Ensure IPv6 is disabled echo echo -e "${RED}3.3.3${NC} Ensure IPv6 is disabled" egrep -q "^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\S+(\s*#.*)?\s*$" /etc/default/grub && sed -ri "s/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\S+(\s*#.*)?\s*$/\1GRUB_CMDLINE_LINUX=\"ipv6.disable=1\"\2/" /etc/default/grub || echo "GRUB_CMDLINE_LINUX=\"ipv6.disable=1\"" >> /etc/default/grub grub2-mkconfig > /boot/grub2/grub.cfg echo -e "${GREEN}Remediated:${NC} Ensure IPv6 is disabled" success=$((success + 1)) ############################################################################################################################ ##Category 3.4 Network Configuration - TCP Wrappers echo echo -e "${BLUE}3.4 Network Configuration - TCP Wrappers${NC}" #Ensure TCP Wrappers is installed echo echo -e "${RED}3.4.1${NC} Ensure TCP Wrappers is installed" yum install tcp_wrappers policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure TCP Wrappers is installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure TCP Wrappers is installed" fail=$((fail + 1)) fi #Ensure /etc/hosts.deny is configured echo echo -e "${RED}3.4.3${NC} Ensure /etc/hosts.deny is configured" echo "ALL: ALL" >> /etc/hosts.deny policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure /etc/hosts.deny is configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure /etc/hosts.deny is configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/hosts.allow are configured echo echo -e "${RED}3.4.4${NC} Ensure permissions on /etc/hosts.allow are configured" chown root:root /etc/hosts.allow && chmod 644 /etc/hosts.allow policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/hosts.allow are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/hosts.allow are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/hosts.deny are configured echo echo -e "${RED}3.4.5${NC} Ensure permissions on /etc/hosts.deny are configured" chown root:root /etc/hosts.deny && chmod 644 /etc/hosts.deny policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/hosts.deny are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/hosts.deny are configured" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 3.5 Network Configuration - Uncommon Network Protocols echo echo -e "${BLUE}3.5 Network Configuration - Uncommon Network Protocols${NC}" #Ensure DCCP is disabled echo echo -e "${RED}3.5.1${NC} Ensure DCCP is disabled" modprobe -n -v dccp | grep "^install /bin/true$" || echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^dccp\s" && rmmod dccp policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure DCCP is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure DCCP is disabled" fail=$((fail + 1)) fi #Ensure SCTP is disabled echo echo -e "${RED}3.5.2${NC} Ensure SCTP is disabled" modprobe -n -v sctp | grep "^install /bin/true$" || echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^sctp\s" && rmmod sctp policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SCTP is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SCTP is disabled" fail=$((fail + 1)) fi #Ensure RDS is disabled echo echo -e "${RED}3.5.3${NC} Ensure RDS is disabled" modprobe -n -v rds | grep "^install /bin/true$" || echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^rds\s" && rmmod rds policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure RDS is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure RDS is disabled" fail=$((fail + 1)) fi #Ensure TIPC is disabled echo echo -e "${RED}3.5.4${NC} Ensure TIPC is disabled" modprobe -n -v tipc | grep "^install /bin/true$" || echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf policystatus=$? lsmod | egrep "^tipc\s" && rmmod tipc if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure TIPC is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure TIPC is disabled" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 3.6 Network Configuration - Firewall Configuration echo echo -e "${BLUE}3.6 Network Configuration - Firewall Configuration${NC}" #Ensure iptables is installed echo echo -e "${RED}3.6.1${NC} Ensure iptables is installed" yum install iptables && policystatus=$? policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure iptables is installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure iptables is installed" fail=$((fail + 1)) fi #Ensure default deny firewall policy echo echo -e "${RED}3.6.2${NC} Ensure default deny firewall policy" iptables -P INPUT DROP && iptables -P OUTPUT DROP && iptables -P FORWARD DROP policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure default deny firewall policy" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure default deny firewall policy" fail=$((fail + 1)) fi #Ensure loopback traffic is configured echo echo -e "${RED}3.6.3${NC} Ensure loopback traffic is configured" iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT && iptables -A INPUT -s 127.0.0.0/8 -j DROP policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure loopback traffic is configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure loopback traffic is configured" fail=$((fail + 1)) fi #Ensure outbound and established connections are configured echo echo -e "${RED}3.6.4${NC} Ensure outbound and established connections are configured" iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT echo -e "${GREEN}Remediated:${NC} Ensure outbound and established connections are configured"   ############################################################################################################################ ##Category 4.1 Logging and Auditing - Configure System Accounting (auditd) echo echo -e "${BLUE}4.1 Logging and Auditing - Configure System Accounting (auditd)${NC}" #Ensure system is disabled when audit logs are full echo echo -e "${RED}4.1.1.2${NC} Ensure system is disabled when audit logs are full" egrep -q "^(\s*)space_left_action\s*=\s*\S+(\s*#.*)?\s*$" /etc/audit/auditd.conf && sed -ri "s/^(\s*)space_left_action\s*=\s*\S+(\s*#.*)?\s*$/\1space_left_action = email\2/" /etc/audit/auditd.conf || echo "space_left_action = email" >> /etc/audit/auditd.conf egrep -q "^(\s*)action_mail_acct\s*=\s*\S+(\s*#.*)?\s*$" /etc/audit/auditd.conf && sed -ri "s/^(\s*)action_mail_acct\s*=\s*\S+(\s*#.*)?\s*$/\1action_mail_acct = root\2/" /etc/audit/auditd.conf || echo "action_mail_acct = root" >> /etc/audit/auditd.conf egrep -q "^(\s*)admin_space_left_action\s*=\s*\S+(\s*#.*)?\s*$" /etc/audit/auditd.conf && sed -ri "s/^(\s*)admin_space_left_action\s*=\s*\S+(\s*#.*)?\s*$/\1admin_space_left_action = halt\2/" /etc/audit/auditd.conf || echo "admin_space_left_action = halt" >> /etc/audit/auditd.conf echo -e "${GREEN}Remediated:${NC} Ensure system is disabled when audit logs are full" success=$((success + 1)) #Ensure audit logs are not automatically deleted echo echo -e "${RED}4.1.1.3${NC} Ensure audit logs are not automatically deleted" egrep -q "^(\s*)max_log_file_action\s*=\s*\S+(\s*#.*)?\s*$" /etc/audit/auditd.conf && sed -ri "s/^(\s*)max_log_file_action\s*=\s*\S+(\s*#.*)?\s*$/\1max_log_file_action = keep_logs\2/" /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure audit logs are not automatically deleted" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure audit logs are not automatically deleted" fail=$((fail + 1)) fi #Ensure auditd service is enabled echo echo -e "${RED}4.1.2${NC} Ensure auditd service is enabled" systemctl enable auditd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure auditd service is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure auditd service is enabled" fail=$((fail + 1)) fi #Ensure auditing for processes that start prior to auditd is enabled echo echo -e "${RED}4.1.3${NC} Ensure auditing for processes that start prior to auditd is enabled" egrep -q "^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\S+(\s*#.*)?\s*$" /etc/default/grub && sed -ri "s/^(\s*)GRUB_CMDLINE_LINUX\s*=\s*\S+(\s*#.*)?\s*$/\1GRUB_CMDLINE_LINUX = \"audit=1\"\2/" /etc/default/grub || echo "GRUB_CMDLINE_LINUX = \"audit=1\"" >> /etc/default/grub grub2-mkconfig -o /boot/grub2/grub.cfg echo -e "${GREEN}Remediated:${NC} Ensure auditing for processes that start prior to auditd is enabled" #Ensure events that modify date and time information are collected echo echo -e "${RED}4.1.4${NC} Ensure events that modify date and time information are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+adjtimex\s+-S\s+settimeofday\s+-S\s+stime\s+-k\s+time-change\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" >> /etc/audit/rules.d/audit.rules egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+clock_settime\s+-k\s+time-change\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S clock_settime -k time-change" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/localtime\s+-p\s+wa\s+-k\s+time-change\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+adjtimex\s+-S\s+settimeofday\s+-k\s+time-change\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+clock_settime\s+-k\s+time-change\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S clock_settime -k time-change" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure events that modify date and time information are collected" #Ensure events that modify user/group information are collected echo echo -e "${RED}4.1.5${NC} Ensure events that modify user/group information are collected" egrep "^-w\s+/etc/group\s+-p\s+wa\s+-k\s+identity\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/group -p wa -k identity" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/passwd\s+-p\s+wa\s+-k\s+identity\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/gshadow\s+-p\s+wa\s+-k\s+identity\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/gshadow -p wa -k identity" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/shadow\s+-p\s+wa\s+-k\s+identity\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/shadow -p wa -k identity" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/security/opasswd\s+-p\s+wa\s+-k\s+identity\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/security/opasswd -p wa -k identity" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure events that modify user/group information are collected" success=$((success + 1)) #Ensure events that modify the system's network environment are collected echo echo -e "${RED}4.1.6${NC} Ensure events that modify the system's network environment are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+sethostname\s+-S\s+setdomainname\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/issue\s+-p\s+wa\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/issue.net\s+-p\s+wa\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/hosts\s+-p\s+wa\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/sysconfig/network\s+-p\s+wa\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+sethostname\s+-S\s+setdomainname\s+-k\s+system-locale\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure events that modify the system's network environment are collected" #Ensure events that modify the system's Mandatory Access Controls are collected echo echo -e "${RED}4.1.7${NC} Ensure events that modify the system's Mandatory Access Controls are collected" egrep "^-w\s+/etc/selinux/\s+-p\s+wa\s+-k\s+MAC-policy\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/selinux/ -p wa -k MAC-policy" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure events that modify the system's Mandatory Access Controls are collected" success=$((success + 1)) #Ensure login and logout events are collected echo echo -e "${RED}4.1.8${NC} Ensure login and logout events are collected" egrep "^-w\s+/var/run/faillock/\s+-p\s+wa\s+-k\s+logins\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/var/log/lastlog\s+-p\s+wa\s+-k\s+logins\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure login and logout events are collected" success=$((success + 1)) #Ensure session initiation information is collected echo echo -e "${RED}4.1.9${NC} Ensure session initiation information is collected" egrep "^-w\s+/var/run/utmp\s+-p\s+wa\s+-k\s+session\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/var/log/wtmp\s+-p\s+wa\s+-k\s+session\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/var/log/btmp\s+-p\s+wa\s+-k\s+session\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure session initiation information is collected" success=$((success + 1)) #Ensure discretionary access control permission modification events are collected echo echo -e "${RED}4.1.10${NC} Ensure discretionary access control permission modification events are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+chmod\s+-S\s+fchmod\s+-S\s+fchmodat\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+chown\s+-S\s+fchown\s+-S\s+fchownat\s+-S\s+lchown\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+setxattr\s+-S\s+lsetxattr\s+-S\s+fsetxattr\s+-S\s+removexattr\s+-S\s+lremovexattr\s+-S\s+fremovexattr\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+chmod\s+-S\s+fchmod\s+-S\s+fchmodat\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+chown\s+-S\s+fchown\s+-S\s+fchownat\s+-S\s+lchown\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+setxattr\s+-S\s+lsetxattr\s+-S\s+fsetxattr\s+-S\s+removexattr\s+-S\s+lremovexattr\s+-S\s+fremovexattr\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+perm_mod\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure discretionary access control permission modification events are collected" #Ensure unsuccessful unauthorized file access attempts are collected echo echo -e "${RED}4.1.11${NC} Ensure unsuccessful unauthorized file access attempts are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+creat\s+-S\s+open\s+-S\s+openat\s+-S\s+truncate\s+-S\s+ftruncate\s+-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+access\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/audit.rules egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+creat\s+-S\s+open\s+-S\s+openat\s+-S\s+truncate\s+-S\s+ftruncate\s+-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+access\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+creat\s+-S\s+open\s+-S\s+openat\s+-S\s+truncate\s+-S\s+ftruncate\s+-F\s+exit=-EACCES\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+access\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+creat\s+-S\s+open\s+-S\s+openat\s+-S\s+truncate\s+-S\s+ftruncate\s+-F\s+exit=-EPERM\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+access\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure unsuccessful unauthorized file access attempts are collected" #Ensure use of privileged commands is collected echo echo -e "${RED}4.1.12${NC} Ensure use of privileged commands is collected" for file in `find / -xdev \( -perm -4000 -o -perm -2000 \) -type f`; do egrep -q "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=$file\s+-F\s+perm=x\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+privileged\s*(#.*)?$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F path=$file -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/audit.rules; done policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure use of privileged commands is collected" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure use of privileged commands is collected" fail=$((fail + 1)) fi #Ensure successful file system mounts are collected echo echo -e "${RED}4.1.13${NC} Ensure successful file system mounts are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+mounts\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+mounts\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure successful file system mounts are collected" success=$((success + 1)) #Ensure file deletion events by users are collected echo echo -e "${RED}4.1.14${NC} Ensure file deletion events by users are collected" egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+-S\s+unlink\s+-S\s+unlinkat\s+-S\s+rename\s+-S\s+renameat\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+delete\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+-S\s+unlink\s+-S\s+unlinkat\s+-S\s+rename\s+-S\s+renameat\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+delete\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure file deletion events by users are collected" success=$((success + 1)) #Ensure changes to system administration scope (sudoers) is collected echo echo -e "${RED}4.1.15${NC} Ensure changes to system administration scope (sudoers) is collected" egrep "^-w\s+/etc/sudoers\s+-p\s+wa\s+-k\s+scope\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/etc/sudoers.d\s+-p\s+wa\s+-k\s+scope\s*$" /etc/audit/rules.d/audit.rules || echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure changes to system administration scope (sudoers) is collected" success=$((success + 1)) #Ensure system administrator actions (sudolog) are collected echo echo -e "${RED}4.1.16${NC} Ensure system administrator actions (sudolog) are collected" egrep "^-w\s+/var/log/sudo.log\s+-p\s+wa\s+-k\s+actions\s*$" /etc/audit/rules.d/audit.rules || echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/rules.d/audit.rules policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure system administrator actions (sudolog) are collected" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure system administrator actions (sudolog) are collected" fail=$((fail + 1)) fi #Ensure kernel module loading and unloading is collected echo echo -e "${RED}4.1.17${NC} Ensure kernel module loading and unloading is collected" egrep "^-w\s+/sbin/insmod\s+-p\s+x\s+-k\s+modules\s*$" /etc/audit/rules.d/audit.rules || echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/sbin/rmmod\s+-p\s+x\s+-k\s+modules\s*$" /etc/audit/rules.d/audit.rules || echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/rules.d/audit.rules egrep "^-w\s+/sbin/modprobe\s+-p\s+x\s+-k\s+modules\s*$" /etc/audit/rules.d/audit.rules || echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' || egrep "^-a\s+(always,exit|exit,always)\s+arch=b32\s+-S\s+init_module\s+-S\s+delete_module\s+-k\s+modules\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit arch=b32 -S init_module -S delete_module -k modules" >> /etc/audit/rules.d/audit.rules uname -p | grep -q 'x86_64' && egrep "^-a\s+(always,exit|exit,always)\s+arch=b64\s+-S\s+init_module\s+-S\s+delete_module\s+-k\s+modules\s*$" /etc/audit/rules.d/audit.rules || echo "-a always,exit arch=b64 -S init_module -S delete_module -k modules" >> /etc/audit/rules.d/audit.rules echo -e "${GREEN}Remediated:${NC} Ensure kernel module loading and unloading is collected" success=$((success + 1)) #Ensure the audit configuration is immutable echo echo -e "${RED}4.1.18${NC} Ensure the audit configuration is immutable" grep "-e 2" /etc/audit/audit.rules || echo "-e 2" >> /etc/audit/audit.rules policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure the audit configuration is immutable" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure the audit configuration is immutable" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 4.2 Logging and Auditing - Configure rsyslog echo echo -e "${BLUE}4.2 Logging and Auditing - Configure rsyslog${NC}"   #Ensure rsyslog Service is enabled echo echo -e "${RED}4.2.1.1${NC} Ensure rsyslog Service is enabled" systemctl enable rsyslog policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure rsyslog Service is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure rsyslog Service is enabled" fail=$((fail + 1)) fi   #Ensure rsyslog default file permissions configured echo echo -e "${RED}4.2.1.3${NC} Ensure rsyslog default file permissions configured" grep "$FileCreateMode 0640" /etc/rsyslog.conf || echo "$""FileCreateMode 0640" >> /etc/rsyslog.conf grep "$FileCreateMode 0640" /etc/rsyslog.d/*.conf || echo "$""FileCreateMode 0640" >> /etc/rsyslog.d/*.conf echo -e "${GREEN}Remediated:${NC} Ensure rsyslog default file permissions configured"   #Ensure remote rsyslog messages are only accepted on designated log hosts echo echo -e "${RED}4.2.1.5${NC} Ensure remote rsyslog messages are only accepted on designated log hosts" sed -i -e 's/#$ModLoad imtcp/$ModLoad imtcp/g' /etc/rsyslog.conf grep "$ModLoad imtcp" /etc/rsyslog.conf || echo "$""ModLoad imtcp" >> /etc/rsyslog.conf sed -i -e 's/#$InputTCPServerRun 514/$InputTCPServerRun 514/g' /etc/rsyslog.conf grep "$InputTCPServerRun 514" /etc/rsyslog.conf || echo "$""InputTCPServerRun 514" >> /etc/rsyslog.conf pkill -HUP rsyslogd echo -e "${GREEN}Remediated:${NC} Ensure remote rsyslog messages are only accepted on designated log hosts"   #Ensure syslog-ng service is enabled echo echo -e "${RED}4.2.2.1${NC} Ensure syslog-ng service is enabled" yum install syslog-ng && systemctl enable syslog-ng policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure syslog-ng service is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure syslog-ng service is enabled" fail=$((fail + 1)) fi #Ensure rsyslog or syslog-ng is installed echo echo -e "${RED}4.2.3${NC} Ensure rsyslog or syslog-ng is installed" yum install rsyslog && yum install syslog-ng policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure rsyslog or syslog-ng is installed" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure rsyslog or syslog-ng is installed" fail=$((fail + 1)) fi #Ensure permissions on all logfiles are configured echo echo -e "${RED}4.2.4${NC} Ensure permissions on all logfiles are configured" find /var/log -type f -exec chmod g-wx,o-rwx {} + policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on all logfiles are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on all logfiles are configured" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 5.1 Access, Authentication and Authorization - Configure cron echo echo -e "${BLUE}5.1 Access, Authentication and Authorization - Configure cron${NC}"   #Ensure cron daemon is enabled echo echo -e "${RED}5.1.1${NC} Ensure cron daemon is enabled" systemctl enable crond policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure cron daemon is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure cron daemon is enabled" fail=$((fail + 1)) fi #Ensure permissions on /etc/crontab are configured echo echo -e "${RED}5.1.2${NC} Ensure permissions on /etc/crontab are configured" chown root:root /etc/crontab && chmod og-rwx /etc/crontab policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/crontab are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/crontab are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/cron.hourly are configured echo echo -e "${RED}5.1.3${NC} Ensure permissions on /etc/cron.hourly are configured" chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/cron.hourly are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/cron.hourly are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/cron.daily are configured echo echo -e "${RED}5.1.4${NC} Ensure permissions on /etc/cron.daily are configured" chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/cron.daily are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/cron.daily are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/cron.weekly are configured echo echo -e "${RED}5.1.5${NC} Ensure permissions on /etc/cron.weekly are configured" chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/cron.weekly are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/cron.weekly are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/cron.monthly are configured echo echo -e "${RED}5.1.6${NC} Ensure permissions on /etc/cron.monthly are configured" chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/cron.monthly are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/cron.monthly are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/cron.d are configured echo echo -e "${RED}5.1.7${NC} Ensure permissions on /etc/cron.d are configured" chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/cron.d are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/cron.d are configured" fail=$((fail + 1)) fi #Ensure at/cron is restricted to authorized users echo echo -e "${RED}5.1.8${NC} Ensure at/cron is restricted to authorized users" rm /etc/cron.deny rm /etc/at.deny touch /etc/cron.allow touch /etc/at.allow chmod og-rwx /etc/cron.allow chmod og-rwx /etc/at.allow chown root:root /etc/cron.allow chown root:root /etc/at.allow echo -e "${GREEN}Remediated:${NC} Ensure at/cron is restricted to authorized users" success=$((success + 1)) ############################################################################################################################ ##Category 5.2 Access, Authentication and Authorization - SSH Server Configuration echo echo -e "${BLUE}5.2 Access, Authentication and Authorization - SSH Server Configuration${NC}" #Ensure permissions on /etc/ssh/sshd_config are configured echo echo -e "${RED}5.2.1${NC} Ensure permissions on /etc/ssh/sshd_config are configured" chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/ssh/sshd_config are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/ssh/sshd_config are configured" fail=$((fail + 1)) fi   #Ensure SSH Protocol is set to 2 echo echo -e "${RED}5.2.2${NC} Ensure SSH Protocol is set to 2" egrep -q "^(\s*)Protocol\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Protocol\s+\S+(\s*#.*)?\s*$/\1Protocol 2\2/" /etc/ssh/sshd_config || echo "Protocol 2" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH Protocol is set to 2" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH Protocol is set to 2" fail=$((fail + 1)) fi #Ensure SSH LogLevel is set to INFO echo echo -e "${RED}5.2.3${NC} Ensure SSH LogLevel is set to INFO" egrep -q "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH LogLevel is set to INFO" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH LogLevel is set to INFO" fail=$((fail + 1)) fi #Ensure SSH X11 forwarding is disabled echo echo -e "${RED}5.2.4${NC} Ensure SSH X11 forwarding is disabled" egrep -q "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH X11 forwarding is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH X11 forwarding is disabled" fail=$((fail + 1)) fi #Ensure SSH MaxAuthTries is set to 4 or less echo echo -e "${RED}5.2.5${NC} Ensure SSH MaxAuthTries is set to 4 or less" egrep -q "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH MaxAuthTries is set to 4 or less" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH MaxAuthTries is set to 4 or less" fail=$((fail + 1)) fi #Ensure SSH IgnoreRhosts is enabled echo echo -e "${RED}5.2.6${NC} Ensure SSH IgnoreRhosts is enabled" egrep -q "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH IgnoreRhosts is enabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH IgnoreRhosts is enabled" fail=$((fail + 1)) fi   #Ensure SSH HostbasedAuthentication is disabled echo echo -e "${RED}5.2.7${NC} Ensure SSH HostbasedAuthentication is disabled" egrep -q "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH HostbasedAuthentication is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH HostbasedAuthentication is disabled" fail=$((fail + 1)) fi #Ensure SSH root login is disabled echo echo -e "${RED}5.2.8${NC} Ensure SSH root login is disabled" egrep -q "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH root login is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH root login is disabled" fail=$((fail + 1)) fi   #Ensure SSH PermitEmptyPasswords is disabled echo echo -e "${RED}5.2.9${NC} Ensure SSH PermitEmptyPasswords is disabled" egrep -q "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH PermitEmptyPasswords is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH PermitEmptyPasswords is disabled" fail=$((fail + 1)) fi   #Ensure SSH PermitUserEnvironment is disabled echo echo -e "${RED}5.2.10${NC} Ensure SSH PermitUserEnvironment is disabled" egrep -q "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH PermitUserEnvironment is disabled" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH PermitUserEnvironment is disabled" fail=$((fail + 1)) fi   #Ensure only approved MAC algorithms are used echo echo -e "${RED}5.2.11${NC} Ensure only approved MAC algorithms are used" egrep -q "^(\s*)MACs\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MACs\s+\S+(\s*#.*)?\s*$/\1MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\2/" /etc/ssh/sshd_config || echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure only approved MAC algorithms are used" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure only approved MAC algorithms are used" fail=$((fail + 1)) fi #Ensure SSH Idle Timeout Interval is configured echo echo -e "${RED}5.2.12${NC} Ensure SSH Idle Timeout Interval is configured" egrep -q "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 300\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config egrep -q "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config echo -e "${GREEN}Remediated:${NC} Ensure SSH Idle Timeout Interval is configured" success=$((success + 1)) #Ensure SSH LoginGraceTime is set to one minute or less echo echo -e "${RED}5.2.13${NC} Ensure SSH LoginGraceTime is set to one minute or less" egrep -q "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH LoginGraceTime is set to one minute or less" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH LoginGraceTime is set to one minute or less" fail=$((fail + 1)) fi #Ensure SSH warning banner is configured echo echo -e "${RED}5.2.15${NC} Ensure SSH warning banner is configured" egrep -q "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner /etc/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure SSH warning banner is configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure SSH warning banner is configured" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 5.3 Access, Authentication and Authorization - Configure PAM echo echo -e "${BLUE}5.3 Access, Authentication and Authorization - Configure PAM${NC}" #Ensure password creation requirements are configured echo echo -e "${RED}5.3.1${NC} Ensure password creation requirements are configured" egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/password-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/password-auth || echo "password requisite pam_pwquality.so try_first_pass retry=3" >> /etc/pam.d/password-auth egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/system-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/system-auth || echo "password requisite pam_pwquality.so try_first_pass retry=3" >> /etc/pam.d/system-auth egrep -q "^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf || echo "minlen=14" >> /etc/security/pwquality.conf egrep -q "^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$/\dcredit=-1\2/" /etc/security/pwquality.conf || echo "dcredit=-1" >> /etc/security/pwquality.conf egrep -q "^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$/\ucredit=-1\2/" /etc/security/pwquality.conf || echo "ucredit=-1" >> /etc/security/pwquality.conf egrep -q "^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$/\ocredit=-1\2/" /etc/security/pwquality.conf || echo "ocredit=-1" >> /etc/security/pwquality.conf egrep -q "^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$/\lcredit=-1\2/" /etc/security/pwquality.conf || echo "lcredit=-1" >> /etc/security/pwquality.conf echo -e "${GREEN}Remediated:${NC} Ensure password creation requirements are configured" success=$((success + 1)) #Ensure password reuse is limited echo echo -e "${RED}5.3.3${NC} Ensure password reuse is limited" egrep -q "^\s*password\s+sufficient\s+pam_unix.so(\s+.*)$" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+remember=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1remember=5 \2/ }' /etc/pam.d/password-auth && sed -ri 's/(^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*\s+)remember=[0-9]+(\s+.*)?$/\1remember=5\3/' /etc/pam.d/password-auth || echo "password sufficient pam_unix.so remember=5" >> /etc/pam.d/password-auth egrep -q "^\s*password\s+sufficient\s+pam_unix.so(\s+.*)$" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+remember=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1remember=5 \2/ }' /etc/pam.d/system-auth && sed -ri 's/(^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*\s+)remember=[0-9]+(\s+.*)?$/\1remember=5\3/' /etc/pam.d/system-auth || echo "password sufficient pam_unix.so remember=5" >> /etc/pam.d/system-auth echo -e "${GREEN}Remediated:${NC} Ensure password reuse is limited" success=$((success + 1)) #Ensure password hashing algorithm is SHA-512 echo echo -e "${RED}5.3.4${NC} Ensure password hashing algorithm is SHA-512" egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/password-auth || echo "password sufficient pam_unix.so sha512" >> /etc/pam.d/password-auth egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/system-auth || echo "password sufficient pam_unix.so sha512" >> /etc/pam.d/system-auth echo -e "${GREEN}Remediated:${NC} Ensure password hashing algorithm is SHA-512" success=$((success + 1)) ############################################################################################################################ ##Category 5.4 Access, Authentication and Authorization - User Accounts and Environment echo echo -e "${BLUE}5.4 Access, Authentication and Authorization - User Accounts and Environment${NC}" #Ensure password expiration is 365 days or less echo echo -e "${RED}5.4.1.1${NC} Ensure password expiration is 365 days or less" egrep -q "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MAX_DAYS 90\2/" /etc/login.defs || echo "PASS_MAX_DAYS 90" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 90 echo -e "${GREEN}Remediated:${NC} Ensure password expiration is 365 days or less" success=$((success + 1)) #Ensure minimum days between password changes is 7 or more echo echo -e "${RED}5.4.1.2${NC} Ensure minimum days between password changes is 7 or more" egrep -q "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --mindays 7 echo -e "${GREEN}Remediated:${NC} Ensure minimum days between password changes is 7 or more" success=$((success + 1)) #Ensure password expiration warning days is 7 or more echo echo -e "${RED}5.4.1.3${NC} Ensure password expiration warning days is 7 or more" egrep -q "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --warndays 7 echo -e "${GREEN}Remediated:${NC} Ensure password expiration warning days is 7 or more" success=$((success + 1)) #Ensure inactive password lock is 30 days or less echo echo -e "${RED}5.4.1.4${NC} Ensure inactive password lock is 30 days or less" useradd -D -f 30 && getent passwd | cut -f1 -d ":" | xargs -n1 chage --inactive 30 policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure inactive password lock is 30 days or less" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure inactive password lock is 30 days or less" fail=$((fail + 1)) fi #Ensure system accounts are non-login echo echo -e "${RED}5.4.2${NC} Ensure system accounts are non-login" for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do if [ $user != "root" ]; then /usr/sbin/usermod -L $user if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then /usr/sbin/usermod -s /sbin/nologin $user fi fi done policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure system accounts are non-login" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure system accounts are non-login" fail=$((fail + 1)) fi #Ensure default group for the root account is GID 0 echo echo -e "${RED}5.4.3${NC} Ensure default group for the root account is GID 0" usermod -g 0 root policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure default group for the root account is GID 0" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure default group for the root account is GID 0" fail=$((fail + 1)) fi #Ensure default user umask is 027 or more restrictive echo echo -e "${RED}5.4.4${NC} Ensure default user umask is 027 or more restrictive" egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 077\2/" /etc/bashrc || echo "umask 077" >> /etc/bashrc egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 077\2/" /etc/profile || echo "umask 077" >> /etc/profile egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/*.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 077\2/" /etc/profile.d/*.sh || echo "umask 077" >> /etc/profile.d/*.sh echo -e "${GREEN}Remediated:${NC} Ensure default user umask is 027 or more restrictive" #Ensure default user shell timeout is 900 seconds or less echo echo -e "${RED}5.4.5${NC} Ensure default user shell timeout is 900 seconds or less" egrep -q "^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$/\1TMOUT=600\2/" /etc/bashrc || echo "TMOUT=600" >> /etc/bashrc egrep -q "^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$/\1TMOUT=600\2/" /etc/profile || echo "TMOUT=600" >> /etc/profile egrep -q "^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$" /etc/profile.d/*.sh && sed -ri "s/^(\s*)TMOUT\s+\S+(\s*#.*)?\s*$/\1TMOUT=600\2/" /etc/profile.d/*.sh || echo "TMOUT=600" >> /etc/profile.d/*.sh echo -e "${GREEN}Remediated:${NC} Ensure default user shell timeout is 900 seconds or less" #Ensure access to the su command is restricted echo echo -e "${RED}5.6${NC} Ensure access to the su command is restricted" egrep -q "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure access to the su command is restricted" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure access to the su command is restricted" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 6.1 System Maintenance - System File Permissions echo echo -e "${BLUE}6.1 System Maintenance - System File Permissions${NC}"   #Ensure permissions on /etc/passwd are configured echo echo -e "${RED}6.1.2${NC} Ensure permissions on /etc/passwd are configured" chown root:root /etc/passwd && chmod 644 /etc/passwd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/passwd are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/passwd are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/shadow are configured echo echo -e "${RED}6.1.3${NC} Ensure permissions on /etc/shadow are configured" chown root:root /etc/shadow && chmod 000 /etc/shadow policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/shadow are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/shadow are configured" fail=$((fail + 1)) fi   #Ensure permissions on /etc/group are configured echo echo -e "${RED}6.1.4${NC} Ensure permissions on /etc/group are configured" chown root:root /etc/group && chmod 644 /etc/group policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/group are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/group are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/gshadow are configured echo echo -e "${RED}6.1.5${NC} Ensure permissions on /etc/gshadow are configured" chown root:root /etc/gshadow && chmod 000 /etc/gshadow policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/gshadow are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/gshadow are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/passwd- are configured echo echo -e "${RED}6.1.6${NC} Ensure permissions on /etc/passwd- are configured" chown root:root /etc/passwd- && chmod u-x,go-wx /etc/passwd- policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/passwd- are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/passwd- are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/shadow- are configured echo echo -e "${RED}6.1.7${NC} Ensure permissions on /etc/shadow- are configured" chown root:root /etc/shadow- && chmod 000 /etc/shadow- policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/shadow- are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/shadow- are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/group- are configured echo echo -e "${RED}6.1.8${NC} Ensure permissions on /etc/group- are configured" chown root:root /etc/group- && chmod u-x,go-wx /etc/group- policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/group- are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/group- are configured" fail=$((fail + 1)) fi #Ensure permissions on /etc/gshadow- are configured echo echo -e "${RED}6.1.9${NC} Ensure permissions on /etc/gshadow- are configured" chown root:root /etc/gshadow- && chmod 000 /etc/gshadow- policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure permissions on /etc/gshadow- are configured" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure permissions on /etc/gshadow- are configured" fail=$((fail + 1)) fi ############################################################################################################################ ##Category 6.2 System Maintenance - User and Group Settings echo echo -e "${BLUE}6.2 System Maintenance - User and Group Settings${NC}" #Ensure no legacy '+' entries exist in /etc/passwd echo echo -e "${RED}6.2.2${NC} Ensure no legacy '+' entries exist in /etc/passwd" sed -ri '/^\+:.*$/ d' /etc/passwd policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure no legacy '+' entries exist in /etc/passwd" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure no legacy '+' entries exist in /etc/passwd" fail=$((fail + 1)) fi #Ensure no legacy '+' entries exist in /etc/shadow echo echo -e "${RED}6.2.3${NC} Ensure no legacy '+' entries exist in /etc/shadow" sed -ri '/^\+:.*$/ d' /etc/shadow policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure no legacy '+' entries exist in /etc/shadow" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure no legacy '+' entries exist in /etc/shadow" fail=$((fail + 1)) fi #Ensure no legacy '+' entries exist in /etc/group echo echo -e "${RED}6.2.4${NC} Ensure no legacy '+' entries exist in /etc/group" sed -ri '/^\+:.*$/ d' /etc/group policystatus=$? if [[ "$policystatus" -eq 0 ]]; then echo -e "${GREEN}Remediated:${NC} Ensure no legacy '+' entries exist in /etc/group" success=$((success + 1)) else echo -e "${RED}UnableToRemediate:${NC} Ensure no legacy '+' entries exist in /etc/group" fail=$((fail + 1)) fi ############################################################################################################################ echo echo -e "${GREEN}Remediation script for CentOS Linux 7 executed successfully!!${NC}" echo echo -e "${YELLOW}Summary:${NC}" echo -e "${YELLOW}Remediation Passed:${NC} $success" echo -e "${YELLOW}Remediation Failed:${NC} $fail" ###########################################################################################################################