@AfroThundr3007730
Last active October 29, 2018 14:50
Notes on hardening a CentOS box (assuming the STIG policy was selected during install)
#!/bin/bash
# If you selected the STIG config during install, some of these will be configured already.
# All of these are mentioned in the STIG, but some of them must be done manually.
# FIPS all the things.
yum install -y dracut-fips
# Regenerate ramdisk (current kernel)
dracut -f "/boot/initramfs-$(uname -r).img" "$(uname -r)"
# Append 'fips=1' to GRUB_CMDLINE_LINUX
grep 'fips=1' /proc/cmdline ||
sed -i '/GRUB_CMDLINE_LINUX/ s/"$/ fips=1"/' /etc/default/grub
# Find because it can be in multiple places (BIOS vs UEFI); leave $(find ...)
# unquoted on purpose so tee gets one path per argument if more than one grub.cfg exists
grub2-mkconfig | tee $(find /boot -name grub.cfg)
# Remove rescue kernel
yum remove -y dracut-config-rescue
rm -f /boot/*rescue*
grub2-mkconfig | tee $(find /boot -name grub.cfg)
# Limit to 2 kernels installed
sed -i '/installonly_limit/ s/.*/installonly_limit=2/' /etc/yum.conf
# Probably want these
yum install -y yum-utils
package-cleanup --oldkernels --count=2
# Or just wait for the next yum update
# Password protect GRUB
grub2-setpassword
grub2-mkconfig | tee $(find /boot -name grub.cfg)
# You should have an IDS
yum install -y aide
# Build the initial database and promote it, so later 'aide --check' runs have a baseline
aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
systemctl enable aide
# Switching to iptables
yum install -y iptables-services
systemctl disable firewalld
systemctl enable iptables && systemctl enable ip6tables
# Add your rules, then save (minimal ruleset below)
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -i lo -j ACCEPT
# ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -P INPUT DROP
# ip6tables -P FORWARD DROP
service iptables save && service ip6tables save
# SELinux: Some of these are pulled in automatically
yum install -y policycoreutils{,-restorecond,-console,-devel} setools{,-libs,-console} \
selinux-policy-{targeted,dev,mls} libsemanage checkpolicy
setenforce 1
# Append 'selinux=1' to GRUB_CMDLINE_LINUX, plus 'boot=<dev>' when /boot is a separate
# filesystem (dracut-fips needs it to locate the kernel HMAC files at boot)
grep "/boot[[:space:]]" /etc/fstab &&
bootarg="boot=$(awk '/\/boot[[:space:]]/ {print $1}' /etc/fstab)"
# Use '|' as the sed delimiter: $bootarg may contain slashes (e.g. boot=/dev/mapper/cl-boot)
grep 'selinux=1' /proc/cmdline ||
sed -i "/GRUB_CMDLINE_LINUX/ s|\"\$| ${bootarg:+$bootarg }selinux=1\"|" /etc/default/grub
grub2-mkconfig | tee $(find /boot -name grub.cfg)
# Relabel filesystem now and on reboot
touch /.autorelabel && restorecon -R /
# Locking down SELinux users and roles
semanage login -l
# Remember the defaults if you break things
semanage login -a -s staff_u -r s0-s0:c0.c1023 %wheel
semanage login -m -s root root
semanage login -m -s user_u -r s0 __default__
# Make sudo play nice with role transitions
awk '/^%wheel/ && /ROLE=sysadm_r/ && /TYPE=sysadm_t/ {e=1}; END {exit !e}' /etc/sudoers ||
sed -i '/^%wheel/ s/.*/%wheel ALL=(ALL:ALL) ROLE=sysadm_r TYPE=sysadm_t ALL, ! \/bin\/su/' \
/etc/sudoers
# Editing sudoers with sed bypasses visudo's locking and syntax check, so check it now
visudo -c
# Test this from a fresh session in another VT or SSH in again (check 'id -Z' as user and as root)
# See all the new things SELinux broke; some can be fixed with 'setsebool -P <boolean_name> 1'
audit2allow -a
# For AV, check my gist on ClamAV on CentOS
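The two GRUB_CMDLINE_LINUX edits above (fips=1, and boot=<dev> with selinux=1) are both "append a kernel argument unless it is already there". The following is an added example, not part of the gist, that does this idempotently and without the sed-delimiter problem: the function names, the GRUB_DEFAULTS default and the use of awk for the rewrite are assumptions made here, and it expects the standard quoted form GRUB_CMDLINE_LINUX="...". Because the file path and the cmdline file are parameters, it can be exercised against constructed files before being pointed at /etc/default/grub.

```bash
#!/bin/bash
# Added example, not part of the gist: idempotent helpers for editing
# GRUB_CMDLINE_LINUX in a grub defaults file. Function names and the
# GRUB_DEFAULTS default are assumptions made for this illustration.
# Assumes the standard quoted form GRUB_CMDLINE_LINUX="...".

# Print the argument string inside GRUB_CMDLINE_LINUX="..." in FILE ($1).
# If the variable is assigned more than once, the last assignment wins (as in grub).
cmdline_args() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n1
}

# Succeed if ARG ($2) is already one of the space-separated arguments in FILE ($1).
# Fixed-string, whole-line matching, so values like boot=/dev/sda1 need no escaping.
has_kernel_arg() {
    cmdline_args "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# Append ARG ($2) to GRUB_CMDLINE_LINUX in FILE ($1) unless it is already present.
# awk rewrites the line, so a value containing '/' cannot clash with a sed delimiter.
add_kernel_arg() {
    has_kernel_arg "$1" "$2" && return 0
    local tmp rc
    tmp=$(mktemp) || return 1
    awk -v arg="$2" '
        /^GRUB_CMDLINE_LINUX=/ && !done {
            sub(/"[[:space:]]*$/, "")          # drop the closing quote
            sep = ($0 ~ /="$/) ? "" : " "     # no leading space for an empty value
            $0 = $0 sep arg "\""
            done = 1
        }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"" arg "\"" }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat keeps the target file's permissions
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Succeed if ARG ($1) is on the running kernel's command line. CMDLINE_FILE ($2)
# defaults to /proc/cmdline; passing a file makes this testable offline.
running_with_arg() {
    tr ' ' '\n' < "${2:-/proc/cmdline}" | grep -qxF -- "$1"
}

# Usage (as root; regenerate grub.cfg afterwards exactly as the gist does):
#   GRUB_DEFAULTS=${GRUB_DEFAULTS:-/etc/default/grub}
#   running_with_arg fips=1 || add_kernel_arg "$GRUB_DEFAULTS" fips=1
#   add_kernel_arg "$GRUB_DEFAULTS" boot=UUID=<uuid-of-boot>
#   add_kernel_arg "$GRUB_DEFAULTS" selinux=1
```

Running the same call twice leaves the file unchanged, which is what makes the script safe to re-run after a partial hardening pass; a missing GRUB_CMDLINE_LINUX line is created rather than silently skipped, so the argument never fails to reach grub2-mkconfig.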