Notes on hardening a CentOS box (assuming the STIG policy was selected during install)
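#!/bin/bash
# If you selected the STIG config during install, some of these will be configured already.
# All of these are mentioned in the STIG, but some of them must be done manually.
# Run as root; the steps are independent and can be pasted one section at a time.
set -u

#######################################
# Regenerate every grub.cfg under /boot (BIOS and EFI layouts keep it in
# different places, and a box can have both).
# A quoted "$(find ...)" hands tee ONE argument containing all paths joined
# by newlines, so the paths are collected into an array instead.
# Returns: 1 if no grub.cfg exists, otherwise grub2-mkconfig/tee's status.
#######################################
regen_grub() {
  local -a cfgs=()
  mapfile -t cfgs < <(find /boot -name grub.cfg)
  if ((${#cfgs[@]} == 0)); then
    printf 'regen_grub: no grub.cfg found under /boot\n' >&2
    return 1
  fi
  grub2-mkconfig | tee "${cfgs[@]}"
}

# FIPS all the things.
yum install -y dracut-fips
# Regenerate ramdisk (current kernel)
dracut -f "/boot/initramfs-$(uname -r).img" "$(uname -r)"
# Append 'fips=1' to GRUB_CMDLINE_LINUX
# Checked against /etc/default/grub rather than /proc/cmdline so a second run
# before reboot does not append the flag twice.
grep -q 'fips=1' /etc/default/grub ||
  sed -i '/GRUB_CMDLINE_LINUX/ s/"$/ fips=1"/' /etc/default/grub
regen_grub
# Remove rescue kernel
yum remove -y dracut-config-rescue
rm -f /boot/*rescue*
regen_grub
# Limit to 2 kernels installed
sed -i '/installonly_limit/ s/.*/installonly_limit=2/' /etc/yum.conf
# Probably want these
yum install -y yum-utils
package-cleanup --oldkernels --count=2
# Or just wait for the next yum update
# Password protect GRUB
grub2-setpassword
regen_grub
# You should have an IDS
yum install -y aide
systemctl enable aide
# AIDE only detects changes against a baseline; build one with 'aide --init'
# and move the resulting .new database into place (see aide(1)).
# Switching to iptables
yum install -y iptables-services
systemctl disable firewalld
systemctl enable iptables && systemctl enable ip6tables
# Add your rules, then save (minimal ruleset below)
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -i lo -j ACCEPT
# ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -P INPUT DROP
# ip6tables -P FORWARD DROP
service iptables save && service ip6tables save
# SElinux: Some of these are pulled in automatically
yum install -y policycoreutils{,-restorecond,-console,-devel} setools{,-libs,-console} \
  selinux-policy-{targeted,dev,mls} libsemanage checkpolicy
setenforce 1
# Append 'selinux=1' to GRUB_CMDLINE_LINUX (along with the boot UUID)
# 'boot=' is only needed when /boot is a separate filesystem. The fstab
# device may be a /dev path, so the sed below uses '|' as its delimiter
# instead of '/'.
bootarg=""
if grep -q "/boot[[:space:]]" /etc/fstab; then
  bootarg="boot=$(awk '/\/boot[[:space:]]/ {print $1}' /etc/fstab)"
fi
grep -q 'selinux=1' /etc/default/grub ||
  sed -i "/GRUB_CMDLINE_LINUX/ s|\"\$| ${bootarg:+$bootarg }selinux=1\"|" /etc/default/grub
regen_grub
# Relabel filesystem now and on reboot
touch /.autorelabel && restorecon -R /
# Locking down SElinux users and roles
semanage login -l
# Remember the defaults if you break things
semanage login -a -s staff_u -r s0-s0:c0.c1023 %wheel
semanage login -m -s root root
semanage login -m -s user_u -r s0 __default__
# Make sudo play nice with role transitions
# The edit is made on a copy and only written back once visudo accepts it;
# a syntax error in /etc/sudoers disables sudo for everyone.
if ! awk '/^%wheel/ && /ROLE=sysadm_r/ && /TYPE=sysadm_t/ {e=1}; END {exit !e}' /etc/sudoers; then
  tmp=$(mktemp) || exit 1
  if sed '/^%wheel/ s/.*/%wheel ALL=(ALL:ALL) ROLE=sysadm_r TYPE=sysadm_t ALL, ! \/bin\/su/' \
      /etc/sudoers > "$tmp" && visudo -c -q -f "$tmp"; then
    # cat > keeps the inode, so mode, owner and SELinux label are untouched.
    cat "$tmp" > /etc/sudoers
  else
    printf 'sudoers edit rejected by visudo; /etc/sudoers left unchanged\n' >&2
  fi
  rm -f -- "$tmp"
fi
# Test this from a fresh session in another VT or SSH in again (check 'id Z' as user and as root)
# See all the new things selinux broke, some can be fixed with 'setsebool -P <boolean_name> 1'
audit2allow -a
# For AV, check my gist on ClamAV on CentOS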