@Subhasis180689
Last active July 16, 2020 07:28
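#!/usr/bin/env bash
# CIS-style hardening for a RHEL/CentOS-family host (yum, grub2,
# /etc/sysconfig/network, /etc/pam.d/{password,system}-auth).
#
# Each function below corresponds to one group of the original one-liners.
# Differences from the original script:
#   * config lines are appended only if not already present, so the script
#     can be re-run without duplicating entries;
#   * the kernel-module audit rule was missing "-F" before arch=b64 and a
#     "sysctl -w ..." command had been written into /etc/sysctl.conf —
#     both are fixed;
#   * sshd directives replace an existing (possibly commented) line instead
#     of being appended, because sshd honours the FIRST value it reads;
#   * the pam_unix "remember=" option is added to the existing password
#     line rather than appended after the end of the stack;
#   * audit=1 is added to the existing GRUB_CMDLINE_LINUX rather than
#     replacing one hard-coded command line, and grub.cfg is written with
#     -o so a failed grub2-mkconfig does not leave an empty grub.cfg.
# Must run as root. Requires GNU sed (the original already relied on sed -i).
#
# -e is deliberately not set: each step reports its own failure and the
# remaining hardening steps still run.
set -uo pipefail

readonly AUDIT_RULES=/etc/audit/rules.d/cisscan.rules
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly GRUB_DEFAULT=/etc/default/grub
readonly GRUB_CFG=/boot/grub2/grub.cfg

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Append each argument as its own line to a file, skipping any line that is
# already present verbatim. The file is created if it does not exist.
# Arguments: $1 - file; $2.. - lines to append
#######################################
append_once() {
  local file=$1 line
  shift
  for line in "$@"; do
    if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
      continue
    fi
    printf '%s\n' "$line" >> "$file"
  done
}

#######################################
# Set one sshd_config directive. sshd uses the first value it sees for a
# directive, so a line appended at the end of the file is overridden by any
# earlier uncommented setting. Replace the first occurrence at column 0
# (commented out or not) instead; append only when the directive is absent.
# Lines indented after "#" (the per-user Match example block) are left alone.
# Arguments: $1 - directive name; $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key}[[:space:]]" "$SSHD_CONFIG"; then
    # GNU sed: the "0,/re/" address limits the substitution to the first match.
    sed -i -E "0,/^#?${key}[[:space:]]/s~^#?${key}[[:space:]].*~${key} ${value}~" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

#######################################
# Restrict permissions on all existing log files (symlinks are followed).
#######################################
restrict_log_permissions() {
  find -L /var/log -type f -exec chmod g-wx,o-rwx {} +
}

#######################################
# TMOUT is the interactive shell idle timeout in seconds.
# NOTE(review): a plain export can be unset by the user; CIS suggests making
# it readonly as well — confirm before tightening.
#######################################
set_shell_timeout() {
  append_once /etc/bashrc 'export TMOUT=600'
  append_once /etc/profile 'export TMOUT=600'
}

#######################################
# Write the auditd watch rules. Rule groups, in order:
#   session/logins: utmp (current logins), wtmp (login/logout/shutdown/reboot),
#                   btmp (failed logins), lastlog, faillock
#   time-change:    date/time modification — unexpected changes can indicate
#                   tampering with the host's timeline
#   modules:        kernel module load/unload
#   access:         unsuccessful file access by non-privileged users
#   identity:       group/passwd/shadow/gshadow/opasswd changes
#   mounts:         mount(2) by non-privileged users
#   system-locale:  hostname/domainname changes and network config files
#   actions:        the sudo log
#   MAC-policy:     any write or attribute change under /etc/selinux
#   -e 2:           make the loaded ruleset immutable until reboot
# NOTE(review): augenrules concatenates rules.d/*.rules in sorted order; any
# rule that ends up after "-e 2" is rejected, so confirm no other rules file
# sorts after "cisscan.rules" (or move -e 2 to a file that sorts last).
#######################################
configure_audit_rules() {
  append_once "$AUDIT_RULES" \
    '-w /var/run/utmp -p wa -k session' \
    '-w /var/log/wtmp -p wa -k logins' \
    '-w /var/log/btmp -p wa -k logins' \
    '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change' \
    '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' \
    '-a always,exit -F arch=b64 -S clock_settime -k time-change' \
    '-a always,exit -F arch=b32 -S clock_settime -k time-change' \
    '-w /etc/localtime -p wa -k time-change' \
    '-w /sbin/insmod -p x -k modules' \
    '-w /sbin/rmmod -p x -k modules' \
    '-w /sbin/modprobe -p x -k modules' \
    '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' \
    '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' \
    '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' \
    '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' \
    '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' \
    '-w /etc/group -p wa -k identity' \
    '-w /etc/passwd -p wa -k identity' \
    '-w /etc/gshadow -p wa -k identity' \
    '-w /etc/shadow -p wa -k identity' \
    '-w /etc/security/opasswd -p wa -k identity' \
    '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' \
    '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' \
    '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' \
    '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale' \
    '-w /etc/issue -p wa -k system-locale' \
    '-w /etc/issue.net -p wa -k system-locale' \
    '-w /etc/hosts -p wa -k system-locale' \
    '-w /etc/sysconfig/network -p wa -k system-locale' \
    '-w /var/log/lastlog -p wa -k logins' \
    '-w /var/run/faillock/ -p wa -k logins' \
    '-w /var/log/sudo.log -p wa -k actions' \
    '-w /etc/selinux/ -p wa -k MAC-policy' \
    '-e 2'
}

#######################################
# A hard core-dump limit prevents users from raising the soft limit.
#######################################
disable_core_dumps() {
  append_once /etc/security/limits.conf '* hard core 0'
}

#######################################
# Persist the kernel parameters in /etc/sysctl.conf and apply them live.
#   secure_redirects=0  ignore ICMP redirects even from known gateways, which
#                       may themselves be compromised
#   send_redirects=0    do not emit ICMP redirects that could corrupt other
#                       hosts' routing
#   accept_ra=0         do not accept IPv6 router advertisements
#   fs.suid_dumpable=0  no core dumps from setuid programs
#   ip_forward=0        persisted only; the original left the live change
#                       commented out ("ipv4 is not redirecting"), so it is
#                       not applied here either
#######################################
configure_sysctl() {
  local key
  append_once /etc/sysctl.conf \
    'net.ipv4.conf.all.secure_redirects = 0' \
    'net.ipv4.conf.default.secure_redirects = 0' \
    'net.ipv4.conf.all.send_redirects = 0' \
    'net.ipv4.conf.default.send_redirects = 0' \
    'net.ipv6.conf.all.accept_ra = 0' \
    'net.ipv6.conf.default.accept_ra = 0' \
    'fs.suid_dumpable = 0' \
    'net.ipv4.ip_forward = 0'
  for key in \
      net.ipv4.conf.all.secure_redirects \
      net.ipv4.conf.default.secure_redirects \
      net.ipv4.conf.all.send_redirects \
      net.ipv4.conf.default.send_redirects \
      net.ipv6.conf.all.accept_ra \
      net.ipv6.conf.default.accept_ra \
      fs.suid_dumpable; do
    sysctl -w "${key}=0" || warn "could not set ${key} (kernel support missing?)"
  done
  sysctl -w net.ipv4.route.flush=1 || warn 'could not flush the IPv4 route cache'
}

#######################################
# sshd settings:
#   LogLevel INFO            record login activity
#   MaxAuthTries 4           auth attempts permitted per connection
#   PermitRootLogin no       admins log in as themselves, then sudo/su
#   Banner /etc/issue.net    warn connecting users of the site policy
#   PermitUserEnvironment no users cannot set env vars through sshd
#   Protocol 2               SSH2 only (ignored by newer OpenSSH)
#   IgnoreRhosts yes         no .rhosts trust
#   PermitEmptyPasswords no  no remote shell for empty-password accounts
#   LoginGraceTime 60        seconds allowed to complete authentication
#   HostbasedAuthentication no
#   ClientAliveInterval/CountMax  idle-session timeout
#   X11Forwarding no         unless there is an operational requirement
#   MACs ...                 restrict MAC algorithms
# The configuration is validated with "sshd -t" afterwards; a failing config
# would prevent sshd from restarting.
#######################################
configure_sshd() {
  set_sshd_option LogLevel INFO
  set_sshd_option MaxAuthTries 4
  set_sshd_option PermitRootLogin no
  set_sshd_option Banner /etc/issue.net
  set_sshd_option PermitUserEnvironment no
  set_sshd_option Protocol 2
  set_sshd_option IgnoreRhosts yes
  set_sshd_option PermitEmptyPasswords no
  set_sshd_option LoginGraceTime 60
  set_sshd_option HostbasedAuthentication no
  set_sshd_option ClientAliveInterval 300
  set_sshd_option ClientAliveCountMax 0
  set_sshd_option X11Forwarding no
  set_sshd_option MACs 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
  if ! sshd -t; then
    warn "${SSHD_CONFIG} failed validation; fix it before restarting sshd"
  fi
}

#######################################
# New accounts are disabled after 30 days of password inactivity.
#######################################
set_inactive_account_lock() {
  useradd -D -f 30 || warn 'could not set the default inactivity period'
}

#######################################
# "install <module> /bin/true" makes modprobe a no-op for these uncommon
# filesystem modules. See the shared sheet for the rationale per module.
#######################################
disable_uncommon_filesystems() {
  append_once /etc/modprobe.d/CIS.conf \
    'install squashfs /bin/true' \
    'install cramfs /bin/true' \
    'install hfsplus /bin/true' \
    'install udf /bin/true' \
    'install freevxfs /bin/true'
}

#######################################
# With the deny files removed and empty allow files present, only users
# listed in /etc/cron.allow and /etc/at.allow may use cron and at.
#######################################
configure_cron_access() {
  rm -f -- /etc/cron.deny /etc/at.deny
  touch /etc/cron.allow /etc/at.allow
  chown root:root /etc/cron.allow /etc/at.allow /etc/cron.d /etc/cron.weekly /etc/cron.hourly
  chmod og-rwx /etc/cron.allow /etc/at.allow /etc/cron.d /etc/cron.weekly /etc/cron.hourly
}

#######################################
# Schedule a daily AIDE integrity check in root's crontab (added once).
#######################################
schedule_aide_check() {
  local entry='0 5 * * * /usr/sbin/aide --check'
  local current
  # A missing crontab makes "crontab -l" fail; that is not an error here.
  current=$(crontab -l 2>/dev/null || true)
  if grep -qxF -- "$entry" <<<"$current"; then
    return 0
  fi
  {
    [[ -n "$current" ]] && printf '%s\n' "$current"
    printf '%s\n' "$entry"
  } | crontab - || warn 'could not install the AIDE crontab entry'
}

#######################################
# Remember the last 5 passwords so they cannot be reused. The option is added
# to the existing "password sufficient pam_unix.so" line: on a stock RHEL
# stack that line is followed by "password required pam_deny.so", so a new
# pam_unix line appended at the end of the file is never consulted.
# NOTE(review): authconfig can regenerate these files and drop the edit —
# confirm how this host manages PAM.
#######################################
configure_password_history() {
  local f
  for f in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
    if grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so' "$f"; then
      sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=5/}' "$f"
    else
      warn "no 'password sufficient pam_unix.so' line in ${f}; password history not configured"
    fi
  done
}

#######################################
# Permissions applied to log files rsyslog creates.
#######################################
configure_rsyslog_file_mode() {
  append_once /etc/rsyslog.conf '$FileCreateMode 0640'
}

#######################################
# Use the targeted SELinux policy. The existing SELINUXTYPE line is replaced
# rather than duplicated.
#######################################
configure_selinux_policy() {
  if grep -q '^SELINUXTYPE=' /etc/selinux/config; then
    sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' /etc/selinux/config
  else
    append_once /etc/selinux/config 'SELINUXTYPE=targeted'
  fi
}

#######################################
# Install AIDE and take the baseline snapshot (mtimes, permissions, hashes)
# that later checks are compared against. Re-running replaces the baseline.
#######################################
install_aide() {
  yum install -y aide || die 'could not install aide'
  aide --init || die 'aide --init failed'
  mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz \
    || die 'could not move the new AIDE database into place'
}

#######################################
# Boot with audit=1 so processes that start before auditd are audited. The
# parameter is appended to the existing GRUB_CMDLINE_LINUX value (added once)
# instead of replacing the whole line, which would drop crashkernel/console
# settings. grub.cfg is written with -o so the existing file is kept intact
# if generation fails.
# NOTE(review): /boot/grub2/grub.cfg is the BIOS path; UEFI hosts use a
# different location — confirm for this fleet.
#######################################
enable_boot_audit() {
  if grep -q '^GRUB_CMDLINE_LINUX=' "$GRUB_DEFAULT"; then
    sed -i '/^GRUB_CMDLINE_LINUX=/{/audit=1/!s/"$/ audit=1"/}' "$GRUB_DEFAULT"
  else
    append_once "$GRUB_DEFAULT" 'GRUB_CMDLINE_LINUX="audit=1"'
  fi
  grub2-mkconfig -o "$GRUB_CFG" || die 'grub2-mkconfig failed; grub.cfg left unchanged'
}

main() {
  (( EUID == 0 )) || die 'this script must run as root'
  restrict_log_permissions
  set_shell_timeout
  configure_audit_rules
  disable_core_dumps
  configure_sysctl
  configure_sshd
  set_inactive_account_lock
  disable_uncommon_filesystems
  configure_cron_access
  schedule_aide_check
  configure_password_history
  configure_rsyslog_file_mode
  configure_selinux_policy
  install_aide
  enable_boot_audit
}

main "$@"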