CentOS 8 System Hardening Script (CIS/Partial)
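#!/bin/sh
# CentOS 8 Hardening Script (CIS Benchmark Partial)
#
# Applies or reports a subset of the CIS CentOS/RHEL 8 benchmark. Every
# section writes under /etc or drives dnf/systemctl, so the script has to
# run as root; without this guard each step fails silently and the status
# line still reads "[OK]". The shebang has to be the very first line of the
# file (in the original it followed a comment line, which makes it inert).
# Changes are applied immediately and nothing is backed up - read each
# section before running this on a production host.
if [ "$(/bin/id -u)" -ne 0 ]; then
  /bin/echo '[!] This script must be run as root.' >&2
  exit 1
fi
### FILESYSTEMS
# Keep rarely needed filesystem modules from being loaded. "install <mod>
# /bin/true" makes modprobe run /bin/true instead of loading the module; it
# does not unload a module that is already loaded (check lsmod, then
# "modprobe -r <mod>" or reboot). usb-storage blocks USB mass-storage
# devices only (not keyboards/mice); squashfs is needed by snapd if snaps
# are in use on the host. Each write is checked so a read-only or missing
# /etc/modprobe.d is reported instead of being hidden behind "[OK]".
/bin/echo -n '[*] Disabling unneeded filesystems... '
fs_failed=0
for fs_mod in cramfs squashfs udf usb-storage iscsi_tcp; do
  if ! /bin/echo "install ${fs_mod} /bin/true" > "/etc/modprobe.d/${fs_mod}.conf"; then
    fs_failed=1
    /bin/echo "[!] Could not write /etc/modprobe.d/${fs_mod}.conf"
  fi
done
#/bin/echo 'install libiscsi /bin/true' >> /etc/modprobe.d/iscsi_tcp.conf
#/bin/echo 'install libiscsi_tcp /bin/true' >> /etc/modprobe.d/iscsi_tcp.conf
#/bin/echo 'shmfs /dev/shm tmpfs defaults,nosuid,nodev,noexec,size=128M 0 0' >> /etc/fstab
if [ "${fs_failed}" -eq 0 ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
fi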
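### STICKY BIT ON R/W DIRECTORIES
# Every world-writable directory must carry the sticky bit, otherwise any
# user can delete or rename other users' files inside it. This step only
# reports: a world-writable directory without +t usually points at a
# misconfigured application, so the admin decides between "chmod a+t" and
# tightening the permissions. Candidates come from df's mount points (-P:
# one line per filesystem, --local: skip network mounts) and find stays on
# each filesystem with -xdev. The findings are captured so the status line
# can say [FAIL] - the original printed [OK] right after listing offenders.
# NOTE: df/awk split on whitespace, so mount points with spaces are skipped.
/bin/echo -n '[*] Checking sticky bit(s) on world writeable directories... '
sticky_missing=$(/bin/df --local -P | /bin/awk '{if (NR!=1) print $6}' \
  | /bin/xargs -I '{}' /bin/find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \))
if [ -n "${sticky_missing}" ]; then
  /bin/echo '[FAIL]'
  /bin/echo "${sticky_missing}"
  /bin/echo '[*] The above directories must have the sticky bit set (e,g. chmod a+t).'
else
  /bin/echo '[OK]'
fi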
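### AUTOFS
# Automounting lets any user bring removable media into the filesystem
# namespace; the service is disabled and stopped. Both "enabled" (starts on
# boot) and "active" (running right now) are probed, since either one is
# enough to fail the control. Probe output is sent to /dev/null - the
# original let is-enabled print "enabled" into the middle of the status
# line. Note that is-enabled also exits 0 for static/indirect units.
/bin/echo -n '[*] Disabling autofs... '
if /bin/systemctl is-enabled autofs > /dev/null 2>&1 \
   || /bin/systemctl is-active autofs > /dev/null 2>&1; then
  /bin/echo '[*] Disabling automounting service...'
  /bin/systemctl --now disable autofs
  /bin/echo '[DISABLED]'
else
  /bin/echo '[OK]'
fi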
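### FPRINTD
# Fingerprint authentication has no place on a server; remove the package.
# Presence is decided with rpm, like every other package check in this
# script. The original keyed on "systemctl status" exit code 4 ("no such
# unit") and let the full status output spill onto the console.
/bin/echo -n '[*] Disabling fprintd... '
if /bin/rpm -q fprintd > /dev/null 2>&1; then
  /bin/echo '[*] Removing fprintd service...'
  /bin/dnf remove -y fprintd
  /bin/echo '[DISABLED]'
else
  /bin/echo '[OK]'
fi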
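### PGP PACKAGES SIGNATURES
# Package signature verification must not be bypassable: gpgcheck=1 has to
# be set globally in /etc/dnf/dnf.conf and must not be overridden (or
# omitted) in an enabled repo stanza. The awk script uses "[" as the
# record separator so one record is one repo stanza, and prints the stanza
# name when it is enabled but lacks gpgcheck=1; stanzas that omit the key
# inherit the dnf.conf value and are flagged conservatively.
# awk exits 0 whether or not it printed anything, so the findings are
# captured instead of testing $? - the original's warning branch could
# never be reached.
/bin/echo -n '[*] Verifying package signature checks... '
gpg_findings=$(/bin/awk -v 'RS=[' -F '\n' '/\n\s*enabled\s*=\s*1(\W.*)?$/ && !/\n\s*gpgcheck\s*=\s*1(\W.*)?$/ { t=substr($1, 1, index($1, "]")-1); print t,"does not have gpgcheck enabled." }' /etc/yum.repos.d/*.repo 2>/dev/null)
if ! /bin/grep -qsE '^\s*gpgcheck\s*=\s*1\b' /etc/dnf/dnf.conf; then
  gpg_findings="/etc/dnf/dnf.conf does not set gpgcheck=1.
${gpg_findings}"
fi
if [ -n "${gpg_findings}" ]; then
  /bin/echo '[WARNING]'
  /bin/echo "${gpg_findings}"
  /bin/echo '[!] GPG signatures checks are not enabled for all repositories!'
else
  /bin/echo '[OK]'
fi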
### SUDO
# sudo is the audited privilege-escalation path; make sure the package is
# present and install it when rpm reports it missing.
/bin/echo -n '[*] Verifying sudo installation... '
if /bin/rpm -q sudo > /dev/null 2>&1; then
  /bin/echo '[OK]'
else
  /bin/echo '[WARNING]'
  /bin/echo '[!] sudo is not installed!'
  /bin/dnf install -y sudo
fi
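# "Defaults use_pty" runs every sudo command in its own pseudo-terminal, so
# a malicious command cannot leave a background process attached to the
# invoking terminal after sudo exits. The audit covers /etc/sudoers and
# /etc/sudoers.d/* (the original read only /etc/sudoers, so a directive in a
# drop-in was reported missing and appended again on every run).
# Remediation is written to a drop-in and validated with "visudo -cf"
# before it is kept: a syntax error in sudoers locks everybody out of sudo.
# Drop-ins only apply if /etc/sudoers includes the directory, which the
# stock CentOS file does; a warning is printed if that line is missing.
/bin/echo -n '[*] Checking sudo uses pty only... '
if /bin/grep -qsEi '^\s*Defaults\s+([^#]\S+,\s*)?use_pty\b' /etc/sudoers /etc/sudoers.d/*; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  sudo_dropin=/etc/sudoers.d/10-use_pty
  /bin/echo "[!] Adding use_pty to ${sudo_dropin}."
  /bin/echo 'Defaults use_pty' > "${sudo_dropin}"
  /bin/chmod 0440 "${sudo_dropin}"
  if ! /sbin/visudo -cf "${sudo_dropin}" > /dev/null 2>&1; then
    /bin/echo "[!] ${sudo_dropin} failed visudo validation, removing it."
    /bin/rm -f "${sudo_dropin}"
  fi
  if ! /bin/grep -qE '^\s*[#@]includedir\s+/etc/sudoers\.d\b' /etc/sudoers; then
    /bin/echo '[!] /etc/sudoers does not include /etc/sudoers.d; the drop-in will be ignored.'
  fi
fi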
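# A dedicated sudo log file gives a tamper-evident record of privileged
# commands that is easier to ship and audit than syslog alone. Both
# /etc/sudoers and /etc/sudoers.d/* are searched (the original only read
# /etc/sudoers). The fix goes into a validated drop-in rather than being
# appended to /etc/sudoers, where an unchecked edit can break sudo entirely.
/bin/echo -n '[*] Checking sudo has dedicated log file... '
if /bin/grep -qsEi '^\s*Defaults\s+([^#;]+,\s*)?logfile\s*=\s*(")?[^#;]+(")?' /etc/sudoers /etc/sudoers.d/*; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  sudo_log_dropin=/etc/sudoers.d/10-logfile
  /bin/echo "[!] Enabling dedicated sudo logging in ${sudo_log_dropin}."
  /bin/echo 'Defaults logfile="/var/log/sudo.log"' > "${sudo_log_dropin}"
  /bin/chmod 0440 "${sudo_log_dropin}"
  if ! /sbin/visudo -cf "${sudo_log_dropin}" > /dev/null 2>&1; then
    /bin/echo "[!] ${sudo_log_dropin} failed visudo validation, removing it."
    /bin/rm -f "${sudo_log_dropin}"
  fi
  if ! /bin/grep -qE '^\s*[#@]includedir\s+/etc/sudoers\.d\b' /etc/sudoers; then
    /bin/echo '[!] /etc/sudoers does not include /etc/sudoers.d; the drop-in will be ignored.'
  fi
fi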
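### AIDE
# File-integrity baseline. Installation and database initialization are
# handled separately: the database is built whenever it is missing, not
# only right after a fresh install (the original skipped initialization on
# a host where aide was installed but never initialized). aide --init
# writes aide.db.new.gz, which is moved into place and made read-only.
# NOTE: a baseline that lives only on the monitored host can be replaced
# by anyone who gains root; copy aide.db.gz (and its hash) somewhere
# off-box that the host cannot write to.
/bin/echo -n '[*] Checking if AIDE is installed... '
if /bin/rpm -q aide > /dev/null 2>&1; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Installing AIDE...'
  /bin/dnf install -y aide
fi
if [ ! -f /var/lib/aide/aide.db.gz ]; then
  /bin/echo '[*] Initializing AIDE database... '
  /sbin/aide --init
  if [ -f /var/lib/aide/aide.db.new.gz ]; then
    /bin/mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    /bin/chmod 400 /var/lib/aide/aide.db.gz
    /bin/echo '[OK]'
  else
    /bin/echo '[FAIL]'
    /bin/echo '[!] aide --init did not produce /var/lib/aide/aide.db.new.gz.'
  fi
fi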
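# Run the integrity check daily from a systemd timer. The timer, not the
# service, is what makes the check periodic, so the timer's enablement is
# what is audited. Unit files are written with ">" rather than appended:
# re-running after a partial failure must not leave duplicated sections.
# Type=oneshot fits a run-to-completion command - the unit stays in
# "activating" until aide exits and a non-zero exit (aide signals detected
# changes that way) shows up as a failed run in the journal, where it can
# be alerted on. Enabling the service as well keeps the original behaviour
# of a check at boot.
/bin/echo -n '[*] Checking if filesystem integrity checks are automated... '
if /bin/systemctl is-enabled aidecheck.timer > /dev/null 2>&1; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Scheduling filesystem integrity checks...'
  /bin/cat <<EOT > /etc/systemd/system/aidecheck.service
[Unit]
Description=Aide Filesystem Integrity Check
[Service]
Type=oneshot
ExecStart=/usr/sbin/aide --check
[Install]
WantedBy=multi-user.target
EOT
  /bin/cat <<EOT > /etc/systemd/system/aidecheck.timer
[Unit]
Description=Aide check every day at 5AM
[Timer]
OnCalendar=*-*-* 05:00:00
Unit=aidecheck.service
[Install]
WantedBy=multi-user.target
EOT
  /bin/chown root:root /etc/systemd/system/aidecheck.*
  /bin/chmod 0644 /etc/systemd/system/aidecheck.*
  /bin/systemctl daemon-reload
  /bin/systemctl enable aidecheck.service
  /bin/systemctl --now enable aidecheck.timer
  /bin/echo '[SCHEDULED]'
fi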
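### CORE DUMP
# Core dumps of privileged or setuid processes can write secrets (keys,
# password hashes, session tokens) to disk. Three independent layers are
# audited and fixed on their own - the original gated all of them on the
# limits.conf line alone: the hard ulimit (limits.d is searched too, as
# pam_limits reads it), fs.suid_dumpable (runtime and persistent), and
# systemd-coredump. The systemd keys go into a coredump.conf.d drop-in
# with an explicit [Coredump] header; bare keys appended to coredump.conf
# only take effect if they happen to land under that section.
/bin/echo -n '[*] Verifying core dump configuration... '
core_fail=0
if ! /bin/grep -qsE '^\s*\*\s+hard\s+core' /etc/security/limits.conf /etc/security/limits.d/*; then
  core_fail=1
  /bin/echo '* hard core 0' >> /etc/security/limits.conf
fi
if [ "$(/sbin/sysctl -n fs.suid_dumpable 2>/dev/null)" != "0" ] \
   || ! /bin/grep -qsE '^\s*fs\.suid_dumpable\s*=\s*0' /etc/sysctl.conf /etc/sysctl.d/*.conf; then
  core_fail=1
  /bin/echo 'fs.suid_dumpable = 0' > /etc/sysctl.d/90-coredump.conf
  /sbin/sysctl -w fs.suid_dumpable=0 > /dev/null 2>&1
fi
if ! /bin/grep -qsE '^\s*Storage\s*=\s*none' /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf; then
  core_fail=1
  /bin/mkdir -p /etc/systemd/coredump.conf.d
  /bin/printf '[Coredump]\nStorage=none\nProcessSizeMax=0\n' > /etc/systemd/coredump.conf.d/90-disable.conf
  /bin/systemctl daemon-reload
fi
if [ "${core_fail}" -eq 0 ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Disabling/Limiting core dumps... [DISABLED]'
fi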
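### NX/XD Support
# The no-execute bit must be honored so stack and heap pages cannot be
# executed. The kernel logs "NX (Execute Disable) protection: active" at
# boot; only kernel messages are searched (-k) and the "nx" CPU flag in
# /proc/cpuinfo is accepted as a fallback, because the boot log may have
# rotated away on a long-running host (the original grepped the whole
# journal and had no fallback). This step only reports: NX is a CPU and
# firmware feature (it can be turned off in BIOS/UEFI or with the
# noexec=off kernel parameter), not something the script can switch on.
/bin/echo -n '[*] Checking NX/XD Bit Support... '
if /bin/journalctl -k 2>/dev/null | /bin/grep -q 'protection: active' \
   || /bin/grep -qw nx /proc/cpuinfo; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] The processor(s) has not NX/XD support.'
fi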
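### ASLR Support
# kernel.randomize_va_space must be 2 (randomize stack, mmap base, VDSO and
# brk). The value is read with "sysctl -n" and compared exactly; the
# original grepped the whole "key = value" line for the digit 2. The
# runtime fix uses /sbin/sysctl, the same path the core-dump section uses:
# on CentOS 8 procps-ng installs sysctl under /usr/sbin, so the original
# /bin/sysctl call never resolved and only the persistent file was written.
/bin/echo -n '[*] Checking ASLR Support... '
if [ "$(/sbin/sysctl -n kernel.randomize_va_space 2>/dev/null)" = "2" ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Address Space Layout Randomization is not enabled.'
  /bin/echo -n 'Enabling ASLR... '
  /bin/echo 'kernel.randomize_va_space = 2' > /etc/sysctl.d/91-aslr.conf
  /sbin/sysctl -w kernel.randomize_va_space=2 > /dev/null 2>&1
  /bin/echo '[OK]'
fi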
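### PRELINK
# prelink rewrites binaries and shared libraries in place, which defeats
# AIDE hashes and "rpm -V". Before the package is removed, "prelink -ua"
# undoes those modifications so the on-disk files are back to their
# packaged state; removing the package alone leaves prelinked files behind.
/bin/echo -n '[*] Ensure Prelink is disabled... '
if /bin/rpm -q prelink > /dev/null 2>&1; then
  /bin/echo '[FAIL]'
  /bin/echo '[!] Prelink is activated.'
  /bin/echo -n 'Restoring prelinked binaries and removing prelink... '
  /usr/sbin/prelink -ua > /dev/null 2>&1
  /bin/dnf remove prelink -y > /dev/null 2>&1
  /bin/echo '[OK]'
else
  /bin/echo '[OK]'
fi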
### SELinux
# libselinux is the userspace side of SELinux; install it if rpm says it is
# missing. NOTE(review): the policy itself (selinux-policy-targeted) is
# what the kernel enforces and is assumed present on a stock install - this
# check does not cover it.
/bin/echo -n '[*] Ensure SELinux is installed... '
if /bin/rpm -q libselinux > /dev/null 2>&1; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo -n '[!] Installing SELinux... '
  /bin/dnf install libselinux -y > /dev/null 2>&1
  /bin/echo '[OK]'
fi
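# "selinux=0" or "enforcing=0" on the kernel command line overrides
# /etc/selinux/config. The original pipeline could never fail: its first
# grep ran with -q and printed nothing, so the second grep never saw any
# input. On CentOS 8 the kernel options live in the BLS entries
# (/boot/loader/entries/*.conf) and in GRUB_CMDLINE_LINUX / the grubenv
# "kernelopts" line, and EFI and BIOS installs keep grub.cfg in different
# places, so every candidate that exists is scanned along with the running
# kernel's command line. Remediation on CentOS 8 is
# grubby --update-kernel=ALL --remove-args="selinux=0 enforcing=0"
# (and fixing /etc/default/grub so grub2-mkconfig does not re-add them).
/bin/echo -n '[*] Verifying SELinux is not deactivated at boot time... '
selinux_boot_hits=''
for boot_cfg in /proc/cmdline /etc/default/grub /boot/grub2/grubenv \
    /boot/efi/EFI/centos/grubenv /boot/grub2/grub.cfg \
    /boot/efi/EFI/centos/grub.cfg /boot/loader/entries/*.conf; do
  [ -f "${boot_cfg}" ] || continue
  if /bin/grep -qwE 'selinux=0|enforcing=0' "${boot_cfg}"; then
    selinux_boot_hits="${selinux_boot_hits} ${boot_cfg}"
  fi
done
if [ -n "${selinux_boot_hits}" ]; then
  /bin/echo '[FAIL]'
  /bin/echo "[!] SELinux is disabled on the kernel command line in:${selinux_boot_hits}"
  /bin/echo '[!] Please remove "selinux" or "enforcing" statements of grub.conf.'
else
  /bin/echo '[OK]'
fi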
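# Two states matter: the running mode (getenforce) and the mode configured
# for the next boot (/etc/selinux/config). "setenforce 1" only changes the
# former, so the persistent setting is audited as well - the original only
# looked at the running mode. Neither is fixed automatically: moving from
# disabled to enforcing needs a reboot and usually a full relabel
# (touch /.autorelabel), which must be scheduled rather than done blindly.
/bin/echo -n '[*] Ensure SELinux is currently in Enforcing mode... '
if /sbin/getenforce 2>/dev/null | /bin/grep -q Enforcing; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Please activate SELinux using the "/sbin/setenforce 1" command.'
fi
/bin/echo -n '[*] Ensure SELinux is configured Enforcing for the next boot... '
if /bin/grep -qsE '^\s*SELINUX\s*=\s*enforcing\b' /etc/selinux/config; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Please set SELINUX=enforcing in /etc/selinux/config (a reboot and relabel may be needed).'
fi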
# Processes running as unconfined_service_t are not constrained by the
# targeted policy; list them so the admin can write or install a policy
# module. Any grep status other than 1 ("no match") is treated as a
# failure, exactly like the original.
/bin/echo -n '[*] Ensure no unconfined processes exists... '
/bin/ps -eZ | /bin/grep -q unconfined_service_t
unconfined_rc=$?
if [ "${unconfined_rc}" -eq 1 ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo '[!] Unconfined processes detected:'
  /bin/ps -eZ | /bin/grep unconfined_service_t
fi
# setroubleshoot is a desktop helper that surfaces denials; it is not
# wanted on a hardened server. rpm exit 1 means "not installed"; any other
# status is treated as installed, as in the original.
/bin/echo -n '[*] Verifying setroubleshoot is not installed... '
/bin/rpm -q setroubleshoot > /dev/null 2>&1
setroubleshoot_rc=$?
if [ "${setroubleshoot_rc}" -eq 1 ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo -n '[!] setroubleshoot is installed, removing... '
  /bin/dnf remove setroubleshoot -y > /dev/null 2>&1
  /bin/echo '[REMOVED]'
fi
# mcstrans translates MCS/MLS labels for display and adds an unneeded
# daemon; remove it. rpm exit 1 means "not installed"; any other status is
# treated as installed, as in the original.
/bin/echo -n '[*] Verifying mcstrans is not installed... '
/bin/rpm -q mcstrans > /dev/null 2>&1
mcstrans_rc=$?
if [ "${mcstrans_rc}" -eq 1 ]; then
  /bin/echo '[OK]'
else
  /bin/echo '[FAIL]'
  /bin/echo -n '[!] mcstrans is installed, removing... '
  /bin/dnf remove mcstrans -y > /dev/null 2>&1
  /bin/echo '[REMOVED]'
fi