BIG-IP Bash config
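#!/bin/sh
# The shebang has to be the first line of the file to be honoured by the kernel;
# in the original it sat below the header block.
################################################
## BashSRG - Bash STIG/SRG configuration Script
## Michael Coleman. M.Coleman@F5.com
## Modified by r.eastman@f5.com
## Modified by m.menger@f5.com July 6, 2020 - removed/commented gov requirements
##
## Hardens the BIG-IP management plane through tmsh: sshd and httpd
## settings, default SNMP community removal, daemon logging, and the
## httpd mitigation for CVE-2020-5902. Then saves the config and restarts
## httpd. Run as root on the BIG-IP itself. Every tmsh call is best-effort:
## a failing step prints tmsh's error and the script carries on.
################################################
###change 1
echo
echo "###############################################"
echo " BASHSRG - Bash STIG/SRG Configuration Script"
echo " Michael Coleman. M.Coleman@F5.com. Modified by r.eastman@f5.com on March 5, 2019"
echo "###############################################"

# --- sshd ---------------------------------------------------------------
tmsh modify sys sshd inactivity-timeout 900
# Extra sshd_config directives are passed through the sshd 'include'
# property as one quoted multi-line string (same pattern as the httpd
# include further down). The opening 'include '"' was missing in the
# original, which turned the directives into stray shell commands and
# left an unterminated quote that swallowed the rest of the script.
# NOTE(review): aes*-cbc ciphers and the hmac-sha1 / hmac-ripemd160 MACs are
# legacy choices; check them against current policy before deploying.
tmsh modify sys sshd include '"
MaxAuthTries 3
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc
MACs hmac-sha1,hmac-ripemd160
LoginGraceTime 60
MaxStartups 5"'

# --- httpd (management GUI) ---------------------------------------------
tmsh modify sys httpd auth-pam-dashboard-timeout on
# Low concurrency limit for the management UI; raise if admins get locked out.
tmsh modify sys httpd max-clients 10
tmsh modify sys httpd auth-pam-idle-timeout 900
tmsh modify sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!EXPORT:!EXP:!ADH:!DES:!RC4:!RSA:!LOW:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE'
# NOTE(review): this disables SSLv2/SSLv3/TLSv1 only; TLSv1.1 stays enabled.
tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3 -TLSv1'
tmsh modify sys httpd redirect-http-to-https enabled

# --- snmp / logging ------------------------------------------------------
# Remove the well-known default read community. Fails harmlessly if it is
# already gone.
tmsh modify sys snmp communities delete { comm-public }
tmsh modify sys daemon-log-settings tmm os-log-level informational
tmsh modify sys daemon-log-settings tmm ssl-log-level informational
tmsh modify sys daemon-log-settings mcpd audit enabled
tmsh modify sys daemon-log-settings mcpd log-level notice

# --- password policy (government requirements, intentionally disabled) ----
#tmsh modify auth password-policy expiration-warning 7
#tmsh modify auth password-policy max-duration 90
#tmsh modify auth password-policy max-login-failures 3
#tmsh modify auth password-policy min-duration 1
#tmsh modify auth password-policy minimum-length 8
#tmsh modify auth password-policy password-memory 3
#tmsh modify auth password-policy policy-enforcement enabled
#tmsh modify auth password-policy required-lowercase 2
#tmsh modify auth password-policy required-numeric 2
#tmsh modify auth password-policy required-special 2
#tmsh modify auth password-policy required-uppercase 2

# --- httpd include: ETag and CVE-2020-5902 mitigation --------------------
# The outer '...' is the shell string; the inner "..." is the tmsh string.
# "\"" inside it yields a literal double quote for Apache, so Apache sees
#   <LocationMatch ".*\.\.;.*">
# which answers 404 to any request path containing "..;", the pattern used
# in the CVE-2020-5902 TMUI path-traversal attacks.
tmsh modify sys httpd include '"
# File ETAG CVE
# ETag from mtime and size only (no inode component).
FileETag MTime Size
# CVE-2020-5902
<LocationMatch "\"".*\.\.;.*"\"">
Redirect 404 /
</LocationMatch>"'

tmsh save sys config
# Restart so the new httpd include takes effect; the web UI is briefly unavailable.
bigstart restart httpd

# --- site-specific settings: fill in real values before enabling ---------
#tmsh modify sys dns name-servers add { x.x.x.x x.x.x.x }
#tmsh modify sys ntp servers add { x.x.x.x x.x.x.x }
#tmsh modify sys dns search add { demo.local demo.f5demo.local }
#tmsh modify ltm profile client-ssl clientssl ciphers HIGH:!RSA:!DES:!TLSv1:!TLSv1_1:!SSLv3:!ECDHE-RSA-AES256-CBC-SHA:@STRENGTH
#tmsh modify ltm profile server-ssl serverssl ciphers HIGH:!RSA:!DES:!TLSv1:!TLSv1_1:!SSLv3:!ECDHE-RSA-AES256-CBC-SHA:@STRENGTH
#tmsh create sys management-route ntpservers network x.x.x.x/255.255.0.0 gateway x.x.x.x
#tmsh list sys management-route
echo "Configuration Complete"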