├── .final_builds ├── jobs │ └── harden │ │ └── index.yml ├── license │ └── index.yml └── packages │ └── harden │ └── index.yml ├── .gitattributes ├── .github ├── pull_request_template.md └── workflows │ └── security-considerations.yml ├── .gitignore ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE.md ├── README.md ├── SECURITY.md ├── config ├── blobs.yml └── final.yml ├── jobs └── harden │ ├── monit │ ├── spec │ └── templates │ ├── .placeholder │ ├── bin │ └── post-deploy │ └── files │ └── etc │ ├── audit │ └── audit.rules │ ├── bash.bashrc │ ├── default │ └── grub │ ├── issue │ ├── login.defs │ ├── logrotate.conf │ ├── logrotate.d │ ├── alternatives │ ├── dpkg │ └── ubuntu-advantage-tools │ ├── modprobe.d │ └── 18Fhardened.conf │ ├── pam.d │ ├── common-auth │ ├── common-password │ ├── login │ └── su │ ├── profile │ ├── securetty │ ├── security │ ├── faillock.conf │ ├── limits.conf │ └── pwquality.conf │ ├── ssh │ └── sshd_config │ ├── sysctl.conf │ ├── systemd │ └── journald.conf │ └── update-motd.d │ └── 00-header └── releases └── fisma ├── fisma-1.yml ├── fisma-2.yml ├── fisma-3.yml └── index.yml /.final_builds/jobs/harden/index.yml: -------------------------------------------------------------------------------- 1 | --- 2 | builds: 3 | a474b662fe42cd360a3bc1ad9c9aa4624a12f347: 4 | version: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 5 | sha1: 6055417776581641549434225604e8f828f3b196 6 | blobstore_id: b08efa7c-9f3d-4313-87a1-9a294b591f55 7 | format-version: '2' 8 | -------------------------------------------------------------------------------- /.final_builds/license/index.yml: -------------------------------------------------------------------------------- 1 | --- 2 | builds: 3 | cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59: 4 | version: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 5 | sha1: b7b58bc79e86c58f7ecbe29aeab60ba14bea04f4 6 | blobstore_id: 47fd70e5-7641-4719-b853-89d1c2ef8faa 7 | format-version: '2' 8 | 
-------------------------------------------------------------------------------- /.final_builds/packages/harden/index.yml: -------------------------------------------------------------------------------- 1 | --- 2 | builds: 3 | e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c: 4 | version: e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c 5 | sha1: 5d5ffb0e35c58473654a0241bc7116da77b637b4 6 | blobstore_id: 518671a9-5bc4-43a7-ade4-f0f8dd751626 7 | format-version: '2' 8 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | config/*.yml -whitespace 2 | releases/*.yml -whitespace 3 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ## Changes proposed in this pull request: 2 | - 3 | - 4 | - 5 | 6 | ## security considerations 7 | [Note any security considerations here, or make note of why there are none] 8 | -------------------------------------------------------------------------------- /.github/workflows/security-considerations.yml: -------------------------------------------------------------------------------- 1 | name: Security Considerations 2 | 3 | on: 4 | pull_request: 5 | types: [opened, edited, reopened] 6 | branches: [main, master, develop] 7 | 8 | jobs: 9 | security-considerations: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: cloud-gov/security-considerations-action@main 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | config/dev.yml 2 | config/private.yml 3 | releases/*.tgz 4 | dev_releases 5 | blobs 6 | .blobs 7 | .dev_builds 8 | .idea 9 | .final_builds/jobs/**/*.tgz 10 | .final_builds/packages/**/*.tgz 11 | credentials.yml 12 | 
-------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @cloud-gov/platform-ops 2 | 3 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Welcome! 2 | 3 | We're so glad you're thinking about contributing to an 18F open source project! If you're unsure or afraid of anything, just ask or submit the issue or pull request anyways. The worst that can happen is that you'll be politely asked to change something. We appreciate any sort of contribution, and don't want a wall of rules to get in the way of that. 4 | 5 | Before contributing, we encourage you to read our CONTRIBUTING policy (you are here), our LICENSE, and our README, all of which should be in this repository. If you have any questions, or want to read more about our underlying policies, you can consult the 18F Open Source Policy GitHub repository at https://github.com/18f/open-source-policy, or just shoot us an email/official government letterhead note to [18f@gsa.gov](mailto:18f@gsa.gov). 6 | 7 | ## Public domain 8 | 9 | This project is in the public domain within the United States, and 10 | copyright and related rights in the work worldwide are waived through 11 | the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/). 12 | 13 | All contributions to this project will be released under the CC0 14 | dedication. By submitting a pull request, you are agreeing to comply 15 | with this waiver of copyright interest. 16 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | As a work of the United States Government, this project is in the 2 | public domain within the United States. 
3 | 4 | Additionally, we waive copyright and related rights in the work 5 | worldwide through the CC0 1.0 Universal public domain dedication. 6 | 7 | ## CC0 1.0 Universal Summary 8 | 9 | This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode). 10 | 11 | ### No Copyright 12 | 13 | The person who associated a work with this deed has dedicated the work to 14 | the public domain by waiving all of his or her rights to the work worldwide 15 | under copyright law, including all related and neighboring rights, to the 16 | extent allowed by law. 17 | 18 | You can copy, modify, distribute and perform the work, even for commercial 19 | purposes, all without asking permission. 20 | 21 | ### Other Information 22 | 23 | In no way are the patent or trademark rights of any person affected by CC0, 24 | nor are the rights that other persons may have in the work or in how the 25 | work is used, such as publicity or privacy rights. 26 | 27 | Unless expressly stated otherwise, the person who associated a work with 28 | this deed makes no warranties about the work, and disclaims liability for 29 | all uses of the work, to the fullest extent permitted by applicable law. 30 | When using or citing the work, you should not imply endorsement by the 31 | author or the affirmer. 32 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # System Hardening BOSH Release 2 | 3 | [BOSH Release](http://bosh.io/docs/release.html) to run hardening tasks in a system, for use with [cloud.gov](https://cloud.gov). 
4 | 5 | ## See also 6 | 7 | * [The FISMA Ready Ubuntu machine image](https://github.com/fisma-ready/ubuntu-lts) 8 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | **Reporting Security Issues** 3 | 4 | Please refrain from reporting security vulnerabilities through public GitHub issues. 5 | 6 | Instead, kindly report them via the information provided in [cloud.gov's security.txt](https://cloud.gov/.well-known/security.txt). 7 | 8 | When reporting, include the following details (as much as possible) to help us understand the nature and extent of the potential issue: 9 | 10 | - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) 11 | - Full paths of related source file(s) 12 | - Location of affected source code (tag/branch/commit or direct URL) 13 | - Any special configuration required to reproduce the issue 14 | - Step-by-step instructions to reproduce the issue 15 | - Proof-of-concept or exploit code (if available) 16 | - Impact of the issue, including potential exploitation by attackers 17 | 18 | Providing this information will facilitate a quicker triage of your report. 
19 | -------------------------------------------------------------------------------- /config/blobs.yml: -------------------------------------------------------------------------------- 1 | --- {} 2 | -------------------------------------------------------------------------------- /config/final.yml: -------------------------------------------------------------------------------- 1 | --- 2 | blobstore: 3 | provider: s3 4 | options: 5 | bucket_name: 18f-boshrelease-blob 6 | 7 | final_name: fisma-jammy -------------------------------------------------------------------------------- /jobs/harden/monit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloud-gov/harden-boshrelease/b279bc1d02353cc30f30cd5c7fcf210a32541c04/jobs/harden/monit -------------------------------------------------------------------------------- /jobs/harden/spec: -------------------------------------------------------------------------------- 1 | --- 2 | name: harden 3 | templates: 4 | .placeholder: .placeholder 5 | bin/post-deploy: bin/post-deploy 6 | files/etc/securetty: files/etc/securetty 7 | files/etc/security/limits.conf: files/etc/security/limits.conf 8 | files/etc/security/pwquality.conf: files/etc/security/pwquality.conf 9 | files/etc/security/faillock.conf: files/etc/security/faillock.conf 10 | files/etc/modprobe.d/18Fhardened.conf: files/etc/modprobe.d/18Fhardened.conf 11 | files/etc/update-motd.d/00-header: files/etc/update-motd.d/00-header 12 | files/etc/default/grub: files/etc/default/grub 13 | files/etc/pam.d/common-auth: files/etc/pam.d/common-auth 14 | files/etc/pam.d/su: files/etc/pam.d/su 15 | files/etc/pam.d/common-password: files/etc/pam.d/common-password 16 | files/etc/pam.d/login: files/etc/pam.d/login 17 | files/etc/ssh/sshd_config: files/etc/ssh/sshd_config 18 | files/etc/audit/audit.rules: files/etc/audit/audit.rules 19 | files/etc/profile: files/etc/profile 20 | files/etc/issue: files/etc/issue 21 | 
files/etc/bash.bashrc: files/etc/bash.bashrc 22 | files/etc/sysctl.conf: files/etc/sysctl.conf 23 | files/etc/login.defs: files/etc/login.defs 24 | packages: [] 25 | properties: {} 26 | -------------------------------------------------------------------------------- /jobs/harden/templates/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloud-gov/harden-boshrelease/b279bc1d02353cc30f30cd5c7fcf210a32541c04/jobs/harden/templates/.placeholder -------------------------------------------------------------------------------- /jobs/harden/templates/bin/post-deploy: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | echo "---> Starting hardening process" 5 | 6 | # cheap hack - nessus for some reason assumes it knows the absolute path 7 | # check first to make sure grep doesn't exist 8 | [[ -e /usr/bin/grep ]] || ln -s /bin/grep /usr/bin/grep 9 | 10 | cd /var/vcap/jobs/harden/files 11 | 12 | ### 13 | # /etc/modprobe.d Safe Defaults 14 | # See https://github.com/18F/ubuntu/blob/master/hardening.md 15 | ### 16 | 17 | cp etc/modprobe.d/18Fhardened.conf /etc/modprobe.d/18Fhardened.conf 18 | chmod 0644 /etc/modprobe.d/18Fhardened.conf 19 | chown root:root /etc/modprobe.d/18Fhardened.conf 20 | 21 | ### 22 | # grub changes (workaround while we work with Nessus to fix scans) 23 | ### 24 | 25 | cp etc/default/grub /etc/default/grub 26 | chmod 0600 /etc/default/grub 27 | 28 | ### 29 | # Redirect protections 30 | # See https://github.com/18F/ubuntu/blob/master/hardening.md#redirect-protections 31 | ### 32 | 33 | cp etc/sysctl.conf /etc/sysctl.conf 34 | chmod 0644 /etc/sysctl.conf 35 | chown root:root /etc/sysctl.conf 36 | 37 | IPV4_SETTINGS[0]="net.ipv4.conf.default.rp_filter=1" 38 | IPV4_SETTINGS[1]="net.ipv4.conf.all.rp_filter=1" 39 | IPV4_SETTINGS[2]="net.ipv4.conf.all.accept_redirects=0" 40 | 
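# Continue the IPv4 list begun above (indices 0-2); += appends in order, so an
# index typo cannot silently overwrite an earlier entry.
IPV4_SETTINGS+=(
  "net.ipv4.conf.default.accept_redirects=0"
  "net.ipv4.conf.all.secure_redirects=0"
  "net.ipv4.conf.default.secure_redirects=0"
  "net.ipv4.conf.all.send_redirects=0"
  "net.ipv4.conf.default.send_redirects=0"
  "net.ipv4.conf.all.accept_source_route=0"
  "net.ipv4.conf.default.accept_source_route=0"
  "net.ipv4.conf.all.log_martians=1"
  "net.ipv4.conf.default.log_martians=1"
  "net.ipv4.icmp_echo_ignore_broadcasts=1"
  "net.ipv4.icmp_ignore_bogus_error_responses=1"
  "net.ipv4.tcp_syncookies=1"
  "net.ipv4.route.flush=1"
)

# Written as an array literal: the previous per-index assignments gave index 6
# to both net.ipv6.conf.default.accept_redirects=0 and net.ipv6.route.flush=1,
# so the default.accept_redirects setting was never applied. The duplicate
# all.accept_redirects entry is listed once.
IPV6_SETTINGS=(
  "net.ipv6.conf.all.accept_redirects=0"
  "net.ipv6.conf.all.accept_source_route=0"
  "net.ipv6.conf.default.accept_source_route=0"
  "net.ipv6.conf.all.accept_ra=0"
  "net.ipv6.conf.default.accept_ra=0"
  "net.ipv6.conf.default.accept_redirects=0"
  "net.ipv6.route.flush=1"
)


# Keep a pristine copy of the shipped sysctl.conf so that re-running this
# script (it runs on every deploy) does not append the settings a second time.
# NOTE(review): the .orig copy is taken once and reused on later runs, so a
# changed etc/sysctl.conf template in a newer release would not be picked up
# until the .orig file is removed — confirm this is intended.
if [ ! -f /etc/sysctl.conf.orig ]; then
  cp /etc/sysctl.conf /etc/sysctl.conf.orig
  # ensure there's a \n at the end of the file
  echo "" >> /etc/sysctl.conf.orig
fi

cp /etc/sysctl.conf.orig /etc/sysctl.conf

# apply_sysctl_settings KEY=VALUE...: set each value now and persist it in
# /etc/sysctl.conf so it survives a reboot.
apply_sysctl_settings() {
  local setting
  for setting in "$@"; do
    /sbin/sysctl -w "$setting"
    echo "${setting}" >> /etc/sysctl.conf
  done
}

apply_sysctl_settings "${IPV4_SETTINGS[@]}"

# only harden ipv6 settings, if ipv6 is enabled
if [ -d /proc/sys/net/ipv6 ]; then
  apply_sysctl_settings "${IPV6_SETTINGS[@]}"
fi

# reload all sysctl settings
# error handling is disabled, ipv6 settings will auto apply if enabled
set +e
/sbin/sysctl -p /etc/sysctl.conf
set -e


###
# Audit Strategy!
# See https://github.com/18F/ubuntu/blob/master/hardening.md#audit-strategy
###

mkdir -p /etc/audit
cp etc/audit/audit.rules /etc/audit/audit.rules
# NOTE(review): where auditd loads rules through augenrules from
# /etc/audit/rules.d/, the generated audit.rules replaces this copy on the
# next rule load — confirm which loader the stemcell's auditd is configured
# with, or install the rules under rules.d as well.
chmod -R 0640 /etc/audit
chown -R root:root /etc/audit


###
# System Access, Authentication and Authorization
# See https://github.com/18F/ubuntu/blob/master/hardening.md#system-access-authentication-and-authorization
###

rm -f /etc/at.deny

CRON_FILES=(
  /etc/cron.allow
  /etc/at.allow
  /etc/crontab
  /etc/cron.hourly
  /etc/cron.daily
  /etc/cron.weekly
  /etc/cron.monthly
  /etc/cron.d
)

# NOTE(review): with set -e a missing path aborts the whole hardening run;
# cron.allow and at.allow are not created here, so confirm the stemcell
# ships them.
for file in "${CRON_FILES[@]}"; do
  chmod 0600 "$file"
  chown root:root "$file"
done


###
# Password Policy
# See https://github.com/18F/ubuntu/blob/master/hardening.md#password-policy
###

apt update
# NOTE(review): this is an upgrade, not an install — it presumes
# libpam-pwquality is already present on the stemcell; verify.
apt-get upgrade -y libpam-pwquality

cp etc/pam.d/common-password /etc/pam.d/common-password
cp etc/pam.d/common-auth /etc/pam.d/common-auth
cp etc/pam.d/login /etc/pam.d/login
cp etc/pam.d/su /etc/pam.d/su
cp etc/login.defs /etc/login.defs
cp etc/security/pwquality.conf /etc/security/pwquality.conf
cp etc/security/faillock.conf /etc/security/faillock.conf

# Every file copied above gets the same owner and mode; /etc/pam.d/su was
# copied but previously left out of this list.
PAM_FILES=(
  /etc/pam.d/common-password
  /etc/pam.d/common-auth
  /etc/pam.d/login
  /etc/pam.d/su
  /etc/login.defs
  /etc/security/pwquality.conf
  /etc/security/faillock.conf
)
chown root:root "${PAM_FILES[@]}"
chmod 0644 "${PAM_FILES[@]}"

###
# SSH Settings
# See https://github.com/18F/ubuntu/blob/master/hardening.md#ssh-settings
###

cp etc/ssh/sshd_config /etc/ssh/sshd_config
chmod 0600 /etc/ssh/sshd_config

###
# Set warning banner for login services
###

cp etc/issue /etc/issue
cp etc/issue /etc/issue.net
cp etc/update-motd.d/00-header /etc/update-motd.d/00-header
touch /etc/motd

ISSUE_FILES=(
  /etc/issue
  /etc/issue.net
  /etc/motd
  /etc/update-motd.d/00-header
)

for file in "${ISSUE_FILES[@]}"; do
  chmod 0644 "$file"
  chown root:root "$file"
done

###
# Restrict Core Dumps
###

cp etc/security/limits.conf /etc/security/limits.conf

###
# Change permissions on home directory
###

chmod 0750 /home/vcap
chmod 0750 /var/mail


###
# Ensure syslog emits at least one entry each minute
###
# The sed edits are anchored regexes, so repeating them on a later run is a
# no-op once the lines are already in the desired state.
sed -i 's/^#\($ModLoad immark\)/\1/' /etc/rsyslog.conf
sed -i 's/^\($ModLoad imuxsock\)/#\1/' /etc/rsyslog.conf
sed -i 's/^\($SystemLogSocketName\)/#\1/' /etc/rsyslog.conf
sed -i 's/^\($RepeatedMsgReduction on\)/#\1/' /etc/rsyslog.conf

# Overwritten (not appended) so the drop-in is identical on every run.
cat << 'EOF' > /etc/rsyslog.d/00-heartbeat.conf
$MarkMessagePeriod 60
$ActionWriteAllMarkmessages on

module(load="imuxsock" SysSock.IgnoreOwnMessages="off" SysSock.RateLimit.Interval="0" SysSock.Name="/run/systemd/journal/syslog")
EOF

service rsyslog restart

###
# Ensure rpcbind does not run at start (Nessus check 6.7)
###
# Best effort: the upstart file and the service may not exist on this
# stemcell, so errors here are deliberately ignored.
set +e
sed -i 's/^\(start.*\)/\#\1/' /etc/init/rpcbind-boot.conf
service rpcbind stop || true
set -e

###
# remove rsync
###

sudo apt-get -y remove rsync
sudo apt -y purge rsync

###
# remove chrony
###

# sudo apt -y purge chrony # Needed for bosh-agent to configure ntp, chronyc is hardcoded into the agent

###
# Limit logfile access
###
# Applies to directories under /var/log as well; the later find only tightens
# group/other bits and does not restore a directory's execute bit.
chmod -R 0600 /var/log/*

###
# drop in profile files to pick up umask
###
cp etc/bash.bashrc /etc/bash.bashrc
cp etc/profile /etc/profile

chown root: /etc/bash.bashrc /etc/profile
chmod 0644 /etc/bash.bashrc /etc/profile

###
# shadow
###
chown root:shadow /etc/shadow /etc/gshadow

###
# disable inactive users after 30 days
###
useradd -D -f 30

####
# enforce password settings
###

chage --mindays 1 root
chage --maxdays 90 root
chage --maxdays 90 vcap
chage --inactive 30 root
chage --inactive 30 vcap

###
# set secure consoles
###

cp etc/securetty /etc/securetty
chown root: /etc/securetty
chmod 0644 /etc/securetty

###
# clean up after systemd-timesyncd
###

# Best effort: both paths are absent once they have been cleaned up.
set +e
rm /var/lib/private/systemd/timesync/clock
rmdir /var/lib/private/systemd/timesync
set -e

###
# install tcpwrappers
###
# NOTE(review): upgrade, not install — see the libpam-pwquality note above.
apt-get upgrade -y tcpd

###
# Ensure bootloader permissions are not overridden
###
# sed -ri 's/chmods+[0-7][0-7][0-7]s+${grub_cfg}.new/chmod 400 ${grub_cfg}.new/' /usr/sbin/grub-mkconfig
# sed -ri 's/ && ! grep '^password' ${grub_cfg}.new >/dev/null//' /usr/sbin/grub-mkconfig

###
# Set grub permissions
###
chown root:root /boot/grub/grub.cfg
chmod u-wx,go-rwx /boot/grub/grub.cfg

###
# Stop and mask timesyncd
###
#systemctl stop systemd-timesyncd.service
#systemctl mask systemd-timesyncd.service

###
# Disable ipv6 forwarding
###
#grep -Els '^s*net.ipv6.conf.all.forwardings*=s*1' /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri 's/^s*(net.ipv6.conf.all.forwardings*)(=)(s*S+b).*$/# *REMOVED* 1/' $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1

###
# Set permissions for log files
###
find /var/log -type f -exec chmod g-wx,o-rwx '{}' + -o -type d -exec chmod g-w,o-rwx '{}' +

###
# Update sudoers file
###
# This script runs on every deploy; the unconditional heredoc append used
# before added another copy of both lines each time. Append each line only
# when it is not already present, then syntax-check the result so a deploy
# fails here rather than leaving a sudoers that sudo refuses to parse.
SUDO_DEFAULTS=(
  "Defaults use_pty"
  "Defaults logfile=/var/log/sudo.log"
)
for line in "${SUDO_DEFAULTS[@]}"; do
  grep -qxF -- "$line" /etc/sudoers || echo "$line" >> /etc/sudoers
done
visudo -c -f /etc/sudoers

# add empty group specified for use of su command.
if [ !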
"$(getent group sugroup)" ]; then 317 | groupadd sugroup 318 | fi 319 | 320 | 321 | echo "---> Finished hardening process" 322 | if [[ -f /var/vcap/jobs/aide/bin/update-aide-db ]]; then 323 | echo "---> Updating AIDE db" 324 | set +e # aide returns non-zero on db changes 325 | /var/vcap/jobs/aide/bin/update-aide-db 326 | set -e 327 | fi 328 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/audit/audit.rules: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b 320 12 | 13 | # Feel free to add below this line. See auditctl man page 14 | 15 | # Date/time: 16 | 17 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 18 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 19 | -a always,exit -F arch=b64 -S clock_settime -k time-change 20 | -a always,exit -F arch=b32 -S clock_settime -k time-change 21 | -w /etc/localtime -p wa -k time-change 22 | 23 | 24 | # User/passwords: 25 | 26 | -w /etc/group -p wa -k identity 27 | -w /etc/passwd -p wa -k identity 28 | -w /etc/gshadow -p wa -k identity 29 | -w /etc/shadow -p wa -k identity 30 | -w /etc/security/opasswd -p wa -k identity 31 | 32 | 33 | # Network stuff: 34 | 35 | -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale 36 | -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale 37 | -w /etc/issue -p wa -k system-locale 38 | -w /etc/issue.net -p wa -k system-locale 39 | -w /etc/hosts -p wa -k system-locale 40 | -w /etc/network -p wa -k system-locale 41 | 42 | # SELinux - should this be AppArmon 
now? 43 | 44 | -w /etc/selinux/ -p wa -k MAC-policy 45 | 46 | # Login and logout: 47 | 48 | -w /var/log/faillog -p wa -k logins 49 | -w /var/log/lastlog -p wa -k logins 50 | -w /var/log/tallylog -p wa -k logins 51 | 52 | # Permission modifications: 53 | 54 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 55 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 56 | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 57 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 58 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 59 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 60 | 61 | # Unauthorized access: 62 | 63 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 64 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 65 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 66 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 67 | 68 | # Collect filesystem mounts: 69 | 70 | -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 71 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 72 | 73 | # File deletion 74 | 75 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 
76 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 77 | 78 | # Change to sysadmin scope 79 | 80 | -w /etc/sudoers -p wa -k scope 81 | 82 | # kernel loading 83 | 84 | -w /sbin/insmod -p x -k modules 85 | -w /sbin/rmmod -p x -k modules 86 | -w /sbin/modprobe -p x -k modules 87 | -a always,exit arch=b64 -S init_module -S delete_module -k modules 88 | 89 | # Make audit config immutable - this must be the last line. Rules only propogate on reboot 90 | -e 2 91 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/bash.bashrc: -------------------------------------------------------------------------------- 1 | # System-wide .bashrc file for interactive bash(1) shells. 2 | 3 | # To enable the settings / commands in this file for login shells as well, 4 | # this file has to be sourced in /etc/profile. 5 | 6 | # If not running interactively, don't do anything 7 | [ -z "$PS1" ] && return 8 | 9 | # check the window size after each command and, if necessary, 10 | # update the values of LINES and COLUMNS. 11 | shopt -s checkwinsize 12 | 13 | # set variable identifying the chroot you work in (used in the prompt below) 14 | if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then 15 | debian_chroot=$(cat /etc/debian_chroot) 16 | fi 17 | 18 | # set a fancy prompt (non-color, overwrite the one in /etc/profile) 19 | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' 20 | 21 | # Commented out, don't overwrite xterm -T "title" -n "icontitle" by default. 22 | # If this is an xterm set the title to user@host:dir 23 | #case "$TERM" in 24 | #xterm*|rxvt*) 25 | # PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' 26 | # ;; 27 | #*) 28 | # ;; 29 | #esac 30 | 31 | # enable bash completion in interactive shells 32 | #if ! shopt -oq posix; then 33 | # if [ -f /usr/share/bash-completion/bash_completion ]; then 34 | # . 
/usr/share/bash-completion/bash_completion 35 | # elif [ -f /etc/bash_completion ]; then 36 | # . /etc/bash_completion 37 | # fi 38 | #fi 39 | 40 | # sudo hint 41 | if [ ! -e "$HOME/.sudo_as_admin_successful" ] && [ ! -e "$HOME/.hushlogin" ] ; then 42 | case " $(groups) " in *\ admin\ *|*\ sudo\ *) 43 | if [ -x /usr/bin/sudo ]; then 44 | cat <<-EOF 45 | To run a command as administrator (user "root"), use "sudo ". 46 | See "man sudo_root" for details. 47 | 48 | EOF 49 | fi 50 | esac 51 | fi 52 | 53 | # if the command-not-found package is installed, use it 54 | if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then 55 | function command_not_found_handle { 56 | # check because c-n-f could've been removed in the meantime 57 | if [ -x /usr/lib/command-not-found ]; then 58 | /usr/lib/command-not-found -- "$1" 59 | return $? 60 | elif [ -x /usr/share/command-not-found/command-not-found ]; then 61 | /usr/share/command-not-found/command-not-found -- "$1" 62 | return $? 63 | else 64 | printf "%s: command not found\n" "$1" >&2 65 | return 127 66 | fi 67 | } 68 | fi 69 | 70 | # everything above is from BOSH 71 | umask 027 72 | 73 | #add default timeout 74 | readonly TMOUT=900 ; export TMOUT 75 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/default/grub: -------------------------------------------------------------------------------- 1 | # If you change this file, run 'update-grub' afterwards to update 2 | # /boot/grub/grub.cfg. 
3 | # For full documentation of the options in this file, see: 4 | # info -f grub -n 'Simple configuration' 5 | 6 | GRUB_DEFAULT=0 7 | GRUB_HIDDEN_TIMEOUT=0 8 | GRUB_HIDDEN_TIMEOUT_QUIET=true 9 | GRUB_TIMEOUT=0 10 | GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` 11 | GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8" 12 | GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 selinux=0 cgroup_enable=memory swapaccount=1 earlyprintk=ttyS0 rootdelay=300 ipv6.disable=1 audit=1" 13 | 14 | # Uncomment to enable BadRAM filtering, modify to suit your needs 15 | # This works with Linux (no patch required) and with any kernel that obtains 16 | # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...) 17 | #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef" 18 | 19 | # Uncomment to disable graphical terminal (grub-pc only) 20 | #GRUB_TERMINAL=console 21 | 22 | # The resolution used on graphical terminal 23 | # note that you can use only modes which your graphic card supports via VBE 24 | # you can see them in real GRUB with the command `vbeinfo' 25 | #GRUB_GFXMODE=640x480 26 | 27 | # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux 28 | #GRUB_DISABLE_LINUX_UUID=true 29 | 30 | # Uncomment to disable generation of recovery mode menu entries 31 | #GRUB_DISABLE_RECOVERY="true" 32 | 33 | # Uncomment to get a beep at grub start 34 | #GRUB_INIT_TUNE="480 440 1" 35 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/issue: -------------------------------------------------------------------------------- 1 | This is a U.S. government service. Your use indicates your consent to monitoring, recording, and no expectation of privacy. Misuse is subject to criminal and civil penalties. 
2 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/login.defs: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/login.defs - Configuration control definitions for the login package. 3 | # 4 | # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. 5 | # If unspecified, some arbitrary (and possibly incorrect) value will 6 | # be assumed. All other items are optional - if not specified then 7 | # the described action or option will be inhibited. 8 | # 9 | # Comment lines (lines beginning with "#") and blank lines are ignored. 10 | # 11 | # Modified for Linux. --marekm 12 | 13 | # REQUIRED for useradd/userdel/usermod 14 | # Directory where mailboxes reside, _or_ name of file, relative to the 15 | # home directory. If you _do_ define MAIL_DIR and MAIL_FILE, 16 | # MAIL_DIR takes precedence. 17 | # 18 | # Essentially: 19 | # - MAIL_DIR defines the location of users mail spool files 20 | # (for mbox use) by appending the username to MAIL_DIR as defined 21 | # below. 22 | # - MAIL_FILE defines the location of the users mail spool files as the 23 | # fully-qualified filename obtained by prepending the user home 24 | # directory before $MAIL_FILE 25 | # 26 | # NOTE: This is no more used for setting up users MAIL environment variable 27 | # which is, starting from shadow 4.0.12-1 in Debian, entirely the 28 | # job of the pam_mail PAM modules 29 | # See default PAM configuration files provided for 30 | # login, su, etc. 31 | # 32 | # This is a temporary situation: setting these variables will soon 33 | # move to /etc/default/useradd and the variables will then be 34 | # no more supported 35 | MAIL_DIR /var/mail 36 | #MAIL_FILE .mail 37 | 38 | # 39 | # Enable logging and display of /var/log/faillog login failure info. 40 | # This option conflicts with the pam_tally PAM module. 
41 | # 42 | FAILLOG_ENAB yes 43 | 44 | # 45 | # Enable display of unknown usernames when login failures are recorded. 46 | # 47 | # WARNING: Unknown usernames may become world readable. 48 | # See #290803 and #298773 for details about how this could become a security 49 | # concern 50 | LOG_UNKFAIL_ENAB no 51 | 52 | # 53 | # Enable logging of successful logins 54 | # 55 | LOG_OK_LOGINS no 56 | 57 | # 58 | # Enable "syslog" logging of su activity - in addition to sulog file logging. 59 | # SYSLOG_SG_ENAB does the same for newgrp and sg. 60 | # 61 | SYSLOG_SU_ENAB yes 62 | SYSLOG_SG_ENAB yes 63 | 64 | # 65 | # If defined, all su activity is logged to this file. 66 | # 67 | #SULOG_FILE /var/log/sulog 68 | 69 | # 70 | # If defined, file which maps tty line to TERM environment parameter. 71 | # Each line of the file is in a format something like "vt100 tty01". 72 | # 73 | #TTYTYPE_FILE /etc/ttytype 74 | 75 | # 76 | # If defined, login failures will be logged here in a utmp format 77 | # last, when invoked as lastb, will read /var/log/btmp, so... 78 | # 79 | FTMP_FILE /var/log/btmp 80 | 81 | # 82 | # If defined, the command name to display when running "su -". For 83 | # example, if this is defined as "su" then a "ps" will display the 84 | # command is "-su". If not defined, then "ps" would display the 85 | # name of the shell actually being run, e.g. something like "-sh". 86 | # 87 | SU_NAME su 88 | 89 | # 90 | # If defined, file which inhibits all the usual chatter during the login 91 | # sequence. If a full pathname, then hushed mode will be enabled if the 92 | # user's name or shell are found in the file. If not a full pathname, then 93 | # hushed mode will be enabled if the file exists in the user's home directory. 94 | # 95 | HUSHLOGIN_FILE .hushlogin 96 | #HUSHLOGIN_FILE /etc/hushlogins 97 | 98 | # 99 | # *REQUIRED* The default PATH settings, for superuser and normal users. 
100 | # 101 | # (they are minimal, add the rest in the shell startup files) 102 | ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 103 | ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games 104 | 105 | # 106 | # Terminal permissions 107 | # 108 | # TTYGROUP Login tty will be assigned this group ownership. 109 | # TTYPERM Login tty will be set to this permission. 110 | # 111 | # If you have a "write" program which is "setgid" to a special group 112 | # which owns the terminals, define TTYGROUP to the group number and 113 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign 114 | # TTYPERM to either 622 or 600. 115 | # 116 | # In Debian /usr/bin/bsd-write or similar programs are setgid tty 117 | # However, the default and recommended value for TTYPERM is still 0600 118 | # to not allow anyone to write to anyone else console or terminal 119 | 120 | # Users can still allow other people to write them by issuing 121 | # the "mesg y" command. 122 | 123 | TTYGROUP tty 124 | TTYPERM 0600 125 | 126 | # 127 | # Login configuration initializations: 128 | # 129 | # ERASECHAR Terminal ERASE character ('\010' = backspace). 130 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). 131 | # UMASK Default "umask" value. 132 | # 133 | # The ERASECHAR and KILLCHAR are used only on System V machines. 134 | # 135 | # UMASK is the default umask value for pam_umask and is used by 136 | # useradd and newusers to set the mode of the new home directories. 137 | # 022 is the "historical" value in Debian for UMASK 138 | # 027, or even 077, could be considered better for privacy 139 | # There is no One True Answer here : each sysadmin must make up his/her 140 | # mind. 141 | # 142 | # If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value 143 | # for private user groups, i. e. 
the uid is the same as gid, and username is 144 | # the same as the primary group name: for these, the user permissions will be 145 | # used as group permissions, e. g. 022 will become 002. 146 | # 147 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. 148 | # 149 | ERASECHAR 0177 150 | KILLCHAR 025 151 | UMASK 077 152 | 153 | # 154 | # Password aging controls: 155 | # 156 | # PASS_MAX_DAYS Maximum number of days a password may be used. 157 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. 158 | # PASS_WARN_AGE Number of days warning given before a password expires. 159 | # 160 | PASS_MAX_DAYS 90 161 | PASS_MIN_DAYS 1 162 | PASS_WARN_AGE 10 163 | 164 | # 165 | # Min/max values for automatic uid selection in useradd 166 | # 167 | UID_MIN 1000 168 | UID_MAX 60000 169 | # System accounts 170 | #SYS_UID_MIN 100 171 | #SYS_UID_MAX 999 172 | 173 | # 174 | # Min/max values for automatic gid selection in groupadd 175 | # 176 | GID_MIN 1000 177 | GID_MAX 60000 178 | # System accounts 179 | #SYS_GID_MIN 100 180 | #SYS_GID_MAX 999 181 | 182 | # 183 | # Max number of login retries if password is bad. This will most likely be 184 | # overriden by PAM, since the default pam_unix module has it's own built 185 | # in of 3 retries. However, this is a safe fallback in case you are using 186 | # an authentication module that does not enforce PAM_MAXTRIES. 187 | # 188 | LOGIN_RETRIES 5 189 | 190 | # 191 | # Max time in seconds for login 192 | # 193 | LOGIN_TIMEOUT 60 194 | 195 | # 196 | # Which fields may be changed by regular users using chfn - use 197 | # any combination of letters "frwh" (full name, room number, work 198 | # phone, home phone). If not defined, no changes are allowed. 199 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". 200 | # 201 | CHFN_RESTRICT rwh 202 | 203 | # 204 | # Should login be allowed if we can't cd to the home directory? 205 | # Default in no. 
206 | # 207 | DEFAULT_HOME yes 208 | 209 | # 210 | # If defined, this command is run when removing a user. 211 | # It should remove any at/cron/print jobs etc. owned by 212 | # the user to be removed (passed as the first argument). 213 | # 214 | #USERDEL_CMD /usr/sbin/userdel_local 215 | 216 | # 217 | # Enable setting of the umask group bits to be the same as owner bits 218 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is 219 | # the same as gid, and username is the same as the primary group name. 220 | # 221 | # If set to yes, userdel will remove the user´s group if it contains no 222 | # more members, and useradd will create by default a group with the name 223 | # of the user. 224 | # 225 | USERGROUPS_ENAB yes 226 | 227 | # 228 | # Instead of the real user shell, the program specified by this parameter 229 | # will be launched, although its visible name (argv[0]) will be the shell's. 230 | # The program may do whatever it wants (logging, additional authentification, 231 | # banner, ...) before running the actual shell. 232 | # 233 | # FAKE_SHELL /bin/fakeshell 234 | 235 | # 236 | # If defined, either full pathname of a file containing device names or 237 | # a ":" delimited list of device names. Root logins will be allowed only 238 | # upon these devices. 239 | # 240 | # This variable is used by login and su. 241 | # 242 | #CONSOLE /etc/consoles 243 | #CONSOLE console:tty01:tty02:tty03:tty04 244 | 245 | # 246 | # List of groups to add to the user's supplementary group set 247 | # when logging in on the console (as determined by the CONSOLE 248 | # setting). Default is none. 249 | # 250 | # Use with caution - it is possible for users to gain permanent 251 | # access to these groups, even when not logged in on the console. 252 | # How to do it is left as an exercise for the reader... 253 | # 254 | # This variable is used by login and su. 
255 | # 256 | #CONSOLE_GROUPS floppy:audio:cdrom 257 | 258 | # 259 | # If set to "yes", new passwords will be encrypted using the MD5-based 260 | # algorithm compatible with the one used by recent releases of FreeBSD. 261 | # It supports passwords of unlimited length and longer salt strings. 262 | # Set to "no" if you need to copy encrypted passwords to other systems 263 | # which don't understand the new algorithm. Default is "no". 264 | # 265 | # This variable is deprecated. You should use ENCRYPT_METHOD. 266 | # 267 | #MD5_CRYPT_ENAB no 268 | 269 | # 270 | # If set to MD5 , MD5-based algorithm will be used for encrypting password 271 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password 272 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password 273 | # If set to DES, DES-based algorithm will be used for encrypting password (default) 274 | # Overrides the MD5_CRYPT_ENAB option 275 | # 276 | # Note: It is recommended to use a value consistent with 277 | # the PAM modules configuration. 278 | # 279 | ENCRYPT_METHOD SHA512 280 | 281 | # 282 | # Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. 283 | # 284 | # Define the number of SHA rounds. 285 | # With a lot of rounds, it is more difficult to brute forcing the password. 286 | # But note also that it more CPU resources will be needed to authenticate 287 | # users. 288 | # 289 | # If not specified, the libc will choose the default number of rounds (5000). 290 | # The values must be inside the 1000-999999999 range. 291 | # If only one of the MIN or MAX values is set, then this value will be used. 292 | # If MIN > MAX, the highest value will be used. 293 | # 294 | # SHA_CRYPT_MIN_ROUNDS 5000 295 | # SHA_CRYPT_MAX_ROUNDS 5000 296 | 297 | ################# OBSOLETED BY PAM ############## 298 | # # 299 | # These options are now handled by PAM. Please # 300 | # edit the appropriate file in /etc/pam.d/ to # 301 | # enable the equivelants of them. 
302 | # 303 | ############### 304 | 305 | #MOTD_FILE 306 | #DIALUPS_CHECK_ENAB 307 | #LASTLOG_ENAB 308 | #MAIL_CHECK_ENAB 309 | #OBSCURE_CHECKS_ENAB 310 | #PORTTIME_CHECKS_ENAB 311 | #SU_WHEEL_ONLY 312 | #CRACKLIB_DICTPATH 313 | #PASS_CHANGE_TRIES 314 | #PASS_ALWAYS_WARN 315 | #ENVIRON_FILE 316 | #NOLOGINS_FILE 317 | #ISSUE_FILE 318 | #PASS_MIN_LEN 319 | #PASS_MAX_LEN 320 | #ULIMIT 321 | #ENV_HZ 322 | #CHFN_AUTH 323 | #CHSH_AUTH 324 | #FAIL_DELAY 325 | 326 | ################# OBSOLETED ####################### 327 | # # 328 | # These options are no more handled by shadow. # 329 | # # 330 | # Shadow utilities will display a warning if they # 331 | # still appear. # 332 | # # 333 | ################################################### 334 | 335 | # CLOSE_SESSIONS 336 | # LOGIN_STRING 337 | # NO_PASSWORD_CONSOLE 338 | # QMAIL_DIR 339 | 340 | 341 | 342 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/logrotate.conf: -------------------------------------------------------------------------------- 1 | #logrotate configuration 2 | # see "man logrotate" for details 3 | # rotate log files weekly 4 | weekly 5 | 6 | # use the syslog group by default, since this is the owning group 7 | # of /var/log/syslog. 
8 | su root syslog 9 | 10 | # keep 4 weeks worth of backlogs 11 | rotate 4 12 | # remove files older than 60 days 13 | maxage 60 14 | 15 | # create new (empty) log files after rotating old ones 16 | create 17 | 18 | # uncomment this if you want your log files compressed 19 | #compress 20 | 21 | # packages drop log rotation information into this directory 22 | include /etc/logrotate.d 23 | 24 | # # no packages own wtmp, or btmp -- we'll rotate them here 25 | # /var/log/wtmp { 26 | # missingok 27 | # monthly 28 | # create 0664 root utmp 29 | # rotate 1 30 | # } 31 | # 32 | # /var/log/btmp { 33 | # missingok 34 | # monthly 35 | # create 0660 root utmp 36 | # rotate 1 37 | # } 38 | 39 | # no packages own wtmp, or btmp -- we'll rotate them here 40 | /var/log/wtmp { 41 | missingok 42 | create 0640 root utmp 43 | rotate 4 44 | nodateext 45 | size 5M 46 | notifempty 47 | compress 48 | delaycompress 49 | } 50 | 51 | /var/log/btmp { 52 | missingok 53 | create 0640 root utmp 54 | rotate 4 55 | nodateext 56 | size 5M 57 | notifempty 58 | compress 59 | delaycompress 60 | } 61 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/logrotate.d/alternatives: -------------------------------------------------------------------------------- 1 | /var/log/alternatives.log { 2 | monthly 3 | rotate 12 4 | compress 5 | delaycompress 6 | missingok 7 | notifempty 8 | create 0640 root utmp 9 | } -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/logrotate.d/dpkg: -------------------------------------------------------------------------------- 1 | /var/log/dpkg.log { 2 | monthly 3 | rotate 12 4 | compress 5 | delaycompress 6 | missingok 7 | notifempty 8 | create 0640 root utmp 9 | } -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/logrotate.d/ubuntu-advantage-tools: 
-------------------------------------------------------------------------------- 1 | # use the root group by default, since this is the owning group 2 | # of /var/log/ubuntu-advantage*.log files. 3 | /var/log/ubuntu-advantage*.log { 4 | su root root 5 | create 0640 root utmp 6 | rotate 6 7 | monthly 8 | compress 9 | delaycompress 10 | missingok 11 | notifempty 12 | } -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/modprobe.d/18Fhardened.conf: -------------------------------------------------------------------------------- 1 | # This file, 18Fhardened.conf, works to prevent module loading 2 | # even though most online advice is to use `blacklist` files or 3 | # files named for the module itself. Confirmed on Ubuntu 18.04 4 | # by Peter Burkholder, 2020-10-20, with strace and direct testing. 5 | 6 | # Filesystems 7 | 8 | install cramfs /bin/true 9 | install freevxfs /bin/true 10 | install jffs2 /bin/true 11 | install hfs /bin/true 12 | install hfsplus /bin/true 13 | install squashfs /bin/true 14 | install udf /bin/true 15 | 16 | # Protocols 17 | 18 | install dccp /bin/true 19 | install sctp /bin/true 20 | install rds /bin/true 21 | install tipc /bin/true 22 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/pam.d/common-auth: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/pam.d/common-auth - authentication settings common to all services 3 | # 4 | # This file is included from other service-specific PAM config files, 5 | # and should contain a list of the authentication modules that define 6 | # the central authentication scheme for use on the system 7 | # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the 8 | # traditional Unix authentication mechanisms. 9 | # 10 | # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. 
11 | # To take advantage of this, it is recommended that you configure any 12 | # local modules either before or after the default block, and use 13 | # pam-auth-update to manage selection of other modules. See 14 | # pam-auth-update(8) for details. 15 | 16 | # here are the per-package modules (the "Primary" block) 17 | auth required pam_faillock.so preauth onerr=fail audit silent deny=5 unlock_time=900 18 | auth [success=1 default=ignore] pam_unix.so 19 | auth [default=die] pam_faillock.so authfail 20 | auth sufficient pam_faillock.so authsucc 21 | # here's the fallback if no module succeeds 22 | auth requisite pam_deny.so 23 | # prime the stack with a positive return value if there isn't one already; 24 | # this avoids us returning an error just because nothing sets a success code 25 | # since the modules above will each just jump around 26 | auth required pam_permit.so 27 | # and here are more per-package modules (the "Additional" block) 28 | # end of pam-auth-update config 29 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/pam.d/common-password: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/pam.d/common-password - password-related modules common to all services 3 | # 4 | # This file is included from other service-specific PAM config files, 5 | # and should contain a list of modules that define the services to be 6 | # used to change user passwords. The default is pam_unix. 7 | 8 | # Explanation of pam_unix options: 9 | # 10 | # The "sha512" option enables salted SHA512 passwords. Without this option, 11 | # the default is Unix crypt. Prior releases used the option "md5". 12 | # 13 | # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in 14 | # login.defs. 15 | # 16 | # See the pam_unix manpage for other options. 17 | 18 | # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. 
19 | # To take advantage of this, it is recommended that you configure any 20 | # local modules either before or after the default block, and use 21 | # pam-auth-update to manage selection of other modules. See 22 | # pam-auth-update(8) for details. 23 | 24 | # here are the per-package modules (the "Primary" block) 25 | password requisite pam_pwquality.so try_first_pass retry=3 26 | password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5 sha512 27 | password sufficient pam_unix.so remember=5 sha512 28 | # here's the fallback if no module succeeds 29 | password requisite pam_deny.so 30 | # prime the stack with a positive return value if there isn't one already; 31 | # this avoids us returning an error just because nothing sets a success code 32 | # since the modules above will each just jump around 33 | password required pam_permit.so 34 | # and here are more per-package modules (the "Additional" block) 35 | # end of pam-auth-update config 36 | 37 | #include the remember option and conform to site policy 38 | password required pam_pwhistory.so remember=5 -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/pam.d/login: -------------------------------------------------------------------------------- 1 | # 2 | # The PAM configuration file for the Shadow `login' service 3 | # 4 | 5 | # Enforce a minimal delay in case of failure (in microseconds). 6 | # (Replaces the `FAIL_DELAY' setting from login.defs) 7 | # Note that other modules may require another minimal delay. (for example, 8 | # to disable any delay, you should add the nodelay option to pam_unix) 9 | auth optional pam_faildelay.so delay=3000000 10 | 11 | # Outputs an issue file prior to each login prompt (Replaces the 12 | # ISSUE_FILE option from login.defs). 
Uncomment for use 13 | # auth required pam_issue.so issue=/etc/issue 14 | 15 | # Disallows root logins except on tty's listed in /etc/securetty 16 | # (Replaces the `CONSOLE' setting from login.defs) 17 | # 18 | # With the default control of this module: 19 | # [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] 20 | # root will not be prompted for a password on insecure lines. 21 | # if an invalid username is entered, a password is prompted (but login 22 | # will eventually be rejected) 23 | # 24 | # You can change it to a "requisite" module if you think root may mis-type 25 | # her login and should not be prompted for a password in that case. But 26 | # this will leave the system as vulnerable to user enumeration attacks. 27 | # 28 | # You can change it to a "required" module if you think it permits to 29 | # guess valid user names of your system (invalid user names are considered 30 | # as possibly being root on insecure lines), but root passwords may be 31 | # communicated over insecure lines. 32 | auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so 33 | 34 | # Disallows other than root logins when /etc/nologin exists 35 | # (Replaces the `NOLOGINS_FILE' option from login.defs) 36 | auth requisite pam_nologin.so 37 | 38 | # SELinux needs to be the first session rule. This ensures that any 39 | # lingering context has been cleared. Without out this it is possible 40 | # that a module could execute code in the wrong domain. 41 | # When the module is present, "required" would be sufficient (When SELinux 42 | # is disabled, this returns success.) 43 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close 44 | 45 | # This module parses environment configuration file(s) 46 | # and also allows you to use an extended config 47 | # file /etc/security/pam_env.conf. 
48 | # 49 | # parsing /etc/environment needs "readenv=1" 50 | session required pam_env.so readenv=1 51 | # locale variables are also kept into /etc/default/locale in etch 52 | # reading this file *in addition to /etc/environment* does not hurt 53 | session required pam_env.so readenv=1 envfile=/etc/default/locale 54 | 55 | # Standard Un*x authentication. 56 | @include common-auth 57 | 58 | # This allows certain extra groups to be granted to a user 59 | # based on things like time of day, tty, service, and user. 60 | # Please edit /etc/security/group.conf to fit your needs 61 | # (Replaces the `CONSOLE_GROUPS' option in login.defs) 62 | auth optional pam_group.so 63 | 64 | # Uncomment and edit /etc/security/time.conf if you need to set 65 | # time restrainst on logins. 66 | # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs 67 | # as well as /etc/porttime) 68 | # account requisite pam_time.so 69 | 70 | # Uncomment and edit /etc/security/access.conf if you need to 71 | # set access limits. 72 | # (Replaces /etc/login.access file) 73 | # account required pam_access.so 74 | 75 | # Sets up user limits according to /etc/security/limits.conf 76 | # (Replaces the use of /etc/limits in old login) 77 | session required pam_limits.so 78 | 79 | # Prints the last login info upon succesful login 80 | # (Replaces the `LASTLOG_ENAB' option from login.defs) 81 | session optional pam_lastlog.so 82 | 83 | # Prints the message of the day upon succesful login. 84 | # (Replaces the `MOTD_FILE' option in login.defs) 85 | # This includes a dynamically generated part from /run/motd.dynamic 86 | # and a static (admin-editable) part from /etc/motd. 87 | session optional pam_motd.so motd=/run/motd.dynamic noupdate 88 | session optional pam_motd.so 89 | 90 | # Prints the status of the user's mailbox upon succesful login 91 | # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
92 | # 93 | # This also defines the MAIL environment variable 94 | # However, userdel also needs MAIL_DIR and MAIL_FILE variables 95 | # in /etc/login.defs to make sure that removing a user 96 | # also removes the user's mail spool file. 97 | # See comments in /etc/login.defs 98 | session optional pam_mail.so standard 99 | 100 | # Standard Un*x account and session 101 | @include common-account 102 | @include common-session 103 | @include common-password 104 | 105 | # SELinux needs to intervene at login time to ensure that the process 106 | # starts in the proper default security context. Only sessions which are 107 | # intended to run in the user's context should be run after this. 108 | session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open 109 | # When the module is present, "required" would be sufficient (When SELinux 110 | # is disabled, this returns success.) 111 | auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 112 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/pam.d/su: -------------------------------------------------------------------------------- 1 | # 2 | # The PAM configuration file for the Shadow `su' service 3 | # 4 | 5 | # This allows root to su without passwords (normal operation) 6 | auth sufficient pam_rootok.so 7 | 8 | # Uncomment this to force users to be a member of group root 9 | # before they can use `su'. You can also add "group=foo" 10 | # to the end of this line if you want to use a group other 11 | # than the default "root" (but this may have side effect of 12 | # denying "root" user, unless she's a member of "foo" or explicitly 13 | # permitted earlier by e.g. "sufficient pam_rootok.so"). 14 | # (Replaces the `SU_WHEEL_ONLY' option from login.defs) 15 | # auth required pam_wheel.so 16 | 17 | # Uncomment this if you want wheel members to be able to 18 | # su without a password. 
19 | # auth sufficient pam_wheel.so trust 20 | 21 | # Uncomment this if you want members of a specific group to not 22 | # be allowed to use su at all. 23 | # auth required pam_wheel.so deny group=nosu 24 | 25 | # Uncomment and edit /etc/security/time.conf if you need to set 26 | # time restrainst on su usage. 27 | # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs 28 | # as well as /etc/porttime) 29 | # account requisite pam_time.so 30 | 31 | # This module parses environment configuration file(s) 32 | # and also allows you to use an extended config 33 | # file /etc/security/pam_env.conf. 34 | # 35 | # parsing /etc/environment needs "readenv=1" 36 | session required pam_env.so readenv=1 37 | # locale variables are also kept into /etc/default/locale in etch 38 | # reading this file *in addition to /etc/environment* does not hurt 39 | session required pam_env.so readenv=1 envfile=/etc/default/locale 40 | 41 | # Defines the MAIL environment variable 42 | # However, userdel also needs MAIL_DIR and MAIL_FILE variables 43 | # in /etc/login.defs to make sure that removing a user 44 | # also removes the user's mail spool file. 45 | # See comments in /etc/login.defs 46 | # 47 | # "nopen" stands to avoid reporting new mail when su'ing to another user 48 | session optional pam_mail.so nopen 49 | 50 | # Sets up user limits, please uncomment and read /etc/security/limits.conf 51 | # to enable this functionality. 52 | # (Replaces the use of /etc/limits in old login) 53 | session required pam_limits.so 54 | 55 | # The standard Unix authentication modules, used with 56 | # NIS (man nsswitch) as well as normal /etc/passwd and 57 | # /etc/shadow entries. 
58 | @include common-auth 59 | @include common-account 60 | @include common-session 61 | 62 | 63 | auth required pam_wheel.so use_uid group=sugroup 64 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/profile: -------------------------------------------------------------------------------- 1 | # /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) 2 | # and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). 3 | 4 | if [ "$PS1" ]; then 5 | if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then 6 | # The file bash.bashrc already sets the default PS1. 7 | # PS1='\h:\w\$ ' 8 | if [ -f /etc/bash.bashrc ]; then 9 | . /etc/bash.bashrc 10 | fi 11 | else 12 | if [ "`id -u`" -eq 0 ]; then 13 | PS1='# ' 14 | else 15 | PS1='$ ' 16 | fi 17 | fi 18 | fi 19 | 20 | if [ -d /etc/profile.d ]; then 21 | for i in /etc/profile.d/*.sh; do 22 | if [ -r $i ]; then 23 | . $i 24 | fi 25 | done 26 | unset i 27 | fi 28 | 29 | # everything above is from BOSH 30 | umask 027 31 | 32 | # add default timeout 33 | readonly TMOUT=900 ; export TMOUT 34 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/securetty: -------------------------------------------------------------------------------- 1 | console 2 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/security/faillock.conf: -------------------------------------------------------------------------------- 1 | # Don't print informative messages. 2 | # Enabled if option is present. 3 | # silent 4 | # 5 | # Don't log informative messages via syslog. 6 | # Enabled if option is present. 7 | # no_log_info 8 | # 9 | # Only track failed user authentications attempts for local users 10 | # in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. 
11 | # The `faillock` command will also no longer track user failed 12 | # authentication attempts. Enabling this option will prevent a 13 | # double-lockout scenario where a user is locked out locally and 14 | # in the centralized mechanism. 15 | # Enabled if option is present. 16 | # local_users_only 17 | # 18 | # Deny access if the number of consecutive authentication failures 19 | # for this user during the recent interval exceeds n tries. 20 | # The default is 3. 21 | deny = 4 22 | # 23 | # The length of the interval during which the consecutive 24 | # authentication failures must happen for the user account 25 | # lock out is n seconds. 26 | # The default is 900 (15 minutes). 27 | fail_interval = 900 28 | # 29 | # The access will be re-enabled after n seconds after the lock out. 30 | # The value 0 has the same meaning as value `never` - the access 31 | # will not be re-enabled without resetting the faillock 32 | # entries by the `faillock` command. 33 | # The default is 600 (10 minutes). 34 | unlock_time = 600 35 | # 36 | # Root account can become locked as well as regular accounts. 37 | # Enabled if option is present. 38 | # even_deny_root 39 | # 40 | # This option implies the `even_deny_root` option. 41 | # Allow access after n seconds to root account after the 42 | # account is locked. In case the option is not specified 43 | # the value is the same as of the `unlock_time` option. 44 | # root_unlock_time = 900 45 | # 46 | # If a group name is specified with this option, members 47 | # of the group will be handled by this module the same as 48 | # the root account (the options `even_deny_root>` and 49 | # `root_unlock_time` will apply to them. 50 | # By default, the option is not set. 
51 | # admin_group = -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/security/limits.conf: -------------------------------------------------------------------------------- 1 | * hard core 0 2 | vcap hard nofile 65535 3 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/security/pwquality.conf: -------------------------------------------------------------------------------- 1 | minlen=14 2 | dcredit=-1 3 | ucredit=-1 4 | ocredit=-1 5 | lcredit=-1 6 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/ssh/sshd_config: -------------------------------------------------------------------------------- 1 | # Package generated configuration file 2 | # See the sshd_config(5) manpage for details 3 | 4 | # What ports, IPs and protocols we listen for 5 | Port 22 6 | # Use these options to restrict which interfaces/protocols sshd will bind to 7 | #ListenAddress :: 8 | #ListenAddress 0.0.0.0 9 | Protocol 2 10 | # HostKeys for protocol version 2 11 | HostKey /etc/ssh/ssh_host_rsa_key 12 | HostKey /etc/ssh/ssh_host_dsa_key 13 | HostKey /etc/ssh/ssh_host_ecdsa_key 14 | HostKey /etc/ssh/ssh_host_ed25519_key 15 | #Privilege Separation is turned on for security 16 | UsePrivilegeSeparation yes 17 | 18 | # Lifetime and size of ephemeral version 1 server key 19 | KeyRegenerationInterval 3600 20 | ServerKeyBits 1024 21 | 22 | # Logging 23 | SyslogFacility AUTH 24 | LogLevel INFO 25 | 26 | # Authentication: 27 | LoginGraceTime 60 28 | PermitRootLogin no 29 | StrictModes yes 30 | 31 | RSAAuthentication yes 32 | PubkeyAuthentication yes 33 | #AuthorizedKeysFile %h/.ssh/authorized_keys 34 | 35 | # Don't read the user's ~/.rhosts and ~/.shosts files 36 | IgnoreRhosts yes 37 | # For this to work you will also need host keys in /etc/ssh_known_hosts 38 | RhostsRSAAuthentication no 39 | # similar for 
protocol version 2 40 | HostbasedAuthentication no 41 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication 42 | #IgnoreUserKnownHosts yes 43 | 44 | # To enable empty passwords, change to yes (NOT RECOMMENDED) 45 | PermitEmptyPasswords no 46 | 47 | # Change to yes to enable challenge-response passwords (beware issues with 48 | # some PAM modules and threads) 49 | ChallengeResponseAuthentication no 50 | 51 | # Change to no to disable tunnelled clear text passwords 52 | PasswordAuthentication no 53 | 54 | # Kerberos options 55 | #KerberosAuthentication no 56 | #KerberosGetAFSToken no 57 | #KerberosOrLocalPasswd yes 58 | #KerberosTicketCleanup yes 59 | 60 | # GSSAPI options 61 | #GSSAPIAuthentication no 62 | #GSSAPICleanupCredentials yes 63 | 64 | X11Forwarding no 65 | X11DisplayOffset 10 66 | PrintMotd no 67 | PrintLastLog yes 68 | TCPKeepAlive yes 69 | #UseLogin no 70 | 71 | MaxStartups 10:30:60 72 | MaxSessions 10 73 | Banner /etc/issue.net 74 | 75 | # Allow client to pass locale environment variables 76 | AcceptEnv LANG LC_* 77 | 78 | Subsystem sftp /usr/lib/openssh/sftp-server 79 | 80 | # Set this to 'yes' to enable PAM authentication, account processing, 81 | # and session processing. If this is enabled, PAM authentication will 82 | # be allowed through the ChallengeResponseAuthentication and 83 | # PasswordAuthentication. Depending on your PAM configuration, 84 | # PAM authentication via ChallengeResponseAuthentication may bypass 85 | # the setting of "PermitRootLogin without-password". 86 | # If you just want the PAM account and session checks to run without 87 | # PAM authentication, then enable this but set PasswordAuthentication 88 | # and ChallengeResponseAuthentication to 'no'. 
89 | UsePAM yes 90 | 91 | MaxAuthTries 4 92 | PermitUserEnvironment no 93 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr 94 | ClientAliveInterval 300 95 | ClientAliveCountMax 0 96 | 97 | AllowGroups vcap admin bosh_sshers 98 | 99 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com 100 | 101 | KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 102 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/sysctl.conf - Configuration file for setting system variables 3 | # See /etc/sysctl.d/ for additional system variables. 4 | # See sysctl.conf (5) for information. 5 | # 6 | 7 | #kernel.domainname = example.com 8 | 9 | # Uncomment the following to stop low-level messages on console 10 | #kernel.printk = 3 4 1 3 11 | 12 | kernel.randomize_va_space = 2 13 | 14 | ##############################################################3 15 | # Functions previously found in netbase 16 | # 17 | 18 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter) 19 | # Turn on Source Address Verification in all interfaces to 20 | # prevent some spoofing attacks 21 | net.ipv4.conf.default.rp_filter=1 22 | net.ipv4.conf.all.rp_filter=1 23 | 24 | # Uncomment the next line to enable TCP/IP SYN cookies 25 | # See http://lwn.net/Articles/277146/ 26 | # Note: This may impact IPv6 TCP sessions too 27 | #net.ipv4.tcp_syncookies=1 28 | 29 | # Uncomment the next line to enable packet forwarding for IPv4 30 | #net.ipv4.ip_forward=1 31 | net.ipv4.icmp_echo_ignore_broadcasts=1 32 | net.ipv4.icmp_ignore_bogus_error_responses=1 33 | net.ipv4.tcp_syncookies=1 34 | 35 | # Uncomment the next line to enable packet forwarding for IPv6 
36 | # Enabling this option disables Stateless Address Autoconfiguration 37 | # based on Router Advertisements for this host 38 | #net.ipv6.conf.all.forwarding=1 39 | 40 | 41 | ################################################################### 42 | # Additional settings - these settings can improve the network 43 | # security of the host and prevent against some network attacks 44 | # including spoofing attacks and man in the middle attacks through 45 | # redirection. Some network environments, however, require that these 46 | # settings are disabled so review and enable them as needed. 47 | # 48 | 49 | # Do not accept ICMP redirects (prevent MITM attacks) 50 | net.ipv4.conf.all.accept_redirects=0 51 | net.ipv6.conf.all.accept_redirects=0 52 | net.ipv4.conf.default.accept_redirects=0 53 | net.ipv6.conf.default.accept_redirects=0 54 | 55 | # _or_ 56 | # Accept ICMP redirects only for gateways listed in our default 57 | # gateway list (enabled by default) 58 | net.ipv4.conf.all.secure_redirects=0 59 | net.ipv4.conf.default.secure_redirects=0 60 | 61 | # Do not send ICMP redirects (we are not a router) 62 | net.ipv4.conf.all.send_redirects=0 63 | net.ipv4.conf.default.send_redirects=0 64 | 65 | # Do not accept IP source route packets (we are not a router) 66 | net.ipv4.conf.all.accept_source_route=0 67 | net.ipv6.conf.all.accept_source_route=0 68 | net.ipv4.conf.default.accept_source_route=0 69 | net.ipv6.conf.default.accept_source_route=0 70 | 71 | # 72 | # Log Martian Packets 73 | net.ipv4.conf.all.log_martians=1 74 | net.ipv4.conf.default.log_martians=1 75 | # 76 | 77 | # Prevent core dumps 78 | fs.suid_dumpable=0 79 | 80 | # http://www.isssource.com/fixing-an-internet-security-threat 81 | net.ipv4.tcp_challenge_ack_limit = 999999999 82 | 83 | # Increase maximum directories for clamav 84 | fs.inotify.max_user_watches=65536 85 | -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/systemd/journald.conf: 
-------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it 4 | # under the terms of the GNU Lesser General Public License as published by 5 | # the Free Software Foundation; either version 2.1 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # Entries in this file show the compile time defaults. 9 | # You can change settings by editing this file. 10 | # Defaults can be restored by simply deleting this file. 11 | # 12 | # See journald.conf(5) for details. 13 | 14 | [Journal] 15 | Storage=persistent 16 | Compress=yes 17 | #Seal=yes 18 | #SplitMode=uid 19 | #SyncIntervalSec=5m 20 | #RateLimitIntervalSec=30s 21 | #RateLimitBurst=1000 22 | #SystemMaxUse= 23 | #SystemKeepFree= 24 | #SystemMaxFileSize= 25 | #SystemMaxFiles=100 26 | #RuntimeMaxUse= 27 | #RuntimeKeepFree= 28 | #RuntimeMaxFileSize= 29 | #RuntimeMaxFiles=100 30 | #MaxRetentionSec= 31 | #MaxFileSec=1month 32 | ForwardToSyslog=yes 33 | #ForwardToKMsg=no 34 | #ForwardToConsole=no 35 | #ForwardToWall=yes 36 | #TTYPath=/dev/console 37 | #MaxLevelStore=debug 38 | #MaxLevelSyslog=debug 39 | #MaxLevelKMsg=notice 40 | #MaxLevelConsole=info 41 | #MaxLevelWall=emerg 42 | #LineMax=48K -------------------------------------------------------------------------------- /jobs/harden/templates/files/etc/update-motd.d/00-header: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # 00-header - create the header of the MOTD 4 | # Copyright (C) 2009-2010 Canonical Ltd. 5 | # 6 | # Authors: Dustin Kirkland 7 | # 8 | # This program is free software; you can redistribute it and/or modify 9 | # it under the terms of the GNU General Public License as published by 10 | # the Free Software Foundation; either version 2 of the License, or 11 | # (at your option) any later version. 
12 | # 13 | # This program is distributed in the hope that it will be useful, 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | # GNU General Public License for more details. 17 | # 18 | # You should have received a copy of the GNU General Public License along 19 | # with this program; if not, write to the Free Software Foundation, Inc., 20 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 21 | 22 | [ -r /etc/lsb-release ] && . /etc/lsb-release 23 | 24 | if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then 25 | # Fall back to using the very slow lsb_release utility 26 | DISTRIB_DESCRIPTION=$(lsb_release -s -d) 27 | fi 28 | 29 | printf "\033[44m \033[0m\n" 30 | printf "\033[44m \033[0m\n" 31 | printf "\033[44m \033[0m\n" 32 | printf "\033[44m \033[0m\n" 33 | printf "\033[44m \033[0m\n" 34 | printf "\033[44m \033[0m\n" 35 | printf "\033[44m \033[0m\n" 36 | printf "\033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[0m\n" 37 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[0m\n" 38 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[47m \033[44m \033[0m\n" 39 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[0m\n" 40 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[0m\n" 41 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[0m\n" 42 | printf "\033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[47m \033[44m \033[0m\n" 43 | printf "\033[44m 
\033[47m \033[44m \033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m\033[47m \033[44m \033[47m \033[44m \033[0m\n" 44 | printf "\033[44m \033[0m\n" 45 | 46 | printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)" 47 | printf "You are accessing a system operated by 18F, a division of the General Services Administration of the United States Government. \nBy accessing this system, you are consenting to monitoring and have no expectation of privacy. \n" 48 | -------------------------------------------------------------------------------- /releases/fisma/fisma-1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | packages: 3 | - name: harden 4 | version: 7f3ddc156f5adc0cb3b013b04c92dc1dce5c7195 5 | fingerprint: 7f3ddc156f5adc0cb3b013b04c92dc1dce5c7195 6 | sha1: dc325431f9028be6978fd8ab587c6db63e403270 7 | dependencies: [] 8 | jobs: 9 | - name: harden 10 | version: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 11 | fingerprint: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 12 | sha1: 9b45c0d98fa3e9bdb669b97301300beb8f106f0e 13 | license: 14 | version: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 15 | fingerprint: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 16 | sha1: 37c7419a7f734428f7bb7f63012d01b31f6a4630 17 | commit_hash: bee31a78 18 | uncommitted_changes: true 19 | name: fisma 20 | version: '1' 21 | -------------------------------------------------------------------------------- /releases/fisma/fisma-2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | packages: 3 | - name: harden 4 | version: e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c 5 | fingerprint: e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c 6 | sha1: 5d5ffb0e35c58473654a0241bc7116da77b637b4 7 | dependencies: [] 8 | jobs: 9 | - name: harden 10 | version: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 11 | fingerprint: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 12 | sha1: 
9b45c0d98fa3e9bdb669b97301300beb8f106f0e 13 | license: 14 | version: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 15 | fingerprint: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 16 | sha1: 37c7419a7f734428f7bb7f63012d01b31f6a4630 17 | commit_hash: 907553e5 18 | uncommitted_changes: true 19 | name: fisma 20 | version: '2' 21 | -------------------------------------------------------------------------------- /releases/fisma/fisma-3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | packages: 3 | - name: harden 4 | version: e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c 5 | fingerprint: e9fb1d9e80bc6d3bdc319b23d03db620b3b46f7c 6 | sha1: 5d5ffb0e35c58473654a0241bc7116da77b637b4 7 | dependencies: [] 8 | jobs: 9 | - name: harden 10 | version: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 11 | fingerprint: a474b662fe42cd360a3bc1ad9c9aa4624a12f347 12 | sha1: 6055417776581641549434225604e8f828f3b196 13 | license: 14 | version: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 15 | fingerprint: cbc3b15f61fec179f7d9f8f7eba00eb91ba15b59 16 | sha1: b7b58bc79e86c58f7ecbe29aeab60ba14bea04f4 17 | commit_hash: 907553e5 18 | uncommitted_changes: true 19 | name: fisma 20 | version: '3' 21 | -------------------------------------------------------------------------------- /releases/fisma/index.yml: -------------------------------------------------------------------------------- 1 | --- 2 | builds: 3 | cc160063-276b-41a3-949e-a00bb0180e0d: 4 | version: '1' 5 | 0c4ffef6-eb54-45a7-8e09-027cad71add5: 6 | version: '2' 7 | ca7d7d3c-3134-43f1-b078-175cd5472c12: 8 | version: '3' 9 | format-version: '2' 10 | --------------------------------------------------------------------------------