├── README.md └── centos6-cis-benchmarks.ks /README.md: --------------------------------------------------------------------------------
# CIS Security Benchmark Kickstarts
----
The kickstart files in this repository will give you a system which meets almost all of the scored standards from the [CIS Security Benchmarks](http://benchmarks.cisecurity.org/). The non-scored checks are excluded, as are adjustments that don't make sense for most environments (see the comments in the kickstart for details).

### Disclaimers

* The kickstart files are Apache 2 Licensed
* I'm not affiliated with the Center For Internet Security in any way
* These kickstarts aren't approved by the Center For Internet Security
* These kickstarts might not make your system any more secure than it was before you started
* These kickstarts may cause your server to leave the rack and chase cars

### Requirements & Caveats

The kickstarts are currently set up for **KVM-based environments.** If that's not accurate for your server environment, look for this string in the kickstart:

    --driveorder=vda

Change `vda` to reflect whatever is accurate for your environment. For example, you may want to change this to `xvda` for Xen VM's or `sda` for physical servers with SATA drives.

I'd recommend starting with a **minimum disk size of 20GB** for these kickstarts. Adjust the `logvol` lines to smaller sizes if your disk happens to be smaller.

Two settings need attention before you build from these files:

* The root password is set in plaintext (`rootpw qwerty`). Replace it with a hashed value (`rootpw --iscrypted <hash>`) before use; anything that can read the kickstart can read that password.
* The kickstart disables root SSH logins (`PermitRootLogin no`) and restricts `su` to the `wheel` group, but it does not create any non-root user. Add a `user --name=... --groups=wheel` line, or provision an administrative account some other way, or you will have no remote login path.

#### Enjoy!
*-- Major Hayden*
--------------------------------------------------------------------------------
/centos6-cis-benchmarks.ks:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Copyright 2013 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
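# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# CentOS 6 kickstart that applies the scored CIS Security Benchmark items.
# Layout: installer commands, then %packages, then a %post section that
# edits the installed system in place (fstab, sysctl, auditd, services,
# sshd, PAM, login.defs, banners). "CIS x.y.z" labels refer to the CIS
# CentOS/RHEL 6 benchmark section each setting implements.

install
# NOTE(review): the install tree is fetched over plain HTTP. Point this at a
# mirror you control (or an HTTPS mirror, if your anaconda build accepts one);
# whether anaconda verifies package signatures for a network tree is not
# established here, so do not rely on it.
url --url=http://mirrors.kernel.org/centos/6/os/x86_64/
text
lang en_US.UTF-8
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto

# SECURITY: this is a well-known plaintext password and must be replaced
# before the kickstart is used. Preferred form is a SHA-512 crypt hash:
#   rootpw --iscrypted $6$<salt>$<hash>
# e.g. generated with:
#   python -c 'import crypt; print crypt.crypt("PASSWORD", "$6$" + "SALT")'
rootpw qwerty

# With CIS 6.2.8 (PermitRootLogin no) and CIS 6.5 (pam_wheel on su) applied
# in %post, an administrative account in the wheel group is required for any
# remote access. No such user is created by this file; add one, e.g.:
#   user --name=admin --groups=wheel --iscrypted --password=$6$<salt>$<hash>

# CIS 4.7
firewall --enabled --ssh

# CIS 6.3.1
authconfig --enableshadow --passalgo=sha512

# CIS 1.4.2-1.4.3 (targeted is enabled by default w/enforcing)
selinux --enforcing

timezone --utc America/Chicago
services --enabled network,sshd
zerombr

clearpart --all
part /boot --fstype ext4 --size=250
part swap --size=1024
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --vgname vg_root --name root --fstype=ext4 --size=10240
# CIS 1.1.1-1.1.4
logvol /tmp --vgname vg_root --name tmp --size=500 --fsoptions="nodev,nosuid,noexec"
# CIS 1.1.5
logvol /var --vgname vg_root --name var --size=500
# CIS 1.1.7
logvol /var/log --vgname vg_root --name log --size=1024
# CIS 1.1.8
logvol /var/log/audit --vgname vg_root --name audit --size=1024
# CIS 1.1.9-1.1.10
logvol /home --vgname vg_root --name home --size=1024 --grow --fsoptions="nodev"

# CIS 1.4.1, 5.2.3
# --driveorder is the one value most environments must change (see README).
bootloader --location=mbr --driveorder=vda --append="selinux=1 audit=1"
reboot

%packages
@core
# setroubleshoot-server is deliberately NOT installed: it is the daemon half
# of the package CIS 1.4.4 says to remove, and installing it alongside
# "-setroubleshoot" contradicts that item.
aide # CIS 1.3.2
selinux-policy-targeted # CIS 1.4.3
-setroubleshoot # CIS 1.4.4
-mcstrans # CIS 1.4.5
-telnet-server # CIS 2.1.1
-telnet # CIS 2.1.2
-rsh-server # CIS 2.1.3
-rsh # CIS 2.1.4
-ypbind # CIS 2.1.5
-ypserv # CIS 2.1.6
-tftp # CIS 2.1.7
-tftp-server # CIS 2.1.8
-talk-server # CIS 2.1.10
-xinetd # CIS 2.1.11
-@"X Window System" # CIS 3.2
-dhcp # CIS 3.5
ntp # CIS 3.6
postfix # CIS 3.16
rsyslog # CIS 5.1.2
cronie-anacron # CIS 6.1.1
pam_passwdqc # CIS 6.3.3

%post --log=/root/postinstall.log

# Turn a service off only when chkconfig knows about it. Several targets
# below (the xinetd services, avahi-daemon, cups, sendmail) are not in @core
# or are removed in %packages; an unconditional "chkconfig X off" would just
# write an error into the post-install log.
disable_service() {
    if chkconfig --list "$1" >/dev/null 2>&1; then
        chkconfig "$1" off
    fi
}

###############################################################################
# /etc/fstab
echo -e "\n# CIS Benchmark Adjustments" >> /etc/fstab
# CIS 1.1.6: /var/tmp becomes a bind mount of /tmp and so inherits the
# nodev,nosuid,noexec options set on the /tmp logical volume above.
# NOTE: noexec on /var/tmp can break software that executes from there;
# confirm against your workload before rolling this out.
echo "/tmp /var/tmp none bind 0 0" >> /etc/fstab
# CIS 1.1.14-1.1.16: harden the stock /dev/shm entry. The rewrite goes to a
# scratch file with ">" (not ">>", which would let any pre-existing
# /tmp/fstab leak into the result) and only replaces /etc/fstab if awk
# succeeded, so a failed rewrite cannot leave an empty fstab behind.
awk '$2~"^/dev/shm$"{$4="nodev,noexec,nosuid"}1' OFS="\t" /etc/fstab > /tmp/fstab \
    && mv /tmp/fstab /etc/fstab
restorecon -v /etc/fstab && chmod 644 /etc/fstab

# CIS 1.3.2: daily AIDE check. The baseline database is built at the very
# end of %post (after every other edit) so it describes the delivered
# system; without a baseline this cron job fails every day.
echo "0 5 * * * /usr/sbin/aide --check" >> /var/spool/cron/root
chmod 600 /var/spool/cron/root

# CIS 1.5.5: no interactive startup.
sed -i 's/^PROMPT=yes$/PROMPT=no/' /etc/sysconfig/init

###############################################################################
# /etc/sysctl.conf
# Benchmark references are kept on their own lines: a trailing "# ..." on a
# key = value line is not reliably stripped by sysctl(8) on this release, and
# would be passed to the kernel as part of the value.
cat << 'EOF' >> /etc/sysctl.conf

# CIS Benchmark Adjustments
# CIS 1.6.2
kernel.exec-shield = 1
# CIS 1.6.3
kernel.randomize_va_space = 2
# CIS 4.1.1
net.ipv4.ip_forward = 0
# CIS 4.1.2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# CIS 4.2.1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# CIS 4.2.2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# CIS 4.2.3
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# CIS 4.2.4
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# CIS 4.2.5
net.ipv4.icmp_echo_ignore_broadcasts = 1
# CIS 4.2.6
net.ipv4.icmp_ignore_bogus_error_responses = 1
# CIS 4.2.7
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# CIS 4.2.8
net.ipv4.tcp_syncookies = 1
EOF

###############################################################################
# /etc/audit/audit.rules
# "auid>=500" is the CentOS 6 UID_MIN (first regular user); 4294967295 is the
# unset login UID (-1) used by daemons and processes started before login.
cat << 'EOF' >> /etc/audit/audit.rules

# CIS Benchmark Adjustments

# CIS 5.2.4
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

# CIS 5.2.5
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# CIS 5.2.6
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

# CIS 5.2.7
-w /etc/selinux/ -p wa -k MAC-policy

# CIS 5.2.8
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

# CIS 5.2.9
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

# CIS 5.2.10
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# CIS 5.2.11
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# CIS 5.2.13
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts

# CIS 5.2.14
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

# CIS 5.2.15
-w /etc/sudoers -p wa -k scope

# CIS 5.2.16
-w /var/log/sudo.log -p wa -k actions

# CIS 5.2.17
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
EOF

# CIS 5.2.16 watches /var/log/sudo.log, which only exists if sudo is told to
# write it. Add the logfile default and make sure sudoers still parses; a
# syntax error here would lock everyone out of sudo.
if [ -f /etc/sudoers ] && command -v visudo >/dev/null 2>&1; then
    echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
    visudo -cf /etc/sudoers
fi

# CIS 5.2.12: audit execution of every setuid/setgid binary on each local
# filesystem. The benchmark text uses "PART" as a placeholder for a mount
# point; passing that literal word to find (as the previous version did)
# produced no rules at all. Mount points are taken from the installed
# system's /etc/fstab (every local ext/xfs filesystem anaconda created from
# the partitioning above), each searched with -xdev so nothing is counted
# twice.
echo -e "\n# CIS 5.2.12" >> /etc/audit/audit.rules
awk '$1 !~ /^#/ && $3 ~ /^(ext[234]|xfs)$/ {print $2}' /etc/fstab | sort -u | while read -r part; do
    [ -d "$part" ] || continue
    find "$part" -xdev \( -perm -4000 -o -perm -2000 \) -type f
done | sort -u | while read -r binary; do
    echo "-a always,exit -F path=$binary -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
done >> /etc/audit/audit.rules

# CIS 5.2.18: make the audit configuration immutable. This must stay the
# last line of audit.rules; once loaded, further rule changes need a reboot.
echo -e "\n# CIS 5.2.18" >> /etc/audit/audit.rules
echo "-e 2" >> /etc/audit/audit.rules

# CIS 2.1.12-2.1.18: legacy xinetd services. xinetd itself is removed in
# %packages, so these are normally no-ops; kept for trees that re-add it.
disable_service chargen-dgram   # CIS 2.1.12
disable_service chargen-stream  # CIS 2.1.13
disable_service daytime-dgram   # CIS 2.1.14
disable_service daytime-stream  # CIS 2.1.15
disable_service echo-dgram      # CIS 2.1.16
disable_service echo-stream     # CIS 2.1.17
disable_service tcpmux-server   # CIS 2.1.18

# CIS 3.1: default umask for daemons started by init. (The previous version
# printed the header to stdout instead of the file.)
echo -e "\n# CIS Benchmarks" >> /etc/sysconfig/init
echo "umask 027" >> /etc/sysconfig/init

# CIS 3.3
disable_service avahi-daemon
# CIS 3.4
disable_service cups
# CIS 3.6 (ntp.conf defaults meet requirements)
chkconfig ntpd on
# CIS 3.16 (postfix defaults meet requirements)
disable_service sendmail
alternatives --set mta /usr/sbin/sendmail.postfix
chkconfig postfix on
# CIS 5.1.3: enable rsyslog unconditionally. The old "syslog off && rsyslog on"
# skipped enabling rsyslog whenever the (absent) syslog service made the
# first command fail.
disable_service syslog
chkconfig rsyslog on
# CIS 5.2.2
chkconfig auditd on
# CIS 6.1.2
chkconfig crond on

# CIS 6.2.4
sed -i 's/^#X11Forwarding no$/X11Forwarding no/' /etc/ssh/sshd_config
sed -i '/^X11Forwarding yes$/d' /etc/ssh/sshd_config
# CIS 6.2.5
sed -i 's/^.*MaxAuthTries.*$/MaxAuthTries 4/' /etc/ssh/sshd_config
# CIS 6.2.8
sed -i 's/^#PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
# CIS 6.2.11: CTR-mode ciphers only.
echo -e "\n# CIS Benchmarks\n# CIS 6.2.11" >> /etc/ssh/sshd_config
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
# CIS 6.2.12: idle sessions are dropped after one missed keepalive (300 s).
sed -i 's/^.*ClientAliveInterval.*$/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i 's/^.*ClientAliveCountMax.*$/ClientAliveCountMax 0/' /etc/ssh/sshd_config
# CIS 6.2.14
echo "Unauthorized access is prohibited." > /etc/ssh/sshd_banner
echo -e "\n# CIS 6.2.14" >> /etc/ssh/sshd_config
echo "Banner /etc/ssh/sshd_banner" >> /etc/ssh/sshd_config

# CIS 6.3.2: password quality via pam_cracklib. The pattern is anchored and
# replaces the whole line, because the stock entry carries its own trailing
# arguments. GNU sed's basic regex needs "\+" for one-or-more; the previous
# ".+" matched a literal "+" and so never applied. PAM module arguments are
# whitespace separated: a comma-joined "minlen=14,dcredit=-1,..." is read as
# a single argument and the credit settings are silently dropped.
# NOTE(review): "sed -i" replaces the /etc/pam.d/system-auth symlink with a
# regular file, and authconfig regenerates system-auth-ac; how a later
# authconfig run interacts with these edits should be confirmed.
sed -i 's/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*$/password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/' /etc/pam.d/system-auth
# CIS 6.3.3: pam_passwdqc, inserted directly ahead of pam_cracklib so it runs
# before pam_unix's "sufficient" entry can end the stack. The previous
# version waited for a blank line after the cracklib entry, which the stock
# system-auth-ac does not appear to contain, so nothing was inserted.
sed -i '/^password.*pam_cracklib\.so/i\password    requisite     pam_passwdqc.so min=disabled,disabled,16,12,8' /etc/pam.d/system-auth
# CIS 6.3.6
sed -i 's/^\(password.*sufficient.*pam_unix.so.*\)$/\1 remember=5/' /etc/pam.d/system-auth
# CIS 6.5: only wheel members may su. Requires an admin account in wheel
# (see the note next to rootpw above).
sed -i 's/^#\(auth.*required.*pam_wheel.so.*\)$/\1/' /etc/pam.d/su

# CIS 7.1.1-7.1.3
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' /etc/login.defs

# CIS 8.1
echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net

# CIS 1.3.1: build the AIDE baseline last so it reflects the hardened state.
# Paths are the CentOS 6 aide.conf defaults (database_out is promoted to
# database); adjust if /etc/aide.conf has been customised. This can take a
# few minutes on first run.
if /usr/sbin/aide --init; then
    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi

%end
--------------------------------------------------------------------------------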