rhel9_cis.cfg

# install
cdrom
text
skipx
firstboot --disable
eula --agreed
poweroff

# geography
keyboard --vckeymap=gb --xlayouts='gb'
lang en_GB.UTF-8
timezone Europe/London --utc
timesource --ntp-server uk.pool.ntp.org

# network
network --bootproto=static --device=enp1s0 --gateway=192.168.1.1 --ip=192.168.1.50 --nameserver=192.168.1.1 --netmask=255.255.255.0 --noipv6 --activate
network --hostname=rhel9cis

# users
group --name=staff
group --name=wheel
rootpw password
user --name=simon --password=password --shell=/bin/bash --groups=staff,wheel

# 1.1.3.1 Ensure separate partition exists for /var
# 1.1.3.2 Ensure nodev option set on /var partition
# 1.1.3.3 Ensure noexec option set on /var partition
# 1.1.3.4 Ensure nosuid option set on /var partition
# 1.1.4.1 Ensure separate partition exists for /var/tmp
# 1.1.4.2 Ensure noexec option set on /var/tmp partition
# 1.1.4.3 Ensure nosuid option set on /var/tmp partition
# 1.1.4.4 Ensure nodev option set on /var/tmp partition
# 1.1.5.1 Ensure separate partition exists for /var/log
# 1.1.5.2 Ensure nodev option set on /var/log partition
# 1.1.5.3 Ensure noexec option set on /var/log partition
# 1.1.5.4 Ensure nosuid option set on /var/log partition
# 1.1.6.1 Ensure separate partition exists for /var/log/audit
# 1.1.6.2 Ensure noexec option set on /var/log/audit partition
# 1.1.6.3 Ensure nodev option set on /var/log/audit partition
# 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
# 1.1.7.1 Ensure separate partition exists for /home
# 1.1.7.2 Ensure nodev option set on /home partition
# 1.1.7.3 Ensure nosuid option set on /home partition
# 1.1.7.4 Ensure usrquota option set on /home partition
# 1.1.7.5 Ensure grpquota option set on /home partition
# 1.4.1 Ensure bootloader password is set
# 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration
# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
# 4.1.1.4 Ensure audit_backlog_limit is sufficient
ignoredisk --only-use=sda
bootloader --location=mbr --boot-drive=sda --append="audit=1 selinux=1 enforcing=1 audit_backlog_limit=8192 page_poison=1 vsyscall=none slub_debug=P pti=on" --password=password
clearpart --all --initlabel --drives=sda
part /boot --fstype xfs --size=1024 --fsoptions="nodev,nosuid,noexec"
part pv.01 --size=1 --grow --ondisk=sda --asprimary
volgroup rootvg pv.01
logvol swap             --fstype swap   --vgname=rootvg --name=swap     --size=1024
logvol /                --fstype xfs    --vgname=rootvg --name=root     --size=8192
logvol /var             --fstype xfs    --vgname=rootvg --name=var      --size=8192    --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp         --fstype xfs    --vgname=rootvg --name=vartmp   --size=1024     --fsoptions="nodev,nosuid,noexec"
logvol /var/log         --fstype xfs    --vgname=rootvg --name=log      --size=1024     --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit   --fstype xfs    --vgname=rootvg --name=audit    --size=1024     --fsoptions="nodev,nosuid,noexec"
logvol /home            --fstype xfs    --vgname=rootvg --name=home     --size=1024     --fsoptions="quota,usrquota,grpquota,nodev,nosuid,noexec"

# 1.1.9 Disable Automounting
# 1.3.1 Ensure AIDE is installed
# 1.6.1.1 Ensure SELinux is installed
# 1.6.1.6 Ensure SETroubleshoot is not installed
# 1.6.1.7 Ensure the MCS Translation Service (mcstrans) is not installed
# 1.8.1 Ensure GNOME Display Manager is removed
# 2.1.1 Ensure time synchronization is in use
# 2.2.2 Ensure X11 Server components are not installed
# 2.2.3 Ensure Avahi Server is not installed
# 2.2.4 Ensure CUPS is not installed
# 2.2.5 Ensure DHCP Server is not installed
# 2.2.7 Ensure DNS Server is not installed
# 2.2.8 Ensure FTP Server is not installed
# 2.2.9 Ensure vsftp Server is not installed
# 2.2.10 Ensure vnc server is not installed
# 2.2.11 Ensure a web server is not installed
# 2.2.12 Ensure IMAP and POP3 server is not installed
# 2.2.13 Ensure Samba is not installed
# 2.2.14 Ensure HTTP Proxy Server is not installed
# 2.2.15 Ensure net-snmp is not installed
# 2.2.17 Ensure telnet-server is not installed
# 2.2.19 Ensure nfs-utils is not installed or the nfs-server service is masked
# 2.2.20 Ensure rpcbind is not installed or the rpcbind services are masked
# 2.2.21 Ensure rsync is not installed or the rsyncd service is masked
# 2.3.4 Ensure telnet client is not installed
# 2.3.5 Ensure LDAP client is not installed
# 3.4.2.1 Ensure nftables is installed
# 3.4.2.2 Ensure firewalld is either not installed or masked with nftables
# 4.1.1.1 Ensure auditd is installed
# 4.2.1.1 Ensure rsyslog is installed
# 5.3.1 Ensure sudo is installed
%packages
@core
chrony
nftables
net-tools
aide
audit
audit-libs
libselinux
policycoreutils-python-utils
rsyslog
rsyslog-gnutls
openssl-pkcs11
opensc
tmux
bzip2
unzip
java-11-openjdk-headless
sudo
curl
tar
-kernel-modules-extra
-tigervnc-server*
-gdm
-httpd
-nginx
-tuned
-iprutils
-sssd*
-gtk3
-firewalld
-libreswan
-setroubleshoot
-mcstrans
-prelink
-xorg-x11-server-common
-avahi-daemon
-avahi
-net-snmp
-cups
-dhcp
-dhcp-server
-openldap-clients
-bind
-dnsmasq
-ftp
-vsftpd
-dovecot
-cyrus-imapd
-samba
-squid
-telnet*
-autofs
-wpa_supplicant
-b43-openfwwf
-iwl*
-tcpdump
-wireshark*
-nmap*
-iscsi-initiator-utils*
-fxload
-lsscsi
-ivtv*
-kernel-headers
-rsync
-nfs-utils
-rpcbind
%end

# 1.6.1.4 Ensure the SELinux state is enforcing
# 1.6.1.3 Ensure SELinux policy is configured
# 3.4.2.10 Ensure nftables service is enabled
# 4.1.1.2 Ensure auditd service is enabled
# 4.2.1.2 Ensure rsyslog Service is enabled
# 5.1.1 Ensure cron daemon is enabled
services --enabled=chronyd,auditd,rsyslog,crond,sshd,nftables
services --disabled=postfix,tmp.mount,rhnsd,nfs,nfs-server,rpcbind,slapd,nis-domainname
firewall --disabled
selinux --enforcing
%addon com_redhat_kdump --disable --reserve-mb='auto'
%end

# post
%post

# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf

# 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf

# 1.1.1.3 Ensure mounting of udf filesystems is disabled
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
echo "blacklist udf" >> /etc/modprobe.d/udf.conf

# 1.1.10 Disable USB Storage
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb_storage.conf
echo "blacklist usb-storage" >> /etc/modprobe.d/usb_storage.conf

# 3.1.2 Ensure SCTP is disabled
echo 'install sctp /bin/true' > /etc/modprobe.d/sctp.conf

# extra module blacklist
cat << EOF > /etc/modprobe.d/cisextra.conf
install vfat /bin/true
install tipc /bin/true
blacklist sr_mod
install sr_mod /bin/true
blacklist cdrom
install cdrom /bin/true
blacklist bluetooth
install bluetooth /bin/true
blacklist bnep
install bnep /bin/true
blacklist uvcvideo
blacklist atm
install atm /bin/true
blacklist can
install can /bin/true
EOF

# 1.5.2 Ensure address space layout randomization (ASLR) is enabled
echo 'kernel.randomize_va_space = 2' > /etc/sysctl.d/60-aslr.conf

# 3.1.1 Verify if IPv6 is enabled on the system
cat << EOF > /etc/sysctl.d/60-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF

# 3.2.1 Ensure IP forwarding is disabled
cat << EOF > /etc/sysctl.d/60-ipforwarding.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
EOF

# 3.2.2 Ensure packet redirect sending is disabled
# 3.3.2 Ensure ICMP redirects are not accepted
# 3.3.3 Ensure secure ICMP redirects are not accepted
cat << EOF > /etc/sysctl.d/60-redirects.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
EOF

# 3.3.1 Ensure source routed packets are not accepted
cat << EOF > /etc/sysctl.d/60-sourceroute.conf
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.lo.accept_source_route = 0
EOF

# 3.3.4 Ensure suspicious packets are logged
cat << EOF > /etc/sysctl.d/60-martians.conf
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
EOF

# 3.3.5 Ensure broadcast ICMP requests are ignored
echo 'net.ipv4.icmp_echo_ignore_broadcasts = 1' > /etc/sysctl.d/60-broadcasts.conf

# 3.3.6 Ensure bogus ICMP responses are ignored
echo 'net.ipv4.icmp_ignore_bogus_error_responses = 1' > /etc/sysctl.d/60-bogus.conf

# 3.3.7 Ensure Reverse Path Filtering is enabled
cat << EOF > /etc/sysctl.d/60-rpfilter.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
EOF

# 3.3.8 Ensure TCP SYN Cookies is enabled
echo 'net.ipv4.tcp_syncookies = 1' > /etc/sysctl.d/60-cookies.conf

# 3.3.9 Ensure IPv6 router advertisements are not accepted
cat << EOF > /etc/sysctl.d/60-acceptra.conf
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.lo.accept_ra = 0
EOF

# extra sysctl settings
cat << EOF > /etc/sysctl.d/60-cisextra.conf
vm.max_map_count = 262144
user.max_user_namespaces = 0
kernel.core_pattern = |/bin/false
kernel.kexec_load_disabled = 1
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 2
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope = 1
kernel.kptr_restrict = 1
kernel.sysrq = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
net.core.bpf_jit_harden = 2
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_orphans = 256
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_fin_timeout = 60
EOF

# 1.2.2 Ensure gpgcheck is globally activated
sed -i 's/^gpgcheck\s*=.*/gpgcheck=1/g' /etc/dnf/dnf.conf
sed -i 's/^gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.conf
sed -i 's/^gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
echo 'clean_requirements_on_remove=1' >> /etc/yum.conf

# 5.3.2 Ensure sudo commands use pty
# 5.3.3 Ensure sudo log file exists
# 5.3.6 Ensure sudo authentication timeout is configured correctly
cat << "EOF" > /etc/sudoers.d/01_cis
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
Defaults timestamp_timeout=0
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
EOF

# 5.3.4 Ensure users must provide password for escalation
sed -i '/^.*NOPASSWD.*$/d' /etc/sudoers
sed -i '/^.*wheel.*$/d' /etc/sudoers

# 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
sed -i '/^.*!authenticate.*$/d' /etc/sudoers

# 5.3.7 Ensure access to the su command is restricted
# 5.4.1 Create custom authselect profile
# 5.4.2 Select authselect profile
# 5.4.3 Ensure authselect includes with-faillock
# 5.5.3 Ensure password reuse is limited
authselect create-profile cis -b minimal --symlink-meta
authselect select custom/cis without-nullok with-faillock with-pamaccess --force

cat << "EOF" > /etc/authselect/custom/cis/password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_access.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok rounds=5000
password    required      pam_pwhistory.so remember=24
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF

ln -rsf /etc/authselect/custom/cis/password-auth /etc/authselect/custom/cis/system-auth

cat << "EOF" > /etc/pam.d/su
auth        sufficient  pam_rootok.so
auth        required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     include     postlogin
session     optional    pam_xauth.so
EOF

cat << "EOF" > /etc/pam.d/login
auth       substack     system-auth
auth       include      postlogin
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so noconsole
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    required     pam_limits.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
EOF

cat /dev/null > /etc/securetty

# 5.5.1 Ensure password creation requirements are configured
cat << EOF > /etc/security/pwquality.conf.d/cis.conf
minlen = 16
minclass = 4
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
maxrepeat = 3
difok = 8
maxclassrepeat = 4
dictcheck = 1
EOF

sed -i 's/^.*PASS_MIN_LEN.*$/PASS_MIN_LEN 16/g' /etc/login.defs

# 5.5.2 Ensure lockout for failed password attempts is configured
cat << EOF > /etc/security/faillock.conf
unlock_time = 900
deny = 3
fail_interval = 900
silent
audit
EOF

sed -i 's/^.*LOGIN_RETRIES.*$/LOGIN_RETRIES 3/g' /etc/login.defs
sed -i 's/^.*FAIL_DELAY.*$/FAIL_DELAY 4/g' /etc/login.defs

# 5.5.4 Ensure password hashing algorithm is SHA-512
sed -i 's/^.*ENCRYPT_METHOD.*$/ENCRYPT_METHOD SHA512/g' /etc/login.defs
sed -i 's/^.*crypt_style.*$/crypt_style = sha512/g' /etc/libuser.conf

# 5.6.1.1 Ensure password expiration is 365 days or less
sed -i 's/^.*PASS_MAX_DAYS.*$/PASS_MAX_DAYS 30/g' /etc/login.defs

# 5.6.1.2 Ensure minimum days between password changes is 7 or more
sed -i 's/^.*PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/g' /etc/login.defs

# 5.6.1.3 Ensure password expiration warning days is 7 or more
sed -i 's/^.*PASS_WARN_AGE.*$/PASS_WARN_AGE 7/g' /etc/login.defs

# 5.6.1.4 Ensure inactive password lock is 30 days or less
sed -i 's/^.*INACTIVE.*$/INACTIVE=1/g' /etc/default/useradd

# 5.6.3 Ensure default user shell timeout is 900 seconds or less
# 5.6.5 Ensure default user umask is 027 or more restrictive
cat << EOF > /etc/profile.d/cis.sh
umask 027
readonly TMOUT=600
export TMOUT
export PATH=/sbin:/bin:/usr/sbin:/usr/bin
EOF

cat << EOF > /etc/profile.d/cis.csh
umask 027
set autologout=10
set -r autologout=10
setenv PATH /sbin:/bin:/usr/sbin:/usr/bin
EOF

sed -i 's/^.*UMASK.*$/UMASK 027/g' /etc/login.defs
sed -i 's/umask\s\+[0-9]\+/umask 027/g' /etc/bashrc
sed -i 's/umask\s\+[0-9]\+/umask 027/g' /etc/profile
sed -i 's/umask\s\+[0-9]\+/umask 027/g' /etc/csh.cshrc

# 5.6.4 Ensure default group for the root account is GID 0
usermod -g 0 root

# 1.4.2 Ensure permissions on bootloader config are configured
sed -i 's/^GRUB_TIMEOUT=.*$/GRUB_TIMEOUT=3/'
grub2-mkconfig --output=/boot/grub2/grub.cfg
chmod 600 /boot/grub2/grub.cfg
chown root:root /boot/grub2/grub.cfg
chmod 600 /boot/grub2/grubenv
chown root:root /boot/grub2/grubenv
chmod 600 /boot/grub2/user.cfg
chown root:root /boot/grub2/user.cfg

# 1.5.1 Ensure core dumps are restricted
echo '* hard core 0' > /etc/security/limits.d/core.conf
echo 'fs.suid_dumpable = 0' > /etc/sysctl.d/core.conf
sed -i 's/^.*Storage=.*$/Storage=none/g' /etc/systemd/coredump.conf
sed -i 's/^.*ProcessSizeMax=.*$/ProcessSizeMax=0/g' /etc/systemd/coredump.conf
echo '* hard maxlogins 10 ' >> /etc/security/limits.conf
systemctl mask systemd-coredump.socket

# 1.7.1 Ensure message of the day is configured properly
# 1.7.4 Ensure permissions on /etc/motd are configured
# 1.7.2 Ensure local login warning banner is configured properly
# 1.7.5 Ensure permissions on /etc/issue are configured
# 1.7.3 Ensure remote login warning banner is configured properly
# 1.7.6 Ensure permissions on /etc/issue.net are configured
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
chown root:root /etc/issue
chmod 644 /etc/issue
cat /dev/null > /etc/motd
cp /etc/issue /etc/issue.net
chmod 644 /etc/issue /etc/issue.net /etc/motd
chown root:root /etc/issue /etc/issue.net /etc/motd

# 3.1.4 Ensure wireless interfaces are disabled
cat << "EOF" > /usr/local/bin/fbradio.sh
#!/bin/sh
nmcli radio all off
rm /usr/local/bin/fbradio.sh /etc/systemd/system/fbradio.service /etc/systemd/system/multi-user.target.wants/fbradio.service
systemctl daemon-reload
EOF
chmod 755 /usr/local/bin/fbradio.sh
chown root.root /usr/local/bin/fbradio.sh

cat << "EOF" > /etc/systemd/system/fbradio.service
[Unit]
Description=Runs nmcli on first boot
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/fbradio.sh

[Install]
WantedBy=multi-user.target
EOF
systemctl enable fbradio.service
restorecon /usr/local/bin/fbradio.sh

# 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
cat << EOF > /etc/audit/rules.d/50-scope.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
EOF

# 4.1.3.2 Ensure actions as another user are always logged
cat << EOF > /etc/audit/rules.d/50-user_emulation.rules
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
EOF

# 4.1.3.3 Ensure events that modify the sudo log file are collected
echo '-w /var/log/sudo.log -p wa -k sudo_log_file' > /etc/audit/rules.d/50-sudo.rules

# 4.1.3.4 Ensure events that modify date and time information are collected
cat << EOF > /etc/audit/rules.d/50-time-change.rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
EOF

# 4.1.3.5 Ensure events that modify the system's network environment are collected
cat << EOF > /etc/audit/rules.d/50-system_local.rules
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
EOF

# 4.1.3.6 Ensure use of privileged commands are collected
cat << EOF > /etc/audit/rules.d/50-privileged.rules
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
EOF

# 4.1.3.7 Ensure unsuccessful file access attempts are collected
cat << EOF > /etc/audit/rules.d/50-access.rules
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
EOF

# 4.1.3.8 Ensure events that modify user/group information are collected
cat << EOF > /etc/audit/rules.d/50-identity.rules
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
EOF

# 4.1.3.9 Ensure discretionary access control permission modification events are collected
cat << EOF > /etc/audit/rules.d/50-perm_mod.rules
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
EOF

# 4.1.3.10 Ensure successful file system mounts are collected
cat << EOF > /etc/audit/rules.d/50-mounts.rules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
EOF

# 4.1.3.11 Ensure session initiation information is collected
cat << EOF > /etc/audit/rules.d/50-session.rules
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
EOF

# 4.1.3.12 Ensure login and logout events are collected
cat << EOF > /etc/audit/rules.d/50-login.rules
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
EOF

# 4.1.3.13 Ensure file deletion events by users are collected
cat << EOF > /etc/audit/rules.d/50-delete.rules
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -F key=delete
EOF

# 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
cat << EOF > /etc/audit/rules.d/50-MAC-policy.rules
-w /etc/selinux -p wa -k MAC-policy
-w /usr/share/selinux -p wa -k MAC-policy
EOF

# 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
# 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
# 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded
cat << EOF > /etc/audit/rules.d/50-perm_chng.rules
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
EOF

# 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
echo '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod' > /etc/audit/rules.d/50-usermod.rules

# 4.1.3.19 Ensure kernel module loading unloading and modification is collected
cat << EOF > /etc/audit/rules.d/50-kernel_modules.rules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
EOF

# 4.1.3.20 Ensure the audit configuration is immutable
echo '-e 2' > /etc/audit/rules.d/99-finalize.rules
augenrules

# 4.1.4.1 Ensure audit log files are not read or write-accessible by unauthorized users
chmod 600 /var/log/audit/*

# 4.1.4.2 Ensure only authorized users own audit log files
# 4.1.4.3 Ensure only authorized groups ownership of audit log files
chown root:root /var/log/audit/*

# 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
chmod 700 /var/log/audit

# 4.1.4.5 Ensure audit configuration files are 0640 or more restrictive
chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*

# 4.1.4.6 Ensure only authorized accounts own the audit configuration files
# 4.1.4.7 Ensure only authorized groups own the audit configuration files
chown root:root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*

# sane auditd settings
sed -i 's/^max_log_file\s*=\s*.*$/max_log_file = 64/g' /etc/audit/auditd.conf
sed -i 's/^num_logs\s*=\s*.*$/num_logs = 60/g' /etc/audit/auditd.conf
sed -i 's/^overflow_action\s*=\s*.*$/overflow_action = SYSLOG/g' /etc/audit/auditd.conf
sed -i 's/^space_left\s*=\s*.*$/space_left = 25%/g' /etc/audit/auditd.conf
sed -i 's/^disk_full_action.*$/disk_full_action = SYSLOG/g' /etc/audit/auditd.conf
sed -i 's/^disk_error_action.*$/disk_error_action = SYSLOG/g' /etc/audit/auditd.conf
sed -i 's/^name_format.*$/name_format = hostname/g' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action.*$/max_log_file_action = ROTATE/g' /etc/audit/auditd.conf
sed -i 's/^space_left_action.*$/space_left_action = SYSLOG/g' /etc/audit/auditd.conf
sed -i 's/^admin_space_left_action.*$/admin_space_left_action = ROTATE/g' /etc/audit/auditd.conf

# 4.2.1.3 Ensure rsyslog default file permissions configured
# 4.2.1.4 Ensure logging is configured
cat << "EOF" > /etc/rsyslog.d/cis.conf
$FileCreateMode 0640
*.emerg                                  :omusrmsg:*
auth,authpriv.*                          /var/log/secure
mail.*                                  -/var/log/mail
mail.info                               -/var/log/mail.info
mail.warning                            -/var/log/mail.warn
mail.err                                 /var/log/mail.err
cron.*                                   /var/log/cron
*.=warning;*.=err                       -/var/log/warn
*.crit                                   /var/log/warn
*.*;mail.none;news.none                 -/var/log/messages
local0,local1.*                         -/var/log/localmessages
local2,local3.*                         -/var/log/localmessages
local4,local5.*                         -/var/log/localmessages
local6,local7.*                         -/var/log/localmessages
EOF
chmod 644 /etc/rsyslog.d/cis.conf
chown root.root /etc/rsyslog.d/cis.conf
sed -i 's/^auth.*$/auth,authpriv.*;daemon.* \/var\/log\/secure/g' /etc/rsyslog.conf

# 4.2.2.1 Ensure journald is configured to send logs to rsyslog
sed -i 's/^.*ForwardToSyslog.*$/ForwardToSyslog=yes/g' /etc/systemd/journald.conf

# 4.2.2.2 Ensure journald is configured to compress large log files
sed -i 's/^.*Compress.*$/Compress=yes/g' /etc/systemd/journald.conf

# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk
sed -i 's/^.*Storage.*$/Storage=persistent/g' /etc/systemd/journald.conf

# 4.3 Ensure logrotate is configured
cat << "EOF" > /etc/logrotate.d/cis
/var/log/localmessages
/var/log/sudo.log
{
    weekly
    missingok
    rotate 4
    compress
    notifempty
    sharedscripts
    create 0600 root root
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
chmod 644 /etc/logrotate.d/cis
chown root:root /etc/logrotate.d/cis
sed -i 's/^#.*compress$/compress/g' /etc/logrotate.conf
sed -i 's/^rotate 4/rotate 13/' /etc/logrotate.conf

# 5.1.2 Ensure permissions on /etc/crontab are configured
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured
# 5.1.4 Ensure permissions on /etc/cron.daily are configured
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured
# 5.1.7 Ensure permissions on /etc/cron.d are configured
chmod 600 /etc/crontab /etc/cron.allow /etc/at.allow
chown root:root /etc/crontab /etc/cron.allow /etc/at.allow
chmod 700 /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d
chown root:root /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d

# 5.1.8 Ensure cron is restricted to authorized users
# 5.1.9 Ensure at is restricted to authorized users
cat /dev/null > /etc/cron.allow
cat /dev/null > /etc/at.allow
rm /etc/cron.deny /etc/at.deny

# 5.2.2 Ensure SSH access is limited
# 5.2.5 Ensure SSH LogLevel is appropriate
# 5.2.6 Ensure SSH X11 forwarding is disabled
# 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
# 5.2.8 Ensure SSH IgnoreRhosts is enabled
# 5.2.9 Ensure SSH HostbasedAuthentication is disabled
# 5.2.10 Ensure SSH root login is disabled
# 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
# 5.2.12 Ensure SSH PermitUserEnvironment is disabled
# 5.2.13 Ensure SSH Idle Timeout Interval is configured
# 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
# 5.2.15 Ensure SSH warning banner is configured
# 5.2.16 Ensure SSH PAM is enabled
# 5.2.17 Ensure SSH AllowTcpForwarding is disabled
# 5.2.18 Ensure SSH MaxStartups is configured
# 5.2.19 Ensure SSH MaxSessions is set to 10 or less
cat <<EOF > /etc/ssh/sshd_config
AddressFamily inet
ListenAddress 0.0.0.0
Protocol 2
AllowGroups staff
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
X11UseLocalhost yes
PrintMotd no
PrintLastLog yes
PermitTunnel no
UseDNS no
Banner /etc/issue.net
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
KerberosAuthentication no
Compression no
IgnoreUserKnownHosts yes
MaxStartups 10:30:60
MaxSessions 4
RekeyLimit 1G 1h
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

sed -i 's/^.*StrictHostKeyChecking.*$/StrictHostKeyChecking ask/g' /etc/ssh/ssh_config

# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
chmod 600 /etc/ssh/sshd_config
chown root:root /etc/ssh/sshd_config

# 1.11 Ensure system-wide crypto policy is not legacy
update-crypto-policies --set FUTURE
sed -i 's/^.*CRYPTO_POLICY.*$/CRYPTO_POLICY=/' /etc/sysconfig/sshd

# 6.1.3 Ensure permissions on /etc/passwd are configured
# 6.1.4 Ensure permissions on /etc/shadow are configured
# 6.1.5 Ensure permissions on /etc/group are configured
# 6.1.6 Ensure permissions on /etc/gshadow are configured
# 6.1.7 Ensure permissions on /etc/passwd- are configured
# 6.1.8 Ensure permissions on /etc/shadow- are configured
# 6.1.9 Ensure permissions on /etc/group- are configured
# 6.1.10 Ensure permissions on /etc/gshadow- are configured
chmod 644 /etc/passwd /etc/passwd- /etc/group /etc/group-
chmod 000 /etc/shadow /etc/shadow- /etc/gshadow /etc/gshadow-
chown root.root /etc/passwd /etc/passwd- /etc/group /etc/group-
chown root.root /etc/shadow /etc/shadow- /etc/gshadow /etc/gshadow-
chmod 700 /root /home/simon

# 6.2.2 Ensure root PATH Integrity
sed -i 's/^.*PATH=.*/PATH=$PATH/g' /etc/skel/.bashrc /root/.bashrc

# 6.2.7 Ensure no users have .forward files
find /home -name .forward -exec rm {} \;

# 6.2.8 Ensure no users have .netrc files
find /home -name .netrc -exec rm {} \;

# 6.2.10 Ensure no users have .rhosts files
find /home -name .rhosts -exec rm {} \;

# 2.1.2 Ensure chrony is configured
sed -i 's/OPTIONS=.*$/OPTIONS="-4 -u chrony"/' /etc/sysconfig/chronyd
cat << EOF >> /etc/chrony.conf
port 0
cmdport 0
EOF

# 1.1.2.1 Ensure /tmp is a separate partition
# 1.1.2.2 Ensure nodev option set on /tmp partition
# 1.1.2.3 Ensure noexec option set on /tmp partition
# 1.1.2.4 Ensure nosuid option set on /tmp partition
# 1.1.8.1 Ensure nodev option set on /dev/shm partition
# 1.1.8.2 Ensure noexec option set on /dev/shm partition
# 1.1.8.3 Ensure nosuid option set on /dev/shm partition
cat << EOF >> /etc/fstab
tmpfs   /dev/shm    tmpfs   defaults,nodev,nosuid,noexec,size=2G    0 0
tmpfs   /tmp        tmpfs   defaults,nodev,nosuid,noexec,size=2G    0 0
EOF

# 3.4.2 Configure nftables
echo 'include "/etc/nftables/cis-filter"' > /etc/sysconfig/nftables.conf
cat << EOF > /etc/nftables/cis-filter
#!/usr/sbin/nft -f

# default chains
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }

# input rules
add rule ip filter INPUT iif lo accept
add rule ip filter INPUT ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
add rule ip filter INPUT ct state related,established accept
add rule ip filter INPUT ct state invalid drop
add rule ip filter INPUT ct state new tcp dport 22 accept

# drop ipv6
add table ip6 filter
add chain ip6 filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip6 filter OUTPUT { type filter hook output priority 0; policy drop; }
EOF

# 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools
cat << "EOF" >> /etc/aide.conf
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
EOF

# disable 169.254.0.0/16 route
echo 'NOZEROCONF=yes' > /etc/sysconfig/network

# false/debug shells
sed -i '/^.*\/nologin$/d' /etc/shells
systemctl mask debug-shell.service

# delete users
userdel -rf ftp
groupdel -f ftp
userdel -rf games
groupdel -f games

# empty hosts.equiv
cat /dev/null > /etc/hosts.equiv
chown root.root /etc/hosts.equiv
chmod 000 /etc/hosts.equiv

# disable ctrl-alt-delete
systemctl mask ctrl-alt-del.target
sed -i 's/^.*StorageCtrlAltDelBurstAction=.*$/StorageCtrlAltDelBurstAction=none/g' /etc/systemd/system.conf

# rebuild initrd to remove modules
dracut -f -H --regenerate-all

# enable trim
systemctl enable fstrim.timer

# 1.3.2 Ensure filesystem integrity is regularly checked
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "0 5 * * * /usr/sbin/aide --check" > /tmp/crontab.root
crontab /tmp/crontab.root
rm /tmp/crontab.root
%end