CIS benchmark for RHE7

Latest response

We are working with IBM bigfix and configuring CIS benchmark for RHE7 wanted to ask if anyone have a template done so we could check and compare

Responses

Here are some hardning tips i can share with you. Hope it will be useful for your somewhere.

!/bin/bash Title: RHEL 7 Hardening Author: Kamal Kishore Date: 01/09/2018

#

DESCRIPTION: MODIFY / CHANGE / UPDATE / CONFIGURE

#

Configure File Systems

# touch /etc/modprobe.d/CIS.conf echo "install freevxfs /bin/true" >> /etc/modprobe.d/CIS.conf echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS.conf echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.conf echo "install hfsplus /bin/true" >> /etc/modprobe.d/CIS.conf echo "install squashfs /bin/true" >> /etc/modprobe.d/CIS.conf echo "install udf /bin/true" >> /etc/modprobe.d/CIS.conf echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf # # sed -i.date +%d%m%Y_%H:%M.%S 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf #

Configure SELinux

sed -i.date +%d%m%Y_%H:%M.%S '/selinux=0/d' /etc/grub.conf sed -i.date +%d%m%Y_%H:%M.%S '/enforcing=0/d' /etc/grub.conf sed -i.date +%d%m%Y_%H:%M.%S 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config sed -i.date +%d%m%Y_%H:%M.%S 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config # # cp /etc/grub.conf /etc/grub.conf.date +%d%m%Y_%H:%M.%S chown root:root /etc/grub.conf chmod og-rwx /etc/grub.conf # # sed -i.date +%d%m%Y_%H:%M.%S "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init sed -i.date +%d%m%Y_%H:%M.%S 's/PROMPT=yes/PROMPT=no/g' /etc/sysconfig/init cp /etc/sysconfig/init /etc/sysconfig/init.date +%d%m%Y_%H:%M.%S echo "umask 027" >> /etc/sysconfig/init # # cp /etc/security/limits.conf /etc/security/limits.conf.date +%d%m%Y_%H:%M.%S echo "* hard core 0" >> /etc/security/limits.conf cp /etc/sysctl.conf /etc/sysctl.conf.date +%d%m%Y_%H:%M.%S echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf echo "kernel.exec-shield = 1" >> /etc/sysctl.conf echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.secure_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.secure_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf echo "net.ipv6.conf.all.accept_ra=0" >> /etc/sysctl.conf echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0 /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 sysctl -w net.ipv6.conf.all.accept_redirects=0 sysctl -w net.ipv6.conf.default.accept_redirects=0 /sbin/sysctl -w net.ipv4.route.flush=1 /sbin/sysctl -w net.ipv6.route.flush=1 # # sed -i.date +%d%m%Y_%H:%M.%S 's/id:5:initdefault/id:3:initdefault/g' /etc/inittab # # sed -i.date +%d%m%Y_%H:%M.%S 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g' /etc/sysconfig/network sed -i.date +%d%m%Y_%H:%M.%S 's/IPV6INIT=yes/IPV6INIT=no/g' /etc/sysconfig/network touch /etc/modprobe.d/ipv6.conf echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf # # touch /etc/hosts.allow chmod 644 /etc/hosts.allow touch /etc/hosts.deny chmod 644 /etc/hosts.deny # #

Disable Network Protocols

echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf # #

System Maintenance

/bin/chmod 644 /etc/passwd /bin/chmod 000 /etc/shadow /bin/chmod 000 /etc/gshadow chmod 644 /etc/group chown root:root /etc/passwd /bin/chown root:root /etc/shadow chown root:root /etc/gshadow /bin/chown root:root /etc/group usermod -g 0 root useradd -D -f 35 # #

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.