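#!/usr/bin/env bash
#
# Host hardening remediation for RHEL-family systems (rpm/dnf/authselect).
#
# Each section of main() enforces one setting — systemd-coredump limits,
# sysctl network/kernel keys, sshd options, pwquality/faillock/pwhistory
# limits, cron file permissions, sudo and rsyslog logging, journald, AIDE,
# login banners, the usb-storage module denylist and the default shell
# timeout — and prints what it found or changed to stdout.
#
# Usage: run as root, no arguments.
#
# The script intentionally does not use `set -e`: the sections are
# independent, and a failing step (absent file, missing package, sysctl key
# not present on this kernel) must not stop the remaining remediations.

readonly SYSCTL_V4_FILE=/etc/sysctl.d/60-netipv4_sysctl.conf
readonly SYSCTL_V6_FILE=/etc/sysctl.d/60-netipv6_sysctl.conf
readonly SYSCTL_KERNEL_FILE=/etc/sysctl.d/60-kernel_sysctl.conf
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly COREDUMP_CONF=/etc/systemd/coredump.conf.d/60-coredump.conf
readonly JOURNALD_CONF=/etc/systemd/journald.conf.d/60-journald.conf
readonly PWQUALITY_CONF=/etc/security/pwquality.conf
readonly PWQUALITY_DIR=/etc/security/pwquality.conf.d
readonly BANNER_TEXT="Authorized users only. All activity may be monitored and reported."

# Written by ensure_line: "y" when its last call modified the file, else "n".
LINE_CHANGED=n

die() { printf '%s\n' "$*" >&2; exit 1; }

# Print a section heading: a blank line followed by the heading text.
section() { printf '\n%s\n' "$1"; }

#######################################
# Ensure a configuration line is present and active in a file.
#
# An "active" line is one that is not commented out. When the wanted text is
# absent, every line that assigns the key — active or commented out with a
# single leading '#' — is replaced with the wanted line; if the key does not
# occur at all the line is appended (unless $5 is "no"). The key is matched at
# the start of the line, so prose comments mentioning it elsewhere are left
# alone. Several matching lines all become the wanted line; duplicates are
# harmless for the key/value formats handled here.
#
# Globals:   LINE_CHANGED (written): "y" if the file was modified, else "n"
# Arguments: $1 file (its directory is created if missing)
#            $2 key, as a GNU basic-regex fragment (e.g. Storage, net\.ipv4\.ip_forward)
#            $3 line to write
#            $4 text that counts as "already present" (default: $3)
#            $5 "no" to skip appending when the key is absent (default: yes)
# Outputs:   one status message on stdout
# Returns:   0 on success, non-zero if sed or the append failed
#######################################
ensure_line() {
  local file=$1 key=$2 line=$3 present=${4:-$3} append=${5:-yes}
  local pattern="^[[:space:]]*#\\?[[:space:]]*${key}\\b"
  LINE_CHANGED=n
  [[ $file == */* ]] && mkdir -p -- "${file%/*}"
  # Only non-comment lines count as "present", so '#MaxAuthTries 4' is not
  # mistaken for an active setting.
  if grep -vs '^[[:space:]]*#' -- "$file" | grep -qF -- "$present"; then
    printf "The line '%s' is already present in the file.\n" "$present"
    return 0
  fi
  if grep -qs -- "$pattern" "$file"; then
    sed -i "/${pattern}/c\\${line}" -- "$file" || return
    printf "The line containing '%s' was replaced with '%s'.\n" "$key" "$line"
  elif [ "$append" = yes ]; then
    printf '%s\n' "$line" >> "$file" || return
    printf "The string '%s' was not found in the file and added.\n" "$key"
  else
    printf "The string '%s' was not found in the file %s\n" "$key" "$file"
    return 0
  fi
  LINE_CHANGED=y
}

#######################################
# Persist a sysctl key in a drop-in file and apply it to the running kernel.
# The value is applied on every run (not only when the file changed) so the
# kernel state matches the file; route caches are flushed for net.ipv4/ipv6.
# Arguments: $1 sysctl.d file, $2 key (dotted), $3 value
# Outputs:   ensure_line and sysctl messages on stdout
#######################################
ensure_sysctl() {
  local file=$1 key=$2 value=$3
  local key_re=${key//./\\.}   # dots in the key are literal in the regex
  ensure_line "$file" "$key_re" "$key = $value"
  sysctl -w "$key=$value"
  case $key in
    net.ipv4.*) sysctl -w net.ipv4.route.flush=1 ;;
    net.ipv6.*) sysctl -w net.ipv6.route.flush=1 ;;
  esac
}

#######################################
# Comment out an active setting in the main pwquality.conf so the drop-in
# file value takes effect. Idempotent: already-commented lines don't match.
# Arguments: $1 key as a GNU basic-regex fragment (e.g. minclass, [dulo]credit)
#######################################
disable_pwquality_default() {
  local key=$1
  sed -i "s/^[[:space:]]*${key}[[:space:]]*=/# &/" "$PWQUALITY_CONF"
}

#######################################
# Move a pwquality setting into a drop-in file.
# Arguments: $1 key, $2 value, $3 drop-in file under pwquality.conf.d
#######################################
ensure_pwquality() {
  local key=$1 value=$2 dfile=$3
  disable_pwquality_default "$key"
  ensure_line "$dfile" "$key" "$key = $value"
}

#######################################
# Make a cron path root-owned with the given mode, then show its state.
# Arguments: $1 path, $2 chmod mode (symbolic or octal)
# Outputs:   owner:group, octal mode and path via stat
# Returns:   0 when the path exists, 1 when it is absent
#######################################
harden_cron_path() {
  local path=$1 mode=$2
  if [ ! -e "$path" ]; then
    printf '%s does not exist.\n' "$path"
    return 1
  fi
  chown -- root:root "$path"
  chmod -- "$mode" "$path"
  stat -c '%U:%G %a %n' -- "$path"
}

#######################################
# Unload a kernel module, map it to /bin/false and denylist it (CIS style).
# Arguments: $1 module name as spelled in /lib/modules (e.g. usb-storage)
#            $2 subtree under <kver>/kernel where it lives (e.g. drivers)
# Outputs:   where the module was found and each action taken, on stdout
# Returns:   0 (reports problems, does not abort the script)
#######################################
remediate_kernel_module() {
  local mod_name=$1 mod_type=$2
  local mod_us=${mod_name//-/_}      # lsmod/modprobe spell it with '_'
  local mod_subdir=${mod_name/-//}   # usb-storage -> usb/storage in the tree
  local conf="/etc/modprobe.d/${mod_name}.conf"
  local -a bases=() found=() actions=()
  local base showconfig

  mapfile -t bases < <(readlink -f /lib/modules/*/kernel/"$mod_type" 2>/dev/null | sort -u)
  for base in "${bases[@]}"; do
    if [ -d "$base/$mod_subdir" ] \
      && [ -n "$(find "$base/$mod_subdir" -mindepth 1 -print -quit 2>/dev/null)" ]; then
      found+=("$base")
    else
      printf " - kernel module: \"%s\" doesn't exist in \"%s\"\n" "$mod_name" "$base"
    fi
  done
  [ "${#found[@]}" -gt 0 ] || return 0

  showconfig=$(modprobe --showconfig 2>/dev/null \
    | grep -E -- "\b(install|blacklist)[[:blank:]]+${mod_us}\b")
  if lsmod | grep -qw -- "$mod_us"; then
    actions+=(" - unloading kernel module: \"$mod_name\"")
    modprobe -r "$mod_name" 2>/dev/null || rmmod "$mod_name" 2>/dev/null
  fi
  if ! grep -qE -- "\binstall[[:blank:]]+${mod_us}[[:blank:]]+/bin/(true|false)\b" <<< "$showconfig"; then
    actions+=(" - setting kernel module: \"$mod_name\" to \"/bin/false\"")
    printf '%s\n' "install $mod_name /bin/false" >> "$conf"
  fi
  if ! grep -qE -- "\bblacklist[[:blank:]]+${mod_us}\b" <<< "$showconfig"; then
    actions+=(" - denylisting kernel module: \"$mod_name\"")
    printf '%s\n' "blacklist $mod_name" >> "$conf"
  fi

  printf '\n-- INFO --\n- module: "%s" exists in:\n' "$mod_name"
  printf '  - "%s"\n' "${found[@]}"
  [ "${#actions[@]}" -gt 0 ] && printf '%s\n' "${actions[@]}"
  printf '\n- remediation of kernel module: "%s" complete\n\n' "$mod_name"
}

main() {
  local profile banner_path f sudoers_backup

  (( EUID == 0 )) || die "This script must be run as root."

  section "# Core dump Settings"
  mkdir -p /etc/systemd/coredump.conf.d/
  # The drop-in needs a [Coredump] section header before any key.
  if ! grep -qs -- '^[[:space:]]*\[Coredump\]' "$COREDUMP_CONF"; then
    printf '%s\n' "[Coredump]" >> "$COREDUMP_CONF"
  fi
  printf '%s\n' "# Ensure Core Dump backtraces are disabled - Storage=none"
  ensure_line "$COREDUMP_CONF" Storage "Storage=none"

  section "# Ensure suspicious packets are logged "
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.all.log_martians 1
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.default.log_martians 1
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.ip_forward 0

  section "# Ensure permissions on /etc/cron.weekly are configured"
  harden_cron_path /etc/cron.weekly og-rwx

  # NOTE(review): sshd_config on recent releases includes sshd_config.d/*.conf
  # first; a drop-in there would override the values written below. Confirm
  # none exists, and restart sshd for the edits to take effect.
  section "# Ensure sshd MaxAuthTries is set to 4"
  ensure_line "$SSHD_CONFIG" MaxAuthTries "MaxAuthTries 4"
  section "# Ensure sshd ClientAliveInterval 15 configured"
  ensure_line "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 15"
  section "# Ensure sshd ClientAliveCountMax 3 configured"
  ensure_line "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 3"

  section "# Ensure Core Dump backtraces are disabled - ProcessSizeMax=0"
  ensure_line "$COREDUMP_CONF" ProcessSizeMax "ProcessSizeMax=0"

  section "# Ensure password history remember is configured /etc/security/pwhistory.conf - remember = 24"
  ensure_line /etc/security/pwhistory.conf remember "remember = 24"

  section "Ensure systemd-journal-remote is installed - systemd-journal-remote-0.0.0-0"
  if rpm -q systemd-journal-remote &>/dev/null; then
    printf '%s\n' "systemd-journal-remote is installed."
  else
    printf '%s\n' "systemd-journal-remote is not installed. Installing now..."
    dnf install -y systemd-journal-remote \
      && printf '%s\n' "rpm systemd-journal-remote is installed"
  fi

  section "Ensure Defaults logfile=/var/log/sudo.log entry exists in /etc/sudoers file"
  # A malformed sudoers locks everyone out of sudo, so validate after the edit
  # and roll back to the saved copy if visudo rejects the result.
  if sudoers_backup=$(mktemp); then
    cp -p /etc/sudoers "$sudoers_backup"
    ensure_line /etc/sudoers 'Defaults logfile' 'Defaults logfile="/var/log/sudo.log"'
    if ! visudo -cf /etc/sudoers >/dev/null 2>&1; then
      printf '%s\n' "WARNING: /etc/sudoers failed visudo validation after the edit; restoring the previous copy" >&2
      cp -p "$sudoers_backup" /etc/sudoers
    fi
    rm -f -- "$sudoers_backup"
  else
    printf '%s\n' "WARNING: mktemp failed; /etc/sudoers left unchanged" >&2
  fi

  section "Ensure password failed attempts lockout is configured. In file /etc/security/faillock.conf check entry deny = 5"
  ensure_line /etc/security/faillock.conf deny "deny = 5"

  section "Ensure tcp syn cookies is enabled. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.tcp_syncookies = 1"
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.tcp_syncookies 1

  section "# Ensure password maximum sequential characters is configured"
  mkdir -p "$PWQUALITY_DIR"
  ensure_pwquality maxsequence 3 "$PWQUALITY_DIR/50-pwmaxsequence.conf"

  section "# Ensure password number of changed characters is configured"
  ensure_pwquality difok 2 "$PWQUALITY_DIR/50-pwdifok.conf"

  section "# Ensure local login warning banner is configured properly"
  printf '%s\n' "$BANNER_TEXT" > /etc/issue
  printf '%s\n' "$BANNER_TEXT" > /etc/issue.net

  section "# Ensure usb-storage kernel module is not available"
  remediate_kernel_module usb-storage drivers

  section "# Ensure password complexity is configured"
  # All complexity keys go to the same drop-in; each is appended with
  # ensure_line so minclass is not overwritten by the credit settings.
  ensure_pwquality minclass 4 "$PWQUALITY_DIR/50-pwcomplexity.conf"
  ensure_pwquality dcredit -1 "$PWQUALITY_DIR/50-pwcomplexity.conf"
  ensure_pwquality ucredit -1 "$PWQUALITY_DIR/50-pwcomplexity.conf"
  ensure_pwquality ocredit -1 "$PWQUALITY_DIR/50-pwcomplexity.conf"
  ensure_pwquality lcredit -1 "$PWQUALITY_DIR/50-pwcomplexity.conf"

  section "# Ensure permissions on /etc/ssh/sshd_config are configured"
  chmod u-x,og-rwx "$SSHD_CONFIG"
  chown root:root "$SSHD_CONFIG"
  while IFS= read -r -d '' f; do
    [ -e "$f" ] || continue
    chmod u-x,og-rwx "$f"
    chown root:root "$f"
  done < <(find /etc/ssh/sshd_config.d -type f -print0 2>/dev/null)

  section "# Ensure journald Compress is configured"
  ensure_line "$JOURNALD_CONF" Compress "Compress=yes"
  section "# Ensure journald Storage is configured"
  ensure_line "$JOURNALD_CONF" Storage "Storage=persistent"
  section "# Ensure journald ForwardToSyslog is configured"
  ensure_line "$JOURNALD_CONF" ForwardToSyslog "ForwardToSyslog=yes"

  section "# Ensure sshd LoginGraceTime is configured"
  ensure_line "$SSHD_CONFIG" LoginGraceTime "LoginGraceTime 60"

  section "#Ensure rsyslog log file creation mode is configured"
  # NOTE(review): the directive text is kept from the original script;
  # confirm that `FileCreateMode="0640"` is the form accepted by the installed
  # rsyslog (the legacy form is `$FileCreateMode 0640`). The key regex allows
  # an optional leading '$' so legacy lines are found and replaced too.
  ensure_line /etc/rsyslog.conf '\$\?FileCreateMode' \
    'FileCreateMode="0640" # Set the access permissions for the state file' \
    'FileCreateMode="0640"' no
  if [ "$LINE_CHANGED" = y ]; then
    systemctl restart rsyslog && printf '%s\n' "Service rsyslog restarted"
  fi

  section "# Ensure sshd Banner is configured"
  banner_path=$(sshd -T 2>/dev/null | awk '$1 == "banner" {print $2}')
  if [ -z "$banner_path" ] || [ "$banner_path" = none ]; then
    # No banner file configured (or sshd -T failed): point sshd at
    # /etc/issue.net rather than writing a file literally named "none".
    banner_path=/etc/issue.net
    ensure_line "$SSHD_CONFIG" Banner "Banner $banner_path"
  fi
  printf '%s\n' "$BANNER_TEXT" > "$banner_path"

  section "#Ensure address space layout randomization is enabled"
  ensure_sysctl "$SYSCTL_KERNEL_FILE" kernel.randomize_va_space 2

  section "# Ensure systemd-journal-upload is enabled and active"
  systemctl unmask systemd-journal-upload.service
  systemctl --now enable systemd-journal-upload.service \
    && section "# systemd-journal-upload is enabled and active"

  section "#Ensure pam_unix does not include nullok"
  profile=$(head -n 1 /etc/authselect/authselect.conf 2>/dev/null)
  if [[ ! "$profile" =~ ^custom/ ]]; then
    printf '%s\n' ' - Follow Recommendation "Ensure custom authselect profile is used" and then return to this Recommendation'
  else
    # Audit only: show the pam_unix.so lines of the active custom profile so a
    # 'nullok' argument is visible; no automatic edit is made here.
    grep -E -- '\bpam_unix\.so\b' /etc/authselect/"$profile"/{password,system}-auth
  fi

  section "#Ensure crontab is restricted to authorized users"
  [ -e /etc/cron.allow ] || touch /etc/cron.allow
  chown root:root /etc/cron.allow
  chmod u-x,g-wx,o-rwx /etc/cron.allow
  if [ -e /etc/cron.deny ]; then
    chown root:root /etc/cron.deny
    chmod u-x,g-wx,o-rwx /etc/cron.deny
  fi
  printf '%s\n' "crontab is restricted to authorized users"

  section "# Ensure sshd MaxStartups is configured"
  ensure_line "$SSHD_CONFIG" MaxStartups "MaxStartups 10:30:60"

  section "# Ensure ipv6 router advertisements are not accepted"
  ensure_sysctl "$SYSCTL_V6_FILE" net.ipv6.conf.all.accept_ra 0
  ensure_sysctl "$SYSCTL_V6_FILE" net.ipv6.conf.default.accept_ra 0

  section "# Ensure gpgcheck is globally activated"
  # Only an existing gpgcheck line is rewritten: appending blindly could land
  # the key outside the [main] section.
  sed -i 's/^gpgcheck[[:space:]]*=[[:space:]]*.*/gpgcheck=1/' /etc/dnf/dnf.conf
  grep -qs '^gpgcheck=1' /etc/dnf/dnf.conf \
    || printf '%s\n' "WARNING: /etc/dnf/dnf.conf has no gpgcheck line; add gpgcheck=1 under [main]" >&2
  find /etc/yum.repos.d/ -name "*.repo" -exec echo "Checking:" {} \; \
    -exec sed -i 's/^[[:space:]]*gpgcheck[[:space:]]*=.*/gpgcheck=1/' {} \;
  section "# gpgcheck global activation done"

  section "# Ensure filesystem integrity is regularly checked"
  cat > /etc/systemd/system/aidecheck.service <<'EOF'
[Unit]
Description=Aide Check
[Service]
Type=simple
ExecStart=/usr/sbin/aide --check
[Install]
WantedBy=multi-user.target
EOF
  cat > /etc/systemd/system/aidecheck.timer <<'EOF'
[Unit]
Description=Aide check every day at 5AM
[Timer]
OnCalendar=*-*-* 05:00:00
Unit=aidecheck.service
[Install]
WantedBy=multi-user.target
EOF
  chown root:root /etc/systemd/system/aidecheck.*
  chmod 0644 /etc/systemd/system/aidecheck.*
  systemctl daemon-reload
  systemctl enable aidecheck.service
  systemctl --now enable aidecheck.timer

  section "Ensure secure icmp redirects are not accepted"
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.all.secure_redirects 0
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.default.secure_redirects 0

  section "# Ensure bogus icmp responses are ignored"
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.icmp_ignore_bogus_error_responses 1

  section "# Ensure packet redirect sending is disabled"
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.all.send_redirects 0
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.default.send_redirects 0

  section "Ensure password unlock time is configured. In file /etc/security/faillock.conf check unlock_time = 900"
  # Anchored key match: 'root_unlock_time' lines are not touched.
  ensure_line /etc/security/faillock.conf unlock_time "unlock_time = 900"

  section "# Ensure permissions on /etc/cron.monthly are configured"
  harden_cron_path /etc/cron.monthly og-rwx
  section "# Ensure permissions on /etc/cron.d are configured"
  harden_cron_path /etc/cron.d og-rwx
  section "# Ensure permissions on /etc/cron.daily are configured"
  harden_cron_path /etc/cron.daily og-rwx
  section "# Ensure permissions on /etc/cron.hourly are configured"
  harden_cron_path /etc/cron.hourly og-rwx
  section "# Ensure permissions on /etc/crontab are configured"
  harden_cron_path /etc/crontab og-rwx

  section "# Ensure AIDE is installed"
  if rpm -q aide &>/dev/null; then
    printf '%s\n' "AIDE is installed."
  else
    printf '%s\n' "AIDE is not installed."
    dnf install -y aide \
      && aide --init \
      && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz \
      && printf '%s\n' "rpm aide is installed and configured now"
  fi

  section "# Ensure default user shell timeout is configured"
  printf '%s\n' "# Set TMOUT to 900 seconds" "typeset -xr TMOUT=900" > /etc/profile.d/50-tmout.sh

  section "Ensure icmp redirects are not accepted. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.all.accept_redirects = 0"
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.all.accept_redirects 0
  ensure_sysctl "$SYSCTL_V4_FILE" net.ipv4.conf.default.accept_redirects 0

  # sshd is never restarted here; surface a broken config before anyone does.
  section "# Validating sshd configuration"
  sshd -t 2>&1 \
    || printf '%s\n' "WARNING: sshd -t reported a problem with the edited configuration; review before restarting sshd" >&2
}

main "$@"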
echo "
Ensure broadcast icmp requests are ignored net.ipv4.icmp_echo_ignore_broadcasts = 1 to /etc/sysctl.d/60-netipv4_sysctl.conf"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.icmp_echo_ignore_broadcasts"
check_line="net.ipv4.icmp_echo_ignore_broadcasts = 1"
replace_line="net.ipv4.icmp_echo_ignore_broadcasts = 1"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
fi
echo "
Ensure reverse path filtering is enabled. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.all.rp_filter = 1"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.conf.all.rp_filter"
check_line="net.ipv4.conf.all.rp_filter = 1"
replace_line="net.ipv4.conf.all.rp_filter = 1"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.route.flush=1
fi
echo "
Ensure icmp redirects are not accepted. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.all.accept_redirects = 0"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.conf.all.accept_redirects"
check_line="net.ipv4.conf.all.accept_redirects = 0"
replace_line="net.ipv4.conf.all.accept_redirects = 0"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.route.flush=1
fi
echo "
Ensure reverse path filtering is enabled. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.default.rp_filter = 1"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.conf.default.rp_filter"
check_line="net.ipv4.conf.default.rp_filter = 1"
replace_line="net.ipv4.conf.default.rp_filter = 1"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
fi
echo "
# Ensure source routed packets are not accepted. net.ipv6.conf.all.accept_source_route = 0 to /etc/sysctl.d/60-netipv6_sysctl.conf"
# Variables
file="/etc/sysctl.d/60-netipv6_sysctl.conf"
search_string="net.ipv6.conf.all.accept_source_route"
check_line="net.ipv6.conf.all.accept_source_route = 0"
replace_line="net.ipv6.conf.all.accept_source_route = 0"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv6.conf.all.accept_source_route=0
sysctl -w net.ipv6.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv6.conf.all.accept_source_route=0
sysctl -w net.ipv6.route.flush=1
fi
echo "
# Ensure source routed packets are not accepted. net.ipv6.conf.default.accept_source_route = 0 to /etc/sysctl.d/60-netipv6_sysctl.conf"
# Variables
file="/etc/sysctl.d/60-netipv6_sysctl.conf"
search_string="net.ipv6.conf.default.accept_source_route"
check_line="net.ipv6.conf.default.accept_source_route = 0"
replace_line="net.ipv6.conf.default.accept_source_route = 0"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv6.conf.default.accept_source_route=0
sysctl -w net.ipv6.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv6.conf.default.accept_source_route=0
sysctl -w net.ipv6.route.flush=1
fi
echo "
Ensure icmp redirects are not accepted. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.all.accept_source_route = 0"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.conf.all.accept_source_route"
check_line="net.ipv4.conf.all.accept_source_route = 0"
replace_line="net.ipv4.conf.all.accept_source_route = 0"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
fi
echo "
Ensure icmp redirects are not accepted. In file /etc/sysctl.d/60-netipv4_sysctl.conf check for net.ipv4.conf.default.accept_source_route = 0"
# Variables
file="/etc/sysctl.d/60-netipv4_sysctl.conf"
search_string="net.ipv4.conf.default.accept_source_route"
check_line="net.ipv4.conf.default.accept_source_route = 0"
replace_line="net.ipv4.conf.default.accept_source_route = 0"
# Check if the string is present in the file
if grep -q "$search_string" "$file"; then
# Check if the specific line is present
if grep -qF "$check_line" "$file"; then
echo "The line '$check_line' is already present in the file."
else
# Replace the line containing the search string with the new line
sed -i "/$search_string/c\\$replace_line" "$file"
echo "The line containing '$search_string' was replaced with '$replace_line'."
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
fi
else
echo "The string '$search_string' was not found in the file and added."
echo "$replace_line" >> "$file"
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
fi