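#!/bin/bash -
#CIS Security Audit Script
#Last Updated Date: 3-1-17
#Author: Matt Wilson
#This script will run LEVEL ONE checks on the Center for Internet Security
#checklist. It will dump the report to /root/cis_report.txt for review.
#The output results can be crosschecked for their status and the sysadmin
#responsible can determine if the change can be made or not.
#
#This script deliberately does NOT use `set -e` or `set -o pipefail`: most
#checks below are expected to exit non-zero on a compliant host (rpm -q of an
#absent package, grep with no match, is-enabled of a unit that is not
#installed) and the report has to keep going past every one of them.
echo "*********************************************************"
echo "CIS Security Audit Script"
echo "CentOS 7 Check"
echo "Auditing for all LEVEL ONE hardening"
echo "Output can be found in /root/cis_report.txt"
echo "NOTE: Run only in a bash shell"
echo ""
echo "WARNING: This script is only for CentOS 7, please use correct script"
echo "for target operating system"
echo "*********************************************************"
# Several checks only answer correctly as root (crontab -u root -l, the
# root-only grub.cfg, dmesg when it is restricted) and the report itself is
# written under /root. Refuse to run otherwise, instead of producing a report
# whose "Permission denied" lines can be misread as a host with no findings.
if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR: this script must be run as root" >&2
  exit 1
fi
# The report reproduces bootloader, sshd and account-file details; make sure
# tee creates it mode 0600 regardless of the caller's umask.
umask 077
# Mirror stdout and stderr of everything below to the report file.
exec > >(tee "/root/cis_report.txt") 2>&1
echo "CIS Security Audit Report"
echo "*DATE*"
date
echo "*OS*"
cat /etc/centos-release
# The check numbers and file paths below are those of the CentOS 7 benchmark;
# flag it in the report when the host does not look like one.
if ! grep -qs 'release 7\.' /etc/centos-release; then
  echo "WARNING: /etc/centos-release does not identify a CentOS 7 host; results may not map to this benchmark"
fi
echo "*KERNEL*"
uname -a
echo "*HOST*"
hostname
echo ""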
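echo "******1.1.1 Disable Unused File Systems******"
echo ""
echo ""
# 1.1.1.1-1.1.1.8: each legacy filesystem module should be blacklisted
# (modprobe -n -v shows what loading it would do) and must not currently be
# loaded (lsmod count 0). -w stops "hfs" from also counting a loaded hfsplus.
while IFS='|' read -r cis_id fs_label fs_module; do
  echo "$cis_id Ensure mounting of $fs_label filesystems is disabled"
  echo "$ modprobe -n -v $fs_module"
  modprobe -n -v "$fs_module"
  echo "$ lsmod | grep -cw $fs_module"
  lsmod | grep -cw "$fs_module"
done <<'EOF'
1.1.1.1|cramfs|cramfs
1.1.1.2|freevxfs|freevxfs
1.1.1.3|jffs2|jffs2
1.1.1.4|hfs|hfs
1.1.1.5|hfsplus|hfsplus
1.1.1.6|squashfs|squashfs
1.1.1.7|udf|udf
1.1.1.8|FAT|vfat
EOF
echo ""
# 1.1.3-1.1.17: mount options on the paths the benchmark wants on their own
# mount. The pattern is anchored on whitespace on both sides so that "/tmp"
# no longer also matches the /var/tmp line (the original additionally
# mislabelled the /var/tmp command as "mount | grep /tmp"). Empty output
# means the path is not a separate mount point at all, which the reviewer
# should treat as a finding in its own right.
while IFS='|' read -r cis_ids description mount_point; do
  echo "$cis_ids"
  echo "$description"
  echo ""
  echo "$ mount | grep -E '\s$mount_point\s'"
  mount | grep -E "\s$mount_point\s"
  echo ""
done <<'EOF'
1.1.3 , 1.1.4 , 1.1.5|Check nodev,nosuid,noexec are set on /tmp|/tmp
1.1.8 , 1.1.9 , 1.1.10|Check nodev,nosuid,noexec are set on /var/tmp|/var/tmp
1.1.14|Check nodev is set on /home|/home
1.1.15 , 1.1.16 , 1.1.17|Check nodev,nosuid,noexec are set on /dev/shm|/dev/shm
EOF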
printf '%s\n' "******1.3 Filesystem Integrity Checking******" "" ""
# 1.3.1: the AIDE package has to be present before anything else applies.
printf '%s\n' "1.3.1" "Check if AIDE is installed" ""
echo '$ rpm -q aide'
rpm -q aide
echo ""
# 1.3.2: an aide run should be scheduled in root's own crontab or somewhere
# under the system cron directories / /etc/crontab; both places are shown.
printf '%s\n' "1.3.2" "Check if filesystem is regularly checked" ""
echo '$ crontab -u root -l | grep aide'
crontab -u root -l | grep aide
echo '$ grep -r aide /etc/cron.* /etc/crontab'
grep -r aide /etc/cron.* /etc/crontab
echo ""
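echo "******1.4 Secure Boot Settings******"
echo ""
echo ""
# CentOS 7 keeps grub.cfg under /boot/grub2 on BIOS systems and under
# /boot/efi/EFI/centos on UEFI systems. Audit whichever exists so a UEFI host
# does not just print "No such file or directory" for 1.4.1 and 1.4.2 and get
# mistaken for a host with no findings.
grub_cfgs=()
for cfg in /boot/grub2/grub.cfg /boot/efi/EFI/centos/grub.cfg; do
  [ -e "$cfg" ] && grub_cfgs+=("$cfg")
done
if [ "${#grub_cfgs[@]}" -eq 0 ]; then
  echo "WARNING: no grub.cfg found at /boot/grub2/grub.cfg or /boot/efi/EFI/centos/grub.cfg"
fi
echo "1.4.1"
echo "Check if permissions on bootloader config are configured"
echo ""
for cfg in "${grub_cfgs[@]}"; do
  echo "$ stat $cfg"
  stat "$cfg"
done
echo ""
echo "1.4.2"
echo "Check if bootloader password is set"
echo ""
for cfg in "${grub_cfgs[@]}"; do
  echo "$ grep '^set superusers' $cfg"
  grep "^set superusers" "$cfg"
  echo "$ grep '^password' $cfg"
  grep "^password" "$cfg"
done
echo ""
echo "1.4.3"
echo "Check if authentication is required for single user mode"
echo ""
# Both single-user targets must invoke sulogin rather than drop to a shell.
for unit in rescue emergency; do
  echo "$ grep /sbin/sulogin /usr/lib/systemd/system/$unit.service"
  grep /sbin/sulogin "/usr/lib/systemd/system/$unit.service"
done
echo ""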
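echo "******1.5 Additional Process Hardening******"
echo ""
echo ""
echo "1.5.1"
echo "Check if core dumps are restricted"
echo ""
# Match "hard core" on any non-comment line whatever the tab/space layout, so
# a real "*<TAB>hard<TAB>core<TAB>0" entry is found and a commented-out
# example is not reported as a live setting. -s hides grep's error when
# /etc/security/limits.d/ is empty and the glob stays literal.
echo "$ grep -Es '^[^#].*\bhard[[:space:]]+core\b' /etc/security/limits.conf /etc/security/limits.d/*"
grep -Es '^[^#].*\bhard[[:space:]]+core\b' /etc/security/limits.conf /etc/security/limits.d/*
echo "$ sysctl fs.suid_dumpable"
sysctl fs.suid_dumpable
echo ""
echo "1.5.2"
echo "Check if XD/NX support is enabled"
echo ""
echo "$ dmesg | grep NX"
dmesg | grep NX
# dmesg is a ring buffer: on a long-running host the boot-time NX line may
# already have scrolled out, which looks identical to NX being off. The nx
# cpu flag (one count per CPU) is an uptime-independent second indicator.
echo "$ grep -cw nx /proc/cpuinfo"
grep -cw nx /proc/cpuinfo
echo ""
echo "1.5.3"
echo "Check if address space layout randomization (ASLR) is enabled"
echo ""
echo "$ sysctl kernel.randomize_va_space"
sysctl kernel.randomize_va_space
echo ""
echo "1.5.4"
echo "Check if prelink is disabled"
echo ""
# The benchmark wants the package absent, so "not installed" is the pass case.
echo "$ rpm -q prelink"
rpm -q prelink
echo ""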
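# The heading used to be written as `echo ""******1.6 ...******` with the text
# outside the quotes, which turned `******1.6` and `Controls******` into shell
# glob patterns: any matching file in the current directory would have been
# printed in place of the heading.
echo "******1.6 Mandatory Access Controls******"
echo ""
echo ""
# NOTE(review): only 1.6.2 (package present) is covered here; the SELinux
# state/policy checks of 1.6.1.x are not part of this script.
echo "1.6.2"
echo "Check if SELinux is installed"
echo ""
echo "$ rpm -q libselinux"
rpm -q libselinux
echo ""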
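# Heading quoted as a whole: the original `echo ""******2.2 ...******""` left
# `******2.2` and `Services******` outside the quotes as glob patterns.
echo "******2.2 Special Purpose Services******"
echo ""
echo ""
echo "2.2.1"
echo ""
# The benchmark accepts either ntp or chrony for 2.2.1.1, and chrony is what
# a stock CentOS 7 install ships, so querying ntp alone reports most hosts as
# having no time synchronisation at all.
echo "2.2.1.1 Check if time synchronization is in use"
echo ""
echo "$ rpm -q ntp"
rpm -q ntp
echo "$ rpm -q chrony"
rpm -q chrony
echo ""
echo "2.2.1.2 Check if ntp is properly configured"
echo ""
while read -r pattern conf_file; do
  echo "$ grep '$pattern' $conf_file"
  grep "$pattern" "$conf_file"
done <<'EOF'
^restrict /etc/ntp.conf
^server /etc/ntp.conf
^OPTIONS /etc/sysconfig/ntpd
^ExecStart /usr/lib/systemd/system/ntpd.service
EOF
echo ""
echo "2.2.1.3 Check if chrony is properly configured"
echo ""
echo "$ grep '^server' /etc/chrony.conf"
grep "^server" /etc/chrony.conf
echo "$ grep '^OPTIONS' /etc/sysconfig/chronyd"
grep "^OPTIONS" /etc/sysconfig/chronyd
echo ""

# Print one stanza per table line read from stdin ("<id>|<description>|<units>")
# and run systemctl is-enabled for each unit. The units field may hold several
# space-separated units (the rsh check covers three sockets). A unit that is
# not installed makes systemctl print an error; that is fine for the report.
check_units_disabled() {
  local cis_id description units unit
  while IFS='|' read -r cis_id description units; do
    echo "$cis_id"
    echo "$description"
    echo ""
    # shellcheck disable=SC2086 -- the unit list is meant to be word-split
    for unit in $units; do
      echo "$ systemctl is-enabled $unit"
      systemctl is-enabled "$unit"
    done
    echo ""
  done
}

check_units_disabled <<'EOF'
2.2.3|Ensure AVAHI server is not enabled|avahi-daemon
2.2.4|Ensure CUPS is not enabled|cups
2.2.5|Ensure DHCP server is not enabled|dhcpd
2.2.6|Ensure LDAP server is not enabled|slapd
2.2.8|Ensure DNS server is not enabled|named
2.2.9|Ensure FTP server is not enabled|vsftpd
2.2.10|Ensure HTTP server is not enabled|httpd
2.2.11|Ensure IMAP and POP3 server is not enabled|dovecot
2.2.12|Ensure SAMBA server is not enabled|smb
2.2.13|Ensure HTTP Proxy server is not enabled|squid
2.2.14|Ensure SNMP server is not enabled|snmpd
EOF
echo "2.2.15"
echo "Ensure mail transfer agent is configured for local-only mode"
echo ""
# net-tools (netstat) is not part of a minimal CentOS 7 install; without the
# fallback to ss this check would print only "command not found" and look
# like "nothing is listening on :25". A :25 listener bound to anything other
# than 127.0.0.1 / ::1 is the finding.
if command -v netstat >/dev/null 2>&1; then
  echo "$ netstat -an | grep LIST | grep ':25[[:space:]]'"
  netstat -an | grep LIST | grep ':25[[:space:]]'
else
  echo "$ ss -lnt | grep ':25[[:space:]]'"
  ss -lnt | grep ':25[[:space:]]'
fi
echo ""
check_units_disabled <<'EOF'
2.2.16|Ensure NIS server is not enabled|ypserv
2.2.17|Ensure rsh server is not enabled|rsh.socket rlogin.socket rexec.socket
2.2.18|Ensure telnet server is not enabled|telnet.socket
2.2.19|Ensure tftp server is not enabled|tftp.socket
2.2.20|Ensure rsync server is not enabled|rsyncd
2.2.21|Ensure talk server is not enabled|ntalk
EOF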
printf '%s\n' "******3.2 Network Parameters******" "" ""
# 3.2.1-3.2.4: every parameter is read for both the "all" and the "default"
# interface scope, since a hardened value in one but not the other still
# leaves newly created interfaces exposed.
while IFS='|' read -r cis_id description sysctl_key; do
  printf '%s\n' "$cis_id" "$description" ""
  for scope in all default; do
    echo "$ sysctl net.ipv4.conf.$scope.$sysctl_key"
    sysctl "net.ipv4.conf.$scope.$sysctl_key"
  done
  echo ""
done <<'EOF'
3.2.1|Check source routed packets are not accepted|accept_source_route
3.2.2|Check ICMP redicrects are not accepted|accept_redirects
3.2.3|Check secure ICMP redirects are not accepted|secure_redirects
3.2.4|Check if suspicious packets are logged|log_martians
EOF
printf '%s\n' "******3.3 IPv6******" "" ""
# 3.3.3: show every modprobe configuration line that mentions ipv6; whether
# it actually disables the module is left to the reviewer.
printf '%s\n' "3.3.3" "Check if ipv6 is disabled" ""
echo '$ modprobe -c | grep ipv6'
modprobe -c | grep ipv6
echo ""
printf '%s\n' "******3.6 Firewall Configuration******" "" ""
# 3.6.1: the iptables package must be present for the rest of 3.6 to apply.
printf '%s\n' "3.6.1" "Check if iptables is installed" ""
echo '$ rpm -q iptables'
rpm -q iptables
echo ""
printf '%s\n' "******4.2.1 Configure rsyslog******" "" ""
# 4.2.1.1: the rsyslog unit should be enabled at boot.
printf '%s\n' "4.2.1.1" "Check if rsyslog is enabled" ""
echo '$ systemctl is-enabled rsyslog'
systemctl is-enabled rsyslog
echo ""
# 4.2.1.2: only a directory listing is produced; which log files are expected
# is for the reviewer to judge.
printf '%s\n' "4.2.1.2" "Check if logging is configured" ""
echo '$ ls -al /var/log'
ls -al /var/log
echo ""
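echo "******5.2 SSH Server Configuration******"
echo ""
echo ""
echo "5.2.1"
echo "Check if permissions on /etc/ssh/sshd_config are configured"
echo ""
echo "$ stat /etc/ssh/sshd_config"
stat /etc/ssh/sshd_config
echo ""
# Every directive is anchored at the start of the line so the distribution's
# commented-out defaults ("#Protocol 2", "#Ciphers ...") are not mistaken for
# live settings. The original Ciphers grep was unanchored and would have
# reported exactly such a comment as an approved cipher list.
while IFS='|' read -r cis_id description directive; do
  echo "$cis_id"
  echo "$description"
  echo ""
  echo "$ grep '^$directive' /etc/ssh/sshd_config"
  grep "^$directive" /etc/ssh/sshd_config
  echo ""
done <<'EOF'
5.2.2|Check if SSH protocol is set to 2|Protocol
5.2.3|Check if SSH LogLevel is set to INFO|LogLevel
5.2.4|Check if SSH X11 forwarding is disabled|X11Forwarding
5.2.11|Check if only approved ciphers are used|Ciphers
EOF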
printf '%s\n' "******6.1 System File Permissions******" "" ""
# 6.1.2-6.1.9: ownership and mode of the four account databases and their
# "-" backup copies, numbered consecutively in the order listed.
check_no=2
for account_file in passwd shadow group gshadow passwd- shadow- group- gshadow-; do
  printf '%s\n' "6.1.$check_no" "Check if permissions on /etc/$account_file are configured" ""
  echo "$ stat /etc/$account_file"
  stat "/etc/$account_file"
  echo ""
  check_no=$((check_no + 1))
done
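echo "******6.2 User and Group Settings******"
echo ""
echo ""
echo "6.2.5"
echo "Check if root is the only UID 0 account"
echo ""
# The displayed command is printed with a format string so the $3 and $1 in
# it are shown literally; inside the original double-quoted echo they were
# expanded as the script's positional parameters and printed as blanks.
# Any name other than "root" in the output is a finding.
printf '%s\n' "\$ awk -F: '(\$3 == 0) { print \$1 }' /etc/passwd"
awk -F: '($3 == 0) { print $1 }' /etc/passwd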