def configure_ntp(upstream):
    """2.2.1 Time Synchronization (ntpd variant).

    Replaces chrony with ntp, then writes a restrictive ``/etc/ntp.conf``
    pointing at *upstream* and makes the daemon drop to the ``ntp`` user.

    Args:
        upstream: value written as the ``server`` entry of ``/etc/ntp.conf``
            (presumably a hostname or address; not validated here).

    Side effects only; returns None. Runs package and file operations that
    need root.
    """
    # 2.2.1.1 Ensure time synchronization is in use -- exactly one of
    # chrony/ntp should be present, so chrony goes away before ntp is added.
    Package('chrony').remove()
    Package('ntp').install()

    # 2.2.1.2 Ensure ntp is configured. The 'restrict' lines keep remote
    # clients from modifying or querying the daemon (kod nomodify notrap
    # nopeer noquery). 'restrict default' maps to None, which presumably
    # makes PropertyFile emit the key with no value -- confirm in PropertyFile.
    ntp_settings = {
        'restrict default': None,
        'restrict -4 default': 'kod nomodify notrap nopeer noquery',
        'restrict -6 default': 'kod nomodify notrap nopeer noquery',
        'server': upstream,
    }
    PropertyFile('/etc/ntp.conf', ' ').override(ntp_settings).write()

    # Daemon runs unprivileged as ntp:ntp; the value keeps its own quotes
    # because it is spliced verbatim into the sysconfig shell fragment.
    daemon_options = {'OPTIONS': '"-u ntp:ntp"'}
    PropertyFile('/etc/sysconfig/ntpd', '=').override(daemon_options).write()
def remove_insecure_clients():
    """2.3 Service Clients.

    Removes client packages for legacy clear-text protocols (NIS, rsh, talk,
    telnet) and the OpenLDAP client tools. Side effects only; returns None.
    """
    # Each removal is issued separately so one missing package does not
    # affect the others (behaviour of Package.remove on absent packages is
    # defined elsewhere).
    for name in ('ypbind', 'rsh', 'talk', 'telnet', 'openldap-clients'):
        Package(name).remove()
def configure_chrony(upstream):
    """2.2.1 Time Synchronization (chrony variant).

    Replaces ntp with chrony, points chronyd at *upstream*, runs the daemon
    as the ``chrony`` user and enables it at boot.

    Args:
        upstream: value written as the ``server`` entry of
            ``/etc/chrony.conf`` (not validated here).

    Side effects only; returns None. Requires root.
    """
    # 2.2.1.1 Ensure time synchronization is in use -- chrony supersedes ntp.
    Package('ntp').remove()
    Package('chrony').install()

    # 2.2.1.3 Ensure chrony is configured.
    chrony_settings = {'server': upstream}
    PropertyFile('/etc/chrony.conf', ' ').override(chrony_settings).write()

    # Drop privileges to the chrony user; the inner quotes are part of the
    # sysconfig value and are written as-is.
    daemon_options = {'OPTIONS': '"-u chrony"'}
    PropertyFile('/etc/sysconfig/chronyd', '=').override(daemon_options).write()

    # Enable the service at boot (SysV-style chkconfig).
    exec_shell(['chkconfig chronyd on'])
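def _rewrite_menu_lst(sed_script):
    """Run *sed_script* (an ``sed -E`` expression) over /boot/grub/menu.lst
    and write the transformed text back to the same file.

    The original file is read through ``cat | sed`` exactly as before; only
    the sed expression varies between callers.
    """
    boot = exec_shell([
        'cat /boot/grub/menu.lst | sed -E "{}"'.format(sed_script)
    ])
    File('/boot/grub/menu.lst').write(boot)


def configure_mac():
    """1.6. Mandatory Access Control.

    Installs the SELinux policy packages, edits the ``kernel`` line(s) of
    ``/boot/grub/menu.lst`` so SELinux is enabled, selected as the security
    module and enforcing at boot, sets the persistent mode in
    ``/etc/selinux/config`` and asks for a filesystem relabel on the next boot.

    Side effects only; returns None. Requires root. Only GRUB legacy
    (``menu.lst``) is handled.
    """
    Package('selinux-policy').install()
    Package('selinux-policy-targeted').install()
    Package('policycoreutils-python').install()

    # Current kernel line(s). The substring tests below assume exec_shell
    # returns the command output as a str -- confirm against exec_shell.
    kernel = exec_shell([
        'cat /boot/grub/menu.lst | grep ^kernel'
        ])

    # Ensure SELinux is enabled: append selinux=1 when absent, otherwise
    # flip an explicit selinux=0 to 1.
    if 'selinux' not in kernel:
        _rewrite_menu_lst('s/^(kernel.*)$/\\1 selinux=1/')
    else:
        _rewrite_menu_lst('s/(selinux)=0/\\1=1/g')

    # Ensure SELinux is the active LSM: append security=selinux when absent,
    # otherwise replace whatever security= value is set.
    if 'security' not in kernel:
        _rewrite_menu_lst('s/^(kernel.*)$/\\1 security=selinux/')
    else:
        _rewrite_menu_lst('s/^(kernel.*security=)[^ ]*(.*)/\\1selinux\\2/g')

    # Ensure a permissive override (enforcing=0) is not left on the command
    # line. Nothing is added when the parameter is absent.
    _rewrite_menu_lst('s/(enforcing)=0/\\1=1/g')

    # Persistent state: enforcing with the targeted policy. The Python "\n"
    # becomes a literal newline inside the double-quoted echo argument.
    # NOTE(review): 0600 makes /etc/selinux/config unreadable to non-root
    # userspace that inspects it (e.g. sestatus); confirm that mode is
    # intended rather than 0644. /.autorelabel requests a relabel at boot.
    exec_shell([
        'echo "SELINUX=enforcing\nSELINUXTYPE=targeted" > /etc/selinux/config',
        'chown root:root /etc/selinux/config',
        'chmod 0600 /etc/selinux/config',
        'touch /.autorelabel'
        ])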
def enable_aide():
    """1.3 Filesystem Integrity Checking.

    Installs AIDE, builds the initial database and schedules a daily
    integrity check at 05:00 in root's crontab.

    Returns:
        Whatever ``exec_shell`` returns for the command list (the caller may
        inspect it; the type is defined by exec_shell).
    """
    Package('aide').install()

    # The database AIDE just built is moved into place as the baseline.
    # The crontab pipeline keeps existing root entries, drops any previous
    # aide line (grep -v) and appends the new one, so re-running this
    # function does not duplicate the job.
    daily_check = '0 5 * * * /usr/sbin/aide --check'
    schedule_cmd = (
        '(crontab -u root -l 2>/dev/null | grep -v /usr/sbin/aide; '
        'echo "{}") | crontab -'
    ).format(daily_check)

    commands = [
        'aide --init',
        'mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz',
        schedule_cmd,
    ]
    return exec_shell(commands)
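def configure_iptables(allowed_tcp_ports=(22, 3306, 8443, 8000)):
    """3.6 Firewall Configuration.

    Flushes the IPv4 ruleset, sets default-deny policies, allows loopback
    and established traffic, opens the given inbound TCP ports, then applies
    a loopback-only IPv6 ruleset.

    Args:
        allowed_tcp_ports: TCP ports accepted for NEW inbound connections.
            The default reproduces the previously hard-coded list (SSH,
            MySQL, 8443, 8000). Each entry is coerced with ``int`` before it
            is spliced into the shell command, so a non-numeric value raises
            ValueError instead of reaching the shell.

    Side effects only; returns None. Requires root.

    NOTE(review): the DROP policies are installed before the ACCEPT rules,
    so there is a brief window in which existing sessions are dropped; and
    ``iptables-save`` / ``ip6tables-save`` only print the ruleset to stdout,
    so unless exec_shell persists that output the rules do not survive a
    reboot (iptables-services expects them in its own config file). Confirm
    both against exec_shell and the deployment.
    """
    Package('iptables').install()

    inbound_port_rules = [
        'iptables -A INPUT -p tcp --dport {} -m state --state NEW -j ACCEPT'.format(int(port))
        for port in allowed_tcp_ports
    ]

    exec_shell([
        'iptables -F',
        'iptables -P INPUT DROP',
        'iptables -P OUTPUT DROP',
        'iptables -P FORWARD DROP',
        # Loopback is allowed, but spoofed 127/8 sources on other interfaces
        # are dropped.
        'iptables -A INPUT -i lo -j ACCEPT',
        'iptables -A OUTPUT -o lo -j ACCEPT',
        'iptables -A INPUT -s 127.0.0.0/8 -j DROP',
        # Outbound is open for new and established flows; inbound only for
        # established ones plus the explicit port list below.
        'iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT',
    ] + inbound_port_rules + [
        'iptables-save'
    ])

    Package('iptables-services').install()

    # IPv6: loopback only. No ESTABLISHED rule is added, so with DROP
    # policies all other IPv6 traffic is blocked -- presumably intentional.
    exec_shell([
        'ip6tables -A INPUT -i lo -j ACCEPT',
        'ip6tables -A OUTPUT -o lo -j ACCEPT' ,
        'ip6tables -A INPUT -s ::1 -j DROP ',
        'ip6tables -P INPUT DROP',
        'ip6tables -P OUTPUT DROP',
        'ip6tables -P FORWARD DROP',     
        'ip6tables-save'
    ])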
def apply_process_hardenings():
    """1.5 Additional Process Hardening.

    Restricts core dumps (limits.conf and fs.suid_dumpable), forces full
    ASLR via kernel.randomize_va_space=2 and removes prelink, which would
    otherwise rewrite binaries and defeat ASLR/integrity checks.

    Side effects only; returns None. Each setting is written as a separate
    PropertyFile update, in the order listed.
    """
    sysctl_conf = '/etc/sysctl.conf'
    property_updates = (
        # 1.5.1 Ensure core dumps are restricted
        ('/etc/security/limits.conf', ' ', {'* hard core': '0'}),
        (sysctl_conf, ' = ', {'fs.suid_dumpable': '0'}),
        # 1.5.3 Ensure address space layout randomization (ASLR) is enabled
        (sysctl_conf, ' = ', {'kernel.randomize_va_space': '2'}),
    )
    for path, separator, settings in property_updates:
        PropertyFile(path, separator).override(settings).write()

    # 1.5.4 Ensure prelink is disabled
    Package('prelink').remove()
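def configure_tcp_wrappers(hosts):
    """3.4 TCP Wrappers.

    Installs tcp_wrappers, writes the allow list to ``/etc/hosts.allow`` and
    a deny-all to ``/etc/hosts.deny``, then fixes ownership and mode of both.

    Args:
        hosts: iterable of TCP Wrappers client patterns (hostnames,
            addresses, networks) joined with commas into ``ALL: <hosts>``.
            When empty or None neither file is written -- an empty allow
            list combined with ``ALL: ALL`` in hosts.deny would lock every
            client out -- but the ownership/permission steps still run.

    Side effects only; returns None. Requires root.
    """
    # shlex.quote is Python 3.3+; pipes.quote is its Python 2 spelling.
    try:
        from shlex import quote
    except ImportError:  # pragma: no cover - Python 2
        from pipes import quote

    # 3.4.1 Ensure TCP Wrappers is installed
    Package('tcp_wrappers').install()

    if hosts:
        # 3.4.2 Ensure /etc/hosts.allow is configured. The whole line is
        # shell-quoted so a pattern containing shell metacharacters cannot
        # alter the command; for ordinary patterns the written content is
        # unchanged.
        allow_line = 'ALL: {}'.format(','.join(hosts))
        exec_shell('echo {} > /etc/hosts.allow'.format(quote(allow_line)))

        # 3.4.3 Ensure /etc/hosts.deny is configured
        exec_shell('echo "ALL: ALL" > /etc/hosts.deny')

    # 3.4.4 Ensure permissions on /etc/hosts.allow are configured
    exec_shell(
        ['chown root:root /etc/hosts.allow', 'chmod 644 /etc/hosts.allow'])

    # 3.4.5 Ensure permissions on /etc/hosts.deny are configured
    exec_shell(
        ['chown root:root /etc/hosts.deny', 'chmod 644 /etc/hosts.deny'])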
def configure_rsyslog():
    """4.2.1 Configure rsyslog.

    Installs rsyslog and writes a selector-to-destination map into
    ``/etc/rsyslog.conf``. Destinations prefixed with ``-`` are written
    asynchronously by rsyslog; ``$FileCreateMode 0640`` keeps new log files
    from being world-readable.

    Side effects only; returns None.
    """
    Package('rsyslog').install()

    # Keys are rsyslog selectors (facility.priority), values the action.
    # Emergencies go to every logged-in user via omusrmsg.
    mail_rules = {
        'mail.*': '-/var/log/mail',
        'mail.info': '-/var/log/mail.info',
        'mail.warning': '-/var/log/mail.warn',
        'mail.err': '/var/log/mail.err',
    }
    news_rules = {
        'news.crit': '-/var/log/news/news.crit',
        'news.err': '-/var/log/news/news.err',
        'news.notice': '-/var/log/news/news.notice',
    }
    local_rules = {
        'local0,local1.*': '-/var/log/localmessages',
        'local2,local3.*': '-/var/log/localmessages',
        'local4,local5.*': '-/var/log/localmessages',
        # trailing space preserved from the original value
        'local6,local7.*': '-/var/log/localmessages ',
    }
    general_rules = {
        '*.emerg': ':omusrmsg:*',
        '*.=warning;*.=err': '-/var/log/warn',
        '*.crit': '/var/log/warn',
        '*.*;mail.none;news.none': '-/var/log/messages',
        '$FileCreateMode': '0640',
    }

    rsyslog_settings = {}
    for group in (general_rules, mail_rules, news_rules, local_rules):
        rsyslog_settings.update(group)

    PropertyFile('/etc/rsyslog.conf', ' ').override(rsyslog_settings).write()
def remove_x11_packages():
    """2.2.2 Ensure X Window System is not installed.

    Removes every package matching ``xorg-x11*``; the glob is passed through
    to Package, which presumably hands it to the package manager as-is.
    Side effects only; returns None.
    """
    x11_packages = Package('xorg-x11*')
    x11_packages.remove()
def ensure_updated():
    """1.8 Ensure updates, patches, and additional security software are installed.

    Delegates to ``Package.update_all`` (defined elsewhere); side effects
    only, returns None.
    """
    update_everything = Package.update_all
    update_everything()