def configure_ntp(upstream):
    """2.2.1 Time Synchronization (ntp variant).

    Replaces chrony with ntp, writes the CIS ``restrict`` lines and the
    ``server`` entry to ``/etc/ntp.conf`` and makes ntpd run as the
    unprivileged ``ntp`` user via ``/etc/sysconfig/ntpd``.

    Args:
        upstream: value written as the ``server`` entry of ``/etc/ntp.conf``.
    """
    # 2.2.1.1 Ensure time synchronization is in use -- only one daemon
    # should be present, so the competing one is removed first.
    Package('chrony').remove()
    Package('ntp').install()

    # 2.2.1.2 Ensure ntp is configured
    restrict_flags = 'kod nomodify notrap nopeer noquery'
    ntp_settings = {
        # NOTE(review): None presumably drops the bare 'restrict default'
        # line so only the -4/-6 forms remain -- confirm against PropertyFile.
        'restrict default': None,
        'restrict -4 default': restrict_flags,
        'restrict -6 default': restrict_flags,
        'server': upstream,
    }
    PropertyFile('/etc/ntp.conf', ' ').override(ntp_settings).write()

    # Run ntpd as ntp:ntp instead of root.
    daemon_options = {'OPTIONS': '"-u ntp:ntp"'}
    PropertyFile('/etc/sysconfig/ntpd', '=').override(daemon_options).write()
def remove_insecure_clients():
    """2.3 Service Clients.

    Removes the legacy client packages (NIS, rsh, talk, telnet, LDAP CLI
    tools) that the benchmark wants absent from the host.
    """
    for name in ('ypbind', 'rsh', 'talk', 'telnet', 'openldap-clients'):
        Package(name).remove()
def configure_chrony(upstream):
    """2.2.1 Time Synchronization (chrony variant).

    Replaces ntp with chrony, points ``/etc/chrony.conf`` at *upstream*,
    runs chronyd as the ``chrony`` user and enables the service at boot.

    Args:
        upstream: value written as the ``server`` entry of ``/etc/chrony.conf``.
    """
    # 2.2.1.1 Ensure time synchronization is in use -- one daemon only.
    Package('ntp').remove()
    Package('chrony').install()

    # 2.2.1.3 Ensure chrony is configured
    chrony_conf = PropertyFile('/etc/chrony.conf', ' ')
    chrony_conf.override({'server': upstream}).write()

    sysconfig = PropertyFile('/etc/sysconfig/chronyd', '=')
    sysconfig.override({'OPTIONS': '"-u chrony"'}).write()

    # SysV-style enablement (chkconfig / /etc/sysconfig): the target looks
    # like an older RHEL-family system.
    exec_shell(['chkconfig chronyd on'])
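_GRUB_MENU = '/boot/grub/menu.lst'


def _rewrite_grub_menu(sed_script):
    """Apply *sed_script* (``sed -E`` syntax) to the GRUB menu in place.

    Runs the same ``cat | sed`` pipeline the original used and writes the
    result back with ``File.write``. The output is checked for emptiness
    first: if the pipeline failed and exec_shell handed back nothing, the
    original would have overwritten the bootloader menu with an empty file.
    """
    rewritten = exec_shell([
        'cat {} | sed -E "{}"'.format(_GRUB_MENU, sed_script)
    ])
    # NOTE(review): exec_shell's behaviour on a failing pipeline is not
    # visible here; this guard only protects against a blank result.
    if not rewritten.strip():
        raise RuntimeError('sed produced no output for {}; refusing to '
                           'overwrite the bootloader menu'.format(_GRUB_MENU))
    File(_GRUB_MENU).write(rewritten)


def configure_mac():
    """1.6. Mandatory Access Control.

    Installs the SELinux policy packages, forces ``selinux=1``,
    ``security=selinux`` and ``enforcing=1`` onto the GRUB ``kernel``
    lines, sets enforcing/targeted in ``/etc/selinux/config`` and marks
    the filesystem for a full relabel on the next boot.
    """
    for name in ('selinux-policy', 'selinux-policy-targeted',
                 'policycoreutils-python'):
        Package(name).install()

    # Current kernel command lines; only used to decide between "append
    # the parameter" and "correct an existing value".
    kernel = exec_shell(['cat {} | grep ^kernel'.format(_GRUB_MENU)])

    # add selinux=1
    if 'selinux' not in kernel:
        _rewrite_grub_menu(r's/^(kernel.*)$/\1 selinux=1/')
    else:
        _rewrite_grub_menu(r's/(selinux)=0/\1=1/g')

    # add security=selinux
    if 'security' not in kernel:
        _rewrite_grub_menu(r's/^(kernel.*)$/\1 security=selinux/')
    else:
        _rewrite_grub_menu(r's/^(kernel.*security=)[^ ]*(.*)/\1selinux\2/g')

    # enforcing=0 on the kernel command line would override the
    # SELINUX=enforcing setting written below.
    _rewrite_grub_menu(r's/(enforcing)=0/\1=1/g')

    # Persist enforcing + targeted; /.autorelabel triggers a full relabel
    # at the next boot. The embedded newline is a real newline inside the
    # double-quoted echo argument.
    exec_shell([
        'echo "SELINUX=enforcing\nSELINUXTYPE=targeted" > /etc/selinux/config',
        'chown root:root /etc/selinux/config',
        'chmod 0600 /etc/selinux/config',
        'touch /.autorelabel'
    ])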
def enable_aide():
    """1.3 Filesystem Integrity Checking.

    Installs AIDE, initialises its database, promotes the freshly built
    database to the live one and installs a daily 05:00 root cron job
    running ``aide --check``.

    Returns:
        Whatever exec_shell returns for the command batch.
    """
    aide_bin = '/usr/sbin/aide'
    cron_job = '0 5 * * * {} --check'.format(aide_bin)

    Package('aide').install()

    # Rebuild root's crontab from its current entries minus any earlier
    # aide line, so re-running this function does not stack duplicates.
    install_cron = (
        '(crontab -u root -l 2>/dev/null | grep -v {}; echo "{}") | crontab -'
        .format(aide_bin, cron_job)
    )
    return exec_shell([
        'aide --init',
        'mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz',
        install_cron,
    ])
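def configure_iptables(open_tcp_ports=(22, 3306, 8443, 8000)):
    """3.6 Firewall Configuration.

    Installs a default-deny IPv4 ruleset: everything is dropped except
    loopback, traffic belonging to outbound connections, and NEW inbound
    TCP connections to *open_tcp_ports*. IPv6 gets DROP policies with only
    loopback accepted.

    Args:
        open_tcp_ports: TCP ports that accept NEW inbound connections, in
            rule order. Defaults to the set the original hard-coded
            (22, 3306, 8443, 8000).

    Note:
        ``iptables-save`` / ``ip6tables-save`` only print the ruleset; whether
        it survives a reboot depends on what exec_shell does with that output
        and on the iptables-services package installed below -- confirm.
    """
    Package('iptables').install()

    port_rules = [
        'iptables -A INPUT -p tcp --dport {} -m state --state NEW -j ACCEPT'
        .format(port)
        for port in open_tcp_ports
    ]
    exec_shell([
        # Flush and default-deny every chain. Existing sessions are only
        # re-admitted by the ESTABLISHED rules further down, so a brief gap
        # is expected when this runs over a remote connection.
        'iptables -F',
        'iptables -P INPUT DROP',
        'iptables -P OUTPUT DROP',
        'iptables -P FORWARD DROP',
        # Loopback is trusted; 127/8 sources on any other interface are spoofed.
        'iptables -A INPUT -i lo -j ACCEPT',
        'iptables -A OUTPUT -o lo -j ACCEPT',
        'iptables -A INPUT -s 127.0.0.0/8 -j DROP',
        # Outbound may open connections; inbound may only continue them.
        'iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT',
        'iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT',
    ] + port_rules + [
        'iptables-save'
    ])

    Package('iptables-services').install()

    # No ESTABLISHED or port rules exist for IPv6, so with DROP policies all
    # non-loopback IPv6 traffic is blocked -- presumably intended, confirm.
    exec_shell([
        'ip6tables -A INPUT -i lo -j ACCEPT',
        'ip6tables -A OUTPUT -o lo -j ACCEPT',
        'ip6tables -A INPUT -s ::1 -j DROP ',
        'ip6tables -P INPUT DROP',
        'ip6tables -P OUTPUT DROP',
        'ip6tables -P FORWARD DROP',
        'ip6tables-save'
    ])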
def apply_process_hardenings():
    """1.5 Additional Process Hardening.

    Disables core dumps (limits.conf hard limit plus ``fs.suid_dumpable``),
    turns on full ASLR and removes prelink.
    """
    sysctl_conf = '/etc/sysctl.conf'
    sysctl_sep = ' = '

    # 1.5.1 Ensure core dumps are restricted
    limits = PropertyFile('/etc/security/limits.conf', ' ')
    limits.override({'* hard core': '0'}).write()

    dumpable = PropertyFile(sysctl_conf, sysctl_sep)
    dumpable.override({'fs.suid_dumpable': '0'}).write()

    # 1.5.3 Ensure address space layout randomization (ASLR) is enabled
    aslr = PropertyFile(sysctl_conf, sysctl_sep)
    aslr.override({'kernel.randomize_va_space': '2'}).write()

    # 1.5.4 Ensure prelink is disabled -- prelink rewrites binaries, which
    # defeats ASLR and breaks integrity checking.
    Package('prelink').remove()
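def configure_tcp_wrappers(hosts):
    """3.4 TCP Wrappers.

    Installs tcp_wrappers, allows only *hosts* in ``/etc/hosts.allow`` (when
    any are given), denies everything else in ``/etc/hosts.deny`` and fixes
    ownership and permissions on both files.

    The allow/deny lines are written with ``File.write`` rather than an
    interpolated ``echo`` command, so the host tokens never pass through a
    shell. A trailing newline is added to match what echo produced.

    Args:
        hosts: iterable of host/network tokens for the ``ALL:`` line of
            ``/etc/hosts.allow``. When empty or None the allow file is not
            written while ``hosts.deny`` still gets ``ALL: ALL`` -- every
            wrapped service then refuses all clients unless an allow file
            already exists, and the chmod/chown below presumably fail if
            it does not (confirm against exec_shell's error handling).
    """
    # 3.4.1 Ensure TCP Wrappers is installed
    Package('tcp_wrappers').install()

    if hosts:
        # 3.4.2 Ensure /etc/hosts.allow is configured
        allowed_hosts = ','.join(hosts)
        File('/etc/hosts.allow').write('ALL: {}\n'.format(allowed_hosts))

    # 3.4.3 Ensure /etc/hosts.deny is configured
    File('/etc/hosts.deny').write('ALL: ALL\n')

    # 3.4.4 Ensure permissions on /etc/hosts.allow are configured
    exec_shell(['chown root:root /etc/hosts.allow',
                'chmod 644 /etc/hosts.allow'])

    # 3.4.5 Ensure permissions on /etc/hosts.deny are configured
    exec_shell(['chown root:root /etc/hosts.deny',
                'chmod 644 /etc/hosts.deny'])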
def configure_rsyslog():
    """4.2.1 Configure rsyslog.

    Installs rsyslog and writes the facility/priority-to-file routing the
    benchmark expects, plus a 0640 create mode for new log files.
    """
    Package('rsyslog').install()

    local_messages = '-/var/log/localmessages'
    routing = {
        '*.emerg': ':omusrmsg:*',
        'mail.*': '-/var/log/mail',
        'mail.info': '-/var/log/mail.info',
        'mail.warning': '-/var/log/mail.warn',
        'mail.err': '/var/log/mail.err',
        'news.crit': '-/var/log/news/news.crit',
        'news.err': '-/var/log/news/news.err',
        'news.notice': '-/var/log/news/news.notice',
        '*.=warning;*.=err': '-/var/log/warn',
        '*.crit': '/var/log/warn',
        '*.*;mail.none;news.none': '-/var/log/messages',
        'local0,local1.*': local_messages,
        'local2,local3.*': local_messages,
        'local4,local5.*': local_messages,
        # NOTE(review): this destination carries a trailing space in the
        # original and is kept byte-for-byte; probably unintended -- confirm.
        'local6,local7.*': local_messages + ' ',
        # 4.2.1.3 new log files are created group-readable only
        '$FileCreateMode': '0640',
    }
    PropertyFile('/etc/rsyslog.conf', ' ').override(routing).write()
def remove_x11_packages():
    """2.2.2 Ensure X Window System is not installed.

    Removes every package matching the ``xorg-x11*`` glob; a server should
    not carry a graphical stack.
    """
    x11_glob = 'xorg-x11*'
    Package(x11_glob).remove()
def ensure_updated():
    """1.8 Ensure updates, patches, and additional security software are installed.

    Delegates to the package layer's bulk update; no per-package filtering
    is applied here.
    """
    return_value = Package.update_all()
    del return_value  # original discarded the result as well