def enable_aide():
    """1.3 Filesystem Integrity Checking

    Installs the ``aide`` and ``aide-common`` packages.  Each install sits
    in its own handler, so a missing candidate for one package does not
    stop the other from being attempted.

    Only part of this function is present in this listing: the outer
    ``try`` has no matching handler in the lines shown, and ``cron_job``
    is built but never written anywhere within them.
    """
    try:
        # Intended periodic check (1.3); the crontab entry is composed here
        # but no line in this listing installs it.
        cron_job = '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
        try:
            Package('aide').install()
        except Exception, e:
            # NOTE(review): logged without exc_info, and the message blames
            # "no installation candidate" whatever the real cause was
            # (apt lock, network, ...); the traceback is lost.
            logging.error('Package "aide" has no installation candidate')
        try:
            Package('aide-common').install()
        except Exception, e:
            # NOTE(review): same as above — the actual exception is dropped.
            logging.error('Package "aide-common" has no installation candidate')
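def configure_chrony(upstream):
    """2.2.1 Time Synchronization (chrony variant).

    Args:
        upstream: value written as the ``server`` entry of
            ``/etc/chrony/chrony.conf``.  Must be non-empty and must not
            contain a line break, so a caller-supplied value cannot add
            extra directives to the file.  How an existing ``server`` line
            is replaced is up to the ``PropertyFile`` helper.

    Returns:
        None.  Any failure (including a rejected ``upstream``) is logged
        with a traceback and swallowed, like the other 2.2.1 helpers.
    """
    try:
        if not upstream or '\n' in upstream or '\r' in upstream:
            raise ValueError('invalid upstream time source: %r' % (upstream,))

        # 2.2.1.1 Ensure time synchronization is in use: only one of
        # ntp/chrony should be present, so the other daemon is removed first.
        Package('ntp').remove()
        Package('chrony').install()

        # 2.2.1.3 Ensure chrony is configured
        PropertyFile('/etc/chrony/chrony.conf', ' ').override({
            'server': upstream,
        }).write()
    except Exception:
        # exc_info=True records the traceback; the exception object itself
        # was never used, so it is no longer bound.
        logging.error('Error when attemp to execute 2.2.1.configure_chrony()', exc_info=True)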
def configure_pam():
    """5.3 Configure PAM

    Installs libpam-pwquality, writes the password-quality limits to
    /etc/security/pwquality.conf, then writes four PAM control lines.

    NOTE(review): the four PAM lines below (5.3.1-5.3.4) are all written
    to /etc/ssh/sshd_config.  They are PAM directives, not sshd options:
    sshd rejects unknown keywords in its configuration, so the daemon will
    refuse its config on the next restart, and the PAM stack the 5.3 items
    target (on Debian-family systems /etc/pam.d/common-password for the
    ``password`` lines and /etc/pam.d/common-auth for the ``auth`` line)
    is never modified, so none of these four items takes effect.  The
    value for 5.3.4 is masked as '******' in this listing.

    Any failure is logged with a traceback and swallowed.
    """
    try:
        # 5.3.1 Ensure password creation requirements are configured
        Package('libpam-pwquality').install()
        # NOTE(review): PAM directive written to sshd_config (see docstring).
        PropertyFile('/etc/ssh/sshd_config', ' ').override({
                'password requisite': 'pam_pwquality.so retry=3'
        }).write()

        # Quality limits: minimum length 14, at least one digit, upper,
        # other and lower-case character each (negative credit = required).
        PropertyFile('/etc/security/pwquality.conf', '=').override({
            'minlen': '14',
            'dcredit': '-1',
            'ucredit': '-1',
            'ocredit': '-1',
            'lcredit': '-1',
        }).write()

        # 5.3.2 Ensure lockout for failed password attempts is configured
        # NOTE(review): PAM directive written to sshd_config (see docstring).
        PropertyFile('/etc/ssh/sshd_config', ' ').override({
            'auth required': 'pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
        }).write()

        # 5.3.3 Ensure password reuse is limited
        # NOTE(review): PAM directive written to sshd_config (see docstring).
        PropertyFile('/etc/ssh/sshd_config', ' ').override({
                'password required': 'pam_pwhistory.so remember=5'
        }).write()

        # 5.3.4 Ensure password hashing algorithm is SHA-512
        # NOTE(review): the value is masked in this listing; as written the
        # line cannot configure anything and, once restored, still belongs
        # in the PAM password stack rather than sshd_config.
        PropertyFile('/etc/ssh/sshd_config', ' ').override({
                'password': '******'
        }).write()
    except Exception, e:
        logging.error('Error when attemp to execute 5.3.configure_pam()', exc_info=True)
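def configure_rsyslog(log_host=True):
    """4.2.1 Configure rsyslog.

    Installs and enables rsyslog, writes the facility-to-file routing plus
    ``$FileCreateMode 0640`` to /etc/rsyslog.conf, optionally configures
    the TCP/514 listener, and signals the daemon once at the end.

    Args:
        log_host: when true (the default, which is what this function
            always did before the parameter existed) item 4.2.1.5 is
            applied: ``imtcp`` is loaded and rsyslog listens on TCP/514 for
            remote messages.  Pass ``False`` on every machine that is not a
            designated log host; the benchmark wants the listener only on
            log hosts, and an open 514/tcp on every node is needless
            exposure.

    Returns:
        None.  Failures are logged with a traceback and swallowed.

    4.2.1.4 (forwarding to a remote log host) is still not implemented.
    """
    try:
        Package('rsyslog').install()
        Service('rsyslog').enable()

        # Facility routing and the default mode for files rsyslog creates.
        PropertyFile('/etc/rsyslog.conf', ' ').override({
            '*.emerg': ':omusrmsg:*',
            'mail.*': '-/var/log/mail',
            'mail.info': '-/var/log/mail.info',
            'mail.warning': '-/var/log/mail.warn',
            'mail.err': '/var/log/mail.err',
            'news.crit': '-/var/log/news/news.crit',
            'news.err': '-/var/log/news/news.err',
            'news.notice': '-/var/log/news/news.notice',
            '*.=warning;*.=err': '-/var/log/warn',
            '*.crit': '/var/log/warn',
            '*.*;mail.none;news.none': '-/var/log/messages',
            'local0,local1.*': '-/var/log/localmessages',
            'local2,local3.*': '-/var/log/localmessages',
            'local4,local5.*': '-/var/log/localmessages',
            # stray trailing space removed from the path
            'local6,local7.*': '-/var/log/localmessages',
            '$FileCreateMode': '0640',
        }).write()

        # 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
        # TODO: not implemented; no forwarding rule is written.

        # 4.2.1.5 Ensure remote rsyslog messages are only accepted on
        # designated log hosts.
        if log_host:
            PropertyFile('/etc/rsyslog.conf', ' ').override({
                '$ModLoad': 'imtcp',
                '$InputTCPServerRun': '514',
            }).write()

        # One signal after all writes instead of one per write.
        # NOTE(review): on rsyslog 5 and later SIGHUP only reopens output
        # files; picking up a changed configuration (e.g. the new listener)
        # needs a service restart.
        exec_shell('pkill -HUP rsyslogd')
    except Exception:
        logging.error('Error when attemp to execute 4.2.1.configure_rsyslog()', exc_info=True)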
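def configure_tcp_wrappers(hosts):
    """3.4 TCP Wrappers.

    Args:
        hosts: iterable of client patterns for ``/etc/hosts.allow`` in the
            hosts_access(5) ``<net>/<mask>`` form, e.g.
            ``['192.168.1.0/255.255.255.0']``.  When empty or ``None``
            neither hosts.allow nor hosts.deny is written, so a caller
            cannot lock every client out by passing no hosts.  Each entry
            is checked against a conservative character set before use
            because it ends up inside a shell command line.

    Returns:
        None.  Failures (including a rejected entry) are logged with a
        traceback and swallowed.
    """
    try:
        # 3.4.1 Ensure TCP Wrappers is installed
        Package('tcpd').install()

        # Materialise once: the entries are iterated twice below.
        entries = list(hosts) if hosts else []

        if entries:
            # The entries are interpolated into 'echo "..."' below, so only
            # characters that occur in a hosts_access pattern are accepted;
            # quotes, ';', '$', whitespace or line breaks are rejected instead
            # of reaching the shell or appearing in hosts.allow as a new rule.
            for entry in entries:
                if not entry or not all(c.isalnum() or c in '.:/[]-_' for c in entry):
                    raise ValueError('invalid hosts.allow entry: %r' % (entry,))

            # 3.4.2 Ensure /etc/hosts.allow is configured
            allowed_hosts = ','.join(entries)
            exec_shell('echo "ALL: {}" > /etc/hosts.allow'.format(allowed_hosts))

            # 3.4.3 Ensure /etc/hosts.deny is configured
            exec_shell('echo "ALL: ALL" > /etc/hosts.deny')

        # 3.4.4 Ensure permissions on /etc/hosts.allow are configured
        exec_shell([
            'chown root:root /etc/hosts.allow',
            'chmod 644 /etc/hosts.allow',
        ])

        # 3.4.5 Ensure permissions on /etc/hosts.deny are configured
        exec_shell([
            'chown root:root /etc/hosts.deny',
            'chmod 644 /etc/hosts.deny',
        ])
    except Exception:
        logging.error('Error when attemp to execute 3.4.configure_tcp_wrappers()', exc_info=True)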
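def configure_ntp(upstream):
    """2.2.1 Time Synchronization (ntp variant).

    Args:
        upstream: value written as the ``server`` entry of
            ``/etc/ntp.conf``.  Must be non-empty and must not contain a
            line break, so a caller-supplied value cannot add extra
            directives to the file.

    Returns:
        None.  Any failure (including a rejected ``upstream``) is logged
        with a traceback and swallowed, like the other 2.2.1 helpers.
    """
    try:
        if not upstream or '\n' in upstream or '\r' in upstream:
            raise ValueError('invalid upstream time source: %r' % (upstream,))

        # 2.2.1.1 Ensure time synchronization is in use: only one of
        # ntp/chrony should be present, so the other daemon is removed first.
        Package('chrony').remove()
        Package('ntp').install()

        # 2.2.1.2 Ensure ntp is configured
        # 'restrict default' is handed to PropertyFile with a None value;
        # presumably that drops the entry so only the -4/-6 forms remain —
        # confirm against the helper.
        PropertyFile('/etc/ntp.conf', ' ').override({
            'restrict default': None,
            'restrict -4 default': 'kod nomodify notrap nopeer noquery',
            'restrict -6 default': 'kod nomodify notrap nopeer noquery',
            'server': upstream,
        }).write()

        # NOTE(review): the value below is masked as '******' in this
        # listing; restore the intended service account before running
        # this, otherwise the init script is pointed at a bogus user.
        PropertyFile('/etc/init.d/ntp', '=').override({
            'RUNASUSER': '******'
        }).write()
    except Exception:
        # exc_info=True records the traceback; the exception object itself
        # was never used, so it is no longer bound.
        logging.error('Error when attemp to execute 2.2.1.configure_ntp()', exc_info=True)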
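def remove_insecure_clients():
    """2.3 Service Clients

    Removes the legacy clear-text client packages (NIS, rsh, talk, telnet)
    and the LDAP utilities.  Each removal is attempted independently: a
    failure on one package is logged and the remaining packages are still
    processed, where previously the first failure skipped the rest.

    Returns:
        None.  Per-package failures are logged with a traceback.
    """
    packages = (
        'nis', 'rsh-client', 'rsh-redone-client',
        'talk', 'telnet', 'ldap-utils',
    )

    for package in packages:
        try:
            Package(package).remove()
        except Exception:
            logging.error(
                'Error when attemp to execute 2.3.remove_insecure_clients() for package %s',
                package, exc_info=True)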
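def configure_syslog_ng(log_server='logfile.example.com', log_host=True):
    """4.2.2 Configure syslog-ng.

    Installs syslog-ng, enables it at boot and writes the configuration:
    the default file-permission options, a TCP/514 forwarding destination
    for this machine's logs and, optionally, a TCP/514 listener that files
    remote messages under /var/log/remote/.

    Args:
        log_server: host that receives this machine's logs
            (``destination logserver``).  The default is the placeholder
            the original hard-coded; pass the real collector.  Only
            letters, digits and ``.-_:`` are accepted because the value is
            interpolated into the config file.
        log_host: when true (the default, matching the previous behaviour)
            the listener stanza is written as well.  Pass ``False`` on
            machines that are not designated log hosts (4.2.2.5).

    Returns:
        None.  Failures are logged with a traceback and swallowed.
    """
    try:
        # 4.2.2 Configure syslog-ng
        Package('syslog-ng').install()
        exec_shell('update-rc.d syslog-ng enable')

        if not log_server or not all(c.isalnum() or c in '.-_:' for c in log_server):
            raise ValueError('invalid log server: %r' % (log_server,))

        # 4.2.2.3-4.2.2.5 Ensure syslog-ng default file permissions configured
        lines = [
            'options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };',
            'destination logserver { tcp("%s" port(514)); };log { source(src); destination(logserver); };' % log_server,
        ]
        if log_host:
            lines.append('source net{ tcp(); };destination remote { file("/var/log/remote/${FULLHOST}-log"); };log { source(net); destination(remote); };')

        # The original called .format() on the return value of write(),
        # which first wrote the literal string '{}' as the whole config
        # and then raised; the lines are now joined before a single write.
        # NOTE(review): the log{} statements reference source(src), which
        # no line here defines — if File.write replaces the whole file,
        # that source (and the rest of a base config) must come from
        # somewhere else before syslog-ng will start.
        File('/etc/syslog-ng/syslog-ng.conf').write('\n'.join(lines) + '\n')
    except Exception:
        logging.error('Error when attemp to execute 4.2.2-5.configure_syslog_ng()', exc_info=True)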
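def apply_process_hardenings():
    """1.5 Process hardening.

    Restricts core dumps (limits.conf hard limit and ``fs.suid_dumpable``),
    enables full ASLR (``kernel.randomize_va_space = 2``), applies both
    sysctl values to the running kernel, and removes prelink.

    Returns:
        None.  Failures are logged with a traceback and swallowed.
    """
    try:
        # 1.5.1 Ensure core dumps are restricted.
        # The separator was '' originally; every other ``PropertyFile`` use
        # on a space-separated file passes ' ', and limits.conf fields are
        # whitespace separated, so '' would presumably have produced
        # '* hard core0' — confirm against the helper.
        PropertyFile('/etc/security/limits.conf', ' ').override({
            '* hard core': '0',
        }).write()

        # Both sysctl keys go through one writer with one separator; the
        # original used '=' for one key and ' = ' for the other on the same
        # file.  sysctl accepts both spellings, so '=' (used for the other
        # key=value files in this module) is kept.
        # 1.5.3 Ensure ASLR is enabled
        PropertyFile('/etc/sysctl.conf', '=').override({
            'fs.suid_dumpable': '0',
            'kernel.randomize_va_space': '2',
        }).write()
        # sysctl.conf is only read at boot; apply to the running kernel too.
        exec_shell([
            'sysctl -w fs.suid_dumpable=0',
            'sysctl -w kernel.randomize_va_space=2',
        ])

        # 1.5.4 Ensure prelink is disabled
        Package('prelink').remove()
    except Exception:
        logging.error('Error when attemp to execute 1.5.apply_process_hardenings()', exc_info=True)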
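def configure_iptables(ssh_port=22):
    """3.6 Firewall Configuration.

    Installs iptables and loads a default-deny ruleset: loopback allowed,
    outbound NEW/ESTABLISHED allowed, inbound only ESTABLISHED plus new
    TCP connections to ``ssh_port``.

    Args:
        ssh_port: TCP port on which new inbound connections are accepted —
            the only inbound service the ruleset admits.  Converted with
            ``int`` and range-checked before it is interpolated into the
            iptables command line.

    Returns:
        None.  Failures (including an invalid port) are logged with a
        traceback and swallowed.
    """
    try:
        port = int(ssh_port)
        if not 1 <= port <= 65535:
            raise ValueError('ssh_port out of range: %r' % (ssh_port,))

        Package('iptables').install()

        # Order matches the benchmark: flush, default-deny policies,
        # loopback, outbound, established inbound, then the one inbound
        # service.  Between '-P INPUT DROP' and the ESTABLISHED rule an
        # existing remote session may stall briefly, so nothing slow
        # belongs in this list.
        exec_shell([
            'iptables -F',
            'iptables -P INPUT DROP',
            'iptables -P OUTPUT DROP',
            'iptables -P FORWARD DROP',
            'iptables -A INPUT -i lo -j ACCEPT',
            'iptables -A OUTPUT -o lo -j ACCEPT',
            'iptables -A INPUT -s 127.0.0.0/8 -j DROP',
            'iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p tcp --dport {} -m state --state NEW -j ACCEPT'.format(port),
            'iptables-save',
        ])
        # NOTE(review): 'iptables-save' only prints the ruleset to stdout;
        # nothing here persists it, so the rules are lost at reboot.  IPv6
        # (ip6tables) is not configured at all.
    except Exception:
        logging.error('Error when attemp to execute 3.6.configure_iptables()', exc_info=True)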
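def remove_x11_packages():
    """2.2.2 Ensure X Window System is not installed

    Removes every package matching ``xserver-xorg*``.  Whether the glob is
    expanded by the ``Package`` helper or by the package manager it
    drives is not visible here — confirm against the helper.

    Returns:
        None.  Failures are logged with a traceback and swallowed.
    """
    try:
        Package('xserver-xorg*').remove()
    except Exception:
        # exc_info=True records the traceback; the exception object itself
        # was never used, so it is no longer bound.
        logging.error('Error when attemp to execute 2.2.2.remove_x11_packages()', exc_info=True)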