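def enable_aide():
    """1.3 Filesystem Integrity Checking.

    1.3.1 installs the ``aide`` and ``aide-common`` packages.  Each
    installation is attempted on its own so that one missing candidate does
    not prevent the other, and any other failure is logged the way the
    sibling hardening steps log theirs.  The original version of this block
    opened a ``try`` that was never closed, which is a SyntaxError.
    """
    try:
        # 1.3.2 crontab entry for the periodic integrity check.
        # NOTE(review): nothing in this copy of the file consumes cron_job --
        # the step that installs the entry is missing and has to be restored
        # for 1.3.2 to actually be enforced.
        cron_job = '0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
        for package in ('aide', 'aide-common'):
            try:
                Package(package).install()
            except Exception:
                logging.error('Package "%s" has no installation candidate', package)
    except Exception:
        logging.error('Error when attempt to execute 1.3.enable_aide()', exc_info=True)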
def configure_chrony(upstream):
    """2.2.1 Time Synchronization (chrony variant).

    Replaces ntp with chrony and points chrony at ``upstream``.

    Args:
        upstream: value written as the ``server`` directive of
            /etc/chrony/chrony.conf.
    """
    try:
        # 2.2.1.1 Ensure time synchronization is in use -- ntp and chrony are
        # mutually exclusive, so ntp goes away before chrony is installed
        Package('ntp').remove()
        Package('chrony').install()
        # 2.2.1.3 Ensure chrony is configured
        chrony_conf = PropertyFile('/etc/chrony/chrony.conf', ' ')
        chrony_conf.override({'server': upstream}).write()
    except Exception:
        logging.error('Error when attemp to execute 2.2.1.configure_chrony()', exc_info=True)
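def configure_pam():
    """5.3 Configure PAM.

    5.3.1 password quality (pam_pwquality), 5.3.2 lockout after failed
    attempts (pam_tally2), 5.3.3 password reuse (pam_pwhistory) and 5.3.4
    the password hashing algorithm.

    The PAM directives are written to the Debian PAM stack files under
    /etc/pam.d.  The original wrote them into /etc/ssh/sshd_config, where
    sshd rejects them as unknown keywords and refuses to start, and where
    they have no effect on PAM at all.
    """
    try:
        Package('libpam-pwquality').install()
        # 5.3.1 Ensure password creation requirements are configured
        PropertyFile('/etc/pam.d/common-password', ' ').override({
            'password requisite': 'pam_pwquality.so retry=3'
        }).write()
        PropertyFile('/etc/security/pwquality.conf', '=').override({
            'minlen': '14',
            'dcredit': '-1',
            'ucredit': '-1',
            'ocredit': '-1',
            'lcredit': '-1',
        }).write()
        # 5.3.2 Ensure lockout for failed password attempts is configured
        PropertyFile('/etc/pam.d/common-auth', ' ').override({
            'auth required': 'pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
        }).write()
        # 5.3.3 Ensure password reuse is limited
        PropertyFile('/etc/pam.d/common-password', ' ').override({
            'password required': 'pam_pwhistory.so remember=5'
        }).write()
        # 5.3.4 Ensure password hashing algorithm is SHA-512
        # NOTE(review): the value below is a redacted placeholder in this copy
        # of the file, and with a bare 'password' key PropertyFile.override
        # may touch every 'password ...' line of the stack -- confirm its
        # semantics and restore the real pam_unix.so line before running this.
        PropertyFile('/etc/pam.d/common-password', ' ').override({
            'password': '******'
        }).write()
    except Exception:
        logging.error('Error when attempt to execute 5.3.configure_pam()', exc_info=True)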
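def configure_rsyslog(is_log_host=False):
    """4.2.1 Configure rsyslog.

    Installs and enables rsyslog, applies the 4.2.1.3 log-routing rules and
    the 0640 file-creation mode, then reloads the daemon once.

    Args:
        is_log_host: True only on a designated log host; then the imtcp
            listener on port 514 is enabled (4.2.1.5).  The default leaves
            the listener off, which is what 4.2.1.5 requires on every other
            host -- the original enabled it unconditionally, turning each
            hardened machine into an open syslog receiver.  An already
            present listener line is not removed.

    4.2.1.4 (forwarding logs to a remote log host) is not implemented here.
    """
    try:
        Package('rsyslog').install()
        Service('rsyslog').enable()
        # 4.2.1.3 Ensure logging is configured
        rules = {
            '*.emerg': ':omusrmsg:*',
            'mail.*': '-/var/log/mail',
            'mail.info': '-/var/log/mail.info',
            'mail.warning': '-/var/log/mail.warn',
            'mail.err': '/var/log/mail.err',
            'news.crit': '-/var/log/news/news.crit',
            'news.err': '-/var/log/news/news.err',
            'news.notice': '-/var/log/news/news.notice',
            '*.=warning;*.=err': '-/var/log/warn',
            '*.crit': '/var/log/warn',
            '*.*;mail.none;news.none': '-/var/log/messages',
            'local0,local1.*': '-/var/log/localmessages',
            'local2,local3.*': '-/var/log/localmessages',
            'local4,local5.*': '-/var/log/localmessages',
            # the original had a stray trailing space in this path
            'local6,local7.*': '-/var/log/localmessages',
            # 4.2.1.3 new log files are not world readable
            '$FileCreateMode': '0640',
        }
        if is_log_host:
            # 4.2.1.5 only designated log hosts accept remote messages
            rules['$ModLoad'] = 'imtcp'
            rules['$InputTCPServerRun'] = '514'
        PropertyFile('/etc/rsyslog.conf', ' ').override(rules).write()
        # a single reload once every edit has been written
        exec_shell('pkill -HUP rsyslogd')
    except Exception:
        logging.error('Error when attempt to execute 4.2.1.configure_rsyslog()', exc_info=True)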
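def configure_tcp_wrappers(hosts):
    """3.4 TCP Wrappers.

    Args:
        hosts: iterable of host patterns in /etc/hosts.allow syntax, e.g.
            ``192.168.1.0/255.255.255.0``.  When empty or None only the
            package is installed; hosts.allow / hosts.deny are left alone so
            a host is never denied everything without an allow list.

    An entry containing whitespace, ':' or a newline is rejected with a
    ValueError, which the surrounding handler logs like any other failure:
    such a value could span fields or lines of hosts.allow.  The files are
    written directly instead of through ``echo`` in a shell, so the entries
    are never interpolated into a command line (the original built the
    command with str.format).
    """
    try:
        # 3.4.1 Ensure TCP Wrappers is installed
        Package('tcpd').install()
        entries = list(hosts) if hosts else []
        if entries:
            # 3.4.2 Ensure /etc/hosts.allow is configured
            # Type host : <net>/<mask>. Ex: 192.168.1.0/255.255.255.0
            for entry in entries:
                if ':' in entry or any(ch.isspace() for ch in entry):
                    raise ValueError('invalid hosts.allow entry: %r' % (entry,))
            with open('/etc/hosts.allow', 'w') as allow_file:
                allow_file.write('ALL: {}\n'.format(','.join(entries)))
            # 3.4.3 Ensure /etc/hosts.deny is configured
            with open('/etc/hosts.deny', 'w') as deny_file:
                deny_file.write('ALL: ALL\n')
            # 3.4.4 / 3.4.5 Ensure permissions on hosts.allow and hosts.deny
            # are configured (static commands, nothing user supplied)
            exec_shell([
                'chown root:root /etc/hosts.allow',
                'chmod 644 /etc/hosts.allow',
                'chown root:root /etc/hosts.deny',
                'chmod 644 /etc/hosts.deny',
            ])
    except Exception:
        logging.error('Error when attempt to execute 3.4.configure_tcp_wrappers()', exc_info=True)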
def configure_ntp(upstream):
    """2.2.1 Time Synchronization (ntp variant).

    Replaces chrony with ntp, restricts the default ntp access policy and
    points ntp at ``upstream``.

    Args:
        upstream: value written as the ``server`` directive of /etc/ntp.conf.
    """
    try:
        # 2.2.1.1 Ensure time synchronization is in use -- chrony and ntp
        # are mutually exclusive, so chrony goes away first
        Package('chrony').remove()
        Package('ntp').install()
        # 2.2.1.2 Ensure ntp is configured
        restrict_opts = 'kod nomodify notrap nopeer noquery'
        ntp_settings = {
            # None presumably drops the bare 'restrict default' line; the
            # PropertyFile semantics are not visible here
            'restrict default': None,
            'restrict -4 default': restrict_opts,
            'restrict -6 default': restrict_opts,
            'server': upstream,
        }
        PropertyFile('/etc/ntp.conf', ' ').override(ntp_settings).write()
        # NOTE(review): the RUNASUSER value is a redacted placeholder in this
        # copy of the file
        PropertyFile('/etc/init.d/ntp', '=').override({'RUNASUSER': '******'}).write()
    except Exception:
        logging.error('Error when attemp to execute 2.2.1.configure_ntp()', exc_info=True)
def remove_insecure_clients():
    """2.3 Service Clients -- remove clear-text and legacy client packages."""
    insecure = (
        'nis',
        'rsh-client',
        'rsh-redone-client',
        'talk',
        'telnet',
        'ldap-utils',
    )
    try:
        for name in insecure:
            Package(name).remove()
    except Exception:
        logging.error('Error when attemp to execute 2.3.remove_insecure_clients()', exc_info=True)
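def configure_syslog_ng(is_log_host=False):
    """4.2.2 Configure syslog-ng.

    Installs syslog-ng, enables it at boot and writes the 4.2.2.3-4.2.2.5
    options to /etc/syslog-ng/syslog-ng.conf.

    Args:
        is_log_host: include the ``source net { tcp(); }`` listener
            (4.2.2.5) only when this machine is a designated log host; the
            original enabled the listener unconditionally.

    The original called ``.format(tmp)`` on the return value of ``write``,
    so the literal string ``{}`` was written to the file and the call then
    failed; the lines are now joined before writing.

    NOTE(review): only these lines are written (whether File.write replaces
    or appends is not visible here); they reference ``source(src)`` without
    defining it and the remote destination hostname is a placeholder.  Both
    must be filled in from the real deployment before this step is usable.
    """
    try:
        Package('syslog-ng').install()
        exec_shell('update-rc.d syslog-ng enable')
        # 4.2.2.3-4.2.2.5 Ensure syslog-ng default file permissions configured
        lines = [
            'options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };',
            # 4.2.2.4 forward logs to the remote log host
            'destination logserver { tcp("logfile.example.com" port(514)); };log { source(src); destination(logserver); };',
        ]
        if is_log_host:
            # 4.2.2.5 only designated log hosts accept remote messages
            lines.append('source net{ tcp(); };destination remote { file("/var/log/remote/${FULLHOST}-log"); };log { source(net); destination(remote); };')
        File('/etc/syslog-ng/syslog-ng.conf').write('\n'.join(lines) + '\n')
    except Exception:
        logging.error('Error when attempt to execute 4.2.2-5.configure_syslog_ng()', exc_info=True)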
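def apply_process_hardenings():
    """1.5 Additional Process Hardening.

    1.5.1 restricts core dumps, 1.5.3 enables ASLR and 1.5.4 removes
    prelink.  The sysctl values are also applied to the running kernel so
    the change does not wait for the next reboot.
    """
    try:
        # 1.5.1 Ensure core dumps are restricted.  limits.conf fields are
        # whitespace separated; the original passed an empty separator,
        # which looks like it would run key and value together.
        PropertyFile('/etc/security/limits.conf', ' ').override({
            '* hard core': '0'
        }).write()
        # Both sysctl keys go through one writer with one separator; the
        # original wrote the same file twice, once with '=' and once with
        # ' = ', so the two entries did not even share a format.
        PropertyFile('/etc/sysctl.conf', ' = ').override({
            'fs.suid_dumpable': '0',
            # 1.5.3 Ensure ASLR is enabled
            'kernel.randomize_va_space': '2',
        }).write()
        # apply to the running kernel as well, not only at next boot
        exec_shell([
            'sysctl -w fs.suid_dumpable=0',
            'sysctl -w kernel.randomize_va_space=2',
        ])
        # 1.5.4 Ensure prelink is disabled
        Package('prelink').remove()
    except Exception:
        logging.error('Error when attempt to execute 1.5.apply_process_hardenings()', exc_info=True)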
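def configure_iptables(allowed_tcp_ports=(22,)):
    """3.6 Firewall Configuration.

    Args:
        allowed_tcp_ports: TCP ports opened for new inbound connections.
            Defaults to SSH only, as in the original.  Each value is passed
            through ``int`` before it is placed in an iptables command, so
            nothing but a port number can reach the shell.

    The accept rules are installed before the default policies are switched
    to DROP, so the session running this script is not cut off in between;
    the original set the DROP policies first.

    NOTE(review): ``iptables-save`` only prints the ruleset to stdout;
    nothing here stores it, so the rules do not survive a reboot.
    """
    try:
        Package('iptables').install()
        port_rules = [
            'iptables -A INPUT -p tcp --dport {} -m state --state NEW -j ACCEPT'.format(int(port))
            for port in allowed_tcp_ports
        ]
        exec_shell([
            'iptables -F',
            # loopback traffic is allowed, spoofed loopback sources are not
            'iptables -A INPUT -i lo -j ACCEPT',
            'iptables -A OUTPUT -o lo -j ACCEPT',
            'iptables -A INPUT -s 127.0.0.0/8 -j DROP',
            # outbound connections and their replies
            'iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT',
            'iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT',
        ] + port_rules + [
            # default deny, set last so every accept rule is already in place
            'iptables -P INPUT DROP',
            'iptables -P OUTPUT DROP',
            'iptables -P FORWARD DROP',
            'iptables-save',
        ])
    except Exception:
        logging.error('Error when attempt to execute 3.6.configure_iptables()', exc_info=True)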
def remove_x11_packages():
    """2.2.2 Ensure X Window System is not installed."""
    try:
        # wildcard pattern handed to the package wrapper; how Package expands
        # it is not visible here
        Package('xserver-xorg*').remove()
    except Exception:
        logging.error('Error when attemp to execute 2.2.2.remove_x11_packages()', exc_info=True)