Linux Filesystem Security Configurations

The document provides instructions for hardening a Linux filesystem and system configuration. It details steps to disable unnecessary kernel modules, ensure separate filesystem mounts with restrictive options like nodev and nosuid, configure SELinux in enforcing mode, disable services like autofs and prelink, set restrictive sysctl values, enable core dump restrictions, and configure warning banners.


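#!/usr/bin/env bash
##Filesystem Configurations
# Hardening script for RHEL/CentOS 7-style hosts (yum, systemd, SELinux).
# Every section edits system files or kernel settings, so it must run as root.
if [ "$(id -u)" -ne 0 ]; then
  printf 'this hardening script must be run as root\n' >&2
  exit 1
fi

#Disabling Kernel Modules that aren't required in /etc/modprobe.d/
# Any file with a .conf extension in /etc/modprobe.d/ is honoured, so the name
# does not matter. The original file name was lost when this page was
# extracted; "hardening.conf" is a constructed name - adjust to local convention.
modprobe_conf=/etc/modprobe.d/hardening.conf

# Create the file if it doesn't exist.
[ -e "$modprobe_conf" ] || touch "$modprobe_conf"

# "install <module> /bin/true" makes modprobe run /bin/true instead of loading
# the module; whether a module is (still) loaded can be checked with lsmod.
# vfat is skipped on UEFI-booted machines: /boot/efi is a vfat filesystem there
# and blocking the module would break the next boot.
fs_modules=(cramfs freevxfs jffs2 hfs hfsplus squashfs udf)
if [ -d /sys/firmware/efi ]; then
  printf 'UEFI boot detected; leaving the vfat module enabled for /boot/efi\n' >&2
else
  fs_modules+=(vfat)
fi
# Each line is added only once, so re-running the script does not duplicate it
# (the original wrapped these commands across lines, which broke them).
for fs_module in "${fs_modules[@]}"; do
  grep -q "install ${fs_module} /bin/true" "$modprobe_conf" \
    || printf 'install %s /bin/true\n' "$fs_module" >> "$modprobe_conf"
done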

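#ensuring separate filesystems are in place with the required mount options.
# check_mount MOUNTPOINT [OPTION...]
#   Prints (on stdout, like the original messages) when MOUNTPOINT is not a
#   separate mount, and one line per OPTION missing from its mount options.
#   findmnt is used instead of "mount | grep" so that /tmp cannot match
#   /var/tmp and an option name cannot match inside a device or path name.
#   Returns 1 when the mount point is missing, 0 otherwise.
check_mount() {
  local mnt=$1
  shift
  local opts
  if ! opts=$(findmnt -n -o OPTIONS "$mnt" 2>/dev/null) || [ -z "$opts" ]; then
    printf '%s not found as a separate mount point. Please create.\n' "$mnt"
    return 1
  fi
  local want
  for want in "$@"; do
    # Options are a comma-separated list; pad with commas so "nodev" cannot
    # match as a substring of another option.
    case ",${opts}," in
      *",${want},"*) ;;
      *) printf '%s mount option is not set in %s mount point. Please add.\n' "$want" "$mnt" ;;
    esac
  done
  return 0
}

check_mount /tmp nodev nosuid noexec
check_mount /var
check_mount /var/tmp nodev nosuid noexec
check_mount /var/log
check_mount /var/log/audit
check_mount /home nodev
check_mount /dev/shm nodev nosuid noexec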

#stop and disable autofs if it exists.
# Output is discarded on purpose: on hosts without autofs both commands fail
# with "unit not found", which is the desired end state anyway.
for autofs_action in stop disable; do
  systemctl "$autofs_action" autofs >/dev/null 2>&1
done

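#Ensure gpgcheck is globally activated
# sed's "c" only changes an existing line, so a yum.conf without a gpgcheck
# key was silently left alone; append it to [main] in that case. Per-repo
# files can override the global value, so any gpgcheck=0 there is turned on too.
yum_conf=/etc/yum.conf
if grep -q '^gpgcheck' "$yum_conf"; then
  sed -i '/^gpgcheck/c gpgcheck=1' "$yum_conf"
else
  sed -i '/^\[main\]/a gpgcheck=1' "$yum_conf"
fi
for repo_file in /etc/yum.repos.d/*.repo; do
  [ -e "$repo_file" ] || continue
  sed -i 's/^gpgcheck[[:space:]]*=[[:space:]]*0/gpgcheck=1/' "$repo_file"
done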

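#Ensure GPG keys are configured.
# rpm -q exits non-zero when no gpg-pubkey package exists, i.e. no repository
# signing key has been imported; the query itself lists the keys that are.
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' \
  || printf 'gpg keys are either not installed or not configured correctly. please check.\n'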

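#subscribe with redhat and auto register.
# Credentials come from the environment, never from the script body: a
# password embedded in a script is a leaked secret (anyone who can read or copy
# the file has it), and the one that was embedded here must be treated as
# exposed and rotated. --password is still visible in `ps` while the command
# runs; for unattended registration an activation key (--activationkey/--org)
# avoids handing over an account password at all and is preferred.
if [ -n "${RHSM_ACTIVATION_KEY:-}" ] && [ -n "${RHSM_ORG:-}" ]; then
  subscription-manager register --activationkey "$RHSM_ACTIVATION_KEY" --org "$RHSM_ORG"
elif [ -n "${RHSM_USERNAME:-}" ] && [ -n "${RHSM_PASSWORD:-}" ]; then
  subscription-manager register --username "$RHSM_USERNAME" --password "$RHSM_PASSWORD" --auto-attach
else
  # Registration is skipped rather than aborting the rest of the hardening.
  printf 'skipping subscription-manager register: set RHSM_ACTIVATION_KEY and RHSM_ORG, or RHSM_USERNAME and RHSM_PASSWORD\n' >&2
fi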

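#disable rhnsd daemon
# The original ran "chkconfig rhnsd of" (typo), which is rejected as an
# unknown action and therefore never disabled anything. Only act when the
# service is registered, so hosts without rhnsd do not print errors.
if chkconfig --list rhnsd >/dev/null 2>&1; then
  chkconfig rhnsd off
fi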

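#Ensure AIDE is installed and configured.
yum install -y -q aide
# --init writes the new baseline as aide.db.new.gz; it has to be moved to the
# name "aide --check" reads (aide.db.gz, per the RHEL default aide.conf).
aide --init
mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#Ensure filesystem integrity is regularly checked
# The cron entry is appended through a pipe instead of a fixed-name file in
# /tmp, and only when it is not already present, so re-running the script does
# not add a duplicate job.
aide_job='0 5 * * * /usr/sbin/aide --check'
if ! crontab -u root -l 2>/dev/null | grep -qF -- "$aide_job"; then
  { crontab -u root -l 2>/dev/null; printf '%s\n' "$aide_job"; } | crontab -u root -
fi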

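#bootloader permission should be 600
# grub.cfg can hold a bootloader password hash and the kernel command line, so
# keep it root-only. On UEFI systems the live copy is under /boot/efi, a vfat
# filesystem whose mode comes from its fmask/umask mount options; chmod there
# may report "Operation not permitted" and is allowed to fail.
for grub_cfg in /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg; do
  [ -f "$grub_cfg" ] || continue
  chown root:root "$grub_cfg" 2>/dev/null
  chmod og-rwx "$grub_cfg" 2>/dev/null
done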

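#Ensure authentication required for single user mode
# rescue.service and emergency.service must invoke /sbin/sulogin so that a
# root password is asked for. This only reports; nothing is changed.
for unit in rescue emergency; do
  unit_file=/usr/lib/systemd/system/${unit}.service
  grep -q /sbin/sulogin "$unit_file" 2>/dev/null \
    || printf '%s does not use /sbin/sulogin; single user mode would be unauthenticated. Please fix.\n' "$unit_file"
done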

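#ensure core_dumps are restricted.
# Persist the setting by replacing an existing entry in /etc/sysctl.conf (the
# original appended a new line on every run where the live value differed) and
# apply it with -w instead of re-reading the whole file with -p.
if grep -q '^[[:space:]]*fs\.suid_dumpable[[:space:]]*=' /etc/sysctl.conf; then
  sed -i 's/^[[:space:]]*fs\.suid_dumpable[[:space:]]*=.*/fs.suid_dumpable = 0/' /etc/sysctl.conf
else
  printf 'fs.suid_dumpable = 0\n' >> /etc/sysctl.conf
fi
sysctl -w fs.suid_dumpable=0 >/dev/null
# Other half of the control: no user may raise the core file size limit.
grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0' /etc/security/limits.conf \
  || printf '* hard core 0\n' >> /etc/security/limits.conf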

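#ensure NX support
# The kernel ring buffer may have wrapped since boot, so fall back to the cpu
# flag in /proc/cpuinfo when the dmesg line is no longer there.
if ! dmesg 2>/dev/null | grep -q 'NX (Execute Disable) protection: active' \
   && ! grep -qw nx /proc/cpuinfo; then
  printf 'Please ensure NX support\n'
fi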

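#ensure ASLR is enabled
# Persist the value by replacing an existing entry rather than appending a
# duplicate, and apply it with -w instead of re-reading the whole file.
if grep -q '^[[:space:]]*kernel\.randomize_va_space[[:space:]]*=' /etc/sysctl.conf; then
  sed -i 's/^[[:space:]]*kernel\.randomize_va_space[[:space:]]*=.*/kernel.randomize_va_space = 2/' /etc/sysctl.conf
else
  printf 'kernel.randomize_va_space = 2\n' >> /etc/sysctl.conf
fi
sysctl -w kernel.randomize_va_space=2 >/dev/null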

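#ensure prelink is disabled
# The original test was inverted: rpm -q exits non-zero when the package is
# NOT installed, so it tried to remove prelink only on hosts that did not have
# it. Also "yum remove" without -y waits for confirmation on a silenced stdin.
if rpm -q prelink >/dev/null 2>&1; then
  # Undo prelinking first so binaries are restored before the tool goes away.
  prelink -ua >/dev/null 2>&1
  yum remove -y prelink >/dev/null 2>&1
fi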

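#Ensure SELinux is not disabled in bootloader configuration
# The original "grep -v -q" only reported when *every* linux line carried
# selinux=0; a single kernel entry booting with SELinux off is enough to matter,
# so report if any entry has selinux=0 or enforcing=0. /etc/default/grub is
# checked as well because grub.cfg is regenerated from it by grub2-mkconfig.
selinux_boot_warning='please check selinux in grub file. it should not be disabled.'
for grub_cfg in /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg; do
  [ -f "$grub_cfg" ] || continue
  if grep '^[[:space:]]*linux' "$grub_cfg" | grep -Eq 'selinux=0|enforcing=0'; then
    printf '%s (%s)\n' "$selinux_boot_warning" "$grub_cfg"
  fi
done
if grep '^[[:space:]]*GRUB_CMDLINE_LINUX' /etc/default/grub 2>/dev/null | grep -Eq 'selinux=0|enforcing=0'; then
  printf '%s (/etc/default/grub)\n' "$selinux_boot_warning"
fi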

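#Ensure the SELinux state is enforcing
rpm -q libselinux >/dev/null || yum install libselinux -q -y
#Ensure SELinux policy is configured
# Replace the existing key or append it; sed's "c" alone does nothing when the
# key is missing from /etc/selinux/config. "^SELINUX=" cannot match SELINUXTYPE.
for selinux_setting in SELINUX=enforcing SELINUXTYPE=targeted; do
  selinux_key=${selinux_setting%%=*}
  if grep -q "^${selinux_key}=" /etc/selinux/config; then
    sed -i "/^${selinux_key}=/c ${selinux_setting}" /etc/selinux/config
  else
    printf '%s\n' "$selinux_setting" >> /etc/selinux/config
  fi
done
# setenforce cannot switch a kernel that booted with SELinux disabled; in that
# case the config change takes effect (with a relabel) at the next boot.
setenforce 1 2>/dev/null \
  || printf 'SELinux could not be set to enforcing at runtime; a reboot (with relabel) is required.\n'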

#Ensure SETroubleshoot is not installed
#Ensure the MCS Translation Service (mcstrans) is not installed
# Same test/remove pair for both packages: rpm -q succeeds only when installed.
for selinux_pkg in setroubleshoot mcstrans; do
  if rpm -q "$selinux_pkg" >/dev/null; then
    yum remove "$selinux_pkg" -q -y
  fi
done

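##Warning Banners
#Ensure local and remote login warning banners are configured properly
# One copy of the text is written to both /etc/issue (local console) and
# /etc/issue.net (sshd Banner). The quoted heredoc keeps the text literal, so
# nothing in it is expanded. The "[Link]" fragments are artefacts of the page
# extraction and should be restored from the original banner text.
read -r -d '' login_banner <<'EOF' || true
This system, its hardware, software and data is owned by Adecco and only
authorized users are allowed to gain access to [Link] usage of Adecco technology
may be monitored, logged and subject to investigation according to applicable laws.
By continuing beyond this point and logging in, you agree to abide by the above
conditions and the Adecco Group Policies and [Link] use of Adecco
technology or breach of Adecco Group Policies and Standards is prohibited and may
be subject to disciplinary action, which may include criminal and/or civil
penalties
EOF
for banner_file in /etc/issue /etc/issue.net; do
  printf '%s\n' "$login_banner" > "$banner_file"
done

#Ensure permissions
# /etc/motd is not written by this script but gets the same owner and mode.
for banner_file in /etc/motd /etc/issue /etc/issue.net; do
  [ -e "$banner_file" ] || continue
  chown root:root "$banner_file"
  chmod 644 "$banner_file"
done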

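#ensure time is synchronised.
rpm -q ntp >/dev/null || yum install ntp -q -y
# Installing the package is not enough; the daemon has to start at boot.
systemctl enable ntpd >/dev/null 2>&1
printf 'please verify that the time servers listed below are one of npintde000123, npintde000124, npintnl000119 or npintnl000120.\n'
# grep exits non-zero when no "server" line exists, which is the error case.
if ! grep '^server' /etc/ntp.conf; then
  printf 'no time server is configured in /etc/ntp.conf. please check ntp manually.\n'
fi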

#Ensure Avahi Server is not enabled
# Remove the package outright when present; rpm -q's exit status is the test.
if rpm -q avahi >/dev/null; then
  yum remove avahi -q -y
fi

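##Network kernel parameters
# set_sysctl KEY VALUE
#   Persist "KEY = VALUE" in /etc/sysctl.conf - replacing an existing entry
#   instead of appending a duplicate on every run - and apply it immediately.
#   The original appended every key unconditionally, so sysctl.conf grew by
#   about thirty lines per run, and set ip_forward and send_redirects twice.
#   Dots in KEY are escaped so "net.ipv4.x" cannot match "netXipv4Xx".
sysctl_conf=/etc/sysctl.conf
set_sysctl() {
  local key=$1 value=$2
  local key_re=${key//./\\.}
  if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$sysctl_conf"; then
    sed -i -E "s/^[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" "$sysctl_conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$sysctl_conf"
  fi
  sysctl -w "${key}=${value}" >/dev/null
}

#Ensure IP forwarding is disabled
set_sysctl net.ipv4.ip_forward 0
#Ensure packet redirect sending is disabled
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.conf.default.send_redirects 0
#Ensure source routed packets are not accepted
set_sysctl net.ipv4.conf.all.accept_source_route 0
set_sysctl net.ipv4.conf.default.accept_source_route 0
#Ensure ICMP redirects are not accepted
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.default.accept_redirects 0
#Ensure secure ICMP redirects are not accepted
set_sysctl net.ipv4.conf.all.secure_redirects 0
set_sysctl net.ipv4.conf.default.secure_redirects 0
#Ensure suspicious packets are logged
set_sysctl net.ipv4.conf.all.log_martians 1
set_sysctl net.ipv4.conf.default.log_martians 1
#Ensure broadcast ICMP requests are ignored
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
#Ensure bogus ICMP responses are ignored
set_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
#Ensure Reverse Path Filtering is enabled
set_sysctl net.ipv4.conf.all.rp_filter 1
set_sysctl net.ipv4.conf.default.rp_filter 1
#Ensure TCP SYN Cookies is enabled
set_sysctl net.ipv4.tcp_syncookies 1
# One routing-cache flush after all IPv4 changes (the original flushed after
# every single key).
sysctl -w net.ipv4.route.flush=1 >/dev/null

#Ensure IPv6 router advertisements are not accepted
set_sysctl net.ipv6.conf.all.accept_ra 0
set_sysctl net.ipv6.conf.default.accept_ra 0
#Ensure IPv6 redirects are not accepted
set_sysctl net.ipv6.conf.all.accept_redirects 0
set_sysctl net.ipv6.conf.default.accept_redirects 0
sysctl -w net.ipv6.route.flush=1 >/dev/null

#Ensure IPv6 is disabled
# "options ipv6 disable=1" only works where ipv6 is a loadable module; on
# kernels with IPv6 built in it is a no-op and "ipv6.disable=1" on the kernel
# command line (GRUB_CMDLINE_LINUX) is the working equivalent. Whether to
# disable IPv6 at all is a deployment decision - it also affects sshd and other
# services bound to "::". The modprobe.d file name was lost in extraction;
# "hardening.conf" is a constructed name and any *.conf in that directory works.
modprobe_conf=/etc/modprobe.d/hardening.conf
grep -q '^options ipv6 disable=1' "$modprobe_conf" 2>/dev/null \
  || printf 'options ipv6 disable=1\n' >> "$modprobe_conf"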

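#Ensure TCP Wrappers is installed
#yum install tcp_wrappers -y

#Ensure permissions on /etc/hosts.allow and /etc/hosts.deny are 644
# Both files are created when missing so the owner/mode changes cannot fail
# and a later access policy has somewhere to go.
for wrappers_file in /etc/hosts.allow /etc/hosts.deny; do
  touch "$wrappers_file"
  chown root:root "$wrappers_file"
  chmod 644 "$wrappers_file"
done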

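#Ensure DCCP,SCTP,RDS,TIPC is disabled
# The original appended each "install" line unconditionally and then again
# behind a grep guard, so every run added four duplicate lines; only the
# guarded form is kept. The modprobe.d file name was lost in extraction;
# "hardening.conf" is a constructed name and any *.conf in that directory works.
modprobe_conf=/etc/modprobe.d/hardening.conf
[ -e "$modprobe_conf" ] || touch "$modprobe_conf"
for net_module in dccp sctp rds tipc; do
  grep -q "install ${net_module} /bin/true" "$modprobe_conf" \
    || printf 'install %s /bin/true\n' "$net_module" >> "$modprobe_conf"
done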

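##Logging and Auditing
# set_auditd_opt KEY VALUE
#   Replace the "KEY = ..." line in auditd.conf or append it when absent.
#   The key is anchored at line start and followed by "=": the original
#   unanchored patterns also hit longer keys - /max_log_file/ rewrote
#   max_log_file_action and /space_left_action/ rewrote admin_space_left_action -
#   which is why those two were then re-appended at the end of the file.
auditd_conf=/etc/audit/auditd.conf
set_auditd_opt() {
  local key=$1 value=$2
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$auditd_conf"; then
    sed -i -E "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$auditd_conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$auditd_conf"
  fi
}
set_auditd_opt max_log_file 24
set_auditd_opt space_left_action email
set_auditd_opt action_mail_acct root
set_auditd_opt admin_space_left_action halt
set_auditd_opt max_log_file_action keep_logs
# auditd is (re)loaded through the SysV wrapper on RHEL 7; systemctl refuses.
service auditd reload
systemctl enable auditd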

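#Ensuring all events are recorded in auditd daemon.
# On RHEL 7 auditd loads its rules through augenrules, which rebuilds
# /etc/audit/audit.rules from /etc/audit/rules.d/*.rules at every restart
# (that is what the "automatically generated" header the original copied
# means), so a hand-written audit.rules is lost on the next restart. The rules
# therefore go into rules.d; "hardening.rules" is a constructed file name.
# The final "-e 2" makes the audit configuration immutable until reboot, so
# any later rule change needs a reboot to take effect.
audit_rules=/etc/audit/rules.d/hardening.rules
cat > "$audit_rules" <<'EOF'
-D
-b 8192
-f 1
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-e 2
EOF
chown root:root "$audit_rules"
chmod 0640 "$audit_rules"
# Rebuild audit.rules from rules.d and load it; fall back to a daemon restart.
augenrules --load >/dev/null 2>&1 || service auditd restart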

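#Ensure rsyslog Service is enabled
# Quote the status: an empty result (unit missing) would otherwise turn the
# test into a syntax error ("[: !=: unary operator expected").
rsyslog_status=$(systemctl is-active rsyslog 2>/dev/null)
if [ "$rsyslog_status" != "active" ]; then
  printf 'rsyslog should be in active state. Starting rsyslog\n'
  systemctl start rsyslog
fi
# Starting it once is not "enabled"; make it start at boot too.
systemctl enable rsyslog >/dev/null 2>&1

#Ensure rsyslog default file permissions configured
# $FileCreateMode only applies to actions defined after it, so appending it at
# the end of the file (as the original did) affected nothing. Insert it at the
# top, once, so every log file rsyslog creates is group-readable at most.
grep -q '^\$FileCreateMode' /etc/rsyslog.conf \
  || sed -i '1i $FileCreateMode 0640' /etc/rsyslog.conf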

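#Configure cron
systemctl enable crond

#Ensure permissions on cron files and directories are root-only
for cron_path in /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  [ -e "$cron_path" ] || continue
  chown root:root "$cron_path"
  chmod og-rwx "$cron_path"
done

# Switch cron and at from a deny-list to an allow-list: with the *.deny files
# removed and empty *.allow files present, only root may submit jobs.
rm -f /etc/cron.deny /etc/at.deny
for allow_file in /etc/cron.allow /etc/at.allow; do
  touch "$allow_file"
  chown root:root "$allow_file"
  chmod og-rwx "$allow_file"
done

# sshd_config may contain host-key and access settings; keep it root-only.
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config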

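#SSH server configuration
# set_sshd_opt KEY VALUE
#   Set "KEY VALUE" in sshd_config: an existing (possibly commented) line for
#   KEY is replaced; otherwise the line is inserted before the first Match
#   block, if any, so it stays a global setting instead of landing inside the
#   last Match stanza. The original used unanchored sed patterns (e.g.
#   /Protocol/, /Banner/) that match anywhere in a line, and appended the
#   Ciphers/MACs lines again on every run.
sshd_config=/etc/ssh/sshd_config
set_sshd_opt() {
  local key=$1 value=$2
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$sshd_config"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$sshd_config"
  elif grep -Eq '^[[:space:]]*Match([[:space:]]|$)' "$sshd_config"; then
    sed -i -E "0,/^[[:space:]]*Match([[:space:]]|$)/s|^[[:space:]]*Match([[:space:]]\|$)|${key} ${value}\n&|" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}

set_sshd_opt Protocol 2
set_sshd_opt LogLevel INFO
set_sshd_opt X11Forwarding no
set_sshd_opt MaxAuthTries 4
set_sshd_opt IgnoreRhosts yes
set_sshd_opt HostbasedAuthentication no
# No direct root logins: make sure an administrative user with sudo exists
# before applying this on a remote host, or the next session cannot become root.
set_sshd_opt PermitRootLogin no
set_sshd_opt PermitEmptyPasswords no
set_sshd_opt Ciphers aes256-ctr,aes192-ctr,aes128-ctr
# The original MAC list (hmac-sha1, umac-64, hmac-ripemd160) is on the CIS
# weak-MAC list; the SHA-2 family (OpenSSH >= 6.2) is what current guidance allows.
set_sshd_opt MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
set_sshd_opt ClientAliveInterval 300
set_sshd_opt ClientAliveCountMax 0
set_sshd_opt LoginGraceTime 60
set_sshd_opt Banner /etc/issue.net
# Validate before reloading: an option the installed OpenSSH does not know
# would otherwise stop sshd from starting and lock out remote administration.
if sshd -t; then
  systemctl reload sshd
else
  printf 'sshd_config failed validation; sshd was NOT reloaded. Fix the file before the next restart.\n' >&2
fi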

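##Configure PAM
# Both stacks receive the same content, written once from a quoted heredoc
# (the original duplicated the whole text and had lines wrapped mid-entry).
# system-auth and password-auth are symlinks to the *-ac files that authconfig
# regenerates, so running authconfig after this script reverts the change.
# NOTE(review): "nullok" on pam_unix lets accounts with an empty password
# authenticate, and pam_tally2 has no unlock_time here so a locked account
# stays locked until "pam_tally2 -r -u USER"; both are kept from the original
# and deserve a deliberate decision rather than silent acceptance.
read -r -d '' pam_stack <<'EOF' || true
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so per_user onerr=fail deny=5 no_magic_root audit
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so reset no_magic_root
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  printf '%s\n' "$pam_stack" > "$pam_file"
done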

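#password expiration policies
# set_login_def KEY VALUE
#   Replace the KEY line in login.defs or append it, so a key that is missing
#   from the file is still set (sed's "c" alone would skip it).
login_defs=/etc/login.defs
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" "$login_defs"; then
    sed -i "/^${key}[[:space:]]/c ${key} ${value}" "$login_defs"
  else
    printf '%s %s\n' "$key" "$value" >> "$login_defs"
  fi
}
set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_WARN_AGE 7
# login.defs only governs accounts created from now on; existing accounts keep
# their current ageing until it is changed with chage(1).
# Lock new accounts 30 days after their password expires (useradd default).
useradd -D -f 30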

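#Ensure Permissions on the password and group databases
# /etc/shadow and /etc/gshadow hold the password hashes. The original set them
# to 644, which makes every hash readable by any local user and hands out an
# offline cracking target; they must be readable by root only (CIS: mode 000 -
# the setuid helpers that need them run as root).
for pub_db in /etc/passwd /etc/group; do
  chown root:root "$pub_db"
  chmod 644 "$pub_db"
done
for secret_db in /etc/shadow /etc/gshadow; do
  chown root:root "$secret_db"
  chmod 000 "$secret_db"
done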
