Created
November 8, 2018 20:41
-
-
Save jdoss/421dbf5d7cd0586cc3ac6fb8fb8963d5 to your computer and use it in GitHub Desktop.
CIS CoreOS CL / Fedora CoreOS config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| storage: | |
| disks: | |
| - device: /dev/sda | |
| wipe_table: true | |
| partitions: | |
| # 1.1.6 Ensure separate partition exists for /var | |
| - label: VAR | |
| number: 1 | |
| size: 4MB | |
| # 1.1.11 Ensure separate partition exists for /var/log | |
| - label: LOG | |
| number: 2 | |
| size: 4MB | |
| # 1.1.12 Ensure separate partition exists for /var/log/audit | |
| - label: AUDIT | |
| number: 3 | |
| size: 4MB | |
| # 1.1.13 Ensure separate partition exists for /home | |
| - label: HOME | |
| number: 4 | |
| size: 4MB | |
| filesystems: | |
| # 1.1.6 Ensure separate partition exists for /var | |
| - name: var | |
| mount: | |
| device: /dev/disk/by-partlabel/VAR | |
| format: ext4 | |
| create: | |
| options: [ -L, VAR ] | |
| # 1.1.11 Ensure separate partition exists for /var/log | |
| - name: log | |
| mount: | |
| device: /dev/disk/by-partlabel/LOG | |
| format: ext4 | |
| create: | |
| options: [ -L, LOG ] | |
| # 1.1.12 Ensure separate partition exists for /var/log/audit | |
| - name: audit | |
| mount: | |
| device: /dev/disk/by-partlabel/AUDIT | |
| format: ext4 | |
| create: | |
| options: [ -L, AUDIT ] | |
| # 1.1.13 Ensure separate partition exists for /home | |
| - name: home | |
| mount: | |
| device: /dev/disk/by-partlabel/HOME | |
| format: ext4 | |
| create: | |
| options: [ -L, HOME ] | |
| # - name: boot | |
| # mount: | |
| # device: /dev/disk/by-partlabel/EFI-SYSTEM | |
| # format: vfat | |
| files: | |
| # 1.1.17 Ensure noexec option set on /dev/shm partition | |
| - path: /etc/fstab | |
| filesystem: root | |
| contents: | |
| inline: | | |
| tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 | |
| # 1.6.1.2 Ensure the SELinux state is enforcing | |
| - path: /etc/selinux/config | |
| filesystem: root | |
| contents: | |
| inline: | | |
| SELINUX=enforcing | |
| SELINUXTYPE=mcs | |
| # 1.7.1.2 Ensure local login warning banner is configured properly | |
| - path: /etc/issue | |
| filesystem: root | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| Authorized uses only. All activity may be monitored and reported. | |
| # 1.7.1.3 Ensure remote login warning banner is configured properly | |
| - path: /etc/issue.net | |
| filesystem: root | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| Authorized uses only. All activity may be monitored and reported. | |
| # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled | |
| # 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled | |
| # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled | |
| # 1.1.1.4 Ensure mounting of hfs filesystems is disabled | |
| # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled | |
| # 1.1.1.6 Ensure mounting of squashfs filesystems is disabled | |
| # 1.1.1.7 Ensure mounting of udf filesystems is disabled | |
| # 1.1.1.8 Ensure mounting of FAT filesystems is disabled | |
| # 3.5.1 Ensure DCCP is disabled | |
| # 3.5.2 Ensure SCTP is disabled | |
| # 3.5.3 Ensure RDS is disabled | |
| # 3.5.4 Ensure TIPC is disabled | |
| - path: /etc/modprobe.d/cis.conf | |
| filesystem: root | |
| mode: 0600 | |
| contents: | |
| inline: | | |
| install cramfs /bin/true | |
| install freevxfs /bin/true | |
| install jffs2 /bin/true | |
| install hfs /bin/true | |
| install hfsplus /bin/true | |
| install squashfs /bin/true | |
| install udf /bin/true | |
| install dccp /bin/true | |
| install sctp /bin/true | |
| install rds /bin/true | |
| install tipc /bin/true | |
| # 3.1.1 Ensure IP forwarding is disabled | |
| # 3.1.2 Ensure packet redirect sending is disabled | |
| # 3.2.2 Ensure ICMP redirects are not accepted | |
| # 3.2.3 Ensure secure ICMP redirects are not accepted | |
| # 3.2.4 Ensure suspicious packets are logged | |
| # 3.3.1 Ensure IPv6 router advertisements are not accepted | |
| # 3.3.2 Ensure IPv6 redirects are not accepted | |
| - path: /etc/sysctl.d/cis.conf | |
| filesystem: root | |
| mode: 0600 | |
| contents: | |
| inline: | | |
| net.ipv4.ip_forward = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| net.ipv6.conf.all.accept_ra = 0 | |
| net.ipv6.conf.default.accept_ra = 0 | |
| net.ipv6.conf.all.accept_redirects = 0 | |
| net.ipv6.conf.default.accept_redirects = 0 | |
| # 5.6 Ensure access to the su command is restricted | |
| - path: /etc/pam.d/su | |
| filesystem: root | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| auth sufficient pam_rootok.so | |
| auth required pam_wheel.so debug use_uid | |
| auth required pam_unix.so | |
| account required pam_unix.so | |
| session required pam_unix.so | |
| - path: /etc/pam.d/system-auth | |
| filesystem: root | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| auth required pam_env.so | |
| auth sufficient pam_unix.so try_first_pass likeauth nullok | |
| auth sufficient pam_sss.so use_first_pass | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account required pam_sss.so ignore_unknown_user ignore_authinfo_unavail | |
| account optional pam_permit.so | |
| password required pam_pwhistory.so remember=5 | |
| password sufficient pam_unix.so use_authtok try_first_pass nullok sha512 shadow minlen=8 | |
| password sufficient pam_sss.so use_authtok | |
| password required pam_deny.so | |
| session required pam_limits.so | |
| session required pam_env.so | |
| session required pam_unix.so | |
| session optional pam_permit.so | |
| session optional pam_sss.so | |
| -session optional pam_systemd.so | |
| # The following bash script completes several hardening tasks which are | |
| # impossible using current functionality in ignition | |
| - path: /root/hardener.sh | |
| filesystem: root | |
| mode: 0700 | |
| contents: | |
| inline: | | |
| #!/bin/bash | |
| # This script performs various hardening persuant to the CIS Distribution Independent Linux Benchmark | |
| # 6.2.8 Ensure users' home directories permissions are 750 or more restrictive | |
| chmod -R 750 /home/core | |
| # 5.4.4 Ensure default user umask is 027 or more restrictive | |
| sed -i '/^umask/c\# This line hardened according to the CIS Distribution Independent Linux Benchmark, Section 5.4.4\numask 027' /etc/profile | |
| sed -i '/^UMASK/c\# This line hardened according to the CIS Distribution Independent Linux Benchmark, Section 5.4.4\nUMASK 027' /etc/login.defs | |
| # 5.4.1.4 Ensure inactive password lock is 30 days or less | |
| useradd -D -f 30 | |
| sed -i '/^PASS_MAX_DAYS/c\# This line hardened according to the CIS Distribution Independent Linux Benchmark, Section 5.4.1.1\nPASS_MAX_DAYS 90' /etc/login.defs | |
| sed -i '/^PASS_MIN_DAYS/c\# This line hardened according to the CIS Distribution Independent Linux Benchmark, Section 5.4.1.2\nPASS_MIN_DAYS 7' /etc/login.defs | |
| chage --inactive 30 --maxdays 90 --mindays 7 --warndays 7 core | |
| # 5.2 SSH Server Configuration | |
| rm -f /etc/ssh/sshd_config | |
| cp /usr/share/ssh/sshd_config /etc/ssh/sshd_config | |
| # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured | |
| chown root:root /etc/ssh/sshd_config | |
| chmod og-rwx /etc/ssh/sshd_config | |
| # 5.2.2 Ensure SSH Protocol is set to 2 | |
| # 5.2.3 Ensure SSH LogLevel is set to INFO | |
| # 5.2.4 Ensure SSH MaxAuthTries is set to 4 or less | |
| # 5.2.5 Ensure SSH IgnoreRHosts is enabled | |
| # 5.2.6 Ensure SSH HostbasedAuthentication is disabled | |
| # 5.2.7 Ensure SSH root login is disabled | |
| # 5.2.8 Ensure SSH PermitEmptyPasswords is disabled | |
| # 5.2.9 Ensure SSH PermitUserEnvironment is disabled | |
| # 5.2.10 Ensure only approved ciphers are used | |
| # 5.2.11 Ensure Idle Timeout Interval is configured | |
| # 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less | |
| # 5.2.14 Ensure SSH access is limited | |
| # 5.2.15 Ensure SSH warning banner is configured | |
| cat <<EOF >> /etc/ssh/sshd_config | |
| # The following configurations added in accordance with the CIS Distribution Independent Linux Benchmark, Section 5.2 | |
| Banner /etc/issue.net | |
| Protocol 2 | |
| LogLevel INFO | |
| X11Forwarding no | |
| MaxAuthTries 4 | |
| IgnoreRhosts yes | |
| HostbasedAuthentication no | |
| PermitRootLogin no | |
| PermitEmptyPasswords no | |
| PermitUserEnvironment no | |
| Ciphers aes256-ctr,aes192-ctr,aes128-ctr | |
| MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected] | |
| ClientAliveInterval 300 | |
| ClientAliveCountMax 0 | |
| LoginGraceTime 60 | |
| AllowUsers core | |
| EOF | |
| # 3.6 Firewall configuration | |
| # Flush IPtables rules | |
| iptables -F | |
| # 3.6.2 Ensure default deny firewall policy | |
| iptables -P INPUT DROP | |
| iptables -P OUTPUT DROP | |
| iptables -P FORWARD DROP | |
| # 3.6.3 Ensure loopback traffic is configured | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A OUTPUT -o lo -j ACCEPT | |
| iptables -A INPUT -s 127.0.0.0/8 -j DROP | |
| # 3.6.4 Ensure outbound and established connections are configured | |
| iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT | |
| # 3.6.5 Ensure firewall rules exist for all open ports | |
| iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT | |
| systemd: | |
| units: | |
| # 1.1.5 Ensure noexec option set on /tmp partition | |
| - name: tmp.mount | |
| dropins: | |
| - name: noexec.conf | |
| contents: | | |
| [Mount] | |
| Options=mode=1777,strictatime,nosuid,nodev,noexec | |
| # 1.1.6 Ensure separate partition exists for /var | |
| - name: var.mount | |
| contents: | | |
| [Unit] | |
| Conflicts=umount.target | |
| Before=local-fs.target umount.target | |
| [Mount] | |
| What=/dev/disk/by-label/VAR | |
| Where=/var | |
| # 1.1.7 Ensure separate partition exists for /var/tmp | |
| # 1.1.8 Ensure nodev option set on /var/tmp partition | |
| # 1.1.9 Ensure nosuid option set on /var/tmp partition | |
| # 1.1.10 Ensure noexec option set on /var/tmp partition | |
| - name: var-tmp.mount | |
| enable: true | |
| contents: | | |
| [Unit] | |
| DefaultDependencies=no | |
| Conflicts=umount.target | |
| Before=local-fs.target umount.target | |
| After=swap.target | |
| [Mount] | |
| What=tmpfs | |
| Where=/var/tmp | |
| Type=tmpfs | |
| Options=mode=1777,strictatime,nosuid,nodev,noexec | |
| [Install] | |
| RequiredBy=local-fs.target | |
| # 1.1.11 Ensure separate partition exists for /var/log | |
| - name: var-log.mount | |
| enable: true | |
| contents: | | |
| [Unit] | |
| DefaultDependencies=no | |
| Conflicts=umount.target | |
| Before=local-fs.target umount.target | |
| [Mount] | |
| What=/dev/disk/by-label/LOG | |
| Where=/var/log | |
| [Install] | |
| RequiredBy=local-fs.target | |
| # 1.1.12 Ensure separate partition exists for /var/log/audit | |
| - name: var-log-audit.mount | |
| enable: true | |
| contents: | | |
| [Unit] | |
| DefaultDependencies=no | |
| Conflicts=umount.target | |
| Before=local-fs.target umount.target | |
| [Mount] | |
| What=/dev/disk/by-label/AUDIT | |
| Where=/var/log/audit | |
| [Install] | |
| RequiredBy=local-fs.target | |
| # 1.1.13 Ensure separate partition exists for /home | |
| # 1.1.14 Ensure nodev option set on /home partition | |
| - name: home.mount | |
| enable: true | |
| contents: | | |
| [Unit] | |
| DefaultDependencies=no | |
| Conflicts=umount.target | |
| Before=local-fs.target umount.target | |
| [Mount] | |
| What=/dev/disk/by-label/HOME | |
| Where=/home | |
| Options=nodev | |
| [Install] | |
| RequiredBy=local-fs.target | |
| # 1.4.1 Ensure permissions on bootloader config are configured | |
| - name: boot.mount | |
| dropins: | |
| - name: noread.conf | |
| contents: | | |
| [Mount] | |
| Options=rw,relatime,fmask=0077,dmask=0022,codepage=437,iocharset=ascii | |
| # Run the hardener on first boot | |
| - name: hardener.service | |
| enable: true | |
| contents: | | |
| [Unit] | |
| Description=CIS Hardener | |
| ConditionFirstBoot=yes | |
| [Service] | |
| Type=oneshot | |
| ExecStart=/root/hardener.sh | |
| [Install] | |
| WantedBy=multi-user.target | |
| passwd: | |
| # 1.4.3 Ensure authentication required for single user mode | |
| # NOTE: The default password for root is `password`. This should be modified for real machines. | |
| users: | |
| - name: root | |
| password_hash: oiTk/Wgmtgmaw |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment