From c4aa9e3973a8a7d750d2264c59060b49a2b880db Mon Sep 17 00:00:00 2001
From: Charles
Date: Sun, 10 Nov 2024 16:53:18 -0500
Subject: [PATCH] More changes than we can count

---
 Containerfile | 35 +-
 README.md | 9 +-
 chrony.conf | 11 +
 net-privacy.conf | 9 +
 scap.sh | 1962 ----------------------------------------------
 tunables.conf | 115 +++
 6 files changed, 163 insertions(+), 1978 deletions(-)
 create mode 100644 chrony.conf
 create mode 100644 net-privacy.conf
 delete mode 100644 scap.sh
 create mode 100644 tunables.conf

diff --git a/Containerfile b/Containerfile
index 811cc57..c9f8561 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,7 +1,17 @@
+# Based on Calcite
 FROM ghcr.io/charles8191/calcite/9
-ARG LIBREWOLF_VERSION=132.0-1
-COPY scap.sh /scap.sh
-RUN sed -i 's,rockylinux.org,github.com/charles8191/netherite,g' /usr/lib/os-release && \
+# Adding configuration files
+ADD net-privacy.conf /usr/lib/NetworkManager/conf.d/30-net-privacy.conf
+ADD chrony.conf /etc/chrony.conf
+ADD tunables.conf /usr/lib/sysctl.d/tunables.conf
+RUN \
+set -x && \
+# Install mimalloc
+curl --create-dirs -Lo /usr/lib64/libmimalloc-secure.so https://github.com/charles8191/mimalloc-secure/raw/refs/heads/main/libmimalloc-secure.so && \
+chmod +x /usr/lib64/libmimalloc-secure.so && \
+echo "/usr/lib64/libmimalloc-secure.so" > /etc/ld.so.preload && \
+# Branding
+sed -i 's,rockylinux.org,github.com/charles8191/netherite,g' /usr/lib/os-release && \
 sed -i 's,Rocky Linux,Netherite,g' /usr/lib/os-release && \
 sed -i 's,Rocky,Netherite,g' /usr/lib/os-release && \
 sed -i 's,rockylinux,netherite,g' /usr/lib/os-release && \
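Review bot: The `curl --create-dirs -Lo /usr/lib64/libmimalloc-secure.so ...` line fetches a prebuilt shared object from a mutable branch (`refs/heads/main`) with no digest or signature check and then registers it in `/etc/ld.so.preload`, so anyone who can change that branch or tamper with the download path gets code loaded into every dynamically linked process in the image. `curl` is also called without `-f`, so an HTTP error body would be saved as the .so and the build would continue. Pin the URL to a commit and verify a digest recorded in this repo before enabling the preload, e.g. `curl -fsSL --create-dirs -o /usr/lib64/libmimalloc-secure.so https://github.com/charles8191/mimalloc-secure/raw/<commit>/libmimalloc-secure.so && \` followed by `echo "<sha256>  /usr/lib64/libmimalloc-secure.so" | sha256sum -c - && \`. Whether the binary was actually built with mimalloc's secure mode cannot be seen from this hunk, so the README's "(secure mode)" claim rests entirely on that external build. The RUN instruction continues in the next hunk.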
@@ -11,17 +21,18 @@ sed -i 's,ID_LIKE="rhel centos fedora",ID_LIKE="rhel centos fedora rocky",g' /us
 sed -i 's,BUG_REPORT_URL,JUNK_BUG_REPORT_URL,g' /usr/lib/os-release && \
 sed -i 's,ROCKY_SUPPORT_PRODUCT,JUNK_ROCKY_SUPPORT_PRODUCT,g' /usr/lib/os-release && \
 sed -i 's,REDHAT_SUPPORT_PRODUCT,JUNK_REDHAT_SUPPORT_PRODUCT,g' /usr/lib/os-release && \
+# LibreWolf
 curl --create-dirs -Lo /pubkey.gpg https://repo.librewolf.net/pubkey.gpg && \
 rpm --import /pubkey.gpg && \
 rm -vf /pubkey.gpg && \
+curl -fsSL https://repo.librewolf.net/librewolf.repo | tee /etc/yum.repos.d/librewolf.repo && \
+dnf swap firefox librewolf -y && \
+# firewalld (breaks the kickstart if not present)
 dnf install firewalld -y && \
-dnf swap firefox https://repo.librewolf.net/pool/librewolf-${LIBREWOLF_VERSION}-linux-x86_64-rpm.rpm -y && \
-curl --create-dirs -Lo /usr/lib/libhardened_malloc.so https://github.com/charles8191/hardened_malloc/raw/refs/heads/main/libhardened_malloc.so && \
-chmod +x /usr/lib/libhardened_malloc.so && \
-echo "/usr/lib/libhardened_malloc.so" > /etc/ld.so.preload && \
-curl --create-dirs -Lo /etc/chrony.conf https://github.com/GrapheneOS/infrastructure/raw/refs/heads/main/chrony.conf && \
-curl --create-dirs -Lo /usr/local/lib/sysctl.d/local.conf https://github.com/GrapheneOS/infrastructure/raw/refs/heads/main/sysctl.d/local.conf && \
-curl --create-dirs -Lo /usr/lib/NetworkManager/conf.d/30-nm-privacy.conf https://github.com/divestedcg/Brace/raw/refs/heads/master/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf && \
-(bash /scap.sh || true) && \
+# SCAP
+dnf install openscap openscap-scanner scap-security-guide -y && \
+oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_anssi_bp28_minimal --fix-type bash /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml > /scap.sh && \
+(bash /scap.sh || true) && rm -vf /scap.sh && \
-dnf clean all
+# Clean
+dnf clean all
\ No newline at end of file
diff --git a/README.md b/README.md
index c2dcdd9..9d30b06 100644
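Review bot: `(bash /scap.sh || true) && rm -vf /scap.sh` discards the remediation script's exit status and then deletes the script, so a remediation that fails leaves nothing in the image showing which rules were actually applied; the old vendored scap.sh contained `systemctl start`/`enable` and `authselect` steps that are likely to fail when no systemd is running during a container build. Because the script is now regenerated at build time from whichever `scap-security-guide` dnf resolves, the applied rule set can also change between builds without any diff in this repo. Keep the step non-fatal but record the outcome, e.g. `(bash /scap.sh; echo "scap.sh exited $?" >&2) && rm -vf /scap.sh && \`, and consider an `oscap xccdf eval` pass with the same profile afterwards so the image ships a results file. The openscap and scap-security-guide packages remain in the final image; a `dnf remove -y openscap openscap-scanner scap-security-guide` before `dnf clean all` would drop them once the script has run. This RUN instruction starts in the previous hunk.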
--- a/README.md
+++ b/README.md
@@ -10,12 +10,13 @@ Netherite is a secure & private operating system based on [Calcite](https://gith
 ## Features
-- [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) from GrapheneOS using [hardened_malloc binary](https://github.com/charles8191/hardened_malloc)
-- Mostly ANSSI-BP-028 Minimal compliant (because it is a solid base for adding extra security)
+- [mimalloc](https://github.com/microsoft/mimalloc) (secure mode) using [mimalloc-secure binary](https://github.com/charles8191/mimalloc-secure)
+- Some remediations from ANSSI-BP-028 Minimal
 - [LibreWolf](https://librewolf.net/) instead of Firefox
-- [Some configuration files from GrapheneOS infrastructure](https://github.com/GrapheneOS/infrastructure)
+- Custom chrony config
+- Custom kernel tunables
 - Modified `os-release` file
-- [Enhanced NetworkManager privacy](https://github.com/divestedcg/Brace/blob/master/brace/usr/lib/NetworkManager/conf.d/30-nm-privacy.conf) from Brace
+- Enhanced NetworkManager privacy
 ## Installation
diff --git a/chrony.conf b/chrony.conf
new file mode 100644
index 0000000..0ed48bc
--- /dev/null
+++ b/chrony.conf
@@ -0,0 +1,11 @@
+pool pool.ntp.org
+pool time.cloudflare.com
+pool time.google.com
+pool time.windows.com
+pool nts.ntp.se
+pool time.esa.int
+pool ntp.time.nl
+minsources 2
+driftfile /var/lib/chrony/drift
+makestep 0.1 3
+rtcsync
\ No newline at end of file
diff --git a/net-privacy.conf b/net-privacy.conf
new file mode 100644
index 0000000..cf0e177
--- /dev/null
+++ b/net-privacy.conf
@@ -0,0 +1,9 @@
+[connection]
+ipv6.ip6-privacy=2
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=stable
+wifi.cloned-mac-address=random
+
+[connectivity]
+uri=
\ No newline at end of file
diff --git a/scap.sh b/scap.sh
deleted file mode 100644
index 8084d06..0000000
--- a/scap.sh
+++ /dev/null
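Review bot: In chrony.conf, `pool nts.ntp.se` and `pool time.cloudflare.com` are listed without the `nts` option, so chrony speaks plain unauthenticated NTP to them even though both names advertise NTS, and with `minsources 2` plus five further unauthenticated pools an on-path attacker can still steer the clock. If authenticated time is the goal, write `pool nts.ntp.se nts` and `pool time.cloudflare.com nts` and add `authselectmode require` (chrony 4.x) so that only authenticated sources are ever selected for synchronisation. `time.google.com` smears leap seconds while the other servers do not, which is a known cause of source disagreement around a leap second and is worth either dropping or noting in the file. The file also has no comment explaining why these seven pools were chosen; a one-line header naming the selection criteria would help the next maintainer.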
@@ -1,1962 +0,0 @@ -#!/usr/bin/env bash -############################################################################### -# -# Bash Remediation Script for ANSSI-BP-028 (minimal) -# -# Profile Description: -# This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. -# ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. -# ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. -# A copy of the ANSSI-BP-028 can be found at the ANSSI website: -# https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ -# An English version of the ANSSI-BP-028 can also be found at the ANSSI website: -# https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system -# -# Profile ID: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal -# Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9 -# Benchmark Version: 0.1.74 -# XCCDF Version: 1.2 -# -# This file was generated by OpenSCAP 1.3.10 using: -# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_anssi_bp28_minimal --fix-type bash xccdf-file.xml -# -# This Bash Remediation Script is generated from an OpenSCAP profile without preliminary evaluation. -# It attempts to fix every selected rule, even if the system is already compliant. -# -# How to apply this Bash Remediation Script: -# $ sudo ./remediation-script.sh -# -############################################################################### - -############################################################################### -# BEGIN fix (1 / 47) for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed' -############################################################################### -(>&2 echo "Remediating rule 1/47: 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'"); ( - -if ! 
rpm -q --quiet "dnf-automatic" ; then - dnf install -y "dnf-automatic" -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed' - -############################################################################### -# BEGIN fix (2 / 47) for 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' -############################################################################### -(>&2 echo "Remediating rule 2/47: 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates'"); ( - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/dnf/automatic.conf"); do - if [ ! -e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*apply_updates" "$f"; then - - sed -i "s/apply_updates[^(\n)]*/apply_updates=yes/" "$f" - - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[commands\]" "$f"; then - - sed -i "/[[:space:]]*\[commands\]/a apply_updates=yes" "$f" - - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - - echo -e "[commands]\napply_updates=yes" >> "$file" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates' - -############################################################################### -# BEGIN fix (3 / 47) for 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' -############################################################################### -(>&2 echo "Remediating rule 3/47: 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only'"); ( - -found=false - -# set value in all files if they contain section or key -for f in $(echo -n "/etc/dnf/automatic.conf"); do - if [ ! 
-e "$f" ]; then - continue - fi - - # find key in section and change value - if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then - - sed -i "s/upgrade_type[^(\n)]*/upgrade_type=security/" "$f" - - found=true - - # find section and add key = value to it - elif grep -qs "[[:space:]]*\[commands\]" "$f"; then - - sed -i "/[[:space:]]*\[commands\]/a upgrade_type=security" "$f" - - found=true - fi -done - -# if section not in any file, append section with key = value to FIRST file in files parameter -if ! $found ; then - file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ') - mkdir -p "$(dirname "$file")" - - echo -e "[commands]\nupgrade_type=security" >> "$file" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only' - -############################################################################### -# BEGIN fix (4 / 47) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' -############################################################################### -(>&2 echo "Remediating rule 4/47: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q dnf; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/dnf/dnf.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/dnf/dnf.conf" -else - if [[ -s "/etc/dnf/dnf.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/dnf/dnf.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/dnf/dnf.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/dnf/dnf.conf" >> "/etc/dnf/dnf.conf" - printf '%s\n' "$formatted_output" >> "/etc/dnf/dnf.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' - -############################################################################### -# BEGIN fix (5 / 47) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' -############################################################################### -(>&2 echo "Remediating rule 5/47: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q dnf; then - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "1" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/dnf/dnf.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/dnf/dnf.conf" -else - if [[ -s "/etc/dnf/dnf.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/dnf/dnf.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/dnf/dnf.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/dnf/dnf.conf" >> "/etc/dnf/dnf.conf" - printf '%s\n' "$formatted_output" >> "/etc/dnf/dnf.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' - -############################################################################### -# BEGIN fix (6 / 47) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' -############################################################################### -(>&2 echo "Remediating rule 6/47: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'"); ( - -sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - -) # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' - -############################################################################### -# BEGIN fix (7 / 47) for 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' -############################################################################### -(>&2 echo "Remediating rule 7/47: 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'"); ( -# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key -readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" -readonly REDHAT_AUXILIARY_FINGERPRINT="7E4624258C406535D56D6F135054E4A45A6340B3" - -# Location of the key we would like to import (once it's integrity verified) 
-readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - -RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") - -# Verify /etc/pki/rpm-gpg directory permissions are safe -if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] -then - # If they are safe, try to obtain fingerprints from the key file - # (to ensure there won't be e.g. CRC error). - - readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) - - GPG_RESULT=$? - # No CRC error, safe to proceed - if [ "${GPG_RESULT}" -eq "0" ] - then - echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { - # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it - rpm --import "${REDHAT_RELEASE_KEY}" - } - fi -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' - -############################################################################### -# BEGIN fix (8 / 47) for 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' -############################################################################### -(>&2 echo "Remediating rule 8/47: 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'"); ( -(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' IS MISSING!") - -) # END fix for 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' - -############################################################################### -# BEGIN fix (9 / 47) for 'xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled' -############################################################################### -(>&2 echo "Remediating rule 9/47: 'xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled'"); ( - -SYSTEMCTL_EXEC='/usr/bin/systemctl' -"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' -"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' - -) # END fix 
for 'xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled' - -############################################################################### -# BEGIN fix (10 / 47) for 'xccdf_org.ssgproject.content_rule_enable_authselect' -############################################################################### -(>&2 echo "Remediating rule 10/47: 'xccdf_org.ssgproject.content_rule_enable_authselect'"); ( - -var_authselect_profile='minimal' - - -authselect current - -if test "$?" -ne 0; then - authselect select "$var_authselect_profile" - - if test "$?" -ne 0; then - if rpm --quiet --verify pam; then - authselect select --force "$var_authselect_profile" - else - echo "authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced." >&2 - fi - fi -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_enable_authselect' - -############################################################################### -# BEGIN fix (11 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' -############################################################################### -(>&2 echo "Remediating rule 11/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_remember='2' - - - - - - -if [ -f /usr/bin/authselect ]; then - if authselect list-features sssd | grep -q with-pwhistory; then - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
- exit 1 - fi - authselect enable-feature with-pwhistory - - authselect apply-changes -b - else - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1) - if [ ! 
-z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE" a password requisite pam_pwhistory.so" "$PAM_FILE_PATH" - else - echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" - fi - fi - fi - fi -else - if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "/etc/pam.d/system-auth" - else - LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1) - if [ ! -z $LAST_MATCH_LINE ]; then - sed -i --follow-symlinks $LAST_MATCH_LINE" a password requisite pam_pwhistory.so" "/etc/pam.d/system-auth" - else - echo "password requisite pam_pwhistory.so" >> "/etc/pam.d/system-auth" - fi - fi - fi -fi - -PWHISTORY_CONF="/etc/security/pwhistory.conf" -if [ -f $PWHISTORY_CONF ]; then - regex="^\s*remember\s*=" - line="remember = $var_password_pam_unix_remember" - if ! grep -q $regex $PWHISTORY_CONF; then - echo $line >> $PWHISTORY_CONF - else - sed -i --follow-symlinks 's|^\s*\(remember\s*=\s*\)\(\S\+\)|\1'"$var_password_pam_unix_remember"'|g' $PWHISTORY_CONF - fi - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
- exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "/etc/pam.d/system-auth was not found" >&2 - fi -else - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" - else - echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! 
grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_unix_remember/" "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_remember \3/" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' - -############################################################################### -# BEGIN fix (12 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' -############################################################################### -(>&2 echo "Remediating rule 12/47: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_deny='3' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! 
grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*deny\s*=" - line="deny = $var_accounts_passwords_pam_faillock_deny" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' - -############################################################################### -# BEGIN fix (13 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' -############################################################################### -(>&2 echo "Remediating rule 13/47: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
-exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*even_deny_root" - line="even_deny_root" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' - -############################################################################### -# BEGIN fix (14 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' -############################################################################### -(>&2 echo "Remediating rule 14/47: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_fail_interval='900' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! 
grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*fail_interval\s*=" - line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' - -############################################################################### -# BEGIN fix (15 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' -############################################################################### -(>&2 echo "Remediating rule 15/47: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_unlock_time='900' - - -if [ -f /usr/bin/authselect ]; then - if ! authselect check; then -echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. -It is not recommended to manually edit the PAM files when authselect tool is available. 
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." -exit 1 -fi -authselect enable-feature with-faillock - -authselect apply-changes -b -else - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") -for pam_file in "${AUTH_FILES[@]}" -do - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" - sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" - fi - sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" -done - -fi - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - regex="^\s*unlock_time\s*=" - line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" - if ! grep -q $regex $FAILLOCK_CONF; then - echo $line >> $FAILLOCK_CONF - else - sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF - fi - for pam_file in "${AUTH_FILES[@]}" - do - if [ -e "$pam_file" ] ; then - PAM_FILE_PATH="$pam_file" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
- exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$pam_file") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - - if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi - else - echo "$pam_file was not found" >&2 - fi - done -else - for pam_file in "${AUTH_FILES[@]}" - do - if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - else - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' - -############################################################################### -# BEGIN fix (16 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' -############################################################################### -(>&2 echo "Remediating rule 16/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_dcredit='-1' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' - -############################################################################### -# BEGIN fix (17 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' -############################################################################### -(>&2 echo "Remediating rule 17/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_lcredit='-1' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' - -############################################################################### -# BEGIN fix (18 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' -############################################################################### -(>&2 echo "Remediating rule 18/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minclass='4' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' - -############################################################################### -# BEGIN fix (19 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' -############################################################################### -(>&2 echo "Remediating rule 19/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_minlen='15' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' - -############################################################################### -# BEGIN fix (20 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' -############################################################################### -(>&2 echo "Remediating rule 20/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_ocredit='-1' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' - -############################################################################### -# BEGIN fix (21 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' -############################################################################### -(>&2 echo "Remediating rule 21/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_retry='3' - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^retry") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_retry" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. 
-if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - - if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - -if grep -qP "^\s*password\s.*\bpam_pwquality.so\s.*\bretry\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*password.*pam_pwquality.so.*)\bretry\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - - if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - -if grep -qP "^\s*password\s.*\bpam_pwquality.so\s.*\bretry\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*password.*pam_pwquality.so.*)\bretry\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' - -############################################################################### -# BEGIN fix (22 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' -############################################################################### -(>&2 echo "Remediating rule 22/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_ucredit='-1' - - - - - - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" - -# If the key exists, change it. 
Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" -else - if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf" - printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' - -############################################################################### -# BEGIN fix (23 / 47) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' -############################################################################### -(>&2 echo "Remediating rule 23/47: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_hashing_algorithm_pam='sha512' - - -PAM_FILE_PATH="/etc/pam.d/system-auth" -CONTROL="sufficient" - -if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. 
- It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP "^\s*password\s+$CONTROL\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1$CONTROL \2/" "$PAM_FILE_PATH" - else - echo "password $CONTROL pam_unix.so" >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP "^\s*password\s+$CONTROL\s+pam_unix.so\s*.*\s$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+$CONTROL\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "$PAM_FILE_PATH was not found" >&2 -fi - -# Ensure only the correct hashing algorithm option is used. 
-declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt") - -for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do - if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then - if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then - if [ -e "$PAM_FILE_PATH" ] ; then - PAM_FILE_PATH="$PAM_FILE_PATH" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "$PAM_FILE_PATH") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - -if grep -qP "^\s*password\s+.*\s+pam_unix.so\s.*\b$hash_option\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "s/(.*password.*.*.*pam_unix.so.*)\s$hash_option=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH" -fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "$PAM_FILE_PATH was not found" >&2 -fi - fi - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' - -############################################################################### -# BEGIN fix (24 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' -############################################################################### -(>&2 echo "Remediating rule 24/47: 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - -var_accounts_password_minlen_login_defs='15' - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. 
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MIN_LEN") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_password_minlen_login_defs" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^PASS_MIN_LEN\\>" "/etc/login.defs"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - LC_ALL=C sed -i --follow-symlinks "s/^PASS_MIN_LEN\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" -else - if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then - LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" - fi - cce="" - printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs" - printf '%s\n' "$formatted_output" >> "/etc/login.defs" -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' - -############################################################################### -# BEGIN fix (25 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_root' -############################################################################### -(>&2 echo "Remediating rule 25/47: 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_root'"); ( - -var_accounts_maximum_age_root='365' - -chage -M $var_accounts_maximum_age_root root - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_root' - -############################################################################### -# BEGIN fix (26 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' -############################################################################### -(>&2 echo 
"Remediating rule 26/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='65536' - - - -if [ -e "/etc/pam.d/password-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/password-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/password-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. 
- sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1sufficient \2/" "$PAM_FILE_PATH" - else - echo "password sufficient pam_unix.so" >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\srounds\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ rounds=$var_password_pam_unix_rounds/" "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/password-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' - -############################################################################### -# BEGIN fix (27 / 47) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' -############################################################################### -(>&2 echo "Remediating rule 27/47: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth'"); ( -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_password_pam_unix_rounds='65536' - - -if [ -e "/etc/pam.d/system-auth" ] ; then - PAM_FILE_PATH="/etc/pam.d/system-auth" - if [ -f /usr/bin/authselect ]; then - - if ! authselect check; then - echo " - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. 
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - exit 1 - fi - - CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') - # If not already in use, a custom profile is created preserving the enabled features. - if [[ ! $CURRENT_PROFILE == custom/* ]]; then - ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') - authselect create-profile hardening -b $CURRENT_PROFILE - CURRENT_PROFILE="custom/hardening" - - authselect apply-changes -b --backup=before-hardening-custom-profile - authselect select $CURRENT_PROFILE - for feature in $ENABLED_FEATURES; do - authselect enable-feature $feature; - done - - authselect apply-changes -b --backup=after-hardening-custom-profile - fi - PAM_FILE_NAME=$(basename "/etc/pam.d/system-auth") - PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" - - authselect apply-changes -b - fi - if ! grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*" "$PAM_FILE_PATH"; then - # Line matching group + control + module was not found. Check group + module. - if [ "$(grep -cP '^\s*password\s+.*\s+pam_unix.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then - # The control is updated only if one single line matches. - sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_unix.so.*)/\1sufficient \2/" "$PAM_FILE_PATH" - else - echo "password sufficient pam_unix.so" >> "$PAM_FILE_PATH" - fi - fi - # Check the option - if ! 
grep -qP "^\s*password\s+sufficient\s+pam_unix.so\s*.*\srounds\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+sufficient\s+pam_unix.so.*/ s/$/ rounds=$var_password_pam_unix_rounds/" "$PAM_FILE_PATH" - else - sed -i -E --follow-symlinks "s/(\s*password\s+sufficient\s+pam_unix.so\s+.*)(rounds=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_rounds \3/" "$PAM_FILE_PATH" - fi - if [ -f /usr/bin/authselect ]; then - - authselect apply-changes -b - fi -else - echo "/etc/pam.d/system-auth was not found" >&2 -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth' - -############################################################################### -# BEGIN fix (28 / 47) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' -############################################################################### -(>&2 echo "Remediating rule 28/47: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned'"); ( - -# At least under containerized env /proc can have files w/o possilibity to -# modify even as root. And touching /proc is not good idea anyways. 
-find / -path /proc -prune -o \ - -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \ - -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \ - -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \ - -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \ - -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; - -) # END fix for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' - -############################################################################### -# BEGIN fix (29 / 47) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' -############################################################################### -(>&2 echo "Remediating rule 29/47: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits'"); ( -df --local -P | awk '{if (NR!=1) print $6}' \ -| xargs -I '$6' find '$6' -xdev -type d \ -\( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null \ --exec chmod a+t {} + - -) # END fix for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' - -############################################################################### -# BEGIN fix (30 / 47) for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid' -############################################################################### -(>&2 echo "Remediating rule 30/47: 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid'"); ( -(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid' IS MISSING!") - -) # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid' - -############################################################################### -# BEGIN fix (31 / 47) for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid' -############################################################################### -(>&2 echo "Remediating rule 31/47: 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid'"); ( -(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid' IS MISSING!") - -) # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid' - -############################################################################### -# BEGIN fix (32 / 47) for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable' -############################################################################### -(>&2 echo "Remediating rule 32/47: 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable'"); ( - -FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) -PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }') -for PARTITION in $PARTITIONS; do - find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null -done - -# Ensure /tmp is also fixed whem 
tmpfs is used. -if grep "^tmpfs /tmp" /proc/mounts; then - find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable' - -############################################################################### -# BEGIN fix (33 / 47) for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' -############################################################################### -(>&2 echo "Remediating rule 33/47: 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'"); ( -(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' IS MISSING!") - -) # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' - -############################################################################### -# BEGIN fix (34 / 47) for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' -############################################################################### -(>&2 echo "Remediating rule 34/47: 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'"); ( -(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' IS MISSING!") - -) # END fix for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' - -############################################################################### -# BEGIN fix (35 / 47) for 'xccdf_org.ssgproject.content_rule_package_dhcp_removed' -############################################################################### -(>&2 echo "Remediating rule 35/47: 'xccdf_org.ssgproject.content_rule_package_dhcp_removed'"); ( - -# CAUTION: This remediation script will remove dhcp-server -# from the system, and may remove any packages -# that depend on dhcp-server. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "dhcp-server" ; then - - dnf remove -y "dhcp-server" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_dhcp_removed' - -############################################################################### -# BEGIN fix (36 / 47) for 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' -############################################################################### -(>&2 echo "Remediating rule 36/47: 'xccdf_org.ssgproject.content_rule_package_sendmail_removed'"); ( -# Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove sendmail -# from the system, and may remove any packages -# that depend on sendmail. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "sendmail" ; then - - dnf remove -y "sendmail" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' - -############################################################################### -# BEGIN fix (37 / 47) for 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' -############################################################################### -(>&2 echo "Remediating rule 37/47: 'xccdf_org.ssgproject.content_rule_package_xinetd_removed'"); ( -# Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -# CAUTION: This remediation script will remove xinetd -# from the system, and may remove any packages -# that depend on xinetd. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "xinetd" ; then - - dnf remove -y "xinetd" - -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' - -############################################################################### -# BEGIN fix (38 / 47) for 'xccdf_org.ssgproject.content_rule_package_ypbind_removed' -############################################################################### -(>&2 echo "Remediating rule 38/47: 'xccdf_org.ssgproject.content_rule_package_ypbind_removed'"); ( - -# CAUTION: This remediation script will remove ypbind -# from the system, and may remove any packages -# that depend on ypbind. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "ypbind" ; then - - dnf remove -y "ypbind" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_ypbind_removed' - -############################################################################### -# BEGIN fix (39 / 47) for 'xccdf_org.ssgproject.content_rule_package_ypserv_removed' -############################################################################### -(>&2 echo "Remediating rule 39/47: 'xccdf_org.ssgproject.content_rule_package_ypserv_removed'"); ( - -# CAUTION: This remediation script will remove ypserv -# from the system, and may remove any packages -# that depend on ypserv. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "ypserv" ; then - - dnf remove -y "ypserv" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_ypserv_removed' - -############################################################################### -# BEGIN fix (40 / 47) for 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' -############################################################################### -(>&2 echo "Remediating rule 40/47: 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed'"); ( - -# CAUTION: This remediation script will remove rsh-server -# from the system, and may remove any packages -# that depend on rsh-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "rsh-server" ; then - - dnf remove -y "rsh-server" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' - -############################################################################### -# BEGIN fix (41 / 47) for 'xccdf_org.ssgproject.content_rule_package_rsh_removed' -############################################################################### -(>&2 echo "Remediating rule 41/47: 'xccdf_org.ssgproject.content_rule_package_rsh_removed'"); ( - -# CAUTION: This remediation script will remove rsh -# from the system, and may remove any packages -# that depend on rsh. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "rsh" ; then - - dnf remove -y "rsh" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_rsh_removed' - -############################################################################### -# BEGIN fix (42 / 47) for 'xccdf_org.ssgproject.content_rule_package_talk-server_removed' -############################################################################### -(>&2 echo "Remediating rule 42/47: 'xccdf_org.ssgproject.content_rule_package_talk-server_removed'"); ( - -# CAUTION: This remediation script will remove talk-server -# from the system, and may remove any packages -# that depend on talk-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "talk-server" ; then - - dnf remove -y "talk-server" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_talk-server_removed' - -############################################################################### -# BEGIN fix (43 / 47) for 'xccdf_org.ssgproject.content_rule_package_talk_removed' -############################################################################### -(>&2 echo "Remediating rule 43/47: 'xccdf_org.ssgproject.content_rule_package_talk_removed'"); ( - -# CAUTION: This remediation script will remove talk -# from the system, and may remove any packages -# that depend on talk. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "talk" ; then - - dnf remove -y "talk" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_talk_removed' - -############################################################################### -# BEGIN fix (44 / 47) for 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' -############################################################################### -(>&2 echo "Remediating rule 44/47: 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed'"); ( - -# CAUTION: This remediation script will remove telnet-server -# from the system, and may remove any packages -# that depend on telnet-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "telnet-server" ; then - - dnf remove -y "telnet-server" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' - -############################################################################### -# BEGIN fix (45 / 47) for 'xccdf_org.ssgproject.content_rule_package_telnet_removed' -############################################################################### -(>&2 echo "Remediating rule 45/47: 'xccdf_org.ssgproject.content_rule_package_telnet_removed'"); ( - -# CAUTION: This remediation script will remove telnet -# from the system, and may remove any packages -# that depend on telnet. Execute this -# remediation AFTER testing on a non-production -# system! 
- -if rpm -q --quiet "telnet" ; then - - dnf remove -y "telnet" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_telnet_removed' - -############################################################################### -# BEGIN fix (46 / 47) for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' -############################################################################### -(>&2 echo "Remediating rule 46/47: 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'"); ( - -# CAUTION: This remediation script will remove tftp-server -# from the system, and may remove any packages -# that depend on tftp-server. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp-server" ; then - - dnf remove -y "tftp-server" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' - -############################################################################### -# BEGIN fix (47 / 47) for 'xccdf_org.ssgproject.content_rule_package_tftp_removed' -############################################################################### -(>&2 echo "Remediating rule 47/47: 'xccdf_org.ssgproject.content_rule_package_tftp_removed'"); ( - -# CAUTION: This remediation script will remove tftp -# from the system, and may remove any packages -# that depend on tftp. Execute this -# remediation AFTER testing on a non-production -# system! - -if rpm -q --quiet "tftp" ; then - - dnf remove -y "tftp" - -fi - -) # END fix for 'xccdf_org.ssgproject.content_rule_package_tftp_removed' diff --git a/tunables.conf b/tunables.conf new file mode 100644 index 0000000..fa8a72b --- /dev/null +++ b/tunables.conf 
@@ -0,0 +1,115 @@
+fs.file-max = 65535
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.kptr_restrict = 2
+kernel.maps_protect = 1
+kernel.msgmax = 65535
+kernel.msgmnb = 65535
+kernel.pid_max = 65535
+kernel.randomize_va_space = 2
+kernel.shmall = 268435456
+kernel.shmmax = 268435456
+kernel.sysrq = 0
+net.core.default_qdisc = fq
+net.core.dev_weight = 64
+net.core.netdev_max_backlog = 16384
+net.core.optmem_max = 65535
+net.core.rmem_default = 262144
+net.core.rmem_max = 16777216
+net.core.somaxconn = 32768
+net.core.wmem_default = 262144
+net.core.wmem_max = 16777216
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.forwarding = 0
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.lo.accept_redirects = 0
+net.ipv4.conf.lo.accept_source_route = 0
+net.ipv4.conf.lo.log_martians = 0
+net.ipv4.conf.lo.rp_filter = 1
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.ip_forward = 0
+net.ipv4.ip_local_port_range = 2000 65000
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv4.neigh.default.gc_interval = 30
+net.ipv4.neigh.default.gc_thresh1 = 32
+net.ipv4.neigh.default.gc_thresh2 = 1024
+net.ipv4.neigh.default.gc_thresh3 = 2048
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+net.ipv4.route.flush = 1
+net.ipv4.tcp_congestion_control = htcp
+net.ipv4.tcp_ecn = 1
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_fin_timeout = 15
+net.ipv4.tcp_keepalive_intvl = 15
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_time = 1800
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_moderate_rcvbuf = 1
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_orphan_retries = 0
+net.ipv4.tcp_reordering = 3
+net.ipv4.tcp_retries1 = 3
+net.ipv4.tcp_retries2 = 15
+net.ipv4.tcp_rfc1337 = 1
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.tcp_sack = 0
+net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.tcp_syn_retries = 5
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+net.ipv4.tcp_tw_recycle = 0
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_window_scaling = 0
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_rmem_min = 16384
+net.ipv4.udp_wmem_min = 16384
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.all.autoconf = 0
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.forwarding = 0
+net.ipv6.conf.default.max_addresses = 1
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.ip6frag_high_thresh = 262144
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv6.route.flush = 1
+net.unix.max_dgram_qlen = 50
+vm.dirty_background_ratio = 5
+vm.dirty_ratio = 30
+vm.min_free_kbytes = 65535
+vm.mmap_min_addr = 4096
+vm.overcommit_memory = 0
+vm.overcommit_ratio = 50
+vm.swappiness = 30
\ No newline at end of file
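Review bot: `vm.mmap_min_addr = 4096` near the end of the new file lowers the floor below what RHEL-family kernels ship with (65536), which weakens the kernel's protection against NULL-pointer-dereference exploitation; unless something on this image needs mappings that low, set `vm.mmap_min_addr = 65536` or drop the line so the distro default applies. `kernel.maps_protect = 1` and `net.ipv4.tcp_tw_recycle = 0` refer to tunables removed from the kernel long ago (2.6.27 and 4.12 respectively), so on a current kernel sysctl will log an error for each at boot and the file will read as partially applied; remove both lines. `net.ipv4.tcp_window_scaling = 0` caps every TCP window at 64 KiB, which makes the 16 MiB `net.core.rmem_max`/`wmem_max` and `tcp_rmem`/`tcp_wmem` ceilings unreachable and brings no hardening benefit, so it should probably be `net.ipv4.tcp_window_scaling = 1`. `net.ipv4.tcp_congestion_control = htcp` only takes effect if the `tcp_htcp` module can be loaded when sysctl runs, which this diff does not show. Minor: the two `accept_ra=0` lines lack the ` = ` spacing used everywhere else in the file.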