CentOS Linux 7 VM Baseline Hardening
A collection of scripts that will help to harden operating system baseline configuration supported by Cloudneeti as defined in CIS CentOS Linux 7 benchmark v2.2.0. This remediates policies, compliance status can be validated for below policies listed here.
Note: The scripts are designed to harden the operating system baseline configurations, Please test it on the test/staging system before applying to the production system.
| Configuration script | Number of policies remediated | Cloud Account Type |
|---|---|---|
| CentOS Linux 7 VM baseline policies for Cloud Security Best Practices | 26 | Azure |
| CentOS Linux 7 VM baseline policies for CIS Benchmark CentOS Linux 7 Version 2.2.0 | 151 | Azure |
Prerequisites
The below steps are required for executing script to harden operating system baseline configuration
| Activity | Description |
|---|---|
| 1. Download and review Bash script to harden operating system baseline configuration | The PowerShell script is used to harden operating system baseline configuration: Azure - CentOS Linux 7 VM baseline policies for CSBP Azure - CentOS Linux 7 VM baseline policies for CIS Benchmark CentOS Linux 7 Version 2.2.0 |
Execute OS Baseline Hardening script
CentOS Linux 7 VM baseline policies for Cloud Security Best Practices
Below steps are performed on Virtual Machine, as a root user
-
Open bash and switch user to root
sudo su -
Download script
wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/CentOS7/Azure_CSBP_CentOS_Linux7_Remediation.sh -O Azure_CSBP_CentOS_Linux7_Remediation.sh -
Execute the script as a root user
bash Azure_CSBP_CentOS_Linux7_Remediation.sh
-
Script will update baseline configuration to harden operating system.
-
Scan related Cloud Account in Cloudneeti or wait for scheduled scan
-
Verify policy results in CSBP Benchmark on Cloudneeti portal
CentOS Linux 7 VM baseline policies for CIS Benchmark CentOS Linux 7 Version 2.2.0
Below steps are performed on Virtual Machine as a root user
-
Open bash and switch user to root
sudo su -
Download script
wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/CentOS7/CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh -O CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh -
Execute the script as a root user
bash CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh
-
Script will update baseline configuration to harden operating system for 121 policies.
Remediation policy list
CSBP CentOS Linux 7 Version 2.2.0
| Category Name | Policy Name |
|---|---|
| CentOS 7 - Network Configuration | CentOS 7 - Ensure wireless interfaces are disabled |
| CentOS 7 - Network Configuration | CentOS 7 - Ensure IP forwarding is disabled |
| CentOS 7 - Network Configuration | CentOS 7 - Ensure broadcast ICMP requests are ignored |
| CentOS 7 - Network Configuration | CentOS 7 - Ensure bogus ICMP responses are ignored |
| CentOS 7 - Network Configuration | CentOS 7 - Ensure Reverse Path Filtering is enabled |
| CentOS 7 - Network Configuration | CentOS 7 - Ensure TCP SYN Cookies is enabled |
| CentOS 7 - Logging and Auditing | CentOS 7 - Ensure logrotate is configured |
| CentOS 7 - Logging and Auditing | CentOS 7 - Ensure rsyslog Service is enabled |
| CentOS 7 - Logging and Auditing | CentOS 7 - Ensure rsyslog or syslog-ng is installed |
| CentOS 7 - Initial Setup | CentOS 7 - Ensure nodev option set on removable media partitions |
| CentOS 7 - Initial Setup | CentOS 7 - Ensure nosuid option set on removable media partitions |
| CentOS 7 - Initial Setup | CentOS 7 - Ensure noexec option set on removable media partitions |
| CentOS 7 - Initial Setup | CentOS 7 - Ensure XD/NX support is enabled |
| CentOS 7 - Initial Setup | CentOS 7 - Ensure address space layout randomization (ASLR) is enabled |
| CentOS 7 - Services | CentOS 7 - Ensure rsh server is not enabled |
| CentOS 7 - Services | CentOS 7 - Ensure telnet server is not enabled |
| CentOS 7 - Services | CentOS 7 - Ensure Avahi Server is not enabled |
| CentOS 7 - Services | CentOS 7 - Ensure CUPS is not enabled |
| CentOS 7 - Services | CentOS 7 - Ensure DHCP Server is not enabled |
| CentOS 7 - Services | CentOS 7 - Ensure rsh client is not installed |
| CentOS 7 - Services | CentOS 7 - Ensure telnet client is not installed |
| CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure cron daemon is enabled |
| CentOS 7 - Access, Authentication and Authorization | CentOS 7 - Ensure SSH PermitUserEnvironment is disabled |
| CentOS 7 - System Maintenance | CentOS 7 - Ensure permissions on /etc/passwd are configured |
| CentOS 7 - System Maintenance | CentOS 7 - Ensure permissions on /etc/group are configured |
| CentOS 7 - System Maintenance | CentOS 7 - Ensure root is the only UID 0 account |