-f 1 #22
Comments
Great, I'll try to update those items and in the ones I maintained on Red Hat Gov...
You might want to check the settings in the supplemental.sh script - I do a lot of the random hardening there. For example, for STIG 010270, remember=24 is set in /etc/pam.d/system-auth-local and password-auth-local... For STIG 020100 usb-storage is blocked on line 618.... Autologout (STIG 040160) is done on lines 396-413...
Interesting. How do I include supplemental.sh in the iso build, or is this something I need to run post install?
It's already part of the build; it's called by the main kickstart in https://github.com/fcaviggia/hardened-centos7-kickstart/blob/master/config/hardening/hardened-centos.cfg on line 164.
I wiped my VM, did a fresh install and re-evaluated those findings above. They are still there. It is almost as if the supplemental.sh isn't getting called. I'm going to rebuild the hardened iso, do another re-install and report back here. Maybe I'm doing something wrong, but I don't know what it could be.
I'll try and check it out this weekend - I'm a bit swamped this week with stuff.
In supplemental.sh I see the line that states which means that all those 3 files should have the same contents. Well, on a freshly spun up system the files /etc/pam.d/system-auth-local and /etc/pam.d/system-auth-ac are not the same file size and returned different md5sums. It is as though this cp command does not execute properly.
Hmm. Wonder if the following would fix it?
I see the new cat commands in the supplemental.sh. But the two files are still not identical. Does something else maybe modify the files after the supplemental.sh? Autologout (STIG 040160) is 600 min not 900. I plan to get this newly built system scanned in the next few days so I will get back with the results.
Love this project! I performed this install on a test VM and then ran nessus against it and a few items were found.
STIG 030010
shut down the system if it fails to audit log
grep "f 1" /etc/audit/rules.d/audit.rules || echo '-f 1' >> /etc/audit/rules.d/audit.rules
STIG 010270
remember=5 not in /etc/pam.d/system-auth-ac
STIG 040510
firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
STIG 020100
this is a finding, but usb storage is disabled in another way
echo blacklist usb-storage >> /etc/modprobe.d/blacklist.conf
STIG 040680
postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
STIG 040160
sed -i "s|TMOUT=900|TMOUT=600|g" /etc/profile.d/autologout.sh
That is all I've found so far. There was some smartcard stuff and some other random things that I don't think can be addressed in this project. Overall I'm impressed and I plan to utilize this project on future builds.
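The findings above can be re-verified after a rebuild without waiting for another scanner run. The script below is an added example, not part of the kickstart project or this post: it turns four of the listed STIG items into read-only checks over an /etc-like directory, and builds a constructed sample tree (file names and contents are assumptions) that mirrors the state the post reports, so it runs stand-alone.

```shell
# Added example, not part of the project: read-only post-install checks for the
# findings listed in this issue. Each check takes a path so it can run against a
# constructed sample tree here or against /etc on a real host.

# STIG 030010: auditd must halt the system when it cannot log ("-f 1" in audit.rules).
check_audit_failure_mode() {            # $1 = path to audit.rules
    grep -Eq '^[[:space:]]*-f[[:space:]]+1([[:space:]]|$)' "$1"
}

# STIG 010270: pam_pwhistory must remember at least 5 previous passwords.
check_pw_remember() {                   # $1 = pam file, e.g. /etc/pam.d/system-auth-ac
    n=$(sed -n 's/^password.*pam_pwhistory\.so.*remember=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$n" ] && [ "$n" -ge 5 ]
}

# STIG 020100: the usb-storage module must be blacklisted in modprobe.d.
check_usb_storage_blacklisted() {       # $1 = modprobe.d directory
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+usb-storage([[:space:]]|$)' "$1"/*.conf
}

# STIG 040160: shell auto-logout (TMOUT) must be 600 seconds or less.
check_tmout() {                         # $1 = profile.d script, e.g. autologout.sh
    t=$(sed -n 's/^[[:space:]]*\(export \)\{0,1\}TMOUT=\([0-9][0-9]*\).*/\2/p' "$1" | head -n 1)
    [ -n "$t" ] && [ "$t" -le 600 ]
}

# Run every check under a directory laid out like /etc; prints PASS/FAIL per
# check and returns the number of failures (0 when all pass).
run_checks() {                          # $1 = root directory to inspect
    fails=0
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
    report check_audit_failure_mode      "$1/audit/rules.d/audit.rules"
    report check_pw_remember             "$1/pam.d/system-auth-ac"
    report check_usb_storage_blacklisted "$1/modprobe.d"
    report check_tmout                   "$1/profile.d/autologout.sh"
    return "$fails"
}

# Constructed sample tree (not from any real host) mirroring the state the
# issue reports: -f 1 present, no remember= in system-auth-ac, TMOUT still 900.
build_samples() {                       # $1 = scratch directory
    mkdir -p "$1/audit/rules.d" "$1/pam.d" "$1/modprobe.d" "$1/profile.d"
    printf '%s\n' '-D' '-b 8192' '-f 1' > "$1/audit/rules.d/audit.rules"
    printf '%s\n' 'password    requisite     pam_pwhistory.so use_authtok' > "$1/pam.d/system-auth-ac"
    printf '%s\n' 'blacklist usb-storage' > "$1/modprobe.d/blacklist.conf"
    printf '%s\n' 'TMOUT=900' 'readonly TMOUT' 'export TMOUT' > "$1/profile.d/autologout.sh"
}

demo=$(mktemp -d); build_samples "$demo"      # stand-alone run on the sample tree
run_checks "$demo" || echo "$? check(s) failed"; rm -rf "$demo"
```

On a real host, source the file and call `run_checks /etc`; the sample tree reports two failures (the pam remember= value and TMOUT), matching the findings above.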