{"id":26786172,"url":"https://github.com/derekahn/centos-hardening","last_synced_at":"2025-04-19T18:24:09.039Z","repository":{"id":77593161,"uuid":"172962116","full_name":"derekahn/centos-hardening","owner":"derekahn","description":"Walkthrough in hardening centos","archived":false,"fork":false,"pushed_at":"2019-03-18T22:48:56.000Z","size":18,"stargazers_count":7,"open_issues_count":0,"forks_count":8,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-03-29T11:36:00.938Z","etag":null,"topics":["centos7","cis-benchmark","devops","hardening-steps","linux","security"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/derekahn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-27T17:46:36.000Z","updated_at":"2023-07-04T17:00:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"381a6e63-5c71-4940-8329-0bb07a3c23ab","html_url":"https://github.com/derekahn/centos-hardening","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/derekahn%2Fcentos-hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/derekahn%2Fcentos-hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/derekahn%2Fcentos-hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/derekahn%2Fcentos-hardening/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/owners/derekahn","download_url":"https://codeload.github.com/derekahn/centos-hardening/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249762281,"owners_count":21321905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["centos7","cis-benchmark","devops","hardening-steps","linux","security"],"created_at":"2025-03-29T11:35:54.197Z","updated_at":"2025-04-19T18:24:09.031Z","avatar_url":"https://github.com/derekahn.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CentOS Hardening\n\nWalkthrough in hardening CentOS 7. Unit, package and file names below are the CentOS 7 ones.\n\n### First and foremost add and configure vim:\n\n```bash\n$ sudo yum update\n$ sudo yum -y install vim-enhanced\n```\n\n### Set vimrc for all users\n\n```bash\n$ sudo vi /etc/vimrc\n```\n\n```vim\n\" Map leader to space\nlet mapleader = \"\\\u003cSpace\u003e\"\nlet g:mapleader = \"\\\u003cSpace\u003e\"\n\ncolo torte\nsyntax enable\n\nset autoindent\nset smartindent\nset backspace=eol,start,indent\n\nset expandtab\nset tabstop=2\nset shiftwidth=2\nset ruler\nset ignorecase\nset smartcase\n\n\" Exit insert mode with `jj`\ninoremap jj \u003cESC\u003e\n\n\" Map movement to homerow\nmap H ^\nmap L $\n\n\" Show current line number\nset number\n\n\" Show relative line numbers\nset relativenumber\n\n\" highlights parentheses\nset showmatch\n\n\" highlights matched words\n\" if not, specify [ set nohlsearch ]\nset hlsearch\n\n\" change colors for comments if it's set [ syntax on ]\nhighlight Comment ctermfg=LightCyan\n\n\" Visualize break ( $ ) or tab ( ^I )\nset list\n\n\" wrap lines\n\" if not, specify [ set nowrap ]\nset wrap\n```\n\n
## Protect that bootloader\n\nProtection through authentication: without a GRUB password anyone at the console can edit a boot entry (for example append `init=/bin/bash` to the kernel line) and come up as root.\n\n```bash\n# Switch to root user\n$ sudo su\n\n# Set a password you won't forget\n$ grub2-setpassword\nEnter password:\nConfirm password:\n\n# The hash is written to /boot/grub2/user.cfg. On CentOS 7 the default entry\n# still boots without it (menu entries are --unrestricted), but editing an\n# entry or dropping to the GRUB shell now requires the password. Verify:\n$ grep -c '^GRUB2_PASSWORD=grub.pbkdf2.sha512' /boot/grub2/user.cfg\n1\n```\n\n### Software maintenance\n\n```bash\n# switch to root\n$ sudo su\n\n# C2S/CIS: CCE-26989-4 (High)\n# gpgcheck is a yum.conf setting, not a shell variable: it belongs in the\n# [main] section of /etc/yum.conf and in every /etc/yum.repos.d/*.repo.\n# Every line this prints must read gpgcheck=1:\n$ grep -H '^gpgcheck' /etc/yum.conf /etc/yum.repos.d/*.repo\n\n# list pending updates, then apply them\n$ yum check-update\n$ yum update\n\n# or only those carrying a security advisory (needs repos that publish\n# updateinfo; the stock CentOS mirrors do not, RHEL and EPEL do)\n$ yum --security update\n\n$ yum -y install cronie\n$ yum -y install psacct\n\n# an always-on server does not need anacron; cronie-noanacron keeps the\n# /etc/cron.{daily,weekly,monthly} jobs running from crond\n$ yum -y install cronie-noanacron\n$ yum remove cronie-anacron\n```\n\n
### Turn off daemons 👿\n\n`systemctl disable` only affects the next boot, so stop each unit as well and check that nothing is left listening.\n\n```bash\n# C2S/CIS: CCE-80230-6 (Medium)\n# From C2S/CIS: All of these daemons (nfslock, rpcgssd, and rpcidmapd)\n# run with elevated privileges, and many listen for network connections.\n# rpcbind is socket-activated on CentOS 7, so disable the socket too\n$ systemctl disable rpcbind.service rpcbind.socket\n$ systemctl stop rpcbind.service rpcbind.socket\n\n# C2S/CIS: CCE-80237-1 (Unknown)\n# From C2S/CIS: Unnecessary services should be disabled to decrease the attack surface of the system.\n$ systemctl disable nfs-server.service\n$ systemctl stop nfs-server.service\n\n# Disable Secure RPC Server Service (rpcsvcgssd on CentOS 6)\n$ systemctl disable rpc-svcgssd.service\n\n# Disable NFS ID mapping Service (rpcidmapd on CentOS 6)\n$ systemctl disable nfs-idmapd.service\n\n# Disable NFS file locking (nfslock on CentOS 6)\n$ systemctl disable nfs-lock.service\n\n# Kdump captures kernel crash dumps; they contain kernel memory and a hardened\n# production host rarely needs them\n$ systemctl disable kdump.service\n$ systemctl stop kdump.service\n\n# irqbalance only spreads interrupts across CPUs; it is not attack surface, leave it enabled\n\n# Verify: nothing left listening on portmapper (111) or NFS (2049)\n$ ss -ltnu | grep -E ':(111|2049) '\n\n# Keep process accounting (installed above) and cron running\n$ systemctl enable psacct\n$ systemctl start psacct\n$ systemctl enable crond\n```\n\n
### Turn on some daemons 😈\n\n[chrony](https://chrony.tuxfamily.org/comparison.html):\n\n\u003e chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronise the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.\n\n\u003e It is designed to perform well in a wide range of conditions, including intermittent network connections, heavily congested networks, changing temperatures (ordinary computer clocks are sensitive to temperature), and systems that do not run continuously, or run on a virtual machine.\n\n\u003e Typical accuracy between two machines synchronised over the Internet is within a few milliseconds; on a LAN, accuracy is typically in tens of microseconds. With hardware timestamping, or a hardware reference clock, sub-microsecond accuracy may be possible.\n\n\u003e Two programs are included in chrony, chronyd is a daemon that can be started at boot time and chronyc is a command-line interface program which can be used to monitor chronyd’s performance and to change various operating parameters whilst it is running.\n\n```bash\n# C2S/CIS: CCE-27323-5 (Medium)\n# From C2S/CIS: Due to its usage for maintenance and\n# security-supporting tasks, enabling the cron daemon is essential.\n$ systemctl enable crond.service\n$ systemctl start crond.service\n\n# C2S/CIS: CCE-27361-5 (Medium)\n# From C2S/CIS: Access control methods provide the ability to enhance system security\n# posture by restricting services and known good IP addresses and address ranges.\n$ yum install tcp_wrappers\n\n# C2S/CIS: CCE-27444-9 (Medium)\n# From C2S/CIS: Synchronizing time is essential for authentication services such as Kerberos,\n# but it is also important for maintaining accurate logs and auditing possible security breaches.\n$ yum -y install chrony\n$ systemctl enable chronyd\n$ systemctl start chronyd\n\n# Verify it is actually synchronised (Leap status should read Normal)\n$ chronyc tracking\n```\n\n
## Accounts and Access\n\n### Set sensible umask values\n\nA misconfigured `umask` value could result in files with excessive permissions that can be read or written to by unauthorized users. `umask 027` gives new files mode 640 and new directories 750: the group can read, everyone else gets nothing.\n\nC2S/CIS: CCE-80202-5 (unknown); C2S/CIS: CCE-80204-1 (unknown)\n\n```bash\n# switch to root\n$ sudo su\n\n# login shells read /etc/profile\n$ vim /etc/profile\n\n# append this to bottom of file:\numask 027\n\n# re-read the file you just edited (!$ is the last argument of the previous command)\n$ source !$\n\n# interactive non-login shells read /etc/bashrc\n$ vim /etc/bashrc\n\n# append this to bottom of file:\numask 027\n\n$ source !$\n\n# verify in a fresh login shell\n$ bash -lc umask\n0027\n```\n\n## Login Banner\n\nC2S/CIS: CCE-27303-7 (Medium)\n\nThe console login banner is `/etc/issue`; `/etc/motd` is shown only after a successful login. For SSH, copy it to `/etc/issue.net` and point `Banner` at that file in `sshd_config` (done in the OpenSSH section below).\n\n```bash\n$ sudo su\n$ vim /etc/issue\n$ cp /etc/issue /etc/issue.net\n$ cp /etc/issue /etc/motd\n```\n\nCOPY 🍝\n\n```shell\n########################################################################################################################\n#                                UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED                                      #\n#                  You must have explicit, authorized permission to access or configure this device.                   #\n#   Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.      #\n#                        All activities performed on this device are logged and monitored.                             #\n#                            Disconnect IMMEDIATELY if you are not an authorized user!                                 #\n########################################################################################################################\n```\n\n
### Set password expiration\n\nC2S/CIS: CCE-26486-1 (unknown); C2S/CIS: CCE-27002-5 (Medium); C2S/CIS: CCE-27051-2 (Medium)\n\n```bash\n# switch to root user\n$ sudo su\n\n# edit file\n$ vim /etc/login.defs\n\n# Set below:\nPASS_WARN_AGE 7\nPASS_MIN_DAYS 7\nPASS_MAX_DAYS 90\n\n# login.defs only applies to accounts created from now on; bring each existing\n# user into line and verify\n$ chage --maxdays 90 --mindays 7 --warndays 7 \u003cuser\u003e\n$ chage -l \u003cuser\u003e\n```\n\n### Set account expiration\n\nC2S/CIS: CCE-27355-7 (Medium)\n\n```bash\n$ sudo su\n\n$ vim /etc/default/useradd\n\n# Set below (disable an account 30 days after its password expires):\nINACTIVE=30\n\n# the same without an editor, plus the check\n$ useradd -D -f 30\n$ useradd -D | grep INACTIVE\nINACTIVE=30\n```\n\n### Restrict root\n\nC2S/CIS: CCE-27175-9 (High)\n\nVerify only root has UID 0\n\n```bash\n# Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.\n# List every account other than root whose UID is 0 (no output = compliant):\n$ awk -F: '$3 == 0 \u0026\u0026 $1 != \"root\" { print $1 }' /etc/passwd\n\n# Lock each one listed. Do not pipe the list into `passwd -l root`: that locks\n# the real root account and leaves the extra UID 0 accounts untouched.\n$ awk -F: '$3 == 0 \u0026\u0026 $1 != \"root\" { print $1 }' /etc/passwd | xargs -r -n1 passwd -l\n```\n\n### Protect direct root logins\n\nC2S/CIS: CCE-27294-8 (Medium)\n\nDisabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts.\n\n```bash\n$ sudo su\n\n# An empty /etc/securetty means root cannot log in on any console or tty;\n# make sure an admin account with working sudo exists first, or the box can\n# only be recovered from rescue media.\n$ echo \u003e /etc/securetty\n```\n\n### Verify that all world-writable directories have sticky bits set\n\nC2S/CIS: CCE-80130-8 (Unknown)\n\nFailing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.\n\n```bash\n# To verify no world writable directories exist without the sticky bit set (no output = compliant):\n$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2\u003e/dev/null\n\n# fix any directory it prints\n$ chmod +t \u003cdir\u003e\n```\n\n### Disable core dumps\n\nC2S/CIS: CCE-26900-1 (Unknown); C2S/CIS: CCE-80169-6 (Unknown)\n\nThe core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.\n\nYou can restrict access to core dumps to certain users or groups, as described in the limits.conf(5) manual page.\n\n```bash\n$ sudo su\n\n# kernel side: never dump set-uid processes, whose memory can hold credentials\n$ echo 'fs.suid_dumpable = 0' \u003e /etc/sysctl.d/hardening.conf\n$ sysctl -p /etc/sysctl.d/hardening.conf\n\n# user side: a hard limit of 0 that no user can raise\n$ vim /etc/security/limits.conf\n\n*     hard   core    0\n\n# verify from a fresh login\n$ ulimit -Hc\n0\n```\n\n
## OpenSSH\n\n```bash\n$ sudo su\n\n$ vim /etc/ssh/sshd_config\n```\n\nsshd uses the first value it meets for a keyword, so edit the existing line for each keyword (or place these above it) and keep them above any `Match` block.\n\n```conf\n# C2S/CIS: CCE-27471-2 (High)\n# Explicitly disallow SSH login from accounts with empty passwords\nPermitEmptyPasswords no\n\n# C2S/CIS: CCE-27082-7 (Medium)\n# Sets the number of client alive messages; with 0 the session is dropped at\n# the first idle interval on OpenSSH 7.4 (CentOS 7). OpenSSH 8.2+ treats 0 as\n# never disconnect, so use a positive count there.\nClientAliveCountMax 0\n\n# C2S/CIS: CCE-27433-2 (Medium)\n# Set short time period (seconds of idle time before the check fires)\nClientAliveInterval 300\n\n# C2S/CIS: CCE-27363-1 (Medium)\n# Override environment options\nPermitUserEnvironment no\n\n# C2S/CIS: CCE-27320-1 (High)\n# Set correct protocol version (OpenSSH 7.4 only speaks v2; the line is accepted but redundant)\nProtocol 2\n\n# C2S/CIS: CCE-27377-1 (Medium)\n# Support for .rhosts\nIgnoreRhosts yes\n\n# C2S/CIS: CCE-80645-5 (Medium)\n# Set specific log level\nLogLevel INFO\n\n# C2S/CIS: CCE-27295-5 (High)\n# Set algorithms which are FIPS-approved: AES in CTR mode only, no arcfour,\n# blowfish or CBC ciphers\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\n# C2S/CIS: CCE-27413-4 (Medium)\n# Disable host-based authentication\nHostbasedAuthentication no\n\n# C2S/CIS: No-CCE (Medium)\n# Set authentication attempt limit\nMaxAuthTries 4\n\n# C2S/CIS: CCE-27445-6 (Medium)\n# Disable root login via SSH\nPermitRootLogin no\n\n# Show the login banner (see Login Banner above) before authentication\nBanner /etc/issue.net\n```\n\n```bash\n# syntax-check, confirm the effective values sshd will actually use, then apply\n$ sshd -t\n$ sshd -T | grep -Ei '^(permitrootlogin|maxauthtries|ciphers|clientalive)'\n$ systemctl reload sshd\n```\n\n
## Network Stack\n\nHardens the network layer\n\n```bash\n$ sudo su\n\n$ vim /etc/sysctl.d/network-stack.conf\n```\n\nCOPY 🍝:\n\n```conf\n# ICMP redirects and router advertisements let a neighbour rewrite this host's routes\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\n\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv6.conf.all.accept_ra = 0\n\n# drop this line if the host needs IPv6; the settings above still apply\nnet.ipv6.conf.all.disable_ipv6 = 1\n\n# source-routed packets let the sender dictate the path replies take\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_source_route = 0\n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\n\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\n\n# strict reverse-path filtering: drop packets whose source is not routable via the receiving interface\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.rp_filter = 1\n\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\n\n# log packets with impossible source addresses\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.log_martians = 1\n\n# do not answer broadcast pings (smurf amplification)\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\n# this host is not a router (container hosts need ip_forward = 1)\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\n```\n\n```bash\n# load this file (plain `sysctl -p` reads only /etc/sysctl.conf) and verify\n$ sysctl -p /etc/sysctl.d/network-stack.conf\n$ sysctl net.ipv4.ip_forward net.ipv4.conf.all.accept_redirects\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_redirects = 0\n```\n\n### Disable Zeroconf Networking\n\nZeroconf networking typically kicks in when an interface fails to get an address via DHCP: it is assigned a link-local 169.254.0.0/16 address and a route for that range.\n\n```bash\n# read by the legacy network service and its ifup scripts; it has no effect on\n# interfaces managed by NetworkManager\n$ echo \"NOZEROCONF=yes\" \u003e\u003e /etc/sysconfig/network\n```\n\n### Deny All TCP Wrappers\n\nTCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap.\n\nBelow commands block all but SSH (hosts.allow is consulted first, so the sshd rule wins over the catch-all deny):\n\n```bash\n$ sudo su\n$ echo \"ALL:ALL\" \u003e\u003e /etc/hosts.deny\n$ echo \"sshd:ALL\" \u003e\u003e /etc/hosts.allow\n\n# better: limit sshd to your management network, e.g. sshd: 10.0.0.0/255.0.0.0,\n# then check how a given client would be treated\n$ tcpdmatch sshd 10.0.0.5\n```\n\n## Kernel modules\n\n### Prevent kernel modules being loaded\n\nAlthough security vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Protocols nothing on the host uses (DCCP, SCTP) should not be loadable at all.\n\n```bash\n# Switch to root user\n$ sudo su\n\n# Create \u0026 edit modules.conf\n$ vim /etc/modprobe.d/modules.conf\n```\n\nCOPY 🍝:\n\n```conf\ninstall dccp /bin/true\ninstall sctp /bin/true\n```\n\n```bash\n# verify: modprobe now runs /bin/true instead of loading, and nothing is loaded already\n$ modprobe -n -v dccp\ninstall /bin/true\n$ lsmod | grep -E '^(dccp|sctp)'\n```\n\n## Automatic OS update installation\n\n```bash\n$ yum -y install yum-cron\n\n# yum-cron only downloads by default; set apply_updates = yes in\n# /etc/yum/yum-cron.conf to have it install what it downloads\n$ vim /etc/yum/yum-cron.conf\n\n$ systemctl enable yum-cron\n$ systemctl start yum-cron\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fderekahn%2Fcentos-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fderekahn%2Fcentos-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fderekahn%2Fcentos-hardening/lists"}
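Added example for the README's "Restrict root" and "Verify that all world-writable directories have sticky bits set" steps (not code from derekahn/centos-hardening): the UID 0 check done so that it can never lock the real root account, and the sticky-bit search, both run against constructed sample data (a fake passwd file and a temporary directory tree the script creates) so nothing on the host is read or changed. `DRY_RUN`, `extra_uid0_accounts`, `lock_extra_uid0` and `ww_dirs_without_sticky` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the repo): file-based checks for the "Restrict root"
# and sticky-bit items, run against constructed sample data. DRY_RUN=1 (the
# default here) makes the remediation steps print commands instead of running them.
: "${DRY_RUN:=1}"

# Constructed /etc/passwd: "toor" is a second UID 0 account.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
derek:x:1000:1000::/home/derek:/bin/bash
EOF

# Constructed directory tree: one world-writable dir with the sticky bit (fine,
# like /tmp), one without it (violation), one that is not world-writable at all.
SAMPLE_ROOT=$(mktemp -d)
mkdir "$SAMPLE_ROOT/tmp_ok" "$SAMPLE_ROOT/shared_bad" "$SAMPLE_ROOT/private"
chmod 1777 "$SAMPLE_ROOT/tmp_ok"
chmod 0777 "$SAMPLE_ROOT/shared_bad"
chmod 0750 "$SAMPLE_ROOT/private"
trap 'rm -rf "$SAMPLE_PASSWD" "$SAMPLE_ROOT"' EXIT

# extra_uid0_accounts [PASSWD]: print every account other than root whose UID
# (field 3) is 0. Returns 0 when there are none, 1 otherwise, so it can gate
# the lock step instead of being piped blindly into `passwd -l root`.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1; n++ } END { exit (n ? 1 : 0) }' "${1:-/etc/passwd}"
}

# lock_extra_uid0 [PASSWD]: lock (not delete) each extra UID 0 account, echoing
# the command so the change is recorded in the session log.
lock_extra_uid0() {
  extra_uid0_accounts "${1:-/etc/passwd}" | while IFS= read -r acct; do
    echo "passwd -l $acct"
    [ "$DRY_RUN" = 1 ] || passwd -l "$acct"
  done
}

# ww_dirs_without_sticky ROOT: world-writable directories under ROOT lacking
# the sticky bit, i.e. directories where any user can delete anyone's files.
# Same find expression as the README's check, applied to one tree; on a live
# host feed it each local mount point from `df --local -P` as the README does.
ww_dirs_without_sticky() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

echo "== extra UID 0 accounts =="
lock_extra_uid0 "$SAMPLE_PASSWD"
echo "== world-writable dirs without sticky bit =="
ww_dirs_without_sticky "$SAMPLE_ROOT" | while IFS= read -r d; do
  echo "chmod +t $d"
  [ "$DRY_RUN" = 1 ] || chmod +t "$d"
done
```

Run with `DRY_RUN=0` against the default `/etc/passwd` and real mount points only after reading the listing once; locking is reversible with `passwd -u`, deleting an account is not.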
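Added example for the README's OpenSSH section (not code from the repository): an offline audit of an `sshd_config` that applies sshd's first-match rule, run against two constructed sample configs the script writes to temp files. The function names `sshd_effective` and `audit_sshd` are this example's own; the expected values are the ones listed in that section.

```shell
#!/bin/sh
# Added example (not from the repo): audit an sshd_config the way sshd reads
# it. sshd keeps the FIRST value it meets for a keyword, so a hardening line
# appended at the bottom loses to an earlier default. Two constructed sample
# configs are written to temp files so this runs offline.

WEAK_CFG=$(mktemp) HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample: a stock-looking config with hardening lines appended
# underneath, as a careless "echo >> sshd_config" would leave it.
cat > "$WEAK_CFG" <<'EOF'
Protocol 2
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 6
ClientAliveInterval 0
# appended later; sshd ignores a second occurrence of a keyword
PermitRootLogin no
MaxAuthTries 4
EOF

# Constructed sample: the README's OpenSSH section, each keyword set once.
cat > "$HARD_CFG" <<'EOF'
Protocol 2
LogLevel INFO
PermitEmptyPasswords no
ClientAliveCountMax 0
ClientAliveInterval 300
PermitUserEnvironment no
IgnoreRhosts yes
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
HostbasedAuthentication no
MaxAuthTries 4
PermitRootLogin no
EOF

# sshd_effective FILE KEYWORD: print the value sshd will use for KEYWORD
# (first uncommented occurrence, keyword case-insensitive). Stops at the
# first Match block, since values inside it are conditional. Returns 1 and
# prints nothing when the keyword is never set (compiled-in default applies).
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key     { print $2; found = 1; exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# audit_sshd FILE: compare FILE with the settings from the OpenSSH section.
# Prints one line per deviation and returns the number of deviations.
audit_sshd() {
  fails=0
  for pair in PermitEmptyPasswords=no ClientAliveCountMax=0 ClientAliveInterval=300 \
              PermitUserEnvironment=no IgnoreRhosts=yes LogLevel=info \
              HostbasedAuthentication=no MaxAuthTries=4 PermitRootLogin=no; do
    key=${pair%%=*} want=${pair#*=}
    got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
    [ -n "$got" ] || got='(unset: compiled default)'
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: effective '$got', want '$want'"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

echo "== weak config =="
audit_sshd "$WEAK_CFG" || echo "$? deviation(s)"
echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "compliant"
```

On a real host, `sshd -T` prints the fully resolved configuration, including the effect of `Match` blocks that this audit only stops at, so compare against that output as well as the file.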