Open acygne opened 6 years ago
Great, I'll try to update those items and in the ones I maintained on Red Hat Gov...
You might want to check the settings in the supplemental.sh script - I do a lot of the random hardening there.
For example, STIG 010270 is set in /etc/pam.d/system-auth-local and password-auth-local as remember=24...
For STIG 020100 usb-storage is blocked on line 618....
Autologout (STIG 040160) is done on lines 396-413...
Interesting. How do I include supplemental.sh in the iso build, or is this something I need to run post install?
It's already part of the build it's called by the main kickstart in https://github.com/fcaviggia/hardened-centos7-kickstart/blob/master/config/hardening/hardened-centos.cfg on line 164.
I wiped my VM. And did a fresh install and re-evaluated those findings above. They are still there. It is almost as if the supplemental.sh isn't getting called. I'm going to rebuild the hardened iso, do another re-install and report back here. Maybe I'm doing something wrong, but I don't know what it could be.
I'll try and check it out this weekend - I'm a bit swamped this week with stuff.
In supplemental.sh I see the lines that state:

```
ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
cp -f /etc/pam.d/system-auth-local /etc/pam.d/system-auth-ac
```

which means that all 3 of those files should have the same contents. Well, on a freshly spun up system the files /etc/pam.d/system-auth-local and /etc/pam.d/system-auth-ac are not the same file size and returned different md5sums. It is as though this cp command does not execute properly.
Hmm. Wonder if the following would fix it?
cat /etc/pam.d/system-auth-local > /etc/pam.d/system-auth-ac
Sometimes using copy does not work, but there are other ways to work around it.
I see the new cat commands in supplemental.sh. But the two files are still not identical.

```
[root@ hardening]# ls -l /etc/pam.d/system-*
lrwxrwxrwx. 1 root root   28 Jan 13 07:07 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local
-rw-r--r--. 1 root root 1291 Jan 13 07:07 /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 1287 Jan 13 07:07 /etc/pam.d/system-auth-local
```
Does something else maybe modify the files after the supplemental.sh?
Autologout (STIG 040160) is 600 min not 900.
I plan to get this newly built system scanned in the next few days, so I will get back with the results.
Love this project! I performed this install on a test VM and then ran nessus against it and a few items were found.
STIG 030010: shut down the system if it fails to audit log: `grep "f 1" /etc/audit/rules.d/audit.rules || echo '-f 1' >> /etc/audit/rules.d/audit.rules`

STIG 010270: remember=5 not in /etc/pam.d/system-auth-ac

STIG 040510: `firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT`

STIG 020100: this is a finding, but usb storage is disabled in another way: `echo blacklist usb-storage >> /etc/modprobe.d/blacklist.conf`

STIG 040680: `postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'`

STIG 040160: `sed -i "s|TMOUT=900|TMOUT=600|g" /etc/profile.d/autologout.sh`
That is all I've found so far. There was some smartcard stuff and some other random things that I don't think can be addressed in this project. Overall I'm impressed and I plan to utilize this project on future builds.
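A read-only post-install verification script for the items raised in this thread (the pam remember= setting and the system-auth-local/system-auth-ac mismatch, the usb-storage blacklist, TMOUT, the auditd -f flag and the postfix relay restriction), added here as an example and not part of the hardened-centos7-kickstart project. Each check takes the file(s) to inspect as arguments so it can be pointed at a test copy; the default paths in audit_system are assumptions about a stock CentOS 7 layout.

```shell
#!/bin/sh
# Added example, not the project's own code: verify the STIG items discussed above
# after a fresh install, reporting PASS/FAIL per item instead of editing anything.

# STIG 010270: password history. Passes if a pam "password" line sets remember=N with N >= $2.
check_pam_remember() {
    val=$(grep -E '^password.*remember=[0-9]+' "$1" 2>/dev/null |
          sed -n 's/.*remember=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$val" ] && [ "$val" -ge "${2:-5}" ]
}

# The thread's symptom: system-auth-local and system-auth-ac should be byte-identical copies.
check_pam_files_identical() { cmp -s "$1" "$2"; }

# STIG 020100: usb-storage disabled via a blacklist line or an install override in modprobe.d.
check_usb_storage() {
    grep -Eqs '^(blacklist[[:space:]]+usb-storage|install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false))' "$@"
}

# STIG 040160: TMOUT (seconds) must be set and no greater than 600.
check_tmout() {
    val=$(sed -n 's/^[[:space:]]*\(readonly \)\{0,1\}TMOUT=\([0-9]*\).*/\2/p' "$1" 2>/dev/null | head -n 1)
    [ -n "$val" ] && [ "$val" -le 600 ]
}

# STIG 030010: auditd failure mode. The thread appends "-f 1"; "-f 2" (halt) is also accepted here.
check_audit_failure_flag() { grep -Eqs '^-f[[:space:]]+[12][[:space:]]*$' "$1"; }

# STIG 040680: postfix must only relay for local networks (read from main.cf, no postconf needed).
check_postfix_relay() {
    grep -Eqs '^smtpd_client_restrictions[[:space:]]*=[[:space:]]*permit_mynetworks,[[:space:]]*reject[[:space:]]*$' "$1"
}

# Run one check, print PASS/FAIL and bump the failure counter.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }

audit_system() {
    fails=0
    report check_pam_remember /etc/pam.d/system-auth-ac 5
    report check_pam_files_identical /etc/pam.d/system-auth-local /etc/pam.d/system-auth-ac
    report check_usb_storage /etc/modprobe.d/*.conf
    report check_tmout /etc/profile.d/autologout.sh
    report check_audit_failure_flag /etc/audit/rules.d/audit.rules
    report check_postfix_relay /etc/postfix/main.cf
    return "$fails"
}

# Invoke as: sh stig_check.sh --run   (guarded so the functions can also be sourced for testing)
if [ "${1:-}" = "--run" ]; then audit_system; fi
```

The exit status is the number of failed items, so it can gate an automated rebuild of the ISO.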