centos8_cis.cfg

# install
cdrom
text
skipx
firstboot --disable
eula --agreed
poweroff
selinux --enforcing # 1.7.1.1-1.7.1.4

# geography
keyboard --vckeymap=gb --xlayouts='gb'
lang en_GB.UTF-8
timezone Europe/London --isUtc --ntpservers=0.centos.pool.ntp.org,1.centos.pool.ntp.org,2.centos.pool.ntp.org,3.centos.pool.ntp.org

# network
network  --bootproto=static --device=enp1s0 --gateway=192.168.0.1 --ip=192.168.0.92 --netmask=255.255.255.0 --nameserver=192.168.0.1,8.8.8.8 --hostname=localhost.localdomain --noipv6 --activate

# users
auth --enableshadow --passalgo=sha512 # 5.4.4
rootpw password
user --name=simon --groups=wheel --password=password

# disk
ignoredisk --only-use=sda
bootloader --location=mbr --boot-drive=sda --append="console=tty0 console=ttyS0,115200 rd_NO_PLYMOUTH audit=1 audit_backlog_limit=8192" --password=password # 1.5.2, 4.1.1.3-4.1.1.4
clearpart --all --initlabel --drives=sda
part swap --asprimary --fstype="swap" --size=1024
part /boot --fstype xfs --size=200
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --fstype xfs --name=root --vgname=vg_root --size=5120
logvol /tmp --vgname vg_root --name tmp --size=500 --fsoptions="nodev,nosuid,noexec" # 1.1.3-1.1.5, 1.1.8-1.1.10
logvol /var --vgname vg_root --name var --size=500 # 1.1.6
logvol /var/log --vgname vg_root --name varlog --size=1024 # 1.1.11
logvol /var/log/audit --vgname vg_root --name varlogaudit --size=1024 # 1.1.12
logvol /home --vgname vg_root --name home --size=1024 --grow --fsoptions="nodev" # 1.1.13-1.1.14

# packages
%packages
@core
chrony # 2.2.1.1
-ntp
nftables # 3.4.1.1
net-tools
aide # 1.4.1
-prelink
sudo # 1.3.1
rsyslog # 4.2.1.1
-setroubleshoot # 1.7.1.6
-mcstrans # 1.7.1.7
-tftp-server
-tftp
-xinetd # 2.1.1
-xorg-x11* # 2.2.2
-avahi-daemon # 2.2.4
-cups # 2.2.16
-dhcp # 2.2.15
-openldap-clients # 2.3.3
-bind # 2.2.11
-vsftpd # 2.2.10
-httpd # 2.2.9
-dovecot # 2.2.8
-samba # 2.2.7
-squid # 2.2.6
-ypserv # 2.2.17
-ypbind # 2.3.1
-yp-tools
-rsh-server
-rsh
-talk-server
-talk
-telnet-server
-telnet # 2.3.2
-rsync # 2.2.3
-autofs # 1.1.22
-wpa_supplicant # 3.5
-b43-openfwwf
-iwl*firmware
-tcpdump
-wireshark
-nmap-ncat
-iscsi-initiator-utils*
-fxload
-lsscsi
-ivtv*
-kernel-headers
%end

# services
services --enabled=chronyd,auditd,rsyslog,crond,sshd,nftables # 3.4.3.7, 4.1.1.2, 4.2.1.2, 5.1.1
services --disabled=postfix,rhnsd,nfs,nfs-server,rpcbind,firewalld,ctrl-alt-del,slapd,iptables # 1.2.2, 2.2.5, 2.2.12-2.2.14, 2.2.18, 3.4.2.1, 3.4.2.2
firewall --disabled
%addon com_redhat_kdump --disable --reserve-mb='auto'
%end

%post
# enable trim for ssd
systemctl enable fstrim.timer

# 1.3.2-1.3.3
cat << EOF > /etc/sudoers.d/cis.conf
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
EOF

# 1.1.1.1-1.1.1.4, 1.1.18-1.1.20, 1.1.23, 3.3.1-3.3.4
cat << EOF > /etc/modprobe.d/cis.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
blacklist sr_mod
install sr_mod /bin/true
blacklist cdrom
install cdrom /bin/true
blacklist usb_storage
install usb-storage /bin/true
EOF

# 1.1.2, 1.1.7, 1.1.15-1.1.17, 1.1.23
cat << EOF >> /etc/fstab
/tmp      /var/tmp    none    bind    0 0
tmpfs   /dev/shm	tmpfs	defaults,nodev,nosuid,noexec	0 0
EOF

# 1.2.3
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

# 1.2.4
sed -i 's/gpgcheck=.*$/gpgcheck=1/' /etc/yum.conf
sed -i 's/gpgcheck=.*$/gpgcheck=1/g' /etc/yum.repos.d/*

# 1.5.1
chown root:root /boot/grub2/grub.cfg
chmod 600 /boot/grub2/grub.cfg
chmod 600 /boot/grub2/user.cfg

# 1.6.1
echo '* hard core 0' >> /etc/security/limits.conf
sed -i 's/^.*Storage=.*$/Storage=none/' /etc/systemd/coredump.conf
sed -i 's/^.*ProcessSizeMax=.*$/ProcessSizeMax=0/' /etc/systemd/coredump.conf

# 1.8.1.1-1.8.1.6
cat /dev/null > /etc/motd
cat /dev/null > /etc/issue.net
echo 'Authorized uses only. All activity may be monitored and reported.' > /etc/issue
chown root:root /etc/motd
chown root:root /etc/issue
chown root:root /etc/issue.net
chmod 644 /etc/motd
chmod 644 /etc/issue
chmod 644 /etc/issue.net

# 1.8.2
mkdir -p /etc/dconf/profile/ /etc/dconf/db/gdm.d/
cat << EOF > /etc/dconf/profile/gdm
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
EOF

cat << EOF > /etc/dconf/db/gdm.d/01-banner-message
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Authorized uses only. All activity may be monitored and reported.'
EOF

# 1.10-1.11, 5.2.20
update-crypto-policies --set FUTURE

# 2.2.1.2
sed -i 's/OPTIONS=.*$/OPTIONS="-4 -u chrony"/' /etc/sysconfig/chronyd

# 1.6.1-1.6.2, 3.1.1-3.1.2, 3.2.1-3.2.9, 3.6
cat << EOF > /etc/sysctl.d/cis.conf
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0
net.ipv6.conf.enp1s0.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.enp1s0.secure_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.tcp_timestamps = 0
kernel.sysrq = 0
fs.suid_dumpable = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_orphans = 256
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp = 0
EOF

# 3.4.3.2-3.4.3.6, 3.4.3.8
cat << EOF > /etc/sysconfig/nftables.conf
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT ct state related,established accept
add rule ip filter INPUT ct state invalid drop
add rule ip filter INPUT ct state new tcp dport 22 accept
add rule ip filter INPUT iifname "lo" accept
add table ip6 filter
add chain ip6 filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip6 filter OUTPUT { type filter hook output priority 0; policy drop; }
EOF

# 4.1.2.1-4.1.2.3
sed -i 's/^max_log_file .*$/max_log_file 1024/' /etc/audit/auditd.conf
sed -i 's/^space_left_action.*$/space_left_action email/' /etc/audit/auditd.conf
sed -i 's/^action_mail_acct.*$/action_mail_acct root/' /etc/audit/auditd.conf
sed -i 's/^admin_space_left_action.*$/admin_space_left_action halt/' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action.*$/max_log_file_action keep_logs/' /etc/audit/auditd.conf

# 4.1.3-4.1.17
cat << EOF > /etc/audit/rules.d/cis.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \ -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \ -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-e 2
EOF

# 4.2.1.3-4.2.1.4
echo '$FileCreateMode 0640' > /etc/rsyslog.d/cis.conf
chown root:root /etc/rsyslog.conf /etc/rsyslog.d/*.conf
chmod 600 /etc/rsyslog.conf /etc/rsyslog.d/*.conf

# 4.2.2.1-4.2.2.3
sed -i 's/^.*ForwardToSyslog.*$/ForwardToSyslog=yes/' /etc/systemd/journald.conf
sed -i 's/^.*Compress.*$/Compress=yes/' /etc/systemd/journald.conf
sed -i 's/^.*Storage.*$/Storage=persistent/' /etc/systemd/journald.conf

# 5.1.2-5.1.8
rm /etc/cron.deny /etc/at.deny
touch /etc/at.allow /etc/cron.allow
chown root:root /etc/*cron* /etc/at.allow
chmod 600 /etc/anacrontab /etc/crontab /etc/cron.allow /etc/at.allow
chmod 700 /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d

# 5.2.2-5.2.19
cat <<EOF > /etc/ssh/sshd_config
AddressFamily inet
ListenAddress 192.168.0.92
Protocol 2
AllowUsers simon
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
Ciphers aes256-ctr,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog yes
PermitTunnel no
UseDNS no
Banner /etc/issue
PermitUserEnvironment no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server
ClientAliveInterval 300
ClientAliveCountMax 0
EOF

mkdir -p /etc/systemd/system/sshd.service.d/
cat <<EOF > /etc/systemd/system/sshd.service.d/local.conf
[Unit]
Wants=network-online.target
After=network-online.target
EOF
systemctl daemon-reload

# 5.2.1
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config

# 5.4.1
sed -i 's/^.*minlen.*$/minlen = 14/' /etc/security/pwquality.conf
sed -i 's/^.*dcredit.*$/dcredit = -1/' /etc/security/pwquality.conf
sed -i 's/^.*ucredit.*$/ucredit = -1/' /etc/security/pwquality.conf
sed -i 's/^.*ocredit.*$/ocredit = -1/' /etc/security/pwquality.conf
sed -i 's/^.*lcredit.*$/lcredit = -1/' /etc/security/pwquality.conf

# 5.4.2-5.4.4, 5.3.1-5.3.3
authselect create-profile cis -b sssd --symlink-meta
cat <<EOF > /etc/authselect/custom/cis/system-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent deny=3 audit unlock_time=900 {include if "with-faillock"}
auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_faillock.so authfail deny=3 unlock_time=900       {include if "with-faillock"}
auth        required                                     pam_deny.so
account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
password    required                                     pam_pwhistory.so remember=5 use_authtok retry=3
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
EOF

cat <<EOF > /etc/authselect/custom/cis/password-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
auth        required                                     pam_faillock.so preauth silent audit deny=3 unlock_time=900 {include if "with-faillock"}
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_faillock.so authfail deny=3 unlock_time=900       {include if "with-faillock"}
auth        required                                     pam_deny.so
account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
password    required                                     pam_pwhistory.so remember=5 use_authtok retry=3
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
EOF

authselect select custom/cis -q -f with-sudo with-faillock without-nullok

# 4.1, 5.5.1.1-5.5.1.3
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' /etc/login.defs
sed -i 's/^UID_MIN.*$/UID_MIN 1000/' /etc/login.defs
echo 'LOGIN_RETRIES 3' >> /etc/login.defs

# 5.5.4
usermod -g 0 root

# 5.5.5
sed -i 's/umask.*$/umask 027/g' /etc/profile
sed -i 's/umask.*$/umask 027/g' /etc/bashrc
sed -i 's/umask.*$/umask 027/g' /etc/csh.cshrc

# 5.5.3
cat << EOF > /etc/profile.d/cis.sh
test -t 0 && mesg n
umask 027
readonly TMOUT=600
export TMOUT
export PATH=/sbin:/bin:/usr/sbin:/usr/bin
EOF

cat << EOF > /etc/profile.d/cis.csh
mesg n 2>/dev/null
umask 027
set autologout=10
set -r autologout=10
setenv PATH /sbin:/bin:/usr/sbin:/usr/bin
EOF

# 5.6
cat /dev/null > /etc/securetty
echo 'auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' >> /etc/pam.d/login

# 5.7
sed -i 's/^.*auth.*required.*pam_wheel.so.*$/auth required pam_wheel.so use_uid/' /etc/pam.d/su

# 6.1.2-6.1.9
chmod 644 /etc/passwd
chmod 644 /etc/passwd-
chmod 000 /etc/shadow
chmod 000 /etc/shadow-
chmod 000 /etc/gshadow
chmod 000 /etc/gshadow-
chmod 644 /etc/group
chmod 644 /etc/group-
chown root:root /etc/passwd
chown root:root /etc/passwd-
chown root:root /etc/shadow
chown root:root /etc/shadow-
chown root:root /etc/gshadow
chown root:root /etc/gshadow-
chown root:root /etc/group
chown root:root /etc/group-

# 6.2.3
sed -i 's/^PATH.*$/PATH=\$PATH/' /root/.bash_profile
sed -i 's/^PATH.*$/PATH=\$PATH/' /home/simon/.bash_profile
sed -i 's/^PATH.*$/PATH=\$PATH/' /etc/skel/.bash_profile

# 6.2.10-6.2.13
chmod 700 /home/simon
chown simon:simon /home/simon
rm /home/simon/.forward
rm /home/simon/.netrc
rm /home/simon/.rhosts
cat /dev/null > /etc/hosts.equiv
chmod 000 /etc/hosts.equiv
chown root:root /etc/hosts.equiv

# 1.9
yum -y update

# 1.4.2
echo "0 5 * * * /usr/sbin/aide --check" >> /var/spool/cron/root
/usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
%end