
Amazon Linux (2014.03 HVM ami-76817c1e) quickstart (64 bit)

Note: This Quickstart is fragile and may fail. It also installs unsigned RPMs fetched over plain HTTP and runs a remote install script as root, so read the comments on those steps and use it only on a disposable test instance.

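# Download OpenSCAP RPMs for Amazon Linux. (Thanks to Owen for building the RPMs)
# Note: This is experimental, no signing yet of RPMs.
# SECURITY: these packages are unsigned and fetched over plain HTTP from a third-party
# CDN, so nothing in this step authenticates them; anyone who can tamper with the
# download (on-path, or at the CDN) gets root on the instance at install time. Use this
# only on a disposable test instance, and switch to signed packages from a repo you
# trust as soon as they are available.

openscap_rpm_url="http://0e01fbc32a350ec514ac-c80f4f0ac7f2efb7e499607e5e8fd7f4.r76.cf5.rackcdn.com"
for pkg in openscap openscap-devel openscap-engine-sce openscap-engine-sce-devel \
           openscap-extra-probes openscap-python openscap-utils; do
    wget "${openscap_rpm_url}/${pkg}-1.0.3-2.amzn1.x86_64.rpm" \
        || echo "WARNING: download of ${pkg} failed; the install below will be incomplete" >&2
done

# Retrieve CentOS SCAP-Security-Guide RPM.
# This is a signed CentOS package but it is fetched over HTTP here; verify it with
# `rpm -K scap-security-guide-0.1.18-3.el6.noarch.rpm` after importing the CentOS 6
# signing key from a source you trust, rather than relying on the mirror alone.
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/scap-security-guide-0.1.18-3.el6.noarch.rpm

# Install the OpenSCAP RPMs using localinstall method.
# --nogpgcheck is unavoidable for the unsigned OpenSCAP RPMs. The package names are
# given explicitly (instead of a bare *.rpm) so the signature waiver applies only to
# these known files and not to whatever else happens to be in the working directory.
sudo yum --nogpgcheck localinstall -y \
    openscap*-1.0.3-2.amzn1.x86_64.rpm \
    scap-security-guide-0.1.18-3.el6.noarch.rpm

# Install SCAP-Security-Guide from EPEL (this is a no-op or an update if the CentOS
# RPM above already satisfied it).
sudo yum install --enablerepo=epel scap-security-guide -y

# Install Lynx
sudo yum install lynx -y

# Install govready. govready will install OpenSCAP and SCAP-Security-Content.
# SECURITY: the previous one-liner was `curl -Lk io.govready.org/install | sudo bash`.
# That form (a) has no URL scheme, so curl fetches the script over plain HTTP, (b) -k
# disables TLS certificate verification, and (c) pipes an unread remote script straight
# into a root shell. Fetch it over verified HTTPS to a file, read it, then run it.
# If the HTTPS fetch fails on certificate validation, do not fall back to -k; obtain
# the script through another channel you trust.
curl -fsSL -o govready-install.sh https://io.govready.org/install
# Review govready-install.sh before running it as root (e.g. `less govready-install.sh`).
sudo bash govready-install.sh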

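# Switch to root so scanner can run all tests properly.
# A sudo root shell replaces the previous `sudo passwd root` + `su -` pair: that pair
# created a new root password (a credential Amazon Linux images ship without and that
# nothing in this quickstart needs), whereas sudo keeps the escalation tied to the
# sudo user's own authentication and audit trail. If you genuinely need a root
# password for console recovery, set it deliberately with `sudo passwd root`.
sudo -i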

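# Create a project directory and cd into it. Everything below (GovReadyfile, scap/,
# scans/) is relative to this directory, so the cd must succeed before continuing.
mkdir myfisma && cd myfisma

# Initialize the directory
govready init

# Import Amazon cpe-dictionary.xml and cpe-oval.xml SCAP data into local scap/content directory
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-dictionary.xml
govready import https://raw.githubusercontent.com/GovReady/govready/master/templates/ssg-amzn2014.03.2hvm-cpe-oval.xml

# Update GovReadyfile using sed command (or update the CPE line manually using a text editor)
sed -i 's:^CPE.*:CPE = scap/content/ssg-amzn2014.03.2hvm-cpe-dictionary.xml:' GovReadyfile

# Update ssg-rhel6-xccdf.xml to include CPE definition for Amazon Linux.
# Note: This sed statement is fragile if ssg-rhel6-xccdf.xml format changes, and it
# edits a system-wide file in place, so keep a copy of the original outside the SCAP
# content directory (a stray file inside it might be picked up as content) and check
# afterwards that the platform line really was inserted.
ssg_xccdf=/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
cp "$ssg_xccdf" ~/ssg-rhel6-xccdf.xml.orig
sed  -i "/cpe:\/o:redhat:enterprise_linux:6::client/a \  <platform idref=\"cpe:\/o:amazon:linux:2014:3:hvm\"/>" "$ssg_xccdf"
grep -q 'cpe:/o:amazon:linux:2014:3:hvm' "$ssg_xccdf" \
    || echo "WARNING: Amazon Linux platform was not added to $ssg_xccdf; the XCCDF format may have changed" >&2

# Run a scan
govready scan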

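# List results
ls -l scans

# View a report - from the command line, old school style using lynx browser
# Example - your file name may differ
lynx scans/results.html

# (Temporary until next govready release) Make some changes to the 'fix' script...
# as root:
cd scans
# Prevent AWS error: "kernel.exec-shield" is an unknown key
sed -i 's/^sysctl -q -n -w kernel.exec-shield=1/#sysctl -q -n -w kernel.exec-shield=1/' fix.sh

# Read the generated remediation script before running it as root: it is derived from
# SCAP content written for RHEL 6, not Amazon Linux, and it changes system settings
# (sshd, sysctl, file permissions) on an instance you can only reach over SSH.
# (e.g. `less fix.sh`)

# Run fix script generated by most recent OpenSCAP scan
govready fix

# Return to the project directory: the remaining steps (`govready scan`, `govready
# compare`, `bash scans/...-fix-*.sh`) are written relative to it, and GovReadyfile
# lives there.
cd ..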

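# Make some additional manual updates that the fix script may have missed.
# All of these run as root and edit system files in place.

# Set a sysctl now and persist it in /etc/sysctl.conf.
#   $1 - key   (e.g. net.ipv4.conf.all.send_redirects)
#   $2 - value
# An existing line for the key is rewritten, otherwise one is appended, so re-running
# this quickstart does not accumulate duplicate entries.
set_sysctl_persist() {
    local key=$1 value=$2
    sysctl -w "${key}=${value}"
    if grep -q "^${key}" /etc/sysctl.conf; then
        sed -i "s/^${key}.*/${key} = ${value}/" /etc/sysctl.conf
    else
        printf '\n# Set %s to %s per security requirements\n%s = %s\n' \
            "$key" "$value" "$key" "$value" >> /etc/sysctl.conf
    fi
}

# Set an sshd_config directive, replacing any existing occurrence whether it is
# active or commented out; append it when absent.
#   $1 - directive (e.g. Protocol)
#   $2 - value     (must not contain '|', '&' or '\' -- used in a sed replacement)
# The previous sed lines only uncommented a specific default line, so an already
# active directive with a non-compliant value (e.g. `Protocol 2,1`) was left untouched.
set_sshd_option() {
    local directive=$1 value=$2
    if grep -qE "^#?${directive}\b" /etc/ssh/sshd_config; then
        sed -i -r "s|^#?${directive}\b.*|${directive} ${value}|" /etc/ssh/sshd_config
    else
        printf '\n# %s set per security requirements\n%s %s\n' \
            "$directive" "$directive" "$value" >> /etc/ssh/sshd_config
    fi
}

# CCE-26647-8 Rule ID: ensure_gpgcheck_never_disabled
# Note that this quickstart itself installed unsigned RPMs with --nogpgcheck earlier;
# this only re-enables signature checking for the configured repos going forward.
# The .rpmsave copy is optional, so skip it when it does not exist.
for repo_file in /etc/yum.repos.d/amzn-nosrc.repo /etc/yum.repos.d/amzn-nosrc.repo.rpmsave; do
    [ -f "$repo_file" ] && sed -i 's/gpgcheck=0/gpgcheck=1/' "$repo_file"
done

# CCE-27072-8 Rule ID: sshd_allow_only_protocol2
set_sshd_option Protocol 2

# CCE-26887-0 Rule ID: sshd_disable_empty_passwords
set_sshd_option PermitEmptyPasswords no

# CCE-26949-8 Rule ID: permissions_grub_conf
chmod 600 /boot/grub/grub.conf

# CCE-27166-8 Rule ID: sysctl_ipv6_default_accept_redirects
set_sysctl_persist net.ipv6.conf.default.accept_redirects 0

# CCE-27001-7 Rule ID: sysctl_ipv4_all_send_redirects
set_sysctl_persist net.ipv4.conf.all.send_redirects 0

# CCE-27112-2 Rule ID: sshd_enable_warning_banner
# Quoted heredoc delimiter: the banner is literal text, nothing in it should expand.
cat <<'EOF' > /etc/issue
**************************** -- WARNING -- ****************************
* This system is for the use of authorized users only. Individuals    *
* using this computer system without authority or in excess of their  *
* authority are subject to having all their activities on this system *
* monitored and recorded by system personnel. Anyone using this       *
* system expressly consents to such monitoring and is advised that    *
* if such monitoring reveals possible evidence of criminal activity   *
* system personnel may provide the evidence of such monitoring to law *
* enforcement officials.                                              *
***********************************************************************
EOF
set_sshd_option Banner /etc/issue

# Validate the edited sshd_config before reloading so a bad edit cannot leave sshd
# unable to accept new connections, then reload once for every sshd change above.
# (Previously the reload ran only when the Banner line was newly added, so the
# Protocol and PermitEmptyPasswords changes could sit unapplied.)
/usr/sbin/sshd -t && /etc/init.d/sshd reload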

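# Run the scan again.
govready scan
# Compare before and after scans.
# Compares rules with 'pass' results in most recent scan to results in second most recent scan.
govready compare

# Compare before and after scans to see whether anything that passed in the second
# most recent scan now fails.
govready compare fail

# Information and evaluation of individual rule (rule must be listed in results.xml file)
govready rule configure_auditd_num_logs

# See available profiles (e.g., baselines)
govready profiles

# Run a scan for a different profile (e.g., baseline)
govready scan usgcb-rhel6-server

# Run an autogenerated fix script from available remediations in the SCAP content.
# Example - your file name may differ. Scan output lives in scans/ (see `ls -l scans`
# above), not scan/. Read the script before running it as root: it is generated from
# RHEL 6 content and can change settings (sshd, PAM, sysctl, firewall) that lock you
# out of an EC2 instance you can only reach over SSH.
bash scans/usgcb-rhel6-server-fix-0822-1552.sh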