Setup script sets APT flags and permission checks.

RHEL-07-040520

Enable ufw, use /etc/sysctl.conf, and allow port 22 from $FW_ADMIN.

CCE-26828-4, CCE-27106-4

Disable dccp sctp rds tipc protocols.

CCE-80137-3, CCE-80138-1, CCE-80139-9, CCE-80140-7, CCE-80141-5, CCE-80142-3, CCE-80143-1, UBTU-16-010070

Disable cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat file systems.

Disable coredumps and crash shells, set DefaultLimitNOFILE and DefaultLimitNPROC to 1024.

Compress logs, forward to syslog and make log storage persistent.

Add four NTP-servers with a latency < 50ms from $NTPSERVERPOOL.

Configure /tmp/ and /var/tmp/. Remove floppy drivers from /etc/fstab and add hidepid=2 to /proc.

CCE-27078-5

Undo prelinking, and remove prelink package.

CCE-26895-3, UBTU-16-010010, UBTU-16-010560, UBTU-16-010570

Configure dpkg and apt-get. apt-get update and upgrade.

V-72315

/etc/hosts.allow and /etc/hosts.deny restrictions.

CCE-80205-8, UBTU-16-010150, UBTU-16-010170, UBTU-16-010190, UBTU-16-010210, UBTU-16-010220, UBTU-16-010640

Modify /etc/login.defs, e.g. UMASK, password age limits and SHA_CRYPT_MAX_ROUNDS.

Update $SYSCTL with $SYSCTL_CONF.

CCE-80169-6, V-72049

Set hard and soft limits.

UBTU-16-010280

Set /bin/false as default shell when adding users.

Limit /etc/securetty to console, and root from 127.0.0.1 in /etc/security/access.conf.

UBTU-16-010050, UBTU-16-010500, UBTU-16-010600

Installs acct aide-common apparmor-profiles apparmor-utils auditd debsums haveged libpam-apparmor libpam-cracklib libpam-tmpdir openssh-server postfix rkhunter vlock.

Removes avahi* beep popularity-contest rsh* talk* telnet* tftp* yp-tools ypbind xinetd.

CCE-27471-2, CCE-27082-7, CCE-27433-2, CCE-27314-4, CCE-27363-1, CCE-27413-4, CCE-80222-3, CCE-80223-1, CCE-80225-6, CCE-80224-9, CCE-27445-6, UBTU-16-030200, UBTU-16-030210, UBTU-16-030270, UBTU-16-030350

Configure the OpenSSH-daemon.

UBTU-16-010090, UBTU-16-010100, UBTU-16-010110, UBTU-16-010120, UBTU-16-010120, UBTU-16-010130, UBTU-16-010140, UBTU-16-010180, UBTU-16-010230, UBTU-16-010240, UBTU-16-010250, UBTU-16-010290, UBTU-16-010320, UBTU-16-010340

Configure pam_cracklib.so and pam_tally2.so.

CCE-27323-5, CCE-80345-2

Allow root to use cron. Mask atd.

CCE-27511-5, UBTU-16-010630

Disable Ctrl-alt-delete.

CCE-27407-6, UBTU-16-020000

Configure auditd, use $AUDITD_RULES and set failure mode $AUDITD_MODE.

CCE-27327-6, CCE-27277-3, UBTU-16-010580

Disable bluetooth bnep btusb firewire-core n_hdlc net-pf-31 pcspkr soundcore thunderbolt usb-midi usb-storage kernel modules.

CCE-27096-7, UBTU-16-020000, UBTU-16-020010

Configure aide .

CCE-27406-8

Remove hosts.equiv and .rhosts.

UBTU-16-010650

Remove games gnats irc list news sync uucp users.

Remove suid bits from /bin/fusermount /bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/bsd-write/usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/mlocate /usr/bin/mtr /usr/bin/newgrp /usr/bin/pkexec/usr/bin/traceroute6.iputils /usr/bin/wall /usr/sbin/pppd.

CCE-80202-5, UBTU-16-010060

Set bash and /etc/profile umask.

UBTU-16-010600, UBTU-16-010610, UBTU-16-010620

Enforce present apparmor profiles.

UBTU-16-010780

Set root path to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, and user path to /usr/local/bin:/usr/bin:/bin.

Configure systemd/logind.conf and use KillUserProcesses.

Configure systemd/resolved.conf.

Configure rkhunter.

Update /etc/issue /etc/issue.net /etc/motd.

Disable apport, ubuntu-report and popularity-contest.

Lock the root user account.

Disable coredumps with systemd/coredump.conf.

Disable the VRFY command, configure smtpd_banner, smtpd_client_restrictions and inet_interfaces.

Disable motd-news.

Install and configure usbguard.

Restrict compiler access.

If verbose, show systemd-delta.

Print if a reboot is required.

Download && Use