CyberPatriot scripts/checklists created by a CyberPatriot student (me) for my team's personal use on Unix-based VMs. Not authorized for use by other teams.
- Read the README
- Do all forensics questions
- Do any tasks outlined in the README (ex. creating groups)
- Manage users in accordance with the README
- Add user: `adduser $user`
- Delete user: `deluser $user; delgroup $user`
- Change insecure passwords with `passwd $user`
- All of the above can also be done with the GUI on Ubuntu
- Change users who should or should not be administrator
- Manage groups in accordance with the README
- Add group: `addgroup $group`
- Delete group: `delgroup $group`
- Audit `/etc/sudoers` (look for people who should not have sudo)
- Update mirrors in `/etc/apt/sources.list` by adding these lines:
  ```
  deb http://security.ubuntu.com/ubuntu/
  deb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse
  deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse
  deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse
  deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse
  ```
- Remove unwanted packages with `apt-get purge $package` or by using the GUI
- Update package list and upgrade installed packages:
  ```sh
  apt-get update
  apt-get upgrade
  ```
- Update the kernel with
  ```sh
  # linux-image-generic is the Ubuntu metapackage that pulls in the newest kernel;
  # linux-image-$(uname -r) names the kernel already running and would only reinstall it
  apt-get install linux-image-generic
  ```
- Audit system crontabs in `/etc/crontab` and user crontabs using `crontab -l -u $user` (or `crontab -e -u $user` to edit them, or read the files in `/var/spool/cron/crontabs/$user`)
- Audit permissions and contents of home directories and system files using `ls -lA`. It is good to know what most of the core system files contain and do to save time during competition. Some examples of core system files:
  - `/etc/rc.local`
  - `/etc/login.defs`
  - `/etc/crontab`
  - `/etc/sysctl.conf` - Configures the kernel. Hardening: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
  - `/etc/passwd` - Users
  - `/etc/shadow` - Password hashes
  - `/etc/group` - Groups
  - `/etc/sudoers` - Who can use sudo
  - `/var/log/*` - System logs. Usually all readable by everyone except for `auth.log*`, `btmp*`, `dmesg`, `kern.log*`, `syslog*`, and `ufw.log*` (list world-readable files with `ls -lA | grep "^\-......r.."`, which matches regular files whose "other" read bit is set)
  - `/etc/hosts` - This should exist, but be empty except for some standard lines (ex: `127.0.0.1 localhost`). If unsure, just look up the default contents on Google and copy/paste into the file.
  - `/etc/apt/sources.list`
  - `/etc/securetty` - If the file does not exist, root can use any terminal. This is a potential security vulnerability.
  - `/etc/apt/apt.conf.d/10periodic` - https://qznc.github.io/my-homeserver/hardening.html#automatic-security-updates. Add (or edit) the following lines:
    ```
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
    ```
- Other:
  ```sh
  # Make shared memory read only. Append with ">>": a single ">" would replace the
  # whole of /etc/fstab and leave the system unable to mount its other filesystems.
  echo "none /run/shm tmpfs ro,noexec 0 0" >> /etc/fstab
  mount -a
  # Change some settings (written to /proc, so they are lost on reboot;
  # put the same keys in /etc/sysctl.conf to make them persistent)
  echo 0 > /proc/sys/kernel/sysrq
  echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
  # Check this folder: /usr/sbin/<user>
  ```
  MYSQL: in `/etc/mysql/my.cnf` set `bind-address=localhost`
  PHP: in `/etc/php5/apache2/php.ini` set `expose_php=0`
- SSH (CIS 5.2)
  ```sh
  chown root:root /etc/ssh/sshd_config
  chmod og-rwx /etc/ssh/sshd_config
  ```
  Add or change these lines in `/etc/ssh/sshd_config`:
  ```
  Protocol 2
  LogLevel INFO
  X11Forwarding no
  MaxAuthTries 4
  IgnoreRhosts yes
  HostbasedAuthentication no
  PermitRootLogin no
  PermitEmptyPasswords no
  PermitUserEnvironment no
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  ClientAliveInterval 300
  ClientAliveCountMax 0
  LoginGraceTime 60
  ```
  Reload changes:
  ```sh
  # On Ubuntu the OpenSSH service is named "ssh"; "service sshd reload" is not recognised there
  service ssh reload
  ```
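A quick compliance check for the sshd_config settings listed above, as an added example (my own sketch, not one of the scripts in this repo). It assumes sshd's own rules for reading the file: keywords are case-insensitive and the first uncommented occurrence of a keyword is the one that takes effect, so a commented-out `#X11Forwarding no` counts as missing.

```shell
# Added example, not part of the original checklist: report which sshd_config
# directives from the list above are missing or set to another value.
# Assumption: sshd keywords are case-insensitive and the first uncommented
# occurrence of a keyword is the one that takes effect.
SSHD_EXPECTED='Protocol 2
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60'

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { print $2; exit }           # first match wins, like sshd
    ' "$1"
}

# Print one line per deviation; return the number of deviations (0 = compliant).
check_sshd_config() {
    config="$1"; bad=0
    while read -r key want; do
        got=$(sshd_value "$config" "$key")
        if [ -z "$got" ]; then
            echo "$key: missing, want '$want'"; bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key: got '$got', want '$want'"; bad=$((bad + 1))
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    return "$bad"
}

# Constructed sample (not a real host's file): the expected list with root
# login re-enabled and X11Forwarding commented out, so two deviations.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' "$SSHD_EXPECTED" |
    sed 's/^PermitRootLogin no/permitrootlogin yes/; s/^X11Forwarding/#X11Forwarding/' > "$SAMPLE_CONFIG"
check_sshd_config "$SAMPLE_CONFIG" || echo "$? deviation(s) found"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after editing; a non-zero return code means something in the list still needs changing.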
- Password lock (CIS 5.4.1.4)
  ```sh
  useradd -D -f 30            # set the default: lock new accounts 30 days after their password expires
  chage --list <user>         # show a user's current password ageing settings
  chage --inactive 30 <user>  # apply the 30-day inactivity lock to an existing user
  ```
- `init.sh` - Run this first. Installs xcopy (used by other scripts) and sets up aliases
- `basic.sh` - Standard security fixes
- `audit_setup.sh` - Sets up and runs auditd with a best-practices rules file
- `rookit_scan.sh` - Installs chkrootkit and rkhunter and checks for rootkits