CyberPatriot scripts/checklists created by a CyberPatriot student (me) for my team's personal use on Unix-based VMs. Not authorized for use by other teams.
- Read the README
- Do all forensics questions
- Do any tasks outlined in the README (ex. creating groups)
- Manage users in accordance with the README
- Add user
adduser $user - Delete user
deluser $user; delgroup $user - Change insecure passwords with
passwd $user - All of the above can also be done with the GUI on Ubuntu
- Change users who should or should not be administrator
- Add user
- Manage groups inn accordance with the README
- Add group
addgroup $group - Delete group
delgroup $group
- Add group
- Aduit
/etc/sudoers(look for people who should not have sudo) - Update mirrors in
/etc/apt/sources.listby adding these lines:deb http://security.ubuntu.com/ubuntu/ deb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse deb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse - Remove unwanted packages with
apt-get purge $packageor by using the GUI - Update package list and upgrade installed packages
apt-get updateapt-get upgrade
- Update the kernel with
apt-get install linux-image-$(uname -r) - Audit system crontabs in
/etc/crontaband user crontabs usingcrontab -e -u $user(or in/var/spool/cron/crontabs/$user) - Audit permissions and contents of home directories and system files using
ls -lA. It is good to know what most of the core system files contain and do to save time during competition. Some examples of cor system files:/etc/rc.local/etc/login.defs/etc/crontab/etc/sysctl.conf- Configures the kernel. Hardening: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening//etc/passwd- Users/etc/shadow- Password hashes/etc/group- Groups/etc/sudoers- Who can use sudo/var/log/*- System logs. Usually all readable by everyone except forauth.log*,btmp*,dmesg,kern.log*,syslog*, andufw.log*(list everyone readable files withls -lA | grep "^\-......r..")/etc/hosts- This should exist, but be empty except for some standard lines (ex:127.0.0.1 localhost). If unsure, just look up the default contents on Google and copy/paste into the file./etc/apt/sources.list/etc/securetty- If the file does not exists, root can use any terminal. This is a potential security vulnerability./etc/apt/apt.conf.d/10periodic- https://qznc.github.io/my-homeserver/hardening.html#automatic-security-updates. Add (or edit) the following lines:APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1";
- Other:
# Make shared memory read only echo "none /run/shm tmpfs ro,noexec 0 0" > /etc/fstab mount -a # Change some settings echo 0 > /proc/sys/kernel/sysrq echo 1 > /proc/sys/net/ipv4/tcp_rfc1337 # Check this folder /usr/sbin/<user> MYSQL: /etc/mysql/my.cnf bind-address=localhost PHP: /etc/php5/apache2/php.ini expose_php=0 - SSH (CIS 5.2)
chown root:root /etc/ssh/sshd_config chmod og-rwx /etc/ssh/sshd_config # Add or change these lines in /etc/ssh/sshd_config Protocol 2 LogLevel INFO X11Forwarding no MaxAuthTries 4 IgnoreRhosts yes HostbasedAuthentication no PermitRootLogin no PermitEmptyPasswords no PermitUserEnvironment no MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com ClientAliveInterval 300 ClientAliveCountMax 0 LoginGraceTime 60 # Reload changes service sshd reload - Password lock (CIS 5.4.1.4)
useradd -D -f 30 # Sets default chage --list <user> chage --inactive 30 <user>
- init.sh Run this first. Installs xcopy (used by other scripts) and sets up aliases
- basic.sh Standard security fixes
- audit_setup.sh Setup and run auditd with a best practices rules file
- rookit_scan.sh Install chkrookit and rkhunter and check for rootkits