This repo contains a bash script which performs tests against your CentOS system to give an indication of whether the running server may compliy with the CIS v2.2.0 Benchmarks for CentOS. https://learn.cisecurity.org/benchmarks
Only CentOS 7 is supported at this time.
curl -LO https://raw.githubusercontent.com/finalduty/cis_benchmarks_audit/master/cis-audit.sh && chmod 750 cis-audit.sh
# ./cis-audit.sh --help
This script runs tests on the system to check for compliance against the CIS CentOS 7 Benchmarks.
No changes are made to system files by this script.
Options:
-h, --help Prints this help text
--debug Run script with debug output turned on
--level (1,2) Run tests for the specified level only
--include "<test_ids>" Space delimited list of tests to include
--exclude "<test_ids>" Space delimited list of tests to exclude
--nice Lowers the CPU priority of executing tests
--no-colour Disable colouring for STDOUT (Note that output redirected to a file/pipe is never coloured)
Examples:
Exclude tests from section 1.1 and 1.3.2:
cis-audit.sh --exclude "1.1 1.3.2"
Include tests only from section 4.1 but exclude tests from subsection 4.1.1:
cis-audit.sh --include 4.1 --exclude 4.1.1
Run only level 1 tests
cis-audit.sh --level 1
Run level 1 tests and include some but not all SELinux questions
cis-audit.sh --level 1 --include 1.6 --exclude 1.6.1.2
Email output to email@example.com
cis-audit.sh --level 1 | mail -s "CIS Audit Report on $HOSTNAME" email@example.com
Display only Failed tests
cis-audit.sh --level 1 | grep Fail
# ./cis-audit.sh --include 5.2
[00:00:01] (✓) 14 of 14 tests completed
CIS CentOS 7 Benchmark v2.2.0 Results
---------------------------------------
ID Description Scoring Level Result Duration
-- ----------- ------- ----- ------ --------
5 Access Authentication and Authorization
5.2 SSH Server Configuration
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured Scored 1 Pass 33ms
5.2.2 Ensure SSH Protocol is set to 2 Scored 1 Pass 5ms
5.2.3 Ensure SSH LogLevel is set to INFO Scored 1 Pass 6ms
5.2.4 Ensure SSH X11 forwarding is disabled Scored 1 Pass 4ms
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less Scored 1 Pass 9ms
5.2.6 Ensure SSH IgnoreRhosts is enabled Scored 1 Pass 5ms
5.2.7 Ensure SSH HostbasedAuthentication is disabled Scored 1 Pass 5ms
5.2.8 Ensure SSH root login is disabled Scored 1 Fail 8ms
5.2.9 Ensure SSH PermitEmptyPasswords is disabled Scored 1 Pass 5ms
5.2.10 Ensure SSH PermitUserEnvironment is disabled Scored 1 Pass 8ms
5.2.11 Ensure only approved ciphers are used Scored 1 Pass 16ms
5.2.12 Ensure only approved MAC algorithms are used Scored 1 Pass 45ms
5.2.13 Ensure SSH Idle Timeout Interval is configured Scored 1 Fail 15ms
5.2.14 Ensure SSH LoginGraceTime is set to one minute or less Scored 1 Pass 11ms
5.2.15 Ensure SSH access is limited Skipped 1
5.2.16 Ensure SSH warning banner is configured Scored 1 Pass 6ms
Passed 13 of 15 tests in 1 seconds (1 Skipped, 0 Errors)
3.7 - Ensure wireless interfaces are disabled (Not Scored)
This test deviates from the audit steps specified in the standard. The assumption here is that if you are on a server then you shouldn't have the wireless-tools
package installed so you wouldn't even be able to use any wireless interfaces, and if you're on a laptop, you almost certainly do want wireless access.
4.1.4 - Ensure events that modify date and time information are collected (Scored)
4.1.5 - Ensure events that modify user/group information are collected (Scored)
4.1.6 - Ensure events that modify the system's network environment are collected (Scored)
4.1.7 - Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
4.1.8 - Ensure login and logout events are collected (Scored)
4.1.9 - Ensure session initiation information is collected (Scored)
4.1.10 - Ensure discretionary access control permission modification events are collected (Scored)
4.1.11 - Ensure unsuccessful unauthorized file access attempts are collected (Scored)
4.1.12 - Ensure use of privileged commands is collected (Scored)
4.1.13 - Ensure successful file system mounts are collected (Scored)
4.1.14 - Ensure file deletion events by users are collected (Scored)
4.1.15 - Ensure changes to system administration scope (sudoers) is collected (Scored)
4.1.16 - Ensure system administrator actions (sudolog) are collected (Scored)
4.1.17 - Ensure kernel module loading and unloading is collected (Scored)
The way that the tests are described in v2.2.0 of the standard do not directly reflect what is returned when querying the system. As such, the 'expected' output for these tests differs slightly to what is defined in the standard.
Users will find that when applying the recommended configurations per the standard, that the verify command displays it slightly differently. For instance, in 4.1.4
, when applying the recommendations as below:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
The output from auditctl -l
actually shows:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
4.1.8 - Ensure login and logout events are collected (Scored)
4.1.9 - Ensure session initiation information is collected (Scored)
The way the v2.2.0 standard lists the requirements to pass 4.1.8
and 4.1.9
conflicts with each other when looking at the 'logins' terms used.
This tool deviates from the standard here and includes the 'logins' portions of 4.1.9
in the tests for 4.1.8
instead of the ones specified in the standard. It is anticipated that users going for compliance against these two recommendations would do so at the same time and therefore should not notice any difference between the test results and the standard.
The standard recommends that umask permissions be set to 027 or higher. Currently this test only checks for 027, so a more restrictive umask such as 077 would fail. Further, it does not test the /etc/profile/*.sh files on the system.
I will leave it this way until someone needs a more restrictive umask test - Just add an issue if this is you 👍
This is not a replacement for a full audit and a passing result from this script does not necessarily mean that you are compliant (but it should give you a good idea of where to start).
The script will never make changes to your system, but it will write temporary data to to /tmp/.cis-audit* (which is cleaned up afterwards).
This script can run multiple tests at a time and it is possible that some tests could have an adverse impact on your system(s). There is an adjustable limit for the number of concurrent tests as well as a nicing argument which can help keep load down.
No warranty is offered and no responsibility will be taken for damage to systems resulting from the use of this script.