diff --git a/packer/apply_cis_rules b/packer/apply_cis_rules
index 6b34353e..6918b66d 100755
--- a/packer/apply_cis_rules
+++ b/packer/apply_cis_rules
@@ -90,3 +90,82 @@ if __name__ == '__main__':
 with open('/etc/audit/auditd.conf', 'w') as f:
 f.write(auditd)
+ sysctl_conf = '''
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+net.ipv6.conf.all.accept_ra = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+net.ipv6.conf.all.accept_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
+net.ipv6.conf.all.accept_source_route = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
+net.ipv6.conf.all.forwarding = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
+net.ipv6.conf.default.accept_ra = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
+net.ipv6.conf.default.accept_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
+net.ipv6.conf.default.accept_source_route = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
+net.ipv4.conf.all.accept_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
+net.ipv4.conf.all.accept_source_route = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
+net.ipv4.conf.all.log_martians = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
+net.ipv4.conf.all.rp_filter = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
+net.ipv4.conf.all.secure_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
+net.ipv4.conf.default.accept_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
+net.ipv4.conf.default.accept_source_route = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
+net.ipv4.conf.default.log_martians = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
+net.ipv4.conf.default.rp_filter = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
+net.ipv4.conf.default.secure_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
+net.ipv4.tcp_syncookies = 1
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
+net.ipv4.conf.all.send_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
+net.ipv4.conf.default.send_redirects = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
+net.ipv4.ip_forward = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
+fs.suid_dumpable = 0
+
+# xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
+kernel.randomize_va_space = 2
+'''[1:-1]
+ with open('/etc/sysctl.d/99-cis-rules.conf', 'w') as f:
+ f.write(sysctl_conf)
+ run('sysctl -p /etc/sysctl.d/99-cis-rules.conf', shell=True, check=True)
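Review bot: The final `run('sysctl -p ...', shell=True, check=True)` aborts the whole image build if any key in the new file is absent on the build host (the `net.ipv6.*` entries, for instance, do not exist when IPv6 is disabled in the build kernel or the script runs in a chroot), even though only the persisted `/etc/sysctl.d/99-cis-rules.conf` matters for the image; I would use `run(['sysctl', '-e', '-p', '/etc/sysctl.d/99-cis-rules.conf'], check=True)` so unknown keys are skipped and the constant command no longer goes through a shell. Worth a comment above the `with open(...)` line: `# 99-cis-rules.conf sorts before the distro's own 99-*.conf files and /etc/sysctl.conf is read last, so a conflicting key there silently wins — verify with sysctl -n after first boot`. If this image is ever used for container or routing workloads, `net.ipv4.ip_forward = 0`, `net.ipv6.conf.all.forwarding = 0` and strict `rp_filter = 1` will be overridden or will break them at runtime; that is a deployment assumption the file should state explicitly rather than leave to whoever debugs it. The enclosing `if __name__ == '__main__':` block starts outside the hunk.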