
amazon-linux-cis's Introduction

This repository is no longer maintained in favor of CIS hardened AMIs.

amazon-linux-cis


Bootstrap script for Amazon Linux to comply with CIS Amazon Linux Benchmark v2.0.0.

Usage

$ git clone https://github.com/nozaq/amazon-linux-cis.git .
$ python ./amazon-linux-cis

Available Arguments

Argument (default value)          What it does
--time (169.254.169.123)          Specify the upstream time server
--chrony boolean (true)           Use chrony for time synchronization
--no-backup                       Disable the automatic config backup
--clients comma-separated list    Specify a comma-separated list of hostnames and host IP addresses
-v, --verbose                     Enable verbose logging of the utility
--disable-tcp-wrappers            Disable installation of the TCP Wrappers package
--disable-pam                     Disable the hardening of the PAM module
--disable-iptables                Disable the installation of iptables
--disable-mount-options           Disable replacing the default /etc/fstab mount configuration file

Amazon Linux 2 Support

Although the differences between Amazon Linux and Amazon Linux 2 are extensive (listed here), the majority of the changes to reach CIS compliance for Amazon Linux 2 are minor. Here's the minimum required command line needed to install the hardening on Amazon Linux 2 instances.

python ./amazon-linux-cis --disable-mount-options

Tested Environments

  • Amazon Linux 2017.09
  • Amazon Linux AMI 2018.03.0 (HVM)
  • Amazon Linux 2 - 2017.12


amazon-linux-cis's Issues

Root account is locked

Hi Nozaq,

I applied these CIS benchmark rules to Amazon Linux 2 and after applying them I am not able to SSH.

We are launching an instance with AMAZON LINUX 2 as the base image, hardened with CIS benchmarks. The error shown is "can not open the access to console, root account is locked."

Can you please help us in finding the issue behind this.

Additional options to disable

Using an Amazon Linux 2 container:

Dockerfile:
FROM amazonlinux:latest

Running: python ./amazon-linux-cis --disable-mount-options --disable-iptables

Returns errors if the following packages aren't installed:

  • crontabs
  • update-motd

If I install these packages (which I don't really want to, but just for testing),

it returns an error for:
cannot access ‘/etc/ssh/sshd_config’: No such file or directory

Where is the issue?

Hi Nozaq,

I am trying to harden Amazon Linux 2 with the script you have provided, but Amazon Linux is not hardened and the script is also not giving proper output.

Can you please help me in finding where the issue is. Please.

here is the output:
INFO:root:[Config] Upstream time server is set as "169.254.169.123"
INFO:root:[Config] chrony will be used for time synchronization
INFO:root:Backing up /etc/modprobe.d/CIS.conf into /etc/modprobe.d/CIS.conf.bak...
INFO:root:Backing up /etc/sysconfig/init into /etc/sysconfig/init.bak...
INFO:root:Backing up /etc/security/limits.conf into /etc/security/limits.conf.bak...
INFO:root:Backing up /etc/sysctl.conf into /etc/sysctl.conf.bak...
INFO:root:Backing up /etc/motd into /etc/motd.bak...
INFO:root:Backing up /etc/issue into /etc/issue.bak...
INFO:root:Backing up /etc/issue.net into /etc/issue.net.bak...
INFO:root:Backing up /etc/chrony.conf into /etc/chrony.conf.bak...
INFO:root:Backing up /etc/sysconfig/chronyd into /etc/sysconfig/chronyd.bak...
Note: Forwarding request to 'systemctl enable chronyd.service'.
INFO:root:Backing up /etc/postfix/main.cf into /etc/postfix/main.cf.bak...
INFO:root:Backing up /etc/rsyslog.conf into /etc/rsyslog.conf.bak...
INFO:root:Backing up /etc/ssh/sshd_config into /etc/ssh/sshd_config.bak...
INFO:root:Backing up /etc/security/pwquality.conf into /etc/security/pwquality.conf.bak...
INFO:root:Backing up /etc/login.defs into /etc/login.defs.bak...
INFO:root:Backing up /etc/bashrc into /etc/bashrc.bak...
INFO:root:Backing up /etc/profile into /etc/profile.bak...
INFO:root:Backing up /etc/pam.d/su into /etc/pam.d/su.bak...

Support for Amazon Linux 2 (2017.12)

This mini utility to change elements of Amazon Linux is perfect for Packer bootstrapping to create a custom AMI without configuration management tools.

Although there are some major changes in Amazon Linux 2, this utility can still cover most of the changes without much alteration. On an initial run (against the latest Amazon Linux 2 AMI - amzn2-ami-hvm-2017.12.0.20180509-x86_64-*), these things broke...

  • Chrony service would not enable (removal of init.d in Amazon Linux 2)
  • Applying the fstab configuration would break the new AMI from bootstrapping (root locked error message)

[I have a solution to allow this python application to work for Amazon Linux 2 - I'll generate a diff against my fork and create a pull request]

The last additional line in the files does not take the line break well

First of all congratulations on this great project, it is wonderful.
The last line added to the files has problems with the line break. I have tested the project with the latest AMI available for Amazon Linux 2; the ID of the AMI is ami-00c03f7f7f2ec15c3.

Greetings.
.
.
.
net.ipv6.conf.default.accept_ra = 0[root@ip-172-31-43-135 ~]#
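The output above shows a config file whose last line was written without a terminating newline, so the shell prompt lands on the same line as the value. The following is an added example, not the project's own code, of how an append-style hardening step can avoid that defect and also keep the `.bak` copy that the README's default backup behaviour describes: `ensure_config_line` is a hypothetical helper and the sample `sysctl.conf` content is constructed for the demo.

```python
import os
import shutil
import tempfile


# Hypothetical helper (added example, not the project's own code): append a
# "key = value" line to a config file, guaranteeing a terminating newline on
# both the existing content and the new line, skipping lines already present,
# and keeping a .bak copy as the script's default backup behaviour does.
def ensure_config_line(path, line, backup=True):
    """Return True if `line` was appended, False if it was already present."""
    line = line.rstrip("\n")
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
        if line in existing.splitlines():
            return False          # idempotent: do not duplicate the setting
        if backup:
            shutil.copy2(path, path + ".bak")
    # Separator repairs a file whose last line has no trailing newline, the
    # defect reported above (prompt printed on the same line as the value).
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    with open(path, "a") as fh:
        fh.write(sep + line + "\n")
    return True


def demo():
    """Constructed scenario: a sysctl.conf whose last line lacks a newline."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "sysctl.conf")
    with open(path, "w") as fh:
        fh.write("net.ipv4.ip_forward = 0")   # constructed, no trailing newline
    first = ensure_config_line(path, "net.ipv6.conf.default.accept_ra = 0")
    second = ensure_config_line(path, "net.ipv6.conf.default.accept_ra = 0")
    with open(path) as fh:
        content = fh.read()
    with open(path + ".bak") as fh:
        backup = fh.read()
    shutil.rmtree(tmp)
    return first, second, content, backup


if __name__ == "__main__":
    print(demo())
```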
