
Commit 8c9b5da

authored
Merge pull request #84 from kumar-dhanagopal/cleanup
cleanup
2 parents 95ff4a8 + 116ddd6 commit 8c9b5da


1 file changed

+0
-161
lines changed


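--- a/modules/base/bastion/scripts/bastion.template.sh
+++ b/modules/base/bastion/scripts/bastion.template.sh
@@ -8,164 +8,3 @@ yum update --security
 sed -i -e "s/autoinstall\s=\sno/# autoinstall = yes/g" /etc/uptrack/uptrack.conf
 
 uptrack-upgrade
-
-touch /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist cramfs" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist freevxfs" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist jffs2" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist hfs" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist hfsplus" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist squashfs" >> /etc/modprobe.d/blacklist-filesystems.conf
-echo "blacklist udf" >> /etc/modprobe.d/blacklist-filesystems.conf
-
-rmmod cramfs freevxfs jffs2 hfs hfsplus squashfs udf
-
-sed -i -e "s/Options=mode=1777,strictatime/Options=mode=1777,strictatime,noexec,nodev,nosuid/g" /etc/systemd/system/local-fs.target.wants/tmp.mount
-mount -o remount,nodev /tmp
-mount -o remount,nosuid /tmp
-mount -o remount,noexec /tmp
-
-yum install -y aide
-aide --init
-mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-echo "0 5 * * 5 root /usr/sbin/aide --update" >> /etc/crontab
-
-echo "0 6 * * 5 root mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz" >> /etc/crontab
-
-echo "0 2 * * * root /usr/sbin/aide --check" >> /etc/crontab
-
-echo "* hard core 0" >> /etc/security/limits.conf
-echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
-sysctl -w fs.suid_dumpable=0
-
-ntpdate 169.254.169.254
-sed -i -e "s/server\s0.rhel.pool.ntp.org\siburst/# server 0.rhel.pool.ntp.org iburst/g" /etc/ntp.conf
-sed -i -e "s/server\s1.rhel.pool.ntp.org\siburst/# server 1.rhel.pool.ntp.org iburst/g" /etc/ntp.conf
-sed -i -e "s/server\s2.rhel.pool.ntp.org\siburst/# server 2.rhel.pool.ntp.org iburst/g" /etc/ntp.conf
-sed -i -e "s/server\s3.rhel.pool.ntp.org\siburst/# server 3.rhel.pool.ntp.org iburst\nserver 169.254.169.254 iburst/g" /etc/ntp.conf
-
-systemctl enable ntpd
-systemctl start ntpd
-
-systemctl stop chronyd
-systemctl disable chronyd
-
-systemctl disable rpcbind
-
-sed -i -e "s/inet_interfaces\s=\slocalhost/inet_interfaces = loopback-only/g" /etc/postfix/main.cf
-systemctl stop postfix.service
-systemctl disable postfix.service
-
-echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv4.ip_forward=0
-
-echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv4.conf.all.send_redirects=0
-sysctl -w net.ipv4.conf.default.send_redirects=0
-
-echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv4.conf.all.accept_source_route=0
-sysctl -w net.ipv4.conf.default.accept_source_route=0
-
-
-echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv4.conf.all.accept_redirects=0
-sysctl -w net.ipv4.conf.default.accept_redirects=0
-
-echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv4.conf.all.secure_redirects=0
-sysctl -w net.ipv4.conf.default.secure_redirects=0
-
-echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
-sysctl -w net.ipv4.conf.all.log_martians=1
-sysctl -w net.ipv4.conf.default.log_martians=1
-
-echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
-sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
-
-echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
-sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-
-echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
-echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
-
-echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
-sysctl -w net.ipv4.tcp_syncookies=1
-
-sysctl -w net.ipv4.route.flush=1
-
-echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
-echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv6.conf.all.accept_ra=0
-sysctl -w net.ipv6.conf.default.accept_ra=0
-
-echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
-echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
-sysctl -w net.ipv6.conf.all.accept_redirects=0
-sysctl -w net.ipv6.conf.default.accept_redirects=0
-
-sysctl -w net.ipv6.route.flush=1
-
-touch /etc/modprobe.d/blacklist-protocols.conf
-echo "blacklist sctp" >> /etc/modprobe.d/blacklist-protocols.conf
-echo "blacklist rds" >> /etc/modprobe.d/blacklist-protocols.conf
-echo "blacklist tipc" >> /etc/modprobe.d/blacklist-protocols.conf
-
-echo "max_log_file = 20MB" >> /etc/audit/auditd.conf
-
-echo "$FileCreateMode 0640" >> /etc/rsyslog.conf
-
-chown root:root /etc/cron.hourly
-chmod og-rwx /etc/cron.hourly
-
-chown root:root /etc/cron.daily
-chmod og-rwx /etc/cron.daily
-
-chown root:root /etc/cron.weekly
-chmod og-rwx /etc/cron.weekly
-
-chown root:root /etc/cron.monthly
-chmod og-rwx /etc/cron.monthly
-
-chown root:root /etc/cron.d
-chmod og-rwx /etc/cron.d
-
-rm -f /etc/cron.deny
-rm -f /etc/at.deny
-touch /etc/cron.allow
-touch /etc/at.allow
-chmod og-rwx /etc/cron.allow
-chmod og-rwx /etc/at.allow
-chown root:root /etc/cron.allow
-chown root:root /etc/at.allow
-
-echo "Protocol 2" >> /etc/ssh/sshd_config
-sed -i -e "s/#LogLevel\sINFO/LogLevel INFO/g" /etc/ssh/sshd_config
-sed -i -e "s/X11Forwarding\syes/X11Forwarding no/g" /etc/ssh/sshd_config
-sed -i -e "s/#MaxAuthTries\s6/MaxAuthTries 3/g" /etc/ssh/sshd_config
-sed -i -e "s/#IgnoreRhosts\syes/IgnoreRhosts yes/g" /etc/ssh/sshd_config
-sed -i -e "s/#HostbasedAuthentication\sno/HostbasedAuthentication no/g" /etc/ssh/sshd_config
-sed -i -e "s/#PermitEmptyPasswords\sno/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
-sed -i -e "s/#PermitUserEnvironment\sno/PermitUserEnvironment no/g" /etc/ssh/sshd_config
-echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
-echo "ClientAliveCountMax 100" >> /etc/ssh/sshd_config
-echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
-systemctl reload sshd
-
-sed -i -e "s/minlen\s=\s8/minlen = 14/g" /etc/security/pwquality.conf
-sed -i -e "s/password\s\s\s\ssufficient\s\s\s\spam_unix.so\ssha512\sshadow\snullok\stry_first_pass\suse_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=4/g" /etc/pam.d/password-auth
-
-echo "TMOUT=900" >> /etc/bashrc
-echo "TMOUT=900" >> /etc/profile
-
-chown root:root /etc/passwd-
-chmod u-x,go-wx /etc/passwd-
-
-chown root:root /etc/group-
-chmod u-x,go-wx /etc/group-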