Cis harden script with increased controls. #545
Open: sumitmishra-spectro wants to merge 18 commits into main from cis-harden-new (base: main)
Conversation
…ble) - Revert to custom hardening script designed for ISO build environment - Add CIS Level 2 specific controls while maintaining build compatibility New CIS Level 2 controls added: - Sysctl: kernel.yama.ptrace_scope, kernel.dmesg_restrict, kernel.kptr_restrict, kernel.perf_event_paranoid, net.ipv6.conf.all.forwarding - SSH: GSSAPIAuthentication, UsePAM, AllowTcpForwarding, TCPKeepAlive, AllowAgentForwarding, DisableForwarding - Services: Disable avahi-daemon, cups, rpcbind, nfs-server, bluetooth, apport, autofs - Packages: Remove avahi-daemon, cups, rpcbind, nfs-kernel-server, vsftpd, apache2, nginx, samba, squid, snmpd - Modules: Added blacklist entries for cramfs, freevxfs, jffs2, hfs, hfsplus - Journald: Configure Compress=yes, Storage=persistent, ForwardToSyslog=no This script writes configuration files during ISO build that will be applied at boot time, avoiding issues with the OpenSCAP-generated script that requires a running system. Co-Authored-By: Warp <[email protected]>
- Add AIDE package for file integrity monitoring (CIS 1.3.1) - Add SSH PubkeyAuthentication setting (CIS 5.2.6) - Add session audit rules for utmp/wtmp/btmp (CIS 4.1.3.*) - Disable kdump service (CIS 1.6.1) Co-Authored-By: Warp <[email protected]>
Co-Authored-By: Warp <[email protected]>
Match fix.sh approach - use noninteractive mode instead of --no-install-recommends to avoid postfix dialog prompt. Co-Authored-By: Warp <[email protected]>
- CIS 1.3.2: Initialize AIDE database with aideinit - CIS 1.7.1.2: Enable AppArmor service (also install base apparmor package) - CIS 4.2.1.2: Enable rsyslog service - CIS 5.5.1: Install vlock for screen locking Co-Authored-By: Warp <[email protected]>
Add documentation for the CIS_HARDENING build parameter that enables CIS Ubuntu 22.04 LTS Benchmark security controls during image build. Note: Should be used for Palette appliance builds only. Co-Authored-By: Warp <[email protected]>
- Use pam_tally2 instead of pam_faillock on Ubuntu 20.04 - Use SHA512 encryption instead of yescrypt on Ubuntu 20.04 - Update README with generic CIS hardening description - Add version detection for Ubuntu-specific PAM modules Co-Authored-By: Warp <[email protected]>
6067800 to be68f58
* PCOM-51 changes to main (#539) * 1.34.2 Kubernet versions for all distros released (#541) * PE-8132: update third party image (#542) --------- Co-authored-by: Zulfihar Ali Ahamed <[email protected]> Co-authored-by: abhijithspectro <[email protected]> Co-authored-by: Akhilesh Verma <[email protected]>
be68f58 to 17fe9d0
arunbalasc reviewed Feb 9, 2026 and left a comment:
a) First pass: restrict changes to Ubuntu only, as they are tested; then RHEL and CentOS can be addressed.
b) Journald logs: making them persistent will affect disk storage recommendations.
c) IPv6 related changes are not tested.
d) After SSH changes, test remote shell.
- Revert RHEL/CentOS changes to original behavior - Guard new kernel hardening (sysctl) with Ubuntu check - Guard journald hardening function with Ubuntu check - Remove IPv6 forwarding change - Remove journald persistent storage change - Keep Ubuntu 20.04/22.04 PAM compatibility (pam_tally2/pam_faillock) - Keep Ubuntu 20.04/22.04 encryption compatibility (SHA512/yescrypt) Co-Authored-By: Warp <[email protected]>
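The two commit messages above (the list of new CIS Level 2 controls, and the follow-up that guards the kernel and journald changes with an Ubuntu check and drops the IPv6 forwarding change) describe an ISO-build script that stages configuration files into the image root rather than applying them to a running system. The following is an added example, not the PR's own script, of that pattern: it writes sysctl, modprobe and sshd drop-ins under a build root, only when the root's os-release identifies Ubuntu, and exposes a check function so a build step can verify what was staged. File names (60-cis-hardening.conf, cis-fs.conf, 60-cis.conf), the function names and all setting values are my assumptions; the PR lists only the keys.

```shell
#!/bin/sh
# Added example (not the PR's script): stage CIS-style drop-ins into a build
# root and verify them. Paths, values and function names are assumptions.
set -eu

# Ubuntu guard: return 0 if the os-release file at $1 has ID=ubuntu.
is_ubuntu() {
    grep -q '^ID=ubuntu$' "$1" 2>/dev/null
}

# Kernel hardening sysctls (keys from the commit message; values assumed).
# net.ipv6.conf.all.forwarding is intentionally not written, matching the
# reviewer's request to drop untested IPv6 changes.
write_cis_sysctl() {
    root="$1"
    mkdir -p "$root/etc/sysctl.d"
    cat > "$root/etc/sysctl.d/60-cis-hardening.conf" <<'EOF'
kernel.yama.ptrace_scope = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 3
EOF
}

# Blacklist the uncommon filesystem modules named in the commit message.
# "install <mod> /bin/false" stops explicit loading, "blacklist" stops
# alias-based autoloading; both are needed for the control to hold.
write_cis_modprobe() {
    root="$1"
    mkdir -p "$root/etc/modprobe.d"
    : > "$root/etc/modprobe.d/cis-fs.conf"
    for mod in cramfs freevxfs jffs2 hfs hfsplus; do
        printf 'install %s /bin/false\nblacklist %s\n' "$mod" "$mod" \
            >> "$root/etc/modprobe.d/cis-fs.conf"
    done
}

# sshd drop-in for the SSH keys listed in the PR (values assumed). Remote
# access should be re-tested after this lands, as the review asks.
write_cis_sshd() {
    root="$1"
    mkdir -p "$root/etc/ssh/sshd_config.d"
    cat > "$root/etc/ssh/sshd_config.d/60-cis.conf" <<'EOF'
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication no
AllowTcpForwarding no
AllowAgentForwarding no
DisableForwarding yes
TCPKeepAlive no
EOF
}

# Check helper: print the staged value of sysctl KEY ($2) under ROOT ($1);
# prints nothing if the key is absent.
sysctl_value() {
    grep -E "^$2[[:space:]]*=" "$1/etc/sysctl.d/60-cis-hardening.conf" \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# Orchestrate: stage everything only for an Ubuntu build root, else
# return 2 without touching the tree.
harden_root() {
    root="$1"
    if ! is_ubuntu "$root/etc/os-release"; then
        echo "skipping: $root is not Ubuntu" >&2
        return 2
    fi
    write_cis_sysctl "$root"
    write_cis_modprobe "$root"
    write_cis_sshd "$root"
}
```

Run it as `harden_root /path/to/chroot` during the ISO build; because the files are plain drop-ins, a post-build check can read them back with `sysctl_value` (or `sysctl --system` on the booted image) without needing a live kernel at build time.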
* PCOM-51 changes to main (#539) * 1.34.2 Kubernet versions for all distros released (#541) * PE-8132: update third party image (#542) * Update spectro third party image to 4.8 (#546) --------- Co-authored-by: Zulfihar Ali Ahamed <[email protected]> Co-authored-by: abhijithspectro <[email protected]> Co-authored-by: Akhilesh Verma <[email protected]> Co-authored-by: Santhosh <[email protected]>
Cis harden script with increased controls.
Script is still optional.
Jira ticket - https://spectrocloud.atlassian.net/browse/PS-1140 for more details.