### Install and Initialize AIDE (Linux) Source: https://www.tenable.com/audits/items/CIS_Fedora_28_Family_Linux_Server_L1_v2.0 This snippet demonstrates the commands to install Advanced Intrusion Detection Environment (AIDE) on a Linux system using dnf package manager, and subsequently initialize and configure AIDE by creating its database. ```shell # dnf install aide # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz ``` -------------------------------- ### Install Multifactor Authentication Packages on Linux Source: https://www.tenable.com/audits/items/CIS_Red_Hat_EL7_STIG_v2.0 This command installs the necessary packages for multifactor authentication on a Linux system. It is specifically designed for systems using 'yum' as their package manager, such as Red Hat Enterprise Linux. The command ensures that 'esc' and 'pam_pkcs11' are installed, which are crucial for enhanced authentication security. ```shell # yum install esc pam_pkcs11 ``` -------------------------------- ### Download and Deploy auditd Logging Manifest (Shell) Source: https://www.tenable.com/audits/items/CIS_Google_Kubernetes_Engine_GKE_v1.5 This snippet shows how to download the example Kubernetes manifests for the auditd logging daemonset using `curl` and then deploy them using `kubectl`. Ensure you have `kubectl` configured for your GKE cluster. ```shell curl https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-node-tools/master/os-audit/cos-auditd-logging.yaml > cos-auditd-logging.yaml kubectl apply -f cos-auditd-logging.yaml ``` -------------------------------- ### Install sudo Package (Debian/Ubuntu) Source: https://www.tenable.com/audits/items/CIS_Ubuntu_18.04_LXD_Container_v1.0 Installs the sudo package, which allows permitted users to execute commands as the superuser or another user. This can be done with the standard sudo package or the sudo-ldap package for LDAP integration. Dependencies include the apt package manager. ```bash # apt install sudo ``` ```bash # apt install sudo-ldap ``` -------------------------------- ### Verify auditd Logging Pods (Shell) Source: https://www.tenable.com/audits/items/CIS_Google_Kubernetes_Engine_GKE_v1.5 This command verifies that the auditd logging pods have started successfully within the specified namespace. If a different namespace was used in the manifest, replace 'cos-auditd' accordingly. ```shell kubectl get pods --namespace=cos-auditd ``` -------------------------------- ### Configure RHN RPM Repository Connection (Shell) Source: https://www.tenable.com/audits/items/CIS_Red_Hat_EL5_v2.2 This snippet details the process of registering a system with the Red Hat Network (RHN) to ensure regular patch updates. It includes the command to initiate the registration and notes the expected outcome of a successful registration, such as the system appearing on the RHN website and subscription to update channels. This is crucial for reducing vulnerability exposure time. ```bash # rhn register ``` -------------------------------- ### Remove GNOME Display Manager via DNF Source: https://www.tenable.com/audits/items/CIS_Oracle_Linux_10_v1.0 Instructions to remove the GNOME Display Manager (GDM) and its associated graphical user interface (GUI) from a system using the DNF package manager. This process involves installing a minimal base group, removing the 'Server with GUI' group, installing the 'Server' group, and rebooting the system. ```shell # dnf groupinstall -y "Minimal Install" # dnf groupremove -y "Server with GUI" # dnf groupinstall -y "Server" # reboot ``` -------------------------------- ### Enable GKE Sandbox using gcloud CLI Source: https://www.tenable.com/audits/items/CIS_Google_Kubernetes_Engine_GKE_v1.6 This command creates a new node pool in a GKE cluster with GKE Sandbox enabled, utilizing Container-Optimized OS with containerd. Ensure you replace placeholders with your specific cluster and zone details. This is an alternative to using the Google Cloud Console. ```bash gcloud container node-pools create --zone --cluster --image-type=cos_containerd --sandbox="type=gvisor" ``` -------------------------------- ### Bash Command - Load System Configuration with sysctl Source: https://www.tenable.com/audits/items/CIS_Oracle_Linux_8_v4.0 Command to load and apply all system configuration files using the sysctl utility. This command reads configuration from /etc/sysctl.conf and /etc/sysctl.d/ directories to apply kernel parameter settings immediately without requiring a system reboot. ```bash # sysctl --system ``` -------------------------------- ### Set Permissions and Enable AIDE Systemd Timer Source: https://www.tenable.com/audits/items/CIS_Fedora_19_Family_Linux_Server_L1_v1.0 Configures file ownership and permissions for systemd AIDE units, then enables and starts the timer. This ensures proper security controls and activates the scheduled filesystem integrity checks. All commands require root privileges. ```bash chown root:root /etc/systemd/system/aidecheck.* chmod 0644 /etc/systemd/system/aidecheck.* systemctl daemon-reload systemctl enable aidecheck.service systemctl --now enable aidecheck.timer ``` -------------------------------- ### Linux Audit Rules for System Network Environment (64-bit) Source: https://www.tenable.com/audits/items/CIS_Debian_Linux_10_v2.0 This snippet defines audit rules for 64-bit Linux systems to monitor changes to hostnames, domain names, and network-related configuration files. It utilizes the 'auditd' service to log these events, tagging them with 'system-locale'. ```bash # printf " -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale " >> /etc/audit/rules.d/50-system_locale.rules # augenrules --load # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi ``` -------------------------------- ### Find and Sort File Extensions (Bash) Source: https://www.tenable.com/audits/items/CIS_Apache_HTTP_Server_2.4_v2.2 This command helps identify existing file extensions on the web server. It uses 'find' to locate files and 'awk' to extract extensions, then 'sort -u' to get unique, sorted extensions. Customize the 'htdocs' path as needed. ```bash find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u ``` -------------------------------- ### Configure /etc/motd Permissions (Unix) Source: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.1 Ensures the /etc/motd file has correct ownership and permissions to prevent unauthorized modification. This is crucial for displaying accurate messages of the day to logged-in users. Note that on Container-Optimized OS, these steps must be performed after every boot. ```sh # chown root:root /etc/motd # chmod 644 /etc/motd ``` -------------------------------- ### Configure Azure AD Guest User Access Restriction with PowerShell Source: https://www.tenable.com/audits/items/CIS_Microsoft_Azure_Foundations_v2.1 This PowerShell script configures the guest user access restriction level in Azure Active Directory. It sets the policy to restrict guest user access to their own directory objects and verifies the change. Ensure you have the necessary Azure AD PowerShell module installed. ```powershell Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' Get-AzureADMSAuthorizationPolicy ```