120 changes: 119 additions & 1 deletion cis-harden/harden.sh
Expand Up @@ -49,6 +49,25 @@ update_config_files() {
return 0
}

##########################################################################
# Idempotent config update - removes old values and sets new one
##########################################################################
update_config_idempotent() {
local search_str="$1"
local new_value="$2"
local config_file="$3"

if [[ ! -f ${config_file} ]]; then
touch "${config_file}"
fi

# Remove all existing lines (commented or uncommented)
sed -i "/^[#[:space:]]*${search_str}/d" "${config_file}"

# Add the new value once
echo "${new_value}" >> "${config_file}"
}


##########################################################################
# Determine the Operating system
Expand Down Expand Up @@ -781,6 +800,100 @@ harden_journald() {
return 0
}

##########################################################################
# CIS 5.2.2, 5.2.3, 5.2.4 - Configure sudo hardening
##########################################################################
configure_sudo() {
echo "Configuring sudo hardening with idempotent sudoers.d files"

# CIS 5.2.2 - Sudo use pty
echo "Defaults use_pty" > /etc/sudoers.d/10-cis-pty
chmod 440 /etc/sudoers.d/10-cis-pty

# CIS 5.2.3 - Sudo log file
echo "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/10-cis-logfile
chmod 440 /etc/sudoers.d/10-cis-logfile

# CIS 5.2.4 - Require password for escalation
cat > /etc/sudoers.d/10-cis-password << 'EOF'
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
EOF
chmod 440 /etc/sudoers.d/10-cis-password

echo "Sudo hardening configured successfully"
return 0
}

##########################################################################
# CIS 5.4.3.3 - Configure default umask
##########################################################################
configure_umask() {
echo "Configuring default umask to 027"
local umask_line="umask 027"

# Configure /etc/profile
if [[ -f /etc/profile ]]; then
if ! grep -q "^umask 027" /etc/profile; then
sed -i '/^umask/d' /etc/profile
echo "$umask_line" >> /etc/profile
fi
fi

# Configure /etc/bash.bashrc
if [[ -f /etc/bash.bashrc ]]; then
if ! grep -q "^umask 027" /etc/bash.bashrc; then
sed -i '/^umask/d' /etc/bash.bashrc
echo "$umask_line" >> /etc/bash.bashrc
fi
fi

# Configure /etc/profile.d/umask.sh
echo "$umask_line" > /etc/profile.d/umask.sh
chmod 644 /etc/profile.d/umask.sh

echo "Default umask configured"
return 0
}

##########################################################################
# Disable unnecessary services (Ubuntu only)
##########################################################################
disable_services() {
if [[ ${OS_FLAVOUR} == "ubuntu" ]]; then
echo "Masking apport crash reporting service"
systemctl stop apport.service 2>/dev/null || true
systemctl disable apport.service 2>/dev/null || true
systemctl mask apport.service 2>/dev/null || true

echo "Masking rpcbind service"
systemctl stop rpcbind.service 2>/dev/null || true
systemctl stop rpcbind.socket 2>/dev/null || true
systemctl disable rpcbind.service 2>/dev/null || true
systemctl disable rpcbind.socket 2>/dev/null || true
systemctl mask rpcbind.service 2>/dev/null || true
systemctl mask rpcbind.socket 2>/dev/null || true
fi

return 0
}

##########################################################################
# Restrict coredumps via systemd
##########################################################################
harden_coredump() {
echo "Restricting coredumps via systemd"
mkdir -p /etc/systemd/coredump.conf.d
cat > /etc/systemd/coredump.conf.d/disable-coredump.conf << EOF
[Coredump]
Storage=none
ProcessSizeMax=0
EOF

return 0
}

##########################################################################
# Login Banner
##########################################################################
Expand Down Expand Up @@ -1114,13 +1227,17 @@ cp /etc/os-release /etc/os-release.bak
OS_FLAVOUR="linux"
get_os
upgrade_packages
configure_sudo
configure_umask
harden_sysctl
harden_ssh
harden_boot
harden_password_files
harden_system
disable_services
remove_services
disable_modules
harden_coredump
harden_journald
harden_audit
harden_banner
Expand All @@ -1130,4 +1247,5 @@ cleanup_cache

mv /etc/os-release.bak /etc/os-release

exit 0
echo "CIS hardening completed successfully"
exit 0
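Review bot: configure_sudo writes three sudoers.d fragments but never validates them, and a malformed fragment makes sudo refuse every command on the host, so each write should be followed by a syntax check before the function returns 0, e.g. `visudo -cf /etc/sudoers.d/10-cis-password || { rm -f /etc/sudoers.d/10-cis-password; return 1; }` (likewise for the pty and logfile files). The `Defaults !targetpw`/`!rootpw`/`!runaspw` block under the "CIS 5.2.4 - Require password for escalation" comment only controls whose password sudo prompts for; as I read the benchmark, that control is about `NOPASSWD` entries, which this function neither finds nor removes, so at minimum a `grep -rs NOPASSWD /etc/sudoers /etc/sudoers.d` warning would be worth adding. Each fragment is also created under the caller's umask before the `chmod 440` runs, so a `umask 077` at the top of the function (or `install -m 440 /dev/null <file>` before the write) avoids a briefly world-readable sudoers file.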