remediate

#!/bin/bash -x
#
# Copyright (c) 2020, 2023 NVI, Inc.
#
# This file is part of FSL11 Linux distribution.
# (see http://github.com/nvi-inc/fsl11).
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

set -e
#
if ! [ $(id -u) = 0 ]; then
   echo "This script must be run as root."
   exit 1
fi
#
# 1.1 Filesystem Configuration
#
# 1.1.1 Disable unused filesystems
#
touch /etc/modprobe.d/CIS.conf
cat >>/etc/modprobe.d/CIS.conf <<EOT
# 1.1.1.1
install freevxfs /bin/true
# 1.1.1.2
install jffs2 /bin/true
# 1.1.1.3
install hfs /bin/true
# 1.1.1.4
install hfsplus /bin/true
# 1.1.1.5
install squashfs /bin/true
# 1.1.1.6
install udf /bin/true
# 1.1.1.7
# Can't disable vfat, used by /boot/efi
#install vfat /bin/true
EOT
#
# these fail, not needed
#rmmod freevxfs
#rmmod jffs2
#rmmod hfs
#rmmod hfsplus
#rmmod squashfs
#rmmod udf
#rmmod vfat
#
# 1.1.3-1.1.5 Ensure nodevi,nosuid,noexec options set on /tmp partition
#
sed -i 's/ \/tmp \+ext4 \+defaults/&,nodev,nosuid,noexec/' /etc/fstab
#
# moved to end because it interfers with needed 'apt-get install' commands
#mount -o remount,nodev,nosuid,noexec /tmp
#
# 1.1.8-10 Ensure nodevi,nosuid,noexec options set on /var/tmp partition
#
sed -i 's/ \/var\/tmp \+ext4 \+defaults/&,nodev,nosuid,noexec/' /etc/fstab
#
mount -o remount,nodev,nosuid,noexec /var/tmp
#
# 1.1.14 Ensure nodev option set on /home partition
#
sed -i 's/ \/home \+ext4 \+defaults/&,nodev/' /etc/fstab
#
mount -o remount,nodev /home
#
# 1.1.15-17 Ensure nodev,nosuid,noexec  option set on /dev/shm partition
#
cat >>/etc/fstab <<EOT
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
EOT
#
#mount -o remount,noexec /dev/shm
#
# 1.1.23 Disable USB Storage
#
touch /etc/modprobe.d/CIS.conf
cat >>/etc/modprobe.d/CIS.conf <<EOT
# 1.1.23
install usb-storage /bin/true
EOT
#
# this fails, not needed
#rmmod usb-storage
#
# 1.3 Configure sudo
#
# 1.3.2-3 Ensure sudo commands use pty AND logfile
#
sed -i '/^Defaults\tenv_reset/a Defaults\tuse_pty\nDefaults\tlogfile="/var/log/sudo.log"' /etc/sudoers
#
# 1.4.1 Ensure AIDE is italled
#
apt-get -y install aide aide-common
aideinit
#
# 1.4.2 Ensure filesystem integrity is regularly checked
#
# this no longer needed, AIDE handles this itself
#
# 1.5.1 Ensure permissions on bootloader config are configured
#
# Must be redone after each update-grub
#
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg
#
# 1.5.2 Ensure bootloader password is set
#
#must be done later
#
# 1.6.2 Ensure address space layout randomization (ASLR) is enabled
#
touch /etc/sysctl.d/CIS.conf
cat >>/etc/sysctl.d/CIS.conf <<EOT
# 1.6.2
kernel.randomize_va_space = 2
EOT
#
sysctl -w kernel.randomize_va_space=2
#
# 1.6.4 Ensure core dumps are restricted
#
touch /etc/security/limits.d/CIS.conf 
cat >>/etc/security/limits.d/CIS.conf <<EOT
# 1.6.4
* hard core 0
EOT
touch /etc/sysctl.d/CIS.conf
cat >>/etc/sysctl.d/CIS.conf <<EOT
# 1.6.4
fs.suid_dumpable = 0
EOT
#
sysctl -w fs.suid_dumpable=0
#
# 1.7.1.1 Ensure AppArmor is installed
#
apt-get -y install apparmor apparmor-utils
#
# 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration
#
sed -i 's/^GRUB_CMDLINE_LINUX=\"[^"]\+/& apparmor=1 security=apparmor/' /etc/default/grub
update-grub
chmod og-rwx /boot/grub/grub.cfg
#
# 1.7.1.4 Ensure all AppArmor Profiles are enforcing
#
# must be done after reboot?
aa-enforce /etc/apparmor.d/*
#
# 1.8.1.1 Ensure message of the day is configured properly
#
mv /etc/motd /etc/motd.CIS
touch /etc/motd
#
# 1.8.1.2 Ensure local login warning banner is configured properly
#
mv /etc/issue /etc/issue.CIS
echo "Authorized uses only. All activity may be monitored and reported. \l" > /etc/issue
#
# 1.8.1.3 Ensure remote login warning banner is configured properly
#
mv /etc/issue.net /etc/issue.net.CIS
echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
#
# 1.8.2 Ensure GDM login banner is configured
#
sed -i "/^# banner-message-text='Welcome'/a banner-message-enable=true\nbanner-message-text='Authorized uses only. All activity may be monitored and reported.'" /etc/gdm3/greeter.dconf-defaults
#
# 1.8.1.4 Ensure permissions on /etc/motd are configured
#
chown root:root /etc/motd
chmod u-x,go-wx,a+r /etc/motd
#
# 2.2.1.4 Ensure ntp is configured
#
# actually makes it less secure
#
sed -i 's/ignore # was: \(.*\)limited/\1# CIS 2.2.14 was: ignore/' /etc/ntp.conf
#
# 2.2.2 Ensure X Window System is not installed
#
# we require X11
#
# 2.2.4 Ensure CUPS is not enabled
#
#We need CUPS to print
#
# 2.2.16 Ensure rsync service is not enabled
#
systemctl --now disable rsync
#
# 2.3.4 Ensure telnet client is not installed
#
apt-get -y purge telnet
#
# 3.1.1 Disable IPv6
#
sed -i 's/^GRUB_CMDLINE_LINUX=\"[^"]\+/& ipv6.disable=1/' /etc/default/grub
update-grub
chmod og-rwx /boot/grub/grub.cfg
#
# 3.1.2 Ensure wireless interfaces are disabled
#
nmcli radio all off
#
# 3.2 Network Parameters (Host Only)
#
touch /etc/sysctl.d/CIS.conf
cat >>/etc/sysctl.d/CIS.conf <<EOT
# 3.2.1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 3.2.2
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
EOT
# 3.2.1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1
#
# 3.3 Network Parameters (Host and Router)
#
touch /etc/sysctl.d/CIS.conf
cat >>/etc/sysctl.d/CIS.conf <<EOT
# 3.3.1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#net.ipv6.conf.default.accept_source_route = 0
# 3.3.2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.default.accept_redirects = 0
# 3.3.3
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# 3.3.4
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# 3.3.5
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 3.3.6
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 3.3.7
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 3.3.8
net.ipv4.tcp_syncookies = 1
# 3.3.9
#net.ipv6.conf.all.accept_ra = 0
#net.ipv6.conf.default.accept_ra = 0
EOT
#
# 3.3.4
#
# Added to CISfix service (at the end of this script) because it doesn't work
# after boot for some reason
#
# 3.3.1
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
#sysctl -w net.ipv6.conf.all.accept_source_route=0
#sysctl -w net.ipv6.conf.default.accept_source_route=0
#sysctl -w net.ipv6.route.flush=1
# 3.3.2
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.route.flush=1
#sysctl -w net.ipv6.conf.all.accept_redirects=0
#sysctl -w net.ipv6.conf.default.accept_redirects=0
#sysctl -w net.ipv6.route.flush=1
# 3.3.3
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
# 3.3.4
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
# 3.3.5
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
# 3.3.6
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.route.flush=1
# 3.3.7
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
# 3.3.8
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.route.flush=1
# 3.3.9
#sysctl -w net.ipv6.conf.all.accept_ra=0
#sysctl -w net.ipv6.conf.default.accept_ra=0
#sysctl -w net.ipv6.route.flush=1
#
# 3.4 Uncommon Network Protocols
#
cat >>/etc/modprobe.d/CIS.conf <<EOT
# 3.4.1
install dccp /bin/true
# 3.4.2
install sctp /bin/true
# 3.4.3
install rds /bin/true
# 3.4.4
install tipc /bin/true
EOT
#
# 3.5 Firewall Configuration
#
apt-get -y install ufw
ufw allow OpenSSH
ufw logging on
ufw --force enable
#
# 3.5.2.3 Ensure loopback traffic is configured
#
#ufw allow in on lo
ufw deny in from 127.0.0.0/8
#
# 4.1 Configure System Accounting (auditd)
#
# 4.1.1.1 Ensure auditd is installed

#
apt-get -y install auditd audispd-plugins
#
# 4.1.1.2 Ensure auditd service is enabled
#
systemctl --now enable auditd
#
# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
# 4.1.1.4 Ensure audit_backlog_limit is sufficient
#
sed -i 's/^GRUB_CMDLINE_LINUX=\"[^"]\+/& audit=1 audit_backlog_limit=8192/' /etc/default/grub
update-grub
chmod og-rwx /boot/grub/grub.cfg
#
# 4.1.2 Configure Data Retention
#
sed -i 's/^\(max_log_file_action\).*/#&\n# CIS 4.1.2.2\n\1 = keep_logs/' /etc/audit/auditd.conf
sed -i 's/^\(space_left_action\).*/#&\n# CIS 4.1.2.3\n\1 = email/' /etc/audit/auditd.conf
sed -i 's/^\(admin_space_left_action\).*/#&\n# CIS 4.1.2.3\n\1 = halt/' /etc/audit/auditd.conf
#
# 4.1.3 Ensure events that modify date and time information are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.3
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
EOT
#
# 4.1.4 Ensure events that modify user/group information are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.4
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
EOT
#
# 4.1.5 Ensure events that modify the system's network environment are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.5
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
EOT
#
# 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.6
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
EOT
#
# 4.1.7 Ensure login and logout events are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.7
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
EOT
#
# 4.1.8 Ensure session initiation information is collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.8
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
EOT
#
# 4.1.9 Ensure discretionary access control permission modification events are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.9
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
EOT
#
# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.10
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
EOT
#
# 4.1.11 Ensure use of privileged commands is collected
#
touch /etc/audit/rules.d/CIS-suid.rules
cat >>/etc/audit/rules.d/CIS-suid.rules <<EOT
# CIS 4.1.11
EOT
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }' >> /etc/audit/rules.d/CIS-suid.rules
#
# 4.1.12 Ensure successful file system mounts are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.12
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
EOT
#
# 4.1.13 Ensure file deletion events by users are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.13
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
EOT
#
# 4.1.14 Ensure changes to system administration scope (sudoers) is collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
#CIS 4.1.14
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
EOT
#
# 4.1.15 Ensure system administrator actions (sudolog) are collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.15
-w /var/log/sudo.log -p wa -k actions
EOT
#
# 4.1.16 Ensure kernel module loading and unloading is collected
#
touch /etc/audit/rules.d/CIS.rules
cat >>/etc/audit/rules.d/CIS.rules <<EOT
# CIS 4.1.16
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
EOT
#
# 4.1.17 Ensure the audit configuration is immutable
#
touch /etc/audit/rules.d/99-finalize.rules
cat >> /etc/audit/rules.d/99-finalize.rules <<EOT
# CIS 4.1.17
-e 2
EOT
#
# 4.2 Configure Logging
#
# 4.2.1 Configure rsyslog
#
# 4.2.2.1
#apt-get -y install rsyslog
# 4.2.1.2
#systemctl --now enable rsyslog
# 4.2.1.4
#touch /etc/rsyslog.conf
#cat >>/etc/rsyslog.conf <<EOT
#$FileCreateMode 0640
#EOT
#4.2.1.5
# to be configured later
#touch /etc/rsyslog.conf
#cat >>/etc/rsyslog.conf <<EOT
#*.* @@<FQDN or ip of loghost>
#EOT
# or
#touch /etc/rsyslog.conf
#cat >>/etc/rsyslog.conf <<EOT
#<files to sent to the remote log server> action(type="omfwd" target="<FQDN or ip of loghost>" port="<port number>" protocol="tcp"
#action.resumeRetryCount="<number of re-tries>"
#queue.type="linkList" queue.size=<number of messages to q
#EOT
#
# 4.2.2 Configure journald
#
touch /etc/systemd/journald.conf
cat >>/etc/systemd/journald.conf <<EOT
ForwardToSyslog=yes
Compress=yes
Storage=persistent
EOT
#
# 4.2.3 Ensure permissions on all logfiles are configured
#
# Added to CISfix service (at the end of this script) because it doesn't work
# after boot for some reason
#
# CIS actually doesn't check the directories and changing them breaks things including email
#find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +
find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
#
# 5.1.2 Ensure permissions on /etc/crontab are configured
#
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
#
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured
#
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
#
# 5.1.4 Ensure permissions on /etc/cron.daily are configured
#
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
#
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured
#
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
#
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured
#
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
#
# 5.1.7 Ensure permissions on /etc/cron.d are configured
#
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
#
# 5.1.8 Ensure at/cron is restricted to authorized users
#
rm -f /etc/cron.deny
touch /etc/cron.allow
chown root:root /etc/cron.allow
chmod og-rwx /etc/cron.allow
rm -f /etc/at.deny
touch /etc/at.allow
chown root:root /etc/at.allow
chmod og-rwx /etc/at.allow
#
# 5.2 SSH Server Configuration
#
# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
#
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
#
# 5.2.4-5.2.18
#
touch /etc/ssh/sshd_config
cat >>/etc/ssh/sshd_config <<EOT
# CIS 5.2.6
# we require X11
#X11Forwarding no
# CIS 5.2.7
MaxAuthTries 4
# 5.2.10
PermitRootLogin no
# 5.2.14
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
# 5.2.16
ClientAliveInterval 300
ClientAliveCountMax 0
# 5.2.17
LoginGraceTime 60
# 5.2.18
DenyGroups rtx
# 5.2.19
Banner /etc/issue.net
# 5.2.21
AllowTcpForwarding no
# 5.2.22
maxstartups 10:30:60
EOT
#
# activate changes
#
systemctl reload sshd
#
# 5.3 Configure PAM
#
# 5.3.1 Ensure password creation requirements are configured
#
apt-get -y install libpam-pwquality
#
touch /etc/security/pwquality.conf 
cat >>/etc/security/pwquality.conf <<EOT
#
# CIS 5.3.1
minlen = 14
minclass = 4
EOT
#
# actually installed by libpam-pwquality, just need to comment out the old one
sed -i 's/^\(password\s\+requisite\)\s\+pam_deny\.so.*/# CIS 5.3.1 - new version above from installing libpam-pwquality\n#&/' /etc/pam.d/common-password
#
# 5.3.2 Ensure lockout for failed password attempts is configured
#
sed -i '/^# pam-auth-update(8) for details\./a # CIS 5.3.2\nauth\trequired\t\t\tpam_faillock.so preauth silent' /etc/pam.d/common-auth
sed -i '/^auth\s\+\[success=1 default=ignore\]/a # CIS 5.3.2\nauth\t[default=die]\t\t\tpam_faillock.so authfail audit silent deny=5 unlock_time=900' /etc/pam.d/common-auth
sed -i 's/^auth\s\+requisite\s\+pam_deny\.so.*/# CIS 5.3.2\n#&/' /etc/pam.d/common-auth
#
sed -i '/^# pam-auth-update(8) for details\./a \\n# CIS 5.3.2\naccount\trequired\t\t\tpam_faillock.so' /etc/pam.d/common-account
#
# 5.3.3 Ensure password reuse is limited
#
sed -i 's/^\(password\s\+required\).*/# CIS 5.3.3\n#&\n\1\t\t\tpam_pwhistory.so remember=24/' /etc/pam.d/common-password
#
# 5.3.4 Ensure password hashing algorithm is SHA-512
#
sed -i 's/^\(password\s\+\[.*\]\s\+pam_unix.so\)\(.*\)/# CIS 5.3.4\n#&\n\1 sha512\2/' /etc/pam.d/common-password
#
# 5.4.1.1 Ensure password expiration is 365 days or less
#
sed -i 's/^\(PASS_MAX_DAYS\s\+\).*/# CIS 5.4.1.1\n\#&\n\1 60\n#/' /etc/login.defs
chage --maxdays 60 desktop
chage --maxdays 60 root
chage --maxdays 60 oper
chage --maxdays 60 prog
#
# 5.4.1.2 Ensure minimum days between password changes is configured
#
sed -i 's/^\(PASS_MIN_DAYS\s\+\).*/# CIS 5.4.1.2\n#&\n\1 1\n#/' /etc/login.defs
chage --mindays 1 desktop
chage --mindays 1 root
chage --mindays 1 oper
chage --mindays 1 prog
#
# 5.4.1.4 Ensure inactive password lock is 30 days or less
#
useradd -D -f 30
chage --inactive 30 desktop
chage --inactive 30 oper
chage --inactive 30 prog
# don't for root, per Chip
#
# 5.4.2 Ensure system accounts are secured
#
#    all are secured
#
# 5.4.4 Ensure default user umask is 027 or more restrictive
#
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.4\numask 027\n#\n/' /etc/bash.bashrc
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.4\numask 027\n#\n/' /etc/profile
for FILE in /etc/profile.d/*.sh; do
	sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.4\numask 027\n#\n/' "$FILE"
done
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.4\numask 027\n#\n/' /etc/csh.login
#
# 5.4.5 Ensure default user shell timeout is 900 seconds orq less
#
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.5\nTMOUT=900\n#\n/' /etc/profile
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.5\nTMOUT=900\n#\n/' /etc/bash.bashrc
for FILE in /etc/profile.d/*.sh; do
	sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.5\nTMOUT=900\n#\n/' "$FILE"
done
sed -i '0,/^ *$/s/^ *$/\n# CIS 5.4.5\nset autologout = 15\n#\n/' /etc/csh.login
#
# 5.6 Ensure access to the su command is restricted
#
groupadd sugroup
touch /etc/pam.d/su
cat >>/etc/pam.d/su <<EOT
# CIS 5.6
auth required pam_wheel.so use_uid group=sugroup
EOT
#
# 6.1.6 Ensure permissions on /etc/passwd- are configured
#
chown root:root /etc/passwd-
chmod u-x,go-rwx /etc/passwd-
#
# 6.1.7 Ensure permissions on /etc/shadow- are configured
#
chown root:shadow /etc/shadow-
chmod u-x,go-rwx /etc/shadow-
#
# 6.1.8 Ensure permissions on /etc/group- are configured
#
chown root:root /etc/group-
chmod u-x,go-rwx /etc/group-
#
# 6.1.11 Ensure no unowned files or directories exist
# 6.1.12 Ensure no ungrouped files or directories exist
#
# Added to CISfix service (at the end of this script) because it doesn't work
# after boot for some reason
#
if [ -d /var/cache/private/fwupdmgr ]; then
	chown -R root:root /var/cache/private/fwupdmgr
fi
#
# 6.2.8 Ensure users' home directories permissions are 750 or more restrictive
#
chmod 0750 /home/desktop
chmod 0750 /usr2/oper
chmod 0750 /usr2/prog
#
# create a startup to fix things that need to be refixed after booting
#
systemctl disable CISfix || :
rm -f /etc/systemd/system/CISfix.service
touch /etc/systemd/system/CISfix.service
cat >>/etc/systemd/system/CISfix.service <<EOT
[Unit]
Description=CIS fix on startup

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/CISfix
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
EOT
rm -f /usr/local/sbin/CISfix
touch /usr/local/sbin/CISfix
cat >> /usr/local/sbin/CISfix <<EOT
#!/bin/bash
set -e
# CIS 1.5.1
chmod og-rwx /boot/grub/grub.cfg
# CIS 3.3.4
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
# CIS 4.2.3
# CIS actually doesn't check the directories and changing them breaks things including email
#find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +
find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
# CIS 6.1.6
chmod u-x,go-rwx /etc/passwd-
# CIS 6.1.7
chmod u-x,go-rwx /etc/shadow-
# 6.1.8
chmod u-x,go-rwx /etc/group-
# CIS 6.1.11
# CIS 6.1.12
if [ -d /var/cache/private/fwupdmgr ]; then
	chown -R root:root /var/cache/private/fwupdmgr
fi
exit 0
EOT
chmod u+x /usr/local/sbin/CISfix
systemctl enable CISfix.service
#
# 1.1.3-1.1.5 Ensure nodevi,nosuid,noexec options set on /tmp partition
#
# moved to end because it interfers with needed 'apt-get install' commands
mount -o remount,nodev,nosuid,noexec /tmp