Apr 272013

There are many, many sites that address how to secure/harden Linux.  I have visited some of them to help me formulize several scripts to secure CentOS 5.5 and Red Hat 5.5.  By applying the settings contained in the below scripts, 95% of the USGCB benchmark was addressed — SCAP 1.1 Content – USGCB Red Hat Enterprise Linux (RHEL) 5 Desktop).

Script 1

The first script is straightforward in that its only function is to use the chkconfig command to delete unnecessary packages.  Each package or group of packages is accompanied by a comment explaining why it should be removed.  Please submit comments if you identify any other packages that should be deleted and I’ll include them in a post update.

# This script turns off certain packages using "chkconfig --del" 
# Explanations for why the various packages aren't needed are in
# comments below. Also, there is one package added using the
# "chkconfig on" command. This can be applied to other packages
# as needed
logger "install-chkconfigs:*** Turning off unneeeded services ***"
# anacron is normally for desktops and laptops, it assumes the device is not always on
chkconfig --del anacron
# Replaced by HAL and pm-utils. Used when power button is pushed and other power capabilities.
chkconfig --del acpid
# apmd is for power management on laptops to conserve battery consumption
chkconfig --del apmd
# No need for at for future execution of commands on most servers, so disabled
chkconfig --del atd 
# Used to automount various file systems and/or directories 
chkconfig --del autofs 
# Used to automatically find network resources like printers 
chkconfig --del avahi-daemon 
# allows local configuration of dns for avahi-daemon services 
chkconfig --del avahi-dnsconfd 
# No need for bluetooth on a server in most cases, so disabled 
chkconfig --del bluetooth 
# cpuspeed helps control power consumption on laptops, not needed on servers 
chkconfig --del cpuspeed 
# Printing, not used so disabled 
chkconfig --del cups 
chkconfig --del cups-config-daemon 
# General purpose mouse not needed on most servers 
chkconfig --del gpm 
# hidd is more bluetooth support, specifically for keyboards and mice 
chkconfig --del hidd 
# HP Linux imaging and printing, not needed on most servers 
chkconfig --del hplip 
# The script in the next section shows how to disable ipv6 in modprobe.conf 
# This will also turn off iptables for ipv6 since it's not needed if ipv6 isn't running 
chkconfig --del ip6tables 
# If iscsi isn't used on your server, disable it 
chkconfig --del iscsi 
chkconfig --del iscsid 
# Most servers will not need isdn, so disable 
chkconfig --del isdn 
# Used to help debug kernel crashes. Not needed unless problems arise 
chkconfig --del kdump 
# Detects new hardware, not needed unless making a change 
chkconfig --del kudzu 
# Used for Xen virtualization, not needed if your server isn't running virtualization 
chkconfig --del libvirtd 
# mcstrans used for SELinux security context translation into easy reading, not needed 
chkconfig --del mcstrans 
# Used for software RAID, not needed for hardware RAID implementations 
chkconfig --del mdmonitor 
# netfs not needed of there are no NFS mounts, so next 3 services disabled 
chkconfig --del netfs 
chkconfig --del nfs 
chkconfig --del nfslock 
# openibd only needed to map the Ipv4 and IPv6 addresschkco 
chkconfig --del openibd 
# Only needed if your server makes use of smartcards 
chkconfig --del pcscd 
# Converts rpc services into port numbers, but not needed in many server implementations 
chkconfig --del portmap 
# Next two services help startup programs load quicker, but they are not needed 
# More helpful for laptops that boot frequently 
chkconfig --del readahead_early 
chkconfig --del readahead_later 
# Polls the Red Hat network to see if there are any actions needed, etc. 
chkconfig --del rhnsd 
# The next three services are used with NFS. Disable if not using NFS 
chkconfig --del rpcgssd 
chkconfig --del rpcidmapd 
chkconfig --del rpcsvcgssd 
# Disable if not using as a sendmail server. Listening on port 25 is bad 
chkconfig --del sendmail 
# Disk monitoring is not normally used, so turn off 
chkconfig --del smartd 
# VNC is useful, but dangerous if not properly implemented or encrypted 
chkconfig --del vncserver 
# Filesystem not normally implemented, so it is better to disable it 
chkconfig --del xfs 
# Services are normally started using scripts (/etc/init.d) so xinetd isn't needed 
chkconfig --del xinetd 
# Provided notifications of updates 
chkconfig --del yum-updatesd 
logger "install-chkconfigs:*** Turning on neeeded services ***" 
chkconfig ntpd on

I definitely recommend you go through the above script with a lot of deliberation to make sure you don’t remove or disable a service that is integral to your server’s operation.  

Script 2

The next script is the meat of the security settings.  It is extremely important that you at least familiarize yourself with each line of the script before implementing it.  Otherwise you may change something that is essential to your server’s functionality.  I tested these scripts on both development and test boxes prior to implementing on an operation machine.  I suggest you do the same.

#!/bin/bash # Created by Craig Naylor and Brian Callicott 7/9/2012 # This script makes many configuration changes related to security for # servers running RedHat 5.x. See comments below for details on what # specifically is changed by this script # # Also, search /var/log/messages on install-security to make sure # specific sections of the script ran after implementing this script # # This script is called from the mcs_setup script logger "install-security:***** Configuring pam module for security ****" # The below line ensures that 24 passwords are remembered sed -i".tmp" 's/password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=24/' /etc/pam.d/system-auth-ac # Set deny for Failed Password Attempts sed -i".tmp" 's/auth required pam_deny.so/auth required pam_deny.so\nauth required pam_tally2.so deny=5 even_deny_root unlock_time=1200/' /etc/pam.d/system-auth-ac # Set Password Credit Requirements The values of -1 say that at least 1 digit, 1 uppercase, 1 lowercase and one other character is required (other is usually a special character). # The difok=5 options means at least 5 characters must be different from the previous password. I am unsure of the default value. sed -i".tmp" 's/pam_cracklib.so try_first_pass retry=3/pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=5/' /etc/pam.d/system-auth-ac logger "install-security:***** Set password age parameters *****" # Set minimum age to 1 day sed -i".tmp" 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/' /etc/login.defs # Set minimum password length to 14 chracters. Not sure whether this takes precedence over minlen=14 above. # I have not experimented, but when they are both set I know for a fact minimum password length is 14. sed -i".tmp" 's/PASS_MIN_LEN\t5/PASS_MIN_LEN\t14/' /etc/login.defs # Set warn age to 14 days, which is when a user will be told their password is about to expire. sed -i".tmp" 's/PASS_WARN_AGE\t7/PASS_WARN_AGE\t14/' /etc/login.defs # Set maximum days that a user password is valid to 90 days sed -i".tmp" 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs logger "install-security:***** Set snmpd.conf *****" # Change your public snmp community string from the default of public or comment out the line. # The private community string is not set by default. # In this example, the server I configured was being polled by an NMS so the public string was # configured so that read only access to certain server parameters could be accessed. sed -i".tmp" 's/com2sec notConfigUser default public/com2sec notConfigUser default CraigMadeUsChangeIt/' /etc/snmp/snmpd.conf logger "install-security:**** Fix loose file permissions ****" # The logger command above is self-explanatory chmod 700 /root find /usr/share/doc -type f -exec chmod 644 {} \; find /usr/share/man -type f -exec chmod 644 {} \; find /usr/local/share/man -type f -exec chmod 644 {} \; # File permissions specific to cron rm -f cron.deny at.deny echo root > cron.allow echo root > at.allow chown root:root cron.allow at.allow chmod 400 cron.allow at.allow chown root:root /etc/crontab chmod 400 /etc/crontab chown -R root:root /var/spool/cron chmod -R go-rwx /var/spool/cron chmod 700 /var/spool/cron cd /etc chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d # logger "install-security:***** Edit the shell configuration files to change default mask to 077 *****" # The logger command above is self-explanatory # Be careful implementing the below commands since they can cause some applications # to break. Albeit poorly written applications. sed -i".tmp" 's/umask 002/umask 077/' /etc/bashrc sed -i".tmp" 's/umask 022/umask 077/' /etc/bashrc sed -i".tmp" 's/umask 002/umask 077/' /etc/csh.cshrc sed -i".tmp" 's/umask 022/umask 077/' /etc/csh.cshrc sed -i".tmp" 's/umask 002/umask 077/' /etc/profile sed -i".tmp" 's/umask 022/umask 077/' /etc/profile sed -i".tmp" 's/umask 002/umask 077/' /root/.bashrc sed -i".tmp" 's/umask 022/umask 077/' /root/.bashrc sed -i".tmp" 's/umask 002/umask 077/' /root/.bash_profile sed -i".tmp" 's/umask 022/umask 077/' /root/.bash_profile sed -i".tmp" 's/umask 002/umask 077/' /root/.cshrc sed -i".tmp" 's/umask 022/umask 077/' /root/.cshrc sed -i".tmp" 's/umask 002/umask 077/' /root/.tcshrc sed -i".tmp" 's/umask 022/umask 077/' /root/.tcshrc logger "install-security:***** Add a line to /etc/sysconfig/network *****" # Remove route for automatic network configuration. # Absolutely no need for ZeroConf to be enabled on a server. echo "NOZEROCONF=yes" >> /etc/sysconfig/network logger "install-security:***** Tighten up SSH *****" # The sshd_config file is not part of this script, but is a separate file. rm -f /etc/ssh/sshd_config cp -pf /post_install_stuff/files/ssh.stuff /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config service sshd restart logger "install-security:***** Configure a lockout time for the screen *****" # The gconftool-2 configuration below sets idle timeout for the display to 15 minutes # and then locks it. gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15 logger "install-security:***** Cleanup some unnecessary packages *****" # How many packages you remove is up to you. The chkconfig --del commands from the first script above # may be enough. If you are worried that an intruder may gain access and activate installed packages # then it is better to erase/delete them. yum -y erase bluez* yum -y erase anacron inetd xinetd irda-utils yum -y erase sendmail yum -y erase httpd yum -y erase gimp gimp-libs gimp-print gimp-print-utils logger "install-security:***** Disable interactive login during boot *****" # Needed so that someone can’t hit “I” during bootup and interrupt the process and # insert bad things during the startup sequence. sed -i".tmp" 's/PROMPT=yes/PROMPT=no /' /etc/sysconfig/init #logger "install:***** Setting Default Runlevel *****" # You may not be able to get away with setting your servers runlevel to 3. # Experiment to determine if this is appropriate. sed -i '{s/id\:5/id\:3/g}' /etc/inittab logger "install-security:***** Update /etc/issue *****" # The below banner is adequate if you run a US Government resource. Change as appropriate # for environmnet. echo >> /etc/issue echo "This US Government computer is for authorized users only. By accessing" >> /etc/issue echo "this system you are consenting to complete monitoring with no expectation" >> /etc/issue echo "of privacy. Unauthorized access or use may subject you to disciplinary" >> /etc/issue echo "action and criminal prosecution." >> /etc/issue logger "install-security:***** Update /etc/modprobe.conf *****" # append the following lines to /etc/modprobe.conf in order to prevent the usage of uncommon file # system types and to prevent loading the IPv6 module and other uncommon protocols as well as Bluetooth logger "install-security:***** Edit /etc/modprobe.conf *****" echo >> /etc/modprobe.conf echo "install cramfs /bin/true" >> /etc/modprobe.conf echo "install freevxfs /bin/true" >> /etc/modprobe.conf echo "install jffs2 /bin/true" >> /etc/modprobe.conf echo "install hfs /bin/true" >> /etc/modprobe.conf echo "install hfsplus /bin/true" >> /etc/modprobe.conf echo "install squashfs /bin/true" >> /etc/modprobe.conf echo "install udf /bin/true" >> /etc/modprobe.conf echo >> /etc/modprobe.conf echo "install ipv6 /bin/true" >> /etc/modprobe.conf echo "install dccp /bin/true" >> /etc/modprobe.conf echo "install sctp /bin/true" >> /etc/modprobe.conf echo "install rds /bin/true" >> /etc/modprobe.conf echo "install tipc /bin/true" >> /etc/modprobe.conf echo >> /etc/modprobe.conf echo "alias net-pf-31 off" >> /etc/modprobe.conf echo "alias bluetooth off" >> /etc/modprobe.conf echo "alias net-pf-10 off" >> /etc/modprobe.conf logger "install-security:***** Edit /etc/fstab *****" # So normal users cannot create device files and access them sed -i".tmp" 's/\/dev\/VolGroup00\/LogVol02 \/var ext3 defaults 1 2/\/dev\/VolGroup00\/LogVol02 \/var ext3 defaults,nodev 1 2/' /etc/fstab sed -i".tmp" 's/\/dev\/VolGroup01\/LogVol00 \/home ext3 defaults 1 2/\/dev\/VolGroup01\/LogVol00 \/home ext3 defaults,nodev 1 2/' /etc/fstab sed -i".tmp" 's/\/dev\/shm tmpfs defaults/\/dev\/shm tmpfs nosuid,nodev,noexec/' /etc/fstab logger "install-security:***** Edit /etc/security/limits.conf *****" # Prevents core dumps sed -i".tmp" '/# End of file/d' /etc/security/limits.conf echo "* hard core 0" >> /etc/security/limits.conf echo >> /etc/security/limits.conf echo "# End of file" >> /etc/security/limits.conf logger "install-security:***** Edit /etc/sysctl.conf *****" echo >> /etc/sysctl.conf echo "# To ensure that core dumps can never be made by setuid programs" >> /etc/sysctl.conf echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf echo "kernel.suid_dumpable = 0" >> /etc/sysctl.conf echo >> /etc/sysctl.conf echo "# Server will not be used as a firewall or gateway net.ipv4 changes needed" >> /etc/sysctl.conf echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf echo "net.ipv4.icmp_ignore_bogus_error_messages = 1" >> /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf logger "install-security:***** Edit /etc/audit/auditd.conf to make file size 1 GB and number of logs 10 *****" # logger command above self-explanatory sed -i".tmp" 's/num_logs = 4/num_logs = 10/' /etc/audit/auditd.conf sed -i".tmp" 's/max_log_file = 5/max_log_file = 1000/' /etc/audit/auditd.conf logger "install-security:***** Remove all wireless drivers *****" # logger command above self-explanatory rm -rf /lib/modules/2.6.18-308.1.1.el5/kernel/drivers/net/wireless/ rm -rf /lib/modules/2.6.18-308.1.1.el5PAE/kernel/drivers/net/wireless/ logger "install-security:***** Edit /etc/grub.conf *****" # Enable kernel auditing. Recommend you do some research on your particular implementation # before putting this into effect. sed -i 's/kernel \/vmlinuz-2.6.18-308.11.1.el5PAE ro root=\/dev\/VolGroup00\/LogVol00 rhgb quiet/kernel \/vmlinuz-2.6.18-308.11.1.el5PAE ro root=\/dev\/VolGroup00\/LogVol00 rhgb quiet audit=1/' /boot/grub/grub.conf logger "install-security:***** Create Warning Banners for GUI Login Users *****" echo >> /etc/gdm/custom.conf echo "InfoMsgFile=/etc/issue" >> /etc/gdm/custom.conf logger "install-security:***** Configure audit.d *****" # The audit.rules file is not part of this script. A separate script is needed for # this to work. cp /etc/audit/audit.rules /etc/audit/audit.rules.bak rm -f /etc/audit/audit.rules cp -pf /post_install_stuff/files/audit.rules /etc/audit/audit.rules chmod 640 /etc/audit/audit.rules service auditd restart # The following line puts the sudoers file back to the way it was. # The next two lines can probably be commented out. I changed the # sudoers file to implement an automated install. sed -i".tmp" 's/#Defaults requiretty/Defaults requiretty/' /etc/sudoers sed -i".tmp" 's/%wheel\tALL=(ALL)\tNOPASSWD: ALL/# %wheel\tALL=(ALL)\tNOPASSWD: ALL/' /etc/sudoers logger "install-security: ***** Clean up tmp files *****" # logger command above self-explanatory rm -rf /etc/pam.d/*.tmp rm -rf /etc/*.tmp rm -rf /etc/audit/*.tmp rm -rf /etc/security/*.tmp rm -rf /etc/sysconfig/*.tmp

Script 3

This script is actually a configuration file that’s referenced by the above script (Script 2). The above script removes the existing SSH config file (/etc/ssh/sshd_config) and replaces it with the below sshd_config file. SSH is then restarted so the changes take effect.

The main differences between the replaced sshd_config file and the one below is that logging is turned on, root is not permitted to log on, ciphers are more stringent, and only one user (appuser in this example) is identified that can login using SSH.

# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # # Customized on 8/1/2012. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 Protocol 2 #AddressFamily any #ListenAddress #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH SyslogFacility AUTHPRIV LogLevel INFO # Authentication: LoginGraceTime 2m PermitRootLogin no StrictModes yes MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes PermitUserEnvironment no #Compression delayed ClientAliveInterval 900 ClientAliveCountMax 0 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path Banner /etc/issue # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server Ciphers aes128-ctr,aes192-ctr,aes256-ctr AllowUsers appuser


Script 4

This final script is another configuration file that’s referenced by Script 2. It is recommended that you familiarize yourself with the auditctl rules.

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-e 2
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

This concludes the CentOS/RHEL Security Script section of this blog.  Please let me know if you have any additional recommendations to include in the above scripts.

Additional Reading