KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
316915408ede77b6a178e0baf8ac80f026094c6a
football/chroot-overlay/etc/sudoers.d/cis-hardening
Charles N Wyble 1d74ae7ff1 feat: implement CIS Debian Benchmark hardening controls 
- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:33:11 -05:00

55 lines
1.5 KiB
Plaintext
Raw Blame History

# CIS Benchmark Sudo Configuration
# Implements least privilege principle
# ============================================================================
# Defaults
# ============================================================================
# Use lecture mode
Defaults lecture = always
Defaults lecture_file = /etc/sudoers.d/lecture
# Log all sudo commands
Defaults logfile = /var/log/sudo.log
Defaults log_input, log_output
# Secure path
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Ignore duplicate passwords in terminal
Defaults !tty_tickets
# Require password for sudo
Defaults !targetpw
# Set timestamp timeout (5 minutes)
Defaults timestamp_timeout = 5
# Require authentication
Defaults !authenticate
# No insults
Defaults !insults
# ============================================================================
# User Permissions
# ============================================================================
# User account can run sudo with password
user ALL=(ALL:ALL) ALL
# ============================================================================
# Security Restrictions
# ============================================================================
# No root login via sudo
root ALL=(ALL) ALL
# Disable ability to run commands as other users without password
Defaults env_reset
Defaults env_delete = "EDITOR VISUAL PAGER DISPLAY XAUTHORITY"
Defaults !env_editor
# Disable running as specific users
Defaults!/usr/bin/su !root
Reference in New Issue View Git Blame Copy Permalink