RHEL7/CentOS 7 PCI Hardening Guide


Uploaded by: ttyx

Posted on 11-Jan-2016


PCI Hardening Guide for RHEL7/CentOS7


EL7 PCI Hardening Guide

OpenSSH server config
# Edit /etc/ssh/sshd_config so that the following directives are set:
    Protocol 2                  (already the default in EL7)
    PasswordAuthentication yes  (the default in EL7; if your users authenticate with keys, set it to no instead)
    PermitEmptyPasswords no     (uncomment)
    PermitRootLogin no          (change from yes to no)
    StrictModes yes             (uncomment)
    Banner /etc/message         (the path does not matter, as long as a banner is in place)
    Optional: Port 3404         (uncomment and change from 22 to a port of your choosing)
Check the syntax and restart the daemon after making the changes:
    sshd -t
    systemctl restart sshd.service
If you changed the port, allow it through the firewall and also label it for SELinux, otherwise sshd will be denied the bind and fail to start (semanage is in the policycoreutils-python package):
    semanage port -a -t ssh_port_t -p tcp 3404
    firewall-cmd --permanent --add-port=3404/tcp
    firewall-cmd --reload

Limit history size
# Edit /etc/bashrc and append the following lines at the end of the file:
    export HISTSIZE=10
    export HISTFILESIZE=10

Idle logout timeout
# Edit /etc/profile and append the following line at the end of the file:
    export TMOUT=360
360 seconds is six minutes, stricter than the 15 minutes PCI DSS allows before re-authentication. A user can simply unset TMOUT unless you also make it read-only, so follow it with:
    readonly TMOUT

Disable physical restart by keyboard shortcut
# Disable the Ctrl+Alt+Del keyboard shortcut (the systemd unit is ctrl-alt-del.target):
    systemctl mask ctrl-alt-del.target

Lock out unneeded accounts
# Lock all frivolous accounts such as games, operator, gopher, ftp, lp, uucp and news. Run
    awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
and identify such accounts. On EL7 system accounts normally have a UID below 1000 (UID_MIN in /etc/login.defs; earlier releases used 500), but there are exceptions. Where the shell is not /sbin/nologin, make it so:
    usermod -s /sbin/nologin username
After identifying the accounts, lock them:
    usermod -L username

Remove unneeded packages
# Look at the full list of installed packages first, then remove what you do not need:
    rpm -qa | less
    yum remove package-name

Setup password policy
# Edit /etc/login.defs so that the password section reads exactly:
    PASS_MAX_DAYS 45
    PASS_MIN_DAYS 0
    PASS_MIN_LEN 8
    PASS_WARN_AGE 7
These values only apply to accounts created afterwards. For existing users, run:
    chage -M 45 username
    chage -W 7 username
Verify once that the changes were made successfully:
    chage -l username
Note: password changes on EL7 go through PAM, so the minimum length actually enforced is the minlen value in /etc/security/pwquality.conf (below), not PASS_MIN_LEN.

# Optional: set the immutable bit on the account database files:
    chattr +i /etc/passwd*
    chattr +i /etc/group*
    chattr +i /etc/gshadow*
Warning: while the bit is set, every attempt to create or modify a user fails with an error such as "adduser: cannot open /etc/passwd". Remove the bit with chattr -i before making account changes and re-apply it afterwards.

# Edit /etc/pam.d/password-auth and add the following line at the top of the auth section:
    auth     required   pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=900
Add the following line at the top of the account section:
    account  required   pam_tally2.so
Caveats: password-auth covers sshd and other remote logins; add the same two lines to /etc/pam.d/system-auth so that console logins are covered as well. PCI DSS (requirement 8.1.7) wants a locked account to stay locked for at least 30 minutes or until an administrator unlocks it, so use unlock_time=1800 or higher, or drop unlock_time and unlock by hand with pam_tally2 --user username --reset. even_deny_root locks root at the console too, so keep that reset command in mind. Do not run authconfig after these edits: authconfig --updateall regenerates password-auth-ac and system-auth-ac, which these files link to, and discards hand-made changes.

# Edit /etc/security/pwquality.conf and set difok, minlen, dcredit, ucredit, lcredit, ocredit, minclass, maxrepeat, maxclassrepeat and gecoscheck to the following values:
    difok = 5
    minlen = 8
    dcredit = 1
    ucredit = 1
    lcredit = 1
    ocredit = 1
    minclass = 1
    maxrepeat = 1
    maxclassrepeat = 1
    gecoscheck = 1
pam_pwquality reads this file on every password change, so no command is needed to apply it (in particular, do not run authconfig --updateall; see the pam_tally2 caveat above). Two points about the values: a positive dcredit/ucredit/lcredit/ocredit only grants length credit for containing that class, it does not require it; to require at least one digit, upper-case, lower-case and other character, use -1 for each (or raise minclass to 3 or 4). maxrepeat = 1 rejects any two identical consecutive characters, and maxclassrepeat = 1 rejects two consecutive characters of the same class (any two adjacent lower-case letters, for example), which rules out nearly every password; a larger value such as 4 is workable.

Install HIDS
# Install Tripwire (available from EPEL on EL7) and set it up according to your requirements:
    yum install tripwire
    tripwire-setup-keyfiles
    tripwire --init

Install Antivirus
# Install ClamAV (EPEL provides the packages on EL7; the RPMforge or Atomic repos carry them as well; clamav-update supplies freshclam for signature updates):
    yum install clamav clamd clamav-update

Setup NTP
# Install chrony if it is not already installed:
    yum install chrony
Comment out all the existing server lines in /etc/chrony.conf and add your own:
    server serverip-or-domain iburst
Then enable and restart the service and confirm it is synchronising:
    systemctl enable chronyd.service
    systemctl restart chronyd.service
    chronyc sources

Setup centralized logging
# Edit /etc/rsyslog.conf and append the following line at the bottom:
    *.* @logserverip-or-domain:514
A single @ forwards over UDP, which drops messages silently when the network or the log server is busy; use @@ for TCP. Restart the daemon after making the changes:
    systemctl restart rsyslog.service

Disable IPv6 if not in use
# Edit /etc/sysctl.conf and append the following lines at the bottom to disable IPv6 on all adapters (the second line also covers interfaces created later):
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
After saving the file, apply the configuration:
    sysctl -p

Note: You may want to mail yourself the Tripwire and ClamAV reports, for which you will need to set up cron jobs.

Make sure only server admins have sudo rights on your servers, and where others do have sudo rights, limit them to a few specific commands in /etc/sudoers (edit it with visudo).

A sample banner:
********************************************************************************
**                             !!! WARNING !!!                                **
**  THIS IS A PRIVATE AND PROPRIETARY SYSTEM. ANY UNAUTHORIZED ACCESS         **
**  TO OR MISUSE OF SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL       **
**  PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING DISCHARGE, OR        **
**  THE TERMINATION OF VENDOR/SERVICE CONTRACTS.                              **
********************************************************************************
**           !-!-! ACCESS AND USE OF THIS SYSTEM IS MONITORED !-!-!           **
********************************************************************************
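The guide above tells you what to set but not how to verify it afterwards. As an added example, not part of the original guide, the POSIX shell script below audits the sshd_config, lock-out-unneeded-accounts, password-policy (login.defs and chage) and pwquality sections against copies of the relevant files. The sample files, their contents and the function names are constructed for illustration; on a real host you would point the functions at /etc/ssh/sshd_config, /etc/login.defs, /etc/shadow, /etc/passwd and /etc/security/pwquality.conf instead. The pwquality check applies pam_pwquality's credit semantics (a negative credit requires the class), so it flags the positive values the guide lists.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit sshd_config, login.defs,
# shadow, passwd and pwquality.conf against the settings the guide prescribes.
# Point the functions at /etc/... on a real host, or at the samples built below.

# Effective value of an sshd_config keyword: sshd honours the FIRST uncommented
# occurrence and matches keywords case-insensitively.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report sshd_config directives not explicitly set to the guide's value (the
# guide wants them uncommented, so a commented default is reported too).
check_sshd_config() {
    file=$1
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no StrictModes=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        [ "$got" = "$want" ] || echo "sshd_config: $key is '${got:-unset}', want '$want'"
    done
    banner=$(sshd_value "$file" Banner)
    if [ -z "$banner" ] || [ "$banner" = none ] || [ ! -f "$banner" ]; then
        echo "sshd_config: Banner is '${banner:-unset}' or names a missing file"
    fi
}

# Report login.defs ageing values that differ from the guide (last definition wins).
check_login_defs() {
    for pair in PASS_MAX_DAYS=45 PASS_MIN_DAYS=0 PASS_MIN_LEN=8 PASS_WARN_AGE=7; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(awk -v key="$key" '$1 == key { v = $2 } END { print v }' "$1")
        [ "$got" = "$want" ] || echo "login.defs: $key is '${got:-unset}', want '$want'"
    done
}

# Accounts with a usable password hash whose maximum age (shadow field 5) is
# empty or above MAX: the ones that still need `chage -M MAX`.
shadow_over_max_age() {
    awk -F: -v max="$2" '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

# System accounts (UID below 1000 on EL7) other than root that still have a
# login shell: candidates for `usermod -s /sbin/nologin` and `usermod -L`.
system_accounts_with_shell() {
    awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# pwquality credits that only reward a class: a positive dcredit/ucredit/lcredit/
# ocredit grants length credit; a negative value (e.g. -1) requires the class.
check_pwquality_credits() {
    awk -F= '/^[ \t]*[dulo]credit[ \t]*=/ {
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
        if ($2 + 0 >= 0) print "pwquality.conf: " $1 " = " $2 " does not require the class"
    }' "$1"
}

# --- Constructed sample files standing in for a partly hardened EL7 host ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
#Protocol 2
PermitRootLogin no
#PermitEmptyPasswords no
#StrictModes yes
#Banner none
EOF
cat > "$tmp/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$saltsalt$hash:16800:0:99999:7:::
bin:*:16800:0:99999:7:::
alice:$6$saltsalt$hash:16800:0:45:7:::
bob:$6$saltsalt$hash:16800:0::7:::
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/sh
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$tmp/pwquality.conf" <<'EOF'
minlen = 8
dcredit = 1
ucredit = 1
lcredit = -1
ocredit = 1
EOF

echo "== sshd_config";        check_sshd_config "$tmp/sshd_config"
echo "== login.defs";         check_login_defs "$tmp/login.defs"
echo "== shadow, max age > 45 or unset"; shadow_over_max_age "$tmp/shadow" 45
echo "== system accounts with a shell"; system_accounts_with_shell "$tmp/passwd"
echo "== pwquality credits";  check_pwquality_credits "$tmp/pwquality.conf"
```

Run as root against the real files (for example `check_sshd_config /etc/ssh/sshd_config` and `shadow_over_max_age /etc/shadow 45`) after applying the guide; an empty report from each function means the host matches the settings above. The sshd check deliberately treats a commented-out default as a finding because the guide asks for the directives to be uncommented, which is also what an assessor will look for.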