Anthropic-Cybersecurity-Skills/skills/hardening-linux-endpoint-with-cis-benchmark/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference: Linux CIS Benchmark Hardening

CIS Benchmark Sections

| Section | Topic |
|---------|-------|
| 1 | Initial Setup (filesystem, updates, secure boot) |
| 2 | Services (inetd, special purpose) |
| 3 | Network Configuration (parameters, firewall) |
| 4 | Logging and Auditing (auditd, rsyslog) |
| 5 | Access, Authentication, Authorization (SSH, PAM) |
| 6 | System Maintenance (file permissions) |

Key sysctl Parameters

Network Hardening

sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.tcp_syncookies=1

Persistent Configuration

# /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0

SSH Hardening (/etc/ssh/sshd_config)

| Parameter | Recommended Value |
|-----------|-------------------|
| PermitRootLogin | no |
| PasswordAuthentication | no |
| Protocol | 2 |
| MaxAuthTries | 4 |
| ClientAliveInterval | 300 |
| ClientAliveCountMax | 3 |
| X11Forwarding | no |
| AllowTcpForwarding | no |
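
The table above can be checked mechanically. The following is an added example, not code from this repository: it audits sshd_config text against the table's values, honouring sshd's rule that the first value read for a keyword wins. The function names, the exact-match comparison, and the choice to stop at the first `Match` block and not follow `Include` files are assumptions of this sketch.

```python
# Recommended values copied from the table above (keywords lower-cased).
RECOMMENDED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "protocol": "2", "maxauthtries": "4",
    "clientaliveinterval": "300", "clientalivecountmax": "3",
    "x11forwarding": "no", "allowtcpforwarding": "no",
}

def parse_global(text):
    """Return {keyword: value} for the global section of sshd_config text."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":      # conditional overrides follow; not global
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        seen.setdefault(key, value)  # sshd keeps the first value it reads
    return seen

def audit(text):
    """Return {keyword: status} for every setting that is unset or differs."""
    seen = parse_global(text)
    findings = {}
    for key, want in RECOMMENDED.items():
        got = seen.get(key)
        if got is None:
            findings[key] = "unset"
        elif got.lower() != want:
            findings[key] = f"mismatch: {got}"
    return findings

# Constructed sample: a later "no" does not override the earlier "yes",
# and a setting that appears only inside a Match block is not global.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Protocol 2
MaxAuthTries=4
ClientAliveInterval 300
clientalivecountmax 3
X11Forwarding no
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{key}: {status}")
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is a better input than the raw file.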

Service Management

Disable unnecessary services

systemctl disable avahi-daemon
systemctl disable cups
systemctl disable rpcbind
systemctl mask service_name

Check enabled services

systemctl list-unit-files --type=service --state=enabled

Audit Rules (/etc/audit/rules.d/)

Monitor critical files

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers

Monitor system calls

-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S mount -k mounts

File Permissions

| File | Owner | Permissions |
|------|-------|-------------|
| /etc/passwd | root:root | 644 |
| /etc/shadow | root:shadow | 000 or 640 |
| /etc/group | root:root | 644 |
| /etc/gshadow | root:shadow | 000 or 640 |

Automated Tools

OpenSCAP

oscap xccdf eval --profile cis \
    --results results.xml \
    /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Lynis

lynis audit system --cronjob --quiet