creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/hardening-linux-endpoint-with-cis-benchmark/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

99 lines
2.2 KiB
Markdown
Raw Blame History

# API Reference: Linux CIS Benchmark Hardening
## CIS Benchmark Sections
| Section | Topic |
|---------|-------|
| 1 | Initial Setup (filesystem, updates, secure boot) |
| 2 | Services (inetd, special purpose) |
| 3 | Network Configuration (parameters, firewall) |
| 4 | Logging and Auditing (auditd, rsyslog) |
| 5 | Access, Authentication, Authorization (SSH, PAM) |
| 6 | System Maintenance (file permissions) |
## Key sysctl Parameters
### Network Hardening
```bash
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.tcp_syncookies=1
```
### Persistent Configuration
```bash
# /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
```
## SSH Hardening (/etc/ssh/sshd_config)
| Parameter | Recommended Value |
|-----------|-------------------|
| PermitRootLogin | no |
| PasswordAuthentication | no |
| Protocol | 2 |
| MaxAuthTries | 4 |
| ClientAliveInterval | 300 |
| ClientAliveCountMax | 3 |
| X11Forwarding | no |
| AllowTcpForwarding | no |
## Service Management
### Disable unnecessary services
```bash
systemctl disable avahi-daemon
systemctl disable cups
systemctl disable rpcbind
systemctl mask service_name
```
### Check enabled services
```bash
systemctl list-unit-files --type=service --state=enabled
```
## Audit Rules (/etc/audit/rules.d/)
### Monitor critical files
```bash
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
```
### Monitor system calls
```bash
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S mount -k mounts
```
## File Permissions
| File | Owner | Permissions |
|------|-------|-------------|
| `/etc/passwd` | root:root | 644 |
| `/etc/shadow` | root:shadow | 000 or 640 |
| `/etc/group` | root:root | 644 |
| `/etc/gshadow` | root:shadow | 000 or 640 |
## Automated Tools
### OpenSCAP
```bash
oscap xccdf eval --profile cis \
--results results.xml \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
### Lynis
```bash
lynis audit system --cronjob --quiet
```
Reference in New Issue View Git Blame Copy Permalink