ZCSPM offers bash scripts for hardening the CentOS 7 OS on your Microsoft Azure Virtual Machine. Make sure you test the scripts on a testing environment before running them on a production environment.

Hardening Script for ZCSPM supported Security Policies

Azure_CSBP_CentOS_Linux7_Remediation.sh: ZCSPM can remediate about 27 security policies to harden CentOS 7 on an Azure virtual machine.

• See the 27 security policies remediated
  Policy Title 1

  Ensure address space layout randomization (ASLR) is enabled

  Ensure Avahi Server is not enabled

  Ensure bogus ICMP responses are ignored

  Ensure broadcast ICMP requests are ignored

  Ensure cron daemon is enabled

  Ensure CUPS is not enabled

  Ensure DHCP Server is not enabled

  Ensure IP forwarding is disabled

  Ensure permissions on /etc/group are configured

  Ensure permissions on /etc/passwd are configured

  1 to 10 of 27

  Page 1 of 3

  Close

To run the Zscaler-recommended hardening script:

1. Make sure you are logged in to the virtual machine as a root user.
2. Open the bash terminal and download the script from GitHub using the following command:

wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/CentOS7/Azure_CSBP_CentOS_Linux7_Remediation.sh -O Azure_CSBP_CentOS_Linux7_Remediation.sh

3. Switch to root using the following command:

sudo su

4. Run the script using the following command:

bash Azure_CSBP_CentOS_Linux7_Remediation.sh

You can scan the relevant cloud account in the ZCSPM Admin Portal and view the security policy results.

Hardening script for CIS Compliance

CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh: ZCSPM offers a more extensive script which remediates 142 out of 223 security policies for the CIS CentOS 7 Benchmark.

ZCSPM cannot remediate 81 security policies because either the appropriate APIs and commands are unavailable for automatic remediation, or they need user inputs and have to be manually remediated.

• See the 142 remediated security policies
  Policy Title 1

  Disable Automounting

  Ensure /etc/hosts.deny is configured

  Ensure access to the su command is restricted

  Ensure AIDE is installed

  Ensure at/cron is restricted to authorized users

  Ensure audit logs are not automatically deleted

  Ensure auditd service is enabled

  Ensure authentication required for single user mode

  Ensure Avahi Server is not enabled

  Ensure bogus ICMP responses are ignored

  1 to 10 of 142

  Page 1 of 15

  Close
• See the 81 security policies which cannot be remediated
  Policy Title 1

  Audit SGID executables

  Audit SUID executables

  Audit system file permissions

  Ensure /etc/hosts.allow is configured

  Ensure address space layout randomization (ASLR) is enabled

  Ensure all groups in /etc/passwd exist in /etc/group

  Ensure all users last password change date is in the past

  Ensure all users' home directories exist

  Ensure audit log storage size is configured

  Ensure auditing for processes that start prior to auditd is enabled

  1 to 10 of 81

  Page 1 of 9

  Close

To run the CIS compliance hardening script:

1. Make sure you are logged in to the virtual machine as a root user.
2. Open the terminal and download the script from GitHub using the following command::

wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/CentOS7/CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh -O CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh

3. Switch to root using the following command::

sudo su

4. Run the script using the following command:

bash CIS_CentOS_Linux7_Benchmark_v2_2_0_Remediation.sh