alphabet-compliance: Add compliance scripts for COS-93

These scripts will be executed before the compliance checker
to bring the VM into a compliant state.
The sections referred to in the scripts are from
https://www.cisecurity.org/benchmark/distribution_independent_linux/

Change-Id: If76f18aceb2de96bca461be380b713786258fc6c
diff --git a/README b/README
deleted file mode 100644
index fcb42d2..0000000
--- a/README
+++ /dev/null
@@ -1 +0,0 @@
-README for Compliance Repository
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8d1fe64
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# Compliance Scripts for Container-Optimized OS
+These are experimental scripts developed for Alphabet compliance.
diff --git a/alphabet-compliance/scripts/1117-disable-udf-mounting.sh b/alphabet-compliance/scripts/1117-disable-udf-mounting.sh
new file mode 100644
index 0000000..c2c0ccc
--- /dev/null
+++ b/alphabet-compliance/scripts/1117-disable-udf-mounting.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section 1.1.1.7 Ensure mounting of udf filesystems is disabled ##
+echo "install udf /bin/true" > /etc/modprobe.d/udf.conf
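Review bot: Writing `install udf /bin/true` only blocks future loads; a udf module that is already loaded stays in the kernel until reboot, and nothing in this script removes it. Consider following the write with `modprobe -r udf` (or `rmmod udf`), tolerating the case where the module is not loaded, so the running VM matches the configured state. The `>` redirect replaces any existing `/etc/modprobe.d/udf.conf`, which keeps the script idempotent but deserves a one-line comment.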
diff --git a/alphabet-compliance/scripts/1510-restrict-core-dumps.sh b/alphabet-compliance/scripts/1510-restrict-core-dumps.sh
new file mode 100644
index 0000000..989e86d
--- /dev/null
+++ b/alphabet-compliance/scripts/1510-restrict-core-dumps.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 1.5.1 Ensure core dumps are restricted ##
+echo "* hard core 0" >> /etc/security/limits.conf
+cat <<EOF >> /etc/systemd/coredump.conf
+Storage=none
+ProcessSizeMax=0
+EOF
+systemctl daemon-reload
+sysctl -w fs.suid_dumpable=0
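Review bot: The two keys appended to `/etc/systemd/coredump.conf` take effect only if they land under a `[Coredump]` section header, and the script never writes that header itself, so on an image where the file is absent or does not end in that section systemd would ignore them. Both appends are also non-idempotent: each run adds another `* hard core 0` line and another pair of keys. Guard each append, e.g. `grep -qx '\* hard core 0' /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf`, and emit `[Coredump]` ahead of `Storage=none` when it is missing.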
diff --git a/alphabet-compliance/scripts/3110-disable-ip-forwarding.sh b/alphabet-compliance/scripts/3110-disable-ip-forwarding.sh
new file mode 100644
index 0000000..c89a9b5
--- /dev/null
+++ b/alphabet-compliance/scripts/3110-disable-ip-forwarding.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section 3.1.1 Ensure IP forwarding is disabled ##
+sysctl -w net.ipv4.ip_forward=0
+sysctl -w net.ipv6.conf.all.forwarding=0
+sysctl -w net.ipv4.route.flush=1
+sysctl -w net.ipv6.route.flush=1
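Review bot: `sysctl -w` changes only the running kernel, so the forwarding settings revert on the next boot and no file under `/etc/sysctl.d/` or `/etc/sysctl.conf` records the intended value. The same applies to `fs.suid_dumpable` in 1510-restrict-core-dumps.sh and to the sysctl calls in 3230-disable-secure-redirects.sh, 3240-log-suspicious-packets.sh and 3290-disable-IPv6-router-ads.sh. If the scripts are meant to run on every boot, say so in a header comment; otherwise also persist each key in a sysctl configuration file. On a host that runs containers, turning off `net.ipv4.ip_forward` may interfere with bridged container networking, so confirm this is intended for the workloads in scope.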
diff --git a/alphabet-compliance/scripts/3230-disable-secure-redirects.sh b/alphabet-compliance/scripts/3230-disable-secure-redirects.sh
new file mode 100644
index 0000000..a4afac9
--- /dev/null
+++ b/alphabet-compliance/scripts/3230-disable-secure-redirects.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 3.2.3 Ensure secure ICMP redirects are not accepted ##
+sysctl -w net.ipv4.conf.all.secure_redirects=0
+sysctl -w net.ipv4.conf.default.secure_redirects=0
+sysctl -w net.ipv4.route.flush=1
diff --git a/alphabet-compliance/scripts/3240-log-suspicious-packets.sh b/alphabet-compliance/scripts/3240-log-suspicious-packets.sh
new file mode 100644
index 0000000..e095b8d
--- /dev/null
+++ b/alphabet-compliance/scripts/3240-log-suspicious-packets.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section 3.2.4 Ensure suspicious packets are logged ##
+sysctl -w net.ipv4.conf.all.log_martians=1
+sysctl -w net.ipv4.conf.default.log_martians=1
+sysctl -w net.ipv4.route.flush=1
diff --git a/alphabet-compliance/scripts/3290-disable-IPv6-router-ads.sh b/alphabet-compliance/scripts/3290-disable-IPv6-router-ads.sh
new file mode 100644
index 0000000..eda7dee
--- /dev/null
+++ b/alphabet-compliance/scripts/3290-disable-IPv6-router-ads.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 3.2.9 Ensure IPv6 router advertisements are not accepted ##
+sysctl -w net.ipv6.conf.all.accept_ra=0
+sysctl -w net.ipv6.route.flush=1
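Review bot: Only `net.ipv6.conf.all.accept_ra` is set here, whereas the sibling scripts 3230 and 3240 set both the `all` and the `default` variant of their keys. Interfaces created later take their initial value from `default`, so they would still accept router advertisements. Add `sysctl -w net.ipv6.conf.default.accept_ra=0` before the route flush.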
diff --git a/alphabet-compliance/scripts/3512-configure-IPv6-loopback.sh b/alphabet-compliance/scripts/3512-configure-IPv6-loopback.sh
new file mode 100644
index 0000000..066163a
--- /dev/null
+++ b/alphabet-compliance/scripts/3512-configure-IPv6-loopback.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section 3.5.1.2 Ensure IPv6 loopback traffic is configured ##
+ip6tables -A INPUT -s ::1 -j DROP
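Review bot: This appends a rule that drops every packet with source `::1`, but no rule accepting traffic on the `lo` interface is added first, so unless the image's existing INPUT chain already accepts `-i lo` (not visible in this diff) genuine loopback traffic is dropped too. Add `ip6tables -A INPUT -i lo -j ACCEPT` and `ip6tables -A OUTPUT -o lo -j ACCEPT` ahead of the DROP rule. `-A` also adds a duplicate rule on every run; prefixing it with `ip6tables -C INPUT -s ::1 -j DROP 2>/dev/null ||` keeps it idempotent. 3522-configure-loopback.sh has the same two problems with `iptables` and `127.0.0.0/8`.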
diff --git a/alphabet-compliance/scripts/3522-configure-loopback.sh b/alphabet-compliance/scripts/3522-configure-loopback.sh
new file mode 100644
index 0000000..6232e2e
--- /dev/null
+++ b/alphabet-compliance/scripts/3522-configure-loopback.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section 3.5.2.2 Ensure loopback traffic is configured ##
+iptables -A INPUT -s 127.0.0.0/8 -j DROP
diff --git a/alphabet-compliance/scripts/4222-compress-large-log-files.sh b/alphabet-compliance/scripts/4222-compress-large-log-files.sh
new file mode 100644
index 0000000..a4f00ff
--- /dev/null
+++ b/alphabet-compliance/scripts/4222-compress-large-log-files.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 4.2.2.2 Ensure journald is configured to compress large log files ##
+sed -i 's/^#Compress=yes/Compress=yes/' /etc/systemd/journald.conf
+systemctl force-reload systemd-journald
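Review bot: The `sed` expression rewrites only a line that is exactly the commented default `#Compress=yes`; if the file has `Compress=no`, a differently written comment, or no such line, `sed` exits 0 without changing anything and the script appears to succeed with the setting still unset. The same silent no-op affects the anchored substitutions in 5216-configure-ssh-idle-timeout.sh, 5221-disable-ssh-AllowTcpForwarding.sh, 5310-configure-password-requirements.sh and 5440-configure-default-user-umask.sh, which match only an existing uncommented line. Follow each edit with a verification such as `grep -q '^Compress=yes' /etc/systemd/journald.conf || exit 1` so a miss is reported instead of hidden.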
diff --git a/alphabet-compliance/scripts/4230-set-permissions-of-log-files.sh b/alphabet-compliance/scripts/4230-set-permissions-of-log-files.sh
new file mode 100644
index 0000000..0253898
--- /dev/null
+++ b/alphabet-compliance/scripts/4230-set-permissions-of-log-files.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 4.2.3 Ensure permissions on all logfiles are configured ##
+sudo find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o \
+  -type d -exec chmod g-w,o-rwx "{}" +
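Review bot: This is the only script in the change that calls `sudo`; the others write to `/etc` or call `sysctl` and `usermod` directly, so they already assume they run as root. Drop `sudo` for consistency, since it adds a dependency on sudo being installed and usable non-interactively. The command fixes only files that exist when it runs, so logs created afterwards keep whatever mode their writer chooses; a comment noting that limitation would help.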
diff --git a/alphabet-compliance/scripts/5214-configure-MAC-algorithms.sh b/alphabet-compliance/scripts/5214-configure-MAC-algorithms.sh
new file mode 100644
index 0000000..e5653e4
--- /dev/null
+++ b/alphabet-compliance/scripts/5214-configure-MAC-algorithms.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.14 Ensure only strong MAC algorithms are used ##
+echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,\
+hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
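Review bot: Appending to `/etc/ssh/sshd_config` does not guarantee the directive is effective, because sshd uses the first value it reads for each keyword; if a `MACs` line already exists earlier in the file, this one is ignored. A line appended after a trailing `Match` block is parsed as part of that block, and each rerun adds another copy. The same append pattern is used in 5216-configure-ssh-idle-timeout.sh, 5217-configure-ssh-LoginGraceTime.sh, 5219-configure-ssh-banner.sh, 5222-configure-ssh-MaxStartups.sh and 5223-configure-ssh-MaxSessions.sh. Remove any existing line for the keyword and place the new one ahead of the first `Match`, then confirm the effective value with `sshd -T | grep -i '^macs '`.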
diff --git a/alphabet-compliance/scripts/5216-configure-ssh-idle-timeout.sh b/alphabet-compliance/scripts/5216-configure-ssh-idle-timeout.sh
new file mode 100644
index 0000000..e4851ba
--- /dev/null
+++ b/alphabet-compliance/scripts/5216-configure-ssh-idle-timeout.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.16 Ensure SSH Idle Timeout Interval is configured ##
+sed -i 's/^ClientAliveInterval .*$/ClientAliveInterval 300/' \
+  /etc/ssh/sshd_config
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
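Review bot: `ClientAliveCountMax 0` changes meaning on OpenSSH 8.2 and later, where a value of 0 disables connection termination altogether, so on such a version this line would switch the timeout off instead of enforcing it. Check which sshd version the image ships and, if it is 8.2 or newer, use a positive count together with `ClientAliveInterval 300`. A comment recording the sshd version this was validated against would keep the setting from regressing on an image update.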
diff --git a/alphabet-compliance/scripts/5217-configure-ssh-LoginGraceTime.sh b/alphabet-compliance/scripts/5217-configure-ssh-LoginGraceTime.sh
new file mode 100644
index 0000000..35651f7
--- /dev/null
+++ b/alphabet-compliance/scripts/5217-configure-ssh-LoginGraceTime.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less ##
+echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
diff --git a/alphabet-compliance/scripts/5219-configure-ssh-banner.sh b/alphabet-compliance/scripts/5219-configure-ssh-banner.sh
new file mode 100644
index 0000000..e16e93a
--- /dev/null
+++ b/alphabet-compliance/scripts/5219-configure-ssh-banner.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.19 Ensure SSH warning banner is configured ##
+echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
+touch /etc/issue.net
diff --git a/alphabet-compliance/scripts/5221-disable-ssh-AllowTcpForwarding.sh b/alphabet-compliance/scripts/5221-disable-ssh-AllowTcpForwarding.sh
new file mode 100644
index 0000000..f5dc60d
--- /dev/null
+++ b/alphabet-compliance/scripts/5221-disable-ssh-AllowTcpForwarding.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.21 Ensure SSH AllowTcpForwarding is disabled ##
+sed -i 's/^AllowTcpForwarding .*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
diff --git a/alphabet-compliance/scripts/5222-configure-ssh-MaxStartups.sh b/alphabet-compliance/scripts/5222-configure-ssh-MaxStartups.sh
new file mode 100644
index 0000000..1230d86
--- /dev/null
+++ b/alphabet-compliance/scripts/5222-configure-ssh-MaxStartups.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.22 Ensure SSH MaxStartups is configured ##
+echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
diff --git a/alphabet-compliance/scripts/5223-configure-ssh-MaxSessions.sh b/alphabet-compliance/scripts/5223-configure-ssh-MaxSessions.sh
new file mode 100644
index 0000000..78610d3
--- /dev/null
+++ b/alphabet-compliance/scripts/5223-configure-ssh-MaxSessions.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.2.23 Ensure SSH MaxSessions is set to 4 or less ##
+echo "MaxSessions 4" >> /etc/ssh/sshd_config
diff --git a/alphabet-compliance/scripts/5229-reload-sshconfig.sh b/alphabet-compliance/scripts/5229-reload-sshconfig.sh
new file mode 100644
index 0000000..a2113cf
--- /dev/null
+++ b/alphabet-compliance/scripts/5229-reload-sshconfig.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Reload sshd_config for changes in section 5.2.*
+systemctl force-reload sshd
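Review bot: The reload runs without validating the edited file, so a malformed `sshd_config` produced by the earlier 52xx scripts could leave sshd unable to reload or restart and cut off remote access to the VM. Run `sshd -t || exit 1` before `systemctl force-reload sshd`. The script also appears to rely on lexical file-name ordering to run after the other 5.2.* scripts; a comment stating that dependency would help whoever renumbers them.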
diff --git a/alphabet-compliance/scripts/5310-configure-password-requirements.sh b/alphabet-compliance/scripts/5310-configure-password-requirements.sh
new file mode 100644
index 0000000..11d583b
--- /dev/null
+++ b/alphabet-compliance/scripts/5310-configure-password-requirements.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.3.1 Ensure password creation requirements are configured ##
+sed -i 's/^min.*$/min=disabled,disabled,disabled,disabled,14/' \
+  /etc/security/passwdqc.conf
diff --git a/alphabet-compliance/scripts/5330-configure-password-reuse.sh b/alphabet-compliance/scripts/5330-configure-password-reuse.sh
new file mode 100644
index 0000000..f5372eb
--- /dev/null
+++ b/alphabet-compliance/scripts/5330-configure-password-reuse.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.3.3 Ensure password reuse is limited (Not Scored) ##
+sed -i '0,/password/s//password        required        pam_pwhistory.so remember=5\n&/' \
+  /etc/pam.d/system-auth
+sed -i 's/password.*pam_unix.so/& remember=5/' /etc/pam.d/system-auth
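Review bot: Neither `sed` pattern is anchored, so `0,/password/` matches the first line containing the word anywhere, including a comment or an `auth` line, and the replacement then splits that line in two with the `pam_pwhistory.so` entry inserted mid-line. Both edits are also non-idempotent: each run adds another `pam_pwhistory.so` line and another `remember=5` on the `pam_unix.so` line. Anchor both patterns to `^password` and guard the script, e.g. start with `grep -q 'pam_pwhistory.so' /etc/pam.d/system-auth && exit 0`. A broken `/etc/pam.d/system-auth` can block logins, so keep a backup copy before editing.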
diff --git a/alphabet-compliance/scripts/5340-set-password-hashing-algorithm.sh b/alphabet-compliance/scripts/5340-set-password-hashing-algorithm.sh
new file mode 100644
index 0000000..e7da5fb
--- /dev/null
+++ b/alphabet-compliance/scripts/5340-set-password-hashing-algorithm.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.3.4 Ensure password hashing algorithm is SHA-512 (Not Scored) ##
+sed -i '/password/s/md5/sha2/' /etc/pam.d/system-auth
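Review bot: `sha2` is not a hashing option that `pam_unix.so` recognises; the option matching the section title is `sha512`, so after this substitution the module is left with an unknown argument instead of SHA-512 hashing. Change the expression to `sed -i '/^password/s/md5/sha512/' /etc/pam.d/system-auth`. If the line carries no `md5` token the command changes nothing, so a follow-up `grep -q 'pam_unix.so.*sha512' /etc/pam.d/system-auth || exit 1` would confirm the result.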
diff --git a/alphabet-compliance/scripts/5411-configure-password-expiration.sh b/alphabet-compliance/scripts/5411-configure-password-expiration.sh
new file mode 100644
index 0000000..f35c307
--- /dev/null
+++ b/alphabet-compliance/scripts/5411-configure-password-expiration.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.1.1 Ensure password expiration is 365 days or less ##
+sed -i 's/^PASS_MAX_DAYS\t.*$/PASS_MAX_DAYS 365/' /etc/login.defs
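Review bot: `PASS_MAX_DAYS` in `/etc/login.defs` applies only to accounts created afterwards, so existing users keep their current maximum age; any password-enabled accounts already on the image need `chage --maxdays 365 USER` as well. The pattern also requires a literal tab after the key, so a file that separates key and value with spaces is left unchanged without any error. Both points apply equally to `PASS_MIN_DAYS` in 5412-configure-password-change-timeframe.sh, and the first applies to `useradd -D -f 30` in 5414-configure-inactive-password-timeframe.sh. Matching `^PASS_MAX_DAYS[[:space:]].*$` covers either separator.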
diff --git a/alphabet-compliance/scripts/5412-configure-password-change-timeframe.sh b/alphabet-compliance/scripts/5412-configure-password-change-timeframe.sh
new file mode 100644
index 0000000..a3b917a
--- /dev/null
+++ b/alphabet-compliance/scripts/5412-configure-password-change-timeframe.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.1.2 Ensure minimum days between password changes is 7 or more ##
+sed -i 's/^PASS_MIN_DAYS\t.*$/PASS_MIN_DAYS 7/' /etc/login.defs
diff --git a/alphabet-compliance/scripts/5414-configure-inactive-password-timeframe.sh b/alphabet-compliance/scripts/5414-configure-inactive-password-timeframe.sh
new file mode 100644
index 0000000..29bbeb2
--- /dev/null
+++ b/alphabet-compliance/scripts/5414-configure-inactive-password-timeframe.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.1.4 Ensure inactive password lock is 30 days or less ##
+useradd -D -f 30
diff --git a/alphabet-compliance/scripts/5420-configure-system-accounts.sh b/alphabet-compliance/scripts/5420-configure-system-accounts.sh
new file mode 100644
index 0000000..d1b7415
--- /dev/null
+++ b/alphabet-compliance/scripts/5420-configure-system-accounts.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.2 Ensure system accounts are secured ##
+usermod -s $(which nologin) chronos
+usermod -L chronos
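Review bot: The `$(which nologin)` substitution is unquoted and unchecked: if `nologin` is not on PATH it expands to nothing, the command becomes `usermod -s chronos`, and the shell is left unchanged while the script carries on. Resolve the path first with `nologin_path="$(command -v nologin)" || exit 1` and pass `"$nologin_path"` to `usermod -s`. Only `chronos` is handled here; if the image has other system accounts with a login shell they are untouched, so check against `/etc/passwd`.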
diff --git a/alphabet-compliance/scripts/5440-configure-default-user-umask.sh b/alphabet-compliance/scripts/5440-configure-default-user-umask.sh
new file mode 100644
index 0000000..7b9cd85
--- /dev/null
+++ b/alphabet-compliance/scripts/5440-configure-default-user-umask.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.4 Ensure default user umask is 027 or more restrictive ##
+sed -i 's/^umask .*$/umask 027/' /etc/profile
+echo "umask 027" >> /etc/profile.d/*
+echo "umask 027" >> /etc/bash/bashrc
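Review bot: `>> /etc/profile.d/*` is a redirection to a glob: bash reports an ambiguous redirect when the pattern matches more than one file and creates a file literally named `*` when it matches none, so the umask line reaches the intended files only if exactly one exists. Loop over the files instead, `for f in /etc/profile.d/*.sh; do [ -e "$f" ] && echo "umask 027" >> "$f"; done`. The appends here and to `/etc/bash/bashrc` also add a duplicate line on every run.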
diff --git a/alphabet-compliance/scripts/5450-configure-default-shell-timeout.sh b/alphabet-compliance/scripts/5450-configure-default-shell-timeout.sh
new file mode 100644
index 0000000..cc61a4e
--- /dev/null
+++ b/alphabet-compliance/scripts/5450-configure-default-shell-timeout.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Section: 5.4.5 Ensure default user shell timeout is 900 seconds or less ##
+echo "TMOUT=900" >> /etc/profile
+echo "TMOUT=900" >> /etc/bash/bashrc
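Review bot: A plain `TMOUT=900` assignment can be changed or unset by any user in their own shell startup file, so the timeout is advisory only. Consider `readonly TMOUT=900; export TMOUT`, guarded so that a shell sourcing both `/etc/profile` and `/etc/bash/bashrc` does not fail on reassigning a readonly variable, e.g. `[ -n "$TMOUT" ] || readonly TMOUT=900`. Each run also appends another copy of the line to both files.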