Navigation

← Previous Changeset
Next Changeset →

Changeset 115

Timestamp:

11/29/07 12:41:57 (1 year ago)

Author:

slawrence

Message:

Fixed/cleaned up STIG scripts

Files:

trunk/RHEL5/scripts/stig-fix/cat1/gen004640.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat1/lnx00320.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat1/lnx00580.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000020.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000400.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000440.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000460.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000480.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000580.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000600.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000800.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000820.sh (deleted)
trunk/RHEL5/scripts/stig-fix/cat2/gen000920.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen000980.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen001020.sh (modified) (2 diffs)
trunk/RHEL5/scripts/stig-fix/cat2/gen001260.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen001420.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen001680.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen001820.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002180.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002200.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002220.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002320.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002420.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen002560.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen002820.sh (deleted)
trunk/RHEL5/scripts/stig-fix/cat2/gen002860.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen002960.sh (deleted)
trunk/RHEL5/scripts/stig-fix/cat2/gen003080.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen003480.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen003600.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen003660.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen003700.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen003740.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen003865.sh (deleted)
trunk/RHEL5/scripts/stig-fix/cat2/gen004000.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen004500.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen004540.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen004820.sh (deleted)
trunk/RHEL5/scripts/stig-fix/cat2/gen005360.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen005400.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen006520.sh (added)
trunk/RHEL5/scripts/stig-fix/cat2/gen006620.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/lnx00340.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/lnx00400.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/lnx00440.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/lnx00520.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat3/gen001280.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat3/gen003520.sh (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat3/gen003860.sh (added)
trunk/RHEL5/scripts/stig-fix/cat3/gen004560.sh (deleted)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5/scripts/stig-fix/cat1/gen004640.sh

r106	r115
1	1	#!/bin/sh
2	2
	3	## (GEN004640: CAT I) (Previously â V126) The SA will ensure the decode entry
	4	## is disabled (deleted or commented out) from the alias file.
3	5	echo '==================================================='
4		echo 'Patching Gen004640: Disable decode in alias file'
5		echo '==================================================='
	6	echo 'Patching GEN004640: Disable decode in alias file'
	7	echo '==================================================='
6	8	sed --in-place s/^decode\:/\#decode\:/ /etc/aliases

trunk/RHEL5/scripts/stig-fix/cat1/lnx00320.sh

r106	r115
1	1	#!/bin/sh
2	2
3		#Remove unnecessary privileged users from /etc/passwd
	3	## (LNX00320: CAT I) (Previously â L140) The SA will delete accounts that
	4	## provide a special privilege such as shutdown and halt.
4	5	echo '==================================================='
5	6	echo 'Patching LNX00320: Deleting accounts providing'
6		echo ' special privilege.'
	7	echo ' special privilege.'
7	8	echo '==================================================='
8		sed -i /shutdown/d /etc/passwd
9		sed -i /halt/d /etc/passwd
10		sed -i /sync/d /etc/passwd
11		sed -i /operator/d /etc/passwd
	9	userdel shutdown
	10	userdel halt
	11	userdel sync

trunk/RHEL5/scripts/stig-fix/cat1/lnx00580.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Disable CTRL-ALT-DEL on the system
	3	## (LNX00580: CAT I) (Previously â L222) The SA will disable the
	4	## Ctrl-Alt-Delete sequence unless the system is located in a controlled
	5	## access area accessible only by SAs.
4	6	echo '==================================================='
5		echo ' Patching LNX00580: Disable CTRL-ALT-DELETE'
	7	echo ' Patching LNX00580: Disable CTRL-ALT-DELETE'
6	8	echo '==================================================='
7	9	sed --in-place s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/ /etc/inittab

trunk/RHEL5/scripts/stig-fix/cat2/gen000020.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Put a password on single-user mode
	3	## (GEN000020: CAT II) (Previously â G001) The IAO and SA will ensure, if
	4	## configurable, the UNIX host is configured to require a password for access
	5	## to single-user and maintenance modes.
4	6	echo '==================================================='
5	7	echo ' Patching GEN000020: Configuring Password for'
6	8	echo ' single-user and maintenance'
7		echo ' modes.'
	9	echo ' modes.'
8	10	echo '==================================================='
9	11	echo "" >> /etc/inittab

trunk/RHEL5/scripts/stig-fix/cat2/gen000400.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Change banner for local logins
4		# This can be modified as long as it still meets STIG requirement GEN000420.
5		# Namely, the banner must advise that:
6		# - The system is a DOD system.
7		# - The system is subject to monitoring.
8		# - Monitoring is authorized in accordance with applicable laws and
9		# regulations and conducted for purposes of systems management and
10		# protection, protection against improper or unauthorized use or access,
11		# and verification of applicable security features or procedures.
12		# - Use of the system constitutes consent to monitoring
13		# - This system is for authorized US government use only.
	3	## (GEN000400: CAT II) (Previously â G010) The SA will ensure a logon-warning banner is
	4	## displayed on all devices and sessions at the initial logon.
14	5	echo '==================================================='
15		echo ' Patching GEN000400: Providing logon-warning banner'
	6	echo ' Patching GEN000400: Providing logon-warning banner'
16	7	echo '==================================================='
17	8	echo "THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. THIS COMPUTER SYSTEM,

trunk/RHEL5/scripts/stig-fix/cat2/gen000440.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Make syslog log all authentication information
	3	## (GEN000440: CAT II) (Previously â G012) The SA will ensure all logon attempts (both
	4	## successful and unsuccessful) are logged to a system log file.
4	5	echo '==================================================='
5		echo ' Patching GEN00440: ensuring logon attempts logged.'
	6	echo ' Patching GEN000440: ensuring logon attempts logged.'
6	7	echo '==================================================='
7	8	echo "
8	9	# Log all authentication information
9		auth.* /var/log/authlog" >> /etc/syslog.conf
	10	auth.* /var/log/authlog" >> /etc/syslog.conf

trunk/RHEL5/scripts/stig-fix/cat2/gen000460.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Lock a user out after 3 failed logins
	3	## (GEN000460: CAT II) (Previously â G013) The SA will ensure, after three consecutive
	4	## failed logon attempts for an account, the account is locked for 15 minutes or until
	5	## the SA unlocks the account.
4	6	echo '==================================================='
5		echo ' Patching GEN000460: Disable after 3 consecutive'
	7	echo ' Patching GEN000460: Disable after 3 consecutive'
6	8	echo ' failed attempts per account'
7	9	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen000480.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# ~~Make the system wait 4 seconds after a failed login attempt.~~
4		# ~~Slows brute-forcing of passwor~~ds.
	3	## (GEN000480: CAT II) (Previously â G015) The SA will ensure the logon delay between
	4	## logon prompts after a failed logon is set to at least four seconds.
5	5	echo '==================================================='
6		echo ' Patching GEN000480: Set logon delay to 4 seconds.'
	6	echo ' Patching GEN000480: Set logon delay to 4 seconds.'
7	7	echo '==================================================='
8	8	echo "

trunk/RHEL5/scripts/stig-fix/cat2/gen000580.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Set minimum password length to 9 characters.
	3	## (GEN000580: CAT II) (Previously â G019) The IAO will ensure all passwords contain a
	4	## minimum of eight characters.
4	5	echo '==================================================='
5		echo ' Patching GEN000580: Set minimum Password length.'
	6	echo ' Patching GEN000580: Set minimum Password length.'
6	7	echo '==================================================='
7		sed --in-place "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t9/" /etc/login.defs
	8	sed --in-place "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs

trunk/RHEL5/scripts/stig-fix/cat2/gen000600.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Enforce stricter password standards.
4		# - Minimum length is now 9
5		# - Must have 2 upper-case letters
6		# - Must have 2 lower-case letters
7		# - Must have 2 digits
8		# - Must have 2 other characters
	3	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
	4	## least two alphabetic characters, one of which must be capitalized.
9	5	echo '==================================================='
10		echo ' Patching GEN000600: Enforce more secure passwords.'
	6	echo ' Patching GEN000600: Enforce more secure passwords.'
11	7	echo '==================================================='
12	8	sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth

trunk/RHEL5/scripts/stig-fix/cat2/gen000700.sh

r110	r115
1	1	#!/bin/bash
2	2
3		## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
	3	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
4	4	## changed at least every 90 days.
5	5	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen000800.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Make the system remember the last 5 passwords a user used.
	3	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
	4	## reused within the last ten changes.
4	5	echo '==================================================='
5		echo ' Patching GEN00080~~: Disallow duplication passwords.'~~
	6	echo ' Patching GEN000800: Disallow duplication passwords.'
6	7	echo '==================================================='
7		sed -i "s/shadow/shadow remember\=5/" /etc/pam.d/system-auth
	8	sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth

trunk/RHEL5/scripts/stig-fix/cat2/gen000920.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that /root is only readable by the root user.
	3	## (GEN000920: CAT II) (Previously â G023) The SA will ensure the root account
	4	## home directory (other than â/â) has permissions of 700. Do not change the
	5	## permissions of the â/â directory to anything other than 0755.
4	6	echo '==================================================='
5		echo ' Patching GEN000920: /root is only readable by root'
	7	echo ' Patching GEN000920: /root is only readable by root'
6	8	echo '==================================================='
7	9	chmod -R 700 /root

trunk/RHEL5/scripts/stig-fix/cat2/gen000980.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# There should only be one entry in /etc/securetty
	3	## (GEN000980: CAT II) (Previously â G026) The SA will ensure root can only log
	4	## on as root from the system console, and then only when necessary to perform
	5	## system maintenance.
4	6	echo '==================================================='
5	7	echo ' Patching GEN000980: Ensure only one secure TTY.'

trunk/RHEL5/scripts/stig-fix/cat2/gen001020.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# ~~Restrict direct logins to users that are in the "users" group.~~
4		# ~~Users will have to "su" to root or other shared accounts.~~
5
	3	## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to
	4	## log on to their personal account and invoke the /bin/su - command to switch
	5	## user to root.
6	6	echo '==================================================='
7		echo ' Patching GEN001020: root privilege must be gained'
	7	echo ' Patching GEN001020: root privilege must be gained'
8	8	echo ' via switch from user account.'
9	9	echo '==================================================='
…	…
21	21	passwd CLIPUser < CLIPUserPassword
22	22
23
24	23	# Cron was previously set to use /etc/security/access.conf, which did
25	24	# nothing by default. We don't want to block root from using cron.

trunk/RHEL5/scripts/stig-fix/cat2/gen001260.sh

r106	r115
1	1	#!/bin/sh
2	2
	3	## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log
	4	## files have permissions of 640, or more restrictive.
3	5	echo '==================================================='
4		echo ' Patching GEN001260: Setting permissions of system'
	6	echo ' Patching GEN001260: Setting permissions of system'
5	7	echo ' log files.'
6	8	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen001420.sh

r110	r115
4	4	## file (or equivalent) has permissions of 400.
5	5	echo '==================================================='
6		echo 'Patching GEN001429: Set permissions of /etc/shadow'
	6	echo 'Patching GEN001420: Set permissions of /etc/shadow'
7	7	echo '==================================================='
8	8	chmod 400 /etc/shadow

trunk/RHEL5/scripts/stig-fix/cat2/gen001680.sh

r110	r115
4	4	## of run control scripts is root, sys, bin, other, or the system default.
5	5	echo '==================================================='
6		echo 'Patching GEN004680: Set group owner of run control'
	6	echo 'Patching GEN001680: Set group owner of run control'
7	7	echo ' scripts'
8	8	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen001820.sh

r110	r115
1	1	#!/bin/bash
2	2
3		## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton
4		# dot files is root or bin.
	3	## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton
	4	## dot files is root or bin.
5	5	echo '==================================================='
6	6	echo 'Patching GEN001820: Set owner of default/skel files'

trunk/RHEL5/scripts/stig-fix/cat2/gen002180.sh

r110	r115
4	4	## sgid bit set.
5	5	echo '==================================================='
6		echo 'Patching GEN002160: No shells have sgid bit set'
	6	echo 'Patching GEN002180: No shells have sgid bit set'
7	7	echo '==================================================='
8	8	for SHELL in `cat /etc/shells`; do

trunk/RHEL5/scripts/stig-fix/cat2/gen002200.sh

r110	r115
4	4	## shells is root or bin.
5	5	echo '==================================================='
6		echo 'Patching GEN002160: Set shell owners to root'
	6	echo 'Patching GEN002200: Set shell owners to root'
7	7	echo '==================================================='
8	8	for SHELL in `cat /etc/shells`; do

trunk/RHEL5/scripts/stig-fix/cat2/gen002220.sh

r112	r115
1	1	#!/bin/bash
2	2
3		## (GEN002220: CAT II) (Previously â G075) The SA will ensure all shells
4		## (excluding /dev/null and sdshell) have permissions of 755, or more
	3	## (GEN002220: CAT II) (Previously â G075) The SA will ensure all shells
	4	## (excluding /dev/null and sdshell) have permissions of 755, or more
5	5	## restrictive.
6	6	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen002320.sh

r106	r115
1	1	#!/bin/sh
2	2
	3	## (GEN002320: CAT II) (Previously â G501) The SA will ensure the audio devices
	4	## have permissions of 644, or more restrictive.
3	5	echo '==================================================='
4		echo ' Patching GEN002320: Setting permissions on audio'
	6	echo ' Patching GEN002320: Setting permissions on audio'
5	7	echo ' devices.'
6	8	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen002560.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Default umask to 077 so that newly-created files are only accessible by owner
	3	## (GEN002560: CAT II) (Previously â G089) The SA will ensure the system and
	4	## user umask is 077.
4	5	echo '==================================================='
5	6	echo ' Patching GEN002560: Set default umask.'

trunk/RHEL5/scripts/stig-fix/cat2/gen003080.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# By STIG definition, crontab files are only readable by root.
	3	## (GEN003080: CAT II) (Previously â G205) The SA will ensure crontabs have
	4	## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
	5	## is detailed in the UNIX Checklist).
4	6	echo '==================================================='
5		echo ' Patching GEN003080: Only allow root access to '
6		echo ' crontab files.'
	7	echo ' Patching GEN003080: Set permissions of crontabs'
7	8	echo '==================================================='
8	9	chmod -R 600 /etc/cron.daily

trunk/RHEL5/scripts/stig-fix/cat2/gen003480.sh

r110	r115
4	4	## group owner of the at.deny file is root.
5	5	echo '==================================================='
6		echo 'Patching GEN003680: Set owner and group owner of'
	6	echo 'Patching GEN003480: Set owner and group owner of'
7	7	echo ' the at.deny file'
8	8	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen003600.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# ~~Modify some kernel tunables to decrease risk of DoS attack~~.
	3	## (GEN003600: CAT II) The SA will ensure network parameters are securely set.
4	4	echo '==================================================='
5		echo ' Patching GEN003600: Tune kernel decreasing risk'
6		echo ' of a DoS attack.'
	5	echo ' Patching GEN003600: Set network parameters'
7	6	echo '==================================================='
8		echo "
9		# Increase the size of the unestablished connection queue
	7	echo <<EOF > /etc/sysctl.conf
	8	net.ipv4.ip_forward = 0
10	9	net.ipv4.tcp_max_syn_backlog = 1280
	10	net.ipv4.conf.all.accept_source_route =0
	11	net.ipv4.icmp_echo_ignore_broadcasts = 1
	12	EOF
11	13
12		~~# Do not respond to echo request broadcasts~~
13		~~net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf~~

trunk/RHEL5/scripts/stig-fix/cat2/gen003740.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# STIG-defined permissions for xinetd configuration files
	3	## (GEN003740: CAT II) (Previously â G108) The SA will ensure the inetd.conf
	4	## (xinetd.conf for Linux) file has permissions of 440, or more restrictive.
	5	## The Linux xinetd.d directory will have permissions of 755, or more
	6	## restrictive. This is to include any directories defined in the includedir
	7	## parameter.
4	8	echo '==================================================='
5		echo ' Patching GEN003740: Set permissions for xinetd'
	9	echo ' Patching GEN003740: Set permissions for xinetd'
6	10	echo ' configuration files.'
7	11	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen004000.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can use traceroute
	3	## (GEN004000: CAT II) (Previously â G633) The SA will ensure the traceroute
	4	## command has permissions of 700, or more restrictive.
4	5	echo '==================================================='
5		echo ' Patching GEN004000: Limit access to traceroute to'
	6	echo ' Patching GEN004000: Limit access to traceroute to'
6	7	echo ' root user only.'
7	8	echo '==================================================='

trunk/RHEL5/scripts/stig-fix/cat2/gen004500.sh

r112	r115
1	1	#!/bin/bash
2	2
3		## (GEN004500: CAT II) (Previously â G136) The SA will ensure the critical
	3	## (GEN004500: CAT II) (Previously â G136) The SA will ensure the critical
4	4	## sendmail log file has permissions of 644, or more restrictive.
5	5	echo '==================================================='
6		echo 'Patching GEN004480: Set mail log file permissions'
	6	echo 'Patching GEN004500: Set mail log file permissions'
7	7	echo '==================================================='
8	8	chmod 644 /var/log/maillog

trunk/RHEL5/scripts/stig-fix/cat2/gen004540.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Disable sendmail "help" command by emptying the help file
	3	## (GEN004540: CAT II) The SA will ensure the help sendmail command is
	4	## disabled.
4	5	echo '==================================================='
5		echo ' Patching GEN004540: Disable sendmail help.'
	6	echo ' Patching GEN004540: Disable sendmail help.'
6	7	echo '==================================================='
7	8	mv /etc/mail/helpfile /etc/mail/helpfile.bak

trunk/RHEL5/scripts/stig-fix/cat2/gen005400.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can modify syslog.conf
	3	## (GEN005400: CAT II) (Previously â G656) The SA will ensure the owner of the
	4	## /etc/syslog.conf file is root with permissions of 640, or more restrictive.
4	5	echo '==================================================='
5		echo ' Patching GEN005400: Only allow root access to '
6		echo ' syslog.conf file.'
	6	echo ' Patching GEN005400: Set syslog.conf permissions'
7	7	echo '==================================================='
	8	chown root /etc/syslog.conf
8	9	chmod 640 /etc/syslog.conf

trunk/RHEL5/scripts/stig-fix/cat2/gen006620.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# By default, deny all services from serving incoming traffic.
4		# The system administrator should edit this to enable desired daemons.
	3	## (GEN006620: CAT II) The SA will ensure an access control program (e.g.,
	4	## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to
	5	## grant or deny system access to specific hosts.
5	6	echo '==================================================='
6		echo ' Patching GEN006620: ~~Disable all services.'~~
	7	echo ' Patching GEN006620: Set hosts.deny file'
7	8	echo '==================================================='
8	9	echo "

trunk/RHEL5/scripts/stig-fix/cat2/lnx00340.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Remove unnecessary accounts from /etc/passwd
	3	## (LNX00340: CAT II) (Previously â L142) The SA will delete accounts that
	4	## provide no operational purpose, such as games or operator, and will delete
	5	## the associated software.
4	6	echo '==================================================='
5		echo ' Patching LNX00340: Disable unnecessary accounts.'
	7	echo ' Patching LNX00340: Disable unnecessary accounts.'
6	8	echo '==================================================='
7		sed -i /news/d /etc/passwd
8		sed -i /operator/d /etc/passwd
9		sed -i /games/d /etc/passwd
10		sed -i /gopher/d /etc/passwd
11		sed -i /nfsnobody/d /etc/passwd
	9	userdel news
	10	userdel operator
	11	userdel games
	12	userdel gopher
	13	userdel nfsnobody

trunk/RHEL5/scripts/stig-fix/cat2/lnx00400.sh

r114	r115
2	2
3	3	## (LNX00400: CAT II) (Previously â L044) The SA will ensure the owner of the
4		# ~~/etc/login.access or /etc/security/access.conf file is root.~~
	4	## /etc/login.access or /etc/security/access.conf file is root.
5	5	echo '==================================================='
6	6	echo 'Patching LNX00400: Set access.conf owner'

trunk/RHEL5/scripts/stig-fix/cat2/lnx00440.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can modify access.conf
	3	## (LNX00440: CAT II) (Previously â L046) The SA will ensure /etc/login.access
	4	## or /etc/security/access.conf file will be 640, or more restrictive.
4	5	echo '==================================================='
5		echo ' Patching LNX00580: Only allow root access to '
6		echo ' access.conf file.'
	6	echo ' Patching LNX00440: Set access.conf permissions'
7	7	echo '==================================================='
8	8	chmod 640 /etc/security/access.conf

trunk/RHEL5/scripts/stig-fix/cat2/lnx00520.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can use sysctl.conf
	3	## (LNX00520: CAT II) (Previously â L208) The SA will ensure the
	4	## /etc/sysctl.conf file has permissions of 600, or more restrictive.
4	5	echo '==================================================='
5		echo ' Patching LNX00520: Only allow root access to '
6		echo ' sysctl.conf file.'
	6	echo ' Patching LNX00520: Set sysctl.conf permission'
7	7	echo '==================================================='
8	8	chmod 600 /etc/sysctl.conf

trunk/RHEL5/scripts/stig-fix/cat3/gen001280.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can modify man pages
	3	## (GEN001280: CAT III) (Previously â G042) The SA will ensure all manual page
	4	## files (i.e.,files in the man and cat directories) have permissions of 644,
	5	## or more restrictive.
4	6	echo '==================================================='
5		echo ' Patching GEN001280: Only allow root access to man'
6		echo ' pages.'
	7	echo ' Patching GEN001280: Set manual page permissions'
7	8	echo '==================================================='
8	9	chmod -R 644 /usr/share/man

trunk/RHEL5/scripts/stig-fix/cat3/gen003520.sh

r106	r115
1	1	#!/bin/sh
2	2
3		# Ensure that only root can see crash logs.
	3	## (GEN003520: CAT III) The SA will ensure the owner and group owner of the
	4	## core dump data directory is root with permissions of 700, or more
	5	## restrictive.
4	6	echo '==================================================='
5		echo ' Patching GEN003520: Only allow root access to '
6		echo ' crash logs.'
	7	echo ' Patching GEN003520: Set crash log dir permissions'
7	8	echo '==================================================='
8	9	chmod -R 700 /var/crash

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.