Navigation

Changeset 120

Timestamp:

12/07/07 12:36:30 (1 year ago)

Author:

slawrence

Message:

Added/fixed STIG scripts

Files:

r113	r120
10	10	echo '==================================================='
11	11	for USERINFO in `cat /etc/shadow`; do
12		if [ -z ~~`echo $USERINFO \| cut -d: -f2`~~ ]
	12	if [ -z "`echo $USERINFO \| cut -d: -f2`" ]
13	13	then
14	14	/usr/sbin/usermod -L -s /dev/null `echo $USERINFO \| cut -d: -f1`

r115	r120
10	10	echo '==================================================='
11	11	echo "" >> /etc/inittab
12		echo "Require password in single-user mode" >> /etc/inittab
	12	echo "#Require password in single-user mode" >> /etc/inittab
13	13	echo "~:S:wait:/sbin/sulogin" >> /etc/inittab

r115	r120
18	18
19	19	# Add a User who is in the users group allowing access to the system
20		adduser -G users,wheel CLIPUser
	20	/usr/sbin/adduser -G users,wheel CLIPUser
21	21	passwd CLIPUser < CLIPUserPassword
22	22

r112	r120
6	6	echo 'Patching GEN001120: Do not allow root remote login'
7	7	echo '==================================================='
8		sed -i "/^#PermitRootLogin/ -c\
	8	sed -i "/^#PermitRootLogin/ c\
9	9	PermitRootLogin no" /etc/ssh/sshd_config

r110	r120
7	7	echo ' skeleton files'
8	8	echo '==================================================='
9		find /etc/skel -t f -exec chmod 644 '{}' \;
	9	find /etc/skel -type f -exec chmod 644 '{}' \;

r110	r120
6	6	echo 'Patching GEN002980: Set permissions of cron.allow'
7	7	echo '==================================================='
	8	touch /etc/cron.allow
8	9	chmod 600 /etc/cron.allow

r110	r120
1	1	#!/bin/bash
2	2
3		## (GEN003060: CAT II) The SA will ensure default system accounts (with the
4		## possible exception of root) will not be listed in the cron.allow file. If
5		## there is only a cron.deny file, the default accounts (with the possible
	3	## (GEN003060: CAT II) The SA will ensure default system accounts (with the
	4	## possible exception of root) will not be listed in the cron.allow file. If
	5	## there is only a cron.deny file, the default accounts (with the possible
6	6	## exception of root) will be listed there.
7	7	echo '==================================================='
8		echo 'Patching GEN003060: Limit default ~~system accounts~~'
	8	echo 'Patching GEN003060: Limit default account'
9	9	echo ' cron abilities'
10	10	echo '==================================================='
11	11	echo 'root' > /etc/cron.allow
12		echo -n > /etc/cron.deny
13		for NAME in `cut -d: -f1 /etc/passwd`; do
14		NAMEID=`id -u $NAME`
15		if [ $NAMEID -lt 500 -a $NAME != 'root' ]; then
16		echo $NAME >> /etc/cron.deny
17		fi
18		done;
	12	awk -F: '{print $1}' /etc/passwd \| grep -v root > /etc/cron.deny

r115	r120
5	5	echo ' Patching GEN003600: Set network parameters'
6	6	echo '==================================================='
7		~~echo~~ <<EOF > /etc/sysctl.conf
	7	cat <<EOF > /etc/sysctl.conf
8	8	net.ipv4.ip_forward = 0
9	9	net.ipv4.tcp_max_syn_backlog = 1280

r115	r120
7	7	echo ' root user only.'
8	8	echo '==================================================='
9		chmod 700 /usr/sbin/traceroute
	9	whereis traceroute \| cut -d " " -f 2 \| xargs chmod 700

r115	r120
7	7	echo ' Patching LNX00340: Disable unnecessary accounts.'
8	8	echo '==================================================='
9		userdel news
10		userdel operator
11		userdel games
12		userdel gopher
13		userdel nfsnobody
	9	/usr/sbin/userdel news
	10	/usr/sbin/userdel operator
	11	/usr/sbin/userdel games
	12	/usr/sbin/userdel gopher
	13	/usr/sbin/userdel nfsnobody

r112	r120
9	9	FILES="/etc/profile /etc/bashrc /etc/environment"
10	10	for FILE in $FILES; do
11		echo "mesg -n" >> $FILE
	11	echo "mesg n" >> $FILE
12	12	done;

r115	r120
6	6	echo 'Patching GEN003860: Disable finger daemon'
7	7	echo '==================================================='
8		chkconfig finger off
	8	/sbin/chkconfig finger off

* Generating other formats may take time.