Changeset 121

Show
Ignore:
Timestamp:
12/07/07 13:12:17 (1 year ago)
Author:
slawrence
Message:

Copied STIG scripts to RHEL4 and RHEL5.1

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • trunk/RHEL4/scripts/stig-fix/cat1/gen004640.sh

    r105 r121  
    11#!/bin/sh 
    22 
     3## (GEN004640: CAT I) (Previously – V126) The SA will ensure the decode entry 
     4## is disabled (deleted or commented out) from the alias file. 
    35echo '===================================================' 
    4 echo 'Patching Gen004640: Disable decode in alias file' 
    5 echo '==================================================='  
     6echo 'Patching GEN004640: Disable decode in alias file' 
     7echo '===================================================' 
    68sed --in-place s/^decode\:/\#decode\:/ /etc/aliases 

  • trunk/RHEL4/scripts/stig-fix/cat1/lnx00320.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 #Remove unnecessary privileged users from /etc/passwd 
     3## (LNX00320: CAT I) (Previously – L140) The SA will delete accounts that 
     4## provide a special privilege such as shutdown and halt. 
    45echo '===================================================' 
    56echo 'Patching LNX00320: Deleting accounts providing' 
    6 echo '                  special privilege.' 
     7echo '                  special privilege.' 
    78echo '===================================================' 
    8 sed -i /shutdown/d /etc/passwd 
    9 sed -i /halt/d /etc/passwd 
    10 sed -i /sync/d /etc/passwd 
    11 sed -i /operator/d /etc/passwd 
     9/usr/sbin/userdel shutdown 
     10/usr/sbin/userdel halt 
     11/usr/sbin/userdel sync 

  • trunk/RHEL4/scripts/stig-fix/cat1/lnx00580.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Disable CTRL-ALT-DEL on the system 
     3## (LNX00580: CAT I) (Previously – L222) The SA will disable the 
     4## Ctrl-Alt-Delete sequence unless the system is located in a controlled 
     5## access area accessible only by SAs. 
    46echo '===================================================' 
    5 echo ' Patching LNX00580: Disable CTRL-ALT-DELETE'  
     7echo ' Patching LNX00580: Disable CTRL-ALT-DELETE' 
    68echo '===================================================' 
    79sed --in-place s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/ /etc/inittab 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000020.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Put a password on single-user mode 
     3## (GEN000020: CAT II) (Previously – G001) The IAO and SA will ensure, if 
     4## configurable, the UNIX host is configured to require a password for access 
     5## to single-user and maintenance modes. 
    46echo '===================================================' 
    57echo ' Patching GEN000020: Configuring Password for' 
    68echo '                     single-user and maintenance' 
    7 echo '                     modes.'  
     9echo '                     modes.' 
    810echo '===================================================' 
    911echo "" >> /etc/inittab 
    10 echo "Require password in single-user mode" >> /etc/inittab 
     12echo "#Require password in single-user mode" >> /etc/inittab 
    1113echo "~:S:wait:/sbin/sulogin" >> /etc/inittab 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000400.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Change banner for local logins 
    4 # This can be modified as long as it still meets STIG requirement GEN000420. 
    5 # Namely, the banner must advise that: 
    6 # - The system is a DOD system. 
    7 # - The system is subject to monitoring. 
    8 # - Monitoring is authorized in accordance with applicable laws and 
    9 #   regulations and conducted for purposes of systems management and 
    10 #   protection, protection against improper or unauthorized use or access, 
    11 #   and verification of applicable security features or procedures. 
    12 # - Use of the system constitutes consent to monitoring 
    13 # - This system is for authorized US government use only. 
     3## (GEN000400: CAT II) (Previously – G010) The SA will ensure a logon-warning banner is 
     4## displayed on all devices and sessions at the initial logon. 
    145echo '===================================================' 
    15 echo ' Patching GEN000400: Providing logon-warning banner'  
     6echo ' Patching GEN000400: Providing logon-warning banner' 
    167echo '===================================================' 
    178echo "THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM.  THIS COMPUTER SYSTEM, 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000440.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Make syslog log all authentication information 
     3## (GEN000440: CAT II) (Previously – G012) The SA will ensure all logon attempts (both 
     4## successful and unsuccessful) are logged to a system log file. 
    45echo '===================================================' 
    5 echo ' Patching GEN00440: ensuring logon attempts logged.' 
     6echo ' Patching GEN000440: ensuring logon attempts logged.' 
    67echo '===================================================' 
    78echo " 
    89# Log all authentication information 
    9 auth.*                                                                                                                         /var/log/authlog" >> /etc/syslog.conf 
     10auth.*                                                                  /var/log/authlog" >> /etc/syslog.conf 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000460.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Lock a user out after 3 failed logins 
     3## (GEN000460: CAT II) (Previously – G013) The SA will ensure, after three consecutive 
     4## failed logon attempts for an account, the account is locked for 15 minutes or until 
     5## the SA unlocks the account. 
    46echo '===================================================' 
    5 echo ' Patching GEN000460: Disable after 3 consecutive'  
     7echo ' Patching GEN000460: Disable after 3 consecutive' 
    68echo '                     failed attempts per account' 
    79echo '===================================================' 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000480.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Make the system wait 4 seconds after a failed login attempt. 
    4 # Slows brute-forcing of passwords. 
     3## (GEN000480: CAT II) (Previously – G015) The SA will ensure the logon delay between 
     4## logon prompts after a failed logon is set to at least four seconds. 
    55echo '===================================================' 
    6 echo ' Patching GEN000480: Set logon delay to 4 seconds.'  
     6echo ' Patching GEN000480: Set logon delay to 4 seconds.' 
    77echo '===================================================' 
    88echo " 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000580.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Set minimum password length to 8 characters. 
     3## (GEN000580: CAT II) (Previously – G019) The IAO will ensure all passwords contain a 
     4## minimum of eight characters. 
    45echo '===================================================' 
    5 echo ' Patching GEN000580: Set minimum Password length.'  
     6echo ' Patching GEN000580: Set minimum Password length.' 
    67echo '===================================================' 
    78sed --in-place "s/PASS_MIN_LEN[ \t]*[0-9]*/PASS_MIN_LEN\t8/" /etc/login.defs 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000600.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Enforce stricter password standards. 
    4 # - Minimum length is now 9 
    5 # - Must have 2 upper-case letters 
    6 # - Must have 2 lower-case letters 
    7 # - Must have 2 digits 
    8 # - Must have 2 other characters 
     3## (GEN000600: CAT II) (Previously – G019) The IAO will ensure passwords include at 
     4## least two alphabetic characters, one of which must be capitalized. 
    95echo '===================================================' 
    10 echo ' Patching GEN000600: Enforce more secure passwords.'  
     6echo ' Patching GEN000600: Enforce more secure passwords.' 
    117echo '===================================================' 
    128sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000800.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Make the system remember the last 10 passwords a user used. 
     3## (GEN000800: CAT II) (Previously – G606) The SA will ensure passwords will not be 
     4## reused within the last ten changes. 
    45echo '===================================================' 
    5 echo ' Patching GEN00080: Disallow duplication passwords.'  
     6echo ' Patching GEN000800: Disallow duplication passwords.' 
    67echo '===================================================' 
    78sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000920.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that /root is only readable by the root user. 
     3## (GEN000920: CAT II) (Previously – G023) The SA will ensure the root account 
     4## home directory (other than ‘/’) has permissions of 700. Do not change the 
     5## permissions of the ‘/’ directory to anything other than 0755. 
    46echo '===================================================' 
    5 echo ' Patching GEN000920: /root is only readable by root'  
     7echo ' Patching GEN000920: /root is only readable by root' 
    68echo '===================================================' 
    79chmod -R 700 /root 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen000980.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # There should only be one entry in /etc/securetty 
     3## (GEN000980: CAT II) (Previously – G026) The SA will ensure root can only log 
     4## on as root from the system console, and then only when necessary to perform 
     5## system maintenance. 
    46echo '===================================================' 
    57echo ' Patching GEN000980: Ensure only one secure TTY.'  

  • trunk/RHEL4/scripts/stig-fix/cat2/gen001020.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Restrict direct logins to users that are in the "users" group. 
    4 # Users will have to "su" to root or other shared accounts. 
    5  
     3## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to 
     4## log on to their personal account and invoke the /bin/su - command to switch 
     5## user to root. 
    66echo '===================================================' 
    7 echo ' Patching GEN001020: root privilege must be gained'  
     7echo ' Patching GEN001020: root privilege must be gained' 
    88echo '                     via switch from user account.' 
    99echo '===================================================' 
     
    1818 
    1919# Add a User who is in the users group allowing access to the system 
    20 adduser -G users,wheel CLIPUser 
     20/usr/sbin/adduser -G users,wheel CLIPUser 
    2121passwd CLIPUser < CLIPUserPassword 
    22  
    2322 
    2423# Cron was previously set to use /etc/security/access.conf, which did 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen001260.sh

    r105 r121  
    11#!/bin/sh 
    22 
     3## (GEN001260: CAT II) (Previously – G037) The SA will ensure all system log 
     4## files have permissions of 640, or more restrictive. 
    35echo '===================================================' 
    4 echo ' Patching GEN001260: Setting permissions of system'  
     6echo ' Patching GEN001260: Setting permissions of system' 
    57echo '                     log files.' 
    68echo '===================================================' 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen002320.sh

    r105 r121  
    11#!/bin/sh 
    22 
     3## (GEN002320: CAT II) (Previously – G501) The SA will ensure the audio devices 
     4## have permissions of 644, or more restrictive. 
    35echo '===================================================' 
    4 echo ' Patching GEN002320: Setting permissions on audio'  
     6echo ' Patching GEN002320: Setting permissions on audio' 
    57echo '                     devices.' 
    68echo '===================================================' 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen002560.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Default umask to 077 so that newly-created files are only accessible by owner 
     3## (GEN002560: CAT II) (Previously – G089) The SA will ensure the system and 
     4## user umask is 077. 
    45echo '===================================================' 
    56echo ' Patching GEN002560: Set default umask.' 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen002680.sh

    r105 r121  
    1 #!/bin/sh 
     1#!/bin/bash 
    22 
     3## (GEN002680: CAT II) (Previously – G094) The SA will ensure audit data files 
     4## and directories will be readable only by personnel authorized by the IAO. 
    35echo '===================================================' 
    4 echo ' Patching GEN002680: Setting permissions on: '  
    5 echo '                     /etc/security/audit_control' 
     6echo 'Patching GEN002680: Set audit directory permissions' 
    67echo '===================================================' 
    7 chmod 600 /etc/security/audit_control 
     8chmod 700 /var/log/audit 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen003080.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # By STIG definition, crontab files are only readable by root. 
     3## (GEN003080: CAT II) (Previously – G205) The SA will ensure crontabs have 
     4## permissions of 600, or more restrictive, (700 for some Linux crontabs, which 
     5## is detailed in the UNIX Checklist). 
    46echo '===================================================' 
    5 echo ' Patching GEN003080: Only allow root access to '  
    6 echo '                     crontab files.' 
     7echo ' Patching GEN003080: Set permissions of crontabs' 
    78echo '===================================================' 
    89chmod -R 600 /etc/cron.daily 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen003320.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Default system accounts are not to be run as at jobs. 
     3## (GEN003320: CAT II) (Previously – G213) The SA will ensure default system  
     4## accounts (with the possible exception of root) are not listed in the  
     5## at.allow file. If there is only an at.deny file, the default accounts  
     6## (with the possible exception of root) will be listed there. 
    47echo '===================================================' 
    5 echo ' Patching GEN003320: Disallow system account access'  
    6 echo '                     as at jobs.' 
     8echo ' Patching GEN003320: Only root may be in at.allow'  
    79echo '===================================================' 
    8 echo "daemon 
    9 bin 
    10 adm 
    11 uucp 
    12 lp 
    13 news 
    14 nobody 
    15 ftp 
    16 sshd 
    17 smmsp" > /etc/at.deny 
     10echo "root" > /etc/at.allow 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen003600.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Modify some kernel tunables to decrease risk of DoS attack
     3## (GEN003600: CAT II) The SA will ensure network parameters are securely set
    44echo '===================================================' 
    5 echo ' Patching GEN003600: Tune kernel decreasing risk'  
    6 echo '                     of a DoS attack.' 
     5echo ' Patching GEN003600: Set network parameters'  
    76echo '===================================================' 
    8 echo " 
    9 # Increase the size of the unestablished connection queue 
     7cat <<EOF > /etc/sysctl.conf 
     8net.ipv4.ip_forward     = 0 
    109net.ipv4.tcp_max_syn_backlog = 1280 
     10net.ipv4.conf.all.accept_source_route =0 
     11net.ipv4.icmp_echo_ignore_broadcasts = 1 
     12EOF 
    1113 
    12 # Do not respond to echo request broadcasts 
    13 net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen003740.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # STIG-defined permissions for xinetd configuration files 
     3## (GEN003740: CAT II) (Previously – G108) The SA will ensure the inetd.conf 
     4## (xinetd.conf for Linux) file has permissions of 440, or more restrictive. 
     5## The Linux xinetd.d directory will have permissions of 755, or more 
     6## restrictive. This is to include any directories defined in the includedir 
     7## parameter. 
    48echo '===================================================' 
    5 echo ' Patching GEN003740: Set permissions for xinetd'  
     9echo ' Patching GEN003740: Set permissions for xinetd' 
    610echo '                     configuration files.' 
    711echo '===================================================' 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen004000.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can use traceroute 
     3## (GEN004000: CAT II) (Previously – G633) The SA will ensure the traceroute 
     4## command has permissions of 700, or more restrictive. 
    45echo '===================================================' 
    5 echo ' Patching GEN004000: Limit access to traceroute to'  
     6echo ' Patching GEN004000: Limit access to traceroute to' 
    67echo '                     root user only.' 
    78echo '===================================================' 
    8 chmod 700 /usr/sbin/traceroute 
     9whereis traceroute | cut -d " " -f 2 | xargs chmod 700 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen004540.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Disable sendmail "help" command by emptying the help file 
     3## (GEN004540: CAT II) The SA will ensure the help sendmail command is 
     4## disabled. 
    45echo '===================================================' 
    5 echo ' Patching GEN004540: Disable sendmail help.'  
     6echo ' Patching GEN004540: Disable sendmail help.' 
    67echo '===================================================' 
    78mv /etc/mail/helpfile /etc/mail/helpfile.bak 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen005400.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can modify syslog.conf 
     3## (GEN005400: CAT II) (Previously – G656) The SA will ensure the owner of the 
     4## /etc/syslog.conf file is root with permissions of 640, or more restrictive. 
    45echo '===================================================' 
    5 echo ' Patching GEN005400: Only allow root access to '  
    6 echo '                     syslog.conf file.' 
     6echo ' Patching GEN005400: Set syslog.conf permissions' 
    77echo '===================================================' 
     8chown root /etc/syslog.conf 
    89chmod 640 /etc/syslog.conf 

  • trunk/RHEL4/scripts/stig-fix/cat2/gen006620.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # By default, deny all services from serving incoming traffic. 
    4 # The system administrator should edit this to enable desired daemons. 
     3## (GEN006620: CAT II) The SA will ensure an access control program (e.g., 
     4## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to 
     5## grant or deny system access to specific hosts. 
    56echo '===================================================' 
    6 echo ' Patching GEN006620: Disable all services.'  
     7echo ' Patching GEN006620: Set hosts.deny file' 
    78echo '===================================================' 
    89echo " 

  • trunk/RHEL4/scripts/stig-fix/cat2/lnx00340.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Remove unnecessary accounts from /etc/passwd 
     3## (LNX00340: CAT II) (Previously – L142) The SA will delete accounts that 
     4## provide no operational purpose, such as games or operator, and will delete 
     5## the associated software. 
    46echo '===================================================' 
    5 echo ' Patching LNX00340: Disable unnecessary accounts.'  
     7echo ' Patching LNX00340: Disable unnecessary accounts.' 
    68echo '===================================================' 
    7 sed -i /news/d /etc/passwd 
    8 sed -i /operator/d /etc/passwd 
    9 sed -i /games/d /etc/passwd 
    10 sed -i /gopher/d /etc/passwd 
    11 sed -i /nfsnobody/d /etc/passwd 
     9/usr/sbin/userdel news 
     10/usr/sbin/userdel operator 
     11/usr/sbin/userdel games 
     12/usr/sbin/userdel gopher 
     13/usr/sbin/userdel nfsnobody 

  • trunk/RHEL4/scripts/stig-fix/cat2/lnx00440.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can modify access.conf 
     3## (LNX00440: CAT II) (Previously – L046) The SA will ensure /etc/login.access 
     4## or /etc/security/access.conf file will be 640, or more restrictive. 
    45echo '===================================================' 
    5 echo ' Patching LNX00580: Only allow root access to '  
    6 echo '                    access.conf file.' 
     6echo ' Patching LNX00440: Set access.conf permissions' 
    77echo '===================================================' 
    88chmod 640 /etc/security/access.conf 

  • trunk/RHEL4/scripts/stig-fix/cat2/lnx00520.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can use sysctl.conf 
     3## (LNX00520: CAT II) (Previously – L208) The SA will ensure the 
     4## /etc/sysctl.conf file has permissions of 600, or more restrictive. 
    45echo '===================================================' 
    5 echo ' Patching LNX00520: Only allow root access to '  
    6 echo '                    sysctl.conf file.' 
     6echo ' Patching LNX00520: Set sysctl.conf permission' 
    77echo '===================================================' 
    88chmod 600 /etc/sysctl.conf 

  • trunk/RHEL4/scripts/stig-fix/cat3/gen001280.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can modify man pages 
     3## (GEN001280: CAT III) (Previously – G042) The SA will ensure all manual page 
     4## files (i.e.,files in the man and cat directories) have permissions of 644, 
     5## or more restrictive. 
    46echo '===================================================' 
    5 echo ' Patching GEN001280: Only allow root access to man'  
    6 echo '                     pages.' 
     7echo ' Patching GEN001280: Set manual page permissions' 
    78echo '===================================================' 
    89chmod -R 644 /usr/share/man 

  • trunk/RHEL4/scripts/stig-fix/cat3/gen003520.sh

    r105 r121  
    11#!/bin/sh 
    22 
    3 # Ensure that only root can see crash logs. 
     3## (GEN003520: CAT III) The SA will ensure the owner and group owner of the 
     4## core dump  data directory is root with permissions of 700, or more 
     5## restrictive. 
    46echo '===================================================' 
    5 echo ' Patching GEN003520: Only allow root access to '  
    6 echo '                     crash logs.' 
     7echo ' Patching GEN003520: Set crash log dir permissions' 
    78echo '===================================================' 
    89chmod -R 700 /var/crash 

  • trunk/RHEL4/scripts/stig-fix/run-fixes.sh

    r105 r121  
    77echo 'Patching Cat III Secuity issues' 
    88for i in `ls cat3`; do cat3/$i; done; 
     9echo 'Patching Cat IV Secuity issues' 
     10for i in `ls cat4`; do cat4/$i; done; 
     11 
    912echo "run-fixes.sh completed" >> /root/stig-fixes-run.txt 

  • trunk/RHEL5.1/scripts/stig-fix/cat1/gen000560.sh

    r113 r121  
    1010echo '===================================================' 
    1111for USERINFO in `cat /etc/shadow`; do 
    12         if [ -z `echo $USERINFO | cut -d: -f2`
     12        if [ -z "`echo $USERINFO | cut -d: -f2`"
    1313        then 
    1414                /usr/sbin/usermod -L -s /dev/null `echo $USERINFO | cut -d: -f1`  

  • trunk/RHEL5.1/scripts/stig-fix/cat1/lnx00320.sh

    r115 r121  
    77echo '                   special privilege.' 
    88echo '===================================================' 
    9 userdel shutdown 
    10 userdel halt 
    11 userdel sync 
     9/usr/sbin/userdel shutdown 
     10/usr/sbin/userdel halt 
     11/usr/sbin/userdel sync 

  • trunk/RHEL5.1/scripts/stig-fix/cat2/gen000020.sh

    r115 r121  
    1010echo '===================================================' 
    1111echo "" >> /etc/inittab 
    12 echo "Require password in single-user mode" >