Navigation

← Previous Changeset
Next Changeset →

Changeset 135

Timestamp:

12/11/07 16:16:46 (1 year ago)

Author:

slawrence

Message:

Fixed/formatted kickstart file

Files:

trunk/RHEL5.1/kickstart/clip.ks (modified) (19 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.1/kickstart/clip.ks

r130	r135
1	1	## Version .02 Feburary 2007 ##
2		#
	2	#
3	3	# Date Created : 2007-02-06 #
4	4	#
…	…
277	277	rpm --import /usr/share/rhn/RPM-GPG-KEY
278	278
279		#
	279
	280
	281
	282
	283	##########################################################################
280	284	# DCID 6/3 PL4
281		#
282		# 4.B.4 Protection Level 4
	285	##########################################################################
	286
	287	## 4.B.4 Protection Level 4
	288
283	289	# 4.B.4.a(1)
284		#
285		# KickStart Actions: None - PROCEDURAL REQUIREMENT
286
287		#
288		# 4.B.4.a(1)(a)
289		# KickStart Actions: None - PROCEDURAL REQUIREMENT
290
291		#
292		# 4.B.4.a(1)(b)
293		# KickStart Actions: None - PROCEDURAL REQUIREMENT
294
295		#
	290	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	291
	292	# 4.B.4.a(1)(a)
	293	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	294
	295	# 4.B.4.a(1)(b)
	296	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	297
	298
296	299	# 4.B.4.a(2)
297	300	# KickStart Actions: All ext3 file systmes have been mounted with the ACL
…	…
301	304	# the mounting of each file system (/etc/fstab).
302	305
303		#
304		# GEN002420
305		echo "Locking down GEN002420"
306
	306
	307	## (GEN002420: CAT II) (Previously â G086) The SA will ensure user filesystems,
	308	## removable media, and remote filesystems will be mounted with the nosuid
	309	## option.
307	310	FSTAB=/etc/fstab
308	311	SED=/bin/sed
…	…
312	315	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
313	316	fi
314
315	317	#nosuid and acl on /sys
316	318	if [ $(grep " \/sys " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
…	…
318	320	${SED} -i "s/$ \/sys.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
319	321	fi
320
321	322	#nosuid and acl on /boot
322	323	if [ $(grep " \/boot " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
…	…
324	325	${SED} -i "s/$ \/boot.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
325	326	fi
326
327	327	#nodev and acl on /usr
328	328	if [ $(grep " \/usr " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
…	…
330	330	${SED} -i "s/$ \/usr.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
331	331	fi
332
333	332	#nodev and acl on /home
334	333	if [ $(grep " \/home " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
…	…
336	335	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
337	336	fi
338
339	337	#nodev and acl on /usr/local
340	338	if [ $(grep " \/usr\/local " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
…	…
342	340	${SED} -i "s/$ \/usr\/local.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
343	341	fi
344		echo "GEN002420 Complete"
345		#
346
347		#
348		# 4.B.4a(3)
	342
	343
	344	# 4.B.4.a(3)
349	345	# KickStart Actions: None - CLIP policy specific
350		#
351		#
352		# 4.B.4a(4)
	346
	347
	348	# 4.B.4.a(4)
353	349	# KickStart Actions:
354		#
355		#
356		~~# 4.B.4a(4)(a)~~
357		# KickStart Actions:
358		#
359		~~# 4.B.4a(4)(b)~~
360		# KickStart Actions:
361		#
362		~~# 4.B.4a(4)(c)~~
363		# KickStart Actions:
364		#
365		~~# 4.B.4a(4)(d)~~
366		# KickStart Actions:
367		#
368		~~# 4.B.4a(4)(e)~~
369		# KickStart Actions:
370		#
371		~~# 4.B.4a(4)(e)1.~~
372		# KickStart Actions:
373		#
374		~~# 4.B.4a(4)(e)2.~~
375		# KickStart Actions:
376		#
	350
	351	# 4.B.4.a(4)(a)
	352	# KickStart Actions:
	353
	354	# 4.B.4.a(4)(b)
	355	# KickStart Actions:
	356
	357	# 4.B.4.a(4)(c)
	358	# KickStart Actions:
	359
	360	# 4.B.4.a(4)(d)
	361	# KickStart Actions:
	362
	363	# 4.B.4.a(4)(e)
	364	# KickStart Actions:
	365
	366	# 4.B.4.a(4)(e)1.
	367	# KickStart Actions:
	368
	369	# 4.B.4.a(4)(e)2.
	370	# KickStart Actions:
	371
	372
377	373	# 4.B.4.a(5)
378	374	# KickStart Actions: None - PROCEDURAL REQUIREMENT
379		#
380		#
381		# 4.B.4.a(5)(a)
382		# KickStart Actions: None - PROCEDURAL REQUIREMENT
383		#
384		#
385		# 4.B.4.a(5)(b)
386		# KickStart Actions: None - PROCEDURAL REQUIREMENT
387		#
388		#
389		# 4.B.4.a(5)(c)
390		# KickStart Actions: None - PROCEDURAL REQUIREMENT
391
392		#
393		# 4.B.4.a(5)(d)
394		# KickStart Actions: None - PROCEDURAL REQUIREMENT
395		#
396		#
397		#(FOUO)
398		#4.B.4.a(5)(e)
399		#KickStart Actions: None - PROCEDURAL REQUIREMENT
400		#
401		#
	375
	376	# 4.B.4.a(5)(a)
	377	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	378
	379	# 4.B.4.a(5)(b)
	380	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	381
	382	# 4.B.4.a(5)(c)
	383	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	384
	385	# 4.B.4.a(5)(d)
	386	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	387
	388	#(FOUO)
	389	#4.B.4.a(5)(e)
	390	#KickStart Actions: None - PROCEDURAL REQUIREMENT
	391
	392
	393
402	394	# 4.B.4.a(6)
403	395	# KickStart Actions: None
404		#
405		# 4.B.4.a(6)(a)
406		# KickStart Actions: None
407		#
408		#
409		# 4.B.4.a(6)(b)
410		# KickStart Actions: Reset the permissions of /etc/syslog.conf to 640 and set
411		# /var/{run,log}/{wtmp,utmp} files to 664.
412		#
413		# GEN005400
414		# Reset the permissions to a DISA-blessed rw-r-----
415		echo "Locking down GEN005400"
416		chmod 640 /etc/syslog.conf
417		echo "GEN005400 Complete"
418		#
419		# GEN001260
420		echo "Locking down GEN001260"
421		perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
422		echo "GEN001260 Complete"
423		#
424		# 4.B.4.a(6)(c)
425		# KickStart Actions: Log rotation to 90 days (12 weeks) and turn compression on.
426		# This will have to up'd if system does not retain backups
427		# for 5 years (e.g., tape backup).
428		#
429		for logconf in `ls -1 /etc/logrotate.conf`
430		do
431		perl -npe 's/rotate\s+4/rotate 12/' -i $logconf
432		perl -npe 's/\#compress/compress/' -i $logconf
433		done
434		#
435		# GEN002860 (G674)
436		# Rotate the audit-logs on a daily basis--keep them all
437		cat <<EOF > /etc/logrotate.d/audit
438		/var/log/audit/audit.log
439		{
440		daily
441		notifempty
442		missingok
443		postrotate
444		/sbin/service auditd restart 2> /dev/null > /dev/null \|\| true
445		endscript
446		}
447		EOF
448		echo "GEN002860 Complete"
449		#
450		# 4.B.4.a(6)(d)
451		# KickStart Actions: Turn on the Audit Daemon and set permissions
452		#
453		# GEN002660
454		# Turn on the Audit Daemon
455		echo "Locking down GEN002660"
456		chkconfig auditd on
457		echo "GEN002660 Complete"
458		#
459		# GEN002680 (G094)
460		# Reset permissions on audit logs
461		echo "Locking down GEN002680"
462		chmod 700 /var/log/audit
463		chmod 600 /var/log/audit/*
464		echo "GEN002680 Complete"
465		#
466		#
467		# 4.B.4.a(6)(d)(1)
468		# KickStart Actions: None, This is met with the /var/log/wtmp and
469		# /var/log/utmp files. Permissions have been set
470		# correctly above.
471		# See Section 4.B.4.a(6)(d)(2)
472		#
473		# 4.B.4.a(6)(d)(2)
474		# KickStart Actions: This will require refinement.
475		# Commented rules do not insert w/o an error.
476		#
477		cat <<EOF > /etc/audit.rules
478
479		## Remove any existing rules
480		-D
481		## Increase buffer size to handle the increased number of messages.
482		## Feel free to increase this if the machine panic's
483		-b 8192
484		## Set failure mode to panic
485		# -f 2
486		#
487		# GEN002720
488		## Audits for failed attempts to access files and programs.
489		echo "Locking down GEN002720"
490
491		-a exit,always -S mknod -F success=0
492		-a exit,possible -S open -F success=0
493		-a exit,possible -S pipe -F success=0
494		-a exit,possible -S mkdir -F success=0
495		-a exit,possible -S creat -F success=0
496		#LEAK
497		# MOD
498		-a exit,possible -S truncate -F success=0
499		-a exit,possible -S truncate64 -F success=0
500		-a exit,possible -S ftruncate -F success=0
501		-a exit,possible -S ftruncate64 -F success=0
502		#
503		echo "GEN002720 Complete"
504		#
505		# GEN002740
506		## Audit for files and programs deleted by user
507		echo "Locking down GEN002740"
508		-a exit,possible -S unlink -F success!=0
509		-a exit,possible -S rmdir -F success!=0
510		-a exit,possible -w /bin/rm -F success=0 -F success!=0
511		-a exit,possible -S rename -F success!=0
512		#
513		echo "GEN002740 Complete"
514		#
515		# GEN002760
516		echo "Locking down GEN002760"
517		## Audit all administrative actions
518		# AUD_it
519		# Backup_export
520		# Dev_change
521		# Dev_configure
522		# Dev_create
523		-a exit,possible -S chown -F success!=0
524		-a exit,possible -S chown32 -F success!=0
525		-a exit,possible -S fchown -F success!=0
526		-a exit,possible -S fchown32 -F success!=0
527		-a exit,possible -S lchown -F success!=0
528		-a exit,possible -S lchown32 -F success!=0
529		-a exit,always -S chroot -F success!=0
530		-a exit,always -S mount -F success=0 -F success!=0
531		-a exit,always -S umount -F success=0 -F success!=0
532		-a exit,always -S umount2 -F success=0 -F success!=0
533		-a exit,always -w /usr/sbin/pwck -F success=0 -F success!=0
534		-a exit,always -S adjtimex -F success!=0
535		-a exit,always -S settimeofday -F success!=0
536		-a exit,always -S kill -F success=0 -F success!=0
537		#
538		#Proc_privilege
539		-a exit,always -w /bin/chgrp -F success=0 -F success!=0
540		-a exit,always -w /usr/bin/newgrp -F success=0 -F success!=0
541		-a exit,always -w /usr/sbin/groupadd -F success=0 -F success!=0
542		-a exit,always -w /usr/sbin/groupmod -F success=0 -F success!=0
543		-a exit,always -w /usr/sbin/groupdel -F success=0 -F success!=0
544		# Restore imports
545		#
546		# TCBCK_delete
547		-a exit,possible -w /usr/sbin/useradd -F success=0 -F success!=0
548		-a exit,possible -w /usr/sbin/userdel -F success=0 -F success!=0
549		-a exit,possible -w /usr/sbin/usermod -F success=0 -F success!=0
550		-a exit,possible -w /usr/bin/chage -F success=0 -F success!=0
551		-a exit,possible -S reboot -F success!=0
552		# User_setenv
553		#
554		echo "GEN002760 Complete"
555
556		##
557		## 4.B.4.a(6)(d)(1)
558		#
559		# GEN002780
560		echo "Locking down GEN002780"
561		## Audit all security actions
562		-w /bin/login -p x
563		-a exit,possible -w /bin/logout -F success!=0
564		-a exit,possible -S init_module -F success!=0
565		-a exit,possible -S delete_module -F success!=0
566		-a exit,possible -w /bin/su -F success!=0
567		#
568		echo "GEN002780 Complete"
569		#
570		# GEN002800
571		echo "Locking down GEN002800"
572		## Audit use of privileged commands
573		-a exit,possible -w /usr/bin/setfacl -F success=0 -F success!=0
574		-a exit,possible -w /usr/bin/chacl -F success=0 -F success!=0
575		-a exit,possible -S chmod -F success=0 -F success!=0
576		-a exit,possible -S fchmod -F success=0 -F success!=0
577		-a exit,possible -S link -F success=0 -F success!=0
578		-a exit,possible -S symlink -F success=0 -F success!=0
579		# Proc_realgid
580		# Proc_setuserids
581		#
582		echo "GEN002800 Complete"
583		#
584		## ???????????
585		## Audit application and session initiation
586		## Proc_Delete
587		#
588		# ????????????
589		EOF
590		#
591		# 4.B.4.a(6)(d)(3)
592		# KickStart Actions: All authentication attemps will be monitored
593		# in /var/log/messages.
594		#
595		# GEN003660
596		echo "Locking down GEN003660"
597		echo "auth.notice /var/log/messages" >> /etc/syslog.conf
598		echo "GEN003660 Complete"
599		#
600		#
	396
	397	# 4.B.4.a(6)(a)
	398	# KickStart Actions: None
	399
	400	# 4.B.4.a(6)(b)
	401	# KickStart Actions: Reset the permissions of /etc/syslog.conf to 640 and set
	402	# /var/{run,log}/{wtmp,utmp} files to 664.
	403
	404	## (GEN005400: CAT II) (Previously â G656) The SA will ensure the owner of the
	405	## /etc/syslog.conf file is root with permissions of 640, or more restrictive.
	406	chown root /etc/syslog.conf
	407	chmod 640 /etc/syslog.conf
	408
	409	## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log
	410	## files have permissions of 640, or more restrictive.
	411	## TODO: Is this correct?
	412	perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
	413
	414	# 4.B.4.a(6)(c)
	415	# KickStart Actions: Log rotation to 90 days (12 weeks) and turn compression on.
	416	# This will have to up'd if system does not retain backups
	417	# for 5 years (e.g., tape backup).
	418
	419	for logconf in `ls -1 /etc/logrotate.conf`
	420	do
	421	perl -npe 's/rotate\s+4/rotate 12/' -i $logconf
	422	perl -npe 's/\#compress/compress/' -i $logconf
	423	done
	424
	425	## (GEN002860: CAT II) (Previously â G674) The SA and/or IAO will ensure old
	426	## audit logs are closed and new audit logs are started daily.
	427	cat <<-EOF > /etc/logrotate.d/audit
	428	/var/log/audit/audit.log
	429	{
	430	daily
	431	notifempty
	432	missingok
	433	postrotate
	434	/sbin/service auditd restart 2> /dev/null > /dev/null \|\| true
	435	endscript
	436	}
	437	EOF
	438
	439	# 4.B.4.a(6)(d)
	440	# KickStart Actions: Turn on the Audit Daemon and set permissions
	441
	442	## (GEN002660: CAT II) (Previously â G093) The SA will configure and implement
	443	## auditing.
	444	chkconfig auditd on
	445
	446	## (GEN002680: CAT II) (Previously â G094) The SA will ensure audit data files
	447	## and directories will be readable only by personnel authorized by the IAO.
	448	chmod 700 /var/log/audit
	449
	450	## (GEN002700: CAT I) (Previously â G095) The SA will ensure audit data files
	451	## have permissions of 640, or more restrictive.
	452	chmod 600 /var/log/audit/*
	453
	454	# 4.B.4.a(6)(d)(1)
	455	# KickStart Actions: None, This is met with the /var/log/wtmp and
	456	# /var/log/utmp files. Permissions have been set
	457	# correctly above.
	458	# See Section 4.B.4.a(6)(d)(2)
	459
	460	# 4.B.4.a(6)(d)(2)
	461	# KickStart Actions: This will require refinement.
	462	# Commented rules do not insert w/o an error.
	463
	464	## (GEN002720-GEN002840: CAT II) (Previously â G100-G106) The SA will configure the
	465	## auditing system to audit the following events for all users and root:
	466	## FIXME: This should be split up
	467	cat <<-EOF > /etc/audit.rules
	468	## Remove any existing rules
	469	-D
	470	## Increase buffer size to handle the increased number of messages.
	471	## Feel free to increase this if the machine panic's
	472	-b 8192
	473	## Set failure mode to panic
	474	# -f 2
	475	#
	476	# GEN002720
	477	## Audits for failed attempts to access files and programs.
	478	-a exit,always -S mknod -F success=0
	479	-a exit,possible -S open -F success=0
	480	-a exit,possible -S pipe -F success=0
	481	-a exit,possible -S mkdir -F success=0
	482	-a exit,possible -S creat -F success=0
	483	#LEAK
	484	# MOD
	485	-a exit,possible -S truncate -F success=0
	486	-a exit,possible -S truncate64 -F success=0
	487	-a exit,possible -S ftruncate -F success=0
	488	-a exit,possible -S ftruncate64 -F success=0
	489
	490	# GEN002740
	491	## Audit for files and programs deleted by user
	492	-a exit,possible -S unlink -F success!=0
	493	-a exit,possible -S rmdir -F success!=0
	494	-a exit,possible -w /bin/rm -F success=0 -F success!=0
	495	-a exit,possible -S rename -F success!=0
	496
	497	# GEN002760
	498	## Audit all administrative actions
	499	# AUD_it
	500	# Backup_export
	501	# Dev_change
	502	# Dev_configure
	503	# Dev_create
	504	-a exit,possible -S chown -F success!=0
	505	-a exit,possible -S chown32 -F success!=0
	506	-a exit,possible -S fchown -F success!=0
	507	-a exit,possible -S fchown32 -F success!=0
	508	-a exit,possible -S lchown -F success!=0
	509	-a exit,possible -S lchown32 -F success!=0
	510	-a exit,always -S chroot -F success!=0
	511	-a exit,always -S mount -F success=0 -F success!=0
	512	-a exit,always -S umount -F success=0 -F success!=0
	513	-a exit,always -S umount2 -F success=0 -F success!=0
	514	-a exit,always -w /usr/sbin/pwck -F success=0 -F success!=0
	515	-a exit,always -S adjtimex -F success!=0
	516	-a exit,always -S settimeofday -F success!=0
	517	-a exit,always -S kill -F success=0 -F success!=0
	518
	519	#Proc_privilege
	520	-a exit,always -w /bin/chgrp -F success=0 -F success!=0
	521	-a exit,always -w /usr/bin/newgrp -F success=0 -F success!=0
	522	-a exit,always -w /usr/sbin/groupadd -F success=0 -F success!=0
	523	-a exit,always -w /usr/sbin/groupmod -F success=0 -F success!=0
	524	-a exit,always -w /usr/sbin/groupdel -F success=0 -F success!=0
	525	# Restore imports
	526
	527	# TCBCK_delete
	528	-a exit,possible -w /usr/sbin/useradd -F success=0 -F success!=0
	529	-a exit,possible -w /usr/sbin/userdel -F success=0 -F success!=0
	530	-a exit,possible -w /usr/sbin/usermod -F success=0 -F success!=0
	531	-a exit,possible -w /usr/bin/chage -F success=0 -F success!=0
	532	-a exit,possible -S reboot -F success!=0
	533	# User_setenv
	534
	535	##
	536	## 4.B.4.a(6)(d)(1)
	537	#
	538	# GEN002780
	539	## Audit all security actions
	540	-w /bin/login -p x
	541	-a exit,possible -w /bin/logout -F success!=0
	542	-a exit,possible -S init_module -F success!=0
	543	-a exit,possible -S delete_module -F success!=0
	544	-a exit,possible -w /bin/su -F success!=0
	545
	546	# GEN002800
	547	## Audit use of privileged commands
	548	-a exit,possible -w /usr/bin/setfacl -F success=0 -F success!=0
	549	-a exit,possible -w /usr/bin/chacl -F success=0 -F success!=0
	550	-a exit,possible -S chmod -F success=0 -F success!=0
	551	-a exit,possible -S fchmod -F success=0 -F success!=0
	552	-a exit,possible -S link -F success=0 -F success!=0
	553	-a exit,possible -S symlink -F success=0 -F success!=0
	554	# Proc_realgid
	555	# Proc_setuserids
	556
	557	## ???????????
	558	## Audit application and session initiation
	559	## Proc_Delete
	560	#
	561	# ????????????
	562	EOF
	563
	564	# 4.B.4.a(6)(d)(3)
	565	# KickStart Actions: All authentication attemps will be monitored
	566	# in /var/log/messages.
	567
	568	## (GEN003660: CAT II) The SA will ensure the authentication notice and
	569	## informational data is logged.
	570	echo "auth.notice /var/log/messages" >> /etc/syslog.conf
	571
601	572	# 4.B.4.a(7)
602	573	# KickStart Actions: None - PROCEDURAL REQUIREMENT
603		#
604		#
	574
605	575	# 4.B.4.a(8)
606	576	# KickStart Actions: None - PROCEDURAL REQUIREMENT
607	577
608		#
609		# 4.B.4.a(8)(a)
610		# KickStart Actions: None - PROCEDURAL REQUIREMENT
611
612		#
613		# 4.B.4.a(8)(b)
614		# KickStart Actions: None - PROCEDURAL REQUIREMENT
615
616
617		#
	578	# 4.B.4.a(8)(a)
	579	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	580
	581	# 4.B.4.a(8)(b)
	582	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	583
618	584	# 4.B.4.a(9)
619	585	# KickStart Actions: None - PROCEDURAL REQUIREMENT
620	586
621
622
623		# 4.B.4.a(9)(a)
624		# KickStart Actions:
625
626		# 4.B.4.a(9)(b)
627		# KickStart Actions: POLICY
628
629		# 4.B.4.a(9)(c)
630		# KickStart Actions:
631
632		# 4.B.4.a(9)(d)
633		# KickStart Actions:
634
635
636		#
637		#
	587	# 4.B.4.a(9)(a)
	588	# KickStart Actions:
	589
	590	# 4.B.4.a(9)(b)
	591	# KickStart Actions: POLICY
	592
	593	# 4.B.4.a(9)(c)
	594	# KickStart Actions:
	595
	596	# 4.B.4.a(9)(d)
	597	# KickStart Actions:
	598
638	599	# 4.B.4.a(10)
639	600	# KickStart Actions: None - PROCEDURAL REQUIREMENT
640		#
641		# 4.B.4.a(10)(a)
642		# KickStart Actions:
643
644		# 4.B.4.a(10)(b)
645		# KickStart Actions:
646
647
648
649		#
	601
	602	# 4.B.4.a(10)(a)
	603	# KickStart Actions:
	604
	605	# 4.B.4.a(10)(b)
	606	# KickStart Actions:
	607
650	608	# 4.B.4.a(11)
651	609	# KickStart Actions: None
652	610
653
654		#
655		# 4.B.4.a(11)(a)
656		# KickStart Actions: None
657
658		#
659		# 4.B.4.a(11)(b)
660		# KickStart Actions: None
661
662		#
663		# 4.B.4.a(11)(c)
664		# KickStart Actions: The following item have been set to meet this policy.
665		# Note:
666		# Investigating using PAM for preventing 10 recent passwords- doesn't appear
667		# to be easily done using pam_passwdqc
668
669		# Passwd strength
670		cat <<EOF > /etc/pam.d/system-auth
671		# %PAM-1.0
672		# This file is auto-generated.
673		# User changes will be destroyed the next time authconfig is run.
674		auth required /lib/security/$ISA/pam_env.so
675		auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
676		auth required /lib/security/$ISA/pam_deny.so
677		auth required /lib/security/pam_tally.so onerr=fail no_magic_root
678
679		account required /lib/security/$ISA/pam_unix.so
680		account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
681		account required /lib/security/$ISA/pam_permit.so
682		account required /lib/security/pam_tally.so deny=3 reset no_magic_root
683
684		password required /lib/security/$ISA/pam_passwdqc.so enforce=users ask_oldauthok=update
685		password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
686		password required /lib/security/$ISA/pam_deny.so
687
688		session required /lib/security/$ISA/pam_limits.so
689		session required /lib/security/$ISA/pam_unix.so
690		EOF
691
692		# Password Strength Settings /etc/login.defs
693		# GEN000
694		echo "Locking down GEN000580"
695		perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN 9/' -i /etc/login.defs
696		#STIG specifies using following, but it's not a valid parameter
697		#echo "PASSLENGTH 9" >> /etc/login.defs
698		echo "GEN000580 Complete"
699		#
700		# 4.B.4.a(11)(d)
701		# KickStart Actions: None - PROCEDURAL REQUIREMENT
702		#
703		# 4.B.4.a(11)(e)
704		# KickStart Actions: Change the password expiration time from undefined to 60 days.
705		# Users cannot change passwords more than once a day.
706		#
707		# Change the password expiration time from undefined to 60 days
708		# GEN000700
709		echo "Locking down GEN000700"
710		perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs
711		chage -M 60 root
712		echo "GEN000700 Complete"
713		#
714		# Ensure that the user cannot change their password more than once a day.
715		# GEN000540
716		echo "Locking down GEN000540"
717		perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
718		echo "GEN000540 Complete"
719		#
720		# 4.B.4.a(11)(f)
721		# KickStart Actions: opasswd file creation in /etc/security/opasswd
722		# for non-replication.
723
724		touch /etc/security/opasswd
725		chmod 600 /etc/security/opasswd
726
727		#
728		# 4.B.4.a(11)(g)
729		# Protection of authenticators to perserve confidentiality and
730		# integrity. Red Hat encrypts authenticators using the MD5
731		# Message Digest.
732		# KickStart Actions: Additional I&A Security.
733
734
735		#
	611	# 4.B.4.a(11)(a)
	612	# KickStart Actions: None
	613
	614	# 4.B.4.a(11)(b)
	615	# KickStart Actions: None
	616
	617	# 4.B.4.a(11)(c)
	618	# KickStart Actions: The following item have been set to meet this policy.
	619	# Note:
	620	# Investigating using PAM for preventing 10 recent passwords- doesn't appear
	621	# to be easily done using pam_passwdqc
	622
	623	# Passwd strength
	624	cat <<-EOF > /etc/pam.d/system-auth
	625	# %PAM-1.0
	626	# This file is auto-generated.
	627	# User changes will be destroyed the next time authconfig is run.
	628	auth required /lib/security/$ISA/pam_env.so
	629	auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
	630	auth required /lib/security/$ISA/pam_deny.so
	631	auth required /lib/security/pam_tally.so onerr=fail no_magic_root
	632	account required /lib/security/$ISA/pam_unix.so
	633	account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
	634	account required /lib/security/$ISA/pam_permit.so
	635	account required /lib/security/pam_tally.so deny=3 reset no_magic_root
	636	password required /lib/security/$ISA/pam_passwdqc.so enforce=users #ask_oldauthok=update
	637	password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
	638	password required /lib/security/$ISA/pam_deny.so
	639
	640	session required /lib/security/$ISA/pam_limits.so
	641	session required /lib/security/$ISA/pam_unix.so
	642	EOF
	643
	644	## (GEN000580: CAT II) (Previously â G019) The IAO will ensure all passwords contain a
	645	## minimum of eight characters.
	646	sed -i "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs
	647
	648	# 4.B.4.a(11)(d)
	649	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	650
	651	# 4.B.4.a(11)(e)
	652	# KickStart Actions: Change the password expiration time from undefined to 60 days.
	653	# Users cannot change passwords more than once a day.
	654
	655	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
	656	## changed at least every 90 days.
	657	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs
	658
	659	## (GEN000540: CAT II) (Previously â G004) The SA will ensure passwords are
	660	## not changed more than once a day.
	661	sed -i '/^PASS_MIN_DAYS/ c\PASS_MIN_DAYS\t1' /etc/login.defs
	662
	663	# 4.B.4.a(11)(f)
	664	# KickStart Actions: opasswd file creation in /etc/security/opasswd
	665	# for non-replication.
	666
	667	touch /etc/security/opasswd
	668	chmod 600 /etc/security/opasswd
	669
	670	# 4.B.4.a(11)(g)
	671	# KickStart Actions: Additional I&A Security.
	672	# Protection of authenticators to perserve confidentiality and
	673	# integrity. Red Hat encrypts authenticators using the MD5
	674	# Message Digest.
	675
736	676	# 4.B.4.a(12)
737	677	# KickStart Actions: See 4.B.4.a(9)(c); specifically passwdqc
738	678
739		#
	679
740	680	# 4.B.4.a(13)
741	681	# KickStart Actions: By default ssh uses Triple DES. This script will edit
742	682	# the /etc/ssh/ssh_config file to use stronger encryption.
743	683	# AES with 256-bit key Cycpher Block Chaining
744		#
745		perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config
746
747
748		#
	684
	685	perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config
	686
	687
749	688	# 4.B.4.a(14)
750	689	# KickStart Actions: None
751	690
752		# 4.B.4.a(14)(a)
753		# KickStart Actions:
754
755
756		# 4.B.4.a(14)(b)
757		# KickStart Actions:
758
759
760		#
	691	# 4.B.4.a(14)(a)
	692	# KickStart Actions:
	693
	694	# 4.B.4.a(14)(b)
	695	# KickStart Actions:
	696
	697
761	698	# 4.B.4.a(15)
762	699	# KickStart Actions:
763	700
764		# 4.B.4.a(15)(1)
765		# KickStart Actions:
766
767		# 4.B.4.a(15)(b)
768		# KickStart Actions: None - PROCEDURAL REQUIREMENT
769
770		# 4.B.4.a(15)(c)
771		# KickStart Actions:
772
773		# 4.B.4.a(15)(d)
774		# KickStart Actions:
775
776		# 4.B.4.a(15)(e)
777		# KickStart Actions:
778
779		#
780		#
	701	# 4.B.4.a(15)(a)
	702	# KickStart Actions:
	703
	704	# 4.B.4.a(15)(b)
	705	# KickStart Actions: None - PROCEDURAL REQUIREMENT
	706
	707	# 4.B.4.a(15)(c)
	708	# KickStart Actions:
	709
	710	# 4.B.4.a(15)(d)
	711	# KickStart Actions:
	712
	713	# 4.B.4.a(15)(e)
	714	# KickStart Actions:
	715
	716
781	717	# 4.B.4.a(16)
782	718	# KickStart Actions: None - PROCEDURAL REQUIREMENT
783		#
	719
	720
784	721	# 4.B.4.a(17)
785	722	# KickStart Actions: Restrict Root Logins and Least Privilege Enhancements.
786		#
787		#
788		# Further restricting root logins
789		# GEN000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
790		#investigating by using PAM for preventing 10 recent passwords- doesn't appear
791		# to be easily done using pam_passwdqc
792		# Further restricting root logins
793		echo "Locking down GEN00xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
794		cat << EOF > /etc/pam.d/su
795		# %PAM-1.0
796		auth sufficient /lib/security/$ISA/pam_rootok.so
797		# Uncomment the following line to implicitly trust users in the "wheel" group.
798		# auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
799		# Uncomment the following line to require a user to be in the "wheel" group.
800		auth required /lib/security/$ISA/pam_wheel.so use_uid
801		auth required /lib/security/$ISA/pam_stack.so service=system-auth
802		account required /lib/security/$ISA/pam_stack.so service=system-auth
803		password required /lib/security/$ISA/pam_stack.so service=system-auth
804		# pam_selinux.so close must be first session rule
805		session required /lib/security/$ISA/pam_selinux.so close
806		session required /lib/security/$ISA/pam_stack.so service=system-auth
807		# pam_selinux.so open and pam_xauth must be last two session rules
808		session required /lib/security/$ISA/pam_selinux.so open multiple
809		session optional /lib/security/$ISA/pam_xauth.so
810		EOF
811		echo "GEN00xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Complete"
812		#
813		# You have to enter a Superuser PW when booting into single user mode
814		# GEN000020
815		# GEN000040
816		echo "Locking down GEN000020, GEN000040"
817		echo "Require the root pw when booting into single user mode" >> /etc/inittab
818		echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
819		echo "GEN000020, GEN000040 Complete"
820		#
	723
	724	# Further restricting root logins
	725	# GEN000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
	726	# investigating by using PAM for preventing 10 recent passwords- doesn't appear
	727	# to be easily done using pam_passwdqc
	728	# Further restricting root logins
	729	cat <<-EOF > /etc/pam.d/su
	730	# %PAM-1.0
	731	auth sufficient /lib/security/$ISA/pam_rootok.so
	732	# Uncomment the following line to implicitly trust users in the "wheel" group.
	733	# auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
	734	# Uncomment the following line to require a user to be in the "wheel" group.
	735	auth required /lib/security/$ISA/pam_wheel.so use_uid
	736	auth required /lib/security/$ISA/pam_stack.so service=system-auth
	737	account required /lib/security/$ISA/pam_stack.so service=system-auth
	738	password required /lib/security/$ISA/pam_stack.so service=system-auth
	739	# pam_selinux.so close must be first session rule
	740	session required /lib/security/$ISA/pam_selinux.so close
	741	session required /lib/security/$ISA/pam_stack.so service=system-auth
	742	# pam_selinux.so open and pam_xauth must be last two session rules
	743	session required /lib/security/$ISA/pam_selinux.so open multiple
	744	session optional /lib/security/$ISA/pam_xauth.so
	745	EOF
	746
	747	## (GEN000020: CAT II) (Previously â G001) The IAO and SA will ensure, if
	748	## configurable, the UNIX host is configured to require a password for access
	749	## to single-user and maintenance modes.
	750	echo "" >> /etc/inittab
	751	echo "#Require password in single-user mode" >> /etc/inittab
	752	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
	753
	754
821	755	# 4.B.4.a(18)
822	756	# KickStart Actions: None
823		#
	757
	758
824	759	# 4.B.4.a(19)
825	760	# KickStart Actions: Centralized Time
826	761
827
828		# GEN000240: CAT I: The SA will ensure the outside network time-server is an authoritative
829		# U.S. DOD source for both the NIPRNet and the SIPRNet.
830		echo "Locking down GEN000240"
831		# Recovery and Audit need correct time stamps this was put here.
832		# Could go in multiple places
833		# Pick a US-based clock server. Should be set to a approved USNO NTP Network Time Server
834		# See http://tycho.usno.navy.mil/ntp.html
835		perl -npe 's/^server.*/server clock\.ismc\.ic\.gov/g' -i /etc/ntp.conf
836		echo "GEN000240 Complete"
837		#
	762	# GEN000240: CAT I: The SA will ensure the outside network time-server is an authoritative
	763	# U.S. DOD source for both the NIPRNet and the SIPRNet.
	764	# Recovery and Audit need correct time stamps this was put here.
	765	# Could go in multiple places
	766	# Pick a US-based clock server. Should be set to a approved USNO NTP Network Time Server
	767	# See http://tycho.usno.navy.mil/ntp.html
	768	## FIXME: Need to find an authoritative time server
	769	perl -npe 's/^server.*/server clock\.ismc\.ic\.gov/g' -i /etc/ntp.conf
	770
	771
838	772	# 4.B.4.a(20)
839	773	# KickStart Actions: None
840		#
	774
	775
841	776	# 4.B.4.a(21)
842	777	# KickStart Actions: None
843		#
844		# 4.B.4.a(21)(a)
845		# KickStart Actions: Interactive Shell setting here.
846		# Gnome screen-saver line command tool --> needs to be tested.
847		# gconftool-2 --direct \
848		# --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
849		# --type int \
850		# --set /apps/gnome-screensaver/i