Changeset 141
- Timestamp:
- 12/17/07 15:27:35 (1 year ago)
- Files:
  - trunk/RHEL5.1/kickstart/clip.ks (modified) (14 diffs)
trunk/RHEL5.1/kickstart/clip.ks
r140 r141 416 416 chmod 644 /var/log/maillog 417 417 418 ## (GEN004480: CAT II) (Previously â G135) The SA will ensure the owner of the 419 ## critical sendmail log file is root. 420 chown root /var/log/maillog 421 418 422 ## (GEN003180: CAT II) (Previously â G210) The SA will ensure cron logs have 419 423 ## permissions of 600, or more restrictive. … … 589 593 auth.* /var/log/authlog" >> /etc/syslog.conf 590 594 595 ## (GEN004440: CAT IV) (Previously â G133) The SA will ensure the sendmail 596 ## logging level (the detail level of e-mail tracing and debugging 597 ## information) in the sendmail.cf file is set to a value no lower than 598 ## nine (9). 599 sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf 600 591 601 592 602 # 4.B.4.a(7) … … 673 683 sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth 674 684 675 676 685 # Running the authconfig tool WILL clobber these changes! 677 686 # Taking the executable permissions off of /usr/sbin/authconfig … … 725 734 chmod 400 /etc/shadow 726 735 736 ## (GEN000560: CAT I) (Previously â G018) The SA will ensure each account in 737 ## the /etc/passwd file has a password assigned or is disabled in the 738 ## password, shadow, or equivalent, file by disabling the password and/or by 739 ## assigning a false shell in the password file. 740 for USERINFO in `cat /etc/shadow`; do 741 if [ -z "`echo $USERINFO | cut -d: -f2`" ] 742 then 743 /usr/sbin/usermod -L -s /dev/null `echo $USERINFO | cut -d: -f1` 744 fi 745 done; 727 746 728 747 # 4.B.4.a(12) … … 734 753 # the /etc/ssh/ssh_config file to use stronger encryption. 
735 754 # AES with 256-bit key Cycpher Block Chaining 736 755 756 #TODO: Find stig for this 737 757 perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config 738 758 … … 789 809 # to be easily done using pam_passwdqc 790 810 # Further restricting root logins 811 ## TODO: Find stig for this 791 812 cat <<-EOF > /etc/pam.d/su 792 813 # %PAM-1.0 … … 1075 1096 echo "console" > /etc/securetty 1076 1097 1098 ## (LNX00620: CAT II) The SA will ensure the group owner of the /etc/securetty 1099 ## file is root, sys, or bin. 1100 chgrp root /etc/securetty 1101 1102 ## (LNX00640: CAT II) The SA will ensure the owner of the /etc/securetty file 1103 ## is root. 1104 chown root /etc/securetty 1105 1106 ## (LNX00660: CAT II) The SA will ensure the /etc/securetty file has 1107 ## permissions of 640, or more restrictive. 1108 chmod 640 /etc/securetty 1109 1077 1110 ## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to 1078 1111 ## log on to their personal account and invoke the /bin/su - command to switch … … 1123 1156 1124 1157 # World Writable files 1125 ## FIXME: Doesn't really do anything 1158 ( 1159 OUTFILE=/root/system.ww.`date +%Y:%m:%d`.txt 1160 echo -n > $OUTFILE 1126 1161 for part in `awk '($3== "ext2" || $3 == "ext3") { print $2 }' /etc/fstab` 1127 1162 do 1128 find $part -xdev -type f -perm -0002 -print > /root/system.ww.txt 1129 gzip --best /root/system.ww.`date +%Y:%m:d`.txt 1163 find $part -xdev -type f -perm -0002 >> $OUTFILE 1130 1164 done 1165 gzip --best $OUTFILE 1166 ) 1131 1167 1132 1168 # SUID | SGID files 1133 ## FIXME: Doesn't really do anything 1169 ( 1170 OUTFILE=/root/system.suid-sgid.`date +%Y:%m:%d`.txt 1171 echo -n > $OUTFILE 1134 1172 for part in `awk '($3== "ext2" || $3 == "ext3") { print $2 }' /etc/fstab` 1135 1173 do 1136 find $part -xdev -type f -perm -4000 -o -perm -2000 -print > /root/system.suid-sgid.txt 1137 gzip --best /root/system.suid-sgid.`date +%Y:%m:%d`.txt 1174 find $part -xdev -type f -perm 
-4000 -o -perm -2000 >> $OUTFILE 1138 1175 done 1139 1140 # GEN006580: CAT II â The SA will ensure an access control program 1141 # (e.g., TCP_WRAPPERS) is implemented on all UNIX hosts connected to a network. 1142 ## FIXME: SHould this be gen 6620? 1143 echo "ALL:ALL" > /etc/hosts.deny 1144 echo "sshd:ALL" > /etc/hosts.allow 1145 1146 ## (GEN002960: CAT II) The SA will control access 1147 ## to the cron utilities via the cron.allow and/or cron.deny file(s). 1148 echo root > /etc/cron.allow 1176 gzip --best $OUTFILE 1177 ) 1178 1179 ## (GEN006620: CAT II) The SA will ensure an access control program (e.g., 1180 ## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to 1181 ## grant or deny system access to specific hosts. 1182 echo "ALL: ALL" > /etc/hosts.deny 1183 1184 ## (GEN003060: CAT II) The SA will ensure default system accounts (with the 1185 ## possible exception of root) will not be listed in the cron.allow file. If 1186 ## there is only a cron.deny file, the default accounts (with the possible 1187 ## exception of root) will be listed there. 1188 echo 'root' > /etc/cron.allow 1149 1189 awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny 1150 1190 … … 1274 1314 chgrp root /var/spool/cron 1275 1315 1316 ## (GEN003500: CAT III) The SA will ensure core dumps are disabled or 1317 ## restricted. 1318 echo "* - core 0" >> /etc/security/limits.conf 1319 1276 1320 ## (GEN003520: CAT III) The SA will ensure the owner and group owner of the 1277 1321 ## core dump data directory is root with permissions of 700, or more … … 1290 1334 ## O SmtpGreetingMessage= Mail Server Ready ; $b 1291 1335 sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf 1336 1337 ## (GEN004540: CAT II) The SA will ensure the help sendmail command is 1338 ## disabled. 
1339 mv /etc/mail/helpfile /etc/mail/helpfile.bak 1340 echo "" > /etc/mail/helpfile 1341 1342 ## (GEN004580: CAT I) (Previously â G647) The SA will ensure .forward files 1343 ## are not used. 1344 for HOMEDIR in `cut -d: -f6 /etc/passwd`; do 1345 if [ -f $HOMEDIR/.forward ] 1346 then 1347 rm $HOMEDIR/.forward 1348 fi 1349 done; 1292 1350 1293 1351 ## (GEN004360: CAT II) (Previously â G127) The SA will ensure the aliases file … … 1314 1372 EOF 1315 1373 1374 ## (LNX00480: CAT II) (Previously â L204) The SA will ensure the owner of the 1375 ## /etc/sysctl.conf file is root. 1376 chown root /etc/sysctl.conf 1377 1378 ## (LNX00500: CAT II) (Previously â L206) The SA will ensure the group owner 1379 ## of the /etc/sysctl.conf file is root. 1380 chgrp root /etc/sysctl.conf 1381 1316 1382 ## (LNX00520: CAT II) (Previously â L208) The SA will ensure the 1317 1383 ## /etc/sysctl.conf file has permissions of 600, or more restrictive. … … 1343 1409 /usr/sbin/userdel nfsnobody 1344 1410 1411 ## (GEN002640: CAT II) (Previously â G092) The SA will ensure logon capability 1412 ## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon, 1413 ## and any default account not normally logged onto) will be disabled by 1414 ## making the default shell /bin/false, /usr/bin/false, /sbin/false, 1415 ## /sbin/nologin, or /dev/null, and by locking the password. 1416 for NAME in `cut -d: -f1 /etc/passwd`; do 1417 NAMEID=`id -u $NAME` 1418 if [ $NAMEID -lt 500 -a $NAME != 'root' ]; then 1419 /usr/sbin/usermod -L -s /dev/null $NAME 1420 fi 1421 done 1422 1423 ## (GEN001080: CAT III) (Previously â G229) The SA will ensure the root shell 1424 ## is not located in /usr if /usr is partitioned. 1425 /usr/sbin/usermod -s /bin/bash root 1426 1427 ## (GEN001460: CAT IV) (Previously â G052) The SA will ensure all home 1428 ## directories defined in the /etc/passwd file exist. 1429 for HOMEDIR in `cut -d: -f6 /etc/passwd`; do 1430 if [ ! 
-d $HOMEDIR ] 1431 then 1432 mkdir $HOMEDIR 1433 fi 1434 done; 1435 1345 1436 ## (GEN004640: CAT I) (Previously â V126) The SA will ensure the decode entry 1346 1437 ## is disabled (deleted or commented out) from the alias file. … … 1348 1439 /usr/bin/newaliases 1349 1440 1441 ## (LNX00400: CAT II) (Previously â L044) The SA will ensure the owner of the 1442 ## /etc/login.access or /etc/security/access.conf file is root. 1443 chown root /etc/security/access.conf 1444 1445 ## (LNX00420: CAT II) (Previously â L045) The SA will ensure the group owner 1446 ## of the /etc/login.access or /etc/security/access.conf file is root. 1447 chgrp root /etc/security/access.conf 1448 1350 1449 ## (LNX00440: CAT II) (Previously â L046) The SA will ensure /etc/login.access 1351 1450 ## or /etc/security/access.conf file will be 640, or more restrictive. 1352 1451 chmod 640 /etc/security/access.conf 1452 1453 ## (LNX00160: CAT II) (Previously â L074) The SA will ensure the grub.conf 1454 ## file has permissions of 600, or more restrictive. 1455 chmod 600 /boot/grub/grub.conf 1456 1457 ## (LNX00220: CAT II) (Previously â L080) The SA will ensure the lilo.conf 1458 ## file has permissions of 600 or more restrictive. 1459 chmod 600 /etc/lilo.conf 1353 1460 1354 1461 ## (GEN006100: CAT II) (Previously â L050) The SA will ensure the owner of … … 1416 1523 ## of all files in /etc/news is root or news. 1417 1524 chgrp -R root /etc/news/* 1418 1419 # GEN000960 1420 # FIXME: Wrong number, I don't think this is a stig 1421 # Maybe it is about deleting unused system users 1422 # If we're not running an POP/IMAP server, remove the user dovecot 1423 rpm -q dovecot 2>&1 > /dev/null 1424 if [ $? = "1" ] 1425 then 1426 userdel dovecot 1427 else 1428 echo "dovecot package installed, not deleting user dovecot" 1429 fi 1430 1431 # If we're not running named, delete the user 1432 rpm -q bind 2>&1 > /dev/null 1433 if [ $? 
= "1" ] 1434 then 1435 userdel named 1436 else 1437 echo "bind package installed, not deleting user named" 1438 fi 1525 1526 ## (GEN001580: CAT II) (Previously â G058) The SA will ensure run control 1527 ## scripts have permissions of 755, or more restrictive. 1528 chmod 755 /etc/rc.d/init.d/* 1529 1530 ## (GEN001620: CAT II) (Previously â G061) The SA will ensure run control 1531 ## scripts files do not have the suid or sgid bit set. 1532 chmod ug-s /etc/rc.d/init.d/* 1533 1534 ## (GEN001660: CAT II) (Previously â G611) The SA will ensure the owner of run 1535 ## control scripts is root. 1536 chown root /etc/rc.d/init.d/* 1537 1538 ## (GEN001680: CAT II) (Previously â G612) The SA will ensure the group owner 1539 ## of run control scripts is root, sys, bin, other, or the system default. 1540 chgrp root /etc/rc.d/init.d/* 1541 1542 ## (GEN001720: CAT II) The SA will ensure global initialization files have 1543 ## permissions of 644, or more restrictive. 1544 chmod 644 /etc/{profile,bashrc,environment} 1545 1546 ## (GEN001740: CAT II) The SA will ensure the owner of global initialization 1547 ## files is root. 1548 chown root /etc/{profile,bashrc,environment} 1549 1550 ## (GEN001760: CAT II) The SA will ensure the group owner of global 1551 ## initialization files is root, sys, bin, other, or the system default. 1552 chgrp root /etc/{profile,bashrc,environment} 1553 1554 ## (GEN001780: CAT III) (Previously â G112) The SA will ensure global 1555 ## initialization files contain the command mesg ân. 1556 for FILE in /etc/{profile,bashrc,environment}; do 1557 echo "mesg n" >> $FILE 1558 done; 1559 1560 ## (GEN002120: CAT II) (Previously â G069) The SA will ensure the /etc/shells 1561 ## (or equivalent) file exits. 1562 cat <<-EOF > /etc/shells 1563 /bin/sh 1564 /bin/bash 1565 /sbin/nologin 1566 /bin/tcsh 1567 /bin/csh 1568 /bin/ksh 1569 EOF 1570 1571 ## (GEN002160: CAT I) (Previously â G072) The SA will ensure no shell has the 1572 ## suid bit set. 
1573 for SHELL in `cat /etc/shells`; do 1574 chmod u-s $SHELL 1575 done 1576 1577 ## (GEN002180: CAT II) (Previously â G073) The SA will ensure no shell has the 1578 ## sgid bit set. 1579 for SHELL in `cat /etc/shells`; do 1580 chmod g-s $SHELL 1581 done 1582 1583 ## (GEN002200: CAT II) (Previously â G074) The SA will ensure the owner of all 1584 ## shells is root or bin. 1585 for SHELL in `cat /etc/shells`; do 1586 chown root $SHELL 1587 done 1588 1589 ## (GEN002220: CAT II) (Previously â G075) The SA will ensure all shells 1590 ## (excluding /dev/null and sdshell) have permissions of 755, or more 1591 ## restrictive. 1592 for SHELL in `cat /etc/shells`; do 1593 chmod 755 $SHELL 1594 done 1595 1596 ## (GEN002320: CAT II) (Previously â G501) The SA will ensure the audio devices 1597 ## have permissions of 644, or more restrictive. 1598 chmod 644 /dev/audio 1599 1600 ## (GEN002340: CAT II) (Previously â G502) The SA will ensure the owner of 1601 ## audio devices is root. 1602 chown root /dev/audio 1603 1604 ## (GEN002360: CAT II) (Previously â G504) The SA will ensure the group owner 1605 ## of audio devices is root, sys, or bin. 1606 chgrp root /dev/audio 1607 1608 ## (GEN004880: CAT II) (Previously â G140) The SA will ensure the ftpusers 1609 ## file exists. 1610 touch /etc/ftpusers 1611 1612 ## (GEN004900: CAT II) (Previously â G141) The SA will ensure the ftpusers 1613 ## file contains the usernames of users not allowed to use FTP, and contains, 1614 ## at a minimum, the system pseudo-users usernames and root. 1615 echo -n > /etc/ftpusers 1616 for NAME in `cut -d: -f1 /etc/passwd`; do 1617 NAMEID=`id -u $NAME` 1618 if [ $NAMEID -lt 500 ]; then 1619 echo $NAME >> /etc/ftpusers 1620 fi 1621 done; 1622 1623 ## (GEN004920: CAT II) (Previously â G142) The SA will ensure the owner of the 1624 ## ftpusers file is root. 
1625 chown root /etc/ftpusers 1626 1627 ## (GEN004940: CAT II) (Previously â G143) The SA will ensure the ftpusers 1628 ## file has permissions of 640, or more restrictive. 1629 chmod 640 /etc/ftpusers 1630 1631 ## (GEN005000: CAT I) (Previously â G649) The SA will implement the anonymous 1632 ## FTP account with a non-functional shell such as /bin/false. 1633 /usr/sbin/usermod -s /dev/null ftp 1439 1634 1440 1635 # 4.B.4.b(6)
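Review bot: the GEN004440 hunk (old 589/new 595-599) only changes sendmail's log level if a line containing "LogLevel" already exists in /etc/mail/sendmail.cf, and it rewrites every matching line, commented ones included, so the outcome depends on the shipped file and a missing match produces no error at all. Because sendmail.cf is regenerated from sendmail.mc with the sendmail-cf m4 files, a direct edit is also lost on the next rebuild; the durable form is define(`confLOG_LEVEL', `9')dnl in /etc/mail/sendmail.mc followed by a rebuild, and either way the hunk should end with a check such as grep -q '^O LogLevel=9' /etc/mail/sendmail.cf || echo 'LogLevel not set' so the kickstart log shows when the sed did nothing.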
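Review bot: the GEN000560 loop in the 725/736 hunk runs `cat /etc/shadow` and `echo $USERINFO` unquoted, so every shadow entry whose password field is * or !! (which is every locked system account) goes through pathname expansion before cut sees it; it only works because nothing in the working directory happens to match. The same check without that hazard and without two subshells per account is awk -F: '$2 == "" {print $1}' /etc/shadow | while read NAME; do /usr/sbin/usermod -L -s /dev/null "$NAME"; done. The STIG text quoted in the hunk also accepts a false shell such as /sbin/nologin, which is the better choice than /dev/null for any account a service later runs su - against.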
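Review bot: the 1123/1156 hunk removes the old echo "sshd:ALL" > /etc/hosts.allow but keeps ALL: ALL in /etc/hosts.deny, so on RHEL 5, where sshd is built against libwrap, every remote ssh connection is refused once this runs unless something later writes hosts.allow; keep an explicit allow entry (sshd: ALL, or better the management networks) next to the deny-all, and state in the comment that it is deliberate. In the SUID/SGID listing, find $part -xdev -type f -perm -4000 -o -perm -2000 parses as (-type f -a -perm -4000) -o (-perm -2000), so the second branch is not limited to regular files and SGID directories end up in the report; write it as find $part -xdev -type f \( -perm -4000 -o -perm -2000 \). For cron, vixie-cron ignores cron.deny whenever cron.allow exists, so the awk | grep line is redundant, and grep -v root also drops any username that merely contains "root"; awk -F: '$1 != "root" {print $1}' /etc/passwd is the exact form if the deny file is kept.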
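Review bot: the .forward removal in the GEN004580 hunk (new 1342-1349) is a one-time cleanup, not a control: a user can recreate ~/.forward after %post and sendmail will honour it again. The durable fix is in sendmail itself, define(`confFORWARD_PATH', `')dnl in sendmail.mc (O ForwardPath= in sendmail.cf), which stops sendmail from consulting .forward files at all; the loop is then only a convenience. The loop should also quote "$HOMEDIR/.forward", and it currently tests /.forward for every account whose home field is /, which is harmless but worth a comment.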
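Review bot: the GEN002640 loop in the 1343/1409 hunk locks and assigns a /dev/null shell to every account with UID below 500, which on RHEL 5 includes service accounts whose init scripts start the daemon with su - <account>; any such service stops starting after this runs. The STIG text quoted in the hunk lists /sbin/nologin, which su -s handling copes with far better than /dev/null, and the accounts that installed services actually switch to should be checked first (grep -l 'su ' /etc/rc.d/init.d/*). In the same hunk the GEN001460 loop creates missing home directories with a bare mkdir, so they are root-owned with the current umask and unusable by the account; iterate over name:home pairs (awk -F: '{print $1":"$6}' /etc/passwd) so each new directory is chowned to its user and given 700 or 750, and use mkdir -p so a missing parent does not abort the loop.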
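Review bot: chmod 600 /etc/lilo.conf in the LNX00220 hunk (new 1457-1459) errors on every RHEL 5 install without LILO, which is the default on x86 where GRUB is the loader, and that error is noise in the %post log that hides real failures; guard it with [ -f /etc/lilo.conf ] && chmod 600 /etc/lilo.conf, and the same guard is appropriate for /boot/grub/grub.conf on hosts that boot through another loader.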
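Review bot: in the 1416/1523 hunk the four shell loops (GEN002160 through GEN002220) use SHELL as the loop variable, which overwrites the script's own $SHELL environment variable for everything that runs after them (it is left as /bin/ksh, the last /etc/shells entry); rename it, for example SH. The GEN001780 loop appends mesg n to /etc/environment, but pam_env reads that file as KEY=VALUE lines, not as shell, and in /etc/profile the bare command prints an error on every session without a tty (scp, sftp, ssh host command); drop /etc/environment from that loop and append tty -s && mesg n instead. The /etc/shells written here lists /bin/tcsh, /bin/csh and /bin/ksh whether or not they are installed, so the chmod/chown loops fail on absent files; limit the list to shells present on the image. Finally, /etc/ftpusers is only consulted if the FTP daemon's PAM stack names it, and RHEL 5's vsftpd uses pam_listfile with /etc/vsftpd/ftpusers (plus /etc/vsftpd/user_list), so check grep pam_listfile /etc/pam.d/vsftpd and write the GEN004900 list to whatever file it references.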
