Navigation

← Previous Changeset
Next Changeset →

Changeset 142

Timestamp:

12/18/07 15:54:02 (1 year ago)

Author:

slawrence

Message:

Fixed kickstart errors

Files:

trunk/RHEL5.1/kickstart/clip.ks (modified) (21 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.1/kickstart/clip.ks

r141	r142
403	403	# /var/{run,log}/{wtmp,utmp} files to 664.
404	404
	405	## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log
	406	## files have permissions of 640, or more restrictive.
	407	find /var/log/ -type f -exec chmod 640 '{}' \;
	408	sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit
	409
405	410	## (GEN005400: CAT II) (Previously â G656) The SA will ensure the owner of the
406	411	## /etc/syslog.conf file is root with permissions of 640, or more restrictive.
…	…
424	429	chmod 600 /var/log/cron
425	430
426		~~## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log~~
427		~~## files have permissions of 640, or more restrictive.~~
428		~~## TODO: Is this correct?~~
429		~~perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit~~
430	431
431	432	# 4.B.4.a(6)(c)
…	…
434	435	# for 5 years (e.g., tape backup).
435	436
	437	# FIXME: Logs are supposed to be kept for 5 years. That isn't really realistic to have
	438	# logrotate rotate for 5 years. A backup system should be implemented. This probably
	439	# shouldn't be in the ks.
	440	:<<-COMMENTBLOCK
436	441	for logconf in `ls -1 /etc/logrotate.conf`
437	442	do
…	…
439	444	perl -npe 's/\#compress/compress/' -i $logconf
440	445	done
	446	COMMENTBLOCK
441	447
442	448	## (GEN002860: CAT II) (Previously â G674) The SA and/or IAO will ensure old
…	…
460	466	## auditing.
461	467	chkconfig auditd on
	468	cat <<-EOF > /etc/audit/audit.rules
	469	# Remove any existing rules
	470	-D
	471	# Increase buffer size to handle the increased number of messages.
	472	-b 8192
	473	EOF
462	474
463	475	## (GEN002680: CAT II) (Previously â G094) The SA will ensure audit data files
…	…
468	480	## have permissions of 640, or more restrictive.
469	481	chmod 600 /var/log/audit/*
	482	chmod 600 /etc/audit/audit.rules
470	483
471	484	# 4.B.4.a(6)(d)(1)
…	…
479	492	# Commented rules do not insert w/o an error.
480	493
481		## (GEN002720-GEN002840: CAT II) (Previously â G100-G106) The SA will configure the
482		## auditing system to audit the following events for all users and root:
483		## FIXME: This should be split up
484		cat <<-EOF > /etc/audit.rules
485		## Remove any existing rules
486		-D
487		## Increase buffer size to handle the increased number of messages.
488		## Feel free to increase this if the machine panic's
489		-b 8192
490		## Set failure mode to panic
491		# -f 2
492		#
493		# GEN002720
494		## Audits for failed attempts to access files and programs.
	494	## (GEN002720: CAT II) The SA will configure the auditing system to audit
	495	## logon (unsuccessful and successful) and logout (successful)
	496	cat <<-EOF >> /etc/audit/audit.rules
	497	-a exit,always -w /bin/login -p x
	498	-a exit,possible -w /bin/logout -F success=0
	499	EOF
	500
	501	## (GEN002740: CAT II) The SA will configure the auditing system to audit
	502	## discretionary access control permission modification (unsuccessful and
	503	## successful use of chown/chmod)
	504	cat <<-EOF >> /etc/audit/audit.rules
	505	-a exit,always -S chmod
	506	-a exit,always -S chown
	507	-a exit,always -S chown32
	508	-a exit,always -S fchmod
	509	-a exit,always -S fchown
	510	-a exit,always -S fchown32
	511	-a exit,always -S lchown
	512	-a exit,always -S lchown32
	513	EOF
	514
	515	## (GEN002760: CAT II) The SA will configure the auditing system to audit
	516	## unauthorized access attempts to files (unsuccessful)
	517	cat <<-EOF >> /etc/audit/audit.rules
	518	-a exit,always -S open -F success!=0
495	519	-a exit,always -S mknod -F success=0
496		-a exit,possible -S open -F success=0
497		-a exit,possible -S pipe -F success=0
498		-a exit,possible -S mkdir -F success=0
499		-a exit,possible -S creat -F success=0
500		#LEAK
501		# MOD
502		-a exit,possible -S truncate -F success=0
503		-a exit,possible -S truncate64 -F success=0
504		-a exit,possible -S ftruncate -F success=0
505		-a exit,possible -S ftruncate64 -F success=0
506
507		# GEN002740
508		## Audit for files and programs deleted by user
509		-a exit,possible -S unlink -F success!=0
510		-a exit,possible -S rmdir -F success!=0
511		-a exit,possible -w /bin/rm -F success=0 -F success!=0
512		-a exit,possible -S rename -F success!=0
513
514		# GEN002760
515		## Audit all administrative actions
516		# AUD_it
517		# Backup_export
518		# Dev_change
519		# Dev_configure
520		# Dev_create
521		-a exit,possible -S chown -F success!=0
522		-a exit,possible -S chown32 -F success!=0
523		-a exit,possible -S fchown -F success!=0
524		-a exit,possible -S fchown32 -F success!=0
525		-a exit,possible -S lchown -F success!=0
526		-a exit,possible -S lchown32 -F success!=0
527		-a exit,always -S chroot -F success!=0
528		-a exit,always -S mount -F success=0 -F success!=0
529		-a exit,always -S umount -F success=0 -F success!=0
530		-a exit,always -S umount2 -F success=0 -F success!=0
531		-a exit,always -w /usr/sbin/pwck -F success=0 -F success!=0
532		-a exit,always -S adjtimex -F success!=0
533		-a exit,always -S settimeofday -F success!=0
534		-a exit,always -S kill -F success=0 -F success!=0
535
536		#Proc_privilege
537		-a exit,always -w /bin/chgrp -F success=0 -F success!=0
538		-a exit,always -w /usr/bin/newgrp -F success=0 -F success!=0
539		-a exit,always -w /usr/sbin/groupadd -F success=0 -F success!=0
540		-a exit,always -w /usr/sbin/groupmod -F success=0 -F success!=0
541		-a exit,always -w /usr/sbin/groupdel -F success=0 -F success!=0
542		# Restore imports
543
544		# TCBCK_delete
545		-a exit,possible -w /usr/sbin/useradd -F success=0 -F success!=0
546		-a exit,possible -w /usr/sbin/userdel -F success=0 -F success!=0
547		-a exit,possible -w /usr/sbin/usermod -F success=0 -F success!=0
548		-a exit,possible -w /usr/bin/chage -F success=0 -F success!=0
549		-a exit,possible -S reboot -F success!=0
550		# User_setenv
551
552		##
553		## 4.B.4.a(6)(d)(1)
554		#
555		# GEN002780
556		## Audit all security actions
557		-w /bin/login -p x
558		-a exit,possible -w /bin/logout -F success!=0
559		-a exit,possible -S init_module -F success!=0
560		-a exit,possible -S delete_module -F success!=0
561		-a exit,possible -w /bin/su -F success!=0
562
563		# GEN002800
564		## Audit use of privileged commands
565		-a exit,possible -w /usr/bin/setfacl -F success=0 -F success!=0
566		-a exit,possible -w /usr/bin/chacl -F success=0 -F success!=0
567		-a exit,possible -S chmod -F success=0 -F success!=0
568		-a exit,possible -S fchmod -F success=0 -F success!=0
569		-a exit,possible -S link -F success=0 -F success!=0
570		-a exit,possible -S symlink -F success=0 -F success!=0
571		# Proc_realgid
572		# Proc_setuserids
573
574		## ???????????
575		## Audit application and session initiation
576		## Proc_Delete
577		#
578		# ????????????
	520	-a exit,always -S pipe -F success=0
	521	-a exit,always -S mkdir -F success=0
	522	-a exit,always -S creat -F success=0
	523	-a exit,always -S truncate -F success=0
	524	-a exit,always -S truncate64 -F success=0
	525	-a exit,always -S ftruncate -F success=0
	526	-a exit,always -S ftruncate64 -F success=0
579	527	EOF
	528
	529	## (GEN002780: CAT II) The SA will configure the auditing system to audit
	530	## use of privileged commands (unsuccessful and successful)
	531	cat <<-EOF >> /etc/audit/audit.rules
	532	-a exit,always -S chroot
	533	-a exit,always -S mount
	534	-a exit,always -S umount
	535	-a exit,always -S umount2
	536	-a exit,always -S adjtimex
	537	-a exit,always -S settimeofday
	538	-a exit,always -S kill
	539	-a exit,always -S reboot
	540	-a exit,always -w /usr/sbin/pwck
	541	-a exit,always -w /bin/chgrp
	542	-a exit,always -w /usr/bin/newgrp
	543	-a exit,always -w /usr/sbin/groupadd
	544	-a exit,always -w /usr/sbin/groupmod
	545	-a exit,always -w /usr/sbin/groupdel
	546	-a exit,always -w /usr/sbin/useradd
	547	-a exit,always -w /usr/sbin/userdel
	548	-a exit,always -w /usr/sbin/usermod
	549	-a exit,always -w /usr/bin/chage
	550	-a exit,always -w /usr/bin/setfacl
	551	-a exit,always -w /usr/bin/chacl
	552	EOF
	553
	554	# Use of print command (unsuccessful and successful)
	555	# FIXME: what is the print command? lpr/cups?
	556
	557	# Export to media (successful)
	558	# FIXME: How to audit this?
	559
	560	## (GEN002800: CAT II) The SA will configure the auditing system to audit
	561	## files and programs deleted by the user (successful and unsuccessful)
	562	cat <<-EOF >> /etc/audit/audit.rules
	563	-a exit,always -S unlink
	564	-a exit,always -S rmdir
	565	EOF
	566
	567	## (GEN002820: CAT II) The SA will configure the auditing system to audit
	568	## all system administration actions
	569	cat <<-EOF >> /etc/audit/audit.rules
	570	-w /var/log/audit/
	571	-w /etc/auditd.conf
	572	-w /etc/audit
	573	-a exit,always -S acct
	574	-a exit,always -S reboot
	575	-a exit,always -S sched_setparam
	576	-a exit,always -S sched_setscheduler
	577	-a exit,always -S setdomainname
	578	-a exit,always -S setrlimit
	579	-a exit,always -S settimeofday
	580	-a exit,always -S stime
	581	-a exit,always -S swapon
	582	EOF
	583
	584	## (GEN002840: CAT II) The SA will configure the auditing system to audit
	585	## all security personnel actions
	586	cat <<-EOF >> /etc/audit/audit.rules
	587	-a exit,possible -S init_module
	588	-a exit,possible -S delete_module
	589	-a exit,possible -w /bin/su
	590	EOF
	591
580	592
581	593	# 4.B.4.a(6)(d)(3)
…	…
585	597	## (GEN003660: CAT II) The SA will ensure the authentication notice and
586	598	## informational data is logged.
587		echo "auth.notice /var/log/messages" >> /etc/syslog.conf
	599	echo "auth.notice /var/log/messages" >> /etc/syslog.conf
588	600
589	601	## (GEN000440: CAT II) (Previously â G012) The SA will ensure all logon attempts (both
590	602	## successful and unsuccessful) are logged to a system log file.
591		echo "
592		# Log all authentication information
593		auth.* /var/log/authlog" >> /etc/syslog.conf
	603	echo "auth.* /var/log/authlog" >> /etc/syslog.conf
594	604
595	605	## (GEN004440: CAT IV) (Previously â G133) The SA will ensure the sendmail
…	…
716	726	# Message Digest.
717	727
718		~~# FIXME: Find a stig for this, maybe GEN000800~~
719	728	# Make sure rememberd password are safe
720	729	touch /etc/security/opasswd
…	…
739	748	## assigning a false shell in the password file.
740	749	for USERINFO in `cat /etc/shadow`; do
741		if [ -z "`echo $USERINFO \| cut -d: -f2`" ]
742		then
743		/usr/sbin/usermod -L -s /dev/null `echo $USERINFO \| cut -d: -f1`
744		fi
	750	if [ -z "`echo $USERINFO \| cut -d: -f2`" ]
	751	then
	752	/usr/sbin/usermod -L -s /dev/null `echo $USERINFO \| cut -d: -f1`
	753	fi
745	754	done;
746	755
…	…
754	763	# AES with 256-bit key Cycpher Block Chaining
755	764
756		~~#TODO: Find stig for this~~
757		~~perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config~~
758	765
759	766	## (GEN005500: CAT I) (Previously â G701) The IAO and SA will ensure SSH
…	…
765	772	else
766	773	echo "Protocol 2" >> /etc/ssh/sshd_config
767		fi
	774	fi
	775	echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config
768	776
769	777
…	…
978	986	# KickStart Actions:
979	987
980		## FIXME: Find STIG for this
981		echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config
	988	# GEN005500 already implemented above
982	989
983	990	# 4.B.4.a(26)(a)(4)
…	…
1037	1044
1038	1045	## (GEN003600: CAT II) The SA will ensure network parameters are securely set.
1039		~~## FIXME: This should be a sed replace/append~~
1040		~~cat <<-EOF >~~ /etc/sysctl.conf
1041		~~net.ipv4.ip_forward = 0~~
	1046	sed -i "/net\.ipv4\.conf\.all\.rp_filter/ c\net.ipv4.conf.all.rp_filter = 1" /etc/sysctl.conf
	1047	sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf
	1048	cat <<-EOF >> /etc/sysctl.conf
1042	1049	net.ipv4.tcp_max_syn_backlog = 1280
1043	1050	net.ipv4.icmp_echo_ignore_broadcasts = 1
1044		~~net.ipv4.conf.all.rp_filter = 1~~
1045		~~net.ipv4.conf.all.accept_source_route = 0~~
1046	1051	EOF
1047	1052
…	…
1132	1137	sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond
1133	1138
1134		# GEN001480: CAT II â The SA will ensure user home directories have initial permissions
1135		# of 700, and never more permissive than 750.
1136		# Correct the Red Hat supplied modes on these directories
1137		## FIXME: This doesn't seem right
1138		chmod 750 /var/crash /var/www/usage /usr/libexec/dovecot
1139
1140		# GEN001560: CAT II â The user, application developers, and the SA will ensure user files
1141		# and directories will have an initial permission no more permissive than
1142		# 700, and never more permissive than 750.
1143
1144		# Change all user files to mode 700
1145		## FIXME: Possible STIG
1146		find /home -name '.*' -type f -exec chmod -R 700 {} \;
1147		find /root -name '.*' -type f -exec chmod -R 700 {} \;
1148
1149		# Script to create symlinks for dangerous files
1150		# FIXME: Possible STIG
	1139	## (GEN001560: CAT II) (Previously â G068) The user, application developers,
	1140	## and the SA will ensure user files and directories will have an initial
	1141	## permission no more permissive than 700, and never more permissive than 750.
	1142	for BASEDIR in /home /root
	1143	do
	1144	find $DIR -type f -exec chmod 600 '{}'\;
	1145	find $DIR -type d -exec chmod 700 '{}'\;
	1146	done
	1147
	1148	## (GEN002040: CAT I) The SA will ensure .rhosts, .shosts, hosts.equiv, nor
	1149	## shosts.equiv are used, unless justified and documented with the IAO.
1151	1150	for file in /root/.rhosts /root/.shosts /etc/hosts.equiv
1152	1151	do
1153	1152	rm -f $file
1154	1153	ln -s /dev/null $file
1155		done
	1154	done
1156	1155
1157	1156	# World Writable files
…	…
1343	1342	## are not used.
1344	1343	for HOMEDIR in `cut -d: -f6 /etc/passwd`; do
1345		if [ -f $HOMEDIR/.forward ]
	1344	if [ -f $HOMEDIR/.forward ]
1346	1345	then
1347	1346	rm $HOMEDIR/.forward
…	…
1388	1387	## access area accessible only by SAs.
1389	1388	sed -i "s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/" /etc/inittab
1390
1391		~~## FIXME: What is this???~~
1392		~~# /dev/ty perms settings~~
1393		~~# GEN???????????????????????????????????????????????????~~
1394		~~find /dev -name "ty" -exec chmod 700 {} \;~~
1395	1389
1396	1390	## (LNX00320: CAT I) (Previously â L140) The SA will delete accounts that
…	…
2236	2230	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
2237	2231
	2232	# AC-21: Confidentiality of Data at Rest
	2233	# Kickstart Actions:
	2234
	2235	# AC-22: Distinct Level of Access
	2236	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
2238	2237
2239	2238	###################################
…	…
2328	2327	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
2329	2328
	2329	# AU-12: Session Audit
	2330	# Kickstart Actions:
2330	2331
2331	2332	###################################
…	…
2789	2790	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
2790	2791
	2792	# PE-20: Physical Security
	2793	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
	2794
	2795	# PE-21: Environmental Control Training
	2796	# Kickstart Actions: None - PROCEDURAL REQUIREMENT
2791	2797
2792	2798	###################################
…	…
3155	3161	#############################################################################
3156	3162	#############################################################################
3157		~~# GEN001260 (Needs to be at bottom, as it somehow gets reset) --note that the~~
3158		~~# culprit doing the reset is /etc/rc.d/rc.sysinit. I need to find out why~~
3159		~~find /var/log/ -type f -not -perm 644 -exec chmod 644 {} \;~~
3160	3163
3161	3164

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.