Navigation

← Previous Changeset
Next Changeset →

Changeset 144

Timestamp:

12/20/07 15:02:06 (1 year ago)

Author:

slawrence

Message:

Update STIGs to match those in the kickstart

Files:

trunk/RHEL5.1/scripts/stig-fix/cat1/gen002040.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat1/gen002700.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat1/gen004640.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat1/gen005500.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat1/lnx00580.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000020.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000400.sh (modified) (2 diffs)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000920.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001120.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001260.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001560.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001720.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001740.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001760.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002120.sh (modified) (2 diffs)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002720.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002800.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen002840.sh (added)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen003600.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen003740.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen003960.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen003980.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen004000.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen006620.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat3/gen001280.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat3/gen001780.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat3/gen003500.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat3/gen003520.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat4/gen004440.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.1/scripts/stig-fix/cat1/gen002700.sh

r121	r144
6	6	echo 'Patching GEN002700: Set audit file permissions'
7	7	echo '==================================================='
8		chmod 600 /var/log/audit/*
	8	chmod 640 /var/log/audit/*
	9	chmod 640 /etc/audit/audit.rules

trunk/RHEL5.1/scripts/stig-fix/cat1/gen004640.sh

r115 r144

7 7 echo '==================================================='
8 8 sed --in-place s/^decode\:/\#decode\:/ /etc/aliases
9 /usr/bin/newaliases

trunk/RHEL5.1/scripts/stig-fix/cat1/gen005500.sh

r113	r144
13	13	echo "Protocol 2" >> /etc/ssh/sshd_config
14	14	fi
	15	echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config

trunk/RHEL5.1/scripts/stig-fix/cat1/lnx00580.sh

r115	r144
7	7	echo ' Patching LNX00580: Disable CTRL-ALT-DELETE'
8	8	echo '==================================================='
9		sed --in-place ~~s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/~~ /etc/inittab
	9	sed --in-place "s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/" /etc/inittab

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000020.sh

r121	r144
11	11	echo "" >> /etc/inittab
12	12	echo "#Require password in single-user mode" >> /etc/inittab
13		echo "~:S:wait:/sbin/sulogin" >> /etc/inittab
	13	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000400.sh

r115	r144
6	6	echo ' Patching GEN000400: Providing logon-warning banner'
7	7	echo '==================================================='
8		echo "THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. THIS COMPUTER SYSTEM,
	8	cat <<-EOF > /etc/issue
	9	THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. THIS COMPUTER SYSTEM,
9	10	INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES
10	11	(SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED
…	…
24	25	MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION.
25	26	USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
26		" > /etc/issue
	27	EOF
27	28
28	29	# Change banner for SSH logins so that it matches the above
29		sed --in-place /banner/d /etc/ssh/sshd_config
30		sed --in-place /Banner/d /etc/ssh/sshd_config
31		echo "
32		# use the same banner as local logins
33		Banner /etc/issue" >> /etc/ssh/sshd_config
	30	sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config
	31
	32	# Add code to /etc/gdm/PreSession/Default so graphical login shows etc/issue
	33	sed -i "s/^$PATH=.*$/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n sleep 10\n exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000700.sh

r115	r144
7	7	echo ' between password changes'
8	8	echo '==================================================='
9		sed -i '/^PASS_MAX_DAYS/ c\
10		PASS_MAX_DAYS\t90' /etc/login.defs
	9	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000920.sh

r115	r144
7	7	echo ' Patching GEN000920: /root is only readable by root'
8	8	echo '==================================================='
9		chmod -R 700 /root
	9	chmod 700 /root

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001120.sh

r121	r144
6	6	echo 'Patching GEN001120: Do not allow root remote login'
7	7	echo '==================================================='
8		sed -i "/^#PermitRootLogin/ c\
9		PermitRootLogin no" /etc/ssh/sshd_config
	8	sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001260.sh

r115	r144
7	7	echo ' log files.'
8	8	echo '==================================================='
9		chmod 640 /var/log/wtmp
	9	find /var/log/ -type f -exec chmod 640 '{}' \;
	10	sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001720.sh

r112	r144
7	7	echo ' initialization files'
8	8	echo '==================================================='
9		FILES="/etc/profile /etc/bashrc /etc/environment"
10		chmod 644 $FILES
	9	chmod 644 /etc/{profile,bashrc,environment}

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001740.sh

r112	r144
7	7	echo ' initialization files'
8	8	echo '==================================================='
9		FILES="/etc/profile /etc/bashrc /etc/environment"
10		chown root $FILES
	9	chown root /etc/{profile,bashrc,environment}

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001760.sh

r112	r144
7	7	echo ' initialization files'
8	8	echo '==================================================='
9		FILES="/etc/profile /etc/bashrc /etc/environment"
10		chgrp root $FILES
	9	chgrp root /etc/{profile,bashrc,environment}

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002120.sh

r113	r144
6	6	echo 'Patching GEN002120: Set /etc/shells'
7	7	echo '==================================================='
8		echo "
	8	cat <<EOF > /etc/shells
9	9	/bin/sh
10	10	/bin/bash
…	…
12	12	/bin/tcsh
13	13	/bin/csh
14		/bin/ksh" > /etc/shells
	14	/bin/ksh
	15	EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh

r121	r144
7	7	echo '==================================================='
8	8	/sbin/chkconfig auditd on
	9	cat <<-EOF > /etc/audit/audit.rules
	10	# Remove any existing rules
	11	-D
	12	# Increase buffer size to handle the increased number of messages.
	13	-b 8192
	14	EOF
	15

trunk/RHEL5.1/scripts/stig-fix/cat2/gen003600.sh

r121	r144
5	5	echo ' Patching GEN003600: Set network parameters'
6	6	echo '==================================================='
7		~~cat <<EOF >~~ /etc/sysctl.conf
8		net.ipv4.ip_forward = 0
9		net.ipv4.tcp_max_syn_backlog = 1280
10		~~net.ipv4.conf.all.accept_source_route =~~0
11		net.ipv4.icmp_echo_ignore_broadcasts = 1
	7	sed -i "/net\.ipv4\.conf\.all\.rp_filter/ c\net.ipv4.conf.all.rp_filter = 1" /etc/sysctl.conf
	8	sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf
	9	cat <<-EOF >> /etc/sysctl.conf
	10	net.ipv4.tcp_max_syn_backlog = 1280
	11	net.ipv4.icmp_echo_ignore_broadcasts = 1
12	12	EOF
13

trunk/RHEL5.1/scripts/stig-fix/cat2/gen003740.sh

r115	r144
11	11	echo '==================================================='
12	12	chmod -R 755 /etc/xinetd.d
13		chmod 400 /etc/xinetd.conf
	13	chmod 440 /etc/xinetd.conf

trunk/RHEL5.1/scripts/stig-fix/cat2/gen003960.sh

r110	r144
6	6	echo 'Patching GEN003960: Set traceroute comand owner'
7	7	echo '==================================================='
8		whereis traceroute \| cut -d " " -f 2 \| xargs chown root
	8	chown root /bin/traceroute

trunk/RHEL5.1/scripts/stig-fix/cat2/gen003980.sh

r110	r144
7	7	echo ' traceroute command'
8	8	echo '==================================================='
9		whereis traceroute \| cut -d " " -f 2 \| xargs chgrp root
	9	chgrp root /bin/traceroute

trunk/RHEL5.1/scripts/stig-fix/cat2/gen004000.sh

r121	r144
7	7	echo ' root user only.'
8	8	echo '==================================================='
9		whereis traceroute \| cut -d " " -f 2 \| xargs chmod 700
	9	chmod 700 /bin/traceroute

trunk/RHEL5.1/scripts/stig-fix/cat2/gen006620.sh

r115	r144
7	7	echo ' Patching GEN006620: Set hosts.deny file'
8	8	echo '==================================================='
9		echo "
10		ALL: ALL" >> /etc/hosts.deny
	9	echo "ALL: ALL" > /etc/hosts.deny

trunk/RHEL5.1/scripts/stig-fix/cat3/gen001280.sh

r115	r144
7	7	echo ' Patching GEN001280: Set manual page permissions'
8	8	echo '==================================================='
9		chmod -R 644 /usr/share/man
	9	find /usr/share/man -type f -exec chmod 644 {} \;

trunk/RHEL5.1/scripts/stig-fix/cat3/gen001780.sh

r121	r144
7	7	echo ' initialization files'
8	8	echo '==================================================='
9		FILES="/etc/profile /etc/bashrc /etc/environment"
10		for FILE in $FILES; do
	9	for FILE in /etc/{profile,bashrc,environment}; do
11	10	echo "mesg n" >> $FILE
12	11	done;

trunk/RHEL5.1/scripts/stig-fix/cat3/gen003500.sh

r110	r144
6	6	echo 'Patching GEN003500: Disable core dumps'
7	7	echo '==================================================='
8		echo "
9		* soft core 0
10		* hard core 0" >> /etc/security/limits.conf
	8	echo "* - core 0" >> /etc/security/limits.conf

trunk/RHEL5.1/scripts/stig-fix/cat3/gen003520.sh

r115	r144
7	7	echo ' Patching GEN003520: Set crash log dir permissions'
8	8	echo '==================================================='
	9	chown root:root /var/crash
9	10	chmod -R 700 /var/crash

trunk/RHEL5.1/scripts/stig-fix/cat4/gen004440.sh

r112	r144
8	8	echo 'Patching GEN004440: Set sendmail logging level'
9	9	echo '==================================================='
10		sed -i '/LogLevel/ c\
11		O LogLevel=9' /etc/mail/sendmail.cf
	10	sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r115	r144
7	7	echo '==================================================='
8	8	sed --in-place s/^decode\:/\#decode\:/ /etc/aliases
	9	/usr/bin/newaliases