Navigation

← Previous Changeset
Next Changeset →

Changeset 175

Timestamp:

03/17/08 08:09:49 (9 months ago)

Author:

jjarrett

Message:

Corrected Makefile Logic

Files:

trunk/RHEL5/Makefile (modified) (1 diff)
trunk/RHEL5/kickstart/clip.ks (modified) (4 diffs)
trunk/RHEL5/rpmify (modified) (1 diff)
trunk/RHEL5/scripts/stig-fix/cat2/gen001020.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5/Makefile

r69 r175

1 SUBDIRS=~~scripts conf man pam_tally3~~
1 SUBDIRS=pam_tally3 scripts conf man
2 2
3 3 export PREFIX=/usr

trunk/RHEL5/kickstart/clip.ks

r124	r175
1		# Kickstart installation script for clip
2
3		###################
4		# Command section #
5		###################
6
7		auth --enableshadow --enablemd5
	1	## Version .04 January 2008 ##
	2	#
	3	# Date Created : 2007-02-06 #
	4	#
	5	# CHANGELOG:
	6	# - 2007-02-07: Finished Mapping existing STIG scripts to DCID 6/3
	7	# Sections. [St. Laurent]
	8	# - 2007-12-xx: Initiated updates to reflect DCID PL4 Requirements
	9	# [Tresys]
	10	# - 2008-01-xx: Added/updated STIG scripts. Finalized kickstart
	11	# procedures. [Tresys]
	12	#
	13	#
	14	# Profile Name: dcid-6-3-PL4-ks.1.0.txt
	15	# Profile Label: dcid-6-3-PL4-ks.1.0.txt
	16	#
	17	# Details: This KickStart file lists out DCID 6/3 Policy at the PL4
	18	# Confidentiality level. Security settings are applied and
	19	# mapped to each specific PL4 section in DCID 6/3.
	20	#
	21	# By setting these security features in a KickStart file
	22	# allows for an auditor to have a high degree of assurance
	23	# that a system is being setup meeting the security
	24	# requirements the same (correct way) every time.
	25	#
	26	# A SHA-1 should be created to ensure a degree of
	27	# resistance to unauthorized modification.
	28	#
	29	## Version .02 February 2007 ##
	30	## Version .03 December 2007 ##
	31	## Version .04 January 2008 ##
	32
	33
	34
	35	# The "install" command tells the system to install a fresh system
	36	# rather than upgrade an existing system. You must specify the type
	37	# of installation in the form of: cdrom, harddrive, nfs, url (ftp
	38	# http installation). The "install" command and the installation
	39	# method command must be on separate lines. Examples:
	40	# url --url http://<server>/<dir>
	41	# --url ftp://<username>:<password>@<server>/<dir>
	42	# Passwd is in CLEAR with ftp!!! Not to be used.
	43	# harddrive --partition=hda2--dir=/path/to/install-tree
	44	# nfs --server=nfsserver.example.com --dir=/path/to/install-tree
8	45	install
	46
	47	# Perform the kickstart install in Text Mode. Installs are
	48	# performed in graphical mode by default.
9	49	text
10		skipx
	50
	51	# Defaults to a CD based install - disable if using URL or someother media
	52	# Use the network option if installing from a remote installation tree.
	53	cdrom
	54
	55	# Configure network information for the system. The "network"
	56	# option configures networking information for installations from an
	57	# installation tree on a remote server via NFS, FTP, or HTTP. DHCP
	58	# uses a DHCP server to get the network configuration information.
	59	#network --bootproto dhcp
	60
	61	# Perform a remote install.
	62	# The network option is required if performing a remote install
	63	#url --url http://<server>/<dir>
	64	#url --ftp ftp://<username>:<password>@<server>/<dir>
	65
	66
	67	# The "lang" command sets the language to use during installation.
	68	lang en_US
	69
	70	# The "langsupport" to install on the system. The --default switch
	71	# must be used if more than one language is specified.
	72	langsupport --default en_US en_US
	73
	74	# The "keyboard" command is required to set the system keyboard type.
	75	keyboard us
	76
	77	# The "mouse" command is required to configure the mouse type.
	78	# Giving no options will attempt to automatically detect the mouse.
	79	mouse
	80
	81
	82	##### WARNING: THIS WILL ERASE YOUR SYSTEM #####
	83	# A full backup should be performed before installation.
	84	zerombr yes
	85	clearpart --all
	86
	87
	88	# PARTITION NOTES
	89	# The following options are required under 'Disk Partition Information'
	90	# section in ks.cfg file, for creating the Logical Volume Manager (LVM)
	91	# partitions using kickstart.
	92
	93	#Disk partitioning information
	94	#part pv.<id>
	95	#volgroup <name> <partition>
	96	#logvol <mountpoint> --vgname=<volume_group_name> --size=<size> --name=<name>
	97
	98	#EXAMPLE using LVM
	99	#part /boot --fstype ext3 --size=150
	100	#part swap --size=1024
	101	#part pv.01 --size=1 --grow
	102	#volgroup vg_root pv.01
	103	#logvol / --vgname=vg_root --size=8192 --name=lv_root
	104	#logvol /var --vgname=vg_root --size=4096 --name=lv_var
	105	#logvol /tmp --vgname=vg_root --size=2048 --name=lv_tmp
	106	#logvol /spare --vgname=vg_root --size=1 --grow --name=lv_spare
	107
	108	partition /boot --fstype "ext3" --size=128
	109	partition pv.2 --size=0 --grow
	110	volgroup VolGroup00 pv.2
	111	logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512
	112	logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=1024 --grow
	113	logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow
	114	logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow
	115	logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024 --grow
	116
	117
	118	# Specifies how the GRUB bootloader should be installed.
	119	# Set a password to prevent any non-stadard boot options.
	120	# The password should be changed after installation.
	121	bootloader --location mbr --password Dodiis_Redhat4321
	122
	123	# Set the root password.
	124	# This should be changed after installation.
11	125	rootpw 123)(*qweASD
12		bootloader --location=mbr --password=123)(*qweASD
13
14		#~~###############~~
15		# Partitioning #
16		################
17
18		clearpart --linux
19		part /boot --size=128
20		part swap --recommended
21		part pv.01 --size=1 --grow
22		volgroup clipvg pv.01
23		# ~~Using Logical Volume Management lets the user resize partitions later.~~
24		# STIG requires separate /var and /home.
25		logvol /var --vgname=clipvg --size=1024 --name=var
26		~~logvol /home --vgname=clipvg --size=1024 --name=hom~~e
27		~~logvol / --vgname=clipvg --size=1 --grow --name=r~~oot
28
29
30		####################
31		# Packages section #
32		#~~###################~~
	126
	127	# Set the authentication options for the system.
	128	# Similar to the authconfig command.
	129	auth --enablemd5 --enableshadow
	130
	131	# Set the timezone
	132	timezone --utc America/New_York
	133
	134	# Enable selinux
	135	selinux --enforcing
	136
	137	# Enable the firewall
	138	firewall --enabled --port=22:tcp --port=161:tcp --port=1002:tcp
	139
	140	# Reboot after installation is complete
	141	reboot
	142
	143
	144
	145
	146	# Install Packages. This is site specific.
33	147	%packages --resolvedeps
34	148	@base
…	…
36	150	aide
37	151	sysstat
38		-setools
39		#audit
40		#pam
41		#pam-devel
42		#python-devel
43		#subversion
44		#tcl
45		#tcl-devel
46		#tk
47		#tk-devel
	152	setools
	153	audit
48	154	#####################################
49	155	# Remove tcpdump per STIG gen003865 #
…	…
89	195	-ethereal
90	196	-ethereal-gnome
91		~~-tcpdump~~
92	197	-xchat
93	198	-vino
…	…
150	255	-perl-XML-NamespaceSupport
151	256
152		############################
153		# Pre/post install section #
154		############################
	257
	258	%pre
	259
	260
	261
	262	##### No changes should be made beyond this point #####
	263
	264
	265
155	266	%post
156		#!/bin/sh
157
158		out_file="installer.sh"
159		out_file_path="/root"
160
161		# DO NOT MODIFY anything below here
162		SERVICES_REQ="atd auditd crond iptables network syslog"
163
164		# Deactivate all services first
165		active=`chkconfig --list \| grep -i "3:on" \| cut -d" " -f1`
166		echo "Removing services from runlevel 3: "
167		for service in $active
	267	# Log %post errors
	268	##########################################################################
	269	# The post section of this kickstart file takes care of the secure
	270	# configuraton of Red Hat according to DCID 6/3.
	271	#
	272	# Levels of Concern:
	273	# Confidentiality PL4
	274	# [ PL4 ]
	275	##########################################################################
	276
	277
	278	# The Red Hat provided GPG key Red Hat uses to sign all of our RPM packages
	279	rpm --import /usr/share/rhn/RPM-GPG-KEY
	280
	281
	282
	283
	284
	285	##########################################################################
	286	# UNIX STIG v5r1
	287	##########################################################################
	288
	289	## (GEN000020: CAT II) (Previously â G001) The IAO and SA will ensure, if
	290	## configurable, the UNIX host is configured to require a password for access
	291	## to single-user and maintenance modes.
	292	echo "" >> /etc/inittab
	293	echo "#Require password in single-user mode" >> /etc/inittab
	294	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
	295
	296	## (GEN000400: CAT II) (Previously â G010) The SA will ensure a logon-warning banner is
	297	## displayed on all devices and sessions at the initial logon.
	298	cat <<-EOF > /etc/issue
	299	You are accessing a U.S. Government (USG) information system (IS) that is
	300	provided for USG-authorized use only.
	301
	302	By using this IS, you consent to the following conditions:
	303
	304	-The USG routinely monitors communications occurring on this IS, and any
	305	device attached to this IS, for purposes including, but not limited to,
	306	penetration testing, COMSEC monitoring, network defense, quality control,
	307	and employee misconduct, law enforcement, and counterintelligence
	308	investigations.
	309	-At any time, the USG may inspect and/or seize data stored on this IS and
	310	any device attached to this IS.
	311	-Communications occurring on or data stored on this IS, or any device
	312	attached to this IS, are not private. They are subject to routine
	313	monitoring and search.
	314	-Any communications occurring on or data stored on this IS, or any device
	315	attached to this IS, may be disclosed or used for any USG-authorized purpose.
	316	-Security protections may be utilized on this IS to protect certain interests
	317	that are important to the USG. For example, passwords, access cards,
	318	encryption or biometric access controls provide security for the benefit of
	319	the USG. These protections are not provided for your benefit or privacy and
	320	may be modified or elimiated at the USG's discretion.
	321
	322	EOF
	323	sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config
	324	sed -i "s/^$PATH=.*$/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n sleep 10\n exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default
	325
	326	## (GEN000440: CAT II) (Previously â G012) The SA will ensure all logon attempts (both
	327	## successful and unsuccessful) are logged to a system log file.
	328	echo "auth.* /var/log/authlog" >> /etc/syslog.conf
	329
	330	## (GEN000460: CAT II) (Previously â G013) The SA will ensure, after three consecutive
	331	## failed logon attempts for an account, the account is locked for 15 minutes or until
	332	## the SA unlocks the account.
	333	sed -i '/^auth.*pam_deny/ a\
	334	auth\t required\t /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth
	335	sed -i '/^account.*pam_unix/ a\
	336	account\t required\t /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth
	337
	338	## (GEN000480: CAT II) (Previously â G015) The SA will ensure the logon delay between
	339	## logon prompts after a failed logon is set to at least four seconds.
	340	echo "FAIL_DELAY 4" >> /etc/login.defs
	341
	342	## (GEN000500: CAT II) (Previously â G605) The SA will configure systems to log
	343	## out interactive processes (i.e., terminal sessions, ssh sessions, etc.,)
	344	## after 15 minutes of inactivity or ensure a password protected screen lock
	345	## mechanism is used and is set to lock the screen after 15 minutes of
	346	## inactivity.
	347	echo "TMOUT=900" >> /etc/profile
	348
	349	## (GEN000540: CAT II) (Previously â G004) The SA will ensure passwords are
	350	## not changed more than once a day.
	351	sed -i '/^PASS_MIN_DAYS/ c\PASS_MIN_DAYS\t1' /etc/login.defs
	352
	353	## (GEN000560: CAT I) (Previously â G018) The SA will ensure each account in
	354	## the /etc/passwd file has a password assigned or is disabled in the
	355	## password, shadow, or equivalent, file by disabling the password and/or by
	356	## assigning a false shell in the password file.
	357	for USERINFO in `cat /etc/shadow`; do
	358	if [ -z "`echo $USERINFO \| cut -d: -f2`" ]
	359	then
	360	/usr/sbin/usermod -L -s /dev/null `echo $USERINFO \| cut -d: -f1`
	361	fi
	362	done;
	363
	364	## (GEN000580: CAT II) (Previously â G019) The IAO will ensure all passwords contain a
	365	## minimum of eight characters.
	366	sed -i "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs
	367
	368	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
	369	## least two alphabetic characters, one of which must be capitalized.
	370	sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth
	371	sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth
	372	# Running the authconfig tool WILL clobber these changes!
	373	# Taking the executable permissions off of /usr/sbin/authconfig
	374	chmod ugo-x /usr/sbin/authconfig
	375
	376	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
	377	## changed at least every 90 days.
	378	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs
	379
	380	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
	381	## reused within the last ten changes.
	382	sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth
	383
	384	## (GEN000920: CAT II) (Previously â G023) The SA will ensure the root account
	385	## home directory (other than â/â) has permissions of 700. Do not change the
	386	## permissions of the â/â directory to anything other than 0755.
	387	chmod 700 /root
	388
	389	## (GEN000980: CAT II) (Previously â G026) The SA will ensure root can only log
	390	## on as root from the system console, and then only when necessary to perform
	391	## system maintenance.
	392	echo "console" > /etc/securetty
	393
	394	## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to
	395	## log on to their personal account and invoke the /bin/su - command to switch
	396	## user to root.
	397	# Configure sshd and login to consult pam_access.so
	398	sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
	399	sed -i '/^account.*auth$/ a\account\t required\tpam_access.so' /etc/pam.d/login
	400	# Configure pam_access to refuse direct logins for accounts not in users group
	401	sed -i '/^# All other/d' /etc/security/access.conf
	402	echo "# Restrict direct login to accounts in the users group" >> /etc/security/access.conf
	403	echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
	404	# Add a User who is in the users group allowing access to the system
	405	adduser -G users,wheel clipuser
	406	echo "123)(*qweASD" \| passwd --stdin clipuser
	407	# Cron was previously set to use /etc/security/access.conf, which did
	408	# nothing by default. We don't want to block root from using cron.
	409	# So, we create a blank config file and direct crond to use that instead.
	410	touch /etc/security/access-cron.conf
	411	chmod 644 /etc/security/access-cron.conf
	412	sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond
	413
	414	## (GEN001080: CAT III) (Previously â G229) The SA will ensure the root shell
	415	## is not located in /usr if /usr is partitioned.
	416	/usr/sbin/usermod -s /bin/bash root
	417
	418	## (GEN001120: CAT II) (Previously â G500) The SA will configure the
	419	## encryption program for direct root access only from the system console.
	420	sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config
	421
	422	## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log
	423	## files have permissions of 640, or more restrictive.
	424	find /var/log/ -type f -exec chmod 640 '{}' \;
	425	sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit
	426
	427	## (GEN001280: CAT III) (Previously â G042) The SA will ensure all manual page
	428	## files (i.e.,files in the man and cat directories) have permissions of 644,
	429	## or more restrictive.
	430	find /usr/share/man -type f -not -perm 644 -exec chmod 644 {} \;
	431
	432	## (GEN001380: CAT II) (Previously â G048) The SA will ensure the /etc/passwd
	433	## file has permissions of 644, or more restrictive.
	434	chmod 644 /etc/passwd
	435
	436	## (GEN001400: CAT I) (Previously â G047) The SA will ensure the owner of the
	437	## /etc/passwd and /etc/shadow files (or equivalent) is root.
	438	chown root /etc/passwd
	439	chown root /etc/shadow
	440
	441	## (GEN001420: CAT II) (Previously â G050) The SA will ensure the /etc/shadow
	442	## file (or equivalent) has permissions of 400.
	443	chmod 400 /etc/shadow
	444
	445	## (GEN001460: CAT IV) (Previously â G052) The SA will ensure all home
	446	## directories defined in the /etc/passwd file exist.
	447	for HOMEDIR in `cut -d: -f6 /etc/passwd`; do
	448	if [ ! -d $HOMEDIR ]
	449	then
	450	mkdir $HOMEDIR
	451	fi
	452	done;
	453
	454	## (GEN001560: CAT II) (Previously â G068) The user, application developers,
	455	## and the SA will ensure user files and directories will have an initial
	456	## permission no more permissive than 700, and never more permissive than 750.
	457	for BASEDIR in /home/* /root
168	458	do
169		echo $service
170		`chkconfig --level 3 $service off`
	459	find $BASEDIR -type f -exec chmod 600 '{}' \;
	460	find $BASEDIR -type d -exec chmod 700 '{}' \;
171	461	done
172	462
173		# Now activate only the required services
174		echo "Adding required services to runlevel 3: "
175		for service in $SERVICES_REQ
	463	## (GEN001580: CAT II) (Previously â G058) The SA will ensure run control
	464	## scripts have permissions of 755, or more restrictive.
	465	chmod 755 /etc/rc.d/init.d/*
	466
	467	## (GEN001620: CAT II) (Previously â G061) The SA will ensure run control
	468	## scripts files do not have the suid or sgid bit set.
	469	chmod ug-s /etc/rc.d/init.d/*
	470
	471	## (GEN001660: CAT II) (Previously â G611) The SA will ensure the owner of run
	472	## control scripts is root.
	473	chown root /etc/rc.d/init.d/*
	474
	475	## (GEN001680: CAT II) (Previously â G612) The SA will ensure the group owner
	476	## of run control scripts is root, sys, bin, other, or the system default.
	477	chgrp root /etc/rc.d/init.d/*
	478
	479	## (GEN001720: CAT II) The SA will ensure global initialization files have
	480	## permissions of 644, or more restrictive.
	481	chmod 644 /etc/{profile,bashrc,environment}
	482
	483	## (GEN001740: CAT II) The SA will ensure the owner of global initialization
	484	## files is root.
	485	chown root /etc/{profile,bashrc,environment}
	486
	487	## (GEN001760: CAT II) The SA will ensure the group owner of global
	488	## initialization files is root, sys, bin, other, or the system default.
	489	chgrp root /etc/{profile,bashrc,environment}
	490
	491	## (GEN001780: CAT III) (Previously â G112) The SA will ensure global
	492	## initialization files contain the command mesg ân.
	493	for FILE in /etc/{profile,bashrc,environment}; do
	494	echo "mesg n" >> $FILE
	495	done;
	496
	497	## (GEN001800: CAT II) (Previously â G038) The SA will ensure all
	498	## default/skeleton dot files have permissions of 644, or more restrictive.
	499	find /etc/skel -type f -exec chmod 644 '{}' \;
	500
	501	## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton
	502	## dot files is root or bin.
	503	find /etc/skel -type f -exec chown root '{}' \;
	504
	505	## (GEN002040: CAT I) The SA will ensure .rhosts, .shosts, hosts.equiv, nor
	506	## shosts.equiv are used, unless justified and documented with the IAO.
	507	for file in /root/.rhosts /root/.shosts /etc/hosts.equiv
176	508	do
177		~~echo $servic~~e
178		`chkconfig --level 3 $service on`
	509	rm -f $file
	510	ln -s /dev/null $file
179	511	done
180	512
181		# Save an installer script to root's homedir
182
183		echo "Saving an install script to root's home directory."
184		cat >> $out_file_path/$out_file <<'EOF'
185		#!/bin/sh
186		VERSION="2.0"
187		RELEASE="1"
188		UNAME="/bin/uname"
189		WGET="/usr/bin/wget"
190		SHA1SUM="/usr/bin/sha1sum"
191		ID="/usr/bin/id"
192		RPM="/bin/rpm"
193		SETENFORCE="/usr/sbin/setenforce"
194
195		RPM_OPTS1="--force -Uvh"
196		RPM_OPTS2="-ivh"
197
198		ARCH=$($UNAME -i)
199		ARCH_64="x86_64"
200		ARCH_32="i386"
201
202		URL="http://oss.tresys.com/projects/clip/chrome/site/files/rhel5"
203		LSPP_URL="http://people.redhat.com/sgrubb/files/lspp"
204		LSPP_PAM_RPM="pam-0.99.6.2-3.22.el5.$ARCH.rpm"
205		CLIP_RPM="clip-$VERSION-$RELEASE.$ARCH.rpm"
206		REFPOL_RPM="selinux-policy-clip-$VERSION-$RELEASE.noarch.rpm"
207		CLIP_SHA1="$CLIP_RPM.sha1"
208		REFPOL_SHA1="$REFPOL_RPM.sha1"
209
210		USAGE="This script will use wget to download and install \n \
211		$CLIP_RPM and\n \
212		$REFPOL_RPM\n \
213		from $URL and\n \
214		$LSPP_PAM_RPM\n \
215		from $LSPP_URL\n \
216		Internet connectivity is required. \n \
217		To install, invoke $0 with the -i option."
218
219		download() {
220		$WGET $URL/$CLIP_RPM && \
221		$WGET $URL/$CLIP_SHA1 && \
222		$WGET $URL/refpolicy/$REFPOL_RPM && \
223		$WGET $URL/refpolicy/$REFPOL_SHA1 && \
224		$WGET $LSPP_URL/$LSPP_PAM_RPM
225		if [ $? -ne 0 ]; then
226		echo "RPM download failed. Terminating."
227		exit 1
	513	## (GEN002120: CAT II) (Previously â G069) The SA will ensure the /etc/shells
	514	## (or equivalent) file exits.
	515	cat <<-EOF > /etc/shells
	516	/bin/sh
	517	/bin/bash
	518	/sbin/nologin
	519	/bin/tcsh
	520	/bin/csh
	521	/bin/ksh
	522	EOF
	523
	524	## (GEN002160: CAT I) (Previously â G072) The SA will ensure no shell has the
	525	## suid bit set.
	526	for SHELL in `cat /etc/shells`; do
	527	chmod u-s $SHELL
	528	done
	529
	530	## (GEN002180: CAT II) (Previously â G073) The SA will ensure no shell has the
	531	## sgid bit set.
	532	for SHELL in `cat /etc/shells`; do
	533	chmod g-s $SHELL
	534	done
	535
	536	## (GEN002200: CAT II) (Previously â G074) The SA will ensure the owner of all
	537	## shells is root or bin.
	538	for SHELL in `cat /etc/shells`; do
	539	chown root $SHELL
	540	done
	541
	542	## (GEN002220: CAT II) (Previously â G075) The SA will ensure all shells
	543	## (excluding /dev/null and sdshell) have permissions of 755, or more
	544	## restrictive.
	545	for SHELL in `cat /etc/shells`; do
	546	chmod 755 $SHELL
	547	done
	548
	549	## (GEN002320: CAT II) (Previously â G501) The SA will ensure the audio devices
	550	## have permissions of 644, or more restrictive.
	551	sed -i -r "/sound\|snd\|mixer/ d" /etc/security/console.perms.d/50-default.perms
	552	echo "SUBSYSTEM==\"sound\|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"" > /etc/udev/rules.d/55-audio-perms.rules
	553
	554	## (GEN002340: CAT II) (Previously â G502) The SA will ensure the owner of
	555	## audio devices is root.
	556	# see GEN002320
	557
	558	## (GEN002360: CAT II) (Previously â G504) The SA will ensure the group owner
	559	## of audio devices is root, sys, or bin.
	560	# see GEN002320
	561
	562	## (GEN002420: CAT II) (Previously â G086) The SA will ensure user filesystems,
	563	## removable media, and remote filesystems will be mounted with the nosuid
	564	## option.
	565	FSTAB=/etc/fstab
	566	SED=/bin/sed
	567	#nosuid and acl on /home
	568	if [ $(grep " \/home " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	569	MNT_OPTS=$(grep " \/home " ${FSTAB} \| awk '{print $4}')
	570	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	571	fi
	572	#nosuid and acl on /sys
	573	if [ $(grep " \/sys " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	574	MNT_OPTS=$(grep " \/sys " ${FSTAB} \| awk '{print $4}')
	575	${SED} -i "s/$ \/sys.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	576	fi
	577	#nosuid and acl on /boot
	578	if [ $(grep " \/boot " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	579	MNT_OPTS=$(grep " \/boot " ${FSTAB} \| awk '{print $4}')
	580	${SED} -i "s/$ \/boot.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	581	fi
	582	#nodev and acl on /usr
	583	if [ $(grep " \/usr " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	584	MNT_OPTS=$(grep " \/usr " ${FSTAB} \| awk '{print $4}')
	585	${SED} -i "s/$ \/usr.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	586	fi
	587	#nodev and acl on /home
	588	if [ $(grep " \/home " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	589	MNT_OPTS=$(grep " \/home " ${FSTAB} \| awk '{print $4}')
	590	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	591	fi
	592	#nodev and acl on /usr/local
	593	if [ $(grep " \/usr\/local " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	594	MNT_OPTS=$(grep " \/usr\/local " ${FSTAB} \| awk '{print $4}')
	595	${SED} -i "s/$ \/usr\/local.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	596	fi
	597
	598	## (GEN002560: CAT II) (Previously â G089) The SA will ensure the system and
	599	## user umask is 077.
	600	echo "umask 077" >> /etc/bashrc
	601
	602	## (GEN002640: CAT II) (Previously â G092) The SA will ensure logon capability
	603	## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon,
	604	## and any default account not normally logged onto) will be disabled by
	605	## making the default shell /bin/false, /usr/bin/false, /sbin/false,
	606	## /sbin/nologin, or /dev/null, and by locking the password.
	607	for NAME in `cut -d: -f1 /etc/passwd`; do
	608	NAMEID=`id -u $NAME`
	609	if [ $NAMEID -lt 500 -a $NAME != 'root' ]; then
	610	/usr/sbin/usermod -L -s /dev/null $NAME
228	611	fi
229		}
230
231		check() {
232		$SHA1SUM $CLIP_SHA1 && \
233		$SHA1SUM $REFPOL_SHA1 && \
234		$RPM --checksig $LSPP_PAM_RPM
235		if [ $? -ne 0 ]; then
236		echo "Download verification failed. Terminating."
237		exit 1
	612	done
	613
	614	## (GEN002660: CAT II) (Previously â G093) The SA will configure and implement
	615	## auditing.
	616	chkconfig auditd on
	617	cat <<-EOF > /etc/audit/audit.rules
	618	# Remove any existing rules
	619	-D
	620	# Increase buffer size to handle the increased number of messages.
	621	-b 8192
	622	EOF
	623
	624	## (GEN002680: CAT II) (Previously â G094) The SA will ensure audit data files
	625	## and directories will be readable only by personnel authorized by the IAO.
	626	chmod 700 /var/log/audit
	627
	628	## (GEN002700: CAT I) (Previously â G095) The SA will ensure audit data files
	629	## have permissions of 640, or more restrictive.
	630	touch /var/log/audit/audit.log
	631	chmod 640 /var/log/audit/*
	632	chmod 640 /etc/audit/audit.rules
	633
	634	## (GEN002720: CAT II) The SA will configure the auditing system to audit
	635	## logon (unsuccessful and successful) and logout (successful)
	636	cat <<-EOF >> /etc/audit/audit.rules
	637	-a exit,always -w /bin/login -p x
	638	-a exit,always -w /bin/logout -F success=0
	639	EOF
	640
	641	## (GEN002740: CAT II) The SA will configure the auditing system to audit
	642	## discretionary access control permission modification (unsuccessful and
	643	## successful use of chown/chmod)
	644	cat <<-EOF >> /etc/audit/audit.rules
	645	-a exit,always -S chmod
	646	-a exit,always -S chown
	647	-a exit,always -S chown32
	648	-a exit,always -S fchmod
	649	-a exit,always -S fchown
	650	-a exit,always -S fchown32
	651	-a exit,always -S lchown
	652	-a exit,always -S lchown32
	653	EOF
	654
	655	## (GEN002760: CAT II) The SA will configure the auditing system to audit
	656	## unauthorized access attempts to files (unsuccessful)
	657	cat <<-EOF >> /etc/audit/audit.rules
	658	-a exit,always -S open -F success!=0
	659	-a exit,always -S mknod -F success=0
	660	-a exit,always -S pipe -F success=0
	661	-a exit,always -S mkdir -F success=0
	662	-a exit,always -S creat -F success=0
	663	-a exit,always -S truncate -F success=0
	664	-a exit,always -S truncate64 -F success=0
	665	-a exit,always -S ftruncate -F success=0
	666	-a exit,always -S ftruncate64 -F success=0
	667	EOF
	668
	669	## (GEN002780: CAT II) The SA will configure the auditing system to audit
	670	## use of privileged commands (unsuccessful and successful)
	671	cat <<-EOF >> /etc/audit/audit.rules
	672	-a exit,always -S chroot
	673	-a exit,always -S mount
	674	-a exit,always -S umount
	675	-a exit,always -S umount2
	676	-a exit,always -S adjtimex
	677	-a exit,always -S kill
	678	-a exit,always -w /usr/sbin/pwck
	679	-a exit,always -w /bin/chgrp
	680	-a exit,always -w /usr/bin/newgrp
	681	-a exit,always -w /usr/sbin/groupadd
	682	-a exit,always -w /usr/sbin/groupmod
	683	-a exit,always -w /usr/sbin/groupdel
	684	-a exit,always -w /usr/sbin/useradd
	685	-a exit,always -w /usr/sbin/userdel
	686	-a exit,always -w /usr/sbin/usermod
	687	-a exit,always -w /usr/bin/chage
	688	-a exit,always -w /usr/bin/setfacl
	689	-a exit,always -w /usr/bin/chacl
	690	EOF
	691
	692	## (GEN002800: CAT II) The SA will configure the auditing system to audit
	693	## files and programs deleted by the user (successful and unsuccessful)
	694	cat <<-EOF >> /etc/audit/audit.rules
	695	-a exit,always -S unlink
	696	-a exit,always -S rmdir
	697	EOF
	698
	699	## (GEN002820: CAT II) The SA will configure the auditing system to audit
	700	## all system administration actions
	701	cat <<-EOF >> /etc/audit/audit.rules
	702	-w /var/log/audit/
	703	-w /etc/auditd.conf
	704	-w /etc/audit
	705	-a exit,always -S acct
	706	-a exit,always -S reboot
	707	-a exit,always -S sched_setparam
	708	-a exit,always -S sched_setscheduler
	709	-a exit,always -S setdomainname
	710	-a exit,always -S setrlimit
	711	-a exit,always -S settimeofday
	712	-a exit,always -S stime
	713	-a exit,always -S swapon
	714	EOF
	715
	716	## (GEN002840: CAT II) The SA will configure the auditing system to audit
	717	## all security personnel actions
	718	cat <<-EOF >> /etc/audit/audit.rules
	719	-a exit,always -S init_module
	720	-a exit,always -S delete_module
	721	-a exit,always -w /bin/su
	722	EOF
	723
	724	## (GEN002860: CAT II) (Previously â G674) The SA and/or IAO will ensure old
	725	## audit logs are closed and new audit logs are started daily.
	726	cat <<-EOF > /etc/logrotate.d/audit
	727	/var/log/audit/audit.log
	728	{
	729	daily
	730	notifempty
	731	missingok
	732	postrotate
	733	/sbin/service auditd restart 2> /dev/null > /dev/null \|\| true
	734	endscript
	735	}
	736	EOF
	737
	738	## (GEN002980: CAT II) The SA will ensure the cron.allow
	739	## file has permissions of 600, or more restrictive.
	740	chmod 600 /etc/cron.allow
	741
	742	## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the
	743	## crontab creator.
	744	chown root /etc/cron.hourly/*
	745	chown root /etc/cron.daily/*
	746	chown root /etc/cron.weekly/*
	747	chown root /etc/cron.monthly/*
	748	chown root /etc/cron.d/*
	749	chown root /var/spool/cron/*
	750
	751	## (GEN003060: CAT II) The SA will ensure default system accounts (with the
	752	## possible exception of root) will not be listed in the cron.allow file. If
	753	## there is only a cron.deny file, the default accounts (with the possible
	754	## exception of root) will be listed there.
	755	echo 'root' > /etc/cron.allow
	756	awk -F: '{print $1}' /etc/passwd \| grep -v root > /etc/cron.deny
	757
	758	## (GEN003080: CAT II) (Previously â G205) The SA will ensure crontabs have
	759	## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
	760	## is detailed in the UNIX Checklist).
	761	chmod -R 600 /etc/cron.daily
	762	chmod -R 600 /etc/cron.hourly
	763	chmod -R 600 /etc/cron.weekly
	764	chmod -R 600 /etc/cron.monthly
	765	chmod 600 /etc/crontab
	766	chmod -R 600 /etc/cron.d
	767
	768	## (GEN003100: CAT II) (Previously â G206) The SA will ensure cron and crontab
	769	## directories have permissions of 755, or more restrictive.
	770	chmod 755 /etc/cron.hourly
	771	chmod 755 /etc/cron.daily
	772	chmod 755 /etc/cron.weekly
	773	chmod 755 /etc/cron.monthly
	774	chmod 755 /etc/cron.d
	775	chmod 755 /var/spool/cron
	776
	777	## (GEN003120: CAT II) (Previously â G207) The SA will ensure the owner of the
	778	## cron and crontab directories is root or bin.
	779	chown root /etc/cron.hourly
	780	chown root /etc/cron.daily
	781	chown root /etc/cron.weekly
	782	chown root /etc/cron.monthly
	783	chown root /etc/cron.d
	784	chown root /var/spool/cron
	785
	786	## (GEN003140: CAT II) (Previously â G208) The SA will ensure the group owner
	787	## of the cron and crontab directories is root, sys, or bin.
	788	chgrp root /etc/cron.hourly
	789	chgrp root /etc/cron.daily
	790	chgrp root /etc/cron.weekly
	791	chgrp root /etc/cron.monthly
	792	chgrp root /etc/cron.d
	793	chgrp root /var/spool/cron
	794
	795	## (GEN003180: CAT II) (Previously â G210) The SA will ensure cron logs have
	796	## permissions of 600, or more restrictive.
	797	touch /var/log/cron
	798	chmod 600 /var/log/cron
	799
	800	## (GEN003200: CAT II) The SA will ensure the cron.deny
	801	## file has permissions of 600, or more restrictive.
	802	chmod 600 /etc/cron.deny
	803
	804	## (GEN003240: CAT II) The SA will ensure the owner and
	805	## group owner of the cron.allow file is root.
	806	chown root:root /etc/cron.allow
	807
	808	## (GEN003260: CAT II) The SA will ensure the owner and
	809	## group owner of the cron.deny file is root.
	810	chown root:root /etc/cron.deny
	811
	812	## (GEN003300: CAT II) (Previously â G212) The SA will ensure the at.deny file
	813	## is not empty.
	814	awk -F: '{print $1}' /etc/passwd \| grep -v root > /etc/at.deny
	815
	816	## (GEN003320: CAT II) (Previously â G213) The SA will ensure default system
	817	## accounts (with the possible exception of root) are not listed in the
	818	## at.allow file. If there is only an at.deny file, the default accounts
	819	## (with the possible exception of root) will be listed there.
	820	echo "root" > /etc/at.allow
	821
	822	## (GEN003340: CAT II) (Previously â G214) The SA will ensure the at.allow and
	823	## at.deny files have permissions of 600, or more restrictive.
	824	chmod 600 /etc/at.allow
	825	chmod 600 /etc/at.deny
	826
	827	## (GEN003400: CAT II) (Previously â G625) The SA will ensure the at (or
	828	## equivalent) directory has permissions of 755, or more restrictive.
	829	chmod 755 /var/spool/at/spool
	830
	831	## (GEN003420: CAT II) (Previously â G626) The SA will ensure the owner and
	832	## group owner of the at (or equivalent) directory is root, sys, bin, or daemon.
	833	chown root:root /var/spool/at/spool
	834
	835	## (GEN003460: CAT II) (Previously â G629) The SA will ensure the owner and
	836	## group owner of the at.allow file is root.
	837	chown root:root /etc/at.allow
	838
	839	## (GEN003480: CAT II) (Previously â G630) The SA will ensure the owner and
	840	## group owner of the at.deny file is root.
	841	chown root:root /etc/at.deny
	842
	843	## (GEN003500: CAT III) The SA will ensure core dumps are disabled or
	844	## restricted.
	845	echo "* - core 0" >> /etc/security/limits.conf
	846
	847	## (GEN003520: CAT III) The SA will ensure the owner and group owner of the
	848	## core dump data directory is root with permissions of 700, or more
	849	## restrictive.
	850	chown root:root /var/crash
	851	chmod -R 700 /var/crash
	852
	853	## (GEN003600: CAT II) The SA will ensure network parameters are securely set.
	854	sed -i "/net\.ipv4\.conf\.default\.rp_filter/ c\net.ipv4.conf.default.rp_filter = 1" /etc/sysctl.conf
	855	sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf
	856	cat <<-EOF >> /etc/sysctl.conf
	857	net.ipv4.tcp_max_syn_backlog = 1280
	858	net.ipv4.icmp_echo_ignore_broadcasts = 1
	859	EOF
	860
	861	## (GEN003660: CAT II) The SA will ensure the authentication notice and
	862	## informational data is logged.
	863	echo "auth.notice /var/log/messages" >> /etc/syslog.conf
	864
	865	## (GEN003700: CAT II) The SA will ensure inetd (xinetd for Linux) is disabled
	866	## if all inetd/xinetd based services are disabled.
	867	/sbin/chkconfig bluetooth off
	868	/sbin/chkconfig irda off
	869	/sbin/chkconfig lm_sensors off
	870	/sbin/chkconfig portmap off
	871	/sbin/chkconfig rawdevices off
	872	/sbin/chkconfig rpcgssd off
	873	/sbin/chkconfig rpcidmapd off
	874	/sbin/chkconfig rpcsvcgssd off
	875	/sbin/chkconfig sendmail off
	876	/sbin/chkconfig xinetd off
	877
	878	## (GEN003740: CAT II) (Previously â G108) The SA will ensure the inetd.conf
	879	## (xinetd.conf for Linux) file has permissions of 440, or more restrictive.
	880	## The Linux xinetd.d directory will have permissions of 755, or more
	881	## restrictive. This is to include any directories defined in the includedir
	882	## parameter.
	883	chmod 755 /etc/xinetd.d
	884	chmod 440 /etc/xinetd.conf
	885
	886	## (GEN003760: CAT II) (Previously â G109) The SA will ensure the owner of the
	887	## services file is root or bin.
	888	chown root /etc/services
	889
	890	## (GEN003780: CAT II) (Previously â G110) The SA will ensure the services
	891	## file has permissions of 644, or more restrictive.
	892	chmod 644 /etc/services
	893
	894	## (GEN003860: CAT III) (Previously â V046) The SA will ensure finger is not
	895	## enabled.
	896	/sbin/chkconfig finger off
	897
	898	## (GEN003960: CAT II) (Previously â G631) The SA will ensure the owner of
	899	## the traceroute command is root.
	900	chown root /bin/traceroute
	901
	902	## (GEN003980: CAT II) (Previously â G632) The SA will ensure the group
	903	## owner of the traceroute command is root, sys, or bin.
	904	chgrp root /bin/traceroute
	905
	906	## (GEN004000: CAT II) (Previously â G633) The SA will ensure the traceroute
	907	## command has permissions of 700, or more restrictive.
	908	chmod 700 /bin/traceroute
	909
	910	## (GEN004360: CAT II) (Previously â G127) The SA will ensure the aliases file
	911	## is owned by root.
	912	chown root /etc/aliases
	913
	914	## (GEN004380: CAT II) (Previously â G128) The SA will ensure the aliases file
	915	## has permissions of 644, or more restrictive.
	916	chmod 644 /etc/aliases
	917
	918	## (GEN004440: CAT IV) (Previously â G133) The SA will ensure the sendmail
	919	## logging level (the detail level of e-mail tracing and debugging
	920	## information) in the sendmail.cf file is set to a value no lower than
	921	## nine (9).
	922	sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf
	923
	924	## (GEN004480: CAT II) (Previously â G135) The SA will ensure the owner of the
	925	## critical sendmail log file is root.
	926	chown root /var/log/maillog
	927
	928	## (GEN004500: CAT II) (Previously â G136) The SA will ensure the critical
	929	## sendmail log file has permissions of 644, or more restrictive.
	930	chmod 644 /var/log/maillog
	931
	932	## (GEN004540: CAT II) The SA will ensure the help sendmail command is
	933	## disabled.
	934	mv /etc/mail/helpfile /etc/mail/helpfile.bak
	935	echo "" > /etc/mail/helpfile
	936
	937	## (GEN004560: CAT II) (Previously â G646) To help mask the e-mail version,
	938	## the SA will use the following in place of the original sendmail greeting
	939	## message:
	940	## O SmtpGreetingMessage= Mail Server Ready ; $b
	941	sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf
	942
	943	## (GEN004580: CAT I) (Previously â G647) The SA will ensure .forward files
	944	## are not used.
	945	for HOMEDIR in `cut -d: -f6 /etc/passwd`; do
	946	if [ -f $HOMEDIR/.forward ]
	947	then
	948	rm $HOMEDIR/.forward
	949	fi
	950	done;
	951
	952	## (GEN004640: CAT I) (Previously â V126) The SA will ensure the decode entry
	953	## is disabled (deleted or commented out) from the alias file.
	954	sed --in-place s/^decode\:/\#decode\:/ /etc/aliases
	955	/usr/bin/newaliases
	956
	957	## (GEN004880: CAT II) (Previously â G140) The SA will ensure the ftpusers
	958	## file exists.
	959	touch /etc/ftpusers
	960
	961	## (GEN004900: CAT II) (Previously â G141) The SA will ensure the ftpusers
	962	## file contains the usernames of users not allowed to use FTP, and contains,
	963	## at a minimum, the system pseudo-users usernames and root.
	964	echo -n > /etc/ftpusers
	965	for NAME in `cut -d: -f1 /etc/passwd`; do
	966	NAMEID=`id -u $NAME`
	967	if [ $NAMEID -lt 500 ]; then
	968	echo $NAME >> /etc/ftpusers
238	969	fi
239		}
240
241		inst() {
242		$SETENFORCE 0
243		for i in $LSPP_PAM_RPM $CLIP_RPM; do
244		echo "Installing $i"
245		$RPM $RPM_OPTS1 $i
246		if [ $? -ne 0 ]; then
247		echo "Installation of $i failed. Terminating."
248		exit 1
249		fi
250		done
	970	done;
	971
	972	## (GEN004920: CAT II) (Previously â G142) The SA will ensure the owner of the
	973	## ftpusers file is root.
	974	chown root /etc/ftpusers
	975
	976	## (GEN004940: CAT II) (Previously â G143) The SA will ensure the ftpusers
	977	## file has permissions of 640, or more restrictive.
	978	chmod 640 /etc/ftpusers
	979
	980	## (GEN005000: CAT I) (Previously â G649) The SA will implement the anonymous
	981	## FTP account with a non-functional shell such as /bin/false.
	982	/usr/sbin/usermod -s /dev/null ftp
	983
	984	## (GEN005360: CAT II) The SA will ensure the owner of the snmpd.conf file is root with a group
	985	## owner of sys and the owner of MIB files is root with a group owner of sys or the application.
	986	chown root:sys /etc/snmp/snmpd.conf
	987
	988	## (GEN005400: CAT II) (Previously â G656) The SA will ensure the owner of the
	989	## /etc/syslog.conf file is root with permissions of 640, or more restrictive.
	990	chown root /etc/syslog.conf
	991	chmod 640 /etc/syslog.conf
	992
	993	## (GEN005420: CAT II) (Previously â G657) The SA will ensure the group owner
	994	## of the /etc/syslog.conf file is root, sys, or bin.
	995	chgrp root /etc/syslog.conf
	996
	997	## (GEN005500: CAT I) (Previously â G701) The IAO and SA will ensure SSH
	998	## Protocol version 1 is not used, nor will Protocol version 1 compatibility
	999	## mode be used.
	1000	if [ `grep -c "^Protocol" /etc/ssh/sshd_config` -gt 0 ]
	1001	then
	1002	sed -i "/^Protocol/ c\Protocol 2" /etc/ssh/sshd_config
	1003	else
	1004	echo "Protocol 2" >> /etc/ssh/sshd_config
	1005	fi
	1006	echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config
	1007
	1008	## (GEN005600: CAT II) The SA will ensure IP forwarding is disabled if the
	1009	## system is not dedicated as a router.
	1010	sed -i "/net\.ipv4\.ip_forward/ c\net.ipv4.ip_forward = 0" /etc/sysctl.conf
	1011
	1012	## (GEN005740: CAT II) (Previously â G178) The SA will ensure the owner of the
	1013	## export configuration file is root.
	1014	chown root /etc/exports
	1015
	1016	## (GEN005760: CAT III) (Previously â G179) The SA will ensure the export
	1017	## configuration file has permissions of 644, or more restrictive.
	1018	chmod 644 /etc/exports
	1019
	1020	## (GEN006100: CAT II) (Previously â L050) The SA will ensure the owner of
	1021	## the/etc/samba/smb.conf file is root.
	1022	chown root /etc/samba/smb.conf
	1023
	1024	## (GEN006120: CAT II) (Previously â L051) The SA will ensure the group owner
	1025	## of the /etc/samba/smb.conf file is root.
	1026	chgrp root /etc/samba/smb.conf
	1027
	1028	## (GEN006140: CAT II) (Previously â L052) The SA will ensure the
	1029	## /etc/samba/smb.conf file has permissions of 644, or more restrictive.
	1030	chmod 644 /etc/samba/smb.conf
	1031
	1032	## (GEN006160: CAT II) (Previously â L054) The SA will ensure the owner of
	1033	## smbpasswd is root.
	1034	chown root /usr/bin/smbpasswd
	1035
	1036	## (GEN006180: CAT II) (Previously â L055) The SA will ensure group owner of
	1037	## smbpasswd is root.
	1038	chgrp root /usr/bin/smbpasswd
	1039
	1040	## (GEN006200: CAT II) (Previously â L057) The SA will configure permissions
	1041	## for smbpasswd to 600, or more restrictive.
	1042	chmod 600 /usr/bin/smbpasswd
	1043
	1044	## (GEN006260: CAT II) (Previously â L154) The SA will ensure the
	1045	## /etc/news/hosts.nntp file has permissions of 600, or more restrictive.
	1046	chmod 600 /etc/news/hosts.nntp
	1047
	1048	## (GEN006300: CAT II) (Previously â L158) The SA will ensure the
	1049	## /etc/news/nnrp.access file has permissions of 600, or more restrictive.
	1050	chmod 600 /etc/news/nnrp.access
	1051
	1052	## (GEN006320: CAT II) (Previously â L160) The SA will ensure the
	1053	## /etc/news/passwd.nntp file has permissions of 600, or more restrictive.
	1054	chmod 600 /etc/news/passwd.nntp
	1055
	1056	## (GEN006340: CAT II) (Previously â L162) The SA will ensure the owner of all
	1057	## files under the /etc/news subdirectory is root or news.
	1058	chown -R root /etc/news/*
	1059
	1060	## (GEN006360: CAT II) (Previously â L164) The SA will ensure the group owner
	1061	## of all files in /etc/news is root or news.
	1062	chgrp -R root /etc/news/*
	1063
	1064	## (GEN006280: CAT II) (Previously â L156) The SA will ensure the
	1065	## /etc/news/hosts.nntp.nolimit file has permissions of 600, or more
	1066	## restrictive.
	1067	chmod 600 /etc/news/hosts.nntp.nolimit
	1068
	1069	## (GEN006520: CAT II) (Previously â G189) The SA will ensure security tools
	1070	## and databases have permissions of 740, or more restrictive.
	1071	chmod 740 /etc/rc.d/init.d/iptables
	1072	chmod 740 /sbin/iptables
	1073	chmod 740 /usr/share/logwatch/scripts/services/iptables
	1074
	1075	## (GEN006620: CAT II) The SA will ensure an access control program (e.g.,
	1076	## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to
	1077	## grant or deny system access to specific hosts.
	1078	echo "ALL: ALL" > /etc/hosts.deny
	1079
	1080	## (LNX00160: CAT II) (Previously â L074) The SA will ensure the grub.conf
	1081	## file has permissions of 600, or more restrictive.
	1082	chmod 600 /boot/grub/grub.conf
	1083
	1084	## (LNX00220: CAT II) (Previously â L080) The SA will ensure the lilo.conf
	1085	## file has permissions of 600 or more restrictive.
	1086	chmod 600 /etc/lilo.conf
	1087
	1088	## (LNX00320: CAT I) (Previously â L140) The SA will delete accounts that
	1089	## provide a special privilege such as shutdown and halt.
	1090	/usr/sbin/userdel shutdown
	1091	/usr/sbin/userdel halt
	1092	/usr/sbin/userdel sync
	1093
	1094	## (LNX00340: CAT II) (Previously â L142) The SA will delete accounts that
	1095	## provide no operational purpose, such as games or operator, and will delete
	1096	## the associated software.
	1097	/usr/sbin/userdel news
	1098	/usr/sbin/userdel operator
	1099	/usr/sbin/userdel games
	1100	/usr/sbin/userdel gopher
	1101	/usr/sbin/userdel nfsnobody
	1102
	1103	## (LNX00360: CAT II) (Previously â L032) The SA will enable the X server
	1104	## âaudit (at level 4) and âs option (with 15 minutes as the timeout time)
	1105	## options.
	1106	cat <<-EOF >> /etc/gdm/custom.conf
	1107	[server-Standard]
	1108	name=Standard server
	1109	command=/usr/bin/Xorg -br -audit 4 -s 15
	1110	flexible=true
	1111	EOF
	1112
	1113	## (LNX00400: CAT II) (Previously â L044) The SA will ensure the owner of the
	1114	## /etc/login.access or /etc/security/access.conf file is root.
	1115	chown root /etc/security/access.conf
	1116
	1117	## (LNX00420: CAT II) (Previously â L045) The SA will ensure the group owner
	1118	## of the /etc/login.access or /etc/security/access.conf file is root.
	1119	chgrp root /etc/security/access.conf
	1120
	1121	## (LNX00440: CAT II) (Previously â L046) The SA will ensure /etc/login.access
	1122	## or /etc/security/access.conf file will be 640, or more restrictive.
	1123	chmod 640 /etc/security/access.conf
	1124
	1125	## (LNX00480: CAT II) (Previously â L204) The SA will ensure the owner of the
	1126	## /etc/sysctl.conf file is root.
	1127	chown root /etc/sysctl.conf
	1128
	1129	## (LNX00500: CAT II) (Previously â L206) The SA will ensure the group owner
	1130	## of the /etc/sysctl.conf file is root.
	1131	chgrp root /etc/sysctl.conf
	1132
	1133	## (LNX00520: CAT II) (Previously â L208) The SA will ensure the
	1134	## /etc/sysctl.conf file has permissions of 600, or more restrictive.
	1135	chmod 600 /etc/sysctl.conf
	1136
	1137	## (LNX00580: CAT I) (Previously â L222) The SA will disable the
	1138	## Ctrl-Alt-Delete sequence unless the system is located in a controlled
	1139	## access area accessible only by SAs.
	1140	sed -i "s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/" /etc/inittab
	1141
	1142	## (LNX00620: CAT II) The SA will ensure the group owner of the /etc/securetty
	1143	## file is root, sys, or bin.
	1144	chgrp root /etc/securetty
	1145
	1146

r69	r175
1		SUBDIRS=~~scripts conf man pam_tally3~~
	1	SUBDIRS=pam_tally3 scripts conf man
2	2
3	3	export PREFIX=/usr

Navigation

Changeset 175

Legend:

trunk/RHEL5/Makefile

trunk/RHEL5/kickstart/clip.ks