Changeset 175

Timestamp:
03/17/08 08:09:49 (9 months ago)
Author:
jjarrett
Message:

Corrected Makefile Logic

Files:

  • trunk/RHEL5/Makefile

    r69 r175  
    1 SUBDIRS=scripts conf man pam_tally3 
     1SUBDIRS=pam_tally3 scripts conf man 
    22 
    33export PREFIX=/usr 
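Review bot: Moving pam_tally3 to the front of SUBDIRS fixes the build order only by list position; nothing in the Makefile records why pam_tally3 has to be built before scripts, conf and man, so the next person to touch this line can silently reintroduce the bug. Suggest a comment directly above `SUBDIRS=pam_tally3 scripts conf man` stating the dependency, or an explicit Make dependency between the subdirectory targets instead of relying on order.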
  • trunk/RHEL5/kickstart/clip.ks

    r124 r175  
    1 # Kickstart installation script for clip 
    2  
    3 ################### 
    4 # Command section # 
    5 ################### 
    6  
    7 auth --enableshadow --enablemd5 
     1## Version .04  January 2008 ## 
     2
     3#  Date Created  : 2007-02-06 # 
     4
     5#  CHANGELOG: 
     6#  - 2007-02-07:  Finished Mapping existing STIG scripts to DCID 6/3 
     7#                 Sections. [St. Laurent] 
     8#  - 2007-12-xx:  Initiated updates to reflect DCID PL4 Requirements 
     9#                 [Tresys] 
     10#  - 2008-01-xx:  Added/updated STIG scripts. Finalized kickstart 
     11#                 procedures. [Tresys] 
     12
     13
     14#  Profile Name: dcid-6-3-PL4-ks.1.0.txt 
     15#  Profile Label: dcid-6-3-PL4-ks.1.0.txt 
     16
     17# Details: This KickStart file lists out DCID 6/3 Policy at the PL4 
     18#          Confidentiality level.  Security settings are applied and 
     19#          mapped to each specific PL4 section in DCID 6/3. 
     20
     21#          By setting these security features in a KickStart file 
     22#          allows for an auditor to have a high degree of assurance 
     23#          that a system is being setup meeting the security  
     24#          requirements the same (correct way) every time. 
     25
     26#          A SHA-1 should be created to ensure a degree of 
     27#          resistance to unauthorized modification. 
     28
     29## Version .02  February 2007 ## 
     30## Version .03  December 2007 ## 
     31## Version .04  January 2008 ## 
     32 
     33 
     34 
     35# The "install" command tells the system to install a fresh system 
     36# rather than upgrade an existing system.  You must specify the type 
     37# of installation in the form of:  cdrom, harddrive, nfs, url (ftp 
     38# http installation).  The "install" command and the installation 
     39# method command must be on separate lines. Examples:  
     40# url --url http://<server>/<dir> 
     41#     --url ftp://<username>:<password>@<server>/<dir>    
     42#           Passwd is in CLEAR with ftp!!!  Not to be used. 
     43# harddrive --partition=hda2--dir=/path/to/install-tree 
     44# nfs --server=nfsserver.example.com --dir=/path/to/install-tree 
    845install 
     46 
     47# Perform the kickstart install in Text Mode.  Installs are 
     48# performed in graphical mode by default. 
    949text 
    10 skipx 
     50 
     51# Defaults to a CD based install - disable if using URL or someother media 
     52# Use the network option if installing from a remote installation tree. 
     53cdrom 
     54 
     55# Configure network information for the system.  The "network"  
     56# option configures networking information for installations from an 
     57# installation tree on a remote server via NFS, FTP, or HTTP. DHCP  
     58# uses a DHCP server to get the network configuration information. 
     59#network --bootproto dhcp 
     60 
     61# Perform a remote install.  
     62# The network option is required if performing a remote install 
     63#url --url http://<server>/<dir> 
     64#url --ftp ftp://<username>:<password>@<server>/<dir>  
     65 
     66 
     67# The "lang" command sets the language to use during installation. 
     68lang en_US 
     69 
     70# The "langsupport" to install on the system.  The --default switch 
     71# must be used if more than one language is specified. 
     72langsupport --default en_US en_US 
     73 
     74# The "keyboard" command is required to set the system keyboard type. 
     75keyboard us 
     76 
     77# The "mouse" command is required to configure the mouse type.  
     78# Giving no options will attempt to automatically detect the mouse. 
     79mouse 
     80 
     81 
     82##### WARNING: THIS WILL ERASE YOUR SYSTEM ##### 
     83# A full backup should be performed before installation. 
     84zerombr yes 
     85clearpart --all 
     86 
     87 
     88# PARTITION NOTES 
     89# The following options are required under 'Disk Partition Information'  
     90# section in ks.cfg file, for creating the Logical Volume Manager (LVM)  
     91# partitions using kickstart. 
     92  
     93   #Disk partitioning information 
     94   #part pv.<id>  
     95   #volgroup <name> <partition> 
     96   #logvol <mountpoint> --vgname=<volume_group_name> --size=<size> --name=<name> 
     97 
     98   #EXAMPLE using LVM 
     99   #part /boot --fstype ext3 --size=150 
     100   #part swap --size=1024 
     101   #part pv.01 --size=1 --grow 
     102   #volgroup vg_root pv.01 
     103   #logvol  /  --vgname=vg_root  --size=8192  --name=lv_root 
     104   #logvol  /var  --vgname=vg_root  --size=4096  --name=lv_var 
     105   #logvol  /tmp  --vgname=vg_root  --size=2048  --name=lv_tmp 
     106   #logvol  /spare  --vgname=vg_root  --size=1  --grow  --name=lv_spare 
     107 
     108partition /boot --fstype "ext3" --size=128  
     109partition pv.2 --size=0 --grow  
     110volgroup VolGroup00 pv.2 
     111logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512 
     112logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=1024 --grow 
     113logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow 
     114logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow 
     115logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024 --grow 
     116 
     117 
     118# Specifies how the GRUB bootloader should be installed. 
     119# Set a password to prevent any non-stadard boot options. 
     120# The password should be changed after installation. 
     121bootloader --location mbr --password Dodiis_Redhat4321 
     122 
     123# Set the root password. 
     124# This should be changed after installation. 
    11125rootpw 123)(*qweASD 
    12 bootloader --location=mbr --password=123)(*qweASD 
    13  
    14 ################ 
    15 # Partitioning # 
    16 ################ 
    17  
    18 clearpart --linux 
    19 part /boot --size=128 
    20 part swap  --recommended 
    21 part pv.01 --size=1 --grow 
    22 volgroup clipvg pv.01 
    23 # Using Logical Volume Management lets the user resize partitions later. 
    24 # STIG requires separate /var and /home. 
    25 logvol /var  --vgname=clipvg --size=1024     --name=var 
    26 logvol /home --vgname=clipvg --size=1024     --name=hom
    27 logvol /     --vgname=clipvg --size=1 --grow --name=root 
    28  
    29  
    30 #################### 
    31 # Packages section # 
    32 #################### 
     126 
     127# Set the authentication options for the system. 
     128# Similar to the authconfig command. 
     129auth --enablemd5 --enableshadow 
     130 
     131# Set the timezone 
     132timezone --utc America/New_York 
     133 
     134# Enable selinux 
     135selinux --enforcing 
     136 
     137# Enable the firewall  
     138firewall --enabled --port=22:tcp --port=161:tcp --port=1002:tcp 
     139 
     140# Reboot after installation is complet
     141reboot 
     142 
     143 
     144 
     145 
     146# Install Packages.  This is site specific. 
    33147%packages --resolvedeps 
    34148@base 
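Review bot: Both credentials in this hunk are committed in clear text: `bootloader --location mbr --password Dodiis_Redhat4321` (new line 121) and the unchanged `rootpw 123)(*qweASD` (new line 125). The "should be changed after installation" comments do not reduce the exposure of a password that lives in the repository; kickstart accepts hashed values (`rootpw --iscrypted <hash>` and `bootloader --md5pass=<hash>`), so please switch to those and keep the plaintext out of the tree. Separately, the old `skipx` (old line 10) is dropped without replacement even though the install stays in text mode via `text`; if that is intentional, a comment would help.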
     
    36150aide 
    37151sysstat 
    38 -setools 
    39 #audit 
    40 #pam 
    41 #pam-devel 
    42 #python-devel 
    43 #subversion 
    44 #tcl           
    45 #tcl-devel 
    46 #tk 
    47 #tk-devel 
     152setools 
     153audit 
    48154##################################### 
    49155# Remove tcpdump per STIG gen003865 # 
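Review bot: The package list flips from explicitly excluding setools (`-setools`, old line 38) to installing `setools` and `audit`, but the commit message ("Corrected Makefile Logic") says nothing about the kickstart at all. Please add a line to the message describing why setools is now wanted and that auditd is being pulled in for the %post audit configuration.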
     
    89195-ethereal 
    90196-ethereal-gnome 
    91 -tcpdump 
    92197-xchat 
    93198-vino 
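Review bot: The `-tcpdump` exclusion (old line 91) is removed here while the header comment "Remove tcpdump per STIG gen003865" (new line 155) is kept unchanged, so the comment now describes something the file no longer does. Either restore `-tcpdump` under that header or, if tcpdump is now removed elsewhere, update the comment to say where.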
     
    150255-perl-XML-NamespaceSupport 
    151256 
    152 ############################ 
    153 # Pre/post install section # 
    154 ############################ 
     257 
     258%pre 
     259 
     260 
     261 
     262##### No changes should be made beyond this point ##### 
     263 
     264 
     265 
    155266%post 
    156 #!/bin/sh 
    157  
    158 out_file="installer.sh" 
    159 out_file_path="/root" 
    160  
    161 # DO NOT MODIFY anything below here 
    162 SERVICES_REQ="atd auditd crond iptables network syslog" 
    163  
    164 # Deactivate all services first 
    165 active=`chkconfig --list | grep -i "3:on" | cut -d" " -f1` 
    166 echo "Removing services from runlevel 3: " 
    167 for service in $active 
     267# Log %post errors 
     268########################################################################## 
     269# The post section of this kickstart file takes care of the secure 
     270# configuraton of Red Hat according to DCID 6/3. 
     271
     272# Levels of Concern: 
     273# Confidentiality PL4 
     274# [ PL4 ] 
     275########################################################################## 
     276 
     277 
     278# The Red Hat provided GPG key Red Hat uses to sign all of our RPM packages 
     279rpm --import /usr/share/rhn/RPM-GPG-KEY 
     280 
     281 
     282 
     283 
     284 
     285########################################################################## 
     286# UNIX STIG v5r1 
     287########################################################################## 
     288 
     289## (GEN000020: CAT II) (Previously – G001) The IAO and SA will ensure, if 
     290## configurable, the UNIX host is configured to require a password for access 
     291## to single-user and maintenance modes. 
     292echo "" >> /etc/inittab 
     293echo "#Require password in single-user mode" >> /etc/inittab 
     294echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab 
     295 
     296## (GEN000400: CAT II) (Previously – G010) The SA will ensure a logon-warning banner is 
     297## displayed on all devices and sessions at the initial logon. 
     298cat <<-EOF > /etc/issue 
     299        You are accessing a U.S. Government (USG) information system (IS) that is 
     300        provided for USG-authorized use only. 
     301 
     302        By using this IS, you consent to the following conditions: 
     303 
     304        -The USG routinely monitors communications occurring on this IS, and any 
     305        device attached to this IS, for purposes including, but not limited to, 
     306        penetration testing, COMSEC monitoring, network defense, quality control, 
     307        and employee misconduct, law enforcement, and counterintelligence 
     308        investigations. 
     309        -At any time, the USG may inspect and/or seize data stored on this IS and 
     310        any device attached to this IS. 
     311        -Communications occurring on or data stored on this IS, or any device 
     312        attached to this IS, are not private. They are subject to routine 
     313        monitoring and search. 
     314        -Any communications occurring on or data stored on this IS, or any device 
     315        attached to this IS, may be disclosed or used for any USG-authorized purpose. 
     316        -Security protections may be utilized on this IS to protect certain interests 
     317        that are important to the USG. For example, passwords, access cards, 
     318        encryption or biometric access controls provide security for the benefit of 
     319        the USG. These protections are not provided for your benefit or privacy and 
     320        may be modified or elimiated at the USG's discretion. 
     321 
     322EOF 
     323sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config 
     324sed -i  "s/^\(PATH=.*\)/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n  \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n  sleep 10\n  exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default 
     325 
     326## (GEN000440: CAT II) (Previously – G012) The SA will ensure all logon attempts (both 
     327## successful and unsuccessful) are logged to a system log file. 
     328echo "auth.*                                                    /var/log/authlog" >> /etc/syslog.conf 
     329 
     330## (GEN000460: CAT II) (Previously – G013) The SA will ensure, after three consecutive 
     331## failed logon attempts for an account, the account is locked for 15 minutes or until 
     332## the SA unlocks the account. 
     333sed -i '/^auth.*pam_deny/ a\ 
     334auth\t   required\t  /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth 
     335sed -i '/^account.*pam_unix/ a\ 
     336account\t required\t  /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth 
     337 
     338## (GEN000480: CAT II) (Previously – G015) The SA will ensure the logon delay between 
     339## logon prompts after a failed logon is set to at least four seconds. 
     340echo "FAIL_DELAY                      4" >> /etc/login.defs 
     341 
     342## (GEN000500: CAT II) (Previously – G605) The SA will configure systems to log 
     343## out interactive processes (i.e., terminal sessions, ssh sessions, etc.,) 
     344## after 15 minutes of inactivity or ensure a password protected screen lock 
     345## mechanism is used and is set to lock the screen after 15 minutes of 
     346## inactivity. 
     347echo "TMOUT=900" >> /etc/profile 
     348 
     349## (GEN000540: CAT II) (Previously – G004) The SA will ensure passwords are 
     350## not changed more than once a day. 
     351sed -i '/^PASS_MIN_DAYS/ c\PASS_MIN_DAYS\t1' /etc/login.defs 
     352 
     353## (GEN000560: CAT I) (Previously – G018) The SA will ensure each account in 
     354## the /etc/passwd file has a password assigned or is disabled in the 
     355## password, shadow, or equivalent, file by disabling the password and/or by 
     356## assigning a false shell in the password file. 
     357for USERINFO in `cat /etc/shadow`; do 
     358if [ -z "`echo $USERINFO | cut -d: -f2`" ] 
     359then 
     360        /usr/sbin/usermod -L -s /dev/null `echo $USERINFO | cut -d: -f1` 
     361fi 
     362done; 
     363 
     364## (GEN000580: CAT II) (Previously – G019) The IAO will ensure all passwords contain a 
     365## minimum of eight characters. 
     366sed -i "s/PASS_MIN_LEN[ \t]*[0-9]*/PASS_MIN_LEN\t8/" /etc/login.defs 
     367 
     368## (GEN000600: CAT II) (Previously – G019) The IAO will ensure passwords include at 
     369## least two alphabetic characters, one of which must be capitalized. 
     370sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth 
     371sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth 
     372# Running the authconfig tool WILL clobber these changes! 
     373# Taking the executable permissions off of /usr/sbin/authconfig 
     374chmod ugo-x /usr/sbin/authconfig 
     375 
     376## (GEN000700: CAT II) (Previously – G020) The SA will ensure passwords are 
     377## changed at least every 90 days. 
     378sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs 
     379 
     380## (GEN000800: CAT II) (Previously – G606) The SA will ensure passwords will not be 
     381## reused within the last ten changes. 
     382sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth 
     383 
     384## (GEN000920: CAT II) (Previously – G023) The SA will ensure the root account 
     385## home directory (other than ‘/’) has permissions of 700. Do not change the 
     386## permissions of the ‘/’ directory to anything other than 0755. 
     387chmod 700 /root 
     388 
     389## (GEN000980: CAT II) (Previously – G026) The SA will ensure root can only log 
     390## on as root from the system console, and then only when necessary to perform 
     391## system maintenance. 
     392echo "console" > /etc/securetty 
     393 
     394## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to 
     395## log on to their personal account and invoke the /bin/su - command to switch 
     396## user to root. 
     397# Configure sshd and login to consult pam_access.so 
     398sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd 
     399sed -i '/^account.*auth$/ a\account\t   required\tpam_access.so' /etc/pam.d/login 
     400# Configure pam_access to refuse direct logins for accounts not in users group 
     401sed -i '/^# All other/d' /etc/security/access.conf 
     402echo "# Restrict direct login to accounts in the users group" >> /etc/security/access.conf 
     403echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf 
     404# Add a User who is in the users group allowing access to the system 
     405adduser -G users,wheel clipuser 
     406echo "123)(*qweASD" | passwd --stdin clipuser 
     407# Cron was previously set to use /etc/security/access.conf, which did 
     408# nothing by default. We don't want to block root from using cron. 
     409# So, we create a blank config file and direct crond to use that instead. 
     410touch /etc/security/access-cron.conf 
     411chmod 644 /etc/security/access-cron.conf 
     412sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond 
     413 
     414## (GEN001080: CAT III) (Previously – G229) The SA will ensure the root shell 
     415## is not located in /usr if /usr is partitioned. 
     416/usr/sbin/usermod -s /bin/bash root 
     417 
     418## (GEN001120: CAT II) (Previously – G500) The SA will configure the 
     419## encryption program for direct root access only from the system console. 
     420sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config 
     421 
     422## (GEN001260: CAT II) (Previously – G037) The SA will ensure all system log 
     423## files have permissions of 640, or more restrictive. 
     424find /var/log/ -type f -exec chmod 640 '{}' \; 
     425sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit 
     426 
     427## (GEN001280: CAT III) (Previously – G042) The SA will ensure all manual page 
     428## files (i.e.,files in the man and cat directories) have permissions of 644, 
     429## or more restrictive. 
     430find /usr/share/man -type f -not -perm 644 -exec chmod 644 {} \; 
     431 
     432## (GEN001380: CAT II) (Previously – G048) The SA will ensure the /etc/passwd  
     433## file has permissions of 644, or more restrictive. 
     434chmod 644 /etc/passwd 
     435 
     436## (GEN001400: CAT I) (Previously – G047) The SA will ensure the owner of the  
     437## /etc/passwd and /etc/shadow files (or equivalent) is root. 
     438chown root /etc/passwd 
     439chown root /etc/shadow 
     440 
     441## (GEN001420: CAT II) (Previously – G050) The SA will ensure the /etc/shadow  
     442## file (or equivalent) has permissions of 400. 
     443chmod 400 /etc/shadow 
     444 
     445## (GEN001460: CAT IV) (Previously – G052) The SA will ensure all home 
     446## directories defined in the /etc/passwd file exist. 
     447for HOMEDIR in `cut -d: -f6 /etc/passwd`; do 
     448if [  ! -d $HOMEDIR ] 
     449then 
     450        mkdir $HOMEDIR 
     451fi 
     452done; 
     453 
     454## (GEN001560: CAT II) (Previously – G068) The user, application developers, 
     455## and the SA will ensure user files and directories will have an initial 
     456## permission no more permissive than 700, and never more permissive than 750. 
     457for BASEDIR  in /home/* /root 
    168458do 
    169     echo $service 
    170     `chkconfig --level 3 $service off` 
     459        find $BASEDIR -type f -exec chmod 600 '{}' \; 
     460        find $BASEDIR -type d -exec chmod 700 '{}' \; 
    171461done 
    172462 
    173 # Now activate only the required services 
    174 echo "Adding required services to runlevel 3: " 
    175 for service in $SERVICES_REQ 
     463## (GEN001580: CAT II) (Previously – G058) The SA will ensure run control 
     464## scripts have permissions of 755, or more restrictive. 
     465chmod 755 /etc/rc.d/init.d/* 
     466 
     467## (GEN001620: CAT II) (Previously – G061) The SA will ensure run control 
     468## scripts files do not have the suid or sgid bit set. 
     469chmod ug-s /etc/rc.d/init.d/* 
     470 
     471## (GEN001660: CAT II) (Previously – G611) The SA will ensure the owner of run 
     472## control scripts is root. 
     473chown root /etc/rc.d/init.d/* 
     474 
     475## (GEN001680: CAT II) (Previously – G612) The SA will ensure the group owner 
     476## of run control scripts is root, sys, bin, other, or the system default. 
     477chgrp root /etc/rc.d/init.d/* 
     478 
     479## (GEN001720: CAT II) The SA will ensure global initialization files have 
     480## permissions of 644, or more restrictive. 
     481chmod 644 /etc/{profile,bashrc,environment} 
     482 
     483## (GEN001740: CAT II) The SA will ensure the owner of global initialization 
     484## files is root. 
     485chown root /etc/{profile,bashrc,environment} 
     486 
     487## (GEN001760: CAT II) The SA will ensure the group owner of global 
     488## initialization files is root, sys, bin, other, or the system default. 
     489chgrp root /etc/{profile,bashrc,environment} 
     490 
     491## (GEN001780: CAT III) (Previously – G112) The SA will ensure global 
     492## initialization files contain the command mesg –n. 
     493for FILE in /etc/{profile,bashrc,environment}; do 
     494        echo "mesg n" >> $FILE 
     495done; 
     496 
     497## (GEN001800: CAT II) (Previously – G038) The SA will ensure all 
     498## default/skeleton dot files have permissions of 644, or more restrictive. 
     499find /etc/skel -type f -exec chmod 644 '{}' \; 
     500 
     501## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton 
     502## dot files is root or bin. 
     503find /etc/skel -type f -exec chown root '{}' \; 
     504 
     505## (GEN002040: CAT I) The SA will ensure .rhosts, .shosts, hosts.equiv, nor 
     506## shosts.equiv are used, unless justified and documented with the IAO. 
     507for file in /root/.rhosts /root/.shosts /etc/hosts.equiv 
    176508do 
    177     echo $servic
    178     `chkconfig --level 3 $service on` 
     509       rm -f $fil
     510        ln -s /dev/null $file 
    179511done 
    180512 
    181 # Save an installer script to root's homedir 
    182  
    183 echo "Saving an install script to root's home directory." 
    184 cat >> $out_file_path/$out_file <<'EOF' 
    185 #!/bin/sh 
    186 VERSION="2.0" 
    187 RELEASE="1" 
    188 UNAME="/bin/uname" 
    189 WGET="/usr/bin/wget" 
    190 SHA1SUM="/usr/bin/sha1sum" 
    191 ID="/usr/bin/id" 
    192 RPM="/bin/rpm" 
    193 SETENFORCE="/usr/sbin/setenforce" 
    194  
    195 RPM_OPTS1="--force -Uvh" 
    196 RPM_OPTS2="-ivh" 
    197  
    198 ARCH=$($UNAME -i) 
    199 ARCH_64="x86_64" 
    200 ARCH_32="i386" 
    201  
    202 URL="http://oss.tresys.com/projects/clip/chrome/site/files/rhel5" 
    203 LSPP_URL="http://people.redhat.com/sgrubb/files/lspp" 
    204 LSPP_PAM_RPM="pam-0.99.6.2-3.22.el5.$ARCH.rpm" 
    205 CLIP_RPM="clip-$VERSION-$RELEASE.$ARCH.rpm" 
    206 REFPOL_RPM="selinux-policy-clip-$VERSION-$RELEASE.noarch.rpm" 
    207 CLIP_SHA1="$CLIP_RPM.sha1" 
    208 REFPOL_SHA1="$REFPOL_RPM.sha1" 
    209  
    210 USAGE="This script will use wget to download and install \n \ 
    211 $CLIP_RPM and\n \ 
    212 $REFPOL_RPM\n \ 
    213 from $URL and\n \ 
    214 $LSPP_PAM_RPM\n \ 
    215 from $LSPP_URL\n \ 
    216 Internet connectivity is required. \n \ 
    217 To install, invoke $0 with the -i option." 
    218  
    219 download() { 
    220         $WGET $URL/$CLIP_RPM &&    \ 
    221         $WGET $URL/$CLIP_SHA1 &&   \ 
    222         $WGET $URL/refpolicy/$REFPOL_RPM &&  \ 
    223         $WGET $URL/refpolicy/$REFPOL_SHA1 && \ 
    224         $WGET $LSPP_URL/$LSPP_PAM_RPM 
    225         if [ $? -ne 0 ]; then 
    226                 echo "RPM download failed. Terminating." 
    227                 exit 1 
     513## (GEN002120: CAT II) (Previously – G069) The SA will ensure the /etc/shells 
     514## (or equivalent) file exits. 
     515cat <<-EOF > /etc/shells 
     516/bin/sh 
     517/bin/bash 
     518/sbin/nologin 
     519/bin/tcsh 
     520/bin/csh 
     521/bin/ksh 
     522EOF 
     523 
     524## (GEN002160: CAT I) (Previously – G072) The SA will ensure no shell has the 
     525## suid bit set. 
     526for SHELL in `cat /etc/shells`; do 
     527        chmod u-s $SHELL 
     528done 
     529 
     530## (GEN002180: CAT II) (Previously – G073) The SA will ensure no shell has the 
     531## sgid bit set. 
     532for SHELL in `cat /etc/shells`; do 
     533        chmod g-s $SHELL 
     534done 
     535 
     536## (GEN002200: CAT II) (Previously – G074) The SA will ensure the owner of all 
     537## shells is root or bin. 
     538for SHELL in `cat /etc/shells`; do 
     539        chown root $SHELL 
     540done 
     541 
     542## (GEN002220: CAT II) (Previously – G075) The SA will ensure all shells 
     543## (excluding /dev/null and sdshell) have permissions of 755, or more 
     544## restrictive. 
     545for SHELL in `cat /etc/shells`; do 
     546        chmod 755 $SHELL 
     547done 
     548 
     549## (GEN002320: CAT II) (Previously – G501) The SA will ensure the audio devices 
     550## have permissions of 644, or more restrictive. 
     551sed -i -r "/sound|snd|mixer/ d" /etc/security/console.perms.d/50-default.perms 
     552echo "SUBSYSTEM==\"sound|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"" > /etc/udev/rules.d/55-audio-perms.rules 
     553 
     554## (GEN002340: CAT II) (Previously – G502) The SA will ensure the owner of 
     555## audio devices is root. 
     556# see GEN002320 
     557 
     558## (GEN002360: CAT II) (Previously – G504) The SA will ensure the group owner 
     559## of audio devices is root, sys, or bin. 
     560# see GEN002320 
     561 
     562## (GEN002420: CAT II) (Previously – G086) The SA will ensure user filesystems, 
     563## removable media, and remote filesystems will be mounted with the nosuid 
     564## option. 
     565FSTAB=/etc/fstab 
     566SED=/bin/sed 
     567#nosuid and acl on /home 
     568if [ $(grep " \/home " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     569        MNT_OPTS=$(grep " \/home " ${FSTAB} | awk '{print $4}') 
     570        ${SED} -i "s/\( \/home.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
     571fi 
     572#nosuid and acl on /sys 
     573if [ $(grep " \/sys " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     574        MNT_OPTS=$(grep " \/sys " ${FSTAB} | awk '{print $4}') 
     575        ${SED} -i "s/\( \/sys.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
     576fi 
     577#nosuid and acl on /boot 
     578if [ $(grep " \/boot " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     579        MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}') 
     580        ${SED} -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
     581fi 
     582#nodev and acl on /usr 
     583if [ $(grep " \/usr " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     584        MNT_OPTS=$(grep " \/usr " ${FSTAB} | awk '{print $4}') 
     585                ${SED} -i "s/\( \/usr.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     586fi 
     587#nodev and acl on /home 
     588if [ $(grep " \/home " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     589        MNT_OPTS=$(grep " \/home " ${FSTAB} | awk '{print $4}') 
     590        ${SED} -i "s/\( \/home.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     591fi 
     592#nodev and acl on /usr/local 
     593if [ $(grep " \/usr\/local " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     594        MNT_OPTS=$(grep " \/usr\/local " ${FSTAB} | awk '{print $4}') 
     595        ${SED} -i "s/\( \/usr\/local.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     596fi 
     597 
     598## (GEN002560: CAT II) (Previously – G089) The SA will ensure the system and 
     599## user umask is 077. 
     600echo "umask 077" >> /etc/bashrc 
     601 
     602## (GEN002640: CAT II) (Previously – G092) The SA will ensure logon capability 
     603## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon, 
     604## and any default account not normally logged onto) will be disabled by 
     605## making the default shell /bin/false, /usr/bin/false, /sbin/false, 
     606## /sbin/nologin, or /dev/null, and by locking the password. 
     607for NAME in `cut -d: -f1 /etc/passwd`; do 
     608        NAMEID=`id -u $NAME` 
     609        if [ $NAMEID -lt 500 -a $NAME != 'root' ]; then 
     610                /usr/sbin/usermod -L -s /dev/null $NAME 
    228611        fi 
    229 
    230  
    231 check() { 
    232         $SHA1SUM $CLIP_SHA1 && \ 
    233         $SHA1SUM $REFPOL_SHA1 && \ 
    234         $RPM --checksig $LSPP_PAM_RPM 
    235         if [ $? -ne 0 ]; then 
    236                 echo "Download verification failed. Terminating." 
    237                 exit 1 
     612done 
     613 
     614## (GEN002660: CAT II) (Previously – G093) The SA will configure and implement 
     615## auditing. 
     616chkconfig auditd on 
     617cat <<-EOF > /etc/audit/audit.rules 
     618        # Remove any existing rules 
     619        -D 
     620        # Increase buffer size to handle the increased number of messages. 
     621        -b 8192 
     622EOF 
     623 
     624## (GEN002680: CAT II) (Previously – G094) The SA will ensure audit data files 
     625## and directories will be readable only by personnel authorized by the IAO. 
     626chmod 700 /var/log/audit 
     627 
     628## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data files 
     629## have permissions of 640, or more restrictive. 
     630touch /var/log/audit/audit.log 
     631chmod 640 /var/log/audit/* 
     632chmod 640 /etc/audit/audit.rules 
     633 
     634## (GEN002720: CAT II) The SA will configure the auditing system to audit 
     635## logon (unsuccessful and successful) and logout (successful) 
     636cat <<-EOF >> /etc/audit/audit.rules 
     637        -a exit,always -w /bin/login -p x 
     638        -a exit,always -w /bin/logout -F success=0 
     639EOF 
     640 
     641## (GEN002740: CAT II) The SA will configure the auditing system to audit 
     642## discretionary access control permission modification (unsuccessful and 
     643## successful use of chown/chmod) 
     644cat <<-EOF >> /etc/audit/audit.rules 
     645        -a exit,always -S chmod 
     646        -a exit,always -S chown 
     647        -a exit,always -S chown32 
     648        -a exit,always -S fchmod 
     649        -a exit,always -S fchown 
     650        -a exit,always -S fchown32 
     651        -a exit,always -S lchown 
     652        -a exit,always -S lchown32 
     653EOF 
     654 
     655## (GEN002760: CAT II) The SA will configure the auditing system to audit 
     656## unauthorized access attempts to files (unsuccessful) 
     657cat <<-EOF >> /etc/audit/audit.rules 
     658        -a exit,always -S open -F success!=0 
     659        -a exit,always -S mknod -F success=0 
     660        -a exit,always -S pipe -F success=0 
     661        -a exit,always -S mkdir -F success=0 
     662        -a exit,always -S creat -F success=0 
     663        -a exit,always -S truncate -F success=0 
     664        -a exit,always -S truncate64 -F success=0 
     665        -a exit,always -S ftruncate -F success=0 
     666        -a exit,always -S ftruncate64 -F success=0 
     667EOF 
     668 
     669## (GEN002780: CAT II) The SA will configure the auditing system to audit 
     670## use of privileged commands (unsuccessful and successful) 
     671cat <<-EOF >> /etc/audit/audit.rules 
     672        -a exit,always -S chroot 
     673        -a exit,always -S mount 
     674        -a exit,always -S umount 
     675        -a exit,always -S umount2 
     676        -a exit,always -S adjtimex 
     677        -a exit,always -S kill 
     678        -a exit,always -w /usr/sbin/pwck 
     679        -a exit,always -w /bin/chgrp 
     680        -a exit,always -w /usr/bin/newgrp 
     681        -a exit,always -w /usr/sbin/groupadd 
     682        -a exit,always -w /usr/sbin/groupmod 
     683        -a exit,always -w /usr/sbin/groupdel 
     684        -a exit,always -w /usr/sbin/useradd 
     685        -a exit,always -w /usr/sbin/userdel 
     686        -a exit,always -w /usr/sbin/usermod 
     687        -a exit,always -w /usr/bin/chage 
     688        -a exit,always -w /usr/bin/setfacl 
     689        -a exit,always -w /usr/bin/chacl 
     690EOF 
     691 
     692## (GEN002800: CAT II) The SA will configure the auditing system to audit 
     693## files and programs deleted by the user (successful and unsuccessful) 
     694cat <<-EOF >> /etc/audit/audit.rules 
     695        -a exit,always -S unlink 
     696        -a exit,always -S rmdir 
     697EOF 
     698 
     699## (GEN002820: CAT II) The SA will configure the auditing system to audit 
     700## all system administration actions 
     701cat <<-EOF >> /etc/audit/audit.rules 
     702        -w /var/log/audit/ 
     703        -w /etc/auditd.conf 
     704        -w /etc/audit 
     705        -a exit,always -S acct 
     706        -a exit,always -S reboot 
     707        -a exit,always -S sched_setparam 
     708        -a exit,always -S sched_setscheduler 
     709        -a exit,always -S setdomainname 
     710        -a exit,always -S setrlimit 
     711        -a exit,always -S settimeofday 
     712        -a exit,always -S stime 
     713        -a exit,always -S swapon 
     714EOF 
     715 
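Review bot: `-w /etc/auditd.conf` is the wrong path for RHEL5, where the daemon configuration lives under `/etc/audit/` next to the `/etc/audit/audit.rules` this file already writes to; the `-w /etc/audit` watch on the following line covers it anyway, so the line should go. Adding `-p wa` to the three watches limits them to writes and attribute changes, which is what "administration actions" means here, instead of logging every read of the audit directory.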
     716## (GEN002840: CAT II) The SA will configure the auditing system to audit 
     717## all security personnel actions 
     718cat <<-EOF >> /etc/audit/audit.rules 
     719        -a exit,always -S init_module 
     720        -a exit,always -S delete_module 
     721        -a exit,always -w /bin/su 
     722EOF 
     723 
     724## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will ensure old 
     725## audit logs are closed and new audit logs are started daily. 
     726cat <<-EOF > /etc/logrotate.d/audit 
     727        /var/log/audit/audit.log 
     728        { 
     729            daily 
     730            notifempty 
     731            missingok 
     732            postrotate 
     733            /sbin/service auditd restart 2> /dev/null > /dev/null || true 
     734            endscript 
     735        } 
     736EOF 
     737 
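Review bot: the postrotate action restarts auditd, which stops auditing for the duration of the restart. RHEL5's auditd init script has a `rotate` target (`/sbin/service auditd rotate` sends SIGUSR1 and reopens the log without stopping the daemon); use that here, or let auditd rotate on its own via `max_log_file`, `max_log_file_action = ROTATE` and `num_logs` in auditd.conf and drop the logrotate entry. Note also that this daily run depends on the cron.daily logrotate job, which the `chmod -R 600` under GEN003080 below leaves non-executable.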
     738## (GEN002980: CAT II) The SA will ensure the cron.allow 
     739## file has permissions of 600, or more restrictive. 
     740chmod 600 /etc/cron.allow 
     741 
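Review bot: `chmod 600 /etc/cron.allow` runs before the file exists; it is only created by `echo 'root' > /etc/cron.allow` under GEN003060 below, so on a fresh install this chmod fails with "No such file or directory" and the file ends up with the %post umask mode (644 with umask 022), never receiving the 600 this control requires. Move the chmod after the echo, which is the order GEN003200 already uses for cron.deny.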
     742## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the 
     743## crontab creator. 
     744chown root /etc/cron.hourly/* 
     745chown root /etc/cron.daily/* 
     746chown root /etc/cron.weekly/* 
     747chown root /etc/cron.monthly/* 
     748chown root /etc/cron.d/* 
     749chown root /var/spool/cron/* 
     750 
     751## (GEN003060: CAT II) The SA will ensure default system accounts (with the 
     752## possible exception of root) will not be listed in the cron.allow file. If 
     753## there is only a cron.deny file, the default accounts (with the possible 
     754## exception of root) will be listed there. 
     755echo 'root' > /etc/cron.allow 
     756awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny 
     757 
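Review bot: `grep -v root` is a substring match, so it also drops any account whose name merely contains "root"; `grep -vx root` (or `awk -F: '$1 != "root" {print $1}' /etc/passwd`) is the exact form, and the same applies to the at.deny line under GEN003300. Since vixie-cron ignores cron.deny whenever cron.allow exists, the deny file written here is only a fallback for the case where cron.allow is later removed.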
     758## (GEN003080: CAT II) (Previously – G205) The SA will ensure crontabs have 
     759## permissions of 600, or more restrictive, (700 for some Linux crontabs, which 
     760## is detailed in the UNIX Checklist). 
     761chmod -R 600 /etc/cron.daily 
     762chmod -R 600 /etc/cron.hourly 
     763chmod -R 600 /etc/cron.weekly 
     764chmod -R 600 /etc/cron.monthly 
     765chmod 600 /etc/crontab 
     766chmod -R 600 /etc/cron.d 
     767 
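Review bot: `chmod -R 600` on cron.hourly, cron.daily, cron.weekly and cron.monthly strips the execute bit from every script in them, and run-parts only executes files that pass its `-x` test, so after this block nothing in those directories runs, including the logrotate job the audit rotation above relies on. The `chmod 755` lines under GEN003100 restore the directory modes but not the scripts. Apply 700 to the scripts, which is the allowance the text itself makes: `find /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly -type f -exec chmod 700 {} \;`, and keep 600 for `/etc/crontab` and the crontab-format files in `/etc/cron.d`.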
     768## (GEN003100: CAT II) (Previously – G206) The SA will ensure cron and crontab 
     769## directories have permissions of 755, or more restrictive. 
     770chmod 755 /etc/cron.hourly 
     771chmod 755 /etc/cron.daily 
     772chmod 755 /etc/cron.weekly 
     773chmod 755 /etc/cron.monthly 
     774chmod 755 /etc/cron.d 
     775chmod 755 /var/spool/cron 
     776 
     777## (GEN003120: CAT II) (Previously – G207) The SA will ensure the owner of the 
     778## cron and crontab directories is root or bin. 
     779chown root /etc/cron.hourly 
     780chown root /etc/cron.daily 
     781chown root /etc/cron.weekly 
     782chown root /etc/cron.monthly 
     783chown root /etc/cron.d 
     784chown root /var/spool/cron 
     785 
     786## (GEN003140: CAT II) (Previously – G208) The SA will ensure the group owner 
     787## of the cron and crontab directories is root, sys, or bin. 
     788chgrp root /etc/cron.hourly 
     789chgrp root /etc/cron.daily 
     790chgrp root /etc/cron.weekly 
     791chgrp root /etc/cron.monthly 
     792chgrp root /etc/cron.d 
     793chgrp root /var/spool/cron 
     794 
     795## (GEN003180: CAT II) (Previously – G210) The SA will ensure cron logs have 
     796## permissions of 600, or more restrictive. 
     797touch /var/log/cron 
     798chmod 600 /var/log/cron 
     799 
     800## (GEN003200: CAT II)  The SA will ensure the cron.deny 
     801## file has permissions of 600, or more restrictive. 
     802chmod 600 /etc/cron.deny 
     803 
     804## (GEN003240: CAT II) The SA will ensure the owner and 
     805## group owner of the cron.allow file is root. 
     806chown root:root /etc/cron.allow 
     807 
     808## (GEN003260: CAT II) The SA will ensure the owner and 
     809## group owner of the cron.deny file is root. 
     810chown root:root /etc/cron.deny 
     811 
     812## (GEN003300: CAT II) (Previously – G212) The SA will ensure the at.deny file 
     813## is not empty. 
     814awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny 
     815 
     816## (GEN003320: CAT II) (Previously – G213) The SA will ensure default system 
     817## accounts (with the possible exception of root) are not listed in the 
     818## at.allow file. If there is only an at.deny file, the default accounts 
     819## (with the possible exception of root) will be listed there. 
     820echo "root" > /etc/at.allow 
     821 
     822## (GEN003340: CAT II) (Previously – G214) The SA will ensure the at.allow and 
     823## at.deny files have permissions of 600, or more restrictive. 
     824chmod 600 /etc/at.allow 
     825chmod 600 /etc/at.deny 
     826 
     827## (GEN003400: CAT II) (Previously – G625) The SA will ensure the at (or 
     828## equivalent) directory has permissions of 755, or more restrictive. 
     829chmod 755 /var/spool/at/spool 
     830 
     831## (GEN003420: CAT II) (Previously – G626) The SA will ensure the owner and 
     832## group owner of the at (or equivalent) directory is root, sys, bin, or daemon. 
     833chown root:root /var/spool/at/spool 
     834 
     835## (GEN003460: CAT II) (Previously – G629) The SA will ensure the owner and 
     836## group owner of the at.allow file is root. 
     837chown root:root /etc/at.allow 
     838 
     839## (GEN003480: CAT II) (Previously – G630) The SA will ensure the owner and 
     840## group owner of the at.deny file is root. 
     841chown root:root /etc/at.deny 
     842 
     843## (GEN003500: CAT III) The SA will ensure core dumps are disabled or 
     844## restricted. 
     845echo "* - core 0" >> /etc/security/limits.conf 
     846 
     847## (GEN003520: CAT III) The SA will ensure the owner and group owner of the 
     848## core dump  data directory is root with permissions of 700, or more 
     849## restrictive. 
     850chown root:root /var/crash 
     851chmod -R 700 /var/crash 
     852 
     853## (GEN003600: CAT II) The SA will ensure network parameters are securely set. 
     854sed -i "/net\.ipv4\.conf\.default\.rp_filter/ c\net.ipv4.conf.default.rp_filter = 1" /etc/sysctl.conf 
     855sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf 
     856cat <<-EOF >> /etc/sysctl.conf 
     857        net.ipv4.tcp_max_syn_backlog = 1280 
     858        net.ipv4.icmp_echo_ignore_broadcasts = 1 
     859EOF 
     860 
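Review bot: the two `sed ... c\` edits only rewrite a line that is already present and do nothing, silently, if the key is missing, so the block should append the key when grep finds no match rather than assume the stock sysctl.conf. `net.ipv4.conf.default.*` and `net.ipv4.conf.all.*` are separate knobs that the kernel combines per interface, so add `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.all.accept_source_route = 0` alongside, and consider `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.secure_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0`, the usual companions of this control on a host that is not a router (GEN005600 below disables forwarding).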
     861## (GEN003660: CAT II) The SA will ensure the authentication notice and 
     862## informational data is logged. 
     863echo "auth.notice                                               /var/log/messages" >> /etc/syslog.conf 
     864 
     865## (GEN003700: CAT II) The SA will ensure inetd (xinetd for Linux) is disabled 
     866## if all inetd/xinetd based services are disabled. 
     867/sbin/chkconfig bluetooth off 
     868/sbin/chkconfig irda off 
     869/sbin/chkconfig lm_sensors off 
     870/sbin/chkconfig portmap off 
     871/sbin/chkconfig rawdevices off 
     872/sbin/chkconfig rpcgssd off 
     873/sbin/chkconfig rpcidmapd off 
     874/sbin/chkconfig rpcsvcgssd off 
     875/sbin/chkconfig sendmail off 
     876/sbin/chkconfig xinetd off 
     877 
     878## (GEN003740: CAT II) (Previously – G108) The SA will ensure the inetd.conf 
     879## (xinetd.conf for Linux) file has permissions of 440, or more restrictive. 
     880## The Linux xinetd.d directory will have permissions of 755, or more 
     881## restrictive. This is to include any directories defined in the includedir 
     882## parameter. 
     883chmod 755 /etc/xinetd.d 
     884chmod 440 /etc/xinetd.conf 
     885 
     886## (GEN003760: CAT II) (Previously – G109) The SA will ensure the owner of the 
     887## services file is root or bin. 
     888chown root /etc/services 
     889 
     890## (GEN003780: CAT II) (Previously – G110) The SA will ensure the services 
     891## file has permissions of 644, or more restrictive. 
     892chmod 644 /etc/services 
     893 
     894## (GEN003860: CAT III) (Previously – V046) The SA will ensure finger is not 
     895## enabled. 
     896/sbin/chkconfig finger off 
     897 
     898## (GEN003960: CAT II) (Previously – G631) The SA will ensure the owner of 
     899## the traceroute command is root. 
     900chown root /bin/traceroute 
     901 
     902## (GEN003980: CAT II) (Previously – G632) The SA will ensure the group 
     903## owner of the traceroute command is root, sys, or bin. 
     904chgrp root /bin/traceroute 
     905 
     906## (GEN004000: CAT II) (Previously – G633) The SA will ensure the traceroute 
     907## command has permissions of 700, or more restrictive. 
     908chmod 700 /bin/traceroute 
     909 
     910## (GEN004360: CAT II) (Previously – G127) The SA will ensure the aliases file 
     911## is owned by root. 
     912chown root /etc/aliases 
     913 
     914## (GEN004380: CAT II) (Previously – G128) The SA will ensure the aliases file 
     915## has permissions of 644, or more restrictive. 
     916chmod 644 /etc/aliases 
     917 
     918## (GEN004440: CAT IV) (Previously – G133) The SA will ensure the sendmail 
     919## logging level (the detail level of e-mail tracing and debugging 
     920## information) in the sendmail.cf file is set to a value no lower than 
     921## nine (9). 
     922sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf 
     923 
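Review bot: editing sendmail.cf directly (here and for SmtpGreetingMessage under GEN004560) does not survive the next `make -C /etc/mail`, which regenerates sendmail.cf from sendmail.mc; put the settings in sendmail.mc instead, `define(`confLOG_LEVEL', `9')dnl` and `define(`confSMTP_LOGIN_MSG', `Mail Server Ready ; $b')dnl`, and regenerate. The sed works only because the stock sendmail.cf has exactly one line containing "LogLevel"; anchoring the pattern on `^O LogLevel` keeps it from rewriting a comment if that changes.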
     924## (GEN004480: CAT II) (Previously – G135) The SA will ensure the owner of the 
     925## critical sendmail log file is root. 
     926chown root /var/log/maillog 
     927 
     928## (GEN004500: CAT II) (Previously – G136) The SA will ensure the critical 
     929## sendmail log file has permissions of 644, or more restrictive. 
     930chmod 644 /var/log/maillog 
     931 
     932## (GEN004540: CAT II) The SA will ensure the help sendmail command is 
     933## disabled. 
     934mv /etc/mail/helpfile /etc/mail/helpfile.bak 
     935echo "" > /etc/mail/helpfile 
     936 
     937## (GEN004560: CAT II) (Previously – G646) To help mask the e-mail version, 
     938## the SA will use the following in place of the original sendmail greeting 
     939## message: 
     940##   O SmtpGreetingMessage= Mail Server Ready ; $b 
     941sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf 
     942 
     943## (GEN004580: CAT I) (Previously – G647) The SA will ensure .forward files 
     944## are not used. 
     945for HOMEDIR in `cut -d: -f6 /etc/passwd`; do 
     946if [ -f $HOMEDIR/.forward ] 
     947then 
     948        rm $HOMEDIR/.forward 
     949fi 
     950done; 
     951 
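Review bot: deleting .forward files once at install time does not stop a user from creating one afterwards, which is what "not used" requires. sendmail only consults .forward through its ForwardPath option, so set it empty (`O ForwardPath=` in sendmail.cf, `define(`confFORWARD_PATH', `')dnl` in sendmail.mc) and the loop becomes cleanup rather than the control. In the loop itself, quote the variable (`"$HOMEDIR/.forward"`) so a home directory containing whitespace does not split the test.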
     952## (GEN004640: CAT I) (Previously – V126) The SA will ensure the decode entry 
     953## is disabled (deleted or commented out) from the alias file. 
     954sed --in-place s/^decode\:/\#decode\:/ /etc/aliases 
     955/usr/bin/newaliases 
     956 
     957## (GEN004880: CAT II) (Previously – G140) The SA will ensure the ftpusers 
     958## file exists. 
     959touch /etc/ftpusers 
     960 
     961## (GEN004900: CAT II) (Previously – G141) The SA will ensure the ftpusers 
     962## file contains the usernames of users not allowed to use FTP, and contains, 
     963## at a minimum, the system pseudo-users usernames and root. 
     964echo -n > /etc/ftpusers 
     965for NAME in `cut -d: -f1 /etc/passwd`; do 
     966        NAMEID=`id -u $NAME` 
     967        if [ $NAMEID -lt 500 ]; then 
     968                echo $NAME >> /etc/ftpusers 
    238969        fi 
    239 
    240  
    241 inst() { 
    242         $SETENFORCE 0 
    243         for i in $LSPP_PAM_RPM $CLIP_RPM; do 
    244                 echo "Installing $i" 
    245                 $RPM $RPM_OPTS1 $i 
    246                 if [ $? -ne 0 ]; then 
    247                         echo "Installation of $i failed. Terminating." 
    248                         exit 1 
    249                 fi 
    250         done 
     970done; 
     971 
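Review bot: the loop forks `id -u` once per account; a single pass, `awk -F: '$3 < 500 {print $1}' /etc/passwd > /etc/ftpusers`, gives the same list without depending on NSS lookups during %post. On the removed side, old lines 239..250 drop an `inst()` that ran `$SETENFORCE 0` before installing `$LSPP_PAM_RPM $CLIP_RPM`, with no matching setenforce 1 in the removed lines; removing it is an improvement, but nothing in this hunk installs those packages, so confirm they are pulled in elsewhere and that the `exit 1` on rpm failure is preserved wherever that moved.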
     972## (GEN004920: CAT II) (Previously – G142) The SA will ensure the owner of the 
     973## ftpusers file is root. 
     974chown root /etc/ftpusers 
     975 
     976## (GEN004940: CAT II) (Previously – G143) The SA will ensure the ftpusers 
     977## file has permissions of 640, or more restrictive. 
     978chmod 640 /etc/ftpusers 
     979 
     980## (GEN005000: CAT I) (Previously – G649) The SA will implement the anonymous 
     981## FTP account with a non-functional shell such as /bin/false. 
     982/usr/sbin/usermod -s /dev/null ftp 
     983 
     984## (GEN005360: CAT II) The SA will ensure the owner of the snmpd.conf file is root with a group 
     985## owner of sys and the owner of MIB files is root with a group owner of sys or the application. 
     986chown root:sys /etc/snmp/snmpd.conf 
     987 
     988## (GEN005400: CAT II) (Previously – G656) The SA will ensure the owner of the 
     989## /etc/syslog.conf file is root with permissions of 640, or more restrictive. 
     990chown root /etc/syslog.conf 
     991chmod 640 /etc/syslog.conf 
     992 
     993## (GEN005420: CAT II) (Previously – G657) The SA will ensure the group owner 
     994## of the /etc/syslog.conf file is root, sys, or bin. 
     995chgrp root /etc/syslog.conf 
     996 
     997## (GEN005500: CAT I) (Previously – G701) The IAO and SA will ensure SSH 
     998## Protocol version 1 is not used, nor will Protocol version 1 compatibility 
     999## mode be used. 
     1000if [ `grep -c "^Protocol" /etc/ssh/sshd_config` -gt 0 ] 
     1001then 
     1002        sed -i "/^Protocol/ c\Protocol 2" /etc/ssh/sshd_config 
     1003else 
     1004        echo "Protocol 2" >> /etc/ssh/sshd_config 
     1005fi 
     1006echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config 
     1007 
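Review bot: the `Ciphers` line is appended to `/etc/ssh/ssh_config`, which configures the ssh client, so it does not restrict what the server accepts; for GEN005500 the list belongs in `/etc/ssh/sshd_config`, next to `Protocol 2`. Use the same present-or-append logic as for `Protocol` so a re-run does not leave two `Ciphers` lines, and if the aim is an approved-algorithm set, drop `blowfish-cbc` and `cast128-cbc` and keep the AES and 3DES entries.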
     1008## (GEN005600: CAT II) The SA will ensure IP forwarding is disabled if the 
     1009## system is not dedicated as a router. 
     1010sed -i "/net\.ipv4\.ip_forward/ c\net.ipv4.ip_forward = 0" /etc/sysctl.conf 
     1011 
     1012## (GEN005740: CAT II) (Previously – G178) The SA will ensure the owner of the 
     1013## export configuration file is root. 
     1014chown root /etc/exports 
     1015 
     1016## (GEN005760: CAT III) (Previously – G179) The SA will ensure the export 
     1017## configuration file has permissions of 644, or more restrictive. 
     1018chmod 644 /etc/exports 
     1019 
     1020## (GEN006100: CAT II) (Previously – L050) The SA will ensure the owner of 
     1021## the/etc/samba/smb.conf file is root. 
     1022chown root /etc/samba/smb.conf 
     1023 
     1024## (GEN006120: CAT II) (Previously – L051) The SA will ensure the group owner 
     1025## of the /etc/samba/smb.conf file is root. 
     1026chgrp root /etc/samba/smb.conf 
     1027 
     1028## (GEN006140: CAT II) (Previously – L052) The SA will ensure the 
     1029## /etc/samba/smb.conf file has permissions of 644, or more restrictive. 
     1030chmod 644 /etc/samba/smb.conf 
     1031 
     1032## (GEN006160: CAT II) (Previously – L054) The SA will ensure the owner of 
     1033## smbpasswd is root. 
     1034chown root /usr/bin/smbpasswd 
     1035 
     1036## (GEN006180: CAT II) (Previously – L055) The SA will ensure group owner of 
     1037## smbpasswd is root. 
     1038chgrp root /usr/bin/smbpasswd 
     1039 
     1040## (GEN006200: CAT II) (Previously – L057) The SA will configure permissions 
     1041## for smbpasswd to 600, or more restrictive. 
     1042chmod 600 /usr/bin/smbpasswd 
     1043 
     1044## (GEN006260: CAT II) (Previously – L154) The SA will ensure the 
     1045## /etc/news/hosts.nntp file has permissions of 600, or more restrictive. 
     1046chmod 600 /etc/news/hosts.nntp 
     1047 
     1048## (GEN006300: CAT II) (Previously – L158) The SA will ensure the 
     1049## /etc/news/nnrp.access file has permissions of 600, or more restrictive. 
     1050chmod 600 /etc/news/nnrp.access 
     1051 
     1052## (GEN006320: CAT II) (Previously – L160) The SA will ensure the 
     1053## /etc/news/passwd.nntp file has permissions of 600, or more restrictive. 
     1054chmod 600 /etc/news/passwd.nntp 
     1055 
     1056## (GEN006340: CAT II) (Previously – L162) The SA will ensure the owner of all 
     1057## files under the /etc/news subdirectory is root or news. 
     1058chown -R root /etc/news/* 
     1059 
     1060## (GEN006360: CAT II) (Previously – L164) The SA will ensure the group owner 
     1061## of all files in /etc/news is root or news. 
     1062chgrp -R root /etc/news/* 
     1063 
     1064## (GEN006280: CAT II) (Previously – L156) The SA will ensure the 
     1065## /etc/news/hosts.nntp.nolimit file has permissions of 600, or more 
     1066## restrictive. 
     1067chmod 600 /etc/news/hosts.nntp.nolimit 
     1068 
     1069## (GEN006520: CAT II) (Previously – G189) The SA will ensure security tools 
     1070## and databases have permissions of 740, or more restrictive. 
     1071chmod 740 /etc/rc.d/init.d/iptables 
     1072chmod 740 /sbin/iptables 
     1073chmod 740 /usr/share/logwatch/scripts/services/iptables 
     1074 
     1075## (GEN006620: CAT II) The SA will ensure an access control program (e.g., 
     1076## TCP_WRAPPERS) hosts.deny and hosts.allow files (or equivalent) are used to 
     1077## grant or deny system access to specific hosts. 
     1078echo "ALL: ALL" > /etc/hosts.deny 
     1079 
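Review bot: `ALL: ALL` in hosts.deny with no hosts.allow written alongside it refuses every libwrap-aware service, and sshd on RHEL5 is linked against libwrap, so the first remote login after the install reboots is rejected. Pair this with a hosts.allow entry for the management network, e.g. `echo "sshd: 192.0.2.0/255.255.255.0" > /etc/hosts.allow` (placeholder address), so the deny rule grants rather than removes control over who can reach the host.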
     1080## (LNX00160: CAT II) (Previously – L074) The SA will ensure the grub.conf 
     1081## file has permissions of 600, or more restrictive. 
     1082chmod 600 /boot/grub/grub.conf 
     1083 
     1084## (LNX00220: CAT II) (Previously – L080) The SA will ensure the lilo.conf 
     1085## file has permissions of 600 or more restrictive. 
     1086chmod 600 /etc/lilo.conf 
     1087 
     1088## (LNX00320: CAT I) (Previously – L140) The SA will delete accounts that 
     1089## provide a special privilege such as shutdown and halt. 
     1090/usr/sbin/userdel shutdown 
     1091/usr/sbin/userdel halt 
     1092/usr/sbin/userdel sync 
     1093 
     1094## (LNX00340: CAT II) (Previously – L142) The SA will delete accounts that 
     1095## provide no operational purpose, such as games or operator, and will delete 
     1096## the associated software. 
     1097/usr/sbin/userdel news 
     1098/usr/sbin/userdel operator 
     1099/usr/sbin/userdel games 
     1100/usr/sbin/userdel gopher 
     1101/usr/sbin/userdel nfsnobody 
     1102 
     1103## (LNX00360: CAT II) (Previously – L032) The SA will enable the X server 
     1104## –audit (at level 4) and –s option (with 15 minutes as the timeout time) 
     1105## options. 
     1106cat <<-EOF >> /etc/gdm/custom.conf 
     1107        [server-Standard] 
     1108        name=Standard server 
     1109        command=/usr/bin/Xorg -br -audit 4 -s 15 
     1110        flexible=true 
     1111EOF 
     1112 
     1113## (LNX00400: CAT II) (Previously – L044) The SA will ensure the owner of the 
     1114## /etc/login.access or /etc/security/access.conf file is root. 
     1115chown root /etc/security/access.conf 
     1116 
     1117## (LNX00420: CAT II) (Previously – L045) The SA will ensure the group owner 
     1118## of the /etc/login.access or /etc/security/access.conf file is root. 
     1119chgrp root /etc/security/access.conf 
     1120 
     1121## (LNX00440: CAT II) (Previously – L046) The SA will ensure /etc/login.access 
     1122## or /etc/security/access.conf file will be 640, or more restrictive. 
     1123chmod 640 /etc/security/access.conf 
     1124 
     1125## (LNX00480: CAT II) (Previously – L204) The SA will ensure the owner of the 
     1126## /etc/sysctl.conf file is root. 
     1127chown root /etc/sysctl.conf 
     1128 
     1129## (LNX00500: CAT II) (Previously – L206) The SA will ensure the group owner 
     1130## of the /etc/sysctl.conf file is root. 
     1131chgrp root /etc/sysctl.conf 
     1132 
     1133## (LNX00520: CAT II) (Previously – L208) The SA will ensure the 
     1134## /etc/sysctl.conf file has permissions of 600, or more restrictive. 
     1135chmod 600 /etc/sysctl.conf 
     1136 
     1137## (LNX00580: CAT I) (Previously – L222) The SA will disable the 
     1138## Ctrl-Alt-Delete sequence unless the system is located in a controlled 
     1139## access area accessible only by SAs. 
     1140sed -i "s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/" /etc/inittab 
     1141 
     1142## (LNX00620: CAT II) The SA will ensure the group owner of the /etc/securetty 
     1143## file is root, sys, or bin. 
     1144chgrp root /etc/securetty 
     1145 
     1146