Navigation

← Previous Changeset
Next Changeset →

Changeset 179

Timestamp:

04/02/08 09:11:17 (8 months ago)

Author:

slawrence

Message:

Backport RHEL5.1 STIG's and kickstart to RHEL4

Files:

trunk/RHEL4/kickstart/clip.ks (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/CLIPUserPassword (deleted)
trunk/RHEL4/scripts/stig-fix/cat1/gen002040.sh (added)
trunk/RHEL4/scripts/stig-fix/cat1/gen002700.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat1/gen004640.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat1/gen005500.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat1/lnx00580.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/CLIPUserPassword (deleted)
trunk/RHEL4/scripts/stig-fix/cat2/gen000020.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000400.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000460.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000600.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000800.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen000920.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001020.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001120.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001260.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001560.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen001720.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001740.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen001760.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002120.sh (modified) (2 diffs)
trunk/RHEL4/scripts/stig-fix/cat2/gen002320.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002340.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002360.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002720.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh (added)
trunk/RHEL4/scripts/stig-fix/cat2/gen003600.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen003740.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen003960.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen003980.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen004000.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen006620.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat3/gen001280.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat3/gen001780.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat3/gen003500.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat3/gen003520.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat4/gen004440.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL4/kickstart/clip.ks

r123	r179
1		# Kickstart installation script for clip
2
3		###################
4		# Command section #
5		###################
6
7		auth --enableshadow --enablemd5
	1	## Version .04 January 2008 ##
	2	#
	3	# Date Created : 2007-02-06 #
	4	#
	5	# CHANGELOG:
	6	# - 2007-02-07: Finished Mapping existing STIG scripts to DCID 6/3
	7	# Sections. [St. Laurent]
	8	# - 2007-12-xx: Initiated updates to reflect DCID PL4 Requirements
	9	# [Tresys]
	10	# - 2008-01-xx: Added/updated STIG scripts. Finalized kickstart
	11	# procedures. [Tresys]
	12	# - 2008-02-13: Changed grub password to be standard. Deny
	13	# all icmp requests.
	14	# procedures. [Tresys]
	15	#
	16	#
	17	# Profile Name: dcid-6-3-PL4-ks.1.0.txt
	18	# Profile Label: dcid-6-3-PL4-ks.1.0.txt
	19	#
	20	# Details: This KickStart file lists out DCID 6/3 Policy at the PL4
	21	# Confidentiality level. Security settings are applied and
	22	# mapped to each specific PL4 section in DCID 6/3.
	23	#
	24	# By setting these security features in a KickStart file
	25	# allows for an auditor to have a high degree of assurance
	26	# that a system is being setup meeting the security
	27	# requirements the same (correct way) every time.
	28	#
	29	# A SHA-1 should be created to ensure a degree of
	30	# resistance to unauthorized modification.
	31	#
	32	## Version .02 February 2007 ##
	33	## Version .03 December 2007 ##
	34	## Version .04 January 2008 ##
	35
	36
	37
	38	# The "install" command tells the system to install a fresh system
	39	# rather than upgrade an existing system. You must specify the type
	40	# of installation in the form of: cdrom, harddrive, nfs, url (ftp
	41	# http installation). The "install" command and the installation
	42	# method command must be on separate lines. Examples:
	43	# url --url http://<server>/<dir>
	44	# --url ftp://<username>:<password>@<server>/<dir>
	45	# Passwd is in CLEAR with ftp!!! Not to be used.
	46	# harddrive --partition=hda2--dir=/path/to/install-tree
	47	# nfs --server=nfsserver.example.com --dir=/path/to/install-tree
8	48	install
	49
	50	# Perform the kickstart install in Text Mode. Installs are
	51	# performed in graphical mode by default.
9	52	text
10		skipx
	53
	54	# Defaults to a CD based install - disable if using URL or someother media
	55	# Use the network option if installing from a remote installation tree.
	56	cdrom
	57
	58	# Configure network information for the system. The "network"
	59	# option configures networking information for installations from an
	60	# installation tree on a remote server via NFS, FTP, or HTTP. DHCP
	61	# uses a DHCP server to get the network configuration information.
	62	#network --bootproto dhcp
	63
	64	# Perform a remote install.
	65	# The network option is required if performing a remote install
	66	#url --url http://<server>/<dir>
	67	#url --ftp ftp://<username>:<password>@<server>/<dir>
	68
	69
	70	# The "lang" command sets the language to use during installation.
	71	lang en_US
	72
	73	# The "langsupport" to install on the system. The --default switch
	74	# must be used if more than one language is specified.
	75	langsupport --default en_US en_US
	76
	77	# The "keyboard" command is required to set the system keyboard type.
	78	keyboard us
	79
	80	# The "mouse" command is required to configure the mouse type.
	81	# Giving no options will attempt to automatically detect the mouse.
	82	mouse
	83
	84
	85	##### WARNING: THIS WILL ERASE YOUR SYSTEM #####
	86	# A full backup should be performed before installation.
	87	zerombr yes
	88	clearpart --all
	89
	90
	91	# PARTITION NOTES
	92	# The following options are required under 'Disk Partition Information'
	93	# section in ks.cfg file, for creating the Logical Volume Manager (LVM)
	94	# partitions using kickstart.
	95
	96	#Disk partitioning information
	97	#part pv.<id>
	98	#volgroup <name> <partition>
	99	#logvol <mountpoint> --vgname=<volume_group_name> --size=<size> --name=<name>
	100
	101	#EXAMPLE using LVM
	102	#part /boot --fstype ext3 --size=150
	103	#part swap --size=1024
	104	#part pv.01 --size=1 --grow
	105	#volgroup vg_root pv.01
	106	#logvol / --vgname=vg_root --size=8192 --name=lv_root
	107	#logvol /var --vgname=vg_root --size=4096 --name=lv_var
	108	#logvol /tmp --vgname=vg_root --size=2048 --name=lv_tmp
	109	#logvol /spare --vgname=vg_root --size=1 --grow --name=lv_spare
	110
	111	partition /boot --fstype "ext3" --size=128
	112	partition pv.2 --size=0 --grow
	113	volgroup VolGroup00 pv.2
	114	logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512
	115	logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=1024 --grow
	116	logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=1024 --grow
	117	logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=256 --grow
	118	logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=1024 --grow
	119
	120
	121	# Specifies how the GRUB bootloader should be installed.
	122	# Set a password to prevent any non-stadard boot options.
	123	# The password should be changed after installation.
	124	bootloader --location mbr --password 123)(*qweASD
	125
	126	# Set the root password.
	127	# This should be changed after installation.
11	128	rootpw 123)(*qweASD
12		bootloader --location=mbr --password=123)(*qweASD
13
14		################
15		# Partitioning #
16		################
17
18		clearpart --linux
19		part /boot --size=128
20		part swap --recommended
21		part pv.01 --size=1 --grow
22		volgroup clipvg pv.01
23		# Using Logical Volume Management lets the user resize partitions later.
24		# STIG requires separate /var and /home.
25		logvol /var --vgname=clipvg --size=1024 --name=var
26		logvol /home --vgname=clipvg --size=1024 --name=home
27		logvol / --vgname=clipvg --size=1 --grow --name=root
28
29		####################
30		# Packages section #
31		####################
	129
	130	# Set the authentication options for the system.
	131	# Similar to the authconfig command.
	132	auth --enablemd5 --enableshadow
	133
	134	# Set the timezone
	135	timezone --utc America/New_York
	136
	137	# Enable selinux
	138	selinux --enforcing
	139
	140	# Enable the firewall
	141	firewall --enabled --port=22:tcp --port=161:tcp --port=1002:tcp
	142
	143	# Reboot after installation is complete
	144	reboot
	145
	146
	147
	148
	149	# Install Packages. This is site specific.
32	150	%packages --resolvedeps
33	151	@base
	152	#policycoreutils-newrole #DNE
	153	#aide #DNE
	154	sysstat
	155	setools
34	156	audit
35		pam
36		pam-devel
37		python-devel
38		subversion
39		tcl
40		tcl-devel
41		tk
42		tk-devel
43
44		############################
45		# Pre/post install section #
46		############################
	157	#####################################
	158	# Remove tcpdump per STIG gen003865 #
	159	#####################################
	160	-tcpdump
	161
	162	#####################################
	163	# Remove Packages for PL4 compliance#
	164	#####################################
	165	-xdelta
	166	-nmap
	167	-emacspeak
	168	-byacc
	169	-gimp-help
	170	-splint
	171	-perl-Crypt-SSLeay
	172	-units
	173	-perl-XML-Grove
	174	-perl-XML-LibXML-Common
	175	-perl-XML-SAX
	176	-perl-XML-Twig
	177	-valgrind
	178	-valgrind-callgrind
	179	-gimp-gap
	180	-cdecl
	181	-perl-XML-Dumper
	182	-kernel-smp-devel
	183	-blas
	184	-lapack
	185	-java-1.4.2-gcj-compat
	186	-kernel-hugemem-devel
	187	-kernel-devel
	188	-perl-XML-Encoding
	189	-gnome-games
	190	-isdn4k-utils
	191	-vnc
	192	-vnc-server
	193	#e2fsprogs
	194	#kernel-smp
	195	-tog-pegasus
	196	-tog-pegasus-devel
	197	-ethereal
	198	-ethereal-gnome
	199	-xchat
	200	-vino
	201	-gaim
	202	-gnome-pilot
	203	-bluez-utils
	204	-bluez-utils-cups
	205	-bluez-hcidump
	206	-bluez-gnome
	207	-yum-updatesd
	208	-wpa_supplicant
	209	-ypbind
	210	-NetworkManager
	211	-NetworkManagerDispatcher
	212	-setools
	213	-telnet
	214	-wireless-tools
	215	#@ office
	216	#@ admin-tools
	217	#@ editors
	218	#@ system-tools
	219	#@ gnome-desktop
	220	#@ dialup
	221	#@ base-x
	222	#@ printing
	223	#@ server-cfg
	224	#@ graphical-internet
	225	#kernel
	226	-python-ldap
	227	-httpd-suexec
	228	-system-config-httpd
	229	-psgml
	230	-emacs-leim
	231	-gimp-data-extras
	232	-xcdroast
	233	-perl-XML-LibXML
	234	-gimp-print-plugin
	235	-xsane-gimp
	236	-gimp
	237	#lvm2
	238	-zsh
	239	#net-snmp-utils
	240	-rhythmbox
	241	-gcc-g77
	242	#grub
	243	-texinfo
	244	-octave
	245	-dia
	246	-perl-LDAP
	247	-oprofile
	248	-emacs
	249	#system-config-printer-gui
	250	-doxygen
	251	-planner
	252	-tux
	253	-indent
	254	-cdparanoia
	255	-gcc-java
	256	-gnomemeeting
	257	#openoffice.org-i18n
	258	#openoffice.org-libs
	259	#openoffice.org
	260	#firefox
	261	-evolution
	262	-xsane
	263	-ctags
	264	-cscope
	265	-sane-frontends
	266	-perl-XML-Parser
	267	-php-mysql
	268	-rcs
	269	-perl-XML-NamespaceSupport
	270	#get rid of rlogin
	271	-rsh
	272
	273	%pre
	274
	275
	276
	277	##### No changes should be made beyond this point #####
	278
	279
	280
47	281	%post
48		#!/bin/sh
49
50		# DO NOT MODIFY anything below here
51		SERVICES_REQ="atd auditd crond iptables network syslog"
52
53		# Deactivate all services first
54		active=`chkconfig --list \| grep -i "3:on" \| cut -d" " -f1`
55		echo "Removing services from runlevel 3: "
56		for service in $active
	282	# Log %post errors
	283	##########################################################################
	284	# The post section of this kickstart file takes care of the secure
	285	# configuraton of Red Hat according to DCID 6/3.
	286	#
	287	# Levels of Concern:
	288	# Confidentiality PL4
	289	# [ PL4 ]
	290	##########################################################################
	291
	292
	293	# The Red Hat provided GPG key Red Hat uses to sign all of our RPM packages
	294	rpm --import /usr/share/rhn/RPM-GPG-KEY
	295
	296
	297
	298
	299
	300	##########################################################################
	301	# UNIX STIG v5r1
	302	##########################################################################
	303
	304	## (GEN000020: CAT II) (Previously â G001) The IAO and SA will ensure, if
	305	## configurable, the UNIX host is configured to require a password for access
	306	## to single-user and maintenance modes.
	307	echo "" >> /etc/inittab
	308	echo "#Require password in single-user mode" >> /etc/inittab
	309	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
	310
	311	## (GEN000400: CAT II) (Previously â G010) The SA will ensure a logon-warning banner is
	312	## displayed on all devices and sessions at the initial logon.
	313	cat <<-EOF > /etc/issue
	314	You are accessing a U.S. Government (USG) information system (IS) that is
	315	provided for USG-authorized use only.
	316
	317	By using this IS, you consent to the following conditions:
	318
	319	-The USG routinely monitors communications occurring on this IS, and any
	320	device attached to this IS, for purposes including, but not limited to,
	321	penetration testing, COMSEC monitoring, network defense, quality control,
	322	and employee misconduct, law enforcement, and counterintelligence
	323	investigations.
	324	-At any time, the USG may inspect and/or seize data stored on this IS and
	325	any device attached to this IS.
	326	-Communications occurring on or data stored on this IS, or any device
	327	attached to this IS, are not private. They are subject to routine
	328	monitoring and search.
	329	-Any communications occurring on or data stored on this IS, or any device
	330	attached to this IS, may be disclosed or used for any USG-authorized purpose.
	331	-Security protections may be utilized on this IS to protect certain interests
	332	that are important to the USG. For example, passwords, access cards,
	333	encryption or biometric access controls provide security for the benefit of
	334	the USG. These protections are not provided for your benefit or privacy and
	335	may be modified or elimiated at the USG's discretion.
	336
	337	EOF
	338	sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config
	339	sed -i "s/^$PATH=.*$/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n sleep 10\n exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default
	340
	341	## (GEN000440: CAT II) (Previously â G012) The SA will ensure all logon attempts (both
	342	## successful and unsuccessful) are logged to a system log file.
	343	echo "auth.* /var/log/authlog" >> /etc/syslog.conf
	344
	345	## (GEN000460: CAT II) (Previously â G013) The SA will ensure, after three consecutive
	346	## failed logon attempts for an account, the account is locked for 15 minutes or until
	347	## the SA unlocks the account.
	348	cat <<-EOF > /etc/pam.d/system-auth
	349	#%PAM-1.0
	350	auth required pam_tally.so deny=3 onerr=fail unlock_time=900 quiet
	351
	352	auth required pam_env.so
	353	auth required pam_unix.so nullok audit
	354
	355	account required pam_unix.so
	356	account required pam_tally.so
	357	password required pam_cracklib.so retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
	358	password required pam_unix.so md5 shadow nullok use_authtok remember=12
	359
	360	session optional pam_keyinit.so revoke
	361	session required pam_limits.so
	362	session required pam_unix.so
	363	EOF
	364	chmod ugo-x /usr/sbin/authconfig
	365
	366	## (GEN000480: CAT II) (Previously â G015) The SA will ensure the logon delay between
	367	## logon prompts after a failed logon is set to at least four seconds.
	368	echo "FAIL_DELAY 4" >> /etc/login.defs
	369
	370	## (GEN000500: CAT II) (Previously â G605) The SA will configure systems to log
	371	## out interactive processes (i.e., terminal sessions, ssh sessions, etc.,)
	372	## after 15 minutes of inactivity or ensure a password protected screen lock
	373	## mechanism is used and is set to lock the screen after 15 minutes of
	374	## inactivity.
	375	echo "TMOUT=900" >> /etc/profile
	376
	377	## (GEN000540: CAT II) (Previously â G004) The SA will ensure passwords are
	378	## not changed more than once a day.
	379	sed -i '/^PASS_MIN_DAYS/ c\PASS_MIN_DAYS\t1' /etc/login.defs
	380
	381	## (GEN000560: CAT I) (Previously â G018) The SA will ensure each account in
	382	## the /etc/passwd file has a password assigned or is disabled in the
	383	## password, shadow, or equivalent, file by disabling the password and/or by
	384	## assigning a false shell in the password file.
	385	for USERINFO in `cat /etc/shadow`; do
	386	if [ -z "`echo $USERINFO \| cut -d: -f2`" ]
	387	then
	388	/usr/sbin/usermod -L -s /dev/null `echo $USERINFO \| cut -d: -f1`
	389	fi
	390	done;
	391
	392	## (GEN000580: CAT II) (Previously â G019) The IAO will ensure all passwords contain a
	393	## minimum of eight characters.
	394	sed -i "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs
	395
	396	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
	397	## least two alphabetic characters, one of which must be capitalized.
	398	# See GEN000460
	399
	400	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
	401	## changed at least every 90 days.
	402	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs
	403
	404	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
	405	## reused within the last ten changes.
	406	# See GEN000460
	407
	408	## (GEN000920: CAT II) (Previously â G023) The SA will ensure the root account
	409	## home directory (other than â/â) has permissions of 700. Do not change the
	410	## permissions of the â/â directory to anything other than 0755.
	411	chmod 700 /root
	412
	413	## (GEN000980: CAT II) (Previously â G026) The SA will ensure root can only log
	414	## on as root from the system console, and then only when necessary to perform
	415	## system maintenance.
	416	echo "console" > /etc/securetty
	417
	418	## (GEN001020: CAT II) The IAO will enforce users requiring root privileges to
	419	## log on to their personal account and invoke the /bin/su - command to switch
	420	## user to root.
	421	# Configure sshd and login to consult pam_access.so
	422	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
	423	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login
	424	echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
	425	adduser -G users,wheel clipuser
	426	echo "123)(*qweASD" \| passwd --stdin clipuser
	427
	428	## (GEN001080: CAT III) (Previously â G229) The SA will ensure the root shell
	429	## is not located in /usr if /usr is partitioned.
	430	/usr/sbin/usermod -s /bin/bash root
	431
	432	## (GEN001120: CAT II) (Previously â G500) The SA will configure the
	433	## encryption program for direct root access only from the system console.
	434	sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config
	435
	436	## (GEN001260: CAT II) (Previously â G037) The SA will ensure all system log
	437	## files have permissions of 640, or more restrictive.
	438	find /var/log/ -type f -exec chmod 640 '{}' \;
	439	sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit
	440
	441	## (GEN001280: CAT III) (Previously â G042) The SA will ensure all manual page
	442	## files (i.e.,files in the man and cat directories) have permissions of 644,
	443	## or more restrictive.
	444	find /usr/share/man -type f -not -perm 644 -exec chmod 644 {} \;
	445
	446	## (GEN001380: CAT II) (Previously â G048) The SA will ensure the /etc/passwd
	447	## file has permissions of 644, or more restrictive.
	448	chmod 644 /etc/passwd
	449
	450	## (GEN001400: CAT I) (Previously â G047) The SA will ensure the owner of the
	451	## /etc/passwd and /etc/shadow files (or equivalent) is root.
	452	chown root /etc/passwd
	453	chown root /etc/shadow
	454
	455	## (GEN001420: CAT II) (Previously â G050) The SA will ensure the /etc/shadow
	456	## file (or equivalent) has permissions of 400.
	457	chmod 400 /etc/shadow
	458
	459	## (GEN001460: CAT IV) (Previously â G052) The SA will ensure all home
	460	## directories defined in the /etc/passwd file exist.
	461	for HOMEDIR in `cut -d: -f6 /etc/passwd`; do
	462	if [ ! -d $HOMEDIR ]
	463	then
	464	mkdir $HOMEDIR
	465	fi
	466	done;
	467
	468	## (GEN001560: CAT II) (Previously â G068) The user, application developers,
	469	## and the SA will ensure user files and directories will have an initial
	470	## permission no more permissive than 700, and never more permissive than 750.
	471	for BASEDIR in /home/* /root
57	472	do
58		echo $service
59		`chkconfig --level 3 $service off`
	473	find $BASEDIR -type f -exec chmod 600 '{}' \;
	474	find $BASEDIR -type d -exec chmod 700 '{}' \;
60	475	done
61	476
62		# Now activate only the required services
63		echo "Adding required services to runlevel 3: "
64		for service in $SERVICES_REQ
	477	## (GEN001580: CAT II) (Previously â G058) The SA will ensure run control
	478	## scripts have permissions of 755, or more restrictive.
	479	chmod 755 /etc/rc.d/init.d/*
	480
	481	## (GEN001620: CAT II) (Previously â G061) The SA will ensure run control
	482	## scripts files do not have the suid or sgid bit set.
	483	chmod ug-s /etc/rc.d/init.d/*
	484
	485	## (GEN001660: CAT II) (Previously â G611) The SA will ensure the owner of run
	486	## control scripts is root.
	487	chown root /etc/rc.d/init.d/*
	488
	489	## (GEN001680: CAT II) (Previously â G612) The SA will ensure the group owner
	490	## of run control scripts is root, sys, bin, other, or the system default.
	491	chgrp root /etc/rc.d/init.d/*
	492
	493	## (GEN001720: CAT II) The SA will ensure global initialization files have
	494	## permissions of 644, or more restrictive.
	495	chmod 644 /etc/{profile,bashrc,environment}
	496
	497	## (GEN001740: CAT II) The SA will ensure the owner of global initialization
	498	## files is root.
	499	chown root /etc/{profile,bashrc,environment}
	500
	501	## (GEN001760: CAT II) The SA will ensure the group owner of global
	502	## initialization files is root, sys, bin, other, or the system default.
	503	chgrp root /etc/{profile,bashrc,environment}
	504
	505	## (GEN001780: CAT III) (Previously â G112) The SA will ensure global
	506	## initialization files contain the command mesg ân.
	507	for FILE in /etc/{profile,bashrc,environment}; do
	508	echo "mesg n" >> $FILE
	509	done;
	510
	511	## (GEN001800: CAT II) (Previously â G038) The SA will ensure all
	512	## default/skeleton dot files have permissions of 644, or more restrictive.
	513	find /etc/skel -type f -exec chmod 644 '{}' \;
	514
	515	## (GEN001820: CAT II) The SA will ensure the owner of all default/skeleton
	516	## dot files is root or bin.
	517	find /etc/skel -type f -exec chown root '{}' \;
	518
	519	## (GEN002040: CAT I) The SA will ensure .rhosts, .shosts, hosts.equiv, nor
	520	## shosts.equiv are used, unless justified and documented with the IAO.
	521	for file in /root/.rhosts /root/.shosts /etc/hosts.equiv
65	522	do
66		~~echo $servic~~e
67		`chkconfig --level 3 $service on`
	523	rm -f $file
	524	ln -s /dev/null $file
68	525	done
	526
	527	## (GEN002120: CAT II) (Previously â G069) The SA will ensure the /etc/shells
	528	## (or equivalent) file exits.
	529	cat <<-EOF > /etc/shells
	530	/bin/sh
	531	/bin/bash
	532	/sbin/nologin
	533	/bin/tcsh
	534	/bin/csh
	535	/bin/ksh
	536	EOF
	537
	538	## (GEN002160: CAT I) (Previously â G072) The SA will ensure no shell has the
	539	## suid bit set.
	540	for SHELL in `cat /etc/shells`; do
	541	chmod u-s $SHELL
	542	done
	543
	544	## (GEN002180: CAT II) (Previously â G073) The SA will ensure no shell has the
	545	## sgid bit set.
	546	for SHELL in `cat /etc/shells`; do
	547	chmod g-s $SHELL
	548	done
	549
	550	## (GEN002200: CAT II) (Previously â G074) The SA will ensure the owner of all
	551	## shells is root or bin.
	552	for SHELL in `cat /etc/shells`; do
	553	chown root $SHELL
	554	done
	555
	556	## (GEN002220: CAT II) (Previously â G075) The SA will ensure all shells
	557	## (excluding /dev/null and sdshell) have permissions of 755, or more
	558	## restrictive.
	559	for SHELL in `cat /etc/shells`; do
	560	chmod 755 $SHELL
	561	done
	562
	563	## (GEN002320: CAT II) (Previously â G501) The SA will ensure the audio devices
	564	## have permissions of 644, or more restrictive.
	565	sed -i -r "/sound\|snd\|mixer/ d" /etc/security/console.perms
	566	echo "SUBSYSTEM==\"sound\|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"" > /etc/udev/rules.d/55-audio-perms.rules
	567
	568	## (GEN002340: CAT II) (Previously â G502) The SA will ensure the owner of
	569	## audio devices is root.
	570	# see GEN002320
	571
	572	## (GEN002360: CAT II) (Previously â G504) The SA will ensure the group owner
	573	## of audio devices is root, sys, or bin.
	574	# see GEN002320
	575
	576	## (GEN002420: CAT II) (Previously â G086) The SA will ensure user filesystems,
	577	## removable media, and remote filesystems will be mounted with the nosuid
	578	## option.
	579	FSTAB=/etc/fstab
	580	SED=/bin/sed
	581	#nosuid and acl on /home
	582	if [ $(grep " \/home " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	583	MNT_OPTS=$(grep " \/home " ${FSTAB} \| awk '{print $4}')
	584	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	585	fi
	586	#nosuid and acl on /sys
	587	if [ $(grep " \/sys " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	588	MNT_OPTS=$(grep " \/sys " ${FSTAB} \| awk '{print $4}')
	589	${SED} -i "s/$ \/sys.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	590	fi
	591	#nosuid and acl on /boot
	592	if [ $(grep " \/boot " ${FSTAB} \| grep -c "nosuid") -eq 0 ]; then
	593	MNT_OPTS=$(grep " \/boot " ${FSTAB} \| awk '{print $4}')
	594	${SED} -i "s/$ \/boot.*${MNT_OPTS}$/\1,nosuid,acl/" ${FSTAB}
	595	fi
	596	#nodev and acl on /usr
	597	if [ $(grep " \/usr " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	598	MNT_OPTS=$(grep " \/usr " ${FSTAB} \| awk '{print $4}')
	599	${SED} -i "s/$ \/usr.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	600	fi
	601	#nodev and acl on /home
	602	if [ $(grep " \/home " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	603	MNT_OPTS=$(grep " \/home " ${FSTAB} \| awk '{print $4}')
	604	${SED} -i "s/$ \/home.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	605	fi
	606	#nodev and acl on /usr/local
	607	if [ $(grep " \/usr\/local " ${FSTAB} \| grep -c "nodev") -eq 0 ]; then
	608	MNT_OPTS=$(grep " \/usr\/local " ${FSTAB} \| awk '{print $4}')
	609	${SED} -i "s/$ \/usr\/local.*${MNT_OPTS}$/\1,nodev,acl/" ${FSTAB}
	610	fi
	611
	612	## (GEN002560: CAT II) (Previously â G089) The SA will ensure the system and
	613	## user umask is 077.
	614	echo "umask 077" >> /etc/bashrc
	615
	616	## (GEN002640: CAT II) (Previously â G092) The SA will ensure logon capability
	617	## to default system accounts (e.g., bin, lib, uucp, news, sys, guest, daemon,
	618	## and any default account not normally logged onto) will be disabled by
	619	## making the default shell /bin/false, /usr/bin/false, /sbin/false,
	620	## /sbin/nologin, or /dev/null, and by locking the password.
	621	for NAME in `cut -d: -f1 /etc/passwd`; do
	622	NAMEID=`id -u $NAME`
	623	if [ $NAMEID -lt 500 -a $NAME != 'root' ]; then
	624	/usr/sbin/usermod -L -s /dev/null $NAME
	625	fi
	626	done
	627
	628	## (GEN002660: CAT II) (Previously â G093) The SA will configure and implement
	629	## auditing.
	630	chkconfig auditd on
	631	cat <<-EOF > /etc/audit.rules
	632	# Remove any existing rules
	633	-D
	634	# Increase buffer size to handle the increased number of messages.
	635	-b 8192
	636	EOF
	637
	638	## (GEN002680: CAT II) (Previously â G094) The SA will ensure audit data files
	639	## and directories will be readable only by personnel authorized by the IAO.
	640	chmod 700 /var/log/audit
	641
	642	## (GEN002700: CAT I) (Previously â G095) The SA will ensure audit data files
	643	## have permissions of 640, or more restrictive.
	644	touch /var/log/audit/audit.log
	645	chmod 640 /var/log/audit/*
	646	chmod 640 /etc/audit.rules
	647
	648	## (GEN002720: CAT II) The SA will configure the auditing system to audit
	649	## logon (unsuccessful and successful) and logout (successful)
	650	cat <<-EOF >> /etc/audit.rules
	651	-w /bin/login -p x
	652	-w /bin/logout -p x
	653	EOF
	654
	655	## (GEN002740: CAT II) The SA will configure the auditing system to audit
	656	## discretionary access control permission modification (unsuccessful and
	657	## successful use of chown/chmod)
	658	cat <<-EOF >> /etc/audit.rules
	659	-a exit,always -S chmod
	660	-a exit,always -S chown
	661	-a exit,always -S chown32
	662	-a exit,always -S fchmod
	663	-a exit,always -S fchown
	664	-a exit,always -S fchown32
	665	-a exit,always -S lchown
	666	-a exit,always -S lchown32
	667	EOF
	668
	669	## (GEN002760: CAT II) The SA will configure the auditing system to audit
	670	## unauthorized access attempts to files (unsuccessful)
	671	cat <<-EOF >> /etc/audit.rules
	672	-a exit,always -S open -F success=0
	673	-a exit,always -S mknod -F success=0
	674	-a exit,always -S pipe -F success=0
	675	-a exit,always -S mkdir -F success=0
	676	-a exit,always -S creat -F success=0
	677	-a exit,always -S truncate -F success=0
	678	-a exit,always -S truncate64 -F success=0
	679	-a exit,always -S ftruncate -F success=0
	680	-a exit,always -S ftruncate64 -F success=0
	681	EOF
	682
	683	## (GEN002780: CAT II) The SA will configure the auditing system to audit
	684	## use of privileged commands (unsuccessful and successful)
	685	cat <<-EOF >> /etc/audit.rules
	686	-a exit,always -S chroot
	687	-a exit,always -S mount
	688	-a exit,always -S umount
	689	-a exit,always -S umount2
	690	-a exit,always -S adjtimex
	691	-a exit,always -S kill
	692	-w /usr/sbin/pwck
	693	-w /bin/chgrp
	694	-w /usr/bin/newgrp
	695	-w /usr/sbin/groupadd
	696	-w /usr/sbin/groupmod
	697	-w /usr/sbin/groupdel
	698	-w /usr/sbin/useradd
	699	-w /usr/sbin/userdel
	700	-w /usr/sbin/usermod
	701	-w /usr/bin/chage
	702	-w /usr/bin/setfacl
	703	-w /usr/bin/chacl
	704	EOF
	705
	706	## (GEN002800: CAT II) The SA will configure the auditing system to audit
	707	## files and programs deleted by the user (successful and unsuccessful)
	708	cat <<-EOF >> /etc/audit.rules
	709	-a exit,always -S unlink
	710	-a exit,always -S rmdir
	711	EOF
	712
	713	## (GEN002820: CAT II) The SA will configure the auditing system to audit
	714	## all system administration actions
	715	cat <<-EOF >> /etc/audit.rules
	716	-w /var/log/audit/
	717	-w /etc/auditd.conf
	718	-w /etc/audit.rules
	719	-a exit,always -S acct
	720	-a exit,always -S reboot
	721	-a exit,always -S sched_setparam
	722	-a exit,always -S sched_setscheduler
	723	-a exit,always -S setdomainname
	724	-a exit,always -S setrlimit
	725	-a exit,always -S settimeofday
	726	-a exit,always -S stime
	727	-a exit,always -S swapon
	728	EOF
	729
	730	## (GEN002840: CAT II) The SA will configure the auditing system to audit
	731	## all security personnel actions
	732	cat <<-EOF >> /etc/audit.rules
	733	-a exit,always -S init_module
	734	-a exit,always -S delete_module
	735	-w /bin/su
	736	EOF
	737
	738	## (GEN002860: CAT II) (Previously â G674) The SA and/or IAO will ensure old
	739	## audit logs are closed and new audit logs are started daily.
	740	cat <<-EOF > /etc/logrotate.d/audit
	741	/var/log/audit/audit.log
	742	{
	743	daily
	744	notifempty
	745	missingok
	746	postrotate
	747	/sbin/service auditd restart 2> /dev/null > /dev/null \|\| true
	748	endscript
	749	}
	750	EOF
	751
	752	## (GEN002980: CAT II) The SA will ensure the cron.allow
	753	## file has permissions of 600, or more restrictive.
	754	chmod 600 /etc/cron.allow
	755
	756	## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the
	757	## crontab creator.
	758	chown root /etc/cron.hourly/*
	759	chown root /etc/cron.daily/*
	760	chown root /etc/cron.weekly/*
	761	chown root /etc/cron.monthly/*
	762	chown root /etc/cron.d/*
	763	chown root /var/spool/cron/*
	764
	765	## (GEN003060: CAT II) The SA will ensure default system accounts (with the
	766	## possible exception of root) will not be listed in the cron.allow file. If
	767	## there is only a cron.deny file, the default accounts (with the possible
	768	## exception of root) will be listed there.
	769	echo 'root' > /etc/cron.allow
	770	awk -F: '{print $1}' /etc/passwd \| grep -v root > /etc/cron.deny
	771
	772	## (GEN003080: CAT II) (Previously â G205) The SA will ensure crontabs have
	773	## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
	774	## is detailed in the UNIX Checklist).
	775	chmod -R 600 /etc/cron.daily
	776	chmod -R 600 /etc/cron.hourly
	777	chmod -R 600 /etc/cron.weekly
	778	chmod -R 600 /etc/cron.monthly
	779	chmod 600 /etc/crontab
	780	chmod -R 600 /etc/cron.d
	781
	782	## (GEN003100: CAT II) (Previously â G206) The SA will ensure cron and crontab
	783	## directories have permissions of 755, or more restrictive.
	784	chmod 755 /etc/cron.hourly
	785	chmod 755 /etc/cron.daily
	786	chmod 755 /etc/cron.weekly
	787	chmod 755 /etc/cron.monthly
	788	chmod 755 /etc/cron.d
	789	chmod 755 /var/spool/cron
	790
	791	## (GEN003120: CAT II) (Previously â G207) The SA will ensure the owner of the
	792	## cron and crontab directories is root or bin.
	793	chown root /etc/cron.hourly
	794	chown root /etc/cron.daily
	795	chown root /etc/cron.weekly
	796	chown root /etc/cron.monthly
	797	chown root /etc/cron.d
	798	chown root /var/spool/cron
	799
	800	## (GEN003140: CAT II) (Previously â G208) The SA will ensure the group owner
	801	## of the cron and crontab directories is root, sys, or bin.
	802	chgrp root /etc/cron.hourly
	803	chgrp root /etc/cron.daily
	804	chgrp root /etc/cron.weekly
	805	chgrp root /etc/cron.monthly
	806	chgrp root /etc/cron.d
	807	chgrp root /var/spool/cron
	808
	809	## (GEN003180: CAT II) (Previously â G210) The SA will ensure cron logs have
	810	## permissions of 600, or more restrictive.
	811	touch /var/log/cron
	812	chmod 600 /var/log/cron
	813
	814	## (GEN003200: CAT II) The SA will ensure the cron.deny
	815	## file has permissions of 600, or more restrictive.
	816	chmod 600 /etc/cron.deny
	817
	818	## (GEN003240: CAT II) The SA will ensure the owner and
	819	## group owner of the cron.allow file is root.
	820	chown root:root /etc/cron.allow
	821
	822	## (GEN003260: CAT II) The SA will ensure the owner and
	823	## group owner of the cron.deny file is root.
	824	chown root:root /etc/cron.deny
	825
	826	## (GEN003300: CAT II) (Previously â G212) The SA will ensure the at.deny file
	827	## is not empty.
	828	awk -F: '{print $1}' /etc/passwd \| grep -v root > /etc/at.deny
	829
	830	## (GEN003320: CAT II) (Previously â G213) The SA will ensure default system
	831	## accounts (with the possible exception of root) are not listed in the
	832	## at.allow file. If there is only an at.deny file, the default accounts
	833	## (with the possible exception of root) will be listed there.
	834	echo "root" > /etc/at.allow
	835
	836	## (GEN003340: CAT II) (Previously â G214) The SA will ensure the at.allow and
	837	## at.deny files have permissions of 600, or more restrictive.
	838	chmod 600 /etc/at.allow
	839	chmod 600 /etc/at.deny
	840
	841	## (GEN003400: CAT II) (Previously â G625) The SA will ensure the at (or
	842	## equivalent) directory has permissions of 755, or more restrictive.
	843	chmod 755 /var/spool/at/spool
	844
	845	## (GEN003420: CAT II) (Previously â G626) The SA will ensure the owner and
	846	## group owner of the at (or equivalent) directory is root, sys, bin, or daemon.
	847	chown root:root /var/spool/at/spool
	848
	849	## (GEN003460: CAT II) (Previously â G629) The SA will ensure the owner and
	850	## group owner of the at.allow file is root.
	851	chown root:root /etc/at.allow
	852
	853	## (GEN003480: CAT II) (Previously â G630) The SA will ensure the owner and
	854	## group owner of the at.deny file is root.
	855	chown root:root /etc/at.deny
	856
	857	## (GEN003500: CAT III) The SA will ensure core dumps are disabled or
	858	## restricted.
	859	echo "* - core 0" >> /etc/security/limits.conf
	860
	861	## (GEN003520: CAT III) The SA will ensure the owner and group owner of the
	862	## core dump data directory is root with permissions of 700, or more
	863	## restrictive.
	864	chown root:root /var/crash
	865	chmod -R 700 /var/crash
	866
	867	## (GEN003600: CAT II) The SA will ensure network parameters are securely set.
	868	sed -i "/net\.ipv4\.conf\.default\.rp_filter/ c\net.ipv4.conf.default.rp_filter = 1" /etc/sysctl.conf
	869	sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf
	870	cat <<-EOF >> /etc/sysctl.conf
	871	net.ipv4.tcp_max_syn_backlog = 1280
	872	net.ipv4.icmp_echo_ignore_broadcasts = 1
	873	net.ipv4.icmp_echo_ignore_all = 1
	874	EOF
	875
	876	## (GEN003660: CAT II) The SA will ensure the authentication notice and
	877	## informational data is logged.
	878	echo "auth.notice /var/log/messages" >> /etc/syslog.conf
	879
	880	## (GEN003700: CAT II) The SA will ensure inetd (xinetd for Linux) is disabled
	881	## if all inetd/xinetd based services are disabled.
	882	/sbin/chkconfig bluetooth off
	883	/sbin/chkconfig irda off
	884	/sbin/chkconfig lm_sensors off
	885	/sbin/chkconfig portmap off
	886	/sbin/chkconfig rawdevices off
	887	/sbin/chkconfig rpcgssd off
	888	/sbin/chkconfig rpcidmapd off
	889	/sbin/chkconfig rpcsvcgssd off
	890	/sbin/chkconfig sendmail off
	891	/sbin/chkconfig xinetd off
	892	/sbin/chkconfig cups off
	893	/sbin/chkconfig rhnsd off
	894	/sbin/chkconfig autofs off
	895
	896	## (GEN003740: CAT II) (Previously â G108) The SA will ensure the inetd.conf
	897	## (xinetd.conf for Linux) file has permissions of 440, or more restrictive.
	898	## The Linux xinetd.d directory will have permissions of 755, or more
	899	## restrictive. This is to include any directories defined in the includedir
	900	## parameter.
	901	chmod 755 /etc/xinetd.d
	902	chmod 440 /etc/xinetd.conf
	903
	904	## (GEN003760: CAT II) (Previously â G109) The SA will ensure the owner of the
	905	## services file is root or bin.
	906	chown root /etc/services
	907
	908	## (GEN003780: CAT II) (Previously â G110) The SA will ensure the services
	909	## file has permissions of 644, or more restrictive.
	910	chmod 644 /etc/services
	911
	912	## (GEN003860: CAT III) (Previously â V046) The SA will ensure finger is not
	913	## enabled.
	914	/sbin/chkconfig finger off
	915
	916	## (GEN003960: CAT II) (Previously â G631) The SA will ensure the owner of
	917	## the traceroute command is root.
	918	chown root /bin/traceroute
	919
	920	## (GEN003980: CAT II) (Previously â G632) The SA will ensure the group
	921	## owner of the traceroute command is root, sys, or bin.
	922	chgrp root /bin/traceroute
	923
	924	## (GEN004000: CAT II) (Previously â G633) The SA will ensure the traceroute
	925	## command has permissions of 700, or more restrictive.
	926	chmod 700 /bin/traceroute
	927
	928	## (GEN004360: CAT II) (Previously â G127) The SA will ensure the aliases file
	929	## is owned by root.
	930	chown root /etc/aliases
	931
	932	## (GEN004380: CAT II) (Previously â G128) The SA will ensure the aliases file
	933	## has permissions of 644, or more restrictive.
	934	chmod 644 /etc/aliases
	935
	936	## (GEN004440: CAT IV) (Previously â G133) The SA will ensure the sendmail
	937	## logging level (the detail level of e-mail tracing and debugging
	938	## information) in the sendmail.cf file is set to a value no lower than
	939	## nine (9).
	940	sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf
	941
	942	## (GEN004480: CAT II) (Previously â G135) The SA will ensure the owner of the
	943	## critical sendmail log file is root.
	944	chown root /var/log/maillog
	945
	946	## (GEN004500: CAT II) (Previously â G136) The SA will ensure the critical
	947	## sendmail log file has permissions of 644, or more restrictive.
	948	chmod 644 /var/log/maillog
	949
	950	## (GEN004540: CAT II) The SA will ensure the help sendmail command is
	951	## disabled.
	952	mv /etc/mail/helpfile /etc/mail/helpfile.bak
	953	echo "" > /etc/mail/helpfile
	954
	955	## (GEN004560: CAT II) (Previously â G646) To help mask the e-mail version,
	956	## the SA will use the following in place of the original sendmail greeting
	957	## message:
	958	## O SmtpGreetingMessage= Mail Server Ready ; $b
	959	sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf
	960
	961	## (GEN004580: CAT I) (Previously â G647) The SA will ensure .forward files
	962	## are not used.
	963	for HOMEDIR in `cut -d: -f6 /etc/passwd`; do
	964	if [ -f $HOMEDIR/.forward ]
	965	then
	966	rm $HOMEDIR/.forward
	967	fi
	968	done;
	969
	970	## (GEN004640: CAT I) (Previously â V126) The SA will ensure the decode entry
	971	## is disabled (deleted or commented out) from the alias file.
	972	sed --in-place s/^decode\:/\#decode\:/ /etc/aliases
	973	/usr/bin/newaliases
	974
	975	## (GEN004880: CAT II) (Previously â G140) The SA will ensure the ftpusers
	976	## file exists.
	977	touch /etc/ftpusers
	978
	979	## (GEN004900: CAT II) (Previously â G141) The SA will ensure the ftpusers
	980	## file contains the usernames of users not allowed to use FTP, and contains,
	981	## at a minimum, the system pseudo-users usernames and root.
	982	echo -n > /etc/ftpusers
	983	for NAME in `cut -d: -f1 /etc/passwd`; do
	984	NAMEID=`id -u $NAME`
	985	if [ $NAMEID -lt 500 ]; then
	986	echo $NAME >> /etc/ftpusers
	987	fi
	988	done;
	989
	990	## (GEN004920: CAT II) (Previously â G142) The SA will ensure the owner of the
	991	## ftpusers file is root.
	992	chown root /etc/ftpusers
	993
	994	## (GEN004940: CAT II) (Previously â G143) The SA will ensure the ftpusers
	995	## file has permissions of 640, or more restrictive.
	996	chmod 640 /etc/ftpusers
	997
	998	## (GEN005000: CAT I) (Previously â G649) The SA will implement the anonymous
	999