Changeset 187
- Timestamp:
- 04/24/08 15:46:25 (7 months ago)
- Files:
-
- trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
- trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
- trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh (modified) (1 diff)
- trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
- trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
- trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/Makefile (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002720.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002800.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
- trunk/RHEL5.1/scripts/stig-fix/cat2/gen002840.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat1/gen002040.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat1/gen002700.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat1/gen004640.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat1/gen005500.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat1/lnx00580.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/CLIPUserPassword (deleted)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000020.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000400.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000460.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000600.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000800.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen000920.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001020.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001120.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001260.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001560.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001720.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001740.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen001760.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002120.sh (modified) (2 diffs)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002320.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002340.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002360.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002720.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002740.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002760.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002780.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002800.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002820.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen002840.sh (added)
- trunk/RHEL5/scripts/stig-fix/cat2/gen003600.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen003740.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen003960.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen003980.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen004000.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat2/gen006620.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat3/gen001280.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat3/gen001780.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat3/gen003500.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat3/gen003520.sh (modified) (1 diff)
- trunk/RHEL5/scripts/stig-fix/cat4/gen004440.sh (modified) (1 diff)
trunk/RHEL4/scripts/stig-fix/cat2/gen002740.sh
r179 r187 8 8 echo '===================================================' 9 9 cat <<-EOF >> /etc/audit.rules 10 -a exit,always -S chmod 11 -a exit,always -S chown 12 -a exit,always -S chown32 13 -a exit,always -S fchmod 14 -a exit,always -S fchown 15 -a exit,always -S fchown32 16 -a exit,always -S lchown 17 -a exit,always -S lchown32 10 -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32 18 11 EOF trunk/RHEL4/scripts/stig-fix/cat2/gen002760.sh
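Review bot: The merged rule on new line 10 carries `chown32`, `fchown32` and `lchown32`, names that auditctl knows only for 32-bit x86; on an x86_64 host it is likely to reject the whole combined line, so the chmod/chown auditing that used to survive as separate entries now fails as a unit. Consider keeping two rules, one with `-F arch=b32` that carries the *32 names and one with `-F arch=b64` that does not, or dropping the *32 names if only 64-bit installs are targeted. The same consolidation appears in the RHEL5.1 copy of this script, and the `truncate64`/`ftruncate64` names in both gen002760.sh files raise the same question.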
r179 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit.rules 9 -a exit,always -S open -F success!=0 10 -a exit,always -S mknod -F success=0 11 -a exit,always -S pipe -F success=0 12 -a exit,always -S mkdir -F success=0 13 -a exit,always -S creat -F success=0 14 -a exit,always -S truncate -F success=0 15 -a exit,always -S truncate64 -F success=0 16 -a exit,always -S ftruncate -F success=0 17 -a exit,always -S ftruncate64 -F success=0 9 -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64 18 10 EOF trunk/RHEL4/scripts/stig-fix/cat2/gen002780.sh
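Review bot: The consolidated rule on new line 9 applies `-F success=0` to `open` as well, whereas removed line 9 audited `open` with `-F success!=0`, so which open() calls get recorded changes silently. If recording failed accesses is what GEN002760 wants, this is a fix, but a comment such as `# success=0: record failed calls only` above the rule would keep the next editor from reverting it; if successful opens were intended, `open` needs to stay on its own line. The RHEL5.1 gen002760.sh later in this changeset makes the same change.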
r179 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit.rules 9 -a exit,always -S chroot 10 -a exit,always -S mount 11 -a exit,always -S umount 12 -a exit,always -S umount2 13 -a exit,always -S adjtimex 14 -a exit,always -S kill 9 -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill 15 10 -w /usr/sbin/pwck 16 11 -w /bin/chgrp trunk/RHEL4/scripts/stig-fix/cat2/gen002800.sh
r179 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit.rules 9 -a exit,always -S unlink 10 -a exit,always -S rmdir 9 -a exit,always -S unlink -S rmdir 11 10 EOF trunk/RHEL4/scripts/stig-fix/cat2/gen002820.sh
r179 r187 10 10 -w /etc/auditd.conf 11 11 -w /etc/audit.rules 12 -a exit,always -S acct 13 -a exit,always -S reboot 14 -a exit,always -S sched_setparam 15 -a exit,always -S sched_setscheduler 16 -a exit,always -S setdomainname 17 -a exit,always -S setrlimit 18 -a exit,always -S settimeofday 19 -a exit,always -S stime 20 -a exit,always -S swapon 12 -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon 21 13 EOF trunk/RHEL4/scripts/stig-fix/cat2/gen002840.sh
r179 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit.rules 9 -a exit,always -S init_module 10 -a exit,always -S delete_module 9 -a exit,always -S init_module -S delete_module 11 10 -w /bin/su 12 11 EOF trunk/RHEL5.1/scripts/Makefile
r109 r187 22 22 test -d $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 || install -m 755 -d \ 23 23 $(DESTDIR)$(SHAREDIR)/scripts/stig-fix/cat3 24 #test -d *.conf || install -m 644 *.conf \24 test -d *.conf || install -m 644 *.conf \ 25 25 #$(DESTDIR)$(SYSCONFDIR) 26 26 trunk/RHEL5.1/scripts/stig-fix/cat2/gen002720.sh
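Review bot: Uncommenting line 24 while line 25 stays `#$(DESTDIR)$(SYSCONFDIR)` leaves the backslash continuation joining onto a comment, so the shell receives `install -m 644 *.conf #...` with no destination and the recipe fails; `test -d *.conf` also tests a directory named after the glob rather than whether any .conf file exists. Either uncomment line 25 too or collapse the recipe to `install -m 644 *.conf $(DESTDIR)$(SYSCONFDIR)` behind a file-existence test such as `ls *.conf >/dev/null 2>&1 &&`.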
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 - a exit,always -w /bin/login -p x10 - a exit,always -w /bin/logout -F success=09 -w /bin/login -p x 10 -w /bin/logout -p x 11 11 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh
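Review bot: The watches on new lines 9-10 are now in the right form, but `/bin/logout` is not a file on a typical RHEL install (logout is a shell builtin), and auditctl versions that require a watched path to exist will report an error for that line; confirm the path on the target or drop it. Because the heredoc appends with `>>`, rerunning the script also duplicates both rules; a guard like `grep -q -- '-w /bin/login' /etc/audit/audit.rules ||` in front of the `cat` keeps it idempotent.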
r144 r187 8 8 echo '===================================================' 9 9 cat <<-EOF >> /etc/audit/audit.rules 10 -a exit,always -S chmod 11 -a exit,always -S chown 12 -a exit,always -S chown32 13 -a exit,always -S fchmod 14 -a exit,always -S fchown 15 -a exit,always -S fchown32 16 -a exit,always -S lchown 17 -a exit,always -S lchown32 10 -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32 18 11 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 -a exit,always -S open -F success!=0 10 -a exit,always -S mknod -F success=0 11 -a exit,always -S pipe -F success=0 12 -a exit,always -S mkdir -F success=0 13 -a exit,always -S creat -F success=0 14 -a exit,always -S truncate -F success=0 15 -a exit,always -S truncate64 -F success=0 16 -a exit,always -S ftruncate -F success=0 17 -a exit,always -S ftruncate64 -F success=0 9 -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64 18 10 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 -a exit,always -S chroot 10 -a exit,always -S mount 11 -a exit,always -S umount 12 -a exit,always -S umount2 13 -a exit,always -S adjtimex 14 -a exit,always -S kill 15 -a exit,always -w /usr/sbin/pwck 16 -a exit,always -w /bin/chgrp 17 -a exit,always -w /usr/bin/newgrp 18 -a exit,always -w /usr/sbin/groupadd 19 -a exit,always -w /usr/sbin/groupmod 20 -a exit,always -w /usr/sbin/groupdel 21 -a exit,always -w /usr/sbin/useradd 22 -a exit,always -w /usr/sbin/userdel 23 -a exit,always -w /usr/sbin/usermod 24 -a exit,always -w /usr/bin/chage 25 -a exit,always -w /usr/bin/setfacl 26 -a exit,always -w /usr/bin/chacl 9 -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill 10 -w /usr/sbin/pwck 11 -w /bin/chgrp 12 -w /usr/bin/newgrp 13 -w /usr/sbin/groupadd 14 -w /usr/sbin/groupmod 15 -w /usr/sbin/groupdel 16 -w /usr/sbin/useradd 17 -w /usr/sbin/userdel 18 -w /usr/sbin/usermod 19 -w /usr/bin/chage 20 -w /usr/bin/setfacl 21 -w /usr/bin/chacl 27 22 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002800.sh
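Review bot: The rewritten watches on new lines 10-21 drop the bogus `-a exit,always` prefix but set no permission filter, so every read and attribute change on these binaries is logged, not only execution. gen002720.sh in this same changeset writes `-w /bin/login -p x`; adding `-p x` here would be consistent and cut the noise, e.g. `-w /usr/sbin/useradd -p x`. The *32 syscall names on new line 9 raise the same portability question noted for the RHEL4 gen002740.sh.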
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 -a exit,always -S unlink 10 -a exit,always -S rmdir 9 -a exit,always -S unlink -S rmdir 11 10 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 -a exit,always -w /var/log/audit/ 10 -a exit,always -w /etc/auditd.conf 11 -a exit,always -w /etc/audit 12 -a exit,always -S acct 13 -a exit,always -S reboot 14 -a exit,always -S sched_setparam 15 -a exit,always -S sched_setscheduler 16 -a exit,always -S setdomainname 17 -a exit,always -S setrlimit 18 -a exit,always -S settimeofday 19 -a exit,always -S stime 20 -a exit,always -S swapon 9 -w /var/log/audit/ 10 -w /etc/auditd.conf 11 -w /etc/audit 12 -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon 21 13 EOF trunk/RHEL5.1/scripts/stig-fix/cat2/gen002840.sh
r144 r187 7 7 echo '===================================================' 8 8 cat <<-EOF >> /etc/audit/audit.rules 9 -a exit,always -S init_module 10 -a exit,always -S delete_module 11 -a exit,always -w /bin/su 9 -a exit,always -S init_module -S delete_module 10 -w /bin/su 12 11 EOF trunk/RHEL5/scripts/stig-fix/cat1/gen002700.sh
r120 r187 6 6 echo 'Patching GEN002700: Set audit file permissions' 7 7 echo '===================================================' 8 chmod 600 /var/log/audit/* 8 chmod 640 /var/log/audit/* 9 chmod 640 /etc/audit/audit.rules trunk/RHEL5/scripts/stig-fix/cat1/gen004640.sh
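Review bot: New lines 8-9 relax the audit logs from 600 to 640 and apply 640 to audit.rules, but nothing pins the group, so group-read is granted to whatever group the files happen to carry. Pair the chmod with `chown root:root /var/log/audit/* /etc/audit/audit.rules`, or keep 600 on the log files if group access is not actually required by the control. The glob also silently does nothing when the directory is empty; the script does not check the result.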
r115 r187 7 7 echo '===================================================' 8 8 sed --in-place s/^decode\:/\#decode\:/ /etc/aliases 9 /usr/bin/newaliases trunk/RHEL5/scripts/stig-fix/cat1/gen005500.sh
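Review bot: The sed expression on line 8 depends on the shell stripping the backslashes before sed sees `s/^decode:/#decode:/`; it works, but it is the same fragility that line 9 of lnx00580.sh is fixed for in this changeset. Write it as `sed --in-place 's/^decode:/#decode:/' /etc/aliases`. Running `/usr/bin/newaliases` on new line 9 is the right follow-up so the edit reaches the aliases database.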
r113 r187 13 13 echo "Protocol 2" >> /etc/ssh/sshd_config 14 14 fi 15 echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config trunk/RHEL5/scripts/stig-fix/cat1/lnx00580.sh
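Review bot: New line 15 appends the `Ciphers` list to `/etc/ssh/ssh_config`, the client configuration, while the rest of the script (line 13) edits `/etc/ssh/sshd_config`; if the goal is to restrict what the server accepts, the line belongs in sshd_config, and if the client really is the target, say so in a comment. The unconditional `>>` also adds a duplicate line on every run; guard it with `grep -q '^Ciphers' /etc/ssh/ssh_config ||`.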
r115 r187 7 7 echo ' Patching LNX00580: Disable CTRL-ALT-DELETE' 8 8 echo '===================================================' 9 sed --in-place s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel//etc/inittab9 sed --in-place "s/ca\:\:ctrlaltdel/\#ca\:\:ctrlaltdel/" /etc/inittab trunk/RHEL5/scripts/stig-fix/cat2/gen000020.sh
r120 r187 11 11 echo "" >> /etc/inittab 12 12 echo "#Require password in single-user mode" >> /etc/inittab 13 echo "~ :S:wait:/sbin/sulogin" >> /etc/inittab13 echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab trunk/RHEL5/scripts/stig-fix/cat2/gen000400.sh
r115 r187 6 6 echo ' Patching GEN000400: Providing logon-warning banner' 7 7 echo '===================================================' 8 echo "THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. THIS COMPUTER SYSTEM, 9 INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES 10 (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED 11 US GOVERNMENT USE. DOD COMPUTER SYSTEMS MAY BE MONITORED FOR ALL LAWFUL 12 PURPOSES, INCLUDING TO ENSURE THEIR USE IS AUTHORIZED, FOR MANAGEMENT OF 13 THE SYSTEM, TO FACILITATE PROTECTION AGAINST UNAUTHORIZED ACCESS, AND TO 14 VERIFY SECURITY PROCEDURES, SURVIVABILITY, AND OPERATIONAL SECURITY. 15 MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED DOD ENTITIES TO TEST OR 16 VERIFY THE SECURITY OF THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE 17 EXAMINED, RECORDED, COPIED, AND USED FOR AUTHORIZED PURPOSES. 18 ALL INFORMATION, INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS 19 SYSTEM, MAY BE MONITORED. 8 cat <<-EOF > /etc/issue 9 You are accessing a U.S. Government (USG) information system (IS) that is 10 provided for USG-authorized use only. 20 11 21 USE OF THIS DOD COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES 22 CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU 23 TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING 24 MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. 25 USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES. 26 " > /etc/issue 12 By using this IS, you consent to the following conditions: 13 14 -The USG routinely monitors communications occurring on this IS, and any 15 device attached to this IS, for purposes including, but not limited to, 16 penetration testing, COMSEC monitoring, network defense, quality control, 17 and employee misconduct, law enforcement, and counterintelligence 18 investigations. 
19 -At any time, the USG may inspect and/or seize data stored on this IS and 20 any device attached to this IS. 21 -Communications occurring on or data stored on this IS, or any device 22 attached to this IS, are not private. They are subject to routine 23 monitoring and search. 24 -Any communications occurring on or data stored on this IS, or any device 25 attached to this IS, may be disclosed or used for any USG-authorized purpose. 26 -Security protections may be utilized on this IS to protect certain interests 27 that are important to the USG. For example, passwords, access cards, 28 encryption or biometric access controls provide security for the benefit of 29 the USG. These protections are not provided for your benefit or privacy and 30 may be modified or elimiated at the USG's discretion. 31 32 EOF 27 33 28 34 # Change banner for SSH logins so that it matches the above 29 sed --in-place /banner/d /etc/ssh/sshd_config 30 sed --in-place /Banner/d /etc/ssh/sshd_config 31 echo " 32 # use the same banner as local logins 33 Banner /etc/issue" >> /etc/ssh/sshd_config 35 sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config 36 37 # Add code to /etc/gdm/PreSession/Default so graphical login shows etc/issue 38 sed -i "s/^\(PATH=.*\)/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n sleep 10\n exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default trunk/RHEL5/scripts/stig-fix/cat2/gen000460.sh
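Review bot: New line 35 sets the SSH banner only when a `#Banner` line is present; on a host where the previous version of this script already ran (removed lines 29-33 deleted every Banner line and appended `Banner /etc/issue`), the `c\` never matches and sshd keeps whatever it had. Append when no active setting exists: `grep -q '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue' >> /etc/ssh/sshd_config`. The banner text on new line 30 misspells `elimiated`; since this is mandated wording it should read `eliminated`. The gdm PreSession edit on line 38 inserts the same block before `PATH=` on every run and its escaped sed replacement is hard to review; a `grep -q gdialog /etc/gdm/PreSession/Default ||` guard and moving the snippet into a quoted heredoc would make it both idempotent and readable as plain shell.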
r115 r187 8 8 echo ' failed attempts per account' 9 9 echo '===================================================' 10 sed -i '/^auth.*pam_deny/ a\ 11 auth\t required\t /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth 10 cat <<-EOF > /etc/pam.d/system-auth 11 #%PAM-1.0 12 auth required pam_tally.so deny=3 onerr=fail unlock_time=900 quiet 12 13 13 sed -i '/^account.*pam_unix/ a\ 14 account\t required\t /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth 14 auth required pam_env.so 15 auth required pam_unix.so nullok try_first_pass audit 16 17 account required pam_unix.so 18 account required pam_tally.so 19 password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 20 password required pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12 21 22 session optional pam_keyinit.so revoke 23 session required pam_limits.so 24 session required pam_unix.so 25 EOF 26 27 # auth config overwrites these changes, make it non executable 28 chmod ugo-x /usr/sbin/authconfig trunk/RHEL5/scripts/stig-fix/cat2/gen000600.sh
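Review bot: The system-auth written on new lines 10-25 keeps `nullok` on both `pam_unix.so` lines (15 and 20), which lets accounts with an empty password field authenticate, the opposite of what a lockout and complexity control is meant to achieve; drop it: `auth required pam_unix.so try_first_pass audit` and `password required pam_unix.so md5 shadow try_first_pass use_authtok remember=12`. Overwriting the whole file also discards anything authconfig had placed there, which is presumably why line 28 strips execute permission from authconfig; that is a blunt workaround and deserves a comment saying the file is now maintained by hand. `md5` on line 20 is the weakest hash option; if the target platform offers `sha512`, prefer it.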
r115 r187 6 6 echo ' Patching GEN000600: Enforce more secure passwords.' 7 7 echo '===================================================' 8 sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth 9 sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth 10 11 # Running the authconfig tool WILL clobber these changes! 12 # Taking the executable permissions off of /usr/sbin/authconfig 13 14 chmod ugo-x /usr/sbin/authconfig 8 # See GEN000460 trunk/RHEL5/scripts/stig-fix/cat2/gen000700.sh
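Review bot: New line 8 turns this script into a no-op that points at GEN000460, so GEN000600 is enforced only if gen000460.sh also runs; the same dependency is introduced in gen000800.sh (`# See GEN000460`) and in gen002340.sh and gen002360.sh (`# see GEN002320`). If the runner lets individual scripts be selected, these controls are silently left unset. Either source the referenced script here or change the header echo to state that the control is applied by GEN000460.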
r115 r187 7 7 echo ' between password changes' 8 8 echo '===================================================' 9 sed -i '/^PASS_MAX_DAYS/ c\ 10 PASS_MAX_DAYS\t90' /etc/login.defs 9 sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs trunk/RHEL5/scripts/stig-fix/cat2/gen000800.sh
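Review bot: The one-line `c\PASS_MAX_DAYS\t90` on new line 9 and the `\t` expansion inside it are GNU sed extensions, which is acceptable given `-i` is already GNU-only, but if `/etc/login.defs` has no uncommented `PASS_MAX_DAYS` line the command silently changes nothing. A fallback keeps the control enforced: `grep -q '^PASS_MAX_DAYS' /etc/login.defs || printf 'PASS_MAX_DAYS\t90\n' >> /etc/login.defs`. The same silent-miss pattern is used in gen001120.sh (`#PermitRootLogin`) and gen004440.sh (`LogLevel`) in this changeset.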
r115 r187 6 6 echo ' Patching GEN000800: Disallow duplication passwords.' 7 7 echo '===================================================' 8 sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth 8 # See GEN000460 trunk/RHEL5/scripts/stig-fix/cat2/gen000920.sh
r115 r187 7 7 echo ' Patching GEN000920: /root is only readable by root' 8 8 echo '===================================================' 9 chmod -R700 /root9 chmod 700 /root trunk/RHEL5/scripts/stig-fix/cat2/gen001020.sh
r175 r187 8 8 echo ' via switch from user account.' 9 9 echo '===================================================' 10 # Configure sshd and login to consult pam_access.so 11 sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd 12 sed -i '/^account.*auth$/ a\account\t required\tpam_access.so' /etc/pam.d/login 13 14 # Configure pam_access to refuse direct logins for accounts not in users group 15 sed -i '/^# All other/d' /etc/security/access.conf 16 echo "# Restrict direct login to accounts in the "users" group 17 -:ALL EXCEPT users :ALL" >> /etc/security/access.conf 10 sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd 11 sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login 12 echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf 18 13 19 14 # Add a User who is in the users group allowing access to the system 20 15 /usr/sbin/adduser -G users,wheel clipuser 21 16 echo "123)(*qweASD" | passwd --stdin clipuser 22 23 # Cron was previously set to use /etc/security/access.conf, which did24 # nothing by default. We don't want to block root from using cron.25 # So, we create a blank config file and direct crond to use that instead.26 touch /etc/security/access-cron.conf27 chmod 644 /etc/security/access-cron.conf28 sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond29 30 trunk/RHEL5/scripts/stig-fix/cat2/gen001120.sh
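Review bot: Removed lines 23-28 drop the `access-cron.conf` override for `/etc/pam.d/crond` while new line 12 still writes `-:ALL EXCEPT users :ALL` to access.conf; if crond consults pam_access as the removed comment states, root's cron jobs may now be refused because root is not in `users`. Either restore the separate accessfile for crond or put an explicit allow such as `+:root:cron crond` ahead of the deny line. New line 12 also appends on every run, so a `grep -q` guard is needed. Context line 21 sets a fixed, widely visible password for `clipuser` via `passwd --stdin`; that predates this change, but it should be replaced by a generated value or followed by `chage -d 0 clipuser` to force a change at first login.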
r120 r187 6 6 echo 'Patching GEN001120: Do not allow root remote login' 7 7 echo '===================================================' 8 sed -i "/^#PermitRootLogin/ c\ 9 PermitRootLogin no" /etc/ssh/sshd_config 8 sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config trunk/RHEL5/scripts/stig-fix/cat2/gen001260.sh
r115 r187 7 7 echo ' log files.' 8 8 echo '===================================================' 9 chmod 640 /var/log/wtmp 9 find /var/log/ -type f -exec chmod 640 '{}' \; 10 sed -i "s/chmod 0664/chmod 0640/" /etc/rc.d/rc.sysinit trunk/RHEL5/scripts/stig-fix/cat2/gen001720.sh
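Review bot: New line 9 applies 640 to every regular file under /var/log, including wtmp and lastlog that non-root tools such as `last` and `who` read, whereas removed line 9 touched only wtmp; if the broader scope is intended, a comment noting the user-visible effect would help. Group ownership is left unchanged, so `chown root:root` (or the `utmp` group for wtmp, if that is what the system uses) should accompany the chmod. The edit to rc.sysinit on line 10 targets an initscripts-owned file that a package update will overwrite, so the control will not survive updates.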
r112 r187 7 7 echo ' initialization files' 8 8 echo '===================================================' 9 FILES="/etc/profile /etc/bashrc /etc/environment" 10 chmod 644 $FILES 9 chmod 644 /etc/{profile,bashrc,environment} trunk/RHEL5/scripts/stig-fix/cat2/gen001740.sh
r112 r187 7 7 echo ' initialization files' 8 8 echo '===================================================' 9 FILES="/etc/profile /etc/bashrc /etc/environment" 10 chown root $FILES 9 chown root /etc/{profile,bashrc,environment} trunk/RHEL5/scripts/stig-fix/cat2/gen001760.sh
r112 r187 7 7 echo ' initialization files' 8 8 echo '===================================================' 9 FILES="/etc/profile /etc/bashrc /etc/environment" 10 chgrp root $FILES 9 chgrp root /etc/{profile,bashrc,environment} trunk/RHEL5/scripts/stig-fix/cat2/gen002120.sh
r113 r187 6 6 echo 'Patching GEN002120: Set /etc/shells' 7 7 echo '===================================================' 8 echo " 8 cat <<EOF > /etc/shells 9 9 /bin/sh 10 10 /bin/bash … … 12 12 /bin/tcsh 13 13 /bin/csh 14 /bin/ksh" > /etc/shells 14 /bin/ksh 15 EOF trunk/RHEL5/scripts/stig-fix/cat2/gen002320.sh
r115 r187 7 7 echo ' devices.' 8 8 echo '===================================================' 9 chmod 644 /dev/audio 9 # prevent pam from changing the owner when logging in 10 sed -i -r "/sound|snd|mixer/ d" /etc/security/console.perms.d/50-default.perms 11 # have udev set the permissions/owner/group 12 echo "SUBSYSTEM==\"sound|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"" > /etc/udev/rules.d/55-audio-perms.rules trunk/RHEL5/scripts/stig-fix/cat2/gen002340.sh
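Review bot: The udev rule on new line 12 only takes effect for device nodes created after it is written, so the running system keeps whatever mode /dev/audio had until the next boot or udev retrigger; if the script must also fix the live system, keep the removed `chmod 644 /dev/audio` (with matching chown/chgrp) alongside the rule. The double-quoted rule with escaped inner quotes is also hard to read; single quotes avoid the escaping: `echo 'SUBSYSTEM=="sound|snd", OWNER="root", GROUP="root", MODE="0644"' > /etc/udev/rules.d/55-audio-perms.rules`. The unanchored `/sound|snd|mixer/ d` on line 10 removes every line mentioning those words in 50-default.perms, which is probably more than the permission line; worth confirming against the file's contents.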
r110 r187 6 6 echo 'Patching GEN002340: Set owner of audio device' 7 7 echo '===================================================' 8 chown root /dev/audio 8 # see GEN002320 trunk/RHEL5/scripts/stig-fix/cat2/gen002360.sh
r110 r187 6 6 echo 'Patching GEN002360: Set group of audio device' 7 7 echo '===================================================' 8 chgrp root /dev/audio 8 # see GEN002320 trunk/RHEL5/scripts/stig-fix/cat2/gen002660.sh
r120 r187 7 7 echo '===================================================' 8 8 /sbin/chkconfig auditd on 9 cat <<-EOF > /etc/audit/audit.rules 10 # Remove any existing rules 11 -D 12 # Increase buffer size to handle the increased number of messages. 13 -b 8192 14 EOF 15 trunk/RHEL5/scripts/stig-fix/cat2/gen003600.sh
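Review bot: New lines 9-14 truncate `/etc/audit/audit.rules` with `>` and write `-D` first, while gen002720.sh through gen002840.sh in this changeset append to the same file with `>>`; this script therefore appears to need to run before all of them, or their rules are discarded, and nothing documents or enforces that order. Add a comment such as `# Must run before gen0027xx/gen0028xx, which append to this file` and, if the runner does not guarantee ordering, have the appending scripts check for the `-D` header first. Nothing here reloads the rules either; `/sbin/service auditd restart` (or `auditctl -R /etc/audit/audit.rules`) belongs in whichever script runs last.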
r120 r187 5 5 echo ' Patching GEN003600: Set network parameters' 6 6 echo '===================================================' 7 cat <<EOF >/etc/sysctl.conf8 net.ipv4.ip_forward = 0 9 net.ipv4.tcp_max_syn_backlog = 1280 10 net.ipv4.conf.all.accept_source_route =011 net.ipv4.icmp_echo_ignore_broadcasts = 17 sed -i "/net\.ipv4\.conf\.default\.rp_filter/ c\net.ipv4.conf.default.rp_filter = 1" /etc/sysctl.conf 8 sed -i "/net\.ipv4\.conf\.default\.accept_source_route/ c\net.ipv4.conf.default.accept_source_route = 0" /etc/sysctl.conf 9 cat <<-EOF >> /etc/sysctl.conf 10 net.ipv4.tcp_max_syn_backlog = 1280 11 net.ipv4.icmp_echo_ignore_broadcasts = 1 12 12 EOF 13 trunk/RHEL5/scripts/stig-fix/cat2/gen003740.sh
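Review bot: The rewrite on new lines 7-11 no longer sets `net.ipv4.conf.all.accept_source_route = 0` (removed line 10) or `net.ipv4.ip_forward = 0` (removed line 8); if the stock sysctl.conf carries them that is fine, but the `.all.` source-route key is not guaranteed to be present, and the `c\` edits only act on lines that already exist. Add `net.ipv4.conf.all.accept_source_route = 0` to the appended block and guard the appends with `grep -q` so reruns do not duplicate them. The values also apply only at next boot unless the script ends with `/sbin/sysctl -p`.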
r115 r187 10 10 echo ' configuration files.' 11 11 echo '===================================================' 12 chmod -R755 /etc/xinetd.d13 chmod 4 00 /etc/xinetd.conf12 chmod 755 /etc/xinetd.d 13 chmod 440 /etc/xinetd.conf trunk/RHEL5/scripts/stig-fix/cat2/gen003960.sh
r110 r187 6 6 echo 'Patching GEN003960: Set traceroute comand owner' 7 7 echo '===================================================' 8 whereis traceroute | cut -d " " -f 2 | xargs chown root 8 chown root /bin/traceroute trunk/RHEL5/scripts/stig-fix/cat2/gen003980.sh
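Review bot: Hard-coding `/bin/traceroute` on new line 8 is more predictable than parsing `whereis` output, but if the binary lives elsewhere or is absent the chown fails without fixing anything. A guard such as `[ -e /bin/traceroute ] && chown root /bin/traceroute`, or resolving the path with `command -v traceroute`, keeps the script from erroring on hosts without the package. The same change appears in gen003980.sh and gen004000.sh.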
r110 r187 7 7 echo ' traceroute command' 8 8 echo '===================================================' 9 whereis traceroute | cut -d " " -f 2 | xargs chgrp root 9 chgrp root /bin/traceroute trunk/RHEL5/scripts/stig-fix/cat2/gen004000.sh
r120 r187 7 7 echo ' root user only.' 8 8 echo '===================================================' 9 whereis traceroute | cut -d " " -f 2 | xargs chmod 700 9 chmod 700 /bin/traceroute trunk/RHEL5/scripts/stig-fix/cat2/gen006620.sh
r115 r187 7 7 echo ' Patching GEN006620: Set hosts.deny file' 8 8 echo '===================================================' 9 echo " 10 ALL: ALL" >> /etc/hosts.deny 9 echo "ALL: ALL" > /etc/hosts.deny trunk/RHEL5/scripts/stig-fix/cat3/gen001280.sh
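Review bot: Switching to `>` on new line 9 makes the script idempotent, but it also discards whatever hosts.deny already contained, and an `ALL: ALL` deny with no matching allow entries blocks every tcp_wrappers-aware service, sshd included, for all remote hosts. Confirm that whatever populates `/etc/hosts.allow` runs first, or add a comment stating that operators must place `sshd: <allowed-networks>` (placeholder) in hosts.allow before this is applied.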
r115 r187 7 7 echo ' Patching GEN001280: Set manual page permissions' 8 8 echo '===================================================' 9 chmod -R 644 /usr/share/man 9 find /usr/share/man -type f -exec chmod 644 {} \; trunk/RHEL5/scripts/stig-fix/cat3/gen001780.sh
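Review bot: Using `find -type f` on new line 9 correctly avoids the directory breakage that `chmod -R 644` caused; the only remaining cost is one chmod process per file, and `-exec chmod 644 {} +` batches the calls with no change in result.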
r120 r187 7 7 echo ' initialization files' 8 8 echo '===================================================' 9 FILES="/etc/profile /etc/bashrc /etc/environment" 10 for FILE in $FILES; do 9 for FILE in /etc/{profile,bashrc,environment}; do 11 10 echo "mesg n" >> $FILE 12 11 done; trunk/RHEL5/scripts/stig-fix/cat3/gen003500.sh
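Review bot: `$FILE` on context line 10 is unquoted and the loop appends `mesg n` on every run, so repeated executions stack duplicate lines; quote it and guard the append: `grep -q '^mesg n' "$FILE" || echo "mesg n" >> "$FILE"`. The trailing `;` after `done` on line 11 is harmless but unnecessary.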
r110 r187 6 6 echo 'Patching GEN003500: Disable core dumps' 7 7 echo '===================================================' 8 echo " 9 * soft core 0 10 * hard core 0" >> /etc/security/limits.conf 8 echo "* - core 0" >> /etc/security/limits.conf trunk/RHEL5/scripts/stig-fix/cat3/gen003520.sh
r115 r187 7 7 echo ' Patching GEN003520: Set crash log dir permissions' 8 8 echo '===================================================' 9 chown root:root /var/crash 9 10 chmod -R 700 /var/crash trunk/RHEL5/scripts/stig-fix/cat4/gen004440.sh
r112 r187 8 8 echo 'Patching GEN004440: Set sendmail logging level' 9 9 echo '===================================================' 10 sed -i '/LogLevel/ c\ 11 O LogLevel=9' /etc/mail/sendmail.cf 10 sed -i '/LogLevel/ c\O LogLevel=9' /etc/mail/sendmail.cf
