Navigation

← Previous Changeset
Next Changeset →

Changeset 197

Timestamp:

06/10/08 12:23:51 (4 months ago)

Author:

slawrence

Message:

Update stigs/kickstart to meet latest stig update.
Update stigs/kickstart to audit different system calls on 64-bit and 32-bit machines.

Files:

trunk/RHEL5.2/kickstart/clip.ks (modified) (11 diffs)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen000580.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002560.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002780.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen004500.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/gen004540.sh (modified) (1 diff)
trunk/RHEL5.2/scripts/stig-fix/cat2/lnx00340.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.2/kickstart/clip.ks

r195	r197
412	412	## (GEN000580: CAT II) (Previously â G019) The IAO will ensure all passwords contain a
413	413	## minimum of eight characters.
414		sed -i "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs
	414	sed -i "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t14/" /etc/login.defs
415	415
416	416	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
…	…
420	420	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
421	421	## changed at least every 90 days.
422		sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs
	422	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t60' /etc/login.defs
423	423
424	424	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
…	…
633	633	## user umask is 077.
634	634	echo "umask 077" >> /etc/bashrc
	635	echo "umask 077" >> /etc/csh.cshrc
635	636
636	637	## (GEN002640: CAT II) (Previously â G092) The SA will ensure logon capability
…	…
687	688	cat <<-EOF >> /etc/audit/audit.rules
688	689	# DAC permission changes
689		~~-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32~~
690
691	690	EOF
	691	echo -n "-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown" >> /etc/audit/audit.rules
	692	if [ "$(uname -i)" != "x86_64" ]
	693	then
	694	echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
	695	fi
	696	echo -e "\n" >> /etc/audit/audit.rules
692	697
693	698	## (GEN002760: CAT II) The SA will configure the auditing system to audit
…	…
695	700	cat <<-EOF >> /etc/audit/audit.rules
696	701	# unauthorized file access attempts
697		~~-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64~~
698
699	702	EOF
	703	echo -n "-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S ftruncate" >> /etc/audit/audit.rules
	704	if [ "$(uname -i)" != "x86_64" ]
	705	then
	706	echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
	707	fi
	708	echo -e "\n" >> /etc/audit/audit.rules
700	709
701	710	## (GEN002780: CAT II) The SA will configure the auditing system to audit
…	…
703	712	cat <<-EOF >> /etc/audit/audit.rules
704	713	# privileged commands
705		~~-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill~~
706	714	-w /usr/sbin/pwck
707	715	-w /bin/chgrp
…	…
716	724	-w /usr/bin/setfacl
717	725	-w /usr/bin/chacl
718
719	726	EOF
	727	echo -n "-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill" >> /etc/audit/audit.rules
	728	if [ "$(uname -i)" != "x86_64" ]
	729	then
	730	echo -n " -S umount" >> /etc/audit/audit.rules
	731	fi
	732	echo -e "\n" >> /etc/audit/audit.rules
720	733
721	734	## (GEN002800: CAT II) The SA will configure the auditing system to audit
…	…
750	763	-w /var/run/utmp
751	764	-w /var/run/wtmp
752		~~-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon~~
753
754	765	EOF
	766	echo -n "-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S swapon" >> /etc/audit/audit.rules
	767	if [ "$(uname -i)" != "x86_64" ]
	768	then
	769	echo -n " -S stime" >> /etc/audit/audit.rules
	770	fi
	771	echo -e "\n" >> /etc/audit/audit.rules
755	772
756	773	## (GEN002840: CAT II) The SA will configure the auditing system to audit
…	…
973	990	## (GEN004500: CAT II) (Previously â G136) The SA will ensure the critical
974	991	## sendmail log file has permissions of 644, or more restrictive.
975		chmod 644 /var/log/maillog
	992	chmod 640 /var/log/maillog
976	993
977	994	## (GEN004540: CAT II) The SA will ensure the help sendmail command is
…	…
979	996	mv /etc/mail/helpfile /etc/mail/helpfile.bak
980	997	echo "" > /etc/mail/helpfile
	998	sed -i '/HelpFile/s/^/#/' /etc/mail/sendmail.cf
981	999
982	1000	## (GEN004560: CAT II) (Previously â G646) To help mask the e-mail version,
…	…
1136	1154	/usr/sbin/userdel halt
1137	1155	/usr/sbin/userdel sync
	1156	/usr/sbin/userdel ftp
1138	1157
1139	1158	## (LNX00340: CAT II) (Previously â L142) The SA will delete accounts that

trunk/RHEL5.2/scripts/stig-fix/cat2/gen000580.sh

r115	r197
6	6	echo ' Patching GEN000580: Set minimum Password length.'
7	7	echo '==================================================='
8		sed --in-place "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t8/" /etc/login.defs
	8	sed --in-place "s/PASS_MIN_LEN[ \t][0-9]/PASS_MIN_LEN\t14/" /etc/login.defs

trunk/RHEL5.2/scripts/stig-fix/cat2/gen000700.sh

r144	r197
7	7	echo ' between password changes'
8	8	echo '==================================================='
9		sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t90' /etc/login.defs
	9	sed -i '/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\t60' /etc/login.defs

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002560.sh

r115	r197
6	6	echo ' Patching GEN002560: Set default umask.'
7	7	echo '==================================================='
8		echo "
9		# New files are only accessible to their owner by default.
10		umask 077" >> /etc/bashrc
	8	echo "umask 077" >> /etc/bashrc
	9	echo "umask 077" >> /etc/csh.cshrc

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002740.sh

r192	r197
8	8	echo '==================================================='
9	9	cat <<-EOF >> /etc/audit/audit.rules
10		# DAC permission changes
11		-a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
12
	10	# DAC permission changes
13	11	EOF
	12	echo -n "-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown" >> /etc/audit/audit.rules
	13	if [ "$(uname -i)" != "x86_64" ]
	14	then
	15	echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
	16	fi
	17	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002760.sh

r192	r197
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# unauthorized file access attempts
10		-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
11
	9	# unauthorized file access attempts
12	10	EOF
	11	echo -n "-a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S ftruncate" >> /etc/audit/audit.rules
	12	if [ "$(uname -i)" != "x86_64" ]
	13	then
	14	echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
	15	fi
	16	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002780.sh

r192	r197
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# privileged commands
10		-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
11		-w /usr/sbin/pwck
12		-w /bin/chgrp
13		-w /usr/bin/newgrp
14		-w /usr/sbin/groupadd
15		-w /usr/sbin/groupmod
16		-w /usr/sbin/groupdel
17		-w /usr/sbin/useradd
18		-w /usr/sbin/userdel
19		-w /usr/sbin/usermod
20		-w /usr/bin/chage
21		-w /usr/bin/setfacl
22		-w /usr/bin/chacl
23
	9	# privileged commands
	10	-w /usr/sbin/pwck
	11	-w /bin/chgrp
	12	-w /usr/bin/newgrp
	13	-w /usr/sbin/groupadd
	14	-w /usr/sbin/groupmod
	15	-w /usr/sbin/groupdel
	16	-w /usr/sbin/useradd
	17	-w /usr/sbin/userdel
	18	-w /usr/sbin/usermod
	19	-w /usr/bin/chage
	20	-w /usr/bin/setfacl
	21	-w /usr/bin/chacl
24	22	EOF
	23	echo -n "-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill" >> /etc/audit/audit.rules
	24	if [ "$(uname -i)" != "x86_64" ]
	25	then
	26	echo -n " -S umount" >> /etc/audit/audit.rules
	27	fi
	28	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen002820.sh

r192	r197
7	7	echo '==================================================='
8	8	cat <<-EOF >> /etc/audit/audit.rules
9		# system administration actions
10		# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
11		-w /var/log/audit/audit.log
12		-w /var/log/audit/audit[1-4].log
13		-w /var/log/messages
14		-w /var/log/lastlog
15		-w /var/log/faillog
16		-w /etc/audit/auditd.conf -p wa
17		-w /etc/audit/audit.rules -p wa
18		-w /etc/selinux/config -p wa
19		-w /etc/passwd -p wa
20		-w /etc/shadow -p wa
21		-w /etc/group -p wa
22		-w /etc/ssh/sshd_config
23		-w /etc/pam.d
24		-w /etc/login.defs
25		-w /etc/rc.d/init.d
26		-w /etc/inittab -p wa
27		-w /var/run/utmp
28		-w /var/run/wtmp
29		-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
30
	9	# system administration actions
	10	# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
	11	-w /var/log/audit/audit.log
	12	-w /var/log/audit/audit[1-4].log
	13	-w /var/log/messages
	14	-w /var/log/lastlog
	15	-w /var/log/faillog
	16	-w /etc/audit/auditd.conf -p wa
	17	-w /etc/audit/audit.rules -p wa
	18	-w /etc/selinux/config -p wa
	19	-w /etc/passwd -p wa
	20	-w /etc/shadow -p wa
	21	-w /etc/group -p wa
	22	-w /etc/ssh/sshd_config
	23	-w /etc/pam.d
	24	-w /etc/login.defs
	25	-w /etc/rc.d/init.d
	26	-w /etc/inittab -p wa
	27	-w /var/run/utmp
	28	-w /var/run/wtmp
31	29	EOF
	30	echo -n "-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S swapon" >> /etc/audit/ audit.rules
	31	if [ "$(uname -i)" != "x86_64" ]
	32	then
	33	echo -n " -S stime" >> /etc/audit/audit.rules
	34	fi
	35	echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.2/scripts/stig-fix/cat2/gen004500.sh

r115	r197
6	6	echo 'Patching GEN004500: Set mail log file permissions'
7	7	echo '==================================================='
8		chmod 644 /var/log/maillog
	8	chmod 640 /var/log/maillog

trunk/RHEL5.2/scripts/stig-fix/cat2/gen004540.sh

r115 r197

8 8 mv /etc/mail/helpfile /etc/mail/helpfile.bak
9 9 echo "" > /etc/mail/helpfile
10 sed -i '/HelpFile/s/^/#/' /etc/mail/sendmail.cf
trunk/RHEL5.2/scripts/stig-fix/cat2/lnx00340.sh

r121 r197

12 12 /usr/sbin/userdel gopher
13 13 /usr/sbin/userdel nfsnobody
14 /usr/sbin/userdel ftp

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r121	r197
12	12	/usr/sbin/userdel gopher
13	13	/usr/sbin/userdel nfsnobody
	14	/usr/sbin/userdel ftp