Changeset 218

Timestamp:

07/24/08 08:53:37 (4 months ago)

Author:

slawrence

Message:

Backport 5.2 stig/ks changes to 5.1, including:
- Use different audit rules for 32-bit and 64-bit archs
- Fix installation of audit.rules
- Specify audit dispatcher in auditd.conf
- Specifiy dispatcher in auditd.conf
- Use pam_passwdqc instead of pam_cracklib
- Update password minimum length and max days
- Use different audit rules for 32 and 64 bit archs
- Permission updates to meet stigs

Files:

• trunk/RHEL5.1/RPM/clip.spec (modified) (2 diffs)
• trunk/RHEL5.1/conf/audit/audit-i386.rules (added)
• trunk/RHEL5.1/conf/audit/audit-x86_64.rules (added)
• trunk/RHEL5.1/conf/audit/audit.rules (deleted)
• trunk/RHEL5.1/conf/audit/auditd.conf (modified) (1 diff)
• trunk/RHEL5.1/conf/pam/system-auth.pam (modified) (1 diff)
• trunk/RHEL5.1/kickstart/clip.ks (modified) (21 diffs)
• trunk/RHEL5.1/rpmify (modified) (1 diff)
• trunk/RHEL5.1/scripts/installer.in (modified) (3 diffs)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen000400.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen000460.sh (modified) (2 diffs)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen000500.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen000580.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen000700.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002560.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen004500.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/gen004540.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat2/lnx00340.sh (modified) (1 diff)
• trunk/RHEL5.1/scripts/stig-fix/cat3/gen001780.sh (modified) (1 diff)

trunk/RHEL5.1/RPM/clip.spec

@@ -2 +2 @@
-Name: clip
-Version: 2.0
-1
+2
-License: GPL
-Group: System Environment/Base
@@ -37 +37 @@
-%defattr(-,root,root,-)
-/usr/share/clip/conf/audit/auditd.conf
-
+
+
-/usr/share/clip/conf/pam/login.pam
-/usr/share/clip/conf/pam/newrole.pam

trunk/RHEL5.1/conf/audit/auditd.conf

@@ -9 +9 @@
-freq = 20
-num_logs = 4
-
+
-max_log_file = 5 
-max_log_file_action = ROTATE

trunk/RHEL5.1/conf/pam/system-auth.pam

@@ -10 +10 @@
-account     required      pam_unix.so
-account     required      pam_tally3.so
-cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
+passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3
-password    required      pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
-

trunk/RHEL5.1/kickstart/clip.ks

@@ -344 +344 @@
-        encryption or biometric access controls provide security for the benefit of
-        the USG. These protections are not provided for your benefit or privacy and
-
+n
-
-EOF
@@ -359 +359 @@
-cat <<-EOF > /etc/pam.d/system-auth
-#%PAM-1.0
- quiet
+
-
-auth        required      pam_env.so
@@ -366 +366 @@
-account     required      pam_unix.so
-account     required      pam_tally.so
-cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
+passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3 
-password    required      pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
-
@@ -384 +384 @@
-## mechanism is used and is set to lock the screen after 15 minutes of
-## inactivity.
-
+readonly 
-
-## (GEN000540: CAT II) (Previously – G004) The SA will ensure passwords are
@@ -403 +403 @@
-## (GEN000580: CAT II) (Previously – G019) The IAO will ensure all passwords contain a
-## minimum of eight characters.
-8
+14
-
-## (GEN000600: CAT II) (Previously – G019) The IAO will ensure passwords include at
@@ -411 +411 @@
-## (GEN000700: CAT II) (Previously – G020) The SA will ensure passwords are
-## changed at least every 90 days.
-9
+6
-
-## (GEN000800: CAT II) (Previously – G606) The SA will ensure passwords will not be
@@ -516 +516 @@
-## (GEN001780: CAT III) (Previously – G112) The SA will ensure global
-## initialization files contain the command mesg –n.
-,environment
+
-        echo "mesg n" >> $FILE
-done;
@@ -623 +623 @@
-## (GEN002560: CAT II) (Previously – G089) The SA will ensure the system and
-## user umask is 077.
-
+
+
+
-
-## (GEN002640: CAT II) (Previously – G092) The SA will ensure logon capability
@@ -655 +657 @@
-EOF
-
+cat <<-EOF > /etc/audit/auditd.conf
+        log_file = /var/log/audit/audit.log
+        log_format = RAW
+        priority_boost = 3
+        flush = INCREMENTAL
+        freq = 20
+        num_logs = 4
+        dispatcher = /sbin/audispd
+        max_log_file = 5 
+        max_log_file_action = ROTATE
+        space_left = 75
+        space_left_action = SYSLOG
+        action_mail_acct = root
+        admin_space_left = 50
+        admin_space_left_action = HALT
+        disk_full_action = HALT
+        disk_error_action = HALT
+EOF
+
-## (GEN002680: CAT II) (Previously – G094) The SA will ensure audit data files
-## and directories will be readable only by personnel authorized by the IAO.
@@ -678 +699 @@
-cat <<-EOF >> /etc/audit/audit.rules
-        # DAC permission changes
-        -a exit,always -S chmod -S chown -S chown32 -S fchmod -S fchown -S fchown32 -S lchown -S lchown32
-
-EOF
+echo -n "-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+        echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules
-
-## (GEN002760: CAT II) The SA will configure the auditing system to audit
@@ -686 +711 @@
-cat <<-EOF >> /etc/audit/audit.rules
-        # unauthorized file access attempts
-        -a exit,always -F success=0 -S open -S mknod -S pipe -S mkdir -S creat -S truncate -S truncate64 -S ftruncate -S ftruncate64
-
-EOF
+echo "-a exit,always -S open -F success=0" >> /etc/audit/audit.rules
+echo -n "-a exit,always -F success=0 -S mknod -S pipe -S mkdir -S creat -S truncate -S ftruncate" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+        echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules
-
-## (GEN002780: CAT II) The SA will configure the auditing system to audit
@@ -694 +724 @@
-cat <<-EOF >> /etc/audit/audit.rules
-        # privileged commands
-        -a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-        -w /usr/sbin/pwck
-        -w /bin/chgrp
@@ -707 +736 @@
-        -w /usr/bin/setfacl
-        -w /usr/bin/chacl
-
-EOF
+echo -n "-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+        echo -n " -S umount" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules
-
-## (GEN002800: CAT II) The SA will configure the auditing system to audit
@@ -722 +756 @@
-cat <<-EOF >> /etc/audit/audit.rules
-        # system administration actions
-        # these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
-        -w /var/log/audit/audit.log
-        -w /var/log/audit/audit[1-4].log
@@ -741 +774 @@
-        -w /var/run/utmp
-        -w /var/run/wtmp
-        -a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
-
-EOF
+echo -n "-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S swapon" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+        echo -n " -S stime" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules
-
-## (GEN002840: CAT II) The SA will configure the auditing system to audit
@@ -771 +808 @@
-## file has permissions of 600, or more restrictive.
-chmod 600 /etc/cron.allow
+# see bottom of file
-
-## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the
@@ -964 +1002 @@
-## (GEN004500: CAT II) (Previously – G136) The SA will ensure the critical
-## sendmail log file has permissions of 644, or more restrictive.
-4
+0
-
-## (GEN004540: CAT II) The SA will ensure the help sendmail command is
@@ -970 +1008 @@
-mv /etc/mail/helpfile /etc/mail/helpfile.bak
-echo "" > /etc/mail/helpfile
+sed -i '/HelpFile/s/^/#/' /etc/mail/sendmail.cf
-
-## (GEN004560: CAT II) (Previously – G646) To help mask the e-mail version,
@@ -1127 +1166 @@
-/usr/sbin/userdel halt
-/usr/sbin/userdel sync
+/usr/sbin/userdel ftp
-
-## (LNX00340: CAT II) (Previously – L142) The SA will delete accounts that
@@ -1188 +1228 @@
-chmod 640 /etc/securetty
-
+
+#check numbers of chvt 
+chvt 3 
+clear 
+echo "Please choose a root password" 
+passwd root 
+echo "Please choose a password for clipuser" 
+passwd clipuser 
+clear 
+chvt 7
-
-
@@ -3644 +3694 @@
-# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
+# see GEN002980
+# something above is changing cron.allow to 644
+# putting this here deals with that until I can figure out what is doing it
+chmod 600 /etc/cron.allow
+
-eject
-

trunk/RHEL5.1/rpmify

@@ -2 +2 @@
-
-VERSION="2.0"
-1
+2
-ARCH=$(uname -i)
-OS="RHEL5"

trunk/RHEL5.1/scripts/installer.in

@@ -38 +38 @@
-
-InstallAudit() {
+
-    Copy $AUDITDIR/auditd.conf /etc/audit/auditd.conf
-
+
+
+
+
+
+
+
-    auditctl -R /etc/audit/audit.rules
-}
@@ -53 +60 @@
-        for f in $MANDIR/*.8; do
-                Copy $f /usr/share/man/man8/$(basename $f)
-        done
-}
-
-# Install a collection of scripts to make CLIP 
-# STIG-compliant. 
-# Since these scripts are not likely to be found on the system,
-# cp and not Copy() is used to install these files. 
-InstallStig() {
-        for d in $(ls -R $STIGFIXDIR); do
-                cp -r $d /usr/share/clip/scripts/stig-fix &2>/dev/null
-        done
-}
@@ -92 +89 @@
-InstallPam
-InstallMan
-InstallStig
-#RunStigFixes

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000400.sh

@@ -28 +28 @@
-encryption or biometric access controls provide security for the benefit of 
-the USG. These protections are not provided for your benefit or privacy and 
-
+n
-
-EOF

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000460.sh

@@ -10 +10 @@
-cat <<-EOF > /etc/pam.d/system-auth
-#%PAM-1.0
- quiet
+
-
-auth        required      pam_env.so
@@ -17 +17 @@
-account     required      pam_unix.so
-account     required     pam_tally.so
-cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
+passwdqc.so min=disabled,disabled,disabled,disabled,14 max=40 passphrase=0 match=0 similar=deny random=0 enforce=everyone retry=3
-password    required      pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
-

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000500.sh

@@ -9 +9 @@
-echo 'Patching GEN000500: Set inactive shell timeout'
-echo '==================================================='
-
+readonly 

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000580.sh

@@ -6 +6 @@
-echo ' Patching GEN000580: Set minimum Password length.'
-echo '==================================================='
-8
+14

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000700.sh

@@ -7 +7 @@
-echo '                    between password changes'
-echo '==================================================='
-9
+6

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002560.sh

@@ -6 +6 @@
-echo ' Patching GEN002560: Set default umask.'
-echo '==================================================='
-
-
-
+
+

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002660.sh

@@ -22 +22 @@
-EOF
-
+cat <<-EOF > /etc/audit/auditd.conf
+        log_file = /var/log/audit/audit.log
+        log_format = RAW
+        priority_boost = 3
+        flush = INCREMENTAL
+        freq = 20
+        num_logs = 4
+        dispatcher = /sbin/audispd
+        max_log_file = 5 
+        max_log_file_action = ROTATE
+        space_left = 75
+        space_left_action = SYSLOG
+        action_mail_acct = root
+        admin_space_left = 50
+        admin_space_left_action = HALT
+        disk_full_action = HALT
+        disk_error_action = HALT
+EOF
+

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002740.sh

@@ -8 +8 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
+
-EOF
+echo -n "-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+    echo -n " -S chown32 -S fchown32 -S lchown32" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002760.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
+
-EOF
+echo "-a exit,always -S open -F success=0" >> /etc/audit/audit.rules
+echo -n "-a exit,always -F success=0 -S mknod -S pipe -S mkdir -S creat -S truncate -S ftruncate" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+    echo -n " -S truncate64 -S ftruncate64" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002780.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-EOF
+echo -n "-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill" >> /etc/audit/audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+    echo -n " -S umount" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.1/scripts/stig-fix/cat2/gen002820.sh

@@ -7 +7 @@
-echo '==================================================='
-cat <<-EOF >> /etc/audit/audit.rules
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-EOF
+echo -n "-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S swapon" >> /etc/audit/    audit.rules
+if [ "$(uname -i)" != "x86_64" ]
+then
+    echo -n " -S stime" >> /etc/audit/audit.rules
+fi
+echo -e "\n" >> /etc/audit/audit.rules

trunk/RHEL5.1/scripts/stig-fix/cat2/gen004500.sh

@@ -6 +6 @@
-echo 'Patching GEN004500: Set mail log file permissions'
-echo '==================================================='
-4
+0

trunk/RHEL5.1/scripts/stig-fix/cat2/gen004540.sh

@@ -8 +8 @@
-mv /etc/mail/helpfile /etc/mail/helpfile.bak
-echo "" > /etc/mail/helpfile
+sed -i '/HelpFile/s/^/#/' /etc/mail/sendmail.cf

trunk/RHEL5.1/scripts/stig-fix/cat2/lnx00340.sh

@@ -12 +12 @@
-/usr/sbin/userdel gopher
-/usr/sbin/userdel nfsnobody
+/usr/sbin/userdel ftp

trunk/RHEL5.1/scripts/stig-fix/cat3/gen001780.sh

@@ -7 +7 @@
-echo '                    initialization files'
-echo '==================================================='
-,environment
+
-        echo "mesg n" >> $FILE
-done;