aix:script_security_aix [2021/01/01 21:21] 127.0.0.1 external edit |
aix:script_security_aix [2023/06/08 17:24] (current) manu [Version 2] |
Line 1: | Line 1: | ||
- | ==== Check security on AIX ==== | + | ====== Check security on AIX ====== |
+ | |||
+ | ===== Version 1 ===== | ||
I use in my scripts a .env file to specify logpath and logname | I use in my scripts a .env file to specify logpath and logname | ||
Line 930: | Line 932: | ||
fi | fi | ||
done | done | ||
+ | </code> | ||
+ | |||
+ | ===== Version 2 ===== | ||
+ | |||
+ | <code> | ||
+ | #!/bin/ksh93 | ||
+ | #@(#) Check security | ||
+ | # This script doesn't modify something to your system, just list what is right and wrong | ||
+ | # Print in red all commands to modify your settings | ||
+ | # Print in green all parameters that need no change, following by OK | ||
+ | # Version 1.0 08-2014 | ||
+ | |||
+ | dir=`dirname $0` | ||
+ | if [ -f $dir/.env ] | ||
+ | then | ||
+ | . $dir/.env | ||
+ | else | ||
+ | path_script=$dir | ||
+ | export sn=`basename $0 | cut -d. -f1` | ||
+ | export logname=/tmp/$sn.log | ||
+ | fi | ||
+ | |||
+ | DATE=$(date "+%Y%m%d%H%M%S") | ||
+ | LINUX_SED=/opt/freeware/bin/sed | ||
+ | LINUX_STAT=/opt/freeware/bin/stat | ||
+ | LINUX_SORT=/opt/freeware/bin/sort | ||
+ | |||
+ | |||
+ | list_files=$logpath/list_files.txt | ||
+ | outputcis=$logpath/CIS_AIX7.2_v1.0.0 | ||
+ | output=$logname | ||
+ | outputdir=$logpath/sec_files_out_${DATE} | ||
+ | mkdir $outputdir | ||
+ | |||
+ | ##################################################### | ||
+ | # Function to print with the timestamp in bold white | ||
+ | ##################################################### | ||
+ | # | ||
+ | function print_white | ||
+ | { | ||
+ | printf "\E[22;1m"$1*" - $1\E[0m\n" | ||
+ | echo | ||
+ | } | ||
+ | # | ||
+ | ##################################################### | ||
+ | # Function to print with the timestamp in bold green | ||
+ | ##################################################### | ||
+ | # | ||
+ | function print_green | ||
+ | { | ||
+ | printf "\E[32;1m"$*" - $1\E[0m\n" | ||
+ | echo | ||
+ | } | ||
+ | # | ||
+ | ##################################################### | ||
+ | # Function to print with timestamp in bold red | ||
+ | ##################################################### | ||
+ | # | ||
+ | function print_red | ||
+ | { | ||
+ | printf "\E[31;1m"$1"$1\E[0m\n" | ||
+ | } | ||
+ | |||
+ | check_sys0 () | ||
+ | { | ||
+ | echo "#***********************" | ||
+ | echo "#** device sys0 check **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | if [ $(uname -v | awk '{print $1}') -lt 7 ] | ||
+ | then | ||
+ | param=(max_logname maxuproc ncargs) | ||
+ | value=(256 8192 1024) | ||
+ | else | ||
+ | param=(max_logname ngroups_allowed maxuproc ncargs) | ||
+ | value=(256 2048 8192 1024) | ||
+ | fi | ||
+ | |||
+ | nbval=$(echo ${#value[*]}) | ||
+ | count=0 | ||
+ | while [ "$count" -lt "$nbval" ] | ||
+ | do | ||
+ | val1=${param[$count]} | ||
+ | if [ $(lsattr -El sys0 | awk '{print $1}' | grep $val1 > /dev/null; echo $?) -eq 0 ] | ||
+ | then | ||
+ | if [ $(lsattr -El sys0 -a ${param[$count]} | awk '{print $2}') -lt $(echo ${value[$count]}) ] | ||
+ | then | ||
+ | printf "\E[31;1m""chdev -l sys0 -a ${param[$count]}=${value[$count]}"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Value parameter ${param[$count]} for sys0 is ${value[$count]} : OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | fi | ||
+ | (( count = count + 1 )) | ||
+ | done | ||
+ | } | ||
+ | |||
+ | check_user_policy () | ||
+ | { | ||
+ | # User Policy check | ||
+ | echo "#***********************" | ||
+ | echo "#** User Policy check **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | rule="5.2.1 passwords disable NOCHECK" | ||
+ | level=1 | ||
+ | grep -p NOCHECK /etc/security/passwd > $list_files | ||
+ | if [ -s "$list_files" ] | ||
+ | then | ||
+ | grep -p lastupdate /etc/security/passwd | /usr/bin/egrep ":$" | sed -e 's/://' | while read USER | ||
+ | do | ||
+ | printf "\E[31;1m""/usr/bin/pwdadm -c $USER"" $1\E[0m\n" | ||
+ | done | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter password NOCHECK OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | fi | ||
+ | |||
+ | rule="4.6.3 passwords herald" | ||
+ | level=1 | ||
+ | if [[ $(lssec -f /etc/security/login.cfg -s default -a herald | cut -d'=' -f2-) == "" ]] | ||
+ | then | ||
+ | printf "\E[31;1m""chsec -f /etc/security/login.cfg -s default -a herald="'"Unauthorized use of this system is prohibited.\\nlogin:"'" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter herald OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | fi | ||
+ | |||
+ | |||
+ | |||
+ | cat << EOF > $list_files | ||
+ | user default mindiff=4 rule="5.2.6 passwd policy mindiff" level=1 | ||
+ | user default minage=1 rule="5.1.1.3 passwd policy minage" level=1 | ||
+ | user default maxage=13 rule="5.6 passwd policy maxage" level=1 | ||
+ | user default minlen=12 rule="5.2.5 passwd policy minlen 14 (CUSTOM ! Not CIS)" level=1 | ||
+ | user default minalpha=2 rule="5.2.7 passwd policy minalpha 3 (CUSTOM ! Not CIS)" level=1 | ||
+ | user default minother=1 rule="5.2.8 passwd policy minother 3 (CUSTOM ! Not CIS)" level=1 | ||
+ | user default maxrepeats=4 rule="5.2.9 passwd policy maxrepeats" level=1 | ||
+ | user default histexpire=52 rule="5.1.1.1 passwd policy histexpire" level=1 | ||
+ | user default minloweralpha=1 rule="5.2.11 passwd policy minloweralpha" level=1 | ||
+ | user default minupperalpha=1 rule="5.2.12 passwd policy minupperalpha" level=1 | ||
+ | user default mindigit=1 rule="5.2.10 passwd policy mindigit" level=1 | ||
+ | user default minspecialchar=1 rule="5.2.13 passwd policy minspecialchar" level=1 | ||
+ | user default histsize=0 rule="5.1.1.2 passwd policy histsize" level=1 | ||
+ | user default maxexpired=4 rule="5.7 passwd policy maxexpired" level=1 | ||
+ | user default loginretries=5 rule="4.6.4 passwd policy loginretries" level=1 | ||
+ | login.cfg default logininterval=300 | ||
+ | login.cfg default logindisable=10 | ||
+ | login.cfg default loginreenable=360 | ||
+ | login.cfg default logindelay=10 rule="4.6.2 passwd policy logindelay" level=1 | ||
+ | login.cfg usw logintimeout=30 rule="4.6.1 passwd policy logintimeout" level=1 | ||
+ | login.cfg usw pwd_algorithm=ssha512 rule="5.2.2 pwd_algorithm" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read i j k rule level | ||
+ | do | ||
+ | val_ref=$(echo $k | cut -d'=' -f2) | ||
+ | param=$(echo $k | cut -d'=' -f1) | ||
+ | val_cur=$(lssec -f /etc/security/$i -s $j -a $param | awk '{print $2}' | cut -d'=' -f2) | ||
+ | if [ "$val_cur" != "$val_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chsec -f /etc/security/$i -s $j -a $k"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $param OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | lsuser -R files -a maxage ALL | sed -e 's/^/;/' -e 's/\ /;/' | egrep -v ";ext|;usr|;daemon;|;bin;|;sys;|;adm;|;nobody;|;lp;|;invscout;|;ipsec;|;snapp;|;sshd;|;lpd;|;pconsole;|;esaadmin;" | sed 's/;/\ /g' | while read i j | ||
+ | do | ||
+ | if [ "$j" != "maxage=0" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files maxage=0 $i"" $1\E[0m\n" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | lsuser -R files -a maxexpired root | awk '{print $2}' | grep -v 'maxexpired=-1' > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files maxexpired=-1 root"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | check_profile () | ||
+ | { | ||
+ | # Check settings in /etc/profile and environment | ||
+ | echo "#************************************" | ||
+ | echo "#** Check environment **" | ||
+ | echo "#************************************" | ||
+ | |||
+ | rule="4.11 environment PATH" | ||
+ | level=1 | ||
+ | if [[ $(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/') == "" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/') | ||
+ | printf "\E[31;1m""$LINUX_SED -i "'"''/^PATH=/s/.*/'$val'/''"'" /etc/environment"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | rule="4.13 Remove current working directory from root's PATH" | ||
+ | level=1 | ||
+ | if [[ $(su - root -c "echo ${PATH}" |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/') == "" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | rule="4.14 Configuration: /etc/motd" | ||
+ | level=1 | ||
+ | RC=0 | ||
+ | if [ $(grep -qi authorized /etc/motd; echo $?) -ne "0" ] | ||
+ | then | ||
+ | (( RC = RC + 1 )) | ||
+ | fi | ||
+ | if [[ $($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd) != 'bin:bin:644:/etc/motd:' ]] | ||
+ | then | ||
+ | (( RC = RC + 1 )) | ||
+ | printf "\E[31;1m""chmod u=rw,go=r /etc/motd"" $1\E[0m\n" | ||
+ | printf "\E[31;1m""chown bin:bin /etc/motd"" $1\E[0m\n" | ||
+ | fi | ||
+ | if [[ $RC == "0" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | check_local_user_group() | ||
+ | { | ||
+ | # Check local users and groups | ||
+ | echo "#************************************" | ||
+ | echo "#** Check local users and groups **" | ||
+ | echo "#************************************" | ||
+ | |||
+ | # Check local users starting with usr or ext | ||
+ | egrep "^usr|^ext" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | lssec -f /etc/security/user -s default -a SYSTEM | grep LDAP > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""User ext or usr exists on local Please remove them using : rmuser -R files -p <user>"" $1\E[0m\n" | ||
+ | egrep "^usr|^ext" /etc/passwd | ||
+ | else | ||
+ | printf "\E[32;1m""# User ext or usr exists on local but there is no LDAP: OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | else | ||
+ | printf "\E[32;1m""# No local user defined : OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | # Check users in system group | ||
+ | num=$(cat /etc/group | grep '^system' | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//' -e 's/srvproxy//' | sed 's/\ //g' | wc -c | awk '{print $1}') | ||
+ | if [ $num -ne 1 ] | ||
+ | then | ||
+ | printf "\E[31;1m""User exists in system group, Please change the group"" $1\E[0m\n" | ||
+ | cat /etc/group | grep '^system' | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//' | ||
+ | else | ||
+ | printf "\E[32;1m""# No users in system group except system users OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | # Check guest user | ||
+ | egrep "^guest:" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | for i in $(egrep "^guest:" /etc/passwd | cut -d':' -f1) | ||
+ | do | ||
+ | printf "\E[31;1m""rmuser -R files -p $i"" $1\E[0m\n" | ||
+ | done | ||
+ | else | ||
+ | printf "\E[32;1m""# No user guest OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | # Check lpd and printq user | ||
+ | egrep "^lpd:|^prinq:" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | cat /etc/qconfig | grep -v '^*' > $logpath/tempo | ||
+ | if [ -s $logpath/tempo ] | ||
+ | then | ||
+ | printf "\E[32;1m""# Users lpd and printq exists, printers are defined OK"" $1\E[0m\n" | ||
+ | else | ||
+ | for i in $(egrep "^prinq:" /etc/passwd | cut -d':' -f1) | ||
+ | do | ||
+ | printf "\E[31;1m""rmuser -R files -p $i"" $1\E[0m\n" | ||
+ | done | ||
+ | fi | ||
+ | else | ||
+ | printf "\E[32;1m""# No user lpd or printq OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | # Check homedir | ||
+ | rule="4.7.1.2 Homedir exist" | ||
+ | level=1 | ||
+ | RC=0 | ||
+ | lsuser -R files -a pgrp home account_locked ALL |grep -v 'account_locked=true' | while read usr pgrp home dummy | ||
+ | do | ||
+ | h=$(echo $home | cut -d'=' -f2) | ||
+ | ls -ld $h > /dev/null 2>&1 | ||
+ | if [ $? -ne "0" ] | ||
+ | then | ||
+ | (( RC = RC + 1 )) | ||
+ | grp=$(echo $pgrp | cut -d'=' -f2) | ||
+ | printf "\E[31;1m""mkdir -p $h"" $1\E[0m\n" | ||
+ | printf "\E[31;1m""chown -R $usr:$grp $h"" $1\E[0m\n" | ||
+ | fi | ||
+ | done | ||
+ | if [[ $RC == "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# Users Homedir OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""# Users Homedir NOK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | disable_login_system () | ||
+ | { | ||
+ | # Disable login and rlogin for system users | ||
+ | echo "#************************************" | ||
+ | echo "#** Disable login for system users **" | ||
+ | echo "#************************************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | daemon account_locked=true login=false rlogin=false rule="5.3.3 lock account daemon" level=1 | ||
+ | bin account_locked=true login=false rlogin=false rule="5.3.2 lock account bin" level=1 | ||
+ | sys account_locked=true login=false rlogin=false rule="5.3.8 lock account sys" level=1 | ||
+ | adm account_locked=true login=false rlogin=false rule="5.3.1 lock account adm" level=1 | ||
+ | nobody account_locked=true login=false rlogin=false rule="5.3.6 lock account nobody" level=1 | ||
+ | guest account_locked=true login=false rlogin=false rule="5.3.4 lock account guest" level=1 | ||
+ | uucp account_locked=true login=false rlogin=false rule="5.3.9 lock account uucp" level=1 | ||
+ | nuucp account_locked=true login=false rlogin=false rule="5.3.7 lock account nuucp" level=1 | ||
+ | lpd account_locked=true login=false rlogin=false rule="5.3.5 lock account lpd" level=1 | ||
+ | root account_locked=false login=true rlogin=true rule="None" level=none | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read user locked_ref login_ref rlogin_ref rule level | ||
+ | do | ||
+ | count=0 | ||
+ | if [ "$user" != "root" ] && [ $(test -e /usr/ios/cli/ioscli;echo $?) ] | ||
+ | then | ||
+ | grep "$user" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | login_curr=$(lsuser -R files -a login $user | awk '{print $2}') | ||
+ | rlogin_curr=$(lsuser -R files -a rlogin $user | awk '{print $2}') | ||
+ | locked_curr=$(lsuser -R files -a account_locked $user | awk '{print $2}') | ||
+ | if [ "$login_curr" != "$login_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $login_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $login_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | if [ "$rlogin_curr" != "$rlogin_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $rlogin_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $rlogin_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | if [ "$locked_curr" != "$locked_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $locked_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $locked_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | fi | ||
+ | else | ||
+ | if [ ! -e /usr/ios/cli/ioscli ] | ||
+ | then | ||
+ | grep "$user" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | login_curr=$(lsuser -R files -a login $user | awk '{print $2}') | ||
+ | rlogin_curr=$(lsuser -R files -a rlogin $user | awk '{print $2}') | ||
+ | locked_curr=$(lsuser -R files -a account_locked $user | awk '{print $2}') | ||
+ | if [ "$login_curr" != "$login_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $login_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $login_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | if [ "$rlogin_curr" != "$rlogin_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $rlogin_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $rlogin_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | if [ "$locked_curr" != "$locked_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chuser -R files $locked_ref $user"" $1\E[0m\n" | ||
+ | (( count = count + 1 )) | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $locked_ref $user OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | fi | ||
+ | fi | ||
+ | fi | ||
+ | grep "$user" /etc/passwd > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | if [ "$count" != "0" ] | ||
+ | then | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | else | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | rule="4.12 Lock historical users" | ||
+ | level=1 | ||
+ | ACCOUNTS=$(egrep '^daemon:|^bin:|^sys:|^adm:|^uucp:|^nobody:|^lpd:|^lp:|^invscout:|^ipsec:|^nuucp:|^sshd:' /etc/passwd | cut -d':' -f1 | tr '\n' ',' | sed 's/,$//') | ||
+ | |||
+ | if [[ $(lsuser -a account_locked ${ACCOUNTS} | grep -v account_locked=true | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | check_inittab () | ||
+ | { | ||
+ | # Check /etc/inittab | ||
+ | echo "#************************" | ||
+ | echo "#** Check /etc/inittab **" | ||
+ | echo "#************************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | piobe rule="4.1.1.4 Disable piobe" level=1 | ||
+ | qdaemon rule="4.1.1.5 Disable qdaemon" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param rule level | ||
+ | do | ||
+ | grep "^$param:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | if [[ $(cat /etc/qconfig | grep -v '^*' | sed '/^$/d' | wc -l | awk '{print $1}') == "0" ]] | ||
+ | then | ||
+ | line=$(grep "^$param:" /etc/inittab) | ||
+ | begin=$(echo $line | cut -d':' -f1,2) | ||
+ | end=$(echo $line | cut -d':' -f4-) | ||
+ | newline=$(echo "'""$begin:off:$end""'") | ||
+ | printf "\E[31;1m""chitab $newline"" $1\E[0m\n" | ||
+ | if [[ $(lssrc -a | grep active | awk '{print $1}' | grep "^$param" | sed 's/$/:/' ) == "$param:" ]] | ||
+ | then | ||
+ | printf "\E[31;1m""stopsrc -s $param"" $1\E[0m\n" | ||
+ | fi | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | echo "# $rule $level comment="'"'"printers available"'"'" NOK" | ||
+ | fi | ||
+ | else | ||
+ | printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | listsvc="i4ls rcncs httpdlite pmd rcml mkatmpvc atmsvcd sniinst naudio naudio2 pconsole webserverstart platform_agent cimservices rcitm rcnetwlm director_agent climgrcim install_assist pmperfrec cfgperf" | ||
+ | if [ -e /usr/es/sbin/cluster/utilities/clmgr ] | ||
+ | then | ||
+ | listsvc=$(echo "$listsvc xmdaily") | ||
+ | else | ||
+ | if [ ! -e /usr/ios/cli/ioscli ] | ||
+ | then | ||
+ | listsvc=$(echo "$listsvc clcomd clusterconf xmdaily") | ||
+ | fi | ||
+ | fi | ||
+ | |||
+ | for inittab in $listsvc | ||
+ | do | ||
+ | grep "^$inittab:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | line=$(grep "^$inittab:" /etc/inittab) | ||
+ | begin=$(echo $line | cut -d':' -f1,2) | ||
+ | end=$(echo $line | cut -d':' -f4-) | ||
+ | newline=$(echo "'""$begin:off:$end""'") | ||
+ | printf "\E[31;1m""chitab $newline"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | writesrv rule="4.1.1.1 Disable writesrv" level=1 | ||
+ | dt rule="4.1.1.3 Disable dt" level=1 | ||
+ | dt rule="4.5.1.3 Disable dt CDE" level=1 | ||
+ | dt_nogb rule="4.1.1.3 Disable dt" level=1 | ||
+ | cas_agent rule="4.1.1.7 Disable cas_agent" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param rule level | ||
+ | do | ||
+ | grep "^$param:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | line=$(grep "^$param:" /etc/inittab) | ||
+ | begin=$(echo $line | cut -d':' -f1,2) | ||
+ | end=$(echo $line | cut -d':' -f4-) | ||
+ | newline=$(echo "'""$begin:off:$end""'") | ||
+ | printf "\E[31;1m""chitab $newline"" $1\E[0m\n" | ||
+ | if [[ $(lssrc -a | grep active | awk '{print $1}' | grep "^$param" | sed 's/$/:/' ) == "$param:" ]] | ||
+ | then | ||
+ | printf "\E[31;1m""stopsrc -s $param"" $1\E[0m\n" | ||
+ | fi | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | # Remove old IBM Director Agent, no more supported | ||
+ | if [ -e /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0 ] | ||
+ | then | ||
+ | for file in $(ls /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0) | ||
+ | do | ||
+ | printf "\E[31;1m""rm -f $file"" $1\E[0m\n" | ||
+ | done | ||
+ | fi | ||
+ | |||
+ | # rcnfs required for mksysb, NIM and NMON | ||
+ | } | ||
+ | |||
+ | check_inetd () | ||
+ | { | ||
+ | # Check /etc/inetd.conf | ||
+ | echo "#***************************" | ||
+ | echo "#** Check /etc/inetd.conf **" | ||
+ | echo "#***************************" | ||
+ | exclusion="^omni|^nrpe|^swat" | ||
+ | grep -v '^#' /etc/inetd.conf | egrep -v "$exclusion" > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# /etc/inetd.conf OK"" $1\E[0m\n" | ||
+ | else | ||
+ | if [ -f /usr/sbin/lsnim ] | ||
+ | then | ||
+ | exclude="^ftp|^telnet|^shell|^login|^exec|^bootps|^tftp" | ||
+ | else | ||
+ | if [ -f /usr/ios/cli/ioscli ] | ||
+ | then | ||
+ | exclude="^ftp|^telnet|^caa_cfg" | ||
+ | else | ||
+ | exclude="none" | ||
+ | fi | ||
+ | fi | ||
+ | grep -v '^#' /etc/inetd.conf | egrep -v "$exclude" | awk '{print $1,$3}' | while read i j | ||
+ | do | ||
+ | printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n" | ||
+ | done | ||
+ | fi | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | talk,ntalk rule="4.1.1.2 Disable talk/ntalk" level=1 | ||
+ | bootps rule="4.1.5.1 Disable bootps" level=1 | ||
+ | chargen rule="4.1.5.2 Disable chargen" level=1 | ||
+ | comsat rule="4.1.5.3 Disable comsat" level=1 | ||
+ | daytime rule="4.1.5.4 Disable daytime" level=1 | ||
+ | discard rule="4.1.5.5 Disable discard" level=1 | ||
+ | echo rule="4.1.5.6 Disable echo" level=1 | ||
+ | exec rule="4.1.5.7 Disable exec" level=1 | ||
+ | finger rule="4.1.5.8 Disable finger" level=1 | ||
+ | ftp rule="4.1.5.9 Disable ftp" level=1 | ||
+ | imap2 rule="4.1.5.10 Disable imap2" level=1 | ||
+ | instsrv rule="4.1.5.11 Disable instsrv" level=1 | ||
+ | klogin rule="4.1.5.12 Disable klogin" level=1 | ||
+ | kshell rule="4.1.5.13 Disable kshell" level=1 | ||
+ | login rule="4.1.5.14 Disable login" level=1 | ||
+ | netstat rule="4.1.5.15 Disable netstat" level=1 | ||
+ | ntalk rule="4.1.5.16 Disable ntalk" level=1 | ||
+ | pcnfsd rule="4.1.5.17 Disable pcnfsd" level=1 | ||
+ | pop3 rule="4.1.5.18 Disable pop3" level=1 | ||
+ | rexd rule="4.1.5.19 Disable rexd" level=1 | ||
+ | rquotad rule="4.1.5.20 Disable rquotad" level=1 | ||
+ | rstatd rule="4.1.5.21 Disable rstatd" level=1 | ||
+ | rusersd rule="4.1.5.22 Disable rusersd" level=1 | ||
+ | rwalld rule="4.1.5.23 Disable rwalld" level=1 | ||
+ | shell rule="4.1.5.24 Disable shell" level=1 | ||
+ | sprayd rule="4.1.5.25 Disable sprayd" level=1 | ||
+ | xmquery rule="4.1.5.26 Disable xmquery" level=1 | ||
+ | talk rule="4.1.5.27 Disable talk" level=1 | ||
+ | telnet rule="4.1.5.28 Disable telnet" level=1 | ||
+ | tftp rule="4.1.5.29 Disable tftp" level=1 | ||
+ | time rule="4.1.5.30 Disable time" level=1 | ||
+ | uucp rule="4.1.5.31 Disable uucp" level=1 | ||
+ | cmsd rule="4.5.1.2 Disable cmsd (CDE)" level=1 | ||
+ | dtspc rule="4.5.1.4 Disable dtspc (CDE)" level=2 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param rule level | ||
+ | do | ||
+ | RC=0 | ||
+ | for sub in $(echo $param | tr ',' '\n') | ||
+ | do | ||
+ | cat /etc/inetd.conf | sed 's/\ /:/g' | grep -q "^$sub:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | cat /etc/inetd.conf | tr -s ' ' | sed 's/\ /:/g' | grep "^$sub:" | awk -F':' '{print $1,$3}' | while read i j | ||
+ | do | ||
+ | printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n" | ||
+ | done | ||
+ | (( RC = RC + 1 )) | ||
+ | fi | ||
+ | done | ||
+ | if [[ $RC == "0" ]] | ||
+ | then | ||
+ | echo "# $rule $level OK" | ||
+ | else | ||
+ | echo "# $rule $level NOK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | } | ||
+ | |||
+ | check_rctcpip () | ||
+ | { | ||
+ | # Check /etc/rc.tcpip | ||
+ | echo "#*************************" | ||
+ | echo "#** Check /etc/rc.tcpip **" | ||
+ | echo "#*************************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | aixmidb rule="4.1.2.2 Disable aixmidb" level=1 | ||
+ | dhcpcd rule="4.1.2.3 Disable dhcpcd" level=1 | ||
+ | dhcprd rule="4.1.2.4 Disable dhcprd" level=1 | ||
+ | dhcpsd rule="4.1.2.5 Disable dhcpsd" level=1 | ||
+ | dpid2 rule="4.1.2.6 Disable dpid2" level=1 | ||
+ | gated rule="4.1.2.7 Disable gated" level=1 | ||
+ | hostmibd rule="4.1.2.8 Disable hostmibd" level=1 | ||
+ | mrouted rule="4.1.2.9 Disable mrouted" level=2 | ||
+ | named rule="4.1.2.10 Disable named" level=1 | ||
+ | routed rule="4.1.2.12 Disable routed" level=1 | ||
+ | rwhod rule="4.1.2.13 Disable rwhod" level=1 | ||
+ | sendmail rule="4.1.2.14 Disable sendmail" level=1 | ||
+ | snmpd rule="4.1.2.15 Disable snmpd" level=1 | ||
+ | snmpmibd rule="4.1.2.16 Disable snmpmibd" level=1 | ||
+ | timed rule="4.1.2.17 Disable timed" level=1 | ||
+ | autoconf6 rule="4.1.3.1 Disable autoconf6" level=1 | ||
+ | ndpd-host rule="4.1.3.2 Disable ndpd-host" level=1 | ||
+ | ndpd-router rule="4.1.3.3 Disable ndpd-router" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param rule level | ||
+ | do | ||
+ | cat /etc/rc.tcpip | tr -d "\011" | sed 's/^\ //g' | grep -v '^#' | sed '/^$/d' | grep '^start' | grep -q "$param" | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | else | ||
+ | if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ] | ||
+ | then | ||
+ | echo $param | egrep -q "xntpd|inetd|syslogd|portmap" | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level comment="'"'NIM server'"'"NOK" | ||
+ | else | ||
+ | printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | fi | ||
+ | else | ||
+ | printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | fi | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n" | ||
+ | else | ||
+ | if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ] | ||
+ | then | ||
+ | grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap" > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n" | ||
+ | else | ||
+ | for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap"| awk '{print $2}' | rev | cut -d'/' -f1 | rev) | ||
+ | do | ||
+ | printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n" | ||
+ | done | ||
+ | fi | ||
+ | else | ||
+ | for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" | awk '{print $2}' | rev | cut -d'/' -f1 | rev) | ||
+ | do | ||
+ | printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n" | ||
+ | done | ||
+ | fi | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | check_files_permission () | ||
+ | { | ||
+ | # Check file permissions | ||
+ | echo "#****************************" | ||
+ | echo "#** Check file permissions **" | ||
+ | echo "#****************************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | f /usr/bin/rcp root system 000 nocheck | ||
+ | f /usr/bin/rlogin root bin 000 nocheck | ||
+ | f /usr/bin/rsh root system 000 nocheck | ||
+ | f /usr/sbin/rlogind root system 000 nocheck | ||
+ | f /usr/sbin/rshd root system 000 nocheck | ||
+ | f /usr/sbin/tftpd root system 000 nocheck | ||
+ | f /etc/ssh/sshd_config root system 644 | ||
+ | f /etc/ssh/ssh_config root system 644 | ||
+ | f /etc/security/passwd root security 600 | ||
+ | d /etc/security root security 750 | ||
+ | f /etc/group root security 644 | ||
+ | f /etc/passwd root security 644 | ||
+ | d /etc/security/audit root audit 750 | ||
+ | d /audit root audit 750 | ||
+ | f /root/smit.log root system 640 | ||
+ | f /var/adm/cron/log root cron 660 | ||
+ | f /var/adm/cron/cron.allow bin cron 640 | ||
+ | f /var/adm/cron/at.allow bin cron 640 | ||
+ | d /var/spool/cron/crontabs root cron 770 | ||
+ | f /etc/motd bin bin 444 | ||
+ | #f /var/adm/ras/* - - o-r | ||
+ | f /var/ct/RMstart.log root system 640 | ||
+ | f /var/tmp/dpid2.log root system 640 | ||
+ | f /var/tmp/hostmibd.log root system 640 | ||
+ | f /var/tmp/snmpd.log root system 640 | ||
+ | d /var/adm/sa adm adm 766 | ||
+ | f /usr/dt/bin/dtaction root sys 555 | ||
+ | f /usr/dt/bin/dtappgather root bin 555 | ||
+ | f /usr/dt/bin/dtprintinfo root bin 555 | ||
+ | f /usr/dt/bin/dtsession root bin 555 | ||
+ | f /etc/dt/config/Xservers root bin 555 | ||
+ | EOF | ||
+ | |||
+ | if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ] | ||
+ | then | ||
+ | cat $list_files | grep -v "nocheck" > $list_files.1 | ||
+ | mv $list_files.1 $list_files | ||
+ | fi | ||
+ | |||
+ | cat $list_files | while read type full owner group perm nocheck | ||
+ | do | ||
+ | if [ $type = "f" ] | ||
+ | then | ||
+ | if [ -f $full ] | ||
+ | then | ||
+ | owner_curr=$(ls -l $full | awk '{print $3"."$4}') | ||
+ | if [ "$owner_curr" != $(echo "$owner.$group") ] | ||
+ | then | ||
+ | printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# file $full owner OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | perm_curr=$(convert_perm_file $full | awk '{print $1}') | ||
+ | if [[ $perm_curr == "0" ]] | ||
+ | then | ||
+ | perm_curr="000" | ||
+ | fi | ||
+ | if [ "$perm_curr" != "$perm" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# file $full permission OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | fi | ||
+ | else | ||
+ | if [ $type = "d" ] | ||
+ | then | ||
+ | if [ -d $full ] | ||
+ | then | ||
+ | owner_curr=$(ls -ld $full | awk '{print $3"."$4}') | ||
+ | if [ "$owner_curr" != $(echo "$owner.$group") ] | ||
+ | then | ||
+ | printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# directory $full owner OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | perm_curr=$(convert_perm_dir $full | awk '{print $1}') | ||
+ | if [ "$perm_curr" != "$perm" ] | ||
+ | then | ||
+ | printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# directory $full permission OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | fi | ||
+ | fi | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | rule="3.7 check staff writable files" | ||
+ | level=1 | ||
+ | label=3.7_staff_writable_files | ||
+ | outfile=$outputdir/${label} | ||
+ | if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}') == "0" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -ls > $outfile | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | rule="3.8 check nouser, nogroup files" | ||
+ | level=1 | ||
+ | label=3.8_nouser_nogroup_files | ||
+ | outfile=$outputdir/${label} | ||
+ | if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}') == "0" ]] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls > $outfile | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | convert_perm_file () | ||
+ | { | ||
+ | for file in $(ls $*) | ||
+ | do | ||
+ | if [ -f $file ] | ||
+ | then | ||
+ | ls -l $file | awk 'BEGIN { | ||
+ | v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000 | ||
+ | v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000 | ||
+ | v["r7"]=4 ; v["w8"]=2 ; v["x9"]=1 ; v["t9"]=1001; v["T9"]=1000} | ||
+ | {val=0 | ||
+ | for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i] | ||
+ | printf "%4d %s\n",val,$NF}' | ||
+ | fi | ||
+ | done | ||
+ | } | ||
+ | |||
+ | convert_perm_dir () | ||
+ | { | ||
+ | dir=$(echo $1) | ||
+ | ls -ld $dir | awk 'BEGIN { | ||
+ | v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000 | ||
+ | v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000 | ||
+ | v["r7"]=4 ; v["w8"]=2 ; v["x9"]=1 ; v["t9"]=1001; v["T9"]=1000} | ||
+ | {val=0 | ||
+ | for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i] | ||
+ | printf "%4d %s\n",val,$NF}' | ||
+ | } | ||
+ | |||
+ | network_option () | ||
+ | { | ||
+ | # Network Options | ||
+ | echo "#***********************" | ||
+ | echo "#** Network Options **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | no clean_partial_conns 1 rule="4.2.1 no clean_partial_conns" level=1 | ||
+ | no bcastping 0 rule="4.2.2 no bcastping" level=1 | ||
+ | no directed_broadcast 0 rule="4.2.3 no directed_broadcast" level=1 | ||
+ | no icmpaddressmask 0 rule="4.2.4 no icmpaddressmask" level=1 | ||
+ | no ipforwarding 0 rule="4.2.5 no ipforwarding" level=1 | ||
+ | no ipignoreredirects 1 rule="4.2.6 no ipignoreredirects" level=1 | ||
+ | no ipsendredirects 0 rule="4.2.7 no ipsendredirects" level=1 | ||
+ | no ipsrcrouteforward 0 rule="4.2.8 no ipsrcrouteforward" level=1 | ||
+ | no ipsrcrouterecv 0 rule="4.2.9 no ipsrcrouterecv" level=1 | ||
+ | no ipsrcroutesend 0 rule="4.2.10 no ipsrcroutesend" level=1 | ||
+ | no ip6srcrouteforward 0 rule="4.2.11 no ip6srcrouteforward" level=1 | ||
+ | nfso portcheck 1 rule="4.2.12 no portcheck" level=1 | ||
+ | nfso nfs_use_reserved_ports 1 rule="4.2.12 no nfs_use_reserved_ports" level=1 | ||
+ | no nonlocsrcroute 0 rule="4.2.13 no nonlocsrcroute" level=1 | ||
+ | no sockthresh 60 rule="4.2.14 no sockthresh" level=1 | ||
+ | no tcp_pmtu_discover 0 rule="4.2.15 no tcp_pmtu_discover" level=1 | ||
+ | no tcp_tcpsecure 7 rule="4.2.16 no tcp_tcpsecure" level=1 | ||
+ | no udp_pmtu_discover 0 rule="4.2.17 no udp_pmtu_discover" level=1 | ||
+ | no ip6forwarding 0 rule="4.2.18 no ip6forwarding" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read cmd param val rule level | ||
+ | do | ||
+ | val_cur=$($cmd -o $param | awk '{print $3}') | ||
+ | if [ "$val" -ne "$val_cur" ] | ||
+ | then | ||
+ | printf "\E[31;1m""$cmd -p -o $param=$val"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $cmd $param OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | |||
+ | |||
+ | cat << EOF > $list_files | ||
+ | no ipsrcrouteforward 0 | ||
+ | no ipignoreredirects 1 | ||
+ | no clean_partial_conns 1 | ||
+ | no ipsrcroutesend 0 | ||
+ | no ipforwarding 0 | ||
+ | no ipsendredirects 0 | ||
+ | no ip6srcrouteforward 0 | ||
+ | no ip6forwarding 0 | ||
+ | no directed_broadcast 0 | ||
+ | no tcp_pmtu_discover 0 | ||
+ | no bcastping 0 | ||
+ | no icmpaddressmask 0 | ||
+ | no udp_pmtu_discover 0 | ||
+ | no ipsrcrouterecv 0 | ||
+ | no nonlocsrcroute 0 | ||
+ | no tcp_tcpsecure 7 | ||
+ | no sockthresh 60 | ||
+ | no rfc1323 1 | ||
+ | no tcp_sendspace 262144 | ||
+ | no tcp_recvspace 262144 | ||
+ | no udp_sendspace 65536 | ||
+ | no udp_recvspace 655360 | ||
+ | no tcp_mssdflt 1448 | ||
+ | EOF | ||
+ | |||
+ | # For NFS with Linux, add the following settings | ||
+ | #nfso portcheck 1 | ||
+ | #nfso nfs_use_reserved_ports 1 | ||
+ | |||
+ | cat $list_files | while read i j k | ||
+ | do | ||
+ | val_ref=$(echo $k) | ||
+ | val_cur=$($i -o $j | awk '{print $3}') | ||
+ | if [ "$val_cur" -ne "$val_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | echo "no sb_max 1048576" | while read i j k | ||
+ | do | ||
+ | val_ref=$(echo $k) | ||
+ | val_cur=$($i -o $j | awk '{print $3}') | ||
+ | if [ "$val_cur" -lt "$val_ref" ] | ||
+ | then | ||
+ | printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | done | ||
+ | } | ||
+ | |||
+ | check_audit () | ||
+ | { | ||
+ | # Check Audit | ||
+ | echo "#***********************" | ||
+ | echo "#** Check audit **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | df -g /audit | grep audit > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""mklv -tjfs2 -y auditlv rootvg 2G;crfs -vjfs2 -m /audit -d auditlv -Ayes;mount /audit"" $1\E[0m\n" | ||
+ | printf "\E[31;1m""chown root.audit /audit;chmod 750 /audit"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Filesystem /audit OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | if [[ $(lssec -f /usr/lib/security/mkuser.default -s user -a auditclasses | awk '{print $2}' | awk -F'=' '{print $2}' | wc -c | awk '{print $1}') == "1" ]] | ||
+ | then | ||
+ | printf "\E[31;1m""chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# User auditclasses OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep 'audit' /etc/inittab > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m"'echo ":audit:2:boot:audit start > /dev/console 2>&1" >> /etc/inittab'" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Audit process started in inittab OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | check_syslog () | ||
+ | { | ||
+ | # Check Syslog | ||
+ | echo "#***********************" | ||
+ | echo "#** Check syslog **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | odmget -q subsysname="syslogd" SRCsubsys | grep cmdargs | cut -d'=' -f2- | grep '\-r' | grep '\-n' > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m"'chssys -s syslogd -a "-r -n"'" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Syslog started with option -r and -n OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | check_snmp () | ||
+ | { | ||
+ | # Check SNMP config file | ||
+ | echo "#***********************" | ||
+ | echo "#** Check SNMP **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | grep "^community[[:blank:]]*private" /etc/snmpd.conf > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""/opt/freeware/bin/sed -i '/private/ s/^/#/g' /etc/snmp.conf"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# /etc/snmp.conf OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | check_cron () | ||
+ | { | ||
+ | # Check cron authorization | ||
+ | echo "#***********************" | ||
+ | echo "#** Check crontabs **" | ||
+ | echo "#***********************" | ||
+ | |||
+ | if [ ! -f /var/adm/cron/cron.allow ] | ||
+ | then | ||
+ | printf "\E[31;1m"'ls /var/spool/cron/crontabs | egrep -v "esaadmin|sys|uucp" > /var/adm/cron/cron.allow'" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# /var/adm/cron/cron.allow exists OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | if [ ! -f /var/adm/cron/at.allow ] | ||
+ | then | ||
+ | printf "\E[31;1m"'ls /var/spool/cron/crontabs | egrep -v "esaadmin|sys|uucp" > /var/adm/cron/at.allow'" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# /var/adm/cron/at.allow exists OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | rule="1.3.3 check mksysb" | ||
+ | level=none | ||
+ | if [ $(grep mksysb /var/spool/cron/crontabs/root > /dev/null 2>&1; echo $?) -eq "0" ] | ||
+ | then | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""echo '30 8 * * 0 /root/scripts/mksysb.sh > /dev/null 2>&1' >> /var/spool/cron/crontabs/root"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | } | ||
+ | |||
+ | check_sshd_config () | ||
+ | { | ||
+ | # Check sshd_config file | ||
+ | echo "#****************************" | ||
+ | echo "#** Check sshd_config file **" | ||
+ | echo "#****************************" | ||
+ | |||
+ | SSHD_CONFIG=/etc/ssh/sshd_config | ||
+ | |||
+ | rule="4.5.3.1 OpenSSH min version" | ||
+ | level=1 | ||
+ | version=$(lslpp -Lc | grep openssh | grep server | cut -d':' -f3 | cut -d'.' -f1,2) | ||
+ | if [ $(echo $version | cut -d'.' -f1) -lt "7" ] | ||
+ | then | ||
+ | printf "\E[31;1m""# Please upgrade OpenSSH to version higher or equal to 8.1"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | else | ||
+ | if [ $(echo $version | cut -d'.' -f2) -lt "1" ] | ||
+ | then | ||
+ | printf "\E[31;1m""# Please upgrade OpenSSH to version higher or equal to 8.1"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# Openssh version OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | fi | ||
+ | fi | ||
+ | |||
+ | rule="4.5.3.2 OpenSSH host.equiv" | ||
+ | level=1 | ||
+ | if [[ $(ls /etc/shosts.equiv /etc/rhosts.equiv 2>/dev/null | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# No /etc/*host.equiv file OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""rm $(ls /etc/shosts.equiv /etc/rhosts.equiv 2>/dev/null)"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | rule="4.5.3.3 OpenSSH .shosts" | ||
+ | level=1 | ||
+ | if [[ $(ls `cat /etc/passwd | cut -d':' -f6 | sort -u | sed 's/$/\/.shosts/' | tr -s '/' | tr '\n' ' ' ; echo` 2>/dev/null | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# No "'$HOME/shosts'" file OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""rm $(ls `cat /etc/passwd | cut -d':' -f6 | sort -u | sed 's/$/\/.shosts/' | tr -s '/' | tr '\n' ' ' ; echo` 2>/dev/null)"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | banner="Unauthorized use of this system is prohibited." | ||
+ | rule="4.5.3.6 OpenSSH banner" | ||
+ | level=1 | ||
+ | if [[ $(grep "^Banner[[:blank:]]" $SSHD_CONFIG | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[31;1m""echo "'"'"$(echo $banner)"'"'' > /etc/ssh/ssh_banner'" $1\E[0m\n" | ||
+ | printf "\E[31;1m""$LINUX_SED -i "'"''/^#Banner/a Banner /etc/ssh/ssh_banner''"'" $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | else | ||
+ | printf "\E[32;1m""# Openssh banner OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | fi | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | HostbasedAuthentication no rule="4.5.3.7 OpenSSH HostbasedAuthentication" level=1 | ||
+ | IgnoreRhosts yes rule="4.5.3.8 OpenSSH IgnoreRhosts" level=1 | ||
+ | PermitEmptyPasswords no rule="4.5.3.9 OpenSSH PermitEmptyPasswords" level=1 | ||
+ | LogLevel INFO rule="4.5.3.10 OpenSSH LogLevel" level=1 | ||
+ | MaxAuthTries 4 rule="4.5.3.12 OpenSSH MaxAuthTries" level=1 | ||
+ | PermitUserEnvironment no rule="4.5.3.13 OpenSSH PermitUserEnvironment" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param val rule level | ||
+ | do | ||
+ | grep "^$param:" $SSHD_CONFIG | tr -s ' ' | sed 's/\ /:/g' |sed 's/$/:/' | grep -q "$param:$val:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# Openssh $param OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""$LINUX_SED -i "'"''/^#'$param'/s/.*/'$param'\ '$val'/''"'" $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | RekeyLimit 1G 3600 rule="4.5.3.18 OpenSSH ReKeyLimit" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files | while read param val1 val2 rule level | ||
+ | do | ||
+ | grep "^$param:" $SSHD_CONFIG | tr -s ' ' | sed 's/\ /:/g' |sed 's/$/:/' | grep -q "$param:$val1:$val2:" > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[32;1m""# Openssh $param OK"" $1\E[0m\n" | ||
+ | echo "# $rule $level OK" | ||
+ | else | ||
+ | printf "\E[31;1m""$LINUX_SED -i "'"''/^#'$param'/s/.*/'$param'\ '$val1\ $val2'/''"'" $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | fi | ||
+ | done | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | weak_algo="diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1" # in egrep format | ||
+ | rule="4.5.3.15 OpenSSH KexAlgorithms" | ||
+ | level=1 | ||
+ | if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep kexalgorithms | tr ',' '\n' | sed 's/kexalgorithms\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# Openssh KexAlgorithms OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep kexalgorithms | tr ',' '\n' | sed 's/kexalgorithms\ //' | egrep "$weak_algo")" | ||
+ | printf "\E[31;1m""# Openssh unsecure algorithms NOK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | weak_algo="3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se" # in egrep format | ||
+ | rule="4.5.3.16 OpenSSH Ciphers" | ||
+ | level=1 | ||
+ | if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ciphers | tr ',' '\n' | sed 's/ciphers\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# Openssh Ciphers OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ciphers | tr ',' '\n' | sed 's/ciphers\ //' | egrep "$weak_algo")" | ||
+ | printf "\E[31;1m""# Openssh unsecure ciphers NOK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | weak_algo="hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com" | ||
+ | rule="4.5.3.17 OpenSSH MACs" | ||
+ | level=1 | ||
+ | if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep macs | tr ',' '\n' | sed 's/macs\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]] | ||
+ | then | ||
+ | printf "\E[32;1m""# Openssh MACs OK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level OK" | ||
+ | else | ||
+ | echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep macs | tr ',' '\n' | sed 's/macs\ //' | egrep "$weak_algo")" | ||
+ | printf "\E[31;1m""# Openssh unsecure macs NOK"" $1\E[0m\n" | ||
+ | echo "# rule="'"'$rule'"'" level=$level NOK" | ||
+ | fi | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | grep '^Port' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#Port\ 22/Port\ 22/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Port OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep '^ListenAddress ' $SSHD_CONFIG | grep -v '::' > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#ListenAddress\ 0.0.0.0/ListenAddress\ 0.0.0.0/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# ListenAddress IPV4 OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep '^ListenAddress ' $SSHD_CONFIG | grep '::' > /dev/null 2>&1 | ||
+ | if [ $? -eq 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^ListenAddress\ ::/#ListenAddress\ ::/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# ListenAddress IPV6 OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep '^Protocol 2' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#Protocol\ 2/Protocol\ 2/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# Protocol ssh version 2 only OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | # Ciphers be careful could prevent from login | ||
+ | #grep '^Ciphers' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | #if [ $? -ne 0 ] | ||
+ | #then | ||
+ | # printf "\E[31;1m"$LINUX_SED" -i '"'/^Protocol/a \\ | ||
+ | #\\ | ||
+ | ## SSH protocol v2 specific options \\ | ||
+ | #Ciphers aes256-ctr,aes192-ctr,aes128-ctr'"' "$SSHD_CONFIG" $1\E[0m\n" | ||
+ | #else | ||
+ | # printf "\E[32;1m""# Ciphers OK"" $1\E[0m\n" | ||
+ | #fi | ||
+ | |||
+ | grep '^SyslogFacility AUTH' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#SyslogFacility\ AUTH/SyslogFacility\ AUTH/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# SyslogFacility OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep '^LogLevel INFO' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#LogLevel\ INFO/LogLevel\ INFO/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# LogLevel OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ] | ||
+ | then | ||
+ | printf "\E[31;1m""echo | ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# ECDSA ssh key exists OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | grep '^PidFile' $SSHD_CONFIG > /dev/null 2>&1 | ||
+ | if [ $? -ne 0 ] | ||
+ | then | ||
+ | printf "\E[31;1m""$LINUX_SED -i 's/^#PidFile\ \\\/var\\\/run\\\/sshd.pid/PidFile\ \\\/var\\\/run\\\/sshd.pid/' $SSHD_CONFIG"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# PidFile OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | |||
+ | if [ ! -d "/var/run" ] | ||
+ | then | ||
+ | printf "\E[31;1m""mkdir -p /var/run"" $1\E[0m\n" | ||
+ | else | ||
+ | printf "\E[32;1m""# ssh PID directory exists OK"" $1\E[0m\n" | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | |||
+ | check_installed_packages () | ||
+ | { | ||
+ | # Check installed packages | ||
+ | echo "#******************************" | ||
+ | echo "#** Check installed packages **" | ||
+ | echo "#******************************" | ||
+ | |||
+ | cat << EOF > $list_files | ||
+ | cas.agent rule="None" level=none | ||
+ | bos.net.nis.client rule="4.4.1.1 Deinstall NIS Client" level=2 | ||
+ | bos.net.nis.server rule="4.4.1.2 Deinstall NIS Server" level=2 | ||
+ | X11.Dt rule="4.5.1.1 Deinstall CDE" level=1 | ||
+ | EOF | ||
+ | |||
+ | cat $list_files |while read package rule level | ||
+ | do | ||
+ | if [ $(lslpp -Lc | grep -q $package; echo $?) -eq "0" ] | ||
+ | then | ||
+ | printf "\E[31;1m""installp -u $package"" $1\E[0m\n" | ||
+ | echo "# $rule $level NOK" | ||
+ | else | ||
+ | echo "# $rule $level OK" | ||
+ | fi | ||
+ | done | ||
+ | } | ||
+ | |||
+ | |||
+ | ########### | ||
+ | ########### | ||
+ | main() | ||
+ | { | ||
+ | check_sys0 | ||
+ | check_user_policy | ||
+ | network_option | ||
+ | disable_login_system | ||
+ | check_local_user_group | ||
+ | check_profile | ||
+ | check_inittab | ||
+ | check_inetd | ||
+ | check_rctcpip | ||
+ | check_files_permission | ||
+ | check_snmp | ||
+ | check_audit | ||
+ | check_syslog | ||
+ | check_cron | ||
+ | check_sshd_config | ||
+ | check_installed_packages | ||
+ | |||
+ | echo "### All output files are located into: $outputdir" | ||
+ | } | ||
+ | |||
+ | main | tee $logname 2>&1 | ||
+ | echo | ||
+ | grep rule $logname | grep -v 'rule="None"' | sort # $LINUX_SORT -t. -k 1,1n -k 2,2n -k 3,3n | ||
+ | |||
</code> | </code> |