aix:script_security_aix [2023/06/08 17:23] manu |
aix:script_security_aix [2023/06/08 17:24] (current) manu [Version 2] |
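--- a/aix:script_security_aix
+++ b/aix:script_security_aix
@@ -1475,2 +1475,805 @@
 }
+check_inetd ()
+{
+# Check /etc/inetd.conf
+echo "#***************************"
+echo "#** Check /etc/inetd.conf **"
+echo "#***************************"
+exclusion="^omni|^nrpe|^swat"
+grep -v '^#' /etc/inetd.conf | egrep -v "$exclusion" > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[32;1m""# /etc/inetd.conf OK"" $1\E[0m\n"
+else
+if [ -f /usr/sbin/lsnim ]
+then
+exclude="^ftp|^telnet|^shell|^login|^exec|^bootps|^tftp"
+else
+if [ -f /usr/ios/cli/ioscli ]
+then
+exclude="^ftp|^telnet|^caa_cfg"
+else
+exclude="none"
+fi
+fi
+grep -v '^#' /etc/inetd.conf | egrep -v "$exclude" | awk '{print $1,$3}' | while read i j
+do
+printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n"
+done
+fi
+
+cat << EOF > $list_files
+talk,ntalk rule="4.1.1.2 Disable talk/ntalk" level=1
+bootps rule="4.1.5.1 Disable bootps" level=1
+chargen rule="4.1.5.2 Disable chargen" level=1
+comsat rule="4.1.5.3 Disable comsat" level=1
+daytime rule="4.1.5.4 Disable daytime" level=1
+discard rule="4.1.5.5 Disable discard" level=1
+echo rule="4.1.5.6 Disable echo" level=1
+exec rule="4.1.5.7 Disable exec" level=1
+finger rule="4.1.5.8 Disable finger" level=1
+ftp rule="4.1.5.9 Disable ftp" level=1
+imap2 rule="4.1.5.10 Disable imap2" level=1
+instsrv rule="4.1.5.11 Disable instsrv" level=1
+klogin rule="4.1.5.12 Disable klogin" level=1
+kshell rule="4.1.5.13 Disable kshell" level=1
+login rule="4.1.5.14 Disable login" level=1
+netstat rule="4.1.5.15 Disable netstat" level=1
+ntalk rule="4.1.5.16 Disable ntalk" level=1
+pcnfsd rule="4.1.5.17 Disable pcnfsd" level=1
+pop3 rule="4.1.5.18 Disable pop3" level=1
+rexd rule="4.1.5.19 Disable rexd" level=1
+rquotad rule="4.1.5.20 Disable rquotad" level=1
+rstatd rule="4.1.5.21 Disable rstatd" level=1
+rusersd rule="4.1.5.22 Disable rusersd" level=1
+rwalld rule="4.1.5.23 Disable rwalld" level=1
+shell rule="4.1.5.24 Disable shell" level=1
+sprayd rule="4.1.5.25 Disable sprayd" level=1
+xmquery rule="4.1.5.26 Disable xmquery" level=1
+talk rule="4.1.5.27 Disable talk" level=1
+telnet rule="4.1.5.28 Disable telnet" level=1
+tftp rule="4.1.5.29 Disable tftp" level=1
+time rule="4.1.5.30 Disable time" level=1
+uucp rule="4.1.5.31 Disable uucp" level=1
+cmsd rule="4.5.1.2 Disable cmsd (CDE)" level=1
+dtspc rule="4.5.1.4 Disable dtspc (CDE)" level=2
+EOF
+
+cat $list_files | while read param rule level
+do
+RC=0
+for sub in $(echo $param | tr ',' '\n')
+do
+cat /etc/inetd.conf | sed 's/\ /:/g' | grep -q "^$sub:" > /dev/null 2>&1
+if [ $? -eq 0 ]
+then
+cat /etc/inetd.conf | tr -s ' ' | sed 's/\ /:/g' | grep "^$sub:" | awk -F':' '{print $1,$3}' | while read i j
+do
+printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n"
+done
+(( RC = RC + 1 ))
+fi
+done
+if [[ $RC == "0" ]]
+then
+echo "# $rule $level OK"
+else
+echo "# $rule $level NOK"
+fi
+done
+
+}
+
+check_rctcpip ()
+{
+# Check /etc/rc.tcpip
+echo "#*************************"
+echo "#** Check /etc/rc.tcpip **"
+echo "#*************************"
+
+cat << EOF > $list_files
+aixmidb rule="4.1.2.2 Disable aixmidb" level=1
+dhcpcd rule="4.1.2.3 Disable dhcpcd" level=1
+dhcprd rule="4.1.2.4 Disable dhcprd" level=1
+dhcpsd rule="4.1.2.5 Disable dhcpsd" level=1
+dpid2 rule="4.1.2.6 Disable dpid2" level=1
+gated rule="4.1.2.7 Disable gated" level=1
+hostmibd rule="4.1.2.8 Disable hostmibd" level=1
+mrouted rule="4.1.2.9 Disable mrouted" level=2
+named rule="4.1.2.10 Disable named" level=1
+routed rule="4.1.2.12 Disable routed" level=1
+rwhod rule="4.1.2.13 Disable rwhod" level=1
+sendmail rule="4.1.2.14 Disable sendmail" level=1
+snmpd rule="4.1.2.15 Disable snmpd" level=1
+snmpmibd rule="4.1.2.16 Disable snmpmibd" level=1
+timed rule="4.1.2.17 Disable timed" level=1
+autoconf6 rule="4.1.3.1 Disable autoconf6" level=1
+ndpd-host rule="4.1.3.2 Disable ndpd-host" level=1
+ndpd-router rule="4.1.3.3 Disable ndpd-router" level=1
+EOF
+
+cat $list_files | while read param rule level
+do
+cat /etc/rc.tcpip | tr -d "\011" | sed 's/^\ //g' | grep -v '^#' | sed '/^$/d' | grep '^start' | grep -q "$param"
+if [ $? -ne 0 ]
+then
+printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n"
+echo "# $rule $level OK"
+else
+if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
+then
+echo $param | egrep -q "xntpd|inetd|syslogd|portmap"
+if [ $? -eq 0 ]
+then
+printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n"
+echo "# $rule $level comment="'"'NIM server'"'"NOK"
+else
+printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n"
+echo "# $rule $level NOK"
+fi
+else
+printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n"
+echo "# $rule $level NOK"
+fi
+fi
+done
+
+grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n"
+else
+if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
+then
+grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap" > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n"
+else
+for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap"| awk '{print $2}' | rev | cut -d'/' -f1 | rev)
+do
+printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n"
+done
+fi
+else
+for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" | awk '{print $2}' | rev | cut -d'/' -f1 | rev)
+do
+printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n"
+done
+fi
+fi
+}
+
+check_files_permission ()
+{
+# Check file permissions
+echo "#****************************"
+echo "#** Check file permissions **"
+echo "#****************************"
+
+cat << EOF > $list_files
+f /usr/bin/rcp root system 000 nocheck
+f /usr/bin/rlogin root bin 000 nocheck
+f /usr/bin/rsh root system 000 nocheck
+f /usr/sbin/rlogind root system 000 nocheck
+f /usr/sbin/rshd root system 000 nocheck
+f /usr/sbin/tftpd root system 000 nocheck
+f /etc/ssh/sshd_config root system 644
+f /etc/ssh/ssh_config root system 644
+f /etc/security/passwd root security 600
+d /etc/security root security 750
+f /etc/group root security 644
+f /etc/passwd root security 644
+d /etc/security/audit root audit 750
+d /audit root audit 750
+f /root/smit.log root system 640
+f /var/adm/cron/log root cron 660
+f /var/adm/cron/cron.allow bin cron 640
+f /var/adm/cron/at.allow bin cron 640
+d /var/spool/cron/crontabs root cron 770
+f /etc/motd bin bin 444
+#f /var/adm/ras/* - - o-r
+f /var/ct/RMstart.log root system 640
+f /var/tmp/dpid2.log root system 640
+f /var/tmp/hostmibd.log root system 640
+f /var/tmp/snmpd.log root system 640
+d /var/adm/sa adm adm 766
+f /usr/dt/bin/dtaction root sys 555
+f /usr/dt/bin/dtappgather root bin 555
+f /usr/dt/bin/dtprintinfo root bin 555
+f /usr/dt/bin/dtsession root bin 555
+f /etc/dt/config/Xservers root bin 555
+EOF
+
+if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
+then
+cat $list_files | grep -v "nocheck" > $list_files.1
+mv $list_files.1 $list_files
+fi
+
+cat $list_files | while read type full owner group perm nocheck
+do
+if [ $type = "f" ]
+then
+if [ -f $full ]
+then
+owner_curr=$(ls -l $full | awk '{print $3"."$4}')
+if [ "$owner_curr" != $(echo "$owner.$group") ]
+then
+printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n"
+else
+printf "\E[32;1m""# file $full owner OK"" $1\E[0m\n"
+fi
+perm_curr=$(convert_perm_file $full | awk '{print $1}')
+if [[ $perm_curr == "0" ]]
+then
+perm_curr="000"
+fi
+if [ "$perm_curr" != "$perm" ]
+then
+printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n"
+else
+printf "\E[32;1m""# file $full permission OK"" $1\E[0m\n"
+fi
+fi
+else
+if [ $type = "d" ]
+then
+if [ -d $full ]
+then
+owner_curr=$(ls -ld $full | awk '{print $3"."$4}')
+if [ "$owner_curr" != $(echo "$owner.$group") ]
+then
+printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n"
+else
+printf "\E[32;1m""# directory $full owner OK"" $1\E[0m\n"
+fi
+perm_curr=$(convert_perm_dir $full | awk '{print $1}')
+if [ "$perm_curr" != "$perm" ]
+then
+printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n"
+else
+printf "\E[32;1m""# directory $full permission OK"" $1\E[0m\n"
+fi
+fi
+fi
+fi
+done
+
+rule="3.7 check staff writable files"
+level=1
+label=3.7_staff_writable_files
+outfile=$outputdir/${label}
+if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}') == "0" ]]
+then
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -ls > $outfile
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+rule="3.8 check nouser, nogroup files"
+level=1
+label=3.8_nouser_nogroup_files
+outfile=$outputdir/${label}
+if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}') == "0" ]]
+then
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls > $outfile
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+}
+
+convert_perm_file ()
+{
+for file in $(ls $*)
+do
+if [ -f $file ]
+then
+ls -l $file | awk 'BEGIN {
+v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
+v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
+v["r7"]=4 ; v["w8"]=2 ; v["x9"]=1 ; v["t9"]=1001; v["T9"]=1000}
+{val=0
+for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
+printf "%4d %s\n",val,$NF}'
+fi
+done
+}
+
+convert_perm_dir ()
+{
+dir=$(echo $1)
+ls -ld $dir | awk 'BEGIN {
+v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
+v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
+v["r7"]=4 ; v["w8"]=2 ; v["x9"]=1 ; v["t9"]=1001; v["T9"]=1000}
+{val=0
+for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
+printf "%4d %s\n",val,$NF}'
+}
+
+network_option ()
+{
+# Network Options
+echo "#***********************"
+echo "#** Network Options **"
+echo "#***********************"
+
+cat << EOF > $list_files
+no clean_partial_conns 1 rule="4.2.1 no clean_partial_conns" level=1
+no bcastping 0 rule="4.2.2 no bcastping" level=1
+no directed_broadcast 0 rule="4.2.3 no directed_broadcast" level=1
+no icmpaddressmask 0 rule="4.2.4 no icmpaddressmask" level=1
+no ipforwarding 0 rule="4.2.5 no ipforwarding" level=1
+no ipignoreredirects 1 rule="4.2.6 no ipignoreredirects" level=1
+no ipsendredirects 0 rule="4.2.7 no ipsendredirects" level=1
+no ipsrcrouteforward 0 rule="4.2.8 no ipsrcrouteforward" level=1
+no ipsrcrouterecv 0 rule="4.2.9 no ipsrcrouterecv" level=1
+no ipsrcroutesend 0 rule="4.2.10 no ipsrcroutesend" level=1
+no ip6srcrouteforward 0 rule="4.2.11 no ip6srcrouteforward" level=1
+nfso portcheck 1 rule="4.2.12 no portcheck" level=1
+nfso nfs_use_reserved_ports 1 rule="4.2.12 no nfs_use_reserved_ports" level=1
+no nonlocsrcroute 0 rule="4.2.13 no nonlocsrcroute" level=1
+no sockthresh 60 rule="4.2.14 no sockthresh" level=1
+no tcp_pmtu_discover 0 rule="4.2.15 no tcp_pmtu_discover" level=1
+no tcp_tcpsecure 7 rule="4.2.16 no tcp_tcpsecure" level=1
+no udp_pmtu_discover 0 rule="4.2.17 no udp_pmtu_discover" level=1
+no ip6forwarding 0 rule="4.2.18 no ip6forwarding" level=1
+EOF
+
+cat $list_files | while read cmd param val rule level
+do
+val_cur=$($cmd -o $param | awk '{print $3}')
+if [ "$val" -ne "$val_cur" ]
+then
+printf "\E[31;1m""$cmd -p -o $param=$val"" $1\E[0m\n"
+echo "# $rule $level NOK"
+else
+printf "\E[32;1m""# parameter $cmd $param OK"" $1\E[0m\n"
+echo "# $rule $level OK"
+fi
+done
+
+
+
+cat << EOF > $list_files
+no ipsrcrouteforward 0
+no ipignoreredirects 1
+no clean_partial_conns 1
+no ipsrcroutesend 0
+no ipforwarding 0
+no ipsendredirects 0
+no ip6srcrouteforward 0
+no ip6forwarding 0
+no directed_broadcast 0
+no tcp_pmtu_discover 0
+no bcastping 0
+no icmpaddressmask 0
+no udp_pmtu_discover 0
+no ipsrcrouterecv 0
+no nonlocsrcroute 0
+no tcp_tcpsecure 7
+no sockthresh 60
+no rfc1323 1
+no tcp_sendspace 262144
+no tcp_recvspace 262144
+no udp_sendspace 65536
+no udp_recvspace 655360
+no tcp_mssdflt 1448
+EOF
+
+# For NFS with Linux, add the following settings
+#nfso portcheck 1
+#nfso nfs_use_reserved_ports 1
+
+cat $list_files | while read i j k
+do
+val_ref=$(echo $k)
+val_cur=$($i -o $j | awk '{print $3}')
+if [ "$val_cur" -ne "$val_ref" ]
+then
+printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n"
+else
+printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n"
+fi
+done
+
+echo "no sb_max 1048576" | while read i j k
+do
+val_ref=$(echo $k)
+val_cur=$($i -o $j | awk '{print $3}')
+if [ "$val_cur" -lt "$val_ref" ]
+then
+printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n"
+else
+printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n"
+fi
+done
+}
+
+check_audit ()
+{
+# Check Audit
+echo "#***********************"
+echo "#** Check audit **"
+echo "#***********************"
+
+df -g /audit | grep audit > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""mklv -tjfs2 -y auditlv rootvg 2G;crfs -vjfs2 -m /audit -d auditlv -Ayes;mount /audit"" $1\E[0m\n"
+printf "\E[31;1m""chown root.audit /audit;chmod 750 /audit"" $1\E[0m\n"
+else
+printf "\E[32;1m""# Filesystem /audit OK"" $1\E[0m\n"
+fi
+
+if [[ $(lssec -f /usr/lib/security/mkuser.default -s user -a auditclasses | awk '{print $2}' | awk -F'=' '{print $2}' | wc -c | awk '{print $1}') == "1" ]]
+then
+printf "\E[31;1m""chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip"" $1\E[0m\n"
+else
+printf "\E[32;1m""# User auditclasses OK"" $1\E[0m\n"
+fi
+
+grep 'audit' /etc/inittab > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m"'echo ":audit:2:boot:audit start > /dev/console 2>&1" >> /etc/inittab'" $1\E[0m\n"
+else
+printf "\E[32;1m""# Audit process started in inittab OK"" $1\E[0m\n"
+fi
+}
+
+check_syslog ()
+{
+# Check Syslog
+echo "#***********************"
+echo "#** Check syslog **"
+echo "#***********************"
+
+odmget -q subsysname="syslogd" SRCsubsys | grep cmdargs | cut -d'=' -f2- | grep '\-r' | grep '\-n' > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m"'chssys -s syslogd -a "-r -n"'" $1\E[0m\n"
+else
+printf "\E[32;1m""# Syslog started with option -r and -n OK"" $1\E[0m\n"
+fi
+}
+
+check_snmp ()
+{
+# Check SNMP config file
+echo "#***********************"
+echo "#** Check SNMP **"
+echo "#***********************"
+
+grep "^community[[:blank:]]*private" /etc/snmpd.conf > /dev/null 2>&1
+if [ $? -eq 0 ]
+then
+printf "\E[31;1m""/opt/freeware/bin/sed -i '/private/ s/^/#/g' /etc/snmp.conf"" $1\E[0m\n"
+else
+printf "\E[32;1m""# /etc/snmp.conf OK"" $1\E[0m\n"
+fi
+}
+
+check_cron ()
+{
+# Check cron authorization
+echo "#***********************"
+echo "#** Check crontabs **"
+echo "#***********************"
+
+if [ ! -f /var/adm/cron/cron.allow ]
+then
+printf "\E[31;1m"'ls /var/spool/cron/crontabs | egrep -v "esaadmin|sys|uucp" > /var/adm/cron/cron.allow'" $1\E[0m\n"
+else
+printf "\E[32;1m""# /var/adm/cron/cron.allow exists OK"" $1\E[0m\n"
+fi
+
+if [ ! -f /var/adm/cron/at.allow ]
+then
+printf "\E[31;1m"'ls /var/spool/cron/crontabs | egrep -v "esaadmin|sys|uucp" > /var/adm/cron/at.allow'" $1\E[0m\n"
+else
+printf "\E[32;1m""# /var/adm/cron/at.allow exists OK"" $1\E[0m\n"
+fi
+
+rule="1.3.3 check mksysb"
+level=none
+if [ $(grep mksysb /var/spool/cron/crontabs/root > /dev/null 2>&1; echo $?) -eq "0" ]
+then
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+printf "\E[31;1m""echo '30 8 * * 0 /root/scripts/mksysb.sh > /dev/null 2>&1' >> /var/spool/cron/crontabs/root"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+}
+
+check_sshd_config ()
+{
+# Check sshd_config file
+echo "#****************************"
+echo "#** Check sshd_config file **"
+echo "#****************************"
+
+SSHD_CONFIG=/etc/ssh/sshd_config
+
+rule="4.5.3.1 OpenSSH min version"
+level=1
+version=$(lslpp -Lc | grep openssh | grep server | cut -d':' -f3 | cut -d'.' -f1,2)
+if [ $(echo $version | cut -d'.' -f1) -lt "7" ]
+then
+printf "\E[31;1m""# Please upgrade OpenSSH to version higher or equal to 8.1"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+else
+if [ $(echo $version | cut -d'.' -f2) -lt "1" ]
+then
+printf "\E[31;1m""# Please upgrade OpenSSH to version higher or equal to 8.1"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+else
+printf "\E[32;1m""# Openssh version OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+fi
+fi
+
+rule="4.5.3.2 OpenSSH host.equiv"
+level=1
+if [[ $(ls /etc/shosts.equiv /etc/rhosts.equiv 2>/dev/null | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[32;1m""# No /etc/*host.equiv file OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+printf "\E[31;1m""rm $(ls /etc/shosts.equiv /etc/rhosts.equiv 2>/dev/null)"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+rule="4.5.3.3 OpenSSH .shosts"
+level=1
+if [[ $(ls `cat /etc/passwd | cut -d':' -f6 | sort -u | sed 's/$/\/.shosts/' | tr -s '/' | tr '\n' ' ' ; echo` 2>/dev/null | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[32;1m""# No "'$HOME/shosts'" file OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+printf "\E[31;1m""rm $(ls `cat /etc/passwd | cut -d':' -f6 | sort -u | sed 's/$/\/.shosts/' | tr -s '/' | tr '\n' ' ' ; echo` 2>/dev/null)"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+banner="Unauthorized use of this system is prohibited."
+rule="4.5.3.6 OpenSSH banner"
+level=1
+if [[ $(grep "^Banner[[:blank:]]" $SSHD_CONFIG | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[31;1m""echo "'"'"$(echo $banner)"'"'' > /etc/ssh/ssh_banner'" $1\E[0m\n"
+printf "\E[31;1m""$LINUX_SED -i "'"''/^#Banner/a Banner /etc/ssh/ssh_banner''"'" $SSHD_CONFIG"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+else
+printf "\E[32;1m""# Openssh banner OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+fi
+
+cat << EOF > $list_files
+HostbasedAuthentication no rule="4.5.3.7 OpenSSH HostbasedAuthentication" level=1
+IgnoreRhosts yes rule="4.5.3.8 OpenSSH IgnoreRhosts" level=1
+PermitEmptyPasswords no rule="4.5.3.9 OpenSSH PermitEmptyPasswords" level=1
+LogLevel INFO rule="4.5.3.10 OpenSSH LogLevel" level=1
+MaxAuthTries 4 rule="4.5.3.12 OpenSSH MaxAuthTries" level=1
+PermitUserEnvironment no rule="4.5.3.13 OpenSSH PermitUserEnvironment" level=1
+EOF
+
+cat $list_files | while read param val rule level
+do
+grep "^$param:" $SSHD_CONFIG | tr -s ' ' | sed 's/\ /:/g' |sed 's/$/:/' | grep -q "$param:$val:" > /dev/null 2>&1
+if [ $? -eq 0 ]
+then
+printf "\E[32;1m""# Openssh $param OK"" $1\E[0m\n"
+echo "# $rule $level OK"
+else
+printf "\E[31;1m""$LINUX_SED -i "'"''/^#'$param'/s/.*/'$param'\ '$val'/''"'" $SSHD_CONFIG"" $1\E[0m\n"
+echo "# $rule $level NOK"
+fi
+done
+
+cat << EOF > $list_files
+RekeyLimit 1G 3600 rule="4.5.3.18 OpenSSH ReKeyLimit" level=1
+EOF
+
+cat $list_files | while read param val1 val2 rule level
+do
+grep "^$param:" $SSHD_CONFIG | tr -s ' ' | sed 's/\ /:/g' |sed 's/$/:/' | grep -q "$param:$val1:$val2:" > /dev/null 2>&1
+if [ $? -eq 0 ]
+then
+printf "\E[32;1m""# Openssh $param OK"" $1\E[0m\n"
+echo "# $rule $level OK"
+else
+printf "\E[31;1m""$LINUX_SED -i "'"''/^#'$param'/s/.*/'$param'\ '$val1\ $val2'/''"'" $SSHD_CONFIG"" $1\E[0m\n"
+echo "# $rule $level NOK"
+fi
+done
+
+
+
+
+weak_algo="diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1" # in egrep format
+rule="4.5.3.15 OpenSSH KexAlgorithms"
+level=1
+if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep kexalgorithms | tr ',' '\n' | sed 's/kexalgorithms\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[32;1m""# Openssh KexAlgorithms OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep kexalgorithms | tr ',' '\n' | sed 's/kexalgorithms\ //' | egrep "$weak_algo")"
+printf "\E[31;1m""# Openssh unsecure algorithms NOK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+weak_algo="3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se" # in egrep format
+rule="4.5.3.16 OpenSSH Ciphers"
+level=1
+if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ciphers | tr ',' '\n' | sed 's/ciphers\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[32;1m""# Openssh Ciphers OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ciphers | tr ',' '\n' | sed 's/ciphers\ //' | egrep "$weak_algo")"
+printf "\E[31;1m""# Openssh unsecure ciphers NOK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+weak_algo="hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+rule="4.5.3.17 OpenSSH MACs"
+level=1
+if [[ $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep macs | tr ',' '\n' | sed 's/macs\ //' | egrep "$weak_algo" | wc -l | awk '{print $1}') -eq "0" ]]
+then
+printf "\E[32;1m""# Openssh MACs OK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level OK"
+else
+echo "# Weak algorithms: $(/usr/sbin/sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep macs | tr ',' '\n' | sed 's/macs\ //' | egrep "$weak_algo")"
+printf "\E[31;1m""# Openssh unsecure macs NOK"" $1\E[0m\n"
+echo "# rule="'"'$rule'"'" level=$level NOK"
+fi
+
+
+
+
+
+grep '^Port' $SSHD_CONFIG > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#Port\ 22/Port\ 22/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# Port OK"" $1\E[0m\n"
+fi
+
+grep '^ListenAddress ' $SSHD_CONFIG | grep -v '::' > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#ListenAddress\ 0.0.0.0/ListenAddress\ 0.0.0.0/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# ListenAddress IPV4 OK"" $1\E[0m\n"
+fi
+
+grep '^ListenAddress ' $SSHD_CONFIG | grep '::' > /dev/null 2>&1
+if [ $? -eq 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^ListenAddress\ ::/#ListenAddress\ ::/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# ListenAddress IPV6 OK"" $1\E[0m\n"
+fi
+
+grep '^Protocol 2' $SSHD_CONFIG > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#Protocol\ 2/Protocol\ 2/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# Protocol ssh version 2 only OK"" $1\E[0m\n"
+fi
+
+# Ciphers be careful could prevent from login
+#grep '^Ciphers' $SSHD_CONFIG > /dev/null 2>&1
+#if [ $? -ne 0 ]
+#then
+# printf "\E[31;1m"$LINUX_SED" -i '"'/^Protocol/a \\
+#\\
+## SSH protocol v2 specific options \\
+#Ciphers aes256-ctr,aes192-ctr,aes128-ctr'"' "$SSHD_CONFIG" $1\E[0m\n"
+#else
+# printf "\E[32;1m""# Ciphers OK"" $1\E[0m\n"
+#fi
+
+grep '^SyslogFacility AUTH' $SSHD_CONFIG > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#SyslogFacility\ AUTH/SyslogFacility\ AUTH/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# SyslogFacility OK"" $1\E[0m\n"
+fi
+
+grep '^LogLevel INFO' $SSHD_CONFIG > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#LogLevel\ INFO/LogLevel\ INFO/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# LogLevel OK"" $1\E[0m\n"
+fi
+
+if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ]
+then
+printf "\E[31;1m""echo | ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key"" $1\E[0m\n"
+else
+printf "\E[32;1m""# ECDSA ssh key exists OK"" $1\E[0m\n"
+fi
+
+grep '^PidFile' $SSHD_CONFIG > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+printf "\E[31;1m""$LINUX_SED -i 's/^#PidFile\ \\\/var\\\/run\\\/sshd.pid/PidFile\ \\\/var\\\/run\\\/sshd.pid/' $SSHD_CONFIG"" $1\E[0m\n"
+else
+printf "\E[32;1m""# PidFile OK"" $1\E[0m\n"
+fi
+
+if [ ! -d "/var/run" ]
+then
+printf "\E[31;1m""mkdir -p /var/run"" $1\E[0m\n"
+else
+printf "\E[32;1m""# ssh PID directory exists OK"" $1\E[0m\n"
+fi
+}
+
+
+check_installed_packages ()
+{
+# Check installed packages
+echo "#******************************"
+echo "#** Check installed packages **"
+echo "#******************************"
+
+cat << EOF > $list_files
+cas.agent rule="None" level=none
+bos.net.nis.client rule="4.4.1.1 Deinstall NIS Client" level=2
+bos.net.nis.server rule="4.4.1.2 Deinstall NIS Server" level=2
+X11.Dt rule="4.5.1.1 Deinstall CDE" level=1
+EOF
+
+cat $list_files |while read package rule level
+do
+if [ $(lslpp -Lc | grep -q $package; echo $?) -eq "0" ]
+then
+printf "\E[31;1m""installp -u $package"" $1\E[0m\n"
+echo "# $rule $level NOK"
+else
+echo "# $rule $level OK"
+fi
+done
+}
+
+
+###########
+###########
+main()
+{
+check_sys0
+check_user_policy
+network_option
+disable_login_system
+check_local_user_group
+check_profile
+check_inittab
+check_inetd
+check_rctcpip
+check_files_permission
+check_snmp
+check_audit
+check_syslog
+check_cron
+check_sshd_config
+check_installed_packages
+
+echo "### All output files are located into: $outputdir"
+}
+
+main | tee $logname 2>&1
+echo
+grep rule $logname | grep -v 'rule="None"' | sort # $LINUX_SORT -t. -k 1,1n -k 2,2n -k 3,3n
 </code>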
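Review bot: The sshd_config keyword checks in check_sshd_config (the `cat $list_files | while read param val rule level` loop and the RekeyLimit loop after it) always report NOK on a stock space-separated sshd_config: the first stage `grep "^$param:" $SSHD_CONFIG` requires a colon directly after the keyword, but the colon substitution only happens later in the pipeline, so nothing matches, the final `grep -q` exits non-zero, and every rule is flagged with a sed remediation regardless of the real setting. Match the keyword followed by whitespace and normalise tabs before substituting, e.g. `grep -i "^$param[[:blank:]]" $SSHD_CONFIG | tr -s "\011 " " " | sed 's/ /:/g; s/$/:/' | grep -qi "^$param:$val:"`, and the same for `$val1:$val2:`. Since sshd keywords are case-insensitive and an absent keyword falls back to the daemon default, reading the effective value from `sshd -T` (as the KexAlgorithms, Ciphers and MACs checks already do) would avoid both false NOKs and false OKs. Separately, check_snmp greps /etc/snmpd.conf but its printed remediation and OK message name /etc/snmp.conf, and the OpenSSH version check accepts any 7.1+ release (and rejects 8.0) while its message demands 8.1 or later; comparing the major field against 8 before looking at the minor field would match the stated requirement.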