Differences

This shows you the differences between two versions of the page.

--- aix:scripts_check_cis [2024/06/07 18:40]
manu
+++ aix:scripts_check_cis [2024/09/06 23:17] (current)
manu
@@ Line 1: / Line 1: @@
 ====== AIX script CIS Benchmark ======
+Alternative is to use a client PowerSC (apply the right security level)
+<cli>
+% pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
+% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml 	CIS Security Benchmark for AIX 7.2
+% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml 	CIS Security Benchmark for AIX 7.2
+% pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml	General Data Protection Regulation (GDPR)
+</cli>
 This script 'll only list if compliant or not
+<cli prompt='#'>
+root@aix /root# cat scripts/cis.sh
+</cli>
+<code>
+#!/usr/bin/ksh93
+#@(#) Check security
+# This script doesn't modify something to your system, just list what is right and wrong
+# Print in red all commands to modify your settings
+# Print in green all parameters that need no change, following by Pass
+# Version 1.0  06-2023 EIF (compliance CIS for AIX)
+# Version 1.1  08-2024 EIF (compliance CIS for AIX)
+dir=`dirname $0`
+if [ -f $dir/.env ]
+then
+  . $dir/.env
+else
+  path_script=$dir
+  export sn=`basename $0 | cut -d. -f1`
+  export logpath=/tmp
+  export logname=$logpath/$sn.log
+fi
+DATE=$(date "+%Y%m%d%H%M%S")
+LINUX_SED=/opt/freeware/bin/sed
+LINUX_STAT=/opt/freeware/bin/stat
+LINUX_SORT=/opt/freeware/bin/sort
+MONTH=$(date '+%m')
+DAY=$(date '+%d')
+HEADER="$(date '+%H:%M:%S');$(hostname -s);NA;NA;1.0.0;#scap_org.cisecurity_comp_1.0.0_CIS_IBM_AIX_7_2_Benchmark-xccdf;CIS AIX;NA;Level 1 - Server;Level_1_-_Server;rule"
+FOOTER=";"
+cisoutput=$(echo "$logpath/$(hostname -s)-CIS_AIX_7_Benchmark-$(date '+%Y%m%dT%H%M%SZ').csv")
+list_files=$logpath/list_files.txt
+outputcis=$logpath/CIS_AIX7.2_v1.0.0
+output=$logname
+prefix=sec_files_out_
+outputdir=$logpath/${prefix}${DATE}
+mkdir $outputdir
+tempo=$logpath/tmp_cis
+# Result
+RESP_OK='Pass'
+RESP_NOK='Fail'
+RESP_MANUAL='Manual'
+RESP_UNKN='Unknown'
+# Cleanup
+find $logpath -type d -name "${prefix}*" -ctime +5 -exec rm -r {} \; 2>/dev/null
+#-----------------------------------------
+print_output()
+{
+# args
+header=$1
+ruleno=$2
+descr=$(echo "$3")
+result=$4
+echo "$ruleno;$descr;$result" | sed 's/\|/\ /g'
+}
+#-----------------------------------------
+check_section_2_1()
+{
+# args
+head=h1
+rule="2.1"
+desc="Collect system configuration regularly"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+file1=/var/log/syslog/inventory.log
+val=0
+val1=$(ls $file1 > /dev/null 2>&1; echo $?)
+(( val = val + val1 ))
+if [ "$val" != "0" ]
+then
+  res=$RESP_NOK
+  val1=$(cat /etc/syslog.conf | grep "local1.info" | grep -q "$file1"; echo $?)
+  (( val = val + val1 ))
+  if [ "$val" != "0" ]
+  then
+    res=$RESP_NOK
+    val1=$(cat /etc/syslog.conf | sed '/^$/d' | grep -v '^#' | grep "^local1.info" | awk '{print $2}' | grep -q "\@"; echo $?)
+    (( val = val + val1 ))
+    if [ "$val" != "0" ]
+    then
+      res=$RESP_NOK
+      val1=$(crontab -l | grep -v '^#' | grep "lsconf" | grep -q "logger"; echo $?)
+      (( val = val + val1 ))
+      if [ "$val" != "0" ]
+      then
+        res=$RESP_NOK
+      else
+        res=$RESP_OK
+      fi
+    fi
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_2_7()
+{
+# args
+head=h1
+rule="2.7"
+desc="Remove Unused Symbolic Links"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -ls 2>/dev/null | cut -d'/' -f2- | sed 's/^/\//' | sed 's/\->/;/' | sed 's/\ ;/;/' | sed 's/;\ /;/' > $tempo.1
+cat /dev/null > $tempo
+for line in $(cat $tempo.1 | sed 's/\ /|/g')
+do
+  word1=$(echo $line | cut -d';' -f1 | sed 's/\|/\ /g')
+  word2=$(echo $line | cut -d';' -f2 | sed 's/\|/\ /g')
+  val=$(echo $word2 | grep -c '^/')
+  if [[ "$val" -eq "1" ]]
+  then
+    if [ ! -e $word2 ]
+    then
+      echo $word1 >> $tempo
+    fi
+  else
+    dir1=$(echo $word1 | rev | cut -d'/' -f2- | rev)
+    word3=$(echo "$dir1/$word2")
+    if [ ! -e $word3 ]
+    then
+      echo $word1 >> $tempo
+    fi
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+cp $tempo /tmp/link.txt
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_3()
+{
+# args
+head=h1
+rule="3.3"
+desc="Ensure default user umask is 027 or more restrictive"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a umask | grep -q 'umask=27';echo $?)
+if [ "$val" != "0" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_4()
+{
+# args
+head=h1
+rule="3.4"
+desc="Remove group write permission from default groups - exceptions must be in TSD and audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls | wc -l | awk '{print $1}')
+if [[ "$val" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+  echo "$rule;$desc1;val=$val" >> $logname
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_5()
+{
+# args
+head=h1
+rule="3.5"
+desc="Application Data with requirement for world writable directories"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls | wc -l | awk '{print $1}')
+if [[ "$val" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+  echo "$rule;$desc1;val=$val" >> $logname
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_6()
+{
+# args
+head=h1
+rule="3.6"
+desc="Ensure there are no world writable files - exceptions must be in TSD and audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w | wc -l | awk '{print $1}')
+if [[ "$val" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+  echo "$rule;$desc1;val=$val" >> $logname
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_7()
+{
+# args
+head=h1
+rule="3.7"
+desc="Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}')
+if [[ "$val" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+  echo "$rule;$desc1;val=$val" >> $logname
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_3_8()
+{
+# args
+head=h1
+rule="3.8"
+desc="Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}')
+if [[ "$val" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+  echo "$rule;$desc1;val=$val" >> $logname
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_1_3_1()
+{
+# args
+head=h1
+rule="4.1.3.1"
+desc="autoconf6"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "autoconf6";echo $?)
+if [ "$val" -eq "0" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_1_3_2()
+{
+# args
+head=h1
+rule="4.1.3.2"
+desc="ndpd-host"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "ndpd-host";echo $?)
+if [ "$val" -eq "0" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_1_3_3()
+{
+# args
+head=h1
+rule="4.1.3.3"
+desc="ndpd-router"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "ndpd-router";echo $?)
+if [ "$val" -eq "0" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_2_18()
+{
+# args
+head=h1
+rule="4.2.18"
+desc="ip6forwarding"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(no -o ip6forwarding | sed 's/\ //g' | grep -q 'ip6forwarding=0'; echo $?)
+if [ "$val" -eq "0" ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_3_1()
+{
+# args
+head=h1
+rule="4.3.1"
+desc="Ensure that IP Security is available"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lsdev -Cc ipsec 2>/dev/null | grep Available | wc -l | awk '{print  $1}')
+if [ "$val" == "2" ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_3_2()
+{
+# args
+head=h1
+rule="4.3.2"
+desc="Ensure loopback traffic is blocked on external interfaces"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val1=$(lsfilt -v 4 -O 2>/dev/null | grep 127.0.0.0 | wc -l | awk '{print  $1}')
+val2=$(lsfilt -v 6 -O 2>/dev/null | grep ::1 | wc -l | awk '{print  $1}')
+(( val = val1 + val2 ))
+if [ "$val" == "2" ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_3_3()
+{
+# args
+head=h1
+rule="4.3.3"
+desc="Ensure that IPsec filters are active"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val1=$(lsfilt -v4 -O -a 2>/dev/null | grep -q inactive | awk '{print  $1}')
+val2=$(lsfilt -v6 -O -a 2>/dev/null | grep -q inactive | awk '{print  $1}')
+(( val = val1 + val2 ))
+if [ "$val" == "0" ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_1_7()
+{
+# args
+head=h1
+rule="4.5.1.7"
+desc="CDE - screensaver lock"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /etc/dt/config/*/sys.resources ]
+then
+  val=$(egrep "dtsession\*saverTimeout:|dtsession\*lockTimeout:" /etc/dt/config/*/sys.resources | rev | cut -d' ' -f1 | rev | awk '{print  $1}' | sort -u)
+  if [ "$val" == "10" ]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_2_1()
+{
+# args
+head=h1
+rule="4.5.2.1"
+desc="FTPD: Disable root access to ftpd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep -q "root" /etc/ftpusers 2>/dev/null; echo $?)
+if [ "$val" -ne "0" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_2_2()
+{
+# args
+head=h1
+rule="4.5.2.2"
+desc="FTPD: Display acceptable usage policy during login"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+# If ftp is disable, doesn't check
+val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
+if [[ $val -gt 0 ]]
+then
+  val=$(lslpp -Lc | grep "bos.msg.en_US.net.tcp.client" | wc -l | awk '{print  $1}')
+  if [ "$val" == "0" ]
+  then
+    res=$RESP_NOK
+  else
+    if [ `lslpp -L "bos.msg.en_US.net.tcp.client" >/dev/null && print $(dspcat /usr/lib/nls/msg/en_US/ftpd.cat 1 9) | grep -q "Authorized"; echo $?` -ne "0" ]
+    then
+      res=$RESP_NOK
+    else
+      res=$RESP_OK
+    fi
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_2_3()
+{
+# args
+head=h1
+rule="4.5.2.3"
+desc="FTPD: Prevent world access and group write to files"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+# If ftp is disable, doesn't check
+val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
+if [[ $val -gt 0 ]]
+then
+  val=$(grep "^ftp[[:blank:]]" /etc/inetd.conf |awk '{print $6, $7, $8, $9, $10}' | grep -c "027")
+  if [ "$val" == "1" ]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_1()
+{
+# args
+head=h1
+rule="4.5.3.1"
+desc="OpenSSH: Minimum version is 8.1"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val1=$(sshd -i </dev/null | cut -d'_' -f 2)
+val=$(echo "$val1 8.1" | awk '{print ($1 >= $2)}')
+if [[ "$val" -eq "1" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_4()
+{
+# args
+head=h1
+rule="4.5.3.4"
+desc="sshd_config: Restrict users and groups allowed access via OpenSSH"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(/usr/bin/egrep -c "^(AllowUsers|AllowGroups|DenyUsers|DenyGroups)[[:blank:]]" /etc/ssh/sshd_config)
+if [[ "$val" -gt "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_5()
+{
+# args
+head=h1
+rule="4.5.3.5"
+desc="sshd_config: PermitRootLogin is 'prohibit-password' or 'no'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(/usr/bin/egrep "^PermitRootLogin" /etc/ssh/sshd_config | cut -d' ' -f2- | egrep -c "prohibit-password|no|forced-commands-only")
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_6()
+{
+# args
+head=h1
+rule="4.5.3.6"
+desc="sshd_config: Banner exists and message contains 'Only authorized users allowed'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^Banner[[:blank:]]" /etc/ssh/sshd_config | grep -c '/etc/ssh/ssh_banner')
+if [ "$val" == "1" ]
+then
+  val=$(grep -c 'Unauthorized' /etc/ssh/ssh_banner)
+  if [ "$val" == "1" ]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_7()
+{
+# args
+head=h1
+rule="4.5.3.7"
+desc="sshd_config: HostbasedAuthentication is 'no'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^HostbasedAuthentication[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
+if [[ "$val" == "no" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_8()
+{
+# args
+head=h1
+rule="4.5.3.8"
+desc="sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^IgnoreRhosts[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
+if [[ "$val" == "yes" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_9()
+{
+# args
+head=h1
+rule="4.5.3.9"
+desc="sshd_config: PermitEmptyPasswords is 'no'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^PermitEmptyPasswords[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
+if [[ "$val" == "no" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_10()
+{
+# args
+head=h1
+rule="4.5.3.10"
+desc="sshd_config: LogLevel is 'INFO' or 'VERBOSE'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^LogLevel[[:blank:]]" /etc/ssh/sshd_config | egrep -c "INFO|VERBOSE")
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_11()
+{
+# args
+head=h1
+rule="4.5.3.11"
+desc="sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cat /etc/ssh/sshd_config | tr '\t' ' ' | tr -s ' ' | grep "^Subsystem[[:blank:]]sftp" | grep sftp-server | grep -c "027")
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_12()
+{
+# args
+head=h1
+rule="4.5.3.12"
+desc="sshd_config: MaxAuthTries is '4'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(sshd -T | grep maxauthtries | rev | awk '{print $1}' | rev)
+if [ "$val" -gt "4" ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_13()
+{
+# args
+head=h1
+rule="4.5.3.13"
+desc="sshd_config: PermitUserEnvironment is 'no'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^PermitUserEnvironment[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
+if [[ "$val" == "no" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_14()
+{
+# args
+head=h1
+rule="4.5.3.14"
+desc="sshd_config: Use Conditional exception(s)."
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(/usr/bin/egrep -cp "^Match " /etc/ssh/sshd_config)
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_15()
+{
+# args
+head=h1
+rule="4.5.3.15"
+desc="sshd_config, ssh_config: KexAlgorithms"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep '^kexalgorithms' | tr ',' '\n' | egrep -c "diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1")
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_16()
+{
+# args
+head=h1
+rule="4.5.3.16"
+desc="sshd_config, ssh_config: Ciphers"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+cat > $tempo << EOF
+aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+EOF
+cat $tempo | tr ',' '\n' | sort -u > $tempo.1
+sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep ciphers | cut -d' ' -f2- | tr ',' '\n' | sort -u > $tempo
+val=$(sdiff -sw 80 $tempo $tempo.1 | wc -l | awk '{print $1}')
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_17()
+{
+# args
+head=h1
+rule="4.5.3.17"
+desc="sshd_config, ssh_config: MACs - Message Authtification Codes"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+# List of Weak algorithms
+cat > $tempo << EOF
+hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,umac-128@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+EOF
+cat $tempo | tr ',' '\n' | sort -u > $tempo.1
+sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep macs | cut -d' ' -f2- | tr ',' '
+\n' | sort -u | sed 's/$/;/g' > $tempo
+val=0
+for mac in $(cat $tempo.1)
+do
+  val1=$(grep -c "^${mac};" $tempo)
+  (( val = val + val1 ))
+done
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_5_3_18()
+{
+# args
+head=h1
+rule="4.5.3.18"
+desc="sshd_config, ssh_config: ReKeyLimit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep rekeylimit | cut -d' ' -f2- | tr -s ' ' | tr ' ' '\n' | sort -u | tail -1)
+if [[ "$val" != "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_6_5()
+{
+# args
+head=h1
+rule="4.6.5"
+desc="Unattended terminal session timeout is 900 seconds (or less)"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(echo `egrep -c "TMOUT|TIMEOUT" /etc/profile` `readonly | /usr/bin/egrep -c -e "TMOUT|TIMEOUT"` | tr ' ' '\n' | sed '/^$/d' | sort | tail -1)
+if [[ "$val" -gt "2" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_1()
+{
+# args
+head=h1
+rule="4.7.1.1"
+desc="Home directory must exist"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=0
+for home in $(lsuser -R files -a home ALL | awk '{print $2}' | sed 's/home=//' | sort -u)
+do
+  val1=$(ls -d $home > /dev/null 2>&1; echo $?)
+  (( val = val + val1 ))
+done
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_2()
+{
+# args
+head=h1
+rule="4.7.1.2"
+desc="Home directory must be owned by account, or special account"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
+do
+  uid=$(echo ${ids} | cut -f2 -d =)
+  home=$(echo ${homes} | cut -f2 -d =)
+  locked=$(echo ${locks} | cut -f2 -d =)
+  if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
+  continue
+  elif [[ ! -d ${home} ]]; then
+  /usr/bin/printf "%-32s does not exist; Recommend Lock Account [%s]\n" ${home} ${name}
+  continue
+  else
+  /usr/bin/perl -e '$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
+  if ($huid != $uid && $huid != 0) {
+  exit(1); # triggers command after OR (||)
+  }' ${name} ${home} ${uid} || \
+  /usr/bin/printf "Recommend Lock Account: %s does not own %s\n" ${name} ${home}
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_3()
+{
+# args
+head=h1
+rule="4.7.1.3"
+desc="Home directory: write access restricted to 'owner'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a id home ALL | while read name ids homes rest
+do
+  uid_check=$(echo ${ids} | cut -f2 -d =)
+  if [[ ${uid_check} -ge 200 ]]
+  then
+    home=$(echo ${homes} | cut -f2 -d =)
+    if [[ ${home} == "/dev/null" ]]
+    then
+      continue
+        else
+          if [[ ! -d ${home} ]]
+          then
+        /usr/bin/printf "%-32s does not exist; recommend to lock account named [%s]\n" ${home} ${name}
+      else
+            if [[ ${home} != "/" && ${home} != "/dev/null" ]]
+        then
+              /usr/bin/perl -e '$f=$ARGV[0]; $m=(stat $f)[2]; \
+ printf("Recommend chmod on: %s: to remove group or world write mode\n", $f) if $m & 022; \
+ printf("Recommend remove ACL on: %s\n ", $f) if $m & 0200000000; \
+ exit($m & 0200000022)' ${home} || (ls -led ${home} && (aclget ${home} | grep -ip Enabled))
+        fi
+      fi
+    fi
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_4()
+{
+# args
+head=h1
+rule="4.7.1.4"
+desc="AUDIT subsystem: /audit and /etc/security/audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /audit ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /audit)
+  if [[ "$val" == "root:audit:2750:/audit:" ]]
+  then
+    val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
+    if [[ "$val" == "root:audit:2750:/etc/security/audit:" ]]
+    then
+      res=$RESP_OK
+    else
+      res=$RESP_NOK
+    fi
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_5()
+{
+# args
+head=h1
+rule="4.7.1.5"
+desc="SECURITY Subsystems: /etc/security"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+EXCLUDE="security/(aixpert|audit|ice)"
+find /etc/security -type d | \
+/usr/bin/egrep -v ${EXCLUDE} | \
+/usr/bin/sort | xargs ls -led | \
+/usr/bin/awk '{print $1 " " $3 " " $4 " " $9}' | \
+/usr/bin/grep -v drwxr-s---- > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_6()
+{
+# args
+head=h1
+rule="4.7.1.6"
+desc="/var/adm/ras"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%F:%a:%n:" /var/adm/ras/* | grep -v '^directory:' | cut -d':' -f2- | cut -c3- | grep -c -v '^0:')
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_7()
+{
+# args
+head=h1
+rule="4.7.1.7"
+desc="/var/adm/sa"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/sa)
+if [[ "$val" == "adm:adm:755:/var/adm/sa:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_8()
+{
+# args
+head=h1
+rule="4.7.1.8"
+desc="/var/spool/cron/crontabs"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/spool/cron/crontabs)
+if [[ "$val" == "root:cron:770:/var/spool/cron/crontabs:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_9()
+{
+# args
+head=h1
+rule="4.7.1.9"
+desc="Ensure all directories in root PATH deny write access to all"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+echo "/:${PATH}" | tr ':' '\n' | grep "^/" | sort -u | while read DIR
+do
+  DIR=${DIR:-$(pwd)}
+  while [[ -d ${DIR} ]]
+  do
+    [[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] && print " WARNING ${DIR} is world writable"
+    [[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] && print " WARNING ${DIR} is group writable"
+    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
+    DIR=${DIR%/*}
+  done
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_10()
+{
+# args
+head=h1
+rule="4.7.1.10"
+desc="Ensure root user has a dedicated home directory"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lsuser -a home root | awk '{print $2}')
+if [[ "$val" == "home=/root" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_11()
+{
+# args
+head=h1
+rule="4.7.1.11"
+desc="/etc/security/audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
+if [[ "$val" == "root:audit:750:/etc/security/audit:" || "$val" == "root:audit:2750:/etc/security/audit:" ]]
+then
+  val=$($LINUX_STAT -c "%a:%n:" /etc/security/audit/* | grep -c -v '^640:')
+  if [[ "$val" -eq "0" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_2()
+{
+# args
+head=h1
+rule="4.7.2.2"
+desc="Verify Trust of suid, sgid, acl, and trusted-bit files and programs"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_3()
+{
+# args
+head=h1
+rule="4.7.2.3"
+desc="crontab entries - owned by userid"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+crontab -l |egrep -v '^#' |awk '{print $6}' |grep "^/" |sort -u | while read DIR
+do
+  DIR=${DIR:-$(pwd)}
+  while [[ -a ${DIR} ]]
+  do
+    [[ "$(ls -ld ${DIR})" = @(????????w? *) ]] && print " WARNING ${DIR} is world writable"
+    [[ "$(ls -ld ${DIR})" = @(?????w???? *) ]] && print " WARNING ${DIR} is group writable"
+    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
+    DIR=${DIR%/*}
+  done
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_4()
+{
+# args
+head=h1
+rule="4.7.2.4"
+desc="Home directory configuration files"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a home ALL | cut -f2 -d= | egrep -v "^/$|/etc|/bin|/var|/usr|/usr/sys" |while read homedir
+do
+  if [[ -d ${homedir} ]]
+  then
+    #echo "Listing all user confguration files in '${homedir}'"
+    ls -a ${homedir} | egrep "^\.[a-z]" | while read file
+    do
+      if [[ -f "${homedir}/${file}" ]]
+      then
+        val=$(ls -l "${homedir}/${file}" | cut -c5- | awk '{print $1}' | grep -c w)
+        if [[ "$val" -ne "0" ]]
+        then
+          echo "${homedir}/${file} write permissions g or o"
+        fi
+      fi
+    done
+  else
+    echo "ERROR - no home directory for '${homedir}'"
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_5()
+{
+# args
+head=h1
+rule="4.7.2.5"
+desc="/smit.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+file1=$(lsuser -a home root | awk '{print $2}' | sed 's/home=//' | sed 's/$/\/smit.log/')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" $file1)
+if [[ "$val" == "root:system:640:$file1:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_6()
+{
+# args
+head=h1
+rule="4.7.2.6"
+desc="/etc/group"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/group)
+if [[ "$val" == "root:security:644:/etc/group:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_7()
+{
+# args
+head=h1
+rule="4.7.2.7"
+desc="/etc/inetd.conf"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/inetd.conf)
+if [[ "$val" == "root:system:644:/etc/inetd.conf:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_8()
+{
+# args
+head=h1
+rule="4.7.2.8"
+desc="/etc/motd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd)
+if [[ "$val" == "bin:bin:644:/etc/motd:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_9()
+{
+# args
+head=h1
+rule="4.7.2.9"
+desc="/etc/passwd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/passwd)
+if [[ "$val" == "root:security:644:/etc/passwd:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_10()
+{
+# args
+head=h1
+rule="4.7.2.10"
+desc="/etc/ssh/ssh_config"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/ssh_config)
+if [[ "$val" == "root:system:644:/etc/ssh/ssh_config:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_11()
+{
+# args
+head=h1
+rule="4.7.2.11"
+desc="/etc/ssh/sshd_config"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/sshd_config)
+if [[ "$val" == "root:system:644:/etc/ssh/sshd_config:" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_12()
+{
+# args
+head=h1
+rule="4.7.2.12"
+desc="/var/adm/cron/at.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /var/adm/cron/at.allow ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/at.allow)
+  if [[ "$val" == "root:sys:400:/var/adm/cron/at.allow:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_13()
+{
+# args
+head=h1
+rule="4.7.2.13"
+desc="/var/adm/cron/cron.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /var/adm/cron/cron.allow ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/cron.allow)
+  if [[ "$val" == "root:sys:400:/var/adm/cron/cron.allow:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_14()
+{
+# args
+head=h1
+rule="4.7.2.14"
+desc="/var/ct/RMstart.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/ct/RMstart.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/ct/RMstart.log)
+  if [[ "$val" == "root:system:640:/var/ct/RMstart.log:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_15()
+{
+# args
+head=h1
+rule="4.7.2.15"
+desc="/var/adm/cron/log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/adm/cron/log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/log)
+  if [[ "$val" == "bin:cron:660:/var/adm/cron/log:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_16()
+{
+# args
+head=h1
+rule="4.7.2.16"
+desc="/var/tmp/dpid2.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/dpid2.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/dpid2.log)
+  if [[ "$val" == "root:system:640:/var/tmp/dpid2.log:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_17()
+{
+# args
+head=h1
+rule="4.7.2.17"
+desc="/var/tmp/hostmibd.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/hostmibd.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/hostmibd.log)
+  if [[ "$val" == "root:system:640:/var/tmp/hostmibd.log:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_18()
+{
+# args
+head=h1
+rule="4.7.2.18"
+desc="/var/tmp/snmpd.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/snmpd.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/snmpd.log)
+  if [[ "$val" == "root:system:640:/var/tmp/snmpd.log:" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_9()
+{
+# args
+head=h1
+rule="4.9"
+desc="Ensure root access is controlled"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -a login rlogin su sugroups root | tr '=' ' ' | read user a1 login a2 rlogin a3 su a4 sugroups
+[[ ${su} != "false" && ${sugroups} == "ALL" ]] && echo "failed : ${a3}==${su}, ${a4}==${sugroups}" > $tempo
+[[ ${login} == "true" || ${rlogin} == "true" ]] && echo "failed : ${a1}==${login}, ${a2}==${rlogin}" >> $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_10()
+{
+# args
+head=h1
+rule="4.10"
+desc="Disable core dumps"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+rc1=$(lssec -f /etc/security/limits -s default -a core -a core_hard | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'default;core=0;core_hard=0;'; echo $?)
+rc2=$(lsattr -El sys0 -a fullcore | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'fullcore;false;Enable;full;CORE;dump;True;'; echo $?)
+(( rc = rc1 + rc2 ))
+if [[ "$rc" == "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_11()
+{
+# args
+head=h1
+rule="4.11"
+desc="Remove current working directory from default /etc/environment PATH"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_12()
+{
+# args
+head=h1
+rule="4.12"
+desc="Lock historical users"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
+for usr in $(echo $ACCOUNTS | sed 's/,/\ /g')
+do
+lsuser -a account_locked $usr 2>/dev/null
+done | grep -v 'account_locked=true' > $tempo
+if [ -s $tempo ]
+then
+  res=$RESP_NOK
+else
+  res=$RESP_OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_13()
+{
+# args
+head=h1
+rule="4.13"
+desc="Remove current working directory from root's PATH"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(su - root -c "echo ${PATH}" |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_14()
+{
+# args
+head=h1
+rule="4.14"
+desc="Configuration: /etc/motd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res="TODO"
+if [ -e /audit ]
+then
+  val=$(cat /etc/motd | grep -c 'PROPER AUTHORIZATION')
+  if [[ "$val" == "1" ]]
+  then
+    res=$RESP_OK
+  else
+    res=$RESP_NOK
+  fi
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_1()
+{
+# args
+head=h1
+rule="5.1.1.1"
+desc="histexpire"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a histexpire | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;histexpire=52;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_2()
+{
+# args
+head=h1
+rule="5.1.1.2"
+desc="histsize"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a histsize | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;histsize=0;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_3()
+{
+# args
+head=h1
+rule="5.1.1.3"
+desc="minage"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minage | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minage=1;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_2()
+{
+# args
+head=h1
+rule="5.1.2"
+desc="All accounts must have a hashed password"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+egrep -p "password = +$" /etc/security/passwd | grep ":" | awk -F: '{ print $1 } ' | while read user rest
+do
+  print "Locking account ${user} due to blank password"
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_3()
+{
+# args
+head=h1
+rule="5.1.3"
+desc="All usernames and UIDs must be unique"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cut -d: -f 3 /etc/passwd | sort -n | uniq -d;cut -d: -f 1 /etc/passwd | sort | uniq -d)
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_4()
+{
+# args
+head=h1
+rule="5.1.4"
+desc="All group names and GIDs must be unique"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cut -d: -f 3 /etc/group | sort -n | uniq -d;cut -d: -f 1 /etc/group | sort | uniq -d)
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_5()
+{
+# args
+head=h1
+rule="5.1.5"
+desc="Establish and Maintain an Inventory of Administrator accounts"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=""
+lsuser -R files -a admin ALL | grep 'admin=true' | sed 's/\ /;/g' | cut -d';' -f1 | sort > $tempo
+echo "adm,bin,daemon,invscout,ipsec,lp,lpd,nobody,nuucp,root,smmsp,snapp,sshd,sys,uucp" | tr ',' '\n'  | sort > $tempo.1
+val=$(sdiff -s $tempo $tempo.1 | grep '<' | awk '{print $1}' | tr '\n' ',' | sed 's/,//g')
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_MANUAL
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_6()
+{
+# args
+head=h1
+rule="5.1.6"
+desc="Establish and Maintain an Inventory of User Accounts"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lsuser -R files -a admin ALL | grep 'admin=false' | awk '{print $1}' | sort | tr '\n' ',' | sed 's/,$//')
+res=$RESP_MANUAL
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_1()
+{
+# args
+head=h1
+rule="5.2.1"
+desc="Ensure new passwords are controlled by password attributes (disable NOCHECK)"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep NOCHECK /etc/security/passwd)
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_2()
+{
+# args
+head=h1
+rule="5.2.2"
+desc="pwd_algorithm"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "usw;pwd_algorithm=ssha512;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_3()
+{
+# args
+head=h1
+rule="5.2.3"
+desc="Ensure passwords are not hashed using 'crypt'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+grep 'password[[:blank:]]= .............$' /etc/security/passwd | while read pass equals cryptedhash
+do
+  user=$(grep -p $cryptedhash /etc/security/passwd | egrep '[a-zA-z0-9]+:$' | sed -e s/:$//)
+  print ${user}: needs to update passwd
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_4()
+{
+# args
+head=h1
+rule="5.2.4"
+desc="Ensure password policy is enforced for all users"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep NOCHECK /etc/security/passwd)
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_5()
+{
+# args
+head=h1
+rule="5.2.5"
+desc="minlen"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minlen | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minlen=14;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_6()
+{
+# args
+head=h1
+rule="5.2.6"
+desc="mindiff"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a mindiff | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;mindiff=4;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_7()
+{
+# args
+head=h1
+rule="5.2.7"
+desc="minalpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minalpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minalpha=3;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_8()
+{
+# args
+head=h1
+rule="5.2.8"
+desc="minother"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minother | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minother=3;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_9()
+{
+# args
+head=h1
+rule="5.2.9"
+desc="maxrepeats"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxrepeats | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxrepeats=4;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_10()
+{
+# args
+head=h1
+rule="5.2.10"
+desc="mindigit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a mindigit | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;mindigit=1;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_11()
+{
+# args
+head=h1
+rule="5.2.11"
+desc="minloweralpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minloweralpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minloweralpha=1;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_12()
+{
+# args
+head=h1
+rule="5.2.12"
+desc="minupperalpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minupperalpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minupperalpha=1;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_13()
+{
+# args
+head=h1
+rule="5.2.13"
+desc="minspecialchar"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minspecialchar | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minspecialchar=1;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_1()
+{
+# args
+head=h1
+rule="5.3.1"
+desc="adm"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=adm
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_2()
+{
+# args
+head=h1
+rule="5.3.2"
+desc="bin"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=bin
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_3()
+{
+# args
+head=h1
+rule="5.3.3"
+desc="daemon"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=daemon
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_4()
+{
+# args
+head=h1
+rule="5.3.4"
+desc="guest"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=guest
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_5()
+{
+# args
+head=h1
+rule="5.3.5"
+desc="lpd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=ldp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_6()
+{
+# args
+head=h1
+rule="5.3.6"
+desc="nobody"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=nobody
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_7()
+{
+# args
+head=h1
+rule="5.3.7"
+desc="nuucp"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=nuucp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_8()
+{
+# args
+head=h1
+rule="5.3.8"
+desc="sys"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=sys
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_9()
+{
+# args
+head=h1
+rule="5.3.9"
+desc="uucp"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=uucp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_10()
+{
+# args
+head=h1
+rule="5.3.10"
+desc="Ensure System Accounts cannot access system using ftp."
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssrc -ls inetd | grep -c ftpd)
+if [[ "$val" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  if [ -e /etc/ftpusers ]
+  then
+    rc=0
+    lsuser -R files -a id ALL | sed 's/id=//' | while read usr uid
+    do
+      if [[ "$uid" -lt "200" ]]
+      then
+        rc1=$(cat /etc/ftpusers | sed 's/$/;/' | grep -q "^${usr};"; echo $?)
+        (( rc = rc + rc1 ))
+      fi
+    done
+    if [[ "$rc" == "0" ]]
+    then
+      res=$RESP_OK
+    else
+      res=$RESP_NOK
+    fi
+  else
+    res=$RESP_NOK
+  fi
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_6()
+{
+# args
+head=h1
+rule="5.6"
+desc="maxage"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxage | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxage=13;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_7()
+{
+# args
+head=h1
+rule="5.7"
+desc="maxexpired"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxexpired | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxexpired=4;" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_3_1()
+{
+# args
+head=h1
+rule="6.3.1"
+desc="Privilege escalation: sudo"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+#min version: 1.9.5p2
+val=$(sudo --version | grep -vi sudoers  | grep version | rev | awk '{print $1}' | rev | sed 's/p/\./')
+val1=$(echo $val | cut -d'.' -f1)
+val2=$(echo $val | cut -d'.' -f2)
+val3=$(echo $val | cut -d'.' -f3)
+val4=$(echo $val | cut -d'.' -f4)
+if [[ "$val1" -lt "1" ]]
+then
+  rc=1
+else
+  if [[ "$val1" -gt "1" ]]
+  then
+    rc=0
+  else
+    if [[ "$val2" -lt "9" ]]
+    then
+      rc=1
+    else
+      if [[ "$val2" -gt "9" ]]
+      then
+        rc=0
+      else
+        if [[ "$val3" -lt "5" ]]
+        then
+          rc=1
+        else
+          if [[ "$val3" -ge "5" ]]
+          then
+            rc=0
+          else
+            rc=1
+          fi
+        fi
+      fi
+    fi
+  fi
+fi
+rc2=$(visudo -c > /dev/null 2>&1; echo $?)
+(( rc1 = rc + rc2 ))
+if [[ "$rc1" -eq "0" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_3_2()
+{
+# args
+head=h1
+rule="6.3.2"
+desc="Ensure sudo logging is active"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/*)
+if [[ "$val" == "" ]]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_4()
+{
+# args
+head=h1
+rule="6.4"
+desc="Adding authorized users in at.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -s /var/adm/cron/at.allow ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_6()
+{
+# args
+head=h1
+rule="6.6"
+desc="Adding authorised users in cron.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -s /var/adm/cron/cron.allow ]
+then
+  res=$RESP_OK
+else
+  res=$RESP_NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_7_1()
+{
+# args
+head=h1
+rule="7.1"
+desc="Use FLRT regularly"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res=$RESP_MANUAL
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+# MAIN
+#-----------------------------------------
+main ()
+{
+check_section_2_1
+check_section_2_7
+check_section_3_3
+check_section_3_4
+check_section_3_5
+check_section_3_6
+check_section_3_7
+check_section_3_8
+check_section_4_1_3_1
+check_section_4_1_3_2
+check_section_4_1_3_3
+check_section_4_2_18
+check_section_4_3_1
+check_section_4_3_2
+check_section_4_3_3
+check_section_4_5_1_7
+check_section_4_5_2_1
+check_section_4_5_2_2
+check_section_4_5_2_3
+check_section_4_5_3_1
+check_section_4_5_3_4
+check_section_4_5_3_5
+check_section_4_5_3_6
+check_section_4_5_3_7
+check_section_4_5_3_8
+check_section_4_5_3_9
+check_section_4_5_3_10
+check_section_4_5_3_11
+check_section_4_5_3_12
+check_section_4_5_3_13
+check_section_4_5_3_14
+check_section_4_5_3_15
+check_section_4_5_3_16
+check_section_4_5_3_17
+check_section_4_5_3_18
+check_section_4_6_5
+check_section_4_7_1_1
+check_section_4_7_1_2
+check_section_4_7_1_3
+check_section_4_7_1_4
+check_section_4_7_1_5
+check_section_4_7_1_6
+check_section_4_7_1_7
+check_section_4_7_1_8
+check_section_4_7_1_9
+check_section_4_7_1_10
+check_section_4_7_1_11
+check_section_4_7_2_2
+check_section_4_7_2_3
+check_section_4_7_2_4
+check_section_4_7_2_5
+check_section_4_7_2_6
+check_section_4_7_2_7
+check_section_4_7_2_8
+check_section_4_7_2_9
+check_section_4_7_2_10
+check_section_4_7_2_11
+#check_section_4_7_2_12
+check_section_4_7_2_13
+check_section_4_7_2_14
+check_section_4_7_2_15
+check_section_4_7_2_16
+check_section_4_7_2_17
+check_section_4_7_2_18
+check_section_4_9
+check_section_4_10
+check_section_4_11
+check_section_4_12
+check_section_4_13
+check_section_4_14
+check_section_5_1_1_1
+check_section_5_1_1_2
+check_section_5_1_1_3
+check_section_5_1_2
+check_section_5_1_3
+check_section_5_1_4
+check_section_5_1_5
+check_section_5_1_6
+check_section_5_2_1
+check_section_5_2_2
+check_section_5_2_3
+check_section_5_2_4
+check_section_5_2_5
+check_section_5_2_6
+check_section_5_2_7
+check_section_5_2_8
+check_section_5_2_9
+check_section_5_2_10
+check_section_5_2_11
+check_section_5_2_12
+check_section_5_2_13
+check_section_5_3_1
+check_section_5_3_2
+check_section_5_3_3
+check_section_5_3_4
+check_section_5_3_5
+check_section_5_3_6
+check_section_5_3_7
+check_section_5_3_8
+check_section_5_3_9
+check_section_5_3_10
+check_section_5_6
+check_section_5_7
+check_section_6_3_1
+check_section_6_3_2
+check_section_6_4
+check_section_6_6
+check_section_7_1
+}
+main | tee $cisoutput
+cat $cisoutput | sed "s/^/$HEADER/" | sed 's/^/\//' | sed "s/^/$DAY/" | sed 's/^/\//' | sed "s/^/$MONTH/" | sed "s/$/$FOOTER/" > ${cisoutput}.1
+cat ${cisoutput}.1 | sed 's/^/"/' | sed 's/;/","/g' | sed 's/$/"/' > ${cisoutput}
+</code>
+===== OLD version =====
+----------------------------------------------------------------------------
 <cli prompt='#'>
@@ Line 138: / Line 2949: @@
 fi
-cp $tempo /root/link.txt
+#cp $tempo /root/link.txt
 print_output $head $rule $desc1 $res
 }
@@ Line 803: / Line 3613: @@
 desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
-val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep kexalgorithms | tr ',' '\n' | egrep -c "diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1")
+val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep '^kexalgorithms' | tr ',' '\n' | egrep -c "diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1")
 if [[ "$val" -eq "0" ]]
 then
@@ Line 947: / Line 3757: @@
 check_section_4_7_1_2()
 {
+# args
+head=h1
+rule="4.7.1.2"
+desc="Home directory must be owned by account, or special account"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
+do
+  uid=$(echo ${ids} | cut -f2 -d =)
+  home=$(echo ${homes} | cut -f2 -d =)
+  locked=$(echo ${locks} | cut -f2 -d =)
+  if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
+  continue
+  elif [[ ! -d ${home} ]]; then
+  /usr/bin/printf "%-32s does not exist; Recommend Lock Account [%s]\n" ${home} ${name}
+  continue
+  else
+  /usr/bin/perl -e '$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
+  if ($huid != $uid && $huid != 0) {
+  exit(1); # triggers command after OR (||)
+  }' ${name} ${home} ${uid} || \
+  /usr/bin/printf "Recommend Lock Account: %s does not own %s\n" ${name} ${home}
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_3()
+{
+# args
+head=h1
+rule="4.7.1.3"
+desc="Home directory: write access restricted to 'owner'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a id home ALL | while read name ids homes rest
+do
+  uid_check=$(echo ${ids} | cut -f2 -d =)
+  if [[ ${uid_check} -ge 200 ]]
+  then
+    home=$(echo ${homes} | cut -f2 -d =)
+    if [[ ${home} == "/dev/null" ]]
+    then
+      continue
+        else
+          if [[ ! -d ${home} ]]
+          then
+        /usr/bin/printf "%-32s does not exist; recommend to lock account named [%s]\n" ${home} ${name}
+      else
+            if [[ ${home} != "/" && ${home} != "/dev/null" ]]
+        then
+              /usr/bin/perl -e '$f=$ARGV[0]; $m=(stat $f)[2]; \
+ printf("Recommend chmod on: %s: to remove group or world write mode\n", $f) if $m & 022; \
+ printf("Recommend remove ACL on: %s\n ", $f) if $m & 0200000000; \
+ exit($m & 0200000022)' ${home} || (ls -led ${home} && (aclget ${home} | grep -ip Enabled))
+        fi
+      fi
+    fi
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_4()
+{
+# args
+head=h1
+rule="4.7.1.4"
+desc="AUDIT subsystem: /audit and /etc/security/audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /audit ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /audit)
+  if [[ "$val" == "root:audit:2750:/audit:" ]]
+  then
+    val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
+    if [[ "$val" == "root:audit:2750:/etc/security/audit:" ]]
+    then
+      res=OK
+    else
+      res=NOK
+    fi
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_5()
+{
+# args
+head=h1
+rule="4.7.1.5"
+desc="SECURITY Subsystems: /etc/security"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+EXCLUDE="security/(aixpert|audit|ice)"
+find /etc/security -type d | \
+/usr/bin/egrep -v ${EXCLUDE} | \
+/usr/bin/sort | xargs ls -led | \
+/usr/bin/awk '{print $1 " " $3 " " $4 " " $9}' | \
+/usr/bin/grep -v drwxr-s---- > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_6()
+{
+# args
+head=h1
+rule="4.7.1.6"
+desc="/var/adm/ras"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%F:%a:%n:" /var/adm/ras/* | grep -v '^directory:' | cut -d':' -f2- | cut -c3- | grep -c -v '^0:')
+if [[ "$val" -eq "0" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_7()
+{
+# args
+head=h1
+rule="4.7.1.7"
+desc="/var/adm/sa"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/sa)
+if [[ "$val" == "adm:adm:755:/var/adm/sa:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_8()
+{
+# args
+head=h1
+rule="4.7.1.8"
+desc="/var/spool/cron/crontabs"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/spool/cron/crontabs)
+if [[ "$val" == "root:cron:770:/var/spool/cron/crontabs:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_9()
+{
+# args
+head=h1
+rule="4.7.1.9"
+desc="Ensure all directories in root PATH deny write access to all"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+echo "/:${PATH}" | tr ':' '\n' | grep "^/" | sort -u | while read DIR
+do
+  DIR=${DIR:-$(pwd)}
+  while [[ -d ${DIR} ]]
+  do
+    [[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] && print " WARNING ${DIR} is world writable"
+    [[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] && print " WARNING ${DIR} is group writable"
+    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
+    DIR=${DIR%/*}
+  done
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_10()
+{
+# args
+head=h1
+rule="4.7.1.10"
+desc="Ensure root user has a dedicated home directory"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lsuser -a home root | awk '{print $2}')
+if [[ "$val" == "home=/root" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_1_11()
+{
+# args
+head=h1
+rule="4.7.1.11"
+desc="/etc/security/audit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
+if [[ "$val" == "root:audit:750:/etc/security/audit:" || "$val" == "root:audit:2750:/etc/security/audit:" ]]
+then
+  val=$($LINUX_STAT -c "%a:%n:" /etc/security/audit/* | grep -c -v '^640:')
+  if [[ "$val" -eq "0" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_2()
+{
+# args
+head=h1
+rule="4.7.2.2"
+desc="Verify Trust of suid, sgid, acl, and trusted-bit files and programs"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=Manual
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_3()
+{
+# args
+head=h1
+rule="4.7.2.3"
+desc="crontab entries - owned by userid"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+crontab -l |egrep -v '^#' |awk '{print $6}' |grep "^/" |sort -u | while read DIR
+do
+  DIR=${DIR:-$(pwd)}
+  while [[ -a ${DIR} ]]
+  do
+    [[ "$(ls -ld ${DIR})" = @(????????w? *) ]] && print " WARNING ${DIR} is world writable"
+    [[ "$(ls -ld ${DIR})" = @(?????w???? *) ]] && print " WARNING ${DIR} is group writable"
+    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
+    DIR=${DIR%/*}
+  done
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_4()
+{
+# args
+head=h1
+rule="4.7.2.4"
+desc="Home directory configuration files"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -R files -a home ALL | cut -f2 -d= | egrep -v "^/$|/etc|/bin|/var|/usr|/usr/sys" |while read homedir
+do
+  if [[ -d ${homedir} ]]
+  then
+    #echo "Listing all user confguration files in '${homedir}'"
+    ls -a ${homedir} | egrep "^\.[a-z]" | while read file
+    do
+      if [[ -f "${homedir}/${file}" ]]
+      then
+        val=$(ls -l "${homedir}/${file}" | cut -c5- | awk '{print $1}' | grep -c w)
+        if [[ "$val" -ne "0" ]]
+        then
+          echo "${homedir}/${file} write permissions g or o"
+        fi
+      fi
+    done
+  else
+    echo "ERROR - no home directory for '${homedir}'"
+  fi
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_5()
+{
+# args
+head=h1
+rule="4.7.2.5"
+desc="/smit.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+file1=$(lsuser -a home root | awk '{print $2}' | sed 's/home=//' | sed 's/$/\/smit.log/')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" $file1)
+if [[ "$val" == "root:system:640:$file1:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_6()
+{
+# args
+head=h1
+rule="4.7.2.6"
+desc="/etc/group"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/group)
+if [[ "$val" == "root:security:644:/etc/group:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_7()
+{
+# args
+head=h1
+rule="4.7.2.7"
+desc="/etc/inetd.conf"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/inetd.conf)
+if [[ "$val" == "root:system:644:/etc/inetd.conf:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_8()
+{
+# args
+head=h1
+rule="4.7.2.8"
+desc="/etc/motd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd)
+if [[ "$val" == "bin:bin:644:/etc/motd:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_9()
+{
+# args
+head=h1
+rule="4.7.2.9"
+desc="/etc/passwd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/passwd)
+if [[ "$val" == "root:security:644:/etc/passwd:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_10()
+{
+# args
+head=h1
+rule="4.7.2.10"
+desc="/etc/ssh/ssh_config"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/ssh_config)
+if [[ "$val" == "root:system:644:/etc/ssh/ssh_config:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_11()
+{
+# args
+head=h1
+rule="4.7.2.11"
+desc="/etc/ssh/sshd_config"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/sshd_config)
+if [[ "$val" == "root:system:644:/etc/ssh/sshd_config:" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_12()
+{
+# args
+head=h1
+rule="4.7.2.12"
+desc="/var/adm/cron/at.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /var/adm/cron/at.allow ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/at.allow)
+  if [[ "$val" == "root:sys:400:/var/adm/cron/at.allow:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_13()
+{
+# args
+head=h1
+rule="4.7.2.13"
+desc="/var/adm/cron/cron.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e /var/adm/cron/cron.allow ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/cron.allow)
+  if [[ "$val" == "root:sys:400:/var/adm/cron/cron.allow:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_14()
+{
+# args
+head=h1
+rule="4.7.2.14"
+desc="/var/ct/RMstart.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/ct/RMstart.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/ct/RMstart.log)
+  if [[ "$val" == "root:system:640:/var/ct/RMstart.log:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_15()
+{
+# args
+head=h1
+rule="4.7.2.15"
+desc="/var/adm/cron/log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/adm/cron/log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/log)
+  if [[ "$val" == "bin:cron:660:/var/adm/cron/log:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_16()
+{
+# args
+head=h1
+rule="4.7.2.16"
+desc="/var/tmp/dpid2.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/dpid2.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/dpid2.log)
+  if [[ "$val" == "root:system:640:/var/tmp/dpid2.log:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_17()
+{
+# args
+head=h1
+rule="4.7.2.17"
+desc="/var/tmp/hostmibd.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/hostmibd.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/hostmibd.log)
+  if [[ "$val" == "root:system:640:/var/tmp/hostmibd.log:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_7_2_18()
+{
+# args
+head=h1
+rule="4.7.2.18"
+desc="/var/tmp/snmpd.log"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -e "/var/tmp/snmpd.log" ]
+then
+  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/snmpd.log)
+  if [[ "$val" == "root:system:640:/var/tmp/snmpd.log:" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_9()
+{
+# args
+head=h1
+rule="4.9"
+desc="Ensure root access is controlled"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+lsuser -a login rlogin su sugroups root | tr '=' ' ' | read user a1 login a2 rlogin a3 su a4 sugroups
+[[ ${su} != "false" && ${sugroups} == "ALL" ]] && echo "failed : ${a3}==${su}, ${a4}==${sugroups}" > $tempo
+[[ ${login} == "true" || ${rlogin} == "true" ]] && echo "failed : ${a1}==${login}, ${a2}==${rlogin}" >> $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_10()
+{
+# args
+head=h1
+rule="4.10"
+desc="Disable core dumps"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+rc1=$(lssec -f /etc/security/limits -s default -a core -a core_hard | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'default;core=0;core_hard=0;'; echo $?)
+rc2=$(lsattr -El sys0 -a fullcore | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'fullcore;false;Enable;full;CORE;dump;True;'; echo $?)
+(( rc = rc1 + rc2 ))
+if [[ "$rc" == "0" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_11()
+{
+# args
+head=h1
+rule="4.11"
+desc="Remove current working directory from default /etc/environment PATH"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_12()
+{
+# args
+head=h1
+rule="4.12"
+desc="Lock historical users"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
+for usr in $(echo $ACCOUNTS | sed 's/,/\ /g')
+do
+lsuser -a account_locked $usr 2>/dev/null
+done | grep -v 'account_locked=true' > $tempo
+if [ -s $tempo ]
+then
+  res=NOK
+else
+  res=OK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_13()
+{
+# args
+head=h1
+rule="4.13"
+desc="Remove current working directory from root's PATH"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(su - root -c "echo ${PATH}" |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_4_14()
+{
+# args
+head=h1
+rule="4.14"
+desc="Configuration: /etc/motd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res="TODO"
+if [ -e /audit ]
+then
+  val=$(cat /etc/motd | grep -c 'PROPER AUTHORIZATION')
+  if [[ "$val" == "1" ]]
+  then
+    res=OK
+  else
+    res=NOK
+  fi
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_1()
+{
+# args
+head=h1
+rule="5.1.1.1"
+desc="histexpire"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a histexpire | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;histexpire=52;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_2()
+{
+# args
+head=h1
+rule="5.1.1.2"
+desc="histsize"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a histsize | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;histsize=0;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_1_3()
+{
+# args
+head=h1
+rule="5.1.1.3"
+desc="minage"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minage | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minage=1;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_2()
+{
+# args
+head=h1
+rule="5.1.2"
+desc="All accounts must have a hashed password"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+egrep -p "password = +$" /etc/security/passwd | grep ":" | awk -F: '{ print $1 } ' | while read user rest
+do
+  print "Locking account ${user} due to blank password"
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_3()
+{
+# args
+head=h1
+rule="5.1.3"
+desc="All usernames and UIDs must be unique"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cut -d: -f 3 /etc/passwd | sort -n | uniq -d;cut -d: -f 1 /etc/passwd | sort | uniq -d)
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_4()
+{
+# args
+head=h1
+rule="5.1.4"
+desc="All group names and GIDs must be unique"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(cut -d: -f 3 /etc/group | sort -n | uniq -d;cut -d: -f 1 /etc/group | sort | uniq -d)
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_5()
+{
+# args
+head=h1
+rule="5.1.5"
+desc="Establish and Maintain an Inventory of Administrator accounts"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res="TODO"
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_1_6()
+{
+# args
+head=h1
+rule="5.1.6"
+desc="Establish and Maintain an Inventory of User Accounts"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res="TODO"
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_1()
+{
+# args
+head=h1
+rule="5.2.1"
+desc="Ensure new passwords are controlled by password attributes (disable NOCHECK)"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep NOCHECK /etc/security/passwd)
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_2()
+{
+# args
+head=h1
+rule="5.2.2"
+desc="pwd_algorithm"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "usw;pwd_algorithm=ssha512;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_3()
+{
+# args
+head=h1
+rule="5.2.3"
+desc="Ensure passwords are not hashed using 'crypt'"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+grep 'password[[:blank:]]= .............$' /etc/security/passwd | while read pass equals cryptedhash
+do
+  user=$(grep -p $cryptedhash /etc/security/passwd | egrep '[a-zA-z0-9]+:$' | sed -e s/:$//)
+  print ${user}: needs to update passwd
+done > $tempo
+if [ ! -s $tempo ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_4()
+{
+# args
+head=h1
+rule="5.2.4"
+desc="Ensure password policy is enforced for all users"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep NOCHECK /etc/security/passwd)
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_5()
+{
+# args
+head=h1
+rule="5.2.5"
+desc="minlen"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minlen | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minlen=14;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_6()
+{
+# args
+head=h1
+rule="5.2.6"
+desc="mindiff"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a mindiff | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;mindiff=4;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_7()
+{
+# args
+head=h1
+rule="5.2.7"
+desc="minalpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minalpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minalpha=3;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_8()
+{
+# args
+head=h1
+rule="5.2.8"
+desc="minother"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minother | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minother=3;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_9()
+{
+# args
+head=h1
+rule="5.2.9"
+desc="maxrepeats"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxrepeats | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxrepeats=4;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_10()
+{
+# args
+head=h1
+rule="5.2.10"
+desc="mindigit"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a mindigit | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;mindigit=1;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_11()
+{
+# args
+head=h1
+rule="5.2.11"
+desc="minloweralpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minloweralpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minloweralpha=1;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_12()
+{
+# args
+head=h1
+rule="5.2.12"
+desc="minupperalpha"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minupperalpha | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minupperalpha=1;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_2_13()
+{
+# args
+head=h1
+rule="5.2.13"
+desc="minspecialchar"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a minspecialchar | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;minspecialchar=1;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_1()
+{
+# args
+head=h1
+rule="5.3.1"
+desc="adm"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=adm
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_2()
+{
+# args
+head=h1
+rule="5.3.2"
+desc="bin"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=bin
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_3()
+{
+# args
+head=h1
+rule="5.3.3"
+desc="daemon"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=daemon
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_4()
+{
+# args
+head=h1
+rule="5.3.4"
+desc="guest"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=guest
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_5()
+{
+# args
+head=h1
+rule="5.3.5"
+desc="lpd"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=ldp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_6()
+{
+# args
+head=h1
+rule="5.3.6"
+desc="nobody"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=nobody
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_7()
+{
+# args
+head=h1
+rule="5.3.7"
+desc="nuucp"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=nuucp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_8()
+{
+# args
+head=h1
+rule="5.3.8"
+desc="sys"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=sys
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_9()
+{
+# args
+head=h1
+rule="5.3.9"
+desc="uucp"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+usr=uucp
+val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_3_10()
+{
+# args
+head=h1
+rule="5.3.10"
+desc="Ensure System Accounts cannot access system using ftp."
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssrc -ls inetd | grep -c ftpd)
+if [[ "$val" -eq "0" ]]
+then
+  res=OK
+else
+  if [ -e /etc/ftpusers ]
+  then
+    rc=0
+    lsuser -R files -a id ALL | sed 's/id=//' | while read usr uid
+    do
+      if [[ "$uid" -lt "200" ]]
+      then
+        rc1=$(cat /etc/ftpusers | sed 's/$/;/' | grep -q "^${usr};"; echo $?)
+        (( rc = rc + rc1 ))
+      fi
+    done
+    if [[ "$rc" == "0" ]]
+    then
+      res=OK
+    else
+      res=NOK
+    fi
+  else
+    res=NOK
+  fi
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_6()
+{
+# args
+head=h1
+rule="5.6"
+desc="maxage"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxage | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxage=13;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_5_7()
+{
+# args
+head=h1
+rule="5.7"
+desc="maxexpired"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(lssec -f /etc/security/user -s default -a maxexpired | sed 's/\ /;/g' | sed 's/$/;/')
+if [[ "$val" == "default;maxexpired=4;" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_3_1()
+{
+# args
+head=h1
+rule="6.3.1"
+desc="Privilege escalation: sudo"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+#min version: 1.9.5p2
+val=$(sudo --version | grep -vi sudoers  | grep version | rev | awk '{print $1}' | rev | sed 's/p/\./')
+val1=$(echo $val | cut -d'.' -f1)
+val2=$(echo $val | cut -d'.' -f2)
+val3=$(echo $val | cut -d'.' -f3)
+val4=$(echo $val | cut -d'.' -f4)
+if [[ "$val1" -lt "1" ]]
+then
+  rc=1
+else
+  if [[ "$val1" -gt "1" ]]
+  then
+    rc=0
+  else
+    if [[ "$val2" -lt "9" ]]
+    then
+      rc=1
+    else
+      if [[ "$val2" -gt "9" ]]
+      then
+        rc=0
+      else
+        if [[ "$val3" -lt "5" ]]
+        then
+          rc=1
+        else
+          if [[ "$val3" -ge "5" ]]
+          then
+            rc=0
+          else
+            rc=1
+          fi
+        fi
+      fi
+    fi
+  fi
+fi
+rc2=$(visudo -c > /dev/null 2>&1; echo $?)
+(( rc1 = rc + rc2 ))
+if [[ "$rc1" -eq "0" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_3_2()
+{
+# args
+head=h1
+rule="6.3.2"
+desc="Ensure sudo logging is active"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+val=$(grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/*)
+if [[ "$val" == "" ]]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_4()
+{
+# args
+head=h1
+rule="6.4"
+desc="Adding authorized users in at.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -s /var/adm/cron/at.allow ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_6_6()
+{
+# args
+head=h1
+rule="6.6"
+desc="Adding authorised users in cron.allow"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+if [ -s /var/adm/cron/cron.allow ]
+then
+  res=OK
+else
+  res=NOK
+fi
+print_output $head $rule $desc1 $res
+}
+#-----------------------------------------
+check_section_7_1()
+{
+# args
+head=h1
+rule="7.1"
+desc="Use FLRT regularly"
+res=""
+desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
+res="Manual"
+print_output $head $rule $desc1 $res
+}
+check_section_2_1
+check_section_2_7
+check_section_3_3
+check_section_3_4
+#check_section_3_5
+#check_section_3_6
+#check_section_3_7
+#check_section_3_8
+check_section_4_1_3_1
+check_section_4_1_3_2
+check_section_4_1_3_3
+check_section_4_2_18
+check_section_4_3_1
+check_section_4_3_2
+check_section_4_3_3
+check_section_4_5_1_7
+check_section_4_5_2_1
+check_section_4_5_2_2
+check_section_4_5_2_3
+check_section_4_5_3_1
+check_section_4_5_3_4
+check_section_4_5_3_5
+check_section_4_5_3_6
+check_section_4_5_3_7
+check_section_4_5_3_8
+check_section_4_5_3_9
+check_section_4_5_3_10
+check_section_4_5_3_11
+check_section_4_5_3_12
+check_section_4_5_3_13
+check_section_4_5_3_14
+check_section_4_5_3_15
+check_section_4_5_3_16
+check_section_4_5_3_17
+check_section_4_5_3_18
+check_section_4_6_5
+check_section_4_7_1_1
+check_section_4_7_1_2
+check_section_4_7_1_3
+check_section_4_7_1_4
+check_section_4_7_1_5
+check_section_4_7_1_6
+check_section_4_7_1_7
+check_section_4_7_1_8
+check_section_4_7_1_9
+check_section_4_7_1_10
+check_section_4_7_1_11
+check_section_4_7_2_2
+check_section_4_7_2_3
+check_section_4_7_2_4
+check_section_4_7_2_5
+check_section_4_7_2_6
+check_section_4_7_2_7
+check_section_4_7_2_8
+check_section_4_7_2_9
+check_section_4_7_2_10
+check_section_4_7_2_11
+#check_section_4_7_2_12
+check_section_4_7_2_13
+check_section_4_7_2_14
+check_section_4_7_2_15
+check_section_4_7_2_16
+check_section_4_7_2_17
+check_section_4_7_2_18
+check_section_4_9
+check_section_4_10
+check_section_4_11
+check_section_4_12
+check_section_4_13
+check_section_4_14
+check_section_5_1_1_1
+check_section_5_1_1_2
+check_section_5_1_1_3
+check_section_5_1_2
+check_section_5_1_3
+check_section_5_1_4
+check_section_5_1_5
+check_section_5_1_6
+check_section_5_2_1
+check_section_5_2_2
+check_section_5_2_3
+check_section_5_2_4
+check_section_5_2_5
+check_section_5_2_6
+check_section_5_2_7
+check_section_5_2_8
+check_section_5_2_9
+check_section_5_2_10
+check_section_5_2_11
+check_section_5_2_12
+check_section_5_2_13
+check_section_5_3_1
+check_section_5_3_2
+check_section_5_3_3
+check_section_5_3_4
+check_section_5_3_5
+check_section_5_3_6
+check_section_5_3_7
+check_section_5_3_8
+check_section_5_3_9
+check_section_5_3_10
+check_section_5_6
+check_section_5_7
+check_section_6_3_1
+check_section_6_3_2
+check_section_6_4
+check_section_6_6
+check_section_7_1
+</code>

wiki

User Tools

Site Tools

Differences

Page Tools