#!/bin/sh
#---------------------------------------------------------------------------#
# Copyright 2010 Ansil Hameed #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
#---------------------------------------------------------------------------#
#=================================================================#
# CHECK SECURITY POLICY FOR AIX 5300-10-01 #
# () #
# Date :- 25-September-2010 #
#=================================================================#
# Release identifier of this scanner.
VERSION='1.0.0b'
# Suffix appended to every scratch file of this run: the PID of this shell.
# NOTE(review): a PID is guessable and the scratch files built from it live in
# world-writable /tmp, so another local account can create those names first.
# If the scanner is run as root, its appends and deletes then act on a path it
# does not control. A private directory created with a restrictive mode would
# avoid this.
TMP_FILE_INDEX="$$"
# Base path of the HTML remarks scratch files; the functions below append
# _${TMP_FILE_INDEX} and a per-check suffix to it.
HTML_FILE_REM='/tmp/hard_html_remarks.html'
# Login state, switched to "TRUE" by main_login after a successful login.
auth_val='FALSE'
export auth_val
#==========================================#
# Clean up procedure for unexpected exit #
#==========================================#
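main_exit()
{
    # Signal handler (installed with "trap ... 1 2 3 15"): ask for
    # confirmation, then either remove this run's scratch files and exit, or
    # send the user back to the screen that matches the login state.
    # Globals: TMP_FILE_INDEX, HTML_FILE_REM, auth_val (read); opt (written)

    # The handler can fire while main_login has echo switched off for the
    # password prompt, so turn echo back on before asking anything.
    stty echo
    clear
    read opt?"Do you really want to exit..?[y/n]:- "
    if [ "${opt}" = "y" ]
    then
        # norm_exit removes the single-suffix name while this handler used to
        # remove only a doubled-suffix one. The code that creates the file is
        # not in this part of the script, so both spellings are removed.
        rm -f "/tmp/etc_security_user_${TMP_FILE_INDEX}" \
            "/tmp/etc_security_user_${TMP_FILE_INDEX}_${TMP_FILE_INDEX}"
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}"
        # One remarks file per policy check, tbl_auth_1 .. tbl_auth_31.
        _exit_idx=1
        while [ "${_exit_idx}" -le 31 ]
        do
            rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_${_exit_idx}"
            _exit_idx=`expr ${_exit_idx} + 1`
        done
        exit
    else
        # Not leaving: authenticated users go back to the menu, everyone
        # else is challenged for credentials again.
        if [ "${auth_val}" = "TRUE" ]
        then
            main_page
        else
            main_login
        fi
    fi
}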
#======================================#
# Clean up procedure for normal exit #
#======================================#
norm_exit()
{
    # Exit handler (main_page installs it with "trap ... 0"): delete the
    # /tmp/etc_security_user_<index> scratch file and the aggregated HTML
    # remarks file of this run.
    # Globals: TMP_FILE_INDEX, HTML_FILE_REM (read)
    rm -f "/tmp/etc_security_user_${TMP_FILE_INDEX}" \
        "${HTML_FILE_REM}_${TMP_FILE_INDEX}"
}
#==========================================================================#
# All Policy Rules Messages in 'tbl_auth()' Function #
# This framework will allow you to add more rules easily #
#==========================================================================#
_tbl_auth_box()
{
    # Print a three-line box: $1 is the border line, $2 the title row.
    echo "${1}"
    echo "${2}"
    echo "${1}"
}

tbl_auth()
{
    # Print the boxed title of policy rule $1 (1..31); any other value
    # prints "No Mesage". To add a rule, add one more case arm.
    trap 'main_exit' 1 2 3 15
    case "${1}" in
        1)  _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_01 Remote Login By Unauthenicated users |"
            ;;
        2)  _tbl_auth_box "+------------------------------+" \
                "| AIX_02 Users with FTP Access |"
            ;;
        3)  _tbl_auth_box "+--------------------------+" \
                "| AIX_03 XDMCP port status |"
            ;;
        4)  _tbl_auth_box "+-------------------------------------------------+" \
                "| AIX_04 Session timeout for unattended terminals |"
            ;;
        5)  _tbl_auth_box "+--------------------------+" \
                "| AIX_05 Remote root login |"
            ;;
        6)  _tbl_auth_box "+-------------------------------+" \
                "| AIX_06 Non essential accounts |"
            ;;
        7)  _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_07 Password and account policy settings |"
            ;;
        8)  _tbl_auth_box "+---------------------------------------+" \
                "| AIX_08 Accounts with empty passwords |"
            ;;
        9)  _tbl_auth_box "+-------------------------------+" \
                "| AIX_09 Accounts with root UID |"
            ;;
        10) _tbl_auth_box "+---------------------------+" \
                "| AIX_10 System UMASK value |"
            ;;
        11) _tbl_auth_box "+----------------------+" \
                "| AIX_11 Login Banners |"
            ;;
        12) _tbl_auth_box "+------------------------------+" \
                "| AIX_12 SNMP Service settings |"
            ;;
        13) _tbl_auth_box "+--------------------------------------------+" \
                "| AIX_13 Password and Group file permissions |"
            ;;
        14) _tbl_auth_box "+--------------------------------------------+" \
                "| AIX_14 Sticky bit on world writable dirs |"
            ;;
        15) _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_15 Unauthorized SUID system executables |"
            ;;
        16) _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_16 Unauthorized SGID system executables |"
            ;;
        17) _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_17 Unowned files and Directories |"
            ;;
        18) _tbl_auth_box "+----------------------------------------+" \
                "| AIX_18 CRON and AT permission |"
            ;;
        19) _tbl_auth_box "+---------------------------------------------+" \
                "| AIX_19 Insecure permission on crontab files |"
            ;;
        20) _tbl_auth_box "+--------------------------------------------------+" \
                "| AIX_20 Permission on network configuration files |"
            ;;
        21) _tbl_auth_box "+--------------------------------------------+" \
                "| AIX_21 Permission on user home directories |"
            ;;
        22) _tbl_auth_box "+--------------------------------+" \
                "| AIX_22 Permission on log files |"
            ;;
        23) _tbl_auth_box "+--------------------------------+" \
                "| AIX_23 Message send to syslog |"
            ;;
        24) _tbl_auth_box "+-------------------------------------+" \
                "| AIX_24 Remote logging using syslog |"
            ;;
        25) _tbl_auth_box "+------------------------------+" \
                "| AIX_25 Kernel level auditing |"
            ;;
        26) _tbl_auth_box "+-------------------------------+" \
                "| AIX_26 Non essential services |"
            ;;
        27) _tbl_auth_box "+--------------------------------+" \
                "| AIX_27 Network TCP/IP settings |"
            ;;
        28) _tbl_auth_box "+---------------------------+" \
                "| AIX_28 Core dump settings |"
            ;;
        29) _tbl_auth_box "+------------------------------------------------+" \
                "| AIX_29 NFS client requests to privileged ports |"
            ;;
        30) _tbl_auth_box "+--------------------+" \
                "| AIX_30 Patch level |"
            ;;
        31) _tbl_auth_box "+------------------------------------------------+" \
                "| AIX_31 Weak file system security configuration |"
            ;;
        *)  echo "No Mesage"
            ;;
    esac
}
#==========================================================================#
# Main Menu Page #
#==========================================================================#
_main_page_row()
{
    # Move the cursor to row $1, column 14 and print menu line $2 there.
    tput cup "${1}" 14
    echo "${2}"
}

main_page()
{
    # Draw the main menu, read one choice and hand over to the matching
    # screen. The menu is positioned with "tput cup" and coloured with
    # escape codes passed to echo.
    # Globals: opt (written)
    trap 'main_exit' 1 2 3 15
    trap 'norm_exit' 0
    clear
    _main_page_row 4 "\033[44m SBI DWP Policy Scanner Version 1.0 \033[0m"
    _main_page_row 5 "\033[44m \033[0m\033[45m Enter your option \033[44m \033[0m"
    _main_page_row 6 "\033[44m \033[0m1.Scan All policies \033[44m \033[0m"
    _main_page_row 7 "\033[44m \033[0m2.Scan policies using index number \033[44m \033[0m"
    _main_page_row 8 "\033[44m \033[0m3.Generate Report (html) \033[44m \033[0m"
    _main_page_row 9 "\033[44m \033[0m4.Exit \033[44m \033[0m"
    _main_page_row 10 "\033[44m \033[0m \033[44m \033[0m"
    _main_page_row 11 "\033[44m ANSILh[at]gmail[dot]com \033[0m"
    # Park the cursor below the box for the prompt.
    tput cup 12 14
    read opt?"Enter your option:-"
    case "${opt}" in
        1)
            echo "Scan all"
            scan_all
            ;;
        2)
            echo "Scan with index"
            scan_index
            ;;
        3)
            # HTML report
            clear
            html_report_gen
            ;;
        4)
            # Leave the program
            clear
            exit 0
            ;;
        *)
            # Anything else: complain and draw the menu again.
            echo "Invalid option"
            main_page
            ;;
    esac
}
#==========================================================================#
# All Policy Rules are Categorized Here #
#==========================================================================#
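scan_all()
{
    # Show the "Select Section" menu, read a choice and run every policy
    # check of the chosen section, go back to the main menu, or exit.
    # Globals: opt (written)
    trap 'main_exit' 1 2 3 15
    clear
    tput cup 4 14
    echo "\033[44m Select Section \033[0m"
    tput cup 5 14
    echo "\033[44m \033[0m \033[44m \033[0m"
    tput cup 6 14
    echo "\033[44m \033[0m1.System Access,Authentication And Authorization \033[44m \033[0m"
    tput cup 7 14
    echo "\033[44m \033[0m2.File And Directory Permission \033[44m \033[0m"
    tput cup 8 14
    echo "\033[44m \033[0m3.Logs and Audit Trails \033[44m \033[0m"
    tput cup 9 14
    echo "\033[44m \033[0m4.Network and Service settings \033[44m \033[0m"
    tput cup 10 14
    echo "\033[44m \033[0m5.Patch and other settings \033[44m \033[0m"
    tput cup 11 14
    echo "\033[44m \033[0m6.Back \033[44m \033[0m"
    tput cup 12 14
    echo "\033[44m \033[0m7.Exit \033[44m \033[0m"
    tput cup 13 14
    echo "\033[44m \033[0m \033[44m \033[0m"
    tput cup 14 14
    echo "\033[44m \033[0m"
    tput cup 15 14
    read opt?"Enter your option:-"
    # Redraw the menu on empty or non-numeric input and stop there. The
    # numeric tests below used to receive the raw, unquoted answer, so a word
    # or several words made each of them fail with a test error, and an empty
    # answer fell through to them after the nested menu returned.
    case "${opt}" in
        ''|*[!0-9]*)
            scan_all
            return
            ;;
    esac
    if [ "${opt}" -eq 1 ]
    then
        #------------------------------------------------------------#
        # System Access,Authentication And Authorization             #
        #------------------------------------------------------------#
        tbl_auth_1
        tbl_auth_2
        tbl_auth_3
        tbl_auth_4
        tbl_auth_5
        tbl_auth_6
        tbl_auth_7
        tbl_auth_8
        tbl_auth_9
        tbl_auth_10
        tbl_auth_11
        tbl_auth_12
        echo "Press any key to continue..."
        read
        scan_all
    elif [ "${opt}" -eq 2 ]
    then
        #------------------------------------------------------------#
        # File And Directory Permissions                             #
        #------------------------------------------------------------#
        tbl_auth_13
        tbl_auth_14
        tbl_auth_15
        tbl_auth_16
        tbl_auth_17
        tbl_auth_18
        tbl_auth_19
        tbl_auth_20
        tbl_auth_21
        tbl_auth_22
        echo "Press any key to continue..."
        read
        scan_all
    elif [ "${opt}" -eq 3 ]
    then
        #------------------------------------------------------------#
        # Logs and Audit Trails                                      #
        #------------------------------------------------------------#
        tbl_auth_23
        tbl_auth_24
        tbl_auth_25
        echo "Press any key to continue..."
        read
        scan_all
    elif [ "${opt}" -eq 4 ]
    then
        #------------------------------------------------------------#
        # Network and Service settings                               #
        #------------------------------------------------------------#
        tbl_auth_26
        tbl_auth_27
        tbl_auth_28
        tbl_auth_29
        echo "Press any key to continue..."
        read
        scan_all
    elif [ "${opt}" -eq 5 ]
    then
        #------------------------------------------------------------#
        # Patch and other settings                                   #
        #------------------------------------------------------------#
        tbl_auth_30
        tbl_auth_31
        echo "Press any key to continue..."
        read
        scan_all
    elif [ "${opt}" -eq 6 ]
    then
        # Back to the main menu
        main_page
    elif [ "${opt}" -eq 7 ]
    then
        clear
        exit 0
    else
        # A number outside 1..7: draw the menu again.
        scan_all
    fi
}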
#==========================================================================#
# Scan Policy By Index #
#==========================================================================#
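scan_index()
{
    # Show the "Scan By Index" screen and run the single policy check whose
    # number the operator types; x exits, b goes back, l lists the rules.
    # Globals: index_no (written)
    trap 'main_exit' 1 2 3 15
    clear
    tput cup 4 14
    echo "\033[44m Scan By Index \033[0m"
    tput cup 5 14
    echo "\033[44m \033[0mx - to exit \033[44m \033[0m"
    tput cup 6 14
    echo "\033[44m \033[0mb - to back \033[44m \033[0m"
    tput cup 7 14
    echo "\033[44m \033[0ml - to list index \033[44m \033[0m"
    tput cup 8 14
    echo "\033[44m \033[0m"
    tput cup 9 14
    read index_no?"Enter index number:-"
    if [ -z "${index_no}" ]
    then
        # Nothing typed: show the screen again and do not fall through to
        # the checks below with an empty value.
        scan_index
        return
    fi
    case "${index_no}" in
        'x')
            exit 0
            ;;
        'b')
            main_page
            ;;
        'l')
            list_index
            ;;
    esac
    # The answer is pasted into a function name, so accept only the exact
    # strings 1..31. The earlier unquoted numeric test let the shell evaluate
    # whatever was typed, and a value such as 01 passed the range check but
    # named a function that does not exist.
    case "${index_no}" in
        [1-9]|[12][0-9]|3[01])
            clear
            tbl_auth_${index_no}
            ;;
        *)
            echo "Policy not exist...Type l for Policy Index"
            ;;
    esac
    echo "Press any key to continue...."
    read
    scan_index
}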
#==========================================================================#
# Main Entrance of The Program(Authentication) #
# The authentication has two parts #
# 1.If the user already authenticated and pressed ^c ,the user must get #
# the first 'after login' screen #
# 2.If the user has not authenticated and pressed ^c(AT LOGIN PROMPT) #
# the user must be challenged for authentication again #
#==========================================================================#
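main_login()
{
    # Prompt for a user name and a password and compare them with the
    # built-in pair. On success mark the session as authenticated and open
    # the main menu; otherwise print an error and exit.
    # Globals: usr_nm, pass (written); auth_val (written, exported)
    trap 'main_exit' 1 2 3 15
    clear
    read usr_nm?"Enter user name :-"
    # Echo is off only while the password is typed; main_exit turns it back
    # on if a signal arrives in between.
    stty -echo
    read pass?"Enter password:-"
    stty echo
    # NOTE(review): the expected credentials are literals in this file, so
    # anyone who can read the script can read them, and they cannot be
    # changed without editing code. The prompt adds nothing beyond the file's
    # own permissions; access should be restricted at the OS level (who may
    # read and execute the script).
    #
    # Every operand is quoted: the unquoted emptiness test made "[" fail with
    # a syntax error whenever an answer contained blanks.
    if [ -n "${usr_nm}" ] && [ -n "${pass}" ] &&
        [ "${usr_nm}" = "hardadmin" ] && [ "${pass}" = "123pass" ]
    then
        echo "Login OK"
        export auth_val="TRUE"
        main_page
        exit 0
    else
        # Empty and wrong answers get the same message.
        echo "Invalid login credentials"
        exit
    fi
}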
#==========================================================================#
# List All Policy Rules #
#==========================================================================#
list_index()
{
    # Print the boxed title of every policy rule (1 to 31), wait for Enter,
    # then return to the scan-by-index screen.
    # Globals: x (written; 32 after the loop)
    trap 'main_exit' 1 2 3 15
    clear
    x=1
    until [ "${x}" -eq 32 ]
    do
        tbl_auth "${x}"
        x=$(expr "${x}" + 1)
    done
    echo "Press any key to continue....."
    read
    scan_index
}
#==========================================================================#
index_1()
{
    # Clear the screen and print the coloured heading of the
    # "system access, authentication and authorization" section.
    trap 'main_exit' 1 2 3 15
    clear
    # $1 = rule line, $2 = heading text. Positional parameters belong to this
    # function call, so no global variable is introduced.
    set -- "\033[35m===============================================\033[0m" \
        "\033[32mSYSTEM ACCESS, AUTHENTICATION AND AUTHORIZATION\033[0m"
    echo "${1}"
    echo "${2}"
    echo "${1}"
}
#==========================================================================#
_tbl_auth_1_finding()
{
    # $1 = mode argument of tbl_auth_1, $2 = remark text.
    # In "html" mode append the remark to this check's remarks file and mark
    # the check as failed; in any other mode do nothing.
    if [ "${1}" = "html" ]
    then
        echo "${2}">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
        p_stat="FALSE"
    fi
}

tbl_auth_1()
{
    # AIX_01: report whether /.rhosts, /.netrc or /etc/hosts.equiv exist.
    # Arguments: $1 - "html" to also write report fragments
    # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
    #            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
    # Only the copies in the filesystem root are tested; .rhosts / .netrc
    # files in other home directories are outside this check.
    # p_stat becomes "FALSE" only in html mode, so without "html" the status
    # variables always end up as "OK".
    trap 'main_exit' 1 2 3 15
    p_stat="TRUE"
    tbl_auth 1
    if [ "${1}" = "html" ]
    then
        # Opening lines of this check's remarks fragment.
        echo "">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
        echo "AIX_01 Remote Login By Unauthenicated users
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
    fi

    if [ -f /.rhosts ]
    then
        echo "\033[31m* .rhosts file exists \033[0m"
        _tbl_auth_1_finding "${1}" "The .rhost file exists."
    else
        echo "\033[32m* .rhosts file not exists \033[0m"
    fi

    if [ -f /.netrc ]
    then
        echo "\033[31m* .netrc file exists \033[0m"
        _tbl_auth_1_finding "${1}" "The .netrc file exists."
    else
        echo "\033[32m* .netrc file not exists \033[0m"
    fi

    if [ -f /etc/hosts.equiv ]
    then
        echo "\033[31m* /etc/hosts.equiv file exists \033[0m"
        _tbl_auth_1_finding "${1}" "The /etc/hosts.equiv file exists."
    else
        echo "\033[32m* /etc/hosts.equiv file not exists \033[0m"
    fi

    if [ "${1}" = "html" ]
    then
        # Closing lines of the remarks fragment.
        echo "Back to Top">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"
    fi

    # Status variables for the summary row. A failed check keeps its remarks
    # by appending them to the aggregated remarks file; the per-check file is
    # removed in both cases.
    stat_ln=""
    stat_ln_e=""
    if [ "${p_stat}" = "TRUE" ]
    then
        html_stat="OK"
        html_tr_cl="green"
        rm_msg="Everything is Fine"
    else
        html_stat="ERROR"
        html_tr_cl="red"
        rm_msg="Click Here For Details"
        cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    fi
    rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_1"

    if [ "${1}" = "html" ]
    then
        # Summary row; html_report.html is created in the current directory.
        echo "">>html_report.html
        echo "Remote Login By Unauthenicated users | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
        echo "
">>html_report.html
    fi
}
#==========================================================================#
tbl_auth_2()
{
#----------------------------------------------------------------#
# AIX_02: which users have FTP access.                           #
# Accounts whose UID field is 0 are looked up in /etc/ftpusers;  #
# one that is not listed there is recorded as a finding.         #
#----------------------------------------------------------------#
# Arguments: $1 - "html" to also write report fragments
# Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
#            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
# NOTE(review): in this copy the two "done" lines of the while loops have lost
# their input redirection and the start of the echo statement that followed
# them, so the function is not valid shell as shown. Presumably the outer loop
# reads the password file and the inner loop reads /etc/ftpusers - confirm
# against the original script before relying on this check.
trap 'main_exit' 1 2 3 15
tbl_auth 2
p_stat="TRUE"
if [ "${1}" == "html" ]
then
# Opening lines of this check's remarks fragment.
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
echo "AIX_02 Users with FTP Access
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
fi
if [ -f /etc/ftpusers ]
then
# Compare the system accounts with the entries of /etc/ftpusers.
while read line
do
# got_usr_flg becomes 1 once the account name is found in /etc/ftpusers.
got_usr_flg=0
# Third colon-separated field of the record: the UID.
usr_id=`echo $line|awk -F ":" '{print $3}'`
# Only accounts with UID 0 are examined.
if [ ${usr_id} == 0 ]
then
# First field: the account name to look for.
usr_id_chk=`echo $line |awk -F ":" '{print $1}'`
while read ftp_line
do
if [ ! -z "${ftp_line}" ]
then
if [ $ftp_line == $usr_id_chk ]
then
echo "* \033[32m$ftp_line is in /etc/ftpusers\033[0m"
got_usr_flg=1
fi
fi
done${usr_id_chk} not in /etc/ftpusers">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
p_stat="FALSE"
fi
done /etc/ftpusers file not exists">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
p_stat="FALSE"
fi
if [ "${1}" == "html" ]
then
# Closing lines of the remarks fragment.
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
fi
# Status variables for the summary row. A failed check appends its remarks to
# the aggregated remarks file; the per-check file is removed in both branches.
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_2
fi
if [ "${1}" == "html" ]
then
# Summary row; html_report.html is created in the current directory.
echo "">>html_report.html
echo "Users with FTP Access | ${html_stat} | ${rm_msg} | " >>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
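_tbl_auth_3_finding()
{
    # $1 = mode argument of tbl_auth_3, $2 = remark text.
    # In "html" mode append the remark to this check's remarks file and mark
    # the check as failed; in any other mode do nothing.
    if [ "${1}" = "html" ]
    then
        echo "${2}">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
        p_stat="FALSE"
    fi
}

tbl_auth_3()
{
    # AIX_03: XDMCP login must be disabled, i.e. Dtlogin.requestPort must be
    # set to 0 in /etc/dt/config/Xconfig.
    # Arguments: $1 - "html" to also write report fragments
    # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); dt_val, p_stat,
    #            html_stat, html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
    trap 'main_exit' 1 2 3 15
    p_stat="TRUE"
    tbl_auth 3
    if [ "${1}" = "html" ]
    then
        # Opening lines of this check's remarks fragment.
        echo "">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
        echo "AIX_03 XDMCP port status
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
    fi
    if [ -f /etc/dt/config/Xconfig ]
    then
        # Value after the colon, with blanks removed so that
        # "Dtlogin.requestPort: 0" compares equal to 0.
        dt_val=`grep Dtlogin.requestPort /etc/dt/config/Xconfig|grep -v ^# |awk -F ":" '{gsub(/[ \t]/, "", $2); print $2}'`
        # Pass only on an explicit 0. With the earlier unquoted test a
        # missing, commented-out or repeated setting made "[" fail with a
        # syntax error and landed in the "is zero" branch, so the check
        # reported a pass without any evidence.
        if [ "${dt_val}" = "0" ]
        then
            echo "\033[32m* Dtlogin.requestPort in /etc/dt/config/Xconfig is zero\033[0m"
        else
            echo "\033[31m* Dtlogin.requestPort in /etc/dt/config/Xconfig is not zero\033[0m"
            _tbl_auth_3_finding "${1}" "Dtlogin.requestPort in /etc/dt/config/Xconfig is not zero"
        fi
    else
        echo "\033[31m* /etc/dt/config/Xconfig not exists \033[0m"
        _tbl_auth_3_finding "${1}" "/etc/dt/config/Xconfig not exists"
    fi
    if [ "${1}" = "html" ]
    then
        # Closing lines of the remarks fragment.
        echo "Back to Top">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
    fi
    # Status variables for the summary row. A failed check appends its
    # remarks to the aggregated remarks file; the per-check file is removed
    # in both branches.
    if [ "${p_stat}" != "TRUE" ]
    then
        html_stat="ERROR"
        html_tr_cl="red"
        rm_msg="Click Here For Details"
        stat_ln=""
        stat_ln_e=""
        cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
    else
        html_stat="OK"
        html_tr_cl="green"
        rm_msg="Everything is Fine"
        stat_ln=""
        stat_ln_e=""
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_3"
    fi
    if [ "${1}" = "html" ]
    then
        # Summary row; html_report.html is created in the current directory.
        echo "">>html_report.html
        echo "XDMCP port status | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
        echo "
">>html_report.html
    fi
}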
#==========================================================================#
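_tbl_auth_4_finding()
{
    # $1 = mode argument of tbl_auth_4, $2 = remark text.
    # In "html" mode append the remark to this check's remarks file and mark
    # the check as failed; in any other mode do nothing.
    if [ "${1}" = "html" ]
    then
        echo "${2}">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
        p_stat="FALSE"
    fi
}

tbl_auth_4()
{
    # AIX_04: session timeout for unattended terminals, X sessions included.
    # Expects TMOUT=600 and TIMEOUT=600 in /etc/security/.profile, and
    # saverTimeout / lockTimeout of 10 in every
    # /usr/dt/config/<dir>/sys.resources that exists.
    # Arguments: $1 - "html" to also write report fragments
    # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
    #            html_tr_cl, rm_msg, stat_ln, stat_ln_e and the work
    #            variables assigned below (written)
    # NOTE(review): only /etc/security/.profile is read; other profile files
    # are outside this check. A line that assigns several variables at once
    # is not parsed and is reported as a wrong value.
    trap 'main_exit' 1 2 3 15
    tbl_auth 4
    p_stat="TRUE"
    if [ "${1}" = "html" ]
    then
        # Opening lines of this check's remarks fragment.
        echo "">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
        echo "AIX_04 Session timeout for unattended terminals
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
    fi

    # Lines starting with '#' are dropped so that a commented-out assignment
    # is not accepted as the configured value.
    tmout_var=`grep TMOUT= /etc/security/.profile | grep -v '^#'`
    # Quoted tests: a match containing blanks used to break the unquoted
    # emptiness test and was then reported as "not set".
    if [ -n "${tmout_var}" ]
    then
        tmout_pr=`echo $tmout_var |awk -F "=" '{print $2}'`
        if [ "${tmout_pr}" = "600" ]
        then
            echo "\033[32m* TMOUT value is 600\033[0m"
        else
            echo "\033[31m* TMOUT value is $tmout_pr \033[0m"
            _tbl_auth_4_finding "${1}" "TMOUT value is ${tmout_pr} .Need to set 600"
        fi
    else
        echo "\033[31m* TMOUT value is not set\033[0m"
        _tbl_auth_4_finding "${1}" "TMOUT value is not set"
    fi

    timeout_var=`grep TIMEOUT= /etc/security/.profile | grep -v '^#'`
    if [ -n "${timeout_var}" ]
    then
        timeout_pr=`echo $timeout_var |awk -F "=" '{print $2}'`
        if [ "${timeout_pr}" = "600" ]
        then
            echo "\033[32m* TIMEOUT value is 600\033[0m"
        else
            echo "\033[31m* TIMEOUT value is $timeout_pr \033[0m"
            _tbl_auth_4_finding "${1}" "TIMEOUT value is $timeout_pr Need to set 600"
        fi
    else
        echo "\033[31m* TIMEOUT value is not set\033[0m"
        _tbl_auth_4_finding "${1}" "TIMEOUT value is not set"
    fi

    # Sub-directories of /usr/dt/config, taken from the ninth column of the
    # long listing; names containing blanks are not handled by this parsing.
    dir_list=`ls -lrt /usr/dt/config/ |grep ^d |awk -F " " '{print $9}'`
    for dir_nm in `echo $dir_list`
    do
        if [ -f /usr/dt/config/${dir_nm}/sys.resources ]
        then
            # For both resources the value is the text after the colon with
            # blanks removed, and only an explicit 10 passes. The earlier
            # unquoted "!= 10" test failed with a syntax error when the
            # resource was missing and fell into the pass branch.
            svr_tmout=`grep saverTimeout /usr/dt/config/${dir_nm}/sys.resources`
            svr_tmout_val=`echo "${svr_tmout}" |awk -F ":" '{gsub(/[ \t]/, "", $2); print $2}'`
            if [ "${svr_tmout_val}" = "10" ]
            then
                echo "\033[32m* dtsession*saverTimeout value in /usr/dt/config/${dir_nm} is 10 \033[0m"
            else
                echo "\033[31m* dtsession*saverTimeout value in /usr/dt/config/${dir_nm} is $svr_tmout_val \033[0m"
                _tbl_auth_4_finding "${1}" "dtsession*saverTimeout value in /usr/dt/config/${dir_nm} is ${svr_tmout_val}"
            fi
            lck_tmout=`grep lockTimeout /usr/dt/config/${dir_nm}/sys.resources`
            lck_tmout_val=`echo "${lck_tmout}" |awk -F ":" '{gsub(/[ \t]/, "", $2); print $2}'`
            if [ "${lck_tmout_val}" = "10" ]
            then
                echo "\033[32m* dtsession*lockTimeout value in /usr/dt/config/${dir_nm} is 10 \033[0m"
            else
                echo "\033[31m* dtsession*lockTimeout value in /usr/dt/config/${dir_nm} is $lck_tmout_val \033[0m"
                _tbl_auth_4_finding "${1}" "dtsession*lockTimeout value in /usr/dt/config/${dir_nm} is ${lck_tmout_val}"
            fi
        fi
    done

    if [ "${1}" = "html" ]
    then
        # Closing lines of the remarks fragment.
        echo "Back to Top">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
    fi
    # Status variables for the summary row. A failed check appends its
    # remarks to the aggregated remarks file; the per-check file is removed
    # in both branches.
    if [ "${p_stat}" != "TRUE" ]
    then
        html_stat="ERROR"
        html_tr_cl="red"
        rm_msg="Click Here For Details"
        stat_ln=""
        stat_ln_e=""
        cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
    else
        html_stat="OK"
        html_tr_cl="green"
        rm_msg="Everything is Fine"
        stat_ln=""
        stat_ln_e=""
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_4"
    fi
    if [ "${1}" = "html" ]
    then
        # Summary row; html_report.html is created in the current directory.
        echo "">>html_report.html
        echo "Session timeout for unattended terminals | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
        echo "
">>html_report.html
    fi
}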
#==========================================================================#
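_tbl_auth_5_finding()
{
    # $1 = mode argument of tbl_auth_5, $2 = remark text.
    # In "html" mode append the remark to this check's remarks file and mark
    # the check as failed; in any other mode do nothing.
    if [ "${1}" = "html" ]
    then
        echo "${2}">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
        p_stat="FALSE"
    fi
}

tbl_auth_5()
{
    # AIX_05: deny remote root login and limit "su root" to the system group.
    # Reads root's attributes with lsuser and expects login=true,
    # rlogin=false, su=true and sugroups=system.
    # Arguments: $1 - "html" to also write report fragments
    # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
    #            html_tr_cl, rm_msg, stat_ln, stat_ln_e and the root_*
    #            work variables (written)
    trap 'main_exit' 1 2 3 15
    tbl_auth 5
    p_stat="TRUE"
    if [ "${1}" = "html" ]
    then
        # Opening lines of this check's remarks fragment.
        echo "">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
        echo "AIX_05 Remote root login
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
    fi

    # "grep login=" also matches the rlogin= line, hence the head -n 1.
    root_login=`lsuser -f root|grep login= |head -n 1`
    root_login_val=`echo $root_login|awk -F "=" '{print $2}'`
    root_rlogin=`lsuser -f root|grep rlogin=`
    root_rlogin_val=`echo $root_rlogin|awk -F "=" '{print $2}'`
    root_su=`lsuser -f root |grep su=`
    root_su_val=`echo $root_su| awk -F "=" '{print $2}'`
    root_sugrp=`lsuser -f root |grep sugroups`
    root_sugrp_val=`echo $root_sugrp | awk -F "=" '{print $2}'`

    # The values are quoted in every comparison so that an attribute lsuser
    # did not return is reported as a finding instead of a test error.
    if [ "${root_login_val}" = "true" ]
    then
        echo "\033[32m* root login is TRUE \033[0m"
    else
        echo "\033[31m* root login is $root_login_val \033[0m"
        _tbl_auth_5_finding "${1}" "root login is ${root_login_val}"
    fi
    if [ "${root_rlogin_val}" = "false" ]
    then
        echo "\033[32m* root rlogin is FALSE\033[0m"
    else
        echo "\033[31m* root rlogin is $root_rlogin_val\033[0m"
        _tbl_auth_5_finding "${1}" "root rlogin is ${root_rlogin_val}"
    fi
    if [ "${root_su_val}" = "true" ]
    then
        echo "\033[32m* root su is TRUE \033[0m"
    else
        echo "\033[31m* root su is $root_su_val \033[0m"
        _tbl_auth_5_finding "${1}" "root su is ${root_su_val}"
    fi
    if [ "${root_sugrp_val}" = "system" ]
    then
        echo "\033[32m* root sugroup are system \033[0m"
    else
        echo "\033[31m* root sugroup are $root_sugrp_val \033[0m"
        _tbl_auth_5_finding "${1}" "root sugroup are $root_sugrp_val"
    fi

    if [ "${1}" = "html" ]
    then
        # Closing lines of the remarks fragment.
        echo "Back to Top">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
        echo "
">>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
    fi
    # Status variables for the summary row. Both branches used to delete the
    # aggregated remarks file (${HTML_FILE_REM}_${TMP_FILE_INDEX}), which
    # threw away the remarks collected so far and left this check's own file
    # behind. Like the sibling checks, remove the per-check file instead.
    if [ "${p_stat}" != "TRUE" ]
    then
        html_stat="ERROR"
        html_tr_cl="red"
        rm_msg="Click Here For Details"
        stat_ln=""
        stat_ln_e=""
        cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
    else
        html_stat="OK"
        html_tr_cl="green"
        rm_msg="Everything is Fine"
        stat_ln=""
        stat_ln_e=""
        rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_5"
    fi
    if [ "${1}" = "html" ]
    then
        # Summary row; html_report.html is created in the current directory.
        echo "">>html_report.html
        echo "Remote root login | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
        echo "
">>html_report.html
    fi
}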
#==========================================================================#
tbl_auth_6()
{
#-------------------------------------------------------------#
# Remove users having zero use #
#-------------------------------------------------------------#
#* This function need some tuning and will be done in next release*#
trap 'main_exit' 1 2 3 15
tbl_auth 6
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "AIX_06 Non essential accounts
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
fi
while read line
do
usr_nm=`echo $line | awk -F ":" '{print $1}'`
if [ $usr_nm == daemon ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell} ">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == bin ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == sys ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == adm ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user $usr_nm is $usr_nm_shell">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == uucp ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user $usr_nm is $usr_nm_shell">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == nuucp ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == printq ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user ${usr_nm} is ${usr_nm_shell} \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user ${usr_nm} is /dev/null\033[0m"
fi
fi
if [ $usr_nm == guest ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user ${usr_nm} is ${usr_nm_shell} \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == nobody ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == lpd ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
if [ $usr_nm == sshd ]
then
usr_nm_shell=`echo $line | awk -F ":" '{print $7}'`
if [ ! -z $usr_nm_shell -a $usr_nm_shell != /dev/null ]
then
echo "\033[31m* The shell for user $usr_nm is $usr_nm_shell \033[0m"
if [ "${1}" == "html" ]
then
echo "The shell for user ${usr_nm} is ${usr_nm_shell}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
p_stat="FALSE"
fi
else
echo "\033[32m* The shell for user $usr_nm is /dev/null\033[0m"
fi
fi
doneBack to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_6
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Non essential accounts | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
tbl_auth_7()
{
#---------------------------------------------------------------#
# User password policy #
# Compares the attributes found in /etc/security/user with the #
# attribute=value pairs listed in pre_rules below. #
# The function contains three inner functions for evaluating #
# a)Default values #
# b)Current user values #
# c)Values according to policy #
# Arguments: $1 - "html" to also write remarks for the report #
#---------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 7
p_stat="TRUE"
#-----------------------------------#
# Change Values According To Policy #
#-----------------------------------#
# Space separated attribute=value pairs; every check below compares by exact
# string equality against these values.
pre_rules='mindiff=4 minage=1 maxage=13 minlen=8 minalpha=2 histexpire=26 maxrepeats=2 histsize=4 maxexpired=2 minother=2 pwdwarntime=14 dictionlist=/usr/share/dict/words loginretries=5'
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "AIX_07 Password and account policy settings
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
fi
# Working copy of /etc/security/user without comment (leading '*') and empty lines.
# NOTE(review): the copy goes to a PID-derived, predictable name under /tmp with
# the default umask, and the redirection would follow a link that already exists
# at that path - a directory only the invoking user can write to would be safer.
sed -e '/^\*/d' -e '/^$/d' /etc/security/user >/tmp/etc_security_user_${TMP_FILE_INDEX}
default_values=""
# scan_individual: report how one user stanza compares with pre_rules.
# Arguments: $1 - stanza name as read from the file, $2 - "html" for report remarks
# Globals: pre_rules, user_attr_val, default_values (read); p_stat (written)
scan_individual()
{
trap 'main_exit' 1 2 3 15
user_names_one="${1}"
user_pre_rules_att_found="NO"
user_fine="YES"
echo "Checking Password Policy for user ${user_names_one}"
echo "-------------------------------------------------"
for pre_rules_att in ${pre_rules}
do
user_pre_rules_att_found=NO
# A stanza with no attributes of its own leaves the loop at once, so user_fine
# stays YES and the defaults are not consulted for that user here.
if [ -z "${user_attr_val}" ]
then
break
fi
for user_attr_val_att in ${user_attr_val}
do
user_pre_rule_var=`echo ${pre_rules_att} |awk -F "=" '{print $1}'`
user_pre_rule_val=`echo ${pre_rules_att} |awk -F "=" '{print $2}'`
user_default_var=`echo ${user_attr_val_att} |awk -F "=" '{print $1}'`
user_default_val=`echo ${user_attr_val_att} |awk -F "=" '{print $2}'`
if [ "${user_pre_rule_var}" == "${user_default_var}" ]
then
if [ ! -z "${user_default_val}" -a "${user_pre_rule_val}" == "${user_default_val}" ]
then
echo "\033[35m${user_pre_rule_var}\033[0m is \033[32mOK\033[0m"
else
echo "\033[35m${user_pre_rule_var}\033[0m is found in ${user_names_one} but value is \033[31mNOT OK\033[0m"
if [ "${2}" == "html" ]
then
echo "${user_pre_rule_var} is found in ${user_names_one} but value is NOT OK">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
user_fine="NO"
fi
user_pre_rules_att_found=YES
fi
done
if [ "${user_pre_rules_att_found}" == "NO" ]
then
# Check the user_pre_rule_var value is in default values
default_user_attr_found="NO"
for default_attr_val in ${default_values}
do
default_attr_val_var=`echo ${default_attr_val}|awk -F "=" '{print $1}'`
default_attr_val_val=`echo ${default_attr_val}|awk -F "=" '{print $2}'`
if [ "${default_attr_val_var}" == "${user_pre_rule_var}" ]
then
if [ "${default_attr_val_val}" == "${user_pre_rule_val}" ]
then
default_user_attr_found="OK"
elif [ "${default_attr_val_val}" != "${user_pre_rule_val}" ]
then
# NOTE(review): the message prints the expected value, not the attribute
# name - user_pre_rule_var looks like what was meant; confirm.
echo "Check default value for ${user_pre_rule_val}"
default_user_attr_found="OK"
user_fine="NO"
# NOTE(review): inside this function ${1} is the stanza name and the html
# flag is ${2} (see the test further up), so this branch and the one after
# the loop look unreachable: no remark is written and p_stat stays unchanged.
if [ "${1}" == "html" ]
then
echo "Check default value for ${user_pre_rule_val}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
fi
done
if [ "${default_user_attr_found}" == "NO" ]
then
echo "The attribute ${user_pre_rule_var} is not found default"
echo "Add this value in default first"
user_fine="NO"
if [ "${1}" == "html" ]
then
echo "The attribute ${user_pre_rule_var} is not found default">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "Add this value in default first">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
fi
done
if [ "${user_fine}" == "YES" ]
then
echo "\033[32mPolicy for user ${user_names_one} is fine\033[0m"
elif [ ${user_fine} == "NO" ]
then
echo "-------------------------------------------------"
echo "\033[31mReview password policy for user ${user_names_one}\033[0m"
fi
echo "-------------------------------------------------"
}
# get_user_attr: collect the attributes of one stanza into user_attr_val as
# space separated attr=value words.
# Arguments: $1 - stanza name including the trailing ':'
# Returns: 1 for an empty argument or for "default:"
# NOTE(review): the awk programs inside the two loops below have no closing
# single quote, and the line that ends the first loop has no '<' in front of
# the file name - the listing looks damaged at those places; verify against
# the original script before relying on it.
get_user_attr()
{
trap 'main_exit' 1 2 3 15
user_attr_val=""
# Check whether parameter passed is NULL or NOT
if [ -z ${1} ]
then
echo "Null value passed"
return 1
fi
if [ "${1}" == "default:" ]
then
return 1
fi
user_found=NULL
while read user_line
do
user_user_chk=`echo ${user_line} |grep :$`
if [ ! -z "${user_user_chk}" -a "${user_user_chk}" == "${1}" -a "${user_user_chk}" ]
then
user_found=OK
user_found_name=${user_user_chk}
elif [ ${user_found} == OK ]
then
if [ ! -z "${user_user_chk}" -a "${user_found_name}" != "${user_user_chk}" ]
then
break
fi
user_file_var=`echo ${user_line}|awk -F "=" '{print $1}`
user_file_var=`echo ${user_file_var}|sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
user_file_val=`echo ${user_line}|awk -F "=" '{print $2}`
user_file_val=`echo ${user_file_val}|sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
user_attr_val="${user_attr_val} ${user_file_var}=${user_file_val}"
fi
done/tmp/etc_security_user_${TMP_FILE_INDEX}
# NOTE(review): get_user_attr is not closed before this point, and the loop
# below ends in an output redirection followed by statements that use
# pre_rule_var and pre_rules_att_found, which nothing visible assigns.
# Presumably this is the remainder of the function that gathers the default:
# stanza into default_values and is called as "main user" further down - confirm.
found_user=NULL
while read line
do
star_chk=`echo ${line} |grep -v ^*`
user_chk=`echo ${line} |grep :$`
if [ ! -z ${star_chk} ]
then
if [ ! -z ${user_chk} ]
then
if [ ${found_user} != "OK" -a ${user_chk} == "default:" ]
then
found_user=OK
else
break
fi
elif [ ! -z ${line} ]
then
if [ ${found_user} == "OK" ]
then
var_name=`echo $line|awk -F "=" '{print $1}`
var_name_trim=`echo $var_name|sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
var_val=`echo $line|awk -F "=" '{print $2}`
var_val_trim=`echo $var_val|sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
line="${var_name_trim}=${var_val_trim}"
default_values="${default_values} ${line}"
fi
fi
fi
done>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
pre_rules_att_found=YES
fi
done
if [ ${pre_rules_att_found} == "NO" ]
then
echo "\033[35m${pre_rule_var}\033[0m is \033[31mNOT FOUND IN\033[0m \033[35mdefault\033[0m"
if [ "${2}" == "html" ]
then
echo "${pre_rule_var} is NOT FOUND IN default">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
done
echo "---------------------------------------------"
fi
}
# comp_user_attr: run get_user_attr and scan_individual for every stanza name
# (a line ending in ':') of the working copy, skipping "default:".
# Arguments: $1 - "html" to pass the report flag on to scan_individual
comp_user_attr()
{
trap 'main_exit' 1 2 3 15
user_names=`sed -n -e '/:$/p' /tmp/etc_security_user_${TMP_FILE_INDEX}`
for user_names_one in ${user_names}
do
if [ "${user_names_one}" == "default:" ]
then
continue
fi
get_user_attr ${user_names_one}
if [ "${1}" == "html" ]
then
scan_individual ${user_names_one} html
else
scan_individual ${user_names_one}
fi
done
}
if [ "${1}" == "html" ]
then
html_val="html"
fi
# Defaults first, then every individual stanza.
main user ${html_val}
comp_user_attr ${html_val}
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
fi
# Unlike the sibling checks, neither branch below appends the _tbl_auth_7
# remarks file to the combined remarks file or removes it.
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
fi
# The summary row goes to html_report.html in the current working directory.
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Password and account policy settings | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
tbl_auth_8()
{
#-------------------------------------------------------#
# Check whether any user has a blank password or no #
# password set #
# Arguments: $1 - "html" to also write report remarks #
#-------------------------------------------------------#
# NOTE(review): the lines from the first "done" onwards look damaged (two loop
# endings, the second fused with the "Back to Top" text), and the input
# redirection of the read loop is not visible; the banner printed below
# suggests /etc/security/passwd - confirm against the original script.
# NOTE(review): the remarks of this check are written to, appended from and
# removed as the _tbl_auth_7 file, not a _tbl_auth_8 file; presumably this is
# how the remarks left by the previous check reach the report - confirm.
trap 'main_exit' 1 2 3 15
tbl_auth 8
p_stat="TRUE"
echo "Reading /etc/security/passwd "
echo "============================="
echo "Password NOT set for below users"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "AIX_08 Accounts with empty passwords
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
fi
# A non-comment line ending in ':' sets the current user name; any other line
# is split at '=' into attribute (var_2) and value (var_3).
while read line
do
var_1=`echo ${line}|grep -v ^*|grep :$`
if [ ! -z ${var_1} ]
then
usr_nm=`echo "${line}"|grep :$|awk -F ":" '{ print $1}'`
else
var_2=`echo "${line}"|grep -v ^*|awk -F "=" '{ print $1}'`
# NOTE(review): there is no space before the closing bracket, so the shell
# sees no terminating ']' and the test errors out; the password comparison
# below then looks unreachable and no account would ever be reported.
# var_2 also keeps the blanks around the attribute name, so the unquoted
# expansion relies on word splitting.
if [ ! -z $var_2]
then
var_3=`echo "${line}"|awk -F "=" '{ print $2}'`
var_3=`echo "${var_3}" | sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
if [ ${var_2} == password ]
then
# Reported when the value is empty or a single '*'.
if [ -z "${var_3}" -o "${var_3}" == "*" ]
then
echo "\033[31m${usr_nm}\033[0m"
if [ "${1}" == "html" ]
then
echo "${usr_nm}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
fi
fi
fi
done >${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
p_stat="FALSE"
fi
fi
doneBack to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_7
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Accounts with empty passwords | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
tbl_auth_9()
{
#-----------------------------------------------------------------#
# Check for more than one super user: report every account other #
# than root whose UID field is 0 #
# Arguments: $1 - "html" to also write report remarks #
#-----------------------------------------------------------------#
# NOTE(review): the line that ends the read loop is fused with the "Back to
# Top" text, so the loop's input file and the start of the html block are not
# visible; fields 1 and 3 of a ':' separated line suggest /etc/passwd - confirm.
trap 'main_exit' 1 2 3 15
tbl_auth 9
p_stat="TRUE"
# flg is set to 1 on a finding but is not read anywhere in this function.
flg=0
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
echo "AIX_09 Accounts with root UID
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
fi
while read line
do
uid_val=`echo "${line}"|awk -F ":" '{print $3}'`
uid_nm=`echo "${line}"|awk -F ":" '{print $1}'`
# NOTE(review): both expansions are unquoted, so a line without these fields
# makes the test fail with an error and the line is skipped. The comparison
# is textual, so a UID written as 00 would not match - verify whether the
# platform accepts such entries.
if [ ${uid_val} == 0 -a ${uid_nm} != root ]
then
# NOTE(review): the finding is printed with the green escape (32) that the
# other checks use for passing results; the red one (31) was presumably meant.
echo "\033[32mUID is zero for ${uid_nm} \033[0m"
flg=1
if [ "${1}" == "html" ]
then
echo "UID is zero for ${uid_nm}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
p_stat="FALSE"
fi
fi
doneBack to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_9
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Accounts with root UID | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
tbl_auth_10()
{
#------------------------------------------------------------#
# Check for systems default UMASK value: report every stanza #
# of /etc/security/user whose umask is not 22 or 022 #
# Arguments: $1 - "html" to also write report remarks #
#------------------------------------------------------------#
# NOTE(review): the line that ends the read loop is fused with the "Back to
# Top" text, so the loop's input file is not visible; presumably it is the
# /tmp/sec_usr_$$.log copy made below - confirm.
trap 'main_exit' 1 2 3 15
# flg is set to 1 on a finding but is not read anywhere in this function.
flg=0
tbl_auth 10
p_stat="TRUE"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
echo "AIX_10 System UMASK value
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
fi
# Copy of /etc/security/user without the comment lines.
# NOTE(review): predictable, PID-derived name under /tmp; the redirection would
# follow a link that already exists at that path, and nothing visible in this
# function removes the copy afterwards.
cat /etc/security/user |grep -v ^* >/tmp/sec_usr_$$.log
# A line ending in ':' sets the current stanza name; any other line is split
# at '=' into attribute (var_2) and value (var_3).
while read line
do
var_1=`echo ${line}|grep :$`
if [ ! -z ${var_1} ]
then
usr_nm=`echo "${line}"|grep :$|awk -F ":" '{ print $1}'`
else
var_2=`echo "${line}"|awk -F "=" '{ print $1}'`
# NOTE(review): there is no space before the closing bracket, so the shell
# sees no terminating ']' and the test errors out; the umask comparison
# below then looks unreachable and no stanza would ever be reported.
if [ ! -z $var_2]
then
var_3=`echo "${line}"|awk -F "=" '{ print $2}'`
var_3=`echo "${var_3}" | sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'`
if [ ${var_2} == umask ]
then
# Any value other than 22 or 022 is reported, which includes stricter
# masks such as 027 or 077.
if [ ${var_3} != 22 -a ${var_3} != 022 ]
then
echo "\033[31mUMASK not 022 for ${usr_nm}\033[0m"
flg=1
if [ "${1}" == "html" ]
then
echo "UMASK not 022 for ${usr_nm}">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
p_stat="FALSE"
fi
fi
fi
fi
fi
done Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_10
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "System UMASK value | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
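tbl_auth_11()
{
#-----------------------------------------------------------------#
# Check login banners
# Looks in /etc/security/login.cfg for a non-comment herald line
# that contains the sentence
# "This system is for the use of authorized users only."
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
# html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
#-----------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 11
p_stat="TRUE"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
echo "AIX_11 Login Banners
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
fi
# The comment pattern is quoted so the shell cannot expand it as a glob.
banner_org=`cat /etc/security/login.cfg|grep -v '^\*'|grep herald|grep "This system is for the use of authorized users only."`
# A matching herald line is several words long. Left unquoted it splits into
# several arguments, the test ends in an error and a correct banner is
# reported as NOT OK, so the expansion has to be quoted.
if [ -n "${banner_org}" ]
then
echo "\033[32m* Banner is OK\033[0m"
else
echo "\033[31m* Banner is NOT OK\033[0m"
if [ "${1}" == "html" ]
then
echo "Banner is NOT OK">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
p_stat="FALSE"
fi
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
fi
# p_stat only turns FALSE in html mode, so the remarks file exists whenever
# it is appended to the combined remarks file here.
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_11
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Login Banners | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}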
#==========================================================================#
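tbl_auth_12()
{
#-------------------------------------------------------------#
# Check snmp service and its settings
# Reports an active "community ... readWrite" line in
# /etc/snmpd.conf and lists the commented-out ones. Only the
# configuration file is read; whether the daemon is running is
# not checked here.
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
# html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
#-------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 12
p_stat="TRUE"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
echo "AIX_12 SNMP Service settings
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
fi
snmp_ena=`cat /etc/snmpd.conf|grep readWrite|grep '^community'`
snmp_dis=`cat /etc/snmpd.conf|grep readWrite|grep '^#community'`
# The result of the active-line search is what has to be tested: the variable
# tested before was never assigned, so a writable community was never reported.
# Quoted because a matching line is several words long.
if [ -n "${snmp_ena}" ]
then
echo "\033[31mSNMP Service enabled in config file with readWrite community\033[0m"
if [ "${1}" == "html" ]
then
echo "SNMP Service enabled in config file with readWrite community">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
p_stat="FALSE"
fi
fi
if [ -n "${snmp_dis}" ]
then
echo "\033[32mFollowing commented lines found in /etc/snmpd.conf"
# The lines shown here include the community names they define.
cat /etc/snmpd.conf|grep readWrite|grep '^#community'
echo "\033[0m"
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
fi
# p_stat only turns FALSE in html mode, so the remarks file exists whenever
# it is appended to the combined remarks file here.
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_12
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "SNMP Service settings | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}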
#==========================================================================#
#***************************************************************************
# Second part starts *
#***************************************************************************
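tbl_auth_13()
{
#-----------------------------------------------------------------#
# Only root user can make changes to password and group files
# Compares the mode string printed by ls for /etc/passwd and
# /etc/group with -rw-r--r-- and for /etc/security with drwxr-x---.
# NOTE(review): only the mode is compared; owner and group of the
# three paths are not looked at, so a file with the expected mode
# but another owner still passes.
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); per_val, p_stat,
# html_stat, html_tr_cl, rm_msg, stat_ln, stat_ln_e (written)
#-----------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 13
per_val=`ls -ld /etc/passwd|awk '{print $1}'`
p_stat="TRUE"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "AIX_13 Password and Group file permissions
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
fi
# per_val is quoted in every comparison: when ls prints nothing the test is a
# clean mismatch instead of a test syntax error.
if [ "${per_val}" = '-rw-r--r--' ]
then
echo "\033[32mPassword file is Ok\033[0m"
else
echo "\033[31mPassword file Not OK\033[0m"
if [ "${1}" == "html" ]
then
echo "Password file(/etc/passwd) Not OK" >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
p_stat="FALSE"
fi
fi
per_val=`ls -ld /etc/group|awk '{print $1}'`
if [ "${per_val}" = '-rw-r--r--' ]
then
echo "\033[32mGroup file is Ok\033[0m"
else
echo "\033[31mGroup file is Not OK\033[0m"
if [ "${1}" == "html" ]
then
echo "Group file(/etc/group) is Not OK" >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
p_stat="FALSE"
fi
fi
per_val=`ls -ld /etc/security|awk '{print $1}'`
if [ "${per_val}" = 'drwxr-x---' ]
then
echo "\033[32mSecurity directory is Ok\033[0m"
else
echo "\033[31mSecurity directory is Not OK\033[0m"
if [ "${1}" == "html" ]
then
echo "Security directory is Not OK" >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
p_stat="FALSE"
fi
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
fi
# p_stat only turns FALSE in html mode, so the remarks file exists whenever
# it is appended to the combined remarks file here.
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_13
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Password and Group file permissions | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}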
#==========================================================================#
tbl_auth_14()
{
#------------------------------------------------------------------#
# No other user can delete any files in a world writable directory
# that was owned by a different user
# The check reads the mode string of /tmp and passes when it ends
# in 't'. /tmp is the only directory examined.
# Arguments: $1 - "html" to also write remarks and a report row
#------------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 14
p_stat="TRUE"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
echo "AIX_14 Sticky bit on world writable dirs
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
fi
# Keep the mode only when its last character is a lower case t.
stk_bit=""
case "$(ls -ld /tmp | awk '{print $1}')" in
*t) stk_bit=$(ls -ld /tmp | awk '{print $1}') ;;
esac
if [ -z "${stk_bit}" ]
then
echo "\033[31mSticky bit is not enabled for /tmp\033[0m"
if [ "${1}" == "html" ]
then
echo "Sticky bit is not enabled for /tmp">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
p_stat="FALSE"
fi
else
echo "\033[32mSticky bit is enabled for /tmp\033[0m"
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
fi
# Status values for the report row; the remarks file is merged into the
# combined remarks only when the check failed and is removed either way.
if [ "${p_stat}" = "TRUE" ]
then
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
else
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_14
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Sticky bit on world writable dirs | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}
#==========================================================================#
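tbl_auth_15()
{
#--------------------------------------------------------------------#
# Find out which files have SUID permissions(Very important rule)
# Lists every regular file with the set-user-id bit into
# /tmp/suid_harden_<pid>.log; in html mode each entry outside /proc
# is added to the report remarks and the check is marked failed.
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); suid_list,
# suid_list_ok, p_stat, html_stat, html_tr_cl, rm_msg, stat_ln,
# stat_ln_e (written)
#--------------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 15
p_stat="TRUE"
suid_list="/tmp/suid_harden_$$.log"
suid_list_ok="NO"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "AIX_15 Unauthorized SUID system executables
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
fi
echo "The file list will be in /tmp/suid_harden_$$.log"
# The list name is predictable and /tmp is writable by every user. Whatever
# already sits at that path is removed and the file is then created with
# noclobber, so the shell refuses to write through a pre-existing file or
# link (this relies on the shell creating the file exclusively).
rm -f "${suid_list}"
if ( set -o noclobber; : >"${suid_list}" ) 2>/dev/null
then
suid_list_ok="YES"
find / -type f \( -perm -04000 \) -exec ls {} \; >>"${suid_list}"
else
# Fail closed: a scan that could not run must not be reported as clean.
echo "\033[31mCould not create ${suid_list}, SUID scan skipped\033[0m"
if [ "${1}" == "html" ]
then
echo "SUID scan skipped, list file could not be created">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
p_stat="FALSE"
fi
fi
if [ "${suid_list_ok}" = "YES" ] && [ -s "${suid_list}" ]
then
if [ "${1}" == "html" ]
then
echo "Some files have SUID attribute on">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
# One path per line: names containing blanks stay intact.
while IFS= read -r file_nm_suid
do
case "${file_nm_suid}" in
""|/proc*) continue ;;
esac
# Path names can be chosen by any user who may create files, so the markup
# characters are escaped before the name goes into the HTML remarks.
printf '%s\n' "${file_nm_suid}" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
done <"${suid_list}"
p_stat="FALSE"
fi
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_15
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Unauthorized SUID system executables | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}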
#==========================================================================#
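tbl_auth_16()
{
#--------------------------------------------------------------------#
# Find out which files have SGID permissions(Very important rule)
# Lists every regular file with the set-group-id bit into
# /tmp/sgid_harden_<pid>.log; in html mode each entry outside /proc
# is added to the report remarks and the check is marked failed.
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); sgid_list,
# sgid_list_ok, p_stat, html_stat, html_tr_cl, rm_msg, stat_ln,
# stat_ln_e (written)
#--------------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 16
p_stat="TRUE"
sgid_list="/tmp/sgid_harden_$$.log"
sgid_list_ok="NO"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "AIX_16 Unauthorized SGID system executables
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
fi
echo "The file list will be in /tmp/sgid_harden_$$.log"
# The list name is predictable and /tmp is writable by every user. Whatever
# already sits at that path is removed and the file is then created with
# noclobber, so the shell refuses to write through a pre-existing file or
# link (this relies on the shell creating the file exclusively).
rm -f "${sgid_list}"
if ( set -o noclobber; : >"${sgid_list}" ) 2>/dev/null
then
sgid_list_ok="YES"
find / -type f \( -perm -02000 \) -exec ls {} \; >>"${sgid_list}"
else
# Fail closed: a scan that could not run must not be reported as clean.
echo "\033[31mCould not create ${sgid_list}, SGID scan skipped\033[0m"
if [ "${1}" == "html" ]
then
echo "SGID scan skipped, list file could not be created">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
p_stat="FALSE"
fi
fi
if [ "${sgid_list_ok}" = "YES" ] && [ -s "${sgid_list}" ]
then
if [ "${1}" == "html" ]
then
echo "Some Files Have SGID attribute ON">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
# One path per line: names containing blanks stay intact.
while IFS= read -r file_nm_sgid
do
case "${file_nm_sgid}" in
""|/proc*) continue ;;
esac
# Path names can be chosen by any user who may create files, so the markup
# characters are escaped before the name goes into the HTML remarks.
printf '%s\n' "${file_nm_sgid}" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
done <"${sgid_list}"
p_stat="FALSE"
fi
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_16
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Unauthorized SGID system executables | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}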
#==========================================================================#
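tbl_auth_17()
{
#--------------------------------------------------------------#
# Find out un-owned files and directories
# Lists every path whose owner has no account (find -nouser) into
# /tmp/noon_harden_<pid>.log; in html mode each entry outside
# /proc is added to the report remarks and the check is marked
# failed.
# Arguments: $1 - "html" to also write remarks and a report row
# Globals: HTML_FILE_REM, TMP_FILE_INDEX (read); noon_list,
# noon_list_ok, p_stat, html_stat, html_tr_cl, rm_msg, stat_ln,
# stat_ln_e (written)
#--------------------------------------------------------------#
trap 'main_exit' 1 2 3 15
tbl_auth 17
p_stat="TRUE"
noon_list="/tmp/noon_harden_$$.log"
noon_list_ok="NO"
if [ "${1}" == "html" ]
then
echo "">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "AIX_17 Unowned files and Directories
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
fi
echo "The file list will be in /tmp/noon_harden_$$.log"
# The list name is predictable and /tmp is writable by every user. Whatever
# already sits at that path is removed and the file is then created with
# noclobber, so the shell refuses to write through a pre-existing file or
# link (this relies on the shell creating the file exclusively).
rm -f "${noon_list}"
if ( set -o noclobber; : >"${noon_list}" ) 2>/dev/null
then
noon_list_ok="YES"
find / -nouser -print >>"${noon_list}"
else
# Fail closed: a scan that could not run must not be reported as clean.
echo "\033[31mCould not create ${noon_list}, unowned file scan skipped\033[0m"
if [ "${1}" == "html" ]
then
echo "Unowned file scan skipped, list file could not be created">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
p_stat="FALSE"
fi
fi
if [ "${noon_list_ok}" = "YES" ] && [ -s "${noon_list}" ]
then
if [ "${1}" == "html" ]
then
echo "Some files have No Ownership">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
# One path per line: names containing blanks stay intact.
while IFS= read -r file_nm_noon
do
case "${file_nm_noon}" in
""|/proc*) continue ;;
esac
# Path names can be chosen by any user who may create files, so the markup
# characters are escaped before the name goes into the HTML remarks.
printf '%s\n' "${file_nm_noon}" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' >>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
done <"${noon_list}"
p_stat="FALSE"
fi
fi
if [ "${1}" == "html" ]
then
echo "Back to Top">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
echo "
">>${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
fi
if [ "${p_stat}" != "TRUE" ]
then
html_stat="ERROR"
html_tr_cl="red"
rm_msg="Click Here For Details"
stat_ln=""
stat_ln_e=""
cat ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17 >>${HTML_FILE_REM}_${TMP_FILE_INDEX}
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
else
html_stat="OK"
html_tr_cl="green"
rm_msg="Everything is Fine"
stat_ln=""
stat_ln_e=""
rm -f ${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_17
fi
if [ "${1}" == "html" ]
then
echo "">>html_report.html
echo "Unowned files and Directories | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
echo "
">>html_report.html
fi
}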
#==========================================================================#
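tbl_auth_18()
{
  #-------------------------------------------------------------------#
  # AIX_18: which users can create and modify CRON and AT jobs.
  # Flags cron.deny / at.deny when they exist, and requires cron.allow
  # and at.allow to exist and to hold the single entry "root".
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, cron_root, at_root,
  #            rem_file (written)
  # Note: p_stat is only set to FALSE inside the html branches, so it
  # drives the HTML status row and nothing else.
  # NOTE(review): rem_file is built from a fixed /tmp prefix plus the
  # PID, so its name is predictable. If this audit is run as root,
  # prefer a private directory from mktemp -d (umask 077) so the appends
  # below cannot be redirected through a pre-created link.
  #-------------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 18
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_18"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_18 CRON and AT permission
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  if [ -f '/var/adm/cron/cron.deny' ]
  then
    echo "\033[31m/var/adm/cron/cron.deny file exists\033[0m"
    if [ "${1}" = "html" ]
    then
      # The report used to say "not exists" here, although this is the
      # branch taken when the file was found.
      echo "/var/adm/cron/cron.deny file exists">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32m/var/adm/cron/cron.deny file not exists\033[0m"
  fi
  if [ -f '/var/adm/cron/at.deny' ]
  then
    echo "\033[31m/var/adm/cron/at.deny file exists\033[0m"
    if [ "${1}" = "html" ]
    then
      # Same wording fix as for cron.deny above.
      echo "/var/adm/cron/at.deny file exists">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32m/var/adm/cron/at.deny file not exists\033[0m"
  fi
  echo "---------------------------------------"
  if [ -f '/var/adm/cron/cron.allow' ]
  then
    echo "\033[32m/var/adm/cron/cron.allow file exists\033[0m"
    # Blank lines and surrounding blanks are dropped so a padded "root"
    # still counts as the single expected entry; anything else (empty
    # file, extra users) compares unequal instead of breaking the test.
    cron_root=$(awk 'NF { $1 = $1; print }' /var/adm/cron/cron.allow)
    if [ "${cron_root}" = 'root' ]
    then
      echo "\033[32mCRON allowed for root only\033[0m"
    else
      echo "\033[31mUnusual entry in /var/adm/cron/cron.allow\033[0m"
      if [ "${1}" = "html" ]
      then
        echo "Unusual entry in /var/adm/cron/cron.allow">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    fi
  else
    echo "\033[31m/var/adm/cron/cron.allow file not exists\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "/var/adm/cron/cron.allow file not exists">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  echo "---------------------------------------"
  if [ -f '/var/adm/cron/at.allow' ]
  then
    echo "\033[32m/var/adm/cron/at.allow file exists\033[0m"
    at_root=$(awk 'NF { $1 = $1; print }' /var/adm/cron/at.allow)
    if [ "${at_root}" = 'root' ]
    then
      echo "\033[32mAT allowed for root only\033[0m"
    else
      echo "\033[31mUnusual entry in /var/adm/cron/at.allow\033[0m"
      if [ "${1}" = "html" ]
      then
        echo "Unusual entry in /var/adm/cron/at.allow">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    fi
  else
    echo "\033[31m/var/adm/cron/at.allow file not exists\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "/var/adm/cron/at.allow file not exists">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Findings are appended to the shared remarks file only when a check
  # failed; the per-policy scratch file is removed either way.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "CRON and AT permission | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}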
#==========================================================================#
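tbl_auth_19()
{
  #-------------------------------------------------------------------#
  # AIX_19: ownership and permissions of the crontab files.
  # Every entry listed by "ls -l /var/spool/cron/crontabs" must be owned
  # by root and carry the mode string -rwxrwx---.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, cron_own,
  #            cron_perm, rem_file (written)
  # NOTE(review): unlike its siblings this check never calls
  # "tbl_auth 19" - confirm whether that is intentional.
  #-------------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_19"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_19 Insecure permission on crontab files
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Owners other than root. The "total N" line has no third field and is
  # skipped. The owner is compared exactly, so a name that merely
  # contains "root" is no longer filtered out as if it were root.
  cron_own=$(ls -l /var/spool/cron/crontabs | awk 'NF >= 3 && $3 != "root" { print $3 }')
  # Quoted on purpose: with two or more offending owners the unquoted
  # test failed with a syntax error and fell through to the "is root"
  # branch, reporting a clean result.
  if [ -n "${cron_own}" ]
  then
    echo "\033[31mCheck ownership of files inside /var/spool/cron/crontabs\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check ownership of files inside /var/spool/cron/crontabs">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mOwnership of files in /var/spool/cron/crontabs is root\033[0m"
  fi
  # Mode strings that do not contain -rwxrwx--- ("total" line dropped).
  cron_perm=$(ls -l /var/spool/cron/crontabs | awk '{print $1}' | grep -v -e '-rwxrwx---' | grep -v total)
  if [ -n "${cron_perm}" ]
  then
    echo "\033[31mCheck permission of files inside /var/spool/cron/crontabs\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check permission of files inside /var/spool/cron/crontabs">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mPermissions of files in /var/spool/cron/crontabs is 770\033[0m"
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Insecure permission on crontab files | ${html_stat} | ${rm_msg} | " >>html_report.html
    echo "
">>html_report.html
  fi
}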
#==========================================================================#
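tbl_auth_20()
{
  #------------------------------------------------------------------#
  # AIX_20: ownership and permission of network configuration files
  #   a) /etc/rc.tcpip
  #   b) /etc/rc.net
  # Each must be owned by root with the mode string -rwx------.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, rc_tcpip, rc_net,
  #            rc_tcpip_perm, rc_net_perm, rem_file (written)
  #------------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 20
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_20"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_20 Permission on network configuration files
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  rc_tcpip=$(ls -l /etc/rc.tcpip | awk '{print $3}')
  rc_net=$(ls -l /etc/rc.net | awk '{print $3}')
  rc_tcpip_perm=$(ls -l /etc/rc.tcpip | awk '{print $1}')
  rc_net_perm=$(ls -l /etc/rc.net | awk '{print $1}')
  # As in the original guard, an empty owner (ls produced nothing) is
  # not reported here; the permission checks below catch that case.
  if [ -n "${rc_tcpip}" ] && [ "${rc_tcpip}" != 'root' ]
  then
    echo "\033[31mCheck ownership of /etc/rc.tcpip\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check ownership of /etc/rc.tcpip">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mOwnership of /etc/rc.tcpip is root\033[0m"
  fi
  if [ -n "${rc_net}" ] && [ "${rc_net}" != 'root' ]
  then
    echo "\033[31mCheck ownership of /etc/rc.net\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check ownership of /etc/rc.net">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mOwnership of /etc/rc.net is root\033[0m"
  fi
  # Quoted on purpose: an empty mode string (file missing or unreadable)
  # made the unquoted test fail with a syntax error and fall through to
  # the "is 700" branch; it now compares unequal and is reported.
  if [ "${rc_tcpip_perm}" != '-rwx------' ]
  then
    echo "\033[31mCheck permission of /etc/rc.tcpip\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check permission of /etc/rc.tcpip">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mPermission of /etc/rc.tcpip is 700\033[0m"
  fi
  if [ "${rc_net_perm}" != '-rwx------' ]
  then
    echo "\033[31mCheck permission of /etc/rc.net\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Check permission of /etc/rc.net">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  else
    echo "\033[32mPermission of /etc/rc.net is 700\033[0m"
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Permission on network configuration files | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}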
#==========================================================================#
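tbl_auth_21()
{
  #-------------------------------------------------------------------#
  # AIX_21: user home directory permissions.
  # Every directory directly under /home (except lost+found) must show
  # the mode string drwxr-x---, so no user can enter another user's home.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, flg,
  #            html_stat, html_tr_cl, rm_msg, stat_ln, stat_ln_e, x,
  #            hom_dir, home_path, rem_file (written)
  # Note: the comparison is exact, so a stricter mode such as drwx------
  # is reported as well.
  #-------------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 21
  flg=0
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_21"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_21 Permission on user home directories
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Glob instead of parsing "ls /home": names containing blanks stay one
  # word. With no entries the pattern stays literal and fails the -d test.
  for home_path in /home/*
  do
    x=${home_path##*/}
    if [ -d "${home_path}" ] && [ "${x}" != 'lost+found' ]
    then
      hom_dir=$(ls -ld "${home_path}" | awk '{ print $1}')
      if [ "${hom_dir}" = 'drwxr-x---' ]
      then
        echo "\033[32m/home/$x - 750\033[0m"
      else
        echo "\033[31mCheck permission of /home/$x\033[0m"
        flg=1
        if [ "${1}" = "html" ]
        then
          echo "Check permission of /home/${x}">>"${rem_file}"
          echo "
">>"${rem_file}"
          p_stat="FALSE"
        fi
      fi
    fi
  done
  if [ "${flg}" -eq 0 ]
  then
    echo "\033[32mAll directories in /home are with permission 750\033[0m"
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Permission on user home directories | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}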
#==========================================================================#
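tbl_auth_22()
{
  #------------------------------------------------------------#
  # AIX_22: permission on log files.
  # For each file in files_list, characters 8-9 of the "ls -l" mode
  # string (read/write for "other") must be "--". A listed file that
  # does not exist is recorded as an exception in html mode.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, files_list,
  #            file_nm, ans, rw_val, rem_file (written)
  # Note: group bits and the other-execute bit are not examined.
  #------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 22
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_22"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_22 Permission on log files
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  #------------------------------------------------------------#
  # More files can be added here.
  # MUST BE WHITE SPACE SEPARATED
  #------------------------------------------------------------#
  files_list="/smit.log /var/adm/cron/log /var/tmp/dpid2.log /var/tmp/hostmidb.log /var/tmp/snmpd.log /var/ct/RMstart.log /var/adm/sulog /var/adm/authlog /var/adm/syslog"
  # Unquoted on purpose: the list is split on white space.
  for file_nm in ${files_list}
  do
    if [ -f "${file_nm}" ]
    then
      ans=$(ls -l "${file_nm}" | awk '{print $1}')
      rw_val=$(expr substr "${ans}" 8 2)
      if [ "${rw_val}" = '--' ]
      then
        echo "\033[32mFile permission of $file_nm is OK\033[0m"
      else
        echo "\033[31mFile permission of $file_nm is NOT OK\033[0m"
        if [ "${1}" = "html" ]
        then
          echo "File permission of ${file_nm} is NOT OK">>"${rem_file}"
          echo "
">>"${rem_file}"
          p_stat="FALSE"
        fi
      fi
    else
      echo "File ${file_nm} not exists"
      if [ "${1}" = "html" ]
      then
        echo "File ${file_nm} not exists">>"${rem_file}"
        echo "
">>"${rem_file}"
        # A missing file never downgrades an already recorded failure.
        if [ "${p_stat}" != "FALSE" ]
        then
          p_stat="EXCEPTION"
        fi
      fi
    fi
  done
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  if [ "${p_stat}" = "FALSE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  elif [ "${p_stat}" = "EXCEPTION" ]
  then
    # Spelled "EXCEPTION" like the status written by the other policies
    # in this file (it was "EXEPTION" in this one row only).
    html_stat="EXCEPTION"
    html_tr_cl="magenta"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Permission on log files | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}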
#==========================================================================#
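tbl_auth_23()
{
  #------------------------------------------------------------#
  # AIX_23: what syslogd is configured to write, and to where.
  # Checks, when the files exist, that /var/adm/syslog is root:system
  # with mode -rw-r----- and /var/adm/authlog has mode -rw-------;
  # then that /etc/syslog.conf sends "*.info;auth.none" to
  # /var/adm/syslog and "auth.info" to /var/adm/authlog.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, auth_info,
  #            auth_info_v1, auth_info_v2, rem_file (written)
  #------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 23
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_23"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_23 Message send to syslog
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  if [ -f /var/adm/syslog ]
  then
    if [ "$(ls -l /var/adm/syslog | awk '{print $3"-"$4}')" != 'root-system' ]
    then
      echo "\033[31mOwnership of /var/adm/syslog is not ok\033[0m"
      if [ "${1}" = "html" ]
      then
        echo "Ownership of /var/adm/syslog is not ok">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    else
      echo "\033[32mOwnership of /var/adm/syslog is ok\033[0m"
    fi
    if [ "$(ls -l /var/adm/syslog | awk '{print $1}')" != '-rw-r-----' ]
    then
      echo "\033[31mPermission of /var/adm/syslog is not ok\033[0m"
      if [ "${1}" = "html" ]
      then
        echo "Permission of /var/adm/syslog is not ok">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    else
      echo "\033[32mPermission of /var/adm/syslog is ok\033[0m"
    fi
  fi
  if [ -f /var/adm/authlog ]
  then
    if [ "$(ls -l /var/adm/authlog | awk '{print $1}')" != '-rw-------' ]
    then
      echo "\033[31mPermission of /var/adm/authlog is not ok\033[0m"
      if [ "${1}" = "html" ]
      then
        echo "Permission of /var/adm/authlog is not ok">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    else
      echo "\033[32mPermission of /var/adm/authlog is ok\033[0m"
    fi
  fi
  # The selector starts with "*". It is kept quoted all the way through:
  # expanded unquoted it is a glob pattern, so a matching file name in
  # the current directory would replace it and fail the comparison.
  # Only the first matching line is examined, as before.
  auth_info=$(cat /etc/syslog.conf | grep -v '^#' | grep "*.info;auth.none")
  auth_info_v1=$(printf '%s\n' "${auth_info}" | awk 'NR == 1 {print $1}')
  auth_info_v2=$(printf '%s\n' "${auth_info}" | awk 'NR == 1 {print $2}')
  if [ "${auth_info_v1}" = "*.info;auth.none" ] && [ "${auth_info_v2}" = "/var/adm/syslog" ]
  then
    echo "\033[32mLoging enabled for *.info;auth.none to /var/adm/syslog\033[0m"
  else
    echo "\033[31mLoging not enabled in /var/adm/syslog\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Loging not enabled in /var/adm/syslog">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  auth_info=$(cat /etc/syslog.conf | grep -v '^#' | grep "auth.info")
  auth_info_v1=$(printf '%s\n' "${auth_info}" | awk 'NR == 1 {print $1}')
  auth_info_v2=$(printf '%s\n' "${auth_info}" | awk 'NR == 1 {print $2}')
  if [ "${auth_info_v1}" = "auth.info" ] && [ "${auth_info_v2}" = "/var/adm/authlog" ]
  then
    echo "\033[32mLoging enabled for auth.info to /var/adm/authlog\033[0m"
  else
    echo "\033[31mLoging not enabled in /var/adm/authlog\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Loging not enabled in /var/adm/authlog">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Message send to syslog | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}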
#==========================================================================#
tbl_auth_24()
{
  #------------------------------------------------------------#
  # AIX_24: remote logging using syslog - placeholder, no check is
  # performed. Prints "Not Implemented"; in html mode it also files a
  # fixed remark and an EXCEPTION row in html_report.html.
  # Arguments: $1 - "html" to write the report entries
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written, html
  #            mode only)
  #------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 24
  echo "Not Implemented"
  # Nothing else to do outside html mode.
  if [ "${1}" != "html" ]
  then
    return 0
  fi
  {
    echo ""
    echo "AIX_24 Remote logging using syslog
"
    echo "
"
    echo "Remote logging server must be configured before implemeting this policy"
    echo "
"
    echo "The policy checking is not yet implemented"
    echo "May be next time..."
    echo "
"
    echo "Back to Top"
    echo "
"
  } >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_24"
  html_stat="EXCEPTION"
  html_tr_cl="magenta"
  rm_msg="Click Here For Details"
  stat_ln=""
  stat_ln_e=""
  # Move the remark into the shared remarks file and drop the scratch copy.
  cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_24" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
  rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_24"
  {
    echo ""
    echo "Remote logging using syslog | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | "
    echo "
"
  } >>html_report.html
}
#==========================================================================#
tbl_auth_25()
{
  #------------------------------------------------------------#
  # AIX_25: kernel level auditing - placeholder, no check is performed.
  # Prints "Not Implemented"; in html mode it also files a fixed remark
  # and an EXCEPTION row in html_report.html.
  # Arguments: $1 - "html" to write the report entries
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written, html
  #            mode only)
  #------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 25
  echo "Not Implemented"
  # Nothing else to do outside html mode.
  if [ "${1}" != "html" ]
  then
    return 0
  fi
  {
    echo ""
    echo "AIX_25 Kernel level auditing
"
    echo "The policy checking is not yet implemented"
    echo "May be next time..."
    echo "
"
    echo "Back to Top"
    echo "
"
  } >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_25"
  html_stat="EXCEPTION"
  html_tr_cl="magenta"
  rm_msg="Click Here For Details"
  stat_ln=""
  stat_ln_e=""
  # Move the remark into the shared remarks file and drop the scratch copy.
  cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_25" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
  rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_25"
  {
    echo ""
    echo "Kernel level auditing | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | "
    echo "
"
  } >>html_report.html
}
#==========================================================================#
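tbl_auth_26()
{
  #--------------------------------------------------------------------#
  # AIX_26: non-essential services.
  # Reports every service from the three lists below that is still
  # enabled in /etc/inetd.conf, /etc/rc.tcpip or /etc/inittab.
  # Be careful while choosing services: one service may depend on
  # another, e.g. "nfs" depends on "portmap".
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX, src_running (read);
  #            p_stat, flg, html_stat, html_tr_cl, rm_msg, stat_ln,
  #            stat_ln_e, sev_list, file_srv_list, serv_nm, serv_nm_fl,
  #            x, y, rem_file and the loop variables (written)
  #--------------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 26
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_26"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_26 Non essential services
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  echo "Checking /etc/inetd.conf"
  #-------------------------------------------------------------------#
  # Services can be added or removed here for /etc/inetd.conf
  #-------------------------------------------------------------------#
  sev_list='ftp telnet shell kshell login klogin exec echo discard chargen daytime time ttdbserver dtspc ntalk rstatd rusersd rwalld sprayd pcnfsd cmsd tftp rquotd'
  # First field of every line that does not start with "#".
  file_srv_list=$(cat /etc/inetd.conf | grep -v '^#' | awk '{ print $1 }')
  for cmp_srv in ${file_srv_list}
  do
    flg=0
    for cmp_srv_1 in ${sev_list}
    do
      if [ "${cmp_srv_1}" = "${cmp_srv}" ]
      then
        echo "\033[31mService \033[35m$cmp_srv\033[31m is not disabled\033[0m"
        flg=1
        if [ "${1}" = "html" ]
        then
          echo "Service ${cmp_srv} is not disabled in /etc/inetd.conf">>"${rem_file}"
          echo "
">>"${rem_file}"
          p_stat="FALSE"
        fi
      fi
    done
  done
  echo "Checking /etc/rc.tcpip"
  # NOTE(review): the original wrote \$src_running inside backticks,
  # where the backslash is consumed, so the shell variable src_running
  # was expanded rather than matched literally. Nothing visible here
  # sets it, so the pattern presumably reduces to '"$' (lines ending in
  # a double quote). That effective behaviour is kept; confirm before
  # tightening it, since "start" lines with trailing arguments also end
  # in a quote.
  serv_nm_fl=$(cat /etc/rc.tcpip | grep "${src_running}"'"$' | grep '^start' | awk '{print $2}')
  #-------------------------------------------------------------------#
  # Services can be added or removed here for /etc/rc.tcpip
  #-------------------------------------------------------------------#
  serv_nm='sendmail routed gated named timed rwhod mrouted snmpd hostmibd dpid2 lpd portmap autoconf6'
  for srv_nm_1 in ${serv_nm_fl}
  do
    for srv_nm_2 in ${serv_nm}
    do
      # ${srv_nm_1##*/} is the daemon's base name, without a basename
      # process per comparison.
      if [ "${srv_nm_1##*/}" = "${srv_nm_2}" ]
      then
        echo "\033[31mService \033[35m$srv_nm_2\033[31m is not disabled\033[0m"
        if [ "${1}" = "html" ]
        then
          echo "Service ${srv_nm_2} is not disabled in /etc/rc.tcpip">>"${rem_file}"
          echo "
">>"${rem_file}"
          p_stat="FALSE"
        fi
      fi
    done
  done
  echo "Checking /etc/inittab"
  # Identifier (first ":" field) of every line not starting with "#" or
  # "*". The patterns are quoted so the shell cannot expand them as file
  # name patterns before grep sees them.
  x=$(cat /etc/inittab | grep -v '^#' | grep -v '^*' | awk -F ":" '{print $1}' | grep -v '^$')
  #-------------------------------------------------------------------#
  # Services can be added or removed here for /etc/inittab
  #-------------------------------------------------------------------#
  y='piobe writesrv i4ls httpdlite'
  for init_srv in ${x}
  do
    for init_srv_l in ${y}
    do
      if [ "${init_srv_l}" = "${init_srv}" ]
      then
        # "Sevice" typo corrected in both messages.
        echo "\033[31mService \033[35m$init_srv_l\033[31m not disabled\033[0m"
        if [ "${1}" = "html" ]
        then
          echo "Service ${init_srv_l} is not disabled in /etc/inittab">>"${rem_file}"
          echo "
">>"${rem_file}"
          p_stat="FALSE"
        fi
      fi
    done
  done
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Non essential services | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | " >>html_report.html
    echo "
">>html_report.html
  fi
}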
#==========================================================================#
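tbl_auth_27()
{
  #-----------------------------------------------------------------#
  # AIX_27: network TCP/IP settings.
  # Compares each name=value pair in x with the value reported by
  # "no -o <name>".
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, x, list_1,
  #            cmp_var, cmp_val, org_val, org_val_ext, rem_file (written)
  #-----------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 27
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_27"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_27 Network TCP/IP settings
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  x='bcastping=0 clean_partial_conns=1 directed_broadcast=0 icmpaddressmask=0 ipforwarding=0 ipignoreredirects=1 ipsendredirects=0 ip6srcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 nonlocsrcroute=0 tcp_icmpsecure=1 ip_nfrag=200 tcp_pmtu_discover=0 tcp_tcpsecure=7 udp_pmtu_discover=0'
  # Unquoted on purpose: the list is split on white space.
  for list_1 in ${x}
  do
    # Split name=value without spawning awk twice per tunable.
    cmp_var=${list_1%%=*}
    cmp_val=${list_1#*=}
    org_val=$(no -o "${cmp_var}")
    # Text after "=", with blanks around commas and at both ends removed.
    org_val_ext=$(printf '%s\n' "${org_val}" | awk -F "=" '{print $2}' | sed -e 's/ *,/,/g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//')
    # Quoted so that a tunable "no" does not report (empty value) is a
    # plain mismatch instead of a test syntax error.
    if [ "${org_val_ext}" = "${cmp_val}" ]
    then
      echo "$cmp_var \033[32mis \033[0m$cmp_val"
    else
      echo "$cmp_var \033[31mis not \033[0m$cmp_val"
      if [ "${1}" = "html" ]
      then
        echo "$cmp_var is not $cmp_val">>"${rem_file}"
        echo "
">>"${rem_file}"
        p_stat="FALSE"
      fi
    fi
  done
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Network TCP/IP settings | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | " >>html_report.html
    echo "
">>html_report.html
  fi
}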
#==========================================================================#
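tbl_auth_28()
{
  #-------------------------------------------------#
  # AIX_28: core dump settings.
  # Expects "core = 0" and "core_hard = 0" in /etc/security/limits,
  # a single "ulimit -c 0" line in /etc/profile, and the sys0 attribute
  # fullcore set to false.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, lmt, rem_file
  #            (written)
  # Note: the two limits checks pass when the text appears anywhere in
  # the file, whichever stanza or line it is on.
  #-------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 28
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_28"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_28 Core dump settings
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  lmt=$(cat /etc/security/limits | grep "core = 0")
  # Quoted on purpose: a match is several words ("core = 0"), which the
  # unquoted test handed to [ as separate arguments.
  if [ -n "${lmt}" ]
  then
    echo "core \033[32mvalue is ok in /etc/security/limits\033[0m"
  else
    echo "core \033[31mvalue is not ok in /etc/security/limits\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "core value is not ok in /etc/security/limits">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  lmt=$(cat /etc/security/limits | grep "core_hard = 0")
  if [ -n "${lmt}" ]
  then
    echo "core_hard \033[32mvalue is ok in /etc/security/limits\033[0m"
  else
    echo "core_hard \033[31mvalue is not ok in /etc/security/limits\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "core_hard value is not ok in /etc/security/limits">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  # First three words of the ulimit line, joined; no line or more than
  # one line compares unequal.
  if [ "$(cat /etc/profile | grep -v '^#' | grep -v '^*' | grep -v '^$' | grep ulimit | awk '{print $1$2$3}')" = 'ulimit-c0' ]
  then
    echo "ulimit \033[32mok in /etc/profile\033[0m"
  else
    echo "ulimit \033[31mnot ok in /etc/profile\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "ulimit not ok in /etc/profile">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  if [ "$(lsattr -El sys0 -a fullcore | awk '{print $2}')" = 'false' ]
  then
    echo "\033[32mAttribute of \033[0mfullcore\033[32m in \033[0msys0\033[32m is ok\033[0m"
  else
    echo "\033[31mAttribute of \033[0mfullcore\033[31m in \033[0msys0\033[31m is not ok\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "Attribute of fullcore in sys0 is not ok">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "Core dump settings | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}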
#==========================================================================#
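tbl_auth_29()
{
  #---------------------------------------------------#
  # AIX_29: NFS client requests to privileged ports.
  # Expects the third word printed by "nfso -o portcheck" and by
  # "nfso -o nfs_use_reserved_ports" to be 1.
  # Arguments: $1 - "html" to also record findings for the HTML report
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); p_stat, html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e, x, rem_file
  #            (written)
  #---------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 29
  # This reset was missing: p_stat kept whatever the previously run
  # check left behind, so a failure there was reported here as well.
  p_stat="TRUE"
  rem_file="${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_29"
  if [ "${1}" = "html" ]
  then
    echo "">>"${rem_file}"
    echo "AIX_29 NFS client requests to privileged ports
">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  x=$(nfso -o portcheck | awk '{print $3}')
  # Quoted so an empty reply is a mismatch, not a test syntax error.
  if [ "${x}" = 1 ]
  then
    echo "portcheck \033[32mvalue in \033[0mnfso\033[32m is ok\033[0m"
  else
    echo "portcheck \033[31mvalue in \033[0mnfso\033[31m is not ok\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "portcheck value in nfso is not ok">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  x=$(nfso -o nfs_use_reserved_ports | awk '{print $3}')
  if [ "${x}" = 1 ]
  then
    echo "nfs_use_reserved_ports \033[32mvalue in \033[0mnfso\033[32m is ok\033[0m"
  else
    echo "nfs_use_reserved_ports \033[31mvalue in \033[0mnfso\033[31m is not ok\033[0m"
    if [ "${1}" = "html" ]
    then
      echo "nfs_use_reserved_ports value in nfso is not ok">>"${rem_file}"
      echo "
">>"${rem_file}"
      p_stat="FALSE"
    fi
  fi
  if [ "${1}" = "html" ]
  then
    echo "Back to Top">>"${rem_file}"
    echo "
">>"${rem_file}"
  fi
  # Keep the details only when a check failed.
  if [ "${p_stat}" != "TRUE" ]
  then
    html_stat="ERROR"
    html_tr_cl="red"
    rm_msg="Click Here For Details"
    stat_ln=""
    stat_ln_e=""
    cat "${rem_file}" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
    rm -f "${rem_file}"
  else
    html_stat="OK"
    html_tr_cl="green"
    rm_msg="Everything is Fine"
    stat_ln=""
    stat_ln_e=""
    rm -f "${rem_file}"
  fi
  if [ "${1}" = "html" ]
  then
    echo "">>html_report.html
    echo "NFS client requests to privileged ports | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | ">>html_report.html
    echo "
">>html_report.html
  fi
}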
#==========================================================================#
tbl_auth_30()
{
  #-------------------------------------------------------#
  # AIX_30: recommended patch level - NOT IMPLEMENTED.
  # Prints "Not Implemented"; in html mode it also files a fixed remark
  # and an EXCEPTION row in html_report.html.
  # Arguments: $1 - "html" to write the report entries
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written, html
  #            mode only)
  #-------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 30
  echo "Not Implemented"
  # Nothing else to do outside html mode.
  if [ "${1}" != "html" ]
  then
    return 0
  fi
  {
    echo ""
    echo "AIX_30 Patch level
"
    echo "The policy checking is not yet implemented"
    echo "May be next time..."
    echo "
"
    echo "Back to Top"
    echo "
"
  } >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_30"
  html_stat="EXCEPTION"
  html_tr_cl="magenta"
  rm_msg="Click Here For Details"
  stat_ln=""
  stat_ln_e=""
  # Move the remark into the shared remarks file and drop the scratch copy.
  cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_30" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
  rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_30"
  {
    echo ""
    echo "Patch level | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | "
    echo "
"
  } >>html_report.html
}
#==========================================================================#
tbl_auth_31()
{
  #-------------------------------------------------------------#
  # AIX_31: weak file system security configuration - placeholder,
  # no check is performed. Prints "Not Implemented"; in html mode it
  # also files a fixed remark and an EXCEPTION row in html_report.html.
  # Arguments: $1 - "html" to write the report entries
  # Globals:   HTML_FILE_REM, TMP_FILE_INDEX (read); html_stat,
  #            html_tr_cl, rm_msg, stat_ln, stat_ln_e (written, html
  #            mode only)
  #-------------------------------------------------------------#
  trap 'main_exit' 1 2 3 15
  tbl_auth 31
  echo "Not Implemented"
  # Nothing else to do outside html mode.
  if [ "${1}" != "html" ]
  then
    return 0
  fi
  {
    echo ""
    echo "AIX_31 Weak file system security configuration
"
    echo "The policy checking is not yet implemented"
    echo "May be next time..."
    echo "
"
    echo "Back to Top"
    echo "
"
  } >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_31"
  html_stat="EXCEPTION"
  html_tr_cl="magenta"
  rm_msg="Click Here For Details"
  stat_ln=""
  stat_ln_e=""
  # Move the remark into the shared remarks file and drop the scratch copy.
  cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_31" >>"${HTML_FILE_REM}_${TMP_FILE_INDEX}"
  rm -f "${HTML_FILE_REM}_${TMP_FILE_INDEX}_tbl_auth_31"
  {
    echo ""
    echo "Weak file system security configuration | ${html_stat} | ${stat_ln}${rm_msg}${stat_ln_e} | "
    echo "
"
  } >>html_report.html
}
#==========================================================================#
#--------------------------------------------------------------------------#
# HTML Report Generation Part
#--------------------------------------------------------------------------#
html_start()
{
echo "">html_report.html
echo "">>html_report.html
echo "">>html_report.html
echo "">>html_report.html
echo "Server Hardening Status Report
">>html_report.html
echo "
">>html_report.html
echo "Host Name \t :`hostname`
">>html_report.html
# Get Ip address and provide the list
cnt=1
for ip_addr in `ifconfig -a|sed -n -e '/inet6/d' -e '/127.0.0.1/d' -e '/inet/p'|awk '{print $2}'`
do
echo "IP Address ${cnt} \t:${ip_addr}
">>html_report.html
cnt=`expr ${cnt} + 1`
done
echo "Report Generation Date :`date +%d\/%m\/%y\ %I\:%M\:%S\ %p`
">>html_report.html
echo "
">>html_report.html
echo ""
echo "">>html_report.html
echo "">>html_report.html
echo "Policy | Status | Remarks | ">>html_report.html
echo "
">>html_report.html
}
#==========================================================================#
html_end()
{
  # Finish the report: append the two closing lines (empty strings in this
  # listing) to html_report.html in the current directory.
  {
    echo ""
    echo ""
  } >>html_report.html
}
#==========================================================================#
html_report_gen()
{
  # Build the complete HTML report: header, one summary row per policy check
  # (tbl_auth_1 to tbl_auth_31, each called with "html"), the collected
  # details, and the footer. Then wait for the operator and return to the
  # main menu.
  # Globals read: HTML_FILE_REM, TMP_FILE_INDEX
  # main_page and tbl_auth_1..tbl_auth_30 are defined outside this part of
  # the file.
  html_start

  # Run the checks in numeric order. The loop walks a fixed word list, so a
  # check that reuses the variable name cannot disturb the iteration.
  for _hrg_policy_no in 1 2 3 4 5 6 7 8 9 10 \
    11 12 13 14 15 16 17 18 19 20 \
    21 22 23 24 25 26 27 28 29 30 31
  do
    "tbl_auth_${_hrg_policy_no}" html
  done

  echo "
" >>html_report.html

  # Append the detail sections the checks accumulated in the remarks file.
  # NOTE(review): this function neither truncates nor removes that file, so a
  # second report in the same session may repeat earlier details; confirm
  # where it is reset. Its /tmp path is predictable (fixed prefix plus PID).
  cat "${HTML_FILE_REM}_${TMP_FILE_INDEX}" >>html_report.html
  html_end

  # ksh-style prompt: the text after "?" is shown before reading into opt.
  read opt?"Press Any Key To Continue....."
  main_page
}
#==========================================================================#
# Program Execution Starting Point......!!! #
#==========================================================================#
# The only top-level call in this part of the file: hand control to
# main_login, which is defined outside this excerpt.
main_login
=== audit.pl ===