
Check security on AIX

Version 1

All of my scripts source a shared .env file that sets the log path, the log name and a few other global variables:

root@nim /root/scripts > cat .env
# global variables shared by every script in $binpath (this file is sourced, not executed)
export binpath=/root/scripts
# short name of the calling script: basename without extension
export sn=$(basename "$0" | cut -d. -f1)
export HOSTNAME=$(/usr/bin/hostname)
# all scratch and log files go below $logpath
export logpath=$binpath/logs
export logname="$logpath/$sn.log"
export configfile="$binpath/$sn.cfg"
# report recipient and address for bounce notifications
export destination="myemail@google.com"
export mail_undeliverable="myemail@google.com"

This script requires the GNU sed and coreutils RPM packages (AIX Toolbox); for example the fix commands it prints use `/opt/freeware/bin/sed -i`.

root@nim /root/scripts > cat ./check_security.sh
#!/bin/ksh93
#@(#) Check security
# This script does not modify anything on your system; it only lists what is right and what is wrong
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, following by OK
# Version 1.0  08-2014

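# Load the shared settings (.env next to this script); without it, fall
# back to a private per-run scratch directory.
dir=$(dirname "$0")
if [ -f "$dir/.env" ]
then
  . "$dir/.env"
else
  path_script=$dir
  export sn=$(basename "$0" | cut -d. -f1)
  # The fallback used to leave $logpath empty, so every scratch file
  # ("$logpath/list_files.txt", "$logpath/tempo") was created at the
  # filesystem root.  Use a per-run directory instead; mkdir -m 700 fails
  # rather than reusing a path someone else may have created first.
  export logpath=${TMPDIR:-/tmp}/$sn.$$
  mkdir -m 700 "$logpath" || exit 1
  export logname=$logpath/$sn.log
fi

# reference tables are written here by every check_* function (reused)
list_files=$logpath/list_files.txt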

#####################################################
# Function to print with the timestamp in bold white
#####################################################
#
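# Print all arguments as one bold white line followed by an empty line.
# The message is passed as a printf *argument*, never as the format:
# the previous "$1*" was an unquoted glob and let any '%' in the text be
# interpreted as a conversion.  (Despite the header, no timestamp was
# ever printed; none is added.)
function print_white
{
        printf '\E[22;1m%s\E[0m\n' "$*"
        echo
}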
#
#####################################################
# Function to print with the timestamp in bold green
#####################################################
#
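# Print all arguments as one bold green line followed by an empty line.
# The text is a printf argument, not part of the format, so '%' or
# shell metacharacters in it are printed literally (the old version
# expanded "$*" unquoted inside the format and printed $1 twice).
function print_green
{
        printf '\E[32;1m%s\E[0m\n' "$*"
        echo
}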
#
#####################################################
# Function to print with timestamp in bold red
#####################################################
#
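# Print all arguments as one bold red line (no trailing empty line).
# The old body concatenated $1 twice into the printf format; the text is
# now a single %s argument so it is printed once and literally.
function print_red
{
        printf '\E[31;1m%s\E[0m\n' "$*"
}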

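check_sys0 ()
{
# Compare a few sys0 attributes with the minimum values below and print
# (red) the chdev command when the current value is lower.  Read-only:
# nothing is changed.  The AIX 6 list has no ngroups_allowed.
echo "#***********************"
echo "#** device sys0 check **"
echo "#***********************"

if [ "$(uname -v | awk '{print $1}')" -lt 7 ]
then
  param=(max_logname maxuproc ncargs)
  value=(256 8192 1024)
else
  param=(max_logname ngroups_allowed maxuproc ncargs)
  value=(256 2048 8192 1024)
fi

count=0
while [ "$count" -lt "${#value[*]}" ]
do
  name=${param[$count]}
  minimum=${value[$count]}
  # -x: whole-line match, so an attribute whose name merely contains the
  # wanted one cannot satisfy the existence test (old grep was unanchored)
  if lsattr -El sys0 | awk '{print $1}' | grep -qx "$name"
  then
    current=$(lsattr -El sys0 -a "$name" | awk '{print $2}')
    case $current in
    ''|*[!0-9]*)
      # a non-numeric value would make -lt abort the whole function
      printf '\E[31;1m%s\E[0m\n' "# cannot read sys0 attribute $name (got '$current')"
      ;;
    *)
      if [ "$current" -lt "$minimum" ]
      then
        printf '\E[31;1m%s\E[0m\n' "chdev -l sys0 -a $name=$minimum"
      else
        printf '\E[32;1m%s\E[0m\n' "# Value parameter $name for sys0 is $current (>= $minimum) : OK"
      fi
      ;;
    esac
  fi
  (( count = count + 1 ))
done
}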

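check_user_policy ()
{
# Compare the local password/login policy with the reference table below
# and print (red) the chsec/chuser command for every mismatch.  Columns:
# stanza file under /etc/security, stanza name, attribute=value.
# maxage/minage/histexpire are expressed in weeks on AIX.
echo "#***********************"
echo "#** User Policy check **"
echo "#***********************"

cat << EOF > "$list_files"
user default mindiff=0
user default minage=1
user default maxage=13
user default minlen=8
user default minalpha=2
user default minother=1
user default maxrepeats=0
user default histexpire=13
user default minloweralpha=1
user default minupperalpha=1
user default mindigit=0
user default minspecialchar=0
user default histsize=8
user default maxexpired=3
user default loginretries=5
login.cfg default logininterval=300
login.cfg default logindisable=10
login.cfg default loginreenable=360
login.cfg default logindelay=10
login.cfg usw logintimeout=30
login.cfg usw pwd_algorithm=ssha512
EOF

# Every local account not in the exclusion list is expected to carry
# maxage=0 (password never expires).  The ';' wrapping makes the egrep
# match whole names (";sys;" does not match "system").
# NOTE(review): this overrides the "maxage=13" default above for all
# remaining local accounts; it is only sound when people authenticate
# through LDAP and the local accounts are service accounts -- confirm.
lsuser -R files -a maxage ALL | sed -e 's/^/;/' -e 's/\ /;/' | egrep -v ";ext|;usr|;daemon;|;bin;|;sys;|;adm;|;nobody;|;lp;|;invscout;|;ipsec;|;snapp;|;sshd;|;lpd;|;pconsole;|;esaadmin;" | sed 's/;/\ /g' | while read -r user attr
do
  if [ "$attr" != "maxage=0" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chuser -R files maxage=0 $user"
  fi
done

# maxexpired=-1: no limit on how late root may still change an expired
# password, i.e. root cannot be locked out by an expired password
if lsuser -R files -a maxexpired root | awk '{print $2}' | grep -qv 'maxexpired=-1'
then
  printf '\E[31;1m%s\E[0m\n' "chuser -R files maxexpired=-1 root"
fi

while read -r stanza_file stanza setting
do
  ref=${setting#*=}
  attr=${setting%%=*}
  # lssec prints "<stanza> <attr>=<value>"
  cur=$(lssec -f "/etc/security/$stanza_file" -s "$stanza" -a "$attr" | awk '{print $2}' | cut -d'=' -f2)
  if [ "$cur" != "$ref" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chsec -f /etc/security/$stanza_file -s $stanza -a $setting"
  else
    printf '\E[32;1m%s\E[0m\n' "# parameter $attr OK"
  fi
done < "$list_files"
}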

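check_local_user_group()
{
# Look for local accounts that should not exist, or should not be in the
# "system" group, and print the suggested rmuser/group change in red.
echo "#************************************"
echo "#** Check local users and groups   **"
echo "#************************************"

# Accounts named usr*/ext* are expected to come from LDAP: when the
# default registry (SYSTEM) mentions LDAP, local copies are flagged.
if egrep -q "^usr|^ext" /etc/passwd
then
  if lssec -f /etc/security/user -s default -a SYSTEM | grep -q LDAP
  then
    printf '\E[31;1m%s\E[0m\n' "User ext or usr exists on local Please remove them using : rmuser -R files -p <user>"
    egrep "^usr|^ext" /etc/passwd
  else
    printf '\E[32;1m%s\E[0m\n' "# User ext or usr exists on local but there is no LDAP: OK"
  fi
else
  printf '\E[32;1m%s\E[0m\n' "# No local user defined : OK"
fi

# Members of group "system" (field 4 of /etc/group) other than the
# expected system accounts.  The sed strips those names as substrings
# (kept from the original), so the remainder must be blank.
extra=$(grep '^system:' /etc/group | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//' -e 's/srvproxy//')
if [ -n "$(echo "$extra" | sed 's/\ //g')" ]
then
  printf '\E[31;1m%s\E[0m\n' "User exists in system group, Please change the group"
  echo "$extra"
else
  printf '\E[32;1m%s\E[0m\n' "# No users in system group except system users OK"
fi

# guest account must not exist locally
if grep -q "^guest:" /etc/passwd
then
  printf '\E[31;1m%s\E[0m\n' "rmuser -R files -p guest"
else
  printf '\E[32;1m%s\E[0m\n' "# No user guest OK"
fi

# Spooler accounts are legitimate only when /etc/qconfig defines a queue.
# Fixed: the account was spelled "prinq" in both greps, so this branch
# never matched.  NOTE(review): on stock AIX "printq" is a group rather
# than a user; confirm such an account exists on your build.
if egrep -q "^lpd:|^printq:" /etc/passwd
then
  grep -v '^*' /etc/qconfig > "$logpath/tempo"
  if [ -s "$logpath/tempo" ]
  then
    printf '\E[32;1m%s\E[0m\n' "# Users lpd and printq exists, printers are defined OK"
  else
    for i in $(egrep "^printq:" /etc/passwd | cut -d':' -f1)
    do
      printf '\E[31;1m%s\E[0m\n' "rmuser -R files -p $i"
    done
  fi
else
  printf '\E[32;1m%s\E[0m\n' "# No user lpd or printq OK"
fi
}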

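disable_login_system ()
{
# Verify that the system accounts below have login/rlogin disabled (and
# that root still has them enabled); print the chuser command in red.
echo "#************************************"
echo "#** Disable login for system users **"
echo "#************************************"

# user  expected-login  expected-rlogin
cat << EOF > "$list_files"
daemon login=false rlogin=false
bin login=false rlogin=false
sys login=false rlogin=false
adm login=false rlogin=false
nobody login=false rlogin=false
uucp login=false rlogin=false
nuucp login=false rlogin=false
lpd login=false rlogin=false
root login=true rlogin=true
EOF

while read -r user login_ref rlogin_ref
do
  # root is left alone on a VIOS (ioscli present); every other account is
  # checked wherever it exists.  The old code tested
  # "[ $(test -e ...; echo $?) ]", which is true for both "0" and "1",
  # so its two duplicated branches reduced to exactly this rule.
  if [ "$user" = "root" ] && [ -e /usr/ios/cli/ioscli ]
  then
    continue
  fi
  # anchored on "name:"; the old unanchored grep matched e.g. "bin" or
  # "adm" inside any home-directory path and then ran lsuser on an
  # account that does not exist
  grep -q "^$user:" /etc/passwd || continue

  login_curr=$(lsuser -R files -a login "$user" | awk '{print $2}')
  rlogin_curr=$(lsuser -R files -a rlogin "$user" | awk '{print $2}')
  if [ "$login_curr" != "$login_ref" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chuser -R files $login_ref $user"
  else
    printf '\E[32;1m%s\E[0m\n' "# parameter $login_ref $user OK"
  fi
  if [ "$rlogin_curr" != "$rlogin_ref" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chuser -R files $rlogin_ref $user"
  else
    printf '\E[32;1m%s\E[0m\n' "# parameter $rlogin_ref $user OK"
  fi
done < "$list_files"

# The su/sugroups check for root (restricting su to the sysadmin group)
# was commented out in the original and is intentionally not performed.
}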

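# Print (red) the chitab command that turns the given /etc/inittab entry
# "off", or a green line when the entry is absent or already off.
# Arg 1: inittab identifier.  Only the first matching line is used.
suggest_inittab_off ()
{
  if grep "^$1:" /etc/inittab | grep -qv ":off:"
  then
    entry=$(grep "^$1:" /etc/inittab | head -1)
    head_part=$(echo "$entry" | cut -d':' -f1,2)
    tail_part=$(echo "$entry" | cut -d':' -f4-)
    printf '\E[31;1m%s\E[0m\n' "chitab '$head_part:off:$tail_part'"
  else
    printf '\E[32;1m%s\E[0m\n' "# Parameter $1 not exists OK"
  fi
}

check_inittab ()
{
# List the inittab entries that should not start on a hardened host.
echo "#************************"
echo "#** Check /etc/inittab **"
echo "#************************"

# printer services stay enabled when /etc/qconfig defines a queue
grep -v '^*' /etc/qconfig > "$logpath/tempo"
if [ -s "$logpath/tempo" ]
then
  printf '\E[32;1m%s\E[0m\n' "# printers are defined , printer services won't be checked OK"
else
  for entry in qdaemon lpd piobe
  do
    suggest_inittab_off "$entry"
  done
fi

# Services to switch off.  clcomd and clusterconf are left alone on a
# PowerHA node (clmgr present) and on a VIOS (ioscli present); xmdaily
# is also left alone on a VIOS.
listsvc="cas_agent i4ls rcncs httpdlite pmd dt rcml mkatmpvc atmsvcd sniinst writesrv naudio naudio2 pconsole webserverstart platform_agent cimservices dt_nogb rcitm rcnetwlm director_agent climgrcim install_assist pmperfrec cfgperf"
if [ -e /usr/es/sbin/cluster/utilities/clmgr ]
then
  listsvc="$listsvc xmdaily"
elif [ ! -e /usr/ios/cli/ioscli ]
then
  listsvc="$listsvc clcomd clusterconf xmdaily"
fi

for entry in $listsvc
do
  suggest_inittab_off "$entry"
done

# Remove old IBM Director Agent, no more supported.  Iterating over the
# glob handles several matches; the old "[ -e glob ]" broke with more
# than one.
for file in /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0
do
  [ -e "$file" ] || continue
  printf '\E[31;1m%s\E[0m\n' "rm -f $file"
done

# rcnfs required for mksysb, NIM and NMON
}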

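# Active /etc/inetd.conf entries: neither comments nor blank lines
# (a blank line used to count as an active service and produced an
# empty "chsubserver -d -p  -v  -r inetd" line).  swat is tolerated.
inetd_active_entries ()
{
  grep -v '^#' /etc/inetd.conf | grep -v '^[[:space:]]*$' | grep -v '^swat'
}

check_inetd ()
{
# Print (red) a chsubserver command for every active inetd service that
# the host role does not need.
echo "#***************************"
echo "#** Check /etc/inetd.conf **"
echo "#***************************"

if ! inetd_active_entries | grep -q .
then
  printf '\E[32;1m%s\E[0m\n' "# /etc/inetd.conf OK"
  return
fi

# Services kept per role.  NOTE(review): ftp/telnet/r-services left on a
# NIM master are cleartext protocols -- restrict them at the network
# level (or move to NIM over ssh/nimsh) rather than exposing them.
if [ -f /usr/sbin/lsnim ]
then
  exclude="^ftp|^telnet|^shell|^login|^exec|^bootps|^tftp"
elif [ -f /usr/ios/cli/ioscli ]
then
  exclude="^ftp|^telnet|^caa_cfg"
else
  exclude="^$"   # matches no non-empty line: nothing is excluded
fi

# columns: service name, protocol (tcp6/udp6 -> tcp/udp for chsubserver)
inetd_active_entries | egrep -v "$exclude" | awk '{print $1,$3}' | while read -r svc proto
do
  printf '\E[31;1m%s\E[0m\n' "chsubserver -d -p ${proto%6} -v $svc -r inetd"
done
}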

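check_rctcpip ()
{
# Print (red) a chrctcp command for every daemon started from
# /etc/rc.tcpip that is not in the allowed set.
echo "#*************************"
echo "#** Check /etc/rc.tcpip **"
echo "#*************************"

# Daemons allowed to start from rc.tcpip; a NIM master also needs
# portmap.  The match is a substring match on the whole "start ..." line.
allowed="xntpd|inetd|syslogd"
if ! grep "^start " /etc/rc.tcpip | egrep -v "$allowed" > /dev/null 2>&1
then
  printf '\E[32;1m%s\E[0m\n' "# /etc/rc.tcpip OK"
  return
fi

if [ -e /usr/sbin/lsnim ]
then
  allowed="$allowed|portmap"
  label=" on NIM server"
else
  label=""
fi

# second column is the daemon path; only its basename goes to chrctcp
extra=$(grep "^start " /etc/rc.tcpip | egrep -v "$allowed" | awk '{print $2}')
if [ -z "$extra" ]
then
  printf '\E[32;1m%s\E[0m\n' "# /etc/rc.tcpip$label OK"
else
  for service in $extra
  do
    printf '\E[31;1m%s\E[0m\n' "chrctcp -S -d ${service##*/}"
  done
fi
}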

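check_files_permission ()
{
# Compare owner, group and mode of the files/directories below with the
# reference values and print the chown/chmod command in red.
echo "#****************************"
echo "#** Check file permissions **"
echo "#****************************"

# type(f|d)  path  owner  group  mode  [nocheck]
# "nocheck" marks the r-commands/tftpd: they are expected to be mode 000
# on an ordinary host but are left alone on a NIM master (dropped below).
cat << EOF > "$list_files"
f /usr/bin/rcp root system 000 nocheck
f /usr/bin/rlogin root bin 000 nocheck
f /usr/bin/rsh root system 000 nocheck
f /usr/sbin/rlogind root system 000 nocheck
f /usr/sbin/rshd root system 000 nocheck
f /usr/sbin/tftpd root system  000 nocheck
f /etc/ssh/sshd_config root system 644
f /etc/ssh/ssh_config root system 644
f /etc/security/passwd root security 600
d /etc/security root security 750
f /etc/group root security 644
f /etc/passwd root security 644
d /etc/security/audit root audit 750
d /audit root audit 750
f /root/smit.log root system 640
f /var/adm/cron/log root cron 660
f /var/adm/cron/cron.allow bin cron 640
f /var/adm/cron/at.allow bin cron 640
d /var/spool/cron/crontabs root cron 770
f /etc/motd bin bin 444
#f /var/adm/ras/* - - o-r
f /var/ct/RMstart.log root system 640
f /var/tmp/dpid2.log root system 640
f /var/tmp/hostmibd.log root system 640
f /var/tmp/snmpd.log root system 640
d /var/adm/sa adm adm 766
f /usr/dt/bin/dtaction root sys 555
f /usr/dt/bin/dtappgather root bin 555
f /usr/dt/bin/dtprintinfo root bin 555
f /usr/dt/bin/dtsession root bin 555
f /etc/dt/config/Xservers root bin 555
EOF

if [ -e /usr/sbin/lsnim ]
then
  grep -v "nocheck" "$list_files" > "$list_files.1"
  mv "$list_files.1" "$list_files"
fi

while read -r type full owner group perm nocheck
do
  case $type in
  f)
    [ -f "$full" ] || continue
    kind=file
    mode=$(convert_perm_file "$full" | awk '{print $1}')
    ;;
  d)
    [ -d "$full" ] || continue
    kind=directory
    mode=$(convert_perm_dir "$full" | awk '{print $1}')
    ;;
  *)
    # comment or malformed line
    continue
    ;;
  esac

  # "owner.group" as printed by ls; AIX chown accepts the dotted form
  owner_curr=$(ls -ld "$full" | awk '{print $3"."$4}')
  if [ "$owner_curr" != "$owner.$group" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chown $owner.$group $full"
  else
    printf '\E[32;1m%s\E[0m\n' "# $kind $full owner OK"
  fi

  # convert_perm_* prints the mode with %4d, i.e. without leading zeros
  # ("0" for 000, "40" for 040).  Zero-pad before the textual compare so
  # every reference value works, not only the "0" special case the old
  # code handled (and only for files).  The value never carries a
  # leading zero, so printf cannot misread it as octal.
  case $mode in
  ''|*[!0-9]*)
    printf '\E[31;1m%s\E[0m\n' "# cannot read mode of $full"
    continue
    ;;
  esac
  perm_curr=$(printf '%03d' "$mode")
  if [ "$perm_curr" != "$perm" ]
  then
    printf '\E[31;1m%s\E[0m\n' "chmod $perm $full"
  else
    printf '\E[32;1m%s\E[0m\n' "# $kind $full permission OK"
  fi
done < "$list_files"
}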

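# Print "<octal mode> <name>" for every regular file given as argument,
# the mode being rebuilt from the ls -l permission string (setuid,
# setgid and sticky bits included).  Non-files are silently skipped.
# The arguments are used directly: the old "$(ls $*)" listed the
# *contents* of a directory argument under bare names that then never
# matched, and broke on names containing spaces.
# The mode is printed with %4d, so it has no leading zeros (000 -> "0").
convert_perm_file ()
{
for file in "$@"
do
  if [ -f "$file" ]
  then
  ls -l "$file" | awk 'BEGIN {
v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
{val=0
    for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
    printf "%4d %s\n",val,$NF}'
  fi
done
}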

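# Print "<octal mode> <name>" for the directory (or any path) given as
# argument 1, rebuilt from the ls -ld permission string.  The mode is
# printed with %4d, so it has no leading zeros.
# The old body assigned the argument to the global "dir", clobbering the
# script-level variable of the same name; the argument is now used as is.
convert_perm_dir ()
{
ls -ld "$1" | awk 'BEGIN {
v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
{val=0
    for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
    printf "%4d %s\n",val,$NF}'
}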

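network_option ()
{
# Compare network tunables with the reference values below and print
# (red) the persistent "-p -o" command for every mismatch.
echo "#***********************"
echo "#** Network Options   **"
echo "#***********************"

# tunable-command  parameter  reference-value (exact match required)
cat << EOF > "$list_files"
no ipsrcrouteforward  0
no ipignoreredirects  1
no clean_partial_conns  1
no ipsrcroutesend  0
no ipforwarding  0
no ipsendredirects 0
no ip6srcrouteforward 0
no directed_broadcast  0
no tcp_pmtu_discover  0
no bcastping  0
no icmpaddressmask  0
no udp_pmtu_discover  0
no ipsrcrouterecv  0
no nonlocsrcroute  0
no tcp_tcpsecure  7
no sockthresh  60
no rfc1323  1
no tcp_sendspace  262144
no tcp_recvspace  262144
no udp_sendspace  65536
no udp_recvspace  655360
no tcp_mssdflt  1448
EOF

# For NFS with Linux, add the following settings
#nfso portcheck  1
#nfso nfs_use_reserved_ports  1

# "<cmd> -o <param>" prints "param = value"; the value is column 3
while read -r cmd tunable ref
do
  cur=$("$cmd" -o "$tunable" | awk '{print $3}')
  case $cur in
  ''|*[!0-9-]*)
    # an empty/non-numeric value would make -ne abort the function
    printf '\E[31;1m%s\E[0m\n' "# cannot read $tunable ($cmd -o $tunable returned '$cur')"
    ;;
  *)
    if [ "$cur" -ne "$ref" ]
    then
      printf '\E[31;1m%s\E[0m\n' "$cmd -p -o $tunable=$ref"
    else
      printf '\E[32;1m%s\E[0m\n' "# parameter $tunable OK"
    fi
    ;;
  esac
done < "$list_files"

# sb_max is a floor: any value at or above the reference is fine
sb_ref=1048576
sb_cur=$(no -o sb_max | awk '{print $3}')
case $sb_cur in
''|*[!0-9]*)
  printf '\E[31;1m%s\E[0m\n' "# cannot read sb_max (no -o sb_max returned '$sb_cur')"
  ;;
*)
  if [ "$sb_cur" -lt "$sb_ref" ]
  then
    printf '\E[31;1m%s\E[0m\n' "no -p -o sb_max=$sb_ref"
  else
    printf '\E[32;1m%s\E[0m\n' "# parameter sb_max OK"
  fi
  ;;
esac
}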

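check_audit ()
{
# Check that /audit is a separate filesystem, that new users get audit
# classes, and that auditing starts from inittab; print fixes in red.
echo "#***********************"
echo "#** Check audit       **"
echo "#***********************"

# df -g /audit names the filesystem holding /audit; it only contains
# "audit" when /audit is mounted on its own (so a growing trail cannot
# fill the root filesystem)
if df -g /audit | grep -q audit
then
  printf '\E[32;1m%s\E[0m\n' "# Filesystem /audit OK"
else
  # NOTE(review): mklv's last argument is a number of logical partitions,
  # not a size -- verify the "2G" argument on your AIX level before use
  printf '\E[31;1m%s\E[0m\n' "mklv -tjfs2 -y auditlv rootvg 2G;crfs -vjfs2 -m /audit -d auditlv -Ayes;mount /audit"
  printf '\E[31;1m%s\E[0m\n' "chown root.audit /audit;chmod 750 /audit"
fi

# default audit classes applied to newly created users (empty = none)
classes=$(lssec -f /usr/lib/security/mkuser.default -s user -a auditclasses | awk '{print $2}' | awk -F'=' '{print $2}')
if [ -z "$classes" ]
then
  printf '\E[31;1m%s\E[0m\n' "chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip"
else
  printf '\E[32;1m%s\E[0m\n' "# User auditclasses OK"
fi

# inittab entry "audit" (anchored: the old grep matched the word anywhere,
# including in comments).  The fix uses mkitab, which validates the
# entry; the old suggestion started the line with ":" and would have
# produced an entry with an empty identifier.
if grep -q '^audit:' /etc/inittab
then
  printf '\E[32;1m%s\E[0m\n' "# Audit process started in inittab OK"
else
  printf '\E[31;1m%s\E[0m\n' 'mkitab "audit:2:boot:audit start > /dev/console 2>&1"'
fi
}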

check_syslog ()
{
# Check Syslog
echo "#***********************"
echo "#** Check syslog      **"
echo "#***********************"

# syslogd's arguments live in its SRC subsystem definition (ODM);
# both "-r" and "-n" must appear in cmdargs for the green line
syslog_args=$(odmget -q subsysname="syslogd" SRCsubsys | grep cmdargs | cut -d'=' -f2-)
if printf '%s\n' "$syslog_args" | grep '\-r' | grep '\-n' > /dev/null 2>&1
then
  printf '\E[32;1m%s %s\E[0m\n' "# Syslog started with option -r and -n OK" "$1"
else
  printf '\E[31;1m%s %s\E[0m\n' 'chssys -s syslogd -a "-r -n"' "$1"
fi
}

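check_snmp ()
{
# Flag an active "private" SNMP community.  Optional arg 1: path of the
# config to check (default /etc/snmpd.conf), mainly for testing.
# Fixed: the check read /etc/snmpd.conf but the suggested fix (and the
# OK line) referred to /etc/snmp.conf; one path is used for both now.
# The sed is also anchored on the community line instead of commenting
# out every line that merely contains the word "private".
# NOTE(review): the default "public" community is just as well known;
# consider flagging it (or switching to SNMPv3) as well.
echo "#***********************"
echo "#** Check SNMP        **"
echo "#***********************"

snmp_conf=${1:-/etc/snmpd.conf}
if grep -q "^community[[:blank:]]*private" "$snmp_conf"
then
  printf '\E[31;1m%s\E[0m\n' "/opt/freeware/bin/sed -i '/^community[[:blank:]]*private/ s/^/#/' $snmp_conf"
else
  printf '\E[32;1m%s\E[0m\n' "# $snmp_conf OK"
fi
}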

check_cron ()
{
# Check cron authorization
echo "#***********************"
echo "#** Check crontabs    **"
echo "#***********************"

# Without an allow-list the deny-list is consulted instead; the suggested
# command seeds the allow-list from the users that currently own a
# crontab (minus esaadmin/sys/uucp).  Same rule for cron and at.
for allow_file in cron.allow at.allow
do
  if [ -f "/var/adm/cron/$allow_file" ]
  then
    printf '\E[32;1m%s %s\E[0m\n' "# /var/adm/cron/$allow_file exists OK" "$1"
  else
    printf '\E[31;1m%s %s\E[0m\n' "ls /var/spool/cron/crontabs | egrep -v \"esaadmin|sys|uucp\" > /var/adm/cron/$allow_file" "$1"
  fi
done
}

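# Helper: green line when the directive (grep pattern, arg 1) is present
# uncommented in $SSHD_CONFIG, otherwise the red sed (arg 3) that
# uncomments the stock default line.  Arg 2 is the label for the OK line.
# A directive written with a non-default value is not corrected by the
# "uncomment" sed; it would have to be edited by hand.
sshd_want ()
{
  if grep -q "$1" "$SSHD_CONFIG"
  then
    printf '\E[32;1m%s\E[0m\n' "# $2 OK"
  else
    printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i '$3' $SSHD_CONFIG"
  fi
}

check_sshd_config ()
{
# Check the sshd_config directives below.  Optional arg 1: path of the
# config to check (default /etc/ssh/sshd_config), mainly for testing.
# NOTE(review): recent OpenSSH releases no longer accept the "Protocol"
# keyword (SSH-1 support was removed) -- confirm against your sshd
# version before applying that fix.  PermitRootLogin is not checked here.
echo "#****************************"
echo "#** Check sshd_config file **"
echo "#****************************"

SSHD_CONFIG=${1:-/etc/ssh/sshd_config}
LINUX_SED=/opt/freeware/bin/sed

sshd_want '^Port' 'Port' 's/^#Port\ 22/Port\ 22/'

# listen on IPv4 only: one non-"::" ListenAddress, no "::" one
if grep '^ListenAddress ' "$SSHD_CONFIG" | grep -v '::' > /dev/null 2>&1
then
  printf '\E[32;1m%s\E[0m\n' "# ListenAddress IPV4 OK"
else
  printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#ListenAddress\ 0.0.0.0/ListenAddress\ 0.0.0.0/' $SSHD_CONFIG"
fi

if grep '^ListenAddress ' "$SSHD_CONFIG" | grep -q '::'
then
  printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^ListenAddress\ ::/#ListenAddress\ ::/' $SSHD_CONFIG"
else
  printf '\E[32;1m%s\E[0m\n' "# ListenAddress IPV6 OK"
fi

sshd_want '^Protocol 2' 'Protocol ssh version 2 only' 's/^#Protocol\ 2/Protocol\ 2/'

# Ciphers: deliberately not enforced (a wrong list locks everyone out);
# if you add one, restrict it to CTR/GCM AES suites.

sshd_want '^SyslogFacility AUTH' 'SyslogFacility' 's/^#SyslogFacility\ AUTH/SyslogFacility\ AUTH/'
sshd_want '^LogLevel INFO' 'LogLevel' 's/^#LogLevel\ INFO/LogLevel\ INFO/'

if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ]
then
  printf '\E[31;1m%s\E[0m\n' "echo | ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key"
else
  printf '\E[32;1m%s\E[0m\n' "# ECDSA ssh key exists OK"
fi

# "|" as sed delimiter: the old command escaped the slashes in the path
# as "\\/", which after shell expansion terminated the s/// pattern early
# and made the suggested sed invalid
sshd_want '^PidFile' 'PidFile' 's|^#PidFile /var/run/sshd.pid|PidFile /var/run/sshd.pid|'

if [ ! -d "/var/run" ]
then
  printf '\E[31;1m%s\E[0m\n' "mkdir -p /var/run"
else
  printf '\E[32;1m%s\E[0m\n' "# ssh PID directory exists OK"
fi
}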

# Run all checks.  Order matters only in that several functions reuse the
# same scratch files ($list_files, $logpath/tempo) and each rewrites them
# before use; none of them changes the system, they only print commands.
check_sys0
check_user_policy
network_option
disable_login_system
check_local_user_group
check_inittab
check_inetd
check_rctcpip
check_files_permission
check_snmp
check_audit
check_syslog
check_cron
check_sshd_config

Check users with admin rights on AIX

root@nim /root/scripts > cat ./check_admin.sh
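#!/bin/ksh93
#set -x
#@(#) List all administrative users and groups
# version 1.0  08-2014
#
# Read-only report of who holds administrative rights:
#   1. groups with admin=true
#   2. users that are members of such groups
#   3. users with the admin=true flag
# each for LDAP (only when the LDAP client daemon answers) and for the
# local "files" registry; the stock AIX accounts/groups listed below are
# filtered out.  When dsh is installed the local part runs on every dsh
# target and lines are prefixed with the host name.

dir=$(dirname "$0")
. "$dir/.env"
# .env must provide logpath (scratch directory, assumed writable by root only)
: "${logpath:?logpath is not set -- check $dir/.env}"

GROUP_ADMIN=";system;bin;sys;adm;uucp;mail;security;cron;printq;audit;ecs;shutdown;lp;invscout;snapp;pconsole;esaadmin"
USER_ADMIN="lpd;nobody;daemon;root;nuucp;system;bin;sys;adm;uucp;mail;security;cron;printq;audit;ecs;shutdown;lp;invscout;snapp;pconsole;esaadmin"
LINUX_SED=/opt/freeware/bin/sed
HOSTNAME=$(hostname)

# Scratch file.  The previous fixed name /tmp/aaa could be pre-created or
# symlinked by any local user before root truncated it here; use a
# per-run name in $logpath, create it with a restrictive umask and remove
# it on exit.
TMPFILE=$logpath/check_admin.$$
(umask 077; : > "$TMPFILE") || exit 1
trap 'rm -f "$TMPFILE"' EXIT

# ERE matching the stock admin groups at the start of a "name;..." line:
#   ^system;|^bin;|...|^esaadmin;
# Built without the literal quote characters the old version embedded in
# the pattern, which made its last alternative ("^esaadmin;'") unmatchable.
GREP_GROUP=$(printf '%s\n' "${GROUP_ADMIN#;}" | sed -e 's/;/;|^/g' -e 's/^/^/' -e 's/$/;/')

# 0 when the LDAP client daemon is running
/usr/sbin/ls-secldapclntd > /dev/null 2>&1
LDAP_CLIENT=$?

# Remove the stock accounts from the ",user,user," member lists in $TMPFILE
strip_system_users ()
{
  for u in $(echo "$USER_ADMIN" | sed 's/;/\ /g')
  do
    $LINUX_SED -i "s/,$u,/,/g" "$TMPFILE"
  done
}

echo "#**********************************"
echo "#********   Admin Groups   ********"
echo "#**********************************"

if [ "$LDAP_CLIENT" -eq 0 ]
then
  echo "#### Admin groups on LDAP ####"
  lsgroup -R LDAP -a admin ALL | grep -v "admin=false" | sed "s/\ /;/" | egrep -v "$GREP_GROUP"
fi

printf '\n%s\n' "#### Admin groups on Local ####"
if [ -e /usr/bin/dsh ]
then
  # the pattern is single-quoted for the remote shell
  dsh "lsgroup -R files -a admin ALL | grep -v 'admin=false' | sed 's/\ /;/' | egrep -v '$GREP_GROUP'"
else
  lsgroup -R files -a admin ALL | grep -v 'admin=false' | sed 's/\ /;/' | egrep -v "$GREP_GROUP"
fi

printf '\n%s\n' "#***************************************"
echo "#******** Users in Admin Groups ********"
echo "#***************************************"

if [ "$LDAP_CLIENT" -eq 0 ]
then
  printf '\n%s\n' "#### Users in Admin groups on LDAP ####"
  # one line per admin group: ";group;,member,member,"
  lsgroup -R LDAP -a admin users ALL | grep -v "admin=false" | awk '{print $1";"$3}' | sed -e 's/users=/,/' -e 's/^/;/' -e 's/$/,/' > "$TMPFILE"
  strip_system_users

  sed 's/;/\ /g' "$TMPFILE" | while read -r begin end
  do
    line=$(echo "$end" | sed -e 's/,/\ /g' | awk '{$1=$1; print}')
    if [ -n "$line" ]
    then
      echo "group=$begin,users=$line"
    fi
  done
fi

printf '\n%s\n' "#### Users in Admin groups on Local ####"
if [ -e /usr/bin/dsh ]
then
  # dsh prefixes each line with "host:" -> "host:;group;,member,...,"
  dsh "lsgroup -R files -a admin users ALL | grep -v 'admin=false'" | awk '{print $1";"$2";"$4}' | sed -e 's/users=/,/' -e 's/$/,/' > "$TMPFILE"
else
  lsgroup -R files -a admin users ALL | grep -v 'admin=false' | awk '{print $1";"$3}' | sed -e 's/users=/,/' -e 's/$/,/' | sed "s/^/$HOSTNAME:;/" > "$TMPFILE"
fi
strip_system_users

sed -e 's/;/\ /g' -e 's/://' "$TMPFILE" | while read -r host_name begin end
do
  line=$(echo "$end" | sed -e 's/,/\ /g' | awk '{$1=$1; print}')
  if [ -n "$line" ]
  then
    echo "$host_name:group=$begin,users=$line"
  fi
done

printf '\n%s\n' "#***************************************"
echo "#******** Users with admin FLAG ********"
echo "#***************************************"

if [ "$LDAP_CLIENT" -eq 0 ]
then
  printf '\n%s\n' "#### Users with admin FLAG on LDAP ####"
  lsuser -R LDAP -a admin ALL | grep -v 'admin=false'
fi

printf '\n%s\n' "#### Users with admin FLAG on Local ####"
if [ -e /usr/bin/dsh ]
then
  dsh "lsuser -R files -a admin ALL | grep -v 'admin=false'" | awk '{print $1";"$2}' | sed -e 's/$/;/' -e 's/://' > "$TMPFILE"
else
  lsuser -R files -a admin ALL | grep -v 'admin=false' | awk '{print $1}' | sed 's/$/;/' | sed "s/^/$HOSTNAME:;/" > "$TMPFILE"
fi
# drop the stock accounts (";user;" form on these lines)
for u in $(echo "$USER_ADMIN" | sed 's/;/\ /g')
do
  $LINUX_SED -i "s/;$u;//" "$TMPFILE"
done

sort -u "$TMPFILE" | while read -r line
do
  end=$(echo "$line" | sed 's/;/\ /' | awk '{print $2}')
  if [ -n "$end" ]
  then
    echo "$line admin=true"
  fi
done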

Version 2

#!/bin/ksh93
#@(#) Check security
# This script does not modify anything on your system; it only lists what is right and what is wrong
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, following by OK
# Version 1.0  08-2014

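# Load the shared settings (.env next to this script); without it, fall
# back to a private per-run scratch directory.
dir=$(dirname "$0")
if [ -f "$dir/.env" ]
then
  . "$dir/.env"
else
  path_script=$dir
  export sn=$(basename "$0" | cut -d. -f1)
  # The fallback used to leave $logpath empty, so $list_files and
  # $outputdir were created at the filesystem root.  Use a per-run
  # directory instead; mkdir -m 700 fails rather than reusing a path
  # someone else may have created first.
  export logpath=${TMPDIR:-/tmp}/$sn.$$
  mkdir -m 700 "$logpath" || exit 1
  export logname=$logpath/$sn.log
fi

DATE=$(date "+%Y%m%d%H%M%S")
# GNU tools from the AIX Toolbox (sed -i, stat, sort)
LINUX_SED=/opt/freeware/bin/sed
LINUX_STAT=/opt/freeware/bin/stat
LINUX_SORT=/opt/freeware/bin/sort


# scratch table reused by every check_* function
list_files=$logpath/list_files.txt
outputcis=$logpath/CIS_AIX7.2_v1.0.0
output=$logname
# per-run directory for copies of the files examined
outputdir=$logpath/sec_files_out_${DATE}
mkdir -p "$outputdir" || exit 1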

#####################################################
# Function to print with the timestamp in bold white
#####################################################
#
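# Print all arguments as one bold white line followed by an empty line.
# The message is passed as a printf *argument*, never as the format:
# the previous "$1*" was an unquoted glob and let any '%' in the text be
# interpreted as a conversion.  (Despite the header, no timestamp was
# ever printed; none is added.)
function print_white
{
        printf '\E[22;1m%s\E[0m\n' "$*"
        echo
}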
#
#####################################################
# Function to print with the timestamp in bold green
#####################################################
#
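# Print all arguments as one bold green line followed by an empty line.
# The text is a printf argument, not part of the format, so '%' or
# shell metacharacters in it are printed literally (the old version
# expanded "$*" unquoted inside the format and printed $1 twice).
function print_green
{
        printf '\E[32;1m%s\E[0m\n' "$*"
        echo
}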
#
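#####################################################
# Print a message in bold red (no trailing blank line).
# Arguments: $* - the message text
# Outputs:   the message wrapped in ANSI bold/red escapes on stdout
#####################################################
#
function print_red
{
  # Message passed as an argument: the old form spliced "$1" into the format
  # string twice, printing the text duplicated and interpreting any '%'.
  printf '\E[31;1m%s\E[0m\n' "$*"
}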

#####################################################
# Compare sys0 device attributes against a hardening baseline.
# Globals:   param, value, nbval, count, val1 (written; shell-global in
#            this "name ()" function form)
# Outputs:   red "chdev -l sys0 ..." line for every attribute below the
#            baseline, green "# Value parameter ... OK" otherwise
#####################################################
check_sys0 ()
{
echo "#***********************"
echo "#** device sys0 check **"
echo "#***********************"

# Positional pairs: param[i] is compared against value[i].  AIX releases
# before 7 get the list without ngroups_allowed.
if [ $(uname -v | awk '{print $1}') -lt 7 ]
then
  param=(max_logname maxuproc ncargs)
  value=(256 8192 1024)
else
  param=(max_logname ngroups_allowed maxuproc ncargs)
  value=(256 2048 8192 1024)
fi

nbval=$(echo ${#value[*]})
count=0
while [ "$count" -lt "$nbval" ]
do
  val1=${param[$count]}
  # Skip attributes this sys0 does not expose.
  # NOTE(review): "grep $val1" is an unanchored substring match, so an
  # attribute whose name is contained in another one passes this guard even
  # when absent.
  if [ $(lsattr -El sys0  | awk '{print $1}' | grep $val1 > /dev/null; echo $?) -eq 0 ]
  then
    # Numeric "strictly below baseline" test; equal or higher is accepted.
    if [ $(lsattr -El sys0 -a ${param[$count]} | awk '{print $2}') -lt $(echo ${value[$count]}) ]
     then
      # The trailing $1 is the function's first positional argument, if any.
      printf "\E[31;1m""chdev -l sys0 -a ${param[$count]}=${value[$count]}"" $1\E[0m\n"
    else
      # Reports the baseline value, not the (possibly higher) current one.
      printf "\E[32;1m""# Value parameter ${param[$count]} for sys0 is ${value[$count]} : OK"" $1\E[0m\n"
    fi
  fi
  (( count = count + 1 ))
done
}

#####################################################
# Compare the password and login policy with the CIS baseline.
# Reads /etc/security/passwd, /etc/security/user and login.cfg through
# grep -p, lssec and lsuser.
# Globals:   rule, level, USER, i, j, k, val_ref, param, val_cur (written;
#            shell-global in this "name ()" function form)
# Outputs:   red pwdadm/chsec/chuser lines for deviations, green "# ... OK"
#            lines otherwise, and one "# rule=... level=... OK|NOK" summary
#            per CIS rule for the report
#####################################################
check_user_policy ()
{
# User Policy check
echo "#***********************"
echo "#** User Policy check **"
echo "#***********************"

# 5.2.1: no stanza of /etc/security/passwd may carry the NOCHECK flag.
# grep -p is AIX paragraph mode (one stanza per match).
rule="5.2.1 passwords disable NOCHECK"
level=1
grep -p NOCHECK /etc/security/passwd > $list_files
if [ -s "$list_files" ]
then
  # Stanza headers are the lines ending in ':'.
  # NOTE(review): this selects every stanza containing "lastupdate", not only
  # the NOCHECK ones, so pwdadm -c is proposed for more users than the rule
  # flags — confirm intent.
  grep -p lastupdate /etc/security/passwd | /usr/bin/egrep ":$"  | sed -e 's/://' | while read USER
  do
    # The trailing $1 is the function's first positional argument, if any.
    printf "\E[31;1m""/usr/bin/pwdadm -c $USER"" $1\E[0m\n"
  done
  echo "# rule="'"'$rule'"'" level=$level NOK"
else
  printf "\E[32;1m""# parameter password NOCHECK OK"" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level OK"
fi

# 4.6.3: a pre-login herald must be set in the default stanza of login.cfg.
rule="4.6.3 passwords herald"
level=1
if [[ $(lssec -f /etc/security/login.cfg -s default -a herald | cut -d'=' -f2-) == "" ]]
then
  printf "\E[31;1m""chsec -f /etc/security/login.cfg -s default -a herald="'"Unauthorized use of this system is prohibited.\\nlogin:"'" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level NOK"
else
  printf "\E[32;1m""# parameter herald OK"" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level OK"
fi



# Baseline table, one "<file> <stanza> <attr>=<value> [rule=... level=...]"
# record per line.  Values marked CUSTOM deliberately differ from CIS; the
# three login.cfg lines without rule/level yield an empty rule and level in
# their summary line.  (Do not add comments inside the here-doc: every line
# is read back as a record.)
cat << EOF > $list_files
user default mindiff=4 rule="5.2.6 passwd policy mindiff" level=1
user default minage=1 rule="5.1.1.3 passwd policy minage" level=1
user default maxage=13 rule="5.6 passwd policy maxage" level=1
user default minlen=12 rule="5.2.5 passwd policy minlen 14 (CUSTOM ! Not CIS)" level=1
user default minalpha=2 rule="5.2.7 passwd policy minalpha 3 (CUSTOM ! Not CIS)" level=1
user default minother=1 rule="5.2.8 passwd policy minother 3 (CUSTOM ! Not CIS)" level=1
user default maxrepeats=4 rule="5.2.9 passwd policy maxrepeats" level=1
user default histexpire=52 rule="5.1.1.1 passwd policy histexpire" level=1
user default minloweralpha=1 rule="5.2.11 passwd policy minloweralpha" level=1
user default minupperalpha=1 rule="5.2.12 passwd policy minupperalpha" level=1
user default mindigit=1 rule="5.2.10 passwd policy mindigit" level=1
user default minspecialchar=1 rule="5.2.13 passwd policy minspecialchar" level=1
user default histsize=0 rule="5.1.1.2 passwd policy histsize" level=1
user default maxexpired=4 rule="5.7 passwd policy maxexpired" level=1
user default loginretries=5 rule="4.6.4 passwd policy loginretries" level=1
login.cfg default logininterval=300
login.cfg default logindisable=10
login.cfg default loginreenable=360
login.cfg default logindelay=10 rule="4.6.2 passwd policy logindelay" level=1
login.cfg usw logintimeout=30 rule="4.6.1 passwd policy logintimeout" level=1
login.cfg usw pwd_algorithm=ssha512 rule="5.2.2 pwd_algorithm" level=1
EOF

# i=file under /etc/security, j=stanza, k=attr=value; lssec prints
# "stanza attr=value", so the current value is field 2 after the '='.
# Comparison is a literal string compare.
cat $list_files | while read i j k rule level
do
  val_ref=$(echo $k | cut -d'=' -f2)
  param=$(echo $k | cut -d'=' -f1)
  val_cur=$(lssec -f /etc/security/$i -s $j -a $param | awk '{print $2}' | cut -d'=' -f2)
  if [ "$val_cur" != "$val_ref" ]
  then
    printf "\E[31;1m""chsec -f /etc/security/$i -s $j -a $k"" $1\E[0m\n"
    echo "# $rule $level NOK"
  else
    printf "\E[32;1m""# parameter $param OK"" $1\E[0m\n"
    echo "# $rule $level OK"
  fi
done

# Every local account except the listed system accounts and those whose
# name starts with ext or usr is expected to have maxage=0.  The sed turns
# "name maxage=N" into ";name;maxage=N" so the egrep can match whole names.
# NOTE(review): maxage=0 disables password ageing for those accounts, which
# contradicts the default maxage=13 enforced above — presumably they are
# technical/service accounts; confirm.
lsuser -R files -a maxage ALL | sed -e 's/^/;/' -e 's/\ /;/' | egrep -v ";ext|;usr|;daemon;|;bin;|;sys;|;adm;|;nobody;|;lp;|;invscout;|;ipsec;|;snapp;|;sshd;|;lpd;|;pconsole;|;esaadmin;" | sed 's/;/\ /g' | while read i j
do
  if [ "$j" != "maxage=0" ]
  then
    printf "\E[31;1m""chuser -R files maxage=0 $i"" $1\E[0m\n"
  fi
done

# root must not be locked out by an expired password: maxexpired=-1.
lsuser -R files -a maxexpired root | awk '{print $2}' | grep -v 'maxexpired=-1'  > /dev/null 2>&1
if [ $? -eq 0 ]
then
  printf "\E[31;1m""chuser -R files maxexpired=-1 root"" $1\E[0m\n"
fi

}

#####################################################
# Check PATH hygiene and the /etc/motd banner (CIS 4.11, 4.13, 4.14).
# Globals:   rule, level, val, RC (written; shell-global in this "name ()"
#            function form)
# Outputs:   "# rule=... level=... OK|NOK" summary lines and red fix commands
#####################################################
check_profile ()
{
# Check settings in /etc/profile and environment
echo "#************************************"
echo "#** Check environment              **"
echo "#************************************"

# 4.11: the PATH= line of /etc/environment must not contain an empty
# component (leading, trailing or doubled ':') or a one-character entry such
# as "."; the awk regex matches any of those shapes.
rule="4.11 environment PATH"
level=1
if [[ $(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[ \t]*:)|(^.:)|(:.$)|(:.:))/') == "" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  # NOTE(review): $val is the current (offending) PATH line and the proposed
  # sed writes it back unchanged, so the red line is a template to edit by
  # hand rather than a ready fix.  Its regex also differs from the one above
  # ([\t] instead of [ \t]).
  val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
  printf "\E[31;1m""$LINUX_SED -i "'"''/^PATH=/s/.*/'$val'/''"'" /etc/environment"" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

# 4.13: root's PATH must not contain the current directory.
# NOTE(review): ${PATH} inside double quotes is expanded by THIS shell before
# su runs, so the value tested is the caller's PATH, not root's login PATH;
# escaping it (\${PATH}) would test the login environment instead.
rule="4.13 Remove current working directory from root's PATH"
level=1
if [[ $(su - root -c "echo ${PATH}" |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/') == "" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

# 4.14: /etc/motd must mention "authorized" (case-insensitive) and be owned
# bin:bin with mode 644; RC counts the failed sub-checks.  GNU stat (toolbox)
# prints "owner:group:mode:name:".
# NOTE(review): check_files_permission expects /etc/motd to be 444, so the
# two checks propose conflicting chmod commands — align them.
rule="4.14 Configuration: /etc/motd"
level=1
RC=0
if [ $(grep -qi authorized /etc/motd; echo $?) -ne "0" ]
then
  (( RC = RC + 1 ))
fi
if [[ $($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd) != 'bin:bin:644:/etc/motd:' ]]
then
  (( RC = RC + 1 ))
  printf "\E[31;1m""chmod u=rw,go=r /etc/motd"" $1\E[0m\n"
  printf "\E[31;1m""chown bin:bin /etc/motd"" $1\E[0m\n"
fi
if [[ $RC == "0" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

}

#####################################################
# Check local accounts and groups: stray LDAP-style users, members of the
# system group, guest / print accounts and missing home directories.
# Globals:   num, i, rule, level, RC, usr, pgrp, home, dummy, h, grp
#            (written; shell-global in this "name ()" function form)
# Outputs:   red rmuser/mkdir/chown lines for deviations, green "# ... OK"
#            lines otherwise, and a "# rule=... level=... OK|NOK" summary
#            for rule 4.7.1.2
#####################################################
check_local_user_group()
{
# Check local users and groups
echo "#************************************"
echo "#** Check local users and groups   **"
echo "#************************************"

# Check local users starting with usr or ext
# Accounts named usr*/ext* are only flagged when the default SYSTEM
# attribute mentions LDAP — presumably these prefixes are the site's
# convention for directory-managed accounts, which should then not exist
# locally.
egrep "^usr|^ext" /etc/passwd > /dev/null 2>&1
if [ $? -eq 0 ]
then
  lssec -f /etc/security/user -s default -a SYSTEM | grep LDAP > /dev/null 2>&1
  if [ $? -eq 0 ]
  then
    printf "\E[31;1m""User ext or usr exists on local Please remove them using : rmuser -R files -p <user>"" $1\E[0m\n"
    egrep "^usr|^ext" /etc/passwd
  else
    printf "\E[32;1m""# User ext or usr exists on local but there is no LDAP: OK"" $1\E[0m\n"
  fi
else
  printf "\E[32;1m""# No local user defined : OK"" $1\E[0m\n"
fi

# Check users in system group
# Strip the tolerated members (root, pconsole, esaadmin, srvproxy) and all
# whitespace from the member list; wc -c of an empty line is 1 (the
# newline), so anything above 1 means an extra member remains.
# NOTE(review): the listing below omits the srvproxy substitution, so
# srvproxy would be shown even though it is not counted.
num=$(cat /etc/group | grep '^system' | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//' -e 's/srvproxy//' | sed 's/\ //g'  | wc -c | awk '{print $1}')
if [ $num -ne 1 ]
then
  printf "\E[31;1m""User exists in system group, Please change the group"" $1\E[0m\n"
  cat /etc/group | grep '^system' | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//'
else
  printf "\E[32;1m""# No users in system group except system users OK"" $1\E[0m\n"
fi

# Check guest user
egrep "^guest:" /etc/passwd > /dev/null 2>&1
if [ $? -eq 0 ]
then
  for i in $(egrep "^guest:" /etc/passwd | cut -d':' -f1)
  do
    printf "\E[31;1m""rmuser -R files -p $i"" $1\E[0m\n"
  done
else
  printf "\E[32;1m""# No user guest OK"" $1\E[0m\n"
fi

# Check lpd and printq user
# The print accounts are tolerated when /etc/qconfig defines at least one
# queue (lines not starting with '*').
# NOTE(review): the pattern says "prinq", which looks like a typo for the
# "printq" account named in the comment; as written the printq user is
# never matched — confirm.  $logpath/tempo is left behind after the check.
egrep "^lpd:|^prinq:" /etc/passwd > /dev/null 2>&1
if [ $? -eq 0 ]
then
  cat /etc/qconfig | grep -v '^*' > $logpath/tempo
  if [ -s $logpath/tempo ]
  then
    printf "\E[32;1m""# Users lpd and printq exists, printers are defined OK"" $1\E[0m\n"
  else
    for i in $(egrep "^prinq:" /etc/passwd | cut -d':' -f1)
    do
      printf "\E[31;1m""rmuser -R files -p $i"" $1\E[0m\n"
    done
  fi
else
  printf "\E[32;1m""# No user lpd or printq OK"" $1\E[0m\n"
fi

# Check homedir
# 4.7.1.2: every unlocked local account must have an existing home
# directory.  RC is incremented inside the while loop; this relies on ksh93
# running the last stage of a pipeline in the current shell — under bash
# the loop would be a subshell and RC would stay 0.
rule="4.7.1.2 Homedir exist"
level=1
RC=0
lsuser -R files -a pgrp home account_locked ALL |grep -v 'account_locked=true' | while read usr pgrp home dummy
do
  h=$(echo $home | cut -d'=' -f2)
  ls -ld $h > /dev/null 2>&1
  if [ $? -ne "0" ]
  then
    (( RC = RC + 1 ))
    grp=$(echo $pgrp | cut -d'=' -f2)
    printf "\E[31;1m""mkdir -p $h"" $1\E[0m\n"
    printf "\E[31;1m""chown -R $usr:$grp $h"" $1\E[0m\n"
  fi
done
if [[ $RC == "0" ]]
then
  printf "\E[32;1m""# Users Homedir OK"" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  printf "\E[31;1m""# Users Homedir NOK"" $1\E[0m\n"
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

}

#####################################################
# Verify that the historical system accounts are locked and cannot log in
# (CIS 5.3.x and 4.12); root is expected to remain unlocked.
# Globals:   user, locked_ref, login_ref, rlogin_ref, rule, level, count,
#            login_curr, rlogin_curr, locked_curr, ACCOUNTS (written;
#            shell-global in this "name ()" function form)
# Outputs:   red "chuser -R files ..." lines per deviating attribute, green
#            "# parameter ... OK" lines otherwise, "# <rule> <level> OK|NOK"
#            per account and a "# rule=... level=... OK|NOK" summary for 4.12
#####################################################
disable_login_system ()
{
# Disable login and rlogin for system users
echo "#************************************"
echo "#** Disable login for system users **"
echo "#************************************"

# Reference table: "<user> account_locked=.. login=.. rlogin=.. rule=.. level=..".
# The root line carries rule="None" level=none and asserts the opposite
# (unlocked, login allowed).  Do not comment inside the here-doc: every line
# is read back as a record.
cat << EOF > $list_files
daemon account_locked=true login=false rlogin=false rule="5.3.3 lock account daemon" level=1
bin account_locked=true login=false rlogin=false rule="5.3.2 lock account bin" level=1
sys account_locked=true login=false rlogin=false rule="5.3.8 lock account sys" level=1
adm account_locked=true login=false rlogin=false rule="5.3.1 lock account adm" level=1
nobody account_locked=true login=false rlogin=false rule="5.3.6 lock account nobody" level=1
guest account_locked=true login=false rlogin=false rule="5.3.4 lock account guest" level=1
uucp account_locked=true login=false rlogin=false rule="5.3.9 lock account uucp" level=1
nuucp account_locked=true login=false rlogin=false rule="5.3.7 lock account nuucp" level=1
lpd account_locked=true login=false rlogin=false rule="5.3.5 lock account lpd" level=1
root account_locked=false login=true rlogin=true rule="None" level=none
EOF

cat $list_files | while read user locked_ref login_ref rlogin_ref rule level
do
  count=0
  # NOTE(review): "[ $(test -e ...; echo $?) ]" tests a non-empty string ("0"
  # or "1") and is therefore always true, so this branch runs for every
  # non-root user whether or not /usr/ios/cli/ioscli (VIOS) exists; the else
  # branch is only reached for root, which is then checked only on hosts
  # without ioscli.  Both branches contain the same comparison block.
  if [ "$user" != "root" ] && [ $(test -e /usr/ios/cli/ioscli;echo $?) ]
  then
   # NOTE(review): grep "$user" is an unanchored substring match (e.g. "bin"
   # matches any line containing /bin); "^$user:" would test the account.
   grep "$user" /etc/passwd > /dev/null 2>&1
   if [ $? -eq 0 ]
   then
    # lsuser prints "user attr=value"; field 2 is compared literally with the
    # reference "attr=value" token, and count tallies the mismatches.
    login_curr=$(lsuser -R files -a login $user | awk '{print $2}')
    rlogin_curr=$(lsuser -R files -a rlogin $user | awk '{print $2}')
    locked_curr=$(lsuser -R files -a account_locked $user | awk '{print $2}')
    if [ "$login_curr" != "$login_ref" ]
    then
      # The trailing $1 is the function's first positional argument, if any.
      printf "\E[31;1m""chuser -R files $login_ref $user"" $1\E[0m\n"
      (( count = count + 1 ))
    else
      printf "\E[32;1m""# parameter $login_ref $user OK"" $1\E[0m\n"
    fi
    if [ "$rlogin_curr" != "$rlogin_ref" ]
    then
      printf "\E[31;1m""chuser -R files $rlogin_ref $user"" $1\E[0m\n"
      (( count = count + 1 ))
    else
      printf "\E[32;1m""# parameter $rlogin_ref $user OK"" $1\E[0m\n"
    fi
    if [ "$locked_curr" != "$locked_ref" ]
    then
      printf "\E[31;1m""chuser -R files $locked_ref $user"" $1\E[0m\n"
      (( count = count + 1 ))
    else
      printf "\E[32;1m""# parameter $locked_ref $user OK"" $1\E[0m\n"
    fi
   fi
  else
    # Reached for root only (see note above); skipped on VIOS.
    if [ ! -e /usr/ios/cli/ioscli ]
    then
      grep "$user" /etc/passwd > /dev/null 2>&1
      if [ $? -eq 0 ]
      then
       login_curr=$(lsuser -R files -a login $user | awk '{print $2}')
       rlogin_curr=$(lsuser -R files -a rlogin $user | awk '{print $2}')
       locked_curr=$(lsuser -R files -a account_locked $user | awk '{print $2}')
       if [ "$login_curr" != "$login_ref" ]
       then
         printf "\E[31;1m""chuser -R files $login_ref $user"" $1\E[0m\n"
         (( count = count + 1 ))
       else
         printf "\E[32;1m""# parameter $login_ref $user OK"" $1\E[0m\n"
       fi
       if [ "$rlogin_curr" != "$rlogin_ref" ]
       then
         printf "\E[31;1m""chuser -R files $rlogin_ref $user"" $1\E[0m\n"
         (( count = count + 1 ))
       else
         printf "\E[32;1m""# parameter $rlogin_ref $user OK"" $1\E[0m\n"
       fi
       if [ "$locked_curr" != "$locked_ref" ]
       then
         printf "\E[31;1m""chuser -R files $locked_ref $user"" $1\E[0m\n"
         (( count = count + 1 ))
       else
         printf "\E[32;1m""# parameter $locked_ref $user OK"" $1\E[0m\n"
       fi
      fi
    fi
  fi
  # Per-account summary: an account absent from /etc/passwd counts as OK.
  grep "$user" /etc/passwd > /dev/null 2>&1
  if [ $? -eq 0 ]
  then
    if [ "$count" != "0" ]
    then
      echo "# $rule $level NOK"
    else
      echo "# $rule $level OK"
    fi
  else
    echo "# $rule $level OK"
  fi
done

# 4.12: every historical account present in /etc/passwd must be
# account_locked=true.  ACCOUNTS is the comma-joined list of those that
# exist; lsuser here runs without -R, i.e. across all registries.
rule="4.12 Lock historical users"
level=1
ACCOUNTS=$(egrep '^daemon:|^bin:|^sys:|^adm:|^uucp:|^nobody:|^lpd:|^lp:|^invscout:|^ipsec:|^nuucp:|^sshd:' /etc/passwd | cut -d':' -f1  | tr '\n' ',' | sed 's/,$//')

if [[ $(lsuser -a account_locked ${ACCOUNTS} | grep -v account_locked=true | wc -l | awk '{print $1}') -eq "0" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

}

#####################################################
# Check /etc/inittab for services that should be disabled (CIS 4.1.1.x,
# 4.5.1.3) and propose the matching chitab/stopsrc commands.
# Globals:   param, rule, level, line, begin, end, newline, listsvc,
#            inittab, file (written; shell-global in this "name ()" form)
# Outputs:   red "chitab ..." / "stopsrc -s ..." / "rm -f ..." lines, green
#            "# Parameter ... not exists OK" lines, and "# <rule> <level>
#            OK|NOK" summaries for the rule-bearing entries
#####################################################
check_inittab ()
{
# Check /etc/inittab
echo "#************************"
echo "#** Check /etc/inittab **"
echo "#************************"

# Print subsystems: only proposed for disabling when /etc/qconfig defines
# no queue.  Do not comment inside the here-doc: lines are read as records.
cat << EOF > $list_files
piobe rule="4.1.1.4 Disable piobe" level=1
qdaemon rule="4.1.1.5 Disable qdaemon" level=1
EOF

cat $list_files | while read param rule level
do
  # An entry "<param>:..." exists and its action field is not "off".
  grep "^$param:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1
  if [ $? -eq 0 ]
  then
    # No printer defined: qconfig has no non-empty line outside '*' comments.
    if [[ $(cat /etc/qconfig | grep -v '^*' | sed '/^$/d' | wc -l | awk '{print $1}') == "0" ]]
    then
      # Rebuild the inittab record with the action (3rd field) set to off.
      line=$(grep "^$param:" /etc/inittab)
      begin=$(echo $line | cut -d':' -f1,2)
      end=$(echo $line | cut -d':' -f4-)
      newline=$(echo "'""$begin:off:$end""'")
      printf "\E[31;1m""chitab $newline"" $1\E[0m\n"
      # Also stop the subsystem when SRC reports it active under that name.
      if [[ $(lssrc -a | grep active | awk '{print $1}' | grep "^$param" | sed 's/$/:/' ) == "$param:" ]]
      then
        printf "\E[31;1m""stopsrc -s $param"" $1\E[0m\n"
      fi
      echo "# $rule $level NOK"
    else
      echo "# $rule $level comment="'"'"printers available"'"'" NOK"
    fi
  else
    # NOTE(review): $inittab is not set in this loop (it is the variable of
    # the for loop further down), so the message prints an empty name;
    # $param is the intended value.
    printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n"
    echo "# $rule $level OK"
  fi
done

# Services without a CIS rule number.  With PowerHA (clmgr present) only
# xmdaily is added; on a non-VIOS host without PowerHA the cluster daemons
# clcomd/clusterconf are added too — presumably because PowerHA needs them.
listsvc="i4ls rcncs httpdlite pmd rcml mkatmpvc atmsvcd sniinst naudio naudio2 pconsole webserverstart platform_agent cimservices rcitm rcnetwlm director_agent climgrcim install_assist pmperfrec cfgperf"
if [ -e /usr/es/sbin/cluster/utilities/clmgr ]
then
  listsvc=$(echo "$listsvc xmdaily")
else
  if [ ! -e /usr/ios/cli/ioscli ]
  then
    listsvc=$(echo "$listsvc clcomd clusterconf xmdaily")
  fi
fi

for inittab in $listsvc
do
  grep "^$inittab:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1
  if [ $? -eq 0 ]
  then
    line=$(grep "^$inittab:" /etc/inittab)
    begin=$(echo $line | cut -d':' -f1,2)
    end=$(echo $line | cut -d':' -f4-)
    newline=$(echo "'""$begin:off:$end""'")
    printf "\E[31;1m""chitab $newline"" $1\E[0m\n"
  else
    printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n"
  fi
done

# Rule-bearing entries checked unconditionally (no qconfig exemption).
cat << EOF > $list_files
writesrv rule="4.1.1.1 Disable writesrv" level=1
dt rule="4.1.1.3 Disable dt" level=1
dt rule="4.5.1.3 Disable dt CDE" level=1
dt_nogb rule="4.1.1.3 Disable dt" level=1
cas_agent rule="4.1.1.7 Disable cas_agent" level=1
EOF

cat $list_files | while read param rule level
do
  grep "^$param:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1
  if [ $? -eq 0 ]
  then
    line=$(grep "^$param:" /etc/inittab)
    begin=$(echo $line | cut -d':' -f1,2)
    end=$(echo $line | cut -d':' -f4-)
    newline=$(echo "'""$begin:off:$end""'")
    printf "\E[31;1m""chitab $newline"" $1\E[0m\n"
    if [[ $(lssrc -a | grep active | awk '{print $1}' | grep "^$param" | sed 's/$/:/' ) == "$param:" ]]
    then
      printf "\E[31;1m""stopsrc -s $param"" $1\E[0m\n"
    fi
    echo "# $rule $level NOK"
  else
    # NOTE(review): same stale $inittab reference as in the first loop;
    # $param is the intended value.
    printf "\E[32;1m""# Parameter $inittab not exists OK"" $1\E[0m\n"
    echo "# $rule $level OK"
  fi
done

# Remove the old IBM Director Agent (Tivoli Common Agent) start script, no
# longer supported.
# NOTE(review): "[ -e <glob> ]" only works when the pattern expands to
# exactly one path; with several matches test gets extra arguments and
# fails, with none the literal pattern is tested.
if [ -e /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0 ]
then
  for file in $(ls /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0)
  do
    printf "\E[31;1m""rm -f $file"" $1\E[0m\n"
  done
fi

# rcnfs required for mksysb, NIM and NMON
}

#####################################################
# Check /etc/inetd.conf: no active service should remain except the
# exempted ones, and each CIS-listed service must be off (4.1.1.2,
# 4.1.5.x, 4.5.1.x).
# Globals:   exclusion, exclude, i, j, param, rule, level, RC, sub
#            (written; shell-global in this "name ()" function form)
# Outputs:   red "chsubserver -d ..." lines for every active service,
#            green "# /etc/inetd.conf OK" when nothing is active, and
#            "# <rule> <level> OK|NOK" per CIS rule
#####################################################
check_inetd ()
{
# Check /etc/inetd.conf
echo "#***************************"
echo "#** Check /etc/inetd.conf **"
echo "#***************************"
# Services that are allowed to stay enabled everywhere.
exclusion="^omni|^nrpe|^swat"
# Any non-comment line outside the exemptions means inetd still serves
# something.
grep -v '^#' /etc/inetd.conf | egrep -v "$exclusion" > /dev/null 2>&1
if [ $? -ne 0 ]
then
  printf "\E[32;1m""# /etc/inetd.conf OK"" $1\E[0m\n"
else
  # Host-specific exemptions: a NIM server (lsnim present) keeps the
  # r-services, bootps and tftp it depends on; a VIOS keeps ftp, telnet and
  # caa_cfg.  NOTE(review): "none" is applied as a regex, so a service line
  # containing the text "none" would be silently exempted as well.
  if [ -f /usr/sbin/lsnim ]
  then
    exclude="^ftp|^telnet|^shell|^login|^exec|^bootps|^tftp"
  else
    if [ -f /usr/ios/cli/ioscli ]
    then
      exclude="^ftp|^telnet|^caa_cfg"
    else
      exclude="none"
    fi
  fi
  # i = service name, j = protocol (field 3); the sed drops the "6" from
  # tcp6/udp6, presumably because chsubserver -p wants the base protocol.
  grep -v '^#' /etc/inetd.conf | egrep -v "$exclude" | awk '{print $1,$3}' | while read i j
  do
    printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n"
  done
fi

# CIS rule table: "<service>[,<service>] rule=... level=...".  Do not add
# comments inside the here-doc: every line is read back as a record.
cat << EOF > $list_files
talk,ntalk rule="4.1.1.2 Disable talk/ntalk" level=1
bootps rule="4.1.5.1 Disable bootps" level=1
chargen rule="4.1.5.2 Disable chargen" level=1
comsat rule="4.1.5.3 Disable comsat" level=1
daytime rule="4.1.5.4 Disable daytime" level=1
discard rule="4.1.5.5 Disable discard" level=1
echo rule="4.1.5.6 Disable echo" level=1
exec rule="4.1.5.7 Disable exec" level=1
finger rule="4.1.5.8 Disable finger" level=1
ftp rule="4.1.5.9 Disable ftp" level=1
imap2 rule="4.1.5.10 Disable imap2" level=1
instsrv rule="4.1.5.11 Disable instsrv" level=1
klogin rule="4.1.5.12 Disable klogin" level=1
kshell rule="4.1.5.13 Disable kshell" level=1
login rule="4.1.5.14 Disable login" level=1
netstat rule="4.1.5.15 Disable netstat" level=1
ntalk rule="4.1.5.16 Disable ntalk" level=1
pcnfsd rule="4.1.5.17 Disable pcnfsd" level=1
pop3 rule="4.1.5.18 Disable pop3" level=1
rexd rule="4.1.5.19 Disable rexd" level=1
rquotad rule="4.1.5.20 Disable rquotad" level=1
rstatd rule="4.1.5.21 Disable rstatd" level=1
rusersd rule="4.1.5.22 Disable rusersd" level=1
rwalld rule="4.1.5.23 Disable rwalld" level=1
shell rule="4.1.5.24 Disable shell" level=1
sprayd rule="4.1.5.25 Disable sprayd" level=1
xmquery rule="4.1.5.26 Disable xmquery" level=1
talk rule="4.1.5.27 Disable talk" level=1
telnet rule="4.1.5.28 Disable telnet" level=1
tftp rule="4.1.5.29 Disable tftp" level=1
time rule="4.1.5.30 Disable time" level=1
uucp rule="4.1.5.31 Disable uucp" level=1
cmsd rule="4.5.1.2 Disable cmsd (CDE)" level=1
dtspc rule="4.5.1.4 Disable dtspc (CDE)" level=2
EOF

# A rule is NOK when any of its comma-separated services has an active
# (uncommented) line; RC counts the services found.  Spaces are turned into
# ':' so "^<sub>:" matches the whole service name.  This check does not
# apply the host exemptions used above, so e.g. bootps/tftp are reported
# on a NIM server too.
cat $list_files | while read param rule level
do
  RC=0
  for sub in $(echo $param | tr ',' '\n')
  do
    cat /etc/inetd.conf | sed 's/\ /:/g' | grep -q "^$sub:" > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
      cat /etc/inetd.conf | tr -s ' ' | sed 's/\ /:/g' | grep "^$sub:" | awk -F':' '{print $1,$3}' | while read i j
      do
        printf "\E[31;1m""chsubserver -d -p $(echo $j | sed 's/6//') -v $i -r inetd"" $1\E[0m\n"
      done
      (( RC = RC + 1 ))
    fi
  done
  if [[ $RC == "0" ]]
  then
    echo "# $rule $level OK"
  else
    echo "# $rule $level NOK"
  fi
done

}

#####################################################
# Check /etc/rc.tcpip: the CIS-listed daemons must not be started, and no
# daemon other than xntpd, inetd, syslogd (plus portmap on a NIM server)
# may be started at all.
# Globals:   param, rule, level, service (written; shell-global in this
#            "name ()" function form)
# Outputs:   red "chrctcp -S -d <daemon>" lines, green "# /etc/rc.tcpip
#            ... OK" lines and "# <rule> <level> OK|NOK" per CIS rule
#####################################################
check_rctcpip ()
{
# Check /etc/rc.tcpip
echo "#*************************"
echo "#** Check /etc/rc.tcpip **"
echo "#*************************"

# CIS rule table (4.1.2.x, 4.1.3.x).  Do not add comments inside the
# here-doc: every line is read back as a record.
cat << EOF > $list_files
aixmidb rule="4.1.2.2 Disable aixmidb" level=1
dhcpcd rule="4.1.2.3 Disable dhcpcd" level=1
dhcprd rule="4.1.2.4 Disable dhcprd" level=1
dhcpsd rule="4.1.2.5 Disable dhcpsd" level=1
dpid2 rule="4.1.2.6 Disable dpid2" level=1
gated rule="4.1.2.7 Disable gated" level=1
hostmibd rule="4.1.2.8 Disable hostmibd" level=1
mrouted rule="4.1.2.9 Disable mrouted" level=2
named rule="4.1.2.10 Disable named" level=1
routed rule="4.1.2.12 Disable routed" level=1
rwhod rule="4.1.2.13 Disable rwhod" level=1
sendmail rule="4.1.2.14 Disable sendmail" level=1
snmpd rule="4.1.2.15 Disable snmpd" level=1
snmpmibd rule="4.1.2.16 Disable snmpmibd" level=1
timed rule="4.1.2.17 Disable timed" level=1
autoconf6 rule="4.1.3.1 Disable autoconf6" level=1
ndpd-host rule="4.1.3.2 Disable ndpd-host" level=1
ndpd-router rule="4.1.3.3 Disable ndpd-router" level=1
EOF

# Normalise rc.tcpip (drop tabs, a leading space, comments and blank lines),
# keep the lines beginning with "start" and look for the daemon name.
# NOTE(review): "grep -q $param" is an unanchored substring match on the
# whole start line (e.g. "snmpd" also matches a snmpd path in a comment-free
# argument list).
cat $list_files | while read param rule level
do
  cat /etc/rc.tcpip | tr -d "\011" | sed 's/^\ //g' | grep -v '^#' | sed '/^$/d' | grep '^start' | grep -q "$param"
  if [ $? -ne 0 ]
  then
    printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n"
    echo "# $rule $level OK"
  else
    # NIM server: tolerate xntpd/inetd/syslogd/portmap.  None of those is in
    # the table above, so this branch behaves like the non-NIM one in
    # practice; its summary also lacks a space before NOK.
    if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
    then
      echo $param | egrep -q "xntpd|inetd|syslogd|portmap"
      if [ $? -eq 0 ]
      then
        printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n"
        echo "# $rule $level comment="'"'NIM server'"'"NOK"
      else
        printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n"
        echo "# $rule $level NOK"
      fi
    else
      printf "\E[31;1m""chrctcp -S -d $param"" $1\E[0m\n"
      echo "# $rule $level NOK"
    fi
  fi
done

# Catch-all: any other "start " line is flagged.  "rev | cut -d'/' -f1 |
# rev" keeps the last path component of the started binary (field 2).
grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" > /dev/null 2>&1
if [ $? -ne 0 ]
then
  printf "\E[32;1m""# /etc/rc.tcpip OK"" $1\E[0m\n"
else
  if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
  then
    grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap" > /dev/null 2>&1
    if [ $? -ne 0 ]
    then
      printf "\E[32;1m""# /etc/rc.tcpip on NIM server OK"" $1\E[0m\n"
    else
      for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd|portmap"| awk '{print $2}' | rev | cut -d'/' -f1 | rev)
      do
        printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n"
      done
    fi
  else
    for service in $(grep "^start " /etc/rc.tcpip | egrep -v "xntpd|inetd|syslogd" | awk '{print $2}' | rev | cut -d'/' -f1 | rev)
    do
      printf "\E[31;1m""chrctcp -S -d $service"" $1\E[0m\n"
    done
  fi
fi
}

#####################################################
# Check ownership and mode of security-relevant files and directories
# against a baseline table, then look for group-writable staff files and
# orphaned files (CIS 3.7, 3.8).
# Calls:     convert_perm_file, convert_perm_dir (defined later in the file)
# Globals:   type, full, owner, group, perm, nocheck, owner_curr, perm_curr,
#            rule, level, label, outfile (written; shell-global in this
#            "name ()" function form)
# Outputs:   red chown/chmod lines, green "# file|directory ... OK" lines,
#            "# rule=... level=... OK|NOK" for 3.7/3.8, and find(1) listings
#            written under $outputdir when those rules fail
#####################################################
check_files_permission ()
{
# Check file permissions
echo "#****************************"
echo "#** Check file permissions **"
echo "#****************************"

# Baseline: "<f|d> <path> <owner> <group> <mode> [nocheck]".  Mode 000 on the
# r-commands and tftpd disables them entirely; those rows are tagged
# nocheck.  Lines whose type is neither f nor d (the "#f" row) are skipped
# by the loop.  Do not add comments inside the here-doc: every line is read
# back as a record.
# NOTE(review): /etc/motd is expected here as bin:bin 444, while
# check_profile expects 644 — the two checks contradict each other.
cat << EOF > $list_files
f /usr/bin/rcp root system 000 nocheck
f /usr/bin/rlogin root bin 000 nocheck
f /usr/bin/rsh root system 000 nocheck
f /usr/sbin/rlogind root system 000 nocheck
f /usr/sbin/rshd root system 000 nocheck
f /usr/sbin/tftpd root system  000 nocheck
f /etc/ssh/sshd_config root system 644
f /etc/ssh/ssh_config root system 644
f /etc/security/passwd root security 600
d /etc/security root security 750
f /etc/group root security 644
f /etc/passwd root security 644
d /etc/security/audit root audit 750
d /audit root audit 750
f /root/smit.log root system 640
f /var/adm/cron/log root cron 660
f /var/adm/cron/cron.allow bin cron 640
f /var/adm/cron/at.allow bin cron 640
d /var/spool/cron/crontabs root cron 770
f /etc/motd bin bin 444
#f /var/adm/ras/* - - o-r
f /var/ct/RMstart.log root system 640
f /var/tmp/dpid2.log root system 640
f /var/tmp/hostmibd.log root system 640
f /var/tmp/snmpd.log root system 640
d /var/adm/sa adm adm 766
f /usr/dt/bin/dtaction root sys 555
f /usr/dt/bin/dtappgather root bin 555
f /usr/dt/bin/dtprintinfo root bin 555
f /usr/dt/bin/dtsession root bin 555
f /etc/dt/config/Xservers root bin 555
EOF

# On a NIM server (lsnim present) the nocheck rows are dropped, presumably
# because NIM relies on the r-services and tftpd.
if [ $(ls /usr/sbin/lsnim > /dev/null 2>&1;echo $?) -eq 0 ]
then
  cat $list_files | grep -v "nocheck" > $list_files.1
  mv $list_files.1 $list_files
fi

# Owner is compared as "owner.group" built from ls -l fields 3 and 4; the
# mode comes from convert_perm_file/convert_perm_dir, which print a decimal
# built from the rwx string (special bits add a thousands digit, so a
# setuid 755 file yields "4755" and mismatches a 3-digit baseline).  A mode
# of 000 comes back as "0" and is normalised to "000" for files only.
# Missing paths are silently skipped.
cat $list_files | while read type full owner group perm nocheck
do
  if [ $type = "f" ]
  then
    if [ -f $full ]
    then
      owner_curr=$(ls -l $full | awk '{print $3"."$4}')
      if [ "$owner_curr" != $(echo "$owner.$group") ]
      then
        printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n"
      else
        printf "\E[32;1m""# file $full owner OK"" $1\E[0m\n"
      fi
      perm_curr=$(convert_perm_file $full | awk '{print $1}')
      if [[ $perm_curr == "0" ]]
      then
        perm_curr="000"
      fi
      if [ "$perm_curr" != "$perm" ]
      then
        printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n"
      else
        printf "\E[32;1m""# file $full permission OK"" $1\E[0m\n"
      fi
    fi
  else
    if [ $type = "d" ]
    then
      if [ -d $full ]
      then
        owner_curr=$(ls -ld $full | awk '{print $3"."$4}')
        if [ "$owner_curr" != $(echo "$owner.$group") ]
        then
          printf "\E[31;1m""chown $(echo "$owner.$group") $full"" $1\E[0m\n"
        else
          printf "\E[32;1m""# directory $full owner OK"" $1\E[0m\n"
        fi
        perm_curr=$(convert_perm_dir $full | awk '{print $1}')
        if [ "$perm_curr" != "$perm" ]
        then
          printf "\E[31;1m""chmod $perm $full"" $1\E[0m\n"
        else
          printf "\E[32;1m""# directory $full permission OK"" $1\E[0m\n"
        fi
      fi
    fi
  fi
done

# 3.7: regular files on local jfs/jfs2 filesystems that are group-writable
# and owned by group staff.  The find runs twice when there are hits (once
# to count, once to write the -ls listing to $outfile).
rule="3.7 check staff writable files"
level=1
label=3.7_staff_writable_files
outfile=$outputdir/${label}
if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}') == "0" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff -ls > $outfile
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

# 3.8: files and directories on local jfs/jfs2 filesystems whose owner or
# group no longer exists; same double-find pattern as 3.7.
rule="3.8 check nouser, nogroup files"
level=1
label=3.8_nouser_nogroup_files
outfile=$outputdir/${label}
if [[ $(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}') == "0" ]]
then
  echo "# rule="'"'$rule'"'" level=$level OK"
else
  find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls > $outfile
  echo "# rule="'"'$rule'"'" level=$level NOK"
fi

}

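#####################################################
# Print the permission mode and name of each regular file given.
# Arguments: $@ - file paths; arguments that are not regular files are
#            skipped silently
# Outputs:   one "<mode> <name>" line per file, where <mode> is a decimal
#            built from the ls -l rwx string: r/w/x add 400/200/100, 40/20/10
#            and 4/2/1, and setuid/setgid/sticky add a thousands digit
#            (e.g. "rwsr-xr-x" -> 4755).  The %4d padding means a mode of
#            000 prints as "   0" (check_files_permission maps it back);
#            <name> is the last whitespace-separated word of the ls line.
#####################################################
convert_perm_file ()
{
  # Iterate over the arguments themselves instead of $(ls $*): the old form
  # word-split and re-globbed every path and printed ls errors for missing
  # ones.  The caller's expansion (quoted or not) is taken as-is.
  for file in "$@"
  do
    if [ -f "$file" ]
    then
      ls -l "$file" | awk 'BEGIN {
v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
{val=0
    for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
    printf "%4d %s\n",val,$NF}'
    fi
  done
}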

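#####################################################
# Print the permission mode and name of one directory.
# Arguments: $1 - directory path
# Globals:   dir (written; shell-global in this "name ()" function form,
#            kept for compatibility with the previous implementation)
# Outputs:   one "<mode> <name>" line built like convert_perm_file from the
#            ls -ld rwx string (setuid/setgid/sticky add a thousands digit,
#            %4d padding); <name> is the last whitespace-separated word of
#            the ls line.  A missing path produces an ls error on stderr.
#####################################################
convert_perm_dir ()
{
  # The former dir=$(echo $1) round-trip was a no-op that also word-split
  # and globbed the argument; assign and quote it directly.
  dir=$1
  ls -ld "$dir" | awk 'BEGIN {
v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
{val=0
    for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
    printf "%4d %s\n",val,$NF}'
}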

#####################################################
# Compare network ("no") and NFS ("nfso") tunables with the baseline.
# Globals:   cmd, param, val, rule, level, val_cur, i, j, k, val_ref
#            (written; shell-global in this "name ()" function form)
# Outputs:   red "<cmd> -p -o <param>=<value>" lines for deviations, green
#            "# parameter ... OK" lines otherwise, and "# <rule> <level>
#            OK|NOK" for the CIS-numbered tunables of the first table
#####################################################
network_option ()
{
# Network Options
echo "#***********************"
echo "#** Network Options   **"
echo "#***********************"

# CIS table (4.2.x): "<cmd> <tunable> <expected> rule=... level=...".
# Do not add comments inside the here-doc: every line is read as a record.
cat << EOF > $list_files
no clean_partial_conns 1 rule="4.2.1 no clean_partial_conns" level=1
no bcastping 0 rule="4.2.2 no bcastping" level=1
no directed_broadcast 0 rule="4.2.3 no directed_broadcast" level=1
no icmpaddressmask 0 rule="4.2.4 no icmpaddressmask" level=1
no ipforwarding 0 rule="4.2.5 no ipforwarding" level=1
no ipignoreredirects 1 rule="4.2.6 no ipignoreredirects" level=1
no ipsendredirects 0 rule="4.2.7 no ipsendredirects" level=1
no ipsrcrouteforward 0 rule="4.2.8 no ipsrcrouteforward" level=1
no ipsrcrouterecv 0 rule="4.2.9 no ipsrcrouterecv" level=1
no ipsrcroutesend 0 rule="4.2.10 no ipsrcroutesend" level=1
no ip6srcrouteforward 0 rule="4.2.11 no ip6srcrouteforward" level=1
nfso portcheck 1 rule="4.2.12 no portcheck" level=1
nfso nfs_use_reserved_ports 1 rule="4.2.12 no nfs_use_reserved_ports" level=1
no nonlocsrcroute 0 rule="4.2.13 no nonlocsrcroute" level=1
no sockthresh 60 rule="4.2.14 no sockthresh" level=1
no tcp_pmtu_discover 0 rule="4.2.15 no tcp_pmtu_discover" level=1
no tcp_tcpsecure 7 rule="4.2.16 no tcp_tcpsecure" level=1
no udp_pmtu_discover 0 rule="4.2.17 no udp_pmtu_discover" level=1
no ip6forwarding 0 rule="4.2.18 no ip6forwarding" level=1
EOF

# "<cmd> -o <tunable>" prints "<tunable> = <value>"; field 3 is the value.
# NOTE(review): the numeric -ne test fails with a syntax error when
# $val_cur is empty (unknown tunable), and that error status takes the else
# branch, i.e. the tunable is reported OK — confirm that is acceptable.
cat $list_files | while read cmd param val rule level
do
  val_cur=$($cmd -o $param | awk '{print $3}')
  if [ "$val" -ne "$val_cur" ]
  then
    # The trailing $1 is the function's first positional argument, if any.
    printf "\E[31;1m""$cmd -p -o $param=$val"" $1\E[0m\n"
    echo "# $rule $level NOK"
  else
    printf "\E[32;1m""# parameter $cmd $param OK"" $1\E[0m\n"
    echo "# $rule $level OK"
  fi
done



# Site table without rule numbers: repeats the CIS tunables and adds TCP/UDP
# buffer and MSS settings (rfc1323, *_sendspace, *_recvspace, tcp_mssdflt),
# which are performance rather than security settings.  Checked for exact
# equality, like the table above.
cat << EOF > $list_files
no ipsrcrouteforward  0
no ipignoreredirects  1
no clean_partial_conns  1
no ipsrcroutesend  0
no ipforwarding  0
no ipsendredirects 0
no ip6srcrouteforward 0
no ip6forwarding 0
no directed_broadcast  0
no tcp_pmtu_discover  0
no bcastping  0
no icmpaddressmask  0
no udp_pmtu_discover  0
no ipsrcrouterecv  0
no nonlocsrcroute  0
no tcp_tcpsecure  7
no sockthresh  60
no rfc1323  1
no tcp_sendspace  262144
no tcp_recvspace  262144
no udp_sendspace  65536
no udp_recvspace  655360
no tcp_mssdflt  1448
EOF

# For NFS with Linux, add the following settings
#nfso portcheck  1
#nfso nfs_use_reserved_ports  1

# i = command, j = tunable, k = expected value (same empty-value caveat as
# the first loop).
cat $list_files | while read i j k
do
  val_ref=$(echo $k)
  val_cur=$($i -o $j | awk '{print $3}')
  if [ "$val_cur" -ne "$val_ref" ]
  then
    printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n"
  else
    printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n"
  fi
done

# sb_max is a lower bound (-lt), not an exact value: larger is accepted.
echo "no sb_max 1048576" | while read i j k
do
  val_ref=$(echo $k)
  val_cur=$($i -o $j | awk '{print $3}')
  if [ "$val_cur" -lt "$val_ref" ]
  then
    printf "\E[31;1m""$i -p -o $j=$k"" $1\E[0m\n"
  else
    printf "\E[32;1m""# parameter $j OK"" $1\E[0m\n"
  fi
done
}

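check_audit ()
{
# Check Audit
# Verifies the prerequisites of the AIX audit subsystem and prints the command
# that fixes each missing piece (this script changes nothing):
#   - a dedicated /audit filesystem, so a growing audit trail cannot fill /,
#   - default audit classes for new users in mkuser.default,
#   - an active (not disabled) audit record in /etc/inittab.
echo "#***********************"
echo "#** Check audit       **"
echo "#***********************"

# "audit" only shows up in "df -g /audit" when /audit is its own mount point;
# otherwise df reports the filesystem holding / (or fails when the path is missing).
if df -g /audit 2>/dev/null | grep -q audit
then
  printf "\E[32;1m%s\E[0m\n" "# Filesystem /audit OK"
else
  printf "\E[31;1m%s\E[0m\n" "mklv -tjfs2 -y auditlv rootvg 2G;crfs -vjfs2 -m /audit -d auditlv -Ayes;mount /audit"
  printf "\E[31;1m%s\E[0m\n" "chown root.audit /audit;chmod 750 /audit"
fi

# Value of "auditclasses=" applied to new users.  An empty value AND a failed
# or absent lssec (no output at all) must both be reported NOK; the previous
# "wc -c == 1" test only caught the former and let the latter pass as OK.
audit_classes=$(lssec -f /usr/lib/security/mkuser.default -s user -a auditclasses 2>/dev/null | awk '{print $2}' | awk -F'=' '{print $2}')
if [[ -z "$audit_classes" ]]
then
  printf "\E[31;1m%s\E[0m\n" "chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip"
else
  printf "\E[32;1m%s\E[0m\n" "# User auditclasses OK"
fi

# An inittab record is "id:runlevel:action:command".  On AIX a record whose
# first character is ':' is the conventional way to disable it, so only a line
# starting with "audit:" counts as an active entry (a bare grep for "audit"
# would also accept a disabled one).  mkitab adds the record the supported way
# instead of appending raw text to /etc/inittab.
if grep -q '^audit:' /etc/inittab 2>/dev/null
then
  printf "\E[32;1m%s\E[0m\n" "# Audit process started in inittab OK"
else
  printf "\E[31;1m%s\E[0m\n" 'mkitab "audit:2:boot:audit start > /dev/console 2>&1"'
fi
}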

check_syslog ()
{
# Check Syslog
# Reads the syslogd subsystem definition from the ODM (attribute cmdargs of the
# SRCsubsys object) and requires both "-r" and "-n" among its arguments; when
# one is missing the chssys command that sets them is printed.  Look up the two
# flags in the syslogd man page of the installed AIX level before applying.
echo "#***********************"
echo "#** Check syslog      **"
echo "#***********************"

syslogd_args=$(odmget -q subsysname="syslogd" SRCsubsys | grep cmdargs | cut -d'=' -f2-)
case "$syslogd_args" in
  *-r*-n*|*-n*-r*)
    printf "\E[32;1m""# Syslog started with option -r and -n OK"" $1\E[0m\n" ;;
  *)
    printf "\E[31;1m"'chssys -s syslogd -a "-r -n"'" $1\E[0m\n" ;;
esac
}

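check_snmp ()
{
# Check SNMP config file
# Flags the well-known default communities "private" and "public" when they are
# still active in /etc/snmpd.conf: anyone who can reach the agent and knows them
# can read (and, for a readWrite community, change) MIB data.  For each one found
# the sed command that comments the line out is printed.  The file that is
# checked and the file named in the remediation are the same (/etc/snmpd.conf,
# the daemon's configuration) -- earlier the fix pointed at /etc/snmp.conf.
echo "#***********************"
echo "#** Check SNMP        **"
echo "#***********************"

snmpd_conf=/etc/snmpd.conf
snmp_ok=1
for community in private public
do
  # Field-based match: the keyword "community" followed by exactly this name.
  if awk -v c="$community" '$1 == "community" && $2 == c { found = 1 } END { exit !found }' "$snmpd_conf" 2>/dev/null
  then
    snmp_ok=0
    printf "\E[31;1m%s\E[0m\n" "/opt/freeware/bin/sed -i '/^community[[:blank:]]*$community/ s/^/#/' $snmpd_conf"
  fi
done
if (( snmp_ok ))
then
  printf "\E[32;1m%s\E[0m\n" "# $snmpd_conf OK"
fi
}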

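check_cron ()
{
# Check cron authorization
# - /var/adm/cron/cron.allow and at.allow must exist: without them every local
#   user may submit cron and at jobs.  Only their existence is tested here; the
#   content and the permissions of the allow files are not verified.
# - root's crontab must carry an active (not commented-out) mksysb backup job.
echo "#***********************"
echo "#** Check crontabs    **"
echo "#***********************"

# Seed a missing allow file with the users that already own a crontab, minus
# the system accounts.  The exclusion pattern is anchored so that a user such
# as "sysadm" is not dropped by accident.
for allow_file in cron.allow at.allow
do
  if [ -f "/var/adm/cron/$allow_file" ]
  then
    printf "\E[32;1m%s\E[0m\n" "# /var/adm/cron/$allow_file exists OK"
  else
    printf "\E[31;1m%s\E[0m\n" 'ls /var/spool/cron/crontabs | egrep -v "^(esaadmin|sys|uucp)$" > /var/adm/cron/'"$allow_file"
  fi
done

rule="1.3.3 check mksysb"
level=none
# Skip commented-out lines so a disabled entry does not count as a backup job.
if grep -v '^[[:blank:]]*#' /var/spool/cron/crontabs/root 2>/dev/null | grep -q mksysb
then
  echo "# rule=\"$rule\" level=$level OK"
else
  # The spool file is edited directly: cron only re-reads it after the crontab
  # command is run for root (or cron is restarted).
  printf "\E[31;1m%s\E[0m\n" "echo '30 8 * * 0 /root/scripts/mksysb.sh > /dev/null 2>&1' >> /var/spool/cron/crontabs/root"
  echo "# rule=\"$rule\" level=$level NOK"
fi

}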

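check_sshd_config ()
{
# Check sshd_config file
#
# Compares the OpenSSH server settings with the hardening values of the rules
# quoted below and prints, for every mismatch, the command that would fix it
# (this script changes nothing).  Points worth knowing:
#  - sshd_config keywords are case-insensitive and blank-separated, sshd keeps
#    the FIRST occurrence of a keyword, and everything after a "Match" line is
#    conditional: _sshd_cfg_value returns the first global value only.  (The
#    previous "grep ^Keyword:" could never match the blank-separated file and
#    reported every keyword NOK.)
#  - The algorithm rules are checked against the EFFECTIVE configuration shown
#    by "sshd -T" (built-in defaults included).  That needs root; when it prints
#    nothing the rules are reported NOK instead of silently passing.
#  - The printed sed one-liners assume the stock "#Keyword default" template
#    line is present in the file; they do nothing otherwise.
#  - $LINUX_SED (GNU sed, for -i) and $list_files are set elsewhere in the script.
echo "#****************************"
echo "#** Check sshd_config file **"
echo "#****************************"

SSHD_CONFIG=/etc/ssh/sshd_config
min_ssh_major=8   # rule 4.5.3.1: lowest accepted OpenSSH release is 8.1
min_ssh_minor=1

# _sshd_red TEXT / _sshd_green TEXT: one line in bold red / bold green.
_sshd_red ()   { printf "\E[31;1m%s\E[0m\n" "$1"; }
_sshd_green () { printf "\E[32;1m%s\E[0m\n" "$1"; }
# _sshd_rule OK|NOK: summary line for $rule/$level, collected by the final report.
_sshd_rule ()  { echo "# rule=\"$rule\" level=$level $1"; }

# _sshd_cfg_value KEYWORD: first global value of KEYWORD in $SSHD_CONFIG
# (keyword case-insensitive, value whitespace-normalised, comment lines skipped,
# stops at the first Match block).  Prints nothing when the keyword is not set.
_sshd_cfg_value ()
{
  awk -v key="$1" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) {
      v = $2
      for (i = 3; i <= NF; i++) v = v " " $i
      print v
      exit
    }' "$SSHD_CONFIG" 2>/dev/null
}

# _sshd_weak_algos KEYWORD EGREP_LIST: the algorithms of the effective
# "KEYWORD a,b,c" line of sshd -T that are in EGREP_LIST, one per line.
# Names are matched whole (-x); every weak name is therefore listed in full.
_sshd_weak_algos ()
{
  printf '%s\n' "$sshd_effective" | awk -v k="$1" '$1 == k { print $2 }' | tr ',' '\n' | egrep -x "$2"
}

# _sshd_algo_rule KEYWORD LABEL EGREP_LIST NOK_TEXT: evaluate one algorithm rule
# ($rule and $level must already be set).  NOK when sshd -T gave no output.
_sshd_algo_rule ()
{
  weak_found=$(_sshd_weak_algos "$1" "$3")
  if [[ -n "$sshd_effective" && -z "$weak_found" ]]
  then
    _sshd_green "# Openssh $2 OK"
    _sshd_rule OK
  else
    [[ -n "$weak_found" ]] && echo "# Weak algorithms: $weak_found"
    _sshd_red "# Openssh $4 NOK"
    _sshd_rule NOK
  fi
}

rule="4.5.3.1 OpenSSH min version"
level=1
# "lslpp -Lc" fields are Package:Fileset:Level:...; keep major.minor of the
# server fileset level.  Compared as a (major, minor) pair against the minimum
# above -- the old check rejected e.g. 9.0 and accepted 7.1 while the message
# asked for 8.1.
version=$(lslpp -Lc 2>/dev/null | grep openssh | grep server | head -1 | cut -d':' -f3 | cut -d'.' -f1,2)
ssh_major=${version%%.*}
ssh_minor=${version#*.}
version_ok=1
case "$version" in *.*) ;; *) version_ok=0 ;; esac
case "$ssh_major" in ''|*[!0-9]*) version_ok=0 ;; esac
case "$ssh_minor" in ''|*[!0-9]*) version_ok=0 ;; esac
if (( version_ok )) && (( ssh_major < min_ssh_major || (ssh_major == min_ssh_major && ssh_minor < min_ssh_minor) ))
then
  version_ok=0
fi
if (( version_ok ))
then
  _sshd_green "# Openssh version OK"
  _sshd_rule OK
else
  _sshd_red "# Please upgrade OpenSSH to version higher or equal to $min_ssh_major.$min_ssh_minor (found: ${version:-none})"
  _sshd_rule NOK
fi

rule="4.5.3.2 OpenSSH host.equiv"
level=1
# /etc/hosts.equiv (r-commands) and /etc/shosts.equiv (ssh host-based auth)
# both grant access on the strength of a hostname; neither should exist.
equiv_found=""
for equiv_file in /etc/hosts.equiv /etc/shosts.equiv
do
  [ -f "$equiv_file" ] && equiv_found="$equiv_found $equiv_file"
done
if [[ -z "$equiv_found" ]]
then
  _sshd_green "# No /etc/*hosts.equiv file OK"
  _sshd_rule OK
else
  _sshd_red "rm$equiv_found"
  _sshd_rule NOK
fi

rule="4.5.3.3 OpenSSH .shosts"
level=1
# A ~/.shosts file lets that account in from the listed hosts without a password.
shosts_found=""
while IFS=: read -r pw_user pw_pass pw_uid pw_gid pw_gecos pw_home pw_shell
do
  [ -n "$pw_home" ] || continue
  shosts_file="${pw_home%/}/.shosts"
  case " $shosts_found " in
    *" $shosts_file "*) ;;   # several accounts sharing one home directory
    *) [ -f "$shosts_file" ] && shosts_found="$shosts_found $shosts_file" ;;
  esac
done < /etc/passwd
if [[ -z "$shosts_found" ]]
then
  _sshd_green '# No $HOME/.shosts file OK'
  _sshd_rule OK
else
  _sshd_red "rm$shosts_found"
  _sshd_rule NOK
fi

banner="Unauthorized use of this system is prohibited."
rule="4.5.3.6 OpenSSH banner"
level=1
# "Banner none" is the built-in default and means no banner, so it counts as unset.
banner_file=$(_sshd_cfg_value Banner | tr '[:upper:]' '[:lower:]')
if [[ -z "$banner_file" || "$banner_file" == "none" ]]
then
  _sshd_red "echo \"$banner\" > /etc/ssh/ssh_banner"
  _sshd_red "$LINUX_SED -i \"/^#Banner/a Banner /etc/ssh/ssh_banner\" $SSHD_CONFIG"
  _sshd_rule NOK
else
  _sshd_green "# Openssh banner OK"
  _sshd_rule OK
fi

# Keyword|expected value|rule tag.  '|' separates the fields so that a value
# made of several words (RekeyLimit) fits the same loop.  Values are compared
# case-insensitively, as sshd reads them; MaxAuthTries must be exactly 4.
cat << EOF > $list_files
HostbasedAuthentication|no|rule="4.5.3.7 OpenSSH HostbasedAuthentication" level=1
IgnoreRhosts|yes|rule="4.5.3.8 OpenSSH IgnoreRhosts" level=1
PermitEmptyPasswords|no|rule="4.5.3.9 OpenSSH PermitEmptyPasswords" level=1
LogLevel|INFO|rule="4.5.3.10 OpenSSH LogLevel" level=1
MaxAuthTries|4|rule="4.5.3.12 OpenSSH MaxAuthTries" level=1
PermitUserEnvironment|no|rule="4.5.3.13 OpenSSH PermitUserEnvironment" level=1
RekeyLimit|1G 3600|rule="4.5.3.18 OpenSSH ReKeyLimit" level=1
EOF

while IFS='|' read -r param expected rule_tag
do
  current=$(_sshd_cfg_value "$param" | tr '[:upper:]' '[:lower:]')
  wanted=$(echo "$expected" | tr '[:upper:]' '[:lower:]')
  if [[ -n "$current" && "$current" == "$wanted" ]]
  then
    _sshd_green "# Openssh $param OK"
    echo "# $rule_tag OK"
  else
    _sshd_red "$LINUX_SED -i \"/^#$param/s/.*/$param $expected/\" $SSHD_CONFIG"
    echo "# $rule_tag NOK"
  fi
done < "$list_files"

# Effective configuration for the algorithm rules, read once.  sshd -T needs the
# Match context; the address is the (first) /etc/hosts entry for this host name.
this_host=$(hostname 2>/dev/null)
host_ip=$(awk -v h="$this_host" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' /etc/hosts 2>/dev/null)
sshd_effective=$(/usr/sbin/sshd -T -C user=root -C host="$this_host" -C addr="$host_ip" 2>/dev/null)
if [[ -z "$sshd_effective" ]]
then
  _sshd_red "# Could not read the effective sshd configuration (sshd -T must run as root) NOK"
fi

weak_algo="diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1" # in egrep format
rule="4.5.3.15 OpenSSH KexAlgorithms"
level=1
_sshd_algo_rule kexalgorithms KexAlgorithms "$weak_algo" "unsecure algorithms"

weak_algo="3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se" # in egrep format
rule="4.5.3.16 OpenSSH Ciphers"
level=1
_sshd_algo_rule ciphers Ciphers "$weak_algo" "unsecure ciphers"

weak_algo="hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
rule="4.5.3.17 OpenSSH MACs"
level=1
_sshd_algo_rule macs MACs "$weak_algo" "unsecure macs"

# Explicit Port / ListenAddress: the rules want them set rather than left to the
# built-in defaults, and sshd bound to IPv4 only (adapt if IPv6 is in use here).
if [[ -n "$(_sshd_cfg_value Port)" ]]
then
  _sshd_green "# Port OK"
else
  _sshd_red "$LINUX_SED -i 's/^#Port 22/Port 22/' $SSHD_CONFIG"
fi

if [[ -n "$(awk 'tolower($1) == "listenaddress" && $2 !~ /::/ { print $2 }' "$SSHD_CONFIG" 2>/dev/null)" ]]
then
  _sshd_green "# ListenAddress IPV4 OK"
else
  _sshd_red "$LINUX_SED -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $SSHD_CONFIG"
fi

if [[ -n "$(awk 'tolower($1) == "listenaddress" && $2 ~ /::/ { print $2 }' "$SSHD_CONFIG" 2>/dev/null)" ]]
then
  _sshd_red "$LINUX_SED -i 's/^ListenAddress ::/#ListenAddress ::/' $SSHD_CONFIG"
else
  _sshd_green "# ListenAddress IPV6 OK"
fi

# SSH-1 support was removed in OpenSSH 7.4 and "Protocol" is ignored since then;
# the check is kept for older levels.
if [[ "$(_sshd_cfg_value Protocol)" == "2" ]]
then
  _sshd_green "# Protocol ssh version 2 only OK"
else
  _sshd_red "$LINUX_SED -i 's/^#Protocol 2/Protocol 2/' $SSHD_CONFIG"
fi

# Ciphers: no remediation is printed on purpose -- a mistyped Ciphers line locks
# every client out; review the weak-algorithm output above and edit by hand.

if [[ "$(_sshd_cfg_value SyslogFacility | tr '[:upper:]' '[:lower:]')" == "auth" ]]
then
  _sshd_green "# SyslogFacility OK"
else
  _sshd_red "$LINUX_SED -i 's/^#SyslogFacility AUTH/SyslogFacility AUTH/' $SSHD_CONFIG"
fi

if [[ "$(_sshd_cfg_value LogLevel | tr '[:upper:]' '[:lower:]')" == "info" ]]
then
  _sshd_green "# LogLevel OK"
else
  _sshd_red "$LINUX_SED -i 's/^#LogLevel INFO/LogLevel INFO/' $SSHD_CONFIG"
fi

if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ]
then
  _sshd_red "echo | ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key"
else
  _sshd_green "# ECDSA ssh key exists OK"
fi

# '|' as the sed delimiter keeps the path readable (the old remediation escaped
# the slashes one level too many and produced an invalid sed expression).
if [[ -n "$(_sshd_cfg_value PidFile)" ]]
then
  _sshd_green "# PidFile OK"
else
  _sshd_red "$LINUX_SED -i 's|^#PidFile /var/run/sshd.pid|PidFile /var/run/sshd.pid|' $SSHD_CONFIG"
fi

if [ ! -d "/var/run" ]
then
  _sshd_red "mkdir -p /var/run"
else
  _sshd_green "# ssh PID directory exists OK"
fi
}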


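check_installed_packages ()
{
# Check installed packages
# Lists filesets that should not be present (NIS client/server, CDE, ...) and
# prints the installp command that removes each one found.  The fileset name is
# matched as a fixed string (-F) against the "lslpp -Lc" inventory, which is read
# once, so the dots in the names are not taken as regex wildcards.  The match is
# still a substring match: "X11.Dt" deliberately covers every X11.Dt.* fileset.
echo "#******************************"
echo "#** Check installed packages **"
echo "#******************************"

cat << EOF > $list_files
cas.agent rule="None" level=none
bos.net.nis.client rule="4.4.1.1 Deinstall NIS Client" level=2
bos.net.nis.server rule="4.4.1.2 Deinstall NIS Server" level=2
X11.Dt rule="4.5.1.1 Deinstall CDE" level=1
EOF

lslpp_inventory=$(lslpp -Lc 2>/dev/null)
while read -r package rule level
do
  if printf '%s\n' "$lslpp_inventory" | grep -qF -- "$package"
  then
    printf "\E[31;1m%s\E[0m\n" "installp -u $package"
    echo "# $rule $level NOK"
  else
    echo "# $rule $level OK"
  fi
done < "$list_files"
}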


###########
###########
main()
{
# Run every check in sequence; each one prints its own report section, so the
# order of the list is the order of the final report.
# NOTE(review): $outputdir is not assigned anywhere in this part of the script
# (the .env file sets logpath/logname) -- confirm it is defined earlier, or the
# closing line prints an empty path.
checks="check_sys0 check_user_policy network_option disable_login_system
check_local_user_group check_profile check_inittab check_inetd check_rctcpip
check_files_permission check_snmp check_audit check_syslog check_cron
check_sshd_config check_installed_packages"

for check in $checks
do
  $check
done

echo "### All output files are located into: $outputdir"
}

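# Run the report and tee it into the log.  stderr is redirected BEFORE the pipe
# so that command errors from the checks end up in the log too; the previous
# "tee ... 2>&1" only redirected tee's own stderr.
main 2>&1 | tee "$logname"
echo
# Summary: one line per rule, sorted by rule number.  Rules tagged "None" are
# local checks without a benchmark reference and are left out.
grep rule "$logname" | grep -v 'rule="None"' | sort # $LINUX_SORT -t. -k 1,1n -k 2,2n -k 3,3n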