
AIX script CIS Benchmark

An alternative is to use the PowerSC client (apply the appropriate security level):

% pscxpert -f /etc/security/aixpert/custom/CISv1.xml 	CIS Security Benchmark for AIX 7.1
% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev1.xml 	CIS Security Benchmark for AIX 7.2
% pscxpert -f /etc/security/aixpert/custom/CISv2_Lev2.xml 	CIS Security Benchmark for AIX 7.2
% pscxpert -f /etc/security/aixpert/custom/GDPRv1.xml	General Data Protection Regulation (GDPR)

This script only lists whether each rule is compliant or not; it changes nothing.

root@aix /root# cat scripts/cis.sh
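#!/usr/bin/ksh93
#@(#) Check security
# This script doesn't modify something to your system, just list what is right and wrong
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, following by Pass
# Version 1.0  06-2023 EIF (compliance CIS for AIX)
# Version 1.1  08-2024 EIF (compliance CIS for AIX)

# Locate the script directory. An optional .env file next to the script may
# supply path_script/sn/logpath/logname; otherwise defaults under /tmp apply.
dir=$(dirname "$0")
if [ -f "$dir/.env" ]
then
  . "$dir/.env"
else
  path_script=$dir
  export sn=$(basename "$0" | cut -d. -f1)
  export logpath=/tmp
  export logname=$logpath/$sn.log
fi

DATE=$(date "+%Y%m%d%H%M%S")
# GNU tools from the AIX Toolbox; the permission checks rely on "stat -c".
LINUX_SED=/opt/freeware/bin/sed
LINUX_STAT=/opt/freeware/bin/stat
LINUX_SORT=/opt/freeware/bin/sort

MONTH=$(date '+%m')
DAY=$(date '+%d')
HEADER="$(date '+%H:%M:%S');$(hostname -s);NA;NA;1.0.0;#scap_org.cisecurity_comp_1.0.0_CIS_IBM_AIX_7_2_Benchmark-xccdf;CIS AIX;NA;Level 1 - Server;Level_1_-_Server;rule"
FOOTER=";"
cisoutput="$logpath/$(hostname -s)-CIS_AIX_7_Benchmark-$(date '+%Y%m%dT%H%M%SZ').csv"

list_files=$logpath/list_files.txt
outputcis=$logpath/CIS_AIX7.2_v1.0.0
output=$logname
prefix=sec_files_out_
# Per-run output directory, named after the start timestamp.
outputdir=$logpath/${prefix}${DATE}
mkdir "$outputdir"
# Scratch file shared by the check functions (some also write $tempo.1).
# NOTE(review): this is a fixed name under $logpath (default /tmp), i.e. a
# predictable path in a world-writable directory used while running as root;
# a per-run location such as "$outputdir/tmp_cis" or mktemp would avoid
# clobbering or symlink surprises — confirm before changing, several checks
# treat an empty/absent $tempo as Pass.
tempo=$logpath/tmp_cis

# Result
RESP_OK='Pass'
RESP_NOK='Fail'
RESP_MANUAL='Manual'
RESP_UNKN='Unknown'

# Cleanup: drop output directories from earlier runs older than 5 days.
find "$logpath" -type d -name "${prefix}*" -ctime +5 -exec rm -r {} \; 2>/dev/null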

#-----------------------------------------
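print_output()
{
#######################################
# Print one result line "rule;description;result".
# Arguments: $1 - header tag (currently unused)
#            $2 - rule number, e.g. "4.5.3.5"
#            $3 - description in which spaces were replaced by "|" so it
#                 survives word splitting at the call site
#            $4 - result (Pass / Fail / Manual / Unknown)
# Outputs:   the line on stdout, with "|" turned back into spaces
#######################################
header=$1
ruleno=$2
descr=$3
result=$4

# tr is used rather than sed 's/\|/ /g': "\|" is a literal pipe only on
# AIX sed, GNU sed reads it as alternation and mangles the output.
echo "$ruleno;$descr;$result" | tr '|' ' '
}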

#-----------------------------------------
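check_section_2_1()
{
# CIS 2.1 - Collect system configuration regularly.
# Pass if any one of these holds: the inventory log exists, syslog.conf routes
# local1.info to that log, local1.info is forwarded to a remote host (@host),
# or a crontab entry pipes lsconf output through logger.
head=h1
rule="2.1"
desc="Collect system configuration regularly"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

file1=/var/log/syslog/inventory.log

# Each alternative is tested on its own, so a later fallback can still pass
# (summing exit codes into one counter would make every fallback fail once
# the first test had failed).
if [ -e "$file1" ]
then
  res=$RESP_OK
elif grep "local1.info" /etc/syslog.conf | grep -q "$file1"
then
  res=$RESP_OK
elif sed '/^$/d' /etc/syslog.conf | grep -v '^#' | grep "^local1.info" | awk '{print $2}' | grep -q "\@"
then
  res=$RESP_OK
elif crontab -l | grep -v '^#' | grep "lsconf" | grep -q "logger"
then
  res=$RESP_OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}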

#-----------------------------------------
check_section_2_7()
{
# CIS 2.7 - Remove Unused Symbolic Links.
# Lists symbolic links on local jfs/jfs2 filesystems whose target does not
# exist; Pass only when that list is empty. The list is also copied to
# /tmp/link.txt for the operator.
# args
head=h1
rule="2.7"
desc="Remove Unused Symbolic Links"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# "find -ls" prints "... /link -> target"; keep the text from the first "/"
# and turn " -> " into ";" so each record becomes "/link;target".
# (with -L, -type l is expected to match only links that cannot be followed)
find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -ls 2>/dev/null | cut -d'/' -f2- | sed 's/^/\//' | sed 's/\->/;/' | sed 's/\ ;/;/' | sed 's/;\ /;/' > $tempo.1

cat /dev/null > $tempo
# Spaces inside paths are swapped for "|" so the unquoted for-loop keeps one
# record per word; they are swapped back field by field below.
# NOTE(review): 's/\|/\ /g' relies on AIX sed treating "\|" as a literal
# pipe (GNU sed reads it as alternation).
for line in $(cat $tempo.1 | sed 's/\ /|/g')
do
  word1=$(echo $line | cut -d';' -f1 | sed 's/\|/\ /g')
  word2=$(echo $line | cut -d';' -f2 | sed 's/\|/\ /g')
  val=$(echo $word2 | grep -c '^/')
  if [[ "$val" -eq "1" ]]
  then
    # absolute target: test it directly
    if [ ! -e $word2 ]
    then
      echo $word1 >> $tempo
    fi
  else
    # relative target: resolve it against the link's own directory
    dir1=$(echo $word1 | rev | cut -d'/' -f2- | rev)
    word3=$(echo "$dir1/$word2")
    if [ ! -e $word3 ]
    then
      echo $word1 >> $tempo
    fi
  fi
done > $tempo
# NOTE(review): the loop appends to $tempo while its stdout is also
# redirected to $tempo; the appends are what fill the file — confirm
# before reworking the redirections.

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

# Fixed-path copy of the dangling-link list for the operator.
cp $tempo /tmp/link.txt
print_output $head $rule $desc1 $res
}

#-----------------------------------------
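check_section_3_3()
{
# CIS 3.3 - the default user umask must be 027 or more restrictive.
head=h1
rule="3.3"
desc="Ensure default user umask is 027 or more restrictive"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Extract the octal value from the "umask=NN" attribute of the default stanza.
umask_val=$(lssec -f /etc/security/user -s default -a umask | sed -n 's/.*umask=\([0-7][0-7]*\).*/\1/p' | head -1)
# "More restrictive" means every bit of 027 is masked, so test the bits
# rather than requiring the literal value 27 (077 passes as well; an
# empty value fails).
if [ -n "$umask_val" ] && (( (8#$umask_val & 8#27) == 8#27 ))
then
  res=$RESP_OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}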

#-----------------------------------------
check_section_3_4()
{
# CIS 3.4 - group-writable files. Any hit needs a manual review against the
# documented exceptions (TSD/audit), so the result is Manual rather than Fail.
head=h1
rule="3.4"
desc="Remove group write permission from default groups - exceptions must be in TSD and audit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Number of group-writable regular files on local jfs/jfs2 filesystems.
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]; then
  res=$RESP_OK
else
  # keep the count in the log for the reviewer
  echo "$rule;$desc1;val=$val" >> "$logname"
  res=$RESP_MANUAL
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_3_5()
{
# CIS 3.5 - world-writable directories without the sticky bit; any hit is
# reported as Manual because application data may legitimately need them.
head=h1
rule="3.5"
desc="Application Data with requirement for world writable directories"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Count directories that are o+w but lack the sticky bit (1000).
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]; then
  res=$RESP_OK
else
  # keep the count in the log for the reviewer
  echo "$rule;$desc1;val=$val" >> "$logname"
  res=$RESP_MANUAL
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_3_6()
{
# CIS 3.6 - world-writable regular files; any hit is reported as Manual so the
# documented exceptions (TSD/audit) can be checked by hand.
head=h1
rule="3.6"
desc="Ensure there are no world writable files - exceptions must be in TSD and audit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Count o+w regular files on local jfs/jfs2 filesystems.
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]; then
  res=$RESP_OK
else
  # keep the count in the log for the reviewer
  echo "$rule;$desc1;val=$val" >> "$logname"
  res=$RESP_MANUAL
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_3_7()
{
# CIS 3.7 - files writable by the 'staff' group; any hit is reported as
# Manual so the documented exceptions (TSD/audit) can be checked by hand.
head=h1
rule="3.7"
desc="Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Count g+w regular files owned by group staff on local jfs/jfs2 filesystems.
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]; then
  res=$RESP_OK
else
  # keep the count in the log for the reviewer
  echo "$rule;$desc1;val=$val" >> "$logname"
  res=$RESP_MANUAL
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_3_8()
{
# CIS 3.8 - every file and directory must have a valid owner and group;
# unowned entries are a Fail (not Manual) and their count goes to the log.
head=h1
rule="3.8"
desc="Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Count files/directories whose uid or gid has no matching account.
val=$(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]; then
  res=$RESP_OK
else
  echo "$rule;$desc1;val=$val" >> "$logname"
  res=$RESP_NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_1_3_1()
{
# CIS 4.1.3.1 - autoconf6 must not be started from /etc/rc.tcpip.
head=h1
rule="4.1.3.1"
desc="autoconf6"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# An uncommented "start ... autoconf6" line means the daemon is enabled.
res=$RESP_OK
grep '^start ' /etc/rc.tcpip | grep -q "autoconf6" && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_1_3_2()
{
# CIS 4.1.3.2 - ndpd-host must not be started from /etc/rc.tcpip.
head=h1
rule="4.1.3.2"
desc="ndpd-host"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# An uncommented "start ... ndpd-host" line means the daemon is enabled.
res=$RESP_OK
grep '^start ' /etc/rc.tcpip | grep -q "ndpd-host" && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_1_3_3()
{
# CIS 4.1.3.3 - ndpd-router must not be started from /etc/rc.tcpip.
head=h1
rule="4.1.3.3"
desc="ndpd-router"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# An uncommented "start ... ndpd-router" line means the daemon is enabled.
res=$RESP_OK
grep '^start ' /etc/rc.tcpip | grep -q "ndpd-router" && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_2_18()
{
# CIS 4.2.18 - the ip6forwarding network option must be 0.
head=h1
rule="4.2.18"
desc="ip6forwarding"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# "no -o" prints "ip6forwarding = N"; strip the blanks before matching.
res=$RESP_NOK
no -o ip6forwarding | sed 's/\ //g' | grep -q 'ip6forwarding=0' && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_3_1()
{
# CIS 4.3.1 - IP Security must be available: exactly two ipsec devices
# (presumably the v4 and v6 ones) must report "Available".
head=h1
rule="4.3.1"
desc="Ensure that IP Security is available"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(lsdev -Cc ipsec 2>/dev/null | grep -c Available)
res=$RESP_NOK
[[ "$val" == "2" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_3_2()
{
# CIS 4.3.2 - a filter rule for the loopback network must exist in both the
# IPv4 (127.0.0.0) and IPv6 (::1) filter tables: one match each.
head=h1
rule="4.3.2"
desc="Ensure loopback traffic is blocked on external interfaces"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val1=$(lsfilt -v 4 -O 2>/dev/null | grep -c 127.0.0.0)
val2=$(lsfilt -v 6 -O 2>/dev/null | grep -c ::1)
(( val = val1 + val2 ))
res=$RESP_NOK
[[ "$val" == "2" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
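check_section_4_3_3()
{
# CIS 4.3.3 - IPsec filters must be active: no rule in either the IPv4 or
# the IPv6 table may be reported as "inactive".
head=h1
rule="4.3.3"
desc="Ensure that IPsec filters are active"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# grep -c yields the number of "inactive" lines (0 when none); a quiet grep
# produces no output, which would leave the sum at 0 and always pass.
val1=$(lsfilt -v4 -O -a 2>/dev/null | grep -c inactive)
val2=$(lsfilt -v6 -O -a 2>/dev/null | grep -c inactive)
(( val = val1 + val2 ))
[[ "$val" == "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}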

#-----------------------------------------
check_section_4_5_1_7()
{
# CIS 4.5.1.7 - CDE screensaver lock: when a CDE sys.resources file exists,
# both dtsession*saverTimeout and dtsession*lockTimeout must be 10.
# No CDE configuration at all counts as Pass.
head=h1
rule="4.5.1.7"
desc="CDE - screensaver lock"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_OK
if [ -e /etc/dt/config/*/sys.resources ]
then
  # last field of each matching line, deduplicated; a single "10" is required
  val=$(egrep "dtsession\*saverTimeout:|dtsession\*lockTimeout:" /etc/dt/config/*/sys.resources | rev | cut -d' ' -f1 | rev | awk '{print  $1}' | sort -u)
  [ "$val" == "10" ] || res=$RESP_NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
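check_section_4_5_2_1()
{
# CIS 4.5.2.1 - root must be listed in /etc/ftpusers (ftpd denies those users).
head=h1
rule="4.5.2.1"
desc="FTPD: Disable root access to ftpd"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# One user name per line: anchor the match so that a name merely containing
# "root", or a commented-out "#root", does not count. A missing file fails.
grep -q '^root[[:blank:]]*$' /etc/ftpusers 2>/dev/null && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}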

#-----------------------------------------
check_section_4_5_2_2()
{
# CIS 4.5.2.2 - ftpd must display the acceptable-usage policy at login.
# Only evaluated when ftp is enabled in inetd.conf; then the en_US TCP client
# message catalog must be installed and message 1/9 of ftpd.cat must contain
# "Authorized".
# args
head=h1
rule="4.5.2.2"
desc="FTPD: Display acceptable usage policy during login"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# If ftp is disable, doesn't check
val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
if [[ $val -gt 0 ]]
then
  # the message catalog fileset must be present before its catalog is read
  val=$(lslpp -Lc | grep "bos.msg.en_US.net.tcp.client" | wc -l | awk '{print  $1}')
  if [ "$val" == "0" ]
  then
    res=$RESP_NOK
  else
    # dspcat prints message set 1, number 9 of ftpd.cat; a non-zero status
    # from the grep (no "Authorized") is a Fail
    if [ `lslpp -L "bos.msg.en_US.net.tcp.client" >/dev/null && print $(dspcat /usr/lib/nls/msg/en_US/ftpd.cat 1 9) | grep -q "Authorized"; echo $?` -ne "0" ]
    then
      res=$RESP_NOK
    else
      res=$RESP_OK
    fi
  fi
else
  res=$RESP_OK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_5_2_3()
{
# CIS 4.5.2.3 - ftpd must run with a 027 umask. Only evaluated when ftp is
# enabled in inetd.conf; fields 6-10 of that entry hold the ftpd arguments.
head=h1
rule="4.5.2.3"
desc="FTPD: Prevent world access and group write to files"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_OK
val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
if [[ $val -gt 0 ]]
then
  val=$(grep "^ftp[[:blank:]]" /etc/inetd.conf |awk '{print $6, $7, $8, $9, $10}' | grep -c "027")
  [ "$val" == "1" ] || res=$RESP_NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
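check_section_4_5_3_1()
{
# CIS 4.5.3.1 - the OpenSSH version must be 8.1 or newer.
head=h1
rule="4.5.3.1"
desc="OpenSSH: Minimum version is 8.1"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# "sshd -i" on an empty stdin prints its banner (SSH-2.0-OpenSSH_X.YpN).
# Keep only the leading major.minor digits: with the "p1" suffix awk falls
# back to a string comparison, where e.g. "10.0p1" sorts below "8.1".
ver=$(sshd -i </dev/null | cut -d'_' -f2 | sed 's/[^0-9.].*$//')
val=$(printf '%s 8.1\n' "$ver" | awk '{
  split($1, a, "."); split($2, b, ".")
  ok = (a[1]+0 > b[1]+0) || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0)
  print (ok ? 1 : 0) }')
[[ "$val" -eq "1" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}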

#-----------------------------------------
check_section_4_5_3_4()
{
# CIS 4.5.3.4 - sshd_config must restrict access with at least one of
# AllowUsers / AllowGroups / DenyUsers / DenyGroups.
head=h1
rule="4.5.3.4"
desc="sshd_config: Restrict users and groups allowed access via OpenSSH"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(/usr/bin/egrep -c "^(AllowUsers|AllowGroups|DenyUsers|DenyGroups)[[:blank:]]" /etc/ssh/sshd_config)
res=$RESP_NOK
[[ "$val" -gt "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
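check_section_4_5_3_5()
{
# CIS 4.5.3.5 - PermitRootLogin must be prohibit-password, no or
# forced-commands-only (an absent directive fails).
head=h1
rule="4.5.3.5"
desc="sshd_config: PermitRootLogin is 'prohibit-password' or 'no'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# awk takes the value regardless of tab/space separation, and the pattern is
# anchored so the value must be exactly one of the accepted words rather
# than merely contain "no".
val=$(/usr/bin/egrep "^PermitRootLogin[[:blank:]]" /etc/ssh/sshd_config | awk '{print $2}' | egrep -c "^(prohibit-password|no|forced-commands-only)$")
[[ "$val" -eq "0" ]] || res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}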

#-----------------------------------------
check_section_4_5_3_6()
{
# CIS 4.5.3.6 - sshd_config must set Banner to /etc/ssh/ssh_banner and that
# file must contain exactly one line with "Unauthorized".
# NOTE(review): the description speaks of 'Only authorized users allowed'
# while the grep looks for 'Unauthorized' — confirm which wording is required.
head=h1
rule="4.5.3.6"
desc="sshd_config: Banner exists and message contains 'Only authorized users allowed'"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_NOK
val=$(grep "^Banner[[:blank:]]" /etc/ssh/sshd_config | grep -c '/etc/ssh/ssh_banner')
if [ "$val" == "1" ]
then
  val=$(grep -c 'Unauthorized' /etc/ssh/ssh_banner)
  [ "$val" == "1" ] && res=$RESP_OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
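check_section_4_5_3_7()
{
# CIS 4.5.3.7 - HostbasedAuthentication must be explicitly "no".
head=h1
rule="4.5.3.7"
desc="sshd_config: HostbasedAuthentication is 'no'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Last field via awk: a tab separator or trailing blanks would otherwise
# leave "rev | cut -d' '" with the wrong token and fail a correct line.
val=$(grep "^HostbasedAuthentication[[:blank:]]" /etc/ssh/sshd_config | awk '{print $NF}')
[[ "$val" == "no" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}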

#-----------------------------------------
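check_section_4_5_3_8()
{
# CIS 4.5.3.8 - IgnoreRhosts must be "yes" or "shosts-only" (the two values
# named in the rule description).
head=h1
rule="4.5.3.8"
desc="sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Last field via awk: a tab separator or trailing blanks would otherwise
# leave "rev | cut -d' '" with the wrong token and fail a correct line.
val=$(grep "^IgnoreRhosts[[:blank:]]" /etc/ssh/sshd_config | awk '{print $NF}')
[[ "$val" == "yes" || "$val" == "shosts-only" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}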

#-----------------------------------------
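check_section_4_5_3_9()
{
# CIS 4.5.3.9 - PermitEmptyPasswords must be explicitly "no".
head=h1
rule="4.5.3.9"
desc="sshd_config: PermitEmptyPasswords is 'no'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Last field via awk: a tab separator or trailing blanks would otherwise
# leave "rev | cut -d' '" with the wrong token and fail a correct line.
val=$(grep "^PermitEmptyPasswords[[:blank:]]" /etc/ssh/sshd_config | awk '{print $NF}')
[[ "$val" == "no" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}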

#-----------------------------------------
check_section_4_5_3_10()
{
# CIS 4.5.3.10 - LogLevel must be INFO or VERBOSE (an absent directive fails).
head=h1
rule="4.5.3.10"
desc="sshd_config: LogLevel is 'INFO' or 'VERBOSE'"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^LogLevel[[:blank:]]" /etc/ssh/sshd_config | egrep -c "INFO|VERBOSE")
res=$RESP_OK
[[ "$val" -eq "0" ]] && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_5_3_11()
{
# CIS 4.5.3.11 - the sftp subsystem line must carry the 027 umask argument.
# (only the presence of "027" on that line is verified, not -f/-l)
head=h1
rule="4.5.3.11"
desc="sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# normalise tabs/multiple blanks before matching "Subsystem sftp ... sftp-server ... 027"
val=$(cat /etc/ssh/sshd_config | tr '\t' ' ' | tr -s ' ' | grep "^Subsystem[[:blank:]]sftp" | grep sftp-server | grep -c "027")
res=$RESP_OK
[[ "$val" -eq "0" ]] && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
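check_section_4_5_3_12()
{
# CIS 4.5.3.12 - the effective MaxAuthTries (from "sshd -T") must not exceed 4.
head=h1
rule="4.5.3.12"
desc="sshd_config: MaxAuthTries is '4'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(sshd -T | awk '/^maxauthtries /{print $NF}')
# Pass only when a numeric value was read and it is 4 or less. An empty value
# (sshd -T printed nothing) must fail rather than slip through a broken
# "[ -gt ]" comparison.
case "$val" in
  ""|*[!0-9]*) ;;
  *) [ "$val" -le 4 ] && res=$RESP_OK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}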

#-----------------------------------------
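check_section_4_5_3_13()
{
# CIS 4.5.3.13 - PermitUserEnvironment must be explicitly "no".
head=h1
rule="4.5.3.13"
desc="sshd_config: PermitUserEnvironment is 'no'"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Last field via awk: a tab separator or trailing blanks would otherwise
# leave "rev | cut -d' '" with the wrong token and fail a correct line.
val=$(grep "^PermitUserEnvironment[[:blank:]]" /etc/ssh/sshd_config | awk '{print $NF}')
[[ "$val" == "no" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}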

#-----------------------------------------
check_section_4_5_3_14()
{
# CIS 4.5.3.14 - conditional "Match" blocks: the check passes only when
# sshd_config contains none (the other sshd checks read the global section).
head=h1
rule="4.5.3.14"
desc="sshd_config: Use Conditional exception(s)."
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# -p is the AIX grep paragraph-mode flag; GNU grep has no such option.
val=$(/usr/bin/egrep -cp "^Match " /etc/ssh/sshd_config)
res=$RESP_NOK
[[ "$val" -eq "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_5_3_15()
{
# CIS 4.5.3.15 - the effective KexAlgorithms (sshd -T for root from this
# host's own address) must not include any SHA-1 Diffie-Hellman group.
head=h1
rule="4.5.3.15"
desc="sshd_config, ssh_config: KexAlgorithms"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# connection parameters for "sshd -T -C": this host's name and its /etc/hosts address
host=$(hostname)
addr=$(grep $host /etc/hosts | grep -v '^#' | awk '{print $1}')
val=$(sshd -T -C user=root -C host="$host" -C addr="$addr" | grep '^kexalgorithms' | tr ',' '\n' | egrep -c "diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1")
res=$RESP_NOK
[[ "$val" -eq "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_5_3_16()
{
# CIS 4.5.3.16 - the effective cipher list (sshd -T for root from this host's
# own address) must be exactly the approved set below, no more and no less.
head=h1
rule="4.5.3.16"
desc="sshd_config, ssh_config: Ciphers"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# approved ciphers, one per line, sorted, in $tempo.1
printf '%s\n' 'aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com' > $tempo
tr ',' '\n' < $tempo | sort -u > $tempo.1

# effective ciphers, same layout, in $tempo
host=$(hostname)
addr=$(grep $host /etc/hosts | grep -v '^#' | awk '{print $1}')
sshd -T -C user=root -C host="$host" -C addr="$addr" | grep ciphers | cut -d' ' -f2- | tr ',' '\n' | sort -u > $tempo

# sdiff -s prints only the differing lines: zero lines means the sets match
val=$(sdiff -sw 80 $tempo $tempo.1 | wc -l | awk '{print $1}')
res=$RESP_NOK
[[ "$val" -eq "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_5_3_17()
{
# CIS 4.5.3.17 - none of the weak MACs listed below may appear in the
# effective "macs" line of sshd -T (root, from this host's own address).
# args
head=h1
rule="4.5.3.17"
desc="sshd_config, ssh_config: MACs - Message Authtification Codes"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# List of Weak algorithms
cat > $tempo << EOF
hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,umac-128@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
EOF

# weak MACs, one per line, in $tempo.1
cat $tempo | tr ',' '\n' | sort -u > $tempo.1
# effective MACs, one per line each terminated by ";" (so "^name;" matches
# whole names only), in $tempo.
# NOTE(review): the second tr argument spans a line break — a literal
# newline followed by "\n"; only its first character (the newline) is used.
# Looks like a wrapping artefact; confirm before reformatting this line.
sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" | grep macs | cut -d' ' -f2- | tr ',' '
\n' | sort -u | sed 's/$/;/g' > $tempo
# count how many weak MACs are present in the effective list
val=0
for mac in $(cat $tempo.1)
do
  val1=$(grep -c "^${mac};" $tempo)
  (( val = val + val1 ))
done

if [[ "$val" -eq "0" ]]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_5_3_18()
{
# CIS 4.5.3.18 - RekeyLimit must be set: the effective "rekeylimit" values
# (sshd -T, root, this host's own address) must not all be 0.
head=h1
rule="4.5.3.18"
desc="sshd_config, ssh_config: ReKeyLimit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# split the values onto separate lines, sort, keep the last one
host=$(hostname)
addr=$(grep $host /etc/hosts | grep -v '^#' | awk '{print $1}')
val=$(sshd -T -C user=root -C host="$host" -C addr="$addr" | grep rekeylimit | cut -d' ' -f2- | tr -s ' ' | tr ' ' '\n' | sort -u | tail -1)
res=$RESP_OK
[[ "$val" != "0" ]] || res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
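check_section_4_6_5()
{
# CIS 4.6.5 - unattended terminal session timeout (900 seconds or less).
# Only the presence of TMOUT/TIMEOUT is counted; the value itself is not read.
head=h1
rule="4.6.5"
desc="Unattended terminal session timeout is 900 seconds (or less)"
res=$RESP_NOK
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Count TMOUT/TIMEOUT references in /etc/profile and among readonly variables
# and keep the larger count; more than two references is a Pass.
# NOTE(review): "readonly" lists this script's own shell, not a login shell —
# confirm that is the intended source.
n_profile=$(egrep -c "TMOUT|TIMEOUT" /etc/profile)
n_readonly=$(readonly | /usr/bin/egrep -c -e "TMOUT|TIMEOUT")
# numeric sort: a plain sort would place "10" before "9"
val=$(printf '%s\n%s\n' "$n_profile" "$n_readonly" | sed '/^$/d' | sort -n | tail -1)
[[ "$val" -gt "2" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}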

#-----------------------------------------
check_section_4_7_1_1()
{
# CIS 4.7.1.1 - every local account's home directory must exist.
head=h1
rule="4.7.1.1"
desc="Home directory must exist"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# Sum the "ls -d" exit codes over the distinct home values of the
# files-registry users; any non-zero sum means at least one is missing.
val=0
for home in $(lsuser -R files -a home ALL | awk '{print $2}' | sed 's/home=//' | sort -u)
do
  ls -d $home > /dev/null 2>&1
  (( val += $? ))
done
res=$RESP_NOK
[[ "$val" -eq "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_2()
{
# CIS 4.7.1.2 - each home directory must be owned by its account's uid or by
# root. Accounts whose home is /dev/null or that are locked are skipped.
# Every line written to $tempo is a finding; an empty file means Pass.
# args
head=h1
rule="4.7.1.2"
desc="Home directory must be owned by account, or special account"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# lsuser prints "name id=N home=/path account_locked=..."; the attributes
# are split on "=" below. The loop runs in a pipeline subshell, which is
# fine because findings go to $tempo rather than into variables.
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
do
  uid=$(echo ${ids} | cut -f2 -d =)
  home=$(echo ${homes} | cut -f2 -d =)
  locked=$(echo ${locks} | cut -f2 -d =)
  if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
  continue
  elif [[ ! -d ${home} ]]; then
  /usr/bin/printf "%-32s does not exist; Recommend Lock Account [%s]\n" ${home} ${name}
  continue
  else
  # stat field 4 is the owner uid: exit 1 (a finding) unless it equals the
  # account's uid or 0 (root)
  /usr/bin/perl -e '$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
  if ($huid != $uid && $huid != 0) {
  exit(1); # triggers command after OR (||)
  }' ${name} ${home} ${uid} || \
  /usr/bin/printf "Recommend Lock Account: %s does not own %s\n" ${name} ${home}
  fi
done > $tempo
if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_3()
{
# CIS 4.7.1.3 - home directories of regular accounts (uid >= 200) must not be
# group- or world-writable and must carry no ACL. Homes set to /dev/null or
# "/" are skipped. Every line written to $tempo is a finding; empty = Pass.
# args
head=h1
rule="4.7.1.3"
desc="Home directory: write access restricted to 'owner'"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# lsuser prints "name id=N home=/path"; attributes are split on "=" below.
lsuser -R files -a id home ALL | while read name ids homes rest
do
  uid_check=$(echo ${ids} | cut -f2 -d =)
  if [[ ${uid_check} -ge 200 ]]
  then
    home=$(echo ${homes} | cut -f2 -d =)
    if [[ ${home} == "/dev/null" ]]
    then
      continue
        else
          if [[ ! -d ${home} ]]
          then
        /usr/bin/printf "%-32s does not exist; recommend to lock account named [%s]\n" ${home} ${name}
      else
            if [[ ${home} != "/" && ${home} != "/dev/null" ]]
        then
              # stat field 2 is the mode: 022 = group/world write bits,
              # 0200000000 is taken here as the AIX "ACL present" flag
              # (presumably — confirm against the platform's st_mode docs).
              # A non-zero exit triggers the ls/aclget listing after "||".
              /usr/bin/perl -e '$f=$ARGV[0]; $m=(stat $f)[2]; \
 printf("Recommend chmod on: %s: to remove group or world write mode\n", $f) if $m & 022; \
 printf("Recommend remove ACL on: %s\n ", $f) if $m & 0200000000; \
 exit($m & 0200000022)' ${home} || (ls -led ${home} && (aclget ${home} | grep -ip Enabled))
        fi
      fi
    fi
  fi
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_4()
{
# CIS 4.7.1.4 - audit subsystem directories: /audit must be root:audit 2750
# and, only if that holds, /etc/security/audit must be root:audit 2750 too.
head=h1
rule="4.7.1.4"
desc="AUDIT subsystem: /audit and /etc/security/audit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_NOK
if [ -e /audit ]
then
  # GNU stat prints owner:group:mode:path; compared as one string
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /audit)
  if [[ "$val" == "root:audit:2750:/audit:" ]]
  then
    val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
    [[ "$val" == "root:audit:2750:/etc/security/audit:" ]] && res=$RESP_OK
  fi
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_5()
{
# CIS 4.7.1.5 - every directory under /etc/security (except the aixpert,
# audit and ice subtrees) must be drwxr-s----; offenders are listed in $tempo
# as "perms owner group name" and any listing is a Fail.
head=h1
rule="4.7.1.5"
desc="SECURITY Subsystems: /etc/security"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

EXCLUDE="security/(aixpert|audit|ice)"
find /etc/security -type d \
  | /usr/bin/egrep -v "${EXCLUDE}" \
  | /usr/bin/sort \
  | xargs ls -led \
  | /usr/bin/awk '{print $1 " " $3 " " $4 " " $9}' \
  | /usr/bin/grep -v drwxr-s---- > $tempo

res=$RESP_OK
[ -s $tempo ] && res=$RESP_NOK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_6()
{
# CIS 4.7.1.6 - no non-directory entry under /var/adm/ras may grant any
# permission to "other".
head=h1
rule="4.7.1.6"
desc="/var/adm/ras"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# stat prints "type:mode:path:"; directories are dropped, then the first two
# mode digits are cut away so that only the "other" digit remains in front of
# the ":"; count the entries where that digit is not 0.
val=$($LINUX_STAT -c "%F:%a:%n:" /var/adm/ras/* | grep -v '^directory:' | cut -d':' -f2- | cut -c3- | grep -c -v '^0:')
res=$RESP_NOK
[[ "$val" -eq "0" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_7()
{
# CIS 4.7.1.7 - /var/adm/sa must be adm:adm with mode 755.
head=h1
rule="4.7.1.7"
desc="/var/adm/sa"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/sa)
res=$RESP_NOK
[[ "$val" == "adm:adm:755:/var/adm/sa:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_8()
{
# CIS 4.7.1.8 - /var/spool/cron/crontabs must be root:cron with mode 770.
head=h1
rule="4.7.1.8"
desc="/var/spool/cron/crontabs"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/spool/cron/crontabs)
res=$RESP_NOK
[[ "$val" == "root:cron:770:/var/spool/cron/crontabs:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_9()
{
# CIS 4.7.1.9 - every directory in root's PATH, and every parent directory
# up to "/", must be neither group- nor world-writable and must be owned by
# root or bin. Each WARNING line goes to $tempo; an empty file means Pass.
# args
head=h1
rule="4.7.1.9"
desc="Ensure all directories in root PATH deny write access to all"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# "/" is prepended so the root directory itself is checked; relative PATH
# entries are dropped by grep "^/".
echo "/:${PATH}" | tr ':' '\n' | grep "^/" | sort -u | while read DIR
do
  DIR=${DIR:-$(pwd)}
  # walk up the tree: ${DIR%/*} strips the last component each round and
  # the loop ends once it yields an empty (non-directory) string
  while [[ -d ${DIR} ]]
  do
    # ksh patterns against "ls -ld" output: position 9 is the world write
    # bit, position 6 the group write bit
    [[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] && print " WARNING ${DIR} is world writable"
    [[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] && print " WARNING ${DIR} is group writable"
    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
    DIR=${DIR%/*}
  done
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_10()
{
# CIS 4.7.1.10 - root's home attribute must be exactly /root.
head=h1
rule="4.7.1.10"
desc="Ensure root user has a dedicated home directory"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# lsuser prints "root home=/path"; the second word is compared verbatim
val=$(lsuser -a home root | awk '{print $2}')
res=$RESP_NOK
[[ "$val" == "home=/root" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_1_11()
{
# CIS 4.7.1.11 - /etc/security/audit must be root:audit with mode 750 (or
# 2750) and every entry inside it must have mode 640.
head=h1
rule="4.7.1.11"
desc="/etc/security/audit"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_NOK
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
case "$val" in
  "root:audit:750:/etc/security/audit:"|"root:audit:2750:/etc/security/audit:")
    # number of entries whose mode is not 640
    val=$($LINUX_STAT -c "%a:%n:" /etc/security/audit/* | grep -c -v '^640:')
    [[ "$val" -eq "0" ]] && res=$RESP_OK
    ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_2()
{
# CIS 4.7.2.2 - setuid/setgid files need a manual trust review: the list of
# suid (04000) / sgid (02000) regular files on local jfs/jfs2 filesystems is
# written to $tempo and any entry yields Manual.
head=h1
rule="4.7.2.2"
desc="Verify Trust of suid, sgid, acl, and trusted-bit files and programs"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls > $tempo
res=$RESP_OK
[ -s $tempo ] && res=$RESP_MANUAL

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_3()
{
# CIS 4.7.2.3 - for every absolute command path in root's crontab, the path
# and each of its parent directories must be neither group- nor
# world-writable and must be owned by root or bin. WARNING lines go to
# $tempo; an empty file means Pass.
# args
head=h1
rule="4.7.2.3"
desc="crontab entries - owned by userid"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# field 6 of a crontab line is the command; only absolute paths are checked
crontab -l |egrep -v '^#' |awk '{print $6}' |grep "^/" |sort -u | while read DIR
do
  DIR=${DIR:-$(pwd)}
  # walk up the tree with ${DIR%/*}; "-a" accepts files as well as directories
  while [[ -a ${DIR} ]]
  do
    # ksh patterns against "ls -ld" output: position 9 is the world write
    # bit, position 6 the group write bit
    [[ "$(ls -ld ${DIR})" = @(????????w? *) ]] && print " WARNING ${DIR} is world writable"
    [[ "$(ls -ld ${DIR})" = @(?????w???? *) ]] && print " WARNING ${DIR} is group writable"
    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
    DIR=${DIR%/*}
  done
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_4()
{
# CIS 4.7.2.4 - dot-files in user home directories must not be group- or
# world-writable. Every line written to $tempo (a writable file, or a missing
# home) is a finding; an empty file means Pass.
# args
head=h1
rule="4.7.2.4"
desc="Home directory configuration files"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# home values of all files-registry users, minus "/" and the system
# directories. NOTE(review): the egrep patterns are unanchored, so any home
# path merely containing e.g. "/bin" or "/var" is skipped as well.
lsuser -R files -a home ALL | cut -f2 -d= | egrep -v "^/$|/etc|/bin|/var|/usr|/usr/sys" |while read homedir
do
  if [[ -d ${homedir} ]]
  then
    #echo "Listing all user confguration files in '${homedir}'"
    # only regular dot-files are examined (".x" directories are ignored)
    ls -a ${homedir} | egrep "^\.[a-z]" | while read file
    do
      if [[ -f "${homedir}/${file}" ]]
      then
        # cut -c5- drops the type and owner bits, leaving the group/other
        # permission characters; any "w" among them is a finding
        val=$(ls -l "${homedir}/${file}" | cut -c5- | awk '{print $1}' | grep -c w)
        if [[ "$val" -ne "0" ]]
        then
          echo "${homedir}/${file} write permissions g or o"
        fi
      fi
    done
  else
    echo "ERROR - no home directory for '${homedir}'"
  fi
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_5()
{
# CIS 4.7.2.5 - smit.log in root's home directory must be root:system 640.
head=h1
rule="4.7.2.5"
desc="/smit.log"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# root's home attribute ("home=/path") with the prefix stripped, then the log path
root_home=$(lsuser -a home root | awk '{print $2}' | sed 's/home=//')
file1="$root_home/smit.log"
# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" $file1)
res=$RESP_NOK
[[ "$val" == "root:system:640:$file1:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_6()
{
# CIS 4.7.2.6 - /etc/group must be root:security with mode 644.
head=h1
rule="4.7.2.6"
desc="/etc/group"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/group)
res=$RESP_NOK
[[ "$val" == "root:security:644:/etc/group:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_7()
{
# CIS 4.7.2.7 - /etc/inetd.conf must be root:system with mode 644.
head=h1
rule="4.7.2.7"
desc="/etc/inetd.conf"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/inetd.conf)
res=$RESP_NOK
[[ "$val" == "root:system:644:/etc/inetd.conf:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_8()
{
# CIS 4.7.2.8 - /etc/motd must be bin:bin with mode 644.
head=h1
rule="4.7.2.8"
desc="/etc/motd"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd)
res=$RESP_NOK
[[ "$val" == "bin:bin:644:/etc/motd:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_9()
{
# CIS 4.7.2.9 - /etc/passwd must be root:security with mode 644.
head=h1
rule="4.7.2.9"
desc="/etc/passwd"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/passwd)
res=$RESP_NOK
[[ "$val" == "root:security:644:/etc/passwd:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_10()
{
# CIS 4.7.2.10 - /etc/ssh/ssh_config must be root:system with mode 644.
head=h1
rule="4.7.2.10"
desc="/etc/ssh/ssh_config"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/ssh_config)
res=$RESP_NOK
[[ "$val" == "root:system:644:/etc/ssh/ssh_config:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_11()
{
# CIS 4.7.2.11 - /etc/ssh/sshd_config must be root:system with mode 644.
head=h1
rule="4.7.2.11"
desc="/etc/ssh/sshd_config"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:mode:path; compared as one string
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/sshd_config)
res=$RESP_NOK
[[ "$val" == "root:system:644:/etc/ssh/sshd_config:" ]] && res=$RESP_OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_12()
{
# CIS 4.7.2.12 - /var/adm/cron/at.allow must exist and be root:sys mode 400.
head=h1
rule="4.7.2.12"
desc="/var/adm/cron/at.allow"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=$RESP_NOK
if [ -e /var/adm/cron/at.allow ]
then
  # GNU stat prints owner:group:mode:path; compared as one string
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/at.allow)
  [[ "$val" == "root:sys:400:/var/adm/cron/at.allow:" ]] && res=$RESP_OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_7_2_13()
{
# CIS 4.7.2.13 - /var/adm/cron/cron.allow must exist and be root:sys 400.
# A missing allow-list is reported as Fail.
head=h1
rule="4.7.2.13"
desc="/var/adm/cron/cron.allow"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

if [ -e /var/adm/cron/cron.allow ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/cron.allow)
  case "$val" in
    "root:sys:400:/var/adm/cron/cron.allow:") res=$RESP_OK ;;
    *)                                        res=$RESP_NOK ;;
  esac
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
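check_section_4_7_2_14()
{
# CIS 4.7.2.14 - /var/ct/RMstart.log must be root:system with mode 640.
# The file is expected to exist: a missing file is a Fail.
head=h1
rule="4.7.2.14"
desc="/var/ct/RMstart.log"
res=""
# desc1 is computed once; the original computed it twice in a row.
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

if [ -e "/var/ct/RMstart.log" ]
then
  # owner:group:octal-mode:path from GNU stat, compared as one string
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/ct/RMstart.log)
  if [[ "$val" == "root:system:640:/var/ct/RMstart.log:" ]]
  then
    res=$RESP_OK
  else
    res=$RESP_NOK
  fi
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}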

#-----------------------------------------
check_section_4_7_2_15()
{
# CIS 4.7.2.15 - /var/adm/cron/log must be bin:cron with mode 660.
# A missing cron log is reported as Fail.
head=h1
rule="4.7.2.15"
desc="/var/adm/cron/log"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

res=$RESP_NOK
if [ -e "/var/adm/cron/log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/log)
  [[ "$val" == "bin:cron:660:/var/adm/cron/log:" ]] && res=$RESP_OK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_16()
{
# CIS 4.7.2.16 - /var/tmp/dpid2.log, when present, must be root:system 640.
# Unlike the cron files, a missing daemon log is accepted (Pass).
head=h1
rule="4.7.2.16"
desc="/var/tmp/dpid2.log"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

res=$RESP_OK
if [ -e "/var/tmp/dpid2.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/dpid2.log)
  [[ "$val" == "root:system:640:/var/tmp/dpid2.log:" ]] || res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_17()
{
# CIS 4.7.2.17 - /var/tmp/hostmibd.log must be root:system with mode 640.
# NOTE(review): a missing file is Fail here, while the sibling SNMP logs in
# 4.7.2.16 and 4.7.2.18 treat a missing file as Pass — confirm which is meant.
head=h1
rule="4.7.2.17"
desc="/var/tmp/hostmibd.log"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

if [ -e "/var/tmp/hostmibd.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/hostmibd.log)
  case "$val" in
    "root:system:640:/var/tmp/hostmibd.log:") res=$RESP_OK ;;
    *)                                        res=$RESP_NOK ;;
  esac
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_18()
{
# CIS 4.7.2.18 - /var/tmp/snmpd.log, when present, must be root:system 640.
# A missing log is accepted (Pass), as for dpid2.log in 4.7.2.16.
head=h1
rule="4.7.2.18"
desc="/var/tmp/snmpd.log"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

res=$RESP_OK
if [ -e "/var/tmp/snmpd.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/snmpd.log)
  [[ "$val" == "root:system:640:/var/tmp/snmpd.log:" ]] || res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
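check_section_4_9()
{
# CIS 4.9 - Ensure root access is controlled.
# Reads root's login/rlogin/su/sugroups attributes and records a failure line
# in $tempo when (a) su to root is allowed from every group (su != false with
# sugroups=ALL) or (b) direct root login or rlogin is enabled.
# Pass when $tempo stays empty.
head=h1
rule="4.9"
desc="Ensure root access is controlled"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# Start from an empty scratch file: the original only truncated it from the
# first test, so when that test passed and the second failed, whatever an
# earlier check had left in $tempo was counted as a failure here.
: > $tempo
# "root login=true rlogin=false su=true sugroups=..." -> '=' becomes ' ' and
# the words are read pairwise (a1..a4 hold the attribute names).
# Relies on ksh93 running the last pipeline stage in the current shell.
lsuser -a login rlogin su sugroups root | tr '=' ' ' | read user a1 login a2 rlogin a3 su a4 sugroups
[[ ${su} != "false" && ${sugroups} == "ALL" ]] && echo "failed : ${a3}==${su}, ${a4}==${sugroups}" >> $tempo
[[ ${login} == "true" || ${rlogin} == "true" ]] && echo "failed : ${a1}==${login}, ${a2}==${rlogin}" >> $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}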

#-----------------------------------------
check_section_4_10()
{
# CIS 4.10 - Disable core dumps.
# Two probes, each producing grep's exit status (0 = expected setting found):
#   rc1: /etc/security/limits default stanza has core=0 and core_hard=0
#   rc2: sys0 attribute fullcore is false
# Pass only when both are 0.
head=h1
rule="4.10"
desc="Disable core dumps"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# spaces -> ';' and a trailing ';' so the whole line is matched literally
rc1=$(lssec -f /etc/security/limits -s default -a core -a core_hard | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'default;core=0;core_hard=0;'; echo $?)
rc2=$(lsattr -El sys0 -a fullcore | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'fullcore;false;Enable;full;CORE;dump;True;'; echo $?)
(( rc = rc1 + rc2 ))

res=$RESP_NOK
(( rc == 0 )) && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_11()
{
# CIS 4.11 - Remove current working directory from default /etc/environment PATH.
# The awk pattern matches a PATH= line that contains an empty element
# ("::", leading or trailing ':') or a one-character element such as ".";
# any match means the current directory would be searched, so Fail.
head=h1
rule="4.11"
desc="Remove current working directory from default /etc/environment PATH"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
res=$RESP_NOK
[[ -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_12()
{
# CIS 4.12 - Lock historical users.
# Every legacy system account in ACCOUNTS must report account_locked=true.
# Accounts that do not exist print nothing (stderr discarded) and so do not
# count against the check; any surviving line in $tempo means Fail.
head=h1
rule="4.12"
desc="Lock historical users"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
# comma list -> words via parameter expansion; lines that are not
# "locked" survive the grep -v
for usr in ${ACCOUNTS//,/ }
do
  lsuser -a account_locked $usr 2>/dev/null
done | grep -v 'account_locked=true' > $tempo

res=$RESP_OK
[[ -s $tempo ]] && res=$RESP_NOK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
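check_section_4_13()
{
# CIS 4.13 - Remove current working directory from root's PATH.
# Spawns a root login shell and inspects the PATH it ends up with; the awk
# pattern matches an empty element ("::", leading/trailing ':') or a
# one-character element such as ".". Any match is a Fail.
head=h1
rule="4.13"
desc="Remove current working directory from root's PATH"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# Single quotes are essential: with "echo ${PATH}" this script's own PATH
# was substituted before su ran, so root's login PATH was never examined.
val=$(su - root -c 'echo $PATH' |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
if [[ "$val" == "" ]]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}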

#-----------------------------------------
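check_section_4_14()
{
# CIS 4.14 - Configuration: /etc/motd.
# Pass when /etc/motd contains exactly one line with the phrase
# "PROPER AUTHORIZATION" (the legal access banner).
head=h1
rule="4.14"
desc="Configuration: /etc/motd"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# NOTE(review): gating a motd check on the existence of /audit looks like a
# copy-paste from an auditing check; confirm whether /etc/motd was intended.
if [ -e /audit ]
then
  # grep -c reads the file directly (no cat); a missing motd yields no count
  # and therefore a Fail, exactly as before.
  val=$(grep -c 'PROPER AUTHORIZATION' /etc/motd)
  if [[ "$val" == "1" ]]
  then
    res=$RESP_OK
  else
    res=$RESP_NOK
  fi
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}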

#-----------------------------------------
check_section_5_1_1_1()
{
# CIS 5.1.1.1 - histexpire: the default user stanza must set histexpire=52.
# lssec prints "default histexpire=52"; spaces become ';' and a ';' is
# appended so the whole line is compared literally.
head=h1
rule="5.1.1.1"
desc="histexpire"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a histexpire | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;histexpire=52;") res=$RESP_OK ;;
  *)                        res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_1_1_2()
{
# CIS 5.1.1.2 - histsize: the default user stanza must set histsize=0.
# Exact-line compare of "default;histsize=0;" built from lssec output.
head=h1
rule="5.1.1.2"
desc="histsize"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a histsize | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;histsize=0;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_1_1_3()
{
# CIS 5.1.1.3 - minage: the default user stanza must set minage=1 (week).
# Exact-line compare of "default;minage=1;" built from lssec output.
head=h1
rule="5.1.1.3"
desc="minage"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minage | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;minage=1;") res=$RESP_OK ;;
  *)                   res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
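check_section_5_1_2()
{
# CIS 5.1.2 - All accounts must have a hashed password.
# grep -p (AIX paragraph mode) returns every stanza of /etc/security/passwd
# whose "password = " line is blank; the "name:" header line is extracted
# and one report line per account is written to $tempo. Pass when empty.
head=h1
rule="5.1.2"
desc="All accounts must have a hashed password"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

egrep -p "password = +$" /etc/security/passwd | grep ":" | awk -F: '{ print $1 } ' | while read user rest
do
  # Report only: this script never modifies anything (see the file header),
  # so the old "Locking account ..." wording was misleading.
  print "Account ${user} has a blank password"
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}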

#-----------------------------------------
check_section_5_1_3()
{
# CIS 5.1.3 - All usernames and UIDs must be unique.
# uniq -d prints duplicated UIDs (field 3) and then duplicated names
# (field 1) of /etc/passwd; any output at all means Fail.
head=h1
rule="5.1.3"
desc="All usernames and UIDs must be unique"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(cut -d: -f 3 /etc/passwd | sort -n | uniq -d;cut -d: -f 1 /etc/passwd | sort | uniq -d)
res=$RESP_NOK
[[ -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_1_4()
{
# CIS 5.1.4 - All group names and GIDs must be unique.
# Same technique as 5.1.3, applied to /etc/group: duplicated GIDs and
# duplicated group names are listed, and any output means Fail.
head=h1
rule="5.1.4"
desc="All group names and GIDs must be unique"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(cut -d: -f 3 /etc/group | sort -n | uniq -d;cut -d: -f 1 /etc/group | sort | uniq -d)
case "$val" in
  "") res=$RESP_OK ;;
  *)  res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_1_5()
{
# CIS 5.1.5 - Establish and Maintain an Inventory of Administrator accounts.
# Every local (files registry) account with admin=true is compared with a
# baseline of stock AIX accounts; any admin account outside the baseline
# needs human review, so the result is Manual rather than Fail.
head=h1
rule="5.1.5"
desc="Establish and Maintain an Inventory of Administrator accounts"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# $tempo   : sorted names of admin=true accounts
# $tempo.1 : sorted baseline list
lsuser -R files -a admin ALL | grep 'admin=true' | sed 's/\ /;/g' | cut -d';' -f1 | sort > $tempo
echo "adm,bin,daemon,invscout,ipsec,lp,lpd,nobody,nuucp,root,smmsp,snapp,sshd,sys,uucp" | tr ',' '\n'  | sort > $tempo.1
# names only on the left side of sdiff (extra admins), squeezed into one word
val=$(sdiff -s $tempo $tempo.1 | grep '<' | awk '{print $1}' | tr '\n' ',' | sed 's/,//g')
res=$RESP_MANUAL
[[ -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_1_6()
{
# CIS 5.1.6 - Establish and Maintain an Inventory of User Accounts.
# Gathers the comma-separated list of admin=false local accounts into val;
# the result is always Manual because the inventory has to be reviewed by a
# person. Note that val is collected but not written anywhere by this check.
head=h1
rule="5.1.6"
desc="Establish and Maintain an Inventory of User Accounts"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lsuser -R files -a admin ALL | grep 'admin=false' | awk '{print $1}' | sort | tr '\n' ',' | sed 's/,$//')
res=$RESP_MANUAL

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_1()
{
# CIS 5.2.1 - Ensure new passwords are controlled by password attributes.
# The NOCHECK flag in /etc/security/passwd exempts an account from the
# password rules; any occurrence is a Fail. (5.2.4 runs the same probe.)
head=h1
rule="5.2.1"
desc="Ensure new passwords are controlled by password attributes (disable NOCHECK)"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(grep NOCHECK /etc/security/passwd)
res=$RESP_NOK
[[ -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_2()
{
# CIS 5.2.2 - pwd_algorithm: the usw stanza of login.cfg must select ssha512.
# lssec prints "usw pwd_algorithm=ssha512"; spaces -> ';' plus a trailing ';'
# so the line is compared literally.
head=h1
rule="5.2.2"
desc="pwd_algorithm"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "usw;pwd_algorithm=ssha512;") res=$RESP_OK ;;
  *)                            res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
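check_section_5_2_3()
{
# CIS 5.2.3 - Ensure passwords are not hashed using 'crypt'.
# A 13-character value on a "password = " line of /etc/security/passwd is a
# legacy crypt(3) hash (the modern prefixed hashes, e.g. {ssha512}, are
# longer). For each such hash the owning stanza header "name:" is looked up
# and one line per user is written to $tempo; Pass when the file is empty.
head=h1
rule="5.2.3"
desc="Ensure passwords are not hashed using 'crypt'"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

grep 'password[[:blank:]]= .............$' /etc/security/passwd | while read pass equals cryptedhash
do
  # grep -p (AIX) prints the whole stanza containing the hash; its header is
  # the only line of the form "name:" at column 0. The hash is quoted so it
  # reaches grep as one argument, and the header match no longer relies on
  # the "A-z" range of the original, which was a typo spanning punctuation.
  user=$(grep -p "$cryptedhash" /etc/security/passwd | egrep '^[^[:space:]:]+:$' | sed -e 's/:$//')
  print "${user}: needs to update passwd"
done > $tempo

if [ ! -s $tempo ]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}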

#-----------------------------------------
check_section_5_2_4()
{
# CIS 5.2.4 - Ensure password policy is enforced for all users.
# Identical probe to 5.2.1: any NOCHECK flag in /etc/security/passwd
# bypasses the policy and is a Fail.
head=h1
rule="5.2.4"
desc="Ensure password policy is enforced for all users"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(grep NOCHECK /etc/security/passwd)
case "$val" in
  "") res=$RESP_OK ;;
  *)  res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_5()
{
# CIS 5.2.5 - minlen: default minimum password length must be 14.
# Exact-line compare of "default;minlen=14;" built from lssec output.
head=h1
rule="5.2.5"
desc="minlen"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minlen | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;minlen=14;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_6()
{
# CIS 5.2.6 - mindiff: at least 4 characters must differ from the old password.
# Exact-line compare of "default;mindiff=4;" built from lssec output.
head=h1
rule="5.2.6"
desc="mindiff"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a mindiff | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;mindiff=4;") res=$RESP_OK ;;
  *)                    res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_7()
{
# CIS 5.2.7 - minalpha: default minimum number of alphabetic characters is 3.
# Exact-line compare of "default;minalpha=3;" built from lssec output.
head=h1
rule="5.2.7"
desc="minalpha"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minalpha | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;minalpha=3;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_8()
{
# CIS 5.2.8 - minother: default minimum number of non-alphabetic characters is 3.
# Exact-line compare of "default;minother=3;" built from lssec output.
head=h1
rule="5.2.8"
desc="minother"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minother | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;minother=3;") res=$RESP_OK ;;
  *)                     res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_9()
{
# CIS 5.2.9 - maxrepeats: a character may repeat at most 4 times.
# Exact-line compare of "default;maxrepeats=4;" built from lssec output.
head=h1
rule="5.2.9"
desc="maxrepeats"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a maxrepeats | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;maxrepeats=4;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_10()
{
# CIS 5.2.10 - mindigit: default minimum number of digits is 1.
# Exact-line compare of "default;mindigit=1;" built from lssec output.
head=h1
rule="5.2.10"
desc="mindigit"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a mindigit | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;mindigit=1;") res=$RESP_OK ;;
  *)                     res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_11()
{
# CIS 5.2.11 - minloweralpha: default minimum number of lower-case letters is 1.
# Exact-line compare of "default;minloweralpha=1;" built from lssec output.
head=h1
rule="5.2.11"
desc="minloweralpha"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minloweralpha | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;minloweralpha=1;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_12()
{
# CIS 5.2.12 - minupperalpha: default minimum number of upper-case letters is 1.
# Exact-line compare of "default;minupperalpha=1;" built from lssec output.
head=h1
rule="5.2.12"
desc="minupperalpha"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minupperalpha | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;minupperalpha=1;") res=$RESP_OK ;;
  *)                          res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_2_13()
{
# CIS 5.2.13 - minspecialchar: default minimum number of special characters is 1.
# Exact-line compare of "default;minspecialchar=1;" built from lssec output.
head=h1
rule="5.2.13"
desc="minspecialchar"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a minspecialchar | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;minspecialchar=1;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_1()
{
# CIS 5.3.1 - adm: the account must be locked with login and rlogin disabled.
# lsuser's "adm account_locked=true login=false rlogin=false" is joined with
# ';'; an account that does not exist (empty output, errors discarded) is
# accepted as well.
head=h1
rule="5.3.1"
desc="adm"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=adm
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "$usr;account_locked=true;login=false;rlogin=false;"|"") res=$RESP_OK ;;
  *)                                                       res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_2()
{
# CIS 5.3.2 - bin: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the bin account.
head=h1
rule="5.3.2"
desc="bin"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=bin
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_3()
{
# CIS 5.3.3 - daemon: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the daemon account.
head=h1
rule="5.3.3"
desc="daemon"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=daemon
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "$usr;account_locked=true;login=false;rlogin=false;"|"") res=$RESP_OK ;;
  *)                                                       res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_4()
{
# CIS 5.3.4 - guest: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the guest account.
head=h1
rule="5.3.4"
desc="guest"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=guest
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
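check_section_5_3_5()
{
# CIS 5.3.5 - lpd: the account must be locked with login and rlogin disabled
# (an absent account is accepted too). Same probe as 5.3.1.
head=h1
rule="5.3.5"
desc="lpd"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# Was "ldp": lsuser failed silently, val stayed empty and the check always
# passed without ever looking at the real lpd account.
usr=lpd
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
if [[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || "$val" == "" ]]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}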

#-----------------------------------------
check_section_5_3_6()
{
# CIS 5.3.6 - nobody: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the nobody account.
head=h1
rule="5.3.6"
desc="nobody"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=nobody
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "$usr;account_locked=true;login=false;rlogin=false;"|"") res=$RESP_OK ;;
  *)                                                       res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_7()
{
# CIS 5.3.7 - nuucp: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the nuucp account.
head=h1
rule="5.3.7"
desc="nuucp"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=nuucp
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_8()
{
# CIS 5.3.8 - sys: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the sys account.
head=h1
rule="5.3.8"
desc="sys"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=sys
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "$usr;account_locked=true;login=false;rlogin=false;"|"") res=$RESP_OK ;;
  *)                                                       res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_9()
{
# CIS 5.3.9 - uucp: locked, login=false, rlogin=false (or absent).
# Same probe as 5.3.1 for the uucp account.
head=h1
rule="5.3.9"
desc="uucp"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

usr=uucp
val=$(lsuser -a account_locked login rlogin $usr 2>/dev/null | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "$usr;account_locked=true;login=false;rlogin=false;" || -z "$val" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_3_10()
{
# CIS 5.3.10 - Ensure System Accounts cannot access system using ftp.
# Pass outright when inetd does not serve ftpd. Otherwise every local
# account with uid < 200 must be listed in /etc/ftpusers (the ftpd deny
# list); a missing /etc/ftpusers is a Fail.
head=h1
rule="5.3.10"
desc="Ensure System Accounts cannot access system using ftp."
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssrc -ls inetd | grep -c ftpd)
if [[ "$val" -eq "0" ]]
then
  res=$RESP_OK
elif [ ! -e /etc/ftpusers ]
then
  res=$RESP_NOK
else
  rc=0
  # rc is updated inside the loop; this relies on ksh93 running the last
  # pipeline stage in the current shell (bash would run it in a subshell).
  lsuser -R files -a id ALL | sed 's/id=//' | while read usr uid
  do
    if [[ "$uid" -lt "200" ]]
    then
      # grep status 0 = account present in /etc/ftpusers; 1 adds to rc
      rc1=$(sed 's/$/;/' /etc/ftpusers | grep -q "^${usr};"; echo $?)
      (( rc = rc + rc1 ))
    fi
  done
  if [[ "$rc" == "0" ]]
  then
    res=$RESP_OK
  else
    res=$RESP_NOK
  fi
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_6()
{
# CIS 5.6 - maxage: default maximum password age must be 13 (weeks).
# Exact-line compare of "default;maxage=13;" built from lssec output.
head=h1
rule="5.6"
desc="maxage"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a maxage | sed 's/\ /;/g' | sed 's/$/;/')
case "$val" in
  "default;maxage=13;") res=$RESP_OK ;;
  *)                    res=$RESP_NOK ;;
esac

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_5_7()
{
# CIS 5.7 - maxexpired: default grace period after expiry must be 4 (weeks).
# Exact-line compare of "default;maxexpired=4;" built from lssec output.
head=h1
rule="5.7"
desc="maxexpired"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

val=$(lssec -f /etc/security/user -s default -a maxexpired | sed 's/\ /;/g' | sed 's/$/;/')
res=$RESP_NOK
[[ "$val" == "default;maxexpired=4;" ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
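check_section_6_3_1()
{
# CIS 6.3.1 - Privilege escalation: sudo.
# Pass only when the installed sudo is at least version 1.9.5p2 AND
# `visudo -c` accepts the sudoers configuration.
head=h1
rule="6.3.1"
desc="Privilege escalation: sudo"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

#min version: 1.9.5p2
# Last word of the "Sudo version X.Y.ZpN" line, with "p" turned into "." so
# the patch level is an ordinary dot-separated field. When sudo is missing,
# val and the fields below are empty and the arithmetic treats them as 0,
# i.e. "too old".
val=$(sudo --version | grep -vi sudoers  | grep version | rev | awk '{print $1}' | rev | sed 's/p/\./')
val1=$(echo $val | cut -d'.' -f1)
val2=$(echo $val | cut -d'.' -f2)
val3=$(echo $val | cut -d'.' -f3)

# Compare (major, minor, patch) against (1, 9, 5) component by component;
# rc=0 means new enough. The trailing pN level is not part of the threshold
# (as in the original nested comparison, whose innermost "else" was
# unreachable and has been dropped).
rc=1
if (( val1 > 1 )); then
  rc=0
elif (( val1 == 1 && val2 > 9 )); then
  rc=0
elif (( val1 == 1 && val2 == 9 && val3 >= 5 )); then
  rc=0
fi

# visudo -c only parses sudoers; a non-zero status means a syntax error.
rc2=$(visudo -c > /dev/null 2>&1; echo $?)

(( rc1 = rc + rc2 ))

if (( rc1 == 0 ))
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}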

#-----------------------------------------
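check_section_6_3_2()
{
# CIS 6.3.2 - Ensure sudo logging is active.
# Pass when at least one "Defaults logfile=<path>" directive exists in
# /etc/sudoers or /etc/sudoers.d/*; Fail when none is found.
head=h1
rule="6.3.2"
desc="Ensure sudo logging is active"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# POSIX classes instead of \s/\S, which AIX grep -E does not understand.
# stderr is dropped on purpose: /etc/sudoers.d may not exist, and that is
# not by itself a finding.
val=$(grep -Ei '^[[:space:]]*Defaults[[:space:]]+logfile=[^[:space:]]+' /etc/sudoers /etc/sudoers.d/* 2>/dev/null)
# A match means logging IS configured, which is the compliant state; the
# original test was inverted and reported Pass when nothing was configured.
if [[ "$val" != "" ]]
then
  res=$RESP_OK
else
  res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}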

#-----------------------------------------
check_section_6_4()
{
# CIS 6.4 - Adding authorized users in at.allow.
# Only presence and non-emptiness of /var/adm/cron/at.allow are verified,
# not which users it lists; permissions are covered by 4.7.2.12.
head=h1
rule="6.4"
desc="Adding authorized users in at.allow"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

res=$RESP_NOK
[[ -s /var/adm/cron/at.allow ]] && res=$RESP_OK

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_6_6()
{
# CIS 6.6 - Adding authorised users in cron.allow.
# Pass when /var/adm/cron/cron.allow exists and is not empty; the listed
# users themselves are not inspected (permissions: see 4.7.2.13).
head=h1
rule="6.6"
desc="Adding authorised users in cron.allow"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

if [[ -s /var/adm/cron/cron.allow ]]
then res=$RESP_OK
else res=$RESP_NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_7_1()
{
# CIS 7.1 - Use FLRT regularly.
# Nothing can be verified on the host (FLRT is IBM's online fix-level
# recommendation service), so the result is always Manual.
head=h1
rule="7.1"
desc="Use FLRT regularly"
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
res=$RESP_MANUAL

print_output $head $rule $desc1 $res
}

#-----------------------------------------
# MAIN
#-----------------------------------------
main ()
{
# Run every implemented CIS check in benchmark order. Each check prints one
# "rule;description;result" line through print_output; the caller tees the
# whole stream into the CSV report.
check_section_2_1
check_section_2_7
check_section_3_3
check_section_3_4
check_section_3_5
check_section_3_6
check_section_3_7
check_section_3_8
check_section_4_1_3_1
check_section_4_1_3_2
check_section_4_1_3_3
check_section_4_2_18
check_section_4_3_1
check_section_4_3_2
check_section_4_3_3
check_section_4_5_1_7
check_section_4_5_2_1
check_section_4_5_2_2
check_section_4_5_2_3
check_section_4_5_3_1
check_section_4_5_3_4
check_section_4_5_3_5
check_section_4_5_3_6
check_section_4_5_3_7
check_section_4_5_3_8
check_section_4_5_3_9
check_section_4_5_3_10
check_section_4_5_3_11
check_section_4_5_3_12
check_section_4_5_3_13
check_section_4_5_3_14
check_section_4_5_3_15
check_section_4_5_3_16
check_section_4_5_3_17
check_section_4_5_3_18
check_section_4_6_5
check_section_4_7_1_1
check_section_4_7_1_2
check_section_4_7_1_3
check_section_4_7_1_4
check_section_4_7_1_5
check_section_4_7_1_6
check_section_4_7_1_7
check_section_4_7_1_8
check_section_4_7_1_9
check_section_4_7_1_10
check_section_4_7_1_11
check_section_4_7_2_2
check_section_4_7_2_3
check_section_4_7_2_4
check_section_4_7_2_5
check_section_4_7_2_6
check_section_4_7_2_7
check_section_4_7_2_8
check_section_4_7_2_9
check_section_4_7_2_10
check_section_4_7_2_11
# 4.7.2.12 (/var/adm/cron/at.allow ownership/mode) is commented out here,
# so it never appears in the report; the function itself still exists and
# 6.4 only checks that the file is non-empty. Reason for skipping not recorded.
#check_section_4_7_2_12
check_section_4_7_2_13
check_section_4_7_2_14
check_section_4_7_2_15
check_section_4_7_2_16
check_section_4_7_2_17
check_section_4_7_2_18
check_section_4_9
check_section_4_10
check_section_4_11
check_section_4_12
check_section_4_13
check_section_4_14
check_section_5_1_1_1
check_section_5_1_1_2
check_section_5_1_1_3
check_section_5_1_2
check_section_5_1_3
check_section_5_1_4
check_section_5_1_5
check_section_5_1_6
check_section_5_2_1
check_section_5_2_2
check_section_5_2_3
check_section_5_2_4
check_section_5_2_5
check_section_5_2_6
check_section_5_2_7
check_section_5_2_8
check_section_5_2_9
check_section_5_2_10
check_section_5_2_11
check_section_5_2_12
check_section_5_2_13
check_section_5_3_1
check_section_5_3_2
check_section_5_3_3
check_section_5_3_4
check_section_5_3_5
check_section_5_3_6
check_section_5_3_7
check_section_5_3_8
check_section_5_3_9
check_section_5_3_10
check_section_5_6
check_section_5_7
check_section_6_3_1
check_section_6_3_2
check_section_6_4
check_section_6_6
check_section_7_1
}

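# Run all checks, echoing the raw "rule;desc;result" lines and saving them.
main | tee $cisoutput
# Turn each line into "MM/DD/<HEADER>;rule;desc;result<FOOTER>" (HEADER
# carries time, host and benchmark identification), then quote every
# ';'-separated field for CSV. One sed per pass instead of a cat plus a
# chain of single-expression seds; the expressions themselves are unchanged.
sed -e "s/^/$HEADER/" -e 's/^/\//' -e "s/^/$DAY/" -e 's/^/\//' -e "s/^/$MONTH/" -e "s/$/$FOOTER/" $cisoutput > ${cisoutput}.1
sed -e 's/^/"/' -e 's/;/","/g' -e 's/$/"/' ${cisoutput}.1 > ${cisoutput}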

OLD version


root@aix /root# cat scripts/cis.sh
#!/usr/bin/ksh93
#@(#) Check security
# This script doesn't modify anything on your system; it only lists what is right and wrong
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, followed by OK
# Version 1.0  06-2023 EIF (compliance CIS for AIX)

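dir=$(dirname "$0")
# Optional per-site settings next to the script; otherwise log under /tmp.
if [ -f "$dir/.env" ]
then
  . "$dir/.env"
else
  path_script=$dir
  export sn=$(basename "$0" | cut -d. -f1)
  export logpath=/tmp
  export logname=$logpath/$sn.log
fi

DATE=$(date "+%Y%m%d%H%M%S")
# GNU tools from the AIX Toolbox, used for options such as "stat -c".
LINUX_SED=/opt/freeware/bin/sed
LINUX_STAT=/opt/freeware/bin/stat
LINUX_SORT=/opt/freeware/bin/sort


list_files=$logpath/list_files.txt
outputcis=$logpath/CIS_AIX7.2_v1.0.0
output=$logname
prefix=sec_files_out_
outputdir=$logpath/${prefix}${DATE}
# The run continues on failure as before, but now says so on stderr.
mkdir "$outputdir" || echo "warning: cannot create $outputdir" >&2
# NOTE(review): fixed, predictable scratch file under $logpath (/tmp by
# default) that a root-run script truncates with '>'; a mktemp-created name
# would remove the symlink/race exposure. Left unchanged because every check
# refers to $tempo.
tempo=$logpath/tmp_cis

# Cleanup: remove output directories older than 5 days (errors ignored).
find "$logpath" -type d -name "${prefix}*" -ctime +5 -exec rm -r {} \; 2>/dev/null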

#-----------------------------------------
print_output()
{
# Emit one result line on stdout as "rule;description;result".
#   $1 header  - accepted for interface compatibility, not used here
#   $2 ruleno  - CIS rule number, e.g. 2.1
#   $3 descr   - description with spaces encoded as '|' (desc1 in the
#                callers, so it survives unquoted expansion); the '|' are
#                mapped back to spaces on output
#   $4 result  - OK / NOK / Manual
header=$1
ruleno=$2
descr=$(echo "$3")
result=$4

echo "$ruleno;$descr;$result" | sed 's/\|/\ /g'
}

#-----------------------------------------
check_section_2_1()
{
# CIS 2.1 - Collect system configuration regularly.
# val accumulates the exit status of four probes in turn:
#   1. $file1 (the inventory log) exists
#   2. /etc/syslog.conf routes local1.info to $file1
#   3. a non-comment local1.info line forwards to a remote host (@...)
#   4. root's crontab runs lsconf through logger
# NOTE: val only ever grows, so once probe 1 fails every inner
# `if [ "$val" != "0" ]` is true and the inner `res=OK` can never run;
# in effect the check passes only when $file1 exists. Probes 2-4 are
# executed but cannot change the outcome — presumably each was meant as an
# independent alternative; confirm the intended logic before relying on it.
# args
head=h1
rule="2.1"
desc="Collect system configuration regularly"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

file1=/var/log/syslog/inventory.log
val=0
val1=$(ls $file1 > /dev/null 2>&1; echo $?)
(( val = val + val1 ))
if [ "$val" != "0" ]
then
  res=NOK
  val1=$(cat /etc/syslog.conf | grep "local1.info" | grep -q "$file1"; echo $?)
  (( val = val + val1 ))
  if [ "$val" != "0" ]
  then
    res=NOK
    val1=$(cat /etc/syslog.conf | sed '/^$/d' | grep -v '^#' | grep "^local1.info" | awk '{print $2}' | grep -q "\@"; echo $?)
    (( val = val + val1 ))
    if [ "$val" != "0" ]
    then
      res=NOK
      val1=$(crontab -l | grep -v '^#' | grep "lsconf" | grep -q "logger"; echo $?)
      (( val = val + val1 ))
      if [ "$val" != "0" ]
      then
        res=NOK
      else
        res=OK
      fi
    fi
  fi
else
  res=OK
fi
print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_2_7()
{
# CIS 2.7 - Remove Unused Symbolic Links.
# Lists every symlink on jfs/jfs2 file systems (find -L ... -type l -ls),
# normalises each "-ls" line into "link;target" in $tempo.1, then writes the
# links whose target does not exist to $tempo. Fail when $tempo is not empty.
# args
head=h1
rule="2.7"
desc="Remove Unused Symbolic Links"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# cut -d'/' -f2- drops the inode/perms/owner columns before the first '/',
# the leading '/' is restored, and " -> " becomes ';'.
find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -ls 2>/dev/null | cut -d'/' -f2- | sed 's/^/\//' | sed 's/\->/;/' | sed 's/\ ;/;/' | sed 's/;\ /;/' > $tempo.1

cat /dev/null > $tempo
# Spaces were mapped to '|' so each record is one word for the for-loop;
# the '|' are mapped back when word1/word2 are extracted. (A tab inside a
# path would still split a record — presumably not expected here.)
for line in $(cat $tempo.1 | sed 's/\ /|/g')
do
  word1=$(echo $line | cut -d';' -f1 | sed 's/\|/\ /g')
  word2=$(echo $line | cut -d';' -f2 | sed 's/\|/\ /g')
  val=$(echo $word2 | grep -c '^/')
  if [[ "$val" -eq "1" ]]
  then
    # absolute target: test it as is
    if [ ! -e $word2 ]
    then
      echo $word1 >> $tempo
    fi
  else
    # relative target: resolve against the directory holding the link
    dir1=$(echo $word1 | rev | cut -d'/' -f2- | rev)
    word3=$(echo "$dir1/$word2")
    if [ ! -e $word3 ]
    then
      echo $word1 >> $tempo
    fi
  fi
done > $tempo
# The loop's own stdout redirect truncates $tempo before the first
# iteration; the dangling links are appended by the echo >> lines inside.

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

#cp $tempo /root/link.txt
print_output $head $rule $desc1 $res
}

#-----------------------------------------
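check_section_3_3()
{
# Rule 3.3 - the default umask in /etc/security/user must be 027 or stricter.
# lssec prints "default umask=NN" (octal digits, no leading zero). The former
# substring match 'umask=27' accepted only that exact value (and would also
# match umask=277), so the value is parsed and compared bit-wise instead.
head=h1
rule="3.3"
desc="Ensure default user umask is 027 or more restrictive"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(lssec -f /etc/security/user -s default -a umask 2>/dev/null | sed -n 's/.*umask=\([0-7]*\).*/\1/p')
if umask_at_least_027 "$val"
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

# Return 0 when the octal umask in $1 clears at least what 027 clears:
# the group write bit (2) and every "other" bit (7). Empty or non-octal
# input returns 1 and is therefore reported as non-compliant.
umask_at_least_027()
{
  m=$1
  case "$m" in
    ""|*[!0-7]*) return 1 ;;
  esac
  # normalise to the last three digits, zero padded (27 -> 027, 0027 -> 027)
  while [ ${#m} -lt 3 ]
  do
    m=0$m
  done
  m=${m#"${m%???}"}
  grp=${m:1:1}
  oth=${m:2:1}
  (( (grp & 2) == 2 && oth == 7 ))
}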

#-----------------------------------------
check_section_3_4()
{
# Rule 3.4 - group-writable regular files on local jfs/jfs2 filesystems.
# Any hit is reported as Manual (documented exceptions are allowed) and the
# count is appended to the log file.
head=h1
rule="3.4"
desc="Remove group write permission from default groups - exceptions must be in TSD and audit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls | wc -l | awk '{print $1}')
if [[ "$val" != "0" ]]
then
  res=Manual
  echo "$rule;$desc1;val=$val" >> $logname
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_3_5()
{
# Rule 3.5 - world-writable directories without the sticky bit on local
# jfs/jfs2 filesystems. Any hit is NOK and the count goes to the log file.
head=h1
rule="3.5"
desc="Application Data with requirement for world writable directories"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls | wc -l | awk '{print $1}')
if [[ "$val" != "0" ]]
then
  res=NOK
  echo "$rule;$desc1;val=$val" >> $logname
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_3_6()
{
# Rule 3.6 - world-writable regular files on local jfs/jfs2 filesystems.
# Any hit is NOK and the count goes to the log file.
head=h1
rule="3.6"
desc="Ensure there are no world writable files - exceptions must be in TSD and audit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w | wc -l | awk '{print $1}')
if [[ "$val" != "0" ]]
then
  res=NOK
  echo "$rule;$desc1;val=$val" >> $logname
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_3_7()
{
# Rule 3.7 - regular files writable by group 'staff' on local jfs/jfs2
# filesystems. Any hit is NOK and the count goes to the log file.
head=h1
rule="3.7"
desc="Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}')
if [[ "$val" != "0" ]]
then
  res=NOK
  echo "$rule;$desc1;val=$val" >> $logname
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_3_8()
{
# Rule 3.8 - files or directories with no matching user or group entry on
# local jfs/jfs2 filesystems. Any hit is NOK and the count goes to the log.
head=h1
rule="3.8"
desc="Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}')
if [[ "$val" != "0" ]]
then
  res=NOK
  echo "$rule;$desc1;val=$val" >> $logname
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_1_3_1()
{
# Rule 4.1.3.1 - autoconf6 must not be started from /etc/rc.tcpip.
# An uncommented "start ... autoconf6" line is NOK.
head=h1
rule="4.1.3.1"
desc="autoconf6"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "autoconf6"
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_1_3_2()
{
# Rule 4.1.3.2 - ndpd-host must not be started from /etc/rc.tcpip.
# An uncommented "start ... ndpd-host" line is NOK.
head=h1
rule="4.1.3.2"
desc="ndpd-host"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "ndpd-host"
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_1_3_3()
{
# Rule 4.1.3.3 - ndpd-router must not be started from /etc/rc.tcpip.
# An uncommented "start ... ndpd-router" line is NOK.
head=h1
rule="4.1.3.3"
desc="ndpd-router"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "ndpd-router"
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_2_18()
{
# Rule 4.2.18 - the ip6forwarding network option must be 0.
# "no -o" prints "ip6forwarding = 0"; spaces are stripped before matching.
head=h1
rule="4.2.18"
desc="ip6forwarding"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

if no -o ip6forwarding | tr -d ' ' | grep -q 'ip6forwarding=0'
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_3_1()
{
# Rule 4.3.1 - IP Security must be available: exactly two ipsec devices
# (v4 and v6) reported as Available by lsdev.
head=h1
rule="4.3.1"
desc="Ensure that IP Security is available"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(lsdev -Cc ipsec 2>/dev/null | grep -c Available)
case "$val" in
  2) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_3_2()
{
# Rule 4.3.2 - loopback traffic must be filtered on external interfaces:
# one IPv4 filter rule mentioning 127.0.0.0 plus one IPv6 rule mentioning ::1.
head=h1
rule="4.3.2"
desc="Ensure loopback traffic is blocked on external interfaces"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val1=$(lsfilt -v 4 -O 2>/dev/null | grep -c 127.0.0.0)
val2=$(lsfilt -v 6 -O 2>/dev/null | grep -c ::1)
(( val = val1 + val2 ))
case "$val" in
  2) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
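check_section_4_3_3()
{
# Rule 4.3.3 - IPsec filter rules must be active: no rule listed as
# "inactive" for IPv4 or IPv6.
# The former pipeline fed 'grep -q' (which prints nothing) into awk, so both
# counters were always empty and the rule always reported OK; grep -c gives
# the real number of inactive rules.
# NOTE(review): confirm that lsfilt -O -a prints a status column on which
# 'inactive' can appear with these flags.
head=h1
rule="4.3.3"
desc="Ensure that IPsec filters are active"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val1=$(lsfilt -v4 -O -a 2>/dev/null | grep -c inactive)
val2=$(lsfilt -v6 -O -a 2>/dev/null | grep -c inactive)
(( val = val1 + val2 ))
if [ "$val" == "0" ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}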

#-----------------------------------------
check_section_4_5_1_7()
{
# Rule 4.5.1.7 - CDE screensaver lock: when a CDE sys.resources file exists,
# both dtsession*saverTimeout and dtsession*lockTimeout must be 10.
# Without CDE configuration the rule is OK.
# args
head=h1
rule="4.5.1.7"
desc="CDE - screensaver lock"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# NOTE(review): the glob is unquoted inside a single-argument test; with
# more than one matching sys.resources file the test errors out.
if [ -e /etc/dt/config/*/sys.resources ]
then
  # last field of each matching line, de-duplicated: a single "10" means
  # both timeouts are set to 10
  val=$(egrep "dtsession\*saverTimeout:|dtsession\*lockTimeout:" /etc/dt/config/*/sys.resources | rev | cut -d' ' -f1 | rev | awk '{print  $1}' | sort -u)
  if [ "$val" == "10" ]
  then
    res=OK
  else
    res=NOK
  fi
else
  res=OK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
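check_section_4_5_2_1()
{
# Rule 4.5.2.1 - root must be listed in /etc/ftpusers so ftpd rejects it.
# The entry is matched as a whole line: the former substring match accepted
# a commented-out "#root" or any account whose name contains "root".
head=h1
rule="4.5.2.1"
desc="FTPD: Disable root access to ftpd"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

if grep -q '^root[[:blank:]]*$' /etc/ftpusers 2>/dev/null
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}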

#-----------------------------------------
check_section_4_5_2_2()
{
# Rule 4.5.2.2 - FTPD: an acceptable-usage message must be shown at login.
# Only checked when ftp is enabled in inetd.conf; the message catalogue of
# bos.msg.en_US.net.tcp.client must contain "Authorized" in ftpd message 1/9.
# args
head=h1
rule="4.5.2.2"
desc="FTPD: Display acceptable usage policy during login"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# If ftp is disable, doesn't check
val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
if [[ $val -gt 0 ]]
then
  # fileset present?
  val=$(lslpp -Lc | grep "bos.msg.en_US.net.tcp.client" | wc -l | awk '{print  $1}')
  if [ "$val" == "0" ]
  then
    res=NOK
  else
    # dspcat prints catalogue message set 1, number 9 (the ftpd greeting);
    # non-zero here means "Authorized" is not part of it
    if [ `lslpp -L "bos.msg.en_US.net.tcp.client" >/dev/null && print $(dspcat /usr/lib/nls/msg/en_US/ftpd.cat 1 9) | grep -q "Authorized"; echo $?` -ne "0" ]
    then
      res=NOK
    else
      res=OK
    fi
  fi
else
  res=OK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_5_2_3()
{
# Rule 4.5.2.3 - FTPD must run with umask 027. Only checked when ftp is
# enabled in inetd.conf; the umask must appear among the ftpd arguments.
head=h1
rule="4.5.2.3"
desc="FTPD: Prevent world access and group write to files"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# ftp disabled -> nothing to check, rule is OK
res=OK
val=$(grep -c "^ftp[[:blank:]]" /etc/inetd.conf)
if [[ $val -gt 0 ]]
then
  # fields 6-10 hold the server program and its arguments
  val=$(grep "^ftp[[:blank:]]" /etc/inetd.conf |awk '{print $6, $7, $8, $9, $10}' | grep -c "027")
  [ "$val" == "1" ] || res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
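check_section_4_5_3_1()
{
# Rule 4.5.3.1 - the installed OpenSSH must be version 8.1 or newer.
# The version is taken from the protocol banner "SSH-2.0-OpenSSH_X.Y..."
# that sshd -i writes; any suffix after the digits (e.g. "p1") is dropped
# and major/minor are compared numerically, so "10.0" or "8.10" are no
# longer compared as strings / as the float 8.1.
head=h1
rule="4.5.3.1"
desc="OpenSSH: Minimum version is 8.1"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val1=$(sshd -i </dev/null 2>/dev/null | cut -d'_' -f 2 | sed 's/[^0-9.].*$//')
val=$(printf '%s\n' "$val1" | awk -F. -v need_maj=8 -v need_min=1 '{
  # missing parts (empty banner) count as 0 and therefore fail the check
  maj = $1 + 0; min = $2 + 0
  if (maj != need_maj) print (maj > need_maj)
  else print (min >= need_min)
}')
if [[ "$val" -eq "1" ]]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}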

#-----------------------------------------
check_section_4_5_3_4()
{
# Rule 4.5.3.4 - sshd_config must restrict access with at least one of
# AllowUsers / AllowGroups / DenyUsers / DenyGroups.
head=h1
rule="4.5.3.4"
desc="sshd_config: Restrict users and groups allowed access via OpenSSH"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(/usr/bin/egrep -c "^(AllowUsers|AllowGroups|DenyUsers|DenyGroups)[[:blank:]]" /etc/ssh/sshd_config)
case "$val" in
  0|"") res=NOK ;;
  *)    res=OK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_5()
{
# Rule 4.5.3.5 - PermitRootLogin must be prohibit-password, no or
# forced-commands-only. An absent directive is NOK.
head=h1
rule="4.5.3.5"
desc="sshd_config: PermitRootLogin is 'prohibit-password' or 'no'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(/usr/bin/egrep "^PermitRootLogin" /etc/ssh/sshd_config | cut -d' ' -f2- | egrep -c "prohibit-password|no|forced-commands-only")
case "$val" in
  0|"") res=NOK ;;
  *)    res=OK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_6()
{
# Rule 4.5.3.6 - sshd_config must point Banner at /etc/ssh/ssh_banner and
# that file must contain the word 'Unauthorized' exactly once.
# NOTE(review): the description quotes 'Only authorized users allowed' while
# the banner is matched on 'Unauthorized' - confirm the intended wording.
head=h1
rule="4.5.3.6"
desc="sshd_config: Banner exists and message contains 'Only authorized users allowed'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ "$(grep "^Banner[[:blank:]]" /etc/ssh/sshd_config | grep -c '/etc/ssh/ssh_banner')" == "1" ] \
   && [ "$(grep -c 'Unauthorized' /etc/ssh/ssh_banner)" == "1" ]
then
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_7()
{
# Rule 4.5.3.7 - HostbasedAuthentication must be explicitly set to no.
# The last word of the directive line is compared; a missing line is NOK.
head=h1
rule="4.5.3.7"
desc="sshd_config: HostbasedAuthentication is 'no'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^HostbasedAuthentication[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
case "$val" in
  no) res=OK ;;
  *)  res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
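check_section_4_5_3_8()
{
# Rule 4.5.3.8 - IgnoreRhosts must be yes or shosts-only.
# The former test accepted only "yes" although the rule (and desc) also
# allow "shosts-only". The last word of the directive line is compared;
# a missing line is NOK.
head=h1
rule="4.5.3.8"
desc="sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^IgnoreRhosts[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
case "$val" in
  yes|shosts-only) res=OK ;;
  *)               res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}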

#-----------------------------------------
check_section_4_5_3_9()
{
# Rule 4.5.3.9 - PermitEmptyPasswords must be explicitly set to no.
# The last word of the directive line is compared; a missing line is NOK.
head=h1
rule="4.5.3.9"
desc="sshd_config: PermitEmptyPasswords is 'no'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^PermitEmptyPasswords[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
case "$val" in
  no) res=OK ;;
  *)  res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_10()
{
# Rule 4.5.3.10 - LogLevel must be INFO or VERBOSE. A missing line is NOK.
head=h1
rule="4.5.3.10"
desc="sshd_config: LogLevel is 'INFO' or 'VERBOSE'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^LogLevel[[:blank:]]" /etc/ssh/sshd_config | egrep -c "INFO|VERBOSE")
case "$val" in
  0|"") res=NOK ;;
  *)    res=OK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_11()
{
# Rule 4.5.3.11 - the sftp Subsystem line must pass umask 027 to
# sftp-server (only the "027" argument is checked here).
head=h1
rule="4.5.3.11"
desc="sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^Subsystem[[:blank:]]sftp" /etc/ssh/sshd_config | grep sftp-server | grep -c "027")
case "$val" in
  0|"") res=NOK ;;
  *)    res=OK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
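check_section_4_5_3_12()
{
# Rule 4.5.3.12 - the effective MaxAuthTries must not exceed 4.
# sshd -T prints the effective value ("maxauthtries N"); it needs root and
# a valid configuration. When nothing is returned the former numeric test
# errored out and the rule silently passed - an empty value is now NOK.
head=h1
rule="4.5.3.12"
desc="sshd_config: MaxAuthTries is '4'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(sshd -T 2>/dev/null | grep '^maxauthtries ' | awk '{print $NF}')
if [[ -z "$val" ]] || [ "$val" -gt "4" ]
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}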

#-----------------------------------------
check_section_4_5_3_13()
{
# Rule 4.5.3.13 - PermitUserEnvironment must be explicitly set to no.
# The last word of the directive line is compared; a missing line is NOK.
head=h1
rule="4.5.3.13"
desc="sshd_config: PermitUserEnvironment is 'no'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^PermitUserEnvironment[[:blank:]]" /etc/ssh/sshd_config | rev | cut -d' ' -f1 | rev)
case "$val" in
  no) res=OK ;;
  *)  res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_14()
{
# Rule 4.5.3.14 - no "Match" block may be present in sshd_config; any
# conditional exception is NOK.
head=h1
rule="4.5.3.14"
desc="sshd_config: Use Conditional exception(s)."
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(/usr/bin/egrep -cp "^Match " /etc/ssh/sshd_config)
case "$val" in
  0) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_15()
{
# Rule 4.5.3.15 - the effective KexAlgorithms (as sshd -T resolves them for
# a root login from this host's address) must not contain any SHA-1 DH
# group exchange method.
head=h1
rule="4.5.3.15"
desc="sshd_config, ssh_config: KexAlgorithms"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" \
  | grep '^kexalgorithms' | tr ',' '\n' \
  | egrep -c "diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1")
case "$val" in
  0) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_5_3_16()
{
# Rule 4.5.3.16 - the effective cipher list must equal the approved set
# (compared as sorted one-per-line lists; any sdiff output is NOK).
head=h1
rule="4.5.3.16"
desc="sshd_config, ssh_config: Ciphers"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# approved ciphers, one per line, in $tempo.1
printf '%s\n' "aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com" > $tempo
tr ',' '\n' < $tempo | sort -u > $tempo.1

# effective ciphers as resolved for a root login from this host's address
sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" \
  | grep ciphers | cut -d' ' -f2- | tr ',' '\n' | sort -u > $tempo

val=$(sdiff -sw 80 $tempo $tempo.1 | wc -l | awk '{print $1}')
case "$val" in
  0) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
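check_section_4_5_3_17()
{
# Rule 4.5.3.17 - no weak MAC algorithm may appear in the effective sshd
# MACs list. The former version had the tr replacement string split across
# two physical lines and walked the weak list with an unquoted $(cat ...);
# the pipeline is now on one line and the list is read line by line.
head=h1
rule="4.5.3.17"
desc="sshd_config, ssh_config: MACs - Message Authtification Codes"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# List of Weak algorithms, one per line in $tempo.1
cat > $tempo << EOF
hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,umac-128@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
EOF
tr ',' '\n' < $tempo | sort -u > $tempo.1

# Effective MACs as resolved for a root login from this host's address,
# one per line and terminated by ';' so that each name is matched whole.
sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" 2>/dev/null \
  | grep '^macs' | cut -d' ' -f2- | tr ',' '\n' | sort -u | sed 's/$/;/' > $tempo

# count the weak MACs present in the effective list
val=0
while IFS= read -r mac
do
  val1=$(grep -c "^${mac};" $tempo)
  (( val = val + val1 ))
done < $tempo.1

if [[ "$val" -eq "0" ]]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}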

#-----------------------------------------
check_section_4_5_3_18()
{
# Rule 4.5.3.18 - the effective RekeyLimit must be set: the highest value
# on the "rekeylimit" line of sshd -T must differ from 0.
head=h1
rule="4.5.3.18"
desc="sshd_config, ssh_config: ReKeyLimit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | grep -v '^#' | awk '{print $1}')" \
  | grep rekeylimit | cut -d' ' -f2- | tr -s ' ' | tr ' ' '\n' | sort -u | tail -1)
case "$val" in
  0) res=NOK ;;
  *) res=OK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_6_5()
{
# Rule 4.6.5 - an idle-session timeout must be configured: TMOUT/TIMEOUT
# references are counted in /etc/profile and among the readonly variables,
# and the larger count (lexical sort, as before) must exceed 2.
head=h1
rule="4.6.5"
desc="Unattended terminal session timeout is 900 seconds (or less)"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(
  {
    egrep -c "TMOUT|TIMEOUT" /etc/profile
    readonly | /usr/bin/egrep -c -e "TMOUT|TIMEOUT"
  } | sed '/^$/d' | sort | tail -1
)
if [[ "$val" -gt "2" ]]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_1()
{
# Rule 4.7.1.1 - every home directory named in the local user database
# must exist; val counts the missing ones.
head=h1
rule="4.7.1.1"
desc="Home directory must exist"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=0
for home in $(lsuser -R files -a home ALL | awk '{print $2}' | sed 's/home=//' | sort -u)
do
  [ -e "$home" ] || val=$(( val + 1 ))
done
case "$val" in
  0) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_2()
{
# Rule 4.7.1.2 - each home directory must be owned by its account (or by
# root). Locked accounts and /dev/null homes are skipped; every finding is
# written to $tempo, and a non-empty $tempo is NOK.
# args
head=h1
rule="4.7.1.2"
desc="Home directory must be owned by account, or special account"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# lsuser prints "name id=N home=/path account_locked=true|false"
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
do
  uid=$(echo ${ids} | cut -f2 -d =)
  home=$(echo ${homes} | cut -f2 -d =)
  locked=$(echo ${locks} | cut -f2 -d =)
  if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
  continue
  elif [[ ! -d ${home} ]]; then
  /usr/bin/printf "%-32s does not exist; Recommend Lock Account [%s]\n" ${home} ${name}
  continue
  else
  # perl exits 1 when the directory's uid is neither the account's nor 0
  /usr/bin/perl -e '$user=$ARGV[0]; $hd=$ARGV[1]; $uid=$ARGV[2]; $huid=((stat $hd)[4]);
  if ($huid != $uid && $huid != 0) {
  exit(1); # triggers command after OR (||)
  }' ${name} ${home} ${uid} || \
  /usr/bin/printf "Recommend Lock Account: %s does not own %s\n" ${name} ${home}
  fi
done > $tempo
if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_3()
{
# Rule 4.7.1.3 - home directories of regular accounts (uid >= 200) must
# not be group/world writable and must carry no extended ACL. Findings are
# written to $tempo; a non-empty $tempo is NOK.
# args
head=h1
rule="4.7.1.3"
desc="Home directory: write access restricted to 'owner'"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# lsuser prints "name id=N home=/path"
lsuser -R files -a id home ALL | while read name ids homes rest
do
  uid_check=$(echo ${ids} | cut -f2 -d =)
  if [[ ${uid_check} -ge 200 ]]
  then
    home=$(echo ${homes} | cut -f2 -d =)
    if [[ ${home} == "/dev/null" ]]
    then
      continue
        else
          if [[ ! -d ${home} ]]
          then
        /usr/bin/printf "%-32s does not exist; recommend to lock account named [%s]\n" ${home} ${name}
      else
            if [[ ${home} != "/" && ${home} != "/dev/null" ]]
        then
              # perl: report group/world write bits (022) and the AIX
              # extended-ACL mode bit; exit status is non-zero when either
              # is set, which triggers the ls/aclget listing after ||
              /usr/bin/perl -e '$f=$ARGV[0]; $m=(stat $f)[2]; \
 printf("Recommend chmod on: %s: to remove group or world write mode\n", $f) if $m & 022; \
 printf("Recommend remove ACL on: %s\n ", $f) if $m & 0200000000; \
 exit($m & 0200000022)' ${home} || (ls -led ${home} && (aclget ${home} | grep -ip Enabled))
        fi
      fi
    fi
  fi
done > $tempo

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_4()
{
# Rule 4.7.1.4 - /audit must exist and both /audit and /etc/security/audit
# must be root:audit with mode 2750.
head=h1
rule="4.7.1.4"
desc="AUDIT subsystem: /audit and /etc/security/audit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:octal-mode:name: for a one-line comparison
res=NOK
if [ -e /audit ] \
   && [[ "$($LINUX_STAT -c "%U:%G:%a:%n:" /audit)" == "root:audit:2750:/audit:" ]] \
   && [[ "$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)" == "root:audit:2750:/etc/security/audit:" ]]
then
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_5()
{
# Rule 4.7.1.5 - every directory below /etc/security (except aixpert, audit
# and ice) must be mode drwxr-s---. Offenders are listed in $tempo.
head=h1
rule="4.7.1.5"
desc="SECURITY Subsystems: /etc/security"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

EXCLUDE="security/(aixpert|audit|ice)"
find /etc/security -type d \
  | /usr/bin/egrep -v "${EXCLUDE}" \
  | /usr/bin/sort | xargs ls -led \
  | /usr/bin/awk '{print $1 " " $3 " " $4 " " $9}' \
  | /usr/bin/grep -v drwxr-s---- > $tempo

if [ -s $tempo ]
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_6()
{
# Rule 4.7.1.6 - no file in /var/adm/ras may grant any permission to
# "other": after dropping the type and the first two mode digits, the
# remaining "o:" digit must be 0 for every non-directory entry.
head=h1
rule="4.7.1.6"
desc="/var/adm/ras"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%F:%a:%n:" /var/adm/ras/* | grep -v '^directory:' | cut -d':' -f2- | cut -c3- | grep -c -v '^0:')
case "$val" in
  0) res=OK ;;
  *) res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_7()
{
# Rule 4.7.1.7 - /var/adm/sa must be adm:adm with mode 755.
head=h1
rule="4.7.1.7"
desc="/var/adm/sa"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:octal-mode:name: for a one-line comparison
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/sa)
case "$val" in
  "adm:adm:755:/var/adm/sa:") res=OK ;;
  *)                          res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_8()
{
# Rule 4.7.1.8 - /var/spool/cron/crontabs must be root:cron with mode 770.
head=h1
rule="4.7.1.8"
desc="/var/spool/cron/crontabs"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# GNU stat prints owner:group:octal-mode:name: for a one-line comparison
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/spool/cron/crontabs)
case "$val" in
  "root:cron:770:/var/spool/cron/crontabs:") res=OK ;;
  *)                                         res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_9()
{
# Rule 4.7.1.9 - every directory in root's PATH, and each of its parents up
# to /, must be neither group nor world writable and must be owned by root
# or bin. Warnings are collected in $tempo; a non-empty $tempo is NOK.
# args
head=h1
rule="4.7.1.9"
desc="Ensure all directories in root PATH deny write access to all"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# "/" is prepended so the root directory itself is always checked
echo "/:${PATH}" | tr ':' '\n' | grep "^/" | sort -u | while read DIR
do
  DIR=${DIR:-$(pwd)}
  # walk up the tree: ${DIR%/*} strips the last component each round
  # ksh pattern tests on the ls -ld mode string: 'w' in the other / group
  # write column
  while [[ -d ${DIR} ]]
  do
    [[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] && print " WARNING ${DIR} is world writable"
    [[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] && print " WARNING ${DIR} is group writable"
    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
    DIR=${DIR%/*}
  done
done > $tempo

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_1_10()
{
# Rule 4.7.1.10 - root's home directory must be /root (lsuser prints
# "root home=/root").
head=h1
rule="4.7.1.10"
desc="Ensure root user has a dedicated home directory"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(lsuser -a home root | awk '{print $2}')
case "$val" in
  "home=/root") res=OK ;;
  *)            res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_1_11()
{
# Rule 4.7.1.11 - /etc/security/audit must be root:audit with mode 750 or
# 2750, and every entry inside it must be mode 640.
head=h1
rule="4.7.1.11"
desc="/etc/security/audit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/security/audit)
case "$val" in
  "root:audit:750:/etc/security/audit:"|"root:audit:2750:/etc/security/audit:")
    # count entries whose mode is not 640
    val=$($LINUX_STAT -c "%a:%n:" /etc/security/audit/* | grep -c -v '^640:')
    [[ "$val" -eq "0" ]] && res=OK
    ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_2()
{
# Rule 4.7.2.2 - list setuid/setgid regular files on local jfs/jfs2
# filesystems into $tempo; any hit requires manual review (Manual).
head=h1
rule="4.7.2.2"
desc="Verify Trust of suid, sgid, acl, and trusted-bit files and programs"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

find / \( -fstype jfs -o -fstype jfs2 \) \( -perm -04000 -o -perm -02000 \) -type f -ls > $tempo
if [ -s $tempo ]
then
  res=Manual
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_3()
{
# Rule 4.7.2.3 - every absolute path run from root's crontab, and each of
# its parent directories, must be neither group nor world writable and must
# be owned by root or bin. Warnings go to $tempo; non-empty $tempo is NOK.
# args
head=h1
rule="4.7.2.3"
desc="crontab entries - owned by userid"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')

# field 6 of a crontab line is the command; only absolute paths are checked
crontab -l |egrep -v '^#' |awk '{print $6}' |grep "^/" |sort -u | while read DIR
do
  DIR=${DIR:-$(pwd)}
  # walk up the tree: ${DIR%/*} strips the last component each round
  # ksh pattern tests on the ls -ld mode string: 'w' in the other / group
  # write column (any file type, hence the leading '?')
  while [[ -a ${DIR} ]]
  do
    [[ "$(ls -ld ${DIR})" = @(????????w? *) ]] && print " WARNING ${DIR} is world writable"
    [[ "$(ls -ld ${DIR})" = @(?????w???? *) ]] && print " WARNING ${DIR} is group writable"
    [[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
    DIR=${DIR%/*}
  done
done > $tempo

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule $desc1 $res
}

#-----------------------------------------
check_section_4_7_2_4()
{
# Rule 4.7.2.4 - dot-files in user home directories must not be group or
# world writable. Findings (and missing home directories) are written to
# $tempo; a non-empty $tempo is NOK.
head=h1
rule="4.7.2.4"
desc="Home directory configuration files"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# system homes (/, /etc, /bin, /var, /usr...) are left out
lsuser -R files -a home ALL | cut -f2 -d= | egrep -v "^/$|/etc|/bin|/var|/usr|/usr/sys" |while read homedir
do
  if [[ ! -d ${homedir} ]]
  then
    echo "ERROR - no home directory for '${homedir}'"
    continue
  fi
  # dot-files only; entries that are not regular files are skipped
  ls -a ${homedir} | egrep "^\.[a-z]" | while read file
  do
    [[ -f "${homedir}/${file}" ]] || continue
    # columns 5-10 of the mode string are the group and other permissions
    val=$(ls -l "${homedir}/${file}" | cut -c5- | awk '{print $1}' | grep -c w)
    if [[ "$val" -ne "0" ]]
    then
      echo "${homedir}/${file} write permissions g or o"
    fi
  done
done > $tempo

if [ -s $tempo ]
then
  res=NOK
else
  res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_5()
{
# Rule 4.7.2.5 - smit.log in root's home must be root:system with mode 640.
head=h1
rule="4.7.2.5"
desc="/smit.log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# build "<root home>/smit.log" from lsuser's "root home=/path" output
file1=$(lsuser -a home root | awk '{print $2}' | sed 's/home=//' | sed 's/$/\/smit.log/')
val=$($LINUX_STAT -c "%U:%G:%a:%n:" $file1)
case "$val" in
  "root:system:640:$file1:") res=OK ;;
  *)                         res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_6()
{
# Rule 4.7.2.6 - /etc/group must be root:security with mode 644.
head=h1
rule="4.7.2.6"
desc="/etc/group"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/group)
case "$val" in
  "root:security:644:/etc/group:") res=OK ;;
  *)                               res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_7()
{
# Rule 4.7.2.7 - /etc/inetd.conf must be root:system with mode 644.
head=h1
rule="4.7.2.7"
desc="/etc/inetd.conf"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/inetd.conf)
case "$val" in
  "root:system:644:/etc/inetd.conf:") res=OK ;;
  *)                                  res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_8()
{
# Rule 4.7.2.8 - /etc/motd must be bin:bin with mode 644.
head=h1
rule="4.7.2.8"
desc="/etc/motd"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/motd)
case "$val" in
  "bin:bin:644:/etc/motd:") res=OK ;;
  *)                        res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_9()
{
# Rule 4.7.2.9 - /etc/passwd must be root:security with mode 644.
head=h1
rule="4.7.2.9"
desc="/etc/passwd"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/passwd)
case "$val" in
  "root:security:644:/etc/passwd:") res=OK ;;
  *)                                res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_10()
{
# Rule 4.7.2.10 - /etc/ssh/ssh_config must be root:system with mode 644.
head=h1
rule="4.7.2.10"
desc="/etc/ssh/ssh_config"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/ssh_config)
case "$val" in
  "root:system:644:/etc/ssh/ssh_config:") res=OK ;;
  *)                                      res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_11()
{
# Rule 4.7.2.11 - /etc/ssh/sshd_config must be root:system with mode 644.
head=h1
rule="4.7.2.11"
desc="/etc/ssh/sshd_config"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$($LINUX_STAT -c "%U:%G:%a:%n:" /etc/ssh/sshd_config)
case "$val" in
  "root:system:644:/etc/ssh/sshd_config:") res=OK ;;
  *)                                       res=NOK ;;
esac

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_12()
{
# Rule 4.7.2.12 - /var/adm/cron/at.allow must exist and be root:sys with
# mode 400; a missing file is NOK.
head=h1
rule="4.7.2.12"
desc="/var/adm/cron/at.allow"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ -e /var/adm/cron/at.allow ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/at.allow)
  [[ "$val" == "root:sys:400:/var/adm/cron/at.allow:" ]] && res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_13()
{
# Rule 4.7.2.13 - /var/adm/cron/cron.allow must exist and be root:sys with
# mode 400; a missing file is NOK.
head=h1
rule="4.7.2.13"
desc="/var/adm/cron/cron.allow"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ -e /var/adm/cron/cron.allow ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/cron.allow)
  [[ "$val" == "root:sys:400:/var/adm/cron/cron.allow:" ]] && res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_14()
{
# Rule 4.7.2.14 - /var/ct/RMstart.log must exist and be root:system with
# mode 640; a missing file is NOK.
head=h1
rule="4.7.2.14"
desc="/var/ct/RMstart.log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ -e "/var/ct/RMstart.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/ct/RMstart.log)
  [[ "$val" == "root:system:640:/var/ct/RMstart.log:" ]] && res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_15()
{
# Rule 4.7.2.15 - /var/adm/cron/log must exist and be bin:cron with
# mode 660; a missing file is NOK.
head=h1
rule="4.7.2.15"
desc="/var/adm/cron/log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ -e "/var/adm/cron/log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/adm/cron/log)
  [[ "$val" == "bin:cron:660:/var/adm/cron/log:" ]] && res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_16()
{
# Rule 4.7.2.16 - when /var/tmp/dpid2.log exists it must be root:system
# with mode 640; an absent file is OK.
head=h1
rule="4.7.2.16"
desc="/var/tmp/dpid2.log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=OK
if [ -e "/var/tmp/dpid2.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/dpid2.log)
  [[ "$val" == "root:system:640:/var/tmp/dpid2.log:" ]] || res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_17()
{
# Rule 4.7.2.17 - /var/tmp/hostmibd.log must exist and be root:system with
# mode 640; a missing file is NOK.
head=h1
rule="4.7.2.17"
desc="/var/tmp/hostmibd.log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=NOK
if [ -e "/var/tmp/hostmibd.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/hostmibd.log)
  [[ "$val" == "root:system:640:/var/tmp/hostmibd.log:" ]] && res=OK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_7_2_18()
{
# Rule 4.7.2.18 - when /var/tmp/snmpd.log exists it must be root:system
# with mode 640; an absent file is OK.
head=h1
rule="4.7.2.18"
desc="/var/tmp/snmpd.log"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

res=OK
if [ -e "/var/tmp/snmpd.log" ]
then
  val=$($LINUX_STAT -c "%U:%G:%a:%n:" /var/tmp/snmpd.log)
  [[ "$val" == "root:system:640:/var/tmp/snmpd.log:" ]] || res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
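check_section_4_9()
{
# Rule 4.9 - root access must be controlled: root may not log in directly
# (login and rlogin false) and, unless su is disabled, sugroups must not
# be ALL. Findings go to $tempo; a non-empty $tempo is NOK.
# $tempo is truncated first: the former code only truncated it when the
# first test failed, so leftovers from an earlier check could turn a
# compliant host into NOK.
head=h1
rule="4.9"
desc="Ensure root access is controlled"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

: > $tempo
# ksh runs the last pipeline stage in the current shell, so the variables
# set by read are visible below ("login=true" becomes "login true").
lsuser -a login rlogin su sugroups root | tr '=' ' ' | read user a1 login a2 rlogin a3 su a4 sugroups
if [[ ${su} != "false" && ${sugroups} == "ALL" ]]
then
  echo "failed : ${a3}==${su}, ${a4}==${sugroups}" >> $tempo
fi
if [[ ${login} == "true" || ${rlogin} == "true" ]]
then
  echo "failed : ${a1}==${login}, ${a2}==${rlogin}" >> $tempo
fi

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}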

#-----------------------------------------
check_section_4_10()
{
# Rule 4.10 - core dumps must be disabled: default core and core_hard
# limits of 0 in /etc/security/limits, and sys0 fullcore=false.
head=h1
rule="4.10"
desc="Disable core dumps"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

# both commands print space separated fields; spaces become ';' so the
# whole expected line can be matched at once
rc1=$(lssec -f /etc/security/limits -s default -a core -a core_hard | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'default;core=0;core_hard=0;'; echo $?)
rc2=$(lsattr -El sys0 -a fullcore | sed 's/\ /;/g' | sed 's/$/;/' | grep -q 'fullcore;false;Enable;full;CORE;dump;True;'; echo $?)
(( rc = rc1 + rc2 ))

if (( rc == 0 ))
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_11()
{
# Rule 4.11 - the PATH in /etc/environment must not contain the current
# directory: an empty element ("::", leading/trailing ':') or a "." entry.
head=h1
rule="4.11"
desc="Remove current working directory from default /etc/environment PATH"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

val=$(grep "^PATH=" /etc/environment |awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
if [[ -z "$val" ]]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
check_section_4_12()
{
# Rule 4.12 - the historical system accounts must all be locked. Accounts
# that exist but report account_locked=false are written to $tempo (NOK).
head=h1
rule="4.12"
desc="Lock historical users"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' | tr ' ' '|')

ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
# accounts that do not exist print nothing (stderr discarded)
for usr in ${ACCOUNTS//,/ }
do
  lsuser -a account_locked $usr 2>/dev/null
done | grep -v 'account_locked=true' > $tempo

if [ ! -s $tempo ]
then
  res=OK
else
  res=NOK
fi

print_output $head $rule "$desc1" $res
}

#-----------------------------------------
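check_section_4_13()
{
# CIS 4.13 - root's login PATH must not include the current working
# directory (empty component or explicit '.').
head=h1
rule="4.13"
desc="Remove current working directory from root's PATH"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# Single quotes are required: with double quotes ${PATH} was expanded by this
# script's shell before su ran, so root's own login PATH was never inspected.
val=$(su - root -c 'echo $PATH' 2>/dev/null | awk '/((:[ \t]*:)|(:[ \t]*$)|(^[\t]*:)|(^.:)|(:.$)|(:.:))/')
if [[ -z "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}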

#-----------------------------------------
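check_section_4_14()
{
# CIS 4.14 - /etc/motd must carry the authorised-use warning banner
# (contains 'PROPER AUTHORIZATION'). Missing file means NOK.
head=h1
rule="4.14"
desc="Configuration: /etc/motd"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# The original gated this on '/audit' existing, which is unrelated to the
# motd banner and turned the rule NOK on systems without that directory.
if [ -f /etc/motd ]; then
  val=$(grep -c 'PROPER AUTHORIZATION' /etc/motd)
  # A banner may repeat the phrase; any occurrence satisfies the rule.
  if [[ "$val" -ge 1 ]]; then
    res=OK
  else
    res=NOK
  fi
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}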

#-----------------------------------------
check_section_5_1_1_1()
{
# CIS 5.1.1.1 - histexpire on the default stanza of /etc/security/user.
# Exact match on the benchmark value; a stricter setting is also reported NOK.
head=h1
rule="5.1.1.1"
desc="histexpire"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a histexpire | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;histexpire=52;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_1_1_2()
{
# CIS 5.1.1.2 - histsize on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.1.1.2"
desc="histsize"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a histsize | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;histsize=0;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_1_1_3()
{
# CIS 5.1.1.3 - minage on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.1.1.3"
desc="minage"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minage | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minage=1;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
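check_section_5_1_2()
{
# CIS 5.1.2 - every stanza in /etc/security/passwd must carry a hash.
# Stanzas whose 'password =' line is blank are listed in $tempo (one line per
# account); a non-empty $tempo means NOK.
head=h1
rule="5.1.2"
desc="All accounts must have a hashed password"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# 'egrep -p' is AIX paragraph mode: a blank password line yields its whole
# stanza, and the 'user:' header is the only line containing ':'.
egrep -p "password = +$" /etc/security/passwd | grep ":" | awk -F: '{ print $1 } ' | while read user rest
do
  # Report only - the old wording claimed the account was being locked,
  # which this audit-only script never does.
  print "Account ${user} has a blank password"
done > "$tempo"

if [ ! -s "$tempo" ]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}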

#-----------------------------------------
check_section_5_1_3()
{
# CIS 5.1.3 - no duplicate UIDs (field 3) or user names (field 1) in
# /etc/passwd. Any duplicate reported by 'uniq -d' makes the rule NOK.
head=h1
rule="5.1.3"
desc="All usernames and UIDs must be unique"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(
  cut -d: -f 3 /etc/passwd | sort -n | uniq -d
  cut -d: -f 1 /etc/passwd | sort | uniq -d
)
if [[ -z "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_1_4()
{
# CIS 5.1.4 - no duplicate GIDs (field 3) or group names (field 1) in
# /etc/group. Any duplicate reported by 'uniq -d' makes the rule NOK.
head=h1
rule="5.1.4"
desc="All group names and GIDs must be unique"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(
  cut -d: -f 3 /etc/group | sort -n | uniq -d
  cut -d: -f 1 /etc/group | sort | uniq -d
)
if [[ -z "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_1_5()
{
# CIS 5.1.5 - inventory of administrator accounts. Not automated here;
# the rule is always reported as TODO.
head=h1
rule="5.1.5"
desc="Establish and Maintain an Inventory of Administrator accounts"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')
res="TODO"

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_1_6()
{
# CIS 5.1.6 - inventory of user accounts. Not automated here; the rule is
# always reported as TODO.
head=h1
rule="5.1.6"
desc="Establish and Maintain an Inventory of User Accounts"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')
res="TODO"

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_1()
{
# CIS 5.2.1 - no NOCHECK flag in /etc/security/passwd (NOCHECK bypasses the
# password composition rules). Any match makes the rule NOK.
head=h1
rule="5.2.1"
desc="Ensure new passwords are controlled by password attributes (disable NOCHECK)"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(grep NOCHECK /etc/security/passwd)
if [[ -z "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_2()
{
# CIS 5.2.2 - pwd_algorithm in the usw stanza of /etc/security/login.cfg
# must be ssha512 (exact match).
head=h1
rule="5.2.2"
desc="pwd_algorithm"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "usw;pwd_algorithm=ssha512;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_3()
{
# CIS 5.2.3 - flag accounts whose stored hash is the 13-character legacy
# crypt() form. Each hit is mapped back to its stanza name with paragraph
# grep (AIX 'grep -p') and listed in $tempo; a non-empty $tempo means NOK.
head=h1
rule="5.2.3"
desc="Ensure passwords are not hashed using 'crypt'"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

grep 'password[[:blank:]]= .............$' /etc/security/passwd | while read -r _attr _eq cryptedhash
do
  # The stanza header is the line ending in ':'; strip the colon for the name.
  user=$(grep -p $cryptedhash /etc/security/passwd | egrep '[a-zA-z0-9]+:$' | sed -e s/:$//)
  print ${user}: needs to update passwd
done > "$tempo"

if [ -s "$tempo" ]; then
  res=NOK
else
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_4()
{
# CIS 5.2.4 - password policy enforced for every account: same NOCHECK scan
# of /etc/security/passwd as 5.2.1; any match makes the rule NOK.
head=h1
rule="5.2.4"
desc="Ensure password policy is enforced for all users"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(grep NOCHECK /etc/security/passwd)
if [[ -z "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_5()
{
# CIS 5.2.5 - minlen on the default stanza of /etc/security/user.
# Exact match on the benchmark value; a stricter setting is also reported NOK.
head=h1
rule="5.2.5"
desc="minlen"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minlen | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minlen=14;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_6()
{
# CIS 5.2.6 - mindiff on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.6"
desc="mindiff"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a mindiff | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;mindiff=4;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_7()
{
# CIS 5.2.7 - minalpha on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.7"
desc="minalpha"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minalpha | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minalpha=3;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_8()
{
# CIS 5.2.8 - minother on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.8"
desc="minother"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minother | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minother=3;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_9()
{
# CIS 5.2.9 - maxrepeats on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.9"
desc="maxrepeats"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a maxrepeats | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;maxrepeats=4;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_10()
{
# CIS 5.2.10 - mindigit on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.10"
desc="mindigit"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a mindigit | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;mindigit=1;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_11()
{
# CIS 5.2.11 - minloweralpha on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.11"
desc="minloweralpha"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minloweralpha | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minloweralpha=1;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_12()
{
# CIS 5.2.12 - minupperalpha on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.12"
desc="minupperalpha"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minupperalpha | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minupperalpha=1;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_2_13()
{
# CIS 5.2.13 - minspecialchar on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.2.13"
desc="minspecialchar"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a minspecialchar | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;minspecialchar=1;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_1()
{
# CIS 5.3.1 - the 'adm' system account must be locked with login and rlogin
# disabled. An account that does not exist (empty lsuser output) also passes.
head=h1
rule="5.3.1"
desc="adm"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=adm
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_2()
{
# CIS 5.3.2 - the 'bin' system account must be locked with login and rlogin
# disabled. An account that does not exist (empty lsuser output) also passes.
head=h1
rule="5.3.2"
desc="bin"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=bin
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_3()
{
# CIS 5.3.3 - the 'daemon' system account must be locked with login and
# rlogin disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.3"
desc="daemon"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=daemon
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_4()
{
# CIS 5.3.4 - the 'guest' account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.4"
desc="guest"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=guest
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
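check_section_5_3_5()
{
# CIS 5.3.5 - the 'lpd' system account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.5"
desc="lpd"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# Was 'ldp' (typo): lsuser then returned nothing and the rule always passed
# without ever looking at the real lpd account.
usr=lpd
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}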

#-----------------------------------------
check_section_5_3_6()
{
# CIS 5.3.6 - the 'nobody' account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.6"
desc="nobody"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=nobody
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_7()
{
# CIS 5.3.7 - the 'nuucp' account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.7"
desc="nuucp"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=nuucp
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_8()
{
# CIS 5.3.8 - the 'sys' account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.8"
desc="sys"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=sys
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_3_9()
{
# CIS 5.3.9 - the 'uucp' account must be locked with login and rlogin
# disabled. A non-existent account (empty lsuser output) also passes.
head=h1
rule="5.3.9"
desc="uucp"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

usr=uucp
val=$(lsuser -a account_locked login rlogin "$usr" 2>/dev/null | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  ""|"$usr;account_locked=true;login=false;rlogin=false;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
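check_section_5_3_10()
{
# CIS 5.3.10 - system accounts must not be able to log in over ftp.
# OK when ftpd is not served by inetd at all; otherwise /etc/ftpusers must
# exist and list every local account with uid < 200. Each unlisted system
# account adds one to $rc; rc == 0 means OK.
head=h1
rule="5.3.10"
desc="Ensure System Accounts cannot access system using ftp."
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssrc -ls inetd | grep -c ftpd)
if [[ "$val" -eq 0 ]]; then
  res=OK
elif [ -e /etc/ftpusers ]; then
  rc=0
  # Process substitution keeps the loop in the current shell, so $rc is
  # visible afterwards under bash as well as ksh93 (a plain pipe into
  # 'while read' only works in ksh93).
  while read -r usr uid
  do
    if [[ "$uid" -lt 200 ]]; then
      # Whole-line, fixed-string match replaces the old 'cat | sed | grep'
      # chain; a missing entry counts as one failure.
      grep -qxF -- "$usr" /etc/ftpusers || (( rc += 1 ))
    fi
  done < <(lsuser -R files -a id ALL 2>/dev/null | sed 's/id=//')
  if (( rc == 0 )); then
    res=OK
  else
    res=NOK
  fi
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}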

#-----------------------------------------
check_section_5_6()
{
# CIS 5.6 - maxage on the default stanza of /etc/security/user.
# Exact match on the benchmark value (weeks); a stricter setting is also NOK.
head=h1
rule="5.6"
desc="maxage"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a maxage | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;maxage=13;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_5_7()
{
# CIS 5.7 - maxexpired on the default stanza of /etc/security/user.
# Exact match on the benchmark value.
head=h1
rule="5.7"
desc="maxexpired"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

val=$(lssec -f /etc/security/user -s default -a maxexpired | sed -e 's/ /;/g' -e 's/$/;/')
case "$val" in
  "default;maxexpired=4;") res=OK ;;
  *) res=NOK ;;
esac

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
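check_section_6_3_1()
{
# CIS 6.3.1 - sudo is installed at or above the minimum version and the
# sudoers configuration parses cleanly ('visudo -c'). Both must hold for OK.
head=h1
rule="6.3.1"
desc="Privilege escalation: sudo"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# Minimum version 1.9.5p2; as before only the first three components are
# compared. 'sudo --version' prints "Sudo version X.Y.ZpN" on its own line
# (the "Sudoers ..." plugin lines are excluded); the last field is the
# version string and 'pN' is turned into a fourth dotted component.
# stderr is discarded so a missing sudo simply yields an empty $val.
val=$(sudo --version 2>/dev/null | grep -vi sudoers | grep version | awk '{print $NF}' | sed 's/p/\./')
IFS=. read -r val1 val2 val3 val4 <<<"$val"

# Empty components evaluate to 0 in arithmetic context, so an absent sudo
# fails the version test. This flattens the six-level if/else ladder, whose
# innermost 'else rc=1' branch was unreachable.
if (( val1 > 1 || (val1 == 1 && (val2 > 9 || (val2 == 9 && val3 >= 5))) )); then
  rc=0
else
  rc=1
fi

# visudo -c returns non-zero on a syntax error or a missing sudoers file.
rc2=$(visudo -c > /dev/null 2>&1; echo $?)

(( rc1 = rc + rc2 ))

if (( rc1 == 0 )); then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}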

#-----------------------------------------
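check_section_6_3_2()
{
# CIS 6.3.2 - sudo must log to a file: a 'Defaults logfile=...' directive
# has to be present in /etc/sudoers or a /etc/sudoers.d/ fragment.
head=h1
rule="6.3.2"
desc="Ensure sudo logging is active"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

# The result was inverted: OK was reported when grep found NOTHING, i.e. when
# no logfile directive existed. OK now requires at least one match.
# POSIX classes replace '\s'/'\S', which not every grep implements; stderr is
# dropped so a missing /etc/sudoers.d/ does not pollute the output.
val=$(grep -Ei '^[[:space:]]*Defaults[[:space:]]+logfile=[^[:space:]]+' /etc/sudoers /etc/sudoers.d/* 2>/dev/null)
if [[ -n "$val" ]]; then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}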

#-----------------------------------------
check_section_6_4()
{
# CIS 6.4 - /var/adm/cron/at.allow must exist and be non-empty, so 'at' is
# restricted to an explicit allow list.
head=h1
rule="6.4"
desc="Adding authorized users in at.allow"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

res=NOK
[ -s /var/adm/cron/at.allow ] && res=OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_6_6()
{
# CIS 6.6 - /var/adm/cron/cron.allow must exist and be non-empty, so cron
# is restricted to an explicit allow list.
head=h1
rule="6.6"
desc="Adding authorised users in cron.allow"
res=""
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')

res=NOK
[ -s /var/adm/cron/cron.allow ] && res=OK

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_7_1()
{
# CIS 7.1 - regular use of FLRT (fix level recommendation). Cannot be
# verified from the host; always reported as Manual.
head=h1
rule="7.1"
desc="Use FLRT regularly"
desc1=$(printf '%s\n' "$desc" | tr -s ' ' '|')
res="Manual"

print_output "$head" "$rule" "$desc1" "$res"
}


# Run the checks in benchmark order; each check_section_* function prints its
# own result line. Sections 3_5 3_6 3_7 3_8 and 4_7_2_12 are deliberately not
# run (they were commented out in the original list).
for section in \
  2_1 2_7 \
  3_3 3_4 \
  4_1_3_1 4_1_3_2 4_1_3_3 \
  4_2_18 \
  4_3_1 4_3_2 4_3_3 \
  4_5_1_7 \
  4_5_2_1 4_5_2_2 4_5_2_3 \
  4_5_3_1 4_5_3_4 4_5_3_5 4_5_3_6 4_5_3_7 4_5_3_8 4_5_3_9 4_5_3_10 \
  4_5_3_11 4_5_3_12 4_5_3_13 4_5_3_14 4_5_3_15 4_5_3_16 4_5_3_17 4_5_3_18 \
  4_6_5 \
  4_7_1_1 4_7_1_2 4_7_1_3 4_7_1_4 4_7_1_5 4_7_1_6 4_7_1_7 4_7_1_8 \
  4_7_1_9 4_7_1_10 4_7_1_11 \
  4_7_2_2 4_7_2_3 4_7_2_4 4_7_2_5 4_7_2_6 4_7_2_7 4_7_2_8 4_7_2_9 \
  4_7_2_10 4_7_2_11 4_7_2_13 4_7_2_14 4_7_2_15 4_7_2_16 4_7_2_17 4_7_2_18 \
  4_9 4_10 4_11 4_12 4_13 4_14 \
  5_1_1_1 5_1_1_2 5_1_1_3 \
  5_1_2 5_1_3 5_1_4 5_1_5 5_1_6 \
  5_2_1 5_2_2 5_2_3 5_2_4 5_2_5 5_2_6 5_2_7 5_2_8 5_2_9 5_2_10 \
  5_2_11 5_2_12 5_2_13 \
  5_3_1 5_3_2 5_3_3 5_3_4 5_3_5 5_3_6 5_3_7 5_3_8 5_3_9 5_3_10 \
  5_6 5_7 \
  6_3_1 6_3_2 \
  6_4 6_6 \
  7_1
do
  check_section_$section
done