

AIX script CIS Benchmark

This script only reports whether each checked item is compliant (OK) or not (NOK); it does not change anything on the system.

#!/usr/bin/bash
#@(#) Check security
# This script does not modify anything on your system; it only reports what is compliant and what is not
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, following by OK
# Version 1.0  06-2023 EIF (compliance CIS for AIX)

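# Locate the script and load its optional .env (may define logpath, logname, sn).
# Sourcing executes that file with this script's privileges (normally root), so a
# .env that is not owned by the running user, or that group/others can write, is
# refused instead of being executed.
dir=$(dirname "$0")
envfile="$dir/.env"
if [ -f "$envfile" ]
then
  if [ ! -O "$envfile" ] || [ -n "$(find "$envfile" \( -perm -g+w -o -perm -o+w \) -print)" ]
  then
    echo "$0: refusing to source $envfile: it must be owned by the running user and not be group/world writable" >&2
    exit 1
  fi
  . "$envfile"
else
  path_script=$dir
  export sn=$(basename "$0" | cut -d. -f1)
  export logname="/tmp/$sn.log"
  # Same base as the default logname; previously logpath was left unset here.
  logpath=/tmp
fi

# Everything below is relative to $logpath. With an empty value the output
# directory would be created directly under / and the cleanup find below would
# run rm -r from the current directory, so stop here instead.
: "${logpath:?logpath is not set (define it in $envfile)}"

DATE=$(date "+%Y%m%d%H%M%S")
LINUX_SED=/opt/freeware/bin/sed
LINUX_STAT=/opt/freeware/bin/stat
LINUX_SORT=/opt/freeware/bin/sort


list_files=$logpath/list_files.txt
outputcis=$logpath/CIS_AIX7.2_v1.0.0
output=$logname
prefix=sec_files_out_
outputdir=$logpath/${prefix}${DATE}
# The results describe weaknesses of this host: keep the directory private to
# the running user, and abort if it cannot be created rather than carry on.
mkdir -m 0700 "$outputdir" || exit 1

# Cleanup: drop result directories older than 5 days. -prune stops find from
# descending into a directory it has just handed to rm -r, which is what the
# old "2>/dev/null" was hiding.
find "$logpath" -type d -name "${prefix}*" -ctime +5 -prune -exec rm -r {} \;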

#-----------------------------------------
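print_output()
{
# Print one report line: "rule;description;result".
# Arguments:
#   $1 header      - currently unused, kept so existing callers keep working
#   $2 rule number
#   $3 description - callers pass it with spaces turned into '|' so that it
#                    survives unquoted expansion; '|' is turned back into ' ' here
#   $4 result      - OK / NOK
local header=$1
local ruleno=$2
local descr=$3
local result=$4
local line="$ruleno;$descr;$result"

# Plain character replacement. The former sed 's/\|/ /g' depended on '\|'
# being a literal '|' in a BRE; GNU sed reads '\|' as alternation and would
# instead insert a space between every character.
printf '%s\n' "${line//|/ }"
}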

#-----------------------------------------
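check_section_2_1()
{
# Rule 2.1: system configuration is collected regularly.
# Compliant when ANY of these holds:
#   - the inventory log /var/log/syslog/inventory.log exists, or
#   - an active syslog.conf line sends local1.info to that file, or
#   - an active syslog.conf line forwards local1.info to a remote host (@host), or
#   - root's crontab runs lsconf through logger.
# The previous version accumulated the failure codes of the nested checks, so
# once the first test failed no later alternative could ever report OK.
local head=h1
local rule="2.1"
local desc="Collect system configuration regularly"
local res=NOK
local desc1
local file1=/var/log/syslog/inventory.log

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

if [ -e "$file1" ]
then
  res=OK
elif grep -v '^#' /etc/syslog.conf | grep "local1.info" | grep -q "$file1"
then
  # Commented-out lines are ignored here; the old check counted them too.
  res=OK
elif grep -v '^#' /etc/syslog.conf | sed '/^$/d' | grep "^local1.info" | awk '{print $2}' | grep -q "\@"
then
  res=OK
elif crontab -l | grep -v '^#' | grep "lsconf" | grep -q "logger"
then
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}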

#-----------------------------------------
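check_section_2_7()
{
# Rule 2.7: no dangling (orphan) symbolic links on local jfs/jfs2 filesystems.
# The previous version was an unimplemented stub that always reported OK; a
# check that is not performed must not pass silently.
local head=h1
local rule="2.7"
local desc="Remove Unused Symbolic Links"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-local filesystems so find never walks NFS/procfs. A link whose
# target does not resolve (test -e on the link path fails) is an orphan.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o -type l ! -exec test -e {} \; -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";file=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}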

#-----------------------------------------
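check_section_3_3()
{
# Rule 3.3: default umask in /etc/security/user is 027 or more restrictive.
# "More restrictive" means the mask clears at least the bits 027 clears
# (group write, all other access): 027 and 077 pass, 022 fails. The old exact
# match on 'umask=27' wrongly rejected stricter values such as 077.
local head=h1
local rule="3.3"
local desc="Ensure default user umask is 027 or more restrictive"
local res=NOK
local desc1 raw mask

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# lssec prints e.g. "default umask=22"; keep only the octal digits.
raw=$(lssec -f /etc/security/user -s default -a umask | sed 's/.*umask=//' | tr -cd '0-7')
if [ -n "$raw" ]
then
  mask=$((8#$raw))
  # 8#27 = group w (020) | other rwx (007); all of those bits must be set.
  if (( (mask & 8#27) == 8#27 ))
  then
    res=OK
  fi
fi
# An empty value (lssec failed or no umask attribute) stays NOK: fail closed.

print_output "$head" "$rule" "$desc1" "$res"
}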

#-----------------------------------------
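check_section_3_4()
{
# Rule 3.4: no group-writable regular files on local (jfs/jfs2) filesystems.
# Approved exceptions must be recorded in the TSD and audited, so the
# offending paths are appended to $logname after the count, not just the count.
local head=h1
local rule="3.4"
local desc="Remove group write permission from default groups - exceptions must be in TSD and audit"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-jfs mounts (NFS, procfs, ...) instead of only filtering on -fstype:
# a bare -fstype test still makes find descend into the foreign tree.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o -type f -perm -g+w -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";file=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}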

#-----------------------------------------
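check_section_3_5()
{
# Rule 3.5: world-writable directories on local (jfs/jfs2) filesystems must
# carry the sticky bit (1000). Directories that are o+w without it are findings;
# their paths are appended to $logname after the count so they can be reviewed.
local head=h1
local rule="3.5"
local desc="Application Data with requirement for world writable directories"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-jfs mounts so find never descends into NFS/procfs.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o -type d -perm -o+w ! -perm -1000 -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";dir=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}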

#-----------------------------------------
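check_section_3_6()
{
# Rule 3.6: no world-writable regular files on local (jfs/jfs2) filesystems.
# Exceptions must be in the TSD and audited, so the paths are appended to
# $logname after the count.
local head=h1
local rule="3.6"
local desc="Ensure there are no world writable files - exceptions must be in TSD and audit"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-jfs mounts so find never descends into NFS/procfs.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o -type f -perm -o+w -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";file=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}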

#-----------------------------------------
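check_section_3_7()
{
# Rule 3.7: no regular files that are group-writable by the 'staff' group on
# local (jfs/jfs2) filesystems. Exceptions must be in the TSD and audited, so
# the paths are appended to $logname after the count.
local head=h1
local rule="3.7"
local desc="Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-jfs mounts so find never descends into NFS/procfs.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o -type f -perm -g+w -group staff -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";file=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}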

#-----------------------------------------
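check_section_3_8()
{
# Rule 3.8: every file and directory on local (jfs/jfs2) filesystems has an
# existing owner (uid) and group (gid). Unowned entries are findings; their
# paths are appended to $logname after the count.
local head=h1
local rule="3.8"
local desc="Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
local res desc1 hits count

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# Prune non-jfs mounts so find never descends into NFS/procfs.
hits=$(find / ! \( -fstype jfs -o -fstype jfs2 \) -prune -o \( -type d -o -type f \) \( -nouser -o -nogroup \) -print)
count=$(printf '%s\n' "$hits" | grep -c .)

if [ "$count" -eq 0 ]
then
  res=OK
else
  res=NOK
  {
    echo "$rule;$desc1;val=$count"
    printf '%s\n' "$hits" | awk -v r="$rule" '{print r ";path=" $0}'
  } >> "$logname"
fi

print_output "$head" "$rule" "$desc1" "$res"
}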

#-----------------------------------------
check_section_4_1_3_1()
{
# Rule 4.1.3.1: autoconf6 must not be started from /etc/rc.tcpip.
# An active (uncommented) "start ... autoconf6" line is a finding.
local head=h1
local rule="4.1.3.1"
local desc="autoconf6"
local res desc1

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "autoconf6"
then
  res=NOK
else
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_1_3_2()
{
# Rule 4.1.3.2: ndpd-host must not be started from /etc/rc.tcpip.
# An active (uncommented) "start ... ndpd-host" line is a finding.
local head=h1
local rule="4.1.3.2"
local desc="ndpd-host"
local res desc1

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "ndpd-host"
then
  res=NOK
else
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_1_3_3()
{
# Rule 4.1.3.3: ndpd-router must not be started from /etc/rc.tcpip.
# An active (uncommented) "start ... ndpd-router" line is a finding.
local head=h1
local rule="4.1.3.3"
local desc="ndpd-router"
local res desc1

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

if grep '^start ' /etc/rc.tcpip | grep -q "ndpd-router"
then
  res=NOK
else
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
check_section_4_2_18()
{
# Rule 4.2.18: the network option ip6forwarding must be 0 (IPv6 forwarding off).
# Spaces are stripped from the "no" output so the value can be matched as
# "ip6forwarding=0".
local head=h1
local rule="4.2.18"
local desc="ip6forwarding"
local res desc1

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

if no -o ip6forwarding | tr -d ' ' | grep -q 'ip6forwarding=0'
then
  res=OK
else
  res=NOK
fi

print_output "$head" "$rule" "$desc1" "$res"
}

#-----------------------------------------
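check_section_4_3_1()
{
# Rule 4.3.1: IP Security (IPsec) is available on the system.
# The previous version re-ran the 4.2.18 ip6forwarding test here (copy/paste),
# so this rule never reflected IPsec state at all. The rule is now treated as
# met when lsdev lists ipsec devices (ipsec_v4/ipsec_v6) and every one of them
# is in the Available state; anything else, including no devices, is NOK.
# NOTE(review): assumes 'lsdev -C -c ipsec' is the audit step the benchmark
# expects for this rule - confirm against the CIS AIX 7.2 audit procedure.
local head=h1
local rule="4.3.1"
local desc="Ensure that IP Security is available"
local res=NOK
local desc1 devs

desc1=$(printf '%s' "$desc" | tr -s ' ' '|')

# stderr is dropped on purpose: a missing lsdev or device class is a NOK, not
# a diagnostic to print into the report.
devs=$(lsdev -C -c ipsec 2>/dev/null)
if [ -n "$devs" ] && ! printf '%s\n' "$devs" | grep -qv ' Available '
then
  res=OK
fi

print_output "$head" "$rule" "$desc1" "$res"
}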



# Run every implemented check in benchmark order; each prints one report line.
for section in 2_1 2_7 3_3 3_4 3_5 3_6 3_7 3_8 4_1_3_1 4_1_3_2 4_1_3_3 4_2_18 4_3_1
do
  "check_section_$section"
done

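# Rules not yet implemented, written to 'tmpfile' for later processing.
# This must be a here-document: the former "< EOF" redirected stdin from a file
# named EOF (which does not exist), so cat failed and every line that follows
# was then executed as a shell command. The delimiter is quoted so nothing in
# the list is expanded.
# NOTE(review): 'tmpfile' is a predictable relative name written into the
# current directory; its consumer is not visible here, so the name is kept.
cat > tmpfile <<'EOF'

4.2.18  ip6forwarding
4.3.1   Ensure that IP Security is available
4.3.2   Ensure loopback traffic is blocked on external interfaces
4.3.3   Ensure that IPsec filters are active
4.5.1.7 CDE - screensaver lock
4.5.2.1 FTPD: Disable root access to ftpd
4.5.2.2 FTPD: Display acceptable usage policy during login
4.5.2.3 FTPD: Prevent world access and group write to files
4.5.3.1 OpenSSH: Minimum version is 8.1
4.5.3.6 sshd_config: Banner exists and message contains "Only authorized users allowed"
4.5.3.7 sshd_config: HostbasedAuthentication is 'no'
4.5.3.8 sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'
4.5.3.9 sshd_config: PermitEmptyPasswords is 'no'
4.5.3.10        sshd_config: LogLevel is 'INFO' or 'VERBOSE'
4.5.3.11        sshd_config: sftp-server arguments include '-u 027 -f AUTH -l INFO'
4.5.3.12        sshd_config: MaxAuthTries is '4'
4.5.3.13        sshd_config: PermitUserEnvironment is 'no'
4.5.3.15        sshd_config, ssh_config: KexAlgorithms
4.5.3.16        sshd_config, ssh_config: Ciphers
4.5.3.17        sshd_config, ssh_config: MACs - Message Authtification Codes
4.5.3.18        sshd_config, ssh_config: ReKeyLimit
4.6.5   Unattended terminal session timeout is 900 seconds (or less)
4.7.1.1 Home directory must exist
4.7.1.2 Home directory must be owned by account, or special account
4.7.1.3 Home directory: write access restricted to 'owner'
4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit
4.7.1.5 SECURITY Subsystems: /etc/security
4.7.1.6 /var/adm/ras
4.7.1.7 /var/adm/sa
4.7.1.8 /var/spool/cron/crontabs
4.7.1.9 Ensure all directories in root PATH deny write access to all
4.7.1.10        Ensure root user has a dedicated home directory
4.7.1.11        /etc/security/audit
4.7.2.2 Verify Trust of suid, sgid, acl, and trusted-bit files and programs
4.7.2.3 crontab entries - owned by userid
4.7.2.4 Home directory configuration files
4.7.2.5 /smit.log
4.7.2.6 /etc/group
4.7.2.7 /etc/inetd.conf
4.7.2.8 /etc/motd
4.7.2.9 /etc/passwd
4.7.2.10        /etc/ssh/ssh_config
4.7.2.11        /etc/ssh/sshd_config
4.7.2.13        /var/adm/cron/cron.allow
4.7.2.14        /var/ct/RMstart.log
4.7.2.15        /var/adm/cron/log
4.7.2.16        /var/tmp/dpid2.log
4.7.2.17        /var/tmp/hostmibd.log
4.7.2.18        /var/tmp/snmpd.log
4.9     Ensure root access is controlled
4.10    Disable core dumps
4.11    Remove current working directory from default /etc/environment PATH
4.12    Lock historical users
4.13    Remove current working directory from root's PATH
4.14    Configuration: /etc/motd
5.1.1.1 histsize
5.1.1.2 minage
5.1.1.3 All accounts must have a hashed password
5.1.2   All usernames and UIDs must be unique
5.1.3   All group names and GIDs must be unique
5.1.4   Establish and Maintain an Inventory of Administrator accounts
5.1.5   Establish and Maintain an Inventory of User Accounts
5.1.6   Ensure new passwords are controlled by password attributes (disable NOCHECK)
5.2.1   pwd_algorithm
5.2.2   Ensure passwords are not hashed using 'crypt'
5.2.3   Ensure password policy is enforced for all users
5.2.4   minlen
5.2.5   mindiff
5.2.6   minalpha
5.2.7   minother
5.2.8   maxrepeats
5.2.9   mindigit
5.2.10  minloweralpha
5.2.11  minupperalpha
5.2.12  minspecialchar
5.2.13  adm
5.3.1   bin
5.3.2   daemon
5.3.3   guest
5.3.4   lpd
5.3.5   nobody
5.3.6   nuucp
5.3.7   sys
5.3.8   uucp
5.3.9   Ensure System Accounts cannot access system using ftp.
5.3.10  maxage
5.6     maxexpired
5.7     Privilege escalation: sudo
6.4     Adding authorized users in at.allow
6.6     Adding authorised users in cron.allow
EOF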