aix:scripts_check_cis
This is an old revision of the document!
AIX script CIS Benchmark
This script 'll only list if compliant or not
root@aix /root# cat scripts/cis.sh
#!/usr/bin/ksh93
#@(#) Check security
# This script doesn't modify something to your system, just list what is right and wrong
# Print in red all commands to modify your settings
# Print in green all parameters that need no change, following by OK
# Version 1.0 06-2023 EIF (compliance CIS for AIX)
dir=`dirname $0`
if [ -f $dir/.env ]
then
. $dir/.env
else
path_script=$dir
export sn=`basename $0 | cut -d. -f1`
export logpath=/tmp
export logname=$logpath/$sn.log
fi
DATE=$(date "+%Y%m%d%H%M%S")
LINUX_SED=/opt/freeware/bin/sed
LINUX_STAT=/opt/freeware/bin/stat
LINUX_SORT=/opt/freeware/bin/sort
list_files=$logpath/list_files.txt
outputcis=$logpath/CIS_AIX7.2_v1.0.0
output=$logname
prefix=sec_files_out_
outputdir=$logpath/${prefix}${DATE}
mkdir $outputdir
tempo=$logpath/tmp_cis
# Cleanup
find $logpath -type d -name "${prefix}*" -ctime +5 -exec rm -r {} \; 2>/dev/null
#-----------------------------------------
print_output()
{
# args
header=$1
ruleno=$2
descr=$(echo "$3")
result=$4
echo "$ruleno;$descr;$result" | sed 's/\|/\ /g'
}
#-----------------------------------------
check_section_2_1()
{
# args
head=h1
rule="2.1"
desc="Collect system configuration regularly"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
file1=/var/log/syslog/inventory.log
val=0
val1=$(ls $file1 > /dev/null 2>&1; echo $?)
(( val = val + val1 ))
if [ "$val" != "0" ]
then
res=NOK
val1=$(cat /etc/syslog.conf | grep "local1.info" | grep -q "$file1"; echo $?)
(( val = val + val1 ))
if [ "$val" != "0" ]
then
res=NOK
val1=$(cat /etc/syslog.conf | sed '/^$/d' | grep -v '^#' | grep "^local1.info" | awk '{print $2}' | grep -q "\@"; echo $?)
(( val = val + val1 ))
if [ "$val" != "0" ]
then
res=NOK
val1=$(crontab -l | grep -v '^#' | grep "lsconf" | grep -q "logger"; echo $?)
(( val = val + val1 ))
if [ "$val" != "0" ]
then
res=NOK
else
res=OK
fi
fi
fi
else
res=OK
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_2_7()
{
# args
head=h1
rule="2.7"
desc="Remove Unused Symbolic Links"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
find -L / \( -fstype jfs -o -fstype jfs2 \) -type l -ls 2>/dev/null | cut -d'/' -f2- | sed 's/^/\//' | sed 's/\->/;/' | sed 's/\ ;/;/' | sed 's/;\ /;/' > $tempo.1
cat /dev/null > $tempo
for line in $(cat $tempo.1 | sed 's/\ /|/g')
do
word1=$(echo $line | cut -d';' -f1 | sed 's/\|/\ /g')
word2=$(echo $line | cut -d';' -f2 | sed 's/\|/\ /g')
val=$(echo $word2 | grep -c '^/')
if [[ "$val" -eq "1" ]]
then
if [ ! -e $word2 ]
then
echo $word1 >> $tempo
fi
else
dir1=$(echo $word1 | rev | cut -d'/' -f2- | rev)
word3=$(echo "$dir1/$word2")
if [ ! -e $word3 ]
then
echo $word1 >> $tempo
fi
fi
done > $tempo
if [ ! -s $tempo ]
then
res=OK
else
res=NOK
fi
cp $tempo /root/link.txt
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_3()
{
# args
head=h1
rule="3.3"
desc="Ensure default user umask is 027 or more restrictive"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(lssec -f /etc/security/user -s default -a umask | grep -q 'umask=27';echo $?)
if [ "$val" != "0" ]
then
res=NOK
else
res=OK
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_4()
{
# args
head=h1
rule="3.4"
desc="Remove group write permission from default groups - exceptions must be in TSD and audit"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]
then
res=OK
else
res=Manual
echo "$rule;$desc1;val=$val" >> $logname
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_5()
{
# args
head=h1
rule="3.5"
desc="Application Data with requirement for world writable directories"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]
then
res=OK
else
res=NOK
echo "$rule;$desc1;val=$val" >> $logname
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_6()
{
# args
head=h1
rule="3.6"
desc="Ensure there are no world writable files - exceptions must be in TSD and audit"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -o+w | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]
then
res=OK
else
res=NOK
echo "$rule;$desc1;val=$val" >> $logname
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_7()
{
# args
head=h1
rule="3.7"
desc="Ensure there are no 'staff' writable files - exceptions must be in TSD and audit"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(find / \( -fstype jfs -o -fstype jfs2 \) -type f -perm -g+w -group staff | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]
then
res=OK
else
res=NOK
echo "$rule;$desc1;val=$val" >> $logname
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_3_8()
{
# args
head=h1
rule="3.8"
desc="Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(find / \( -fstype jfs -o -fstype jfs2 \) \( -type d -o -type f \) \( -nouser -o -nogroup \) -ls | wc -l | awk '{print $1}')
if [[ "$val" == "0" ]]
then
res=OK
else
res=NOK
echo "$rule;$desc1;val=$val" >> $logname
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_4_1_3_1()
{
# args
head=h1
rule="4.1.3.1"
desc="autoconf6"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "autoconf6";echo $?)
if [ "$val" -eq "0" ]
then
res=NOK
else
res=OK
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_4_1_3_2()
{
# args
head=h1
rule="4.1.3.2"
desc="ndpd-host"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "ndpd-host";echo $?)
if [ "$val" -eq "0" ]
then
res=NOK
else
res=OK
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_4_1_3_3()
{
# args
head=h1
rule="4.1.3.3"
desc="ndpd-router"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(cat /etc/rc.tcpip | grep '^start ' | grep -q "ndpd-router";echo $?)
if [ "$val" -eq "0" ]
then
res=NOK
else
res=OK
fi
print_output $head $rule $desc1 $res
}
#-----------------------------------------
check_section_4_2_18()
{
# args
head=h1
rule="4.2.18"
desc="ip6forwarding"
res=""
desc1=$(echo $desc | tr -s ' ' | sed 's/\ /|/g')
val=$(no -o ip6forwarding | sed 's/\ //g' | grep -q 'ip6forwarding=0'; echo $?)
if [ "$val" -eq "0" ]
then
res=OK
else
res=NOK
fi
print_output $head $rule $desc1 $res
}
aix/scripts_check_cis.1717778577.txt.gz · Last modified: 2024/06/07 18:42 by manu
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
