My scripts source a shared `.env` file that sets the log directory (`logpath`), the log file (`logname`) and a few other common variables:
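root@nim /root/scripts > cat .env
# global variables for all scripts (sourced with ". .env" by every script in $binpath)
# This file is sourced as root: keep it owned by root and not writable by group/others.
export binpath=/root/scripts
# script name without extension, e.g. "check_security" for ./check_security.sh
sn=$(basename "$0" | cut -d. -f1)
export sn
HOSTNAME=$(/usr/bin/hostname)
export HOSTNAME
export logpath=/root/scripts/logs
export logname=$logpath/$sn.log
export configfile=$binpath/$sn.cfg
export destination="myemail@google.com"
export mail_undeliverable="myemail@google.com"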
This script requires the GNU `sed` and `coreutils` RPM packages (AIX Toolbox): the commands it prints use `/opt/freeware/bin/sed -i`.
root@nim /root/scripts > cat ./check_security.sh
#!/bin/ksh93
#@(#) Check security
# This script does not modify anything on the system: it only reports what is right and wrong
# Prints in red every command that would change your settings
# Prints in green every parameter that needs no change, followed by OK
# Version 1.0 08-2014
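dir=$(dirname "$0")
if [ -f "$dir/.env" ]
then
    # .env is sourced (executed) as root: refuse one that group/others could have edited
    if [ -n "$(find "$dir/.env" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
    then
        echo "$0: $dir/.env is group/world writable, refusing to source it" >&2
        exit 1
    fi
    . "$dir/.env"
else
    path_script=$dir
    sn=$(basename "$0" | cut -d. -f1)
    export sn
    export logname=/tmp/$sn.log
    # Without .env nothing set logpath, so list_files and the tempo scratch
    # file would have been written to / ; use a private directory instead
    # (a fixed name under /tmp is a symlink target for a root-run script).
    logpath=$(mktemp -d "/tmp/$sn.XXXXXX") || exit 1
    export logpath
fi
# scratch file: every check_* function rewrites it with its own reference table
list_files=$logpath/list_files.txt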
#####################################################
# Function to print with the timestamp in bold white
#####################################################
#
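function print_white
{
    # Print "<timestamp> - <message>" in bold white, followed by a blank line.
    # The message ($*) is passed as a printf argument, never as part of the
    # format string, so '%' or glob characters in it are printed verbatim.
    printf '\E[22;1m%s - %s\E[0m\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
    echo
}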
#
#####################################################
# Function to print with the timestamp in bold green
#####################################################
#
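function print_green
{
    # Print "<timestamp> - <message>" in bold green, followed by a blank line.
    # The message ($*) is a printf argument, not part of the format string,
    # so it cannot be misinterpreted as a conversion specification.
    printf '\E[32;1m%s - %s\E[0m\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
    echo
}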
#
#####################################################
# Function to print with timestamp in bold red
#####################################################
#
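function print_red
{
    # Print "<timestamp> - <message>" in bold red (no trailing blank line).
    # The message ($*) is a printf argument, not part of the format string.
    printf '\E[31;1m%s - %s\E[0m\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}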
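check_sys0 ()
{
    # Compare the sys0 tunables in the table below with their reference value
    # and print (red) the chdev command for each one that is lower.
    # AIX 7 (uname -v) adds ngroups_allowed; older releases do not have it.
    echo "#***********************"
    echo "#** device sys0 check **"
    echo "#***********************"
    if [ "$(uname -v | awk '{print $1}')" -lt 7 ]
    then
        param=(max_logname maxuproc ncargs)
        value=(256 8192 1024)
    else
        param=(max_logname ngroups_allowed maxuproc ncargs)
        value=(256 2048 8192 1024)
    fi
    count=0
    while [ "$count" -lt "${#value[*]}" ]
    do
        name=${param[$count]}
        ref=${value[$count]}
        # only attributes this sys0 really has; anchored so that the name
        # cannot match as a substring of another attribute
        if lsattr -El sys0 | awk '{print $1}' | grep -q "^$name\$"
        then
            cur=$(lsattr -El sys0 -a "$name" | awk '{print $2}')
            if [ "$cur" -lt "$ref" ]
            then
                printf '\E[31;1m%s\E[0m\n' "chdev -l sys0 -a $name=$ref"
            else
                # report the current value (the reference is only a minimum)
                printf '\E[32;1m%s\E[0m\n' "# Value parameter $name for sys0 is $cur : OK"
            fi
        fi
        (( count = count + 1 ))
    done
}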
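check_user_policy ()
{
    # Compare the password/login policy in /etc/security/user and
    # /etc/security/login.cfg with the reference table below and print (red)
    # the chsec command for every attribute that differs.
    # NOTE(review): these are the author's 2014 values (minlen=8, maxage=13
    # weeks, histsize=8, ssha512 hashes); review them against your current
    # password standard before applying the printed commands.
    echo "#***********************"
    echo "#** User Policy check **"
    echo "#***********************"
    cat << EOF > "$list_files"
user default mindiff=0
user default minage=1
user default maxage=13
user default minlen=8
user default minalpha=2
user default minother=1
user default maxrepeats=0
user default histexpire=13
user default minloweralpha=1
user default minupperalpha=1
user default mindigit=0
user default minspecialchar=0
user default histsize=8
user default maxexpired=3
user default loginretries=5
login.cfg default logininterval=300
login.cfg default logindisable=10
login.cfg default loginreenable=360
login.cfg default logindelay=10
login.cfg usw logintimeout=30
login.cfg usw pwd_algorithm=ssha512
EOF
    # Local (files) accounts are expected to have maxage=0 (password never
    # expires): the usr*/ext* accounts (LDAP naming) and the stock AIX system
    # accounts are skipped.  Presumably these are technical accounts --
    # confirm that non-expiring local passwords match your policy.
    lsuser -R files -a maxage ALL | sed -e 's/^/;/' -e 's/\ /;/' | egrep -v ";ext|;usr|;daemon;|;bin;|;sys;|;adm;|;nobody;|;lp;|;invscout;|;ipsec;|;snapp;|;sshd;|;lpd;|;pconsole;|;esaadmin;" | sed 's/;/\ /g' | while read user maxage
    do
        if [ "$maxage" != "maxage=0" ]
        then
            printf '\E[31;1m%s\E[0m\n' "chuser -R files maxage=0 $user"
        fi
    done
    # root: maxexpired=-1 = no limit for changing an expired password, so root
    # can never be locked out by the default maxexpired=3
    if lsuser -R files -a maxexpired root | awk '{print $2}' | grep -v 'maxexpired=-1' > /dev/null 2>&1
    then
        printf '\E[31;1m%s\E[0m\n' "chuser -R files maxexpired=-1 root"
    fi
    # table columns: file stanza attribute=value
    cat "$list_files" | while read file stanza setting
    do
        param=${setting%%=*}
        ref=${setting#*=}
        cur=$(lssec -f "/etc/security/$file" -s "$stanza" -a "$param" | awk '{print $2}' | cut -d'=' -f2)
        if [ "$cur" != "$ref" ]
        then
            printf '\E[31;1m%s\E[0m\n' "chsec -f /etc/security/$file -s $stanza -a $setting"
        else
            printf '\E[32;1m%s\E[0m\n' "# parameter $param OK"
        fi
    done
}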
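check_local_user_group()
{
    # Report local (files) accounts that should not exist on an LDAP client,
    # non-system members of the "system" group, and the guest/printq accounts.
    # Advice only: rmuser commands are printed in red, nothing is executed.
    echo "#************************************"
    echo "#** Check local users and groups **"
    echo "#************************************"
    # usr*/ext* accounts are expected to come from LDAP, not from /etc/passwd
    if egrep "^usr|^ext" /etc/passwd > /dev/null 2>&1
    then
        if lssec -f /etc/security/user -s default -a SYSTEM | grep LDAP > /dev/null 2>&1
        then
            printf '\E[31;1m%s\E[0m\n' "User ext or usr exists on local Please remove them using : rmuser -R files -p <user>"
            egrep "^usr|^ext" /etc/passwd
        else
            printf '\E[32;1m%s\E[0m\n' "# User ext or usr exists on local but there is no LDAP: OK"
        fi
    else
        printf '\E[32;1m%s\E[0m\n' "# No local user defined : OK"
    fi
    # Members of group "system" (anchored on "system:" so that a group whose
    # name merely starts with "system" is not read) minus the accounts that
    # belong there.  The sed strips the names as substrings, so a member such
    # as "root2" would show up as "2" -- good enough for a report.
    members=$(grep '^system:' /etc/group | cut -d ':' -f4- | sed 's/,/\ /g' | sed -e 's/root//' -e 's/pconsole//' -e 's/esaadmin//' -e 's/srvproxy//')
    if [ -n "$(echo "$members" | sed 's/\ //g')" ]
    then
        printf '\E[31;1m%s\E[0m\n' "User exists in system group, Please change the group"
        echo "$members"
    else
        printf '\E[32;1m%s\E[0m\n' "# No users in system group except system users OK"
    fi
    # The guest account has no business on a hardened host
    if egrep "^guest:" /etc/passwd > /dev/null 2>&1
    then
        printf '\E[31;1m%s\E[0m\n' "rmuser -R files -p guest"
    else
        printf '\E[32;1m%s\E[0m\n' "# No user guest OK"
    fi
    # lpd/printq are only justified when printers are defined in /etc/qconfig
    # (comment lines there start with '*'); only printq is proposed for removal.
    if egrep "^lpd:|^printq:" /etc/passwd > /dev/null 2>&1
    then
        if grep -v '^*' /etc/qconfig | grep -q ''
        then
            printf '\E[32;1m%s\E[0m\n' "# Users lpd and printq exists, printers are defined OK"
        else
            printf '\E[31;1m%s\E[0m\n' "rmuser -R files -p printq"
        fi
    else
        printf '\E[32;1m%s\E[0m\n' "# No user lpd or printq OK"
    fi
}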
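disable_login_system ()
{
    # Check that the AIX system accounts cannot log in (login=false,
    # rlogin=false) and print (red) the chuser command for each attribute
    # that differs from the table.  root is skipped on a VIO server
    # (/usr/ios/cli/ioscli present) and checked everywhere else.
    echo "#************************************"
    echo "#** Disable login for system users **"
    echo "#************************************"
    cat << EOF > "$list_files"
daemon login=false rlogin=false
bin login=false rlogin=false
sys login=false rlogin=false
adm login=false rlogin=false
nobody login=false rlogin=false
uucp login=false rlogin=false
nuucp login=false rlogin=false
lpd login=false rlogin=false
root login=true rlogin=true
EOF
    # NOTE(review): the reference keeps rlogin=true for root, i.e. direct
    # remote root login stays allowed.  Most AIX hardening guides set root
    # rlogin=false and force su from a named account -- confirm this is intended.
    if [ -e /usr/ios/cli/ioscli ]
    then
        vios=1
    else
        vios=0
    fi
    cat "$list_files" | while read user login_ref rlogin_ref
    do
        if [ "$user" = "root" ] && [ "$vios" -eq 1 ]
        then
            continue
        fi
        # anchored on "user:" so that e.g. "sys" does not match "system"
        if grep "^$user:" /etc/passwd > /dev/null 2>&1
        then
            login_curr=$(lsuser -R files -a login "$user" | awk '{print $2}')
            rlogin_curr=$(lsuser -R files -a rlogin "$user" | awk '{print $2}')
            if [ "$login_curr" != "$login_ref" ]
            then
                printf '\E[31;1m%s\E[0m\n' "chuser -R files $login_ref $user"
            else
                printf '\E[32;1m%s\E[0m\n' "# parameter $login_ref $user OK"
            fi
            if [ "$rlogin_curr" != "$rlogin_ref" ]
            then
                printf '\E[31;1m%s\E[0m\n' "chuser -R files $rlogin_ref $user"
            else
                printf '\E[32;1m%s\E[0m\n' "# parameter $rlogin_ref $user OK"
            fi
        fi
    done
    # sugroups/su check for root, left disabled by the author:
    #cat << EOF > $list_files
    #root sugroups=sysadmin su=true
    #EOF
    #cat $list_files | while read user sugroups_ref su_ref
    #do
    # sugroups_curr=$(lssec -f /etc/security/user -s root -a sugroups | awk '{print $2}')
    # su_curr=$(lssec -f /etc/security/user -s root -a su | awk '{print $2}')
    # if [[ "$sugroups_curr" != "$sugroups_ref" || "$su_curr" != "$su_ref" ]]
    # then
    # printf "\E[31;1m""chsec -f /etc/security/user -s $user -a $sugroups_ref -a $su_ref"" $1\E[0m\n"
    # else
    # printf "\E[32;1m""# Parameter sugroups and su for user $user OK"" $1\E[0m\n"
    # fi
    #done
}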
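check_inittab_entry ()
{
    # $1 - inittab identifier.  When the entry exists and is not already
    # ":off:", print (red) the chitab command that switches it off, otherwise
    # print the green "not exists" line.
    if grep "^$1:" /etc/inittab | grep -qv ":off:" > /dev/null 2>&1
    then
        line=$(grep "^$1:" /etc/inittab)
        begin=$(echo "$line" | cut -d':' -f1,2)
        end=$(echo "$line" | cut -d':' -f4-)
        printf '\E[31;1m%s\E[0m\n' "chitab '$begin:off:$end'"
    else
        printf '\E[32;1m%s\E[0m\n' "# Parameter $1 not exists OK"
    fi
}
check_inittab ()
{
    # Report /etc/inittab entries that start services a hardened host does
    # not need (printing subsystem, CDE, old agents, ...) and print the chitab
    # command that turns each one off.
    echo "#************************"
    echo "#** Check /etc/inittab **"
    echo "#************************"
    # printer services stay when printers are defined in /etc/qconfig
    # (comment lines there start with '*')
    if grep -v '^*' /etc/qconfig | grep -q ''
    then
        printf '\E[32;1m%s\E[0m\n' "# printers are defined , printer services won't be checked OK"
    else
        for inittab in qdaemon lpd piobe
        do
            check_inittab_entry "$inittab"
        done
    fi
    listsvc="cas_agent i4ls rcncs httpdlite pmd dt rcml mkatmpvc atmsvcd sniinst writesrv naudio naudio2 pconsole webserverstart platform_agent cimservices dt_nogb rcitm rcnetwlm director_agent climgrcim install_assist pmperfrec cfgperf"
    # PowerHA node (clmgr present): clcomd/clusterconf are needed by the
    # cluster; a VIO server keeps them too; everywhere else they go off.
    if [ -e /usr/es/sbin/cluster/utilities/clmgr ]
    then
        listsvc="$listsvc xmdaily"
    else
        if [ ! -e /usr/ios/cli/ioscli ]
        then
            listsvc="$listsvc clcomd clusterconf xmdaily"
        fi
    fi
    for inittab in $listsvc
    do
        check_inittab_entry "$inittab"
    done
    # Remove old IBM Director Agent, no more supported
    # (plain glob loop: "[ -e pattern ]" fails as soon as two files match)
    for file in /etc/rc.d/rc2.d/*itca*TivoliCommonAgent0
    do
        [ -e "$file" ] || continue
        printf '\E[31;1m%s\E[0m\n' "rm -f $file"
    done
    # rcnfs required for mksysb, NIM and NMON
}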
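check_inetd ()
{
    # Report every service still enabled in /etc/inetd.conf and print (red)
    # the chsubserver command that disables it.  swat is tolerated everywhere
    # (it was already ignored by the "anything enabled?" test, but the
    # original loop would still have proposed disabling it); blank lines are
    # skipped so that no empty chsubserver command is printed.
    # NOTE(review): a NIM master keeps ftp/telnet/rsh/tftp/bootp and a VIO
    # server keeps ftp/telnet -- these are clear-text protocols; nimsh/ssh
    # can replace most of them, so confirm each one is really still needed.
    echo "#***************************"
    echo "#** Check /etc/inetd.conf **"
    echo "#***************************"
    enabled=$(egrep -v '^#|^swat|^[[:blank:]]*$' /etc/inetd.conf 2>/dev/null)
    if [ -z "$enabled" ]
    then
        printf '\E[32;1m%s\E[0m\n' "# /etc/inetd.conf OK"
    else
        if [ -f /usr/sbin/lsnim ]
        then
            exclude="^ftp|^telnet|^shell|^login|^exec|^bootps|^tftp"
        else
            if [ -f /usr/ios/cli/ioscli ]
            then
                exclude="^ftp|^telnet|^caa_cfg"
            else
                # blank lines are already gone, so this matches nothing
                exclude='^$'
            fi
        fi
        printf '%s\n' "$enabled" | egrep -v "$exclude" | awk '{print $1,$3}' | while read service proto
        do
            # chsubserver wants tcp/udp, inetd.conf may say tcp6/udp6
            printf '\E[31;1m%s\E[0m\n' "chsubserver -d -p $(echo "$proto" | sed 's/6//') -v $service -r inetd"
        done
    fi
}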
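check_rctcpip ()
{
    # Report every daemon started from /etc/rc.tcpip that is not on the
    # allowed list and print (red) the chrctcp command that disables it.
    # Allowed everywhere: xntpd, inetd, syslogd.  A NIM master (lsnim
    # present) also keeps portmap, which its NFS exports depend on.
    echo "#*************************"
    echo "#** Check /etc/rc.tcpip **"
    echo "#*************************"
    keep="xntpd|inetd|syslogd"
    where=""
    if [ -e /usr/sbin/lsnim ]
    then
        keep="$keep|portmap"
        where=" on NIM server"
    fi
    extra=$(grep "^start " /etc/rc.tcpip | egrep -v "$keep" | awk '{print $2}')
    if [ -z "$extra" ]
    then
        printf '\E[32;1m%s\E[0m\n' "# /etc/rc.tcpip$where OK"
    else
        for service in $extra
        do
            # $service is the daemon's full path; chrctcp wants its basename
            printf '\E[31;1m%s\E[0m\n' "chrctcp -S -d ${service##*/}"
        done
    fi
}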
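check_files_permission ()
{
    # Compare owner, group and mode of the files/directories in the table
    # with the reference and print (red) the chown/chmod commands that would
    # fix them.  Table columns: type (f|d) path owner group mode [nocheck]
    # - "nocheck" rows zero the r-commands (000) and are dropped on a NIM
    #   master, which still uses rsh/rcp for its clients.  NOTE(review):
    #   nimsh would allow closing them there too; confirm with your NIM setup.
    # - the 555 references for the CDE dt* binaries strip their setuid bit;
    #   presumably CDE is unused on these hosts -- confirm before applying.
    # Entries that do not exist on this host are skipped.
    echo "#****************************"
    echo "#** Check file permissions **"
    echo "#****************************"
    cat << EOF > "$list_files"
f /usr/bin/rcp root system 000 nocheck
f /usr/bin/rlogin root bin 000 nocheck
f /usr/bin/rsh root system 000 nocheck
f /usr/sbin/rlogind root system 000 nocheck
f /usr/sbin/rshd root system 000 nocheck
f /usr/sbin/tftpd root system 000 nocheck
f /etc/ssh/sshd_config root system 644
f /etc/ssh/ssh_config root system 644
f /etc/security/passwd root security 600
d /etc/security root security 750
f /etc/group root security 644
f /etc/passwd root security 644
d /etc/security/audit root audit 750
d /audit root audit 750
f /root/smit.log root system 640
f /var/adm/cron/log root cron 660
f /var/adm/cron/cron.allow bin cron 640
f /var/adm/cron/at.allow bin cron 640
d /var/spool/cron/crontabs root cron 770
f /etc/motd bin bin 444
#f /var/adm/ras/* - - o-r
f /var/ct/RMstart.log root system 640
f /var/tmp/dpid2.log root system 640
f /var/tmp/hostmibd.log root system 640
f /var/tmp/snmpd.log root system 640
d /var/adm/sa adm adm 766
f /usr/dt/bin/dtaction root sys 555
f /usr/dt/bin/dtappgather root bin 555
f /usr/dt/bin/dtprintinfo root bin 555
f /usr/dt/bin/dtsession root bin 555
f /etc/dt/config/Xservers root bin 555
EOF
    if [ -e /usr/sbin/lsnim ]
    then
        grep -v "nocheck" "$list_files" > "$list_files.1"
        mv "$list_files.1" "$list_files"
    fi
    cat "$list_files" | while read type full owner group perm nocheck
    do
        case "$type" in
            f) [ -f "$full" ] || continue
               kind=file ;;
            d) [ -d "$full" ] || continue
               kind=directory ;;
            *) continue ;;
        esac
        owner_curr=$(ls -ld "$full" | awk '{print $3"."$4}')
        if [ "$owner_curr" != "$owner.$group" ]
        then
            printf '\E[31;1m%s\E[0m\n' "chown $owner.$group $full"
        else
            printf '\E[32;1m%s\E[0m\n' "# $kind $full owner OK"
        fi
        if [ "$kind" = "file" ]
        then
            perm_curr=$(convert_perm_file "$full" | awk '{print $1}')
        else
            perm_curr=$(convert_perm_dir "$full" | awk '{print $1}')
        fi
        # the converter prints a bare 0 for ---------, the table writes 000
        if [ "$perm_curr" = "0" ]
        then
            perm_curr="000"
        fi
        if [ "$perm_curr" != "$perm" ]
        then
            printf '\E[31;1m%s\E[0m\n' "chmod $perm $full"
        else
            printf '\E[32;1m%s\E[0m\n' "# $kind $full permission OK"
        fi
    done
}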
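convert_perm_file ()
{
    # Print "<octal mode> <name>" for every regular file given as argument,
    # computed from the ls -l mode string; setuid/setgid/sticky are included
    # (rwsr-xr-x -> 4755).  Arguments that are not regular files are skipped.
    # The arguments are used directly instead of parsing "ls" output, which
    # broke on directories and on names containing spaces.
    for file in "$@"
    do
        [ -f "$file" ] || continue
        ls -l "$file" | awk 'BEGIN {
            v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
            v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
            v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
            {val=0
            for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
            printf "%4d %s\n",val,$NF}'
    done
}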
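convert_perm_dir ()
{
    # Print "<octal mode> <name>" for every directory given as argument,
    # computed from the ls -ld mode string; setgid/sticky are included
    # (drwxrwxrwt -> 1777).  Arguments that are not directories are skipped.
    # No global named "dir" is written any more: the original clobbered the
    # top-level $dir (the script's own directory) on every call.
    for d in "$@"
    do
        [ -d "$d" ] || continue
        ls -ld "$d" | awk 'BEGIN {
            v["r1"]=400; v["w2"]=200; v["x3"]=100; v["s3"]=4100; v["S3"]=4000
            v["r4"]=40 ; v["w5"]=20 ; v["x6"]=10 ; v["s6"]=2010; v["S6"]=2000
            v["r7"]=4  ; v["w8"]=2  ; v["x9"]=1  ; v["t9"]=1001; v["T9"]=1000}
            {val=0
            for (i=1;i<=9;i++) val=val+v[substr($0,i+1,1)i]
            printf "%4d %s\n",val,$NF}'
    done
}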
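network_option ()
{
    # Compare the "no" tunables in the table with their reference value and
    # print (red) the "no -p -o" command (-p also writes the nextboot value)
    # for every one that differs.  The first block is hardening (no source
    # routing, no forwarding, no redirects, tcp_tcpsecure, ...); the
    # tcp/udp buffer sizes at the end are performance tuning, not security.
    # NOTE(review): ipforwarding=0 is wrong for a host that must route;
    # skip it there.
    echo "#***********************"
    echo "#** Network Options **"
    echo "#***********************"
    cat << EOF > "$list_files"
no ipsrcrouteforward 0
no ipignoreredirects 1
no clean_partial_conns 1
no ipsrcroutesend 0
no ipforwarding 0
no ipsendredirects 0
no ip6srcrouteforward 0
no directed_broadcast 0
no tcp_pmtu_discover 0
no bcastping 0
no icmpaddressmask 0
no udp_pmtu_discover 0
no ipsrcrouterecv 0
no nonlocsrcroute 0
no tcp_tcpsecure 7
no sockthresh 60
no rfc1323 1
no tcp_sendspace 262144
no tcp_recvspace 262144
no udp_sendspace 65536
no udp_recvspace 655360
no tcp_mssdflt 1448
EOF
    # For NFS with Linux, add the following settings
    #nfso portcheck 1
    #nfso nfs_use_reserved_ports 1
    cat "$list_files" | while read cmd tunable ref
    do
        # "no -o name" prints "name = value"
        cur=$($cmd -o "$tunable" | awk '{print $3}')
        # an unknown tunable (empty value) is reported, not silently accepted
        # (the original "[ '' -ne x ]" error took the green branch)
        if [ -z "$cur" ] || [ "$cur" -ne "$ref" ]
        then
            printf '\E[31;1m%s\E[0m\n' "$cmd -p -o $tunable=$ref"
        else
            printf '\E[32;1m%s\E[0m\n' "# parameter $tunable OK"
        fi
    done
    # sb_max is a minimum, not an exact value
    cur=$(no -o sb_max | awk '{print $3}')
    if [ -z "$cur" ] || [ "$cur" -lt 1048576 ]
    then
        printf '\E[31;1m%s\E[0m\n' "no -p -o sb_max=1048576"
    else
        printf '\E[32;1m%s\E[0m\n' "# parameter sb_max OK"
    fi
}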
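check_audit ()
{
    # Check the three prerequisites of AIX auditing: a dedicated /audit
    # filesystem, default audit classes for new users, and the audit
    # subsystem started from /etc/inittab.
    echo "#***********************"
    echo "#** Check audit **"
    echo "#***********************"
    # df -g /audit shows the filesystem that holds /audit; without a
    # dedicated one it shows / and the grep fails
    if df -g /audit | grep audit > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# Filesystem /audit OK"
    else
        printf '\E[31;1m%s\E[0m\n' "mklv -tjfs2 -y auditlv rootvg 2G;crfs -vjfs2 -m /audit -d auditlv -Ayes;mount /audit"
        printf '\E[31;1m%s\E[0m\n' "chown root.audit /audit;chmod 750 /audit"
    fi
    # auditclasses in mkuser.default applies to every user created afterwards;
    # an empty value (or a failed lssec) is reported
    classes=$(lssec -f /usr/lib/security/mkuser.default -s user -a auditclasses | awk '{print $2}' | awk -F'=' '{print $2}')
    if [ -z "$classes" ]
    then
        printf '\E[31;1m%s\E[0m\n' "chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip"
    else
        printf '\E[32;1m%s\E[0m\n' "# User auditclasses OK"
    fi
    # inittab entries are id:runlevel:action:command; look for the real
    # "audit" entry (not any line mentioning audit) and propose mkitab
    # instead of echoing a malformed line with an empty identifier
    if grep '^audit:' /etc/inittab > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# Audit process started in inittab OK"
    else
        printf '\E[31;1m%s\E[0m\n' 'mkitab "audit:2:boot:audit start > /dev/console 2>&1"'
    fi
}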
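check_syslog ()
{
    # Check that the syslogd subsystem (SRC definition in the ODM) is started
    # with "-r -n" and print the chssys command otherwise.  Per AIX syslogd,
    # -r ignores messages received from remote hosts and -n drops the
    # "Message forwarded from" prefix -- confirm in your release's man page.
    echo "#***********************"
    echo "#** Check syslog **"
    echo "#***********************"
    if odmget -q subsysname="syslogd" SRCsubsys | grep cmdargs | cut -d'=' -f2- | grep '\-r' | grep '\-n' > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# Syslog started with option -r and -n OK"
    else
        printf '\E[31;1m%s\E[0m\n' 'chssys -s syslogd -a "-r -n"'
    fi
}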
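check_snmp ()
{
    # Flag the default read/write "private" community in /etc/snmpd.conf and
    # print the sed that comments it out.  The printed command now targets
    # the file that is actually checked (the original printed /etc/snmp.conf).
    # NOTE(review): recent AIX usually runs snmpdv3 with /etc/snmpdv3.conf,
    # and the default read-only "public" community is not checked here --
    # confirm which daemon is active and extend the check if needed.
    echo "#***********************"
    echo "#** Check SNMP **"
    echo "#***********************"
    if grep "^community[[:blank:]]*private" /etc/snmpd.conf > /dev/null 2>&1
    then
        printf '\E[31;1m%s\E[0m\n' "/opt/freeware/bin/sed -i '/private/ s/^/#/g' /etc/snmpd.conf"
    else
        printf '\E[32;1m%s\E[0m\n' "# /etc/snmpd.conf OK"
    fi
}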
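check_cron ()
{
    # cron.allow / at.allow restrict who may use cron and at; when a file is
    # missing, propose creating it from the users that already own a crontab
    # (minus esaadmin, sys and uucp).  The exclusion is anchored: the original
    # "egrep -v sys" also dropped any user whose name contains "sys".
    echo "#***********************"
    echo "#** Check crontabs **"
    echo "#***********************"
    allowed='ls /var/spool/cron/crontabs | egrep -v "^(esaadmin|sys|uucp)$"'
    if [ ! -f /var/adm/cron/cron.allow ]
    then
        printf '\E[31;1m%s\E[0m\n' "$allowed > /var/adm/cron/cron.allow"
    else
        printf '\E[32;1m%s\E[0m\n' "# /var/adm/cron/cron.allow exists OK"
    fi
    if [ ! -f /var/adm/cron/at.allow ]
    then
        printf '\E[31;1m%s\E[0m\n' "$allowed > /var/adm/cron/at.allow"
    else
        printf '\E[32;1m%s\E[0m\n' "# /var/adm/cron/at.allow exists OK"
    fi
}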
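check_sshd_config ()
{
    # Check a handful of sshd_config settings and print (red) the GNU sed
    # command that enables each missing one.  Nothing is edited here.
    # NOTE(review): this does not check PermitRootLogin, PasswordAuthentication
    # or Ciphers (see the disabled block below); "Protocol 2" is ignored by
    # newer OpenSSH builds that no longer have protocol 1 at all.
    echo "#****************************"
    echo "#** Check sshd_config file **"
    echo "#****************************"
    SSHD_CONFIG=/etc/ssh/sshd_config
    LINUX_SED=/opt/freeware/bin/sed
    if grep '^Port' "$SSHD_CONFIG" > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# Port OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#Port\ 22/Port\ 22/' $SSHD_CONFIG"
    fi
    # one explicit IPv4 ListenAddress, no IPv6 one
    if grep '^ListenAddress ' "$SSHD_CONFIG" | grep -v '::' > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# ListenAddress IPV4 OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#ListenAddress\ 0.0.0.0/ListenAddress\ 0.0.0.0/' $SSHD_CONFIG"
    fi
    if grep '^ListenAddress ' "$SSHD_CONFIG" | grep '::' > /dev/null 2>&1
    then
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^ListenAddress\ ::/#ListenAddress\ ::/' $SSHD_CONFIG"
    else
        printf '\E[32;1m%s\E[0m\n' "# ListenAddress IPV6 OK"
    fi
    if grep '^Protocol 2' "$SSHD_CONFIG" > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# Protocol ssh version 2 only OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#Protocol\ 2/Protocol\ 2/' $SSHD_CONFIG"
    fi
    # Ciphers be careful could prevent from login
    #grep '^Ciphers' $SSHD_CONFIG > /dev/null 2>&1
    #if [ $? -ne 0 ]
    #then
    # printf "\E[31;1m"$LINUX_SED" -i '"'/^Protocol/a \\
    #\\
    ## SSH protocol v2 specific options \\
    #Ciphers aes256-ctr,aes192-ctr,aes128-ctr'"' "$SSHD_CONFIG" $1\E[0m\n"
    #else
    # printf "\E[32;1m""# Ciphers OK"" $1\E[0m\n"
    #fi
    if grep '^SyslogFacility AUTH' "$SSHD_CONFIG" > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# SyslogFacility OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#SyslogFacility\ AUTH/SyslogFacility\ AUTH/' $SSHD_CONFIG"
    fi
    if grep '^LogLevel INFO' "$SSHD_CONFIG" > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# LogLevel OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's/^#LogLevel\ INFO/LogLevel\ INFO/' $SSHD_CONFIG"
    fi
    if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ]
    then
        printf '\E[31;1m%s\E[0m\n' "echo | ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key"
    else
        printf '\E[32;1m%s\E[0m\n' "# ECDSA ssh key exists OK"
    fi
    # '|' as the sed delimiter: the original's escaped slashes expanded to
    # "\\/" and produced a sed expression that does not parse
    if grep '^PidFile' "$SSHD_CONFIG" > /dev/null 2>&1
    then
        printf '\E[32;1m%s\E[0m\n' "# PidFile OK"
    else
        printf '\E[31;1m%s\E[0m\n' "$LINUX_SED -i 's|^#PidFile /var/run/sshd.pid|PidFile /var/run/sshd.pid|' $SSHD_CONFIG"
    fi
    if [ ! -d "/var/run" ]
    then
        printf '\E[31;1m%s\E[0m\n' "mkdir -p /var/run"
    else
        printf '\E[32;1m%s\E[0m\n' "# ssh PID directory exists OK"
    fi
}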
check_sys0
check_user_policy
network_option
disable_login_system
check_local_user_group
check_inittab
check_inetd
check_rctcpip
check_files_permission
check_snmp
check_audit
check_syslog
check_cron
check_sshd_config
root@nim /root/scripts > cat ./check_admin.sh
#!/bin/ksh93
#set -x
#@(#) List all administrative users and groups
# version 1.0 08-2014
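dir=$(dirname "$0")
# .env is sourced (executed) as root: refuse one that group/others could have edited
if [ -n "$(find "$dir/.env" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
then
    echo "$0: $dir/.env is group/world writable, refusing to source it" >&2
    exit 1
fi
. "$dir/.env"
# stock AIX groups/users that are administrative by design and are not reported
GROUP_ADMIN=";system;bin;sys;adm;uucp;mail;security;cron;printq;audit;ecs;shutdown;lp;invscout;snapp;pconsole;esaadmin"
USER_ADMIN="lpd;nobody;daemon;root;nuucp;system;bin;sys;adm;uucp;mail;security;cron;printq;audit;ecs;shutdown;lp;invscout;snapp;pconsole;esaadmin"
LINUX_SED=/opt/freeware/bin/sed
# private scratch file: the fixed /tmp/aaa could be pre-created or symlinked
# by another user, and this script runs as root
TMPFILE=$(mktemp /tmp/check_admin.XXXXXX) || exit 1
trap 'rm -f "$TMPFILE"' EXIT
HOSTNAME=$(hostname)
# egrep pattern "^;|^system;|^bin;|...|^esaadmin;".  It is quoted where it is
# used, not inside the variable: the literal quotes the original embedded
# became part of the pattern and broke the first and last alternatives.
GREP_GROUP=$(echo "$GROUP_ADMIN" | sed -e "s/;/;\|\^/g" -e "s/^/\^/" -e "s/$/;/")
# 0 when this host is an LDAP client (ls-secldapclntd succeeds)
LDAP_CLIENT=$(/usr/sbin/ls-secldapclntd > /dev/null 2>&1;echo $?)
echo "#**********************************"
echo "#******** Admin Groups ********"
echo "#**********************************"
if [ "$LDAP_CLIENT" -eq 0 ]
then
    echo "#### Admin groups on LDAP ####"
    lsgroup -R LDAP -a admin ALL | grep -v "admin=false" | sed "s/\ /;/" | egrep -v "$GREP_GROUP"
fi
printf '\n#### Admin groups on Local ####\n'
# with dsh the command runs on every node of the cluster, output prefixed "host:"
if [ -e /usr/bin/dsh ]
then
    dsh "lsgroup -R files -a admin ALL | grep -v 'admin=false' | sed 's/\ /;/' | egrep -v '$GREP_GROUP'"
else
    lsgroup -R files -a admin ALL | grep -v 'admin=false' | sed 's/\ /;/' | egrep -v "$GREP_GROUP"
fi
printf '\n#***************************************\n'
echo "#******** Users in Admin Groups ********"
echo "#***************************************"
if [ "$LDAP_CLIENT" -eq 0 ]
then
    printf '\n#### Users in Admin groups on LDAP ####\n'
    # one line per admin group: ";group;,user1,user2," -- the stock admin
    # users are then removed by name and empty groups are not printed
    lsgroup -R LDAP -a admin users ALL | grep -v "admin=false" | awk '{print $1";"$3}' | sed -e 's/users=/,/' -e 's/^/;/' -e 's/$/,/' > "$TMPFILE"
    for i in $(echo "$USER_ADMIN" | sed 's/;/\ /g')
    do
        $LINUX_SED -i "s/,$i,/,/g" "$TMPFILE"
    done
    cat "$TMPFILE" | sed 's/;/\ /g' | while read begin end
    do
        line=$(echo "$end" | sed -e 's/,/\ /g')
        if [[ $(echo $line | awk '{print $1}') != "" ]]
        then
            echo "group=$begin,users=$line"
        fi
    done
fi
printf '\n#### Users in Admin groups on Local ####\n'
# same layout, prefixed by the host: "host:;group;,user1,user2,"
if [ -e /usr/bin/dsh ]
then
    dsh "lsgroup -R files -a admin users ALL | grep -v 'admin=false'" | awk '{print $1";"$2";"$4}' | sed -e 's/users=/,/' -e 's/$/,/' > "$TMPFILE"
else
    lsgroup -R files -a admin users ALL | grep -v 'admin=false' | awk '{print $1";"$3}' | sed -e 's/users=/,/' -e 's/$/,/' | sed "s/^/$HOSTNAME:;/" > "$TMPFILE"
fi
for i in $(echo "$USER_ADMIN" | sed 's/;/\ /g')
do
    $LINUX_SED -i "s/,$i,/,/g" "$TMPFILE"
done
cat "$TMPFILE" | sed -e 's/;/\ /g' -e 's/://' | while read host_name begin end
do
    line=$(echo "$end" | sed -e 's/,/\ /g')
    if [[ $(echo $line | awk '{print $1}') != "" ]]
    then
        echo "$host_name:group=$begin,users=$line"
    fi
done
printf '\n#***************************************\n'
echo "#******** Users with admin FLAG ********"
echo "#***************************************"
if [ "$LDAP_CLIENT" -eq 0 ]
then
    printf '\n#### Users with admin FLAG on LDAP ####\n'
    lsuser -R LDAP -a admin ALL | grep -v 'admin=false'
fi
printf '\n#### Users with admin FLAG on Local ####\n'
# one line per user: "host;user;" (the ':' after the host is stripped in both
# branches; the original only stripped it for dsh output)
if [ -e /usr/bin/dsh ]
then
    dsh "lsuser -R files -a admin ALL | grep -v 'admin=false'" | awk '{print $1";"$2}' | sed -e 's/$/;/' -e 's/://' > "$TMPFILE"
else
    lsuser -R files -a admin ALL | grep -v 'admin=false' | awk '{print $1}' | sed 's/$/;/' | sed "s/^/$HOSTNAME;/" > "$TMPFILE"
fi
for i in $(echo "$USER_ADMIN" | sed 's/;/\ /g')
do
    $LINUX_SED -i "s/;$i;//" "$TMPFILE"
done
cat "$TMPFILE" | sort | uniq | while read line
do
    end=$(echo "$line" | sed 's/;/\ /' | awk '{print $2}')
    if [[ $(echo $end | awk '{print $1}') != "" ]]
    then
        echo "$line admin=true"
    fi
done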