There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.
Script not executing
Hello,
I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.
#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x
#Script to mitigate common CAT I, II and III's that are common among Linux boxes.
# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync
#Mitigates CAT I GEN000000-LNX00320 Rule ID: SV-37181r1_rule
userdel shutdown
userdel halt
userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#
#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf
file0="/etc/inittab"
file1="/etc/pam.d/system-a
file2="/var/log/btmp"
file3="/etc/gdm/custom.con
file4="/etc/ssh/sshd_confi
file5="/etc/pam.d/system-a
file6="system-auth"
file7="/etc/pam.d/system-a
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"
#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule
if ! grep -q "$string" "$file"
then
echo "The md5 hash does not exist the md5 hash will be inserted"
sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8
else
echo "The md5 hash exists in $file"
fi
#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720 Rule ID: SV-27001r1_rule
echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.con
if grep -q "$string4" "$file"
then
echo "Doing nothing $string4 kernel parameter is enabled"
fi
if ! grep -q "$string4" "$file"
then
echo "$String4 kernel parameter is missing will be enabled"
sed -i -e "/quiet/ s|$| "$string4"|" "$file"
fi
#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule
if ! grep -q "$string5" "$file1"
then
echo "Skipping "$string5" is not found"
else
echo ""$string5" is found needs to be removed to avoid use of blank passwords"
sed -i -e 's/"$string5"/g' "$file1"
fi
#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580 Rule ID: SV-37327r1_rule
if grep -q "$string3" "$file0"
then
echo "Doing nothing "$string1" already disabled"
else
if grep -q "$string1" "$file0"
then
echo "$string1 is found must be disabled and logged"
sed -i -e "s/$string2/$string3/g" "$file0"
sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin
fi
fi
#STIG ID: GEN000000-LNX00360 Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.
if ! grep -q "server-Standard" "/etc/gdm/custom.conf"
then
echo "The X server options are not enabled in $file3 and will be inserted"
sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file"
exec gdm-safe-restart
else
echo "The X server options are enabled /etc/gdm/custom.conf"
fi
#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440 Rule ID: SV-37243r1_rule
chmod 0640 /etc/security/access.conf
#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520 Rule ID: SV-37258r1_rule
chmod 0600 /etc/sysctl.conf
#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020 Rule ID: SV-37350r1_rule
if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"
then
echo "The /etc/inittab does not contain authentication into single-user and will be inserted"
sed -i -e '54a\
\#Single User Mode Password' "$file0"
sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"
else
echo "Single User Authentication is enabled in $file0"
fi
#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252 Rule ID: SV-37417r1_rule
chmod 0640 /etc/ntp.conf
#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2 Rule ID: SV-34574r1_rule
userdel news
#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3 Rule ID: SV-34575r1_rule
userdel gopher
#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4 Rule ID: SV-34578r1_rule Vuln ID: V-27279
userdel ftp
#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400 Rule ID: SV-37169r1_rule
if grep -q "$string7" "$file4"
then
echo "DoD Banner enabled"
sed -i -e "s/$string6/$string7/g" "$file4"
fi
#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460 Rule ID: SV-37203r1_rule
if ! grep -q "pam_tally2.so" "$file5"
then
echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"
sed -i -e '4a\
auth required pam_access.so' "$file5"
sed -i -e '5a\
auth required pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth include system-auth-ac' "$file5"
sed -i -e '12a\
account required pam_tally2.so' "$file5"
sed -i -e '13a\
account include system-auth-ac' "$file5"
sed -i -e '18a\
password include system-auth-ac' "$file5"
sed -i -e '23a\
session include system-auth-ac' "$file5"
cp "$file5" "system-auth-local"
unlink "$file6"
ln -s /etc/pam.d/system-auth-loc
else
echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"
fi
#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500 Rule ID: SV-29796r1_rule
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2 Rule ID: SV-34582r1_rule
echo "graphical desktop sessions should lock after 15 minutes"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3 Rule ID: SV-34583r1_rule
echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540 Rule ID: SV-37239r1_rule
echo "Passwords require 1 day minimum before changing"
for i in `cat /etc/passwd | grep ^ | awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done
#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580 Rule ID: SV-37260r1_rule
if ! grep -q "minlen=14" "$file7"
then
echo "System-auth required to have passwords contain a minimum of 14 characters"
sed -i -e '17a\
password requisite pam_cracklib.so minlen=14' "$file7"
else
echo "System-auth using minimum of 14 character passwords"
fi
#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590 Rule ID: SV-26313r1_rule
if ! egrep -q "sha512" "$file5"
then
echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
echo "Replacing md5 hash with sha512"
sed -i -e "s/md5/sha512/g" "$file5"
else
echo "System using sha512 hash"
fi
#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600 Rule ID: SV-41826r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "passwords must contain at least one uppercase alphabetic character"
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth using at least one uppercase alphabetic character in passwords"
fi
#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610 Rule ID: SV-26321r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "Passwords must contain at least one uppercase alphabetic character."
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth is using one uppercase alphabetic character in passwords."
fi
#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620 Rule ID: SV-37281r1_rule
if ! grep -q "dcredit=-1" "$file7"
then
echo "passwords must contain one numerical character"
sed -i -e '22a\
password required pam_cracklib.so dcredit=-1' "$file7"
else
echo "System-auth using at least one numerical character in passwords"
fi
#The system must require passwords contain at least one special character.
#STIG ID: GEN000640 Rule ID: SV-37287r1_rule
if ! grep -q "ocredit=-1" "$file7"
then
echo "passwords must contain one special character"
sed -i -e '22a\
password required pam_cracklib.so ocredit=-1' "$file7"
else
echo "System-auth using at least one special character in passwords"
fi
#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680 Rule ID: SV-37294r1_rule Vuln ID: V-11975
if ! grep -q "maxrepeat=3" "$file7"
then
echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"
sed -i -e '24a\
password required pam_cracklib.so maxrepeat=3' "$file7"
else
echo "The maxrepeat option is limited to three repeating characters"
fi
#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700 Rule ID: SV-37298r1_rule
cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`
echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"
chmod +w /etc/passwd
chmod +w /etc/shadow
for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`
do
sed -i -e "/$i/ s/\:99999/\:60/g" /etc/shadow
echo "This is a list of users that required 60 day passwords"
echo $i >> /etc/60_days.txt
done
chmod -w /etc/passwd
chmod -w /etc/shadow
#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750 Rule ID: SV-37304r1_rule
if ! grep -q "difok=4" "$file7"
then
echo "Must ensure that old and new passwords have significant differences"
sed -i -e '19a\
password required pam_cracklib.so difok=4' "$file7"
else
echo "System-auth is using rule to allow four characters be changed between the old and new passwords"
fi
#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920 Rule ID: SV-37355r1_rule
for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`
do
if [[ -r "$i" && -w "$i" && -x "$i" ]]
then
echo "/root is not 700 and required to be changed"
chmod 700 $i
else
echo "/root is 700"
fi
done
#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940 Rule ID: SV-37360r1_rule
echo "Searching for files in /root .bashrc, .cshrc and tcshrc"
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"
then
echo "Root executable search path is missing will be inserted"
sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"
sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"
else
echo "The executable search path PATH does exist"
fi
if [ ! -f /root/.cshrc ]
then
touch /home/amagana/.cshrc
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"
then
sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc
sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc
sed -i -e '4a\
' /root/.cshrc
echo "Root executable search path is missing will be inserted"
fi
else
echo "The .cshrc file exists and the executable search path PATH does exist"
fi
if [ ! -f /root/.tcshrc ]
then
touch /root/.tcshrc
if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc
then
echo "Root executable search path is missing will be inserted"
echo >> /root/.tcshrc
echo >> /root/.tcshrc
sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc
sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc
fi
else
echo "The .tcshrc file exists and the executable search path PATH does exist"
fi
I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.
#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x
#Script to mitigate common CAT I, II and III's that are common among Linux boxes.
# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync
#Mitigates CAT I GEN000000-LNX00320 Rule ID: SV-37181r1_rule
userdel shutdown
userdel halt
userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#
#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf
file0="/etc/inittab"
file1="/etc/pam.d/system-a
file2="/var/log/btmp"
file3="/etc/gdm/custom.con
file4="/etc/ssh/sshd_confi
file5="/etc/pam.d/system-a
file6="system-auth"
file7="/etc/pam.d/system-a
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"
#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule
if ! grep -q "$string" "$file"
then
echo "The md5 hash does not exist the md5 hash will be inserted"
sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8
else
echo "The md5 hash exists in $file"
fi
#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720 Rule ID: SV-27001r1_rule
echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.con
if grep -q "$string4" "$file"
then
echo "Doing nothing $string4 kernel parameter is enabled"
fi
if ! grep -q "$string4" "$file"
then
echo "$String4 kernel parameter is missing will be enabled"
sed -i -e "/quiet/ s|$| "$string4"|" "$file"
fi
#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule
if ! grep -q "$string5" "$file1"
then
echo "Skipping "$string5" is not found"
else
echo ""$string5" is found needs to be removed to avoid use of blank passwords"
sed -i -e 's/"$string5"/g' "$file1"
fi
#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580 Rule ID: SV-37327r1_rule
if grep -q "$string3" "$file0"
then
echo "Doing nothing "$string1" already disabled"
else
if grep -q "$string1" "$file0"
then
echo "$string1 is found must be disabled and logged"
sed -i -e "s/$string2/$string3/g" "$file0"
sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin
fi
fi
#STIG ID: GEN000000-LNX00360 Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.
if ! grep -q "server-Standard" "/etc/gdm/custom.conf"
then
echo "The X server options are not enabled in $file3 and will be inserted"
sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file"
exec gdm-safe-restart
else
echo "The X server options are enabled /etc/gdm/custom.conf"
fi
#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440 Rule ID: SV-37243r1_rule
chmod 0640 /etc/security/access.conf
#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520 Rule ID: SV-37258r1_rule
chmod 0600 /etc/sysctl.conf
#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020 Rule ID: SV-37350r1_rule
if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"
then
echo "The /etc/inittab does not contain authentication into single-user and will be inserted"
sed -i -e '54a\
\#Single User Mode Password' "$file0"
sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"
else
echo "Single User Authentication is enabled in $file0"
fi
#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252 Rule ID: SV-37417r1_rule
chmod 0640 /etc/ntp.conf
#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2 Rule ID: SV-34574r1_rule
userdel news
#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3 Rule ID: SV-34575r1_rule
userdel gopher
#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4 Rule ID: SV-34578r1_rule Vuln ID: V-27279
userdel ftp
#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400 Rule ID: SV-37169r1_rule
if grep -q "$string7" "$file4"
then
echo "DoD Banner enabled"
sed -i -e "s/$string6/$string7/g" "$file4"
fi
#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460 Rule ID: SV-37203r1_rule
if ! grep -q "pam_tally2.so" "$file5"
then
echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"
sed -i -e '4a\
auth required pam_access.so' "$file5"
sed -i -e '5a\
auth required pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth include system-auth-ac' "$file5"
sed -i -e '12a\
account required pam_tally2.so' "$file5"
sed -i -e '13a\
account include system-auth-ac' "$file5"
sed -i -e '18a\
password include system-auth-ac' "$file5"
sed -i -e '23a\
session include system-auth-ac' "$file5"
cp "$file5" "system-auth-local"
unlink "$file6"
ln -s /etc/pam.d/system-auth-loc
else
echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"
fi
#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500 Rule ID: SV-29796r1_rule
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2 Rule ID: SV-34582r1_rule
echo "graphical desktop sessions should lock after 15 minutes"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3 Rule ID: SV-34583r1_rule
echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540 Rule ID: SV-37239r1_rule
echo "Passwords require 1 day minimum before changing"
for i in `cat /etc/passwd | grep ^ | awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done
#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580 Rule ID: SV-37260r1_rule
if ! grep -q "minlen=14" "$file7"
then
echo "System-auth required to have passwords contain a minimum of 14 characters"
sed -i -e '17a\
password requisite pam_cracklib.so minlen=14' "$file7"
else
echo "System-auth using minimum of 14 character passwords"
fi
#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590 Rule ID: SV-26313r1_rule
if ! egrep -q "sha512" "$file5"
then
echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
echo "Replacing md5 hash with sha512"
sed -i -e "s/md5/sha512/g" "$file5"
else
echo "System using sha512 hash"
fi
#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600 Rule ID: SV-41826r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "passwords must contain at least one uppercase alphabetic character"
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth using at least one uppercase alphabetic character in passwords"
fi
#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610 Rule ID: SV-26321r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "Passwords must contain at least one uppercase alphabetic character."
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth is using one uppercase alphabetic character in passwords."
fi
#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620 Rule ID: SV-37281r1_rule
if ! grep -q "dcredit=-1" "$file7"
then
echo "passwords must contain one numerical character"
sed -i -e '22a\
password required pam_cracklib.so dcredit=-1' "$file7"
else
echo "System-auth using at least one numerical character in passwords"
fi
#The system must require passwords contain at least one special character.
#STIG ID: GEN000640 Rule ID: SV-37287r1_rule
if ! grep -q "ocredit=-1" "$file7"
then
echo "passwords must contain one special character"
sed -i -e '22a\
password required pam_cracklib.so ocredit=-1' "$file7"
else
echo "System-auth using at least one special character in passwords"
fi
#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680 Rule ID: SV-37294r1_rule Vuln ID: V-11975
if ! grep -q "maxrepeat=3" "$file7"
then
echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"
sed -i -e '24a\
password required pam_cracklib.so maxrepeat=3' "$file7"
else
echo "The maxrepeat option is limited to three repeating characters"
fi
#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700 Rule ID: SV-37298r1_rule
cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`
echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"
chmod +w /etc/passwd
chmod +w /etc/shadow
for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`
do
sed -i -e "/$i/ s/\:99999/\:60/g" /etc/shadow
echo "This is a list of users that required 60 day passwords"
echo $i >> /etc/60_days.txt
done
chmod -w /etc/passwd
chmod -w /etc/shadow
#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750 Rule ID: SV-37304r1_rule
if ! grep -q "difok=4" "$file7"
then
echo "Must ensure that old and new passwords have significant differences"
sed -i -e '19a\
password required pam_cracklib.so difok=4' "$file7"
else
echo "System-auth is using rule to allow four characters be changed between the old and new passwords"
fi
#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920 Rule ID: SV-37355r1_rule
for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`
do
if [[ -r "$i" && -w "$i" && -x "$i" ]]
then
echo "/root is not 700 and required to be changed"
chmod 700 $i
else
echo "/root is 700"
fi
done
#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940 Rule ID: SV-37360r1_rule
echo "Searching for files in /root .bashrc, .cshrc and tcshrc"
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"
then
echo "Root executable search path is missing will be inserted"
sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"
sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"
else
echo "The executable search path PATH does exist"
fi
if [ ! -f /root/.cshrc ]
then
touch /home/amagana/.cshrc
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"
then
sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc
sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc
sed -i -e '4a\
' /root/.cshrc
echo "Root executable search path is missing will be inserted"
fi
else
echo "The .cshrc file exists and the executable search path PATH does exist"
fi
if [ ! -f /root/.tcshrc ]
then
touch /root/.tcshrc
if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc
then
echo "Root executable search path is missing will be inserted"
echo >> /root/.tcshrc
echo >> /root/.tcshrc
sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc
sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc
fi
else
echo "The .tcshrc file exists and the executable search path PATH does exist"
fi
Asked:
-
5
3
- +2
8 Solutions
Yes agreerging to the above statement what do you mean by mitigation. Reading your script it seems you are setting up a password policy but that can only be clear if you explain bit more about the problem, like wise we can execute the script and then response you back the exact error.
My apologies to ozo and palicos,
I meant to say that this script is created to fix some findings that under DISA are required to be changed.
I meant to say that this script is created to fix some findings that under DISA are required to be changed.
hello woolmilkporc,
Can i insert blank lines with sed and still have the other sed statements insert those strings into file0?
Can i insert blank lines with sed and still have the other sed statements insert those strings into file0?
Why would you want to insert blank lines?
Is there any reason why /etc/inittab must have that many lines?
You could insert your desired statements at the end of the file or following a line containing a well-known pattern instead of inserting them at a particular line number.
Anyway, you can of course add a blank line at the end
sed -i -e '$a\
' "$file0"
alternatively
sed -i G "$file0"
or several blank lines
sed -i -e '$a\
\
\
\
\
\
\
\
' "$file0"
alternatively
sed -i 'G;G;G;G;G;G;G;G' "$file0"
but you can add your lines at the end as well:
sed -i -e '$a\
\#Single User Mode Password' "$file0"
sed -i -e '$a\
~:S:wait:/sbin/sulogin' "$file0"
Is there any reason why /etc/inittab must have that many lines?
You could insert your desired statements at the end of the file or following a line containing a well-known pattern instead of inserting them at a particular line number.
Anyway, you can of course add a blank line at the end
sed -i -e '$a\
' "$file0"
alternatively
sed -i G "$file0"
or several blank lines
sed -i -e '$a\
\
\
\
\
\
\
\
' "$file0"
alternatively
sed -i 'G;G;G;G;G;G;G;G' "$file0"
but you can add your lines at the end as well:
sed -i -e '$a\
\#Single User Mode Password' "$file0"
sed -i -e '$a\
~:S:wait:/sbin/sulogin' "$file0"
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
sed will silently (RC 0) fail if there are fewer lines.