Solved

Script not executing

Posted on 2013-01-03
Last Modified: 2013-01-13
Hello,

I have a long mitigation script and upon testing I noticed it's not mitigating the target file I have it for. Any help would be great, and I can take out the portion I am dealing with and run it by itself. It is an if statement and it's a mystery to me. It is the part that is going to insert the sulogin string into /etc/inittab.


#!/bin/bash
exec > /home/scc/stiglog.log 2>&1
set -x

#Script to mitigate common CAT I, II and III's that are common among Linux boxes.

# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync

#Mitigates CAT I GEN000000-LNX00320  Rule ID: SV-37181r1_rule

userdel shutdown
userdel halt

userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#

#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf"
file0="/etc/inittab"
file1="/etc/pam.d/system-auth"
file2="/var/log/btmp"
file3="/etc/gdm/custom.conf"
file4="/etc/ssh/sshd_config"
file5="/etc/pam.d/system-auth-ac"
file6="system-auth"
file7="/etc/pam.d/system-auth"
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"

#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule

if ! grep -q "$string" "$file"

then

    echo "The md5 hash does not exist the md5 hash will be inserted"

sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8UobBL.' "$file"

else

    echo "The md5 hash exists in $file"
fi


#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720  Rule ID: SV-27001r1_rule

echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.conf_`date +%m-%d-20%y-%H%M`


if grep -q "$string4" "$file"

then
   echo "Doing nothing $string4 kernel parameter is enabled"
fi

if ! grep -q "$string4" "$file"
then
   echo "$string4 kernel parameter is missing will be enabled"
    # append the parameter to the end of each kernel line containing "quiet"
    sed -i -e "/quiet/ s|\$| $string4|" "$file"
fi


#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule


if ! grep -q "$string5" "$file1"

then
    echo "Skipping: $string5 is not found"
else
   echo "$string5 is found and needs to be removed to avoid use of blank passwords"
   # double quotes so $string5 expands; empty replacement deletes the option
   sed -i -e "s/$string5//g" "$file1"
fi


#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580  Rule ID: SV-37327r1_rule


if grep -q "$string3" "$file0"
then
  echo "Doing nothing "$string1" already disabled"
else
  if grep -q "$string1" "$file0"
  then
    echo "$string1 is found must be disabled and logged"
    sed -i -e "s/$string2/$string3/g" "$file0"
    sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin/logger -p security.info "Ctrl-Alt-Del was pressed"' "$file0"
  fi
fi

#STIG ID: GEN000000-LNX00360  Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.

if ! grep -q "server-Standard" "/etc/gdm/custom.conf"

then

  echo "The X server options are not enabled in $file3 and will be inserted"

sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file3"

# restart gdm as a normal command: "exec" would replace this shell and end the script here
gdm-safe-restart

else

 echo "The X server options are enabled /etc/gdm/custom.conf"

fi

#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440  Rule ID: SV-37243r1_rule

chmod 0640 /etc/security/access.conf


#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520  Rule ID: SV-37258r1_rule

chmod 0600 /etc/sysctl.conf

#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020  Rule ID: SV-37350r1_rule

if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"

then

  echo "The /etc/inittab does not contain authentication into single-user and will be inserted"

sed -i -e '54a\
\#Single User Mode Password' "$file0"

sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"

else

  echo "Single User Authentication is enabled in $file0"

fi


#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252  Rule ID: SV-37417r1_rule


chmod 0640 /etc/ntp.conf


#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2  Rule ID: SV-34574r1_rule

userdel news

#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3  Rule ID: SV-34575r1_rule


userdel gopher

#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4  Rule ID: SV-34578r1_rule  Vuln ID: V-27279

userdel ftp


#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400  Rule ID: SV-37169r1_rule

if grep -q "$string7" "$file4"
then
  echo "DoD Banner enabled"
  sed -i -e "s/$string6/$string7/g" "$file4"
fi

#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460  Rule ID: SV-37203r1_rule

if ! grep -q "pam_tally2.so" "$file5"

then

  echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"

sed -i -e '4a\
auth        required      pam_access.so' "$file5"
sed -i -e '5a\
auth        required      pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth        include       system-auth-ac' "$file5"
sed -i -e '12a\
account     required      pam_tally2.so' "$file5"
sed -i -e '13a\
account     include       system-auth-ac' "$file5"
sed -i -e '18a\
password    include       system-auth-ac' "$file5"
sed -i -e '23a\
session     include       system-auth-ac' "$file5"

# use absolute paths so this works regardless of the current working directory
cp "$file5" /etc/pam.d/system-auth-local
unlink "/etc/pam.d/$file6"
ln -s /etc/pam.d/system-auth-local "/etc/pam.d/$file6"

else

  echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"

fi


#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500  Rule ID: SV-29796r1_rule

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true



#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2  Rule ID: SV-34582r1_rule

echo "graphical desktop sessions should lock after 15 minutes"


gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15

#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3  Rule ID: SV-34583r1_rule

echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true

#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540  Rule ID: SV-37239r1_rule

echo "Passwords require 1 day minimum before changing"

for i in $(awk -F: '{print $1}' /etc/passwd | sort)
do passwd -n 1 "$i"
done

#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580  Rule ID: SV-37260r1_rule

if ! grep -q "minlen=14" "$file7"

then

  echo "System-auth required to have passwords contain a minimum of 14 characters"

sed -i -e '17a\
password    requisite     pam_cracklib.so minlen=14' "$file7"

else

  echo "System-auth using minimum of 14 character passwords"

fi

#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590  Rule ID: SV-26313r1_rule

if ! egrep -q "sha512" "$file5"

then

  echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
  echo "Replacing md5 hash with sha512"

sed -i -e "s/md5/sha512/g" "$file5"

else

 echo "System using sha512 hash"

fi

#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600  Rule ID: SV-41826r1_rule

if ! grep -q "ucredit=-1" "$file7"

then
 echo "passwords must contain at least one uppercase alphabetic character"

sed -i -e '22a\
password    required     pam_cracklib.so ucredit=-1' "$file7"

else

  echo "System-auth using at least one uppercase alphabetic character in passwords"

fi


#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610  Rule ID: SV-26321r1_rule

if ! grep -q "lcredit=-1" "$file7"

then
 echo "Passwords must contain at least one lowercase alphabetic character."

sed -i -e '22a\
password    required     pam_cracklib.so lcredit=-1' "$file7"

else

  echo "System-auth is using one lowercase alphabetic character in passwords."

fi

#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620  Rule ID: SV-37281r1_rule

if ! grep -q "dcredit=-1" "$file7"

then
 echo "passwords must contain one numerical character"

sed -i -e '22a\
password    required     pam_cracklib.so dcredit=-1' "$file7"

else

  echo "System-auth using at least one numerical character in passwords"

fi


#The system must require passwords contain at least one special character.
#STIG ID: GEN000640  Rule ID: SV-37287r1_rule

if ! grep -q "ocredit=-1" "$file7"

then
 echo "passwords must contain one special character"

sed -i -e '22a\
password    required     pam_cracklib.so ocredit=-1' "$file7"

else

  echo "System-auth using at least one special character in passwords"

fi


#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680  Rule ID: SV-37294r1_rule  Vuln ID: V-11975

if ! grep -q "maxrepeat=3" "$file7"

then
 echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"

sed -i -e '24a\
password    required     pam_cracklib.so maxrepeat=3' "$file7"

else

  echo "The maxrepeat option is limited to three repeating characters"

fi


#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700  Rule ID: SV-37298r1_rule

cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`

echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"

chmod +w /etc/passwd
chmod +w /etc/shadow

for i in `awk -F: '$3 >= 1000 { print $1 }' /etc/passwd`

do  

    # anchor on the account name field so "bob" does not also match "bobby"
    sed -i -e "/^$i:/ s/:99999/:60/g" /etc/shadow
    echo "This is a list of users that required 60 day passwords"
    echo $i >> /etc/60_days.txt

done

chmod -w /etc/passwd
chmod -w /etc/shadow


#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750  Rule ID: SV-37304r1_rule


if ! grep -q "difok=4" "$file7"

then
 echo "Must ensure that old and new passwords have significant differences"

sed -i -e '19a\
password    required     pam_cracklib.so difok=4' "$file7"

else

  echo "System-auth is using rule to allow four characters be changed between the old and new passwords"

fi


#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920  Rule ID: SV-37355r1_rule

for i in `grep "^root:" /etc/passwd | awk -F":" '{print $6}'`

do

# compare the actual octal mode: root passes -r/-w/-x on any directory,
# so the test builtin cannot tell 0700 from 0755
if [ "$(stat -c %a "$i")" != "700" ]

then
 echo "$i is not 700 and required to be changed"
 chmod 700 "$i"

else
 echo "$i is 700"

fi
done


#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940  Rule ID: SV-37360r1_rule

echo "Searching for files in /root .bashrc, .cshrc and tcshrc"

if ! grep -qF 'PATH=$PATH:$HOME/bin' "/root/.bashrc"

then

  echo "Root executable search path is missing  will be inserted"

sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"

sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"

else

  echo "The executable search path PATH does exist"

fi



if [ ! -f /root/.cshrc ]

then

  touch /root/.cshrc

  if ! grep -qF 'PATH=$PATH:$HOME/bin' "/root/.cshrc"

  then

sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc

sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc

sed -i -e '4a\
                        ' /root/.cshrc

echo "Root executable search path is missing  will be inserted"

  fi

else

  echo "The .cshrc file exists and the executable search path PATH does exist"

fi


if [ ! -f /root/.tcshrc ]

then

  touch /root/.tcshrc

  if ! grep -qF 'PATH=$PATH:$HOME/bin' /root/.tcshrc

  then
echo "Root executable search path is missing  will be inserted"
echo        >> /root/.tcshrc
echo        >> /root/.tcshrc

sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc

sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc


  fi

else

  echo "The .tcshrc file exists and the executable search path PATH does exist"

fi
Question by:atom_jelly
11 Comments
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 250 total points
ID: 38741741
Could it be that "file0" (/etc/inittab) doesn't have that many lines (54)?

sed will silently (RC 0) fail if there are fewer lines.
 
LVL 84

Assisted Solution

by:ozo
ozo earned 83 total points
ID: 38741988
What do you mean by "mitigation"?
 
LVL 4

Assisted Solution

by:palicos
palicos earned 83 total points
ID: 38743109
Yes, agreeing with the above statement: what do you mean by mitigation? Reading your script it seems you are setting up a password policy, but that can only be clear if you explain a bit more about the problem; likewise, we can execute the script and then respond back to you with the exact error.
 

Assisted Solution

by:atom_jelly
atom_jelly earned 0 total points
ID: 38743496
My apologies to ozo and palicos,

I meant to say that this script is created to fix some findings that under DISA are required to be changed.
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 250 total points
ID: 38743534
Did you see my comment (ID: 38741741) above?

Assisted Solution

by:atom_jelly
atom_jelly earned 0 total points
ID: 38743777
hello woolmilkporc,

Can I insert blank lines with sed and still have the other sed statements insert those strings into file0?
 
LVL 68

Accepted Solution

by:woolmilkporc
woolmilkporc earned 250 total points
ID: 38743859
Why would you want to insert blank lines?

Is there any reason why /etc/inittab must have that many lines?

You could insert your desired statements at the end of the file or following a line containing a well-known pattern instead of inserting them at a particular line number.

Anyway, you can of course add a blank line at the end

sed -i -e '$a\
' "$file0"

alternatively

sed -i G "$file0"

or several blank lines

sed -i -e '$a\
\
\
\
\
\
\
\
' "$file0"

alternatively

sed -i 'G;G;G;G;G;G;G;G' "$file0"

but you can add your lines at the end as well:

sed -i -e '$a\
\#Single User Mode Password' "$file0"
sed -i -e '$a\
~:S:wait:/sbin/sulogin' "$file0"
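The asker's script inserts the sulogin line with sed -i '54a\...', and the accepted answer explains why that is a silent no-op when /etc/inittab has fewer lines and suggests appending at the end of the file or after a known pattern instead (Tintin's echo "value" >>file is the same idea). The script below is an added example, not code from the thread or from any of the posters: it reproduces the behaviour on a constructed five-line stand-in for /etc/inittab in a temporary directory and shows a grep-guarded append and a pattern-anchored insert that can be re-run without duplicating the line. The helper names (count_lines, has_line, line_number_insert, ensure_line, insert_after_pattern, write_sample_inittab) and the sample file contents are my own assumptions; it relies on GNU sed for -i, as the thread does.

```shell
#!/bin/bash
# Added example, not from the thread. A constructed 5-line stand-in for
# /etc/inittab (built in a temp dir; the real /etc/inittab is never touched)
# shows that "sed -i '54a\...'" on a file shorter than 54 lines inserts
# nothing and still exits 0, then two alternatives that do not depend on
# line numbers and can be re-run without duplicating the line.

# count_lines FILE : number of lines in FILE.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# has_line FILE LINE : succeed if FILE already contains LINE exactly.
# -F treats LINE as a fixed string (so ~ and / are literal), -x matches whole lines.
has_line() {
    grep -qxF -- "$2" "$1"
}

# line_number_insert FILE N TEXT : the thread's approach. GNU sed never
# matches address N when FILE has fewer than N lines, so nothing is added
# and the exit status is still 0.
line_number_insert() {
    sed -i -e "${2}a\\
$3" "$1"
}

# ensure_line FILE LINE : append LINE at the end of FILE unless present.
# Returns 0 when it appended, 1 when the line was already there.
ensure_line() {
    if has_line "$1" "$2"; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# insert_after_pattern FILE PATTERN TEXT : insert TEXT after each line
# matching PATTERN (a basic regex containing no '/'), unless TEXT is present.
insert_after_pattern() {
    if has_line "$1" "$3"; then
        return 1
    fi
    sed -i -e "/$2/a\\
$3" "$1"
}

# write_sample_inittab FILE : constructed sample content, not a real inittab.
write_sample_inittab() {
    printf '%s\n' \
        '# constructed 5-line sample inittab' \
        'id:3:initdefault:' \
        'si::sysinit:/etc/rc.d/rc.sysinit' \
        'l0:0:wait:/etc/rc.d/rc 0' \
        'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$1"
}

sulogin='~:S:wait:/sbin/sulogin'
work="$(mktemp -d)"
f="$work/inittab"

write_sample_inittab "$f"
echo "sample has $(count_lines "$f") lines"

# 1. the thread's line-number insert: silently does nothing on a short file
line_number_insert "$f" 54 "$sulogin"
rc=$?
if has_line "$f" "$sulogin"; then found=yes; else found=no; fi
echo "after '54a': sed exit status $rc, line present: $found"

# 2. guarded append at end of file, safe to run twice
if ensure_line "$f" "$sulogin"; then
    echo "ensure_line: appended, now $(count_lines "$f") lines"
fi
if ! ensure_line "$f" "$sulogin"; then
    echo "ensure_line again: already present, nothing duplicated"
fi

# 3. insert after a well-known pattern instead of a line number
write_sample_inittab "$f"
insert_after_pattern "$f" 'initdefault' "$sulogin"
echo "after pattern insert, line 3 is: $(sed -n 3p "$f")"

rm -rf "$work"
```

Run it as an unprivileged user; it only writes under the temp directory. Applied to the original script, the same guard is a single line: grep -qxF '~:S:wait:/sbin/sulogin' "$file0" || printf '%s\n' '#Single User Mode Password' '~:S:wait:/sbin/sulogin' >> "$file0", which works whatever length /etc/inittab has and does nothing on a second run.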
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 84 total points
ID: 38744872
If the line number isn't important, why not just do

echo "value" >>file
 

Author Comment

by:atom_jelly
ID: 38754587
I appreciate the wisdom of this community when I am in a jam.
 

Author Comment

by:atom_jelly
ID: 38760116
Please close.
 

Author Closing Comment

by:atom_jelly
ID: 38771563
To be like a duck you must act like a duck.
