troubleshooting Question

Script not executing

Avatar of atom_jelly
atom_jellyFlag for United States of America asked on
Programming Languages-OtherUnix OSScripting Languages
11 Comments8 Solutions1339 ViewsLast Modified:
Hello,

I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.


#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x

#Script to mitigate common CAT I, II and III's that are common among Linux boxes.

# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync

#Mitigates CAT I GEN000000-LNX00320  Rule ID: SV-37181r1_rule

userdel shutdown
userdel halt

userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#

#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf"
file0="/etc/inittab"
file1="/etc/pam.d/system-auth"
file2="/var/log/btmp"
file3="/etc/gdm/custom.conf"
file4="/etc/ssh/sshd_config
file5="/etc/pam.d/system-auth-ac
file6="system-auth"
file7="/etc/pam.d/system-auth"
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"

#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule

if ! grep -q "$string" "$file"

then

    echo "The md5 hash does not exist the md5 hash will be inserted"

sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8UobBL.' "$file"

else

    echo "The md5 hash exists in $file"
fi


#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720  Rule ID: SV-27001r1_rule

echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.conf_`date +%m-%d-20%y-%H%M`


if grep -q "$string4" "$file"

then
   echo "Doing nothing $string4 kernel parameter is enabled"
fi

if ! grep -q "$string4" "$file"
then
   echo "$String4 kernel parameter is missing will be enabled"
    sed -i -e  "/quiet/ s|$| "$string4"|" "$file"
fi


#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule


if ! grep -q "$string5" "$file1"

then
    echo "Skipping "$string5" is not found"
else
   echo ""$string5" is found needs to be removed to avoid use of blank passwords"
   sed -i -e 's/"$string5"/g' "$file1"
fi


#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580  Rule ID: SV-37327r1_rule


if grep -q "$string3" "$file0"
then
  echo "Doing nothing "$string1" already disabled"
else
  if grep -q "$string1" "$file0"
  then
    echo "$string1 is found must be disabled and logged"
    sed -i -e "s/$string2/$string3/g" "$file0"
    sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin/logger -p security.info "Ctrl-Alt-Del was pressed"' "$file0"
  fi
fi

#STIG ID: GEN000000-LNX00360  Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.

if ! grep -q "server-Standard" "/etc/gdm/custom.conf"

then

  echo "The X server options are not enabled in $file3 and will be inserted"

sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file"

exec gdm-safe-restart

else

 echo "The X server options are enabled /etc/gdm/custom.conf"

fi

#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440  Rule ID: SV-37243r1_rule

chmod 0640 /etc/security/access.conf


#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520  Rule ID: SV-37258r1_rule

chmod 0600 /etc/sysctl.conf

#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020  Rule ID: SV-37350r1_rule

if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"

then

  echo "The /etc/inittab does not contain authentication into single-user and will be inserted"

sed -i -e '54a\
\#Single User Mode Password' "$file0"

sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"

else

  echo "Single User Authentication is enabled in $file0"

fi


#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252  Rule ID: SV-37417r1_rule


chmod 0640 /etc/ntp.conf


#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2  Rule ID: SV-34574r1_rule

userdel news

#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3  Rule ID: SV-34575r1_rule


userdel gopher

#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4  Rule ID: SV-34578r1_rule  Vuln ID: V-27279

userdel ftp


#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400  Rule ID: SV-37169r1_rule

if grep -q "$string7" "$file4"
then
  echo "DoD Banner enabled"
  sed -i -e "s/$string6/$string7/g" "$file4"
fi

#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460  Rule ID: SV-37203r1_rule

if ! grep -q "pam_tally2.so" "$file5"

then

  echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"

sed -i -e '4a\
auth        required      pam_access.so' "$file5"
sed -i -e '5a\
auth        required      pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth        include       system-auth-ac' "$file5"
sed -i -e '12a\
account     required      pam_tally2.so' "$file5"
sed -i -e '13a\
account     include       system-auth-ac' "$file5"
sed -i -e '18a\
password    include       system-auth-ac' "$file5"
sed -i -e '23a\
session     include       system-auth-ac' "$file5"

cp "$file5" "system-auth-local"
unlink "$file6"
ln -s /etc/pam.d/system-auth-local "$file6"

else

  echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"

fi


#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500  Rule ID: SV-29796r1_rule

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true



#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2  Rule ID: SV-34582r1_rule

echo "graphical desktop sessions should lock after 15 minutes"


gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15

#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3  Rule ID: SV-34583r1_rule

echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true

#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540  Rule ID: SV-37239r1_rule

echo "Passwords require 1 day minimum before changing"

for i in `cat /etc/passwd | grep ^ |  awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done

#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580  Rule ID: SV-37260r1_rule

if ! grep -q "minlen=14" "$file7"

then

  echo "System-auth required to have passwords contain a minimum of 14 characters"

sed -i -e '17a\
password    requisite     pam_cracklib.so minlen=14' "$file7"

else

  echo "System-auth using minimum of 14 character passwords"

fi

#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590  Rule ID: SV-26313r1_rule

if ! egrep -q "sha512" "$file5"

then

  echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
  echo "Replacing md5 hash with sha512"

sed -i -e "s/md5/sha512/g" "$file5"

else

 echo "System using sha512 hash"

fi

#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600  Rule ID: SV-41826r1_rule

if ! grep -q "ucredit=-1" "$file7"

then
 echo "passwords must contain at least one uppercase alphabetic character"

sed -i -e '22a\
password    required     pam_cracklib.so ucredit=-1' "$file7"

else

  echo "System-auth using at least one uppercase alphabetic character in passwords"

fi


#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610  Rule ID: SV-26321r1_rule

if ! grep -q "ucredit=-1" "$file7"

then
 echo "Passwords must contain at least one uppercase alphabetic character."

sed -i -e '22a\
password    required     pam_cracklib.so ucredit=-1' "$file7"

else

  echo "System-auth is using one uppercase alphabetic character in passwords."

fi

#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620  Rule ID: SV-37281r1_rule

if ! grep -q "dcredit=-1" "$file7"

then
 echo "passwords must contain one numerical character"

sed -i -e '22a\
password    required     pam_cracklib.so dcredit=-1' "$file7"

else

  echo "System-auth using at least one numerical character in passwords"

fi


#The system must require passwords contain at least one special character.
#STIG ID: GEN000640  Rule ID: SV-37287r1_rule

if ! grep -q "ocredit=-1" "$file7"

then
 echo "passwords must contain one special character"

sed -i -e '22a\
password    required     pam_cracklib.so ocredit=-1' "$file7"

else

  echo "System-auth using at least one special character in passwords"

fi


#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680  Rule ID: SV-37294r1_rule  Vuln ID: V-11975

if ! grep -q "maxrepeat=3" "$file7"

then
 echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"

sed -i -e '24a\
password    required     pam_cracklib.so maxrepeat=3' "$file7"

else

  echo "The maxrepeat option is limited to three repeating characters"

fi


#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700  Rule ID: SV-37298r1_rule

cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`

echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"

chmod +w /etc/passwd
chmod +w /etc/shadow

for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`

do  

    sed -i -e  "/$i/ s/\:99999/\:60/g" /etc/shadow
    echo "This is a list of users that required 60 day passwords"
    echo $i >> /etc/60_days.txt

done

chmod -w /etc/passwd
chmod -w /etc/shadow


#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750  Rule ID: SV-37304r1_rule


if ! grep -q "difok=4" "$file7"

then
 echo "Must ensure that old and new passwords have significant differences"

sed -i -e '19a\
password    required     pam_cracklib.so difok=4' "$file7"

else

  echo "System-auth is using rule to allow four characters be changed between the old and new passwords"

fi


#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920  Rule ID: SV-37355r1_rule

for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`

do

if [[ -r "$i" && -w "$i" && -x "$i"  ]]

then
 echo "/root is not 700 and required to be changed"
 chmod 700 $i

else
 echo "/root is 700"

fi
done


#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940  Rule ID: SV-37360r1_rule

echo "Searching for files in /root .bashrc, .cshrc and tcshrc"

if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"

then

  echo "Root executable search path is missing  will be inserted"

sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"

sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"

else

  echo "The executable search path PATH does exist"

fi



if [ ! -f /root/.cshrc ]

then

  touch /home/amagana/.cshrc

  if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"

  then

sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc

sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc

sed -i -e '4a\
                        ' /root/.cshrc

echo "Root executable search path is missing  will be inserted"

  fi

else

  echo "The .cshrc file exists and the executable search path PATH does exist"

fi


if [ ! -f /root/.tcshrc ]

then

  touch /root/.tcshrc

  if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc

  then
echo "Root executable search path is missing  will be inserted"
echo        >> /root/.tcshrc
echo        >> /root/.tcshrc

sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc

sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc


  fi

else

  echo "The .tcshrc file exists and the executable search path PATH does exist"

fi
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 8 Answers and 11 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 8 Answers and 11 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros