troubleshooting Question
Script not executing
asked on
Hello,
I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.
#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x
#Script to mitigate common CAT I, II and III's that are common among Linux boxes.
# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync
#Mitigates CAT I GEN000000-LNX00320 Rule ID: SV-37181r1_rule
userdel shutdown
userdel halt
userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#
#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf
file0="/etc/inittab"
file1="/etc/pam.d/system-a
file2="/var/log/btmp"
file3="/etc/gdm/custom.con
file4="/etc/ssh/sshd_confi
file5="/etc/pam.d/system-a
file6="system-auth"
file7="/etc/pam.d/system-a
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"
#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule
if ! grep -q "$string" "$file"
then
echo "The md5 hash does not exist the md5 hash will be inserted"
sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8
else
echo "The md5 hash exists in $file"
fi
#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720 Rule ID: SV-27001r1_rule
echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.con
if grep -q "$string4" "$file"
then
echo "Doing nothing $string4 kernel parameter is enabled"
fi
if ! grep -q "$string4" "$file"
then
echo "$String4 kernel parameter is missing will be enabled"
sed -i -e "/quiet/ s|$| "$string4"|" "$file"
fi
#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule
if ! grep -q "$string5" "$file1"
then
echo "Skipping "$string5" is not found"
else
echo ""$string5" is found needs to be removed to avoid use of blank passwords"
sed -i -e 's/"$string5"/g' "$file1"
fi
#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580 Rule ID: SV-37327r1_rule
if grep -q "$string3" "$file0"
then
echo "Doing nothing "$string1" already disabled"
else
if grep -q "$string1" "$file0"
then
echo "$string1 is found must be disabled and logged"
sed -i -e "s/$string2/$string3/g" "$file0"
sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin
fi
fi
#STIG ID: GEN000000-LNX00360 Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.
if ! grep -q "server-Standard" "/etc/gdm/custom.conf"
then
echo "The X server options are not enabled in $file3 and will be inserted"
sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file"
exec gdm-safe-restart
else
echo "The X server options are enabled /etc/gdm/custom.conf"
fi
#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440 Rule ID: SV-37243r1_rule
chmod 0640 /etc/security/access.conf
#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520 Rule ID: SV-37258r1_rule
chmod 0600 /etc/sysctl.conf
#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020 Rule ID: SV-37350r1_rule
if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"
then
echo "The /etc/inittab does not contain authentication into single-user and will be inserted"
sed -i -e '54a\
\#Single User Mode Password' "$file0"
sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"
else
echo "Single User Authentication is enabled in $file0"
fi
#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252 Rule ID: SV-37417r1_rule
chmod 0640 /etc/ntp.conf
#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2 Rule ID: SV-34574r1_rule
userdel news
#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3 Rule ID: SV-34575r1_rule
userdel gopher
#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4 Rule ID: SV-34578r1_rule Vuln ID: V-27279
userdel ftp
#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400 Rule ID: SV-37169r1_rule
if grep -q "$string7" "$file4"
then
echo "DoD Banner enabled"
sed -i -e "s/$string6/$string7/g" "$file4"
fi
#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460 Rule ID: SV-37203r1_rule
if ! grep -q "pam_tally2.so" "$file5"
then
echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"
sed -i -e '4a\
auth required pam_access.so' "$file5"
sed -i -e '5a\
auth required pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth include system-auth-ac' "$file5"
sed -i -e '12a\
account required pam_tally2.so' "$file5"
sed -i -e '13a\
account include system-auth-ac' "$file5"
sed -i -e '18a\
password include system-auth-ac' "$file5"
sed -i -e '23a\
session include system-auth-ac' "$file5"
cp "$file5" "system-auth-local"
unlink "$file6"
ln -s /etc/pam.d/system-auth-loc
else
echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"
fi
#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500 Rule ID: SV-29796r1_rule
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2 Rule ID: SV-34582r1_rule
echo "graphical desktop sessions should lock after 15 minutes"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3 Rule ID: SV-34583r1_rule
echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540 Rule ID: SV-37239r1_rule
echo "Passwords require 1 day minimum before changing"
for i in `cat /etc/passwd | grep ^ | awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done
#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580 Rule ID: SV-37260r1_rule
if ! grep -q "minlen=14" "$file7"
then
echo "System-auth required to have passwords contain a minimum of 14 characters"
sed -i -e '17a\
password requisite pam_cracklib.so minlen=14' "$file7"
else
echo "System-auth using minimum of 14 character passwords"
fi
#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590 Rule ID: SV-26313r1_rule
if ! egrep -q "sha512" "$file5"
then
echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
echo "Replacing md5 hash with sha512"
sed -i -e "s/md5/sha512/g" "$file5"
else
echo "System using sha512 hash"
fi
#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600 Rule ID: SV-41826r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "passwords must contain at least one uppercase alphabetic character"
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth using at least one uppercase alphabetic character in passwords"
fi
#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610 Rule ID: SV-26321r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "Passwords must contain at least one uppercase alphabetic character."
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth is using one uppercase alphabetic character in passwords."
fi
#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620 Rule ID: SV-37281r1_rule
if ! grep -q "dcredit=-1" "$file7"
then
echo "passwords must contain one numerical character"
sed -i -e '22a\
password required pam_cracklib.so dcredit=-1' "$file7"
else
echo "System-auth using at least one numerical character in passwords"
fi
#The system must require passwords contain at least one special character.
#STIG ID: GEN000640 Rule ID: SV-37287r1_rule
if ! grep -q "ocredit=-1" "$file7"
then
echo "passwords must contain one special character"
sed -i -e '22a\
password required pam_cracklib.so ocredit=-1' "$file7"
else
echo "System-auth using at least one special character in passwords"
fi
#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680 Rule ID: SV-37294r1_rule Vuln ID: V-11975
if ! grep -q "maxrepeat=3" "$file7"
then
echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"
sed -i -e '24a\
password required pam_cracklib.so maxrepeat=3' "$file7"
else
echo "The maxrepeat option is limited to three repeating characters"
fi
#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700 Rule ID: SV-37298r1_rule
cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`
echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"
chmod +w /etc/passwd
chmod +w /etc/shadow
for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`
do
sed -i -e "/$i/ s/\:99999/\:60/g" /etc/shadow
echo "This is a list of users that required 60 day passwords"
echo $i >> /etc/60_days.txt
done
chmod -w /etc/passwd
chmod -w /etc/shadow
#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750 Rule ID: SV-37304r1_rule
if ! grep -q "difok=4" "$file7"
then
echo "Must ensure that old and new passwords have significant differences"
sed -i -e '19a\
password required pam_cracklib.so difok=4' "$file7"
else
echo "System-auth is using rule to allow four characters be changed between the old and new passwords"
fi
#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920 Rule ID: SV-37355r1_rule
for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`
do
if [[ -r "$i" && -w "$i" && -x "$i" ]]
then
echo "/root is not 700 and required to be changed"
chmod 700 $i
else
echo "/root is 700"
fi
done
#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940 Rule ID: SV-37360r1_rule
echo "Searching for files in /root .bashrc, .cshrc and tcshrc"
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"
then
echo "Root executable search path is missing will be inserted"
sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"
sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"
else
echo "The executable search path PATH does exist"
fi
if [ ! -f /root/.cshrc ]
then
touch /home/amagana/.cshrc
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"
then
sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc
sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc
sed -i -e '4a\
' /root/.cshrc
echo "Root executable search path is missing will be inserted"
fi
else
echo "The .cshrc file exists and the executable search path PATH does exist"
fi
if [ ! -f /root/.tcshrc ]
then
touch /root/.tcshrc
if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc
then
echo "Root executable search path is missing will be inserted"
echo >> /root/.tcshrc
echo >> /root/.tcshrc
sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc
sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc
fi
else
echo "The .tcshrc file exists and the executable search path PATH does exist"
fi
I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.
#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x
#Script to mitigate common CAT I, II and III's that are common among Linux boxes.
# This section sets/resets permissions and ownership of critical files.
#
#
chmod -R 755 /etc/init.d/*
chmod -R 700 /root
touch /etc/.login
chmod -R 644 /etc/.login
chmod -R 644 /etc/profile
chmod -R 644 /etc/bashrc
chmod -R 644 /etc/environment
touch /etc/security/environ
chmod -R 644 /etc/security/environ
chmod -R 644 /etc/skel
touch /dev/audio
chmod -R 644 /dev/audio
chmod -R 640 /var/log/*
touch /etc/cron.allow
chmod -R 600 /etc/cron.allow
touch /etc/cron.deny
chmod -R 700 /etc/cron.deny
chmod -R 600 /var/spool/cron/
chmod -R 600 /etc/cron.d/
chmod -R 600 /etc/crontab
chmod -R 700 /etc/cron.daily/
chmod -R 700 /etc/cron.hourly/
chmod -R 700 /etc/cron.monthly/
chmod -R 700 /etc/cron.weekly/
chmod -R 600 /var/log/cron
touch /etc/at.allow
chmod -R 700 /etc/at.allow
chmod -R 755 /var/spool/at/spool
chmod -R 700 /var/crash
chmod -R 600 /etc/sysctl.conf
chmod -R 755 /etc/xinetd.conf
chmod -R 755 /etc/xinetd.d
chmod -R 644 /etc/services
chmod -R 700 /bin/traceroute
chmod -R 640 /etc/syslog.conf
chmod -R 600 /etc/grub.conf
chmod -R 755 /usr/lib/*
chmod -R 640 /etc/security/access.conf
chmod -R 640 /etc/securetty
chmod -R 644 /usr/share/man
chmod -R 644 /usr/share/info
touch /usr/share/infopage
chmod -R 644 /usr/share/infopage
chmod -R 744 /selinux
chmod -R 744 /sys/class/scsi_host/*
#
#
# This section sets/resets file ownership.
#
#
chown root:root /etc/.login
chown root:root /etc/profile
chown root:root /etc/bashrc
chown root:root /etc/environment
chown root:root /etc/security/environ
chown root:root /dev/audio
chown root:root /var/spool/cron/
chown root:root /etc/cron.d/
chown root:root /etc/crontab
chown root:root /etc/cron.daily/
chown root:root /etc/cron.hourly/
chown root:root /etc/cron.monthly/
chown root:root /etc/cron.weekly/
chown root:root /var/spool/at/
chown root:root /etc/sysctl.conf
chown root:root /etc/xinetd.conf
chown root:root /etc/xinetd.d
chown root:root /etc/services
chown root:root /bin/traceroute
chown root:root /etc/syslog.conf
chown root:root /etc/security/access.conf
chown root:root /etc/securetty
#
#
# This section removes unnecessary users.
# Thanks to Bill Bowers/ESI for much of this module.
#
userdel lp
userdel sync
#Mitigates CAT I GEN000000-LNX00320 Rule ID: SV-37181r1_rule
userdel shutdown
userdel halt
userdel news
userdel gopher
userdel operator
userdel games
userdel mail
userdel uucp
userdel ftp
userdel netdump
# Remove a few more users - scz, 02Dec2009
userdel adm
userdel pcap
userdel avahi-autoipd
userdel sabayon
#
#
#This section mitigates grub.conf, system-auth, /etc/inittab
#
file="/boot/grub/grub.conf
file0="/etc/inittab"
file1="/etc/pam.d/system-a
file2="/var/log/btmp"
file3="/etc/gdm/custom.con
file4="/etc/ssh/sshd_confi
file5="/etc/pam.d/system-a
file6="system-auth"
file7="/etc/pam.d/system-a
string="password"
string1="ctrlaltdel"
string2="ca::"
string3="#ca::"
string4="audit=1"
string5="nullok"
string6="#Banner"
string7="Banner"
#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule
if ! grep -q "$string" "$file"
then
echo "The md5 hash does not exist the md5 hash will be inserted"
sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8
else
echo "The md5 hash exists in $file"
fi
#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720 Rule ID: SV-27001r1_rule
echo "Backup grub.conf /boot/grub/grub.conf..."
/bin/cp /boot/grub/grub.conf /boot/grub/backup.grub.con
if grep -q "$string4" "$file"
then
echo "Doing nothing $string4 kernel parameter is enabled"
fi
if ! grep -q "$string4" "$file"
then
echo "$String4 kernel parameter is missing will be enabled"
sed -i -e "/quiet/ s|$| "$string4"|" "$file"
fi
#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule
if ! grep -q "$string5" "$file1"
then
echo "Skipping "$string5" is not found"
else
echo ""$string5" is found needs to be removed to avoid use of blank passwords"
sed -i -e 's/"$string5"/g' "$file1"
fi
#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580 Rule ID: SV-37327r1_rule
if grep -q "$string3" "$file0"
then
echo "Doing nothing "$string1" already disabled"
else
if grep -q "$string1" "$file0"
then
echo "$string1 is found must be disabled and logged"
sed -i -e "s/$string2/$string3/g" "$file0"
sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin
fi
fi
#STIG ID: GEN000000-LNX00360 Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.
if ! grep -q "server-Standard" "/etc/gdm/custom.conf"
then
echo "The X server options are not enabled in $file3 and will be inserted"
sed -i -e '41a\
\[server-Standard\]\
name=Standard server\
command=/usr/bin/Xorg -br -audit 4 -s 15\
chooser=false\
handled=true\
flexible=true\
priority=0' "$file"
exec gdm-safe-restart
else
echo "The X server options are enabled /etc/gdm/custom.conf"
fi
#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440 Rule ID: SV-37243r1_rule
chmod 0640 /etc/security/access.conf
#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520 Rule ID: SV-37258r1_rule
chmod 0600 /etc/sysctl.conf
#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020 Rule ID: SV-37350r1_rule
if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"
then
echo "The /etc/inittab does not contain authentication into single-user and will be inserted"
sed -i -e '54a\
\#Single User Mode Password' "$file0"
sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"
else
echo "Single User Authentication is enabled in $file0"
fi
#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252 Rule ID: SV-37417r1_rule
chmod 0640 /etc/ntp.conf
#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2 Rule ID: SV-34574r1_rule
userdel news
#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3 Rule ID: SV-34575r1_rule
userdel gopher
#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4 Rule ID: SV-34578r1_rule Vuln ID: V-27279
userdel ftp
#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400 Rule ID: SV-37169r1_rule
if grep -q "$string7" "$file4"
then
echo "DoD Banner enabled"
sed -i -e "s/$string6/$string7/g" "$file4"
fi
#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460 Rule ID: SV-37203r1_rule
if ! grep -q "pam_tally2.so" "$file5"
then
echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"
sed -i -e '4a\
auth required pam_access.so' "$file5"
sed -i -e '5a\
auth required pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth include system-auth-ac' "$file5"
sed -i -e '12a\
account required pam_tally2.so' "$file5"
sed -i -e '13a\
account include system-auth-ac' "$file5"
sed -i -e '18a\
password include system-auth-ac' "$file5"
sed -i -e '23a\
session include system-auth-ac' "$file5"
cp "$file5" "system-auth-local"
unlink "$file6"
ln -s /etc/pam.d/system-auth-loc
else
echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"
fi
#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500 Rule ID: SV-29796r1_rule
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#The graphical desktop environment must set the idle timeout to no more than 15 minutes.
#STIG ID: GEN000500-2 Rule ID: SV-34582r1_rule
echo "graphical desktop sessions should lock after 15 minutes"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Graphical desktop environments provided by the system must have automatic lock enabled.
#STIG ID: GEN000500-3 Rule ID: SV-34583r1_rule
echo "graphical desktop sessions required to lock the session after 15 minutes of inactivity"
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/g
#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540 Rule ID: SV-37239r1_rule
echo "Passwords require 1 day minimum before changing"
for i in `cat /etc/passwd | grep ^ | awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done
#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580 Rule ID: SV-37260r1_rule
if ! grep -q "minlen=14" "$file7"
then
echo "System-auth required to have passwords contain a minimum of 14 characters"
sed -i -e '17a\
password requisite pam_cracklib.so minlen=14' "$file7"
else
echo "System-auth using minimum of 14 character passwords"
fi
#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590 Rule ID: SV-26313r1_rule
if ! egrep -q "sha512" "$file5"
then
echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
echo "Replacing md5 hash with sha512"
sed -i -e "s/md5/sha512/g" "$file5"
else
echo "System using sha512 hash"
fi
#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600 Rule ID: SV-41826r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "passwords must contain at least one uppercase alphabetic character"
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth using at least one uppercase alphabetic character in passwords"
fi
#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610 Rule ID: SV-26321r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "Passwords must contain at least one uppercase alphabetic character."
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth is using one uppercase alphabetic character in passwords."
fi
#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620 Rule ID: SV-37281r1_rule
if ! grep -q "dcredit=-1" "$file7"
then
echo "passwords must contain one numerical character"
sed -i -e '22a\
password required pam_cracklib.so dcredit=-1' "$file7"
else
echo "System-auth using at least one numerical character in passwords"
fi
#The system must require passwords contain at least one special character.
#STIG ID: GEN000640 Rule ID: SV-37287r1_rule
if ! grep -q "ocredit=-1" "$file7"
then
echo "passwords must contain one special character"
sed -i -e '22a\
password required pam_cracklib.so ocredit=-1' "$file7"
else
echo "System-auth using at least one special character in passwords"
fi
#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680 Rule ID: SV-37294r1_rule Vuln ID: V-11975
if ! grep -q "maxrepeat=3" "$file7"
then
echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"
sed -i -e '24a\
password required pam_cracklib.so maxrepeat=3' "$file7"
else
echo "The maxrepeat option is limited to three repeating characters"
fi
#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700 Rule ID: SV-37298r1_rule
cp /etc/passwd /etc/backup_passwd_`date +%m-%d-20%y-%H%M`
cp /etc/shadow /etc/backup_shadow_`date +%m-%d-20%y-%H%M`
echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"
chmod +w /etc/passwd
chmod +w /etc/shadow
for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`
do
sed -i -e "/$i/ s/\:99999/\:60/g" /etc/shadow
echo "This is a list of users that required 60 day passwords"
echo $i >> /etc/60_days.txt
done
chmod -w /etc/passwd
chmod -w /etc/shadow
#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750 Rule ID: SV-37304r1_rule
if ! grep -q "difok=4" "$file7"
then
echo "Must ensure that old and new passwords have significant differences"
sed -i -e '19a\
password required pam_cracklib.so difok=4' "$file7"
else
echo "System-auth is using rule to allow four characters be changed between the old and new passwords"
fi
#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920 Rule ID: SV-37355r1_rule
for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`
do
if [[ -r "$i" && -w "$i" && -x "$i" ]]
then
echo "/root is not 700 and required to be changed"
chmod 700 $i
else
echo "/root is 700"
fi
done
#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940 Rule ID: SV-37360r1_rule
echo "Searching for files in /root .bashrc, .cshrc and tcshrc"
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"
then
echo "Root executable search path is missing will be inserted"
sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"
sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"
else
echo "The executable search path PATH does exist"
fi
if [ ! -f /root/.cshrc ]
then
touch /home/amagana/.cshrc
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"
then
sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc
sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc
sed -i -e '4a\
' /root/.cshrc
echo "Root executable search path is missing will be inserted"
fi
else
echo "The .cshrc file exists and the executable search path PATH does exist"
fi
if [ ! -f /root/.tcshrc ]
then
touch /root/.tcshrc
if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc
then
echo "Root executable search path is missing will be inserted"
echo >> /root/.tcshrc
echo >> /root/.tcshrc
sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc
sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc
fi
else
echo "The .tcshrc file exists and the executable search path PATH does exist"
fi
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 8 Answers and 11 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Most Valuable Expert award recognizes technology experts who passionately share their knowledge with the community, demonstrate the core values of this platform, and go the extra mile in all aspects of their contributions. This award is based off of nominations by EE users and experts. Multiple MVEs may be awarded each year.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.