I have a long mitigation script and upon testing I noticed its not mitigation the target file I have it for any help would be great and I can take out the portion I am dealing with and run it by itself. It is an if statment and its a mystery to me. It is the part that is going to insert the sulogin string to /etc/inittab.
#!/bin/bash +x
exec > /home/scc/stiglog.log 2>&1
set -x
#Script to mitigate common CAT I, II and III's that are common among Linux boxes.
#Insert GRUB MD5 password after "timeout" to mitigate CAT I STIG ID:
#GEN008700 Rule ID: SV-37933r1_rule
if ! grep -q "$string" "$file"
then
echo "The md5 hash does not exist the md5 hash will be inserted"
sed -i -e '14a\
password --md5 $1$LJU/J0$nfb5N24GCqD6EdR8UobBL.' "$file"
else
echo "The md5 hash exists in $file"
fi
#Auditing must be enabled at boot by setting a kernel parameter.
#If auditing is enabled late in the boot process, the actions of startup scripts may not be audited.
#STIG ID: GEN000000-LNX00720 Rule ID: SV-27001r1_rule
then
echo "Doing nothing $string4 kernel parameter is enabled"
fi
if ! grep -q "$string4" "$file"
then
echo "$String4 kernel parameter is missing will be enabled"
sed -i -e "/quiet/ s|$| "$string4"|" "$file"
fi
#Remove "nullok" from system-auth to mitigate CAT I Rule or it may be possible to log into the account #without authentication.
#STIG ID: GEN000560 Rule ID: SV-37259r1_rule
if ! grep -q "$string5" "$file1"
then
echo "Skipping "$string5" is not found"
else
echo ""$string5" is found needs to be removed to avoid use of blank passwords"
sed -i -e 's/"$string5"/g' "$file1"
fi
#Ensure the CTRL-ALT-DELETE key sequence has been disabled and attempts to use the sequence are logged
#Mitigate CAT I STIG ID: GEN000=000-LNX00580 Rule ID: SV-37327r1_rule
if grep -q "$string3" "$file0"
then
echo "Doing nothing "$string1" already disabled"
else
if grep -q "$string1" "$file0"
then
echo "$string1 is found must be disabled and logged"
sed -i -e "s/$string2/$string3/g" "$file0"
sed -i '33a\
ca:nil:ctrlaltdel:/usr/bin/logger -p security.info "Ctrl-Alt-Del was pressed"' "$file0"
fi
fi
#STIG ID: GEN000000-LNX00360 Rule ID: SV-37207r1_rule.
#The X server must have the correct options enabled.
if ! grep -q "server-Standard" "/etc/gdm/custom.conf"
then
echo "The X server options are not enabled in $file3 and will be inserted"
echo "The X server options are enabled /etc/gdm/custom.conf"
fi
#The /etc/access.conf file must have mode 0640 or less permissive.
#STIG ID: GEN000000-LNX00440 Rule ID: SV-37243r1_rule
chmod 0640 /etc/security/access.conf
#The /etc/sysctl.conf file must have mode 0600 or less permissive.
#STIG ID: GEN000000-LNX00520 Rule ID: SV-37258r1_rule
chmod 0600 /etc/sysctl.conf
#The system must require authentication upon booting into single-user and maintenance modes.
#STIG ID: GEN000020 Rule ID: SV-37350r1_rule
if ! grep -q "~:S:wait:/sbin/sulogin" "$file0"
then
echo "The /etc/inittab does not contain authentication into single-user and will be inserted"
sed -i -e '54a\
\#Single User Mode Password' "$file0"
sed -i -e '55a\
~:S:wait:/sbin/sulogin' "$file0"
else
echo "Single User Authentication is enabled in $file0"
fi
#The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
#STIG ID: GEN000252 Rule ID: SV-37417r1_rule
chmod 0640 /etc/ntp.conf
#The system must not have the unnecessary "news" account.
#STIG ID: GEN000290-2 Rule ID: SV-34574r1_rule
userdel news
#The system must not have the unnecessary "gopher" account.
#STIG ID: GEN000290-3 Rule ID: SV-34575r1_rule
userdel gopher
#The system must not have the unnecessary "ftp" account.
#STIG ID: GEN000290-4 Rule ID: SV-34578r1_rule Vuln ID: V-27279
userdel ftp
#The Department of Defense (DoD) login banner must be displayed
#STIG ID: GEN000400 Rule ID: SV-37169r1_rule
if grep -q "$string7" "$file4"
then
echo "DoD Banner enabled"
sed -i -e "s/$string6/$string7/g" "$file4"
fi
#The system must disable accounts after three consecutive unsuccessful login attempts.
#STIG ID: GEN000460 Rule ID: SV-37203r1_rule
if ! grep -q "pam_tally2.so" "$file5"
then
echo "System-auth file is missing pam_tally2 and is not disabling accounts after three unsuccessful login attempts"
sed -i -e '4a\
auth required pam_access.so' "$file5"
sed -i -e '5a\
auth required pam_tally2.so deny=3' "$file5"
sed -i -e '6a\
auth include system-auth-ac' "$file5"
sed -i -e '12a\
account required pam_tally2.so' "$file5"
sed -i -e '13a\
account include system-auth-ac' "$file5"
sed -i -e '18a\
password include system-auth-ac' "$file5"
sed -i -e '23a\
session include system-auth-ac' "$file5"
echo "System is using pam_tally2 and disabling accounts after three unsuccessful login attempts"
fi
#Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity
#STIG ID: GEN000500 Rule ID: SV-29796r1_rule
#Users must not be able to change passwords more than once every 24 hours.
#STIG ID: GEN000540 Rule ID: SV-37239r1_rule
echo "Passwords require 1 day minimum before changing"
for i in `cat /etc/passwd | grep ^ | awk -F":" '{print $1} ' | sort `
do echo $i | passwd -n 1 $i
done
#The system must require passwords contain a minimum of 14 characters.
#STIG ID: GEN000580 Rule ID: SV-37260r1_rule
if ! grep -q "minlen=14" "$file7"
then
echo "System-auth required to have passwords contain a minimum of 14 characters"
sed -i -e '17a\
password requisite pam_cracklib.so minlen=14' "$file7"
else
echo "System-auth using minimum of 14 character passwords"
fi
#The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
#STIG ID: GEN000590 Rule ID: SV-26313r1_rule
if ! egrep -q "sha512" "$file5"
then
echo "System not using FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes"
echo "Replacing md5 hash with sha512"
sed -i -e "s/md5/sha512/g" "$file5"
else
echo "System using sha512 hash"
fi
#The system must require passwords contain at least one uppercase alphabetic character.
#STIG ID: GEN000600 Rule ID: SV-41826r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "passwords must contain at least one uppercase alphabetic character"
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth using at least one uppercase alphabetic character in passwords"
fi
#The system must require passwords contain at least one lowercase alphabetic character.
#STIG ID: GEN000610 Rule ID: SV-26321r1_rule
if ! grep -q "ucredit=-1" "$file7"
then
echo "Passwords must contain at least one uppercase alphabetic character."
sed -i -e '22a\
password required pam_cracklib.so ucredit=-1' "$file7"
else
echo "System-auth is using one uppercase alphabetic character in passwords."
fi
#The system must require passwords contain at least one numeric character.
#STIG ID: GEN000620 Rule ID: SV-37281r1_rule
if ! grep -q "dcredit=-1" "$file7"
then
echo "passwords must contain one numerical character"
sed -i -e '22a\
password required pam_cracklib.so dcredit=-1' "$file7"
else
echo "System-auth using at least one numerical character in passwords"
fi
#The system must require passwords contain at least one special character.
#STIG ID: GEN000640 Rule ID: SV-37287r1_rule
if ! grep -q "ocredit=-1" "$file7"
then
echo "passwords must contain one special character"
sed -i -e '22a\
password required pam_cracklib.so ocredit=-1' "$file7"
else
echo "System-auth using at least one special character in passwords"
fi
#The system must require passwords contain no more than three consecutive repeating characters.
#STIG ID: GEN000680 Rule ID: SV-37294r1_rule Vuln ID: V-11975
if ! grep -q "maxrepeat=3" "$file7"
then
echo "The maxrepeat option is missing for limiting excessive repeated characters for passwords"
sed -i -e '24a\
password required pam_cracklib.so maxrepeat=3' "$file7"
else
echo "The maxrepeat option is limited to three repeating characters"
fi
#User passwords must be changed at least every 60 days.
#STIG ID: GEN000700 Rule ID: SV-37298r1_rule
echo "looking at user ID's from 1000 and greater"
echo "User passwords must be changed at least every 60 days"
chmod +w /etc/passwd
chmod +w /etc/shadow
for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`
do
sed -i -e "/$i/ s/\:99999/\:60/g" /etc/shadow
echo "This is a list of users that required 60 day passwords"
echo $i >> /etc/60_days.txt
done
chmod -w /etc/passwd
chmod -w /etc/shadow
#The system must require at least four characters be changed between the old and new passwords during a password change.
#STIG ID: GEN000750 Rule ID: SV-37304r1_rule
if ! grep -q "difok=4" "$file7"
then
echo "Must ensure that old and new passwords have significant differences"
sed -i -e '19a\
password required pam_cracklib.so difok=4' "$file7"
else
echo "System-auth is using rule to allow four characters be changed between the old and new passwords"
fi
#The root account's home directory /root must have mode 0700.
#STIG ID: GEN000920 Rule ID: SV-37355r1_rule
for i in `grep "^root" /etc/passwd | awk -F":" '{print $6}'`
do
if [[ -r "$i" && -w "$i" && -x "$i" ]]
then
echo "/root is not 700 and required to be changed"
chmod 700 $i
else
echo "/root is 700"
fi
done
#The root account's executable search path must be the vendor default and must contain only absolute paths.
#STIG ID: GEN000940 Rule ID: SV-37360r1_rule
echo "Searching for files in /root .bashrc, .cshrc and tcshrc"
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.bashrc"
then
echo "Root executable search path is missing will be inserted"
sed -i -e '3a\
#User specific environment and startup programs' "/root/.bashrc"
sed -i -e '4a\
PATH=$PATH:$HOME/bin' "/root/.bashrc"
else
echo "The executable search path PATH does exist"
fi
if [ ! -f /root/.cshrc ]
then
touch /home/amagana/.cshrc
if ! grep -q "PATH=$PATH:$HOME/bin" "/root/.cshrc"
then
sed -i -e '2a\
\#User specific environment and startup programs' /root/.cshrc
sed -i -e '3a\
PATH\=\$PATH\:\$HOME/bin' /root/.cshrc
sed -i -e '4a\
' /root/.cshrc
echo "Root executable search path is missing will be inserted"
fi
else
echo "The .cshrc file exists and the executable search path PATH does exist"
fi
if [ ! -f /root/.tcshrc ]
then
touch /root/.tcshrc
if ! grep -q "PATH=$PATH:$HOME/bin" /root/.tcshrc
then
echo "Root executable search path is missing will be inserted"
echo >> /root/.tcshrc
echo >> /root/.tcshrc
sed -i -e '1a\
\#User specific environment and startup programs' /root/.tcshrc
sed -i -e '2a\
PATH\=\$PATH\:\$HOME/bin' /root/.tcshrc
fi
else
echo "The .tcshrc file exists and the executable search path PATH does exist"
fi
Unix OSProgramming Languages-OtherScripting Languages
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
Unlimited question asking, solutions, articles and more.
atom_jelly
ASKER
I appreciate the wisdom of this community when I am in a jam.
atom_jelly
ASKER
Please close.
atom_jelly
ASKER
To be like a duck you must act like a duck.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!