#!/bin/bash #CIS Security Audit Script #Author: HCL #CIS RHEL audit script path /tmp/hostname_cis_report.txt echo echo echo echo echo echo echo
"*********************************************************" "CIS Security Audit Script" "Red Hat 7.5" "" "WARNING: This script is only for Red Hat 7.5, please use correct script" "for target operating system" "*********************************************************"
exec > >(tee "/tmp/`hostname`_cis_report.txt") 2>&1 echo "CIS Security Audit Report" echo "*DATE*" date echo "*OS*" cat /etc/redhat-release echo "*KERNEL*" uname -a echo "*HOST*" hostname echo "" echo "******1.1 Disable Unused File Systems******" echo "" echo "" echo "1.1.1 Ensure mounting of cramfs filesystems is disabled" echo "$ modprobe -n -v cramfs" modprobe -n -v cramfs echo "$ lsmod | grep -c cramfs" lsmod | grep -c cramfs echo "1.1.2 Ensure mounting of freevxfs filesystems is disabled" echo "$ modprobe -n -v freevxfs" modprobe -n -v freevxfs echo "$ lsmod | grep -c freevxfs" lsmod | grep -c freevxfs echo "1.1.3 Ensure mounting of jffs2 filesystems is disabled" echo "$ modprobe -n -v jffs2" modprobe -n -v jffs2 echo "$ lsmod | grep -c jffs2" lsmod | grep -c jffs2 echo "1.1.4 Ensure mounting of hfs filesystems is disabled" echo "$ modprobe -n -v hfs" modprobe -n -v hfs echo "$ lsmod | grep -c hfs" lsmod | grep -c hfs echo "1.1.5 Ensure mounting of hfsplus filesystems is disabled" echo "$ modprobe -n -v hfsplus" modprobe -n -v hfsplus echo "$ lsmod | grep -c hfsplus" lsmod | grep -c hfsplus
echo "1.1.6 Ensure mounting of squashfs filesystems is disabled" echo "$ modprobe -n -v squashfs" modprobe -n -v squashfs echo "$ lsmod | grep -c squashfs" lsmod | grep -c squashfs echo "1.1.7 Ensure mounting of udf filesystems is disabled" echo "$ modprobe -n -v udf" modprobe -n -v udf echo "$ lsmod | grep -c udf" lsmod | grep -c udf echo "1.1.8 Ensure mounting of FAT filesystems is disabled" echo "$ modprobe -n -v vfat" modprobe -n -v vfat echo "$ lsmod | grep -c vfat" lsmod | grep -c vfat echo "1.1.9 Ensure separate partition exists for /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "" echo "1.1.10 , 1.1.11 , 1.1.12" echo "Check nodev,nosuid,noexec are set on /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "1.1.13 Ensure separate partition exists for /var" echo "$ mount | grep /var" mount | grep /var echo "" echo "1.1.14 Ensure separate partition exists for /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "" echo "1.1.15 , 1.1.16 , 1.1.17" echo "Check nodev,nosuid,noexec are set on /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "1.1.18 Ensure separate partition exists for /var/log" echo "$ mount | grep /var/log" mount | grep /var/log echo "1.1.19 Ensure separate partition exists for /var/log/audit" echo "$ mount | grep /var/log/audit" mount | grep /var/log/audit echo "1.1.20 Ensure separate partition exists for /home" echo "$ mount | grep /home" mount | grep /home echo "" echo "1.1.21 Ensure nodev option set on /home partition" echo "$ mount | grep /home" mount | grep /home
echo "" echo "1.1.22 , 1.1.23" echo "Check nodev, noexec are set on /dev/shm" echo "$ mount | grep /dev/shm" mount | grep /dev/shm echo "" echo "1.1.24, 1.1.25, 1.1.26" echo "Check nodev, nosuid, noexec is set on removable media partitions" echo "$ mount " mount echo "" echo "1.1.27 Ensure sticky bit is set on all world-writable directories" echo "$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null echo "" echo "1.1.28 Disable Automounting" echo "$ systemctl is-enabled autofs " systemctl is-enabled autofs echo "" echo "******1.2 Configure Software Updates******" echo "" export https_proxy=proxy-ida.emea.adecco.net:8080 echo "" echo "1.2.1 Ensure package manager repositories are configured" echo "$ yum repolist " yum repolist echo echo echo grep
"" "1.2.2 Ensure gpgcheck is globally activated" "$ ygrep ^gpgcheck /etc/yum.conf " ^gpgcheck /etc/yum.conf
echo "" echo "1.2.3 Ensure GPG keys are configured" echo "$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' " rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' echo "" echo "1.2.4 Ensure Red Hat Network or Subscription Manager connection is configured" echo "$ subscription-manager identity" subscription-manager identity echo "" echo "******1.3 Filesystem Integrity Checking******" echo "" echo "" echo "1.3.1" echo "Check if AIDE is installed" echo "$ rpm -q aide" rpm -q aide
echo "" echo "1.3.2" echo "Check if filesystem is regularly checked" echo "$ crontab -u root -l | grep aide" crontab -u root -l | grep aide echo "" echo "******1.4 Secure Boot Settings******" echo "" echo echo echo echo stat
"" "1.4.1" "Check if permissions on bootloader config are configured" "$ stat /boot/grub2/grub.cfg" /boot/grub2/grub.cfg
echo echo echo echo grep
"" "1.4.2" "Check if bootloader is set" "$ grep '"^set supers"' /boot/grub2/grub.cfg" "^set supers" /boot/grub2/grub.cfg
echo "$ grep '"^"' /boot/grub2/grub.cfg" grep "^" /boot/grub2/grub.cfg echo echo echo echo grep
"" "1.4.3" "Check if authentication is required for single mode" "$ grep /sbin/su /usr/lib/systemd/system/rescue.service" /sbin/su /usr/lib/systemd/system/rescue.service
echo "$ grep /sbin/su /usr/lib/systemd/system/emergency.service" grep /sbin/su /usr/lib/systemd/system/emergency.service echo "" echo "******1.5 Additional Process Hardening******" echo "" echo echo echo echo grep
"" "1.5.1" "Check if core dumps are restricted" "$ grep '"hard core"' /etc/security/limits.conf /etc/security/limits.d/*" "hard core" /etc/security/limits.conf /etc/security/limits.d/*
echo "$ sysctl fs.suid_dumpable" sysctl fs.suid_dumpable echo "" echo "1.5.2" echo "Check if XD/NX is enabled" echo "$ dmesg | grep NX" dmesg | grep NX echo "" echo "1.5.3" echo "Check if address space layout randomization (ASLR) is enabled" echo "$ sysctl kernel.randomize_va_space" sysctl kernel.randomize_va_space
echo "" echo "1.5.4" echo "Check if prelink is disabled" echo "$ rpm -q prelink" rpm -q prelink echo "" echo ""******1.6 Mandatory Access Controls****** echo "" echo echo echo echo
"" "1.6.1" "Ensure SELinux is not disabled in bootloader configuration" ""
echo "$ grep "^\s*linux" /boot/grub2/grub.cfg" grep "^\s*linux" /boot/grub2/grub.cfg echo "" echo "1.6.2 Ensure the SELinux state is enforcing" echo "$ sestatus" sestatus echo "" echo "1.6.3 Ensure SELinux policy is configured" echo "$ sestatus" sestatus echo "" echo "1.6.4 Ensure SETroubleshoot is not installed" echo "$ rpm -q setroubleshoot" rpm -q setroubleshoot echo "" echo "1.6.5 Ensure no unconfined daemons exist" echo "$ ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'" ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' echo "" echo "1.6.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo ""******1.7 Warning Banners****** echo "" echo "" echo "1.7.1 Ensure message of the day is configured properly" echo "$ cat /etc/motd" cat /etc/motd echo "" echo "1.7.2 Ensure local warning banner is configured properly" echo "$ cat /etc/issue"
cat /etc/issue echo "" echo "1.7.3 Ensure remote warning banner is configured properly" echo "$ cat /etc/issue.net" cat /etc/issue.net echo echo echo stat
"" "1.7.4 Ensure permissions on /etc/motd are configured" "$ stat /etc/motd" /etc/motd
echo echo echo stat
"" "1.7.5 Ensure permissions on /etc/issue are configured" "$ stat /etc/issue" /etc/issue
echo "" echo "1.7.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo "1.7.7 Ensure GDM banner is configured" echo "$ cat /etc/dconf/profile/gdm" cat /etc/dconf/profile/gdm echo "" echo "1.7.8 Ensure updates, patches, and additional security software are installed" echo "Check if SELinux is installed" echo "$ yum check-update" yum check-update echo "" echo ""******1.8 Services****** echo "" echo "" echo "1.8.1 Ensure chargen services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.2 Ensure daytime services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.3 Ensure discard services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.4 Ensure echo services are not enabled" echo "$ chkconfig --list" chkconfig --list
echo "" echo "1.8.5 Ensure time services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.6 Ensure rsh server is not enabled" echo "$ systemctl is-enabled rsh.socket" systemctl is-enabled rsh.socket echo "" echo "1.8.7 Ensure talk server is not enabled" echo "$ systemctl is-enabled ntalk" systemctl is-enabled ntalk echo "" echo "1.8.8 Ensure telnet server is not enabled" echo "$ systemctl is-enabled telnet.socket" systemctl is-enabled telnet.socket echo "" echo "1.8.9 Ensure tftp server is not enabled" echo "$ systemctl is-enabled tftp.socket" systemctl is-enabled tftp.socket echo "" echo "1.8.10 Ensure rsync service is not enabled" echo "$ systemctl is-enabled rsyncd" systemctl is-enabled rsyncd echo "" echo "1.8.11 Ensure xinetd is not enabled" echo "$ systemctl is-enabled xinetd" systemctl is-enabled xinetd echo "" echo ""******1.9 Special Purpose Services******"" echo "" echo "" echo "1.9.1 Ensure time synchronization is in use" echo "$ rpm -q ntp" rpm -q ntp echo echo echo grep
"" "1.9.2 Ensure ntp is configured" "$ grep "^restrict" /etc/ntp.conf" "^restrict" /etc/ntp.conf
echo "" echo "1.9.3 Ensure chrony is configured" echo "$ Not Applicable as NTP Configured" echo "" echo "1.9.4 Ensure X Window System is not installed" echo "$ rpm -qa xorg-x11*" rpm -qa xorg-x11* echo ""
echo "1.9.5 Ensure AVAHI server is not enabled" echo "$ systemctl is-enabled avahi-daemon" systemctl is-enabled avahi-daemon echo "" echo "1.9.6 Ensure CUPS is not enabled" echo "$ systemctl is-enabled cups" systemctl is-enabled cups echo "" echo "1.9.7 Ensure DH server is not enabled" echo "$ systemctl is-enabled dhd" systemctl is-enabled dhd echo "" echo "1.9.8 Ensure LDAP server is not enabled" echo "$ systemctl is-enabled slapd" systemctl is-enabled slapd echo "" echo "1.9.9 Ensure NFS and RPC are not enabled" echo "$ systemctl is-enabled nfs" systemctl is-enabled nfs echo "" echo "1.9.10 Ensure DNS server is not enabled" echo "$ systemctl is-enabled named" systemctl is-enabled named echo "" echo "1.9.11 Ensure FTP server is not enabled" echo "$ systemctl is-enabled vsftpd" systemctl is-enabled vsftpd echo "" echo "1.9.12 Ensure HTTP server is not enabled" echo "$ systemctl is-enabled httpd" systemctl is-enabled httpd echo "" echo "1.9.13 Ensure IMAP and POP3 server is not enabled" echo "$ systemctl is-enabled dovecot" systemctl is-enabled dovecot echo "" echo "1.9.14 Ensure SAMBA server is not enabled" echo "$ systemctl is-enabled smb" systemctl is-enabled smb echo "" echo "1.9.15 Ensure HTTP Proxy server is not enabled" echo "$ systemctl is-enabled squid" systemctl is-enabled squid echo "" echo "1.9.16 Ensure SNMP server is not enabled" echo "$ systemctl is-enabled snmpd" systemctl is-enabled snmpd
echo "" echo "1.9.17 Ensure mail transfer agent is configured for loca-only mode" echo "$ netstat -an | grep LIST | grep '":25[[:space:]]"'" netstat -an | grep LIST | grep ":25[[:space:]]" echo "" echo "1.9.18 Ensure NIS server is not enabled" echo "$ systemctl is-enabled ypserv" systemctl is-enabled ypserv echo "" echo "******1.10 Service Clients******" echo "" echo "" echo "1.10.1 Ensure NIS Client is not installed" echo "$ rpm -q ypbind" rpm -q ypbind echo "" echo "1.10.2 Ensure rsh client is not installed" echo "$ rpm -q rsh" rpm -q rsh echo "" echo "1.10.3 Ensure talk client is not installed" echo "$ rpm -q talk" rpm -q talk echo "" echo "1.10.4 Ensure telnet client is not installed" echo "$ rpm -q telnet" rpm -q telnet echo "" echo "1.10.5 Ensure LDAP client is not installed" echo "$ rpm -q openldap-clients" rpm -q openldap-clients echo "" echo "******1.11 Network Configuration******" echo "" echo "" echo "1.11.1 Ensure IP forwarding is disabled" echo "$ sysctl net.ipv4.ip_forward" sysctl net.ipv4.ip_forward echo "" echo "1.11.2 Ensure packet redirect sending is disabled" echo "$ sysctl net.ipv4.conf.all.send_redirects" sysctl net.ipv4.conf.all.send_redirects echo "$ sysctl net.ipv4.conf.default.send_redirects" sysctl net.ipv4.conf.default.send_redirects echo "" echo "1.11.3 Ensure source routed packets are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_source_route" sysctl net.ipv4.conf.all.accept_source_route
echo "$ sysctl net.ipv4.conf.default.accept_source_route" sysctl net.ipv4.conf.default.accept_source_route echo "" echo "1.11.4 Check ICMP redicrects are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_redirects" sysctl net.ipv4.conf.all.accept_redirects echo "$ sysctl net.ipv4.conf.default.accept_redirects" sysctl net.ipv4.conf.default.accept_redirects echo "" echo "1.11.5 Check secure ICMP redirects are not accepted" echo "$ sysctl net.ipv4.conf.all.secure_redirects" sysctl net.ipv4.conf.all.secure_redirects echo "$ sysctl net.ipv4.conf.default.secure_redirects" sysctl net.ipv4.conf.default.secure_redirects echo "" echo "1.11.6 Check if suspicious packets are logged" echo "$ sysctl net.ipv4.conf.all.log_martians" sysctl net.ipv4.conf.all.log_martians echo "$ sysctl net.ipv4.conf.default.log_martians" sysctl net.ipv4.conf.default.log_martians echo "" echo "1.11.7 Ensure broadcast ICMP requests are ignored" echo "$ sysctl net.ipv4.icmp_echo_ignore_broadcasts" sysctl net.ipv4.icmp_echo_ignore_broadcasts echo "" echo "1.11.8 Ensure bogus ICMP responses are ignored" echo "$ sysctl net.ipv4.icmp_ignore_bogus_error_responses" sysctl net.ipv4.icmp_ignore_bogus_error_responses echo "" echo "1.11.9 Ensure Reverse Path Filtering is enabled" echo "$ sysctl net.ipv4.conf.all.rp_filter" sysctl net.ipv4.conf.all.rp_filter echo "$ sysctl net.ipv4.conf.default.rp_filter" sysctl net.ipv4.conf.default.rp_filter echo "" echo "1.11.10 Ensure T SYN Cookies is enabled" echo "$ sysctl net.ipv4.t_syncookies" sysctl net.ipv4.t_syncookies echo "" echo "1.11.11 Ensure IPv6 router ments are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_ra" sysctl net.ipv6.conf.all.accept_ra echo "$ sysctl net.ipv6.conf.default.accept_ra" sysctl net.ipv6.conf.default.accept_ra echo "" echo "1.11.12 Ensure IPv6 redirects are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_redirects" sysctl net.ipv6.conf.all.accept_redirects echo "$ sysctl net.ipv6.conf.default.accept_redirects" sysctl 
net.ipv6.conf.default.accept_redirects
echo "" echo "1.11.13 Ensure IPv6 is disabled" echo "$ modprobe -c | grep ipv6" modprobe -c | grep ipv6 echo "" echo "1.11.14 Ensure T Wrappers is installed" echo "$ rpm -q t_wrappers" rpm -q t_wrappers echo "" echo "1.11.15 Ensure /etc/hosts.allow is configured" echo "$ cat /etc/hosts.allow" cat /etc/hosts.allow echo "" echo "1.11.16 Ensure /etc/hosts.deny is configured" echo "$ cat /etc/hosts.deny" cat /etc/hosts.deny echo echo echo stat
"" "1.11.17 Ensure permissions on /etc/hosts.allow are configured" "$ stat /etc/hosts.allow" /etc/hosts.allow
echo echo echo stat
"" "1.11.18 Ensure permissions on /etc/hosts.deny are 644" "$ stat /etc/hosts.deny" /etc/hosts.deny
echo "" echo "******1.12 Uncommon Network Protocols******" echo "" echo "" echo "1.12.1 Ensure DC is disabled" echo "$ modprobe -n -v dc" modprobe -n -v dc echo "$ lsmod | grep dc" lsmod | grep dc echo "" echo "1.12.2 Ensure SCTP is disabled" echo "$ modprobe -n -v sctp" modprobe -n -v sctp echo "$ lsmod | grep sctp" lsmod | grep sctp echo "" echo "1.12.3 Ensure RDS is disabled" echo "$ modprobe -n -v rds" modprobe -n -v rds echo "$ lsmod | grep rds" lsmod | grep rds echo "" echo "1.12.4 Ensure TIPC is disabled" echo "$ modprobe -n -v tipc"
modprobe -n -v tipc echo "$ lsmod | grep tipc" lsmod | grep tipc echo "" echo "******1.13 Firewall Configuration******" echo "" echo "" echo "1.13.1 Check if iptables is installed" echo "$ rpm -q iptables" rpm -q iptables echo "" echo "1.13.2 Ensure default deny firewall policy" echo "$ iptables -L" iptables -L echo "" echo "1.13.3 Ensure loopback traffic is configured" echo "$ iptables -L INPUT -v -n" iptables -L INPUT -v -n echo "$ iptables -L OUTPUT -v -n" iptables -L OUTPUT -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ netstat -ln" netstat -ln echo "" echo "1.13.6 Ensure wireless interfaces are disabled" echo "$ iwconfig" iwconfig echo "$ ip link show up" ip link show up echo "" echo "******1.14 Logging and Auditing******" echo "" echo "" echo "1.14.1 Configure System ing" echo "$ service auditd reload"
service auditd reload echo "" echo "1.14.2 Ensure audit log storage size is configured" echo "$ service auditd reload" service auditd reload echo echo echo grep echo grep echo grep
"" "1.14.3 Ensure system is disabled when audit logs are full" "$ grep space_left_action /etc/audit/auditd.conf" space_left_action /etc/audit/auditd.conf "$ grep action_mail_acct /etc/audit/auditd.conf" action_mail_acct /etc/audit/auditd.conf "$ grep _space_left_action /etc/audit/auditd.conf" _space_left_action /etc/audit/auditd.conf
echo echo echo grep
"" "1.14.4 Ensure audit logs are not automatically deleted" "$ grep max_log_file_action /etc/audit/auditd.conf" max_log_file_action /etc/audit/auditd.conf
echo "" echo "1.14.5 Ensure auditd service is enabled" echo "$ systemctl is-enabled auditd" systemctl is-enabled auditd echo echo echo grep
"" "1.14.6 Ensure auditing for processes that start prior to auditd is enabled" "$ grep "^\s*linux" /boot/grub2/grub.cfg" "^\s*linux" /boot/grub2/grub.cfg
echo echo echo grep
"" "1.14.7 Ensure events that modify date and time information are collected" "$ grep time-change /etc/audit/audit.rules" time-change /etc/audit/audit.rules
echo echo echo grep
"" "1.14.8 Ensure events that modify /group information are collected" "$ grep identity /etc/audit/audit.rules" identity /etc/audit/audit.rules
echo "" echo "1.14.9 Ensure events that modify the system's network environment are collected" echo "$ grep system-locale /etc/audit/audit.rules" grep system-locale /etc/audit/audit.rules echo "" echo "1.14.10 Ensure events that modify the system's Mandatory Access Controls are collected" echo "$ grep MAC-policy /etc/audit/audit.rules" grep MAC-policy /etc/audit/audit.rules echo echo echo grep
"" "1.14.11 Ensure and events are collected" "$ grep s /etc/audit/audit.rules" s /etc/audit/audit.rules
echo ""
echo "1.14.12 Ensure session initiation information is collected" echo "$ grep session /etc/audit/audit.rules" grep session /etc/audit/audit.rules echo "" echo "1.14.13 Ensure discretionary access control permission modification events are collected" echo "$ grep perm_mod /etc/audit/audit.rules" grep perm_mod /etc/audit/audit.rules echo echo echo grep
"" "1.14.14 Ensure unsuccessful unauthorized file access attempts are collected" "$ grep access /etc/audit/audit.rules" access /etc/audit/audit.rules
echo "" echo "1.14.15 Ensure use of privileged commands is collected" echo "$ find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'" find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' echo echo echo grep
"" "1.14.16 Ensure successful file system mounts are collected" "$ grep mounts /etc/audit/audit.rules" mounts /etc/audit/audit.rules
echo echo echo grep
"" "1.14.17 Ensure file deletion events by s are collected" "$ grep delete /etc/audit/audit.rules" delete /etc/audit/audit.rules
echo echo echo grep
"" "1.14.18 Ensure changes to system istration scope (sudoers) is collected" "$ grep scope /etc/audit/audit.rules" scope /etc/audit/audit.rules
echo echo echo grep
"" "1.14.19 Ensure system actions (sudolog) are collected" "$ grep actions /etc/audit/audit.rules" actions /etc/audit/audit.rules
echo echo echo grep
"" "1.14.20 Ensure kernel module loading and unloading is collected" "$ grep modules /etc/audit/audit.rules" modules /etc/audit/audit.rules
echo echo echo grep
"" "1.14.21 Ensure the audit configuration is immutable" "$ grep "^\s*[^#]" /etc/audit/audit.rules | tail -1" "^\s*[^#]" /etc/audit/audit.rules | tail -1
echo "" echo "******1.15 Configure Logging******" echo "" echo ""
echo "1.15.1 echo "Check if rsyslog is enabled" echo "$ systemctl is-enabled rsyslog" systemctl is-enabled rsyslog echo "" echo "1.15.2 Check if logging is configured" echo "$ ls -al /var/log" ls -al /var/log echo echo echo grep
"" "1.15.3 Ensure rsyslog default file permissions configured" "$ grep ^\$FileCreateMode /etc/rsyslog.conf" ^\$FileCreateMode /etc/rsyslog.conf
echo echo echo grep
"" "1.15.4 Ensure rsyslog is configured to send logs to a remote log host" "$ grep "^*.*[^I][^I]*@" /etc/rsyslog.conf" "^*.*[^I][^I]*@" /etc/rsyslog.conf
echo "" echo "1.15.5 Ensure remote rsyslog messages are only accepted on designated log hosts" echo "$ grep '$ModLoad imt.so' /etc/rsyslog.conf" grep '$ModLoad imt.so' /etc/rsyslog.conf echo "$ grep '$InputTServerRun' /etc/rsyslog.conf" grep '$InputTServerRun' /etc/rsyslog.conf echo "" echo "1.15.6 Ensure syslog-ng service is enabled" echo "$ systemctl is-enabled syslog-ng" systemctl is-enabled syslog-ng echo "" echo "1.15.7 Ensure logging is configured" echo "$ ls -l /var/log/" ls -l /var/log/ echo echo echo grep
"" "1.15.8 Ensure syslog-ng default file permissions configured" "$ grep ^options /etc/syslog-ng/syslog-ng.conf" ^options /etc/syslog-ng/syslog-ng.conf
echo "" echo "1.15.9 Ensure syslog-ng is configured to send logs to a remote log host" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.10 Ensure remote syslog-ng messages are only accepted on designated log hosts" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.11 Ensure rsyslog or syslog-ng is installed" echo "$ rpm -q rsyslog" rpm -q rsyslog echo "$ rpm -q syslog-ng" rpm -q syslog-ng
echo echo echo find
"" "1.15.12 Ensure permissions on all logfiles are configured" "$ find /var/log -type f -ls" /var/log -type f -ls
echo "" echo "1.15.13 Ensure logrotate is configured" echo "$ cat /etc/logrotate.conf" cat /etc/logrotate.conf echo "$ cat /etc/logrotate.d/*" cat /etc/logrotate.d/* echo "" echo "******1.16 Access, Authentication and Authorisation******" echo "" echo "" echo "1.16.1 Configure cron" echo "$ systemctl is-enabled crond" systemctl is-enabled crond echo echo echo stat
"" "1.16.2 Ensure permissions on /etc/crontab are configured" "$ stat /etc/crontab" /etc/crontab
echo echo echo stat
"" "1.16.3 Ensure permissions on /etc/cron.hourly are configured" "$ stat /etc/cron.hourly" /etc/cron.hourly
echo echo echo stat
"" "1.16.4 Ensure permissions on /etc/cron.daily are configured" "$ stat /etc/cron.daily" /etc/cron.daily
echo echo echo stat
"" "1.16.5 Ensure permissions on /etc/cron.weekly are configured" "$ stat /etc/cron.weekly" /etc/cron.weekly
echo echo echo stat
"" "1.16.6 Ensure permissions on /etc/cron.monthly are configured" "$ stat /etc/cron.monthly" /etc/cron.monthly
echo echo echo stat
"" "1.16.7 Ensure permissions on /etc/cron.d are configured" "$ stat /etc/cron.d" /etc/cron.d
echo echo echo stat echo stat
"" "1.16.8 Ensure at/cron is restricted to authorized s" "$ stat /etc/cron.deny" /etc/cron.deny "$ stat /etc/at.deny" /etc/at.deny
echo echo echo stat
"" "1.16.9 Ensure permissions on /etc/ssh/sshd_config are configured" "$ stat /etc/ssh/sshd_config" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.10 Ensure SSH Protocol is set to 2" "$ grep "^Protocol" /etc/ssh/sshd_config" "^Protocol" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.11 Ensure SSH LogLevel is set to INFO" "$ grep "^LogLevel" /etc/ssh/sshd_config" "^LogLevel" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.12 Ensure SSH X11 forwarding is disabled" "$ grep "^X11Forwarding" /etc/ssh/sshd_config" "^X11Forwarding" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.13 Ensure SSH MaxAuthTries is set to 4 or less" "$ grep "^MaxAuthTries" /etc/ssh/sshd_config" "^MaxAuthTries" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.14 Ensure SSH IgnoreRhosts is enabled" "$ grep "^IgnoreRhosts" /etc/ssh/sshd_config" "^IgnoreRhosts" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.15 Ensure SSH HostbasedAuthentication is disabled" "$ grep "^HostbasedAuthentication" /etc/ssh/sshd_config" "^HostbasedAuthentication" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.16 Ensure SSH root is disabled" "$ grep "^PermitRoot" /etc/ssh/sshd_config" "^PermitRoot" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.17 Ensure SSH PermitEmptys is disabled" "$ grep "^PermitEmptys" /etc/ssh/sshd_config" "^PermitEmptys" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.18 Ensure SSH PermitEnvironment is disabled" "$ grep PermitEnvironment /etc/ssh/sshd_config" PermitEnvironment /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.19 Ensure only approved ciphers are used" "$ grep "Ciphers" /etc/ssh/sshd_config" "Ciphers" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.20 Ensure only approved MAC algorithms are used" "$ grep "MACs" /etc/ssh/sshd_config" "MACs" /etc/ssh/sshd_config
echo echo echo grep echo grep
"" "1.16.21 Ensure SSH Idle Timeout Interval is configured" "$ grep "^ClientAliveInterval" /etc/ssh/sshd_config" "^ClientAliveInterval" /etc/ssh/sshd_config "$ grep "^ClientAliveCountMax" /etc/ssh/sshd_config" "^ClientAliveCountMax" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.22 Ensure SSH GraceTime is set to one minute or less" "$ grep "^GraceTime" /etc/ssh/sshd_config" "^GraceTime" /etc/ssh/sshd_config
echo echo echo grep echo grep echo grep echo grep
"" "1.16.23 Ensure SSH access is limited" "$ grep "^Allows" /etc/ssh/sshd_config" "^Allows" /etc/ssh/sshd_config "$ grep "^AllowGroups" /etc/ssh/sshd_config" "^AllowGroups" /etc/ssh/sshd_config "$ grep "^Denys" /etc/ssh/sshd_config" "^Denys" /etc/ssh/sshd_config "$ grep "^DenyGroups" /etc/ssh/sshd_config" "^DenyGroups" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.24 Ensure SSH warning banner is configured" "$ grep "^Banner" /etc/ssh/sshd_config" "^Banner" /etc/ssh/sshd_config
echo "" echo "******1.17 Configure PAM******" echo "" echo echo echo grep echo grep echo grep echo grep echo grep echo grep echo grep
"" "1.17.1 Ensure creation requirements are configured" "$ grep pam_pwquality.so /etc/pam.d/-auth" pam_pwquality.so /etc/pam.d/-auth "$ grep pam_pwquality.so /etc/pam.d/system-auth" pam_pwquality.so /etc/pam.d/system-auth "$ grep ^minlen /etc/security/pwquality.conf" ^minlen /etc/security/pwquality.conf "$ grep ^dcredit /etc/security/pwquality.conf" ^dcredit /etc/security/pwquality.conf "$ grep ^lcredit /etc/security/pwquality.conf" ^lcredit /etc/security/pwquality.conf "$ grep ^ocredit /etc/security/pwquality.conf" ^ocredit /etc/security/pwquality.conf "$ grep ^ucredit /etc/security/pwquality.conf" ^ucredit /etc/security/pwquality.conf
echo "" echo "1.17.2 Ensure lockout for failed attempts is configured" echo "$ cat /etc/pam.d/-auth" cat /etc/pam.d/-auth echo "$ cat /etc/pam.d/system-auth" cat /etc/pam.d/system-auth echo "" echo "1.17.3 Ensure reuse is limited"
echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "1.17.4 Ensure hashing algorithm is SHA-512" echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "******1.18 System File Permissions******" echo "" echo echo echo grep
"" "1.18.1 Set Shadow Suite Parameters" "$ grep _MAX_DAYS /etc/.defs" _MAX_DAYS /etc/.defs
echo echo echo grep
"" "1.18.2 Ensure minimum days between changes is 7 or more" "$ grep _MIN_DAYS /etc/.defs" _MIN_DAYS /etc/.defs
echo echo echo grep
"" "1.18.3 Ensure expiration warning days is 7 or more" "$ grep _WARN_AGE /etc/.defs" _WARN_AGE /etc/.defs
echo "" echo "1.18.4 Ensure inactive lock is 30 days or less" echo "$ add -D | grep INACTIVE" add -D | grep INACTIVE echo "" echo "1.18.5 Ensure system s are non-" echo "$ egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1! ="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}'" egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}' echo echo echo grep
"" "1.18.6 Ensure default group for the root is GID 0" "$ grep "^root:" /etc/wd | cut -f4 -d:" "^root:" /etc/wd | cut -f4 -d:
echo echo echo grep echo grep
"" "1.18.7 Ensure default umask is 027 or more restrictive" "$ grep "^umask" /etc/bashrc" "^umask" /etc/bashrc "$ grep "^umask" /etc/profile" "^umask" /etc/profile
echo "" echo "1.18.8 Ensure root is restricted to system console" echo "$ cat /etc/securetty"
cat /etc/securetty echo echo echo grep echo grep
"" "1.18.9 Ensure access to the su command is restricted" "$ grep pam_wheel.so /etc/pam.d/su" pam_wheel.so /etc/pam.d/su "$ grep wheel /etc/group" wheel /etc/group
echo "" echo "******1.19 Maintenance******" echo "" echo echo echo stat
"" "1.19.1 Ensure permissions on /etc/wd are configured" "$ stat /etc/wd" /etc/wd
echo echo echo stat
"" "1.19.2 Ensure permissions on /etc/shadow are configured" "$ stat /etc/shadow" /etc/shadow
echo echo echo stat
"" "1.19.3 Ensure permissions on /etc/group are configured" "$ stat /etc/group" /etc/group
echo echo echo stat
"" "1.19.4 Run the following chown to set permissions on /etc/gshadow" "$ stat /etc/gshadow" /etc/gshadow
echo echo echo stat
"" "1.19.5 Ensure permissions on /etc/wd- are configured" "$ stat /etc/wd-" /etc/wd-
echo echo echo stat
"" "1.19.6 Ensure permissions on /etc/shadow- are configured" "$ stat /etc/shadow-" /etc/shadow-
echo echo echo stat
"" "1.19.7 Ensure permissions on /etc/group- are configured" "$ stat /etc/group-" /etc/group-
echo echo echo stat
"" "1.19.8 Ensure permissions on /etc/gshadow- are configured" "$ stat /etc/gshadow-" /etc/gshadow-
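# 1.19.9 - 1.19.13: file-system wide permission and ownership sweeps.
# Every local mount point reported by df --local is walked with -xdev, so each
# file system is visited exactly once and network mounts are skipped.  Mount
# points are processed one per line instead of through xargs; a mount point
# containing whitespace would still be split by the awk field extraction, which
# is the same limitation the CIS recipe has.
#
# Arguments: find(1) predicates, applied unchanged to every local mount point
# Outputs:   the matching paths, one per line
cis_find_local() {
  df --local -P | awk 'NR != 1 { print $6 }' | while IFS= read -r mount_point; do
    find "$mount_point" -xdev "$@"
  done
}

echo ""
echo "1.19.9 Ensure no world writable files exist"
echo "$ df --local -P | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002"
# -perm -0002: any regular file with the other-write bit set.
cis_find_local -type f -perm -0002

echo ""
echo "1.19.10 Ensure no unowned files or directories exist"
echo "$ df --local -P | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -nouser"
# -nouser: owner UID has no entry in /etc/passwd (typically left behind when an
# account was deleted); such files may be silently picked up by a new account
# that is later assigned the same UID.
cis_find_local -nouser

echo ""
echo "1.19.11 Ensure no ungrouped files or directories exist"
echo "$ df --local -P | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -nogroup"
cis_find_local -nogroup

echo ""
echo "1.19.12 Audit SUID executables"
echo "$ df --local -P | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000"
# SUID/SGID lists are for review, not pass/fail: compare them against the
# expected baseline for this host and investigate anything not in it.
cis_find_local -type f -perm -4000

echo ""
echo "1.19.13 Audit SGID executables"
echo "$ df --local -P | awk '{if (NR!=1) print \$6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000"
cis_find_local -type f -perm -2000

echo ""
echo "******1.20 User and Group Settings******"
echo ""
echo ""
echo "1.20.1 Ensure password fields are not empty"
echo "$ awk -F: '(\$2 == \"\") { print \$1 \" does not have a password\" }' /etc/shadow"
# An empty second field in /etc/shadow means the account has no password at all.
# Reading /etc/shadow requires root; only the account name is reported, never
# the hash field itself.
awk -F: '($2 == "") { print $1 " does not have a password" }' /etc/shadow

# 1.20.2 - 1.20.4: legacy NIS "+" entries.  A line beginning with "+:" is a
# marker for NIS-aware libraries to pull in the whole NIS map; on a host that
# does not use NIS such a line has no legitimate purpose and should be removed.
#
# Arguments: $1 - CIS section number, $2 - account database file to check
# Outputs:   report heading and any matching lines (grep exits 1 when none)
cis_legacy_plus_entries() {
  local section=$1
  local target=$2
  echo ""
  echo "$section Ensure no legacy \"+\" entries exist in $target"
  echo "$ grep '^+:' $target"
  grep '^+:' -- "$target"
}

cis_legacy_plus_entries "1.20.2" /etc/passwd
cis_legacy_plus_entries "1.20.3" /etc/shadow
cis_legacy_plus_entries "1.20.4" /etc/group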
echo "" echo "1.20.5 Ensure root is the only UID 0 " echo "$ cat /etc/wd | awk -F: '($3 == 0) { print $1 }'" cat /etc/wd | awk -F: '($3 == 0) { print $1 }' echo "" echo "1.20.6 Ensure root PATH Integrity"
echo "$ #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root'" #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root echo "" echo "1.20.7 Ensure all s' home directories exist" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." 
fi done echo "" echo "1.20.8 Ensure s' home directories permissions are 750 or more restrictive" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done echo "" echo "1.20.9 Ensure s own their home directories" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done
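# 1.20.10: dot-files in home directories must not be group or world writable.
# Shell start-up files such as ~/.bashrc are executed at login, so a writable
# one can be used to run commands as the owning account.  As in the CIS recipe,
# root/sync/halt/shutdown and accounts with a /sbin/nologin shell are skipped
# (here by matching the account-name field rather than the whole passwd line)
# and symlinks and non-regular files are ignored.
#
# Arguments: $1 - passwd file (default /etc/passwd)
# Outputs:   one line per offending permission bit per file
cis_dotfile_perms() {
  local dir file perms
  awk -F: '$1 !~ /^(root|sync|halt|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' "${1:-/etc/passwd}" |
  while IFS= read -r dir; do
    # An unmatched glob is left literal and fails the -f test below.
    for file in "$dir"/.[A-Za-z0-9]*; do
      [[ ! -h "$file" && -f "$file" ]] || continue
      perms=$(stat -c '%A' -- "$file")
      # Mode string positions (0-based): 5 = group write, 8 = other write.
      if [[ "${perms:5:1}" != "-" ]]; then
        echo "Group Write permission set on file $file"
      fi
      if [[ "${perms:8:1}" != "-" ]]; then
        echo "Other Write permission set on file $file"
      fi
    done
  done
}

echo ""
echo "1.20.10 Ensure users' dot files are not group or world writable"
echo "$ for dir in \$(awk -F: '\$1 !~ /^(root|sync|halt|shutdown)\$/ && \$7 != \"/sbin/nologin\" { print \$6 }' /etc/passwd); do stat -c '%A %n' \$dir/.[A-Za-z0-9]*; done  # report group-write and other-write bits"
cis_dotfile_perms /etc/passwd

# 1.20.11: no account may have a ~/.forward file.  A .forward redirects the
# account's local mail, and the CIS recipe checks every passwd entry for it,
# without excluding system accounts.
#
# Arguments: $1 - passwd file (default /etc/passwd)
# Outputs:   one line per .forward file found
cis_forward_files() {
  local dir
  awk -F: '{ print $6 }' "${1:-/etc/passwd}" | while IFS= read -r dir; do
    if [[ ! -h "$dir/.forward" && -f "$dir/.forward" ]]; then
      echo ".forward file $dir/.forward exists"
    fi
  done
}

echo ""
echo "1.20.11 Ensure no users have .forward files"
echo "$ for dir in \$(awk -F: '{ print \$6 }' /etc/passwd); do [ ! -h \"\$dir/.forward\" -a -f \"\$dir/.forward\" ] && echo \".forward file \$dir/.forward exists\"; done"
cis_forward_files /etc/passwd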
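# 1.20.12: no account may have a ~/.netrc file.  .netrc stores plaintext
# credentials for ftp/curl-style clients, so only its existence is reported;
# the audit never prints its contents.  Every passwd entry is checked.
#
# Arguments: $1 - passwd file (default /etc/passwd)
# Outputs:   one line per .netrc file found
cis_netrc_files() {
  local dir
  awk -F: '{ print $6 }' "${1:-/etc/passwd}" | while IFS= read -r dir; do
    if [[ ! -h "$dir/.netrc" && -f "$dir/.netrc" ]]; then
      echo ".netrc file $dir/.netrc exists"
    fi
  done
}

echo ""
echo "1.20.12 Ensure no users have .netrc files"
echo "$ for dir in \$(awk -F: '{ print \$6 }' /etc/passwd); do [ ! -h \"\$dir/.netrc\" -a -f \"\$dir/.netrc\" ] && echo \".netrc file \$dir/.netrc exists\"; done"
cis_netrc_files /etc/passwd

# 1.20.13: any ~/.netrc that does exist must be readable by its owner only.
# root/sync/halt/shutdown and /sbin/nologin accounts are skipped, matching on
# the account-name field.  Each of the six group/other bits is reported
# separately, as in the CIS recipe.
#
# Arguments: $1 - passwd file (default /etc/passwd)
# Outputs:   one line per group/other permission bit set on a .netrc
cis_netrc_perms() {
  local dir file perms i
  local -a labels=("Group Read" "Group Write" "Group Execute" "Other Read" "Other Write" "Other Execute")
  awk -F: '$1 !~ /^(root|sync|halt|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' "${1:-/etc/passwd}" |
  while IFS= read -r dir; do
    file="$dir/.netrc"
    [[ ! -h "$file" && -f "$file" ]] || continue
    perms=$(stat -c '%A' -- "$file")
    # Mode string positions 4..9 (0-based) are group r/w/x then other r/w/x.
    for i in 0 1 2 3 4 5; do
      if [[ "${perms:$((i + 4)):1}" != "-" ]]; then
        echo "${labels[i]} set on $file"
      fi
    done
  done
}

echo ""
echo "1.20.13 Ensure users' .netrc Files are not group or world accessible"
echo "$ for dir in \$(awk -F: '\$1 !~ /^(root|sync|halt|shutdown)\$/ && \$7 != \"/sbin/nologin\" { print \$6 }' /etc/passwd); do [ -f \$dir/.netrc ] && stat -c '%A %n' \$dir/.netrc; done  # report any group/other bit"
cis_netrc_perms /etc/passwd

# 1.20.14: no account may have a ~/.rhosts file (host-based trust for the
# legacy r-commands).  root/halt/sync/shutdown and /sbin/nologin accounts are
# skipped, matching on the account-name field.
#
# Arguments: $1 - passwd file (default /etc/passwd)
# Outputs:   one line per home directory containing a .rhosts file
cis_rhosts_files() {
  local dir
  awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' "${1:-/etc/passwd}" |
  while IFS= read -r dir; do
    if [[ ! -h "$dir/.rhosts" && -f "$dir/.rhosts" ]]; then
      echo ".rhosts file in $dir"
    fi
  done
}

echo ""
echo "1.20.14 Ensure no users have .rhosts files"
echo "$ for dir in \$(awk -F: '\$1 !~ /^(root|halt|sync|shutdown)\$/ && \$7 != \"/sbin/nologin\" { print \$6 }' /etc/passwd); do [ ! -h \"\$dir/.rhosts\" -a -f \"\$dir/.rhosts\" ] && echo \".rhosts file in \$dir\"; done"
cis_rhosts_files /etc/passwd

# 1.20.15: every primary GID referenced in the passwd file must exist in the
# group file.  The GID column of the group file is compared with an exact
# whole-line match, so no regular-expression escaping of the GID is needed.
#
# Arguments: $1 - passwd file (default /etc/passwd)
#            $2 - group file  (default /etc/group)
# Outputs:   one line per GID missing from the group file
cis_groups_exist() {
  local passwd=${1:-/etc/passwd}
  local group=${2:-/etc/group}
  local gid
  for gid in $(cut -s -d: -f4 -- "$passwd" | sort -u); do
    if ! cut -d: -f3 -- "$group" | grep -qx -- "$gid"; then
      echo "Group $gid is referenced by $passwd but does not exist in $group"
    fi
  done
}

echo ""
echo "1.20.15 Ensure all groups in /etc/passwd exist in /etc/group"
echo "$ for i in \$(cut -s -d: -f4 /etc/passwd | sort -u); do cut -d: -f3 /etc/group | grep -qx \"\$i\" || echo \"Group \$i is referenced by /etc/passwd but does not exist in /etc/group\"; done"
cis_groups_exist /etc/passwd /etc/group

# 1.20.16 - 1.20.19: duplicate UIDs, GIDs, user names and group names.  Two
# names sharing one UID/GID are indistinguishable for file ownership and audit
# attribution; a duplicated name makes lookups of that name ambiguous.
# "sort -n | uniq -d" replaces the CIS recipe's "uniq -c" plus count test and
# yields the same set of duplicated keys.
#
# Arguments: $1 - account database file
#            $2 - field holding the key to check for duplicates (1 = name, 3 = id)
#            $3 - field listed for every entry sharing a duplicated key
#            $4 - label used in the report line (UID, GID, Name, Group Name)
# Outputs:   "Duplicate <label> (<key>): <values>" per duplicated key
cis_duplicates() {
  local file=$1
  local key_field=$2
  local show_field=$3
  local label=$4
  local key others
  cut -d: -f"$key_field" -- "$file" | sort -n | uniq -d | while IFS= read -r key; do
    # Values are passed to awk with -v rather than interpolated into the program.
    others=$(awk -F: -v n="$key" -v k="$key_field" -v s="$show_field" '$k == n { print $s }' "$file" | xargs)
    echo "Duplicate $label ($key): $others"
  done
}

echo ""
echo "1.20.16 Ensure no duplicate UIDs exist"
echo "$ cut -d: -f3 /etc/passwd | sort -n | uniq -d | while read uid; do echo \"Duplicate UID (\$uid): \$(awk -F: -v n=\$uid '\$3 == n { print \$1 }' /etc/passwd | xargs)\"; done"
cis_duplicates /etc/passwd 3 1 "UID"

echo ""
echo "1.20.17 Ensure no duplicate GIDs exist"
echo "$ cut -d: -f3 /etc/group | sort -n | uniq -d | while read gid; do echo \"Duplicate GID (\$gid): \$(awk -F: -v n=\$gid '\$3 == n { print \$1 }' /etc/group | xargs)\"; done"
cis_duplicates /etc/group 3 1 "GID"

echo ""
echo "1.20.18 Ensure no duplicate user names exist"
echo "$ cut -d: -f1 /etc/passwd | sort -n | uniq -d | while read name; do echo \"Duplicate Name (\$name): \$(awk -F: -v n=\$name '\$1 == n { print \$3 }' /etc/passwd | xargs)\"; done"
cis_duplicates /etc/passwd 1 3 "Name"

echo ""
echo "1.20.19 Ensure no duplicate group names exist"
echo "$ cut -d: -f1 /etc/group | sort -n | uniq -d | while read name; do echo \"Duplicate Group Name (\$name): \$(awk -F: -v n=\$name '\$1 == n { print \$3 }' /etc/group | xargs)\"; done"
cis_duplicates /etc/group 1 3 "Group Name"

echo ""
echo "******End of Report******"
echo ""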