Rhel 7 Hardening Script V2 5c361d
This document was ed by and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this report form. Report 3i3n4
Overview 26281t
& View Rhel 7 Hardening Script V2 as PDF for free.
More details 6y5l6z
- Words: 6,890
- Pages: 25
#!/bin/bash #CIS Security Audit Script #Author: HCL #CIS RHEL audit script path /tmp/hostname_cis_report.txt echo echo echo echo echo echo echo
"*********************************************************" "CIS Security Audit Script" "Red Hat 7.5" "" "WARNING: This script is only for Red Hat 7.5, please use correct script" "for target operating system" "*********************************************************"
exec > >(tee "/tmp/`hostname`_cis_report.txt") 2>&1 echo "CIS Security Audit Report" echo "*DATE*" date echo "*OS*" cat /etc/redhat-release echo "*KERNEL*" uname -a echo "*HOST*" hostname echo "" echo "******1.1 Disable Unused File Systems******" echo "" echo "" echo "1.1.1 Ensure mounting of cramfs filesystems is disabled" echo "$ modprobe -n -v cramfs" modprobe -n -v cramfs echo "$ lsmod | grep -c cramfs" lsmod | grep -c cramfs echo "1.1.2 Ensure mounting of freevxfs filesystems is disabled" echo "$ modprobe -n -v freevxfs" modprobe -n -v freevxfs echo "$ lsmod | grep -c freevxfs" lsmod | grep -c freevxfs echo "1.1.3 Ensure mounting of jffs2 filesystems is disabled" echo "$ modprobe -n -v jffs2" modprobe -n -v jffs2 echo "$ lsmod | grep -c jffs2" lsmod | grep -c jffs2 echo "1.1.4 Ensure mounting of hfs filesystems is disabled" echo "$ modprobe -n -v hfs" modprobe -n -v hfs echo "$ lsmod | grep -c hfs" lsmod | grep -c hfs echo "1.1.5 Ensure mounting of hfsplus filesystems is disabled" echo "$ modprobe -n -v hfsplus" modprobe -n -v hfsplus echo "$ lsmod | grep -c hfsplus" lsmod | grep -c hfsplus
echo "1.1.6 Ensure mounting of squashfs filesystems is disabled" echo "$ modprobe -n -v squashfs" modprobe -n -v squashfs echo "$ lsmod | grep -c squashfs" lsmod | grep -c squashfs echo "1.1.7 Ensure mounting of udf filesystems is disabled" echo "$ modprobe -n -v udf" modprobe -n -v udf echo "$ lsmod | grep -c udf" lsmod | grep -c udf echo "1.1.8 Ensure mounting of FAT filesystems is disabled" echo "$ modprobe -n -v vfat" modprobe -n -v vfat echo "$ lsmod | grep -c vfat" lsmod | grep -c vfat echo "1.1.9 Ensure separate partition exists for /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "" echo "1.1.10 , 1.1.11 , 1.1.12" echo "Check nodev,nosuid,noexec are set on /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "1.1.13 Ensure separate partition exists for /var" echo "$ mount | grep /var" mount | grep /var echo "" echo "1.1.14 Ensure separate partition exists for /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "" echo "1.1.15 , 1.1.16 , 1.1.17" echo "Check nodev,nosuid,noexec are set on /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "1.1.18 Ensure separate partition exists for /var/log" echo "$ mount | grep /var/log" mount | grep /var/log echo "1.1.19 Ensure separate partition exists for /var/log/audit" echo "$ mount | grep /var/log/audit" mount | grep /var/log/audit echo "1.1.20 Ensure separate partition exists for /home" echo "$ mount | grep /home" mount | grep /home echo "" echo "1.1.21 Ensure nodev option set on /home partition" echo "$ mount | grep /home" mount | grep /home
echo "" echo "1.1.22 , 1.1.23" echo "Check nodev, noexec are set on /dev/shm" echo "$ mount | grep /dev/shm" mount | grep /dev/shm echo "" echo "1.1.24, 1.1.25, 1.1.26" echo "Check nodev, nosuid, noexec is set on removable media partitions" echo "$ mount " mount echo "" echo "1.1.27 Ensure sticky bit is set on all world-writable directories" echo "$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null echo "" echo "1.1.28 Disable Automounting" echo "$ systemctl is-enabled autofs " systemctl is-enabled autofs echo "" echo "******1.2 Configure Software Updates******" echo "" export https_proxy=proxy-ida.emea.adecco.net:8080 echo "" echo "1.2.1 Ensure package manager repositories are configured" echo "$ yum repolist " yum repolist echo echo echo grep
"" "1.2.2 Ensure gpgcheck is globally activated" "$ ygrep ^gpgcheck /etc/yum.conf " ^gpgcheck /etc/yum.conf
echo "" echo "1.2.3 Ensure GPG keys are configured" echo "$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' " rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' echo "" echo "1.2.4 Ensure Red Hat Network or Subscription Manager connection is configured" echo "$ subscription-manager identity" subscription-manager identity echo "" echo "******1.3 Filesystem Integrity Checking******" echo "" echo "" echo "1.3.1" echo "Check if AIDE is installed" echo "$ rpm -q aide" rpm -q aide
echo "" echo "1.3.2" echo "Check if filesystem is regularly checked" echo "$ crontab -u root -l | grep aide" crontab -u root -l | grep aide echo "" echo "******1.4 Secure Boot Settings******" echo "" echo echo echo echo stat
"" "1.4.1" "Check if permissions on bootloader config are configured" "$ stat /boot/grub2/grub.cfg" /boot/grub2/grub.cfg
echo echo echo echo grep
"" "1.4.2" "Check if bootloader is set" "$ grep '"^set supers"' /boot/grub2/grub.cfg" "^set supers" /boot/grub2/grub.cfg
echo "$ grep '"^"' /boot/grub2/grub.cfg" grep "^" /boot/grub2/grub.cfg echo echo echo echo grep
"" "1.4.3" "Check if authentication is required for single mode" "$ grep /sbin/su /usr/lib/systemd/system/rescue.service" /sbin/su /usr/lib/systemd/system/rescue.service
echo "$ grep /sbin/su /usr/lib/systemd/system/emergency.service" grep /sbin/su /usr/lib/systemd/system/emergency.service echo "" echo "******1.5 Additional Process Hardening******" echo "" echo echo echo echo grep
"" "1.5.1" "Check if core dumps are restricted" "$ grep '"hard core"' /etc/security/limits.conf /etc/security/limits.d/*" "hard core" /etc/security/limits.conf /etc/security/limits.d/*
echo "$ sysctl fs.suid_dumpable" sysctl fs.suid_dumpable echo "" echo "1.5.2" echo "Check if XD/NX is enabled" echo "$ dmesg | grep NX" dmesg | grep NX echo "" echo "1.5.3" echo "Check if address space layout randomization (ASLR) is enabled" echo "$ sysctl kernel.randomize_va_space" sysctl kernel.randomize_va_space
echo "" echo "1.5.4" echo "Check if prelink is disabled" echo "$ rpm -q prelink" rpm -q prelink echo "" echo ""******1.6 Mandatory Access Controls****** echo "" echo echo echo echo
"" "1.6.1" "Ensure SELinux is not disabled in bootloader configuration" ""
echo "$ grep "^\s*linux" /boot/grub2/grub.cfg" grep "^\s*linux" /boot/grub2/grub.cfg echo "" echo "1.6.2 Ensure the SELinux state is enforcing" echo "$ sestatus" sestatus echo "" echo "1.6.3 Ensure SELinux policy is configured" echo "$ sestatus" sestatus echo "" echo "1.6.4 Ensure SETroubleshoot is not installed" echo "$ rpm -q setroubleshoot" rpm -q setroubleshoot echo "" echo "1.6.5 Ensure no unconfined daemons exist" echo "$ ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'" ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' echo "" echo "1.6.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo ""******1.7 Warning Banners****** echo "" echo "" echo "1.7.1 Ensure message of the day is configured properly" echo "$ cat /etc/motd" cat /etc/motd echo "" echo "1.7.2 Ensure local warning banner is configured properly" echo "$ cat /etc/issue"
cat /etc/issue echo "" echo "1.7.3 Ensure remote warning banner is configured properly" echo "$ cat /etc/issue.net" cat /etc/issue.net echo echo echo stat
"" "1.7.4 Ensure permissions on /etc/motd are configured" "$ stat /etc/motd" /etc/motd
echo echo echo stat
"" "1.7.5 Ensure permissions on /etc/issue are configured" "$ stat /etc/issue" /etc/issue
echo "" echo "1.7.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo "1.7.7 Ensure GDM banner is configured" echo "$ cat /etc/dconf/profile/gdm" cat /etc/dconf/profile/gdm echo "" echo "1.7.8 Ensure updates, patches, and additional security software are installed" echo "Check if SELinux is installed" echo "$ yum check-update" yum check-update echo "" echo ""******1.8 Services****** echo "" echo "" echo "1.8.1 Ensure chargen services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.2 Ensure daytime services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.3 Ensure discard services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.4 Ensure echo services are not enabled" echo "$ chkconfig --list" chkconfig --list
echo "" echo "1.8.5 Ensure time services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.6 Ensure rsh server is not enabled" echo "$ systemctl is-enabled rsh.socket" systemctl is-enabled rsh.socket echo "" echo "1.8.7 Ensure talk server is not enabled" echo "$ systemctl is-enabled ntalk" systemctl is-enabled ntalk echo "" echo "1.8.8 Ensure telnet server is not enabled" echo "$ systemctl is-enabled telnet.socket" systemctl is-enabled telnet.socket echo "" echo "1.8.9 Ensure tftp server is not enabled" echo "$ systemctl is-enabled tftp.socket" systemctl is-enabled tftp.socket echo "" echo "1.8.10 Ensure rsync service is not enabled" echo "$ systemctl is-enabled rsyncd" systemctl is-enabled rsyncd echo "" echo "1.8.11 Ensure xinetd is not enabled" echo "$ systemctl is-enabled xinetd" systemctl is-enabled xinetd echo "" echo ""******1.9 Special Purpose Services******"" echo "" echo "" echo "1.9.1 Ensure time synchronization is in use" echo "$ rpm -q ntp" rpm -q ntp echo echo echo grep
"" "1.9.2 Ensure ntp is configured" "$ grep "^restrict" /etc/ntp.conf" "^restrict" /etc/ntp.conf
echo "" echo "1.9.3 Ensure chrony is configured" echo "$ Not Applicable as NTP Configured" echo "" echo "1.9.4 Ensure X Window System is not installed" echo "$ rpm -qa xorg-x11*" rpm -qa xorg-x11* echo ""
echo "1.9.5 Ensure AVAHI server is not enabled" echo "$ systemctl is-enabled avahi-daemon" systemctl is-enabled avahi-daemon echo "" echo "1.9.6 Ensure CUPS is not enabled" echo "$ systemctl is-enabled cups" systemctl is-enabled cups echo "" echo "1.9.7 Ensure DH server is not enabled" echo "$ systemctl is-enabled dhd" systemctl is-enabled dhd echo "" echo "1.9.8 Ensure LDAP server is not enabled" echo "$ systemctl is-enabled slapd" systemctl is-enabled slapd echo "" echo "1.9.9 Ensure NFS and RPC are not enabled" echo "$ systemctl is-enabled nfs" systemctl is-enabled nfs echo "" echo "1.9.10 Ensure DNS server is not enabled" echo "$ systemctl is-enabled named" systemctl is-enabled named echo "" echo "1.9.11 Ensure FTP server is not enabled" echo "$ systemctl is-enabled vsftpd" systemctl is-enabled vsftpd echo "" echo "1.9.12 Ensure HTTP server is not enabled" echo "$ systemctl is-enabled httpd" systemctl is-enabled httpd echo "" echo "1.9.13 Ensure IMAP and POP3 server is not enabled" echo "$ systemctl is-enabled dovecot" systemctl is-enabled dovecot echo "" echo "1.9.14 Ensure SAMBA server is not enabled" echo "$ systemctl is-enabled smb" systemctl is-enabled smb echo "" echo "1.9.15 Ensure HTTP Proxy server is not enabled" echo "$ systemctl is-enabled squid" systemctl is-enabled squid echo "" echo "1.9.16 Ensure SNMP server is not enabled" echo "$ systemctl is-enabled snmpd" systemctl is-enabled snmpd
echo "" echo "1.9.17 Ensure mail transfer agent is configured for loca-only mode" echo "$ netstat -an | grep LIST | grep '":25[[:space:]]"'" netstat -an | grep LIST | grep ":25[[:space:]]" echo "" echo "1.9.18 Ensure NIS server is not enabled" echo "$ systemctl is-enabled ypserv" systemctl is-enabled ypserv echo "" echo "******1.10 Service Clients******" echo "" echo "" echo "1.10.1 Ensure NIS Client is not installed" echo "$ rpm -q ypbind" rpm -q ypbind echo "" echo "1.10.2 Ensure rsh client is not installed" echo "$ rpm -q rsh" rpm -q rsh echo "" echo "1.10.3 Ensure talk client is not installed" echo "$ rpm -q talk" rpm -q talk echo "" echo "1.10.4 Ensure telnet client is not installed" echo "$ rpm -q telnet" rpm -q telnet echo "" echo "1.10.5 Ensure LDAP client is not installed" echo "$ rpm -q openldap-clients" rpm -q openldap-clients echo "" echo "******1.11 Network Configuration******" echo "" echo "" echo "1.11.1 Ensure IP forwarding is disabled" echo "$ sysctl net.ipv4.ip_forward" sysctl net.ipv4.ip_forward echo "" echo "1.11.2 Ensure packet redirect sending is disabled" echo "$ sysctl net.ipv4.conf.all.send_redirects" sysctl net.ipv4.conf.all.send_redirects echo "$ sysctl net.ipv4.conf.default.send_redirects" sysctl net.ipv4.conf.default.send_redirects echo "" echo "1.11.3 Ensure source routed packets are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_source_route" sysctl net.ipv4.conf.all.accept_source_route
echo "$ sysctl net.ipv4.conf.default.accept_source_route" sysctl net.ipv4.conf.default.accept_source_route echo "" echo "1.11.4 Check ICMP redicrects are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_redirects" sysctl net.ipv4.conf.all.accept_redirects echo "$ sysctl net.ipv4.conf.default.accept_redirects" sysctl net.ipv4.conf.default.accept_redirects echo "" echo "1.11.5 Check secure ICMP redirects are not accepted" echo "$ sysctl net.ipv4.conf.all.secure_redirects" sysctl net.ipv4.conf.all.secure_redirects echo "$ sysctl net.ipv4.conf.default.secure_redirects" sysctl net.ipv4.conf.default.secure_redirects echo "" echo "1.11.6 Check if suspicious packets are logged" echo "$ sysctl net.ipv4.conf.all.log_martians" sysctl net.ipv4.conf.all.log_martians echo "$ sysctl net.ipv4.conf.default.log_martians" sysctl net.ipv4.conf.default.log_martians echo "" echo "1.11.7 Ensure broadcast ICMP requests are ignored" echo "$ sysctl net.ipv4.icmp_echo_ignore_broadcasts" sysctl net.ipv4.icmp_echo_ignore_broadcasts echo "" echo "1.11.8 Ensure bogus ICMP responses are ignored" echo "$ sysctl net.ipv4.icmp_ignore_bogus_error_responses" sysctl net.ipv4.icmp_ignore_bogus_error_responses echo "" echo "1.11.9 Ensure Reverse Path Filtering is enabled" echo "$ sysctl net.ipv4.conf.all.rp_filter" sysctl net.ipv4.conf.all.rp_filter echo "$ sysctl net.ipv4.conf.default.rp_filter" sysctl net.ipv4.conf.default.rp_filter echo "" echo "1.11.10 Ensure T SYN Cookies is enabled" echo "$ sysctl net.ipv4.t_syncookies" sysctl net.ipv4.t_syncookies echo "" echo "1.11.11 Ensure IPv6 router ments are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_ra" sysctl net.ipv6.conf.all.accept_ra echo "$ sysctl net.ipv6.conf.default.accept_ra" sysctl net.ipv6.conf.default.accept_ra echo "" echo "1.11.12 Ensure IPv6 redirects are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_redirects" sysctl net.ipv6.conf.all.accept_redirects echo "$ sysctl net.ipv6.conf.default.accept_redirects" sysctl net.ipv6.conf.default.accept_redirects
echo "" echo "1.11.13 Ensure IPv6 is disabled" echo "$ modprobe -c | grep ipv6" modprobe -c | grep ipv6 echo "" echo "1.11.14 Ensure T Wrappers is installed" echo "$ rpm -q t_wrappers" rpm -q t_wrappers echo "" echo "1.11.15 Ensure /etc/hosts.allow is configured" echo "$ cat /etc/hosts.allow" cat /etc/hosts.allow echo "" echo "1.11.16 Ensure /etc/hosts.deny is configured" echo "$ cat /etc/hosts.deny" cat /etc/hosts.deny echo echo echo stat
"" "1.11.17 Ensure permissions on /etc/hosts.allow are configured" "$ stat /etc/hosts.allow" /etc/hosts.allow
echo echo echo stat
"" "1.11.18 Ensure permissions on /etc/hosts.deny are 644" "$ stat /etc/hosts.deny" /etc/hosts.deny
echo "" echo "******1.12 Uncommon Network Protocols******" echo "" echo "" echo "1.12.1 Ensure DC is disabled" echo "$ modprobe -n -v dc" modprobe -n -v dc echo "$ lsmod | grep dc" lsmod | grep dc echo "" echo "1.12.2 Ensure SCTP is disabled" echo "$ modprobe -n -v sctp" modprobe -n -v sctp echo "$ lsmod | grep sctp" lsmod | grep sctp echo "" echo "1.12.3 Ensure RDS is disabled" echo "$ modprobe -n -v rds" modprobe -n -v rds echo "$ lsmod | grep rds" lsmod | grep rds echo "" echo "1.12.4 Ensure TIPC is disabled" echo "$ modprobe -n -v tipc"
modprobe -n -v tipc echo "$ lsmod | grep tipc" lsmod | grep tipc echo "" echo "******1.13 Firewall Configuration******" echo "" echo "" echo "1.13.1 Check if iptables is installed" echo "$ rpm -q iptables" rpm -q iptables echo "" echo "1.13.2 Ensure default deny firewall policy" echo "$ iptables -L" iptables -L echo "" echo "1.13.3 Ensure loopback traffic is configured" echo "$ iptables -L INPUT -v -n" iptables -L INPUT -v -n echo "$ iptables -L OUTPUT -v -n" iptables -L OUTPUT -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ netstat -ln" netstat -ln echo "" echo "1.13.6 Ensure wireless interfaces are disabled" echo "$ iwconfig" iwconfig echo "$ ip link show up" ip link show up echo "" echo "******1.14 Logging and Auditing******" echo "" echo "" echo "1.14.1 Configure System ing" echo "$ service auditd reload"
service auditd reload echo "" echo "1.14.2 Ensure audit log storage size is configured" echo "$ service auditd reload" service auditd reload echo echo echo grep echo grep echo grep
"" "1.14.3 Ensure system is disabled when audit logs are full" "$ grep space_left_action /etc/audit/auditd.conf" space_left_action /etc/audit/auditd.conf "$ grep action_mail_acct /etc/audit/auditd.conf" action_mail_acct /etc/audit/auditd.conf "$ grep _space_left_action /etc/audit/auditd.conf" _space_left_action /etc/audit/auditd.conf
echo echo echo grep
"" "1.14.4 Ensure audit logs are not automatically deleted" "$ grep max_log_file_action /etc/audit/auditd.conf" max_log_file_action /etc/audit/auditd.conf
echo "" echo "1.14.5 Ensure auditd service is enabled" echo "$ systemctl is-enabled auditd" systemctl is-enabled auditd echo echo echo grep
"" "1.14.6 Ensure auditing for processes that start prior to auditd is enabled" "$ grep "^\s*linux" /boot/grub2/grub.cfg" "^\s*linux" /boot/grub2/grub.cfg
echo echo echo grep
"" "1.14.7 Ensure events that modify date and time information are collected" "$ grep time-change /etc/audit/audit.rules" time-change /etc/audit/audit.rules
echo echo echo grep
"" "1.14.8 Ensure events that modify /group information are collected" "$ grep identity /etc/audit/audit.rules" identity /etc/audit/audit.rules
echo "" echo "1.14.9 Ensure events that modify the system's network environment are collected" echo "$ grep system-locale /etc/audit/audit.rules" grep system-locale /etc/audit/audit.rules echo "" echo "1.14.10 Ensure events that modify the system's Mandatory Access Controls are collected" echo "$ grep MAC-policy /etc/audit/audit.rules" grep MAC-policy /etc/audit/audit.rules echo echo echo grep
"" "1.14.11 Ensure and events are collected" "$ grep s /etc/audit/audit.rules" s /etc/audit/audit.rules
echo ""
echo "1.14.12 Ensure session initiation information is collected" echo "$ grep session /etc/audit/audit.rules" grep session /etc/audit/audit.rules echo "" echo "1.14.13 Ensure discretionary access control permission modification events are collected" echo "$ grep perm_mod /etc/audit/audit.rules" grep perm_mod /etc/audit/audit.rules echo echo echo grep
"" "1.14.14 Ensure unsuccessful unauthorized file access attempts are collected" "$ grep access /etc/audit/audit.rules" access /etc/audit/audit.rules
echo "" echo "1.14.15 Ensure use of privileged commands is collected" echo "$ find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'" find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' echo echo echo grep
"" "1.14.16 Ensure successful file system mounts are collected" "$ grep mounts /etc/audit/audit.rules" mounts /etc/audit/audit.rules
echo echo echo grep
"" "1.14.17 Ensure file deletion events by s are collected" "$ grep delete /etc/audit/audit.rules" delete /etc/audit/audit.rules
echo echo echo grep
"" "1.14.18 Ensure changes to system istration scope (sudoers) is collected" "$ grep scope /etc/audit/audit.rules" scope /etc/audit/audit.rules
echo echo echo grep
"" "1.14.19 Ensure system actions (sudolog) are collected" "$ grep actions /etc/audit/audit.rules" actions /etc/audit/audit.rules
echo echo echo grep
"" "1.14.20 Ensure kernel module loading and unloading is collected" "$ grep modules /etc/audit/audit.rules" modules /etc/audit/audit.rules
echo echo echo grep
"" "1.14.21 Ensure the audit configuration is immutable" "$ grep "^\s*[^#]" /etc/audit/audit.rules | tail -1" "^\s*[^#]" /etc/audit/audit.rules | tail -1
echo "" echo "******1.15 Configure Logging******" echo "" echo ""
echo "1.15.1 echo "Check if rsyslog is enabled" echo "$ systemctl is-enabled rsyslog" systemctl is-enabled rsyslog echo "" echo "1.15.2 Check if logging is configured" echo "$ ls -al /var/log" ls -al /var/log echo echo echo grep
"" "1.15.3 Ensure rsyslog default file permissions configured" "$ grep ^\$FileCreateMode /etc/rsyslog.conf" ^\$FileCreateMode /etc/rsyslog.conf
echo echo echo grep
"" "1.15.4 Ensure rsyslog is configured to send logs to a remote log host" "$ grep "^*.*[^I][^I]*@" /etc/rsyslog.conf" "^*.*[^I][^I]*@" /etc/rsyslog.conf
echo "" echo "1.15.5 Ensure remote rsyslog messages are only accepted on designated log hosts" echo "$ grep '$ModLoad imt.so' /etc/rsyslog.conf" grep '$ModLoad imt.so' /etc/rsyslog.conf echo "$ grep '$InputTServerRun' /etc/rsyslog.conf" grep '$InputTServerRun' /etc/rsyslog.conf echo "" echo "1.15.6 Ensure syslog-ng service is enabled" echo "$ systemctl is-enabled syslog-ng" systemctl is-enabled syslog-ng echo "" echo "1.15.7 Ensure logging is configured" echo "$ ls -l /var/log/" ls -l /var/log/ echo echo echo grep
"" "1.15.8 Ensure syslog-ng default file permissions configured" "$ grep ^options /etc/syslog-ng/syslog-ng.conf" ^options /etc/syslog-ng/syslog-ng.conf
echo "" echo "1.15.9 Ensure syslog-ng is configured to send logs to a remote log host" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.10 Ensure remote syslog-ng messages are only accepted on designated log hosts" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.11 Ensure rsyslog or syslog-ng is installed" echo "$ rpm -q rsyslog" rpm -q rsyslog echo "$ rpm -q syslog-ng" rpm -q syslog-ng
echo echo echo find
"" "1.15.12 Ensure permissions on all logfiles are configured" "$ find /var/log -type f -ls" /var/log -type f -ls
echo "" echo "1.15.13 Ensure logrotate is configured" echo "$ cat /etc/logrotate.conf" cat /etc/logrotate.conf echo "$ cat /etc/logrotate.d/*" cat /etc/logrotate.d/* echo "" echo "******1.16 Access, Authentication and Authorisation******" echo "" echo "" echo "1.16.1 Configure cron" echo "$ systemctl is-enabled crond" systemctl is-enabled crond echo echo echo stat
"" "1.16.2 Ensure permissions on /etc/crontab are configured" "$ stat /etc/crontab" /etc/crontab
echo echo echo stat
"" "1.16.3 Ensure permissions on /etc/cron.hourly are configured" "$ stat /etc/cron.hourly" /etc/cron.hourly
echo echo echo stat
"" "1.16.4 Ensure permissions on /etc/cron.daily are configured" "$ stat /etc/cron.daily" /etc/cron.daily
echo echo echo stat
"" "1.16.5 Ensure permissions on /etc/cron.weekly are configured" "$ stat /etc/cron.weekly" /etc/cron.weekly
echo echo echo stat
"" "1.16.6 Ensure permissions on /etc/cron.monthly are configured" "$ stat /etc/cron.monthly" /etc/cron.monthly
echo echo echo stat
"" "1.16.7 Ensure permissions on /etc/cron.d are configured" "$ stat /etc/cron.d" /etc/cron.d
echo echo echo stat echo stat
"" "1.16.8 Ensure at/cron is restricted to authorized s" "$ stat /etc/cron.deny" /etc/cron.deny "$ stat /etc/at.deny" /etc/at.deny
echo echo echo stat
"" "1.16.9 Ensure permissions on /etc/ssh/sshd_config are configured" "$ stat /etc/ssh/sshd_config" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.10 Ensure SSH Protocol is set to 2" "$ grep "^Protocol" /etc/ssh/sshd_config" "^Protocol" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.11 Ensure SSH LogLevel is set to INFO" "$ grep "^LogLevel" /etc/ssh/sshd_config" "^LogLevel" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.12 Ensure SSH X11 forwarding is disabled" "$ grep "^X11Forwarding" /etc/ssh/sshd_config" "^X11Forwarding" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.13 Ensure SSH MaxAuthTries is set to 4 or less" "$ grep "^MaxAuthTries" /etc/ssh/sshd_config" "^MaxAuthTries" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.14 Ensure SSH IgnoreRhosts is enabled" "$ grep "^IgnoreRhosts" /etc/ssh/sshd_config" "^IgnoreRhosts" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.15 Ensure SSH HostbasedAuthentication is disabled" "$ grep "^HostbasedAuthentication" /etc/ssh/sshd_config" "^HostbasedAuthentication" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.16 Ensure SSH root is disabled" "$ grep "^PermitRoot" /etc/ssh/sshd_config" "^PermitRoot" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.17 Ensure SSH PermitEmptys is disabled" "$ grep "^PermitEmptys" /etc/ssh/sshd_config" "^PermitEmptys" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.18 Ensure SSH PermitEnvironment is disabled" "$ grep PermitEnvironment /etc/ssh/sshd_config" PermitEnvironment /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.19 Ensure only approved ciphers are used" "$ grep "Ciphers" /etc/ssh/sshd_config" "Ciphers" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.20 Ensure only approved MAC algorithms are used" "$ grep "MACs" /etc/ssh/sshd_config" "MACs" /etc/ssh/sshd_config
echo echo echo grep echo grep
"" "1.16.21 Ensure SSH Idle Timeout Interval is configured" "$ grep "^ClientAliveInterval" /etc/ssh/sshd_config" "^ClientAliveInterval" /etc/ssh/sshd_config "$ grep "^ClientAliveCountMax" /etc/ssh/sshd_config" "^ClientAliveCountMax" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.22 Ensure SSH GraceTime is set to one minute or less" "$ grep "^GraceTime" /etc/ssh/sshd_config" "^GraceTime" /etc/ssh/sshd_config
echo echo echo grep echo grep echo grep echo grep
"" "1.16.23 Ensure SSH access is limited" "$ grep "^Allows" /etc/ssh/sshd_config" "^Allows" /etc/ssh/sshd_config "$ grep "^AllowGroups" /etc/ssh/sshd_config" "^AllowGroups" /etc/ssh/sshd_config "$ grep "^Denys" /etc/ssh/sshd_config" "^Denys" /etc/ssh/sshd_config "$ grep "^DenyGroups" /etc/ssh/sshd_config" "^DenyGroups" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.24 Ensure SSH warning banner is configured" "$ grep "^Banner" /etc/ssh/sshd_config" "^Banner" /etc/ssh/sshd_config
echo "" echo "******1.17 Configure PAM******" echo "" echo echo echo grep echo grep echo grep echo grep echo grep echo grep echo grep
"" "1.17.1 Ensure creation requirements are configured" "$ grep pam_pwquality.so /etc/pam.d/-auth" pam_pwquality.so /etc/pam.d/-auth "$ grep pam_pwquality.so /etc/pam.d/system-auth" pam_pwquality.so /etc/pam.d/system-auth "$ grep ^minlen /etc/security/pwquality.conf" ^minlen /etc/security/pwquality.conf "$ grep ^dcredit /etc/security/pwquality.conf" ^dcredit /etc/security/pwquality.conf "$ grep ^lcredit /etc/security/pwquality.conf" ^lcredit /etc/security/pwquality.conf "$ grep ^ocredit /etc/security/pwquality.conf" ^ocredit /etc/security/pwquality.conf "$ grep ^ucredit /etc/security/pwquality.conf" ^ucredit /etc/security/pwquality.conf
echo "" echo "1.17.2 Ensure lockout for failed attempts is configured" echo "$ cat /etc/pam.d/-auth" cat /etc/pam.d/-auth echo "$ cat /etc/pam.d/system-auth" cat /etc/pam.d/system-auth echo "" echo "1.17.3 Ensure reuse is limited"
echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "1.17.4 Ensure hashing algorithm is SHA-512" echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "******1.18 System File Permissions******" echo "" echo echo echo grep
"" "1.18.1 Set Shadow Suite Parameters" "$ grep _MAX_DAYS /etc/.defs" _MAX_DAYS /etc/.defs
echo echo echo grep
"" "1.18.2 Ensure minimum days between changes is 7 or more" "$ grep _MIN_DAYS /etc/.defs" _MIN_DAYS /etc/.defs
echo echo echo grep
"" "1.18.3 Ensure expiration warning days is 7 or more" "$ grep _WARN_AGE /etc/.defs" _WARN_AGE /etc/.defs
echo "" echo "1.18.4 Ensure inactive lock is 30 days or less" echo "$ add -D | grep INACTIVE" add -D | grep INACTIVE echo "" echo "1.18.5 Ensure system s are non-" echo "$ egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1! ="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}'" egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}' echo echo echo grep
"" "1.18.6 Ensure default group for the root is GID 0" "$ grep "^root:" /etc/wd | cut -f4 -d:" "^root:" /etc/wd | cut -f4 -d:
echo echo echo grep echo grep
"" "1.18.7 Ensure default umask is 027 or more restrictive" "$ grep "^umask" /etc/bashrc" "^umask" /etc/bashrc "$ grep "^umask" /etc/profile" "^umask" /etc/profile
echo "" echo "1.18.8 Ensure root is restricted to system console" echo "$ cat /etc/securetty"
cat /etc/securetty echo echo echo grep echo grep
"" "1.18.9 Ensure access to the su command is restricted" "$ grep pam_wheel.so /etc/pam.d/su" pam_wheel.so /etc/pam.d/su "$ grep wheel /etc/group" wheel /etc/group
echo "" echo "******1.19 Maintenance******" echo "" echo echo echo stat
"" "1.19.1 Ensure permissions on /etc/wd are configured" "$ stat /etc/wd" /etc/wd
echo echo echo stat
"" "1.19.2 Ensure permissions on /etc/shadow are configured" "$ stat /etc/shadow" /etc/shadow
echo echo echo stat
"" "1.19.3 Ensure permissions on /etc/group are configured" "$ stat /etc/group" /etc/group
echo echo echo stat
"" "1.19.4 Run the following chown to set permissions on /etc/gshadow" "$ stat /etc/gshadow" /etc/gshadow
echo echo echo stat
"" "1.19.5 Ensure permissions on /etc/wd- are configured" "$ stat /etc/wd-" /etc/wd-
echo echo echo stat
"" "1.19.6 Ensure permissions on /etc/shadow- are configured" "$ stat /etc/shadow-" /etc/shadow-
echo echo echo stat
"" "1.19.7 Ensure permissions on /etc/group- are configured" "$ stat /etc/group-" /etc/group-
echo echo echo stat
"" "1.19.8 Ensure permissions on /etc/gshadow- are configured" "$ stat /etc/gshadow-" /etc/gshadow-
echo "" echo "1.19.9 Ensure no world writable files exist" echo "$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
echo "" echo "1.19.10 Ensure no unowned files or directories exist" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -no" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -no echo "" echo "1.19.11 Ensure no ungrouped files or directories exist" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -nogroup" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -nogroup echo "" echo "1.19.12 Audit SUID executables" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -4000" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 echo "" echo "1.19.13 Audit SGID executables" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -2000" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 echo "" echo "******1.20 and Group Settings******" echo "" echo "" echo "1.20.1 Ensure fields are not empty" echo "$ cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a "}'" cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a "}' echo echo echo grep
"" "1.20.2 Ensure no legacy "+" entries exist in /etc/wd" "$ grep '^+:' /etc/wd" '^+:' /etc/wd
echo echo echo grep
"" "1.20.3 Ensure no legacy "+" entries exist in /etc/shadow" "$ grep '^+:' /etc/shadow" '^+:' /etc/shadow
echo echo echo grep
"" "1.20.4 Ensure no legacy "+" entries exist in /etc/group" "$ grep '^+:' /etc/group" '^+:' /etc/group
echo "" echo "1.20.5 Ensure root is the only UID 0 " echo "$ cat /etc/wd | awk -F: '($3 == 0) { print $1 }'" cat /etc/wd | awk -F: '($3 == 0) { print $1 }' echo "" echo "1.20.6 Ensure root PATH Integrity"
echo "$ #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root'" #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root echo "" echo "1.20.7 Ensure all s' home directories exist" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." fi done echo "" echo "1.20.8 Ensure s' home directories permissions are 750 or more restrictive" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done echo "" echo "1.20.9 Ensure s own their home directories" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done
echo "" echo "1.20.10 Ensure s' dot files are not group or world writable" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/. [A-Za-z0-9]*; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write permission set on file $file" fi fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.[A-Za-z0-9]*; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write permission set on file $file" fi fi done done echo "" echo "1.20.11 Ensure no s have .forward files" echo "$ #!/bin/bash for dir in `cat /etc/wd |\ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then $dir/.forward exists" fi done" #!/bin/bash for dir in `cat /etc/wd |\ awk -F: "$dir/.forward" -a -f "$dir/.forward" ]; then echo exists" fi done
awk -F: '{ print $6 }'`; do if [ echo ".forward file '{ print $6 }'`; do if [ ! -h ".forward file $dir/.forward
echo "" echo "1.20.12 Ensure no s have .netrc files" echo "$ #!/bin/bash for dir in `cat /etc/wd |\ awk -F: '{ print $6 }'`; do if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then echo ".netrc file $dir/.netrc exists" fi done" #!/bin/bash for dir in `cat /etc/wd |\ awk -F: '{ print $6 }'`; do if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then echo ".netrc file $dir/.netrc exists" fi done echo "" echo "1.20.13 Ensure s' .netrc Files are not group or world accessible" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.netrc; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c5` != "-" ]; then echo "Group Read set on $file" fi if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write set on $file" fi if [ `echo $fileperm | cut -c7` != "-" ]; then echo "Group Execute set on $file" fi if [ `echo $fileperm | cut -c8` != "-" ]; then echo "Other Read set on $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write set on $file" fi if [ `echo $fileperm | cut -c10` != "-" ]; then echo "Other Execute set on $file" fi fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.netrc; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c5` != "-" ]; then echo "Group Read set on $file" fi if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write set on $file" fi if [ `echo $fileperm | cut -c7` != "-" ]; then echo "Group Execute set on $file" fi if [ `echo $fileperm | cut -c8` != "-" ]; then echo "Other Read set on $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write set on $file" fi if [ `echo $fileperm | cut -c10` != "-" ]; then echo "Other Execute set on $file" fi fi done done echo "" echo "1.20.14 Ensure no s have .rhosts files" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|
shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.rhosts; do if [ ! -h "$file" -a -f "$file" ]; then echo ".rhosts file in $dir" fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.rhosts; do if [ ! -h "$file" -a -f "$file" ]; then echo ".rhosts file in $dir" fi done done echo "" echo "1.20.15 Ensure all groups in /etc/wd exist in /etc/group" echo "$ #!/bin/bash for i in $(cut -s -d: -f4 /etc/wd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group if [ $? -ne 0 ]; then echo "Group $i is referenced by /etc/wd but does not exist in /etc/group" fi done" #!/bin/bash for i in $(cut -s -d: -f4 /etc/wd | sort -u ); do grep -q -P "^.*?: [^:]*:$i:" /etc/group if [ $? -ne 0 ]; then echo "Group $i is referenced by /etc/wd but does not exist in /etc/group" fi done echo "" echo "1.20.16 Ensure no duplicate UIDs exist" echo "$ #!/bin/bash cat /etc/wd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then s=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/wd | xargs` echo "Duplicate UID ($2): $ {s}" fi done" #!/bin/bash cat /etc/wd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then s=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/wd | xargs` echo "Duplicate UID ($2): ${s}" fi done echo "" echo "1.20.17 Ensure no duplicate GIDs exist" echo "$ #!/bin/bash cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` echo "Duplicate GID ($2): ${groups}" fi done" #!/bin/bash cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` echo "Duplicate GID ($2): ${groups}" fi done echo "" echo "1.20.18 Ensure no duplicate names exist" echo "$ #!/bin/bash cat /etc/wd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/wd | xargs` echo "Duplicate Name ($2): ${uids}" fi done" #!/bin/bash cat /etc/wd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/wd | xargs` echo "Duplicate Name ($2): ${uids}" fi done echo "" echo "1.20.19 Ensure no duplicate group names exist" echo "$ #!/bin/bash cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` echo "Duplicate Group Name ($2): ${gids}" fi done" #!/bin/bash cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` echo "Duplicate Group Name ($2): ${gids}" fi done echo ""
echo "******End of Report******" echo ""
"*********************************************************" "CIS Security Audit Script" "Red Hat 7.5" "" "WARNING: This script is only for Red Hat 7.5, please use correct script" "for target operating system" "*********************************************************"
exec > >(tee "/tmp/`hostname`_cis_report.txt") 2>&1 echo "CIS Security Audit Report" echo "*DATE*" date echo "*OS*" cat /etc/redhat-release echo "*KERNEL*" uname -a echo "*HOST*" hostname echo "" echo "******1.1 Disable Unused File Systems******" echo "" echo "" echo "1.1.1 Ensure mounting of cramfs filesystems is disabled" echo "$ modprobe -n -v cramfs" modprobe -n -v cramfs echo "$ lsmod | grep -c cramfs" lsmod | grep -c cramfs echo "1.1.2 Ensure mounting of freevxfs filesystems is disabled" echo "$ modprobe -n -v freevxfs" modprobe -n -v freevxfs echo "$ lsmod | grep -c freevxfs" lsmod | grep -c freevxfs echo "1.1.3 Ensure mounting of jffs2 filesystems is disabled" echo "$ modprobe -n -v jffs2" modprobe -n -v jffs2 echo "$ lsmod | grep -c jffs2" lsmod | grep -c jffs2 echo "1.1.4 Ensure mounting of hfs filesystems is disabled" echo "$ modprobe -n -v hfs" modprobe -n -v hfs echo "$ lsmod | grep -c hfs" lsmod | grep -c hfs echo "1.1.5 Ensure mounting of hfsplus filesystems is disabled" echo "$ modprobe -n -v hfsplus" modprobe -n -v hfsplus echo "$ lsmod | grep -c hfsplus" lsmod | grep -c hfsplus
echo "1.1.6 Ensure mounting of squashfs filesystems is disabled" echo "$ modprobe -n -v squashfs" modprobe -n -v squashfs echo "$ lsmod | grep -c squashfs" lsmod | grep -c squashfs echo "1.1.7 Ensure mounting of udf filesystems is disabled" echo "$ modprobe -n -v udf" modprobe -n -v udf echo "$ lsmod | grep -c udf" lsmod | grep -c udf echo "1.1.8 Ensure mounting of FAT filesystems is disabled" echo "$ modprobe -n -v vfat" modprobe -n -v vfat echo "$ lsmod | grep -c vfat" lsmod | grep -c vfat echo "1.1.9 Ensure separate partition exists for /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "" echo "1.1.10 , 1.1.11 , 1.1.12" echo "Check nodev,nosuid,noexec are set on /tmp" echo "$ mount | grep /tmp" mount | grep /tmp echo "1.1.13 Ensure separate partition exists for /var" echo "$ mount | grep /var" mount | grep /var echo "" echo "1.1.14 Ensure separate partition exists for /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "" echo "1.1.15 , 1.1.16 , 1.1.17" echo "Check nodev,nosuid,noexec are set on /var/tmp" echo "$ mount | grep /var/tmp" mount | grep /var/tmp echo "1.1.18 Ensure separate partition exists for /var/log" echo "$ mount | grep /var/log" mount | grep /var/log echo "1.1.19 Ensure separate partition exists for /var/log/audit" echo "$ mount | grep /var/log/audit" mount | grep /var/log/audit echo "1.1.20 Ensure separate partition exists for /home" echo "$ mount | grep /home" mount | grep /home echo "" echo "1.1.21 Ensure nodev option set on /home partition" echo "$ mount | grep /home" mount | grep /home
echo "" echo "1.1.22 , 1.1.23" echo "Check nodev, noexec are set on /dev/shm" echo "$ mount | grep /dev/shm" mount | grep /dev/shm echo "" echo "1.1.24, 1.1.25, 1.1.26" echo "Check nodev, nosuid, noexec is set on removable media partitions" echo "$ mount " mount echo "" echo "1.1.27 Ensure sticky bit is set on all world-writable directories" echo "$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null echo "" echo "1.1.28 Disable Automounting" echo "$ systemctl is-enabled autofs " systemctl is-enabled autofs echo "" echo "******1.2 Configure Software Updates******" echo "" export https_proxy=proxy-ida.emea.adecco.net:8080 echo "" echo "1.2.1 Ensure package manager repositories are configured" echo "$ yum repolist " yum repolist echo echo echo grep
"" "1.2.2 Ensure gpgcheck is globally activated" "$ ygrep ^gpgcheck /etc/yum.conf " ^gpgcheck /etc/yum.conf
echo "" echo "1.2.3 Ensure GPG keys are configured" echo "$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' " rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' echo "" echo "1.2.4 Ensure Red Hat Network or Subscription Manager connection is configured" echo "$ subscription-manager identity" subscription-manager identity echo "" echo "******1.3 Filesystem Integrity Checking******" echo "" echo "" echo "1.3.1" echo "Check if AIDE is installed" echo "$ rpm -q aide" rpm -q aide
echo "" echo "1.3.2" echo "Check if filesystem is regularly checked" echo "$ crontab -u root -l | grep aide" crontab -u root -l | grep aide echo "" echo "******1.4 Secure Boot Settings******" echo "" echo echo echo echo stat
"" "1.4.1" "Check if permissions on bootloader config are configured" "$ stat /boot/grub2/grub.cfg" /boot/grub2/grub.cfg
echo echo echo echo grep
"" "1.4.2" "Check if bootloader is set" "$ grep '"^set supers"' /boot/grub2/grub.cfg" "^set supers" /boot/grub2/grub.cfg
echo "$ grep '"^"' /boot/grub2/grub.cfg" grep "^" /boot/grub2/grub.cfg echo echo echo echo grep
"" "1.4.3" "Check if authentication is required for single mode" "$ grep /sbin/su /usr/lib/systemd/system/rescue.service" /sbin/su /usr/lib/systemd/system/rescue.service
echo "$ grep /sbin/su /usr/lib/systemd/system/emergency.service" grep /sbin/su /usr/lib/systemd/system/emergency.service echo "" echo "******1.5 Additional Process Hardening******" echo "" echo echo echo echo grep
"" "1.5.1" "Check if core dumps are restricted" "$ grep '"hard core"' /etc/security/limits.conf /etc/security/limits.d/*" "hard core" /etc/security/limits.conf /etc/security/limits.d/*
echo "$ sysctl fs.suid_dumpable" sysctl fs.suid_dumpable echo "" echo "1.5.2" echo "Check if XD/NX is enabled" echo "$ dmesg | grep NX" dmesg | grep NX echo "" echo "1.5.3" echo "Check if address space layout randomization (ASLR) is enabled" echo "$ sysctl kernel.randomize_va_space" sysctl kernel.randomize_va_space
echo "" echo "1.5.4" echo "Check if prelink is disabled" echo "$ rpm -q prelink" rpm -q prelink echo "" echo ""******1.6 Mandatory Access Controls****** echo "" echo echo echo echo
"" "1.6.1" "Ensure SELinux is not disabled in bootloader configuration" ""
echo "$ grep "^\s*linux" /boot/grub2/grub.cfg" grep "^\s*linux" /boot/grub2/grub.cfg echo "" echo "1.6.2 Ensure the SELinux state is enforcing" echo "$ sestatus" sestatus echo "" echo "1.6.3 Ensure SELinux policy is configured" echo "$ sestatus" sestatus echo "" echo "1.6.4 Ensure SETroubleshoot is not installed" echo "$ rpm -q setroubleshoot" rpm -q setroubleshoot echo "" echo "1.6.5 Ensure no unconfined daemons exist" echo "$ ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'" ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' echo "" echo "1.6.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo ""******1.7 Warning Banners****** echo "" echo "" echo "1.7.1 Ensure message of the day is configured properly" echo "$ cat /etc/motd" cat /etc/motd echo "" echo "1.7.2 Ensure local warning banner is configured properly" echo "$ cat /etc/issue"
cat /etc/issue echo "" echo "1.7.3 Ensure remote warning banner is configured properly" echo "$ cat /etc/issue.net" cat /etc/issue.net echo echo echo stat
"" "1.7.4 Ensure permissions on /etc/motd are configured" "$ stat /etc/motd" /etc/motd
echo echo echo stat
"" "1.7.5 Ensure permissions on /etc/issue are configured" "$ stat /etc/issue" /etc/issue
echo "" echo "1.7.6" echo "Check if SELinux is installed" echo "$ rpm -q libselinux" rpm -q libselinux echo "" echo "1.7.7 Ensure GDM banner is configured" echo "$ cat /etc/dconf/profile/gdm" cat /etc/dconf/profile/gdm echo "" echo "1.7.8 Ensure updates, patches, and additional security software are installed" echo "Check if SELinux is installed" echo "$ yum check-update" yum check-update echo "" echo ""******1.8 Services****** echo "" echo "" echo "1.8.1 Ensure chargen services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.2 Ensure daytime services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.3 Ensure discard services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.4 Ensure echo services are not enabled" echo "$ chkconfig --list" chkconfig --list
echo "" echo "1.8.5 Ensure time services are not enabled" echo "$ chkconfig --list" chkconfig --list echo "" echo "1.8.6 Ensure rsh server is not enabled" echo "$ systemctl is-enabled rsh.socket" systemctl is-enabled rsh.socket echo "" echo "1.8.7 Ensure talk server is not enabled" echo "$ systemctl is-enabled ntalk" systemctl is-enabled ntalk echo "" echo "1.8.8 Ensure telnet server is not enabled" echo "$ systemctl is-enabled telnet.socket" systemctl is-enabled telnet.socket echo "" echo "1.8.9 Ensure tftp server is not enabled" echo "$ systemctl is-enabled tftp.socket" systemctl is-enabled tftp.socket echo "" echo "1.8.10 Ensure rsync service is not enabled" echo "$ systemctl is-enabled rsyncd" systemctl is-enabled rsyncd echo "" echo "1.8.11 Ensure xinetd is not enabled" echo "$ systemctl is-enabled xinetd" systemctl is-enabled xinetd echo "" echo ""******1.9 Special Purpose Services******"" echo "" echo "" echo "1.9.1 Ensure time synchronization is in use" echo "$ rpm -q ntp" rpm -q ntp echo echo echo grep
"" "1.9.2 Ensure ntp is configured" "$ grep "^restrict" /etc/ntp.conf" "^restrict" /etc/ntp.conf
echo "" echo "1.9.3 Ensure chrony is configured" echo "$ Not Applicable as NTP Configured" echo "" echo "1.9.4 Ensure X Window System is not installed" echo "$ rpm -qa xorg-x11*" rpm -qa xorg-x11* echo ""
echo "1.9.5 Ensure AVAHI server is not enabled" echo "$ systemctl is-enabled avahi-daemon" systemctl is-enabled avahi-daemon echo "" echo "1.9.6 Ensure CUPS is not enabled" echo "$ systemctl is-enabled cups" systemctl is-enabled cups echo "" echo "1.9.7 Ensure DH server is not enabled" echo "$ systemctl is-enabled dhd" systemctl is-enabled dhd echo "" echo "1.9.8 Ensure LDAP server is not enabled" echo "$ systemctl is-enabled slapd" systemctl is-enabled slapd echo "" echo "1.9.9 Ensure NFS and RPC are not enabled" echo "$ systemctl is-enabled nfs" systemctl is-enabled nfs echo "" echo "1.9.10 Ensure DNS server is not enabled" echo "$ systemctl is-enabled named" systemctl is-enabled named echo "" echo "1.9.11 Ensure FTP server is not enabled" echo "$ systemctl is-enabled vsftpd" systemctl is-enabled vsftpd echo "" echo "1.9.12 Ensure HTTP server is not enabled" echo "$ systemctl is-enabled httpd" systemctl is-enabled httpd echo "" echo "1.9.13 Ensure IMAP and POP3 server is not enabled" echo "$ systemctl is-enabled dovecot" systemctl is-enabled dovecot echo "" echo "1.9.14 Ensure SAMBA server is not enabled" echo "$ systemctl is-enabled smb" systemctl is-enabled smb echo "" echo "1.9.15 Ensure HTTP Proxy server is not enabled" echo "$ systemctl is-enabled squid" systemctl is-enabled squid echo "" echo "1.9.16 Ensure SNMP server is not enabled" echo "$ systemctl is-enabled snmpd" systemctl is-enabled snmpd
echo "" echo "1.9.17 Ensure mail transfer agent is configured for loca-only mode" echo "$ netstat -an | grep LIST | grep '":25[[:space:]]"'" netstat -an | grep LIST | grep ":25[[:space:]]" echo "" echo "1.9.18 Ensure NIS server is not enabled" echo "$ systemctl is-enabled ypserv" systemctl is-enabled ypserv echo "" echo "******1.10 Service Clients******" echo "" echo "" echo "1.10.1 Ensure NIS Client is not installed" echo "$ rpm -q ypbind" rpm -q ypbind echo "" echo "1.10.2 Ensure rsh client is not installed" echo "$ rpm -q rsh" rpm -q rsh echo "" echo "1.10.3 Ensure talk client is not installed" echo "$ rpm -q talk" rpm -q talk echo "" echo "1.10.4 Ensure telnet client is not installed" echo "$ rpm -q telnet" rpm -q telnet echo "" echo "1.10.5 Ensure LDAP client is not installed" echo "$ rpm -q openldap-clients" rpm -q openldap-clients echo "" echo "******1.11 Network Configuration******" echo "" echo "" echo "1.11.1 Ensure IP forwarding is disabled" echo "$ sysctl net.ipv4.ip_forward" sysctl net.ipv4.ip_forward echo "" echo "1.11.2 Ensure packet redirect sending is disabled" echo "$ sysctl net.ipv4.conf.all.send_redirects" sysctl net.ipv4.conf.all.send_redirects echo "$ sysctl net.ipv4.conf.default.send_redirects" sysctl net.ipv4.conf.default.send_redirects echo "" echo "1.11.3 Ensure source routed packets are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_source_route" sysctl net.ipv4.conf.all.accept_source_route
echo "$ sysctl net.ipv4.conf.default.accept_source_route" sysctl net.ipv4.conf.default.accept_source_route echo "" echo "1.11.4 Check ICMP redicrects are not accepted" echo "$ sysctl net.ipv4.conf.all.accept_redirects" sysctl net.ipv4.conf.all.accept_redirects echo "$ sysctl net.ipv4.conf.default.accept_redirects" sysctl net.ipv4.conf.default.accept_redirects echo "" echo "1.11.5 Check secure ICMP redirects are not accepted" echo "$ sysctl net.ipv4.conf.all.secure_redirects" sysctl net.ipv4.conf.all.secure_redirects echo "$ sysctl net.ipv4.conf.default.secure_redirects" sysctl net.ipv4.conf.default.secure_redirects echo "" echo "1.11.6 Check if suspicious packets are logged" echo "$ sysctl net.ipv4.conf.all.log_martians" sysctl net.ipv4.conf.all.log_martians echo "$ sysctl net.ipv4.conf.default.log_martians" sysctl net.ipv4.conf.default.log_martians echo "" echo "1.11.7 Ensure broadcast ICMP requests are ignored" echo "$ sysctl net.ipv4.icmp_echo_ignore_broadcasts" sysctl net.ipv4.icmp_echo_ignore_broadcasts echo "" echo "1.11.8 Ensure bogus ICMP responses are ignored" echo "$ sysctl net.ipv4.icmp_ignore_bogus_error_responses" sysctl net.ipv4.icmp_ignore_bogus_error_responses echo "" echo "1.11.9 Ensure Reverse Path Filtering is enabled" echo "$ sysctl net.ipv4.conf.all.rp_filter" sysctl net.ipv4.conf.all.rp_filter echo "$ sysctl net.ipv4.conf.default.rp_filter" sysctl net.ipv4.conf.default.rp_filter echo "" echo "1.11.10 Ensure T SYN Cookies is enabled" echo "$ sysctl net.ipv4.t_syncookies" sysctl net.ipv4.t_syncookies echo "" echo "1.11.11 Ensure IPv6 router ments are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_ra" sysctl net.ipv6.conf.all.accept_ra echo "$ sysctl net.ipv6.conf.default.accept_ra" sysctl net.ipv6.conf.default.accept_ra echo "" echo "1.11.12 Ensure IPv6 redirects are not accepted" echo "$ sysctl net.ipv6.conf.all.accept_redirects" sysctl net.ipv6.conf.all.accept_redirects echo "$ sysctl net.ipv6.conf.default.accept_redirects" sysctl net.ipv6.conf.default.accept_redirects
echo "" echo "1.11.13 Ensure IPv6 is disabled" echo "$ modprobe -c | grep ipv6" modprobe -c | grep ipv6 echo "" echo "1.11.14 Ensure T Wrappers is installed" echo "$ rpm -q t_wrappers" rpm -q t_wrappers echo "" echo "1.11.15 Ensure /etc/hosts.allow is configured" echo "$ cat /etc/hosts.allow" cat /etc/hosts.allow echo "" echo "1.11.16 Ensure /etc/hosts.deny is configured" echo "$ cat /etc/hosts.deny" cat /etc/hosts.deny echo echo echo stat
"" "1.11.17 Ensure permissions on /etc/hosts.allow are configured" "$ stat /etc/hosts.allow" /etc/hosts.allow
echo echo echo stat
"" "1.11.18 Ensure permissions on /etc/hosts.deny are 644" "$ stat /etc/hosts.deny" /etc/hosts.deny
echo "" echo "******1.12 Uncommon Network Protocols******" echo "" echo "" echo "1.12.1 Ensure DC is disabled" echo "$ modprobe -n -v dc" modprobe -n -v dc echo "$ lsmod | grep dc" lsmod | grep dc echo "" echo "1.12.2 Ensure SCTP is disabled" echo "$ modprobe -n -v sctp" modprobe -n -v sctp echo "$ lsmod | grep sctp" lsmod | grep sctp echo "" echo "1.12.3 Ensure RDS is disabled" echo "$ modprobe -n -v rds" modprobe -n -v rds echo "$ lsmod | grep rds" lsmod | grep rds echo "" echo "1.12.4 Ensure TIPC is disabled" echo "$ modprobe -n -v tipc"
modprobe -n -v tipc echo "$ lsmod | grep tipc" lsmod | grep tipc echo "" echo "******1.13 Firewall Configuration******" echo "" echo "" echo "1.13.1 Check if iptables is installed" echo "$ rpm -q iptables" rpm -q iptables echo "" echo "1.13.2 Ensure default deny firewall policy" echo "$ iptables -L" iptables -L echo "" echo "1.13.3 Ensure loopback traffic is configured" echo "$ iptables -L INPUT -v -n" iptables -L INPUT -v -n echo "$ iptables -L OUTPUT -v -n" iptables -L OUTPUT -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.4 Ensure outbound and established connections are configured" echo "$ iptables -L -v -n" iptables -L -v -n echo "" echo "1.13.5 Ensure firewall rules exist for all open ports" echo "$ netstat -ln" netstat -ln echo "" echo "1.13.6 Ensure wireless interfaces are disabled" echo "$ iwconfig" iwconfig echo "$ ip link show up" ip link show up echo "" echo "******1.14 Logging and Auditing******" echo "" echo "" echo "1.14.1 Configure System ing" echo "$ service auditd reload"
service auditd reload echo "" echo "1.14.2 Ensure audit log storage size is configured" echo "$ service auditd reload" service auditd reload echo echo echo grep echo grep echo grep
"" "1.14.3 Ensure system is disabled when audit logs are full" "$ grep space_left_action /etc/audit/auditd.conf" space_left_action /etc/audit/auditd.conf "$ grep action_mail_acct /etc/audit/auditd.conf" action_mail_acct /etc/audit/auditd.conf "$ grep _space_left_action /etc/audit/auditd.conf" _space_left_action /etc/audit/auditd.conf
echo echo echo grep
"" "1.14.4 Ensure audit logs are not automatically deleted" "$ grep max_log_file_action /etc/audit/auditd.conf" max_log_file_action /etc/audit/auditd.conf
echo "" echo "1.14.5 Ensure auditd service is enabled" echo "$ systemctl is-enabled auditd" systemctl is-enabled auditd echo echo echo grep
"" "1.14.6 Ensure auditing for processes that start prior to auditd is enabled" "$ grep "^\s*linux" /boot/grub2/grub.cfg" "^\s*linux" /boot/grub2/grub.cfg
echo echo echo grep
"" "1.14.7 Ensure events that modify date and time information are collected" "$ grep time-change /etc/audit/audit.rules" time-change /etc/audit/audit.rules
echo echo echo grep
"" "1.14.8 Ensure events that modify /group information are collected" "$ grep identity /etc/audit/audit.rules" identity /etc/audit/audit.rules
echo "" echo "1.14.9 Ensure events that modify the system's network environment are collected" echo "$ grep system-locale /etc/audit/audit.rules" grep system-locale /etc/audit/audit.rules echo "" echo "1.14.10 Ensure events that modify the system's Mandatory Access Controls are collected" echo "$ grep MAC-policy /etc/audit/audit.rules" grep MAC-policy /etc/audit/audit.rules echo echo echo grep
"" "1.14.11 Ensure and events are collected" "$ grep s /etc/audit/audit.rules" s /etc/audit/audit.rules
echo ""
echo "1.14.12 Ensure session initiation information is collected" echo "$ grep session /etc/audit/audit.rules" grep session /etc/audit/audit.rules echo "" echo "1.14.13 Ensure discretionary access control permission modification events are collected" echo "$ grep perm_mod /etc/audit/audit.rules" grep perm_mod /etc/audit/audit.rules echo echo echo grep
"" "1.14.14 Ensure unsuccessful unauthorized file access attempts are collected" "$ grep access /etc/audit/audit.rules" access /etc/audit/audit.rules
echo "" echo "1.14.15 Ensure use of privileged commands is collected" echo "$ find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }'" find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' echo echo echo grep
"" "1.14.16 Ensure successful file system mounts are collected" "$ grep mounts /etc/audit/audit.rules" mounts /etc/audit/audit.rules
echo echo echo grep
"" "1.14.17 Ensure file deletion events by s are collected" "$ grep delete /etc/audit/audit.rules" delete /etc/audit/audit.rules
echo echo echo grep
"" "1.14.18 Ensure changes to system istration scope (sudoers) is collected" "$ grep scope /etc/audit/audit.rules" scope /etc/audit/audit.rules
echo echo echo grep
"" "1.14.19 Ensure system actions (sudolog) are collected" "$ grep actions /etc/audit/audit.rules" actions /etc/audit/audit.rules
echo echo echo grep
"" "1.14.20 Ensure kernel module loading and unloading is collected" "$ grep modules /etc/audit/audit.rules" modules /etc/audit/audit.rules
echo echo echo grep
"" "1.14.21 Ensure the audit configuration is immutable" "$ grep "^\s*[^#]" /etc/audit/audit.rules | tail -1" "^\s*[^#]" /etc/audit/audit.rules | tail -1
echo "" echo "******1.15 Configure Logging******" echo "" echo ""
echo "1.15.1 echo "Check if rsyslog is enabled" echo "$ systemctl is-enabled rsyslog" systemctl is-enabled rsyslog echo "" echo "1.15.2 Check if logging is configured" echo "$ ls -al /var/log" ls -al /var/log echo echo echo grep
"" "1.15.3 Ensure rsyslog default file permissions configured" "$ grep ^\$FileCreateMode /etc/rsyslog.conf" ^\$FileCreateMode /etc/rsyslog.conf
echo echo echo grep
"" "1.15.4 Ensure rsyslog is configured to send logs to a remote log host" "$ grep "^*.*[^I][^I]*@" /etc/rsyslog.conf" "^*.*[^I][^I]*@" /etc/rsyslog.conf
echo "" echo "1.15.5 Ensure remote rsyslog messages are only accepted on designated log hosts" echo "$ grep '$ModLoad imt.so' /etc/rsyslog.conf" grep '$ModLoad imt.so' /etc/rsyslog.conf echo "$ grep '$InputTServerRun' /etc/rsyslog.conf" grep '$InputTServerRun' /etc/rsyslog.conf echo "" echo "1.15.6 Ensure syslog-ng service is enabled" echo "$ systemctl is-enabled syslog-ng" systemctl is-enabled syslog-ng echo "" echo "1.15.7 Ensure logging is configured" echo "$ ls -l /var/log/" ls -l /var/log/ echo echo echo grep
"" "1.15.8 Ensure syslog-ng default file permissions configured" "$ grep ^options /etc/syslog-ng/syslog-ng.conf" ^options /etc/syslog-ng/syslog-ng.conf
echo "" echo "1.15.9 Ensure syslog-ng is configured to send logs to a remote log host" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.10 Ensure remote syslog-ng messages are only accepted on designated log hosts" echo "$ cat /etc/syslog-ng/syslog-ng.conf" cat /etc/syslog-ng/syslog-ng.conf echo "" echo "1.15.11 Ensure rsyslog or syslog-ng is installed" echo "$ rpm -q rsyslog" rpm -q rsyslog echo "$ rpm -q syslog-ng" rpm -q syslog-ng
echo echo echo find
"" "1.15.12 Ensure permissions on all logfiles are configured" "$ find /var/log -type f -ls" /var/log -type f -ls
echo "" echo "1.15.13 Ensure logrotate is configured" echo "$ cat /etc/logrotate.conf" cat /etc/logrotate.conf echo "$ cat /etc/logrotate.d/*" cat /etc/logrotate.d/* echo "" echo "******1.16 Access, Authentication and Authorisation******" echo "" echo "" echo "1.16.1 Configure cron" echo "$ systemctl is-enabled crond" systemctl is-enabled crond echo echo echo stat
"" "1.16.2 Ensure permissions on /etc/crontab are configured" "$ stat /etc/crontab" /etc/crontab
echo echo echo stat
"" "1.16.3 Ensure permissions on /etc/cron.hourly are configured" "$ stat /etc/cron.hourly" /etc/cron.hourly
echo echo echo stat
"" "1.16.4 Ensure permissions on /etc/cron.daily are configured" "$ stat /etc/cron.daily" /etc/cron.daily
echo echo echo stat
"" "1.16.5 Ensure permissions on /etc/cron.weekly are configured" "$ stat /etc/cron.weekly" /etc/cron.weekly
echo echo echo stat
"" "1.16.6 Ensure permissions on /etc/cron.monthly are configured" "$ stat /etc/cron.monthly" /etc/cron.monthly
echo echo echo stat
"" "1.16.7 Ensure permissions on /etc/cron.d are configured" "$ stat /etc/cron.d" /etc/cron.d
echo echo echo stat echo stat
"" "1.16.8 Ensure at/cron is restricted to authorized s" "$ stat /etc/cron.deny" /etc/cron.deny "$ stat /etc/at.deny" /etc/at.deny
echo echo echo stat
"" "1.16.9 Ensure permissions on /etc/ssh/sshd_config are configured" "$ stat /etc/ssh/sshd_config" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.10 Ensure SSH Protocol is set to 2" "$ grep "^Protocol" /etc/ssh/sshd_config" "^Protocol" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.11 Ensure SSH LogLevel is set to INFO" "$ grep "^LogLevel" /etc/ssh/sshd_config" "^LogLevel" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.12 Ensure SSH X11 forwarding is disabled" "$ grep "^X11Forwarding" /etc/ssh/sshd_config" "^X11Forwarding" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.13 Ensure SSH MaxAuthTries is set to 4 or less" "$ grep "^MaxAuthTries" /etc/ssh/sshd_config" "^MaxAuthTries" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.14 Ensure SSH IgnoreRhosts is enabled" "$ grep "^IgnoreRhosts" /etc/ssh/sshd_config" "^IgnoreRhosts" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.15 Ensure SSH HostbasedAuthentication is disabled" "$ grep "^HostbasedAuthentication" /etc/ssh/sshd_config" "^HostbasedAuthentication" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.16 Ensure SSH root is disabled" "$ grep "^PermitRoot" /etc/ssh/sshd_config" "^PermitRoot" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.17 Ensure SSH PermitEmptys is disabled" "$ grep "^PermitEmptys" /etc/ssh/sshd_config" "^PermitEmptys" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.18 Ensure SSH PermitEnvironment is disabled" "$ grep PermitEnvironment /etc/ssh/sshd_config" PermitEnvironment /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.19 Ensure only approved ciphers are used" "$ grep "Ciphers" /etc/ssh/sshd_config" "Ciphers" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.20 Ensure only approved MAC algorithms are used" "$ grep "MACs" /etc/ssh/sshd_config" "MACs" /etc/ssh/sshd_config
echo echo echo grep echo grep
"" "1.16.21 Ensure SSH Idle Timeout Interval is configured" "$ grep "^ClientAliveInterval" /etc/ssh/sshd_config" "^ClientAliveInterval" /etc/ssh/sshd_config "$ grep "^ClientAliveCountMax" /etc/ssh/sshd_config" "^ClientAliveCountMax" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.22 Ensure SSH GraceTime is set to one minute or less" "$ grep "^GraceTime" /etc/ssh/sshd_config" "^GraceTime" /etc/ssh/sshd_config
echo echo echo grep echo grep echo grep echo grep
"" "1.16.23 Ensure SSH access is limited" "$ grep "^Allows" /etc/ssh/sshd_config" "^Allows" /etc/ssh/sshd_config "$ grep "^AllowGroups" /etc/ssh/sshd_config" "^AllowGroups" /etc/ssh/sshd_config "$ grep "^Denys" /etc/ssh/sshd_config" "^Denys" /etc/ssh/sshd_config "$ grep "^DenyGroups" /etc/ssh/sshd_config" "^DenyGroups" /etc/ssh/sshd_config
echo echo echo grep
"" "1.16.24 Ensure SSH warning banner is configured" "$ grep "^Banner" /etc/ssh/sshd_config" "^Banner" /etc/ssh/sshd_config
echo "" echo "******1.17 Configure PAM******" echo "" echo echo echo grep echo grep echo grep echo grep echo grep echo grep echo grep
"" "1.17.1 Ensure creation requirements are configured" "$ grep pam_pwquality.so /etc/pam.d/-auth" pam_pwquality.so /etc/pam.d/-auth "$ grep pam_pwquality.so /etc/pam.d/system-auth" pam_pwquality.so /etc/pam.d/system-auth "$ grep ^minlen /etc/security/pwquality.conf" ^minlen /etc/security/pwquality.conf "$ grep ^dcredit /etc/security/pwquality.conf" ^dcredit /etc/security/pwquality.conf "$ grep ^lcredit /etc/security/pwquality.conf" ^lcredit /etc/security/pwquality.conf "$ grep ^ocredit /etc/security/pwquality.conf" ^ocredit /etc/security/pwquality.conf "$ grep ^ucredit /etc/security/pwquality.conf" ^ucredit /etc/security/pwquality.conf
echo "" echo "1.17.2 Ensure lockout for failed attempts is configured" echo "$ cat /etc/pam.d/-auth" cat /etc/pam.d/-auth echo "$ cat /etc/pam.d/system-auth" cat /etc/pam.d/system-auth echo "" echo "1.17.3 Ensure reuse is limited"
echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "1.17.4 Ensure hashing algorithm is SHA-512" echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/-auth echo "$ egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth" egrep '^\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth echo "" echo "******1.18 System File Permissions******" echo "" echo echo echo grep
"" "1.18.1 Set Shadow Suite Parameters" "$ grep _MAX_DAYS /etc/.defs" _MAX_DAYS /etc/.defs
echo echo echo grep
"" "1.18.2 Ensure minimum days between changes is 7 or more" "$ grep _MIN_DAYS /etc/.defs" _MIN_DAYS /etc/.defs
echo echo echo grep
"" "1.18.3 Ensure expiration warning days is 7 or more" "$ grep _WARN_AGE /etc/.defs" _WARN_AGE /etc/.defs
echo "" echo "1.18.4 Ensure inactive lock is 30 days or less" echo "$ add -D | grep INACTIVE" add -D | grep INACTIVE echo "" echo "1.18.5 Ensure system s are non-" echo "$ egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1! ="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}'" egrep -v "^\+" /etc/wd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/no" && $7!="/bin/false") {print}' echo echo echo grep
"" "1.18.6 Ensure default group for the root is GID 0" "$ grep "^root:" /etc/wd | cut -f4 -d:" "^root:" /etc/wd | cut -f4 -d:
echo echo echo grep echo grep
"" "1.18.7 Ensure default umask is 027 or more restrictive" "$ grep "^umask" /etc/bashrc" "^umask" /etc/bashrc "$ grep "^umask" /etc/profile" "^umask" /etc/profile
echo "" echo "1.18.8 Ensure root is restricted to system console" echo "$ cat /etc/securetty"
cat /etc/securetty echo echo echo grep echo grep
"" "1.18.9 Ensure access to the su command is restricted" "$ grep pam_wheel.so /etc/pam.d/su" pam_wheel.so /etc/pam.d/su "$ grep wheel /etc/group" wheel /etc/group
echo "" echo "******1.19 Maintenance******" echo "" echo echo echo stat
"" "1.19.1 Ensure permissions on /etc/wd are configured" "$ stat /etc/wd" /etc/wd
echo echo echo stat
"" "1.19.2 Ensure permissions on /etc/shadow are configured" "$ stat /etc/shadow" /etc/shadow
echo echo echo stat
"" "1.19.3 Ensure permissions on /etc/group are configured" "$ stat /etc/group" /etc/group
echo echo echo stat
"" "1.19.4 Run the following chown to set permissions on /etc/gshadow" "$ stat /etc/gshadow" /etc/gshadow
echo echo echo stat
"" "1.19.5 Ensure permissions on /etc/wd- are configured" "$ stat /etc/wd-" /etc/wd-
echo echo echo stat
"" "1.19.6 Ensure permissions on /etc/shadow- are configured" "$ stat /etc/shadow-" /etc/shadow-
echo echo echo stat
"" "1.19.7 Ensure permissions on /etc/group- are configured" "$ stat /etc/group-" /etc/group-
echo echo echo stat
"" "1.19.8 Ensure permissions on /etc/gshadow- are configured" "$ stat /etc/gshadow-" /etc/gshadow-
echo "" echo "1.19.9 Ensure no world writable files exist" echo "$ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
echo "" echo "1.19.10 Ensure no unowned files or directories exist" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -no" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -no echo "" echo "1.19.11 Ensure no ungrouped files or directories exist" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -nogroup" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -nogroup echo "" echo "1.19.12 Audit SUID executables" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -4000" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 echo "" echo "1.19.13 Audit SGID executables" echo "$ df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -2000" df --local -P | awk {'if (NR!=1) print $6' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 echo "" echo "******1.20 and Group Settings******" echo "" echo "" echo "1.20.1 Ensure fields are not empty" echo "$ cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a "}'" cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a "}' echo echo echo grep
"" "1.20.2 Ensure no legacy "+" entries exist in /etc/wd" "$ grep '^+:' /etc/wd" '^+:' /etc/wd
echo echo echo grep
"" "1.20.3 Ensure no legacy "+" entries exist in /etc/shadow" "$ grep '^+:' /etc/shadow" '^+:' /etc/shadow
echo echo echo grep
"" "1.20.4 Ensure no legacy "+" entries exist in /etc/group" "$ grep '^+:' /etc/group" '^+:' /etc/group
echo "" echo "1.20.5 Ensure root is the only UID 0 " echo "$ cat /etc/wd | awk -F: '($3 == 0) { print $1 }'" cat /etc/wd | awk -F: '($3 == 0) { print $1 }' echo "" echo "1.20.6 Ensure root PATH Integrity"
echo "$ #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root'" #!/bin/bash if [ "`echo $PATH | grep ::`" != "" ]; then echo "Empty Directory in PATH (::)" fi if [ "`echo $PATH | grep :$`" != "" ]; then echo "Trailing : in PATH" fi p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p while [ "$1" != "" ]; do if [ "$1" = "." ]; then echo "PATH contains ." shift continue fi if [ -d $1 ]; then dirperm=`ls -ldH $1 | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $1" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $1" fi dirown=`ls -ldH $1 | awk '{print $3}'` if [ "$dirown" != "root" ] ; then echo $1 is not owned by root echo "" echo "1.20.7 Ensure all s' home directories exist" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a ! -d "$dir" -a $ != "nfsnobody" ]; then echo "The home directory ($dir) of $ does not exist." fi done echo "" echo "1.20.8 Ensure s' home directories permissions are 750 or more restrictive" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do dirperm=`ls -ld $dir | cut -f1 -d" "` if [ `echo $dirperm | cut -c6` != "-" ]; then echo "Group Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c8` != "-" ]; then echo "Other Read permission set on directory $dir" fi if [ `echo $dirperm | cut -c9` != "-" ]; then echo "Other Write permission set on directory $dir" fi if [ `echo $dirperm | cut -c10` != "-" ]; then echo "Other Execute permission set on directory $dir" fi done echo "" echo "1.20.9 Ensure s own their home directories" echo "$ #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done" #!/bin/bash cat /etc/wd | awk -F: '{ print $1 " " $3 " " $6 }' | while read uid dir; do if [ $uid -ge 1000 -a -d "$dir" -a $ != "nfsnobody" ]; then owner=$(stat -L -c "%U" "$dir") if [ "$owner" != "$" ]; then echo "The home directory ($dir) of $ is owned by $owner." fi fi done
echo "" echo "1.20.10 Ensure s' dot files are not group or world writable" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/. [A-Za-z0-9]*; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write permission set on file $file" fi fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.[A-Za-z0-9]*; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write permission set on file $file" fi fi done done echo "" echo "1.20.11 Ensure no s have .forward files" echo "$ #!/bin/bash for dir in `cat /etc/wd |\ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then $dir/.forward exists" fi done" #!/bin/bash for dir in `cat /etc/wd |\ awk -F: "$dir/.forward" -a -f "$dir/.forward" ]; then echo exists" fi done
awk -F: '{ print $6 }'`; do if [ echo ".forward file '{ print $6 }'`; do if [ ! -h ".forward file $dir/.forward
echo "" echo "1.20.12 Ensure no s have .netrc files" echo "$ #!/bin/bash for dir in `cat /etc/wd |\ awk -F: '{ print $6 }'`; do if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then echo ".netrc file $dir/.netrc exists" fi done" #!/bin/bash for dir in `cat /etc/wd |\ awk -F: '{ print $6 }'`; do if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then echo ".netrc file $dir/.netrc exists" fi done echo "" echo "1.20.13 Ensure s' .netrc Files are not group or world accessible" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt| shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.netrc; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c5` != "-" ]; then echo "Group Read set on $file" fi if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write set on $file" fi if [ `echo $fileperm | cut -c7` != "-" ]; then echo "Group Execute set on $file" fi if [ `echo $fileperm | cut -c8` != "-" ]; then echo "Other Read set on $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write set on $file" fi if [ `echo $fileperm | cut -c10` != "-" ]; then echo "Other Execute set on $file" fi fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.netrc; do if [ ! -h "$file" -a -f "$file" ]; then fileperm=`ls -ld $file | cut -f1 -d" "` if [ `echo $fileperm | cut -c5` != "-" ]; then echo "Group Read set on $file" fi if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write set on $file" fi if [ `echo $fileperm | cut -c7` != "-" ]; then echo "Group Execute set on $file" fi if [ `echo $fileperm | cut -c8` != "-" ]; then echo "Other Read set on $file" fi if [ `echo $fileperm | cut -c9` != "-" ]; then echo "Other Write set on $file" fi if [ `echo $fileperm | cut -c10` != "-" ]; then echo "Other Execute set on $file" fi fi done done echo "" echo "1.20.14 Ensure no s have .rhosts files" echo "$ #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|
shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.rhosts; do if [ ! -h "$file" -a -f "$file" ]; then echo ".rhosts file in $dir" fi done done" #!/bin/bash for dir in `cat /etc/wd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/no") { print $6 }'`; do for file in $dir/.rhosts; do if [ ! -h "$file" -a -f "$file" ]; then echo ".rhosts file in $dir" fi done done echo "" echo "1.20.15 Ensure all groups in /etc/wd exist in /etc/group" echo "$ #!/bin/bash for i in $(cut -s -d: -f4 /etc/wd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group if [ $? -ne 0 ]; then echo "Group $i is referenced by /etc/wd but does not exist in /etc/group" fi done" #!/bin/bash for i in $(cut -s -d: -f4 /etc/wd | sort -u ); do grep -q -P "^.*?: [^:]*:$i:" /etc/group if [ $? -ne 0 ]; then echo "Group $i is referenced by /etc/wd but does not exist in /etc/group" fi done echo "" echo "1.20.16 Ensure no duplicate UIDs exist" echo "$ #!/bin/bash cat /etc/wd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then s=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/wd | xargs` echo "Duplicate UID ($2): $ {s}" fi done" #!/bin/bash cat /etc/wd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then s=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/wd | xargs` echo "Duplicate UID ($2): ${s}" fi done echo "" echo "1.20.17 Ensure no duplicate GIDs exist" echo "$ #!/bin/bash cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` echo "Duplicate GID ($2): ${groups}" fi done" #!/bin/bash cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` echo "Duplicate GID ($2): ${groups}" fi done echo "" echo "1.20.18 Ensure no duplicate names exist" echo "$ #!/bin/bash cat /etc/wd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/wd | xargs` echo "Duplicate Name ($2): ${uids}" fi done" #!/bin/bash cat /etc/wd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/wd | xargs` echo "Duplicate Name ($2): ${uids}" fi done echo "" echo "1.20.19 Ensure no duplicate group names exist" echo "$ #!/bin/bash cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` echo "Duplicate Group Name ($2): ${gids}" fi done" #!/bin/bash cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break set - $x if [ $1 -gt 1 ]; then gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` echo "Duplicate Group Name ($2): ${gids}" fi done echo ""
echo "******End of Report******" echo ""
Related Documents 3h463d
Rhel 7 Hardening Script V2 5c361d
April 2020 20
Rhel 7 Hardening Script V1 2x3h3u
October 2021 0
Rhel-5-6-7-cheatsheet.pdf 6b3xa
November 2022 0
Script Bitssurfer V2.txt 145m3m
December 2019 99
Windows 7 Total V2 2c5l1y
February 2021 0