Linux Hardening
#!/bin/bash
echo "This script can be used for RHEL
hardening"
echo " "
sleep 2
echo "1. checking some basic packages which should
not be installed:"
for package in inetd xinetd ypserv tftp-server
telnet-server rsh-serve
do
if ! rpm -qa
| grep $package >& /etc/null;
then
echo
"package $package is not installed"
else
echo
"The $package is installed. Erasing it now."
yum erase
$package
fi
done
sleep 2
echo " "
echo "2. Checking SElinux settings:"
x=`cat /etc/sysconfig/selinux | grep ^SELINUX | head -n
1 | awk -F= '{print $2}'`
if [ $x == disabled ]
then
echo
"SElinux is disabled"
echo
"Changing it to enforcing"
sed -i
's/^SELINUX=disabled/SELINUX=enforcing/' /etc/sysconfig/selinux
else
echo
"SElinux is already in enforcing mode"
fi
sleep 2
echo " "
echo "3. Changing different parameters of password
aging"
sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 60' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS 1' /etc/login.defs
sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN 8' /etc/login.defs
sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE 15' /etc/login.defs
echo "Changes in /etc/login.defs file are
done"
sleep 2
echo " "
#echo "Restricting use of previous passwords:"
#echo "None applied"
#sleep 2
echo "4. Verifying empty password accounts:"
x=`awk -F: '($2 == "") {print}' /etc/shadow |
wc -l`
if [ $x -lt 1 ]
then
echo "No
account is password less"
else
echo "At
least 1 account is password less.Check the configuration file"
fi
sleep 2
echo " "
echo "5. Checking if No Non-Root Accounts Have UID
Set To 0:"
x=`awk -F: '($3 == "0") {print}' /etc/passwd |
awk -F: '{print $1}'`
if [ $x == root ]
then
echo "No account other than ROOT has UID 0"
else
echo "***** Check the file. More than one accounts
have UID 0"
fi
sleep 2
echo " "
#echo "6. Disabling root login in system"
#sed -i '/^#PermitRootLogin/a PermitRootLogin no'
/etc/ssh/sshd_config
#sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
#sleep 2
echo "7. Linux kernel hardening:"
cp /etc/sysctl.conf /etc/sysctl.conf.backup
echo "net.ipv4.conf.all.accept_redirects = 0"
>> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route =
0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.forwarding = 0"
>> /etc/sysctl.conf
echo "net.ipv4.conf.all.mc_forwarding = 0"
>> /etc/sysctl.conf
echo "net.ipv4.conf.default.log_martians = 1"
>> /etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians = 1"
>> /etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 4096"
>> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >>
/etc/sysctl.conf
sleep 2
echo "Changes in /etc/sysctl.conf file are
done."
sleep 1
echo " "
echo "8. Setting permissions to restrictive for
commonly used commands"
chmod 100 /bin/rpm
chmod 100 /bin/tar
chmod 100 /bin/gzip
chmod 100 /bin/ping
chmod 100 /bin/gunzip
chmod 100 /bin/mount
chmod 100 /bin/umount
chmod 100 /usr/bin/gzip
chmod 100 /usr/bin/gunzip
chmod 100 /usr/bin/who
chmod 100 /usr/bin/lastb
chmod 100 /usr/bin/last
chmod 100 /usr/bin/lastlog
chmod 100 /sbin/arping
#chmod 100 /usr/sbin/traceroute
#chmod 400 /etc/syslog-ng/syslog-ng.conf
chmod 400 /etc/hosts.allow
chmod 400 /etc/hosts.deny
#chmod 400 /etc/sysconfig/syslog
chmod 644 /var/log/wtmp
echo "commands permissions changed"
sleep 1
echo " "
#echo "Disk partitions:"
#echo "***None applied yet***"
#sleep 2
#echo "disabling IPv6:"
#echo "None applied"
#sleep 2
echo "9. disabling 'lp' and 'game' users in passwd
file:"
sed -i 's/^lp/#lp/' /etc/passwd
sed -i 's/^games/#games/' /etc/passwd
sed -i 's/^lp/#lp/' /etc/group
sed -i 's/^games/#games/' /etc/group
echo "Users are disabled"
sleep 1
echo " "
#echo "creating GRUB password:"
#echo "use of gconftool"
#echo "write verify script"
echo "10. Setting 'Banner' and 'Motd'"
echo
"*****************************************************************************"
> /etc/motd
echo -e "!!!WARNING!!!\n" >> /etc/motd
echo " This System is for the use of authorized
company personnel only and by accessing this system you here by consent to the system being
monitored by the company. Any unauthorized use will be considered a breach of
company's Information Security Policies and may be unlawful under law. "
>> /etc/motd
echo
"*****************************************************************************"
>> /etc/motd
cp /etc/issue /etc/issue.net
#cp /etc/issue /etc/motd
echo "Banner is set."
sleep 1
echo " "
No comments:
Post a Comment