#!/bin/sh
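#--- Password hashing and password-quality policy ---------------------------
# Every step in this script edits system files; bail out early rather than
# fail half-way through and leave a partially hardened host.
if [ "$(id -u)" -ne 0 ]; then
    echo "this script must be run as root" >&2
    exit 1
fi
# Hash new passwords with SHA-512. On RHEL /etc/pam.d/system-auth is
# normally a symlink to system-auth-ac, which authconfig regenerates; GNU
# "sed -i" below replaces that symlink with a regular file, which is what
# keeps a later authconfig run from overwriting the manual edits.
authconfig --passalgo=sha512 --update
# Password complexity via pam_cracklib: at least 8 characters and at least
# one digit, upper-case, lower-case and other character (a negative credit
# means "required"). Only the stock "retry=3 type=" line is rewritten; the
# grep echoes the result so the operator can confirm it changed.
sed -i 's/try_first_pass retry=3 type=/try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/g' /etc/pam.d/system-auth
grep pam_cracklib.so /etc/pam.d/system-auth
sleep 1
# Keep the last 5 password hashes so users cannot cycle back to an old one.
# The original put "/g" outside the single quotes (it only worked because
# the shell re-joined the word) and appended a second "remember=5" on every
# run; guard on the option already being present.
# NOTE(review): the pam_unix line keeps "nullok", which accepts empty
# passwords; most hardening baselines remove it.
if ! grep -q 'pam_unix.so.*remember=' /etc/pam.d/system-auth; then
    sed -i 's/pam_unix.so sha512 shadow nullok try_first_pass use_authtok/& remember=5/' /etc/pam.d/system-auth
fi
grep pam_unix.so /etc/pam.d/system-auth
sleep 1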
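#--- Password ageing defaults (/etc/login.defs) -----------------------------
# Stock login.defs separates key and value with tabs, so the original
# "KEY [^ ]*" patterns (a single space) could match nothing. Anchor on the
# key at line start followed by any whitespace and replace the whole value.
# These are defaults for accounts created from now on; existing users need
# "chage -M 42 -m 1 -W 7 <user>". PASS_MIN_LEN is ignored while
# pam_cracklib is active (its minlen wins) but is kept for consistency.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 42/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 1/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 8/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 7/' /etc/login.defs
grep -E '^PASS_(MAX_DAYS|MIN_DAYS|MIN_LEN|WARN_AGE)' /etc/login.defs
sleep 5
# Lock new accounts 35 days after their password expires. Again only a
# default for new users; existing accounts need "chage -I 35 <user>".
useradd -D -f 35
grep '^INACTIVE' /etc/default/useradd
sleep 3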
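#--- cron/at access control -------------------------------------------------
# /etc/crontab is root-only: other users must neither read it (job names
# and paths leak) nor write it (job injection runs as root).
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
ls -ld /etc/crontab
sleep 1
# Switch both schedulers from deny-list to allow-list mode. When *.allow
# exists it is authoritative and *.deny is ignored; with the file empty
# only root can schedule jobs. Add one username per line to cron.allow /
# at.allow for any service account that legitimately needs the scheduler.
# "rm -f" so a missing deny file is not an error (the original removed
# at.deny twice and errored the second time).
rm -f /etc/at.deny /etc/cron.deny
for allow in /etc/at.allow /etc/cron.allow; do
    touch "$allow"
    chown root:root "$allow"
    chmod og-rwx "$allow"
done
ls -ld /etc/at.allow /etc/cron.allow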
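#--- sshd hardening ---------------------------------------------------------
# set_sshd_option KEYWORD VALUE
# Sets one directive in /etc/ssh/sshd_config exactly once: an active line
# is rewritten in place, otherwise a commented-out one is uncommented and
# rewritten, otherwise the directive is inserted at the top of the file.
# The original seds each matched one specific spelling (e.g. the commented
# "#PermitRootLogin yes"), so an already-active "PermitRootLogin yes" was
# left as is, and "Ciphers" was inserted at hard-coded line 140, which
# silently does nothing on a shorter file and duplicates on re-run.
# New directives go at the top, not the end, because anything after a
# trailing "Match" block would be scoped to that block only.
set_sshd_option() {
    cfg=/etc/ssh/sshd_config
    if grep -q "^[[:space:]]*$1[[:space:]]" "$cfg"; then
        sed -i "s|^[[:space:]]*$1[[:space:]].*|$1 $2|" "$cfg"
    elif grep -q "^[[:space:]]*#[[:space:]]*$1[[:space:]]" "$cfg"; then
        sed -i "s|^[[:space:]]*#[[:space:]]*$1[[:space:]].*|$1 $2|" "$cfg"
    else
        sed -i "1i$1 $2" "$cfg"
    fi
}
# SSH protocol 2 only (the directive is ignored, harmlessly, by OpenSSH 7.4+).
set_sshd_option Protocol 2
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
# environment= in authorized_keys / ~/.ssh/environment could otherwise be
# used to bypass command restrictions (e.g. via LD_PRELOAD).
set_sshd_option PermitUserEnvironment no
# Counter-mode AES ciphers only.
set_sshd_option Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# Idle sessions: probe every 300 s. NOTE(review): CountMax 0 is kept from
# the original, but on OpenSSH 8.2 and later a count of 0 disables the
# liveness check entirely instead of dropping the session; use 1-3 there.
set_sshd_option ClientAliveInterval 300
set_sshd_option ClientAliveCountMax 0
grep -E '^(Protocol|PermitRootLogin|PermitEmptyPasswords|PermitUserEnvironment|Ciphers|ClientAlive)' /etc/ssh/sshd_config
sleep 3
# Validate before restarting: a bad sshd_config would otherwise leave the
# host without remote access once the old daemon exits.
if /usr/sbin/sshd -t; then
    service sshd restart
else
    echo "sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
fi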
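#--- Account database files and boot loader ---------------------------------
# passwd/group are world-readable by design; shadow/gshadow hold the hashes
# and are root-only (0000 is the RHEL default; root bypasses DAC anyway).
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0000 /etc/shadow /etc/gshadow
ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
sleep 2
# Boot loader. default=/timeout= are boot behaviour, not security controls:
# a 15 s menu with no password gives anyone at the console time to edit the
# kernel line (init=/bin/sh). The real controls are a "password --md5 <hash>"
# entry (hash generated per host with grub-md5-crypt, so not scripted here)
# and keeping grub.conf unreadable to non-root. Patterns are anchored so
# only the real keys are rewritten.
if [ -f /etc/grub.conf ]; then
    sed -i 's/^default=.*/default=0/' /etc/grub.conf
    sed -i 's/^timeout=.*/timeout=15/' /etc/grub.conf
    grep -E '^(default|timeout)=' /etc/grub.conf
    # /etc/grub.conf is a symlink to /boot/grub/grub.conf on RHEL; chown
    # and chmod without -h follow it to the real file.
    chown root:root /etc/grub.conf
    chmod 0600 /etc/grub.conf
    ls -lL /etc/grub.conf
fi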
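#--- Disable services that are not needed on a hardened host ----------------
# "chkconfig NAME off" only stops the service starting at boot; anything
# already running keeps running until "service NAME stop" or a reboot.
# Typos in the original list (chargen-dup, pssacct, windbind) meant those
# three were never touched; they are chargen-udp, psacct and winbind.
# NOTE(review): psacct is process accounting and microcode_ctl applies CPU
# microcode updates; both are on the author's list but are worth keeping
# on most hosts (forensic data, CPU errata fixes).
for svc in apmd atd autofs chargen chargen-udp cups cups-lpd daytime-udp \
        echo echo-udp eklogin gssftp httpd irda irqbalance isdn klogin \
        krb-telnet kshell mdmonitor mdmpd microcode_ctl named netdump netfs \
        nfs nfslock pcmcia portmap psacct random rawdevices rhnsd rsync \
        saslauthd sendmail smartd smb snmpd snmptrapd swat time time-udp \
        vncserver winbind; do
    # chkconfig exits non-zero for a service that is not installed; skip it
    # quietly instead of printing an error for every missing package.
    if chkconfig --list "$svc" >/dev/null 2>&1; then
        chkconfig "$svc" off
    fi
done
chkconfig --list | grep '3:off'
sleep 2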
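#--- Banner, SELinux, unused accounts, single-user mode, tftp, /tmp ---------
# Login banners: kept disabled as in the original. Emptying them removes the
# OS and kernel version that the stock /etc/issue shows before login.
#cat /dev/null > /etc/issue.net
#cat /dev/null > /etc/motd
# SELinux policy type, anchored so only the real key is rewritten.
# NOTE(review): this does not touch the SELINUX= mode line; the policy is
# only enforced when that line reads SELINUX=enforcing (test in permissive
# first on a host that has never run enforcing).
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' /etc/selinux/config
grep -E '^SELINUX(TYPE)?=' /etc/selinux/config
# Unused system accounts are locked and given a non-login shell rather than
# deleted: userdel leaves files owned by a dangling UID that a future
# account could inherit, and "nobody" is the unprivileged identity used by
# NFS and several daemons, so deleting it breaks them (the original's
# "disabling FTP" remark on it was wrong - an FTP daemon is disabled by
# stopping its service, not by removing the ftp account). "Uupc" in the
# original was a typo for uucp. sync and shutdown keep their special
# shells; their password is locked like the rest.
for acct in lp sync shutdown uucp ftp games nscd gopher operator nobody; do
    if getent passwd "$acct" >/dev/null 2>&1; then
        usermod -L "$acct"
        case $acct in
            sync|shutdown) ;;
            *) usermod -s /sbin/nologin "$acct" ;;
        esac
    fi
done
# Require the root password in single-user mode. The entry goes right after
# the initdefault line (appended if that line is missing); the original
# inserted at hard-coded line 26 and added a duplicate on every run. On
# RHEL 6 (upstart) /etc/inittab only holds initdefault and the equivalent
# setting is SINGLE=/sbin/sulogin in /etc/sysconfig/init.
if [ -f /etc/inittab ] && ! grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab; then
    sed -i '/^id:[0-9]:initdefault:/a\~~:S:wait:/sbin/sulogin' /etc/inittab
    grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab || echo '~~:S:wait:/sbin/sulogin' >> /etc/inittab
fi
grep sulogin /etc/inittab
# tftp: the original path is unusual (tftp roots are normally /tftpboot or
# /var/lib/tftpboot) and 0754 still leaves the tree world-readable; kept as
# written but only applied when the path exists.
if [ -e /usr/bin/tftpboot ]; then
    chmod 0754 /usr/bin/tftpboot
fi
# World-writable temp directories need the sticky bit so users cannot
# delete each other's files. The original also chmod'ed "/utmp" and
# "/utmpx", which do not exist on Linux (the login database is
# /var/run/utmp and must not be 1777), so they are dropped; /var/tmp is
# added because it has the same requirement as /tmp.
chmod 1777 /tmp /var/tmp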
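#--- Logging and auditing ---------------------------------------------------
# Quoted package name: the unquoted "rsyslog*" of the original is a shell
# glob expanded against the current directory before yum sees it. -y keeps
# the run non-interactive (the original would block on yum's prompt).
yum -y install rsyslog
chkconfig rsyslog on
service rsyslog start
# Log file modes. The original used 0622, which grants group and others
# *write* (not read) access: any local user could truncate or overwrite
# the security logs while still being unable to read them - the opposite
# of the intent. 0600 keeps them root-only; use 0640 plus a log-reader
# group if non-root tooling must read them. logrotate recreates these
# files with its own mode unless its "create" directive agrees.
for log in /var/log/messages /var/log/secure /var/log/spooler \
        /var/log/maillog /var/log/cron /var/log/boot.log; do
    if [ -f "$log" ]; then
        chmod 0600 "$log"
    fi
done
ls -l /var/log/messages /var/log/secure
# auditd: 100 MB per log file and keep old logs instead of rotating them
# away. Whole-value replacement: the original "=[^ ]*" matched zero
# characters before " ROTATE" and produced "max_log_file_action =keep_logs
# ROTATE", which auditd's config parser does not accept. keep_logs can fill
# the disk; make sure space_left_action / admin_space_left_action are set.
sed -i 's/^max_log_file[[:space:]]*=.*/max_log_file = 100/' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
grep -E '^max_log_file(_action)?[[:space:]]*=' /etc/audit/auditd.conf
# Default umask in /etc/bashrc. Anchored on leading whitespace so both the
# indented "umask 002" (private-group) and "umask 022" branches become
# 022, exactly as the original's unanchored pattern did.
# NOTE(review): 022 is the upstream default; what hardening baselines call
# a strong umask is 027. /etc/profile carries its own umask for other
# shells and is not touched here.
sed -i 's/^\([[:space:]]*\)umask [0-9]*/\1umask 022/' /etc/bashrc
grep umask /etc/bashrc
# Audit writes and attribute changes to the login-accounting files; each
# rule is added only if missing so re-runs do not duplicate it.
for f in /var/log/faillog /var/log/lastlog /var/log/tallylog; do
    rule="-w $f -p wa -k logins"
    if ! grep -qxF -- "$rule" /etc/audit/audit.rules; then
        echo "$rule" >> /etc/audit/audit.rules
    fi
done
# SIGHUP (the original's pkill) only makes auditd re-read auditd.conf;
# audit.rules is loaded by auditctl, which the init script's restart runs.
service auditd restart
grep -- '-p wa -k logins' /etc/audit/audit.rules
sleep 2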
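#--- Login banner and account-database permissions (final state) ------------
# Banner text, kept disabled as in the original. If enabled, write it with
# ">" not ">>" (appending adds a copy per run) and add "Banner
# /etc/issue.net" to sshd_config, or SSH users never see it.
#echo "Access to this system is restricted to authorized users only If you are not authorized users, please exit now." >> /etc/issue.net
#echo "Access to this system is restricted to authorized users only. If you are not authorized users, please exit now." >> /etc/motd
# passwd/group world-readable, shadow/gshadow root-only and unreadable
# (0000 is the RHEL default; root bypasses DAC). The original ran
# "chown 644 /etc/group" - chown with a mode where the owner goes - which
# fails and left /etc/group's mode untouched; it is chmod here.
chown root:root /etc/passwd /etc/shadow /etc/gshadow /etc/group
chmod 0644 /etc/passwd /etc/group
chmod 0000 /etc/shadow /etc/gshadow
ls -l /etc/passwd /etc/shadow /etc/gshadow /etc/group
sleep 2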
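# NOTE(review): from here to the end of the file the whole script above is
# pasted a second time, verbatim, so every step runs twice. The steps are
# written to be safe to repeat, but the duplicate should simply be deleted.
#--- Password hashing and password-quality policy ---------------------------
# Every step in this script edits system files; bail out early rather than
# fail half-way through and leave a partially hardened host.
if [ "$(id -u)" -ne 0 ]; then
    echo "this script must be run as root" >&2
    exit 1
fi
# Hash new passwords with SHA-512. On RHEL /etc/pam.d/system-auth is
# normally a symlink to system-auth-ac, which authconfig regenerates; GNU
# "sed -i" below replaces that symlink with a regular file, which is what
# keeps a later authconfig run from overwriting the manual edits.
authconfig --passalgo=sha512 --update
# Password complexity via pam_cracklib: at least 8 characters and at least
# one digit, upper-case, lower-case and other character (a negative credit
# means "required"). Only the stock "retry=3 type=" line is rewritten; the
# grep echoes the result so the operator can confirm it changed.
sed -i 's/try_first_pass retry=3 type=/try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/g' /etc/pam.d/system-auth
grep pam_cracklib.so /etc/pam.d/system-auth
sleep 1
# Keep the last 5 password hashes so users cannot cycle back to an old one.
# The original put "/g" outside the single quotes (it only worked because
# the shell re-joined the word) and appended a second "remember=5" on every
# run; guard on the option already being present.
# NOTE(review): the pam_unix line keeps "nullok", which accepts empty
# passwords; most hardening baselines remove it.
if ! grep -q 'pam_unix.so.*remember=' /etc/pam.d/system-auth; then
    sed -i 's/pam_unix.so sha512 shadow nullok try_first_pass use_authtok/& remember=5/' /etc/pam.d/system-auth
fi
grep pam_unix.so /etc/pam.d/system-auth
sleep 1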
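#--- Password ageing defaults (/etc/login.defs) -----------------------------
# Stock login.defs separates key and value with tabs, so the original
# "KEY [^ ]*" patterns (a single space) could match nothing. Anchor on the
# key at line start followed by any whitespace and replace the whole value.
# These are defaults for accounts created from now on; existing users need
# "chage -M 42 -m 1 -W 7 <user>". PASS_MIN_LEN is ignored while
# pam_cracklib is active (its minlen wins) but is kept for consistency.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 42/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 1/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 8/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 7/' /etc/login.defs
grep -E '^PASS_(MAX_DAYS|MIN_DAYS|MIN_LEN|WARN_AGE)' /etc/login.defs
sleep 5
# Lock new accounts 35 days after their password expires. Again only a
# default for new users; existing accounts need "chage -I 35 <user>".
useradd -D -f 35
grep '^INACTIVE' /etc/default/useradd
sleep 3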
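#--- cron/at access control -------------------------------------------------
# /etc/crontab is root-only: other users must neither read it (job names
# and paths leak) nor write it (job injection runs as root).
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
ls -ld /etc/crontab
sleep 1
# Switch both schedulers from deny-list to allow-list mode. When *.allow
# exists it is authoritative and *.deny is ignored; with the file empty
# only root can schedule jobs. Add one username per line to cron.allow /
# at.allow for any service account that legitimately needs the scheduler.
# "rm -f" so a missing deny file is not an error (the original removed
# at.deny twice and errored the second time).
rm -f /etc/at.deny /etc/cron.deny
for allow in /etc/at.allow /etc/cron.allow; do
    touch "$allow"
    chown root:root "$allow"
    chmod og-rwx "$allow"
done
ls -ld /etc/at.allow /etc/cron.allow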
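#--- sshd hardening ---------------------------------------------------------
# set_sshd_option KEYWORD VALUE
# Sets one directive in /etc/ssh/sshd_config exactly once: an active line
# is rewritten in place, otherwise a commented-out one is uncommented and
# rewritten, otherwise the directive is inserted at the top of the file.
# The original seds each matched one specific spelling (e.g. the commented
# "#PermitRootLogin yes"), so an already-active "PermitRootLogin yes" was
# left as is, and "Ciphers" was inserted at hard-coded line 140, which
# silently does nothing on a shorter file and duplicates on re-run.
# New directives go at the top, not the end, because anything after a
# trailing "Match" block would be scoped to that block only.
set_sshd_option() {
    cfg=/etc/ssh/sshd_config
    if grep -q "^[[:space:]]*$1[[:space:]]" "$cfg"; then
        sed -i "s|^[[:space:]]*$1[[:space:]].*|$1 $2|" "$cfg"
    elif grep -q "^[[:space:]]*#[[:space:]]*$1[[:space:]]" "$cfg"; then
        sed -i "s|^[[:space:]]*#[[:space:]]*$1[[:space:]].*|$1 $2|" "$cfg"
    else
        sed -i "1i$1 $2" "$cfg"
    fi
}
# SSH protocol 2 only (the directive is ignored, harmlessly, by OpenSSH 7.4+).
set_sshd_option Protocol 2
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
# environment= in authorized_keys / ~/.ssh/environment could otherwise be
# used to bypass command restrictions (e.g. via LD_PRELOAD).
set_sshd_option PermitUserEnvironment no
# Counter-mode AES ciphers only.
set_sshd_option Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# Idle sessions: probe every 300 s. NOTE(review): CountMax 0 is kept from
# the original, but on OpenSSH 8.2 and later a count of 0 disables the
# liveness check entirely instead of dropping the session; use 1-3 there.
set_sshd_option ClientAliveInterval 300
set_sshd_option ClientAliveCountMax 0
grep -E '^(Protocol|PermitRootLogin|PermitEmptyPasswords|PermitUserEnvironment|Ciphers|ClientAlive)' /etc/ssh/sshd_config
sleep 3
# Validate before restarting: a bad sshd_config would otherwise leave the
# host without remote access once the old daemon exits.
if /usr/sbin/sshd -t; then
    service sshd restart
else
    echo "sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
fi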
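#--- Account database files and boot loader ---------------------------------
# passwd/group are world-readable by design; shadow/gshadow hold the hashes
# and are root-only (0000 is the RHEL default; root bypasses DAC anyway).
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0000 /etc/shadow /etc/gshadow
ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
sleep 2
# Boot loader. default=/timeout= are boot behaviour, not security controls:
# a 15 s menu with no password gives anyone at the console time to edit the
# kernel line (init=/bin/sh). The real controls are a "password --md5 <hash>"
# entry (hash generated per host with grub-md5-crypt, so not scripted here)
# and keeping grub.conf unreadable to non-root. Patterns are anchored so
# only the real keys are rewritten.
if [ -f /etc/grub.conf ]; then
    sed -i 's/^default=.*/default=0/' /etc/grub.conf
    sed -i 's/^timeout=.*/timeout=15/' /etc/grub.conf
    grep -E '^(default|timeout)=' /etc/grub.conf
    # /etc/grub.conf is a symlink to /boot/grub/grub.conf on RHEL; chown
    # and chmod without -h follow it to the real file.
    chown root:root /etc/grub.conf
    chmod 0600 /etc/grub.conf
    ls -lL /etc/grub.conf
fi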
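#--- Disable services that are not needed on a hardened host ----------------
# "chkconfig NAME off" only stops the service starting at boot; anything
# already running keeps running until "service NAME stop" or a reboot.
# Typos in the original list (chargen-dup, pssacct, windbind) meant those
# three were never touched; they are chargen-udp, psacct and winbind.
# NOTE(review): psacct is process accounting and microcode_ctl applies CPU
# microcode updates; both are on the author's list but are worth keeping
# on most hosts (forensic data, CPU errata fixes).
for svc in apmd atd autofs chargen chargen-udp cups cups-lpd daytime-udp \
        echo echo-udp eklogin gssftp httpd irda irqbalance isdn klogin \
        krb-telnet kshell mdmonitor mdmpd microcode_ctl named netdump netfs \
        nfs nfslock pcmcia portmap psacct random rawdevices rhnsd rsync \
        saslauthd sendmail smartd smb snmpd snmptrapd swat time time-udp \
        vncserver winbind; do
    # chkconfig exits non-zero for a service that is not installed; skip it
    # quietly instead of printing an error for every missing package.
    if chkconfig --list "$svc" >/dev/null 2>&1; then
        chkconfig "$svc" off
    fi
done
chkconfig --list | grep '3:off'
sleep 2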
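#--- Banner, SELinux, unused accounts, single-user mode, tftp, /tmp ---------
# Login banners: kept disabled as in the original. Emptying them removes the
# OS and kernel version that the stock /etc/issue shows before login.
#cat /dev/null > /etc/issue.net
#cat /dev/null > /etc/motd
# SELinux policy type, anchored so only the real key is rewritten.
# NOTE(review): this does not touch the SELINUX= mode line; the policy is
# only enforced when that line reads SELINUX=enforcing (test in permissive
# first on a host that has never run enforcing).
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' /etc/selinux/config
grep -E '^SELINUX(TYPE)?=' /etc/selinux/config
# Unused system accounts are locked and given a non-login shell rather than
# deleted: userdel leaves files owned by a dangling UID that a future
# account could inherit, and "nobody" is the unprivileged identity used by
# NFS and several daemons, so deleting it breaks them (the original's
# "disabling FTP" remark on it was wrong - an FTP daemon is disabled by
# stopping its service, not by removing the ftp account). "Uupc" in the
# original was a typo for uucp. sync and shutdown keep their special
# shells; their password is locked like the rest.
for acct in lp sync shutdown uucp ftp games nscd gopher operator nobody; do
    if getent passwd "$acct" >/dev/null 2>&1; then
        usermod -L "$acct"
        case $acct in
            sync|shutdown) ;;
            *) usermod -s /sbin/nologin "$acct" ;;
        esac
    fi
done
# Require the root password in single-user mode. The entry goes right after
# the initdefault line (appended if that line is missing); the original
# inserted at hard-coded line 26 and added a duplicate on every run. On
# RHEL 6 (upstart) /etc/inittab only holds initdefault and the equivalent
# setting is SINGLE=/sbin/sulogin in /etc/sysconfig/init.
if [ -f /etc/inittab ] && ! grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab; then
    sed -i '/^id:[0-9]:initdefault:/a\~~:S:wait:/sbin/sulogin' /etc/inittab
    grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab || echo '~~:S:wait:/sbin/sulogin' >> /etc/inittab
fi
grep sulogin /etc/inittab
# tftp: the original path is unusual (tftp roots are normally /tftpboot or
# /var/lib/tftpboot) and 0754 still leaves the tree world-readable; kept as
# written but only applied when the path exists.
if [ -e /usr/bin/tftpboot ]; then
    chmod 0754 /usr/bin/tftpboot
fi
# World-writable temp directories need the sticky bit so users cannot
# delete each other's files. The original also chmod'ed "/utmp" and
# "/utmpx", which do not exist on Linux (the login database is
# /var/run/utmp and must not be 1777), so they are dropped; /var/tmp is
# added because it has the same requirement as /tmp.
chmod 1777 /tmp /var/tmp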
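#--- Logging and auditing ---------------------------------------------------
# Quoted package name: the unquoted "rsyslog*" of the original is a shell
# glob expanded against the current directory before yum sees it. -y keeps
# the run non-interactive (the original would block on yum's prompt).
yum -y install rsyslog
chkconfig rsyslog on
service rsyslog start
# Log file modes. The original used 0622, which grants group and others
# *write* (not read) access: any local user could truncate or overwrite
# the security logs while still being unable to read them - the opposite
# of the intent. 0600 keeps them root-only; use 0640 plus a log-reader
# group if non-root tooling must read them. logrotate recreates these
# files with its own mode unless its "create" directive agrees.
for log in /var/log/messages /var/log/secure /var/log/spooler \
        /var/log/maillog /var/log/cron /var/log/boot.log; do
    if [ -f "$log" ]; then
        chmod 0600 "$log"
    fi
done
ls -l /var/log/messages /var/log/secure
# auditd: 100 MB per log file and keep old logs instead of rotating them
# away. Whole-value replacement: the original "=[^ ]*" matched zero
# characters before " ROTATE" and produced "max_log_file_action =keep_logs
# ROTATE", which auditd's config parser does not accept. keep_logs can fill
# the disk; make sure space_left_action / admin_space_left_action are set.
sed -i 's/^max_log_file[[:space:]]*=.*/max_log_file = 100/' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
grep -E '^max_log_file(_action)?[[:space:]]*=' /etc/audit/auditd.conf
# Default umask in /etc/bashrc. Anchored on leading whitespace so both the
# indented "umask 002" (private-group) and "umask 022" branches become
# 022, exactly as the original's unanchored pattern did.
# NOTE(review): 022 is the upstream default; what hardening baselines call
# a strong umask is 027. /etc/profile carries its own umask for other
# shells and is not touched here.
sed -i 's/^\([[:space:]]*\)umask [0-9]*/\1umask 022/' /etc/bashrc
grep umask /etc/bashrc
# Audit writes and attribute changes to the login-accounting files; each
# rule is added only if missing so re-runs do not duplicate it.
for f in /var/log/faillog /var/log/lastlog /var/log/tallylog; do
    rule="-w $f -p wa -k logins"
    if ! grep -qxF -- "$rule" /etc/audit/audit.rules; then
        echo "$rule" >> /etc/audit/audit.rules
    fi
done
# SIGHUP (the original's pkill) only makes auditd re-read auditd.conf;
# audit.rules is loaded by auditctl, which the init script's restart runs.
service auditd restart
grep -- '-p wa -k logins' /etc/audit/audit.rules
sleep 2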
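#--- Login banner and account-database permissions (final state) ------------
# Banner text, kept disabled as in the original. If enabled, write it with
# ">" not ">>" (appending adds a copy per run) and add "Banner
# /etc/issue.net" to sshd_config, or SSH users never see it.
#echo "Access to this system is restricted to authorized users only If you are not authorized users, please exit now." >> /etc/issue.net
#echo "Access to this system is restricted to authorized users only. If you are not authorized users, please exit now." >> /etc/motd
# passwd/group world-readable, shadow/gshadow root-only and unreadable
# (0000 is the RHEL default; root bypasses DAC). The original ran
# "chown 644 /etc/group" - chown with a mode where the owner goes - which
# fails and left /etc/group's mode untouched; it is chmod here.
chown root:root /etc/passwd /etc/shadow /etc/gshadow /etc/group
chmod 0644 /etc/passwd /etc/group
chmod 0000 /etc/shadow /etc/gshadow
ls -l /etc/passwd /etc/shadow /etc/gshadow /etc/group
sleep 2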