Add some of the missing BASH remediations

- Scripts initially provided in ComplianceAsCode#2494
redhatrises · Jan 16, 2018 · 5f32969 · 5f32969
1 parent 80e805b
commit 5f32969
Show file tree

Hide file tree

Showing 15 changed files with 108 additions and 24 deletions.
diff --git a/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh b/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^CREATE_HOME /etc/login.defs; then
+	echo "CREATE_HOME     yes" >> /etc/login.defs
+else
+	sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
+fi
diff --git a/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh b/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
@@ -1,4 +1,4 @@
 # platform = Red Hat Enterprise Linux 7
 # The process to disable ctrl+alt+del has changed in RHEL7. 
 # Reference: https://access.redhat.com/solutions/1123873
-ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+systemctl mask ctrl-alt-del.target
diff --git a/rhel7/fixes/bash/disable_prelink.sh b/rhel7/fixes/bash/disable_prelink.sh
@@ -1,16 +1,12 @@
 # platform = Red Hat Enterprise Linux 7
-#
-# Disable prelinking altogether
-#
-if grep -q ^PRELINKING /etc/sysconfig/prelink
-then
-  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
-else
-  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
-  echo "PRELINKING=no" >> /etc/sysconfig/prelink
-fi
 
-#
-# Undo previous prelink changes to binaries
-#
-/usr/sbin/prelink -ua
+if rpm --quiet -q prelink; then
+	if grep -q ^PRELINKING /etc/sysconfig/prelink
+	then
+		sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
+	else
+		echo -e '\n# Set PRELINKING=no per security requirements' >> /etc/sysconfig/prelink
+		echo 'PRELINKING=no' >> /etc/sysconfig/prelink
+	fi
+	/usr/sbin/prelink -ua
+fi
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+	if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
+	then
+		sed -i "/^\[daemon\]/a \
+		AutomaticLoginEnable=False" /etc/gdm/custom.conf
+	else
+		sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
+	fi
+fi
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+	if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
+	then
+		sed -i "/^\[daemon\]/a \
+		TimedLoginEnable=False" /etc/gdm/custom.conf
+	else
+		sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
+	fi
+fi
diff --git a/rhel7/fixes/bash/install_smartcard_packages.sh b/rhel7/fixes/bash/install_smartcard_packages.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# include remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+package_command install esc
+package_command install pam_pkcs11
+package_command install authconfig-gtk
diff --git a/rhel7/fixes/bash/no_host_based_files.sh b/rhel7/fixes/bash/no_host_based_files.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if [ -f /etc/hosts.equiv ]; then
+        /bin/rm -f /etc/hosts.equiv
+fi
diff --git a/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh b/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
+	echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
+else
+	sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
+fi
diff --git a/rhel7/fixes/bash/rsyslog_cron_logging.sh b/rhel7/fixes/bash/rsyslog_cron_logging.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+	echo "cron.*                                                  /var/log/cron\n" >> /etc/rsyslog.d/cron.conf
+fi
diff --git a/rhel7/fixes/bash/smartcard_configure_cert_checking.sh b/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# Install required packages
+if ! rpm --quiet -q pam_pkcs11; then yum -y -d 1 install pam_pkcs11; fi
+
+if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
+	sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
+fi
diff --git a/rhel7/fixes/bash/snmpd_not_default_password.sh b/rhel7/fixes/bash/snmpd_not_default_password.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
+	sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
+fi
diff --git a/rhel7/fixes/bash/xwindows_runlevel_setting.sh b/rhel7/fixes/bash/xwindows_runlevel_setting.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 7
+
+systemctl set-default multi-user.target
diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
@@ -2,8 +2,14 @@
 . /usr/share/scap-security-guide/remediation_functions
 populate var_password_pam_unix_remember
 
-if grep -q "remember=" /etc/pam.d/system-auth; then   
-	sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-else
-	sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-fi
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+	if grep -q "remember=" $pamFile; then
+		sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
+	else
+		sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
+	fi
+done
diff --git a/shared/fixes/bash/no_rsh_trust_files.sh b/shared/fixes/bash/no_rsh_trust_files.sh
@@ -1,3 +1,6 @@
 # platform = multi_platform_rhel
 find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
-rm -f /etc/hosts.equiv
+
+if [ -f /etc/hosts.equiv ]; then
+	/bin/rm -f /etc/hosts.equiv
+fi
diff --git a/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh b/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
@@ -1,4 +1,11 @@
 # platform = multi_platform_rhel
-if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then   
-	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
-fi
+
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+	if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
+		sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
+	fi
+done