diff --git a/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh b/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
new file mode 100644
index 00000000000..30c8f0aa7a4
--- /dev/null
+++ b/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^CREATE_HOME /etc/login.defs; then
+ echo "CREATE_HOME yes" >> /etc/login.defs
+else
+ sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
+fi
diff --git a/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh b/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
index ab98380fe18..1fbac74e653 100644
--- a/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
+++ b/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
@@ -1,4 +1,4 @@
 # platform = Red Hat Enterprise Linux 7
 # The process to disable ctrl+alt+del has changed in RHEL7.
 # Reference: https://access.redhat.com/solutions/1123873
-ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+systemctl mask ctrl-alt-del.target
diff --git a/rhel7/fixes/bash/disable_prelink.sh b/rhel7/fixes/bash/disable_prelink.sh
index 039c158b60a..816a20ce7e3 100644
--- a/rhel7/fixes/bash/disable_prelink.sh
+++ b/rhel7/fixes/bash/disable_prelink.sh
@@ -1,16 +1,12 @@
 # platform = Red Hat Enterprise Linux 7
-#
-# Disable prelinking altogether
-#
-if grep -q ^PRELINKING /etc/sysconfig/prelink
-then
- sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
-else
- echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
- echo "PRELINKING=no" >> /etc/sysconfig/prelink
-fi
-#
-# Undo previous prelink changes to binaries
-#
-/usr/sbin/prelink -ua
+if rpm --quiet -q prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
+ else
+ echo -e '\n# Set PRELINKING=no per security requirements' >> /etc/sysconfig/prelink
+ echo 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+ /usr/sbin/prelink -ua
+fi
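Review bot: Both the `grep -q ^CREATE_HOME` test and the `s/^\(CREATE_HOME\).*/` rewrite in accounts_have_homedir_login_defs.sh recognise the directive only at column 0, so an indented `CREATE_HOME no` (which I believe shadow's login.defs reader accepts, since it skips leading blanks — worth confirming) is left in place and a second `CREATE_HOME yes` is appended after it. Anchoring both patterns the same way makes the check and the edit agree: `if ! grep -q '^[[:space:]]*CREATE_HOME' /etc/login.defs; then` and `sed -i 's/^[[:space:]]*CREATE_HOME.*/CREATE_HOME yes/' /etc/login.defs`. The capture group and the `g` flag in the existing sed add nothing for a single anchored match.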
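Review bot: The append branch of disable_prelink.sh depends on `echo -e` expanding `\n`, which is a bash-builtin behaviour (a POSIX `sh` such as dash prints `-e` literally) and sits oddly next to the plain `echo 'PRELINKING=no'` on the following line; `printf '\n# Set PRELINKING=no per security requirements\nPRELINKING=no\n' >> /etc/sysconfig/prelink` writes both lines in one call without that dependency. The new outer test uses `if …; then` while the inner one keeps `if …` with `then` on its own line; one form throughout would read better and match the other scripts in this commit.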
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
new file mode 100644
index 00000000000..3d0316a476e
--- /dev/null
+++ b/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ AutomaticLoginEnable=False" /etc/gdm/custom.conf
+ else
+ sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
+ fi
+fi
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
new file mode 100644
index 00000000000..fb0b7786511
--- /dev/null
+++ b/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ TimedLoginEnable=False" /etc/gdm/custom.conf
+ else
+ sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
+ fi
+fi
diff --git a/rhel7/fixes/bash/install_smartcard_packages.sh b/rhel7/fixes/bash/install_smartcard_packages.sh
new file mode 100644
index 00000000000..297988a5da3
--- /dev/null
+++ b/rhel7/fixes/bash/install_smartcard_packages.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# include remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+package_command install esc
+package_command install pam_pkcs11
+package_command install authconfig-gtk
diff --git a/rhel7/fixes/bash/no_host_based_files.sh b/rhel7/fixes/bash/no_host_based_files.sh
new file mode 100644
index 00000000000..f32fe67ad04
--- /dev/null
+++ b/rhel7/fixes/bash/no_host_based_files.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if [ -f /etc/hosts.equiv ]; then
+ /bin/rm -f /etc/hosts.equiv
+fi
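Review bot: The insert path in gnome_gdm_disable_automatic_login.sh, `sed -i "/^\[daemon\]/a \ …"`, only fires when custom.conf already contains a `[daemon]` header; when the header is absent the sed exits 0 without changing anything and the remediation silently leaves automatic login enabled. A guard before the sed such as `grep -q '^\[daemon\]' /etc/gdm/custom.conf || printf '[daemon]\n' >> /etc/gdm/custom.conf` closes that gap. gnome_gdm_disable_guest_login.sh uses the identical structure for `TimedLoginEnable` and needs the same treatment. In both scripts the `grep -q "^AutomaticLoginEnable="` style test also misses a key written with blanks around `=`, which GLib's key-file parser tolerates as far as I recall, so `^[[:space:]]*AutomaticLoginEnable[[:space:]]*=` would avoid inserting a duplicate key in that case.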
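Review bot: The `[ -f /etc/hosts.equiv ]` guard in no_host_based_files.sh makes the removal narrower than the `rm -f` it wraps: `-f` is false for a dangling symlink, so a broken `/etc/hosts.equiv` link survives the remediation, whereas `rm -f` alone removes it and already tolerates a missing path. Either drop the guard in favour of `rm -f -- /etc/hosts.equiv`, or widen it to `if [ -e /etc/hosts.equiv ] || [ -L /etc/hosts.equiv ]; then`. The same guard is introduced in no_rsh_trust_files.sh in this commit, which now duplicates this script's logic.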
diff --git a/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh b/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
new file mode 100644
index 00000000000..98d6ba30567
--- /dev/null
+++ b/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
+ echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
+else
+ sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
+fi
diff --git a/rhel7/fixes/bash/rsyslog_cron_logging.sh b/rhel7/fixes/bash/rsyslog_cron_logging.sh
new file mode 100644
index 00000000000..bf6d150d007
--- /dev/null
+++ b/rhel7/fixes/bash/rsyslog_cron_logging.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ echo "cron.* /var/log/cron\n" >> /etc/rsyslog.d/cron.conf
+fi
diff --git a/rhel7/fixes/bash/smartcard_configure_cert_checking.sh b/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
new file mode 100644
index 00000000000..d244073106f
--- /dev/null
+++ b/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# Install required packages
+if ! rpm --quiet -q pam_pkcs11; then yum -y -d 1 install pam_pkcs11; fi
+
+if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
+ sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
+fi
diff --git a/rhel7/fixes/bash/snmpd_not_default_password.sh b/rhel7/fixes/bash/snmpd_not_default_password.sh
new file mode 100644
index 00000000000..e2863cebd5d
--- /dev/null
+++ b/rhel7/fixes/bash/snmpd_not_default_password.sh
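Review bot: The `s/^smtpd_client_restrictions.*/…/` rewrite in postfix_prevent_unrestricted_relay.sh touches only the first physical line of the parameter, while main.cf lets a value continue on following lines that begin with whitespace; those continuation lines are left in place and, as I read Postfix's parsing rules, still belong to the parameter, so the intended `permit_mynetworks,reject` can end up followed by the old restriction list. Postfix provides the right tool for this edit: `postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'` replaces the whole logical parameter or adds it when missing, and would stand in for both branches of the `if`.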
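Review bot: The append in rsyslog_cron_logging.sh writes the two characters `\n` literally, because bash's builtin `echo` does not interpret escapes without `-e`, so cron.conf receives `cron.* /var/log/cron\n` and rsyslog would likely read a target file name ending in a backslash and an `n`; `printf 'cron.*\t/var/log/cron\n' >> /etc/rsyslog.d/cron.conf` writes the intended line and a real newline. The `grep` on the line above lacks `-q`, so every matching selector is echoed to stdout whenever the check passes. Since the check's regex already accepts any whitespace between selector and target, the appended line would satisfy it on the next run once the newline is fixed.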
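Review bot: The test in smartcard_configure_cert_checking.sh only enters the `sed` branch when an uncommented `cert_policy` line lacking `ocsp_on` already exists, so a pam_pkcs11.conf with no `cert_policy` entry at all, or with every such line commented out, passes untouched and never gains OCSP checking; that case needs its own handling, and since the directive lives inside the `pam_pkcs11 { … }` block as far as I recall, a plain end-of-file append is not enough. The `s/cert_policy.*/…/g` also rewrites any uncommented line containing `cert_policy` anywhere, not just lines that start with it as the `^\s*cert_policy` test requires; anchoring the substitution with `s/^\s*cert_policy.*/cert_policy = ca, ocsp_on, signature;/` keeps the two in step. The package install on the line above calls `yum -y -d 1 install pam_pkcs11` directly while install_smartcard_packages.sh in this same commit uses `package_command install` from the remediation library; using the library here would keep the two scripts consistent.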
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
+ sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
+fi
diff --git a/rhel7/fixes/bash/xwindows_runlevel_setting.sh b/rhel7/fixes/bash/xwindows_runlevel_setting.sh
new file mode 100644
index 00000000000..07abfd2e96c
--- /dev/null
+++ b/rhel7/fixes/bash/xwindows_runlevel_setting.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 7
+
+systemctl set-default multi-user.target
diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
index 9a574df72f8..7da3b0c51dd 100644
--- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
@@ -2,8 +2,14 @@
 . /usr/share/scap-security-guide/remediation_functions
 populate var_password_pam_unix_remember
-if grep -q "remember=" /etc/pam.d/system-auth; then
- sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-else
- sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-fi
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+ if grep -q "remember=" $pamFile; then
+ sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
+ else
+ sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
+ fi
+done
diff --git a/shared/fixes/bash/no_rsh_trust_files.sh b/shared/fixes/bash/no_rsh_trust_files.sh
index 0214fbbb506..355cc0b1f45 100644
--- a/shared/fixes/bash/no_rsh_trust_files.sh
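Review bot: Both the check and the `sed` in snmpd_not_default_password.sh match `public` and `private` as bare substrings, so any uncommented directive whose text merely contains those words — a community named `publicfacing`, or a `view`/`access` line that uses the word (constructed examples) — is commented out together with the default communities, which can silently disable unrelated, legitimate SNMP configuration. Bounding the match to whole words with GNU `\b`, `grep -s '\bpublic\b\|\bprivate\b'` and `/\bpublic\b\|\bprivate\b/ s/^/#/`, restricts the edit to the default community names. The test also counts a line with leading blanks before `#` as uncommented (`grep -qv "^#"`) while the sed skips it (`/^\s*#/b`), so the two disagree on such input; `grep -qv '^\s*#'` aligns them.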
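Review bot: The `grep -q "remember=" $pamFile` test in accounts_password_pam_unix_remember.sh is file-wide, but the `sed` it guards rewrites only the `password sufficient pam_unix.so` line; when `remember=` is present on some other module line (pam_pwhistory.so is the usual one) the script takes the first branch, the substitution matches nothing, and pam_unix is left without the setting in both files. Scoping the test to the same line fixes it: `if grep -q "^password.*sufficient.*pam_unix.so.*remember=" $pamFile; then`. This predates the commit, but the new loop now repeats it for password-auth as well. `$pamFile` is unquoted in all four uses; the two values here contain no blanks, but `"$pamFile"` is the safer habit and what ShellCheck would flag.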
+++ b/shared/fixes/bash/no_rsh_trust_files.sh
@@ -1,3 +1,6 @@
 # platform = multi_platform_rhel
 find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
-rm -f /etc/hosts.equiv
+
+if [ -f /etc/hosts.equiv ]; then
+ /bin/rm -f /etc/hosts.equiv
+fi
diff --git a/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh b/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
index b50e15a365e..d0a718bbb87 100644
--- a/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
+++ b/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
@@ -1,4 +1,11 @@
 # platform = multi_platform_rhel
-if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then
- sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
-fi
+
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+ if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
+ fi
+done
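Review bot: The `s/$/ sha512/` append in set_password_hashing_algorithm_systemauth.sh leaves any existing `md5` or `sha256` option on the pam_unix line, so after remediation the line can carry two hashing options at once and which one pam_unix honours then depends on its internal option precedence, which I would not rely on. Removing the competing options in the same edit avoids the ambiguity: `sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ { s/ \(md5\|sha256\)\b//g; s/$/ sha512/ }" $pamFile`. Quoting `"$pamFile"` in both uses would also satisfy ShellCheck, the same point as in accounts_password_pam_unix_remember.sh in this commit.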