From b41ef63c8093eb78264d9e8cf1064e5d95caf2c6 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Fri, 12 Jan 2018 10:31:40 -0700
Subject: [PATCH] Add some of the missing BASH remediations

- Scripts initially provided in #2494
---
 .../bash/accounts_have_homedir_login_defs.sh | 7 ++++++
 rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh | 2 +-
 rhel7/fixes/bash/disable_prelink.sh | 24 ++++++++-----------
 .../bash/gnome_gdm_disable_automatic_login.sh | 12 ++++++++++
 .../bash/gnome_gdm_disable_guest_login.sh | 12 ++++++++++
 .../fixes/bash/install_smartcard_packages.sh | 8 +++++++
 rhel7/fixes/bash/no_host_based_files.sh | 5 ++++
 .../postfix_prevent_unrestricted_relay.sh | 7 ++++++
 rhel7/fixes/bash/rsyslog_cron_logging.sh | 5 ++++
 .../bash/smartcard_configure_cert_checking.sh | 8 +++++++
 .../fixes/bash/snmpd_not_default_password.sh | 5 ++++
 rhel7/fixes/bash/xwindows_runlevel_setting.sh | 3 +++
 .../accounts_password_pam_unix_remember.sh | 16 +++++++++----
 shared/fixes/bash/no_rsh_trust_files.sh | 5 +++-
 ...t_password_hashing_algorithm_systemauth.sh | 13 +++++++---
 15 files changed, 108 insertions(+), 24 deletions(-)
 create mode 100644 rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
 create mode 100644 rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
 create mode 100644 rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
 create mode 100644 rhel7/fixes/bash/install_smartcard_packages.sh
 create mode 100644 rhel7/fixes/bash/no_host_based_files.sh
 create mode 100644 rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
 create mode 100644 rhel7/fixes/bash/rsyslog_cron_logging.sh
 create mode 100644 rhel7/fixes/bash/smartcard_configure_cert_checking.sh
 create mode 100644 rhel7/fixes/bash/snmpd_not_default_password.sh
 create mode 100644 rhel7/fixes/bash/xwindows_runlevel_setting.sh
diff --git a/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh b/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
new file mode 100644
index 000000000000..ec746b57a5f3
--- /dev/null
+++ b/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^CREATE_HOME /etc/login.defs; then
+ echo "CREATE_HOME yes" >> /etc/login.defs
+else
+ sed -i "s/^CREATE_HOME.*/CREATE_HOME yes/g" /etc/login.defs
+fi
diff --git a/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh b/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
index ab98380fe18d..1fbac74e6538 100644
--- a/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
+++ b/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh
@@ -1,4 +1,4 @@
 # platform = Red Hat Enterprise Linux 7
 # The process to disable ctrl+alt+del has changed in RHEL7.
 # Reference: https://access.redhat.com/solutions/1123873
-ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+systemctl mask ctrl-alt-del.target
diff --git a/rhel7/fixes/bash/disable_prelink.sh b/rhel7/fixes/bash/disable_prelink.sh
index 039c158b60ab..627288174953 100644
--- a/rhel7/fixes/bash/disable_prelink.sh
+++ b/rhel7/fixes/bash/disable_prelink.sh
@@ -1,16 +1,12 @@
 # platform = Red Hat Enterprise Linux 7
-#
-# Disable prelinking altogether
-#
-if grep -q ^PRELINKING /etc/sysconfig/prelink
-then
- sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
-else
- echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
- echo "PRELINKING=no" >> /etc/sysconfig/prelink
-fi
-#
-# Undo previous prelink changes to binaries
-#
-/usr/sbin/prelink -ua
+if rpm --quiet -q prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
+ else
+ echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
+ echo "PRELINKING=no" >> /etc/sysconfig/prelink
+ fi
+ /usr/sbin/prelink -ua
+fi
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
new file mode 100644
index 000000000000..3d0316a476ef
--- /dev/null
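Review bot: The `sed -i 's/PRELINKING.*/PRELINKING=no/g'` line in the rewritten disable_prelink.sh is unanchored while the `grep -q ^PRELINKING` guard just above it is anchored, so on the substitute path any commented `# PRELINKING=...` line in the file is rewritten as well; anchoring keeps the two consistent and makes the `g` flag unnecessary: `sed -i 's/^PRELINKING.*/PRELINKING=no/' /etc/sysconfig/prelink`. The `echo -e "\n# ..."` relies on bash's echo interpreting `-e`; if these snippets are ever run by a plain `/bin/sh` the flag may be printed literally, and `printf '\n# Set PRELINKING=no per security requirements\n'` avoids that. A short comment above `/usr/sbin/prelink -ua` saying it undoes prelinking already applied to binaries would preserve what the removed header comment explained.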
+++ b/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ AutomaticLoginEnable=False" /etc/gdm/custom.conf
+ else
+ sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
+ fi
+fi
diff --git a/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh b/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
new file mode 100644
index 000000000000..fb0b7786511b
--- /dev/null
+++ b/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 7
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ TimedLoginEnable=False" /etc/gdm/custom.conf
+ else
+ sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
+ fi
+fi
diff --git a/rhel7/fixes/bash/install_smartcard_packages.sh b/rhel7/fixes/bash/install_smartcard_packages.sh
new file mode 100644
index 000000000000..297988a5da3a
--- /dev/null
+++ b/rhel7/fixes/bash/install_smartcard_packages.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# include remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+package_command install esc
+package_command install pam_pkcs11
+package_command install authconfig-gtk
diff --git a/rhel7/fixes/bash/no_host_based_files.sh b/rhel7/fixes/bash/no_host_based_files.sh
new file mode 100644
index 000000000000..f32fe67ad041
--- /dev/null
+++ b/rhel7/fixes/bash/no_host_based_files.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if [ -f /etc/hosts.equiv ]; then
+ /bin/rm -f /etc/hosts.equiv
+fi
diff --git a/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh b/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
new file mode 100644
index 000000000000..98d6ba305676
--- /dev/null
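Review bot: The `sed -i "/^\[daemon\]/a \` insertion on the add path only fires when a `[daemon]` section header exists in /etc/gdm/custom.conf; if it is missing, the `grep -q "^AutomaticLoginEnable="` check fails, nothing is appended, and the script exits 0 with the file unchanged. Creating the header first closes the gap: `grep -q '^\[daemon\]' /etc/gdm/custom.conf || echo '[daemon]' >> /etc/gdm/custom.conf`. The same structure and the same gap are in the TimedLoginEnable logic of gnome_gdm_disable_guest_login.sh. Note also that bash removes the backslash-newline inside the double-quoted sed script before sed runs, so this depends on GNU sed's one-line `a text` form rather than the classic `a\` continuation — a comment to that effect would stop someone from "fixing" the indentation and breaking it.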
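Review bot: The `[ -f /etc/hosts.equiv ]` guard in no_host_based_files.sh is not needed for `/bin/rm -f`, which already succeeds silently when the path is absent, and it narrows what gets removed: `-f` is false for a dangling symlink or any non-regular entry at that path, which is then left in place. Either drop the test or widen it, `if [ -e /etc/hosts.equiv ] || [ -L /etc/hosts.equiv ]; then`. The same guard is introduced in shared/fixes/bash/no_rsh_trust_files.sh, where it replaces the previously unconditional `rm -f` and so is a small behavioural regression for that case.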
+++ b/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
+ echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
+else
+ sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
+fi
diff --git a/rhel7/fixes/bash/rsyslog_cron_logging.sh b/rhel7/fixes/bash/rsyslog_cron_logging.sh
new file mode 100644
index 000000000000..a2b6076911c8
--- /dev/null
+++ b/rhel7/fixes/bash/rsyslog_cron_logging.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if ! grep "^\s*cron\.\*\s*\/var\/log\/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ echo "cron.* /var/log/cron\n" >> /etc/rsyslog.d/cron.conf
+fi
diff --git a/rhel7/fixes/bash/smartcard_configure_cert_checking.sh b/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
new file mode 100644
index 000000000000..d244073106f0
--- /dev/null
+++ b/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+
+# Install required packages
+if ! rpm --quiet -q pam_pkcs11; then yum -y -d 1 install pam_pkcs11; fi
+
+if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
+ sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
+fi
diff --git a/rhel7/fixes/bash/snmpd_not_default_password.sh b/rhel7/fixes/bash/snmpd_not_default_password.sh
new file mode 100644
index 000000000000..290792c78421
--- /dev/null
+++ b/rhel7/fixes/bash/snmpd_not_default_password.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 7
+
+if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
+ sed -i "/^#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
+fi
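Review bot: Nothing checks that postfix is installed before `echo "smtpd_client_restrictions = ..." >> /etc/postfix/main.cf` on the add path, so on a host without the package the redirect either fails (no /etc/postfix directory) or leaves a stray main.cf behind; the prelink and gdm scripts in this commit guard with `rpm --quiet -q`, and the same guard fits here. With the package present, `postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'` replaces the grep/echo/sed branches in one line and handles both the present and the absent case. A comment that `permit_mynetworks,reject` refuses mail from every client outside mynetworks, so it is only appropriate for hosts that are not an inbound MX, would help whoever applies this from a profile.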
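Review bot: The `echo "cron.* /var/log/cron\n"` line in rsyslog_cron_logging.sh writes a literal backslash-n into /etc/rsyslog.d/cron.conf, because bash's echo does not interpret escapes without `-e`; rsyslog would presumably take `/var/log/cron\n` as the target file name, and since the check regex ends in `\/var\/log\/cron$` it never matches the written line, so a fresh line is appended on every run. Drop the escape: `echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf`. The grep also lacks `-q`, so matching lines are echoed to stdout: `if ! grep -q "^\s*cron\.\*\s*\/var\/log\/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then`.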
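Review bot: The inline `yum -y -d 1 install pam_pkcs11` in smartcard_configure_cert_checking.sh diverges from install_smartcard_packages.sh in the same commit, which sources the remediation library and uses `package_command install pam_pkcs11`; using the helper here keeps package handling in one place: `. /usr/share/scap-security-guide/remediation_functions` then `package_command install pam_pkcs11`. Separately, when /etc/pam_pkcs11/pam_pkcs11.conf is absent or has no `cert_policy` line, the first `grep` produces no output, `grep -qv "ocsp_on"` returns non-zero, and the `sed` never runs, so the script exits 0 without enabling OCSP checking — that silent no-op deserves at least a message on stderr. The `s/cert_policy.*/…/g` also rewrites every non-comment `cert_policy` line, including those that already contain `ocsp_on`; harmless, but worth a comment.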
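Review bot: The `sed -i "/^#/b;/public\|private/ s/^/#/"` line in snmpd_not_default_password.sh matches a bare substring, so any active directive whose text merely contains `public` or `private` — a `sysLocation`, a `view` name, a `com2sec` security name — is commented out together with the community definitions; anchoring on whole words, `/\bpublic\b\|\bprivate\b/`, or on the community directives (`com2sec`, `rocommunity`, `rwcommunity`) limits the blast radius. The `^#` test also treats a line with whitespace before `#` as active, which only adds a redundant `#` but shows the check and the rewrite disagree with the `grep -qv "^#"` above. Since the script removes the default communities rather than replacing them, a comment stating that SNMP access must be reconfigured afterwards would help anyone running this unattended.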
diff --git a/rhel7/fixes/bash/xwindows_runlevel_setting.sh b/rhel7/fixes/bash/xwindows_runlevel_setting.sh
new file mode 100644
index 000000000000..07abfd2e96c6
--- /dev/null
+++ b/rhel7/fixes/bash/xwindows_runlevel_setting.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 7
+
+systemctl set-default multi-user.target
diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
index 9a574df72f83..7da3b0c51dd8 100644
--- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
@@ -2,8 +2,14 @@
 . /usr/share/scap-security-guide/remediation_functions
 populate var_password_pam_unix_remember
-if grep -q "remember=" /etc/pam.d/system-auth; then
- sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-else
- sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-fi
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+ if grep -q "remember=" $pamFile; then
+ sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
+ else
+ sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
+ fi
+done
diff --git a/shared/fixes/bash/no_rsh_trust_files.sh b/shared/fixes/bash/no_rsh_trust_files.sh
index 0214fbbb506b..355cc0b1f450 100644
--- a/shared/fixes/bash/no_rsh_trust_files.sh
+++ b/shared/fixes/bash/no_rsh_trust_files.sh
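Review bot: `$pamFile` is unquoted in the `grep -q "remember=" $pamFile` line and in both `sed -i --follow-symlinks … $pamFile` lines of the new loop; the paths are fixed so it works today, but `"$pamFile"` is what ShellCheck expects and this is new code. More important for a `multi_platform_rhel` script, nothing checks that /etc/pam.d/password-auth exists, and on an older release that ships no password-auth `sed -i` fails with an error while `grep -q` is merely false — `[ -f "$pamFile" ] || continue` as the first statement of the loop body avoids that. Both points apply equally to the new loop in shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh. Note also that `grep -q "remember="` is file-wide, not limited to the pam_unix.so line, so a `remember=` on another module's line sends the file down the substitute branch where the pam_unix line is left untouched; that is carried over from the single-file version, but the loop now repeats it for password-auth.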
@@ -1,3 +1,6 @@
 # platform = multi_platform_rhel
 find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
-rm -f /etc/hosts.equiv
+
+if [ -f /etc/hosts.equiv ]; then
+ /bin/rm -f /etc/hosts.equiv
+fi
diff --git a/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh b/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
index b50e15a365e8..d0a718bbb87d 100644
--- a/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
+++ b/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh
@@ -1,4 +1,11 @@
 # platform = multi_platform_rhel
-if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then
- sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
-fi
+
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+ if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
+ fi
+done