#!/bin/bash
echo "RHEL Security hardening script"
echo "Please check the settings and modify if any required"
echo "If you do not wish to run the script you can abort in next 10 seconds"
sleep 15
echo "1. checking packages which should not be installed:"
for package in inetd xinetd ypserv tftp-server telnet-server rsh-serve
do
if ! rpm -qa | grep $package >& /etc/null;
then
echo "package $package is not installed"
else
echo "The $package is installed. Erasing it now."
yum erase $package
fi
done
sleep 2
echo " "
echo "2. Linux kernel hardening:"
cp /etc/sysctl.conf /etc/sysctl.conf.backup
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
sleep 2
echo "Changes in /etc/sysctl.conf file are done."
sleep 1
echo " "
echo "3. Checking SElinux settings:"
x=`cat /etc/sysconfig/selinux | grep ^SELINUX | head -n 1 | awk -F= '{print $2}'`
if [ $x == enforcing ]
then
echo "SElinux is enabled"
echo "Changing it to disabled"
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
else
echo "SElinux in disabled mode"
fi
echo " "
sleep 2
echo "4. Stopping iptables:"
/etc/init.d/iptables stop
sleep 2
/etc/init.d/ip6tables stop
sleep 2
chkconfig --level 345 iptables off
sleep 2
chkconfig --level 345 ip6tables off
sleep 2
echo " "
echo "6. Enabling SSH settings:"
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
sed -i 's/^#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
echo " PermitRootLogin yes "
sed -i 's/^Protocol 2/Protocol 2/' /etc/ssh/sshd_config
echo " Protocol 2 "
sed -i 's/^#AllowTcpForwarding yes/AllowTcpForwarding no/' /etc/ssh/sshd_config
echo " AllowTcpForwarding no "
sed -i 's/^X11Forwarding yes/X11Forwarding yes/' /etc/ssh/sshd_config
echo " X11Forwarding no "
sed -i 's/^#StrictModes yes/StrictModes yes/' /etc/ssh/sshd_config
echo " StrictModes yes "
sed -i 's/^#IgnoreRhosts yes/IgnoreRhosts yes/' /etc/ssh/sshd_config
echo " IgnoreRhosts yes "
sed -i 's/^#HostbasedAuthentication no/HostbasedAuthentication no/' /etc/ssh/sshd_config
echo " HostbasedAuthentication no "
sed -i 's/^#RhostsRSAAuthentication no/RhostsRSAAuthentication no/' /etc/ssh/sshd_config
echo " RhostsRSAAuthentication no "
sleep 2
echo " "
echo "7. Changing different parameters of password aging /etc/login/defs"
echo " "
sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 90' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS 7' /etc/login.defs
sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN 8' /etc/login.defs
sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE 14' /etc/login.defs
echo "Changes in /etc/login.defs file are done"
sleep 2
echo " "
echo "8. Verifying empty password accounts:"
x=`awk -F: '($2 == "") {print}' /etc/shadow | wc -l`
if [ $x -lt 1 ]
then
echo "No account is password less"
else
echo "At least 1 account is password less.Check the configuration file"
fi
sleep 2
echo " "
echo "9. Checking if No Non-Root Accounts Have UID Set To 0:"
x=`awk -F: '($3 == "0") {print}' /etc/passwd | awk -F: '{print $1}'`
if [ $x == root ]
then
echo "No account other than ROOT has UID 0"
else
echo "***** Check the file. More than one accounts have UID 0"
fi
sleep 2
echo " "
echo "10. /etc/pam.d/system-auth settings"
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bkp
sed -i 's/^password required pam_cracklib.so try_first_pass retry=3/password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3 try_first_pass/' /etc/pam/d/system-atuh
sed -i 's/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=20/' /etc/pam/d/system-auth
sleep 2
echo " settings performed"
sleep 2
echo " "
echo " checking for /etc/security/opasswd file"
if [ -f /etc/security/opasswd ];
then
echo "File $file exists."
else
echo "File $file does NOT exists."
touch /etc/security/opasswd
fi
sleep 2
echo "11. Account policy attributes:"
sed -i 's/^INACTIVE=-1/INACTIVE=10' /etc/ssh/sshd_config
sleep 2
echo " "
echo "10. Setting 'Banner' and 'Motd'"
echo " "
echo "************************************************************************" > /etc/motd
echo -e "* WARNING! By accessing and using this system you are consenting to *" >> /etc/motd
echo "* system monitoring for law enforcement and other purposes. *" >> /etc/motd
echo "* UNAUTHORIZED USE OF THIS COMPUTER SYSTEM MAY SUBJECT YOU TO CRIMINAL *" >> /etc/motd
echo "* PROSECUTION AND PENALTIES. *" >> /etc/motd
echo "************************************************************************" >> /etc/motd
cp /etc/motd /etc/issue
echo "Banner is set."
sleep 2
echo " Settings are performed successfully on the server "