{"id":10,"date":"2015-07-08T15:35:18","date_gmt":"2015-07-08T15:35:18","guid":{"rendered":"http:\/\/virtorbis.virtcompute.com\/?p=10"},"modified":"2015-07-08T16:06:23","modified_gmt":"2015-07-08T16:06:23","slug":"rhel-security-hardening","status":"publish","type":"post","link":"https:\/\/virtorbis.virtcompute.com\/?p=10","title":{"rendered":"RHEL security hardening"},"content":{"rendered":"

#!\/bin\/bash
\necho \"RHEL Security hardening script\"
\necho \"Please check the settings and modify if any required\"
\necho \"If you do not wish to run the script you can abort in next 10 seconds\"
\nsleep 15<\/p>\n

echo \"1. checking packages which should not be installed:\"
\nfor package in inetd xinetd ypserv tftp-server telnet-server rsh-serve
\ndo
\nif ! rpm -qa | grep $package >& \/etc\/null;
\nthen
\necho \"package $package is not installed\"
\nelse
\necho \"The $package is installed. Erasing it now.\"
\nyum erase $package
\nfi
\ndone
\nsleep 2
\necho \" \"<\/p>\n

echo \"2. Linux kernel hardening:\"
\ncp \/etc\/sysctl.conf \/etc\/sysctl.conf.backup
\necho \"net.ipv4.ip_forward = 0\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.default.accept_redirects = 0\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.all.accept_redirects = 0\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.all.accept_source_route = 0\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.tcp_syncookies = 1\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.all.log_martians = 1\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.all.rp_filter = 1\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.default.secure_redirects = 0\" >> \/etc\/sysctl.conf
\necho \"net.ipv4.conf.all.secure_redirects = 0\" >> \/etc\/sysctl.conf
\nsleep 2
\necho \"Changes in \/etc\/sysctl.conf file are done.\"
\nsleep 1
\necho \" \"<\/p>\n

echo \"3. Checking SElinux settings:\"
\nx=`cat \/etc\/sysconfig\/selinux | grep ^SELINUX | head -n 1 | awk -F= '{print $2}'`
\nif [ $x == enforcing ]
\nthen
\necho \"SElinux is enabled\"
\necho \"Changing it to disabled\"
\nsed -i 's\/^SELINUX=enforcing\/SELINUX=disabled\/' \/etc\/sysconfig\/selinux
\nelse
\necho \"SElinux in disabled mode\"
\nfi
\necho \" \"
\nsleep 2<\/p>\n

echo \"4. Stopping iptables:\"
\n\/etc\/init.d\/iptables stop
\nsleep 2
\n\/etc\/init.d\/ip6tables stop
\nsleep 2
\nchkconfig --level 345 iptables off
\nsleep 2
\nchkconfig --level 345 ip6tables off
\nsleep 2
\necho \" \"<\/p>\n

echo \"6. Enabling SSH settings:\"
\ncp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.bkp
\nsed -i 's\/^#PermitRootLogin yes\/PermitRootLogin yes\/' \/etc\/ssh\/sshd_config
\necho \" PermitRootLogin yes \"
\nsed -i 's\/^Protocol 2\/Protocol 2\/' \/etc\/ssh\/sshd_config
\necho \" Protocol 2 \"
\nsed -i 's\/^#AllowTcpForwarding yes\/AllowTcpForwarding no\/' \/etc\/ssh\/sshd_config
\necho \" AllowTcpForwarding no \"
\nsed -i 's\/^X11Forwarding yes\/X11Forwarding yes\/' \/etc\/ssh\/sshd_config
\necho \" X11Forwarding no \"
\nsed -i 's\/^#StrictModes yes\/StrictModes yes\/' \/etc\/ssh\/sshd_config
\necho \" StrictModes yes \"
\nsed -i 's\/^#IgnoreRhosts yes\/IgnoreRhosts yes\/' \/etc\/ssh\/sshd_config
\necho \" IgnoreRhosts yes \"
\nsed -i 's\/^#HostbasedAuthentication no\/HostbasedAuthentication no\/' \/etc\/ssh\/sshd_config
\necho \" HostbasedAuthentication no \"
\nsed -i 's\/^#RhostsRSAAuthentication no\/RhostsRSAAuthentication no\/' \/etc\/ssh\/sshd_config
\necho \" RhostsRSAAuthentication no \"
\nsleep 2
\necho \" \"<\/p>\n

echo \"7. Changing different parameters of password aging \/etc\/login\/defs\"
\necho \" \"
\nsed -i '\/^PASS_MAX_DAYS\/c\\PASS_MAX_DAYS 90' \/etc\/login.defs
\nsed -i '\/^PASS_MIN_DAYS\/c\\PASS_MIN_DAYS 7' \/etc\/login.defs
\nsed -i '\/^PASS_MIN_LEN\/c\\PASS_MIN_LEN 8' \/etc\/login.defs
\nsed -i '\/^PASS_WARN_AGE\/c\\PASS_WARN_AGE 14' \/etc\/login.defs
\necho \"Changes in \/etc\/login.defs file are done\"
\nsleep 2
\necho \" \"<\/p>\n

echo \"8. Verifying empty password accounts:\"
\nx=`awk -F: '($2 == \"\") {print}' \/etc\/shadow | wc -l`
\nif [ $x -lt 1 ]
\nthen
\necho \"No account is password less\"
\nelse
\necho \"At least 1 account is password less.Check the configuration file\"
\nfi
\nsleep 2
\necho \" \"<\/p>\n

echo \"9. Checking if No Non-Root Accounts Have UID Set To 0:\"
\nx=`awk -F: '($3 == \"0\") {print}' \/etc\/passwd | awk -F: '{print $1}'`
\nif [ $x == root ]
\nthen
\necho \"No account other than ROOT has UID 0\"
\nelse
\necho \"***** Check the file. More than one accounts have UID 0\"
\nfi
\nsleep 2
\necho \" \"<\/p>\n

echo \"10. \/etc\/pam.d\/system-auth settings\"
\ncp \/etc\/pam.d\/system-auth \/etc\/pam.d\/system-auth.bkp
\nsed -i 's\/^password required pam_cracklib.so try_first_pass retry=3\/password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3 try_first_pass\/' \/etc\/pam\/d\/system-atuh
\nsed -i 's\/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok\/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=20\/' \/etc\/pam\/d\/system-auth
\nsleep 2
\necho \" settings performed\"
\nsleep 2
\necho \" \"
\necho \" checking for \/etc\/security\/opasswd file\"
\nif [ -f \/etc\/security\/opasswd ];
\nthen
\necho \"File $file exists.\"
\nelse
\necho \"File $file does NOT exists.\"
\ntouch \/etc\/security\/opasswd
\nfi
\nsleep 2<\/p>\n

echo \"11. Account policy attributes:\"
\nsed -i 's\/^INACTIVE=-1\/INACTIVE=10' \/etc\/ssh\/sshd_config
\nsleep 2
\necho \" \"<\/p>\n

echo \"10. Setting 'Banner' and 'Motd'\"
\necho \" \"
\necho \"************************************************************************\" > \/etc\/motd
\necho -e \"* WARNING! By accessing and using this system you are consenting to *\" >> \/etc\/motd
\necho \"* system monitoring for law enforcement and other purposes. *\" >> \/etc\/motd
\necho \"* UNAUTHORIZED USE OF THIS COMPUTER SYSTEM MAY SUBJECT YOU TO CRIMINAL *\" >> \/etc\/motd
\necho \"* PROSECUTION AND PENALTIES. *\" >> \/etc\/motd
\necho \"************************************************************************\" >> \/etc\/motd
\ncp \/etc\/motd \/etc\/issue
\necho \"Banner is set.\"
\nsleep 2
\necho \" Settings are performed successfully on the server \"<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

#!\/bin\/bash echo “RHEL Security hardening script” echo “Please check the settings and modify if any required” echo “If you do not wish to run the script you can abort in next 10 seconds” sleep 15 echo “1. checking packages which should not be installed:” for package in inetd xinetd ypserv tftp-server telnet-server rsh-serve do if […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[10,7,9,8],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-rhel","tag-script","tag-security"],"_links":{"self":[{"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10"}],"version-history":[{"count":3,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":17,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions\/17"}],"wp:attachment":[{"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtorbis.virtcompute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}