samir82show

hardening script

Aug 22nd, 2014
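  #!/bin/bash
  # Author: Samir Ahmed
  # Date: 23.8.2014
  # Purpose: To harden the systems according to the ISO requirements
  #
  # Runs under bash, not plain sh: the sysadmin[] array used throughout is a
  # bash feature and fails under a strict POSIX /bin/sh such as dash.

  ############ users and ssh key names #############
  # Add the admins' names to the list (whitespace separated).
  admin_list="admin1 admin2 admin3 admin4 admin5 admin6"

  # For the admin at 1-based position N in admin_list this defines:
  #   sysadmin[N]          the admin name
  #   putty_keyN           <name>_public_key       (login key, public)
  #   linux_puplic_keyN    <name>_sys_public_key   (system key pair, public)
  #   linux_private_keyN   <name>_sys_private_key  (system key pair, private)
  # The three key values are file names looked up in the directory the script
  # is run from. The "puplic" spelling is kept because later sections of the
  # script refer to the variables by that name.
  j=1
  for i in $admin_list; do # unquoted on purpose: split the list on whitespace
    sysadmin[$j]=$i
    printf -v "putty_key${j}" '%s' "${i}_public_key"
    printf -v "linux_puplic_key${j}" '%s' "${i}_sys_public_key"
    printf -v "linux_private_key${j}" '%s' "${i}_sys_private_key"
    j=$((j + 1))
  done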
  37.  
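  ############ checking the existence of the key files #########
  # Stop before anything on the system is changed if a key file is missing
  # from the current directory; exit status 155 means "key file not found".
  # Check order matches the deployment order: all login public keys, then all
  # system public keys, then all system private keys.
  # Looping over admin_list also fixes the admin6 message, which used to
  # expand a misspelled variable and print an empty name.
  # NOTE(review): the *_sys_private_key files sit in the working directory
  # next to this script; keep that directory readable by root only.
  for i in $admin_list; do
    if [ ! -f "${i}_public_key" ]; then
      echo "putty ${i}_public_key is not found"
      exit 155
    fi
  done

  for i in $admin_list; do
    if [ ! -f "${i}_sys_public_key" ]; then
      echo "linux ${i}_sys_public_key is not found"
      exit 155
    fi
  done

  for i in $admin_list; do
    if [ ! -f "${i}_sys_private_key" ]; then
      echo "linux ${i}_sys_private_key is not found"
      exit 155
    fi
  done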
  131.  
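  # Start a fresh harden.log in the current directory on every run.
  # NOTE(review): the log is opened by root through a relative path, so run
  # the script from a directory that only root can write to.
  : > harden.log
  echo "hardening $HOSTNAME .." >> harden.log

  Groupadmin="sysadmin"
  # Look the group up by name. The former "grep -w" over /etc/group also
  # matched the word in another group's member list, in which case the group
  # was never created and the useradd calls further down failed.
  if ! getent group "$Groupadmin" > /dev/null; then
    groupadd "$Groupadmin"
    printf 'done group creating \t\t\t\t\t\t\t\t\t\t\t %s\n' "$(date)" >> harden.log
  fi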
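  # Make sure every admin account exists and has $Groupadmin as its primary
  # group: create missing accounts (with a home directory), move existing ones.
  # The accounts are handled in the order 4,1,2,6,3,5, as before, so that on a
  # fresh host they are created in the same sequence as on earlier runs.
  # One loop replaces six copies of the same stanza; the copies had drifted
  # (admin3 had lost its "else", admin5 never had its group corrected).
  for n in 4 1 2 6 3 5; do
    user=${sysadmin[$n]}
    # getent/id look at the account itself; "grep -w" over /etc/passwd also
    # matched the name inside another account's comment or home directory.
    if ! getent passwd "$user" > /dev/null; then
      useradd -g "$Groupadmin" -m "$user"
      printf 'done %s creating \t\t\t\t\t\t\t\t\t\t\t %s\n' "$user" "$(date)" >> harden.log
    else
      Groupvar=$(getent group "$Groupadmin" | awk -F':' '{print $3}')
      Uservar=$(id -g "$user")
      if [ "$Groupvar" != "$Uservar" ]; then
        usermod -g "$Groupadmin" "$user"
        printf 'user group changed \t\t\t\t\t\t\t\t\t\t\t %s\n' "$(date)" >> harden.log
      fi
    fi
  done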
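  ############ password policy: login.defs and PAM #############
  # Back up both files before editing. One full timestamp is used for both:
  # the old names were built from the seconds field alone (%S), so a later run
  # could overwrite an earlier backup. The "starting of new conf" marker went
  # into a differently named file and has been dropped; the backups stay
  # byte-identical to the originals so they can be copied straight back.
  backup_stamp=$(date +%F_%H%M%S)
  cp -p /etc/login.defs "/etc/login.defs_backup_${backup_stamp}"
  cp -p /etc/pam.d/system-auth "/etc/pam.d/system-auth_backup_${backup_stamp}"

  # Password ageing: 90 days maximum, 1 day minimum, 8 characters minimum.
  # "-i -e" instead of "-ie": GNU sed reads "-ie" as "-i with backup suffix e"
  # and leaves a stray copy (login.defse, system-authe) next to the file.
  # login.defs ageing values are applied when an account is created; accounts
  # that already exist keep their current ageing until changed with chage.
  sed -i -e 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/;s/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 1/;s/^PASS_MIN_LEN.*$/PASS_MIN_LEN 8/' /etc/login.defs

  # Password quality (pam_cracklib) and history (pam_unix remember=5).
  # The fields in system-auth are usually separated by runs of spaces or tabs,
  # so the match allows any whitespace; a single-space pattern silently
  # matched nothing on such files.
  # NOTE(review): "nullok" on the pam_unix line accepts accounts whose
  # password is empty - confirm that this is wanted in the baseline.
  # NOTE(review): where system-auth is a symlink to a generated file, sed -i
  # replaces the link with a regular file, and tools that regenerate the PAM
  # stack may discard the edit - confirm for the target distribution.
  sed -i -e 's/^password[[:space:]]\{1,\}requisite.*$/password requisite pam_cracklib.so try_first_pass type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=5/;s/^password[[:space:]]\{1,\}sufficient.*$/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/' /etc/pam.d/system-auth

  # Record it when the PAM file did not contain the lines the edit expects,
  # so the host is not reported as hardened with its old password rules.
  if ! grep -q '^password requisite pam_cracklib.so .*minlen=8' /etc/pam.d/system-auth; then
    echo "warning: pam_cracklib policy was not applied to /etc/pam.d/system-auth" >> harden.log
  fi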
  223.  
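  #### keys deployment
  # Put each admin's login public key into that admin's authorized_keys.
  # NOTE(review): authorized_keys takes the one-line OpenSSH format; a public
  # key file saved by PuTTYgen in its multi-line format would be appended but
  # not accepted by sshd - confirm how the *_public_key files were exported.
  for i in $admin_list; do
    ssh_dir="/home/${i}/.ssh" # assumes the home directory is /home/<name>
    mkdir -p "$ssh_dir"
    touch "${ssh_dir}/authorized_keys"
    # Append only when the key is not there yet, so that running the script
    # again does not pile up duplicate entries. -F -x: literal, whole line.
    if ! grep -qxF -f "${i}_public_key" "${ssh_dir}/authorized_keys"; then
      cat "${i}_public_key" >> "${ssh_dir}/authorized_keys"
    fi
    printf '%s public key copied \t\t\t\t\t\t\t\t\t\t %s\n' "$i" "$(date)" >> harden.log
    # user:group - the dot separator is the obsolete spelling.
    chown -R "${i}:${Groupadmin}" "$ssh_dir"
    # Only the owner may enter the directory or read/modify the key list.
    chmod 700 "$ssh_dir"
    chmod 600 "${ssh_dir}/authorized_keys"
  done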
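  ##### systems keys addition
  # Install each admin's system key pair: the private half becomes
  # ~/.ssh/id_rsa, the public half is added to authorized_keys.
  # NOTE(review): every host this script is run on receives a copy of the
  # same private keys, so one compromised host exposes keys that are valid on
  # all the others; generating the key pair on each host avoids that.
  for i in $admin_list; do
    ssh_dir="/home/${i}/.ssh" # assumes the home directory is /home/<name>
    # install sets owner and mode as it creates the file; with cp followed by
    # a later chmod the private key was readable by others for a moment.
    install -m 600 -o "$i" -g "$Groupadmin" "${i}_sys_private_key" "${ssh_dir}/id_rsa"
    # Literal whole-line comparison: the key text must not be read as a
    # regular expression.
    if ! grep -qxF -f "${i}_sys_public_key" "${ssh_dir}/authorized_keys" 2> /dev/null; then
      cat "${i}_sys_public_key" >> "${ssh_dir}/authorized_keys"
    fi
    chown -R "${i}:${Groupadmin}" "$ssh_dir"
    printf '%s Linux keys copied \t\t\t\t\t\t\t\t\t %s\n' "$i" "$(date)" >> harden.log
  done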
  247.  
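  ############ sshd: no direct root login #############
  # Back up sshd_config under a full timestamp. The name used to be built
  # from the seconds field alone, so backups could overwrite each other, and
  # the marker line written first was replaced by the cp that followed.
  sshd_stamp=$(date +%F_%H%M%S)
  cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config_backup_${sshd_stamp}"

  # sshd keeps the first value it reads for a keyword, so every active
  # PermitRootLogin line is rewritten, whatever its value. Matching "yes"
  # only left values such as "without-password" in force, with the appended
  # "no" further down the file being ignored.
  sed -i -e 's/^[[:space:]]*PermitRootLogin[[:space:]].*$/PermitRootLogin no/' /etc/ssh/sshd_config

  if ! grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
    # No active line at all: add it at the top, ahead of any Match block.
    # Appended at the end it could land inside a Match block and apply only
    # to the connections that block selects.
    sed -i -e '1i PermitRootLogin no' /etc/ssh/sshd_config
  fi
  # Logged in both cases (it used to be logged only when nothing was added).
  # The setting takes effect at the next sshd restart; check that the admin
  # accounts can log in with their keys and use sudo before relying on it.
  printf 'Root login set to No \t\t\t\t\t\t\t\t\t\t\t %s\n' "$(date)" >> harden.log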
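  ###### services #####
  # NOTE(review): this stops the host firewall and removes it from boot.
  # In a hardening baseline that takes a control away; confirm that filtering
  # is done elsewhere, or ship a restrictive ruleset instead.
  service iptables stop
  chkconfig iptables off
  # NOTE(review): the stock /etc/selinux/config sets SELINUX= to enforcing,
  # permissive or disabled, none of which contains "enabled", so this edit
  # probably changes nothing - confirm what it is meant to do. Turning
  # SELinux off would also remove a control rather than add one.
  # "-i -e" instead of "-ie": GNU sed reads "-ie" as "-i with backup suffix e"
  # and leaves a stray /etc/selinux/confige behind.
  sed -i -e 's/enabled/disabled/' /etc/selinux/config
  if [ -f /etc/init.d/vmware-tools ]; then
    /etc/init.d/vmware-tools start
  fi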
  267.  
  268.  
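  ############ login banner and sshd restart #############
  # Install the banner text shipped next to the script and point sshd at it.
  cp -f banner /etc/banner
  if grep -q '^Banner' /etc/ssh/sshd_config; then
    sed -i -e 's/^Banner.*$/Banner \/etc\/banner/' /etc/ssh/sshd_config
  elif grep -q '^#Banner' /etc/ssh/sshd_config; then
    sed -i -e 's/^#Banner.*$/Banner \/etc\/banner/' /etc/ssh/sshd_config
  else
    # Neither an active nor a commented Banner line: this case used to leave
    # sshd without a banner. Added at the top, ahead of any Match block.
    sed -i -e '1i Banner /etc/banner' /etc/ssh/sshd_config
  fi

  # Validate the edited file before restarting. Restarting on a broken
  # sshd_config can leave the host without SSH, and root login has just been
  # switched off.
  if /usr/sbin/sshd -t; then
    service sshd restart
  else
    echo "sshd_config failed validation (sshd -t); sshd was NOT restarted" | tee -a harden.log >&2
  fi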
  278.  
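  ############# sudo ################
  # Back up the current sudoers under a full timestamp (the name used to be
  # built from the seconds field alone). The marker line that was appended to
  # an sshd_config backup here was a copy-paste leftover and has been dropped.
  sudoers_stamp=$(date +%F_%H%M%S)
  cp -p /etc/sudoers "/etc/sudoers_${sudoers_stamp}"

  # Syntax-check the new file before it replaces the live one: with root SSH
  # login disabled, a sudoers file that does not parse leaves nobody able to
  # become root remotely. install also sets the owner and mode sudo expects.
  if visudo -c -f sudoers >> harden.log 2>&1; then
    install -m 0440 -o root -g root sudoers /etc/sudoers
  else
    echo "sudoers failed validation (visudo -c); /etc/sudoers left unchanged" | tee -a harden.log >&2
  fi

  mkdir -p /UNIXscripts
  chown -R "${sysadmin[1]}:${Groupadmin}" /UNIXscripts
  # NOTE(review): mode 770 lets every member of $Groupadmin add or replace
  # files here. If the installed sudoers allows anything under /UNIXscripts
  # to run as root, that is root for the whole group - confirm it is intended.
  chmod 770 /UNIXscripts
  echo "$HOSTNAME is hardened .." >> harden.log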