#!/bin/bash
#
# Script Hardening Slackware 13.1 verson 0.1 03-09-2011
# By Thiago Laurito
# http://slackdummies.blogspot.com

# Variaveis de ambiente
POS="\033[100G"
VERDE="\033[;32;1m"
VERMELHO="\033[;31;1m"
NORMAL="\033[00m"
OK="echo -e $POS [ ${VERDE}OK${NORMAL}]"
FAILED="echo -e $POS [ ${VERMELHO}FAILED${NORMAL} ]"

# Comenta CTRL-ALT-DELETE.
INITTAB=/etc/inittab

if [ -e "$INITTAB" ];
then
    echo -n "Ctrlaltdel Inittab"
    sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' $INITTAB && $OK || $FAILED ;
        echo "# Require the root pw when booting into single user mode" >> "$INITTAB" ;
    echo "~~:S:wait:/sbin/sulogin" >> "$INITTAB"
else
    echo -n "Exiting error File Not Found" ; exit
fi

# SSH Seguro.

SSHD=/etc/ssh/sshd_config
if [ -e "$SSHD" ];
then
    echo -n "UsePrivilegeSeparation"
    sed -i 's/#UsePrivilegeSeparation yes/UsePrivilegeSeparation no/g' "$SSHD" && $OK || $FAILED ;
    echo -n "Protocol Version 2"
    sed -i 's/#Protocol 2/Protocol 2/g' "$SSHD" && $OK || $FAILED ;
    echo -n "StrictModes"
    sed -i 's/#StrictModes no/StrictModes yes/g' "$SSHD" && $OK || $FAILED ;
    echo -n "AllowTcpForwarding"
    sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' "$SSHD" && $OK || $FAILED ;
    echo -n "X11Forwarding"
    sed -i 's/#X11Forwarding yes/X11Forwarding no/g' "$SSHD" && $OK || $FAILED ;
    echo -n "IgnoreRhosts"
    sed -i 's/#IgnoreRhosts no/IgnoreRhosts yes/g' "$SSHD"  && $OK || $FAILED ;
        echo -n "HostbasedAuthentication"
    sed -i 's/#HostbasedAuthentication yes/HostbasedAuthentication no/g' "$SSHD"  && $OK || $FAILED ;
    echo -n "RhoststsRSAAuthentication"
    sed -i 's/#RhostsRSAAuthentication yes/RhostsRSAAuthentication no/g' "$SSHD" && $OK || $FAILED ;
else
    echo -n "Exiting error File Not Found" ; exit
fi

# Permissao Segura em /etc/shadow.

SHADOW=/etc/shadow
if [ -e "$SHADOW" ];
then
    echo -n "Security Permission" "$SHADOW"
    chmod 600 "$SHADOW" && $OK || $FAILED
else
    echo -n "Exiting error File Not Found" ; exit
fi

# Acesso Root em apenas 2 TTY.

STTY=/etc/securetty

if [ -e "$STTY" ] ;
then
    echo -n "TTY Security"
    sed -i 's/tty3/#tty3/g' "$STTY" && $OK || $FAILED ;
    sed -i 's/tty4/#tty4/g' "$STTY" ;
    sed -i 's/tty5/#tty5/g' "$STTY" ;
    sed -i 's/tty6/#tty6/g' "$STTY"
else
    echo -n "Exiting error File Not Found" ; exit
fi

# Politicas de Login.

LOGIND=/etc/login.defs

if [ -e "$LOGIND" ];
then
    echo -n "Alter PASS_MIN_LEN "$LOGIND" "
    sed -i 's/PASS_MIN_LEN  5/PASS_MIN_LEN  8/g' "$LOGIND" && $OK || $FAILED ;
    echo -n "Passwords expire every 180 days"
    perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i "$LOGIND" && $OK || $FAILED ;
    echo -n "Passwords may only be changed once a day"
    perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i "$LOGIND" && $OK || $FAILED

else
    echo -n "Exiting error File Not Found" ; exit
fi

# Desabilita Modulo USB-STORAGE e WIRELESS.

MBLACK=/etc/modprobe.d/blacklist.conf
if [ -e "$MBLACK" ] ;
then
    echo -n "Disabling USB Mass Storage"
    echo "blacklist usb-storage" >> "$MBLACK" && $OK || $FAILED ;
    echo -n "Disabling Wireless Modules"
    for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $i >> "$MBLACK" ; done && $OK || $FAILED
else

    echo -n "Exiting error File Not Found" ; exit
fi

# Tratamento de usuarios inativos apos login.

IDLEU=/etc/profile.d/usecurity.sh
if [ -e "$IDLEU" ];
then
    echo
else
    echo -n "Create "$IDLEU" "
    touch "$IDLEU" && $OK || $FAILED;
    echo -n "Idle users will be removed after 15 minutes"
    echo "readonly TMOUT=900" >> "$IDLEU" && $OK || $FAILED ;
    echo "readonly HISTFILE" >> "$IDLEU" && $OK || $FAILED ;
    chmod +x "$IDLEU"
fi

# Restringindo cron e at apenas para root.

CRALLOW=/etc/cron.allow
if [ -e "$CRALLOW" ];
then
    echo
else
    echo -n "Locking down Cron"
    touch "$CRALLOW" && $OK || $FAILED ;
    chmod 600 /etc/cron.allow
    awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
fi

ATLLOW=/etc/at.allow
if [ -e "$ATLLOW" ];
then
    echo
else
    echo -n "Locking down AT"
    touch "$ATLLOW" && $OK || $FAILED ;
    chmod 600 /etc/at.allow
    awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
fi

# Parametros de Seguranca para o Kernel.

SYSCTL=/etc/sysctl.conf
if [ -e "$SYSCTL" ] ;
then
     echo
else
    touch "$SYSCTL"
    echo -n "Protect SYN Floods"
    echo "net.ipv4.tcp_syncookies=1" >> "$SYSCTL" && $Ok || $FAILED ;

    echo -n "Block Broadcast Response"
    echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> "$SYSCTL" && $OK || $FAILED ;

    echo -n "Enable protection for bad icmp error messages"
    echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> "$SYSCTL" && $OK || $FAILED ;

    echo -n "Enable syncookies for SYN flood attack protection"
    echo "net.ipv4.tcp_syncookies = 1" >> "$SYSCTL" && $OK || $FAILED ;

    echo -n "Log spoofed, source routed, and redirect packets"
    echo "net.ipv4.conf.all.log_martians = 1" >> "$SYSCTL" && $OK || $FAILED ;
    echo "net.ipv4.conf.default.log_martians = 1" >> "$SYSCTL" ;

    echo -n "Don't allow source routed packets"
    echo "net.ipv4.conf.all.accept_source_route = 0" >> "$SYSCTL" && $OK || $FAILED ;
    echo "net.ipv4.conf.default.accept_source_route = 0" >> "$SYSCTL";

    echo -n "Turn on reverse path filtering"
    echo "net.ipv4.conf.all.rp_filter = 1" >> "$SYSCTL" && $OK || $FAILED ;
    echo "net.ipv4.conf.default.rp_filter = 1" >> "$SYSCTL" ;

    echo -n "Don't allow outsiders to alter the routing tables"
    echo "net.ipv4.conf.all.accept_redirects = 0" >> "$SYSCTL" && $OK || $FAILED;
    echo "net.ipv4.conf.default.accept_redirects = 0" >> "$SYSCTL" ;
    echo "net.ipv4.conf.all.secure_redirects = 0" >> "$SYSCTL" ;
    echo "net.ipv4.conf.default.secure_redirects = 0" >> "$SYSCTL" ;

    echo -n "Don't pass traffic between networks or act as a router"
    echo "net.ipv4.ip_forward = 0" >> "$SYSCTL" && $OK || $FAILED ;
    echo "net.ipv4.conf.all.send_redirects = 0" >> "$SYSCTL" ;
    echo "net.ipv4.conf.default.send_redirects = 0" >> "$SYSCTL" ;

    echo -n "Disable Core Dumps"
    echo "fs.suid_dumpable = 0" >> "$SYSCTL" && $OK || $FAILED ;

fi

# Desabilitando relacao de confianca.

HEQUIV=/etc/hosts.equiv
if [ -e "$HEQUIV" ];
then
    echo
else
    echo >/etc/hosts.equiv ;
    echo >/etc/.netrc ;
    echo >/etc/r.hosts ;
    /bin/chmod 400 /etc/hosts.equiv ;
    /bin/chmod 400 /etc/.netrc ;
    /bin/chmod 400 /etc/r.hosts ;
fi

# Remove arquivos com SUID desnecessario.
# /usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null

SPATH=/bin/chmod
"$SPATH" -s /usr/bin/chsh
"$SPATH" -s /usr/bin/gpasswd
"$SPATH" -s /usr/bin/chfn
"$SPATH" -s /usr/bin/wall
"$SPATH" -s /usr/bin/screen
"$SPATH" -s /usr/bin/rcp
"$SPATH" -s /usr/bin/rsh
"$SPATH" -s /sbin/mount.nfs
"$SPATH" -s /sbin/umount.nfs
"$SPATH" -s /bin/ping
"$SPATH" -s /bin/ping6
"$SPATH" -s /bin/umount
"$SPATH" -s /bin/mount

# Restringir somente para root.
for a in /var/log/*; do [ -f $a ] && chmod 600 $a; [ -d $a ] && chmod 700 $a; done

# Bloqueia o password de usuarios do sistema.

USERM=/usr/sbin/usermod

# Block system users passwords
$USERM -L bin
$USERM -L daemon
$USERM -L adm
$USERM -L lp
$USERM -L mail
$USERM -L news
$USERM -L uucp
$USERM -L operator
$USERM -L games
$USERM -L smmsp
$USERM -L haldaemon