
Untitled

a guest
Nov 17th, 2017
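  #!/bin/bash

  ########################################
  # cyberpatriot ubuntu hardening script
  ########################################
  # This first section brings packages up to date and installs
  # libpam-cracklib ahead of the password-policy edits further down.
  #
  # NOTE(review): the later sections rewrite /etc/pam.d/common-auth,
  # /etc/pam.d/common-password and /etc/login.defs in place with no backup.
  # Copy those files first and keep a root shell open while testing; a
  # malformed PAM line can block every login.

  # Refresh the package index before installing, so the install resolves
  # against current archive metadata rather than a stale cache.
  sudo apt-get update -y

  # --force-yes is deliberately not passed: it lets apt continue when a
  # package cannot be authenticated, which bypasses archive signature checks.
  sudo apt-get install -y libpam-cracklib

  sudo apt-get dist-upgrade -y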
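  # Account lockout: make sure /etc/pam.d/common-auth carries this
  # pam_tally.so line. Append it when no line mentions the module, otherwise
  # rewrite every line that does.
  #
  # NOTE(review): the control flag is "optional", so a failure returned by
  # pam_tally does not by itself fail authentication; lockout rules are
  # normally "required". Confirm the intended flag.
  # NOTE(review): the append branch puts the line at the end of the file.
  # PAM evaluates lines in order, so confirm it runs before the stack can
  # already have returned a failure.
  # NOTE(review): pam_tally is a legacy module; newer PAM releases ship
  # pam_faillock instead. Confirm the module exists on the target release.

  # The dot is escaped so the pattern matches the literal module file name.
  tallyExists=$(grep -c 'pam_tally\.so' /etc/pam.d/common-auth)

  if [ "$tallyExists" -eq 0 ]; then
    printf '%s\n' 'auth optional pam_tally.so deny=5 unlock_time=900 onerr=fail audit even_deny_root_account silent' \
      | sudo tee -a /etc/pam.d/common-auth >/dev/null
  else
    sudo perl -pi -e 's/.*pam_tally\.so.*/auth optional pam_tally.so deny=5 unlock_time=900 onerr=fail audit even_deny_root_account silent/g' /etc/pam.d/common-auth
  fi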
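  # Password complexity: make sure /etc/pam.d/common-password carries this
  # pam_cracklib.so line. Append it when absent, otherwise rewrite every line
  # that mentions the module.
  #
  # NOTE(review): dcredit/ucredit/lcredit/ocredit are positive here.
  # pam_cracklib treats a positive value as credit counted toward minlen, not
  # as a requirement; a negative value such as dcredit=-1 is what demands at
  # least one character of that class. minclass=3 still enforces three
  # classes. Confirm this is the policy you want.
  # NOTE(review): the append branch adds the line at the end of the file;
  # a quality check only helps if it runs before pam_unix.so. Verify order.

  # -c makes grep print a match count. Without it the variable held the
  # matching text, the numeric test below errored, and the script always fell
  # into the replace branch, so a missing line was never added.
  cracklibExists=$(grep -c 'pam_cracklib\.so' /etc/pam.d/common-password)

  if [ "$cracklibExists" -eq 0 ]; then
    printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=8 difok=3 reject_username minclass=3 maxrepeat=2 dcredit=1 ucredit=1 lcredit=1 ocredit=1' \
      | sudo tee -a /etc/pam.d/common-password >/dev/null
  else
    sudo perl -pi -e 's/.*pam_cracklib\.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=3 reject_username minclass=3 maxrepeat=2 dcredit=1 ucredit=1 lcredit=1 ocredit=1/g' /etc/pam.d/common-password
  fi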
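  # Password history: make sure /etc/pam.d/common-password carries this
  # pam_pwhistory.so line. Append it when absent, otherwise rewrite every line
  # that mentions the module.
  #
  # NOTE(review): the append branch adds the line at the end of the file;
  # PAM evaluates lines in order, so verify it sits before pam_unix.so.

  # "grep c <name> <file>" searched for the letter c and treated the module
  # name as a file; -c is the count option that was intended.
  historyExists=$(grep -c 'pam_pwhistory\.so' /etc/pam.d/common-password)

  # The option is spelled use_authtok; the earlier "use_authok" is not an
  # option the module knows, so the intended behaviour was never applied.
  if [ "$historyExists" -eq 0 ]; then
    printf '%s\n' 'password requisite pam_pwhistory.so use_authtok remember=24 enforce_for_root' \
      | sudo tee -a /etc/pam.d/common-password >/dev/null
  else
    sudo perl -pi -e 's/.*pam_pwhistory\.so.*/password requisite pam_pwhistory.so use_authtok remember=24 enforce_for_root/g' /etc/pam.d/common-password
  fi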
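  # Password hashing: make sure /etc/pam.d/common-password carries this
  # pam_unix.so line (sha512 hashes, shadow file). Append it when absent,
  # otherwise rewrite every line that mentions the module.
  #
  # NOTE(review): use_authtok makes pam_unix take the new password from an
  # earlier module in the stack; confirm a quality-check module precedes it,
  # otherwise password changes may fail.

  # "grep c <name> <file>" searched for the letter c and treated the module
  # name as a file; -c is the count option that was intended.
  unixExists=$(grep -c 'pam_unix\.so' /etc/pam.d/common-password)

  if [ "$unixExists" -eq 0 ]; then
    printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 shadow' \
      | sudo tee -a /etc/pam.d/common-password >/dev/null
  else
    sudo perl -pi -e 's/.*pam_unix\.so.*/password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 shadow/g' /etc/pam.d/common-password
  fi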
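  # Minimum password age: set PASS_MIN_DAYS to 7 in /etc/login.defs,
  # appending the setting when no active line exists.
  #
  # NOTE(review): login.defs ageing values are applied when an account is
  # created; existing accounts keep their current values until changed with
  # chage. Confirm whether existing users also need updating.

  # Count active (non-comment) lines that start with the key. The earlier
  # "grep c PASS_MIN_DAYS" treated the key as a file name, so the count was
  # always empty and a missing setting was never appended.
  minDaysExists=$(grep -c '^[[:space:]]*PASS_MIN_DAYS' /etc/login.defs)

  if [ "$minDaysExists" -eq 0 ]; then
    printf '%s\n' 'PASS_MIN_DAYS 7' | sudo tee -a /etc/login.defs >/dev/null
  else
    # same anchor as the count above, so both branches agree on what exists
    sudo perl -pi -e 's/^\s*PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/g' /etc/login.defs
  fi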
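  # Maximum password age: set PASS_MAX_DAYS to 90 in /etc/login.defs,
  # appending the setting when no active line exists.
  #
  # NOTE(review): login.defs ageing values are applied when an account is
  # created; existing accounts keep their current values until changed with
  # chage. Confirm whether existing users also need updating.

  # Count active (non-comment) lines that start with the key. The earlier
  # "grep c PASS_MAX_DAYS" treated the key as a file name, so the count was
  # always empty and a missing setting was never appended.
  maxDaysExists=$(grep -c '^[[:space:]]*PASS_MAX_DAYS' /etc/login.defs)

  if [ "$maxDaysExists" -eq 0 ]; then
    printf '%s\n' 'PASS_MAX_DAYS 90' | sudo tee -a /etc/login.defs >/dev/null
  else
    # same anchor as the count above, so both branches agree on what exists
    sudo perl -pi -e 's/^\s*PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
  fi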
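  # Expiry warning: set PASS_WARN_AGE to 14 in /etc/login.defs, appending
  # the setting when no active line exists.
  #
  # NOTE(review): login.defs ageing values are applied when an account is
  # created; existing accounts keep their current values until changed with
  # chage. Confirm whether existing users also need updating.

  # Count active (non-comment) lines that start with the key. The earlier
  # "grep c PASS_WARN_AGE" treated the key as a file name, so the count was
  # always empty and a missing setting was never appended.
  warnAgeExists=$(grep -c '^[[:space:]]*PASS_WARN_AGE' /etc/login.defs)

  if [ "$warnAgeExists" -eq 0 ]; then
    printf '%s\n' 'PASS_WARN_AGE 14' | sudo tee -a /etc/login.defs >/dev/null
  else
    # same anchor as the count above, so both branches agree on what exists
    sudo perl -pi -e 's/^\s*PASS_WARN_AGE.*/PASS_WARN_AGE 14/g' /etc/login.defs
  fi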
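  # Listening ports: print TCP listeners for manual review.
  echo "########################################"
  echo "# check out these ports, make sure they look non-suspicious"
  echo "########################################"
  # netstat comes from net-tools, which is not installed on every Ubuntu
  # image; fall back to ss so the check never comes back silently empty.
  # The second grep drops unix-domain sockets, whose state reads LISTENING.
  # UDP sockets have no LISTEN state and are not shown by either command.
  if command -v netstat >/dev/null 2>&1; then
    netstat -an | grep LISTEN | grep -v ING
  else
    ss -ltn
  fi
  echo "########################################"
  echo "# To find what process is using a port, run the following"
  echo "# sudo lsof -i :<portnumber>"
  echo "########################################"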
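  # Per-user crontabs: print each account name followed by its crontab.
  # This covers user crontabs only; /etc/crontab and the /etc/cron.*
  # directories still need a separate look.
  echo "########################################"
  echo "# check out these crontabs, make sure they look non-suspicious"
  echo "########################################"
  # The account list is fed to the loop on fd 3. Previously nothing was
  # redirected into the loop, so read waited on the terminal and the cut
  # command ran inside the body instead of supplying the names.
  # fd 3 keeps stdin free in case sudo needs to prompt.
  while IFS= read -r user <&3; do
    echo "$user"
    sudo crontab -u "$user" -l
  done 3< <(cut -f1 -d: /etc/passwd)
  echo "########################################"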
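  # Administrative groups: print group entries for manual review.
  echo "########################################"
  echo "# check out these admins, make sure they should be administrators"
  echo "########################################"
  # Ubuntu grants sudo rights through the "sudo" group, so a match on
  # "admin" alone can miss the accounts that actually hold root access.
  grep -E 'admin|sudo' /etc/group
  echo "########################################"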
  # Running services: show the entries that `service --status-all` marks
  # with a "+", then print the removal hint for the operator.
  printf '%s\n' \
    "########################################" \
    "# check out these running services" \
    "########################################"
  # status output is merged into stdout so every line reaches the filter
  sudo service --status-all 2>&1 | grep -F '+'
  printf '%s\n' \
    "########################################" \
    "# to remove a serivce:" \
    "# sudo apt-get -y autoremove --purge <package>" \
    "# probably leave ssh and vmware-tools* alone" \
    "########################################"
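  # Account database: dump /etc/passwd for manual review, then flag the two
  # conditions that are easy to miss when reading it by eye.
  echo "########################################"
  echo "# check out /etc/passwd"
  echo "########################################"
  cat /etc/passwd
  echo "########################################"
  echo "# make sure none of the fields have plain text password in them"
  # With shadow passwords the second field is normally "x"; anything else
  # (empty, a hash, "*", "!") deserves a look.
  awk -F: '$2 != "x" { print "# password field is not x: " $1 }' /etc/passwd
  # Any account other than root with UID 0 has full root privileges.
  awk -F: '$3 == 0 && $1 != "root" { print "# extra UID 0 account: " $1 }' /etc/passwd
  echo "########################################"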
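  # Telnet notes: printed guidance only, nothing is changed on the system.
  # telnet carries credentials in clear text, so these steps apply only when
  # the service really has to stay.
  # Two paths in the printed text were corrected: the xinetd service
  # directory is /etc/xinetd.d and the MOTD fragment is 10-help-text.
  printf '%s\n' \
    "########################################" \
    "# if you need telnet:" \
    "remove from /etc/xinetd.d/telnet:" \
    " server_args = -L /usr/local/bin/autologin" \
    "add to /etc/xinetd.d/telnet:" \
    " only_from = 127.0.0.1 192.168.1.0/24" \
    "remove ubuntu line from /etc/issue.net" \
    "comment out all lines in /etc/update-motd.d/00-header" \
    "comment out all lines in /etc/update-motd.d/10-help-text" \
    "########################################"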