AIX Hardening Example Script

#!
/usr/bin/ksh
# Purpose: AIX Hardening Script Reference.

# Owner: Abstract Initiative, LLC. http://www.AbstractInitiative.com/
# LICENSE
# This script and its contents are the property of Abstract Initiative, LLC.
# License is granted to use, modify, enhance, and share to everyone.
# Selling or marketing this script or its contents without written and signed
# permission by an Abstract Initiative, LLC managing member is in violation of
# this license and the party or parties at fault agree to consideration payable
# to Abstract Initiative, LLC for the amount of twice the advertised or
contracted
# sale price in addition to legal fees incurred by Abstract Initiative, LLC in
# pursuit of protecting its properties.
#
# Abstract Initiative, LLC can not and will not be held responsible for any
# damage, risk, or liability incurred as the result of using this script. By
# using, modifying, enhancing, or sharing this script, you assume this
# responsibility. Please test in a non impactful environment first.
#
#
echo ".oO Increasing /var to 2GB"
chfs -a size=2G /var
#
echo ".oO Setting login header"
chsec -f /etc/security/login.cfg -s default \
-a herald="Unauthorized use of this system is strictly prohibited\n\n\rlogin:"
#
echo ".oO Setting /etc/security/login.cfg settings"
chsec -f /etc/security/login.cfg -s default -a sak_enabled=false
chsec -f /etc/security/login.cfg -s default -a logindisable=3
chsec -f /etc/security/login.cfg -s default -a logininterval=60
chsec -f /etc/security/login.cfg -s default -a loginreenable=30
chsec -f /etc/security/login.cfg -s default -a logindelay=5
#
echo "TMOUT=3600; TIMEOUT=3600; export readonly TMOUT TIMEOUT" >>
/etc/security/.profile
#
echo ".oO Removing /etc/rc.dt"
rm /etc/rc.dt
#
echo ".oO Restricting xwd, xwud, and xhost"
find /usr -type f -name xwd -exec chown root {} \;
find /usr -type f -name xwud -exec chown root {} \;
find /usr -type f -name xhost -exec chown root {} \;
find /usr -type f -name xwd -exec chmod go-rwx {} \;

find /usr -type f -name xwud -exec chmod go-rwx {} \;
find /usr -type f -name xhost -exec chmod go-rwx {} \;
#
echo ".oO Restricting /etc/security/user defaults and restricting root remote
login"
cp -p /etc/security/user /etc/security/user_orig
chsec -f /etc/security/user -s default -a admin=false
chsec -f /etc/security/user -s default -a auth1=SYSTEM
chsec -f /etc/security/user -s default -a auth2=none
chsec -f /etc/security/user -s default -a daemon=false
chsec -f /etc/security/user -s default -a login=true
chsec -f /etc/security/user -s default -a rlogin=false
chsec -f /etc/security/user -s root -a rlogin=false
chsec -f /etc/security/user -s default -a su=true
chsec -f /etc/security/user -s default -a umask=027
chsec -f /etc/security/user -s default -a loginretries=3
chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words
chsec -f /etc/security/user -s default -a histexpire=26
chsec -f /etc/security/user -s default -a histsize=4
chsec -f /etc/security/user -s default -a maxage=13
chsec -f /etc/security/user -s default -a maxexpired=2
chsec -f /etc/security/user -s default -a maxrepeats=3
chsec -f /etc/security/user -s default -a minage=0
chsec -f /etc/security/user -s default -a minalpha=4
chsec -f /etc/security/user -s default -a mindiff=3
chsec -f /etc/security/user -s default -a minlen=8
chsec -f /etc/security/user -s default -a minother=2
chsec -f /etc/security/user -s default -a pwdwarntime=14
#
echo ".oO Removing unnecessary users"
rmuser -p uucp
rmuser -p nuucp
rmuser -p lpd
rmuser -p lp
rmuser -p imnadm
rmuser -p guest
echo ".oO Removing unnecessary groups"
rmgroup uucp
rmgroup printq
rmgroup imnadm
rmgroup lp
#
echo ".oO Removing .netrc files"
find / -type f -name ".netrc" -exec rm -f {} \;
#
echo ".oO Creating a list of setuid files in /tmp/setuid.list"
find / -perm -04000 > /tmp/setuid.list
echo ".oO Creating a list of setgid files in /tmp/setgid.list"
find / -perm -02000 > /tmp/setgid.list
#
echo ".oO Commenting out /etc/inetd.conf"
cp -p /etc/inetd.conf /etc/inetd.conf.orig
cat /etc/inetd.conf | sed -e 's/^/\#/g' > /tmp/inetd.conf.good
cp /tmp/inetd.conf.good /etc/inetd.conf
touch -r /etc/inetd.conf.orig /etc/inetd.conf
#
echo ".oO Stopping the inetd SRC"
stopsrc -s inetd
#
echo ".oO Removing /etc/hosts.equiv"
rm /etc/hosts.equiv
#
echo ".oO Removing piobe, qdaemon, writesrv, and uprintfd from /etc/inittab"
rmitab piobe
rmitab qdaemon
rmitab writesrv
rmitab uprintfd
echo "***An SSH Server Should Be Installed If One Isn't Already"
# no
echo ".oO Setting /usr/sbin/no options"
/usr/sbin/no -p -o bcastping=0
/usr/sbin/no -p -o clean_partial_conns=1
/usr/sbin/no -p -o icmpaddressmask=0
/usr/sbin/no -p -o ip6srcrouteforward=0
/usr/sbin/no -p -o ipforwarding=0
/usr/sbin/no -p -o ipignoreredirects=1
/usr/sbin/no -p -o ipsendredirects=0
/usr/sbin/no -p -o ipsrcrouteforward=0
/usr/sbin/no -p -o ipsrcrouterecv=0
/usr/sbin/no -p -o nonlocsrcroute=0
/usr/sbin/no -p -o tcp_pmtu_discover=0
/usr/sbin/no -p -o udp_pmtu_discover=0
# NFS
echo ".oO NFS Security (put in /etc/rc.local)"
echo "/usr/sbin/nfso -o portcheck=1" >> /etc/rc.local
chown root /etc/rc.local
chmod 755 /etc/rc.local
mkitab "rclocal:2:once:/etc/rc.local"
# /etc/rc.tcpip
echo ".oO Cleaning up /etc/rc.tcpip. Original file is backed up at
/etc/rc.tcpip.ORIG"
cp -p /etc/rc.tcpip /etc/rc.tcpip.ORIG
cat /etc/rc.tcpip | sed -e 's/start \/usr\/sbin\/ndpd-host/#start
\/usr\/sbin\/ndpd-host/g' |\
sed -e 's/start \/usr\/sbin\/autoconf6/#start \/usr\/sbin\/autoconf6/g' |\
sed -e 's/start \/usr\/sbin\/binld/#start \/usr\/sbin\/binld/g' |\
sed -e 's/start \/usr\/sbin\/dhcpcd/#start \/usr\/sbin\/dhcpcd/g' |\
sed -e 's/start \/usr\/sbin\/dhcprd/#start \/usr\/sbin\/dhcprd/g' |\
sed -e 's/start \/usr\/sbin\/dhcpsd/#start \/usr\/sbin\/dhcpsd/g' |\
sed -e 's/start \/usr\/sbin\/dpid2/#start \/usr\/sbin\/dpid2/g' |\
sed -e 's/start \/usr\/sbin\/gated/#start \/usr\/sbin\/gated/g' |\
sed -e 's/start \/usr\/sbin\/hostmibd/#start \/usr\/sbin\/hostmibd/g' |\
sed -e 's/start \/usr\/sbin\/inetd/#start \/usr\/sbin\/inetd/g' |\
sed -e 's/start \/usr\/sbin\/lpd/#start \/usr\/sbin\/lpd/g' |\
sed -e 's/start \/usr\/sbin\/mrouted/#start \/usr\/sbin\/mrouted/g' |\
sed -e 's/start \/usr\/sbin\/named/#start \/usr\/sbin\/named/g' |\
sed -e 's/start \/usr\/sbin\/ndpd-router/#start \/usr\/sbin\/ndpd-router/g'
|\
sed -e 's/start \/usr\/sbin\/pxed/#start \/usr\/sbin\/pxed/g' |\
sed -e 's/start \/usr\/sbin\/routed/#start \/usr\/sbin\/routed/g' |\
sed -e 's/start \/usr\/sbin\/rwhod/#start \/usr\/sbin\/rwhod/g' |\
sed -e 's/start \/usr\/sbin\/snmpd/#start \/usr\/sbin\/snmpd/g' |\
sed -e 's/start \/usr\/sbin\/timed/#start \/usr\/sbin\/timed/g' |\
> /tmp/rctcp
cp /tmp/rctcp /etc/rc.tcpip
touch -r /etc/rc.tcpip.ORIG /etc/rc.tcpip
echo ".oO Complete."

exit 0

AIX Hardening Example Script

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

AIX Hardening Example Script

Încărcat de

Drepturi de autor:

Formate disponibile

#!

# Purpose: AIX Hardening Script Reference.

find /usr -type f -name xwd -exec chmod go-rwx {} \;

echo ".oO Complete."

S-ar putea să vă placă și