Tuesday, November 17, 2015

How to list IDs with sudo access in Solaris 10

A one-liner to list the accounts that hold unrestricted sudo rights on Solaris 10. It asks sudo itself what each account may run (sudo -l -U user) rather than reading /etc/sudoers by hand, so grants that arrive through a %group or a User_Alias are evaluated correctly. Two caveats: -U is accepted from sudo 1.7 onwards and only root (or an account with sudo ALL) may use it, and Solaris /usr/bin/grep has no -q or -B options, so GNU grep (ggrep, from the SUNWgnu-grep or CSWggrep package) is used.

The original version read /etc/passwd, which misses NIS/LDAP accounts, and matched only the literal "(ALL) ALL", which misses "(ALL) NOPASSWD: ALL" and "(ALL : ALL) ALL". This version fixes both:

*********************************************************************************
getent passwd | cut -d: -f1 | while read u; do
    sudo -l -U "$u" 2>/dev/null | ggrep -q '^ *(ALL[^)]*) *\(NOPASSWD: *\)\{0,1\}ALL *$' && echo "$u"
done

*********************************************************************************

Entries of the form "(root) ALL", or command lists that still amount to root (a shell, su, an editor), are not flagged by the pattern; review the full sudo -l -U output for those accounts by hand.
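The same check written out as a script, added here as an example and not part of the original post. It asks sudo for each account's effective policy and parses the privilege lines, so NOPASSWD tags, "(ALL : ALL)" run-as specifications and command-restricted grants are told apart instead of being matched against one fixed string. It assumes sudo 1.7 or later (for -U), that it runs as root, and that getent is available; the SAMPLE_* outputs are constructed.

```python
#!/usr/bin/python
# Added example, not from the original post: classify "sudo -l -U <user>" output
# and list the accounts that may run ALL commands as root. Assumes sudo >= 1.7
# (-U), root privileges and getent; the SAMPLE_* strings below are constructed.
import re
import subprocess
import sys

# One privilege line as sudo prints it: "(runas[ : rungroup]) [TAG: ...] cmd, cmd"
PRIV_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*)$")


def parse_privileges(output):
    """Return [(runas_user, [tags], [commands]), ...] from sudo -l output.
    Only lines after 'may run the following commands' are privilege lines; the
    'Matching Defaults' section and 'is not allowed to run sudo' are ignored."""
    privs = []
    in_block = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = PRIV_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        privs.append((runas, tags, cmds))
    return privs


def is_full_root(privs):
    """True if any entry allows ALL commands as root (or as ALL users)."""
    for runas, tags, cmds in privs:
        if runas in ("ALL", "root") and "ALL" in cmds:
            return True
    return False


def users_with_full_sudo():
    """Ask sudo about every account in the passwd database (getent also covers
    NIS/LDAP accounts that are absent from /etc/passwd)."""
    found = []
    users = subprocess.Popen(["getent", "passwd"], stdout=subprocess.PIPE).communicate()[0]
    for entry in users.decode("utf-8", "replace").splitlines():
        user = entry.split(":")[0]
        p = subprocess.Popen(["sudo", "-l", "-U", user],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out = p.communicate()[0].decode("utf-8", "replace")
        if is_full_root(parse_privileges(out)):
            found.append(user)
    return found


# constructed samples of sudo -l -U output
SAMPLE_FULL = """Matching Defaults entries for alice on this host:
    env_reset, secure_path=/usr/bin:/usr/sbin

User alice may run the following commands on this host:
    (root) /usr/bin/id
    (ALL : ALL) NOPASSWD: ALL
"""
SAMPLE_LIMITED = """User bob may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/bin/passwd [A-Za-z]*
    (ALL) NOPASSWD: /usr/sbin/svcadm restart network/http
"""
SAMPLE_NONE = "User carol is not allowed to run sudo on this host.\n"

if __name__ == "__main__":
    for user in users_with_full_sudo():
        sys.stdout.write("%s\n" % user)
```

Run it as root; it prints one account per line. Because the decision is made on the parsed run-as user and command list, it is easy to widen (for example, to also flag a "(root)" grant of a shell) without touching the regular expression.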

Monday, November 9, 2015

Booting procedure in Solaris SPARC architecture

The phases of the Solaris SPARC boot process are described below.


Power on -> POST -> OBP loads bootblk from the boot device (sectors 1-15) -> ufsboot -> kernel -> root file system mounted -> /sbin/init -> /lib/svc/bin/svc.startd

Boot PROM phase

The OpenBoot PROM (OBP) prints the banner: system model, hostid, Ethernet (MAC) address, PROM revision and physical memory size. It then runs POST (Power On Self Test), the hardware diagnostic routine that also initialises the installed hardware.

POST messages are written to the serial console. If no serial console is attached, the hardware and diagnostic status can be reviewed after boot with prtdiag -v.

Sample prtdiag -v output (shown as an image in the original post).
After POST, the PROM loads the primary boot program, bootblk.

Boot program phase

OBP reads bootblk from sectors 1 to 15 of the disk slice that holds the root file system (sector 0 is the disk label). If bootblk is missing or corrupt the system cannot boot from disk: boot from CD-ROM or the network and reinstall it with installboot, for example

installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t0d0s0

(installgrub is the x86 equivalent and does not apply to SPARC.)

ufsboot: the secondary boot program, loaded by bootblk. It reads the kernel and the kernel modules from the root file system.

kernel: the kernel file is /platform/`uname -m`/kernel/sparcv9/unix, for example /platform/sun4u/kernel/sparcv9/unix (on x86 it is /platform/i86pc/kernel/amd64/unix). As it loads, the kernel prints its banner including the version number. The kernel initialises itself and keeps loading modules through ufsboot until it has enough of them to mount the root file system. If root cannot be mounted (wrong rootdev in /etc/system, a damaged file system, a failed disk) the boot stops in this phase.


Boot-time kernel parameters are read from /etc/system. Its main directives are:


  • moddir: Changes path of kernel modules.
  • forceload: Forces loading of a kernel module.
  • exclude: Excludes a particular kernel module.
  • rootfs: Specify the system type for the root file system. (ufs is the default.)
  • rootdev: Specify the physical device path for root.
  • set: Set the value of a tuneable system parameter.

Init phase

init is the first user process (PID 1): the kernel starts /sbin/init, which reads /etc/inittab and starts /lib/svc/bin/svc.startd, the SMF master restarter. svc.startd then brings up the services that do the following:



a. configuring all network devices

b. mounting all file system

c. starts all network services

d. runs the legacy rc scripts and brings the machine to multi-user mode



In Solaris 10, svc.startd (SMF) is responsible for starting and stopping services during boot and shutdown. Legacy scripts in /etc/init.d, linked from the /etc/rc*.d directories, are still executed by svc.startd for the run level (they show up in svcs output as legacy_run), but SMF does not manage them: it neither restarts them on failure nor tracks their dependencies.



Run levels in Solaris 10

init s -> single-user mode (local file systems mounted, root login on the console only)

init 1 -> administrative mode (single-user with all file systems mounted, user logins disabled)

init 2 -> multi-user mode, NFS resources not shared

init 3 -> multi-user mode with NFS resources shared (the default)

init 4 -> unused, reserved for a site-defined level

init 5 -> shut down and power off

init 6 -> shut down and reboot

init 0 -> shut down to the OpenBoot ok prompt



The phases above are summarised in a flowchart in the original post.
Monday, November 2, 2015

Linux system hardening using python 2.6

 
A script to harden a Linux host, written for Python 2.6. Most steps wrap shell commands (chkconfig, rpm, sysctl, sed) in Python, and each step appends a status line to a log file. It targets RHEL/CentOS 5 and 6 era systems (SysV init and chkconfig, /etc/syslog.conf, /etc/modprobe.conf, /etc/grub.conf), and the checks mirror items from the CIS Red Hat benchmark. Run it as root after backing up the host: it edits system files, disables services, removes packages such as samba and dovecot, and changes sshd_config, so test it on a non-production system first.

########################################################################
#!/usr/bin/python

import os
import subprocess
import pw


active_services = ['autofs','auditd','crond','iscsi','iscsid','netfs','nfs','nfslock','ntpd','restorecond','snmpd','sshd','syslog','sysstat','acpid','anacron','atd','cpuspeed','lvm2-monitor','messagebus','ntpd','network'
'syslog','vncserver']

for i in active_services:

os.system ("chkconfig +i on")

out = os.system ("echo $?")

if (out == 0):

file = open("/tmp/linuxout.txt","a")
file.write("activated i in the system");
file.close


inactive_services = ['acpid','anacron','apmd','arptables_jf','arpwatch','atd','avahi-dnsconfd','bluetooth','conman','cups','cyrus-imapd','dc_client','dc_server',
'firstboot','dovecot','dund','haldaemon','hidd','hplip','isdn','iptables','ip6tables','winbind','wpa_supplicant','xfs','readahead_early','readahead_later']

for j in inactive_services:

os.system("chkconfig +j off")
out = os.system ("echo $?")

if (out == 0):

file = open("/tmp/linuxout.txt","a")
file.write("disabled j in the system");
file.close

##backing up important files

path = /linux_bkp

os.mkdir (path, 0755)

import shutil

 imp_files = ['/etc/pam.d/system-auth','/etc/grub.conf','/etc/inittab','/etc/sysctl.conf','/etc/sysconfig/init','etc/sysconfig/prelink','/etc/security/limits.conf','/etc/syslog.conf',
 '/etc/audit/audit.conf','/etc/audit/audit.rules','/etc/ssh/sshd_config','/etc/login.defs']

 dst = /linux_bkp

 for i in imp_files:

shutil.copy(i,dst)

file = open ("/tmp/linuxout.txt","a")
file.write("important file i is backedup in /linux_bkp");
file.close


#adding nodev in /dev/shm partition

nodev_chk1 = os.system("cat /etc/fstab|grep -i /dev/shm/|grep -i nodev|wc -l")
nodev_chk2 = os.system("mount|grep -i /dev/shm|grep nodev|wc -l")

i = 1

if i in ("nodev_chk1", "nodev_chk2"):

file = open ("/tmp/linuxout.txt","a")
file.write("nodev is already configured in /dev/shm");
file.close

else:

    os.system("mount -o remount,nodev,noexec,nosuid /dev/shm")

file = open ("/tmp/linuxout.txt","a")
file.write("nodev is configured in /dev/shm");
file.close



#adding nosuid in /dev/shm

nosuid_chk1 = os.system ("cat /etc/fstab |grep -i /dev/shm|grep -i nosuid |wc -l")
nosuid_chk2 = os.system ("mount |grep -i /dev/shm |grep -i nosuid |wc -l")
i = 1

if i in ("nosuid_chk1", "nosuid_chk2"):

file = open ("/tmp/linuxout.txt","a")
file.write("nosuid is already configured in /dev/shm");
file.close

else:

os.system("mount -o remount,nodev,noexec,nosuid /dev/shm")
file.close


#to check aide rpm installed or not

p = subprocess.Popen("rpm -qa |grep -i aide",shell=True)
p.communicate()
var1 = p.returncode

if ( var1 != 0 ):

os.system ("rpm --ivh aide*")

else:

file = open ("/tmp/linuxout.txt","a")
file.write("aide is already installed ")
file.close

#periodic execution of the file integrity

p = subprocess.Popen("crontab -l |grep -i aide",shell=True)

p.communicate()

var1 = p.returncode

if ( var1 != 0):

os.system ("crontab -l > mycron")

os.system ("echo"0 1 * * * /usr/sbin/aide -check" >> mycron")

os.system ("crontab mycron")

file = open ("/tmp/linuxout.txt","a")
file.write("Periodic execution of the file integrity is configured")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write("Periodic execution of the file integrity is already available")
file.close

#Set user and group owner for grub.conf

os.system ("chown:root:root/etc/grub.conf")

file = open ("/tmp/linuxout.txt","a")
file.write("user and group ownership is set for /etc/grub.conf")
file.close

#Set permission on /etc/groub.conf

os.system ("chmod og-rwx /etc/grub.conf")

file = open ("/tmp/linuxout.txt","a")
file.write ("permission is setted for /etc/grub.conf")
file.close

#set authentication for single user mode

p = subprocess.Popen("cat /etc/inittab|grep -i sulogin",shell=True)
p.communicate()
var1 = p.returncode

if (var1 != 0):

os.system("echo ~:S:wait:/sbin/sulogin >> /etc/inittab")

file = open ("/tmp/linuxout.txt","a")
file.write ("authentication is configured for single user mode")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("authentication is already configured for single user mode")
file.close


#Disable interactive boot

p = subprocess.Popen("grep 'PROMPT=no' /etc/sysconfig/init",shell=True)

p.communicate()

var1 = p.returncode

if (var1 == 0):

os.system("sed -i 's/PROMPT=yes/PROMPT=no/g' /etc/sysconfig/init")

file = open ("/tmp/linuxout.txt","a")
file.write ("Disabling interactive boot")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Interactive boot is already disabled")
file.close

#Restrict Core Dumps

p = subprocess.Popen ("grep 'hard core 0'/etc/security/limits.conf",shell=True)
p.communicate()
var1 = p.returncode

p = subprocess.Popen ("grep 'fs.suid.dumpable = 0' /etc/sysctl.conf",shell=True)
p.communicate()
var2 = p.returncode

if ( var1 == 0 ) & ( var2 == 0):


file = open ("/tmp/linuxout.txt","a")
file.write ("core dump is already restricted in this server, no action required")
file.close

else:

os.system("echo * hard core 0 >> /etc/security/limits.conf")
os.system("echo fs.suid.dumpable = 0 >> /etc/sysctl.conf")

file = open ("/tmp/linuxout.txt","a")
file.write ("core dump is restricted in this server")
file.close

# Configure ExecShield

p = subprocess.Popen ("grep 'kernel.exec-shield = 1' /etc/sysctl.conf",shell=True)
p.communicate()

var1 = p.returncode

if ( var1 != 0 ):

os.system("echo kernel.exec-shield = 1 >> /etc/sysctl.conf")
file = open ("/tmp/linuxout.txt","a")
file.write ("execShild is configured ")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("execShild is configured already ")
file.close


#Disable Prelink

p = subprocess.Popen ("grep 'PRELINKING=no' /etc/sysconfig/prelink",shell=True)
p.communicate()
var1 = p.returncode

if ( var1 != 0 ):

os.system("sed -i 's/PRELINKING=yes/PRELINKING=no/g'  /etc/sysconfig/prelink")
file = open ("/tmp/linuxout.txt","a")
file.write ("prelink is disabled successfully ")
file.close

else:
file = open ("/tmp/linuxout.txt","a")
file.write ("prelink is already disabled")
file.close


#Remove telnet server

p = subprocess.Popen ("rpm -qa |grep telnet-server",shell=True)
p.communicate()
var1 = p.returncode

tntsev = os.system ("rpm -qa |grep -i telnet-server")

if ( var1 == 0 ):

os.system ("rpm -e $tntsev")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed  telnet server")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("telnet server is not installed")
file.close


#remove RSH server

p = subprocess.Popen ("rpm -qa |grep -i rsh-server",shell=True)
p.communicate()
var1 = p.returncode

rshsrv = os.system ("rpm -qa |grep -i rsh-server")

if ( var1 == 0 ):

os.system ("rpm -e $rshserv")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed  rsh server")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("rsh server is not installed")
file.close

#Remove NIS client

p = subprocess.Popen ("rpm-qa |grep -i ypbind",shell=True)
p.communicate()
var1 = p.returncode

ypbnd = os.system ("rpm -qa |grep -i ypbind")

if ( var1 == 0 ):

os.system ("rpm -e $ypbnd")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed NIS client")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("NIS client is not installed")
file.close

#remove NIS server

p = subprocess.Popen ("rpm-qa |grep -i ypserv",shell=True)
p.communicate()
var1 = p.returncode

ypserv = os.system ("rpm -qa |grep -i ypserv")

if ( var1 == 0 ):

os.system ("rpm -e $ypserv")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed NIS server")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("NIS server is not installed")
file.close

#remove TFTP

p = subprocess.Popen ("rpm-qa |grep -i tftp",shell=True)
p.communicate()
var1 = p.returncode

tftp = os.system ("rpm -qa |grep -i tftp")

if ( var1 == 0 ):

os.system ("rpm -e $tftp")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed TFTP server")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("TFTP server is not installed")
file.close


#remove talk

p = subprocess.Popen ("rpm-qa |grep -i talk",shell=True)
p.communicate()
var1 = p.returncode

tlk = os.system ("rpm -qa |grep -i talk")

if ( var1 == 0 ):

os.system ("rpm -e $tlk")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed TALK server")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("TALK server is not installed")
file.close



#remove Davecot

p = subprocess.Popen ("rpm -qa |grep -i davecot",shell=True)
p.communicate()
var1 = p.returncode

devct = os.system ("rpm -qa |grep -i davecot")

if ( var1 == 0 ):

os.system ("rpm -e $devct -nodeps")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed Davecot ")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Davecot is not installed")
file.close

#remove samba

p = subprocess.Popen ("rpm -qa |grep -i samba",shell=True)
p.communicate()
var1 = p.returncode

smb = os.system ("rpm -qa |grep -i samba")

if ( var1 == 0 ):

os.system ("rpm -e $smb -nodeps")
file = open ("/tmp/linuxout.txt","a")
file.write ("removed samba ")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("samba is not installed")
file.close

##########secure network configuration###########

P = subprocess.Popen ("/sbin/sysctl net.ipv4.conf.all.send_redirects |grep 1",shell=True)
p.communicate ()
var1 = p.returncode
if ( var1 != 0):

os.system ("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0")
os.system ("/sbin/sysctl -w net.ipv4.conf.send_redirects=0")
file = open ("/tmp/linuxout.txt","a")
file.write ("Disabling send redirects")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Send redirects configuration is failed")
file.close

#Enable TCP SYN Cookies

P = subprocess.Popen ("/sbin/sysctl net.ipv4.tcp_syncookies |grep 0",shell=True)
p.communicate ()
var1 = p.returncode
if ( var1 != 0):

os.system ("/sbin/sysctl -w net.ipv4.tcp_syncookies=1")
os.system ("/sbin/sysctl -w net.ipv4.route.flush=1")
file = open ("/tmp/linuxout.txt","a")
file.write ("Enabled TCP SYN cookies")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Enabling TCP SYN cookies is failed")
file.close

#Disable IPv6

p = subprocess.Popen ("grep ipv6 /etc/modprobe.conf",shell=True)
p.communicate ()
var1 = p.returncode
if (var1 != 0):

os.system ("echo options ipv6 "disable=1" >> /etc/modprobe.conf")
file = open ("/tmp/linuxout.txt","a")
file.write ("Disabled ipv6")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("ipv6 is not enabled")
file.close

#Secure Logging and Auditing functions
#Configure /etc/syslog.conf

os.system ("echo auth,user.* /var/log/messages >> /etc/syslog.conf")
os.system("echo kern.* /var/log/kern.log >> /etc/syslog.conf")
os.system("echo daemon.* /var/log/daemon.log >> /etc/syslog.conf")
os.system ("echo syslog.* /var/log/syslog >> /etc/syslog.conf")
os.system("echo news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log >> /etc/syslog.conf")

p = subprocess.Popen ("pkill -HUP syslogd",shell=True)
p.communicate ()
var1 = p.returncode
if (var1 == 0):
file = open ("/tmp/linuxout.txt","a")
file.write ("syslog is configured succesfully")
file.close
else:
file = open ("/tmp/linuxout.txt","a")
file.write ("syslog configuration is failed")
file.close

#Create and Set Permissions on syslog Log Files

log_files = ['messages', 'kern.log', 'daemon.log', 'syslog']

os.system ("cd /var/log")

for i in log_files:

os.system ("chown -R root:root /var/log/$i")
os.system ("chmod og-rwx /var/log/$i")

file = open ("/tmp/linuxout.txt","a")
file.write ("permissions are set for log files")
file.close

#Enable auditd service

os.system ("chkconfig auditd on")

file = open ("/tmp/linuxout.txt","a")
file.write ("auditd service is enabled")
file.close

#configure auditd storage size

p = subprocess.Popen ("grep max_log_file = 5 /etc/audit/auditd.conf",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):

os.system("sed -i 's/max_log_file = 5/#max_log_file = 5/g' /etc/audit/auditd.conf")
os.system ("echo max_log_file = MB >> /etc/audit/auditd.conf")
file = open ("/tmp/linuxout.txt","a")
file.write ("auditd storage size is configured")
file.close
else:

file = open ("/tmp/linuxout.txt","a")
file.write ("auditd storage size is already configured")
file.close

# Keep All Auditing Information

p = subprocess.Popen ("grep max_log_file_action /etc/audit/auditd.conf",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):
os.system ("echo max_log_file_action = keep_logs >> /etc/audit/auditd.conf")
file = open ("/tmp/linuxout.txt","a")
file.write ("configure auditlog is successful")
file.close
else:

file = open ("/tmp/linuxout.txt","a")
file.write ("configure auditlog is failed")
file.close

#Record Events That Modify Date and Time Information

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):

os.system ("echo -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S clock_settime -k time-change >> /etc/audit/audit.rules")
os.system ("echo -w /etc/localtime -p wa -k time-change >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Date & time configuration details are recorded in audit logs")
file.close

else:

os.system ("echo -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b64 -S clock_settime -k time-change >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S clock_settime -k time-change >> /etc/audit/audit.rules")
os.system ("echo -w /etc/localtime -p wa -k time-change >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Date & time configuration details are recorded in audit logs")
file.close

#record events that modify usr/group information

os.system ("echo -w /etc/group -p wa -k identity >> /etc/audit/audit.rules")
os.system("echo -w /etc/passwd -p wa -k identity >> /etc/audit/audit.rules")
os.system("echo -w /etc/gshadow -p wa -k identity >> /etc/audit/audit.rules")
os.system ("echo -w /etc/shadow -p wa -k identity >> /etc/audit/audit.rules")
os.system ("echo -w /etc/security/opasswd -p wa -k identity >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("User& group modification configuration details are recorded in audit logs")
file.close

#Record Events That Modify the System’s Network Environment

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):

os.system ("echo -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/issue -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/issue.net -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/hosts -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/sysconfig/network -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("network configuration changes are recorded in auditlogs from now onwards")
file.close
else:
os.system ("echo -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/issue -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/issue.net -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/hosts -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("echo -w /etc/sysconfig/network -p wa -k system-locale >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("network configuration changes are recorded in auditlogs from now onwards")
file.close

#Collect Login and Logout Events

p = subprocess.Popen ("grep faillog /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):
os.system ("echo -w /var/log/faillog -p wa -k logins >> /etc/audit/audit.rules")

p = subprocess.Popen ("grep lastlog /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):
os.system ("echo -w /var/log/lastlog -p wa -k logins >> /etc/audit/audit.rules")

p = subprocess.Popen ("grep tallylog /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0)
os.system ("echo -w /var/log/tallylog -p -wa -k logins >> /etc/audit/audit.rules")

p = subprocess.Popen ("grep session /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode
if (var1 != 0):
os.system("echo -w /var/log/btmp -p wa -k session >> /etc/audit/audit.rules")

os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("login and logout events are configured in auditlogs from now onwards")
file.close

#Collect Session Initiation Information

os.system ("echo -w /var/run/utmp -p wa -k session >> /etc/audit/audit.rules")
os.system ("echo -w /var/log/wtmp -p wa -k session >> /etc/audit/audit.rule")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("session initiation info are configured in auditlogs from now onwards")
file.close

#Collect Discretionary Access Control Permission Modification Events

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):
os.system ("echo -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -Slchown -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \ >> /etc/audit/audit.rules")
os.system ("echo lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("ACL modification info are configured in auditlogs from now onwards")
file.close

else:

os.system ("echo -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \ >> /etc/audit/audit.rules")
os.system ("echo lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \ >> /etc/audit/audit.rules")
os.system ("echo lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("ACL modification info are configured in auditlogs from now onwards")
file.close

#Collect Unsuccessful Unauthorized Access Attempts to Files

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):
os.system ("echo -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Collect Unsuccessful Unauthorized Access Attempts to Files is updated ")
file.close

else:

os.system ("echo -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \ >> /etc/audit/audit.rules")
os.system ("echo -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Collect Unsuccessful Unauthorized Access Attempts to Files is updated ")
file.close

#Collect Successful File System Mounts

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):

os.system ("echo -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect Successful File System Mounts is configured in audit rules")
file.close

else:

os.system ("echo -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect Successful File System Mounts is configured in audit rules")
file.close

#Collect File Deletion Events by User

os_arch = os.system ("getconf LONG_BIT")

if (os_arch == 32):

os.system ("echo -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k delete >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect File Deletion Events by User is configured in audit rules")
file.close

else:

os.system ("echo -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k delete >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \ >> /etc/audit/audit.rules")
os.system ("echo -F auid!=4294967295 -k delete")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect File Deletion Events by User is configured in audit rules")
file.close

#Collect Changes to System Administration Scope (sudoers)

p = subprocess.Popen ("grep sudoers /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):

os.system ("echo -w /etc/sudoers -p wa -k scope >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect Changes to System Administration Scope (sudoers) is configured in audit rules")
file.close
else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect Changes to System Administration Scope (sudoers) is already configured in audit rules")
file.close

#Collect System Administrator Actions

p = subprocess.Popen ("grep sudo.log /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):

os.system ("echo -w /var/log/sudo.log -p wa -k actions >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect  System Administration actions configured in audit rules")
file.close
else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect  System Administration actions already configured in audit rules")
file.close

#Collect Kernel Module Loading and Unloading

p = subprocess.Popen ("grep modules /etc/audit/audit.rules",shell=True)
p.communicate ()
var1 = p.returncode

if (var1 != 0):

os.system ("echo -w /sbin/insmod -p x -k modules >> /etc/audit/audit.rules")
os.system ("echo -w /sbin/rmmod -p x -k modules >> /etc/audit/audit.rules")
os.system ("echo -w /sbin/modprobe -p x -k modules >> /etc/audit/audit.rules")
os.system ("echo -a always,exit -S init_module -S delete_module -k modules >> /etc/audit/audit.rules")
os.system ("pkill -HUP auditd")
file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect  kernel module loading and unloading is configured in audit rules")
file.close

else:

file = open ("/tmp/linuxout.txt","a")
file.write ("Configuration to Collect  kernel module loading and unloading is already configured in audit rules")
file.close


# Configure logrotate

p = subprocess.Popen ("ls -l /etc/logrotate.d/syslog",shell=True)
p.communicate()
var1 = p.returncode

if (var1 != 0):

os.system ("echo /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {daily compress } >> /etc/logrotate.d/syslogd")
file = open ("/tmp/linuxout.txt","a")
file.write ("logrotate is configured succesfully ")
file.close

else:

   file = open ("/tmp/linuxout.txt","a")
file.write ("logrotate is already configured ")
file.close

####Secure System Access, Authentication & Authorization#######

#enable cron in startup

 os.system ("chkconfig cron on")
 file = open ("/tmp/linuxout.txt","a")
 file.write ("enabled cron in startup ")
 file.close

 #set owner and group permission for cron.hourly,cron.daily,cron.monthly

os.system ("chown root:root /etc/cron.hourly")
os.system ("chmod og-rwx /etc/cron.hourly")
os.system ("chown root:root /etc/cron.daily")
os.system ("chmod og-rwx /etc/cron.daily")
os.system ("chown root:root /etc/cron.monthly")
os.system ("chmod og-rwx /etc/cron.monthly")
file = open ("/tmp/linuxout.txt","a")
file.write ("owner and group permission for cron.hourly and cron.daily,cron.monthly is configured")
file.close

#Set User/Group Owner and Permission on /etc/cron.d

os.system ("chown root:root /etc/cron.d")
os.system ("chmod og-rwx /etc/cron.d")
p = subprocess.Popen ("stat -c "%a %u %g" /etc/cron.d | egrep ".00 0 0",shell=True)
p.communicate()
var1 = p.returncode

if (var1 == 0):
file = open ("/tmp/linuxout.txt","a")
file.write (" User/Group Owner and Permission on /etc/cron.d is configured succesfully")
file.close
else:

file = open ("/tmp/linuxout.txt","a")
file.write (" User/Group Owner and Permission on /etc/cron.d is failed")
file.close

#Set SSH Protocol to 2

# read the server config (sshd_config), which is also the file that gets edited below
ssh_prot = subprocess.check_output("grep '^Protocol' /etc/ssh/sshd_config | awk '{print $2}'",
                                   shell=True, universal_newlines=True).strip()
if ssh_prot == "2":
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh protocol is already set to 2\n")
else:
    # rewrite the active or commented-out line (the stock file ships '#Protocol 2,1'),
    # and append the directive if the file has no Protocol line at all
    os.system("sed -i 's/^#\\?Protocol.*/Protocol 2/' /etc/ssh/sshd_config")
    os.system("grep -q '^Protocol 2' /etc/ssh/sshd_config || echo 'Protocol 2' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh protocol is successfully changed from 2,1 to 2\n")

#Set LogLevel to VERBOSE

ssh_log = subprocess.check_output("grep '^LogLevel' /etc/ssh/sshd_config | awk '{print $2}'",
                                  shell=True, universal_newlines=True).strip()

if ssh_log.upper() == "VERBOSE":
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh log level is already VERBOSE\n")
else:
    # handle both 'LogLevel INFO' and the commented default '#LogLevel INFO'
    os.system("sed -i 's/^#\\?LogLevel.*/LogLevel VERBOSE/' /etc/ssh/sshd_config")
    os.system("grep -q '^LogLevel VERBOSE' /etc/ssh/sshd_config || echo 'LogLevel VERBOSE' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh log level successfully changed from INFO to VERBOSE\n")

#Set Permissions on /etc/sshd_config

os.system("chown root:root /etc/ssh/sshd_config")
# 600: only root needs to read the server config, and the check below expects mode x00
os.system("chmod 600 /etc/ssh/sshd_config")
p = subprocess.Popen("stat -c '%a %u %g' /etc/ssh/sshd_config | egrep -q '.00 0 0'", shell=True)
p.communicate()
var1 = p.returncode
if var1 == 0:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("sshd_config ownership and permissions changed successfully\n")
else:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("sshd_config ownership and permission change has failed\n")

#Set SSH MaxAuthTries to 5 or Less

ssh_tries = subprocess.check_output("grep '^MaxAuthTries' /etc/ssh/sshd_config | awk '{print $2}'",
                                    shell=True, universal_newlines=True).strip()

if ssh_tries.isdigit() and int(ssh_tries) <= 5:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh MaxAuthTries is already 5 or less\n")
else:
    # covers the commented default '#MaxAuthTries 6' as well as a higher explicit value
    os.system("sed -i 's/^#\\?MaxAuthTries.*/MaxAuthTries 5/' /etc/ssh/sshd_config")
    os.system("grep -q '^MaxAuthTries 5' /etc/ssh/sshd_config || echo 'MaxAuthTries 5' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh MaxAuthTries is changed to 5\n")

#Disable hostbased authentication in sshd



ssh_host = subprocess.check_output("grep '^HostbasedAuthentication' /etc/ssh/sshd_config | awk '{print $2}'",
                                   shell=True, universal_newlines=True).strip()
if ssh_host.lower() == "no":
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh hostbased authentication is already disabled\n")
else:
    # uncomment the default '#HostbasedAuthentication no' or overwrite an explicit 'yes'
    os.system("sed -i 's/^#\\?HostbasedAuthentication.*/HostbasedAuthentication no/' /etc/ssh/sshd_config")
    os.system("grep -q '^HostbasedAuthentication no' /etc/ssh/sshd_config || echo 'HostbasedAuthentication no' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh hostbased authentication is disabled successfully\n")

###########Adding alternate user in the system#############

import crypt, getpass, pwd, random, string

username = raw_input("Please enter username:")
password = getpass.getpass("Please enter password:")
try:
    pwd.getpwnam(username)
except KeyError:
    # useradd -p expects an already hashed password, so hash it with a random SHA-512 crypt salt
    salt = "$6$" + "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))
    subprocess.call(["useradd", "-m", "-p", crypt.crypt(password, salt), username])
else:
    print("User %s already exists" % username)

#Disable SSH Root Login

ssh_root = subprocess.check_output("grep '^PermitRootLogin' /etc/ssh/sshd_config | awk '{print $2}'",
                                   shell=True, universal_newlines=True).strip()
if ssh_root.lower() == "no":
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh root login is already disabled\n")
else:
    # a commented '#PermitRootLogin yes' still means root login is allowed, so rewrite both forms
    os.system("sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config")
    os.system("grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("ssh root login is disabled successfully\n")

#Use Only Approved Ciphers

# sshd honours the first Ciphers line it finds, so only append when none is present yet
if os.system("grep -q '^Ciphers' /etc/ssh/sshd_config") != 0:
    os.system("echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("approved ciphers are configured successfully\n")
else:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("a Ciphers line is already present in sshd_config, review it manually\n")
#configure the banner

# written rather than appended, so a re-run does not duplicate the notice
with open("/etc/issue", "w") as issue:
    issue.write("""************************************************************NOTICE*** SECURITY POLICY****************************************************************
WARNING! This is a secure computer system and may be accessed only by authorized users. These computer systems are provided for business purposes and must be used in an ethical, lawful manner. All data contained here is owned by company authority, and may be monitored, examined, intercepted, blocked, deleted, captured and disclosed in any manner by authorized personnel. Individuals or groups using this system in excess of their authorization will have all access terminated. Unauthorized use or misuse of this system is strictly prohibited and may be subject to disciplinary action.
**************************************************************NOTICE*** SECURITY POLICY******************************************************
""")

p = subprocess.Popen("grep -q '^Banner /etc/issue' /etc/ssh/sshd_config", shell=True)
p.communicate()
var1 = p.returncode
if var1 != 0:
    # comment out any other active Banner line, then point sshd at /etc/issue
    os.system("sed -i 's/^Banner/#Banner/' /etc/ssh/sshd_config")
    os.system("echo 'Banner /etc/issue' >> /etc/ssh/sshd_config")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("banner is configured successfully\n")

else:

    with open("/tmp/linuxout.txt", "a") as out:
        out.write("banner is already configured\n")

###Configure PAM

p = subprocess.Popen("grep -q '^password.*pam_cracklib.so' /etc/pam.d/system-auth", shell=True)
p.communicate()
var1 = p.returncode
if var1 == 0:
    # PAM module options are separated by spaces, not commas
    os.system("sed -i 's/^password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/' /etc/pam.d/system-auth")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("PAM is configured successfully\n")
##Set Strong Password Creation Policy Using pam_passwdqc

p = subprocess.Popen("grep -q '^password.*pam_passwdqc.so' /etc/pam.d/system-auth", shell=True)
p.communicate()
var1 = p.returncode
if var1 == 0:
    os.system("sed -i 's/^password.*requisite.*pam_passwdqc.so.*/password    requisite     pam_passwdqc.so min=disabled,disabled,16,12,8/' /etc/pam.d/system-auth")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Strong password policy is configured successfully in PAM\n")

###Upgrade Password Hashing Algorithm to SHA-512

p = subprocess.Popen("authconfig --test | grep hashing | grep -q sha512", shell=True)
p.communicate()
var1 = p.returncode
if var1 == 0:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Password hashing algorithm sha512 is already enabled on this system\n")
else:
    os.system("authconfig --passalgo=sha512 --update")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Password hashing algorithm changed to sha512\n")

###Limit Password Reuse

p = subprocess.Popen("grep -q '^password.*pam_unix.so.*remember=' /etc/pam.d/system-auth", shell=True)
p.communicate()
var1 = p.returncode
if var1 != 0:
    # append remember=3 to the pam_unix password line, whatever its other options are
    os.system("sed -i '/^password.*pam_unix.so/ s/$/ remember=3/' /etc/pam.d/system-auth")
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Password reuse limit (remember=3) is configured in the system\n")
###Set Password Expiration Days

os.system("sed -i 's/^PASS_MAX_DAYS/#PASS_MAX_DAYS/' /etc/login.defs")
os.system("echo 'PASS_MAX_DAYS 90' >> /etc/login.defs")
# login.defs only affects new accounts; apply the same value to the existing admin account
os.system("chage --maxdays 90 omadmin")
with open("/tmp/linuxout.txt", "a") as out:
    out.write("Password expiration is configured as 90 days in the system\n")

###Set Password Change Minimum Number of Days

os.system("sed -i 's/^PASS_MIN_DAYS/#PASS_MIN_DAYS/' /etc/login.defs")
os.system("echo 'PASS_MIN_DAYS 7' >> /etc/login.defs")
os.system("chage --mindays 7 omadmin")
with open("/tmp/linuxout.txt", "a") as out:
    out.write("Password change minimum number of days is configured as 7 in the system\n")

###Set Default Group Account (root)

os.system("usermod -g 0 root")
# anchor on '^root:' so other accounts whose name contains 'root' are not matched
dfpass = subprocess.check_output("grep '^root:' /etc/passwd | cut -d: -f4",
                                 shell=True, universal_newlines=True).strip()
if dfpass == "0":
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Default group account is configured for root\n")
else:
    with open("/tmp/linuxout.txt", "a") as out:
        out.write("Default group for root could not be set to gid 0\n")
###Set Warning Banner for Standard Login Services

p = subprocess.Popen("grep -q 'computer system' /etc/motd", shell=True)
p.communicate()
var1 = p.returncode
if var1 != 0:
    os.system("echo 'This is a secure computer system. Authorized users only. All activity may be monitored and reported.' >> /etc/motd")
os.system("chown root:root /etc/motd")
os.system("chown root:root /etc/issue")
os.system("chmod 644 /etc/motd")
os.system("chmod 644 /etc/issue")
with open("/tmp/linuxout.txt", "a") as out:
    out.write("Warning banner is configured\n")
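Added example, not part of the original script: a check that reads sshd_config the way sshd does instead of grepping for exact strings, so it catches what the one-line greps above miss, such as a directive that is still commented out, a keyword in a different case, or an earlier Ciphers line that silently overrides the one appended at the end of the file. The sample config is constructed, and the check names are the sshd items the script sets.

```python
APPROVED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}  # the set the script appends


def parse_sshd_config(text):
    """Read sshd_config like sshd: keywords are case-insensitive, '#' lines are
    skipped, and the FIRST occurrence of a keyword wins (later duplicates are ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return {check name: True/False} for the sshd items the hardening script sets.
    A missing directive counts as a failure, since the audit looks for an explicit line."""
    cfg = parse_sshd_config(text)
    tries = cfg.get("maxauthtries", "")
    ciphers = set(cfg.get("ciphers", "").split(","))
    return {
        "Protocol 2": cfg.get("protocol") == "2",
        "LogLevel VERBOSE": cfg.get("loglevel", "").upper() == "VERBOSE",
        "MaxAuthTries <= 5": tries.isdigit() and int(tries) <= 5,
        "HostbasedAuthentication no": cfg.get("hostbasedauthentication", "").lower() == "no",
        "PermitRootLogin no": cfg.get("permitrootlogin", "").lower() == "no",
        "Approved ciphers only": ciphers <= APPROVED_CIPHERS,
        "Banner /etc/issue": cfg.get("banner") == "/etc/issue",
    }


# Constructed sample (not from a real host): sshd_config after the script appended its
# Ciphers line, but with an older Ciphers line and commented-out defaults still above it.
SAMPLE_SSHD_CONFIG = """\
#Protocol 2,1
LogLevel VERBOSE
MaxAuthTries 5
#PermitRootLogin yes
Ciphers aes128-cbc,aes128-ctr
HostbasedAuthentication no
Banner /etc/issue
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""

if __name__ == "__main__":
    for item, ok in sorted(audit_sshd_config(SAMPLE_SSHD_CONFIG).items()):
        print("%-28s %s" % (item, "OK" if ok else "FAIL"))
```

On the sample, Protocol, PermitRootLogin and the ciphers report FAIL because the commented lines and the first Ciphers line are what sshd actually uses.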