Monday, November 2, 2015

Linux system hardening using Python 2.6

 
Here I am providing a script to perform Linux system hardening using Python 2.6. Most of the commands used in this script are shell commands, wrapped in Python subprocess calls.

########################################################################
#!/usr/bin/python

import getpass
import os
import pwd
import shutil
import subprocess


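# Services that must be enabled at boot.
# NOTE(review): acpid, anacron and atd also appear in inactive_services below,
# so they are enabled here and disabled again a few lines later; resolve per
# site policy.
active_services = ['autofs', 'auditd', 'crond', 'iscsi', 'iscsid', 'netfs', 'nfs',
                   'nfslock', 'ntpd', 'restorecond', 'snmpd', 'sshd', 'syslog',
                   'sysstat', 'acpid', 'anacron', 'atd', 'cpuspeed', 'lvm2-monitor',
                   'messagebus', 'ntpd', 'network',  # comma was missing: 'network' 'syslog' fused into one name
                   'syslog', 'vncserver']

for svc in active_services:
    # The service name has to be interpolated ("chkconfig +i on" was a literal);
    # argv-list form keeps it out of the shell.  chkconfig's own exit status is
    # the result -- the old os.system("echo $?") always returned 0.
    rc = subprocess.call(['chkconfig', svc, 'on'])
    # NOTE(review): a fixed, predictable path under /tmp written by root follows
    # symlinks; a root-owned log under /var/log would be safer.
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('activated %s in the system\n' % svc)
        else:
            log.write('failed to activate %s (chkconfig exit %d)\n' % (svc, rc))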


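# Services that must not start at boot.
inactive_services = ['acpid', 'anacron', 'apmd', 'arptables_jf', 'arpwatch', 'atd',
                     'avahi-dnsconfd', 'bluetooth', 'conman', 'cups', 'cyrus-imapd',
                     'dc_client', 'dc_server', 'firstboot', 'dovecot', 'dund',
                     'haldaemon', 'hidd', 'hplip', 'isdn', 'iptables', 'ip6tables',
                     'winbind', 'wpa_supplicant', 'xfs', 'readahead_early',
                     'readahead_later']

for svc in inactive_services:
    # "chkconfig +j off" was a literal string; the name is now a real argument and
    # chkconfig's exit status (not a separate "echo $?", which is always 0) decides
    # what gets logged.
    rc = subprocess.call(['chkconfig', svc, 'off'])
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('disabled %s in the system\n' % svc)
        else:
            log.write('failed to disable %s (chkconfig exit %d)\n' % (svc, rc))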

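##backing up important files

path = '/linux_bkp'  # was an unquoted path, i.e. a SyntaxError

# 0o700 rather than 0755: the copies include grub.conf and sshd_config, which this
# script locks down to root further on, so the backups must not stay world-readable.
# The directory is reused when it already exists (mkdir would raise otherwise).
if not os.path.isdir(path):
    os.mkdir(path, 0o700)

imp_files = ['/etc/pam.d/system-auth', '/etc/grub.conf', '/etc/inittab',
             '/etc/sysctl.conf', '/etc/sysconfig/init',
             '/etc/sysconfig/prelink',  # was 'etc/sysconfig/prelink' (relative path)
             '/etc/security/limits.conf', '/etc/syslog.conf',
             '/etc/audit/auditd.conf',  # was audit.conf; the rest of the script edits auditd.conf
             '/etc/audit/audit.rules', '/etc/ssh/sshd_config', '/etc/login.defs']

dst = path

for src in imp_files:
    # Not every file exists on every host (prelink may not be installed); skip a
    # missing file instead of letting shutil.copy abort the whole run.
    if not os.path.isfile(src):
        with open('/tmp/linuxout.txt', 'a') as log:
            log.write('important file %s not found, nothing to back up\n' % src)
        continue
    shutil.copy(src, dst)
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('important file %s is backedup in %s\n' % (src, dst))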


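#adding nodev in /dev/shm partition

# grep's exit status is the test (0 = option present).  The original compared
# os.system()'s return value with the *strings* "nodev_chk1"/"nodev_chk2", which
# is never true, so the remount ran unconditionally.  The trailing slash in the
# fstab grep ("/dev/shm/") is dropped -- fstab lists the mount point as /dev/shm.
nodev_in_fstab = subprocess.call(
    "grep -i '/dev/shm' /etc/fstab | grep -qi nodev", shell=True) == 0
nodev_mounted = subprocess.call(
    "mount | grep -i '/dev/shm' | grep -qi nodev", shell=True) == 0

if nodev_mounted:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('nodev is already configured in /dev/shm\n')
else:
    rc = subprocess.call(['mount', '-o', 'remount,nodev,noexec,nosuid', '/dev/shm'])
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('nodev is configured in /dev/shm\n')
        else:
            log.write('remount of /dev/shm with nodev failed (exit %d)\n' % rc)

if not nodev_in_fstab:
    # Only the live mount is changed above; without nodev in the /dev/shm entry of
    # /etc/fstab the option is lost at the next boot.
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('nodev is not set for /dev/shm in /etc/fstab; add it to persist\n')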



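#adding nosuid in /dev/shm

# Same shape as the nodev check above: the live mount decides whether to remount,
# the fstab entry decides whether to warn about persistence.  The original's
# "i in (...)" test compared an int with strings and never matched.
nosuid_in_fstab = subprocess.call(
    "grep -i '/dev/shm' /etc/fstab | grep -qi nosuid", shell=True) == 0
nosuid_mounted = subprocess.call(
    "mount | grep -i '/dev/shm' | grep -qi nosuid", shell=True) == 0

if nosuid_mounted:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('nosuid is already configured in /dev/shm\n')
else:
    rc = subprocess.call(['mount', '-o', 'remount,nodev,noexec,nosuid', '/dev/shm'])
    # The original else-branch called file.close on a never-opened file and
    # logged nothing; record the outcome instead.
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('nosuid is configured in /dev/shm\n')
        else:
            log.write('remount of /dev/shm with nosuid failed (exit %d)\n' % rc)

if not nosuid_in_fstab:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('nosuid is not set for /dev/shm in /etc/fstab; add it to persist\n')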


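#to check aide rpm installed or not

# "rpm -qa | grep -i aide" matches any package whose name merely contains
# "aide"; query the package itself.  stdout goes to /dev/null so rpm's own
# output is not mixed into the console.
with open(os.devnull, 'w') as devnull:
    aide_installed = subprocess.call(['rpm', '-q', 'aide'], stdout=devnull) == 0

if not aide_installed:
    # "--ivh" is not an rpm option; the short form is "-ivh".  As in the original
    # this expects an aide RPM in the current directory; the exit status is now
    # recorded rather than ignored.
    rc = subprocess.call('rpm -ivh aide*', shell=True)
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('aide is installed\n')
        else:
            log.write('aide installation failed (rpm exit %d)\n' % rc)
else:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('aide is already installed \n')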

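#periodic execution of the file integrity

crontab_has_aide = subprocess.call(
    'crontab -l 2>/dev/null | grep -qi aide', shell=True) == 0

if not crontab_has_aide:
    # Feed the existing crontab plus the new entry straight back into crontab;
    # the original left a "mycron" file in the cwd and its echo had broken
    # quoting.  "--check" is aide's long option ("-check" is parsed as "-c heck",
    # i.e. a bogus config file).
    # NOTE(review): aide needs an initialised database (aide --init) before
    # --check reports anything useful; that step is not performed here.
    rc = subprocess.call(
        '(crontab -l 2>/dev/null; echo "0 1 * * * /usr/sbin/aide --check") | crontab -',
        shell=True)
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('Periodic execution of the file integrity is configured\n')
        else:
            log.write('configuring the aide cron entry failed (exit %d)\n' % rc)
else:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Periodic execution of the file integrity is already available\n')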

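#Set user and group owner for grub.conf

# "chown:root:root/etc/grub.conf" was one unknown command and silently did
# nothing.  Ownership and mode are set natively so a missing file is reported.
# /etc/grub.conf is usually a symlink into /boot/grub; chown/chmod follow it.
grub_conf = '/etc/grub.conf'
try:
    os.chown(grub_conf, 0, 0)
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('user and group ownership is set for /etc/grub.conf\n')

    #Set permission on /etc/groub.conf
    # "og-rwx": clear the group/other bits, keep owner and special bits.
    os.chmod(grub_conf, os.stat(grub_conf).st_mode & 0o7700)
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('permission is setted for /etc/grub.conf\n')
except OSError as err:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('could not set ownership/permission on /etc/grub.conf: %s\n' % err)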

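#set authentication for single user mode

inittab = '/etc/inittab'

if subprocess.call(['grep', '-qi', 'sulogin', inittab]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('authentication is already configured for single user mode\n')
else:
    # Written from Python instead of "echo ~:S:... >> file" so the leading "~"
    # is not exposed to shell tilde expansion.
    with open(inittab, 'a') as fh:
        fh.write('~:S:wait:/sbin/sulogin\n')
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('authentication is configured for single user mode\n')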


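#Disable interactive boot

init_conf = '/etc/sysconfig/init'

# Anchor at line start so a commented-out "#PROMPT=no" does not count, and act
# when the setting is ABSENT: the original ran sed when grep already found
# PROMPT=no and reported "already disabled" when it did not.
if subprocess.call(['grep', '-q', '^PROMPT=no', init_conf]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Interactive boot is already disabled\n')
else:
    subprocess.call(['sed', '-i', 's/^PROMPT=yes/PROMPT=no/', init_conf])
    # A file with no PROMPT= line at all gets one appended.
    if subprocess.call(['grep', '-q', '^PROMPT=', init_conf]) != 0:
        with open(init_conf, 'a') as fh:
            fh.write('PROMPT=no\n')
    done = subprocess.call(['grep', '-q', '^PROMPT=no', init_conf]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('Disabling interactive boot\n')
        else:
            log.write('Disabling interactive boot failed\n')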

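#Restrict Core Dumps

limits_conf = '/etc/security/limits.conf'
sysctl_conf = '/etc/sysctl.conf'

# The two settings are checked and written independently, so a host that
# already has one of them does not get a duplicate of the other.  "-F" treats
# the "*" literally.  The original grep lacked the space before the filename,
# and the sysctl key is fs.suid_dumpable (not "fs.suid.dumpable").
has_limit = subprocess.call(['grep', '-qF', '* hard core 0', limits_conf]) == 0
has_sysctl = subprocess.call(['grep', '-qF', 'fs.suid_dumpable = 0', sysctl_conf]) == 0

if has_limit and has_sysctl:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('core dump is already restricted in this server, no action required\n')
else:
    if not has_limit:
        # Appended from Python: "echo * hard core 0" let the shell expand "*"
        # into the file names of the current directory.
        with open(limits_conf, 'a') as fh:
            fh.write('* hard core 0\n')
    if not has_sysctl:
        with open(sysctl_conf, 'a') as fh:
            fh.write('fs.suid_dumpable = 0\n')
        # /etc/sysctl.conf is only read at boot; apply the value now as well.
        subprocess.call(['/sbin/sysctl', '-w', 'fs.suid_dumpable=0'])
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('core dump is restricted in this server\n')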

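# Configure ExecShield

sysctl_conf = '/etc/sysctl.conf'

if subprocess.call(['grep', '-qF', 'kernel.exec-shield = 1', sysctl_conf]) != 0:
    with open(sysctl_conf, 'a') as fh:
        fh.write('kernel.exec-shield = 1\n')
    # The file is only read at boot; apply the setting to the running kernel too.
    rc = subprocess.call(['/sbin/sysctl', '-w', 'kernel.exec-shield=1'])
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('execShild is configured \n')
        else:
            log.write('execShild is written to /etc/sysctl.conf but sysctl -w failed (exit %d)\n' % rc)
else:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('execShild is configured already \n')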


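#Disable Prelink

prelink_conf = '/etc/sysconfig/prelink'

if not os.path.exists(prelink_conf):
    # sed -i on a missing file just errors; prelink is simply not installed.
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('prelink is not installed, nothing to disable\n')
elif subprocess.call(['grep', '-q', '^PRELINKING=no', prelink_conf]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('prelink is already disabled\n')
else:
    # NOTE(review): this only stops future prelinking; binaries that are already
    # prelinked stay that way until "prelink -ua" is run, which is not done here.
    rc = subprocess.call(['sed', '-i', 's/^PRELINKING=yes/PRELINKING=no/', prelink_conf])
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('prelink is disabled successfully \n')
        else:
            log.write('disabling prelink failed (sed exit %d)\n' % rc)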


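#Remove telnet server, RSH server, NIS client and server, TFTP, talk, Dovecot and Samba
#
# One loop replaces seven near-identical sections.  Fixes folded in:
#   - "rpm-qa" (missing space) and "rpm -e $var" with a shell variable that was
#     never set meant nothing was ever removed; rpm is now queried and erased
#     by exact package name, in argv-list form.
#   - "grep -i tftp" / "grep -i talk" also matched the client packages.
#   - "davecot" is the dovecot package (it is named correctly in imp_files).
#   - "-nodeps" is not an rpm option; the intended long option is "--nodeps".
unwanted_packages = [
    # (rpm name, label used in the log, pass --nodeps)
    ('telnet-server', 'telnet server', False),
    ('rsh-server', 'rsh server', False),
    ('ypbind', 'NIS client', False),
    ('ypserv', 'NIS server', False),
    ('tftp-server', 'TFTP server', False),
    ('talk-server', 'TALK server', False),
    ('dovecot', 'Davecot', True),
    ('samba', 'samba', True),
]

with open(os.devnull, 'w') as devnull:
    for pkg, label, nodeps in unwanted_packages:
        installed = subprocess.call(['rpm', '-q', pkg], stdout=devnull) == 0
        if not installed:
            with open('/tmp/linuxout.txt', 'a') as log:
                log.write('%s is not installed\n' % label)
            continue
        argv = ['rpm', '-e', pkg]
        if nodeps:
            # Mirrors the original intent for dovecot and samba; note that
            # --nodeps erases the package even when other packages depend on it.
            argv.append('--nodeps')
        rc = subprocess.call(argv)
        with open('/tmp/linuxout.txt', 'a') as log:
            if rc == 0:
                log.write('removed %s\n' % label)
            else:
                log.write('removing %s failed (rpm exit %d)\n' % (label, rc))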

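##########secure network configuration###########

# The original assigned "P" but polled "p" (the previous process), and its test
# was inverted: grep finding "1" means redirects are ON and must be disabled.
# "net.ipv4.conf.send_redirects" is not a valid key; the per-interface default
# is net.ipv4.conf.default.send_redirects.
sysctl_proc = subprocess.Popen(
    ['/sbin/sysctl', '-n', 'net.ipv4.conf.all.send_redirects'],
    stdout=subprocess.PIPE)
send_redirects = sysctl_proc.communicate()[0].strip()

if send_redirects == '0':
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Send redirects are already disabled\n')
else:
    rc = subprocess.call(['/sbin/sysctl', '-w', 'net.ipv4.conf.all.send_redirects=0'])
    rc |= subprocess.call(['/sbin/sysctl', '-w', 'net.ipv4.conf.default.send_redirects=0'])
    # sysctl -w does not survive a reboot; persist the values as well.
    for key in ('net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.default.send_redirects'):
        if subprocess.call(['grep', '-q', '^%s' % key, '/etc/sysctl.conf']) != 0:
            with open('/etc/sysctl.conf', 'a') as fh:
                fh.write('%s = 0\n' % key)
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('Disabling send redirects\n')
        else:
            log.write('Send redirects configuration is failed\n')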

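#Enable TCP SYN Cookies

# Same two defects as the send_redirects section: "P" vs "p", and an inverted
# test (grep finding "0" means SYN cookies are OFF).  Read the value directly.
sysctl_proc = subprocess.Popen(
    ['/sbin/sysctl', '-n', 'net.ipv4.tcp_syncookies'], stdout=subprocess.PIPE)
syncookies = sysctl_proc.communicate()[0].strip()

if syncookies == '1':
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('TCP SYN cookies are already enabled\n')
else:
    rc = subprocess.call(['/sbin/sysctl', '-w', 'net.ipv4.tcp_syncookies=1'])
    rc |= subprocess.call(['/sbin/sysctl', '-w', 'net.ipv4.route.flush=1'])
    # Persist across reboots; sysctl -w only touches the running kernel.
    if subprocess.call(['grep', '-q', '^net.ipv4.tcp_syncookies', '/etc/sysctl.conf']) != 0:
        with open('/etc/sysctl.conf', 'a') as fh:
            fh.write('net.ipv4.tcp_syncookies = 1\n')
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('Enabled TCP SYN cookies\n')
        else:
            log.write('Enabling TCP SYN cookies is failed\n')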

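#Disable IPv6

modprobe_conf = '/etc/modprobe.conf'

# Look for the exact directive rather than any line mentioning ipv6, and write
# it from Python: the original's echo had unbalanced quotes and was a
# SyntaxError.
if subprocess.call(['grep', '-q', '^options ipv6 disable=1', modprobe_conf]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ipv6 is not enabled\n')
else:
    with open(modprobe_conf, 'a') as fh:
        fh.write('options ipv6 disable=1\n')
    # Takes effect when the ipv6 module is next loaded (normally at reboot).
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Disabled ipv6\n')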

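#Secure Logging and Auditing functions
#Configure /etc/syslog.conf

syslog_conf = '/etc/syslog.conf'

# Selector and action are separated by a tab, the form classic syslogd expects.
# Each rule is appended only if an equivalent one is not already present; the
# original appended all five lines on every run.
syslog_rules = [
    'auth,user.*\t/var/log/messages',
    'kern.*\t/var/log/kern.log',
    'daemon.*\t/var/log/daemon.log',
    'syslog.*\t/var/log/syslog',
    'news,uucp,local0,local1,local2,local3,local4,local5,local6.*\t/var/log/unused.log',
]

existing_rules = set()
if os.path.exists(syslog_conf):
    with open(syslog_conf) as fh:
        existing_rules = set(tuple(line.split()) for line in fh)

with open(syslog_conf, 'a') as fh:
    for rule in syslog_rules:
        if tuple(rule.split()) not in existing_rules:
            fh.write(rule + '\n')

# syslogd re-reads its configuration on SIGHUP.
rc = subprocess.call(['pkill', '-HUP', 'syslogd'])
with open('/tmp/linuxout.txt', 'a') as log:
    if rc == 0:
        log.write('syslog is configured succesfully\n')
    else:
        log.write('syslog configuration is failed\n')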

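#Create and Set Permissions on syslog Log Files

log_files = ['messages', 'kern.log', 'daemon.log', 'syslog']

# Done natively.  os.system() does not expand "$i", so the original actually ran
# "chown -R root:root /var/log/" and "chmod og-rwx /var/log/" against the whole
# directory tree, and "cd /var/log" in its own shell had no effect.
for name in log_files:
    log_path = os.path.join('/var/log', name)
    # Create the file if it does not exist yet (syslog only creates it on first use).
    with open(log_path, 'a'):
        pass
    os.chown(log_path, 0, 0)
    # "og-rwx": strip group/other bits, keep owner bits.
    os.chmod(log_path, os.stat(log_path).st_mode & 0o7700)

with open('/tmp/linuxout.txt', 'a') as log:
    log.write('permissions are set for log files\n')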

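#Enable auditd service

# Log the real outcome instead of an unconditional success message.
rc = subprocess.call(['chkconfig', 'auditd', 'on'])

with open('/tmp/linuxout.txt', 'a') as log:
    if rc == 0:
        log.write('auditd service is enabled\n')
    else:
        log.write('enabling auditd service failed (chkconfig exit %d)\n' % rc)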

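#configure auditd storage size

# PLACEHOLDER: set to the site-policy value.  The original appended the literal
# text "max_log_file = MB"; the shipped default in auditd.conf is 5.
AUDIT_MAX_LOG_FILE_MB = 5

auditd_conf = '/etc/audit/auditd.conf'
wanted = 'max_log_file = %d' % AUDIT_MAX_LOG_FILE_MB

# The original grep received "=" and "5" as extra file names, and its branches
# were inverted.  Replace the existing directive in place instead of commenting
# it out and appending a second one.
if subprocess.call(['grep', '-q', '^%s$' % wanted, auditd_conf]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('auditd storage size is already configured\n')
else:
    rc = subprocess.call(['sed', '-i', 's/^max_log_file = .*/%s/' % wanted, auditd_conf])
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('auditd storage size is configured\n')
        else:
            log.write('configuring auditd storage size failed (sed exit %d)\n' % rc)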

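# Keep All Auditing Information

auditd_conf = '/etc/audit/auditd.conf'

# auditd.conf ships with a max_log_file_action line already (ROTATE), so the
# original "grep max_log_file_action" always matched and the section always
# reported failure.  Test for the wanted value and rewrite the existing line.
if subprocess.call(['grep', '-q', '^max_log_file_action = keep_logs', auditd_conf]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('auditlog retention is already configured\n')
else:
    subprocess.call(['sed', '-i',
                     's/^max_log_file_action = .*/max_log_file_action = keep_logs/',
                     auditd_conf])
    if subprocess.call(['grep', '-q', '^max_log_file_action', auditd_conf]) != 0:
        with open(auditd_conf, 'a') as fh:
            fh.write('max_log_file_action = keep_logs\n')
    done = subprocess.call(['grep', '-q', '^max_log_file_action = keep_logs', auditd_conf]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('configure auditlog is successful\n')
        else:
            log.write('configure auditlog is failed\n')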

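#Record Events That Modify Date and Time Information

# getconf's OUTPUT is the word size; os.system() only returned its exit status
# (0), so the 32-bit branch was unreachable.
arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

if os_arch == '32':
    time_rules = [
        '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
        '-a always,exit -F arch=b32 -S clock_settime -k time-change',
        '-w /etc/localtime -p wa -k time-change',
    ]
else:
    time_rules = [
        '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
        '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
        '-a always,exit -F arch=b64 -S clock_settime -k time-change',
        '-a always,exit -F arch=b32 -S clock_settime -k time-change',
        '-w /etc/localtime -p wa -k time-change',
    ]

# Rules are written from Python, and only when not already present, so re-runs
# do not accumulate duplicates.
rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in time_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP makes auditd re-read auditd.conf; audit.rules is loaded
# by the init script at (re)start, so a service restart or "auditctl -R" is
# presumably needed before these rules are active -- confirm on the target.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('Date & time configuration details are recorded in audit logs\n')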

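#record events that modify usr/group information

identity_rules = [
    '-w /etc/group -p wa -k identity',
    '-w /etc/passwd -p wa -k identity',
    '-w /etc/gshadow -p wa -k identity',
    '-w /etc/shadow -p wa -k identity',
    '-w /etc/security/opasswd -p wa -k identity',
]

# Append each watch only once; the original re-appended all five on every run.
rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in identity_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf, not audit.rules -- a restart or
# "auditctl -R" is presumably needed for the watches to become active.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('User& group modification configuration details are recorded in audit logs\n')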

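#Record Events That Modify the System's Network Environment

# Read getconf's output; os.system() only gave its exit status, so "== 32" was
# never true and the 64-bit rule set was written on every host.
arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

locale_watches = [
    '-w /etc/issue -p wa -k system-locale',
    '-w /etc/issue.net -p wa -k system-locale',
    '-w /etc/hosts -p wa -k system-locale',
    '-w /etc/sysconfig/network -p wa -k system-locale',
]
if os_arch == '32':
    locale_rules = [
        '-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale',
    ] + locale_watches
else:
    locale_rules = [
        '-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale',
        '-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale',
    ] + locale_watches

# Idempotent append: only rules the file does not already contain are written.
rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in locale_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('network configuration changes are recorded in auditlogs from now onwards\n')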

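#Collect Login and Logout Events

# One presence check per rule replaces the four grep/echo pairs.  Fixes: the
# tallylog "if" was missing its colon (SyntaxError) and its watch had "-p -wa"
# instead of "-p wa".
login_rules = [
    '-w /var/log/faillog -p wa -k logins',
    '-w /var/log/lastlog -p wa -k logins',
    '-w /var/log/tallylog -p wa -k logins',
    '-w /var/log/btmp -p wa -k session',
]

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in login_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('login and logout events are configured in auditlogs from now onwards\n')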

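#Collect Session Initiation Information

# The wtmp watch was written to "/etc/audit/audit.rule" (typo) and both lines
# were re-appended on every run.
session_rules = [
    '-w /var/run/utmp -p wa -k session',
    '-w /var/log/wtmp -p wa -k session',
]

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in session_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('session initiation info are configured in auditlogs from now onwards\n')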

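#Collect Discretionary Access Control Permission Modification Events

arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

# Each rule is one complete line.  In the original every rule was split across
# two "echo ... \ >> file" commands (two invalid half-lines), "auid>=500" was
# parsed by the shell as a redirection into a file named "=500", and the 32-bit
# chown rule had "-Slchown".
if os_arch == '32':
    arches = ['b32']
else:
    arches = ['b64', 'b32']

perm_mod_rules = []
for arch in arches:
    perm_mod_rules.extend([
        '-a always,exit -F arch=%s -S chmod -S fchmod -S fchmodat '
        '-F auid>=500 -F auid!=4294967295 -k perm_mod' % arch,
        '-a always,exit -F arch=%s -S chown -S fchown -S fchownat -S lchown '
        '-F auid>=500 -F auid!=4294967295 -k perm_mod' % arch,
        '-a always,exit -F arch=%s -S setxattr -S lsetxattr -S fsetxattr -S removexattr '
        '-S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' % arch,
    ])

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in perm_mod_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('ACL modification info are configured in auditlogs from now onwards\n')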

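#Collect Unsuccessful Unauthorized Access Attempts to Files

arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

# Whole rules written from Python: the shell form split each rule over two
# echo commands and treated "auid>=500" as a redirection.
if os_arch == '32':
    arches = ['b32']
else:
    arches = ['b64', 'b32']

access_rules = []
for arch in arches:
    for errno_name in ('EACCES', 'EPERM'):
        access_rules.append(
            '-a always,exit -F arch=%s -S creat -S open -S openat -S truncate -S ftruncate '
            '-F exit=-%s -F auid>=500 -F auid!=4294967295 -k access' % (arch, errno_name))

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in access_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('Collect Unsuccessful Unauthorized Access Attempts to Files is updated \n')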

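#Collect Successful File System Mounts

arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

# As in the original, 32-bit hosts get a b32 rule and everything else a b64 one;
# the rule is written from Python so "auid>=500" is not a shell redirection.
if os_arch == '32':
    mount_rule = '-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts'
else:
    mount_rule = '-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts'

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
if mount_rule not in existing:
    with open(rules_path, 'a') as fh:
        fh.write(mount_rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('Configuration to Collect Successful File System Mounts is configured in audit rules\n')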

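#Collect File Deletion Events by User

arch_proc = subprocess.Popen(['getconf', 'LONG_BIT'], stdout=subprocess.PIPE)
os_arch = arch_proc.communicate()[0].strip()

# Complete rules, one per line.  Besides the split-echo and "auid>=500"
# redirection problems, the original's last 64-bit echo had no ">> file" and
# printed to stdout.
if os_arch == '32':
    arches = ['b32']
else:
    arches = ['b64', 'b32']

delete_rules = [
    '-a always,exit -F arch=%s -S unlink -S unlinkat -S rename -S renameat '
    '-F auid>=500 -F auid!=4294967295 -k delete' % arch
    for arch in arches
]

rules_path = '/etc/audit/audit.rules'
existing = ''
if os.path.exists(rules_path):
    with open(rules_path) as fh:
        existing = fh.read()
with open(rules_path, 'a') as fh:
    for rule in delete_rules:
        if rule not in existing:
            fh.write(rule + '\n')

# NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
subprocess.call(['pkill', '-HUP', 'auditd'])
with open('/tmp/linuxout.txt', 'a') as log:
    log.write('Configuration to Collect File Deletion Events by User is configured in audit rules\n')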

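#Collect Changes to System Administration Scope (sudoers)

rules_path = '/etc/audit/audit.rules'
sudoers_rule = '-w /etc/sudoers -p wa -k scope'

if subprocess.call(['grep', '-qF', sudoers_rule, rules_path]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect Changes to System Administration Scope (sudoers) is already configured in audit rules\n')
else:
    with open(rules_path, 'a') as fh:
        fh.write(sudoers_rule + '\n')
    # NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
    subprocess.call(['pkill', '-HUP', 'auditd'])
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect Changes to System Administration Scope (sudoers) is configured in audit rules\n')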

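#Collect System Administrator Actions

rules_path = '/etc/audit/audit.rules'
actions_rule = '-w /var/log/sudo.log -p wa -k actions'

if subprocess.call(['grep', '-qF', actions_rule, rules_path]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect  System Administration actions already configured in audit rules\n')
else:
    with open(rules_path, 'a') as fh:
        fh.write(actions_rule + '\n')
    # NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
    subprocess.call(['pkill', '-HUP', 'auditd'])
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect  System Administration actions configured in audit rules\n')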

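#Collect Kernel Module Loading and Unloading

rules_path = '/etc/audit/audit.rules'
module_rules = [
    '-w /sbin/insmod -p x -k modules',
    '-w /sbin/rmmod -p x -k modules',
    '-w /sbin/modprobe -p x -k modules',
    '-a always,exit -S init_module -S delete_module -k modules',
]

# Test for the key rather than the word "modules" anywhere in the file.
if subprocess.call(['grep', '-qF', '-k modules', rules_path]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect  kernel module loading and unloading is already configured in audit rules\n')
else:
    with open(rules_path, 'a') as fh:
        for rule in module_rules:
            fh.write(rule + '\n')
    # NOTE(review): SIGHUP reloads auditd.conf only; see the time-change section.
    subprocess.call(['pkill', '-HUP', 'auditd'])
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('Configuration to Collect  kernel module loading and unloading is configured in audit rules\n')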


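# Configure logrotate

# Check and write the SAME file: the original tested /etc/logrotate.d/syslog but
# wrote to /etc/logrotate.d/syslogd, as a single line with "{daily" fused, which
# logrotate is unlikely to parse.  A proper multi-line stanza is written only
# when the file is absent.
# NOTE(review): the stock RHEL syslog stanza also HUPs syslogd in a postrotate
# block so the daemon reopens the rotated file; consider adding one.
rotate_conf = '/etc/logrotate.d/syslog'

if os.path.exists(rotate_conf):
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('logrotate is already configured \n')
else:
    with open(rotate_conf, 'w') as fh:
        fh.write('/var/log/messages /var/log/secure /var/log/maillog '
                 '/var/log/spooler /var/log/boot.log /var/log/cron {\n'
                 '    daily\n'
                 '    compress\n'
                 '}\n')
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('logrotate is configured succesfully \n')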

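####Secure System Access, Authentication & Authorization#######

#enable cron in startup

# The service is "crond" (as in active_services above), not "cron"; chkconfig
# rejects the latter.  The exit status decides what is logged.
rc = subprocess.call(['chkconfig', 'crond', 'on'])
with open('/tmp/linuxout.txt', 'a') as log:
    if rc == 0:
        log.write('enabled cron in startup \n')
    else:
        log.write('enabling crond in startup failed (chkconfig exit %d)\n' % rc)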

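 #set owner and group permission for cron.hourly,cron.daily,cron.monthly

# Ownership and "og-rwx" applied natively, per directory, with a missing
# directory reported instead of silently ignored.
cron_dirs = ['/etc/cron.hourly', '/etc/cron.daily', '/etc/cron.monthly']

for cron_dir in cron_dirs:
    try:
        os.chown(cron_dir, 0, 0)
        os.chmod(cron_dir, os.stat(cron_dir).st_mode & 0o7700)
    except OSError as err:
        with open('/tmp/linuxout.txt', 'a') as log:
            log.write('could not secure %s: %s\n' % (cron_dir, err))

with open('/tmp/linuxout.txt', 'a') as log:
    log.write('owner and group permission for cron.hourly and cron.daily,cron.monthly is configured\n')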

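#Set User/Group Owner and Permission on /etc/cron.d

cron_d = '/etc/cron.d'

os.chown(cron_d, 0, 0)
# "og-rwx": keep owner and special bits, clear group/other.
os.chmod(cron_d, os.stat(cron_d).st_mode & 0o7700)

# Verify with os.stat instead of 'stat | egrep ".00 0 0"', whose nested quotes
# made the original line a SyntaxError.  The same condition is checked: owner
# root, group root, no group/other permission bits.
st = os.stat(cron_d)
if st.st_uid == 0 and st.st_gid == 0 and (st.st_mode & 0o077) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write(' User/Group Owner and Permission on /etc/cron.d is configured succesfully\n')
else:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write(' User/Group Owner and Permission on /etc/cron.d is failed\n')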

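#Set SSH Protocol to 2

# subprocess.check_output() only exists from Python 2.7, "shell=True" was inside
# the command string, the CLIENT file ssh_config was read, and the undefined
# name ssh_prot was compared with an int.  Test sshd_config directly.
sshd_config = '/etc/ssh/sshd_config'

if subprocess.call(['grep', '-q', '^Protocol 2$', sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol is already set to 2\n')
else:
    # Rewrite an existing (possibly commented-out) Protocol line in place; sshd
    # honours the first occurrence, so appending a second one would not work.
    subprocess.call(['sed', '-i', 's/^#*Protocol .*/Protocol 2/', sshd_config])
    if subprocess.call(['grep', '-q', '^Protocol ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write('Protocol 2\n')
    # NOTE(review): sshd must be reloaded for the change to take effect; the
    # script does not do that.
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol is succesfully changed from 2,1 to 2\n')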

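#Set LogLevel to VERBOSE

# As with the Protocol setting: no check_output() in 2.6, wrong file
# (ssh_config), and an undefined name INFO.  Edit sshd_config in place.
sshd_config = '/etc/ssh/sshd_config'

if subprocess.call(['grep', '-q', '^LogLevel VERBOSE', sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol log level is already VERBOSE\n')
else:
    subprocess.call(['sed', '-i', 's/^#*LogLevel .*/LogLevel VERBOSE/', sshd_config])
    if subprocess.call(['grep', '-q', '^LogLevel ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write('LogLevel VERBOSE\n')
    done = subprocess.call(['grep', '-q', '^LogLevel VERBOSE', sshd_config]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('ssh protocol log level succesfully changed from INFO to VERBOSE\n')
        else:
            log.write('ssh protocol log level change is failed\n')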

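#Set Permissions on /etc/sshd_config

sshd_config = '/etc/ssh/sshd_config'

os.chown(sshd_config, 0, 0)
# The original set 644 and then checked for ".00 0 0", which 644 can never
# satisfy; 600 (og-rwx) is what the check -- and the hardening intent -- expects.
os.chmod(sshd_config, 0o600)

# Native verification; the original stat/egrep line had unbalanced quotes.
st = os.stat(sshd_config)
if st.st_uid == 0 and st.st_gid == 0 and (st.st_mode & 0o077) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol permission changed succesfully\n')
else:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol permission change is failed\n')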

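#Set SSH MaxAuthTries to 5 or Less

# Same shape as the Protocol/LogLevel sections: check sshd_config (not
# ssh_config) for the wanted directive and rewrite or append it.
sshd_config = '/etc/ssh/sshd_config'

if subprocess.call(['grep', '-q', '^MaxAuthTries [1-5]$', sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh protocol max tries are already 5 or less\n')
else:
    subprocess.call(['sed', '-i', 's/^#*MaxAuthTries .*/MaxAuthTries 5/', sshd_config])
    if subprocess.call(['grep', '-q', '^MaxAuthTries ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write('MaxAuthTries 5\n')
    done = subprocess.call(['grep', '-q', '^MaxAuthTries 5$', sshd_config]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('ssh protocol max tries are changed to 5 or less\n')
        else:
            log.write('ssh protocol max tries are change is failed\n')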

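#Disable hostbased authentication in sshd

# The original compared the command output with the undefined name "no" and its
# grep/awk pipeline had nested double quotes inside a double-quoted string.
sshd_config = '/etc/ssh/sshd_config'

if subprocess.call(['grep', '-q', '^HostbasedAuthentication no', sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh hostbased authentication is already disabled\n')
else:
    subprocess.call(['sed', '-i',
                     's/^#*HostbasedAuthentication .*/HostbasedAuthentication no/',
                     sshd_config])
    if subprocess.call(['grep', '-q', '^HostbasedAuthentication ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write('HostbasedAuthentication no\n')
    done = subprocess.call(['grep', '-q', '^HostbasedAuthentication no', sshd_config]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('ssh hostbased authentication is disabled succesfully\n')
        else:
            log.write('ssh hostbased authentication is disable is failed\n')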

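###########Adding alternate user in the system#############

username = raw_input("Please enter username:")
# getpass keeps the password off the terminal; the original echoed it and then
# passed it as a shell word.
password = getpass.getpass("Please enter password:")
try:
    pwd.getpwnam(username)
except KeyError:
    # argv-list form: no shell, so neither value is interpolated.  "useradd -p"
    # expects an already-encrypted string, not plaintext, so the password is set
    # afterwards through chpasswd on stdin (useradd has validated the name by then).
    rc = subprocess.call(['useradd', '-m', username])
    if rc == 0:
        chpasswd = subprocess.Popen(['chpasswd'], stdin=subprocess.PIPE)
        chpasswd.communicate('%s:%s\n' % (username, password))
        rc = chpasswd.returncode
    with open('/tmp/linuxout.txt', 'a') as log:
        if rc == 0:
            log.write('user %s is added to the system\n' % username)
        else:
            log.write('adding user %s failed (exit %d)\n' % (username, rc))
else:
    print("User, %s is already exists" % username)
# (the original ended with a bare "continue", which is a SyntaxError outside a loop)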

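#Disable SSH Root Login

# "yes" was an undefined name and check_output() does not exist in 2.6; test the
# file for the wanted directive and rewrite/append it as in the other sshd sections.
sshd_config = '/etc/ssh/sshd_config'

if subprocess.call(['grep', '-q', '^PermitRootLogin no', sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('ssh root login is already disabled \n')
else:
    subprocess.call(['sed', '-i', 's/^#*PermitRootLogin .*/PermitRootLogin no/', sshd_config])
    if subprocess.call(['grep', '-q', '^PermitRootLogin ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write('PermitRootLogin no\n')
    done = subprocess.call(['grep', '-q', '^PermitRootLogin no', sshd_config]) == 0
    with open('/tmp/linuxout.txt', 'a') as log:
        if done:
            log.write('ssh root login is disabled succesfully\n')
        else:
            log.write('disabling ssh root login failed\n')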

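#Use Only Approved Ciphers

sshd_config = '/etc/ssh/sshd_config'
cipher_line = 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# sshd uses the first Ciphers directive it sees, so an existing line is
# rewritten rather than a second one appended (which the original did on every
# run).  A line is appended only when the file has none.
# NOTE(review): directives appended after a trailing "Match" block apply only
# to that block -- verify the file layout on the target.
if subprocess.call(['grep', '-q', '^%s$' % cipher_line, sshd_config]) == 0:
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('approved ciphers are already configured\n')
else:
    subprocess.call(['sed', '-i', 's/^#*Ciphers .*/%s/' % cipher_line, sshd_config])
    if subprocess.call(['grep', '-q', '^Ciphers ', sshd_config]) != 0:
        with open(sshd_config, 'a') as fh:
            fh.write(cipher_line + '\n')
    with open('/tmp/linuxout.txt', 'a') as log:
        log.write('approved ciphers are configured succesfully\n')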
#configure the banner

    file = open ("/etc/issue","a")
file.write ("""************************************************************NOTICE*** SECURITY POLICY****************************************************************
    WARNING! This is an  secure computer system and may be accessed only by authorized users. These computer systems are provided for business purposes and must be used in an ethical lawful manner. All data contained here is owned by company authority ., and may be monitored, examined, intercepted, blocked, deleted, captured and disclosed in any manner, by authorized personnel. Individuals or groups using this system in excess of their authorization will have all access terminated. Unauthorized use or misuse of this system is strictly prohibited and may be subject to disciplinary action.
    **************************************************************NOTICE*** SECURITY POLICY******************************************************""")
    file.close

p = subprocess.Popen ("grep Banner /etc/ssh/sshd_config",shell=True)
    p.communicate ()
    var1 = p.returncode
if (var1 == 0):
   os.system ("sed -i 's/Banner/#Banner/g' /etc/ssh/sshd_config")
os.system ("echo Banner /etc/issue >> /etc/ssh/sshd_config")
file = open ("/tmp/linuxout.txt","a")
       file.write ("banner is configured succesfully")
       file.close

else:

file = open ("/tmp/linuxout.txt","a")
       file.write ("banner is already configured ")
       file.close

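###Configure PAM: SHA-512 hashing, pam_cracklib / pam_passwdqc policy and
###password-reuse limits in /etc/pam.d/system-auth.
#
#authconfig --update rewrites the system-auth-ac file that system-auth links
#to, so running it after the manual edits (the original order) discards them;
#it is therefore run first here.  Files are rewritten through their own path so
#a symlinked system-auth keeps pointing at its target, which sed -i would have
#replaced with a regular file.

PAM_SYSTEM_AUTH = "/etc/pam.d/system-auth"
REPORT_FILE = "/tmp/linuxout.txt"
# pam_cracklib arguments are space-separated; the original joined them with
# commas, which pam_cracklib does not split.
CRACKLIB_LINE = ("password    required      pam_cracklib.so try_first_pass retry=3 "
                 "minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1\n")
PASSWDQC_LINE = "password    requisite     pam_passwdqc.so min=disabled,disabled,16,12,8\n"


def _log(message):
    """Append one line to the hardening report."""
    # NOTE(review): fixed path in a world-writable directory that root appends
    # to; a pre-created symlink at this path would redirect the write.
    with open(REPORT_FILE, "a") as report:
        report.write(message + "\n")


def _run(argv):
    """Run *argv* without a shell; return its exit status, or None if the
    program could not be started."""
    try:
        return subprocess.call(argv)
    except OSError:
        return None


def _rewrite_matching(path, pattern, make_line):
    """Replace each line of *path* whose start matches regex *pattern* with
    make_line(line).  Returns the number of lines replaced; 0 when nothing
    matched or *path* is unreadable (the file is then left untouched)."""
    import re
    matcher = re.compile(pattern)
    try:
        with open(path) as src:
            lines = src.readlines()
    except IOError:
        return 0
    replaced = 0
    rewritten = []
    for line in lines:
        if matcher.match(line):
            line = make_line(line)
            replaced += 1
        rewritten.append(line)
    if replaced:
        with open(path, "w") as dst:
            dst.writelines(rewritten)
    return replaced


def _hashing_is_sha512():
    """True when ``authconfig --test`` reports sha512 as the password hashing
    algorithm.  The original grepped for "hasing" (typo) and so never matched."""
    try:
        proc = subprocess.Popen(["authconfig", "--test"], stdout=subprocess.PIPE)
    except OSError:
        return False
    output, _ = proc.communicate()
    for line in output.decode("utf-8", "replace").splitlines():
        if "hashing" in line and "sha512" in line:
            return True
    return False


def _with_remember(line, count=3):
    """Append remember=<count> to a pam_unix password line that lacks it."""
    if "remember=" in line:
        return line
    return line.rstrip("\n") + " remember=%d\n" % count


###Upgrade Password Hashing Algorithm to SHA-512 (run first, see header)
if _hashing_is_sha512():
    _log("Password hashing algorithm is already avilable in this system")
elif _run(["authconfig", "--passalgo=sha512", "--update"]) == 0:
    _log("Password hashing algorithm is set to sha512 in the system")
else:
    _log("WARNING: authconfig --passalgo=sha512 --update failed")

###pam_cracklib password quality
if _rewrite_matching(PAM_SYSTEM_AUTH, r"^password\s+\S+\s+pam_cracklib\.so",
                     lambda _line: CRACKLIB_LINE):
    _log("PAM is configured succesfully")

##Set Strong Password Creation Policy Using pam_passwdqc
if _rewrite_matching(PAM_SYSTEM_AUTH, r"^password\s+\S+\s+pam_passwdqc\.so",
                     lambda _line: PASSWDQC_LINE):
    _log("Strong password is configured succesfully in PAM")

###Limit Password Reuse
# NOTE(review): pam_unix keeps the old hashes in /etc/security/opasswd; confirm
# that file exists on the target, otherwise password changes fail.
if _rewrite_matching(PAM_SYSTEM_AUTH, r"^password\s+sufficient\s+pam_unix\.so",
                     _with_remember):
    _log("Password reusing algoritham is configured in the system")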
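###Set Password Expiration Days and Password Change Minimum Number of Days
#
#login.defs only governs accounts created afterwards; chage applies the same
#limits to the one existing account the script names.  The original commented
#out every line containing the key (including login.defs' own explanatory
#comments) and appended a fresh duplicate on every run.

LOGIN_DEFS = "/etc/login.defs"
REPORT_FILE = "/tmp/linuxout.txt"
# NOTE(review): hard-coded in the original; other existing accounts keep their
# current aging until chage is run for them as well.
AGING_USER = "omadmin"


def _log(message):
    """Append one line to the hardening report."""
    # NOTE(review): fixed path in a world-writable directory that root appends
    # to; a pre-created symlink at this path would redirect the write.
    with open(REPORT_FILE, "a") as report:
        report.write(message + "\n")


def _set_login_def(key, value, path=LOGIN_DEFS):
    """Set *key* to *value* in login.defs.

    Active ``KEY value`` lines are collapsed into one line with the new value;
    comment lines are left alone and the directive is appended when no active
    line exists.  Runs are therefore idempotent.
    """
    directive = "%s\t%s\n" % (key, value)
    try:
        with open(path) as src:
            lines = src.readlines()
    except IOError:
        lines = []
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"
    rewritten = []
    placed = False
    for line in lines:
        parts = line.split()
        if parts and parts[0] == key:      # active setting; comments start with '#'
            if not placed:
                rewritten.append(directive)
                placed = True
            continue
        rewritten.append(line)
    if not placed:
        rewritten.append(directive)
    with open(path, "w") as dst:
        dst.writelines(rewritten)


def _chage(option, days, user):
    """Apply one chage aging option to *user* without a shell.  Returns True on
    success; failures (missing user, missing binary) are logged, not ignored."""
    try:
        status = subprocess.call(["chage", option, str(days), user])
    except OSError:
        status = None
    if status != 0:
        _log("chage %s %s failed for %s (exit %s)" % (option, days, user, status))
    return status == 0


_set_login_def("PASS_MAX_DAYS", 90)
_chage("--maxdays", 90, AGING_USER)
_log("Password expiration date configured as 90 in the system")

_set_login_def("PASS_MIN_DAYS", 7)
_chage("--mindays", 7, AGING_USER)
_log("Password change minimum number of days are configured as 7 in the system")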

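###Set Default Group Account (root)
#root's primary group must be gid 0.  The numeric gid is read from the passwd
#database; the original grepped /etc/passwd for "root" (which also matches any
#other account whose fields contain that string) and compared the text to 0.

REPORT_FILE = "/tmp/linuxout.txt"


def _root_gid():
    """Return root's primary gid from the passwd database, or None if unknown."""
    import pwd
    try:
        return pwd.getpwnam("root").pw_gid
    except KeyError:
        return None


if _root_gid() != 0:
    try:
        subprocess.call(["usermod", "-g", "0", "root"])
    except OSError:
        pass                      # usermod missing: the re-check below reports it
if _root_gid() == 0:
    with open(REPORT_FILE, "a") as report:
        report.write("Default group account is configured for root\n")
else:
    with open(REPORT_FILE, "a") as report:
        report.write("WARNING: root's primary group is not gid 0\n")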
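###Set Warning Banner for Standard Login Services
#The notice is appended to /etc/motd only when no "computer system" text is
#present; ownership and mode of /etc/motd and /etc/issue are enforced on every
#run (the original only did so on the run that added the text).

MOTD = "/etc/motd"
ISSUE = "/etc/issue"
REPORT_FILE = "/tmp/linuxout.txt"
MOTD_TEXT = "This is a secure computer system. Authorized uses only. All activity may be monitored and reported."


def _contains(path, needle):
    """True when *path* is readable and contains *needle*."""
    try:
        with open(path) as fh:
            return needle in fh.read()
    except IOError:
        return False


if not _contains(MOTD, "computer system"):
    with open(MOTD, "a") as motd:
        motd.write(MOTD_TEXT + "\n")      # echo >> added the newline in the original
    with open(REPORT_FILE, "a") as report:
        report.write("Warning banner is configured\n")

for _path in (MOTD, ISSUE):
    try:
        os.chown(_path, 0, 0)
        os.chmod(_path, 0o644)
    except OSError:
        with open(REPORT_FILE, "a") as report:
            report.write("WARNING: could not set owner/mode on %s\n" % _path)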



































































