Wednesday, June 24, 2015

Linux Hardening script

Here I am providing a detailed script for Linux hardening that can be used on RHEL/CentOS 5.x systems. You can enable and disable services as per your project/system requirements. A detailed read me is given below for your better understanding.

****************************Linux Hardening Read Me********************

1. Copy the script given below to a folder called linuxhardening and copy that folder to /tmp on the server.
2. Download and copy the RPMs mentioned below to the linuxhardening folder (these are i386 builds; on an x86_64 host use the matching x86_64 packages):

  * aide-0.13.1-8.el5.i386.rpm
  * rsyslog-3.22.1-7.el5.i386.rpm

3. Unzip linuxhardening.zip.
4. Give execute permission to linux_updated.sh.
5. Execute the script as root.
6. Create an alternate user when the script prompts you.
7. Cross-check the report "linuxreport.txt", which is available in /tmp after the script completes.
******************************************************************************
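Step 7 only asks you to read the report the script writes about itself. The verification script below is an added example (not part of the original post and not the script author's code) that independently re-checks a few of the settings the hardening script changes: the /dev/shm mount options, the sysctl keys and the sshd_config directives, so the report can be compared with what the host actually does. The function names (check_mount_opts, check_sysctl, check_sshd, run_live_checks, dry_run) and the RUN_LIVE_CHECKS variable are my own; the sample mount, sysctl and sshd_config text at the bottom is constructed for an offline dry run, not captured from a real host.

```bash
#!/bin/bash
# Post-hardening verification (added example). Each check_* function reads the relevant
# text from stdin, prints what is missing and returns 0 only when everything is in place.

# $1 = mount point, $2 = comma-separated required options, stdin = output of `mount`
check_mount_opts() {
    local mnt="$1" required="$2" line opts opt missing=""
    line=$(awk -v m="$mnt" '$3 == m { print; exit }')
    [ -n "$line" ] || { echo "$mnt: not mounted"; return 1; }
    opts=${line##*\(}          # the option list is the "(...)" group at the end of the line
    opts=${opts%)*}
    for opt in $(echo "$required" | tr ',' ' '); do
        case ",$opts," in
            *,"$opt",*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    [ -z "$missing" ] || { echo "$mnt: missing$missing"; return 1; }
    return 0
}

# $1 = space-separated "key=value" expectations, stdin = output of `sysctl -a`
check_sysctl() {
    local all want key val cur missing=""
    all=$(cat)
    for want in $1; do
        key=${want%%=*}; val=${want#*=}
        cur=$(echo "$all" | awk -v k="$key" '$1 == k { print $3 }')
        [ "$cur" = "$val" ] || missing="$missing $key=${cur:-unset}(want $val)"
    done
    [ -z "$missing" ] || { echo "sysctl:$missing"; return 1; }
    return 0
}

# $1 = space-separated "Directive=value" expectations, stdin = sshd_config text.
# Commented directives are ignored and the last active occurrence wins, as in sshd.
check_sshd() {
    local conf want key val cur missing=""
    conf=$(cat)
    for want in $1; do
        key=${want%%=*}; val=${want#*=}
        cur=$(echo "$conf" | awk -v k="$key" 'tolower($1) == tolower(k) { v = $2 } END { print v }')
        [ "$cur" = "$val" ] || missing="$missing $key=${cur:-unset}(want $val)"
    done
    [ -z "$missing" ] || { echo "sshd:$missing"; return 1; }
    return 0
}

# Run the checks against the live host (root is needed for sysctl -a and sshd_config).
run_live_checks() {
    local rc=0
    mount | check_mount_opts /dev/shm nodev,nosuid,noexec || rc=1
    /sbin/sysctl -a 2>/dev/null | check_sysctl \
        "net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.log_martians=1 fs.suid_dumpable=0" || rc=1
    check_sshd "Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no MaxAuthTries=5" < /etc/ssh/sshd_config || rc=1
    return $rc
}

# Constructed sample data: /dev/shm lacks noexec, send_redirects is still 1 and
# PermitEmptyPasswords was never set, so every check below has something to report.
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid)'
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 1
fs.suid_dumpable = 0'
SAMPLE_SSHD='#PermitRootLogin yes
Protocol 2
PermitRootLogin no
MaxAuthTries 5'

# Offline dry run over the constructed samples.
dry_run() {
    local rc=0
    echo "$SAMPLE_MOUNT"  | check_mount_opts /dev/shm nodev,nosuid,noexec || rc=1
    echo "$SAMPLE_SYSCTL" | check_sysctl "net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.send_redirects=0 fs.suid_dumpable=0" || rc=1
    echo "$SAMPLE_SSHD"   | check_sshd "Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no MaxAuthTries=5" || rc=1
    return $rc
}

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    run_live_checks || echo "live checks found gaps"
else
    dry_run || echo "dry run found gaps in the constructed samples (expected)"
fi
```

Run it as `RUN_LIVE_CHECKS=1 ./verify.sh` on the hardened host; without the variable it only exercises the constructed samples. The expected values are the ones the hardening script sets, so any line the checker prints is a setting the report claims but the host does not show.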

The script starts here.



#!/bin/bash

#############Linux Hardening Script#####################################
#                                                                      #
##############Author: Ratheesh Vasudevan###############################

# start a fresh report for this run
: > /tmp/linuxreport.txt

###configuring services###
# Duplicate entries of the original list are collapsed; where a service appeared twice
# with different states (acpid, anacron, atd) the later, effective setting is kept, and
# the misspelt "mcstrains" entry is dropped (mcstrans is listed already).
chkconfig acpid on
chkconfig anacron on
chkconfig apmd off
chkconfig arptables_jf off
chkconfig arpwatch off
chkconfig atd on
chkconfig avahi-daemon on
chkconfig auditd on
chkconfig autofs on
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig cpuspeed on
chkconfig crond on
chkconfig cyrus-imapd off
chkconfig dc_client off
chkconfig dc_server off
chkconfig firstboot off
chkconfig dovecot off
chkconfig dund off
chkconfig haldaemon off
chkconfig hidd off
chkconfig hplip off
chkconfig isdn off
# note: the next two lines disable the host firewall, as in the original list;
# leave iptables on unless the host sits behind a dedicated firewall
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance on
chkconfig iscsi on
chkconfig iscsid on
chkconfig kdump off
chkconfig kudzu off
chkconfig krb524 off
chkconfig kprop off
chkconfig mcstrans off
chkconfig mailman off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs on
chkconfig netplugd off
chkconfig nfs on
chkconfig nfslock on
chkconfig ntpd on
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap on
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond on
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig ripd off
chkconfig ripngd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig snmpd on
chkconfig setroubleshoot off
chkconfig sshd on
chkconfig syslog on
chkconfig sysstat on
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig network on
chkconfig readahead_early off
chkconfig readahead_later off
chkconfig vncserver on
chkconfig xend off
chkconfig zebra off
chkconfig chargen-dgram off
chkconfig chargen-stream off
chkconfig daytime-dgram off
chkconfig daytime-stream off
chkconfig echo-dgram off
chkconfig echo-stream off
chkconfig tcpmux-server off

echo "3.1-Configured necessary services in startup" >> /tmp/linuxreport.txt

########Backing up important files#######################

mkdir -p /linux_bkp
chmod 700 /linux_bkp

cp -a /etc/pam.d/system-auth /linux_bkp/system_auth_bkp
cp -a /etc/grub.conf /linux_bkp/grub.conf_bkp
cp -a /etc/inittab /linux_bkp/inittab_bkp
cp -a /etc/sysctl.conf /linux_bkp/sysctl.conf_bkp
cp -a /etc/sysconfig/init /linux_bkp/init_bkp
cp -a /etc/sysconfig/prelink /linux_bkp/prelink_bkp
cp -a /etc/security/limits.conf /linux_bkp/limits.conf_bkp
cp -a /etc/syslog.conf /linux_bkp/syslog.conf_bkp
# the auditd configuration file is auditd.conf (the original copied a non-existent audit.conf)
cp -a /etc/audit/auditd.conf /linux_bkp/auditd.conf_bkp
cp -a /etc/audit/audit.rules /linux_bkp/audit.rules_bkp
cp -a /etc/ssh/sshd_config /linux_bkp/sshd_config_bkp
cp -a /etc/login.defs /linux_bkp/login.defs_bkp

echo "Important files are backed up in /linux_bkp" >> /tmp/linuxreport.txt

#3.2.1-3.2.3 Adding nodev, nosuid and noexec to the /dev/shm partition
# The original tested each option with an inverted condition (it remounted when the option
# was already present). One loop covers all three options: the remount is applied when the
# live mount lacks the option, and the /etc/fstab entry is updated when it lacks the option,
# so the setting also survives a reboot.

i=1
for opt in nodev nosuid noexec; do
    in_fstab=`grep /dev/shm /etc/fstab | grep -c $opt`
    in_mount=`mount | grep /dev/shm | grep -c $opt`

    if [ $in_mount -eq 0 ]; then
        mount -o remount,nodev,noexec,nosuid /dev/shm
    fi

    if [ $in_fstab -eq 0 ]; then
        # append the option to the 4th field (mount options) of the /dev/shm line
        sed -i "/[[:space:]]\/dev\/shm[[:space:]]/ s/^\(\s*\S\+\s\+\S\+\s\+\S\+\s\+\S\+\)/\1,$opt/" /etc/fstab
    fi

    if [ $in_mount -eq 0 ] || [ $in_fstab -eq 0 ]; then
        echo "3.2.$i-$opt is added in /dev/shm" >> /tmp/linuxreport.txt
    else
        echo "3.2.$i-/dev/shm is already mounted with $opt" >> /tmp/linuxreport.txt
    fi

    i=`expr $i + 1`
done

#3.4.1-Install AIDE

if rpm -q aide >/dev/null 2>&1; then

echo "3.4.1-AIDE is already installed" >> /tmp/linuxreport.txt

else

cd /tmp/linuxhardening

rpm -ivh aide*.rpm --nodeps

echo "3.4.1-AIDE is installed successfully" >> /tmp/linuxreport.txt

fi

# The scheduled check needs a baseline database; build it now if there is none yet
# (the default aide.conf writes the new database to aide.db.new.gz and reads aide.db.gz).
if [ ! -f /var/lib/aide/aide.db.gz ]; then
/usr/sbin/aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi

#3.4.2-Periodic Execution of File integrity

crontab -l 2>/dev/null | grep -q aide

if [ $? -eq 1 ]; then

crontab -l 2>/dev/null > /tmp/mycron

# the option is --check; the original wrote -check, which aide reads as "-c heck" (a config file named heck)
echo "0 1 * * * /usr/sbin/aide --check" >> /tmp/mycron

crontab /tmp/mycron
rm -f /tmp/mycron

echo "3.4.2-Periodic execution of file integrity check is configured" >> /tmp/linuxreport.txt

fi

#3.6.1-Set user and group owner for grub.conf

chown root:root /etc/grub.conf

echo "3.6.1-user and group owner are set to root for /etc/grub.conf" >> /tmp/linuxreport.txt

#3.6.2-Set permissions on /etc/grub.conf

chmod og-rwx /etc/grub.conf

echo "3.6.2-permissions are set for /etc/grub.conf" >> /tmp/linuxreport.txt

#3.6.4-Set authentication for single user mode

# quoted, and only appended when not already present, so re-running the script does not add duplicates
grep -q "^~:S:wait:/sbin/sulogin" /etc/inittab || echo "~:S:wait:/sbin/sulogin" >> /etc/inittab

if grep -q "^~:S:wait:/sbin/sulogin" /etc/inittab; then

echo "3.6.4-authentication is configured successfully for single user mode" >> /tmp/linuxreport.txt

else

echo "3.6.4-Failed to configure authentication in single user mode" >> /tmp/linuxreport.txt

fi

#3.6.5-Disable interactive boot

grep -q "^PROMPT=no" /etc/sysconfig/init

if [ $? -eq 1 ]; then

sed -i 's/^PROMPT=yes/PROMPT=no/g' /etc/sysconfig/init

echo "3.6.5-Interactive boot is disabled" >> /tmp/linuxreport.txt

else

echo "3.6.5-Interactive boot is already disabled" >> /tmp/linuxreport.txt

fi

#3.7.1 Restrict Core Dumps

# quoted: an unquoted * is expanded by the shell to the file names in the current directory
echo "* hard core 0" >> /etc/security/limits.conf
# the sysctl key is fs.suid_dumpable (the original wrote fs.suid.dumpable, which sysctl rejects)
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
echo "3.7.1-core dump is restricted" >> /tmp/linuxreport.txt

#3.7.2 Configure ExecShield

echo "kernel.exec-shield = 1" >> /etc/sysctl.conf

# apply the sysctl.conf changes now instead of waiting for the next boot
/sbin/sysctl -p >/dev/null

echo "3.7.2-ExecShield is configured" >> /tmp/linuxreport.txt

#3.7.5 Disable Prelink

sed -i 's/PRELINKING=yes/PRELINKING=no/g' /etc/sysconfig/prelink
# undo prelinking already applied to binaries, otherwise AIDE reports them as modified
[ -x /usr/sbin/prelink ] && /usr/sbin/prelink -ua

echo "3.7.5-Prelinking is disabled" >> /tmp/linuxreport.txt

#3.8.1 Remove telnet server

tntsrv=`rpm -qa |grep telnet-server`

if [ $? -eq 0 ]; then

# the original removed $tntsev (typo), which is empty, so the package was never removed
rpm -e $tntsrv

echo "3.8.1-telnet-server is removed" >> /tmp/linuxreport.txt

else

echo "3.8.1-telnet-server is not installed" >> /tmp/linuxreport.txt

fi

#3.8.3 Remove RSH server

rsh=`rpm -qa |grep rsh-server`

if [ $? -eq 0 ]; then

rpm -e $rsh

echo "3.8.3-rsh-server is removed" >> /tmp/linuxreport.txt

else

echo "3.8.3-rsh-server is not installed" >> /tmp/linuxreport.txt

fi

#3.8.4  Remove NIS client

ypb=`rpm -qa |grep ypbind`

if [ $? -eq 0 ]; then

rpm -e $ypb --nodeps

echo "3.8.4-NIS client is removed" >> /tmp/linuxreport.txt

else

echo "3.8.4-NIS client is not installed" >> /tmp/linuxreport.txt

fi


#3.8.5 Remove NIS server

yps=`rpm -qa |grep ypserv`

if [ $? -eq 0 ]; then

rpm -e $yps

echo "3.8.5-NIS server is removed" >> /tmp/linuxreport.txt

else

echo "3.8.5-NIS server is not installed" >> /tmp/linuxreport.txt

fi

#3.8.6 Remove TFTP

tfp=`rpm -qa |grep tftp`

if [ $? -eq 0 ]; then

rpm -e $tfp

echo "3.8.6-tftp server is removed" >> /tmp/linuxreport.txt

else

echo "3.8.6-tftp server is not installed" >> /tmp/linuxreport.txt

fi

#3.8.8 Remove Talk

tlk=`rpm -qa |grep talk`

if [ $? -eq 0 ]; then

rpm -e $tlk

echo "3.8.8-talk is removed" >> /tmp/linuxreport.txt

else

echo "3.8.8-talk is not installed" >> /tmp/linuxreport.txt

fi

#3.8.9 Remove talk-server

tlks=`rpm -qa |grep talk-server`

if [ $? -eq 0 ]; then

rpm -e $tlks

echo "3.8.9-talk server is removed" >> /tmp/linuxreport.txt

else

echo "3.8.9-talk server is not installed" >> /tmp/linuxreport.txt

fi

######3.9#####Secure OS services###################

#3.9.2 Disable print server CUPS

chkconfig cups off

if [ $? -eq 0 ]; then

echo "3.9.2-cups is disabled for this system" >> /tmp/linuxreport.txt

else

echo "3.9.2-cups is not installed" >> /tmp/linuxreport.txt

fi
#3.9.8 Remove Dovecot

dvc=`rpm -qa |grep dovecot`

if [ $? -eq 0 ]; then

# rpm -e takes the installed package name, not a .rpm file name (the original passed "davecot*.rpm")
rpm -e $dvc --nodeps

echo "3.9.8-dovecot is removed" >> /tmp/linuxreport.txt

else

echo "3.9.8-dovecot is not installed" >> /tmp/linuxreport.txt

fi

#3.9.9 Remove Samba

# no $ on the left-hand side of an assignment (the original "$smb=" was a syntax error)
smb=`rpm -qa |grep samba |grep -v samba-client`

if [ $? -eq 0 ]; then

rpm -e $smb --nodeps

echo "3.9.9-samba server is removed" >> /tmp/linuxreport.txt

else

echo "3.9.9-samba server is not installed" >> /tmp/linuxreport.txt

fi

######3.10########## Secure Network configuration
# Each setting is applied with sysctl -w and also written to /etc/sysctl.conf so that it
# survives a reboot (the original only changed the running kernel).

#3.10.2 Disable Send packet redirects

if /sbin/sysctl -n net.ipv4.conf.all.send_redirects | grep -q 1; then

/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
# the second key is net.ipv4.conf.default.send_redirects (the original used a non-existent key with a stray space)
/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf

echo "3.10.2-Disabling send packet redirects is configured" >> /tmp/linuxreport.txt

else

echo "3.10.2-Send packet redirects are already disabled" >> /tmp/linuxreport.txt

fi

#3.10.6 Log Suspicious packets

if /sbin/sysctl -n net.ipv4.conf.all.log_martians | grep -q 0; then

/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.route.flush=1
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf

echo "3.10.6-Logging of un-routable (martian) packets is configured" >> /tmp/linuxreport.txt

else

echo "3.10.6-Logging of un-routable (martian) packets is already enabled" >> /tmp/linuxreport.txt

fi

#3.10.8 Enable bad error message protection

if /sbin/sysctl -n net.ipv4.icmp_ignore_bogus_error_responses | grep -q 1; then

echo "3.10.8-Bad error message protection is already enabled" >> /tmp/linuxreport.txt

else

/sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
/sbin/sysctl -w net.ipv4.route.flush=1
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf

echo "3.10.8-Bad error message protection is configured" >> /tmp/linuxreport.txt

fi

#3.10.9 Enable TCP SYN Cookies

# the original test was inverted; SYN cookies are enabled only when the current value is 0
if /sbin/sysctl -n net.ipv4.tcp_syncookies | grep -q 0; then

/sbin/sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.route.flush=1
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf

echo "3.10.9-TCP SYN cookies are configured successfully" >> /tmp/linuxreport.txt

else

echo "3.10.9-TCP SYN cookies are already enabled" >> /tmp/linuxreport.txt

fi

#3.10.10 Disable IPv6

if ! grep -q ipv6 /etc/modprobe.conf 2>/dev/null; then

echo "options ipv6 disable=1" >> /etc/modprobe.conf

echo "3.10.10-IPv6 is disabled successfully (takes effect at the next boot)" >> /tmp/linuxreport.txt

else

echo "3.10.10-IPv6 is already configured in /etc/modprobe.conf" >> /tmp/linuxreport.txt

fi

####3.11 Secure Logging and Auditing functions##############################################

#3.11.1 Configure /etc/syslog.conf

# selectors are quoted so the shell does not treat the trailing * as a file glob
echo "auth,user.* /var/log/messages" >> /etc/syslog.conf
echo "kern.* /var/log/kern.log" >> /etc/syslog.conf
echo "daemon.* /var/log/daemon.log" >> /etc/syslog.conf
echo "syslog.* /var/log/syslog" >> /etc/syslog.conf
echo "news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log" >> /etc/syslog.conf

pkill -HUP syslogd

if [ $? -eq 0 ]; then

echo "3.11.1-syslog.conf is configured successfully" >> /tmp/linuxreport.txt

else

echo "3.11.1-syslog.conf configuration failed (syslogd is not running)" >> /tmp/linuxreport.txt

fi

#3.11.2 Create and Set Permissions on syslog Log Files

# create the files first: kern.log, daemon.log, syslog and unused.log do not exist until syslogd writes to them
for LOG in messages kern.log daemon.log syslog unused.log; do
    touch /var/log/$LOG
    chown root:root /var/log/$LOG
    chmod og-rwx /var/log/$LOG
done

echo "3.11.2-Permissions are set for syslog files" >> /tmp/linuxreport.txt

#3.11.5 Install the rsyslog package

if rpm -q rsyslog >/dev/null 2>&1; then

echo "3.11.5-rsyslog is already installed" >> /tmp/linuxreport.txt

else

cd /tmp/linuxhardening

rpm -ivh rsyslog*.rpm --nodeps

echo "3.11.5-rsyslog is installed" >> /tmp/linuxreport.txt

fi

#3.11.6 Activate the rsyslog Service

chkconfig syslog off
chkconfig rsyslog on
# switch the running daemon as well, so the HUP below reaches rsyslogd
service syslog stop
service rsyslog start

echo "3.11.6-rsyslog service is activated successfully" >> /tmp/linuxreport.txt

#3.11.7 configure /etc/rsyslog.conf

echo "auth,user.* /var/log/messages" >> /etc/rsyslog.conf
echo "kern.* /var/log/kern.log" >> /etc/rsyslog.conf
echo "daemon.* /var/log/daemon.log" >> /etc/rsyslog.conf
echo "syslog.* /var/log/syslog" >> /etc/rsyslog.conf
echo "news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log" >> /etc/rsyslog.conf

pkill -HUP rsyslogd

if [ $? -eq 0 ]; then

echo "3.11.7-rsyslog is configured successfully" >> /tmp/linuxreport.txt

else

echo "3.11.7-rsyslog configuration failed (rsyslogd is not running)" >> /tmp/linuxreport.txt

fi

#3.11.8 Create and Set Permissions on rsyslog Log Files

for LOG in messages kern.log daemon.log syslog unused.log; do
    touch /var/log/$LOG
    chown root:root /var/log/$LOG
    chmod og-rwx /var/log/$LOG
done

echo "3.11.8-Permissions are set for rsyslog files" >> /tmp/linuxreport.txt

#3.11.10 Enable auditd Service

chkconfig auditd on

if [ $? -eq 0 ]; then

echo "3.11.10-auditd service is enabled" >> /tmp/linuxreport.txt

else

# the original omitted "echo" here, so the message was executed as a command instead of written
echo "3.11.10-enabling audit service failed, please check whether the audit package is installed" >> /tmp/linuxreport.txt

fi

#3.11.11 Configure Audit Log Storage Size

# Site-specific value: the original had the literal placeholder "MB" here, which auditd rejects.
# Set AUDIT_MAX_LOG_MB before running the script (for example: AUDIT_MAX_LOG_MB=20 ./linux_updated.sh).
if [ -n "$AUDIT_MAX_LOG_MB" ]; then

sed -i "s/^max_log_file = .*/max_log_file = $AUDIT_MAX_LOG_MB/" /etc/audit/auditd.conf

echo "3.11.11 Configure Audit Log Storage Size is successful ($AUDIT_MAX_LOG_MB MB)" >> /tmp/linuxreport.txt

else

echo "3.11.11 Configure Audit Log Storage Size skipped: AUDIT_MAX_LOG_MB is not set" >> /tmp/linuxreport.txt

fi

#3.11.12 Keep All Auditing Information

# replace the existing max_log_file_action line instead of appending a second one
sed -i 's/^max_log_file_action = .*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf

if grep -q "^max_log_file_action = keep_logs" /etc/audit/auditd.conf; then

echo "3.11.12 Configure Audit Log is successful" >> /tmp/linuxreport.txt

else

echo "3.11.12 Configure Audit Log is failed" >> /tmp/linuxreport.txt

fi

#3.11.14 Record Events That Modify Date and Time Information
# Note on reloading: SIGHUP only makes auditd re-read auditd.conf, it does not load
# /etc/audit/audit.rules; the rules are loaded when the auditd service is (re)started,
# so the per-block "pkill -HUP auditd" of the original is dropped. Every rule is quoted
# so the shell does not interpret characters inside the rule text.

os_arch=`getconf LONG_BIT`

if [ $os_arch -eq 32 ]; then

echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S clock_settime -k time-change" >> /etc/audit/audit.rules
echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/audit.rules

echo "3.11.14-Configuration to record events that modify date and time information updated successfully for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S clock_settime -k time-change" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S clock_settime -k time-change" >> /etc/audit/audit.rules
echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/audit.rules

echo "3.11.14-Configuration to record events that modify date and time information updated successfully for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.15 Record Events That Modify User/Group Information

echo "-w /etc/group -p wa -k identity" >> /etc/audit/audit.rules
echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/audit.rules
echo "-w /etc/gshadow -p wa -k identity" >> /etc/audit/audit.rules
echo "-w /etc/shadow -p wa -k identity" >> /etc/audit/audit.rules
echo "-w /etc/security/opasswd -p wa -k identity" >> /etc/audit/audit.rules

echo "3.11.15-Configuration to record events that modify user/group information is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.16 Record Events That Modify the System's Network Environment

if [ $os_arch -eq 32 ]; then

echo "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/audit.rules

echo "3.11.16-Configuration to record events that modify the system's network environment is configured for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/audit.rules
echo "-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/audit.rules
echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/audit.rules

echo "3.11.16-Configuration to record events that modify the system's network environment is configured for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.17 Collect Login and Logout Events

echo "-w /var/log/faillog -p wa -k logins" >> /etc/audit/audit.rules
echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/audit.rules
# the original had "-p -wa" here, which auditctl rejects
echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/audit.rules
echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules

echo "3.11.17-Configuration to collect login and logout events is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.18 Collect Session Initiation Information

echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules

echo "3.11.18-Configuration to collect session initiation information is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.19 Collect Discretionary Access Control Permission Modification Events
# Each rule is written on one line and quoted. In the original the unquoted "auid>=500"
# was parsed by the shell as a redirection (it created a file named "=500" and dropped the
# filter from the rule) and the "\ " continuations split every rule across two lines of
# audit.rules. The per-block "pkill -HUP auditd" is dropped: SIGHUP only re-reads
# auditd.conf, the rules are loaded when the service is restarted at the end of this section.

os_arch=`getconf LONG_BIT`

if [ $os_arch -eq 32 ]; then

echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

echo "3.11.19-Configuration to collect discretionary access control permission modification events is added to the audit rules for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules

echo "3.11.19-Configuration to collect discretionary access control permission modification events is added to the audit rules for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.20 Collect Unsuccessful Unauthorized Access Attempts to Files

if [ $os_arch -eq 32 ]; then

echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules

echo "3.11.20-Configuration to collect unsuccessful unauthorized access attempts to files is added to the audit rules for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules

echo "3.11.20-Configuration to collect unsuccessful unauthorized access attempts to files is added to the audit rules for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.22 Collect Successful File System Mounts

if [ $os_arch -eq 32 ]; then

echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules

echo "3.11.22-Configuration to collect successful file system mounts is added to the audit rules for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules

echo "3.11.22-Configuration to collect successful file system mounts is added to the audit rules for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.23 Collect File Deletion Events by User

if [ $os_arch -eq 32 ]; then

echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules

echo "3.11.23-Configuration to collect file deletion events by user is added to the audit rules for 32-bit OS" >> /tmp/linuxreport.txt

else

echo "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules
echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules

echo "3.11.23-Configuration to collect file deletion events by user is added to the audit rules for 64-bit OS" >> /tmp/linuxreport.txt

fi

#3.11.24 Collect Changes to System Administration Scope (sudoers)

echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/audit.rules

echo "3.11.24-Configuration to collect changes to system administration scope (sudoers) is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.25 Collect System Administrator Actions

echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/audit.rules

echo "3.11.25-Configuration to collect system administrator actions is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.26 Collect Kernel Module Loading and Unloading

echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules
echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules
echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
echo "-a always,exit -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules

echo "3.11.26-Configuration to collect kernel module loading and unloading is added to the audit rules" >> /tmp/linuxreport.txt

#3.11.27 Make the Audit Configuration Immutable

# "-e 2" must be the last rule: once it is loaded no further rule changes are accepted until reboot
echo "-e 2" >> /etc/audit/audit.rules

# load the complete rule set now (the auditd init script reads audit.rules on start)
service auditd restart

echo "3.11.27-Audit configuration is made immutable" >> /tmp/linuxreport.txt

#3.11.28 Configure logrotate

ed /etc/logrotate.d/syslog << END
1d
0a
/var/log/messages /var/log/secure /var/log/maillog
/var/log/spooler /var/log/boot.log /var/log/cron {
.
w
q
END

echo "3.11.28-Logrotate for syslog is configured succesfully" >> /tmp/linuxreport.txt


####3.12 Secure System Access, Authentication & Authorization#######

#3.12.1 Enable cron Daemon

# the service name on RHEL/CentOS 5 is crond (the original used "cron", which chkconfig does not know)
chkconfig crond on

if [ $? -eq 0 ]; then

echo "3.12.1-Cron daemon is enabled" >> /tmp/linuxreport.txt

else

echo "3.12.1-Enabling cron daemon failed" >> /tmp/linuxreport.txt

fi

#3.12.2 - 3.12.8 Set User/Group Owner and Permission on /etc/crontab and the cron directories
# One loop replaces the six near-identical blocks of the original (one of which was missing
# its "echo" and two of which had no failure message); the report item numbers are kept.

while read item path; do

    chown root:root $path
    chmod og-rwx $path

    # expect mode x00 (owner-only access), uid 0 and gid 0
    if stat -c "%a %u %g" $path | egrep -q "^.00 0 0$"; then
        echo "$item-User and group owner and permissions are configured for $path" >> /tmp/linuxreport.txt
    else
        echo "$item-Setting user/group owner and permissions for $path failed" >> /tmp/linuxreport.txt
    fi

done <<END
3.12.2 /etc/crontab
3.12.3 /etc/cron.hourly
3.12.5 /etc/cron.daily
3.12.6 /etc/cron.weekly
3.12.7 /etc/cron.monthly
3.12.8 /etc/cron.d
END

#3.12.10 Set SSH Protocol to 2

# the original parsed the commented default and crashed on "[ -eq 1 ]" when the line was absent
if grep -q "^#Protocol 2,1" /etc/ssh/sshd_config; then

sed -i 's/^#Protocol 2,1/Protocol 2/' /etc/ssh/sshd_config

echo "3.12.10-ssh protocol 2 is successfully configured for this system" >> /tmp/linuxreport.txt

else

sed -i 's/^Protocol 2,1/Protocol 2/' /etc/ssh/sshd_config

echo "3.12.10-ssh protocol is changed from 2,1 to 2" >> /tmp/linuxreport.txt

fi

#3.12.11 Set LogLevel to VERBOSE

# no trailing space after INFO: the original pattern "#LogLevel INFO " never matched
sed -i 's/^#LogLevel INFO/LogLevel VERBOSE/' /etc/ssh/sshd_config

echo "3.12.11-ssh LogLevel VERBOSE is successfully configured" >> /tmp/linuxreport.txt

#3.12.11 Set Permissions on /etc/ssh/sshd_config

chown root:root /etc/ssh/sshd_config

# owner-only access; the original set 644, which the mode x00 check below could never pass
chmod 600 /etc/ssh/sshd_config

if stat -c "%a %u %g" /etc/ssh/sshd_config | egrep -q "^.00 0 0$"; then

echo "3.12.11-User and group owner and permissions are configured for /etc/ssh/sshd_config" >> /tmp/linuxreport.txt

fi

#3.12.13 Set SSH MaxAuthTries to 5 or Less

sed -i 's/^#MaxAuthTries 6/MaxAuthTries 5/' /etc/ssh/sshd_config

echo "3.12.13-ssh MaxAuthTries configured successfully" >> /tmp/linuxreport.txt

#3.12.15 Set SSH HostbasedAuthentication to No

sed -i 's/^#HostbasedAuthentication no/HostbasedAuthentication no/' /etc/ssh/sshd_config

echo "3.12.15-Disabled HostbasedAuthentication in ssh" >> /tmp/linuxreport.txt

###################################################################
##Adding an alternate user to the system (needed before root SSH login is disabled in 3.12.16)

read -p "Enter username : " username
read -s -p "Enter password : " password
echo
egrep -q "^$username:" /etc/passwd
if [ $? -eq 0 ]; then
echo "$username exists!"
exit 1
else
# SHA-512 crypt with a random 16-character salt. The original called crypt() with the fixed
# salt "password", i.e. a two-character DES salt, which truncates the password to 8 characters.
# The password and salt are passed through the environment so they do not appear in ps output.
salt=`tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16`
pass=$(PW="$password" SALT="$salt" perl -e 'print crypt($ENV{PW}, "\$6\$" . $ENV{SALT})')
useradd -m -p "$pass" "$username"
echo "user '$username' is added to the system"
fi

#3.12.16 Disable SSH Root Login

ssh_root=`grep "^#PermitRootLogin" /etc/ssh/sshd_config | awk '{print $2}'`

if [ "$ssh_root" == "yes" ]; then

sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

echo "3.12.16-root login is disabled for this server" >> /tmp/linuxreport.txt
fi

#3.12.17 Set SSH PermitEmptyPasswords to No

empty_pass=`grep "^#PermitEmptyPasswords" /etc/ssh/sshd_config | awk '{print $2}'`

# the original compared the literal string "empty_pass" (missing $), so this branch never ran
if [ "$empty_pass" == "no" ]; then

sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config

echo "3.12.17-ssh PermitEmptyPasswords is disabled for this system" >> /tmp/linuxreport.txt

fi

##3.12.18 Use Only Approved Ciphers

# appended only once, so re-running the script does not add duplicate Ciphers lines
grep -q "^Ciphers" /etc/ssh/sshd_config || echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config

echo "3.12.18-Ciphers are updated in ssh" >> /tmp/linuxreport.txt

#3.12.20 Set SSH Banner

cat << EOF >> /etc/issue

************************************************************NOTICE*** SECURITY POLICY****************************************************************
WARNING! This is a secure computer system and may be accessed only by authorized users. These computer systems are provided for business purposes and must be used in an ethical, lawful manner. All data contained here is owned by the company and may be monitored, examined, intercepted, blocked, deleted, captured and disclosed in any manner by authorized personnel. Individuals or groups using this system in excess of their authorization will have all access terminated. Unauthorized use or misuse of this system is strictly prohibited and may be subject to disciplinary action.
**************************************************************NOTICE*** SECURITY POLICY******************************************************
EOF

if grep -q "#Banner" /etc/ssh/sshd_config; then

sed -i 's/^Banner/#Banner/' /etc/ssh/sshd_config

echo "Banner /etc/issue" >> /etc/ssh/sshd_config

echo "3.12.20-Banner is configured successfully for this system" >> /tmp/linuxreport.txt

fi

# apply the sshd_config changes above after a syntax check, so a bad directive cannot leave sshd unstartable
if /usr/sbin/sshd -t; then
service sshd restart
else
echo "sshd_config failed the syntax check (sshd -t); sshd was not restarted, review /etc/ssh/sshd_config" >> /tmp/linuxreport.txt
fi


###3.12.24 Upgrade Password Hashing Algorithm to SHA-512

# Run authconfig BEFORE the PAM edits below: "authconfig --update" regenerates
# /etc/pam.d/system-auth-ac (the target of the system-auth symlink) and would
# silently throw away any cracklib/passwdqc/remember changes made earlier.
if authconfig --test | grep "hashing" | grep -q "sha512"; then
    echo "3.12.24-Password hashing algorithm sha512 is already configured on this system" >> /tmp/linuxreport.txt
else
    authconfig --passalgo=sha512 --update
    if authconfig --test | grep "hashing" | grep -q "sha512"; then
        echo "3.12.24-Hashing Algorithm is upgraded successfully" >> /tmp/linuxreport.txt
    fi
fi

###3.12.21 Configure PAM

# pam_cracklib options are separate, space-separated arguments. Written as one
# comma-joined token they are parsed as a single "minlen=14,dcredit=..." argument
# and the dcredit/ucredit/ocredit/lcredit minimums are silently ignored.
# The stock entry uses "requisite" (a failed check aborts the stack at once); keep it.
if grep -q "^password.*pam_cracklib.so" /etc/pam.d/system-auth; then
    sed -i 's/^password.*\(requisite\|required\).*pam_cracklib.so.*/password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/' /etc/pam.d/system-auth
    echo "3.12.21-PAM is configured successfully" >> /tmp/linuxreport.txt
fi

####3.12.22 Set Strong Password Creation Policy Using pam_passwdqc

# min=N0,N1,N2,N3,N4: one- and two-class passwords are refused outright,
# passphrases need 16 characters, three-class passwords 12, four-class 8.
if grep -q "^password.*pam_passwdqc.so" /etc/pam.d/system-auth; then
    sed -i 's/^password.*\(requisite\|required\).*pam_passwdqc.so.*/password    requisite     pam_passwdqc.so min=disabled,disabled,16,12,8/' /etc/pam.d/system-auth
    echo "3.12.22-Strong password creation policy is configured successfully" >> /tmp/linuxreport.txt
fi

###3.12.25 Limit Password Reuse

# Append remember=3 to the pam_unix password line, whatever other options it
# carries, unless a remember= setting is already present.
if grep -q "^password.*sufficient.*pam_unix.so" /etc/pam.d/system-auth; then
    sed -i '/^password.*sufficient.*pam_unix.so/{/remember=/!s/$/ remember=3/}' /etc/pam.d/system-auth
    echo "3.12.25-Limit password reuse is configured successfully" >> /tmp/linuxreport.txt
fi




###3.13.2 Set Password Expiration Days

# login.defs only governs accounts created from now on; apply the same limit
# to the existing admin account with chage (omadmin here, adjust to your admin user).
sed -i 's/^PASS_MAX_DAYS/#PASS_MAX_DAYS/' /etc/login.defs
echo "PASS_MAX_DAYS 90" >> /etc/login.defs
chage --maxdays 90 omadmin
echo "3.13.2-Password expiration date is configured successfully" >> /tmp/linuxreport.txt

####3.13.3 Set Password Change Minimum Number of Days

sed -i 's/^PASS_MIN_DAYS/#PASS_MIN_DAYS/' /etc/login.defs
echo "PASS_MIN_DAYS 7" >> /etc/login.defs
chage --mindays 7 omadmin
echo "3.13.3-Password change minimum number of days is configured successfully" >> /tmp/linuxreport.txt

###3.13.5 Set Default Group Account (root)

usermod -g 0 root

# Read root's primary GID back from /etc/passwd (field 4) and verify it is 0;
# the exit status of a grep|awk pipeline only says that awk ran, not what it found.
if [ "$(awk -F: '$1 == "root" {print $4}' /etc/passwd)" = "0" ]; then
    echo "3.13.5-Default Group Account is set for root" >> /tmp/linuxreport.txt
fi

#####################################################################################################################
#3.13.8 Set Warning Banner for Standard Login Services

# Test for the banner text itself, so a second run does not append it again.
if ! grep -q "Authorized uses only" /etc/motd; then
    echo "This is a secure computer system. Authorized uses only. All activity may be monitored and reported." >> /etc/motd
    echo "This is a secure computer system. Authorized uses only. All activity may be monitored and reported." >> /etc/issue
    chown root:root /etc/motd
    chown root:root /etc/issue
    chmod 644 /etc/motd
    chmod 644 /etc/issue
    echo "3.13.8-Warning Banner is configured" >> /tmp/linuxreport.txt
else
    echo "3.13.8-Warning Banner is already configured" >> /tmp/linuxreport.txt
fi

#######################################################################################################################
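The SSH edits in the script rewrite one exact string and append the rest, which is fragile: sshd uses the first active occurrence of a keyword, so an appended `PermitRootLogin no` below an existing `PermitRootLogin yes` changes nothing, and a second run appends again. As an added example, not part of the original script, here is an idempotent setter plus an audit that follow sshd's own rule (first active directive wins; anything after a `Match` line is conditional). It works on whatever file path it is given and only needs a POSIX awk; the sample configuration at the bottom is constructed for the demonstration, not taken from a real server.

```shell
#!/bin/bash
# Added example, not part of the original hardening script: idempotent
# sshd_config editing and auditing that follow sshd's own parsing rules.

# Value sshd will actually use for a global keyword: the first active
# (uncommented) occurrence before any Match block. Keywords are
# case-insensitive. Prints nothing when only the built-in default applies.
effective_sshd_option() {   # file keyword
    local file=$1 key=$2
    awk -v k="$key" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(k)  { print $2; exit }
    ' "$file"
}

# Ensure exactly one effective "keyword value" line. Every active occurrence
# is commented out (so nothing earlier in the file can win), and the new
# directive goes before the first Match block, or at the end of the file if
# there is none. Writing back with "cat >" keeps the file's owner and mode.
set_sshd_option() {   # file keyword value
    local file=$1 key=$2 value=$3
    [ "$(effective_sshd_option "$file" "$key")" = "$value" ] && return 0
    awk -v k="$key" -v v="$value" '
        tolower($1) == "match" && !placed { print k " " v; placed = 1 }
        tolower($1) == tolower(k)         { print "#" $0; next }
        { print }
        END { if (!placed) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Compare a list of "Keyword value" expectations with a file. One line per
# deviation on stdout; returns 1 if anything differs from policy.
audit_sshd() {   # file "Keyword value"...
    local file=$1 rc=0 pair key want got
    shift
    for pair in "$@"; do
        key=${pair%% *}
        want=${pair#* }
        got=$(effective_sshd_option "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective='${got:-<built-in default>}' expected='$want'"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed file (not a real server's sshd_config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PermitEmptyPasswords yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$demo" "PermitRootLogin no" "PermitEmptyPasswords no" "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" \
    || echo "drift found, applying policy"
set_sshd_option "$demo" PermitRootLogin no
set_sshd_option "$demo" PermitEmptyPasswords no
set_sshd_option "$demo" Ciphers aes128-ctr,aes192-ctr,aes256-ctr
audit_sshd "$demo" "PermitRootLogin no" "PermitEmptyPasswords no" "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" \
    && echo "all directives at policy"
rm -f "$demo"
```

Run the audit alone on a fleet to find drift before changing anything; the setter is safe to re-run because it checks the effective value first and never produces a second active line. Follow any change with `sshd -t` and a reload, as the script above does.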
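The two option strings the script sets in 3.12.21 and 3.12.22 are easy to misread. The block below is an added example (mine, not the author's) that applies both rules to candidate strings: pam_cracklib's negative credits as hard per-class minimums with minlen as the total length, and pam_passwdqc's `min=disabled,disabled,16,12,8` with its class counting, in which a leading upper-case letter and a trailing digit do not count. Passwdqc's word splitting for passphrases is simplified here to whitespace-separated words, ASCII input is assumed, and the candidate strings are made up.

```shell
#!/bin/bash
# Added example, not part of the hardening script: apply the password rules
# the script configures to candidate strings. ASCII input is assumed.

# Count characters of one POSIX class in a string.
count_class() {   # string class (digit|lower|upper)
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}

# "digits lowers uppers others" for a string; "others" is everything else
# (punctuation, space, ...), which is how both modules classify it.
class_counts() {   # string
    local s=$1 d l u
    d=$(count_class "$s" digit)
    l=$(count_class "$s" lower)
    u=$(count_class "$s" upper)
    echo "$d $l $u $(( ${#s} - d - l - u ))"
}

# pam_cracklib "minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1":
# a negative credit is a hard minimum for that class (no length credit is
# awarded for it), and the whole string must reach minlen.
cracklib_ok() {   # password
    local pw=$1
    set -- $(class_counts "$pw")
    [ "${#pw}" -ge 14 ] && [ "$1" -ge 1 ] && [ "$2" -ge 1 ] && [ "$3" -ge 1 ] && [ "$4" -ge 1 ]
}

# pam_passwdqc class count: digits, lower, upper, other, except that a
# leading upper-case letter and a trailing digit are not counted, so
# "Password1" is a one-class string to passwdqc.
passwdqc_classes() {   # password -> 0..4
    local pw=$1 n=0
    case $pw in [[:upper:]]*) pw=${pw#?} ;; esac
    case $pw in *[[:digit:]]) pw=${pw%?} ;; esac
    set -- $(class_counts "$pw")
    [ "$1" -gt 0 ] && n=$((n + 1))
    [ "$2" -gt 0 ] && n=$((n + 1))
    [ "$3" -gt 0 ] && n=$((n + 1))
    [ "$4" -gt 0 ] && n=$((n + 1))
    echo "$n"
}

# pam_passwdqc "min=disabled,disabled,16,12,8": N0..N4 are the minimum lengths
# for 1 class, 2 classes, a passphrase, 3 classes and 4 classes. Words are
# approximated as whitespace-separated tokens (passwdqc's own splitting is
# more elaborate); the module default of passphrase=3 words is assumed.
passwdqc_ok() {   # password
    local pw=$1 len=${#1} n words
    n=$(passwdqc_classes "$pw")
    case $n in
        3) [ "$len" -ge 12 ] && return 0 ;;
        4) [ "$len" -ge 8 ]  && return 0 ;;
    esac
    words=$(printf '%s' "$pw" | awk '{ w = NF } END { print w + 0 }')
    [ "$words" -ge 3 ] && [ "$len" -ge 16 ]
}

# Both verdicts for one candidate.
check_password() {   # password -> "cracklib=ok|fail passwdqc=ok|fail"
    local c=fail p=fail
    cracklib_ok "$1" && c=ok
    passwdqc_ok "$1" && p=ok
    echo "cracklib=$c passwdqc=$p"
}

# Constructed candidates, not real credentials.
for cand in 'Password1' 'correct horse battery' 'Tr0ub4dor&3x' 'aB3$efgh' 'Tr0ub4dor&3xyzQ'; do
    printf '%-24s %s\n' "$cand" "$(check_password "$cand")"
done
```

Note how the two modules disagree: an eight-character four-class string and a three-word passphrase satisfy passwdqc but not cracklib's minlen=14, while only a 14+ character string with all four classes satisfies both. Whichever module is active on a host, check the actual line in /etc/pam.d/system-auth rather than assuming both are enforced.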

Saturday, June 6, 2015

                     Increasing SWAP LVM in linux 

On Linux servers it is best to create swap as an LVM logical volume rather than a plain partition: the volume can then be grown whenever more swap is needed (mostly to relieve memory pressure). Extending a swap volume needs a few extra steps on top of the normal LVM extension procedure, because the swap signature has to be rewritten.

Existing swap details (here the volume /dev/mapper/swappolvg-swappollv is to be extended by another 60GB):


[root@localhost01 ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/rootvg-swaplv               partition       8388604 0       -1
/dev/mapper/swappolvg-swappollv         partition       57066336       0       -2


1. First disable the swap volume; a swap device that is in use cannot have its signature rewritten:

 #swapoff -v /dev/swappolvg/swappollv

Afterwards swapon -s shows only one active swap:

[root@localhost01 ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/rootvg-swaplv               partition       8388604 0       -1

2. The newly added disk shows up as /dev/xvdo. Bring it into the volume group with the usual LVM steps (the output of these ordinary LVM commands is omitted):

partition the new disk
#fdisk /dev/xvdo
...........................
create a physical volume on the new partition
#pvcreate /dev/xvdo1
................................
extend the volume group
# vgextend swappolvg /dev/xvdo1
..............................
extend the logical volume over the whole new physical volume
#lvextend /dev/swappolvg/swappollv /dev/xvdo1
...............................

3. lvextend only grows the block device; the swap header still describes the old size, so re-create it with mkswap on the enlarged volume (swapoff already moved its pages back to RAM, so nothing is lost):

#mkswap /dev/swappolvg/swappollv


4. Re-enable swap. swapon -a activates every swap device listed in /etc/fstab, so the volume must still have its fstab entry:

#swapon -va

5. swapon -s now shows the extended volume:

[root@localhost01 ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/rootvg-swaplv               partition       8388604 0       -1
/dev/mapper/swappolvg-swappollv         partition       117428220       0       -2

Thursday, May 28, 2015

          Enabling and configuring SAR in solaris -10 


sar (System Activity Reporter) is a familiar performance-analysis tool on Linux. Solaris 10 ships it as well, but the collection service is disabled by default. Here are the steps to enable and schedule it.

1. First check whether the sar service is enabled:

#svcs -x system/sar

svc:/system/sar:default (system activity reporting package)
 State: disabled since Wed Apr 16 16:41:41 2014
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: sar(1M)
Impact: This service is not running.

2. Enable the service:

#svcadm enable svc:/system/sar:default


3. Check the status again:

#svcs -x system/sar

svc:/system/sar:default (system activity reporting package)
 State: online since Fri May 15 13:34:38 2015
   See: sar(1M)
   See: /var/svc/log/system-sar:default.log
Impact: None.

4. Now check the crontab of the sys user, which runs the sar collectors:

#crontab -l sys
crontab: you are not authorized to use cron.  Sorry.

(sys is not yet allowed to use cron, so the next step grants it access)

5. Allow sys to use cron by adding the line "sys" to /etc/cron.d/cron.allow

6. Add the lines below to the sys crontab. Use crontab -e sys as root rather than editing /var/spool/cron/crontabs/sys in place: cron re-reads a crontab when it is installed through the crontab command, not when the spool file is edited directly.

0 * * * 0-6 /usr/lib/sa/sa1
20,40 8-17 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A

7. Verify the crontab entry:

#crontab -l sys
0 * * * 0-6 /usr/lib/sa/sa1
20,40 8-17 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A

That's it. sa1 now samples hourly around the clock and every 20 minutes during business hours (08:00-17:59 on weekdays), and at 18:05 on weekdays sa2 writes the daily report covering 08:00-18:01.



Wednesday, January 7, 2015

Solaris Zones

Solaris zones are a form of operating-system virtualization: isolated, secured environments for applications on a single Solaris 10 system (for example, a DB server and a web server can each run in their own zone on the same machine). To users a zone looks like a separate machine. The isolation is done entirely in software; every Solaris 10 installation comes with the global zone, from which all other (non-global) zones are created and administered.

Each zone has its own node name, virtual network interfaces and storage. Zones do not need dedicated memory, CPU or physical network interfaces. A security boundary prevents processes in one zone from interacting with processes in another, and each zone can have its own user list.

A zone can be in one of the following states

1. Configured - configuration was completed and saved
2. Incomplete - State between install or uninstall
3. Installed-The packages are successfully installed.
4. Ready- The virtual platform has been installed.
5. Running- The zone is booted successfully and running
6. Shutting down - The zone is in the process of shutting down.
7. Down - The zone has completed the shutdown process and is down.

Here are the detailed steps for configuring a zone.

1. First create a zone called testzone (an example name; any name will do):

bash-3.00# zonecfg -z testzone
testzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:testzone> create
zonecfg:testzone> set zonepath=/zones/testzone
zonecfg:testzone> set autoboot=true
(zonepath is the directory where the zone's files are installed; autoboot controls whether the zone boots automatically together with the global zone)

2. The configuration can be reviewed with info, then verified and committed:

zonecfg:testzone> info
zonename: testzone
zonepath: /zones/testzone
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
zonecfg:testzone> verify
zonecfg:testzone> commit
zonecfg:testzone>

3. The zone now shows the configured status:

bash-3.00# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   - testzone         configured /zones/testzone                native   shared

4. Install the zone:

bash-3.00# zoneadm -z testzone install
Preparing to install zone <testzone>.
Creating list of files to copy from the global zone.
Copying <3022> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1459> packages on the zone.
Initialized <1459> packages on zone.
Zone <testzone> is initialized.
The file </zones/testzone/root/var/sadm/system/logs/install_log> contains a log of the zone installation.

5. The status is now installed:

bash-3.00# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   - testzone         installed  /zones/testzone                native   shared

6. Bring the zone to the ready state:

bash-3.00# zoneadm -z testzone ready
bash-3.00# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 testzone         ready      /zones/testzone                native   shared

7. Log in to the zone console with zlogin -C; on the first boot the system-identification dialogue asks for language, locale, terminal type, host name, time zone and root password:

bash-3.00# zlogin -C testzone
[Connected to zone 'testzone' console]
Reading ZFS config: done.
...............................................
Select a Language

  0. English
  1. Japanese
  2. Korean
  3. Simplified Chinese
  4. Traditional Chinese

Please make a choice (0 - 4), or press h or ? for help: 0
..........................................
select a Locale

   0. English (C - 7-bit ASCII)
   1. Bengali, India (UTF-8)
   2. Chinese, Singapore (UTF-8)
   3. English, India (UTF-8)
   4. English, Singapore (UTF-8)
   5. Gujarati, India (UTF-8)
   6. Hindi UTF-8
   7. Indonesian (UTF-8)
   8. Kannada, India (UTF-8)
   9. Malay, Malaysia (UTF-8)
  10. Marathi, India (UTF-8)
  11. Tamil, India (UTF-8)
  12. Telugu, India (UTF-8)
  13. Thai TIS620
  14. Thai UTF-8
  15. Go Back to Previous Screen

Please make a choice (0 - 15), or press h or ? for help: 0
..........................................................
What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT52
 3) DEC VT100
 4) Heathkit 19
 5) Lear Siegler ADM31
 6) PC Console
 7) Sun Command Tool
 8) Sun Workstation
 9) Televideo 910
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return:

You did not enter a selection.
What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT52
 3) DEC VT100
 4) Heathkit 19
 5) Lear Siegler ADM31
 6) PC Console
 7) Sun Command Tool
 8) Sun Workstation
 9) Televideo 910
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return: 1
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses:.
- Host Name --------------------------------------------------------------------
                                                                                  Enter the host name which identifies this system on the network.  The name
  must be unique within your domain; creating a duplicate host name will cause
  problems on the network after you install Solaris.

  A host name must have at least one character; it can contain letters,
  digits, and minus signs (-).


                           Host name
                                     vm-testzone

........................................................................

--------------------------------------------------------------------------------    Esc-2_Continue    Esc-6_Help
- Confirm Information ----------------------------------------------------------
                                                                                  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.



                          Host name: vm-testzone

   Esc-2_Continue    Esc-4_Change    Esc-6_Help
- Time Zone --------------------------------------------------------------------
                                                                                  On this screen you must specify your default time zone.  You can specify a
  time zone in three ways:  select one of the continents or oceans from the
  list, select other - offset from GMT, or other - specify time zone file.

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].



      Continents and Oceans
      ----------------------------------
  -   [ ] Africa
  |   [ ] Americas
  |   [ ] Antarctica
  |   [ ] Arctic Ocean
  |   [X] Asia
  |   [ ] Atlantic Ocean
  |   [ ] Australia
  |   [ ] Europe
  v   [ ] Indian Ocean

--------------------------------------------------------------------------------    Esc-2_Continue    Esc-6_Help
- Country or Region ------------------------------------------------------------
                                                                                  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].



      Countries and Regions
      ------------------------
  ^   [ ] Armenia
  |   [ ] Azerbaijan
  |   [ ] Bahrain
  |   [ ] Bangladesh
  |   [ ] Bhutan
  |   [ ] Brunei
  |   [ ] Cambodia
  |   [ ] China
  |   [ ] Cyprus
  |   [ ] East Timor
  |   [ ] Georgia
  |   [ ] Hong Kong
  v   [X] India

--------------------------------------------------------------------------------    Esc-2_Continue    Esc-6_Help
- Confirm Information ----------------------------------------------------------
                                                                                  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.



                          Time zone: Asia/Calcutta

..............................................
 Esc-2_Continue    Esc-4_Change    Esc-6_Help
- Root Password ----------------------------------------------------------------
                                                                                  Please enter the root password for this system.

  The root password may contain alphanumeric and special characters.  For
  security, the password will not be displayed on the screen as you type it.

  > If you do not want a root password, leave both entries blank.



                     Root password:  ********
                     Root password:  ********


--------------------------------------------------------------------------------    Esc-2_Continue    Esc-6_Help


rebooting system due to change(s) in /etc/default/init


[NOTICE: Zone rebooting]


SunOS Release 5.10 Version Generic_142910-17 32-bit
Copyright (c) 1983, 2010, Oracle and/or its affiliates. All rights reserved.
Hostname: vm-testzone
Reading ZFS config: done.

8. Now assign an IP address to the zone (shared-IP: the zone gets a logical interface on the global zone's e1000g0):

bash-3.00# zonecfg -z testzone
zonecfg:testzone> add net
zonecfg:testzone:net> set address=192.168.1.12
zonecfg:testzone:net> set physical=e1000g0
zonecfg:testzone:net> export
zonecfg:testzone:net> end

zonecfg:testzone> export
create -b
set zonepath=/zones/testzone
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.1.12
set physical=e1000g0
end

The zone's address is now visible from the global zone as a logical interface tagged with the zone name:

bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone testzone
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.11 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:27:fd:ad:b8
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone testzone
        inet 192.168.1.12 netmask ffffff00 broadcast 192.168.1.255


Hope you got a brief idea about zones..

Thank you..


Monday, December 22, 2014

              Procedure to add a new disk in DM multipath 


Device Mapper Multipath (DM-Multipath) has been available since RHEL 5 and provides redundant I/O paths to storage devices. Several physical paths, each made up of an HBA, cables and switches, are configured between the server and the storage array.


DM-Multipath provides the following capabilities:

1. Redundancy

Two configurations are possible, active/active and active/passive. In the first all paths carry I/O at the same time; in the second only one path is used and the others take over when it fails.

2. Improved performance

DM-Multipath can detect the load on the I/O paths and balance traffic across them dynamically.

Almost all SAN arrays are supported. The built-in settings for the supported arrays are listed in the multipath.conf.defaults file; whatever has to be changed for a given array goes into /etc/multipath.conf.


Components required for multipathing

Kernel and user-space components

dm-multipath module - kernel component that reroutes I/O and handles failover between paths and path groups

multipathd daemon - user-space daemon that monitors the paths and acts when needed (marks failed paths, reinstates restored ones)

Configuration files

/etc/multipath.conf - the main configuration file

multipath.conf.defaults - the default file listing all supported SAN arrays. Its location is /usr/share/device-mapper-multipath

kpartx command - derived from the partx tool in the util-linux package; it creates device-mapper mappings for the partitions of any partitioned block device, including non-Linux partition tables, so they can be used with DM-Multipath.

With the architecture covered, here is how to add a new device to a DM-Multipath setup.

1. Rescan for the new LUN on each HBA (host3 and host4 here; use the host numbers of your own HBAs):

echo "- - -" > /sys/class/scsi_host/host3/scan
echo "- - -" > /sys/class/scsi_host/host4/scan

2. If the new disk is still not visible, restart the multipath daemon:

#service multipathd restart

3. Give the new disk an alias in /etc/multipath.conf (silverdisk08 in this case):

multipath {
                wwid                    put the new uuid no. here
                alias                   silverdisk08
                  }

* the WWID of the new disk is shown by multipath -ll once the daemon has been restarted

4. Flush the existing map for the disk so it is rebuilt with the alias (multipath -f takes the map's current name; that is the WWID if the map was created before the alias was added):

#multipath -f silverdisk08

5. Restart the multipath daemon again so the map is recreated under the alias:

#service multipathd restart

6. Create a physical volume on the multipath device:

#pvcreate /dev/mpath/silverdisk08

7. Extend the volume group and file system (or create a new LVM setup, as required). Use the same multipath device node as in pvcreate:

#vgextend datavg /dev/mpath/silverdisk08
#lvextend -L +94G /dev/mapper/datavg-u2ecllv
#resize2fs  /dev/mapper/datavg-u2ecllv


Wednesday, December 17, 2014


                      Root mirroring in solaris-10 using SVM


Root mirroring with Solaris Volume Manager (SVM) gives a Solaris 10 system a redundant boot disk. It also pairs well with Live Upgrade: patches are applied to one boot environment, and if anything goes wrong the system can be booted from the mirrored copy.

Detailed steps
*************
1. First identify the disks to mirror with the format command; below, c0d0 (the running root disk) and c0d1 are available.
***********************************************
bash-3.00# format


Searching for disks...done


AVAILABLE DISK SELECTIONS:
       0. c0d0 <DEFAULT cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0
       1. c0d1 <DEFAULT cyl 2086 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@1,0


Specify disk (enter its number): 0
selecting c0d0
Controller working list found
[disk formatted, defect list found]
Warning: Current Disk has mounted partitions.
/dev/dsk/c0d0s0 is currently mounted on /. Please see umount(1M).
/dev/dsk/c0d0s1 is currently used by swap. Please see swap(1M).


FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        show       - translate a disk address
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> p (press p)


PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> p (press p)
Current partition table (original):
Total disk cylinders available: 2085 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm     820 - 2084        9.69GB    (1265/0/0) 20322225
  1       swap    wu       3 -  133        1.00GB    (131/0/0)   2104515
  2     backup    wm       0 - 2084       15.97GB    (2085/0/0) 33495525
  3 unassigned    wm       0               0         (0/0/0)           0
  4 unassigned    wm       0               0         (0/0/0)           0
  5 unassigned    wm       0               0         (0/0/0)           0
  6 unassigned    wm       0               0         (0/0/0)           0
  7 unassigned    wm       0               0         (0/0/0)           0
  8       boot    wu       0 -    0        7.84MB    (1/0/0)       16065
  9 alternates    wu       1 -    2       15.69MB    (2/0/0)       32130

The table shows slices 3, 4, 5 and 6 as unassigned; any of them can be used (slice 3 is chosen here for an extra file system that will be mirrored as well):

partition> 3
Part      Tag    Flag     Cylinders        Size            Blocks
  3 unassigned    wm       0               0         (0/0/0)           0

Enter partition id tag[unassigned]:
Enter partition permission flags[wm]:
Enter new starting cyl[0]: 134
Enter partition size[0b, 0c, 134e, 0.00mb, 0.00gb]: 3gb
partition> l
Ready to label disk, continue? yes

partition> p
Current partition table (unnamed):
Total disk cylinders available: 2085 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm     820 - 2084        9.69GB    (1265/0/0) 20322225
  1       swap    wu       3 -  133        1.00GB    (131/0/0)   2104515
  2     backup    wm       0 - 2084       15.97GB    (2085/0/0) 33495525
  3 unassigned    wm     134 -  525        3.00GB    (392/0/0)   6297480-------- ( newly created slice) 
  4 unassigned    wm       0               0         (0/0/0)           0
  5 unassigned    wm       0               0         (0/0/0)           0
  6 unassigned    wm       0               0         (0/0/0)           0
  7 unassigned    wm       0               0         (0/0/0)           0
  8       boot    wu       0 -    0        7.84MB    (1/0/0)       16065
  9 alternates    wu       1 -    2       15.69MB    (2/0/0)       32130

2. Copy the partition table of the first disk (c0d0) to the second (c0d1)
******************************************************
#prtvtoc /dev/rdsk/c0d0s2 | fmthard -s - /dev/rdsk/c0d1s2

(slice 2, tagged backup, spans the whole disk, so prtvtoc on s2 dumps the complete VTOC and fmthard writes it unchanged to c0d1)

3. Create the state database replicas on each disk (slice 7 is used here; it must be a small, otherwise unused slice, so create it the same way as slice 3 above if the partition table still shows it with 0 cylinders)
*******************************************************
metadb -afc 3 c0d0s7 c0d1s7

a = add state database replicas
f = force (required when the very first replicas are created, and for HDD0 which is in use)
c = number of replicas per slice

The three replicas on each disk are listed by metadb:

bash-3.00# metadb
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0d0s7
     a    p  luo        8208            8192            /dev/dsk/c0d0s7
     a    p  luo        16400           8192            /dev/dsk/c0d0s7
     a    p  luo        16              8192            /dev/dsk/c0d1s7
     a    p  luo        8208            8192            /dev/dsk/c0d1s7
     a    p  luo        16400           8192            /dev/dsk/c0d1s7

4. Create one-way concatenations (the future submirrors) for each slice
**********************************
HDD0

  metainit -f d100 1 1 c0d0s0
  metainit -f d101 1 1 c0d0s1
  metainit -f d103 1 1 c0d0s3

HDD1


  metainit d200 1 1 c0d1s0
  metainit d201 1 1 c0d1s1
  metainit d203 1 1 c0d1s3

5. Create the mirrors, each with the first disk's submirror only
****************************
  metainit d0 -m d100
  metainit d1 -m d101
  metainit d3 -m d103

6. Run metaroot so the system boots from the root mirror, and edit /etc/vfstab. metaroot rewrites only the root entry (and /etc/system); the swap (d1) and /test1 (d3) entries have to be changed by hand, giving the result below.
********************************************************

 metaroot d0

bash-3.00# cat /etc/vfstab
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/md/dsk/d1  -       -       swap    -       no      -
/dev/md/dsk/d0  /dev/md/rdsk/d0 /       ufs     1       no      -
/devices        -       /devices        devfs   -       no      -
sharefs -       /etc/dfs/sharetab       sharefs -       no      -
ctfs    -       /system/contract        ctfs    -       no      -
objfs   -       /system/object  objfs   -       no      -
swap    -       /tmp    tmpfs   -       yes     -
/dev/md/dsk/d3  /dev/md/rdsk/d3 /test1  ufs     2       yes     -


7. Reboot the server so it comes up on the mirror devices.

8. Attach the second disk's submirrors; the resync starts immediately:

bash-3.00# metattach d0 d200
d0: submirror d200 is attached
bash-3.00# metattach d1 d201
d1: submirror d201 is attached
bash-3.00# metattach d3 d203
d3: submirror d203 is attached

(wait until the resync completes; metastat shows the progress, and the time depends on the size of the file systems)

9. Install GRUB on the mirror disk (c0d1) so the system can also boot from it (x86 Solaris; on SPARC installboot is used instead):

bash-3.00# format
Searching for disks...done


AVAILABLE DISK SELECTIONS:
       0. c0d0 <DEFAULT cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0
       1. c0d1 <DEFAULT cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@1,0


bash-3.00# installgrub /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c0d1s0
stage1 written to partition 0 sector 0 (abs 16065)
stage2 written to partition 0, 273 sectors starting at 50 (abs 16115)

10. Boot from c0d1 and check the mirror status with metastat.


Monday, October 21, 2013

Changing the HDD in netapp and assign the same as spare

Sometimes an HDD fails in a NetApp filer. A spare takes over the role of the failed disk in the RAID 4 group, and the system then raises "Not enough spare disks". The failed HDD has to be replaced with a new one of the same size and make as the original.


In the ONTAP GUI the failed HDD shows as broken (0c.00.6).
 
First remove the faulty HDD from the configuration:


#disk remove -w 0c.00.06


Then identify the physical disk in the rack (its activity light is off) and pull it from the shelf.


Insert the new HDD in the same slot and wait until its light turns green.


Then run the commands below on the console (ssh or telnet):


#priv set advanced


# disk assign 0c.00.06 -s unowned -f


The disk is now unowned (orphan state); next assign it as a spare:


#disk unfail -s 0c.00.06


In the GUI the disk that was in orphan state now shows as a spare of the same controller.


(in the case below it was 0c.00.2)




Tuesday, April 9, 2013

                         MySQL hardening script 


MySQL has become the world's most popular open-source database because of its consistent performance, reliability and ease of use. The script below applies some best-practice steps that reduce the attack surface of a MySQL installation: accounts without passwords, the anonymous account, and administrative privileges granted to ordinary users.
******************************************************************************
#!/bin/bash
#########################  Mysql hardening script  #########################
# Author: ratheeshvasudevan
# Target: MySQL 5.0/5.1/5.5 on RHEL/CentOS (mysql.user still has a 'password'
# column and PASSWORD() is available). Run as root. Findings are written to
# /tmp/mysqlhardening.txt; options added to /etc/my.cnf need a mysqld restart.
############################################################################

REPORT=/tmp/mysqlhardening.txt
MYCNF=/etc/my.cnf
umask 077                       # report and credential file readable by root only
: > "$REPORT"
log() { echo "$*" >> "$REPORT"; }

# Read the root password without echoing it and hand it to the client through a
# temporary option file, so it never shows up in "ps" or /proc/*/cmdline.
# (The value is double-quoted for the option-file parser; a password containing
# a double quote would need escaping.)
read -s -p "Enter mysql root password: " mysqlpass; echo
CREDS=$(mktemp /tmp/.mysqlharden.XXXXXX) || exit 1
trap 'rm -f "$CREDS"' EXIT
printf '[client]\nuser=root\npassword="%s"\n' "$mysqlpass" > "$CREDS"

# mq STATEMENT: run one statement in batch mode (-B) without column headers (-N)
mq() { mysql --defaults-extra-file="$CREDS" -BN -Dmysql -e "$1"; }
mq "select 1" > /dev/null || { echo "Cannot connect to MySQL as root"; exit 1; }

# Anonymous accounts (empty user name) can be used by anyone who reaches the socket or port.
mq "delete from mysql.user where user=''" && log "Anonymous account is removed"

# Accounts without a password get a random one each, recorded in the report so the
# owner can rotate it; a fixed shared password would undo the hardening.
empty=$(mq "select count(*) from mysql.user where password='' or password is null")
if [ "$empty" -eq 0 ]; then
    log "Already password is configured for all users"
else
    mq "select user,host from mysql.user where password='' or password is null" |
    while IFS=$'\t' read -r u h; do
        newpass=$(openssl rand -base64 18)
        mq "update mysql.user set password=PASSWORD('$newpass') where user='$u' and host='$h'"
        log "password for '$u'@'$h' was empty; set to $newpass (change it)"
    done
fi

# revoke_priv COLUMN LABEL: take a global administrative privilege away from
# every row of mysql.user except root's.
revoke_priv() {
    local col=$1 label=$2 n
    n=$(mq "select count(*) from mysql.user where $col='Y' and user<>'root'")
    if [ "$n" -eq 0 ]; then
        log "No non admin users with $label privileges"
    else
        mq "update mysql.user set $col='N' where $col='Y' and user<>'root'"
        log "Removed $label privileges from $n non admin account(s)"
    fi
}
revoke_priv Shutdown_priv    shutdown
revoke_priv Create_user_priv "create user"
revoke_priv Reload_priv      reload
revoke_priv Grant_priv       GRANT
revoke_priv Show_db_priv     "show databases"

# set_mysqld_option NAME [VALUE]: add an option under [mysqld] in my.cnf unless it
# is already there. MySQL treats '-' and '_' in option names as equivalent.
set_mysqld_option() {
    local key
    key=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    grep -q '^\[mysqld\]' "$MYCNF" || printf '\n[mysqld]\n' >> "$MYCNF"
    if ! sed -n '/^\[mysqld\]/,/^\[/p' "$MYCNF" |
         grep -qE "^[[:space:]]*$key([[:space:]]*=|[[:space:]]*$)"; then
        sed -i "/^\[mysqld\]/a ${1}${2:+=$2}" "$MYCNF"
        log "added '${1}${2:+=$2}' under [mysqld] in $MYCNF (restart required)"
    fi
}

# old_passwords selects the weak pre-4.1 16-byte hash for new passwords.
if [ "$(mq "select @@global.old_passwords")" != "0" ]; then
    mq "set global old_passwords=0"
    log "old_password is set to OFF"
else
    log "Old password hashing is disabled already"
fi
# make sure my.cnf does not switch it back on at the next restart
sed -i '/^\[mysqld\]/,/^\[/ s/^\([[:space:]]*old[-_]passwords\)/#\1/' "$MYCNF"

# secure_auth refuses clients that authenticate with the pre-4.1 hash.
if [ "$(mq "select @@global.secure_auth")" != "1" ]; then
    mq "set global secure_auth=1"
    log "secure_auth enabled on the running server"
else
    log "secure_auth is already configured in this DB"
fi
set_mysqld_option secure-auth

# skip-grant-tables switches authentication off entirely. It is a startup option,
# not a system variable, so check my.cnf and the running server's command line.
if grep -qE '^[[:space:]]*skip[-_]grant[-_]tables' "$MYCNF"; then
    sed -i 's/^\([[:space:]]*skip[-_]grant[-_]tables\)/#\1/' "$MYCNF"
    log "skip-grant-tables commented out in $MYCNF (restart required)"
else
    log "Grant tables option is already disabled in this DB"
fi
if ps -o args= -C mysqld 2>/dev/null | grep -q 'skip-grant-tables'; then
    log "WARNING: running mysqld was started with --skip-grant-tables; restart it"
fi

# MERGE tables let a user read the underlying MyISAM tables without holding
# privileges on them; disable the engine.
merge=$(mq "select support from information_schema.engines where engine='MRG_MYISAM'" 2>/dev/null)
[ -n "$merge" ] || merge=$(mq "select @@global.have_merge_engine" 2>/dev/null)
case $merge in
    YES|DEFAULT|ENABLED) set_mysqld_option skip-merge
                         log "merge engine will be disabled (restart required)" ;;
    *) log "merge option is already disabled in this DB" ;;
esac

# A plaintext password in the [client] section of my.cnf logs in anyone who can
# read the file; only lines inside that section are touched.
if sed -n '/^\[client\]/,/^\[/p' "$MYCNF" | grep -qE '^[[:space:]]*password[[:space:]]*='; then
    sed -i '/^\[client\]/,/^\[/ s/^\([[:space:]]*password[[:space:]]*=\)/#\1/' "$MYCNF"
    log "Client password commented out in $MYCNF"
else
    log "Client password is not enabled in this DB"
fi

# The mysql service account needs no login shell.
shell=$(getent passwd mysql | cut -d: -f7)
case $shell in
    "")                       log "no local mysql user found" ;;
    /sbin/nologin|/bin/false) log "interactive login is already disabled" ;;
    *) usermod -s /sbin/nologin mysql
       log "interactive login is disabled for mysql user" ;;
esac

# Data directory: owned by mysql, mode 755. On RHEL the client socket (mysql.sock)
# lives inside datadir, so dropping the execute bit for others would lock local
# clients out; the table files under it are created 660 by mysqld.
datadir=$(mq "select @@global.datadir")
if [ "$(stat -c '%U:%a' "$datadir")" = "mysql:755" ]; then
    log "permission is already set for datadir"
else
    chown mysql:mysql "$datadir" && chmod 755 "$datadir"
    log "owner/permission reset to mysql:755 for datadir $datadir"
fi

# Configuration file: root-owned and writable by root only.
if [ "$(stat -c '%U:%a' "$MYCNF")" = "root:644" ]; then
    log "configuration file permission is already set for this DB"
else
    chown root:root "$MYCNF" && chmod 644 "$MYCNF"
    log "Configuration file permission is set to root:644"
fi

# The test database ships with grants for everyone on 'test' and 'test\_%' in
# mysql.db; drop the database and those grants.
if [ -n "$(mq "show databases like 'test'")" ]; then
    mq "drop database test" && log "test database is successfully removed"
else
    log "test database is not available in this DB"
fi
mq "delete from mysql.db where db='test' or db like 'test\\_%'"
mq "flush privileges"

echo "Hardening of MysqlDB is completed for this server. Please check $REPORT for details"
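The option-file items the script above edits (skip-grant-tables, old_passwords, secure-auth, skip-merge and a plaintext password in the [client] section) can also be audited offline on a copy of my.cnf, for example before and after a run. The following function does that. It is an added example for this page, not part of the original script; the two sample configurations written by write_sample_cnf are constructed test data, and the severity labels are the editor's own ranking.

```shell
#!/bin/sh
# audit_mycnf: offline check of a my.cnf for the settings the hardening script
# above changes. Added example for this page, not part of the original script.
# The two sample configurations written by write_sample_cnf are constructed data.

# section_body FILE SECTION: active lines of [SECTION] (comments, blank lines and
# the header itself removed); prints nothing when the section is missing.
section_body() {
    sed -n "/^[[:space:]]*\[$2][[:space:]]*\$/,/^[[:space:]]*\[/p" "$1" |
        grep -vE '^[[:space:]]*(#|;|\[|$)' || true
}

# has TEXT REGEX: true when some line of TEXT matches REGEX
has() { printf '%s\n' "$1" | grep -qE "$2"; }

# audit_mycnf FILE: one line per finding, then "<n> finding(s)"; always exits 0
audit_mycnf() {
    local f=$1 n=0 mysqld client
    mysqld=$(section_body "$f" mysqld)
    client=$(section_body "$f" client)

    if has "$mysqld" '^[[:space:]]*skip[-_]grant[-_]tables'; then
        echo "CRITICAL: [mysqld] skip-grant-tables turns authentication off"; n=$((n+1))
    fi
    # "old_passwords" alone, or set to 1/ON, selects the weak pre-4.1 hash
    if has "$mysqld" '^[[:space:]]*old[-_]passwords([[:space:]]*=[[:space:]]*(1|ON))?[[:space:]]*$'; then
        echo "HIGH: [mysqld] old_passwords enabled; new passwords get the 16-byte hash"; n=$((n+1))
    fi
    if ! has "$mysqld" '^[[:space:]]*secure[-_]auth'; then
        echo "MEDIUM: [mysqld] secure-auth missing; clients may still use the legacy hash"; n=$((n+1))
    fi
    if ! has "$mysqld" '^[[:space:]]*skip[-_]merge'; then
        echo "LOW: [mysqld] skip-merge missing; MERGE tables can read ungranted MyISAM tables"; n=$((n+1))
    fi
    if has "$client" '^[[:space:]]*password[[:space:]]*='; then
        echo "HIGH: [client] plaintext password; anyone who can read the file can log in"; n=$((n+1))
    fi
    echo "$n finding(s)"
    return 0
}

# write_sample_cnf FILE weak|hardened: constructed configs for the demonstration
write_sample_cnf() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
[client]
user = root
password = s3cret

[mysqld]
datadir = /var/lib/mysql
skip-grant-tables
old_passwords = 1
# secure-auth
EOF
    else
        cat > "$1" <<'EOF'
[client]
user = root
#password = s3cret

[mysqld]
datadir = /var/lib/mysql
#skip-grant-tables
old_passwords = 0
secure-auth
skip-merge
EOF
    fi
}

# Demonstration: the weak config yields 5 findings, the hardened one none.
demo=$(mktemp) && {
    write_sample_cnf "$demo" weak;     audit_mycnf "$demo"
    write_sample_cnf "$demo" hardened; audit_mycnf "$demo"
    rm -f "$demo"
}
```

The checks only look at the active lines of each section, so a commented-out `#secure-auth` counts as missing and a `password=` line under [mysqld] is not mistaken for a client password. Run it against a copy of the real file (`audit_mycnf /etc/my.cnf`) before and after the hardening script to see what changed on disk; what the running server was actually started with is a separate question, which is why the script also inspects the mysqld command line.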


Thursday, January 17, 2013

                               Oracle Start up script 


Usually an Oracle database is started or stopped by logging in to the instance as sysdba and issuing "startup" and "shutdown immediate". The script below wraps that in an /etc/init.d/ service, so the listener, the database and dbconsole can be started, stopped and restarted with the usual service commands, and "status" reports the PIDs of the running listener and instance.

Sample script 
*********************************************************************************
#!/bin/bash
# chkconfig: 35 95 1
# description: init script to start/stop the Oracle database instance, TNS listener and dbconsole
#
#
# match these values to your environment:
export ORACLE_BASE=/oracle
export ORACLE_HOME=/oracle/product/11.2.0/dbhome_1
export OH=$ORACLE_HOME
export JAVA_HOME=$OH/jdk
export PATH=$OH/bin:$JAVA_HOME/bin:$PATH
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
export ORACLE_SID=MBDB
export ORACLE_USER=oracle

# "su -" gives the oracle user a fresh login environment, so the settings above are
# re-exported inside the here-documents (they are unquoted, so $ORACLE_HOME etc. are
# expanded by this script before su sees them).
ORAENV="export ORACLE_BASE=$ORACLE_BASE ORACLE_HOME=$ORACLE_HOME ORACLE_SID=$ORACLE_SID JAVA_HOME=$JAVA_HOME PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH"

# see how we are called:
case $1 in
    start)
    echo "Starting Oracle database ..."
    su - "$ORACLE_USER" <<EOO
$ORAENV
lsnrctl start
sqlplus /nolog <<EOS
connect / as sysdba
startup
EOS
emctl start dbconsole
EOO
    ;;

    stop)
    echo "Stopping Oracle database ..."
    su - "$ORACLE_USER" <<EOO
$ORAENV
emctl stop dbconsole
sqlplus /nolog <<EOS
connect / as sysdba
shutdown immediate
EOS
lsnrctl stop
EOO
    ;;

    restart)
    $0 stop
    $0 start
    ;;

    status)
    # Look for the listener and the instance's pmon process by name; a plain
    # "ps -ef | grep oracle" also matches the grep itself and unrelated processes,
    # and '[ "$a" > 0 ]' would be a redirection, not a comparison.
    lsnr=$(pgrep -u "$ORACLE_USER" -f tnslsnr | head -1)
    pmon=$(pgrep -u "$ORACLE_USER" -f "ora_pmon_$ORACLE_SID" | head -1)
    if [ -n "$lsnr" ] && [ -n "$pmon" ]; then
        echo "Oracle is working fine: listener pid $lsnr, $ORACLE_SID pmon pid $pmon"
    else
        [ -n "$lsnr" ] || echo "Oracle listener is not running"
        [ -n "$pmon" ] || echo "Oracle instance $ORACLE_SID is not running"
        exit 3
    fi
    ;;

    *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 2
    ;;
esac
*********************************************************************************

Startup output

stop output

status

This script is useful when Oracle runs in HA (High Availability) setups, where the cluster software needs one start/stop/status entry point for the database.