Come on, here we can answer your questions.
HARDWARE
This section is empty.
Topic: Router Configuration
Date: 20.10.2012
Subject: Do you have any questions about configuring a router or switch?
Topic: Sun Solaris (Unix) Configuration
Date: 21.11.2012
Subject: Solaris Web Admin
The Administration Tool (admintool) existed in Solaris 9 and, starting with Solaris 10, was replaced by the Solaris Management Console (SMC).
Normally there is no link or icon to that console, but you can access it from the graphical environment by opening a terminal and running
# /usr/sbin/smc
You will probably have to do an initial configuration, but after that it is simple.
The other option would be to enable webmin.
From a terminal, run as root:
# /usr/sfw/lib/webmin/setup.sh
# svcadm enable webmin
Then access it from a web browser pointing at https://localhost:10000
Date: 21.11.2012
Subject: Simple command to empty a log file
cat /dev/null > mail.log
Date: 21.11.2012
Subject: Hardening Solaris 5.9
Good day. If you want more security for your server, I can share some information to make it more secure.
ivanc100@hotmail.com
Date: 21.11.2012
Subject: Re: Hardening Solaris 5.9
Here is my first contribution to this blog: a script to verify the security configuration of your Solaris OS.
#!/bin/ksh
##################################################
# Script to verify the security standard
# on the Solaris operating system
##################################################
OS=`/usr/bin/uname -s`
hostname=`/usr/bin/uname -n`
dir_ip=`ifconfig -a| grep inet |grep -v 127.0.0.1 | awk '{print $2}'|tail -1`
fecha=`date`
script_revision(){
# Check that the script is being run by root
if [ -f /usr/ucb/whoami ]; then
ID=$(/usr/ucb/whoami)
if [ "$ID" != "root" ]; then
echo "\nERROR: $ID, debes ser root para ejecutar este programa."
exit 1
fi
else
# /usr/bin/id prints "uid=0(root) gid=0(root)" for root; compare the first field directly
ID=$(/usr/bin/id | cut -d " " -f1)
if [ "$ID" != "uid=0(root)" ]; then
echo "\nERROR: $ID, debes ser root para ejecutar este programa."
exit 1
fi
fi
#
# Checking the operating system version
#
if [ ! "$OS" = "SunOS" ]; then
echo "\nERROR: Este Programa solo trabaja bajo SunOS.\n"
exit 1
fi
#
# Main
#
echo "\nREPORTE:\n========\n"
echo "Nombre del Servidor: $hostname\n"
echo "IP del Servidor: $dir_ip\n"
echo "Timestamp: $fecha\n"
echo "Revision de estandar UNIX Solaris\n"
echo "Script version 2.16\n"
echo "==========================================================================================="
echo
echo "1. Cierre de Puertos"
echo
version=`uname -r`
for i in cachefs chargen cmsd comsat daytime discard dtspc echo exec finger fs ftp gssd krb5_prop kcms ktkt_warn login metad metamhd metamedd name netstat ocfserv pop2 pop3 printer rexd rquota rstatd rusers sadmin shell smserverd smtp snmp sprayd systat talk telnet tftp time ttdbserverd ufsd uucp walld
do
case $version in
5.8|5.9)
servicio=`grep -w $i /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g' | grep -v ^\#| cut -f1`
servicio1=`grep -w $i /etc/inetd.conf|egrep 'stream|dgram'|grep -v ^\#`
if [ -n "$servicio" ]
then
echo "$i NOK"
echo $servicio1
else
echo "$i OK"
fi
;;
5.10)
servicio=`svcs |grep -w $i | grep online | egrep -v "console-login|name-service-cache"`
if [ -n "$servicio" ]
then
echo "$i NOK"
echo $servicio
else
echo "$i OK"
fi
;;
esac
done
echo
echo "==========================================================================================="
echo
echo "2. Logs de FTP"
echo
version=`uname -r`
case $version in
5.8|5.9)
servicio_ftp=`grep -w ftp /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g' | grep -v ^\#| cut -f1`
if [ -n "$servicio_ftp" ]
then
log_ftp=`grep -w ftp /etc/inetd.conf | grep tcp | egrep "\-l|\-la|\-al|\-ld|\-dl"`
log_ftp1=`grep -w ftp /etc/inetd.conf | grep tcp`
if [ -n "$log_ftp" ]
then
echo "log_ftp OK"
else
echo "log_ftp NOK"
echo $log_ftp1
fi
else
echo "log_ftp OK"
echo "Deshabilitado servicio FTP"
fi
;;
5.10)
servicio_ftp=`inetadm | grep -w ftp | grep enabled`
if [ -n "$servicio_ftp" ]
then
log_ftp=`grep -w log /etc/ftpd/ftpaccess | grep -w transfers |sed -e 's/ //g' | grep -v ^\#`
log_ftp1=`grep -w log /etc/ftpd/ftpaccess | grep -w transfers`
if [ -n "$log_ftp" ]
then
echo "log_ftp OK"
else
echo "log_ftp NOK"
echo $log_ftp1
fi
else
echo "log_ftp OK"
echo "Deshabilitado servicio FTP"
fi
;;
esac
echo
echo "==========================================================================================="
echo
echo "3. Archivo ftpusers"
echo
version=`uname -r`
case $version in
5.8) archivo_ftp=/etc/ftpusers
servicio_ftp=`grep ftp /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g' | grep -v ^\#| cut -f1`
;;
5.9) archivo_ftp=/etc/ftpd/ftpusers
servicio_ftp=`grep ftp /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g' | grep -v ^\#| cut -f1`
;;
5.10) archivo_ftp=/etc/ftpd/ftpusers
servicio_ftp=`inetadm | grep -w ftp | grep enabled`
;;
esac
if [ -n "$servicio_ftp" ]
then
if [ -f "$archivo_ftp" ]
then
tamano=`wc -l $archivo_ftp | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
for i in root daemon bin sys adm lp uucp nuucp smmsp listen nobody noaccess nobody4
do
echo "$i NOK"
echo "$i No existe informacion en el archivo $archivo_ftp"
done
else
for i in root daemon bin sys adm lp uucp nuucp smmsp listen nobody noaccess nobody4
do
usr_ftp=`grep -w $i $archivo_ftp|sed -e 's/ //g'|grep -v ^\#`
usr_ftp1=`grep -w $i $archivo_ftp`
if [ -n "$usr_ftp" ]
then
echo "$i OK"
else
echo "$i NOK"
if [ -n "$usr_ftp1" ]
then
echo $usr_ftp1
else
echo $i no esta en el archivo $archivo_ftp
fi
fi
done
fi
else
for i in root daemon bin sys adm lp uucp nuucp smmsp listen nobody noaccess nobody4
do
echo "$i NOK"
echo "$i No existe el archivo $archivo_ftp"
done
fi
else
for i in root daemon bin sys adm lp uucp nuucp smmsp listen nobody noaccess nobody4
do
echo "$i OK"
echo "Deshabilitado servicio FTP"
done
fi
echo
echo "==========================================================================================="
echo
echo "4. Archivos .netrc"
echo
version=`uname -r`
val_si=0
case $version in
5.8|5.9)
servicio_ftp=`grep -w ftp /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g' | grep -v ^\#| cut -f1`
if [ -n "$servicio_ftp" ]
then
val_netrc=`cat /etc/passwd | egrep -v "^daemon|^bin|^sys|^adm|^lp|^uucp|^nuucp|^smmsp|^listen|^gdm|^webservd|^nobody|^noaccess|^nobody4"|sed -e 's/ //g' | grep -v ^\#|cut -d: -f1`
case $val_netrc in
root) if [ -f /.netrc ]; then val_si=1; fi;;
*) for i in $val_netrc
do
arch_netrc=`grep $i /etc/passwd | cut -d: -f6|grep -v root`
if [ -f $arch_netrc/.netrc ]
then
val_si=`expr $val_si + 1`
echo $arch_netrc/.netrc
fi
done
;;
esac
case $val_si in
0) echo netrc OK ;;
*) echo netrc NOK ;;
esac
else
echo "netrc OK"
echo "Deshabilitado servicio FTP"
fi
;;
5.10)
servicio_ftp=`inetadm | grep -w ftp | grep enabled`
if [ -n "$servicio_ftp" ]
then
val_netrc=`cat /etc/passwd | egrep -v "^daemon|^bin|^sys|^adm|^lp|^uucp|^nuucp|^smmsp|^listen|^gdm|^webservd|^nobody|^noaccess|^nobody4|^root"|sed -e 's/ //g' | grep -v ^\#|cut -d: -f1`
case $val_netrc in
root) if [ -f /.netrc ]; then val_si=1; fi;;
*) for i in $val_netrc
do
arch_netrc=`grep $i /etc/passwd | cut -d: -f6`
if [ -f $arch_netrc/.netrc ]
then
val_si=`expr $val_si + 1`
echo $arch_netrc/.netrc
fi
done
;;
esac
case $val_si in
0) echo netrc OK ;;
*) echo netrc NOK ;;
esac
else
echo "netrc OK"
echo "Deshabilitado servicio FTP"
fi
;;
esac
echo
echo "==========================================================================================="
echo
echo "5. Shells validos"
echo
if [ -f /etc/shells ]
then
tamano=`wc -l /etc/shells | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
for i in sh csh ksh bash false
do
echo "$i NOK"
echo "$i No existe informacion en el archivo /etc/shells"
done
else
for i in sh bash ksh false tcsh csh
do
count=0
val_shell=`grep -w $i /etc/shells|sed -e 's/ //g' | grep -v ^\#`
for j in `grep -w $i /etc/shells|sed -e 's/ //g' | grep -v ^\#`
do
if [ -f "$j" ]
then
count=`expr $count + 1`
else
count=`expr $count + 0`
fi
done
case $count in
0) echo $i NOK
if [ -n "$val_shell" ]
then
echo ruta mal definida del shell $i $val_shell
else
echo el shell $i no esta definido
fi;;
*) echo $i OK ;;
esac
done
fi
else
for i in sh bash ksh false tcsh csh
do
echo "$i NOK"
echo "$i No existe el archivo /etc/shells"
done
fi
echo
echo "==========================================================================================="
echo
echo "6. Ataques por desbordamiento de buffer"
echo
if [ -f /etc/system ]
then
tamano=`wc -l /etc/system | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "noexec_user_stack NOK"
echo "noexec_user_stack no existe informacion en el archivo /etc/system"
echo "noexec_user_stack_log NOK"
echo "noexec_user_stack_log no existe informacion en el archivo /etc/system"
else
valor_nus=`grep -w noexec_user_stack /etc/system|grep -v noexec_user_stack_log|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
valor_nus1=`grep -w noexec_user_stack /etc/system|grep -v noexec_user_stack_log`
valor_nusl=`grep -w noexec_user_stack_log /etc/system |sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
valor_nusl1=`grep -w noexec_user_stack_log /etc/system`
case $valor_nus in
1) echo "noexec_user_stack OK" ;;
*) echo "noexec_user_stack NOK"
echo $valor_nus1 ;;
esac
case $valor_nusl in
1) echo "noexec_user_stack_log OK" ;;
*) echo "noexec_user_stack_log NOK"
echo $valor_nusl1 ;;
esac
fi
else
echo "noexec_user_stack NOK"
echo "noexec_user_stack no existe el archivo /etc/system"
echo "noexec_user_stack_log NOK"
echo "noexec_user_stack_log no existe el archivo /etc/system"
fi
echo
echo "==========================================================================================="
echo
echo "7. Reforzar secuencia Inicial de TCP"
echo
if [ -f /etc/default/inetinit ]
then
tamano=`wc -l /etc/default/inetinit | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "tcp_strong_iss NOK"
echo "tcp_strong_iss no contiene informacion el archivo /etc/default/inetinit"
else
val_TS=`grep -w TCP_STRONG_ISS /etc/default/inetinit |sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
val_TS1=`grep -w TCP_STRONG_ISS /etc/default/inetinit|egrep -v "sequence|Set"`
case $val_TS in
2) echo "tcp_strong_iss OK" ;;
*) echo "tcp_strong_iss NOK"
echo $val_TS1 ;;
esac
fi
else
echo "tcp_strong_iss NOK"
echo "tcp_strong_iss no existe el archivo /etc/default/inetinit"
fi
echo
echo "==========================================================================================="
echo
echo "8. Afinar Stack de TCP/IP"
echo
val_rteb=`/usr/sbin/ndd /dev/ip ip_respond_to_echo_broadcast`
if [ -n "$val_rteb" ]
then
case $val_rteb in
0) echo "ip_respond_to_echo_broadcast OK";;
*) echo "ip_respond_to_echo_broadcast NOK"
echo ip_respond_to_echo_broadcast $val_rteb no corresponde al estandar ;;
esac
else
echo "ip_respond_to_echo_broadcast NOK"
echo ip_respond_to_echo_broadcast $val_rteb no tiene un valor defindo
fi
val_ifdb=`/usr/sbin/ndd /dev/ip ip_forward_directed_broadcasts`
if [ -n "$val_ifdb" ]
then
case $val_ifdb in
0) echo "ip_forward_directed_broadcasts OK";;
*) echo "ip_forward_directed_broadcasts NOK"
echo ip_forward_directed_broadcasts $val_ifdb no corresponde al estandar;;
esac
else
echo "ip_forward_directed_broadcasts NOK"
echo ip_forward_directed_broadcasts $val_ifdb no tiene un valor defindo
fi
val_isdm=`/usr/sbin/ndd /dev/ip ip_strict_dst_multihoming`
if [ -n "$val_isdm" ]
then
case $val_isdm in
1) echo "ip_strict_dst_multihoming OK";;
*) echo "ip_strict_dst_multihoming NOK"
echo ip_strict_dst_multihoming $val_isdm no corresponde al estandar;;
esac
else
echo "ip_strict_dst_multihoming NOK"
echo ip_strict_dst_multihoming $val_isdm no tiene un valor defindo
fi
val_iir=`/usr/sbin/ndd /dev/ip ip_ignore_redirect`
if [ -n "$val_iir" ]
then
case $val_iir in
1) echo "ip_ignore_redirect OK";;
*) echo "ip_ignore_redirect NOK"
echo ip_ignore_redirect $val_iir no corresponde al estandar;;
esac
else
echo "ip_ignore_redirect NOK"
echo ip_ignore_redirect $val_iir no tiene un valor defindo
fi
val_ifor=`/usr/sbin/ndd /dev/ip ip_forwarding`
if [ -n "$val_ifor" ]
then
case $val_ifor in
0) echo "ip_forwarding OK";;
*) echo "ip_forwarding NOK"
echo ip_forwarding $val_ifor no corresponde al estandar;;
esac
else
echo "ip_forwarding NOK"
echo ip_forwarding $val_ifor no tiene un valor defindo
fi
val_ifsr=`/usr/sbin/ndd /dev/ip ip_forward_src_routed`
if [ -n "$val_ifsr" ]
then
case $val_ifsr in
0) echo "ip_forward_src_routed OK";;
*) echo "ip_forward_src_routed NOK"
echo ip_forward_src_routed $val_ifsr no corresponde al estandar;;
esac
else
echo "ip_forward_src_routed NOK"
echo ip_forward_src_routed $val_ifsr no tiene un valor defindo
fi
val_iiai=`/usr/sbin/ndd /dev/ip ip_ire_arp_interval`
if [ -n "$val_iiai" ]
then
case $val_iiai in
60000) echo "ip_ire_arp_interval OK";;
*) echo "ip_ire_arp_interval NOK"
echo ip_ire_arp_interval $val_iiai no corresponde al estandar;;
esac
else
echo "ip_ire_arp_interval NOK"
echo ip_ire_arp_interval $val_iiai no tiene un valor defindo
fi
val_aci=`/usr/sbin/ndd /dev/arp arp_cleanup_interval`
if [ -n "$val_aci" ]
then
case $val_aci in
60000) echo "arp_cleanup_interval OK";;
*) echo "arp_cleanup_interval NOK"
echo arp_cleanup_interval $val_aci no corresponde al estandar;;
esac
else
echo "arp_cleanup_interval NOK"
echo arp_cleanup_interval $val_aci no tiene un valor defindo
fi
val_irtt=`/usr/sbin/ndd /dev/ip ip_respond_to_timestamp`
if [ -n "$val_irtt" ]
then
case $val_irtt in
0) echo "ip_respond_to_timestamp OK";;
*) echo "ip_respond_to_timestamp NOK"
echo ip_respond_to_timestamp $val_irtt no corresponde al estandar;;
esac
else
echo "ip_respond_to_timestamp NOK"
echo ip_respond_to_timestamp $val_irtt no tiene un valor defindo
fi
val_irttb=`/usr/sbin/ndd /dev/ip ip_respond_to_timestamp_broadcast`
if [ -n "$val_irttb" ]
then
case $val_irttb in
0) echo "ip_respond_to_timestamp_broadcast OK";;
*) echo "ip_respond_to_timestamp_broadcast NOK"
echo ip_respond_to_timestamp_broadcast $val_irttb no corresponde al estandar;;
esac
else
echo "ip_respond_to_timestamp_broadcast NOK"
echo ip_respond_to_timestamp_broadcast $val_irttb no tiene un valor defindo
fi
echo
echo "==========================================================================================="
echo
echo "9. Run control Scripts"
echo
version=`uname -r`
case $version in
5.8|5.9)
for i in S13kdc.master S14kdc S15nfs.server S34dhcp S71rpc S71ldap.client S72directory S73nfs.client S74autofs S76snmpdx S80lp S80spc S88sendmail S42ncakmod S90samba S99dtlogin S50apache
do
servicio=`ls /etc/rc1.d /etc/rc2.d /etc/rc3.d| grep $i | grep ^S`
if [ -n "$servicio" ]
then
echo "$i NOK"
echo $servicio activo
else
echo "$i OK"
fi
done
for i in S10lu S16boot.server S20sysetup S40llc2 S47pppd S52imq S70sckm S70uucp S72autoinstall S73cachefs.daemon S74capture_uptime S75seaport S76snmpdx S77dmi S80mipagent S81dodatadm.udaplt S81volmgt S82initsma S84appserv S89bdconfig S89PRESERVE S90wbem S90webconsole S91afbinit S91gfbinit S91ifbinit S91jfbinit S91zuluinit S94ncalogd S95cst S98deallocate S99audit S99reboot_config_pvr_runner S99reboot_runner
do
echo $i ND
done
;;
5.10)
for i in S13kdc.master S14kdc S15nfs.server S34dhcp S71rpc S71ldap.client S72directory S73nfs.client S74autofs S76snmpdx S80lp S80spc S88sendmail
do
echo $i ND
done
for i in S42ncakmod S90samba S99dtlogin S50apache S10lu S16boot.server S20sysetup S40llc2 S47pppd S52imq S70sckm S70uucp S72autoinstall S73cachefs.daemon S74capture_uptime S75seaport S76snmpdx S77dmi S80mipagent S81dodatadm.udaplt S81volmgt S82initsma S84appserv S89bdconfig S89PRESERVE S90wbem S90webconsole S91afbinit S91gfbinit S91ifbinit S91jfbinit S91zuluinit S94ncalogd S95cst S98deallocate S99audit S99reboot_config_pvr_runner S99reboot_runner
do
servicio=`ls /etc/rc1.d /etc/rc2.d /etc/rc3.d| grep $i | grep ^S`
if [ -n "$servicio" ]
then
echo "$i NOK"
echo $servicio activo
else
echo "$i OK"
fi
done
;;
esac
echo
echo "==========================================================================================="
echo
echo "10. Banner de login"
echo
if [ -f /etc/issue ]
then
tamano=`wc -l /etc/issue | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "issue OK"
else
mensaje_issue=`egrep "Sun Microsystems|SunOS" /etc/issue`
if [ -n "$mensaje_issue" ]
then
echo "issue NOK"
cat /etc/issue
else
echo "issue OK"
fi
fi
else
echo "issue OK"
fi
if [ -f /etc/motd ]
then
tamano=`wc -l /etc/motd | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "motd OK"
else
mensaje_motd=`grep "EL USO DE ESTE SISTEMA ES EXCLUSIVO PARA LOS FINES AUTORIZADOS POR RADIOMOVIL DIPSA S.A DE C.V. Y ESTA SUJETO A SER AUDITADO EN CUALQUIER MOMENTO. TODA LA INFORMACION AQUI MANEJADA TIENE CARACTER DE CONFIDENCIAL." /etc/motd`
if [ -n "$mensaje_motd" ]
then
echo "motd OK"
else
echo "motd NOK"
cat /etc/motd
fi
fi
else
echo "motd OK"
fi
version=`uname -r`
case $version in
5.8|5.9) archivo_telnetd=/etc/default/telnetd;;
5.10) archivo_telnetd=/etc/telnetd ;;
esac
if [ -f $archivo_telnetd ]
then
tamano=`wc -l $archivo_telnetd | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "telnetd OK"
else
mensaje_telnetd=`grep "Acceso solo a usuarios autorizados. Los accesos son monitoreados" $archivo_telnetd`
if [ -n "$mensaje_telnetd" ]
then
echo "telnetd OK"
else
echo "telnetd NOK"
cat $archivo_telnetd
fi
fi
else
echo "telnetd OK"
fi
echo
echo "==========================================================================================="
echo
echo "11. Seguridad en accesos"
echo
if [ -f /etc/default/login ]
then
tamano=`wc -l /etc/default/login | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
for i in SYSLOG SLEEPTIME RETRIES SYSLOG_FAILED_LOGINS
do
echo $i NOK
echo $i el archivo /etc/default/login no contiene informacion
done
else
val_syslog=`grep SYSLOG /etc/default/login|sed -e 's/ //g'|grep -v ^\#|grep -v SYSLOG_FAILED_LOGINS|cut -d"=" -f2`
val_syslog1=`grep SYSLOG /etc/default/login|grep -v SYSLOG_FAILED_LOGINS|grep -v determines`
case $val_syslog in
YES|yes) echo SYSLOG OK ;;
*) echo SYSLOG NOK
if [ -n "$val_syslog1" ]
then
echo $val_syslog1
else
echo SYSLOG no esta en el archivo /etc/default/login
fi ;;
esac
val_sleeptime=`grep SLEEPTIME /etc/default/login|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
val_sleeptime1=`grep SLEEPTIME /etc/default/login|grep -v controls`
case $val_sleeptime in
4) echo SLEEPTIME OK ;;
*) echo SLEEPTIME NOK
if [ -n "$val_sleeptime1" ]
then
echo $val_sleeptime1
else
echo SLEEPTIME no esta en el archivo /etc/default/login
fi ;;
esac
val_retries=`grep RETRIES /etc/default/login|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
val_retries1=`grep RETRIES /etc/default/login|egrep -v "login|variable"`
case $val_retries in
3) echo RETRIES OK ;;
*) echo RETRIES NOK
if [ -n "$val_retries1" ]
then
echo $val_retries1
else
echo RETRIES no esta en el archivo /etc/default/login
fi ;;
esac
val_syslog_fl=`grep SYSLOG_FAILED_LOGINS /etc/default/login|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
val_syslog_fl1=`grep SYSLOG_FAILED_LOGINS /etc/default/login|egrep -v "login|variable"`
case $val_syslog_fl in
3) echo SYSLOG_FAILED_LOGINS OK ;;
*) echo SYSLOG_FAILED_LOGINS NOK
if [ -n "$val_syslog_fl1" ]
then
echo $val_syslog_fl1
else
echo SYSLOG_FAILED_LOGINS no esta en el archivo /etc/default/login
fi ;;
esac
fi
else
for i in SYSLOG SLEEPTIME RETRIES SYSLOG_FAILED_LOGINS
do
echo "$i NOK"
echo "$i archivo /etc/default/login no existe"
done
fi
echo
echo "==========================================================================================="
echo
echo "12. Crontabs y Atjobs"
echo
for i in daemon bin smtp nuucp listen nobody noaccess
do
cron1=`grep -s $i /etc/cron.d/cron.allow`
cron2=`grep -s $i /etc/cron.d/cron.deny`
cron3=`grep -i all /etc/cron.d/cron.deny`
if [ -n "$cron1" ]
then
echo $i NOK
echo $i esta en el archivo /etc/cron.d/cron.allow
elif [ -n "$cron2" ]
then
echo $i OK
elif [ -n "$cron3" ]
then
echo $i OK
else
echo $i NOK
echo $i no esta en el archivo /etc/cron.d/cron.deny
fi
done
for i in daemon bin smtp nuucp listen nobody noaccess
do
at1=`grep -s $i /etc/cron.d/at.allow`
at2=`grep -s $i /etc/cron.d/at.deny`
at3=`grep -i all /etc/cron.d/at.deny`
if [ -n "$at1" ]
then
echo $i NOK
echo $i esta en el archivo /etc/cron.d/at.allow
elif [ -n "$at2" ]
then
echo $i OK
elif [ -n "$at3" ]
then
echo $i OK
else
echo $i NOK
echo $i no esta en el archivo /etc/cron.d/at.deny
fi
done
echo
echo "==========================================================================================="
echo
echo "13. Usuarios con perfil de root"
echo
val_perf_root=`awk -F: '{if ($3==0 || $4==1) printf ("%s:%s:%s\n",$1,$3,$4)}' /etc/passwd|sed -e 's/ //g'|egrep -v "root:0:1|daemon:1:1|root:0:0"`
if [ -n "$val_perf_root" ]
then
echo perfil_de_root NOK
echo $val_perf_root
else
echo perfil_de_root OK
fi
echo
echo "==========================================================================================="
echo
echo "14. Usuarios con grupo de root"
echo
val_grp_root=`grep "root::0:" /etc/group | cut -d: -f4`
if [ -n "$val_grp_root" ]
then
val_grp_root_1=`grep "root::0:" /etc/group | cut -d: -f4 | grep root | grep -v root, | grep -v ,root`
if [ -n "$val_grp_root_1" ]
then
echo usuarios_grupo_root_0 OK
else
echo usuarios_grupo_root_0 NOK
echo $val_grp_root
fi
else
echo usuarios_grupo_root_0 OK
fi
val_grp_root=`grep "other::1:" /etc/group | cut -d: -f4`
if [ -n "$val_grp_root" ]
then
val_grp_root_1=`grep "other::1:" /etc/group | cut -d: -f4 | grep root | grep -v root, | grep -v ,root`
if [ -n "$val_grp_root_1" ]
then
echo usuarios_grupo_root_1 OK
else
echo usuarios_grupo_root_1 NOK
echo $val_grp_root
fi
else
echo usuarios_grupo_root_1 OK
fi
echo
echo "==========================================================================================="
echo
echo "15. Passwords"
echo
if [ -f /etc/default/passwd ]
then
tamano=`wc -l /etc/default/passwd | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo pass_length NOK
echo max_weeks NOK
echo min_weeks NOK
echo warn_weeks NOK
echo history NOK
echo min_diff NOK
echo min_alpha NOK
echo min_noalpha NOK
echo min_upper NOK
echo min_lower NOK
echo min_special NOK
echo min_digit NOK
echo white_space NOK
echo "El archivo /etc/default/passwd no contiene informacion"
echo
else
long_passwd=`grep PASSLENGTH /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
long_passwd1=`grep PASSLENGTH /etc/default/passwd|grep =`
if [ -n "$long_passwd" ]
then
case $long_passwd in
8) echo pass_length OK ;;
*) echo pass_length NOK
echo $long_passwd1 ;;
esac
else
if [ -n "$long_passwd1" ]
then
echo pass_length NOK
echo $long_passwd1
else
echo pass_length NOK
echo No existe PASSLENGTH en el archivo /etc/default/passwd
fi
fi
max_weeks=`grep MAXWEEKS /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
max_weeks1=`grep MAXWEEKS /etc/default/passwd|grep =`
if [ -n "$max_weeks" ]
then
case $max_weeks in
8) echo max_weeks OK ;;
*) echo max_weeks NOK
echo $max_weeks1 ;;
esac
else
if [ -n "$max_weeks1" ]
then
echo max_weeks NOK
echo $max_weeks1
else
echo max_weeks NOK
echo No existe MAXWEEKS en el archivo /etc/default/passwd
fi
fi
min_weeks=`grep MINWEEKS /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_weeks1=`grep MINWEEKS /etc/default/passwd|grep =`
if [ -n "$min_weeks" ]
then
case $min_weeks in
1) echo min_weeks OK ;;
*) echo min_weeks NOK
echo $min_weeks1 ;;
esac
else
if [ -n "$min_weeks1" ]
then
echo min_weeks NOK
echo $min_weeks1
else
echo min_weeks NOK
echo No existe MINWEEKS en el archivo /etc/default/passwd
fi
fi
warn_weeks=`grep WARNWEEKS /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
warn_weeks1=`grep WARNWEEKS /etc/default/passwd|grep =`
if [ -n "$warn_weeks" ]
then
case $warn_weeks in
1) echo warn_weeks OK ;;
*) echo warn_weeks NOK
echo $warn_weeks1 ;;
esac
else
if [ -n "$warn_weeks1" ]
then
echo warn_weeks NOK
echo $warn_weeks1
else
echo warn_weeks NOK
echo No existe WARNWEEKS en el archivo /etc/default/passwd
fi
fi
version=`uname -r`
case $version in
5.8|5.9) echo history ND
echo min_diff ND
echo min_alpha ND
echo min_noalpha ND
echo min_upper ND
echo min_lower ND
echo min_special ND
echo min_digit ND
echo white_space ND
echo max_repeat ND
;;
5.10)
history=`grep HISTORY /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
history1=`grep HISTORY /etc/default/passwd|grep =`
if [ -n "$history" ]
then
case $history in
4) echo history OK ;;
*) echo history NOK
echo $history1 ;;
esac
else
if [ -n "$history1" ]
then
echo history NOK
echo $history1
else
echo history NOK
echo No existe HISTORY en el archivo /etc/default/passwd
fi
fi
min_diff=`grep MINDIFF /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_diff1=`grep MINDIFF /etc/default/passwd|grep =`
if [ -n "$min_diff" ]
then
case $min_diff in
3) echo min_diff OK ;;
*) echo min_diff NOK
echo $min_diff1 ;;
esac
else
if [ -n "$min_diff1" ]
then
echo min_diff NOK
echo $min_diff1
else
echo min_diff NOK
echo No existe MINDIFF en el archivo /etc/default/passwd
fi
fi
min_alpha=`grep MINALPHA /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_alpha1=`grep MINALPHA /etc/default/passwd|grep =`
if [ -n "$min_alpha" ]
then
case $min_alpha in
2) echo min_alpha OK ;;
*) echo min_alpha NOK
echo $min_alpha1 ;;
esac
else
if [ -n "$min_alpha1" ]
then
echo min_alpha NOK
echo $min_alpha1
else
echo min_alpha NOK
echo No existe MINALPHA en el archivo /etc/default/passwd
fi
fi
min_noalpha=`grep MINNONALPHA /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_noalpha1=`grep MINNONALPHA /etc/default/passwd|grep =`
if [ -n "$min_noalpha" ]
then
case $min_noalpha in
0) echo min_noalpha OK ;;
*) echo min_noalpha NOK
echo $min_noalpha1 ;;
esac
else
if [ -n "$min_noalpha1" ]
then
echo min_noalpha NOK
echo $min_noalpha1
else
echo min_noalpha NOK
echo No existe MINNOALPHA en el archivo /etc/default/passwd
fi
fi
min_upper=`grep MINUPPER /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_upper1=`grep MINUPPER /etc/default/passwd|grep =`
if [ -n "$min_upper" ]
then
case $min_upper in
0) echo min_upper OK ;;
*) echo min_upper NOK
echo $min_upper1 ;;
esac
else
if [ -n "$min_upper1" ]
then
echo min_upper NOK
echo $min_upper1
else
echo min_upper NOK
echo No existe MINUPPER en el archivo /etc/default/passwd
fi
fi
min_lower=`grep MINLOWER /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_lower1=`grep MINLOWER /etc/default/passwd|grep =`
if [ -n "$min_lower" ]
then
case $min_lower in
0) echo min_lower OK ;;
*) echo min_lower NOK
echo $min_lower1 ;;
esac
else
if [ -n "$min_lower1" ]
then
echo min_lower NOK
echo $min_lower1
else
echo min_lower NOK
echo No existe MINLOWER en el archivo /etc/default/passwd
fi
fi
min_special=`grep MINSPECIAL /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_special1=`grep MINSPECIAL /etc/default/passwd|grep =`
if [ -n "$min_special" ]
then
case $min_special in
1) echo min_special OK ;;
*) echo min_special NOK
echo $min_special1 ;;
esac
else
if [ -n "$min_special1" ]
then
echo min_special NOK
echo $min_special1
else
echo min_special NOK
echo No existe MINSPECIAL en el archivo /etc/default/passwd
fi
fi
min_digit=`grep MINDIGIT /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
min_digit1=`grep MINDIGIT /etc/default/passwd|grep =`
if [ -n "$min_digit" ]
then
case $min_digit in
1) echo min_digit OK ;;
*) echo min_digit NOK
echo $min_digit1 ;;
esac
else
if [ -n "$min_digit1" ]
then
echo min_digit NOK
echo $min_digit1
else
echo min_digit NOK
echo No existe MINDIGIT en el archivo /etc/default/passwd
fi
fi
white_space=`grep WHITESPACE /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
white_space1=`grep WHITESPACE /etc/default/passwd|grep =`
if [ -n "$white_space" ]
then
case $white_space in
YES|yes) echo white_space OK ;;
*) echo white_space NOK
echo $white_space1 ;;
esac
else
if [ -n "$white_space1" ]
then
echo white_space NOK
echo $white_space1
else
echo white_space NOK
echo No existe WHITESPACE en el archivo /etc/default/passwd
fi
fi
max_repeat=`grep MAXREPEAT /etc/default/passwd|grep =|sed -e 's/ //g'|grep -v ^\#|cut -d"=" -f2`
max_repeat1=`grep MAXREPEAT /etc/default/passwd|grep =`
if [ -n "$max_repeat" ]
then
case $max_repeat in
2) echo max_repeat OK ;;
*) echo max_repeat NOK
echo $max_repeat1 ;;
esac
else
if [ -n "$max_repeat1" ]
then
echo max_repeat NOK
echo $max_repeat1
else
echo max_repeat NOK
echo No existe MAXREPEAT en el archivo /etc/default/passwd
fi
fi
;;
esac
fi
else
echo pass_length NOK
echo max_weeks NOK
echo min_weeks NOK
echo warn_weeks NOK
echo history NOK
echo min_diff NOK
echo min_alpha NOK
echo min_noalpha NOK
echo min_upper NOK
echo min_lower NOK
echo min_special NOK
echo min_digit NOK
echo white_space NOK
echo "Archivo /etc/default/passwd no existe"
fi
echo
echo "==========================================================================================="
echo
echo "16. Cambio de Password cada 60 dias"
echo
val_no=0
val_si=0
usuarios=`grep -v "*LK*" /etc/shadow | cut -d: -f1`
for i in $usuarios
do
val_passwd=`passwd -s $i | awk '{print $5}'`
case $val_passwd in
56|60)
if [ -n "$val_passwd" ]
then
val_si=`expr $val_si + 1`
else
val_no=`expr $val_no + 1`
echo $i $val_passwd
fi
;;
*) val_no=`expr $val_no + 1`
echo $i $val_passwd
;;
esac
done
case $val_no in
0) echo password_60_dias OK ;;
*) echo password_60_dias NOK ;;
esac
echo
echo "==========================================================================================="
echo
echo "17. Permisos de perfil de usuario"
echo
mascara=`grep "UMASK=" /etc/default/login|cut -d= -f2`
case $mascara in
027|0027|077|0077) echo umask_usuario OK ;;
*)
val_no=0
val_si=0
val_umask=`cat /etc/passwd | egrep -v "^daemon|^bin|^sys|^adm|^lp|^uucp|^nuucp|^smmsp|^listen|^gdm|^webservd|^nobody|^noaccess|^nobody4|^sshd"|sed -e 's/ //g' | grep -v ^\#|cut -d: -f1`
for i in $val_umask
do
usuario=`grep $i /etc/passwd | cut -d: -f1`
case $usuario in
root) valor_profile=`grep "UMASK=" /etc/default/login | grep -v ^\# | cut -d= -f2`
resul_profile=`grep "UMASK=" /etc/default/login`
if [ -n "$valor_profile" ]
then
case $valor_profile in
027|077) val_si=`expr $val_si + 1` ;;
*) if [ -z "$valor_profile" ]
then
echo "UMASK $usuario MAL profile: NO HAY UN VALOR DEFINIDO"
val_no=`expr $val_no + 1`
else
echo "UMASK $usuario MAL profile: $resul_profile"
val_no=`expr $val_no + 1`
fi
esac
else
valor_profile1=`grep umask /etc/profile| grep -v ^\# | cut -d" " -f2`
resul_profile1=`grep umask /etc/profile`
if [ -n "$valor_profile1" ]
then
case $valor_profile1 in
027) val_si=`expr $val_si + 1` ;;
*) if [ -z "$valor_profile1" ]
then
echo "UMASK $usuario MAL profile: NO HAY UN VALOR DEFINIDO"
val_no=`expr $val_no + 1`
else
echo "UMASK $usuario MAL /etc/default/login: $resul_profile /etc/profile: $resul_profile1"
val_no=`expr $val_no + 1`
fi
esac
fi
fi
;;
*) arch_profile=`grep $i /etc/passwd | cut -d: -f6`
if [ -f "$arch_profile/.profile" ]
then
valor_profile=`grep -s umask $arch_profile/.profile|grep -v ^\#|tail -1|awk '{print $2}'`
if [ -n "$valor_profile" ]
then
case $valor_profile in
027|077) val_si=`expr $val_si + 1` ;;
*) if [ -z "$valor_profile" ]
then
echo "UMASK $usuario MAL profile: NO HAY UN VALOR DEFINIDO"
val_no=`expr $val_no + 1`
else
echo "UMASK $usuario MAL profile: $valor_profile"
val_no=`expr $val_no + 1`
fi
;;
esac
else
echo UMASK $usuario MAL: No esta el parametro definido dentro del archivo profile
val_no=`expr $val_no + 1`
fi
else
echo UMASK $usuario MAL: No existe el archivo profile
val_no=`expr $val_no + 1`
fi;;
esac
done
echo
case $val_no in
0) echo umask_usuario OK ;;
*) echo umask_usuario NOK ;;
esac
;;
esac
echo
echo "Valor de umask del Sistema: $mascara"
echo
echo "==========================================================================================="
echo
echo "18. Cuentas Bloqueadas de Usuarios de Sistema"
echo
OK=0
output=""
for i in daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 sshd
do
locked=`cat /etc/shadow | grep -w "$i" | cut -d ":" -f2`
if [ ! "$locked" = "*LK*" ]
then
if [ ! "$locked" = "*LK*NP" ]
then
x=" $i\t no esta bloqueado (Status: $locked)\n"
output=`echo "$x$output"`
OK=1
fi
fi
done
if [ "$OK" -eq "0" ]
then
status="OK"
else
status="NOK"
fi
echo "usuarios_sistema_lk: $status\n"
[ "$OK" -eq "1" ] && echo "Los siguientes usuarios de sistema no estan bloqueados:\n$output"
echo
echo "==========================================================================================="
echo
echo "19. Conexiones confiables"
echo
cuenta_rlogin=0
usuario=`cat /etc/passwd | egrep -v "^daemon|^bin|^sys|^adm|^lp|^uucp|^nuucp|^smmsp|^listen|^nobody|^noaccess|^nobody4"|sed -e 's/ //g' | sed -e 's/ //g' | grep -v ^\#|cut -d: -f1`
version=`uname -r`
case $version in
5.8|5.9)
servicio_rlogin=`grep rlogin /etc/inetd.conf|egrep 'stream|dgram'|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#| cut -f1`
;;
5.10)
servicio_rlogin=`inetadm | grep rlogin | grep enabled`
;;
esac
if [ -n "$servicio_rlogin" ]
then
if [ -f /etc/hosts.equiv ]
then
tamano=`wc -l /etc/hosts.equiv | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "host_equiv OK"
else
echo "host_equiv NOK"
fi
else
echo "host_equiv OK"
fi
for i in $usuario
do
case $i in
root) home_directory=/.rhosts
;;
*) home_dir=`grep $i /etc/passwd | cut -d: -f6`
home_directory=`echo $home_dir"/.rhosts"`
;;
esac
if [ -f $home_directory ]
then
cont_rlogin=`cat $home_directory | sed -e 's/ //g'|grep -v ^\#`
if [ -n "$cont_rlogin" ]
then
echo "servicio_rlogin $i MAL"
echo $cont_rlogin
cuenta_rlogin=`expr $cuenta_rlogin + 1`
fi
fi
done
else
echo servicio_rlogin OK
fi
case $cuenta_rlogin in
0) echo politica_rlogin OK ;;
*) echo politica_rlogin NOK ;;
esac
echo
echo "==========================================================================================="
echo
echo "20. TCP Wrappers y ssh"
echo
ps_ssh=`ps -fea|grep sshd |grep -v grep`
if [ -n "$ps_ssh" ]
then
echo ssh OK
else
if [ -f /usr/local/sbin/sshd ]
then
echo ssh OK
else
if [ -f /etc/init.d/sshd ]
then
echo ssh OK
else
echo ssh NOK
fi
fi
fi
if [ -f /usr/sfw/sbin/tcpd ]
then
echo tcp_wrappers OK
else
if [ -f /usr/sbin/tcpd ]
then
echo tcp_wrappers OK
else
if [ -f /usr/local/bin/tcp ]
then
echo tcp_wrappers OK
else
echo tcp_wrappers NOK
fi
fi
fi
if [ -f /etc/hosts.allow ]
then
tamano=`wc -l /etc/hosts.allow | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "hosts.allow NOK"
echo Archivo /etc/hosts.allow no tiene informacion
else
val_hallow=`grep -iw ALL /etc/hosts.allow | sed -e 's/ //g'|grep -v "#"`
val_hallow1=`egrep -i "all|sshd|ftpd|telnetd|rlogind" /etc/hosts.allow| sed -e 's/ //g'|grep -v "#"`
if [ -n "$val_hallow" ]
then
echo hosts.allow NOK
grep -iw ALL /etc/hosts.allow
else
if [ -n "$val_hallow1" ]
then
echo hosts.allow OK
else
echo hosts.allow NOK
egrep -i "all|sshd|ftpd|telnetd|rlogind" /etc/hosts.allow
fi
fi
fi
else
echo "hosts.allow NOK"
echo Archivo /etc/hosts.allow no existe
fi
if [ -f /etc/hosts.deny ]
then
tamano=`wc -l /etc/hosts.deny | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo "hosts.deny NOK"
echo Archivo /etc/hosts.deny no tiene informacion
else
val_hdeny=`grep -iw "ALL" /etc/hosts.deny | sed -e 's/ //g'|grep -v "#"|cut -c1-7|grep -iw "ALL:ALL"`
if [ -n "$val_hdeny" ]
then
echo hosts.deny OK
else
echo hosts.deny NOK
cat /etc/hosts.deny
fi
fi
else
echo "hosts.deny NOK"
echo Archivo /etc/hosts.deny no existe
fi
echo
echo "==========================================================================================="
echo
echo "21. Eliminar acceso de root desde red"
echo
if [ -f /etc/default/login ]
then
tamano=`wc -l /etc/default/login | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo acceso_root_telnet NOK
echo NO CONTIENE INFORMACION EL ARCHIVO /etc/default/login
else
val_acc_root=`grep -w CONSOLE /etc/default/login|sed -e 's/ //g' | grep -v ^\#`
val_acceso_root=`cat /etc/default/login|sed -e 's/ //g'|grep -w "CONSOLE="`
if [ -n "$val_acc_root" ]
then
echo acceso_root_telnet OK
else
echo acceso_root_telnet NOK
echo $val_acceso_root
fi
fi
else
echo acceso_root_telnet NOK
echo NO EXISTE EL ARCHIVO /etc/default/login
fi
if [ -f /etc/ssh/sshd_config ]
then
tamano=`wc -l /etc/ssh/sshd_config | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo acceso_root_ssh NOK
echo NO CONTIENE INFORMACION EL ARCHIVO /etc/ssh/sshd_config
else
val_acc_root=`grep -w PermitRootLogin /etc/ssh/sshd_config|sed -e 's/ //g' | grep -v ^\#|grep PermitRootLoginno`
val_acceso_root=`cat /etc/ssh/sshd_config|grep -w PermitRootLogin`
if [ -n "$val_acc_root" ]
then
echo acceso_root_ssh OK
else
echo acceso_root_ssh NOK
echo $val_acceso_root
fi
fi
else
if [ -f /usr/local/etc/sshd_config ]
then
tamano=`wc -l /usr/local/etc/sshd_config | awk '{print $1}'`
if [ $tamano -eq 0 ]
then
echo acceso_root_ssh NOK
echo NO CONTIENE INFORMACION EL ARCHIVO /usr/local/etc/sshd_config
else
val_acc_root=`grep -w PermitRootLogin /usr/local/etc/sshd_config|sed -e 's/ //g' | grep -v ^\#|grep PermitRootLoginno`
val_acceso_root=`cat /usr/local/etc/sshd_config|grep -w PermitRootLogin`
if [ -n "$val_acc_root" ]
then
echo acceso_root_ssh OK
else
echo acceso_root_ssh NOK
echo $val_acceso_root
fi
fi
else
echo acceso_root_ssh NOK
echo NO EXISTE EL ARCHIVO sshd_config
fi
fi
echo
echo "==========================================================================================="
echo
echo "22. Archivos con informacion sensible"
echo
if [ -f /etc/passwd ]
then
perm_passwd=`ls -l /etc/passwd | awk '{print $1}'`
case $perm_passwd in
-rw-r--r--) echo permisos /etc/passwd OK ;;
*) echo permisos /etc/passwd NOK
echo $perm_passwd ;;
esac
user_passwd=`ls -l /etc/passwd | awk '{print $3}'`
case $user_passwd in
root) echo user /etc/passwd OK ;;
*) echo user /etc/passwd NOK
echo $user_passwd ;;
esac
group_passwd=`ls -l /etc/passwd | awk '{print $4}'`
case $group_passwd in
sys) echo grupo /etc/passwd OK ;;
*) echo grupo /etc/passwd NOK
echo $group_passwd ;;
esac
else
echo permisos /etc/passwd NOK
echo user /etc/passwd NOK
echo grupo /etc/passwd NOK
echo "EL ARCHIVO /etc/passwd NO EXISTE"
fi
if [ -f /etc/shadow ]
then
perm_shadow=`ls -l /etc/shadow | awk '{print $1}'`
case $perm_shadow in
-r--------) echo permisos /etc/shadow OK ;;
*) echo permisos /etc/shadow NOK
echo $perm_shadow ;;
esac
user_shadow=`ls -l /etc/shadow | awk '{print $3}'`
case $user_shadow in
root) echo user /etc/shadow OK ;;
*) echo user /etc/shadow NOK
echo $user_shadow ;;
esac
group_shadow=`ls -l /etc/shadow | awk '{print $4}'`
case $group_shadow in
sys) echo grupo /etc/shadow OK ;;
*) echo grupo /etc/shadow NOK
echo $group_shadow ;;
esac
else
echo permisos /etc/shadow NOK
echo user /etc/shadow NOK
echo grupo /etc/shadow NOK
echo "EL ARCHIVO /etc/shadow NO EXISTE"
fi
if [ -f /etc/hosts.allow ]
then
perm_ha=`ls -l /etc/hosts.allow | awk '{print $1}'`
case $perm_ha in
-r-x------) echo permisos /etc/hosts.allow OK ;;
*) echo permisos /etc/hosts.allow NOK
echo $perm_ha ;;
esac
user_ha=`ls -l /etc/hosts.allow| awk '{print $3}'`
case $user_ha in
root) echo user /etc/hosts.allow OK ;;
*) echo user /etc/hosts.allow NOK
echo $user_ha ;;
esac
group_ha=`ls -l /etc/hosts.allow| awk '{print $4}'`
case $group_ha in
root) echo grupo /etc/hosts.allow OK ;;
*) echo grupo /etc/hosts.allow NOK
echo $group_ha ;;
esac
else
echo permisos /etc/hosts.allow NOK
echo user /etc/hosts.allow NOK
echo grupo /etc/hosts.allow NOK
echo "EL ARCHIVO /etc/hosts.allow NO EXISTE"
fi
if [ -f /etc/hosts.deny ]
then
perm_hd=`ls -l /etc/hosts.deny | awk '{print $1}'`
case $perm_hd in
-r-x------) echo permisos /etc/hosts.deny OK ;;
*) echo permisos /etc/hosts.deny NOK
echo $perm_hd ;;
esac
user_hd=`ls -l /etc/hosts.deny| awk '{print $3}'`
case $user_hd in
root) echo user /etc/hosts.deny OK ;;
*) echo user /etc/hosts.deny NOK
echo $user_hd ;;
esac
group_hd=`ls -l /etc/hosts.deny| awk '{print $4}'`
case $group_hd in
root) echo grupo /etc/hosts.deny OK ;;
*) echo grupo /etc/hosts.deny NOK
echo $group_hd ;;
esac
else
echo permisos /etc/hosts.deny NOK
echo user /etc/hosts.deny NOK
echo grupo /etc/hosts.deny NOK
echo "EL ARCHIVO /etc/hosts.deny NO EXISTE"
fi
echo
echo "==========================================================================================="
echo
#####################################################################
########################## FREE TOOLS ###############################
#####################################################################
echo
echo "===========================HERRAMIENTAS LIBRES ==========================================================="
echo
echo
echo "==========================================================================================="
echo
#################
# NPASSWD check #
#################
echo
if [ -f /usr/lib/passwd/npasswd ]
then
echo Archivo_npasswd OK
else
echo Archivo_npasswd NOK
fi
if [ -f /usr/lib/passwd/passwd.conf ]
then
val_matchtries=`grep -w MatchTries /usr/lib/passwd/passwd.conf | sed -e 's/ //g' | sed -e 's/ //g' |grep -v ^\#`
if [ -n "$val_matchtries" ]
then
case $val_matchtries in
MatchTries2) echo Matchtries OK ;;
*) echo Matchtries NOK ;;
esac
else
echo Matchtries NOK
grep -w MatchTries /usr/lib/passwd/passwd.conf
fi
val_alphaonly=`grep -w 'passwd.AlphaOnly' /usr/lib/passwd/passwd.conf | sed -e 's/ //g' | sed -e 's/ //g' |grep -v ^\#`
if [ -n "$val_alphaonly" ]
then
case $val_alphaonly in
passwd.AlphaOnlyfalse) echo AlphaOnly OK ;;
*) echo AlphaOnly NOK ;;
esac
else
echo AlphaOnly NOK
grep -w 'passwd.AlphaOnly' /usr/lib/passwd/passwd.conf
fi
val_charclasses=`grep -w 'passwd.CharClasses' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_charclasses" ]
then
case $val_charclasses in
passwd.CharClasses3) echo CharClasses OK ;;
*) echo CharClasses NOK ;;
esac
else
echo CharClasses NOK
grep -w 'passwd.CharClasses' /usr/lib/passwd/passwd.conf
fi
val_lenghtwarn=`grep -w 'passwd.LengthWarn' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_lenghtwarn" ]
then
case $val_lenghtwarn in
passwd.LengthWarntrue) echo LengthWarn OK ;;
*) echo LengthWarn NOK ;;
esac
else
echo LengthWarn NOK
grep -w 'passwd.LengthWarn' /usr/lib/passwd/passwd.conf
fi
val_maxpassword=`grep -w 'passwd.MaxPassword' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_maxpassword" ]
then
case $val_maxpassword in
passwd.MaxPassword8) echo Maxpassword OK ;;
*) echo Maxpassword NOK ;;
esac
else
echo MaxPassword NOK
grep -w 'passwd.MaxPassword' /usr/lib/passwd/passwd.conf
fi
val_maxrepeat=`grep -w 'passwd.MaxRepeat' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_maxrepeat" ]
then
case $val_maxrepeat in
passwd.MaxRepeat2) echo Maxrepeat OK ;;
*) echo Maxrepeat NOK ;;
esac
else
echo Maxrepeat NOK
grep -w 'passwd.MaxRepeat' /usr/lib/passwd/passwd.conf
fi
val_minrepeat=`grep -w 'passwd.MinPassword' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_minrepeat" ]
then
case $val_minrepeat in
passwd.MinPassword8) echo Minrepeat OK ;;
*) echo Minrepeat NOK ;;
esac
else
echo Minrepeat NOK
grep -w 'passwd.MinPassword' /usr/lib/passwd/passwd.conf
fi
val_history_age=`grep -w 'passwd.History age' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_history_age" ]
then
case $val_history_age in
passwd.Historyage30) echo History_age OK ;;
*) echo History_age NOK ;;
esac
else
echo History_age NOK
grep -w 'passwd.History age' /usr/lib/passwd/passwd.conf
fi
val_history_database=`grep -w 'passwd.History database file' /usr/lib/passwd/passwd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_history_database" ]
then
case $val_history_database in
"passwd.Historydatabasefile/usr/lib/passwd/history") echo History_database OK ;;
*) echo History_database NOK ;;
esac
else
echo History_database NOK
grep -w 'passwd.History database file' /usr/lib/passwd/passwd.conf
fi
else
echo Archivo_passwd.conf NOK
fi
###############
# IDLED check #
###############
echo
proceso_idled=`ps -fea|grep idled|grep -v grep`
if [ -n "$proceso_idled" ]
then
if [ -f /etc/idled.cf ]
then
val_multiples=`cat /etc/idled.cf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#|grep multiples`
if [ -n "$val_multiples" ]
then
case $val_multiples in
multiples3) echo IDLED_3 OK ;;
multiples5) echo IDLED_5 OK ;;
multiples10) echo IDLED_10 OK ;;
*) echo IDLED NOK
grep -w multiples /etc/idled.cf ;;
esac
else
echo IDLED NOK
grep -w multiples /etc/idled.cf
fi
val_timeout_tty=`cat /etc/idled.cf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#|grep 'timeoutttyconsole'`
if [ -n "$val_timeout_tty" ]
then
case $val_timeout_tty in
timeoutttyconsole30) echo TIMEOUT_TTY_CONSOLE_30 OK ;;
timeoutttyconsole60) echo TIMEOUT_TTY_CONSOLE_60 OK ;;
*) echo TIMEOUT_TTY_CONSOLE NOK
grep -w 'timeout tty console' /etc/idled.cf ;;
esac
else
echo TIMEOUT_TTY_CONSOLE NOK
grep -w 'timeout tty console' /etc/idled.cf
fi
val_timeout_default=`cat /etc/idled.cf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#|grep 'timeoutdefault'`
if [ -n "$val_timeout_default" ]
then
case $val_timeout_default in
timeoutdefault30) echo TIMEOUT_DEFAULT_30 OK ;;
timeoutdefault60) echo TIMEOUT_DEFAULT_60 OK ;;
timeoutdefault120) echo TIMEOUT_DEFAULT_120 OK ;;
*) echo TIMEOUT_DEFAULT NOK
grep -w 'timeout default' /etc/idled.cf ;;
esac
else
echo TIMEOUT_DEFAULT NOK
grep -w 'timeout default' /etc/idled.cf
fi
else
echo IDLED NOK
echo El archivo /etc/idled.cf no existe
fi
else
echo IDLED NOK
echo No esta el proceso activo
fi
if [ -f /etc/rc2.d/S95idled ]
then
echo RUN_CONTROL_SCRIPT_S95idled OK
else
echo RUN_CONTROL_SCRIPT_S95idled NOK
fi
######################
# POWER BROKER check #
######################
echo
if [ -f /usr/local/bin/pbrun ]
then
echo PBRUN OK
if [ -f /etc/inetd.conf ]
then
val_power_broker=`grep -ws pblocald /etc/inetd.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_power_broker" ]
then
echo PBLOCALD_INETD.CONF OK
else
echo PBLOCALD_INETD.CONF NOK
echo El parametro pblocald no esta configurado en el archivo /etc/inetd.conf
fi
else
echo PBLOCALD_INETD.CONF NOK
echo No existe el archivo /etc/inetd.conf
fi
if [ -f /etc/xinetd.d/pblocald ]
then
val_power_broker1=`grep -ws pblocald /etc/xinetd.d/pblocald|sed -e 's/ //g'|sed -e 's/ //g'|grep -v ^\#`
if [ -n "$val_power_broker1" ]
then
echo PBLOCALD_XINETD.D OK
else
echo PBLOCALD_XINETD.D NOK
echo El parametro pblocald no esta configurado en el archivo /etc/xinetd.d/pblocald
fi
else
echo PBLOCALD_XINETD.D NOK
echo No existe el archivo /etc/xinetd.d/pblocald
fi
else
echo PBRUN NOK
echo No existe el archivo /usr/local/bin/pbrun
fi
val_pbshell=`cat /etc/passwd | egrep -v "^daemon|^bin|^sys|^adm|^lp|^uucp|^nuucp|^smmsp|^listen|^gdm|^webservd|^nobody|^noaccess|^nobody4"|sed -e 's/ //g' | grep -v ^\#|cut -d: -f1`
for i in $val_pbshell
do
existe_pbshell=`grep $i /etc/passwd|grep pbshell`
if [ -n "$existe_pbshell" ]
then
echo $i tiene pbshell declarado en el /etc/passwd
else
case $i in
root) valor_profile=`cat /.profile|sed -e 's/ //g'|sed '/^[ ]*$/d'|awk '{if ( $0 == "pbstatus=\"-1\"" ) NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "/usr/local/bin/pbrunsdpcheck") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "pbstatus=$?") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "if[$pbstatus-eq0]") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "then") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "exec/usr/local/bin/pbrunprofile") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "fi") print $0}'`
if [ -n "$valor_profile" ]
then
echo El script pbshell de root en profile ok
else
echo El script pbshell de root en profile nok
fi
;;
*) arch_profile=`grep $i /etc/passwd | cut -d: -f6`
if [ -f "$arch_profile/.profile" ]
then
valor_profile=`cat $arch_profile/.profile|sed -e 's/ //g'|sed '/^[ ]*$/d'|
awk '{if ( $0 == "pbstatus=\"-1\"" ) NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "/usr/local/bin/pbrunsdpcheck") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "pbstatus=$?") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "if[$pbstatus-eq0]") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "then") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "exec/usr/local/bin/pbrunprofile") NUM=NR+1}
{if ( NUM == NR ) if ( $0 == "fi") print $0}'`
if [ -n "$valor_profile" ]
then
echo script pbshell de $i en profile ok
else
echo script pbshell de $i en profile nok
fi
fi
;;
esac
fi
done
################
# PAMLOG check #
################
echo
if [ -f /etc/syslog.conf ]
then
val_syslog=`cat /etc/syslog.conf|sed -e 's/ //g'|sed -e 's/ //g'|grep -s 'auth.info;auth.debug'|grep -v ^\#`
if [ -n "$val_syslog" ]
then
case $val_syslog in
"auth.info;auth.debug/var/log/pamlog") echo PAMLOG OK
if [ -f /var/log/pam.log ]
then
echo Archivo PAMLOG OK
else
if [ -f /var/log/pamlog ]
then
echo Archivo PAMLOG OK
else
echo Archivo PAMLOG NOK
echo "No existe el archivo /var/log/pamlog o /var/log/pam.log"
fi
fi ;;
"auth.info;auth.debug/var/log/pam.log") echo PAMLOG OK
if [ -f /var/log/pam.log ]
then
echo Archivo PAMLOG OK
else
if [ -f /var/log/pamlog ]
then
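The "18. Cuentas Bloqueadas de Usuarios de Sistema" check in the posted script reads the lock marker with `cat /etc/shadow | grep -w "$i" | cut -d ":" -f2`, which searches the whole line rather than the user-name field and yields one value per matching line. As an added example (my code, not part of the posted script), the same check is rewritten as functions that take the shadow file as an argument and match the user name exactly on field 1, so it can be run against a copy of /etc/shadow or against the constructed sample embedded below. The function names and the sample entries are mine; the verdict logic (only `*LK*` and `*LK*NP` count as locked) is the one the posted check applies.

```shell
#!/bin/sh
# Added example: "locked system accounts" check over a shadow-format file.
# Solaris marks a locked account with "*LK*" (or "*LK*NP") in field 2;
# "NP" alone means "no password" and is NOT treated as locked, as in the
# posted script.

# Same list of system accounts the posted check iterates over.
SYSTEM_ACCOUNTS="daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 sshd"

# shadow_field2 FILE USER -> password field of exactly that user
# (exact match on field 1, so "sys" never picks up "sysadm" or a hash).
shadow_field2() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# unlocked_system_accounts FILE -> space-separated system accounts whose
# password field is not a lock marker; accounts absent from FILE are skipped.
unlocked_system_accounts() {
    file=$1
    out=""
    for u in $SYSTEM_ACCOUNTS; do
        f=$(shadow_field2 "$file" "$u")
        [ -z "$f" ] && continue
        case $f in
            '*LK*'|'*LK*NP') ;;          # locked: nothing to report
            *) out="$out $u" ;;
        esac
    done
    echo "${out# }"
}

# usuarios_sistema_lk FILE -> "OK" or "NOK", the posted check's verdict
usuarios_sistema_lk() {
    if [ -z "$(unlocked_system_accounts "$1")" ]; then echo OK; else echo NOK; fi
}

# Constructed sample shadow file (not taken from any real system).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$5$constructedhash$abcdef:15000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:*LK*:6445::::::
sysadm:NP:6445::::::
adm:*LK*NP:6445::::::
lp:*LK*:6445::::::
nobody:*LK*:6445::::::
sshd:*LK*:6445::::::
EOF

echo "usuarios_sistema_lk: $(usuarios_sistema_lk "$SAMPLE_SHADOW")"
echo "not locked: $(unlocked_system_accounts "$SAMPLE_SHADOW")"
```

On the sample, `daemon` and `bin` carry `NP` rather than a lock marker, so the verdict is NOK and both names are listed; to audit a live system, pass a root-readable copy of /etc/shadow instead of the sample.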
Date: 21.11.2012
Subject: Re: Hardening Solaris 5.9
Here I am going to include a bit of Unix security.
IP FILTER:
bash-3.00# vi /etc/ipf/ipf.conf
"/etc/ipf/ipf.conf" 38 lines, 1204 characters
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
#INBOUND RULES
#By default the server only accepts access on the following ports
#ssh, 7001, 7201, 7301 7002, 7202, 7303, telnet, http, https, 1158
block in log proto tcp
block in log proto udp
pass in quick proto icmp
pass in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 80
#pass in quick proto tcp from any to any port = 23
pass in quick proto tcp from any to any port = 1158
pass in quick proto tcp from any to any port = 7001
pass in quick proto tcp from any to any port = 7002
pass in quick proto tcp from any to any port = 7201
pass in quick proto tcp from any to any port = 7202
pass in quick proto tcp from any to any port = 7301
pass in quick proto tcp from any to any port = 7302
pass in quick proto tcp from any to any port = 443
pass in quick proto tcp from any to any port = 8443
#OUTBOUND RULES
#ALL OUTBOUND TRAFFIC IS ALLOWED
pass out quick proto tcp all flags S/SA keep state group 150
pass out quick proto udp all keep state group 150
pass out quick proto icmp all keep state group 150
Then load your rule set into ipfilter:
ipf -Fa -f /etc/ipf/ipf.conf
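Before a rule set like the one above is loaded with `ipf -Fa -f`, it is worth checking that what the rules actually open matches what the header comment says they open. As an added example (my code, not part of the post), the shell functions below read an ipf.conf-style file, list the TCP ports that active `pass in` rules permit, confirm that a catch-all `block in` exists for tcp and udp, and report any opened port missing from a documented allowlist. The sample file is a copy of the posted rules; the function names are mine. Fed the port list from the posted header comment, the check reports 7302 and 8443: the comment names 7303 and omits 8443, and the telnet rule is commented out, so comment and rules have drifted apart.

```shell
#!/bin/sh
# Added example: static review of an IP Filter rule set before loading it.

# inbound_tcp_ports FILE -> space-separated TCP ports opened by active
# (non-commented) "pass in ... proto tcp ... port = N" rules, in file order.
inbound_tcp_ports() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "pass" && $2 == "in" && /proto tcp/ {
            for (i = 1; i < NF - 1; i++)
                if ($i == "port" && $(i+1) == "=") { out = out sep $(i+2); sep = " " }
        }
        END { print out }' "$1"
}

# has_default_inbound_block FILE PROTO -> exit 0 if an active "block in"
# rule for PROTO has no address or port qualifier (a true catch-all).
has_default_inbound_block() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        $1 == "block" && $2 == "in" && !/from/ && !/port/ {
            for (i = 3; i < NF; i++)
                if ($i == "proto" && $(i+1) == p) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# unexpected_ports FILE PORT... -> opened TCP ports not in the given allowlist
unexpected_ports() {
    file=$1; shift
    out=""
    for p in $(inbound_tcp_ports "$file"); do
        case " $* " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    echo "${out# }"
}

# Constructed copy of the posted rule set (comments shortened).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# IP Filter rules to be loaded during startup
block in log proto tcp
block in log proto udp
pass in quick proto icmp
pass in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 80
#pass in quick proto tcp from any to any port = 23
pass in quick proto tcp from any to any port = 1158
pass in quick proto tcp from any to any port = 7001
pass in quick proto tcp from any to any port = 7002
pass in quick proto tcp from any to any port = 7201
pass in quick proto tcp from any to any port = 7202
pass in quick proto tcp from any to any port = 7301
pass in quick proto tcp from any to any port = 7302
pass in quick proto tcp from any to any port = 443
pass in quick proto tcp from any to any port = 8443
pass out quick proto tcp all flags S/SA keep state group 150
pass out quick proto udp all keep state group 150
pass out quick proto icmp all keep state group 150
EOF

# Allowlist taken from the header comment of the posted file.
DOCUMENTED="22 23 80 443 1158 7001 7002 7201 7202 7301 7303"

echo "opened inbound tcp ports: $(inbound_tcp_ports "$SAMPLE_RULES")"
has_default_inbound_block "$SAMPLE_RULES" tcp && echo "default block in tcp: present"
has_default_inbound_block "$SAMPLE_RULES" udp && echo "default block in udp: present"
echo "opened but not documented: $(unexpected_ports "$SAMPLE_RULES" $DOCUMENTED)"
```

The catch-all `block in` lines work as a default because IP Filter applies the last matching rule unless a rule carries `quick`; the `pass in quick` lines therefore decide immediately for their port, and anything else falls back to the block (and is logged). Keeping the header comment and the rules in step matters for the same reason: the comment is what a reviewer reads, the rules are what the kernel enforces.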