Unix OS shell script: check HP-UX machine security against the CIS standard (check only, nothing is applied)

** Myteam
#!/usr/bin/ksh
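# Report file: one pipe-delimited record for this host, created in the
# directory the script is started from and named after `uname -n`.
LOGFILE="$PWD/$(uname -n).log"
# The name is predictable and the truncating redirection below follows
# symbolic links. If the script is run as root from a shared directory, a
# pre-planted link could redirect the write, so refuse to touch one.
if [ -h "$LOGFILE" ]; then
    echo "$LOGFILE is a symbolic link; refusing to overwrite it" >&2
    exit 1
fi
# Start from an empty file, then write the first field (the host name).
# "\c" suppresses echo's newline so the checks extend the same line.
: > "$LOGFILE"
echo "$(uname -n)|\c" >> "$LOGFILE"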
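cis13()
{
# 1. Check that the Secure Shell product is installed.
# Appends two fields to $LOGFILE: the second column of the first swlist
# line mentioning "secure shell", then Yes; or an empty field and No.
# swlist is run once and only the first matching line is used, so several
# matches cannot put line breaks inside the record.
# Globals: LOGFILE (appended to), P1 (overwritten)
P1=$(swlist | grep -i "secure shell" | awk 'NR == 1 { print $2 }')
if [ -n "$P1" ]; then
    echo "${P1}|Yes\c" >> "$LOGFILE"
else
    # Same field count as the Yes branch, and no newline: the original
    # "||No" added an extra column and ended the record early.
    echo "|No\c" >> "$LOGFILE"
fi
}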
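cis33()
{
# 2. Check the status of the NIS and NIS+ services.
# For each variable, in this fixed order, append "|Yes" when
# /etc/rc.config.d/namesvrs has exactly one uncommented "<VAR>=0" line,
# otherwise "|No" (missing file, missing line, or several matches).
# The expansion is quoted so an empty result is compared as a string
# instead of producing a `[` syntax error, as the NIS_SLAVE_SERVER test did.
# Globals: LOGFILE (appended to), P1 and nis_var (overwritten)
for nis_var in NIS_MASTER_SERVER NIS_SLAVE_SERVER NIS_CLIENT NISPLUS_CLIENT NISPLUS_SERVER
do
    P1=$(grep "${nis_var}=0" /etc/rc.config.d/namesvrs | grep -v "#" | cut -d "=" -f2)
    if [ "${P1:=x}" = 0 ]; then
        echo "|Yes\c" >> "$LOGFILE"
    else
        echo "|No\c" >> "$LOGFILE"
    fi
done
}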
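cis34()
{
# 3. Check printer daemons (normally disabled).
# Appends exactly three fields to $LOGFILE, one per config file:
#   tps: Yes when no uncommented XPRINTSERVERS value is set, else No
#   lp:  Yes when the uncommented LP= value is 0, else No
#   pd:  Yes when the uncommented PD_CLIENT= value is 0, else No
# A missing config file yields "N/A" so the record keeps a fixed number
# of columns; the original wrote nothing and shifted every later field.
# Globals: LOGFILE (appended to), P1 (overwritten)
if [ -f /etc/rc.config.d/tps ]; then
    P1=$(grep "XPRINTSERVERS" /etc/rc.config.d/tps | grep -v "#" | cut -d "=" -f2)
    if [ "${P1:=x}" = x ]; then
        echo "|Yes\c" >> "$LOGFILE"
    else
        echo "|No\c" >> "$LOGFILE"
    fi
else
    echo "|N/A\c" >> "$LOGFILE"
fi
if [ -f /etc/rc.config.d/lp ]; then
    P1=$(grep "LP=" /etc/rc.config.d/lp | grep -v "#" | cut -d "=" -f2)
    # An empty value and any value other than 0 both mean "not disabled".
    if [ "${P1:=x}" = 0 ]; then
        echo "|Yes\c" >> "$LOGFILE"
    else
        echo "|No\c" >> "$LOGFILE"
    fi
else
    echo "|N/A\c" >> "$LOGFILE"
fi
if [ -f /etc/rc.config.d/pd ]; then
    P1=$(grep "PD_CLIENT=" /etc/rc.config.d/pd | grep -v "#" | cut -d "=" -f2)
    if [ "${P1:=x}" = 0 ]; then
        echo "|Yes\c" >> "$LOGFILE"
    else
        echo "|No\c" >> "$LOGFILE"
    fi
else
    echo "|N/A\c" >> "$LOGFILE"
fi
}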
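cis36()
{
# 4. Check the e-mail server.
# Appends one field: Yes when /etc/rc.config.d/mailservs sets
# SENDMAIL_SERVER to 0 on an uncommented line, No for any other or missing
# value, N/A when the file does not exist (keeps the column count fixed).
# Commented lines are skipped, as in the other checks; without that a
# "#SENDMAIL_SERVER=0" line alone was reported as compliant.
# Globals: LOGFILE (appended to), P1 (overwritten)
if [ -f /etc/rc.config.d/mailservs ]; then
    P1=$(grep "SENDMAIL_SERVER=" /etc/rc.config.d/mailservs | grep -v "#" | cut -d "=" -f2)
    if [ "${P1:=x}" = 0 ]; then
        echo "|Yes\c" >> "$LOGFILE"
    else
        echo "|No\c" >> "$LOGFILE"
    fi
else
    echo "|N/A\c" >> "$LOGFILE"
fi
}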
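cis42()
{
# 5. Check network parameters.
# Appends one field: Yes when /etc/rc.config.d/nddconf holds at least one
# line without "#", No when it holds none, N/A when the file is missing
# (keeps the column count fixed). Only the presence of settings is
# checked, not which ndd parameters are set or their values.
# Globals: LOGFILE (appended to), P1 (overwritten)
if [ -f /etc/rc.config.d/nddconf ]; then
    P1=$(grep -v "#" /etc/rc.config.d/nddconf)
    # Quoted: multi-line content is compared as one string rather than
    # tripping a `[` syntax error.
    if [ "${P1:=x}" = x ]; then
        echo "|No\c" >> "$LOGFILE"
    else
        echo "|Yes\c" >> "$LOGFILE"
    fi
else
    echo "|N/A\c" >> "$LOGFILE"
fi
# The closing brace was missing, which nested every later function inside
# cis42 and left the script with an unterminated function body.
}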

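cis61()
{
# 6. Check Trusted Mode.
# Appends one field: Yes when the /tcb directory exists, else No.
# NOTE(review): the directory's presence is used as the indicator of a
# trusted system; its contents are not inspected.
# Globals: LOGFILE (appended to; quoted so a path with spaces works)
if [ -d /tcb ]; then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}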
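cis63()
{
# 7. Prevent syslogd from accepting messages from the network.
# Appends one field: Yes when an uncommented SYSLOGD line in
# /etc/rc.config.d/syslogd has an "N" in its value, else No (also when
# the file is missing).
# NOTE(review): any "N" in the value matches, not only a -N option;
# confirm the flag on the target release.
# Globals: LOGFILE (appended to; quoted so a path with spaces works)
if grep SYSLOGD /etc/rc.config.d/syslogd | grep -v "#" | cut -d "=" -f 2 | grep "N" > /dev/null
then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}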
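cis64()
{
# 8. Disable XDMCP port.
# Appends one field: Yes only when /etc/dt/config/Xconfig sets
# "Dtlogin.requestPort: 0", the dtlogin resource that turns off the XDMCP
# listener; No otherwise, including when the file is missing.
# The original reported Yes as soon as the file existed, so a host with an
# Xconfig that leaves the port at its default was reported as compliant.
# Globals: LOGFILE (appended to)
if grep '^Dtlogin\.requestPort:[[:space:]]*0[[:space:]]*$' /etc/dt/config/Xconfig > /dev/null 2>&1
then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}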
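cis65()
{
# 9. Set default locking screensaver timeout.
# For every /usr/dt/config/<locale>/sys.resources, the matching
# /etc/dt/config/<locale>/sys.resources must exist and set both
# dtsession*saverTimeout and dtsession*lockTimeout. Appends Yes when all
# of them do, else No. With no CDE locale directory the glob stays
# literal and the result is No.
# NOTE(review): only the presence of the two resources is checked, not
# their values.
# Globals: LOGFILE (appended to), P1, file and dir (overwritten)
# P1 is reset first: the original reused whatever an earlier check left in
# it, and tested `-f` on the directory, which is never a regular file.
P1=""
for file in /usr/dt/config/*/sys.resources
do
    dir="$(dirname "$file" | sed 's|^/usr/|/etc/|')"
    if [ -f "${dir}/sys.resources" ]; then
        grep 'dtsession\*saverTimeout:' "${dir}/sys.resources" > /dev/null || P1="No"
        grep 'dtsession\*lockTimeout:' "${dir}/sys.resources" > /dev/null || P1="No"
    else
        P1="No"
    fi
done
if [ "${P1:=x}" = x ]; then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}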
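cis610()
{
# 10. Disable "nobody" access for secure RPC.
# Appends one field: Yes when an uncommented KEYSERV_OPTIONS line in
# /etc/rc.config.d/namesvrs has a "d" in its value, else No (also when the
# file is missing).
# NOTE(review): any "d" in the value matches, not only a -d option.
# Globals: LOGFILE (appended to; quoted so a path with spaces works)
if grep "KEYSERV_OPTIONS" /etc/rc.config.d/namesvrs | grep -v "#" | cut -d "=" -f2 | grep "d" > /dev/null
then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}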
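cis73()
{
# 11. Enable logging from inetd.
# Appends one field: Yes when an uncommented INETD_ARGS line in
# /etc/rc.config.d/netdaemons contains an "l", else No (also when the file
# is missing).
# NOTE(review): the whole line is searched for "l", so any argument
# containing that letter matches, not only a -l option.
# Globals: LOGFILE (appended to; quoted so a path with spaces works)
if grep INETD_ARGS /etc/rc.config.d/netdaemons | grep -v "#" | grep "l" > /dev/null
then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}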
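cis81()
{
# 12. Block system accounts.
# Appends one field: Yes when every listed account that exists in
# /etc/passwd has a login shell of "false" or a path ending in "/false",
# else No.
# Two defects made the original always answer No: the shell was compared
# with the bare word "false", so /usr/bin/false never matched, and an
# account missing from /etc/passwd counted as a failure.
# An existing account with an empty shell field still counts as a failure.
# NOTE(review): "nuuco" looks like a typo for "nuucp", and "asemon" may be
# site-specific; confirm the account list.
# Globals: LOGFILE (appended to), P1, P2 and i (overwritten)
P2=""
for i in uucp nuuco adm asemon bin lp
do
    if grep "^${i}:" /etc/passwd > /dev/null; then
        P1=$(grep "^${i}:" /etc/passwd | awk -F ":" '{print $7}')
        case "$P1" in
            false|*/false) ;;
            *) P2="No" ;;
        esac
    fi
done
if [ "${P2:=x}" = x ]; then
    echo "|Yes\c" >> "$LOGFILE"
else
    echo "|No\c" >> "$LOGFILE"
fi
}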
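cis83_result()
{
# Helper for cis83: print Yes when one getprdef field has the expected
# value, else No (also when getprdef fails or prints nothing).
# Arguments: $1 - getprdef option (-p or -t)
#            $2 - whitespace-separated field number to read
#            $3 - expected value, taken between "=" and ","
P1=$(/usr/lbin/getprdef "$1" | awk -v n="$2" '{print $n}' | cut -d "=" -f2 | cut -d "," -f1)
if [ "${P1:=x}" = "$3" ]; then
    echo "Yes"
else
    echo "No"
fi
}
cis83()
{
# 13. Test account security.
# Appends eight fields to $LOGFILE, one per default read from
# /usr/lbin/getprdef, and ends the record with a newline.
# NOTE(review): fields are picked by position in getprdef's output, so the
# labels below depend on that order; confirm both on the target release.
# The expected numbers are the values this script tests for.
# Globals: LOGFILE (appended to; quoted so a path with spaces works)
# Password life time #
echo "|$(cis83_result -p 3 100)\c" >> "$LOGFILE"
# Force password change #
echo "|$(cis83_result -p 2 90)\c" >> "$LOGFILE"
# Password expires warning days #
echo "|$(cis83_result -p 5 7)\c" >> "$LOGFILE"
# Prevent password change #
echo "|$(cis83_result -p 1 0)\c" >> "$LOGFILE"
# Terminal tries login #
echo "|$(cis83_result -t 2 10)\c" >> "$LOGFILE"
# Delay time out #
echo "|$(cis83_result -t 3 2)\c" >> "$LOGFILE"
# Switch user tries #
echo "|$(cis83_result -t 1 3)\c" >> "$LOGFILE"
# Login time out # (last field: no "\c", so the record ends here)
echo "|$(cis83_result -t 4 0)" >> "$LOGFILE"
}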
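#---- Main Function ----#
# Run the checks in a fixed order: each appends its fields to the single
# record in $LOGFILE, so the order defines the report's columns.
cis13 #-1-#
cis33 #-2-#
cis34 #-3-#
cis36 #-4-#
cis42 #-5-#
cis61 #-6-#
cis63 #-7-#
cis64 #-8-#
cis65 #-9-#
cis610 #-10-#
cis73 #-11-#
cis81 #-12-#
cis83 #-13-#
# Print the file that was written, by its full quoted path, rather than
# rebuilding a relative name from the host name.
cat "$LOGFILE"
#---- Main Function ----#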
