
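#!/bin/bash
# neoclova security hardening script for RHEL/CentOS 5.x and 6.x.
# It rewrites files under /etc and appends audit findings to $LOG, so it has
# to run as root. The interpreter is bash: the original "/bin/sh" shebang did
# not match the bash-only syntax used throughout (${var:0:1}, source, arrays).

LOGDIR=/root/neoclova/security/log
LOG=$LOGDIR/securetty_check.txt

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

mkdir -p "$LOGDIR"

# Major.minor release from /etc/redhat-release, e.g. 5.7 or 6.8. The dot is
# escaped so only a real "N.N" token matches; only the first match is kept.
RHR=$(grep -o '[0-9]\.[0-9]' /etc/redhat-release | head -n 1)
OSPKG=$(awk '{print $1}' /etc/redhat-release) # result CentOS or Red (not referenced further on in the script as shown)
OSVER=${RHR:0:1}                               # result 5 or 6

# Every version-specific step below only knows 5.x and 6.x; stop here rather
# than apply a half-hardened configuration to an unknown release.
case "$OSVER" in
  5|6) ;;
  *)
    printf '%s: unsupported release "%s" in /etc/redhat-release\n' "${0##*/}" "$RHR" >&2
    exit 1
    ;;
esac

# Start a fresh report for this run (same leading blank line as before).
echo "" > "$LOG"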

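# 1-1. Restrict root account remote access
#
# /etc/securetty lists the terminals on which root may log in. With
# "auth required pam_securetty.so" in the login stack, a root login on a tty
# that is not listed is refused (if the file exists). A "pts/N" entry would
# admit root over Telnet-style pseudo terminals regardless of the remaining
# PAM settings, so the file is replaced outright with local console entries.
# NOTE(review): this also drops serial consoles (ttyS*) and vc/* entries if
# the host relies on them — confirm before rolling out.

# Keep the first backup taken; re-running the script must not overwrite the
# pristine copy with an already hardened one.
[ -e /etc/securetty.bak ] || cp -p /etc/securetty /etc/securetty.bak

# Quoted delimiter: the body is literal, nothing is expanded.
cat << 'XYZ' > /etc/securetty
console
tty1
tty2
tty3
XYZ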

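## 1-2. Set password complexity
#
# In 5.x every rule lives in /etc/pam.d/system-auth. 6.x subdivided the
# stack: remote services such as sshd and vsftpd (and, perhaps surprisingly,
# X-windows access) include /etc/pam.d/password-auth instead, so the same
# pam_cracklib arguments must be added to both files there.
#
# Arguments added: lcredit/ucredit/dcredit/ocredit=-1 require at least one
# lowercase, uppercase, digit and other character respectively.
#
# The stock line is "password requisite pam_cracklib.so try_first_pass
# retry=3" (6.x appends "type="); the fields are separated by runs of
# spaces, so any whitespace is matched rather than a single space. A file
# that already carries the credit settings is skipped, which keeps reruns
# from stacking duplicate arguments.
case "$OSVER" in
  5) pam_files=(/etc/pam.d/system-auth) ;;
  6) pam_files=(/etc/pam.d/system-auth /etc/pam.d/password-auth) ;;
  *) pam_files=() ;;
esac

for pam_file in "${pam_files[@]}"; do
  [ -f "$pam_file" ] || continue
  if grep -q 'pam_cracklib\.so.*lcredit=' "$pam_file"; then
    continue
  fi
  [ -e "$pam_file.bak" ] || cp -p "$pam_file" "$pam_file.bak"
  sed -i \
    's/^\(password[[:space:]]\{1,\}requisite[[:space:]]\{1,\}pam_cracklib\.so[[:space:]]\{1,\}try_first_pass[[:space:]]\{1,\}retry=3\)\([[:space:]]\{1,\}type=\)\{0,1\}/\1 type= lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1/' \
    "$pam_file"
done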

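## 1-3. Account lockout threshold setting
#
# pam_tally2 counts failed logins and refuses further attempts once the
# counter reaches deny=5. No unlock_time is given, so a locked account stays
# locked until an administrator resets the counter (pam_tally2 -r -u USER)
# — keep that in mind on a host without console access.
#
# The rules are inserted by position: before line 5 of the auth stack and
# before line 11 (5.x) / 12 (6.x) of the account stack, counted after the
# first insertion, which matches the stock authconfig layout.
# NOTE(review): perl inserts blindly at $. and will land in the wrong stack
# on a hand-edited file — verify the offsets before running on such a host.
# perl -i rewrites the file in place; if system-auth is a symlink to
# system-auth-ac (the authconfig default) the link becomes a regular file,
# which is what protects the edit from the next authconfig run.
case "$OSVER" in
  5)
    account_line=11
    pam_files=(/etc/pam.d/system-auth)
    ;;
  6)
    account_line=12
    pam_files=(/etc/pam.d/system-auth /etc/pam.d/password-auth)
    ;;
  *)
    account_line=''
    pam_files=()
    ;;
esac

for pam_file in "${pam_files[@]}"; do
  [ -f "$pam_file" ] || continue
  # Checked per file, so password-auth is still handled when only
  # system-auth already carries the module.
  if grep -q 'tally2\.so' "$pam_file"; then
    continue
  fi
  [ -e "$pam_file.bak" ] || cp -p "$pam_file" "$pam_file.bak"
  perl -p -i -e '$. == 5 and print "auth required pam_tally2.so deny=5\n"' "$pam_file"
  ACCOUNT_LINE=$account_line \
    perl -p -i -e '$. == $ENV{ACCOUNT_LINE} and print "account required pam_tally2.so\n"' "$pam_file"
done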

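## 1-5. Prevent non-root UID 0
#
# Every account with UID 0 is root, whatever it is called; list any such
# account other than "root" itself. The previous grep chain only caught
# accounts with a bash shell and dropped any line containing "root"
# anywhere, so a UID 0 account with another shell, or one named e.g.
# "groot", was missed. Section 9 below deliberately creates such an
# account (funact); it will appear in this report.
{
  echo ""
  echo "# /etc/passwd 0 uid check"
  awk -F: '$3 == 0 && $1 != "root" { print }' /etc/passwd
  echo ""
} >> "$LOG"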

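## 1-7, 1-8, 1-9 Password Setting
#
# Minimum length 8, maximum age 90 days, minimum age 1 day. Each rule is
# matched on its key alone, so a file whose current values differ from the
# shipped defaults (5 / 99999 / 0) is still updated. The ageing values in
# login.defs apply to accounts created afterwards; existing users keep their
# current ageing until it is changed with chage.
[ -e /etc/login.defs.bak ] || cp -p /etc/login.defs /etc/login.defs.bak
sed -i \
  -e 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN\t8/' \
  -e 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS\t90/' \
  -e 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS\t1/' \
  /etc/login.defs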

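## 1-14. User Shell check ( bash > false, nologin )
#
# Record every non-root account that still has a bash login shell; these
# are candidates for /bin/false or /sbin/nologin. The test is on the shell
# field itself, so a user name containing "bash" or "root" no longer
# distorts the list.
{
  echo ""
  echo "# bash -> false or nologin"
  awk -F: '$7 ~ /bash/ && $1 != "root" { print }' /etc/passwd
  echo ""
} >> "$LOG"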

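## 1-15. Session Timeout Setting
#
# Idle shells are closed after TMOUT seconds (14400 = 4 hours). Any existing
# TMOUT / TIMEOUT line is removed first so that the value below is the one
# in effect. The earlier version moved /etc/profile aside and only restored
# it in three of the four combinations — a profile mentioning both TMOUT
# and TIMEOUT was left missing; every case is now handled the same way.
# NOTE(review): without "readonly TMOUT" a user can unset the limit in
# their own shell; that is unchanged from the original setting.
[ -e /etc/profile.bak ] || cp -p /etc/profile /etc/profile.bak
sed -i -e '/TMOUT/d' -e '/TIMEOUT/d' /etc/profile
{
  echo ""
  echo "TMOUT=14400"
  echo "export TMOUT"
} >> /etc/profile
# No "source /etc/profile" here: it would only set TMOUT inside this
# non-interactive script (and re-run /etc/profile.d/*); new logins pick the
# value up on their own.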

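## 2-2. File and Directory Owner Setting
#
# Files whose owner or group no longer exists in passwd/group are logged
# for review (they usually belong to a deleted account). The kernel pseudo
# file systems are pruned; they hold no real files and only add noise. The
# two leading "echo" lines previously went to stdout instead of the log.
{
  echo ""
  echo "# Nouser file check"
  find / \( -path /proc -o -path /sys \) -prune -o -nouser -print
  echo ""
  echo ""
  echo "# Nogroup file check"
  find / \( -path /proc -o -path /sys \) -prune -o -nogroup -print
  echo ""
} >> "$LOG"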

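## 2-5. /etc/hosts File Owner, Permission Setting
#
# NOTE(review): mode 600 is what the checklist item asks for, but it also
# stops every non-root process from reading /etc/hosts, so name lookups
# that depend on local entries fail for unprivileged services. Confirm this
# is acceptable on the host; 644 keeps the file root-owned and unwritable by
# others while staying readable.
[ -e /etc/hosts.bak ] || cp -p /etc/hosts /etc/hosts.bak
chown root /etc/hosts
chmod 600 /etc/hosts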

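## 2-6. xinetd.conf and xinetd.d Owner, Permission Setting
#
# On 5.x the shipped xinetd.conf is mode 644 and is tightened to 600; on
# 6.x it already is, so only the per-service files in /etc/xinetd.d are
# handled there. Each step is skipped cleanly when xinetd is not installed
# instead of chmod'ing a literal "/etc/xinetd.d/*" and printing errors.

# Back up /etc/xinetd.d once and remove group/other access from every
# service definition in it.
tighten_xinetd_d() {
  local svc_file
  [ -d /etc/xinetd.d ] || return 0
  [ -e /etc/xinetd.d.bak ] || cp -rp /etc/xinetd.d/ /etc/xinetd.d.bak
  for svc_file in /etc/xinetd.d/*; do
    [ -e "$svc_file" ] || continue   # unmatched glob stays literal
    chmod 600 "$svc_file"
  done
}

case "$OSVER" in
  5)
    if [ -f /etc/xinetd.conf ]; then
      [ -e /etc/xinetd.conf.bak ] || cp -p /etc/xinetd.conf /etc/xinetd.conf.bak
      chmod 600 /etc/xinetd.conf
    fi
    tighten_xinetd_d
    ;;
  6)
    tighten_xinetd_d
    ;;
esac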

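## 2-9. SUID, SGID check
#
# Root-owned set-uid / set-gid regular files are logged for review; anything
# not on the distribution's expected list deserves a look. /proc and /sys
# are pruned: they hold no regular files of interest and slow the scan down.
{
  echo ""
  echo "# SUID"
  find / \( -path /proc -o -path /sys \) -prune -o -user root -type f -perm -04000 -print
  echo ""
  echo "# SGID"
  find / \( -path /proc -o -path /sys \) -prune -o -user root -type f -perm -02000 -print
} >> "$LOG"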

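## 2-10. Set up your system startup files and environment file owner and
##       permissions
#
# For each listed user, every file under the home directory whose name
# contains "bash" (.bashrc, .bash_profile, .bash_history, ...) is backed
# up, chowned to the user and stripped of group/other write permission, so
# that nobody else can plant commands in a login script. Environment files
# shipped with the OS are 644 or 600 — never writable by others.
#
# The account list used to be the literal "changhee"; it now comes from the
# ENVFILE_USERS environment variable (space separated), defaulting to that
# same name so existing use is unchanged. NOTE(review): confirm whether this
# step was meant to cover every interactive user rather than one account.
ENVFILE_USERS=${ENVFILE_USERS:-changhee}

for pwd_user in $ENVFILE_USERS; do   # intentionally unquoted: space-separated list
  # Exact match on the login name; "grep ^changhee" also matched any longer
  # name starting with it.
  home_dir=$(awk -F: -v u="$pwd_user" '$1 == u { print $6; exit }' /etc/passwd)
  if [ -z "$home_dir" ] || [ ! -d "$home_dir" ]; then
    printf 'skipping %s: no usable home directory in /etc/passwd\n' "$pwd_user" >&2
    continue
  fi
  # NUL-delimited so odd file names survive the loop; the .bak copies made
  # by an earlier run are excluded so they do not get backed up again.
  find "$home_dir" -name '*bash*' ! -name '*.bak' -print0 |
    while IFS= read -r -d '' env_file; do
      [ -e "$env_file.bak" ] || cp -arp "$env_file" "$env_file.bak"
      chown "$pwd_user" "$env_file"
      chmod g-w,o-w "$env_file"
    done
done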

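## 2-11. World writable file check
#
# Log every world-writable object except symbolic links (their mode is
# meaningless) and anything under /proc. The listing previously went to
# stdout rather than the log, so it never reached the report; and "grep -v
# proc" also dropped any path that merely contained the word.
{
  echo ""
  echo "# World writeable file check!"
  echo ""
  find / -path /proc -prune -o -perm -2 ! -type l -ls
  echo ""
} >> "$LOG"

# Left for manual use: clearing the bit wholesale also hits /tmp, sockets
# and device nodes, so it is not done automatically.
#for FILENAME in $(find / -perm -2 -ls)
#do
# chmod o-w $FILENAME
#done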
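## 2-12. Check device files that do not exist in /dev
#
# Regular files under /dev are suspicious: the tree should hold only device
# nodes, directories and symlinks. Listed with ls -l, one process per batch
# of files rather than one per file.
{
  echo ""
  echo ""
  echo "# Check device files that do not exist in /dev"
  echo ""
  find /dev -type f -exec ls -l -- {} +
} >> "$LOG"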

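## 3-2. Anonymous FTP service disabled
#
# vsftpd treats a missing anonymous_enable as YES, so merely rewriting an
# existing "=YES" line is not enough: when the key is absent or commented
# out, an explicit "anonymous_enable=NO" is appended. Skipped when vsftpd
# is not installed.
vsftpd_conf=/etc/vsftpd/vsftpd.conf
if [ -f "$vsftpd_conf" ]; then
  [ -e "$vsftpd_conf.bak" ] || cp -arp "$vsftpd_conf" "$vsftpd_conf.bak"
  if grep -q '^anonymous_enable=' "$vsftpd_conf"; then
    sed -i 's/^anonymous_enable=.*/anonymous_enable=NO/' "$vsftpd_conf"
  else
    echo "anonymous_enable=NO" >> "$vsftpd_conf"
  fi
fi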

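## 3-29. At File Owner and Permission Settings
#
# /etc/at.deny controls who may not use at(1). On 5.x it ships as 600, so
# only the owner is (re)asserted; on 6.x it ships as 644 and is tightened
# to 640. Nothing is done when the file is absent.
if [ -f /etc/at.deny ]; then
  case "$OSVER" in
    5)
      chown root /etc/at.deny
      ;;
    6)
      chown root /etc/at.deny
      chmod 640 /etc/at.deny
      ;;
  esac
fi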

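## 3-32. Provide warning message at logon
#
# /etc/motd      : shown after login
# /etc/issue.net : shown on Telnet (remote) login
# /etc/issue     : shown on console login
# sshd shows none of these by itself; it needs "Banner /etc/issue" in
# /etc/ssh/sshd_config, which is enabled below.
#
# The banners are written with printf rather than "echo -e": echo's escape
# handling is not portable, and the old '! "' spacing trick is unnecessary
# because history expansion (what "!" would trigger) is off in a
# non-interactive shell. The texts themselves are unchanged.
for banner_file in /etc/ssh/sshd_config /etc/issue /etc/issue.net /etc/motd; do
  [ -e "$banner_file" ] || continue
  [ -e "$banner_file.bak" ] || cp -arp "$banner_file" "$banner_file.bak"
done

printf '%s\n' 'Please prohibit unauthorized access! ' > /etc/issue
printf '%s\n' 'Please prohibit unauthorized access! ' > /etc/issue.net
printf '%s\n%s\n' 'Welcome! This is SPC Networks.' 'Have a nice day! ' > /etc/motd

# The commented-out Banner line differs between releases: "#Banner none" on
# 6.x, "#Banner /some/path" on 5.x. An already active Banner line is left
# as it is.
case "$OSVER" in
  6) sed -i 's|^#Banner none|Banner /etc/issue|' /etc/ssh/sshd_config ;;
  5) sed -i 's|^#Banner /some/path|Banner /etc/issue|' /etc/ssh/sshd_config ;;
esac

# "/usr/sbin/sshd stop" / "start" is not a valid invocation — the daemon
# takes no such arguments — so the edited config never became active.
# Validate the file first so that a broken sshd_config cannot lock us out,
# then restart through the init script.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; sshd NOT restarted\n' >&2
fi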

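################################################
############ 3.Daemon Arrangement ###########
################################################
#
# Every service known to chkconfig is switched off at boot, then the allow
# list is switched back on. The "xinetd based services:" header line in the
# --list output also yields "xinetd", so xinetd is turned off and then on
# again by the allow list.
# NOTE(review): iptables/ip6tables are not in the allow list, so the host
# firewall is disabled at boot by this step — confirm that is intended.
while IFS= read -r svc_name; do
  [ -n "$svc_name" ] || continue
  chkconfig "$svc_name" off
done < <(chkconfig --list | awk '{print $1}' | cut -d : -f 1)

## RHEL6
# The list is written for 6.x (rsyslog, udev-post, ...) and, as before, is
# applied on every release. NOTE(review): on 5.x several of these names do
# not exist (the logger there is "syslog"); chkconfig only reports an error
# for each, so check `chkconfig --list` afterwards on a 5.x host. The list
# can be overridden with KEEP_DAEMONS (space separated) without editing
# the script.
daemon=${KEEP_DAEMONS:-"acpid auditd udev-post haldaemon vsftpd sshd xinetd rsyslog snmpd sysstat systemtap portreserve network messagebus kdump irqbalance ntpd crond hp-ams hp-asrd hp-health hpsmhd tg3sd"}
for svc_name in $daemon; do   # intentionally unquoted: space-separated list
  chkconfig "$svc_name" on
done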

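################################################
########### 7.NTP ##########################
################################################
# Comment out every shipped "server" line and point ntpd at the two
# configured time sources. Guarded so that a rerun does not append the same
# servers again (and does not comment out the ones added earlier). ntpd
# reads the file at start-up, so the change applies on its next restart; it
# is enabled in the daemon list above.
if [ -f /etc/ntp.conf ]; then
  [ -e /etc/ntp.conf.bak ] || cp -p /etc/ntp.conf /etc/ntp.conf.bak
  if ! grep -qxF 'server 203.248.240.140' /etc/ntp.conf; then
    perl -pi -e 's/^server/#server/g' /etc/ntp.conf
    echo "server 203.248.240.140" >> /etc/ntp.conf
    echo "server 141.223.182.106" >> /etc/ntp.conf
  fi
fi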

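################################################
############ 9.funact use add ##############
################################################
#
# Creates "funact" as a second UID 0 / GID 0 account (-o permits the
# duplicate id). NOTE(review): this is exactly what check 1-5 above reports
# as a finding — a UID 0 account shares root's identity in every permission
# check. Confirm it is really required; a normal account with sudo is the
# usual alternative.
#
# The password used to be a literal in this script, i.e. present in every
# copy, backup and revision of it. It is now taken from the FUNACT_PASSWORD
# environment variable and handed to passwd on stdin so it never appears on
# a command line; when the variable is unset the step is skipped with a
# warning rather than creating an account with a known password. The
# profile lines are only appended once.
if [ -z "${FUNACT_PASSWORD:-}" ]; then
  printf 'FUNACT_PASSWORD is not set; skipping funact account setup\n' >&2
else
  if ! id funact >/dev/null 2>&1; then
    useradd -u 0 -g 0 -o funact
  fi
  printf '%s\n' "$FUNACT_PASSWORD" | passwd --stdin funact

  funact_profile=/home/funact/.bash_profile
  grep -qs '^LANG=C$' "$funact_profile" || echo "LANG=C" >> "$funact_profile"
  grep -qs '^TERM=vt100$' "$funact_profile" || echo "TERM=vt100" >> "$funact_profile"
fi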

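################################################
############ 10.history time ###############
################################################
# Larger shell history with a timestamp on every entry, so commands in
# ~/.bash_history can be correlated with other logs. Appended only when not
# already present; otherwise every run would add another copy.
if ! grep -q '^HISTTIMEFORMAT=' /etc/profile; then
  cat << 'EOF' >> /etc/profile
HISTSIZE=5000
HISTTIMEFORMAT='%F %T '
export HISTSIZE HISTTIMEFORMAT
EOF
fi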
