Hardening Linux com shell [RESOLVIDO]

* O script deve ser executado como root
* Deve ser descompactado em /tmp/;

Description:

- Bloqueia a utilização de rlogin, rsh, rexec ou rcp sem o uso de passwd;
- Bloqueia a utilização de user e senha no arquivo de configuração netrc (usado por serviço de ftp);
- Muda o permissionamento de arquivos SUID (buffer overflow exploit/hijack de permissão root);
- Restringe alteração de logs por usuários comuns (permanece o owner);
- Bloqueia usuários de sistema não utilizados;
- Restringe a utilização do su;
- Contra-medida "SYN cookie" para o "SYN flood";
- Restrigne a utilização do GNU Compiler Collectino para g+o;
- Habilita o "ignore broadcast request" por ICMP;
- Habilita para que somente o owner do arquivo ou dir possa remover ou renomear arquivos em diretórios temporários;
- Desabilita o trap de cntrl+alt+del para shutdown;
- Habilita proteção contra o IP spoofing;
- Loga pacotes que não contém informações de origem;
- Restringe a utilização de serviços agendados (crontab+at) somente para o root;
- Previne a alteração da routing table utilizando ICMP redirect;
- Remove permissão de escrita de usuários comuns no diretório /etc;
- Adiciona restrição de valores umask defaults;
- Adiciona o disclaimer da organização;
- Aumenta a complexidade de passwd, adiciona um lockout threshold, lembra as últimas 10 alterações de senha e cria um controle de idade da senha;
- Configura permissão do logrotate (utmp).

Caio Ribeiro César
#CaiO

Segue o código!

#!/bin/bash

#CaiO

#Remove unnecessary SUID Files (hijack root using SUID privileges/buffer overflow)
/usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >/tmp/suidfiles.txt
/bin/chmod -s /usr/bin/chsh /usr/bin/gpasswd /usr/bin/chfn /usr/bin/wall /usr/bin/screen /usr/bin/rcp /usr/bin/rsh /sbin/umount.nfs4 /sbin/mount.nfs /sbin/umount.nfs /sbin/mount.nfs4 /bin/ping /bin/ping6 /bin/umount /bin/mount

# Disable trusted relation
/bin/echo >/etc/hosts.equiv
/bin/echo >/etc/.netrc
/bin/echo >/etc/.rhosts
/bin/echo > ~/.rhosts
/bin/chmod 400 /etc/hosts.equiv
/bin/chmod 400 /etc/.netrc
/bin/chmod 400 /etc/.rhosts
/bin/chmod 400 ~/.rhosts

# Restrict read and write in the audit files
for a in /var/log/*; do [ -f $a ] && chmod 600 $a; [ -d $a ] && chmod 700 $a; done

# Lock system users passwords
/usr/sbin/usermod -L bin
/usr/sbin/usermod -L daemon
/usr/sbin/usermod -L adm
/usr/sbin/usermod -L lp
/usr/sbin/usermod -L mail
/usr/sbin/usermod -L news
/usr/sbin/usermod -L uucp
/usr/sbin/usermod -L operator
/usr/sbin/usermod -L games
/usr/sbin/usermod -L gopher
/usr/sbin/usermod -L rpm
/usr/sbin/usermod -L dbus
/usr/sbin/usermod -L avahi
/usr/sbin/usermod -L mailnull
/usr/sbin/usermod -L smmsp
/usr/sbin/usermod -L nscd
/usr/sbin/usermod -L haldaemon
/usr/sbin/usermod -L ntp
/usr/sbin/usermod -L pcap

# Restrict SU command
/bin/echo 'auth required pam_wheel.so use_uid' >> /etc/pam.d/su

# SYN floods (instead of using recent or limit)
count=`grep "net.ipv4.tcp_syncookies=1" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.tcp_syncookies=1 >>/etc/sysctl.conf
fi

# Restrict CC/GCC usr
/bin/chmod go-rwx /usr/bin/gcc

# Block Broadcast response
count=`grep "net.ipv4.icmp_/bin/echo_ignore_broadcasts=1" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.icmp_/bin/echo_ignore_broadcasts=1 >>/etc/sysctl.conf
fi

# Configure Sticky bit in temporary directories
/bin/chmod 1777 /var/tmp /tmp

# Restrict "Ctrl+Alt+Del" command
cat /etc/inittab | sed 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/' >>/tmp/inittab.new
rm -f /etc/inittab
mv /tmp/inittab.new /etc/inittab

# Block interface spoof
count=`grep "net.ipv4.conf.all.rp_filter=1" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.conf.all.rp_filter=1 >>/etc/sysctl.conf
fi

# Block package routing between interfaces (still IP Spoofing)
count=`grep "net.ipv4.conf.all.forwarding=0" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.conf.all.forwarding=0 >>/etc/sysctl.conf
fi

# Block packages with source-route (still IP Spoofing)
count=`grep "net.ipv4.conf.all.accept_source_route=0" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.conf.all.accept_source_route=0 >>/etc/sysctl.conf
fi

# Log suspicious packages
count=`grep "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.conf.all.log_martians=1 >>/etc/sysctl.conf
fi

# Restrict crontab access only for super users
/bin/echo root >/etc/cron.allow

# Restrict at only for super-users
/bin/echo root >/etc/at.allow

# Disable ICMP routing redirects
count=`grep "net.ipv4.conf.all.accept_redirects=0" /etc/sysctl.conf | wc -l`
if test ! $count -eq 0
then
echo
else
echo net.ipv4.conf.all.accept_redirects=0 >>/etc/sysctl.conf
fi

# Remove write permission to "others" in the directory /etc
/bin/chmod -fR o-w /etc/*

# Define restricted default umask
echo 'if [ `id -u` != 0 ]; then umask 027; else umask 077; fi' >> /etc/bashrc

# Apple Parameters Kernel Changes
/sbin/sysctl -p /etc/sysctl.conf

# Add disclaimer
/bin/echo "The information on this computer and network is the property of XXXXXXXXX and is protected by intellectual property rights.

Your activities will be monitored and logged, be aware that you must be assigned an account on this computer to access information and are only allowed
to access information defined by the information security team.
" >> /tmp/testediscl

# Enforce password history = 10 last passwords in system-auth-ac
# Password Complexity
# Account Lockout Threshold = 3 invalid login attempts
# Password aging controls
mv -f /tmp/baseline/system-auth-ac /etc/pam.d/
chown root.root /etc/pam.d/system-auth-ac
chmod 644 /etc/pam.d/system-auth-ac
mv -f /tmp/baseline/login.defs /etc/
chown root.root /etc/login.defs
chmod 644 /etc/login.defs

# Configure logrotate perm

mv -f /tmp/logrotate.conf /etc/
chown root.root /etc/logrotate.conf
chmod 644 /etc/logrotate.conf

Kra, se vc quiser postar isso como dica, o local correto não é por aki. Lá no final da página do site tem a linha "Contribuir com" e o link "dica". Clique nesse link e poste a sua dica.

Estes são os arquivos que ele faz referência na hora de mover e permission.

logrotate.conf [salve como um novo arquivo e adicione na pasta que vc criar]

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0640 root utmp
rotate 1
}

# system-specific logs may be also be configured here.

/etc/logrotate.d {
monthly
minsize 1M
create 0600
rotate 1
}


------------------------

login.defs [mesma coisa]

# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 45
PASS_MIN_DAYS 2
PASS_MIN_LEN 8
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000

#

------------------------


system-auth-ac [igual]

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally.so deny=3 unlock_time=60 magic_root

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 difok=4 minlen=8 lcredit=0 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so remember=10 md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so