#!/bin/bash
# Abort unless running as root: every remediation below edits files under /etc
# and changes live system state, which needs uid 0.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s\n' "This script must be run as root. Exiting."
  exit 1
fi
# Per-run log written by log_message(); the path is relative to the current
# working directory of whoever launched the script.
LOGFILE="stig_medium.log"
# Start every run with an empty logfile.
: > "$LOGFILE"
#######################################
# Append one result line for a STIG check to $LOGFILE.
# Globals:   LOGFILE (read)
# Arguments: $1 calling function name, $2 vulnerability id, $3 rule id,
#            $4 free-text message
# Outputs:   nothing on stdout; one line appended to $LOGFILE
#######################################
log_message() {
  local caller=$1 vuln=$2 rule=$3 text=$4
  printf '%s: Vuln_ID: %s Rule_ID: %s | %s\n' "$caller" "$vuln" "$rule" "$text" >> "$LOGFILE"
}
#######################################
# Write the Standard Mandatory DOD Notice and Consent Banner to /etc/issue and
# log whether the file now holds exactly that text.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
configure_logon_banner() {
  local function_name="configure_logon_banner"
  local vuln_id="V-261265"
  local rule_id="SV-261265r996289"
  local issue_file="/etc/issue"
  local banner_text="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
  local written outcome
  # Overwrite the file; tee's copy on stdout is discarded.
  printf '%s\n' "$banner_text" | tee "$issue_file" > /dev/null
  # $(< file) strips the trailing newline, so an exact comparison is expected to hold.
  written=$(< "$issue_file")
  if [[ "$written" == "$banner_text" ]]; then
    outcome="Standard Mandatory DOD Notice and Consent Banner has been configured successfully in $issue_file."
  else
    outcome="Failed to configure the Standard Mandatory DOD Notice and Consent Banner in $issue_file. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Persist kernel.dmesg_restrict=1 in /etc/sysctl.conf, remove competing
# definitions from the sysctl drop-in directories, reload, and log the result.
# Arguments: none
# Outputs:   one result line via log_message; tee/sysctl output on stdout
#######################################
restrict_kernel_message_buffer() {
  local function_name="restrict_kernel_message_buffer"
  local vuln_id="V-261269"
  local rule_id="SV-261269r996301"
  local sysctl_conf_file="/etc/sysctl.conf"
  local sysctl_conf_dirs=("/run/sysctl.d/" "/etc/sysctl.d/" "/usr/local/lib/sysctl.d/" "/usr/lib/sysctl.d/" "/lib/sysctl.d/")
  local kernel_param="kernel.dmesg_restrict = 1"
  local conf_dir outcome
  # Replace an existing setting in place, otherwise append one.
  if grep -q "^kernel.dmesg_restrict" "$sysctl_conf_file"; then
    sed -i 's/^kernel.dmesg_restrict.*/'"$kernel_param"'/' "$sysctl_conf_file"
  else
    echo "$kernel_param" | tee -a "$sysctl_conf_file"
  fi
  # Drop the parameter from every drop-in so the value in /etc/sysctl.conf is
  # the only one. NOTE(review): /usr/lib and /lib drop-ins are package-owned;
  # a package update may restore them -- confirm this is acceptable.
  for conf_dir in "${sysctl_conf_dirs[@]}"; do
    [[ -d "$conf_dir" ]] && find "$conf_dir" -type f -exec sed -i '/^kernel.dmesg_restrict/d' {} \;
  done
  sysctl --system
  if [[ "$(sysctl -n kernel.dmesg_restrict)" -eq 1 ]]; then
    outcome="Kernel message buffer access has been restricted successfully."
  else
    outcome="Failed to restrict kernel message buffer access. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
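#######################################
# Disable kdump.service unless it is already disabled, masked, or not installed.
# A masked unit cannot start, so it satisfies the check as well as "disabled";
# a unit that is not installed has nothing to disable and is not a finding.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
disable_kdump_service() {
  local function_name="disable_kdump_service"
  local vuln_id="V-261270"
  local rule_id="SV-261270r996860"
  local unit_state
  unit_state=$(systemctl is-enabled kdump.service 2>/dev/null)
  case "$unit_state" in
    disabled|masked)
      log_message "$function_name" "$vuln_id" "$rule_id" "kdump.service is already disabled."
      return 0
      ;;
    "")
      # is-enabled printed nothing on stdout; this is what an unknown unit looks
      # like once stderr is discarded -- TODO confirm on the target systemd version.
      log_message "$function_name" "$vuln_id" "$rule_id" "kdump.service is not installed; nothing to disable."
      return 0
      ;;
  esac
  systemctl disable kdump.service
  unit_state=$(systemctl is-enabled kdump.service 2>/dev/null)
  if [[ "$unit_state" == "disabled" || "$unit_state" == "masked" ]]; then
    log_message "$function_name" "$vuln_id" "$rule_id" "kdump.service has been disabled successfully."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable kdump.service. This is a finding."
  fi
}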
#######################################
# Enable full address space layout randomization (kernel.randomize_va_space=2)
# for the running kernel, persist it in /etc/sysctl.d/99-stig.conf, and log.
# Arguments: none
# Outputs:   one result line via log_message; tee/sysctl output on stdout
#######################################
configure_aslr() {
  local function_name="configure_aslr"
  local vuln_id="V-261271"
  local rule_id="SV-261271r996306"
  local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
  local kernel_param="kernel.randomize_va_space=2"
  local outcome
  # Apply to the running kernel first, then make it survive a reboot.
  sysctl -w kernel.randomize_va_space=2
  if grep -q "^kernel.randomize_va_space" "$sysctl_conf_file"; then
    sed -i 's/^kernel.randomize_va_space.*/'"$kernel_param"'/' "$sysctl_conf_file"
  else
    echo "$kernel_param" | tee -a "$sysctl_conf_file"
  fi
  sysctl --system
  if [[ "$(sysctl -n kernel.randomize_va_space)" -eq 2 ]]; then
    outcome="ASLR has been configured successfully."
  else
    outcome="Failed to configure ASLR. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Set kernel.kptr_restrict=1 so kernel pointers are hidden from unprivileged
# readers, persist it in /etc/sysctl.d/99-stig.conf, and log the result.
# Arguments: none
# Outputs:   one result line via log_message; tee/sysctl output on stdout
#######################################
configure_kernel_address_leak_prevention() {
  local function_name="configure_kernel_address_leak_prevention"
  local vuln_id="V-261272"
  local rule_id="SV-261272r996309"
  local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
  local kernel_param="kernel.kptr_restrict=1"
  local outcome
  # Apply to the running kernel first, then make it survive a reboot.
  sysctl -w kernel.kptr_restrict=1
  if grep -q "^kernel.kptr_restrict" "$sysctl_conf_file"; then
    sed -i 's/^kernel.kptr_restrict.*/'"$kernel_param"'/' "$sysctl_conf_file"
  else
    echo "$kernel_param" | tee -a "$sysctl_conf_file"
  fi
  sysctl --system
  if [[ "$(sysctl -n kernel.kptr_restrict)" -eq 1 ]]; then
    outcome="Kernel address leak prevention has been configured successfully."
  else
    outcome="Failed to configure kernel address leak prevention. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
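#######################################
# Install all applicable patches with zypper and log the result.
# The script is unattended, so zypper is run non-interactively (matching the
# "-y" used for package installs elsewhere in this file); a plain "zypper patch"
# may stop at a confirmation prompt and never return.
# Arguments: none
# Outputs:   one result line via log_message; zypper output on stdout
#######################################
install_slem_patches() {
  local function_name="install_slem_patches"
  local vuln_id="V-261273"
  local rule_id="SV-261273r996311"
  if zypper --non-interactive patch; then
    log_message "$function_name" "$vuln_id" "$rule_id" "SLEM 5 patches have been installed successfully."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to install SLEM 5 patches. This is a finding."
  fi
}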
#######################################
# Set solver.upgradeRemoveDroppedPackages = true in /etc/zypp/zypp.conf so
# packages dropped by an upgrade are removed, and log the result.
# Arguments: none
# Outputs:   one result line via log_message; tee output on stdout
#######################################
configure_remove_outdated_software() {
  local function_name="configure_remove_outdated_software"
  local vuln_id="V-261275"
  local rule_id="SV-261275r996314"
  local zypp_conf_file="/etc/zypp/zypp.conf"
  local config_line="solver.upgradeRemoveDroppedPackages = true"
  local outcome
  # Replace an existing (uncommented) setting in place, otherwise append one.
  if grep -q "^solver.upgradeRemoveDroppedPackages" "$zypp_conf_file"; then
    sed -i 's/^solver.upgradeRemoveDroppedPackages.*/'"$config_line"'/' "$zypp_conf_file"
  else
    echo "$config_line" | tee -a "$zypp_conf_file"
  fi
  # Re-read the key; only the exact expected line counts as configured.
  if [[ "$(grep "^solver.upgradeRemoveDroppedPackages" "$zypp_conf_file")" == "$config_line" ]]; then
    outcome="Configured to remove outdated software components after an update in $zypp_conf_file."
  else
    outcome="Failed to configure removal of outdated software components in $zypp_conf_file. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Install the kbd package (provides vlock for console locking) and log the result.
# Arguments: none
# Outputs:   one result line via log_message; zypper output on stdout
#######################################
install_kbd_package() {
  local function_name="install_kbd_package"
  local vuln_id="V-261276"
  local rule_id="SV-261276r996316"
  local outcome="kbd package has been installed successfully."
  zypper in -y kbd || outcome="Failed to install kbd package. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
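#######################################
# Add the nosuid mount option to NFS entries in /etc/fstab and log the result.
# Fixes two defects of the earlier version: the verification piped "grep -q"
# into a second grep (grep -q prints nothing, so it always reported a finding),
# and re-running produced "defaults,nosuid,nosuid" because nosuid was appended
# unconditionally.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
configure_fstab_nosuid_nfs() {
  local function_name="configure_fstab_nosuid_nfs"
  local vuln_id="V-261281"
  local rule_id="SV-261281r996326"
  local fstab_file="/etc/fstab"
  # Uncommented entries whose filesystem-type field is nfs or nfs4; a bare
  # "nfs" substring match also hit comments and unrelated paths.
  local nfs_entry_re='^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+[^[:space:]]+[[:space:]]+nfs4?[[:space:]]'
  if ! grep -Eq "$nfs_entry_re" "$fstab_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "No NFS file systems found in /etc/fstab."
    return 0
  fi
  # Append nosuid only where it is missing. Entries without a "defaults"
  # keyword are left untouched and surface as a finding in the check below.
  sed -i -E '/^[[:space:]]*#/!{/[[:space:]]nfs4?[[:space:]]/{/nosuid/!s/defaults/defaults,nosuid/;};}' "$fstab_file"
  mount -o remount -a
  # A finding if any NFS entry still lacks nosuid.
  if grep -E "$nfs_entry_re" "$fstab_file" | grep -qv 'nosuid'; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to configure /etc/fstab to use the nosuid option for NFS file systems. This is a finding."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Configured /etc/fstab to use the nosuid option for NFS file systems."
  fi
}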
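#######################################
# Add the noexec mount option to NFS entries in /etc/fstab and log the result.
# Fixes two defects of the earlier version: the verification piped "grep -q"
# into a second grep (grep -q prints nothing, so it always reported a finding),
# and re-running produced "defaults,noexec,noexec" because noexec was appended
# unconditionally.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
configure_fstab_noexec_nfs() {
  local function_name="configure_fstab_noexec_nfs"
  local vuln_id="V-261282"
  local rule_id="SV-261282r996328"
  local fstab_file="/etc/fstab"
  # Uncommented entries whose filesystem-type field is nfs or nfs4; a bare
  # "nfs" substring match also hit comments and unrelated paths.
  local nfs_entry_re='^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+[^[:space:]]+[[:space:]]+nfs4?[[:space:]]'
  if ! grep -Eq "$nfs_entry_re" "$fstab_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "No NFS file systems found in /etc/fstab."
    return 0
  fi
  # Append noexec only where it is missing. Entries without a "defaults"
  # keyword are left untouched and surface as a finding in the check below.
  sed -i -E '/^[[:space:]]*#/!{/[[:space:]]nfs4?[[:space:]]/{/noexec/!s/defaults/defaults,noexec/;};}' "$fstab_file"
  mount -o remount -a
  # A finding if any NFS entry still lacks noexec.
  if grep -E "$nfs_entry_re" "$fstab_file" | grep -qv 'noexec'; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to configure /etc/fstab to use the noexec option for NFS file systems. This is a finding."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Configured /etc/fstab to use the noexec option for NFS file systems."
  fi
}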
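#######################################
# Add the nosuid mount option to /etc/fstab entries for removable media
# (identified, as before, by the word "removable" on the line) and log.
# Fixes two defects of the earlier version: the verification piped "grep -q"
# into a second grep (grep -q prints nothing, so it always reported a finding),
# and re-running produced "defaults,nosuid,nosuid" because nosuid was appended
# unconditionally. Comment lines are now skipped.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
configure_fstab_nosuid_removable_media() {
  local function_name="configure_fstab_nosuid_removable_media"
  local vuln_id="V-261283"
  local rule_id="SV-261283r996330"
  local fstab_file="/etc/fstab"
  # Uncommented lines that mention removable media.
  local removable_entry_re='^[[:space:]]*[^#].*removable'
  if ! grep -Eq "$removable_entry_re" "$fstab_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "No removable media file systems found in /etc/fstab."
    return 0
  fi
  # Append nosuid only where it is missing. Entries without a "defaults"
  # keyword are left untouched and surface as a finding in the check below.
  sed -i -E '/^[[:space:]]*#/!{/removable/{/nosuid/!s/defaults/defaults,nosuid/;};}' "$fstab_file"
  mount -o remount -a
  # A finding if any removable-media entry still lacks nosuid.
  if grep -E "$removable_entry_re" "$fstab_file" | grep -qv 'nosuid'; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to configure /etc/fstab to use the nosuid option for removable media file systems. This is a finding."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Configured /etc/fstab to use the nosuid option for removable media file systems."
  fi
}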
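#######################################
# Add the nosuid mount option to the /etc/fstab entry whose mount point is
# /home, remount it, and log the result.
# Fixes two defects of the earlier version: the verification piped "grep -q"
# into a second grep (grep -q prints nothing, so it always reported a finding),
# and re-running produced "defaults,nosuid,nosuid" because nosuid was appended
# unconditionally. The match is now on the mount-point field, so comments and
# paths such as /home2 or /var/home no longer count.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
configure_fstab_nosuid_home() {
  local function_name="configure_fstab_nosuid_home"
  local vuln_id="V-261285"
  local rule_id="SV-261285r996838"
  local fstab_file="/etc/fstab"
  # Uncommented entries whose second (mount point) field is exactly /home.
  local home_entry_re='^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+/home[[:space:]]'
  if ! grep -Eq "$home_entry_re" "$fstab_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "No user home directories found in /etc/fstab."
    return 0
  fi
  # Append nosuid only where it is missing. An entry without a "defaults"
  # keyword is left untouched and surfaces as a finding in the check below.
  sed -i -E '/^[[:space:]]*#/!{/[[:space:]]\/home[[:space:]]/{/nosuid/!s/defaults/defaults,nosuid/;};}' "$fstab_file"
  mount -o remount /home
  # A finding if the /home entry still lacks nosuid.
  if grep -E "$home_entry_re" "$fstab_file" | grep -qv 'nosuid'; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to configure /etc/fstab to use the nosuid option for user home directories. This is a finding."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Configured /etc/fstab to use the nosuid option for user home directories."
  fi
}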
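#######################################
# Stop and disable the autofs service and log each step.
# A host without the autofs unit has nothing to stop; the earlier version
# treated the failed "systemctl stop" on such a host as a finding.
# Arguments: none
# Outputs:   result lines via log_message
#######################################
disable_automount() {
  local function_name="disable_automount"
  local vuln_id="V-261286"
  local rule_id="SV-261286r996338"
  # list-unit-files with a pattern prints only matching unit files (plus a
  # header), so an empty match means the service is not installed.
  if ! systemctl list-unit-files autofs.service 2>/dev/null | grep -q '^autofs\.service'; then
    log_message "$function_name" "$vuln_id" "$rule_id" "autofs service is not installed; nothing to disable."
    return 0
  fi
  if ! systemctl stop autofs; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to stop autofs service. This is a finding."
    return 0
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "autofs service stopped successfully."
  if systemctl disable autofs; then
    log_message "$function_name" "$vuln_id" "$rule_id" "autofs service disabled successfully."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable autofs service. This is a finding."
  fi
}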
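#######################################
# Remove group/other write permission from system command files (mode 755)
# and log the result.
# The earlier version ran two find commands and checked $? of the second only,
# so failures in /usr/local were never reported; the result is now verified by
# re-scanning all directories for files that are still group/other writable.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_system_commands() {
  local function_name="protect_system_commands"
  local vuln_id="V-261287 & V-261288"
  local rule_id="SV-261287r996341 & SV-261288r996344"
  local command_dirs=(/usr/local/bin /usr/local/sbin /bin /sbin /usr/bin /usr/sbin)
  local remaining
  # -L follows symlinked directories (e.g. /bin -> /usr/bin on merged-usr
  # systems); "+" batches the chmod calls instead of one exec per file.
  find -L "${command_dirs[@]}" -perm /022 -type f -exec chmod 755 '{}' +
  remaining=$(find -L "${command_dirs[@]}" -perm /022 -type f 2>/dev/null)
  if [[ -z "$remaining" ]]; then
    log_message "$function_name" "$vuln_id" "$rule_id" "System commands have been protected from unauthorized access."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to protect system commands from unauthorized access. This is a finding."
  fi
}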
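#######################################
# Remove group/other write permission from shared library files (mode 755)
# and log the result.
# With "-exec ... \;" find's exit status does not reflect a failed chmod, so
# the result is verified by re-scanning for files that are still group/other
# writable, the same way set_log_files_permissions does.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_library_files() {
  local function_name="protect_library_files"
  local vuln_id="V-261289 & V-261290"
  local rule_id="SV-261289r996347 & SV-261290r996350"
  local lib_dirs=(/lib /lib64 /usr/lib /usr/lib64)
  local remaining
  find "${lib_dirs[@]}" -perm /022 -type f -exec chmod 755 '{}' +
  remaining=$(find "${lib_dirs[@]}" -perm /022 -type f 2>/dev/null)
  if [[ -z "$remaining" ]]; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Library files have been protected from unauthorized access."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to protect library files from unauthorized access. This is a finding."
  fi
}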
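#######################################
# Set mode 750 on the home directory of every local interactive user
# (uid >= 1000 with a login shell, per /etc/passwd) and log each result.
# Home paths are read one per line; the earlier for-loop word-split the awk
# output, so a path containing whitespace became several bogus paths.
# Arguments: none
# Outputs:   one result line per user via log_message
#######################################
change_home_directory_permissions() {
  local function_name="change_home_directory_permissions"
  local vuln_id="V-261291"
  local rule_id="SV-261291r996352"
  local home_dir mode
  while IFS= read -r home_dir; do
    [[ -n "$home_dir" ]] || continue
    if [[ ! -d "$home_dir" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Home directory $home_dir does not exist. This is a finding."
      continue
    fi
    chmod 750 -- "$home_dir"
    mode=$(stat -c "%a" "$home_dir")
    if [[ "$mode" == "750" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Changed permissions of $home_dir to 750."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change permissions of $home_dir to 750. This is a finding."
    fi
  done < <(awk -F: '($3 >= 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false") {print $6}' /etc/passwd)
}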
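#######################################
# Set mode 740 on every dotfile directly inside each local interactive user's
# home directory and log each result.
# Home paths are read one per line and dotfile names NUL-delimited; the earlier
# for-loops word-split (and glob-expanded) both lists, so names containing
# whitespace or glob characters were mishandled.
# Arguments: none
# Outputs:   one result line per file via log_message
#######################################
set_init_file_permissions() {
  local function_name="set_init_file_permissions"
  local vuln_id="V-261292"
  local rule_id="SV-261292r996354"
  local home_dir init_file mode
  while IFS= read -r home_dir; do
    [[ -n "$home_dir" ]] || continue
    if [[ ! -d "$home_dir" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Home directory $home_dir does not exist. This is a finding."
      continue
    fi
    while IFS= read -r -d '' init_file; do
      chmod 740 -- "$init_file"
      mode=$(stat -c "%a" "$init_file")
      if [[ "$mode" == "740" ]]; then
        log_message "$function_name" "$vuln_id" "$rule_id" "Changed permissions of $init_file to 740."
      else
        log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change permissions of $init_file to 740. This is a finding."
      fi
    done < <(find "$home_dir" -maxdepth 1 -name ".*" -type f -print0)
  done < <(awk -F: '($3 >= 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false") {print $6}' /etc/passwd)
}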
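#######################################
# Set mode 644 on every SSH host public key under /etc/ssh and log each result.
# File names are passed NUL-delimited from find instead of being word-split
# from an unquoted variable (which also glob-expanded them).
# Arguments: none
# Outputs:   one result line per key file via log_message
#######################################
set_ssh_public_key_permissions() {
  local function_name="set_ssh_public_key_permissions"
  local vuln_id="V-261293"
  local rule_id="SV-261293r996357"
  local key_file mode
  while IFS= read -r -d '' key_file; do
    chmod 644 -- "$key_file"
    mode=$(stat -c "%a" "$key_file")
    if [[ "$mode" == "644" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Changed permissions of $key_file to 644."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change permissions of $key_file to 644. This is a finding."
    fi
  done < <(find /etc/ssh -type f -name "ssh_host*key.pub" -print0)
}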
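#######################################
# Set mode 640 on every SSH host private key under /etc/ssh and log each result.
# File names are passed NUL-delimited from find instead of being word-split
# from an unquoted variable (which also glob-expanded them).
# Arguments: none
# Outputs:   one result line per key file via log_message
#######################################
set_ssh_private_key_permissions() {
  local function_name="set_ssh_private_key_permissions"
  local vuln_id="V-261294"
  local rule_id="SV-261294r996359"
  local key_file mode
  while IFS= read -r -d '' key_file; do
    chmod 640 -- "$key_file"
    mode=$(stat -c "%a" "$key_file")
    if [[ "$mode" == "640" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Changed permissions of $key_file to 640."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change permissions of $key_file to 640. This is a finding."
    fi
  done < <(find /etc/ssh -type f -name "ssh_host*key" ! -name "*.pub" -print0)
}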
#######################################
# Make root the owner of every library file not already owned by root and log.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_library_files_ownership() {
  local function_name="protect_library_files_ownership"
  local vuln_id="V-261295"
  local rule_id="SV-261295r996362"
  local outcome="Library files ownership set to root successfully."
  # A non-zero exit status from find is reported as a finding.
  find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \; \
    || outcome="Failed to set library files ownership to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Put every library file not already in group root into group root and log.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_library_files_group() {
  local function_name="protect_library_files_group"
  local vuln_id="V-261296"
  local rule_id="SV-261296r996365"
  local outcome="Library files group set to root successfully."
  # A non-zero exit status from find is reported as a finding.
  find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \; \
    || outcome="Failed to set library files group to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Make root the owner of every library directory not already owned by root and log.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_library_dirs_ownership() {
  local function_name="protect_library_dirs_ownership"
  local vuln_id="V-261297"
  local rule_id="SV-261297r996368"
  local outcome="Library directories ownership set to root successfully."
  # A non-zero exit status from find is reported as a finding.
  find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \; \
    || outcome="Failed to set library directories ownership to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Put every library directory not already in group root into group root and log.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_library_dirs_group() {
  local function_name="protect_library_dirs_group"
  local vuln_id="V-261298"
  local rule_id="SV-261298r996371"
  local outcome="Library directories group set to root successfully."
  # A non-zero exit status from find is reported as a finding.
  find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \; \
    || outcome="Failed to set library directories group to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Make root the owner of every system command file not already owned by root
# and log the result.
# NOTE(review): two vulnerability ids are listed but only the user owner is
# corrected; if V-261300 is the group-ownership rule for command files (the
# directory rules V-261301/V-261302 are split that way below), a matching
# "! -group root ... chgrp root" pass is missing -- confirm against the STIG.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_system_commands_ownership() {
  local function_name="protect_system_commands_ownership"
  local vuln_id="V-261299 & V-261300"
  local rule_id="SV-261299r996373 & SV-261300r996375"
  local outcome="System commands ownership set to root successfully."
  # -L follows symlinked directories; a non-zero exit status from find is a finding.
  find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \; \
    || outcome="Failed to set system commands ownership to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Make root the owner of every system command directory not already owned by
# root and log the result.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_system_commands_directory_ownership() {
  local function_name="protect_system_commands_directory_ownership"
  local vuln_id="V-261301"
  local rule_id="SV-261301r996377"
  local outcome="System commands directories ownership set to root successfully."
  # -L follows symlinked directories; a non-zero exit status from find is a finding.
  find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type d -exec chown root '{}' \; \
    || outcome="Failed to set system commands directories ownership to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Put every system command directory not already in group root into group
# root and log the result.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
protect_system_commands_directory_group() {
  local function_name="protect_system_commands_directory_group"
  local vuln_id="V-261302"
  local rule_id="SV-261302r996380"
  local outcome="System commands directories group set to root successfully."
  # -L follows symlinked directories; a non-zero exit status from find is a finding.
  find -L /bin /sbin /usr/bin /usr/sbin ! -group root -type d -exec chgrp root '{}' \; \
    || outcome="Failed to set system commands directories group to root. This is a finding."
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
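#######################################
# Give every file or directory with no valid owner to root and log each result.
# Paths are read NUL-delimited: the earlier for-loop word-split the find output,
# so a name containing whitespace was chown'ed as several separate paths, none
# of which the scan had selected. Errors from find (e.g. unreadable pseudo
# filesystems under /proc) are silenced as in the sibling ungrouped-files check.
# Arguments: none
# Outputs:   one result line per path via log_message
#######################################
assign_valid_user_to_unowned_files() {
  local function_name="assign_valid_user_to_unowned_files"
  local vuln_id="V-261303"
  local rule_id="SV-261303r996382"
  local file owner
  while IFS= read -r -d '' file; do
    chown root -- "$file"
    owner=$(stat -c "%U" "$file")
    if [[ "$owner" == "root" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Assigned root as owner to $file."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to assign owner to $file. This is a finding."
    fi
  done < <(find / -nouser -print0 2>/dev/null)
}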
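#######################################
# Put every file or directory with no valid group into group root and log each
# result. Paths are read NUL-delimited: the earlier for-loop word-split the
# find output, so a name containing whitespace was chgrp'ed as several separate
# paths, none of which the scan had selected.
# Arguments: none
# Outputs:   one result line per path via log_message
#######################################
assign_valid_group_to_ungrouped_files() {
  local function_name="assign_valid_group_to_ungrouped_files"
  local vuln_id="V-261304"
  local rule_id="SV-261304r996384"
  local file group
  while IFS= read -r -d '' file; do
    chgrp root -- "$file"
    group=$(stat -c "%G" "$file")
    if [[ "$group" == "root" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Assigned root as group to $file."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to assign group to $file. This is a finding."
    fi
  done < <(find / -nogroup -print0 2>/dev/null)
}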
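#######################################
# Set the group of each local interactive user's home directory to that user's
# primary group and log each result.
# Each "user:home" pair is read on its own line; the earlier for-loop
# word-split the awk output, so a home path containing whitespace was broken
# into several bogus entries.
# Arguments: none
# Outputs:   one result line per user via log_message
#######################################
change_home_directory_group() {
  local function_name="change_home_directory_group"
  local vuln_id="V-261305"
  local rule_id="SV-261305r996387"
  local user home_dir group current_group
  while IFS=: read -r user home_dir; do
    [[ -n "$user" ]] || continue
    group=$(id -gn "$user")
    if [[ ! -d "$home_dir" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Home directory $home_dir does not exist. This is a finding."
      continue
    fi
    chgrp -- "$group" "$home_dir"
    current_group=$(stat -c "%G" "$home_dir")
    if [[ "$current_group" == "$group" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Changed group of $home_dir to $group."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change group of $home_dir to $group. This is a finding."
    fi
  done < <(awk -F: '($3 >= 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false") {print $1 ":" $6}' /etc/passwd)
}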
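#######################################
# Set group root on every world-writable directory and log each result.
# Paths are read NUL-delimited. The earlier for-loop word-split the find
# output, so a world-writable directory whose name contained whitespace (which
# any local user can create) was handled as several separate paths, and chgrp
# then ran as root on paths the scan had never selected.
# Arguments: none
# Outputs:   one result line per directory via log_message
#######################################
change_group_of_world_writable_directories() {
  local function_name="change_group_of_world_writable_directories"
  local vuln_id="V-261306"
  local rule_id="SV-261306r996389"
  local dir group
  while IFS= read -r -d '' dir; do
    chgrp root -- "$dir"
    group=$(stat -c "%G" "$dir")
    if [[ "$group" == "root" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Changed group of $dir to root."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to change group of $dir to root. This is a finding."
    fi
  done < <(find / -type d -perm -002 -print0 2>/dev/null)
}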
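#######################################
# Set the sticky bit on every world-writable directory and log each result.
# Two fixes over the earlier version: paths are read NUL-delimited (the
# for-loop word-split the find output, so a directory name containing
# whitespace -- which any local user can create -- made chmod run as root on
# paths the scan had never selected), and only the sticky bit is added:
# "chmod 1777" also granted group/other write on directories that were
# world-writable but not 777, widening permissions instead of tightening them.
# Arguments: none
# Outputs:   one result line per directory via log_message
#######################################
set_sticky_bit_on_world_writable_directories() {
  local function_name="set_sticky_bit_on_world_writable_directories"
  local vuln_id="V-261307"
  local rule_id="SV-261307r996392"
  local dir
  while IFS= read -r -d '' dir; do
    chmod +t -- "$dir"
    # [[ -k ]] is true when the sticky bit is set.
    if [[ -k "$dir" ]]; then
      log_message "$function_name" "$vuln_id" "$rule_id" "Set sticky bit on $dir."
    else
      log_message "$function_name" "$vuln_id" "$rule_id" "Failed to set sticky bit on $dir. This is a finding."
    fi
  done < <(find / -type d -perm -002 -print0 2>/dev/null)
}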
#######################################
# Register /var/log/messages as root:root 640 in /etc/permissions.local, apply
# it with chkstat, and log whether the file now has that owner and mode.
# Arguments: none
# Outputs:   one result line via log_message; tee output on stdout
#######################################
prevent_unauthorized_access_to_error_messages() {
  local function_name="prevent_unauthorized_access_to_error_messages"
  local vuln_id="V-261308"
  local rule_id="SV-261308r996395"
  local log_file="/var/log/messages"
  local perm_entry="/var/log/messages root:root 640"
  local outcome
  # Drop any earlier entry for the file so the profile holds exactly one.
  sed -i '/\/var\/log\/messages/d' /etc/permissions.local
  echo "$perm_entry" | tee -a /etc/permissions.local
  chkstat --set --system
  if [[ "$(stat -c "%a" "$log_file")" == "640" && "$(stat -c "%U:%G" "$log_file")" == "root:root" ]]; then
    outcome="Set permissions of /var/log/messages to root:root 640."
  else
    outcome="Failed to set permissions of /var/log/messages to root:root 640. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
#######################################
# Set mode 640 on log files under /var/log that have any execute bit or any
# group/other write bit (-perm /137), excluding the *tmp and lastlog databases,
# then log whether any such file remains.
# Arguments: none
# Outputs:   one result line via log_message
#######################################
set_log_files_permissions() {
  local function_name="set_log_files_permissions"
  local vuln_id="V-261309"
  local rule_id="SV-261309r996398"
  # Same selection for the fix and for the re-check.
  local selector=(/var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f)
  local outcome
  find "${selector[@]}" -exec chmod 640 '{}' \;
  if [[ -n "$(find "${selector[@]}")" ]]; then
    outcome="Failed to set permissions of some log files under /var/log. This is a finding."
  else
    outcome="Set permissions of all log files under /var/log to 640."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
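#######################################
# Enable and start firewalld, then switch it to panic mode, logging each step.
# The earlier version logged "Firewall set to panic mode." without checking
# whether --panic-on had succeeded; the state is now queried before logging.
# Arguments: none
# Outputs:   result lines via log_message
#######################################
configure_firewalld_and_panic_mode() {
  local function_name="configure_firewalld_and_panic_mode"
  local vuln_id="V-261310"
  local rule_id="SV-261310r996401"
  if ! systemctl enable firewalld.service --now; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to enable and start firewalld.service. This is a finding."
    return 0
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "firewalld.service enabled and started successfully."
  # Panic mode drops all inbound and outbound traffic on every interface,
  # including any remote session this script is running in; it is reverted
  # with "firewall-cmd --panic-off", which then needs local console access.
  firewall-cmd --panic-on
  if firewall-cmd --query-panic; then
    log_message "$function_name" "$vuln_id" "$rule_id" "Firewall set to panic mode."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to set firewall panic mode. This is a finding."
  fi
}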
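#######################################
# Add a "server <host> maxpoll 16" line for the authoritative DOD time source
# to /etc/chrony.conf, restart chronyd, and log the result.
# The earlier version wrote the literal placeholder "<time_source>" into
# chrony.conf when the script had not been edited, leaving chronyd with an
# invalid server line; that case is now reported as a finding instead.
# Arguments: none
# Outputs:   one result line via log_message; tee output on stdout
#######################################
configure_clock_synchronization() {
  local function_name="configure_clock_synchronization"
  local vuln_id="V-261311"
  local rule_id="SV-261311r996404"
  local chrony_conf_file="/etc/chrony.conf"
  local time_source="<time_source>" # Replace with the actual authoritative DOD time source
  local server_line="server $time_source maxpoll 16"
  if [[ -z "$time_source" || "$time_source" == "<time_source>" ]]; then
    log_message "$function_name" "$vuln_id" "$rule_id" "No authoritative DOD time source is set in this script; edit time_source before running. This is a finding."
    return 0
  fi
  # -F: the server line is a literal string, not a regular expression.
  if grep -qF "$server_line" "$chrony_conf_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "System clock already configured to synchronize with $time_source."
    return 0
  fi
  echo "$server_line" | tee -a "$chrony_conf_file"
  systemctl restart chronyd
  if grep -qF "$server_line" "$chrony_conf_file"; then
    log_message "$function_name" "$vuln_id" "$rule_id" "System clock configured to synchronize with $time_source successfully."
  else
    log_message "$function_name" "$vuln_id" "$rule_id" "Failed to configure system clock synchronization. This is a finding."
  fi
}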
#######################################
# Clear promiscuous mode on each network interface reported by "ip link"
# (skipping lo, vir*, wl* and non-interface lines) and log each result.
# Arguments: none
# Outputs:   one result line per interface via log_message
#######################################
turn_off_promiscuous_mode() {
  local function_name="turn_off_promiscuous_mode"
  local vuln_id="V-261312"
  local rule_id="SV-261312r996406"
  local iface outcome
  # Interface names cannot contain whitespace, so word-splitting the awk output is safe here.
  for iface in $(ip link show | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}'); do
    ip link set dev "$iface" promisc off
    # Re-read the flags rather than trusting the set command's status.
    if ip link show "$iface" | grep -q "PROMISC"; then
      outcome="Failed to turn off promiscuous mode for $iface. This is a finding."
    else
      outcome="Promiscuous mode turned off for $iface."
    fi
    log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
  done
}
#######################################
# Set net.ipv4.conf.all.accept_source_route=0 on the running kernel, persist
# it in /etc/sysctl.d/99-stig.conf, and log the result.
# Arguments: none
# Outputs:   one result line via log_message; tee/sysctl output on stdout
#######################################
disable_ipv4_source_routing() {
  local function_name="disable_ipv4_source_routing"
  local vuln_id="V-261313"
  local rule_id="SV-261313r996409"
  local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
  local kernel_param="net.ipv4.conf.all.accept_source_route=0"
  local outcome
  # Apply to the running kernel first, then make it survive a reboot.
  sysctl -w net.ipv4.conf.all.accept_source_route=0
  if grep -q "^net.ipv4.conf.all.accept_source_route" "$sysctl_conf_file"; then
    sed -i 's/^net.ipv4.conf.all.accept_source_route.*/'"$kernel_param"'/' "$sysctl_conf_file"
  else
    echo "$kernel_param" | tee -a "$sysctl_conf_file"
  fi
  sysctl --system
  if [[ "$(sysctl -n net.ipv4.conf.all.accept_source_route)" -eq 0 ]]; then
    outcome="IPv4 source routing has been disabled successfully."
  else
    outcome="Failed to disable IPv4 source routing. This is a finding."
  fi
  log_message "$function_name" "$vuln_id" "$rule_id" "$outcome"
}
# Function to disable IPv4 default source routing
disable_ipv4_default_source_routing() {
local function_name="disable_ipv4_default_source_routing"
local vuln_id="V-261314"
local rule_id="SV-261314r996412"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.conf.default.accept_source_route=0"
sysctl -w net.ipv4.conf.default.accept_source_route=0
if grep -q "^net.ipv4.conf.default.accept_source_route" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.conf.default.accept_source_route.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.conf.default.accept_source_route)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 default source routing has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 default source routing. This is a finding."
fi
}
# Function to configure SLEM 5 to not accept IPv4 ICMP redirect messages
disable_ipv4_icmp_redirects_all() {
local function_name="disable_ipv4_icmp_redirects_all"
local vuln_id="V-261315"
local rule_id="SV-261315r996415"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.conf.all.accept_redirects=0"
sysctl -w net.ipv4.conf.all.accept_redirects=0
if grep -q "^net.ipv4.conf.all.accept_redirects" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.conf.all.accept_redirects.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.conf.all.accept_redirects)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 ICMP redirects acceptance has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 ICMP redirects acceptance. This is a finding."
fi
}
# Function to configure SLEM 5 to not accept IPv4 ICMP redirect messages by default
disable_ipv4_icmp_redirects_default() {
local function_name="disable_ipv4_icmp_redirects_default"
local vuln_id="V-261316"
local rule_id="SV-261316r996418"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.conf.default.accept_redirects=0"
sysctl -w net.ipv4.conf.default.accept_redirects=0
if grep -q "^net.ipv4.conf.default.accept_redirects" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.conf.default.accept_redirects.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.conf.default.accept_redirects)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 ICMP redirects acceptance by default has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 ICMP redirects acceptance by default. This is a finding."
fi
}
# Function to configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects
disable_ipv4_icmp_send_redirects_all() {
local function_name="disable_ipv4_icmp_send_redirects_all"
local vuln_id="V-261317"
local rule_id="SV-261317r996421"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.conf.all.send_redirects=0"
sysctl -w net.ipv4.conf.all.send_redirects=0
if grep -q "^net.ipv4.conf.all.send_redirects" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.conf.all.send_redirects.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.conf.all.send_redirects)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 ICMP redirects sending has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 ICMP redirects sending. This is a finding."
fi
}
# Function to configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by default
disable_ipv4_icmp_send_redirects_default() {
local function_name="disable_ipv4_icmp_send_redirects_default"
local vuln_id="V-261318"
local rule_id="SV-261318r996424"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.conf.default.send_redirects=0"
sysctl -w net.ipv4.conf.default.send_redirects=0
if grep -q "^net.ipv4.conf.default.send_redirects" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.conf.default.send_redirects.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.conf.default.send_redirects)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 ICMP redirects sending by default has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 ICMP redirects sending by default. This is a finding."
fi
}
# Function to configure SLEM 5 to not perform IPv4 packet forwarding
disable_ipv4_packet_forwarding() {
local function_name="disable_ipv4_packet_forwarding"
local vuln_id="V-261319"
local rule_id="SV-261319r996427"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.ip_forward=0"
sysctl -w net.ipv4.ip_forward=0
if grep -q "^net.ipv4.ip_forward" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.ip_forward.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi
sysctl --system
local param_value
param_value=$(sysctl -n net.ipv4.ip_forward)
if [[ "$param_value" -eq 0 ]]; then
log_message "$function_name" "$vuln_id" "$rule_id" "IPv4 packet forwarding has been disabled successfully."
else
log_message "$function_name" "$vuln_id" "$rule_id" "Failed to disable IPv4 packet forwarding. This is a finding."
fi
}
# Function to configure SLEM 5 to use IPv4 TCP syncookies
configure_tcp_syncookies() {
local function_name="configure_tcp_syncookies"
local vuln_id="V-261320"
local rule_id="SV-261320r996861"
local sysctl_conf_file="/etc/sysctl.d/99-stig.conf"
local kernel_param="net.ipv4.tcp_syncookies=1"
sysctl -w net.ipv4.tcp_syncookies=1
if grep -q "^net.ipv4.tcp_syncookies" "$sysctl_conf_file"; then
sed -i 's/^net.ipv4.tcp_syncookies.*/'"$kernel_param"'/' "$sysctl_conf_file"
else
echo "$kernel_param" | tee -a "$sysctl_conf_file"
fi