>From d43b1d02d295afdbf954af076668843845ae4325 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Sat, 1 Jun 2013 17:15:22 -0400 Subject: [PATCH 0/4] Remediation Templates Some quick code demonstrating how to make remediation templates Shawn Wells (4): Added bash templates directory, added sample sysctl script - Makefile based off OVAL, same usage - CVS files point to OVAL dir, no need to duplicate (at some point, we should combine oval/bash template dirs) - Added sample sysctl script Added sysctl remediation scripts - Updated template to reflect proper naming of sysctl scripts Created remediation template: create_services_disabled.py - Based off OVAL services file Created service_*_disabled remediation scripts - Generated from template RHEL6/input/fixes/bash/service_abrtd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_acpid_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_atd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_autofs_disabled.sh | 9 ++++ .../fixes/bash/service_avahi-daemon_disabled.sh | 9 ++++ .../input/fixes/bash/service_bluetooth_disabled.sh | 9 ++++ .../fixes/bash/service_certmonger_disabled.sh | 9 ++++ .../input/fixes/bash/service_cgconfig_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_cgred_disabled.sh | 9 ++++ .../input/fixes/bash/service_cpuspeed_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_cups_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_dhcpd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_dovecot_disabled.sh | 9 ++++ .../input/fixes/bash/service_haldaemon_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_httpd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_kdump_disabled.sh | 9 ++++ .../input/fixes/bash/service_mdmonitor_disabled.sh | 9 ++++ .../fixes/bash/service_messagebus_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_named_disabled.sh | 9 ++++ .../fixes/bash/service_netconsole_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_netfs_disabled.sh | 9 ++++ 
RHEL6/input/fixes/bash/service_nfs_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_nfslock_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_oddjobd_disabled.sh | 9 ++++ .../fixes/bash/service_portreserve_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_qpidd_disabled.sh | 9 ++++ .../input/fixes/bash/service_quota_nld_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_rdisc_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_rhnsd_disabled.sh | 9 ++++ .../input/fixes/bash/service_rhsmcertd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_rpcgssd_disabled.sh | 9 ++++ .../input/fixes/bash/service_rpcidmapd_disabled.sh | 9 ++++ .../fixes/bash/service_rpcsvcgssd_disabled.sh | 9 ++++ .../input/fixes/bash/service_saslauthd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_smartd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_smb_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_snmpd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_squid_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_sshd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_sysstat_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_tftp_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_vsftpd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_xinetd_disabled.sh | 9 ++++ RHEL6/input/fixes/bash/service_ypbind_disabled.sh | 9 ++++ .../fixes/bash/set_sysctl_kernel_exec_shield.sh | 16 +++++++ .../bash/set_sysctl_kernel_randomize_va_space.sh | 16 +++++++ ...et_sysctl_net_ipv4_conf_all_accept_redirects.sh | 16 +++++++ ...sysctl_net_ipv4_conf_all_accept_source_route.sh | 16 +++++++ .../set_sysctl_net_ipv4_conf_all_log_martians.sh | 16 +++++++ .../bash/set_sysctl_net_ipv4_conf_all_rp_filter.sh | 16 +++++++ ...et_sysctl_net_ipv4_conf_all_secure_redirects.sh | 16 +++++++ .../set_sysctl_net_ipv4_conf_all_send_redirects.sh | 16 +++++++ ...ysctl_net_ipv4_conf_default_accept_redirects.sh | 16 +++++++ ...tl_net_ipv4_conf_default_accept_source_route.sh | 16 +++++++ 
.../set_sysctl_net_ipv4_conf_default_rp_filter.sh | 16 +++++++ ...ysctl_net_ipv4_conf_default_secure_redirects.sh | 16 +++++++ ..._sysctl_net_ipv4_conf_default_send_redirects.sh | 16 +++++++ ..._sysctl_net_ipv4_icmp_echo_ignore_broadcasts.sh | 16 +++++++ ...l_net_ipv4_icmp_ignore_bogus_error_responses.sh | 16 +++++++ .../fixes/bash/set_sysctl_net_ipv4_ip_forward.sh | 16 +++++++ .../bash/set_sysctl_net_ipv4_tcp_syncookies.sh | 16 +++++++ RHEL6/input/fixes/bash/templates/Makefile | 16 +++++++ .../bash/templates/create_services_disabled.py | 45 ++++++++++++++++++++ .../fixes/bash/templates/create_sysctl_bash.py | 35 +++++++++++++++ RHEL6/input/fixes/bash/templates/output/.gitignore | 2 + .../fixes/bash/templates/template_service_disabled | 9 ++++ RHEL6/input/fixes/bash/templates/template_sysctl | 16 +++++++ 67 files changed, 791 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/fixes/bash/service_abrtd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_acpid_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_atd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_autofs_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_avahi-daemon_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_bluetooth_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_certmonger_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_cgconfig_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_cgred_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_cpuspeed_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_cups_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_dhcpd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_dovecot_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_haldaemon_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_httpd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_kdump_disabled.sh create mode 
100644 RHEL6/input/fixes/bash/service_mdmonitor_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_messagebus_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_named_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_netconsole_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_netfs_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_nfs_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_nfslock_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_oddjobd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_portreserve_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_qpidd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_quota_nld_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rdisc_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rhnsd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rhsmcertd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rpcgssd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rpcidmapd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_rpcsvcgssd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_saslauthd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_smartd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_smb_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_snmpd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_squid_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_sshd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_sysstat_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_tftp_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_vsftpd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_xinetd_disabled.sh create mode 100644 RHEL6/input/fixes/bash/service_ypbind_disabled.sh create mode 100644 
RHEL6/input/fixes/bash/set_sysctl_kernel_exec_shield.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_kernel_randomize_va_space.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_accept_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_accept_source_route.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_log_martians.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_rp_filter.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_secure_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_all_send_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_default_accept_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_default_accept_source_route.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_default_rp_filter.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_default_secure_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_conf_default_send_redirects.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_ip_forward.sh create mode 100644 RHEL6/input/fixes/bash/set_sysctl_net_ipv4_tcp_syncookies.sh create mode 100644 RHEL6/input/fixes/bash/templates/Makefile create mode 100755 RHEL6/input/fixes/bash/templates/create_services_disabled.py create mode 100755 RHEL6/input/fixes/bash/templates/create_sysctl_bash.py create mode 100644 RHEL6/input/fixes/bash/templates/output/.gitignore create mode 100644 RHEL6/input/fixes/bash/templates/template_service_disabled create mode 100644 RHEL6/input/fixes/bash/templates/template_sysctl