From: Rui Bernardino rui-p-bernardino@telecom.pt
Signed-off-by: Rui Bernardino rui-p-bernardino@telecom.pt --- Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 + .../fixes/bash/sshd_do_not_permit_user_env.sh | 1 + .../input/fixes/bash/sshd_enable_warning_banner.sh | 1 + .../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 + shared/fixes/bash/sshd_disable_rhosts.sh | 59 ++++++++++++++++++++ shared/fixes/bash/sshd_do_not_permit_user_env.sh | 59 ++++++++++++++++++++ shared/fixes/bash/sshd_enable_warning_banner.sh | 59 ++++++++++++++++++++ shared/fixes/bash/sshd_use_approved_ciphers.sh | 59 ++++++++++++++++++++ 8 files changed, 240 insertions(+), 0 deletions(-) create mode 120000 Fedora/input/fixes/bash/sshd_disable_rhosts.sh create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh create mode 120000 Fedora/input/fixes/bash/sshd_enable_warning_banner.sh create mode 120000 Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh
diff --git a/Fedora/input/fixes/bash/sshd_disable_rhosts.sh b/Fedora/input/fixes/bash/sshd_disable_rhosts.sh
new file mode 120000
index 0000000..94579fe
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_disable_rhosts.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_disable_rhosts.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh b/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
new file mode 120000
index 0000000..1e39646
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_do_not_permit_user_env.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh b/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
new file mode 120000
index 0000000..a7707eb
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_enable_warning_banner.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh b/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
new file mode 120000
index 0000000..dfec454
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_use_approved_ciphers.sh
\ No newline at end of file
diff --git a/shared/fixes/bash/sshd_disable_rhosts.sh b/shared/fixes/bash/sshd_disable_rhosts.sh
new file mode 100755
index 0000000..6b96186
--- /dev/null
+++ b/shared/fixes/bash/sshd_disable_rhosts.sh
@@ -0,0 +1,59 @@ +#!/bin/bash -x + +#SSHD_CONFIG='/etc/ssh/sshd_config' +SSHD_CONFIG='sshd_config' +TOKEN='IgnoreRhosts' +VALUE='yes' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive 
occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_do_not_permit_user_env.sh b/shared/fixes/bash/sshd_do_not_permit_user_env.sh new file mode 100755 index 0000000..2079622 --- /dev/null +++ b/shared/fixes/bash/sshd_do_not_permit_user_env.sh 
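Review bot: The FIRST_TOKEN lookup in this hunk cannot work as written: a sed address that uses a delimiter other than `/` must be spelled `\|regex|`, so `sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}"` is rejected as an unknown command, FIRST_TOKEN stays empty (the script has no `set -e`, so the error is only printed) and every run takes the "directive not present" branch, appending a duplicate `IgnoreRhosts yes` on each execution when no Match block exists; the fix is `FIRST_TOKEN=$(sed -n "\|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" "$SSHD_CONFIG")`. The two prepend branches have a second defect: `s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I` is a BRE where `(` and `)` are literal characters, so the pattern never matches a Match line and `\1` is an invalid back-reference that makes sed abort, leaving the file untouched whenever a Match block is present; use `sed -i -r "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" "$SSHD_CONFIG"` or escape the group as `\(`…`\)`. The shipped defaults also look like debug leftovers — `#!/bin/bash -x` traces every command to stderr, and `SSHD_CONFIG='sshd_config'` edits a file in the current directory instead of the commented-out `/etc/ssh/sshd_config`, so the remediation as committed never touches the real daemon configuration. The same four issues apply to the hunks for shared/fixes/bash/sshd_do_not_permit_user_env.sh, sshd_enable_warning_banner.sh and sshd_use_approved_ciphers.sh, which are copies of this script with different TOKEN/VALUE pairs.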
@@ -0,0 +1,59 @@ +#!/bin/bash -x + +#SSHD_CONFIG='/etc/ssh/sshd_config' +SSHD_CONFIG='sshd_config' +TOKEN='PermitUserEnvironment' +VALUE='no' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive 
occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_enable_warning_banner.sh b/shared/fixes/bash/sshd_enable_warning_banner.sh new file mode 100755 index 0000000..1444bc2 --- /dev/null +++ b/shared/fixes/bash/sshd_enable_warning_banner.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash -x + +#SSHD_CONFIG='/etc/ssh/sshd_config' +SSHD_CONFIG='sshd_config' +TOKEN='Banner' +VALUE='/etc/issue' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive 
occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_use_approved_ciphers.sh b/shared/fixes/bash/sshd_use_approved_ciphers.sh new file mode 100755 index 0000000..2e720be --- /dev/null +++ b/shared/fixes/bash/sshd_use_approved_ciphers.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash -x + +#SSHD_CONFIG='/etc/ssh/sshd_config' +SSHD_CONFIG='sshd_config' +TOKEN='Ciphers' +VALUE='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 
'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi -- 1.7.1
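Review bot: The Ciphers value in this hunk, `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc` alongside the CTR suites, keeps CBC-mode ciphers and the 64-bit-block 3DES in the "approved" list; CBC mode in SSH has a documented plaintext-recovery weakness and 3DES is widely deprecated, so a hardening remediation should prefer the CTR-only list `VALUE='aes128-ctr,aes192-ctr,aes256-ctr'` unless the profile explicitly requires CBC for legacy clients. A comment above the VALUE line naming the benchmark requirement the list is taken from (`# Cipher list per <benchmark-id placeholder>; CBC retained for legacy compatibility`) would let future reviewers reconcile changes against that source rather than guessing.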