[or-cvs] r20490: {} This is a collection of scripts for administration of centos (in projects: . misc-sysadmin)

ioerror at seul.org ioerror at seul.org
Sun Sep 6 23:56:11 UTC 2009 

Author: ioerror
Date: 2009-09-06 19:56:11 -0400 (Sun, 06 Sep 2009)
New Revision: 20490

Added:
   projects/misc-sysadmin/
   projects/misc-sysadmin/add-base-packages.sh
   projects/misc-sysadmin/add-tor-users.sh
   projects/misc-sysadmin/centos-inventory.sh
   projects/misc-sysadmin/harden-centos.sh
   projects/misc-sysadmin/prep-centos.sh
Log:
This is a collection of scripts for administration of centos machines.


Added: projects/misc-sysadmin/add-base-packages.sh
===================================================================
--- projects/misc-sysadmin/add-base-packages.sh	                        (rev 0)
+++ projects/misc-sysadmin/add-base-packages.sh	2009-09-06 23:56:11 UTC (rev 20490)
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# add-base-packages.sh by
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+
+if [ -f /tmp/add-base-packages ];
+then
+echo "Already packaged!"
+exit
+fi
+
+PACKAGES=logwatch.noarch screen logcheck
+yum -y install $PACKAGES
+# Make a list of all packages that will be removed
+# XXX TODO
+
+# Remove all non x86_64 packages
+yum -y remove *.i?86
+# Ensure they don't come back...
+echo 'exclude = *.i?86' >> /etc/yum.conf
+# Mark the kernel so that it does not ever update (vmware for the win)
+# XXX TODO
+
+touch /tmp/add-base-packages

Added: projects/misc-sysadmin/add-tor-users.sh
===================================================================
--- projects/misc-sysadmin/add-tor-users.sh	                        (rev 0)
+++ projects/misc-sysadmin/add-tor-users.sh	2009-09-06 23:56:11 UTC (rev 20490)
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# add-tor-users.sh by
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+if [ -f /tmp/add-tor-users ];
+then
+echo "Already added users!"
+exit
+fi
+
+USERS=arma ioerror mikeperry phobos
+for user in $USERS
+do
+	adduser $user
+done
+
+touch /tmp/add-tor-users

Added: projects/misc-sysadmin/centos-inventory.sh
===================================================================
--- projects/misc-sysadmin/centos-inventory.sh	                        (rev 0)
+++ projects/misc-sysadmin/centos-inventory.sh	2009-09-06 23:56:11 UTC (rev 20490)
@@ -0,0 +1,21 @@
+#!/bin/bash -x
+#
+# centos-inventory.sh by
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+
+if [ -f /tmp/centos-inventory ];
+then
+echo "Already inventoried!"
+exit
+fi
+
+HOSTNAME=`hostname`;
+mkdir /root/system-notes/
+yum list installed >> /root/system-notes/$HOSTNAME-centos-packages-installed.txt
+/sbin/ifconfig >> /root/system-notes/$HOSTNAME-network-information.txt
+uname -a >> /root/system-notes/$HOSTNAME-uname.txt
+
+touch /tmp/centos-inventory

Added: projects/misc-sysadmin/harden-centos.sh
===================================================================
--- projects/misc-sysadmin/harden-centos.sh	                        (rev 0)
+++ projects/misc-sysadmin/harden-centos.sh	2009-09-06 23:56:11 UTC (rev 20490)
@@ -0,0 +1,177 @@
+#!/bin/bash -x
+#
+# harden-centos.sh by
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+# Basically this automates the stuff I like from:
+# http://wiki.centos.org/HowTos/OS_Protection
+#
+# It also automates a few other things from other systems
+#
+
+if [ -f /tmp/harden-centos ]; then
+	echo "Already hardened!";
+	exit
+fi
+
+# Force passwords to expire
+echo "Passwords expire every 180 days"
+perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
+echo "Passwords may only be changed once a day"
+perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
+
+# We don't need no stinkin' MD5
+authconfig --passalgo=sha512 --update
+
+# Add a secure umask
+perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
+perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
+
+# Configure a reasonable timeout for bash users
+echo "Idle users will be removed after 15 minutes"
+echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
+echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
+chmod +x /etc/profile.d/os-security.sh
+
+# Remove wireless modules
+for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $i >> /etc/modprobe.d/blacklist-wireless ; done
+
+# Harden all services with TCP wrappers; allow ssh connections by default
+echo "ALL:ALL" >> /etc/hosts.deny
+echo "sshd:ALL" >> /etc/hosts.allow
+
+# Configure some sane default sysctls
+cat << 'EOF' > /etc/sysctl.conf
+#
+# This is a custom and semi-hardened sysctl.conf
+# by Jacob Appelbaum <jacob at appelbaum.net>
+#
+kernel.core_uses_pid = 1
+kernel.msgmax = 65536
+kernel.msgmnb = 65536
+kernel.printk = 4 4 1 7
+kernel.shmall = 4294967296
+kernel.shmmax = 68719476736
+kernel.sysrq = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.forwarding=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.ip_forward = 0
+net.ipv4.ip_local_port_range = 16384 65536
+net.ipv4.tcp_max_syn_backlog = 1280
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 0
+net.ipv6.conf.default.forwarding=0
+kernel.cap-bound = 0xFFFCFFFF
+EOF
+sysctl -p /etc/sysctl.conf
+echo
+
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config-default
+cat << 'EOF' > /etc/ssh/sshd_config
+# This is a hardened configuration for OpenSSH
+#
+# by Jacob Appelbaum <jacob at appelbaum.net>
+#
+Port 22
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no
+
+# General crypto config stuff goes here
+Ciphers aes256-ctr,blowfish-cbc
+MACs hmac-sha1
+
+# Groups we care about allow access
+AllowGroups cymru noc cams torproject
+
+# Lets not become a generic port bounce
+AllowTcpForwarding no
+
+# misc
+Compression yes
+
+EOF
+
+/etc/init.d/sshd restart
+
+touch /tmp/harden-centos

Added: projects/misc-sysadmin/prep-centos.sh
===================================================================
--- projects/misc-sysadmin/prep-centos.sh	                        (rev 0)
+++ projects/misc-sysadmin/prep-centos.sh	2009-09-06 23:56:11 UTC (rev 20490)
@@ -0,0 +1,48 @@
+#!/bin/bash -x
+#
+# prep-centos.sh by
+# Mike Perry <mikeperry at fscked.org>
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+
+HOSTNAME=`hostname`
+echo "Attempting to prep $HOSTNAME..."
+if [ -f /tmp/prepped ];
+then
+echo "Already prepped!"
+exit
+fi
+
+yum clean metadata
+yum clean all
+
+yum -y install yum-cron
+/sbin/chkconfig --level 3 yum-cron on
+/etc/init.d/yum-cron stop
+/etc/init.d/yum-cron start
+
+/sbin/chkconfig --level 3 acpid off
+/etc/init.d/acpid stop
+/sbin/chkconfig --level 3 haldaemon off
+/etc/init.d/haldaemon stop
+/sbin/chkconfig --level 3 postfix off
+/etc/init.d/postfix stop
+/sbin/chkconfig --level 3 messagebus off
+/etc/init.d/messagebus stop
+/sbin/chkconfig --level 3 ntpd off
+/etc/init.d/ntpd stop
+
+# Enable a daily ntp sync
+echo "/usr/sbin/ntpd -u ntp:ntp -g -q" > /etc/cron.daily/ntpd
+chmod 755 /etc/cron.daily/ntpd
+
+/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" >& /root/ssh-rsa1.out
+/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" >& /root/ssh-dsa.out
+/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" >& /root/rsa.out
+
+yum -y upgrade
+
+echo
+touch /tmp/prepped

More information about the tor-commits mailing list