[or-cvs] r20492: {projects} Commit more recent versions of scripts instead of old dirty (projects/misc-sysadmin)

mikeperry at seul.org mikeperry at seul.org
Mon Sep 7 03:09:50 UTC 2009


Author: mikeperry
Date: 2009-09-06 23:09:49 -0400 (Sun, 06 Sep 2009)
New Revision: 20492

Added:
   projects/misc-sysadmin/harden-centos.sh
Modified:
   projects/misc-sysadmin/add-base-packages.sh
   projects/misc-sysadmin/centos-inventory.sh
Log:

Commit more recent versions of scripts instead of old dirty lies.



Modified: projects/misc-sysadmin/add-base-packages.sh
===================================================================
--- projects/misc-sysadmin/add-base-packages.sh	2009-09-07 00:13:43 UTC (rev 20491)
+++ projects/misc-sysadmin/add-base-packages.sh	2009-09-07 03:09:49 UTC (rev 20492)
@@ -12,16 +12,17 @@
 exit
 fi
 
-PACKAGES=logwatch.noarch screen logcheck
+PACKAGES="logwatch.noarch screen logcheck"
 yum -y install $PACKAGES
 # Make a list of all packages that will be removed
-# XXX TODO
+yum list installed *.i?86 >& /root/system-notes/$HOSTNAME-ix86-rpms.txt
 
 # Remove all non x86_64 packages
 yum -y remove *.i?86
 # Ensure they don't come back...
-echo 'exclude = *.i?86' >> /etc/yum.conf
+grep -v ^exclude /etc/yum.conf > /etc/yum.conf.stripped
+mv /etc/yum.conf.stripped /etc/yum.conf
+echo 'exclude = *.i?86 kernel*' >> /etc/yum.conf
 # Mark the kernel so that it does not ever update (vmware for the win)
-# XXX TODO
 
 touch /tmp/add-base-packages
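Review bot: The glob `*.i?86` in the new `yum list installed *.i?86` line is unquoted, so if the script is run from a directory containing a matching filename the shell expands it and yum lists the wrong thing; the same applies to the existing `yum -y remove *.i?86` context line. Quote the pattern so yum receives it verbatim, `yum list installed '*.i?86' >& /root/system-notes/$HOSTNAME-ix86-rpms.txt`, and note that `>&` also sends yum's stderr into the inventory file. The `grep -v ... > /etc/yum.conf.stripped; mv` pair recreates /etc/yum.conf under the script's umask and, presumably, without the original file's ownership and SELinux label — consider `cp -p`/`sed -i` or a restorecon afterwards, to be confirmed on the target. Since `exclude = *.i?86 kernel*` also pins kernel security errata, a comment such as `# kernel* is excluded on purpose (vmware); kernel security updates must be applied by hand` would make that trade-off visible to whoever runs this later.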

Modified: projects/misc-sysadmin/centos-inventory.sh
===================================================================
--- projects/misc-sysadmin/centos-inventory.sh	2009-09-07 00:13:43 UTC (rev 20491)
+++ projects/misc-sysadmin/centos-inventory.sh	2009-09-07 03:09:49 UTC (rev 20492)
@@ -17,5 +17,8 @@
 yum list installed >> /root/system-notes/$HOSTNAME-centos-packages-installed.txt
 /sbin/ifconfig >> /root/system-notes/$HOSTNAME-network-information.txt
 uname -a >> /root/system-notes/$HOSTNAME-uname.txt
+find / -perm /4000 >& /root/system-notes/$HOSTNAME-suids.txt
+rpm -Va >& /root/system-notes/$HOSTNAME-rpm-verify.txt
 
+
 touch /tmp/centos-inventory
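Review bot: The new `find / -perm /4000` line records only setuid files and also descends into /proc, so setgid binaries are missing from the baseline and the listing is padded with transient proc entries. A fuller baseline is `find / -path /proc -prune -o -type f -perm /6000 -print >& /root/system-notes/$HOSTNAME-suids.txt`. Both this and the `rpm -Va` baseline live on the host they describe, so anyone who later gains root can edit them; copying /root/system-notes off-host after the run would keep the comparison trustworthy, though that is outside this script.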

Added: projects/misc-sysadmin/harden-centos.sh
===================================================================
--- projects/misc-sysadmin/harden-centos.sh	                        (rev 0)
+++ projects/misc-sysadmin/harden-centos.sh	2009-09-07 03:09:49 UTC (rev 20492)
@@ -0,0 +1,176 @@
+#!/bin/bash -x
+#
+# harden-centos.sh by
+# Jacob Appelbaum <jacob at appelbaum.net>
+#
+# This is released under the same license as Tor
+#
+# Basically this automates the stuff I like from:
+# http://wiki.centos.org/HowTos/OS_Protection
+#
+# It also automates a few other things from other systems
+#
+
+if [ -f /tmp/harden-centos ]; then
+	echo "Already hardened!";
+	exit
+fi
+
+# Force passwords to expire
+echo "Passwords expire every 180 days"
+perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
+echo "Passwords may only be changed once a day"
+perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
+
+# We don't need no stinkin' MD5
+authconfig --passalgo=sha512 --update
+
+# Add a secure umask
+perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
+perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
+
+# Configure a reasonable timeout for bash users
+echo "Idle users will be removed after 15 minutes"
+echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
+echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
+chmod +x /etc/profile.d/os-security.sh
+
+# Remove wireless modules
+for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $i >> /etc/modprobe.d/blacklist-wireless ; done
+
+# Harden all services with TCP wrappers; allow ssh connections by default
+echo "ALL:ALL" >> /etc/hosts.deny
+echo "sshd:ALL" >> /etc/hosts.allow
+
+# Configure some sane default sysctls
+cat << 'EOF' > /etc/sysctl.conf
+#
+# This is a custom and semi-hardened sysctl.conf
+# by Jacob Appelbaum <jacob at appelbaum.net>
+#
+kernel.core_uses_pid = 1
+kernel.msgmax = 65536
+kernel.msgmnb = 65536
+kernel.printk = 4 4 1 7
+kernel.shmall = 4294967296
+kernel.shmmax = 68719476736
+kernel.sysrq = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.forwarding=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.ip_forward = 0
+net.ipv4.ip_local_port_range = 16384 65536
+net.ipv4.tcp_max_syn_backlog = 1280
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 0
+net.ipv6.conf.default.forwarding=0
+EOF
+sysctl -p /etc/sysctl.conf
+echo
+
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config-default
+cat << 'EOF' > /etc/ssh/sshd_config
+# This is a hardened configuration for OpenSSH
+#
+# by Jacob Appelbaum <jacob at appelbaum.net>
+#
+Port 22
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no
+
+# General crypto config stuff goes here
+Ciphers aes256-ctr,blowfish-cbc
+MACs hmac-sha1
+
+# Groups we care about allow access
+AllowGroups # XXX: customize for each rollout
+
+# Lets not become a generic port bounce
+AllowTcpForwarding no
+
+# misc
+Compression yes
+
+EOF
+
+/etc/init.d/sshd restart
+
+touch /tmp/harden-centos
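Review bot: The `AllowGroups # XXX: customize for each rollout` line inside the quoted heredoc is written to sshd_config as-is and, as far as I can tell, sshd reads `#`, `XXX:` and the following words as group names rather than a comment; with no matching group, `PermitRootLogin no` and `PasswordAuthentication no`, the `/etc/init.d/sshd restart` that follows denies every login. Fail early instead of shipping the placeholder: add `: "${SSH_ALLOW_GROUPS:?set SSH_ALLOW_GROUPS to the groups allowed to ssh in}"` before the heredoc, drop the placeholder line, and after the heredoc append `printf 'AllowGroups %s\n' "$SSH_ALLOW_GROUPS" >> /etc/ssh/sshd_config`, followed by `/usr/sbin/sshd -t || exit 1` before the restart so a syntactically bad config never replaces a working one. The `Subsystem sftp /usr/lib/openssh/sftp-server` path is the Debian location; on CentOS the binary is normally under /usr/libexec/openssh — verify on the target, since a wrong path breaks sftp silently. The wireless loop writes `blacklist /lib/modules/.../foo.ko` with the full path, whereas modprobe's `blacklist` directive takes a module name, so `blacklist $(basename "$i" .ko)` is what was presumably intended.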


Property changes on: projects/misc-sysadmin/harden-centos.sh
___________________________________________________________________
Added: svn:executable
   + *


