DoD STIG Automation/Remediation


 
Old 07-06-2012

Curious if anyone has any working/in process STIG automations for Unix/Linux? I've gotten about 10% of them done so far and don't have HP-UX to add into the files, so was kind of hoping to find anyone else doing the same thing or similar. Not having any problems per se, I just can't imagine I'm the only one doing this for when they stop being drafts :]

Cheers and thanks!

Edit: Example of one that I've done, so it's clear what I'm doing.
Code:
#!/bin/sh
#######################################################################################################
#
# Package            : XCCDF Scripts
# description        :
# filename           : GEN001200.sh
# client_loc         : /usr/local/scripts/xccdf/gen/
# platform           : all
# owner              : root|root
# perms              : 0500
# host               : all
#
# Company            : XXXXXX
# Author             : XXXXXX
# Revision           : 1
#
#######################################################################################################

#######################################################################################################
#
# CHANGELOG
#
# Jun 13 2012   : First version
#
#######################################################################################################

#######################################################################################################
# XCCDF Definitions
#######################################################################################################
Group_ID='V-794'
Group_Title='GEN001200'
Rule_ID='SV-037205r1_rule'
Rule_Severity='CAT II'
Rule_Version='GEN001200'
Rule_Title='All system command files must have mode 0755 or less permissive.'
Rule_Fix_Text='Change the mode for system command files to 0755 or less permissive.'

#######################################################################################################
# Header Definitions/Initializations
#######################################################################################################
## Include generic header file.
## BASEDIR is the parent of this script's directory (client_loc above minus "gen/"):
## resolve a leading "." against $(pwd), collapse "/./", then drop the last two path components.
BASEDIR="$(echo "$0" | sed -e "s=^\.\(.*\)=$(pwd)\1=g" -e "s/\/\.\//\//g" -e 's/\/[^\/]*\/[^\/]*$//g')"
HeaderRC="${BASEDIR}/xccdfrc.sh"
FuncRC="${BASEDIR}/xccdffn.sh"

## The header files are expected to define CheckValues, ConvertPermOctal, CheckCmdStatus,
## the OS/OS_* detection variables and the SUCCESS/ERR_* exit codes used below.
if [ -z "${__HEADER_RC_DEF__}" ]; then
    ## RC file not defined, do so.
    . "${HeaderRC}"
    ## Rewrite the log functions to not go to a file.
    ## This would only need to be redefined when called alone, ergo no need for the logging to file.
    logmessage()    {   echo "${Rule_Version}: $@";     }
    logerror()      {   logmessage "Finding found!";    }
    logsuccess()    {   :;                              }
    logcmd() {
        logmessage "Running CMD: $@"
        eval "$@"
    }
else
    . "${FuncRC}"
fi

## Check all values are defined before actually running anything.
CheckValues

#######################################################################################################
# Begin testing.
#######################################################################################################
DIRS="/etc /bin /usr/bin /usr/lbin /usr/ucb /usr/usb /sbin /usr/sbin"

errfiles=""
logmessage "Checking all relevant dirs for permission violations."
for dir in ${DIRS}; do
    if [ -d "${dir}" ]; then
        ## Feed find's output to the loop through a here-document rather than a pipe:
        ## a piped "while" runs in a subshell, so anything appended to errfiles inside
        ## it would be lost when the loop ends and the check would never report a finding.
        while read file; do
            [ -n "${file}" ] || continue
            # Grab the filename so we can report properly.
            fn="$(echo $file | awk '{print $9}')"
            # Get the file permissions into octal (four digits, e.g. 4755) and separate it out.
            perm="$(ConvertPermOctal $file | awk '{print $1}')"
            # Keep the group and other digits only.
            relevantperm="$(echo $perm | sed 's/\(..\)\(..\)/\2/g')"
            # Quick way to find a violation: a group/other digit with the write bit set (2, 3, 6 or 7).
            chkperm="$(echo $relevantperm | sed 's/.*[2367].*$/yes/g')"
            if [ "${chkperm}" = "yes" ]; then
                logmessage "Investigate: (${perm}) ${fn}"
                # The ending space is important as we're going to delimiter off it in the fix.
                errfiles="${errfiles}${perm}:${fn} "
            fi
        done <<EOF
$(find "${dir}" -type f -exec ls -l {} \;)
EOF
    fi
done

if [ -n "${errfiles}" ]; then
    logerror
else
    logsuccess
    logmessage "Not a finding."
    exit ${SUCCESS}
fi

#######################################################################################################
# Fix open issue if appropriate
#######################################################################################################

if [ $# -eq 1 ]; then
    ## Only perform actions for applicable flag(s).
    case "$1" in
        -F)
            ## We'll process fixes here, case statement for continuity and error catching.
            logmessage "Performing fix in accordance with ${OS} specifications."
            case "${OS}" in
                "${OS_AIX}" | \
                "${OS_SUN}" | \
                "${OS_LNX}")
                    for i in ${errfiles}; do
                        # Each entry is "<4-digit mode>:<path>", e.g. 0775:/usr/bin/foo.
                        special="$(echo $i | cut -c1)"
                        owner="$(echo $i | cut -c2)"
                        group="$(echo $i | cut -c3)"
                        other="$(echo $i | cut -c4)"
                        file="$(echo $i | awk -F':' '{print $2}')"
                        # Clear only the write bit for group and other. The special digit
                        # (setuid/setgid/sticky) is kept, so the fix does not strip setuid
                        # from commands that need it.
                        perm="${special}${owner}$(echo ${group}${other} | sed -e 's/2/0/g' -e 's/3/1/g' -e 's/6/4/g' -e 's/7/5/g')"
                        logmessage "Resolving File: ${file}: NewPerm: ${perm}"
                        logcmd "chmod ${perm} ${file}"
                        CheckCmdStatus
                    done
                    ;;
                *)
                    logmessage "OS Detection Failure: Exiting with error."
                    exit ${ERR_OSDETECT}
                    ;;
            esac
            ;;
        *)
            logmessage "Passed parameter invalid."
            ;;
    esac
fi
exit ${SUCCESS}
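
The check above parses ls -l text and gathers findings inside a piped loop. As an added example (not code from the post or its XCCDF framework), here is the same GEN001200 check and -F style fix built on find(1)'s own mode tests and a symbolic chmod, run against constructed files in a scratch directory; the gen001200_* function names are made up for this example, and it assumes mktemp -d and a writable TMPDIR or /tmp.

```shell
#!/bin/sh
# Added example, not code from the post above: the GEN001200 check and fix done
# with find(1)'s own mode tests instead of parsing ls -l text. Nothing is lost
# in a pipeline subshell, filenames with spaces survive, and the fix uses a
# symbolic chmod so setuid/setgid bits are kept.

# Print each regular file under the given directories whose group or other
# write bit is set (the STIG's "more permissive than 0755" for those classes).
gen001200_check() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -020: group write bit set; -perm -002: other write bit set.
        find "$dir" -type f \( -perm -020 -o -perm -002 \) -print
    done
}

# Clear group/other write bits on every path read from stdin, one per line.
# 'chmod go-w' leaves owner, setuid, setgid and sticky bits alone, whereas a
# numeric 'chmod 755' would silently drop setuid from a command that needs it.
gen001200_fix() {
    while IFS= read -r f; do
        chmod go-w "$f" || return 1
    done
}

# STIG-style verdict: exit 0 for "not a finding", 1 for "finding".
gen001200_status() {
    [ -z "$(gen001200_check "$@")" ]
}

# Stand-alone demonstration on constructed files in a scratch directory
# (assumes mktemp -d and a writable TMPDIR or /tmp).
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/gen001200.XXXXXX") || return 1
    mkdir "$d/bin" "$d/sbin"
    : > "$d/bin/ok";        chmod 0755 "$d/bin/ok"         # compliant
    : > "$d/bin/ww";        chmod 0777 "$d/bin/ww"         # world-writable
    : > "$d/sbin/su";       chmod 4775 "$d/sbin/su"        # setuid and group-writable
    : > "$d/sbin/odd file"; chmod 0666 "$d/sbin/odd file"  # space in the name
    echo "GEN001200: findings before fix:"
    gen001200_check "$d/bin" "$d/sbin" | sed 's/^/  Investigate: /'
    gen001200_check "$d/bin" "$d/sbin" | gen001200_fix
    gen001200_status "$d/bin" "$d/sbin" && echo "GEN001200: Not a finding after fix."
    ls -l "$d/sbin/su"     # rwsrwxr-x became rwsr-xr-x: setuid kept, group write gone
    rm -rf "$d"
}

demo
```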
