Guide to the Secure Configuration of Red Hat Enterprise Linux 5

catalog, not a checklist, · ntpserver

gpgcheck=0
grep -R gpgcheck /etc/yum.repos.d/* /etc/yum.conf /root/rpmrc /usr/lib/rpm/redhat/rpmrc /usr/lib/rpm/rpmrc /etc/rpmrc 2>/dev/null | grep -v 'gpgcheck=1' | cut -d: -f1 | sort -u | while read YUM_FILE; do
	sed -i 's/gpgcheck=.*/gpgcheck=1/g' ${YUM_FILE}
done

# /usr/sbin/aide --init
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# /usr/sbin/aide --check
/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

05 4 * * * root /usr/sbin/aide --check
echo "/usr/sbin/aide --config=/etc/aide.conf --check" > /etc/cron.weekly/aide
chmod 700 /etc/cron.weekly/aide

# Generate a device file baseline
find / -type b -o -type c 2>/dev/null | sort  > /var/log/device-file-list
chmod 640 /var/log/device-file-list
chown root:root /var/log/device-file-list

# Generate a weekly cron job to check the device file baseline and report differences
cat > /etc/cron.weekly/baseline_checker.sh <<'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2>/dev/null | sort > /tmp/suid-file-list.tmp
find / -perm -2000 2>/dev/null | sort > /tmp/sgid-file-list.tmp
find / -type b -o -type c 2>/dev/null | sort  > /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp > /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp > /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp > /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh

# Generate a sgid file baseline
find / -perm -2000 -type f  2>/dev/null | sort > /var/log/sgid-file-list
chmod 640 /var/log/sgid-file-list
chown root:root /var/log/sgid-file-list

# Generate a weekly cron job to check the sgid file baseline and report differences
cat > /etc/cron.weekly/baseline_checker.sh <<'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2>/dev/null | sort > /tmp/suid-file-list.tmp
find / -perm -2000 2>/dev/null | sort > /tmp/sgid-file-list.tmp
find / -type b -o -type c 2>/dev/null | sort  > /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp > /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp > /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp > /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh

# Generate a suid file baseline
find / -perm -4000 -type f 2>/dev/null | sort > /var/log/suid-file-list
chmod 640 /var/log/suid-file-list
chown root:root /var/log/suid-file-list

# Generate a weekly cron job to check the suid file baseline and report differences
cat > /etc/cron.weekly/baseline_checker.sh <<'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2>/dev/null | sort > /tmp/suid-file-list.tmp
find / -perm -2000 2>/dev/null | sort > /tmp/sgid-file-list.tmp
find / -type b -o -type c 2>/dev/null | sort  > /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp > /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp > /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp > /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^>" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^>" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^<" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^<" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh

$ mount -t xfs | awk '{print $3}'
# find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
install usb-storage /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install usb-storage /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install usb-storage /bin/true" >> /etc/modprobe.conf
fi

kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
USB_KEYBOARD=$(grep 'Product=' /proc/bus/usb/devices 2>/dev/null| egrep -ic '(ps2 to usb adapter|keyboard|kvm|sc reader)')
if [ "${USB_KEYBOARD}" = "0" ]; then
	sed -i '/^[ |\t]*kernel/s/$/ nousb/' /boot/grub/grub.conf
# else
	# A USB keyboard was detected so this fix has been skipped.
fi

$ sudo chkconfig autofs off
#
# Disable autofs for all run levels
#
/sbin/chkconfig --level 0123456 autofs off

#
# Stop autofs if currently running
#
/sbin/service autofs stop 1>/dev/null

$ sudo chown root /etc/shadow 
chown root /etc/shadow
$ sudo chmod 0400 /etc/shadow
chmod 0400 /etc/shadow

setfacl --remove-all /etc/shadow
$ sudo chown root /etc/group 
chown root /etc/group

$ sudo chgrp root /etc/group 
chgrp root /etc/group

$ sudo chmod 644 /etc/group
chmod 0644 /etc/group

setfacl --remove-all /etc/group
$ sudo chown root /etc/gshadow 
chown root /etc/gshadow

$ sudo chgrp root /etc/gshadow 
chgrp root /etc/gshadow

$ sudo chmod 0400 /etc/gshadow
chmod 0400 /etc/gshadow

setfacl --remove-all /etc/gshadow
$ sudo chown root /etc/passwd 
chown root /etc/passwd

$ sudo chgrp root /etc/passwd 
chgrp root /etc/passwd

$ sudo chmod 0644 /etc/passwd
chmod 0644 /etc/passwd

setfacl --remove-all /etc/passwd
/lib
/lib64
/usr/lib
/usr/lib64

# chmod go-w FILE
find /lib /usr/lib -follow -perm -20 -o -perm -2 2>/dev/null | xargs chmod go-w

setfacl -RLb --remove-all /usr/lib/* /lib/*

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
# chmod go-w FILE
find /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin -follow -perm -20 -o -perm -2 2>/dev/null | xargs chmod go-w

setfacl -RLb /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin 2>/dev/null

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
# chown root FILE
find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \
/usr/libexec \
\! -user root -execdir chown root {} \;

/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
# chown root FILE
find /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin -follow -gid +499 2>/dev/null | xargs chown :root

$ sudo chown root /etc/aliases 
chown root /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2>/dev/null
$ sudo chgrp root /etc/aliases 
chown :root /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2>/dev/null
$ sudo chmod 0644 /etc/aliases
chmod 644 /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2>/dev/null
setfacl --remove-all /etc/aliases /etc/aliases.db /etc/postfix/aliases /etc/postfix/aliases.db 2>/dev/null
$ sudo chown root /etc/aliases 
grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chown root
$ sudo chgrp root /etc/aliases 
grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chown :root
$ sudo chmod 0755 /etc/aliases
grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chmod 755
grep / /etc/aliases | grep -v "#" | sed s/^[^\/]*// | xargs setfacl --remove-all
$ sudo chown root /dev/audio 
chown root /dev/audio* /dev/snd/*
$ sudo chgrp root /dev/audio 
chown :root /dev/audio* /dev/snd/*
if [[ "`uname -r`" = "2.6.9"* ]]; then
	sed -i 's/\(^audio\*:[a-z]*:\)[a-z]*:/\1sys:/' /etc/udev/permissions.d/50-udev.permissions
elif [[ "`uname -r`" = "2.6.18"* ]]; then
	sed -i '/^<console>  [0-9]* <sound>/s/<sound>.*/<sound>      0600 root.root/' /etc/security/console.perms.d/50-default.perms
fi

$ sudo chmod 0660 /dev/audio
chmod 660 /dev/audio* /dev/snd/*
sed -i '/[audio|snd]/s/MODE="[0-9]*"/MODE="660"/' /etc/udev/rules.d/50-udev.rules
setfacl --remove-all /dev/audio* /dev/snd/* 2>/dev/null
$ sudo chown root /var/log/audit/audit.log 
if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chown root
if [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chown root
fi

$ sudo chgrp root /var/log/audit/audit.log 
if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chown :root
if [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chown :root
fi

# chmod 0755 /var/log/audit/
# chmod 0640 audit_file
if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chmod 640
elif [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chmod 640
fi

if [ -e /etc/audit/auditd.conf ]; then
	grep "^log_file" /etc/audit/auditd.conf | sed s/^[^\/]*// | xargs setfacl --remove-all
elif [ -e /etc/auditd.conf ]; then
	grep "^log_file" /etc/auditd.conf | sed s/^[^\/]*// | xargs setfacl --remove-all
fi

$ sudo chown root /sbin/au* 
chown root /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd
$ sudo chgrp root /sbin/au* 
chown :root /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd
$ sudo chmod 0750 /sbin/au*
chmod 750 /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd
setfacl --remove-all /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd
$ sudo chown root /bin/traceroute 
chown root /bin/traceroute
$ sudo chgrp root /bin/traceroute 
chown :root /bin/traceroute
$ sudo chmod 0700 /bin/traceroute
chmod 700 /bin/traceroute

setfacl --remove-all /bin/traceroute
$ sudo chown root /var/crash 
grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | chown root
$ sudo chgrp root /var/crash 
grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | xargs chown :root
$ sudo chmod 0700 /var/crash
grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | xargs chmod 700
grep path /etc/kdump.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all
$ sudo chmod 0600 /var/log/cron
grep ^cron /etc/syslog.conf | awk '{ print $2 }' | xargs chmod 0600

grep cron /etc/syslog.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all
$ sudo chown root /var/spool/cron 
chown root /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2>/dev/null
$ sudo chgrp root /var/spool/cron 
chown :root /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2>/dev/null
$ sudo chmod 0755 /var/spool/cron
chmod 755 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2>/dev/null

setfacl --remove-all /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2>/dev/null
$ sudo chown root /etc/cron* 
chown root /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null
$ sudo chgrp root /etc/cron* 
chown :root /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null
$ sudo chmod 0600 /etc/cron*
chmod 600 /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null
find /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron  -type f 2>/dev/null | xargs setfacl --remove-all
$ sudo chmod 0700 /etc/cron*
chmod 0700 /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* 2>/dev/null
$ sudo chown root /etc/at.allow 
chown root /etc/at.allow
$ sudo chgrp root /etc/at.allow 
chown :root /etc/at.allow
$ sudo chmod 0600 /etc/at.allow
chmod 0600 /etc/at.allow

setfacl --remove-all /etc/at.allow
$ sudo chown root /etc/at.deny 
chown root /etc/at.deny
$ sudo chgrp root /etc/at.deny 
chown :root /etc/at.deny
$ sudo chmod 0600 /etc/at.deny
chmod 0600 /etc/at.deny

setfacl --remove-all /etc/at.deny
$ sudo chown root /etc/cron.allow 
chown root /etc/cron.allow
$ sudo chgrp root /etc/cron.allow 
chown :root /etc/cron.allow
$ sudo chmod 0600 /etc/cron.allow
chmod 0600 /etc/cron.allow

setfacl --remove-all /etc/cron.allow
$ sudo chown root /etc/cron.deny 
chown root /etc/cron.deny
$ sudo chgrp root /etc/cron.deny 
chown :root /etc/cron.deny
$ sudo chmod 0600 /etc/cron.deny
chmod 0600 /etc/cron.deny

setfacl --remove-all /etc/cron.deny
$ sudo chown root /etc/cups/printers.conf 
chown root /etc/cups/printers.conf
$ sudo chgrp root /etc/cups/printers.conf 
chown :root /etc/cups/printers.conf
$ sudo chmod 0644 /etc/cups/printers.conf
chmod 0644 /etc/cups/printers.conf

setfacl --remove-all /etc/cups/printers.conf
$ sudo chown root /etc/exports 
chown root /etc/exports
$ sudo chgrp root /etc/exports 
chown :root /etc/exports
$ sudo chmod 0644 /etc/exports
chmod 0644 /etc/exports

setfacl --remove-all /etc/exports
$ sudo chown root /etc/hosts 
chown root /etc/hosts
$ sudo chgrp root /etc/hosts 
chown :root /etc/hosts
$ sudo chmod 0644 /etc/hosts
chmod 0644 /etc/hosts

setfacl --remove-all /etc/hosts
$ sudo chown root /etc/ldap.conf 
chown root /etc/ldap.conf
$ sudo chgrp root /etc/ldap.conf 
chown :root /etc/ldap.conf
$ sudo chmod 0644 /etc/ldap.conf
chmod 0644 /etc/ldap.conf

setfacl --remove-all /etc/ldap.conf
$ sudo chmod 0600 /etc/news/infeed.conf
chmod 0600 /etc/news/infeed.conf

setfacl --remove-all /etc/news/infeed.conf
$ sudo chmod 0600 /etc/news/incoming.conf
chmod 0600 /etc/news/incoming.conf

setfacl --remove-all /etc/news/incoming.conf
setfacl --remove-all /etc/news/nnrp.access
$ sudo chmod 0600 /etc/news/passwd.nntp
chmod 0600 /etc/news/passwd.nntp

setfacl --remove-all /etc/news/passwd.nntp
$ sudo chown root /etc/nsswitch.conf 
chown root /etc/nsswitch.conf
$ sudo chgrp root /etc/nsswitch.conf 
chown :root /etc/nsswitch.conf
$ sudo chmod 0644 /etc/nsswitch.conf
chmod 0644 /etc/nsswitch.conf

setfacl --remove-all /etc/nsswitch.conf
$ sudo chown root /etc/ntp.conf 
chown root /etc/ntp.conf
$ sudo chgrp root /etc/ntp.conf 
chown :root /etc/ntp.conf
$ sudo chmod 0644 /etc/ntp.conf
chmod 0640 /etc/ntp.conf

setfacl --remove-all /etc/ntp.conf
$ sudo chown root /etc/resolv.conf 
chown root /etc/resolv.conf
$ sudo chgrp root /etc/resolv.conf 
chown :root /etc/resolv.conf
$ sudo chmod 0644 /etc/resolv.conf
chmod 0644 /etc/resolv.conf

setfacl --remove-all /etc/resolv.conf
$ sudo chown root /etc/samba/smb.conf 
chown root /etc/samba/smb.conf
$ sudo chgrp root /etc/samba/smb.conf 
chown :root /etc/samba/smb.conf
$ sudo chmod 0644 /etc/samba/smb.conf
chmod 0644 /etc/samba/smb.conf
setfacl --remove-all /etc/samba/smb.conf
$ sudo chown root /etc/samba/passdb.tdb 
chown root /etc/samba/passdb.tdb /etc/samba/secrets.tdb
$ sudo chgrp root /etc/samba/passdb.tdb 
chown :root /etc/samba/passdb.tdb /etc/samba/secrets.tdb
$ sudo chmod 0600 /etc/samba/passdb.tdb
chmod 0600 /etc/samba/passdb.tdb /etc/samba/secrets.tdb
setfacl --remove-all /etc/samba/passdb.tdb /etc/samba/secrets.tdb
$ sudo chown root /etc/securetty 
chown root /etc/securetty
$ sudo chgrp root /etc/securetty 
chown :root /etc/securetty
$ sudo chmod 0600 /etc/securetty
chmod 0600 /etc/securetty

$ sudo chown root /etc/access.conf 
chown root /etc/security/access.conf
$ sudo chgrp root /etc/access.conf 
chown :root /etc/security/access.conf
$ sudo chmod 0640 /etc/access.conf
chmod 0640 /etc/security/access.conf

setfacl --remove-all /etc/security/access.conf
$ sudo chown root /etc/services 
chown root /etc/services
$ sudo chgrp root /etc/services 
chown :root /etc/services
$ sudo chmod 0640 /etc/services
chmod 0644 /etc/services

setfacl --remove-all /etc/services
$ sudo chown root /etc/skel/* 
chown root /etc/skel/*
$ sudo chgrp root /etc/skel/* 
chown :root /etc/skel/*
$ sudo chmod 0640 /etc/skel/*
chmod 0644 /etc/skel/*
find /etc/skel 2>/dev/null | xargs setfacl --remove-all
$ sudo chown root /etc/sysctl.conf 
chown root /etc/sysctl.conf
$ sudo chgrp root /etc/sysctl.conf 
chown :root /etc/sysctl.conf
$ sudo chmod 0600 /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf

setfacl --remove-all /etc/sysctl.conf
$ sudo chown root /etc/syslog.conf 
chown root /etc/syslog.conf
$ sudo chgrp root /etc/syslog.conf 
chown :root /etc/syslog.conf
$ sudo chmod 0640 /etc/syslog.conf
chmod 0640 /etc/syslog.conf

setfacl --remove-all /etc/syslog.conf
$ sudo chown root /etc/xinetd.conf 
chown root /etc/xinetd.conf
$ sudo chgrp root /etc/xinetd.conf 
chown :root /etc/xinetd.conf
$ sudo chmod 0640 /etc/xinetd.conf
chmod 0640 /etc/xinetd.conf /etc/xinetd.d/*
setfacl --remove-all /etc/xinetd.conf
$ sudo chmod 0640 /etc/xinet.d/
chmod 0755 /etc/xinet.d/*
find /etc/xinetd.d -type f 2>/dev/null | xargs setfacl --remove-all
$ sudo chown root /etc/exports 
cat /etc/exports | awk '{ print $1 }' | xargs chown root
$ sudo chgrp root /etc/exports 
cat /etc/exports | awk '{ print $1 }' | xargs chown :root
$ sudo chown root /etc/ftpusers 
$ sudo chgrp root /etc/ftpusers 
$ sudo chmod 0640 /etc/ftpusers
chmod 0640 /etc/ftpusers /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers 2>/dev/null
setfacl --remove-all /etc/ftpusers /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers
$ sudo chown root /etc/profile 
$ sudo chgrp root /etc/profile 
$ sudo chmod 0644 /etc/profile
chmod -R 0644 /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d 2>/dev/null
setfacl --remove-all /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/*
echo mesg n | tee -a /etc/profile &>/dev/null

$ sudo chown root /home/* 
$ sudo chgrp root /home/* 
# ls -ld /home/USER
# chmod g-w /home/USER
# chmod o-rwx /home/USER
cut -d: -f6 /etc/passwd | sort -u | xargs setfacl --remove-all 2>/dev/null
$ sudo chown root /home/*/* 
$ sudo chgrp root /home/*/* 
$ sudo chmod 0750 /home/*/*
find /root /home/* -perm -1 -o -perm -2 -o -perm -4 -o -perm -20 2>/dev/null | xargs -I entry chmod o-rwx,g-w "entry"

find /home -type f 2>/dev/null | xargs setfacl --remove-all
$ sudo chown root tls_cacert 
grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root
$ sudo chgrp root tls_cacert 
grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root
$ sudo chmod 0640 tls_cacert
KEY_PATH="`grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }'`"
if [ -d "${KEY_PATH}" ]; then
	chmod 755 "${KEY_PATH}"
	chmod 644 "${KEY_PATH}"/*
elif [ -e "${KEY_PATH}" ]; then
	chmod 644 "${KEY_PATH}"
fi

grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all
$ sudo chown root tls_cert 
grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root
$ sudo chgrp root tls_cert 
grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root
$ sudo chmod 0640 tls_cert
grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chmod -R 644
grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all
$ sudo chown root tls_key 
grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root
$ sudo chgrp root tls_key 
grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root
$ sudo chmod 0600 tls_key
grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chmod -R 600	
grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all
$ sudo chown root ~/.bashrc 
$ sudo chgrp root ~/.bashrc 
$ sudo chmod 0740 ~/.bashrc
find /root /home -maxdepth 2 -type f \( -perm -o+r -o -perm -o+w  -o -perm -o+x -o -perm -g+w -o -perm -g+x \) -a \( -name \.bashrc -o -name \.bash_login -o -name \.bash_logout -o -name \.bash_profile -o -name \.cshrc -o -name \.kshrc -o -name \.login -o -name \.logout -o -name \.profile -o -name \.env -o -name \.dtprofile -o -name \.dispatch -o -name \.emacs -o -name \.exrc \) 2>/dev/null | xargs chmod o-rwx,g-wx

cut -d: -f6 /etc/passwd | sort -u | xargs -n1 -IDIR find DIR -maxdepth 1 -name .bashrc -o -name .bash_login -o -name .bash_logout -o -name .bash_profile -o -name .cshrc -o -name .kshrc -o -name .login -o -name .logout -o -name .profile -o -name .env -o -name .dtprofile -o -name .dispatch -o -name .emacs -o -name .exrc 2>/dev/null | xargs setfacl --remove-all
$ sudo chmod 0644 /usr/share/man
setfacl -RLb /usr/share/man/* /usr/share/info/* /usr/share/infopage/*

$ sudo chmod 0640 *.mib
find / -name *.mib 2>/dev/null | xargs setfacl --remove-all
$ sudo chmod 0700 /root
grep ^root: /etc/passwd | awk -F: ' { print $6 }' | xargs -I entry chmod g-rwx,o-rwx "entry"

setfacl -RLb /root/*

$ sudo chown root /etc/rc* 
$ sudo chgrp root /etc/rc* 
$ sudo chmod 0755 /etc/rc*
find /etc/rc* /etc/init.d -type f 2>/dev/null | xargs setfacl --remove-all
$ sudo chown root /etc/shells 
$ sudo chgrp root /etc/shells 
$ sudo chmod 0755 /etc/shells
cat /etc/shells | xargs setfacl --remove-all
$ sudo chown root /var/log/mail.log 
$ sudo chmod 0644 /var/log/mail.log
egrep "(\*.crit|mail\.[^n][^/]*)" /etc/syslog.conf | sed 's/^[^/]*//' | xargs setfacl --remove-all
$ sudo chown root snmpd.conf 
$ sudo chgrp root snmpd.conf 
$ sudo chmod 0644 snmpd.conf
find / -name snmpd.conf 2>/dev/null | xargs chmod ugo-x,go-wr
find / -name snmpd.conf 2>/dev/null | xargs setfacl --remove-all
$ sudo chmod 0600 /etc/ssh/*key
$ sudo chmod 0644 /etc/ssh/*key.pub
$ sudo chmod 0755 /etc/xinetd.d/tftp
$ sudo chmod 0000 /usr/bin/ldd
chmod a-x /usr/bin/ldd

$ sudo chmod 0755 /usr/sbin/
setfacl -RLb /usr/sbin/*

$ sudo chmod 0640 /var/log/*
find /var/log -follow -type f ! -name wtmp 2>/dev/null | xargs chmod o-rwx,g-wx,u-x

# The following corrects the permission mask set for /var/log/rpmpkgs.
if [ -e /etc/cron.daily/rpm ]; then
	sed -i '/rpmpkgs/s/0644/0640/' /etc/cron.daily/rpm
fi

setfacl -RLb /var/log/*

$ sudo chown root /var/spool/at/ 
$ sudo chgrp root /var/spool/at/ 
$ sudo chmod 0755 /var/spool/at/
setfacl --remove-all /var/spool/at
$ sudo chown root /var/yp/* 
$ sudo chgrp root /var/yp/* 
$ sudo chmod 0755 /var/yp/*
setfacl -RLb /var/yp/*

$ sudo chmod 0600 .Xauthority
cut -d: -f6 /etc/passwd | sort -u | xargs -n1 -IDIR find DIR -maxdepth 1 -name .Xauthority -o -name .xauth 2>/dev/null | xargs setfacl --remove-all
# chmod +t DIR
find / /home /var /var/log /var/log/audit -xdev -perm -2 ! -perm -1000 -type d 2>/dev/null | xargs chmod o-w

find / /var /home -xdev -follow -type f -perm -002 2>/dev/null | xargs chmod o-w

find / /home /var /var/log /var/log/audit -xdev -nouser 2>/dev/null | xargs chown root

find / /home /var /var/log /var/log/audit -xdev -nogroup 2>/dev/null | xargs chown :root

*     hard   core    0
echo "*     hard   core    0" >> /etc/security/limits.conf

$ sudo sysctl -w kernel.exec-shield=1
kernel.exec-shield = 1
$ sudo sysctl -w kernel.randomize_va_space=1
kernel.randomize_va_space = 1
if [[ "`uname -r`" != "2.6.9"* ]]; then
	/sbin/sysctl -q -n -w kernel.randomize_va_space=1
	if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
		sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 1/g' /etc/sysctl.conf
	else
		echo "" >> /etc/sysctl.conf
		echo "# Set kernel.randomize_va_space to 1 per security requirements" >> /etc/sysctl.conf
		echo "kernel.randomize_va_space = 1" >> /etc/sysctl.conf
	fi
fi

/sbin/sysctl -q -n -w kernel.exec-shield=1
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set kernel.exec-shield to 1 per security requirements" >> /etc/sysctl.conf
	echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
fi

$ sudo sysctl -w kernel.exec-shield=1
kernel.exec-shield = 1
/sbin/sysctl -q -n -w kernel.exec-shield=1
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set kernel.exec-shield to 1 per security requirements" >> /etc/sysctl.conf
	echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
fi

SELINUX=enforcing
SELINUXTYPE=targeted
selinux=0
enforcing=0
SELINUX=enforcing
SELINUXTYPE=targeted

var_selinux_policy_name="targeted"

if [ "`grep -c ^SELINUX= /etc/sysconfig/selinux`" = "0" ]; then
	echo SELINUX=enforcing >> /etc/sysconfig/selinux
else
	sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/sysconfig/selinux
fi

if [ "`grep -c ^SELINUX= /etc/selinux/config`" = "0" ]; then
	echo SELINUX=enforcing >> /etc/selinux/config
else
	sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
fi

if [ "`grep -c ^SELINUXTYPE= /etc/sysconfig/selinux`" = "0" ]; then
	echo SELINUXTYPE=${var_selinux_policy_name} >> /etc/sysconfig/selinux
else
	sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=${var_selinux_policy_name}/" /etc/sysconfig/selinux
fi

if [ "`grep -c ^SELINUXTYPE= /etc/selinux/config`" = "0" ]; then
	echo SELINUXTYPE=${var_selinux_policy_name} >> /etc/selinux/config
else
	sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=${var_selinux_policy_name}/" /etc/selinux/config
fi

/usr/bin/id shutdown &>/dev/null && /usr/sbin/userdel shutdown
/usr/bin/id halt &>/dev/null && /usr/sbin/userdel halt
/usr/bin/id reboot &>/dev/null && /usr/sbin/userdel reboot

/usr/bin/id ftp &>/dev/null && /usr/sbin/userdel ftp

/usr/bin/id games &>/dev/null && /usr/sbin/userdel games

/usr/bin/id gopher &>/dev/null && /usr/sbin/userdel gopher

/usr/bin/id news &>/dev/null && /usr/sbin/userdel news

vc/1
vc/2
vc/3
vc/4
echo tty1 > /etc/securetty

rm -rf `grep ^root: /etc/passwd | awk -F: '{ print $6 }'`/.mozilla
for UID0_USER in `cat /etc/passwd | cut -d: -f1,3 | grep :0$ | grep -v ^root: | cut -d: -f1`; do
	userdel -rf ${UID0_USER}
done

if [ "$(grep -c '#.*auth.*required.*pam_wheel.so' /etc/pam.d/su)" != "0" ]; then
	sed -i '/auth.*required.*pam_wheel.so/s/#//g' /etc/pam.d/su
else
	sed -i '/auth.*include/iauth\t\trequired\tpam_wheel.so use_uid' /etc/pam.d/su
fi

sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth

# chage -M 180 -m 7 -W 7 USER
PASS_MIN_DAYS DAYS

var_accounts_minimum_age_login_defs="1"

grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

USERACCT=$(egrep -v "^\+|^#" /etc/passwd | cut -d":" -f1)
for SYS_USER in ${USERACCT}; do
	if [ $(grep -c ${SYS_USER} /etc/shadow) != 0 ]; then
		passwd -n $var_accounts_minimum_age_login_defs ${SYS_USER} &>/dev/null
	fi
done

PASS_MAX_DAYS DAYS

var_accounts_maximum_age_login_defs="60"

grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

USERACCT=$(egrep -v "^\+|^#" /etc/passwd | cut -d":" -f1)
for SYS_USER in ${USERACCT}; do
	if [ $(grep -c ${SYS_USER} /etc/shadow) != 0 ]; then
		passwd -x $var_accounts_maximum_age_login_defs ${SYS_USER} &>/dev/null
	fi
done

# chage -I NUM_DAYS USER
INACTIVE=NUM_DAYS

var_account_disable_post_pw_expiration="35"

if [ $(cat /etc/default/useradd | grep -c "^INACTIVE=") != 0 ]; then
	sed -i "s/^INACTIVE=.*/INACTIVE=${var_account_disable_post_pw_expiration}/" /etc/default/useradd
else
	echo INACTIVE=${var_account_disable_post_pw_expiration} >>/etc/default/useradd
fi

password requisite pam_cracklib.so try_first_pass retry=3
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
authconfig --updateall
if [ -e /etc/pam.d/system-auth-ac ]; then
	sed -i '/password.*include.*system-auth-ac/ipassword    required     pam_cracklib.so' /etc/pam.d/system-auth
else
	sed -i '/password.*unix.so/ipassword    required     pam_cracklib.so' /etc/pam.d/system-auth
fi

PASS_MIN_LEN 14

var_password_pam_cracklib_minlen="14"

if [ $(grep -c "minlen=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/minlen=[0-9]*/minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "minlen=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/minlen=[0-9]*/minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_maxrepeat="3"

if [ $(grep -c "maxrepeat=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/maxrepeat=[0-9]*/maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "maxrepeat=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/maxrepeat=[0-9]*/maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_dcredit="1"

if [ $(grep -c "dcredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/dcredit=[0-9]*/dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "dcredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/dcredit=[0-9]*/dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_ucredit="1"

if [ $(grep -c "ucredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/ucredit=[0-9]*/ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "ucredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/ucredit=[0-9]*/ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_ocredit="1"

if [ $(grep -c "ocredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/ocredit=[0-9]*/ucredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ ocredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "ocredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/ocredit=[0-9]*/ucredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ ocredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_lcredit="1"

if [ $(grep -c "lcredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/lcredit=[0-9]*/lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "lcredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/lcredit=[0-9]*/lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth-ac
	fi
fi

var_password_pam_cracklib_difok="4"

if [ $(grep -c "difok=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/difok=[0-9]*/difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "difok=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/difok=[0-9]*/difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth-ac
	fi
fi

password sufficient pam_unix.so existing_options remember=24
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

var_accounts_password_pam_tally_deny="3"

if [ $(grep auth.*required.*pam_tally2 /etc/pam.d/system-auth | grep -c "deny=") != 0 ]; then
	sed -i "/account.*required.*pam_tally/s/deny=[0-9]*/deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
elif [ $(grep -c "auth.*required.*pam_tally2" /etc/pam.d/system-auth) = 0 ]; then
	if [ $(grep -c "pam_tally.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i "s/pam_tally.so/pam_tally2.so/g" /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*include.*system-auth-ac" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth\s*include\s*system-auth-ac\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*pam_unix.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth.*pam_unix.so\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*pam_deny.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth.*pam_deny.so\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	else
		sed -i ':a;N;$!ba;s/\([\n]*[#]*[\s]*account\)/\nauth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	fi
	sed -i "/auth.*pam_tally/s/$/ deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
else
	sed -i "/auth.*pam_tally/s/$/ deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
fi
if [ ! -e /var/log/tallylog ]; then
	>/var/log/tallylog
fi
chmod 640 /var/log/tallylog
chown root:root /var/log/tallylog

if [ $(grep -c ^FAIL_DELAY /etc/login.defs) != 0 ]; then
	sed -i 's/^FAIL_DELAY.*[0-9]*/FAIL_DELAY 4/' /etc/login.defs
else
	echo "FAIL_DELAY 4" | tee -a /etc/login.defs &>/dev/null
fi

if [ $(grep -c pam_faildelay.so /etc/pam.d/system-auth) != 0 ]; then
	if [ $(grep -c pam_faildelay.so.*delay\= /etc/pam.d/system-auth) != 0 ]; then
		sed -i '/pam_faildelay.so/s/\(delay=\)[0-9]*/\14000000/' /etc/pam.d/system-auth
	else
		sed -i '/pam_faildelay.so/s/$/ delay=4000000/' /etc/pam.d/system-auth
	fi
else
	sed -i '/auth.*include.*system-auth-ac/iauth        optional     pam_faildelay.so delay=4000000' /etc/pam.d/system-auth
fi

password    sufficient    pam_unix.so sha512 other arguments...
if [ $(grep "password.*pam_unix.so" /etc/pam.d/system-auth | egrep -c '(descrypt|bigcrypt|md5|sha256)') != 0 ]; then
	sed -i '/password.*pam_unix.so/s/\(descrypt\|bigcrypt\|md5\|sha256\)/sha512/' /etc/pam.d/system-auth
else
	sed -i '/password.*pam_unix.so/s/$/ sha512/' /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep "password.*pam_unix.so" /etc/pam.d/system-auth-ac | egrep -c '(descrypt|bigcrypt|md5|sha256)') != 0 ]; then
		sed -i '/password.*pam_unix.so/s/\(descrypt\|bigcrypt\|md5\|sha256\)/sha512/' /etc/pam.d/system-auth-ac
	else
		sed -i '/password.*pam_unix.so/s/$/ sha512/' /etc/pam.d/system-auth-ac
	fi
fi
auth include system-auth-ac
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
cat > /etc/pam.d/system-auth-local <<'STOP_HERE'
auth        include      system-auth-ac
account     include      system-auth-ac
password    include      system-auth-ac
session     include      system-auth-ac
STOP_HERE
ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth

# echo $PATH
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
LD_LIBRARY_PATH=:/lib
LD_LIBRARY_PATH=/lib:
LD_LIBRARY_PATH=/lib::/usr/lib
# ls -ld DIR
umask 077

var_accounts_user_umask="077"

egrep -li ^[[:blank:]]*umask `find /etc /root /home/* -maxdepth 1 -type f 2>/dev/null` | while read FILE; do
	sed -i "s/\([uU][mM][aA][sS][kK]\s*[=]*\s*\)[0-9]*/\1${var_accounts_user_umask}/" "${FILE}"
done

* hard maxlogins 10

max_concurrent_login_sessions_value="10"

if [ $(grep -v "#" /etc/security/limits.conf | grep -c "maxlogins") = "0" ]; then
	echo "* hard maxlogins ${max_concurrent_login_sessions_value}" >>/etc/security/limits.conf
else
	sed -i 's/.*maxlogins.*/* hard maxlogins ${max_concurrent_login_sessions_value}/' /etc/security/limits.conf
fi

$ sudo chown root /etc/grub.conf 
chown root /etc/grub.conf /boot/grub/grub.conf
$ sudo chgrp root /etc/grub.conf 
chown :root /etc/grub.conf
$ sudo chmod 600 /boot/grub/grub.conf
chmod 0600 /etc/grub.conf /boot/grub/grub.conf
setfacl --remove-all /etc/grub.conf /boot/grub/grub.conf
# /sbin/grub-md5-crypt
password --md5 password-hash
if [ -e /tmp/GRUB.TMP ]; then
	/sbin/grub-md5-crypt < /tmp/GRUB.TMP &> /tmp/GRUB.TMP.out
	md5crypt=`tail -n1 /tmp/GRUB.TMP.out`
	if [ -f /boot/grub/grub.conf ] && [ ! -h /boot/grub/grub.conf ]; then
		if [ "$(grep -c '^password' /boot/grub/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /boot/grub/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /boot/grub/grub.conf
		fi
	fi
	if [ -f /etc/grub.conf ] && [ ! -h /etc/grub.conf ]; then
		if [ "$(grep -c '^password' /etc/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /etc/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /etc/grub.conf
		fi
	fi
	rm -f /tmp/GRUB.TMP /tmp/GRUB.TMP.out
fi

# /sbin/grub-md5-crypt
password --md5 password-hash
if [ -e /tmp/GRUB.TMP ]; then
	/sbin/grub-md5-crypt < /tmp/GRUB.TMP &> /tmp/GRUB.TMP.out
	md5crypt=`tail -n1 /tmp/GRUB.TMP.out`
	if [ -f /boot/grub/grub.conf ] && [ ! -h /boot/grub/grub.conf ]; then
		if [ "$(grep -c '^password' /boot/grub/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /boot/grub/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /boot/grub/grub.conf
		fi
	fi
	if [ -f /etc/grub.conf ] && [ ! -h /etc/grub.conf ]; then
		if [ "$(grep -c '^password' /etc/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /etc/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /etc/grub.conf
		fi
	fi
	rm -f /tmp/GRUB.TMP /tmp/GRUB.TMP.out
fi

# gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /apps/gnome-screensaver/idle_delay 15
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15 &>/dev/null

# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true &>/dev/null

# gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true &>/dev/null

~:S:wait:/sbin/sulogin
grep -q :S: /etc/inittab && \
  sed -i "s/.*:S:.*/~:S:wait:\/sbin\/sulogin/g" /etc/inittab
if ! [ $? -eq 0 ]; then
    echo "~:S:wait:/sbin/sulogin" >> /etc/inittab
fi

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
sed -i 's/^.*:ctrlaltdel:.*\(shutdown\|reboot\).*/ca:nil:ctrlaltdel:\/usr\/bin\/logger -p security.info "Ctrl-Alt-Del was pressed"/' /etc/inittab

sudo -u gdm gconftool-2 \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true
sudo -u gdm gconftool-2 \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text \
  "Text of the warning banner here"

gui_login_banner_text="You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details."

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gdm/simple-greeter/banner_message_enable true &>/dev/null
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text "$(echo $gui_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;/\&/g' -e 's/\\//g' -e 's/ - /\n- /g')" &>/dev/null

system_login_banner_text="You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details."

echo $system_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;/\&/g' -e 's/\\//g' -e 's/ - /\n- /g' >/etc/issue

banner_file=/etc/issue

ftp_login_banner_text="You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details."

if [ -e /etc/xinetd.d/gssftp ]; then
	if [ "`egrep -c '^(\s|\t)banner' /etc/xinetd.d/gssftp`" = "0" ]; then
		sed -i "/^}$/i\\\tbanner\t\t= /etc/issue" /etc/xinetd.d/gssftp
	else
		GSSFTP_BANNER_FILE="`egrep '^(\s|\t)banner' /etc/xinetd.d/gssftp | awk '{ print $3 }'`"
		echo $ftp_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;/\&/g' -e 's/\\//g' -e 's/ - /\n- /g' >"${GSSFTP_BANNER_FILE}"
	fi
fi

if [ -e /etc/vsftpd/vsftpd.conf ]; then
	if [ "`egrep -c '^banner_file' /etc/vsftpd/vsftpd.conf`" = "0" ]; then
		echo "banner_file=/etc/issue" >> /etc/vsftpd/vsftpd.conf
	else
		VSFTPD_BANNER_FILE="`egrep '^banner_file' /etc/vsftpd/vsftpd.conf | awk -F= '{ print $2 }'`"
		echo $ftp_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;/\&/g' -e 's/\\//g' -e 's/ - /\n- /g' >"${VSFTPD_BANNER_FILE}"
	fi
fi

$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.send_redirects = 0
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

if grep --silent ^net.ipv4.conf.all.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward=0

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.ip_forward to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_source_route = 0
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.log_martians = 1
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians=1

if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.log_martians.*/net.ipv4.conf.default.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.log_martians to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.tcp_syncookies to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv4.max_syn_backlog=1280
net.ipv4.max_syn_backlog = 1280
#
# Set runtime for net.ipv4.tcp_max_syn_backlog
#
/sbin/sysctl -q -n -w net.ipv4.tcp_max_syn_backlog=1280

#
# If net.ipv4.tcp_max_syn_backlog present in /etc/sysctl.conf, change value to "1280"
#	else, add "net.ipv4.tcp_max_syn_backlog = 1280" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_max_syn_backlog /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_max_syn_backlog.*/net.ipv4.tcp_max_syn_backlog = 1280/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.tcp_max_syn_backlog to 1280 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.tcp_max_syn_backlog = 1280" >> /etc/sysctl.conf
fi

install net-pf-31 /bin/true
install bluetooth /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install bluetooth /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install bluetooth /bin/true" >> /etc/modprobe.conf
fi

options ipv6 disable=1
if [ -d /etc/modprobe.d/ ]; then
	echo "install ipv6 /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install ipv6 /bin/true" >> /etc/modprobe.conf
fi
chkconfig ip6tables off

NETWORKING_IPV6=no
if [ $(grep -c "^NETWORKING_IPV6" /etc/sysconfig/network) = 0 ]; then
	echo "NETWORKING_IPV6=no" | tee -a /etc/sysconfig/network &>/dev/null
else
	sed -i 's/NETWORKING_IPV6.*/NETWORKING_IPV6=no/' /etc/sysconfig/network
fi
chkconfig ip6tables off

IPV6_AUTOCONF=no
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects = 0
#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects=0
fi

#
# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
fi

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.forwarding = 0
$ sudo sysctl -w net.ipv6.conf.default.forwarding=0
net.ipv6.conf.default.forwarding = 0
#
# Set runtime for net.ipv6.conf.all.forwarding
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=0
fi

#
# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.all.forwarding = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.all.forwarding /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.all.forwarding to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.all.forwarding = 0" >> /etc/sysctl.conf
fi

#
# Set runtime for net.ipv6.conf.default.forwarding
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.default.forwarding=0
fi
#
# If net.ipv6.conf.default.forwarding present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.default.forwarding = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.forwarding /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.default.forwarding.*/net.ipv6.conf.default.forwarding = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.default.forwarding to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.forwarding = 0" >> /etc/sysctl.conf
fi

IPV6_DEFAULTGW=2001:0DB8::0001
# iptables -nL --line-numbers
# service iptables restart
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source       destination
1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source       destination
$ sudo chkconfig --level 2345 iptables on
#
# Enable iptables for all run levels
#
/sbin/chkconfig --level 0123456 iptables on

#
# Start iptables if not currently running
#
/sbin/service iptables start 1>/dev/null

-I INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-I INPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP
if [ "$(egrep -c '(--icmp-type 14|timestamp-reply) -j DROP')" = "0" ]; then
	/sbin/iptables -I INPUT -p ICMP --icmp-type timestamp-reply -j DROP
fi
if [ "$(egrep -c '(--icmp-type 13|timestamp-request) -j DROP')" = "0" ]; then
	/sbin/iptables -I INPUT -p ICMP --icmp-type timestamp-request -j DROP
fi
/sbin/iptables-save > /etc/sysconfig/iptables
if [ "$(grep -c 'icmp-type 13' /etc/sysconfig/iptables)" != "0" ]; then
	sed -i 's/icmp-type 13/icmp-type timestamp-request/' /etc/sysconfig/iptables
fi
if [ "$(grep -c 'icmp-type 14' /etc/sysconfig/iptables)" != "0" ]; then
	sed -i 's/icmp-type 14/icmp-type timestamp-reply/' /etc/sysconfig/iptables
fi

:INPUT DROP [0:0]
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables-save > /etc/sysconfig/iptables
-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP
if [ ! -e /etc/sysconfig/ip6tables ] || [ "$(grep -c ^ /etc/sysconfig/ip6tables)" -lt "5" ]; then
	echo -e "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT" | tee /etc/sysconfig/ip6tables &>/dev/null
	echo "-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP" | tee -a /etc/sysconfig/ip6tables &>/dev/null 
else
	echo "-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP" | tee -a /etc/sysconfig/ip6tables &>/dev/null 
fi

ALL: ALL
if [ ! -e /etc/hosts.allow ]; then
	>/etc/hosts.allow
	chmod 644 /etc/hosts.allow
	chown root:root /etc/hosts.allow
fi
if [ ! -e /etc/hosts.deny ]; then
	>/etc/hosts.deny
	chmod 644 /etc/hosts.deny
	chown root:root /etc/hosts.deny
fi
if [ ! -e /var/log/host.access ]; then
	>/var/log/host.access
	chmod 640 /var/log/host.access
	chown root:root /var/log/host.access
fi
if [ $(grep -c "ALL: ALL" /etc/hosts.deny) = 0 ]; then
	echo 'ALL: ALL: spawn /bin/echo Access denied on $(/bin/date) from %a for access to %d \(pid %p\)>>/var/log/host.access' | tee -a /etc/hosts.deny &>/dev/null
fi

# ip tun del tunnel
ip tunnel list | cut -d: -f1 | while read TUNNEL_INTERFACE; do ip tunnel del $TUNNEL_INTERFACE 2>/dev/null; done

# ip tun del tunnel
ip tunnel list | cut -d: -f1 | while read TUNNEL_INTERFACE; do ip tunnel del $TUNNEL_INTERFACE 2>/dev/null; done

# ps ax | grep -i miredo | grep -v grep | awk ' { print $1 }' | xargs kill
ps ax | grep -i miredo | grep -v grep | awk ' { print $1 }' | xargs kill

install dccp /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install dccp /bin/true" >> /etc/modprobe.d/disabled_modules.conf
	echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.d/disabled_modules.conf
	echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install dccp /bin/true" >> /etc/modprobe.conf
	echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf
	echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf
fi

install sctp /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install sctp /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install sctp /bin/true" >> /etc/modprobe.conf
fi

install rds /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install rds /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install rds /bin/true" >> /etc/modprobe.conf
fi

install tipc /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install tipc /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install tipc /bin/true" >> /etc/modprobe.conf
fi

install appletalk /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install appletalk /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install appletalk /bin/true" >> /etc/modprobe.conf
fi

install bridge /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install bridge /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install bridge /bin/true" >> /etc/modprobe.conf
fi

install ieee1394 /bin/true
if [ -d /etc/modprobe.d/ ]; then
	echo "install ieee1394 /bin/true" >> /etc/modprobe.d/disabled_modules.conf
else
	echo "install ieee1394 /bin/true" >> /etc/modprobe.conf
fi

*.* @loghost.example.com
*.* @@loghost.example.com
*.* :omrelp:loghost.example.com
$ModLoad imtcp.so
$InputTCPServerRun port
$ModLoad imudp.so
$InputUDPServerRun port
$ModLoad imrelp.so
$InputRELPServerRun port
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
  /var/log/boot.log /var/log/cron {
# rotate log files frequency
daily
type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

space_left_action = ACTION
if [ -e /etc/audit/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/audit/auditd.conf"
elif [ -e /etc/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/auditd.conf"
else
	exit
fi

if [ "$(grep -v "#" ${AUDITD_CONF_FILE} | grep -c space_left_action)" != "0" ]; then
	sed -i 's/space_left_action.*/space_left_action = syslog/' ${AUDITD_CONF_FILE}
else
	echo "space_left_action = syslog">>${AUDITD_CONF_FILE}
fi

disk_error_action = ACTION
disk_full_action = ACTION

var_auditd_disk_error_action="syslog"

if [ -e /etc/audit/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/audit/auditd.conf"
elif [ -e /etc/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/auditd.conf"
else
	exit
fi

grep -q ^disk_error_action ${AUDITD_CONF_FILE} && \
  sed -i "s/disk_error_action.*/disk_error_action = $var_auditd_disk_error_action/g" ${AUDITD_CONF_FILE}
if ! [ $? -eq 0 ]; then
    echo "disk_error_action = $var_auditd_disk_error_action" >> ${AUDITD_CONF_FILE}
fi
grep -q ^disk_full_action ${AUDITD_CONF_FILE} && \
  sed -i "s/disk_full_action.*/disk_full_action = $var_auditd_disk_error_action/g" ${AUDITD_CONF_FILE}
if ! [ $? -eq 0 ]; then
    echo "disk_full_action = $var_auditd_disk_error_action" >> ${AUDITD_CONF_FILE}
fi

# service auditd restart

grep -q ^active /etc/audisp/plugins.d/syslog.conf && \
  sed -i "s/active.*/active = yes/g" /etc/audisp/plugins.d/syslog.conf
if ! [ $? -eq 0 ]; then
    echo "active = yes" >> /etc/audisp/plugins.d/syslog.conf
fi

# service auditd restart
# audit_time_rules
-a exit,always -F arch=b32 -S adjtimex -k audit_time_rules
# audit_time_rules
-a exit,always -F arch=b64 -S adjtimex -k audit_time_rules
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S adjtimex '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S adjtimex ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S adjtimex ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

# audit_time_rules
-a exit,always -F arch=b32 -S settimeofday -k audit_time_rules
# audit_time_rules
-a exit,always -F arch=b64 -S settimeofday -k audit_time_rules
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S settimeofday '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S settimeofday ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S settimeofday ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

# audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S stime '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S stime ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
		# stime is not supported on 64-bit.
	fi
fi
service auditd restart 1>/dev/null

# time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
# time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chmod '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chmod ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chmod ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchmod '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchmod ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchmod ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchmodat '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchmodat ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchmodat ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchownat '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchownat ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchownat ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fremovexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fremovexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fremovexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fsetxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fsetxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fsetxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lchown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lchown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lchown ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lchown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lchown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lchown32 ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lremovexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lremovexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lremovexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lsetxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lsetxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lsetxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S removexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S removexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S removexattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S setxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S setxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S setxattr ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

# audit_account_creation
-w /usr/sbin/groupadd -p x -k audit_account_changes
-w /usr/sbin/useradd -p x -k audit_account_changes
-w /etc/group -p a -k audit_account_changes
-w /etc/passwd -p a -k audit_account_changes
-w /etc/gshadow -p a -k audit_account_changes
-w /etc/shadow -p a -k audit_account_changes

if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/useradd /usr/sbin/groupadd; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_creation" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
for FILE in /etc/group /etc/passwd /etc/gshadow /etc/shadow; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p a -k audit_account_creation" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wx]*a"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p a/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1>/dev/null

# audit_account_disabling
-w /usr/bin/passwd -p x -k audit_account_disabling

if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd"`" = "0" ]; then
	echo "-w /usr/bin/passwd -p x -k audit_account_changes" >>${AUDIT_RULES_FILE}
elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd -p [wa]*x"`" = "0" ]; then
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd -p "`" = "0" ]; then
		sed -i "s/\(-w \/usr\/bin\/passwd\)/\1 -p x/" ${AUDIT_RULES_FILE}
	else
		sed -i "s/\(-w \/usr\/bin\/passwd -p \)/\1x/" ${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

# audit_account_changes
-w /usr/sbin/groupmod -p x -k audit_account_changes
-w /usr/sbin/usermod -p x -k audit_account_changes
-w /etc/group -p w -k audit_account_changes
-w /etc/passwd -p w -k audit_account_changes
-w /etc/gshadow -p w -k audit_account_changes
-w /etc/shadow -p w -k audit_account_changes

if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/usermod /usr/sbin/groupmod; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_changes" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
for FILE in /etc/group /etc/passwd /etc/gshadow /etc/shadow; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p w -k audit_account_changes" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xa]*w"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p w/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1>/dev/null

# audit_account_termination
-w /usr/sbin/groupdel -p x -k audit_account_termination
-w /usr/sbin/userdel -p x -k audit_account_termination

if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/userdel /usr/sbin/groupdel; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_changes" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1>/dev/null

# audit_network_sethostname
-a exit,always -F arch=ARCH -S sethostname -k audit_network_modifications
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_hostname"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`uname -p`" != "x86_64" ]; then
	echo "-a exit,always -F arch=b32 -S sethostname ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
else
	echo "-a exit,always -F arch=b64 -S sethostname ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
fi
service auditd restart 1>/dev/null

# audit_network_setdomainname
-a exit,always -F arch=ARCH -S setdomainname -k audit_network_modifications
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_domainname"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`uname -p`" != "x86_64" ]; then
	echo "-a exit,always -F arch=b32 -S setdomainname ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
else
	echo "-a exit,always -F arch=b64 -S setdomainname ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
fi
service auditd restart 1>/dev/null

# audit_network_sethostname
-a exit,always -F arch=ARCH -S sched_setparam -k scheduler
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_scheduler_parameters"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

# check for realtime capabilities
if [ `lsmod | grep -ic jiffies` = 0 ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S sched_setparam ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S sched_setparam ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

# audit_network_sethostname
-a exit,always -F arch=ARCH -S sched_setscheduler -k scheduler
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_scheduler_setting"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

# check for realtime capabilities
if [ `lsmod | grep -ic jiffies` = 0 ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S sched_setscheduler ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S sched_setscheduler ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-w /var/log/faillog -p wa -k logins 
-w /var/log/lastlog -p wa -k logins
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi
for FILE in /var/log/faillog /var/log/lastlog; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p wa -k audit_login_events" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [x]*\(wa\|aw\)"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p wa/" ${AUDIT_RULES_FILE}
		else
			if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xa]*w"`" = "0" ]; then
				sed -i "s/\(-w ${SED_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
			fi
			if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xw]*a"`" = "0" ]; then
				sed -i "s/\(-w ${SED_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
			fi
		fi
	fi
done
service auditd restart 1>/dev/null

-w /etc/audit/audit.rules -p w -k audit_rules
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE}"`" = "0" ]; then
	echo "-w ${AUDIT_RULES_FILE} -p wa -k audit_rules_changes" >>${AUDIT_RULES_FILE}
elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [x]*\(wa\|aw\)"`" = "0" ]; then
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p "`" = "0" ]; then
		sed -i "s/\(-w ${AUDIT_RULES_FILE}\)/\1 -p wa/" ${AUDIT_RULES_FILE}
	else
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [xa]*w"`" = "0" ]; then
			sed -i "s/\(-w ${AUDIT_RULES_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
		fi
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [xw]*a"`" = "0" ]; then
			sed -i "s/\(-w ${AUDIT_RULES_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
		fi
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S creat -F success=0 -k access
-a exit,always -F arch=ARCH -S creat -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S creat -F exit=-EACCES -k access
if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S creat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S creat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S creat " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F success=0" >>/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F success=0" >>/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S ftruncate -F success=0 -k access
-a exit,always -F arch=ARCH -S ftruncate -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S ftruncate -F exit=-EACCES -k access
if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S ftruncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S ftruncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S ftruncate " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F success=0" >>/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F success=0" >>/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S open -F success=0 -k access
-a exit,always -F arch=ARCH -S open -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S open -F exit=-EACCES -k access
if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S open " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S open " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S open " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F success=0" >>/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F success=0" >>/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S openat -F success=0 -k access
-a exit,always -F arch=ARCH -S openat -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S openat -F exit=-EACCES -k access
if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S openat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S openat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S openat " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F success=0" >>/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F success=0" >>/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S truncate -F success=0 -k access
-a exit,always -F arch=ARCH -S truncate -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S truncate -F exit=-EACCES -k access
if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S truncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F exit=-EACCES -k access" >>/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S truncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F exit=-EPERM -k access" >>/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S truncate " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F success=0" >>/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F success=0" >>/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k delete"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S unlink '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S unlink ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S unlink ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-a exit,always -F arch=ARCH -S rmdir -k delete
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k delete"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S rmdir '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S rmdir ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S rmdir ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1>/dev/null

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a exit,always -F arch=ARCH -S init_module -S delete_module -k modules
if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k modules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S init_module '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S init_module ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S init_module ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S delete_module '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S delete_module ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S delete_module ${AUDIT_TAG}" >>${AUDIT_RULES_FILE}
	fi
fi

for FILE in /sbin/insmod /sbin/rmmod /sbin/modprobe; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k modules" >>${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1>/dev/null

$ sudo chkconfig --level 2345 auditd on
#
# Enable auditd for all run levels
#
/sbin/chkconfig --level 0123456 auditd on

#
# Start auditd if not currently running
#
/sbin/service auditd start 1>/dev/null

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
if [ $(grep -v '#' /boot/grub/grub.conf | grep kernel | grep -c audit=) = 0 ]; then
	sed -i '/^[ |\t]*kernel/s/$/ audit=1/' /boot/grub/grub.conf
else
	sed -i '/^[ |\t]*kernel/s/audit=./audit=1/' /boot/grub/grub.conf
fi

$ sudo chkconfig xinetd off
#
# Disable xinetd for all run levels
#
/sbin/chkconfig --level 0123456 xinetd off

#
# Stop xinetd if currently running
#
/sbin/service xinetd stop 1>/dev/null

$ sudo chkconfig telnet off
#
# Disable telnetd for all run levels
#
/sbin/chkconfig --level 0123456 telnetd off

#
# Stop telnetd if currently running
#
/sbin/service telnetd stop 1>/dev/null

# yum erase rsh-server
yum -y remove rsh-server --disablerepo=* 1>/dev/null

include remove_rsh-server

class remove_rsh-server {
  package { 'rsh-server':
    ensure => 'purged',
  }
}

package -remove=rsh-server

$ sudo chkconfig rexec off
#
# Disable rexec for all run levels
#
/sbin/chkconfig --level 0123456 rexec off

#
# Stop rexec if currently running
#
/sbin/service rexec stop 1>/dev/null

$ sudo chkconfig rsh off
#
# Disable rsh for all run levels
#
/sbin/chkconfig --level 0123456 rsh off

#
# Stop rsh if currently running
#
/sbin/service rsh stop 1>/dev/null

$ sudo chkconfig rlogin off
#
# Disable rlogin for all run levels
#
/sbin/chkconfig --level 0123456 rlogin off

#
# Stop rlogin if currently running
#
/sbin/service rlogin stop 1>/dev/null

# rm /etc/hosts.equiv
$ rm ~/.rhosts
find -type f -name .rhosts -exec rm -f '{}' \;
rm /etc/hosts.equiv

# sed -i '/.*rhosts_auth.*/d' /etc/pam.d/*
sed -i '/.*rhosts_auth.*/d' /etc/pam.d/*

$ sudo chkconfig ypbind off
#
# Disable ypbind for all run levels
#
/sbin/chkconfig --level 0123456 ypbind off

#
# Stop ypbind if currently running
#
/sbin/service ypbind stop 1>/dev/null

$ sudo chkconfig tftp off
#
# Disable tftp for all run levels
#
/sbin/chkconfig --level 0123456 tftp off

#
# Stop tftp if currently running
#
/sbin/service tftp stop 1>/dev/null

server_args = -s /var/lib/tftpboot
$ sudo chkconfig kdump off
$ sudo chkconfig yum-updatesd off
#
# Disable yum-updatesd for all run levels
#
/sbin/chkconfig --level 0123456 yum-updatesd off

#
# Stop yum-updatesd if currently running
#
/sbin/service yum-updatesd stop 1>/dev/null

# rm /etc/cron.deny
# ls -1l /etc/cron.allow
# ls -1l /etc/cron.deny
if [ ! -e [/etc/cron.allow ]; then
	> /etc/cron.allow
	chown root:root /etc/cron.allow
	chmod 0600 /etc/cron.allow
fi
if [ ! -e [/etc/cron.deny ]; then
	SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/cron.deny) = 0 ]; then
			echo ${USER} | tee -a /etc/cron.deny &>/dev/null
		fi
	done
	chown root:root /etc/cron.deny
	chmod 0600 /etc/cron.deny
fi

# cat /etc/passwd | awk -F: '{ print $1"|"$3 }' | grep -v "^root|" | while read ENTRY; do 
if [ $(echo $ENTRY | cut -d"|" -f2) -lt 500 ];then 
if [ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/cron.deny) = 0 ] || 
[ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/cron.allow) != 0 ]; then 
echo $ENTRY | cut -d"|" -f1; fi; fi; done
SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/cron.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/cron.deny &>/dev/null
	fi
done

# rm /etc/at.deny
# ls -1l /etc/at.allow
# ls -1l /etc/at.deny
if [ ! -e [/etc/at.allow ]; then
	> /etc/at.allow
	chown root:root /etc/at.allow
	chmod 0600 /etc/at.allow
fi
if [ ! -e [/etc/at.deny ]; then
	SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
			echo ${USER} | tee -a /etc/at.deny &>/dev/null
		fi
	done
	chown root:root /etc/at.deny
	chmod 0600 /etc/at.deny
fi

# cat /etc/passwd | awk -F: '{ print $1"|"$3 }' | grep -v "^root|" | while read ENTRY; do 
if [ $(echo $ENTRY | cut -d"|" -f2) -lt 500 ];then 
if [ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/at.deny) = 0 ] || 
[ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/at.allow) != 0 ]; then 
echo $ENTRY | cut -d"|" -f1; fi; fi; done
SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/at.deny &>/dev/null
	fi
done

# ls -1l /etc/at.deny
# cat /etc/at.deny
SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/at.deny &>/dev/null
	fi
done
sed -i '/^$/d' /etc/at.deny

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT
ListenAddress 10.10.2.1
MANAGEMENT_IP=$(/sbin/ifconfig | grep inet | grep -v 127.0.0.1 | cut -d: -f2 | awk '{ print $1}' | head -1)
if [ $(cat /etc/ssh/sshd_config | grep -ic "^ListenAddress") = "0" ]; then
	echo "ListenAddress ${MANAGEMENT_IP}" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i "s/^ListenAddress.*/ListenAddress ${MANAGEMENT_IP}/" /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
sshd:10.10.:spawn /bin/echo SSHD accessed on $(/bin/date) from %h>>/var/log/host.access
MANAGEMENT_IP=$(/sbin/ifconfig | grep inet | grep -v 127.0.0.1 | cut -d: -f2 | awk '{ print $1}' | head -1 | cut -d. -f1-2)
sed -i '/sshd/d' /etc/hosts.allow
echo "sshd: ${MANAGEMENT_IP}.: spawn /bin/echo SSHD accessed on \$(/bin/date) from %h>>/var/log/host.access" | tee -a /etc/hosts.allow &>/dev/null

Protocol 2
if [ $(cat /etc/ssh/sshd_config | grep -c "^Protocol") != "0" ]; then
	sed -i 's/^Protocol.*/Protocol 2/' /etc/ssh/sshd_config
else
	echo "Protocol 2">>/etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
PermitRootLogin no
grep -q ^PermitRootLogin /etc/ssh/sshd_config && \
  sed -i "s/PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
Banner /etc/issue
grep -q ^Banner /etc/ssh/sshd_config && \
  sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Banner /etc/issue" >> /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
grep -q ^Ciphers /etc/ssh/sshd_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
grep -q ^Ciphers /etc/ssh/sshd_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
fi
/sbin/service sshd restart 1>/dev/null
Macs hmac-sha1
if [ $(cat /etc/ssh/sshd_config | grep -c "^MACs") = "0" ]; then
	echo "MACs hmac-sha1" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^MACs.*/MACs hmac-sha1/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
GSSAPIAuthentication no
if [ $(cat /etc/ssh/sshd_config | grep -c "^GSSAPIAuthentication") = "0" ]; then
	echo "GSSAPIAuthentication no" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
PrintLastLog yes
if [ "$(grep -c '^session.*required.*pam_lastlog.so$' /etc/pam.d/sshd)" = "0" ]; then
	echo -e "session    required\tpam_lastlog.so" | tee -a /etc/pam.d/sshd &>/dev/null
elif [ "$(grep pam_lastlog /etc/pam.d/sshd | grep -c silent)" != "0" ]; then
	sed -i '/pam_lastlog/s/silent//' /etc/pam.d/sshd
fi
if [ $(cat /etc/ssh/sshd_config | grep -ic "^PrintLastLog") = "0" ]; then
	echo "PrintLastLog yes" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^PrintLastLog.*/PrintLastLog yes/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
AllowedUsers
AllowedGroups
echo "AllowGroups wheel" | tee -a /etc/ssh/sshd_config &>/dev/null
service sshd restart 1>/dev/null
KerberosAuthentication no
if [ $(cat /etc/ssh/sshd_config | grep -ic "^KerberosAuthentication") = "0" ]; then
	echo "KerberosAuthentication no" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^KerberosAuthentication.*/KerberosAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
StrictModes yes
if [ $(cat /etc/ssh/sshd_config | grep -c "^StrictModes") = "0" ]; then
	echo "StrictModes yes" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^StrictModes.*/StrictModes yes/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
UsePrivilegeSeparation yes
if [ $(cat /etc/ssh/sshd_config | grep -ic "^UsePrivilegeSeparation") = "0" ]; then
	echo "UsePrivilegeSeparation yes" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
RhostsRSAAuthentication no
if [ $(cat /etc/ssh/sshd_config | grep -ic "^RhostsRSAAuthentication") = "0" ]; then
	echo "RhostsRSAAuthentication no" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^RhostsRSAAuthentication.*/RhostsRSAAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
Compression no
Compression delayed
if [ $(cat /etc/ssh/sshd_config | grep -ic "^Compression") = "0" ]; then
	echo "Compression delayed" | tee -a /etc/ssh/sshd_config &>/dev/null
else
	sed -i 's/^Compression.*/Compression delayed/' /etc/ssh/sshd_config
fi
service sshd restart 1>/dev/null
Protocol 2
if [ $(cat /etc/ssh/ssh_config | grep -c "^Protocol") != "0" ]; then
	sed -i 's/^Protocol.*/Protocol 2/' /etc/ssh/ssh_config
else
	echo "Protocol 2">>/etc/ssh/ssh_config
fi

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
grep -q ^Ciphers /etc/ssh/ssh_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/ssh_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/ssh_config
fi

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
grep -q ^Ciphers /etc/ssh/ssh_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/ssh_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/ssh_config
fi

Macs hmac-sha1
if [ $(cat /etc/ssh/ssh_config | grep -c "^MACs") = "0" ]; then
	echo "MACs hmac-sha1" | tee -a /etc/ssh/ssh_config &>/dev/null
else
	sed -i 's/^MACs.*/MACs hmac-sha1/' /etc/ssh/ssh_config
fi

GSSAPIAuthentication no
if [ $(cat /etc/ssh/ssh_config | grep -c "^GSSAPIAuthentication") = "0" ]; then
	echo "GSSAPIAuthentication no" | tee -a /etc/ssh/ssh_config &>/dev/null
else
	sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/' /etc/ssh/ssh_config
fi

id:3:initdefault:
sed -i 's/.*:initdefault:.*/id:3:initdefault:/' /etc/inittab
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
sed -i 's/^BOOTPROTO=.*/BOOTPROTO="static"/' /etc/sysconfig/network-scripts/ifcfg-*
do-forward-updates false;
if [ -e /etc/dhclient.conf ]; then
	if [ $(grep -c "do-forward-updates false;" /etc/dhclient.conf) = 0 ]; then
		echo "do-forward-updates false;" | tee -a /etc/dhclient.conf &>/dev/null
	fi
else
	echo "do-forward-updates false;" | tee /etc/dhclient.conf &>/dev/null
fi

$ sudo chkconfig --level 2345 ntpd on
#
# Enable ntpd for all run levels
#
/sbin/chkconfig --level 0123456 ntpd on

#
# Start ntpd if not currently running
#
/sbin/service ntpd start 1>/dev/null

server ntpserver
server ntpserver
grep "mail\." /etc/syslog.conf
O LogLevel=9
# telnet localhost 25
# debug
500 error code of "command unrecognised"
550 error code of "access denied"
decode: |/usr/bin/uudecode
uudecode: |/usr/bin/uuencode -d
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
>/etc/mail/helpfile

O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
# telnet localhost 25
# wiz
500 error code of "command unrecognised"
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O SmtpGreetingMessage= Mail Server Ready ; $b
SENDMAIL_CONFIG=$(rpm -ql sendmail | grep sendmail.cf)
SENDMAIL_MAINCONF=$(rpm -ql sendmail | grep sendmail.mc)
if [ "$(rpm -q sendmail-cf &>/dev/null; echo $?)" = "0" ]; then
	if [ -e "${SENDMAIL_MAINCONF}" ]; then
		if [ "$(grep -c "^define(\`confSMTP_LOGIN_MSG" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "0,/^define/s/\(^define\)/define(\`confSMTP_LOGIN_MSG', \` Mail Server Ready ; $b')dnl\n\1/" "${SENDMAIL_MAINCONF}"
		elif [ "$(grep -c "^define(\`confSMTP_LOGIN_MSG', \` Mail Server Ready ; \$b')dnl" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "s/^define(\`confSMTP_LOGIN_MSG.*/define(\`confSMTP_LOGIN_MSG', \`Mail Server Ready ; \$b')dnl/" "${SENDMAIL_MAINCONF}"
		fi
		m4 "${SENDMAIL_MAINCONF}" > "${SENDMAIL_CONFIG}"
	fi
else
	sed -i 's/O SmtpGreetingMessage=.*/O SmtpGreetingMessage= Mail Server Ready ; $b/' "${SENDMAIL_CONFIG}"
fi
service sendmail restart 1>/dev/null

0 ForwardPath
# find / -name .forward
SENDMAIL_CONFIG=$(rpm -ql sendmail | grep sendmail.cf)
SENDMAIL_MAINCONF=$(rpm -ql sendmail | grep sendmail.mc)
if [ "$(rpm -q sendmail-cf &>/dev/null; echo $?)" = "0" ]; then
	if [ -e "${SENDMAIL_MAINCONF}" ]; then
		if [ "$(grep -c 'confFORWARD_PATH' "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "0,/^define/s/\(^define\)/define(\`confFORWARD_PATH',\`')dnl\n\1/" "${SENDMAIL_MAINCONF}"
		elif [ "$(grep -c "define(\`confFORWARD_PATH',\`')dnl" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "s/define(\`confFORWARD.*/define(\`confFORWARD_PATH',\`')dnl/" "${SENDMAIL_MAINCONF}"
		fi
		m4 "${SENDMAIL_MAINCONF}" > "${SENDMAIL_CONFIG}"
	fi
else
	sed -i 's/O ForwardPath.*/O ForwardPath/' "${SENDMAIL_CONFIG}"
fi
service sendmail restart 1>/dev/null
for FILE in $(find /etc -name .forward -type f 2>/dev/null); do
	rm -f ${FILE}
done

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
promiscuous_relay
inet_interfaces = localhost
smtpd_client_restrictions = reject
# rpm -q sendmail
8.13.8-8
# rpm -q postfix
2.3.3-6
ssl start_tls
if [ "$(cat /etc/ldap.conf | grep -c '^ssl ')" = "0" ]; then
	echo "ssl start_tls" | tee -a /etc/ldap.conf &>/dev/null
else
	sed -i 's/^ssl .*/ssl start_tls/' /etc/ldap.conf
fi
if [ "$(cat /etc/ldap.conf | grep -c '^tls_ciphers ')" = "0" ]; then
	echo "tls_ciphers TLSv1" | tee -a /etc/ldap.conf &>/dev/null
else
	sed -i 's/^tls_ciphers .*/tls_ciphers TLSv1/' /etc/ldap.conf
fi

tls_cert /etc/pki/tls/CA
tls_cert /etc/pki/tls/CA/cacert.pem
sed -i 's/ ldap//g' /etc/nsswitch.conf
tls_checkpeer yes
if [ $(cat /etc/ldap.conf | grep -c "^tls_checkpeer") = "0" ]; then
	echo "tls_checkpeer yes" | tee -a /etc/ldap.conf &>/dev/null
else
	sed -i 's/^tls_checkpeer.*/tls_checkpeer yes/' /etc/ldap.conf
fi

tls_crlcheck all
if [ $(cat /etc/ldap.conf | grep -c "^tls_crlcheck") = "0" ]; then
	echo "tls_crlcheck all" | tee -a /etc/ldap.conf &>/dev/null
else
	sed -i 's/^tls_crlcheck.*/tls_crlcheck all/' /etc/ldap.conf
fi

sed -i '/bindpw/d' /etc/ldap.conf
# yum erase portmap rpcbind
yum -y remove portmap rpcbind --disablerepo=* 1>/dev/null

$ sudo chkconfig rpcbind off
anonuid=-1
anongid=-1

$ sudo chkconfig vsftpd off
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
if [ -e /etc/xinetd.d/gssftp ]; then
	if [ "$(grep server_args /etc/xinetd.d/gssftp | grep -c " -l")" = "0" ]; then
		sed -i "/server_args/s/$/ -l/" /etc/xinetd.d/gssftp
	fi
fi
if [ -e /etc/vsftpd/vsftpd.conf ]; then
	if [ "$(grep -ic "^xferlog_enable=yes" /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		sed -i "s/xferlog_enable.*/xferlog_enable=yes/" /etc/xinetd.d/gssftp
	fi
fi

if [ "$(rpm -q krb5-workstation &>/dev/null; echo $?)" = "0" ]; then
	if [ "$(grep server_args /etc/xinetd.d/gssftp | grep -v "#" | grep -c "\-u 077")" = "0" ]; then
		sed -i '/server_args/s/$/ -u 077/' /etc/xinetd.d/gssftp
	fi
fi
if [ "$(rpm -q vsftpd &>/dev/null; echo $?)" = "0" ]; then
	if [ "$(grep -c local_umask /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		echo "local_umask=077" >> /etc/vsftpd/vsftpd.conf
	else
		sed -i '/local_umask/s/=.*/=077/' /etc/vsftpd/vsftpd.conf
	fi
	if [ "$(grep -c anon_umask /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		echo "anon_umask=077" >> /etc/vsftpd/vsftpd.conf
	else
		sed -i '/anon_umask/s/=.*/=077/' /etc/vsftpd/vsftpd.conf
	fi
fi

SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
if [ "$(rpm -q krb5-workstation &>/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/ftpusers ]; then
		>/etc/ftpusers
		chmod 0640 /etc/ftpusers
		chown root:root /etc/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/ftpusers &>/dev/null
		fi
	done
fi
if [ "$(rpm -q vsftpd &>/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/vsftpd/ftpusers ]; then
		>/etc/vsftpd/ftpusers
		chmod 0640 /etc/vsftpd/ftpusers
		chown root:root /etc/vsftpd/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/vsftpd/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/vsftpd/ftpusers &>/dev/null
		fi
	done
fi

SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
if [ "$(rpm -q krb5-workstation &>/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/ftpusers ]; then
		>/etc/ftpusers
		chmod 0640 /etc/ftpusers
		chown root:root /etc/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/ftpusers &>/dev/null
		fi
	done
fi
if [ "$(rpm -q vsftpd &>/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/vsftpd/ftpusers ]; then
		>/etc/vsftpd/ftpusers
		chmod 0640 /etc/vsftpd/ftpusers
		chown root:root /etc/vsftpd/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/vsftpd/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/vsftpd/ftpusers &>/dev/null
		fi
	done
fi

# yum erase samba samba3x
yum -y remove samba-common --disablerepo=* 1>/dev/null

sed -i 's/\(^\[global\]$\)/\1\n\n\thosts allow = 127./' /etc/samba/smb.conf
sed -i '/^[#|;]/!s/\([ |\t]*security =\).*/\1 user/' /etc/samba/smb.conf
if [ "$(grep -c '^[ |\t]*encrypt passwords' /etc/samba/smb.conf)" = "0" ]; then
	sed -i 's/\(^\[global\]$\)/\1\n\n\tencrypt passwords = yes/' /etc/samba/smb.conf
else
	sed -i '/^[#|;]/!s/\(encrypt passwords =\).*/\1 yes/g' /etc/samba/smb.conf
fi

sed -i '/^[#|;]/!s/\(guest ok =\).*/\1 no/g' /etc/samba/smb.conf
# service snmpd restart
find / -xdev -name snmpd.conf 2>/dev/null | xargs sed -i '/.*\(v1\|v2c\|community\|com2sec\).*/s/^/#/'

# service snmpd restart
# createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405
# service snmpd restart
# createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405
# service snmpd restart

Profile Title	Upstream STIG for Red Hat Enterprise Linux 5 Server
Profile ID	xccdf_org.ssgproject.content_profile_stig-rhel5-server-upstream

Guide to the Secure Configuration of Red Hat Enterprise Linux 5

Revision History

Platforms

Table of Contents

Checklist

System Settingsgroup

Installing and Maintaining Softwaregroup

Disk Partitioninggroup

Ensure /tmp Located On Separate Partitionrule

Ensure /var Located On Separate Partitionrule

Ensure /var/log/audit Located On Separate Partitionrule

Ensure /home Located On Separate Partitionrule

Updating Softwaregroup

Ensure gpgcheck Enabled For All Yum Package Repositoriesrule

Software Integrity Checkinggroup

Verify Integrity with AIDEgroup

Build and Test AIDE Databaserule

Configure Periodic Execution of AIDErule

Additional Security Softwaregroup

Install Intrusion Detection Softwarerule

Install Virus Scanning Softwarerule

Create a Baseline For Device Filesrule

Create a Baseline For SGID Filesrule

Create a Baseline For SUID Filesrule

File Permissions and Masksgroup

Restrict Partition Mount Optionsgroup

Add nodev Option to Removable Media Partitionsrule

Add nosuid Option to Removable Media Partitionsrule

Restrict Dynamic Mounting and Unmounting of Filesystemsgroup

Disable Modprobe Loading of USB Storage Driverrule

Disable Kernel Support for USB via Bootloader Configurationrule

Disable the Automounterrule

Verify Permissions on Important Files and Directoriesgroup

Verify Permissions on Files with Local Account Information and Credentialsgroup

Verify User Who Owns shadow Filerule

Verify Permissions on shadow Filerule

Verify Extended ACLs on shadow Filerule

Verify User Who Owns group Filerule

Verify Group Who Owns group Filerule

Verify Permissions on group Filerule

Verify Extended ACLs on group Filerule

Verify User Who Owns gshadow Filerule

Verify Group Who Owns gshadow Filerule

Verify Permissions on gshadow Filerule

Verify Extended ACLs on gshadow Filerule

Verify User Who Owns passwd Filerule

Verify Group Who Owns passwd Filerule

Verify Permissions on passwd Filerule

Verify Extended ACLs on passwd Filerule

Verify File Permissions Within Some Important Directoriesgroup

Verify that Shared Library Files Have Restrictive Permissionsrule

Verify Extended ACLs on Shared Library Filesrule

Verify that System Executables Have Restrictive Permissionsrule

Verify Extended ACLs on Shared Binary Filesrule

Verify that System Executables Have Root User Ownershiprule

Verify that System Executables Have Root Group Ownershiprule

Verify User Who Owns aliases Filerule

Verify Group Who Owns aliases Filerule

Verify Permissions on aliases Filerule

Verify Extended ACLs on Aliasesrule

Verify User Who Owns aliases Filerule

Verify Group Who Owns aliases Filerule

Verify Permissions on aliases Filerule

Verify Extended ACLs on Aliases Filesrule

Verify User Who Owns Audio Device Filesrule

Verify Group Who Owns Audio Device Filesrule

Verify Permissions on Audio Device Filesrule

Verify Extended ACLs on Audio Device Filesrule

Verify User Who Owns Audit Log Filesrule

Verify Group Who Owns Audit Log Filesrule

Verify Permissions on Audit Log Filesrule

Verify Extended ACLs on Audit Log Filesrule

Verify User Who Owns Audit Tool Filesrule

Verify Group Who Owns Audit Tool Filesrule

Verify Permissions on Audit Tool Filesrule

Verify Extended ACLs on Audit Tool Filesrule

Verify User Who Owns Tracerouterule

Verify Group Who Owns Tracerouterule

Verify Permissions on Tracerouterule

Verify Extended ACLs on Tracerouterule