Wednesday, April 4, 2012

A Quick and Dirty CIS-level Compliance Tool for Linux

This script was initially written to inspect a Redhat or SuSE Linux host for PCI compliance. It will run on most Linux variants. It checks basic PCI requirements (not everything) to see whether the operating system has been hardened or not. No host should be put on the network until it has been sufficiently hardened. This act of minimizing the host's footprint of potential vulnerabilities isn't THE security solution, but it's something we should ALL be doing, from your phone to the wireless router at home to your PC or laptop. Every operating system, appliance and application can be hardened. Think of it as going to battle with the ability to shrink the size of your target so it's less susceptible to attack. If modern life were a dodgeball game, having the ability to shrink your footprint on the gym floor would be a whole lot better than getting plastered in the face with the ball!

Want a copy of the script?  Email me.

Here's what the output looks like. Not every host will pass 100%, but it should be your goal to see that they do.

------------------------------------------------
Checking this host for Security Compliance...
------------------------------------------------
FAIL:    This system is NOT up to date with patches
FAIL:    ssh_config is NOT set to use Protocol 2
PASS:    sshd_config is configured appropriately
PASS:    sysstat is configured appropriately
PASS:    There are NO unnecessary services running
FAIL:    There is NO firewall running
FAIL:    TCP Wrappers is NOT configured
FAIL:    Umask should be set to 027 globally
PASS:    Sendmail is configured securely
PASS:    Sendmail is configured securely
PASS:    The GUI is OFF
FAIL:    Consider updating sysctl.conf with IPv4 settings
FAIL:    Syslog is NOT logging to AUTHPRIV facility
FAIL:    Consider adding root and other system user accounts to ftpusers and turn OFF FTP!
FAIL:    Consider adding nodev for all NON-root filesystems in fstab
FAIL:    Consider setting nosuid for all removable media in fstab
PASS:    Good, user mountable devices are disabled
           Searching for world writable directories. This may take a while to complete...
PASS:    This system as NO world-writable files
           Searching for SUID/SGID files. This may take a while to complete...
PASS:    This system has NO unnecessary SUID and/or SGID files
           Searching for unowned files. This may take a while to complete...
PASS:    This system has NO unowned files
PASS:    This system has NO rhosts_auth in pam.d files
FAIL:    Restrict cron and at to authorized users only
PASS:    System accounts are locked
PASS:    Found NO empty password(s) in /etc/shadow
FAIL:    Password aging is NOT configured appropriately
PASS:    This system is not using NIS for authentication files
PASS:    Found no reference to . in PATH variable
           Searching PATH for current working directories (.). This may take a while to complete...
PASS:    Searching and found NO reference to . in PATH variable
PASS:    Didn't find any .netrc file(s)
           Searching login files. This may take some time depending on the system...
PASS:    No loose umasks found in user profiles
PASS:    Permissions on home directories/subdirectories are set properly (700)
PASS:    Found only one UID 0 in /etc/passwd
FAIL:    Found permissions on /etc/passwd greater than 444
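The following is an added example, not the author's script: a handful of the checks in the output above (UID 0 accounts, empty shadow passwords, world-writable and SUID/SGID files, loose umasks, password aging, and the mode of /etc/passwd) written as POSIX shell functions. Each check takes the file or directory it inspects as an argument, so the same code can be run against the live system or against the small constructed fixture the script builds for itself. It assumes GNU coreutils (`stat -c`) and a find(1) that understands `-perm -NNNN`; the fixture contents, the 90-day aging limit and the "any SUID file is a finding" rule are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not the author's script): a few of the checks from the output
# above as POSIX shell functions. Every check takes the file or directory it
# inspects as an argument, so it can be pointed at the live system (/etc/passwd,
# /) or at the constructed fixture built by make_fixture below.
# Assumes GNU coreutils (stat -c) and a find(1) that accepts -perm -NNNN.

# PASS/FAIL line in the style of the output above.
# $1 = message, remaining args = a check command that exits 0 when compliant.
check() {
  msg=$1; shift
  if "$@"; then printf 'PASS:    %s\n' "$msg"; else printf 'FAIL:    %s\n' "$msg"; fi
}

# Number of UID 0 accounts in a passwd-format file; exactly one (root) is expected.
count_uid0()  { awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"; }
single_uid0() { [ "$(count_uid0 "$1")" -eq 1 ]; }

# Accounts whose password field is empty in a shadow-format file.
empty_passwords()    { awk -F: '$2 == "" { print $1 }' "$1"; }
no_empty_passwords() { [ -z "$(empty_passwords "$1")" ]; }

# World-writable files and directories below a root, ignoring symlinks (mode
# 777 by nature) and sticky-bit directories such as /tmp, which are world-
# writable by design.
world_writable() {
  find "$1" -xdev -perm -0002 ! -type l ! \( -type d -perm -1000 \) -print 2>/dev/null
}
no_world_writable() { [ -z "$(world_writable "$1")" ]; }

# Regular files carrying the SUID or SGID bit below a root. A real host has
# legitimate ones (passwd(1), for instance), so in practice the list is compared
# against a per-distribution baseline; for this example any hit is a finding.
suid_sgid()    { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null; }
no_suid_sgid() { [ -z "$(suid_sgid "$1")" ]; }

# Mode of a file is 444 or tighter: no write or execute bit set for anyone.
# The leading 0 makes the shell evaluate stat's output as octal.
mode_at_most_444() { [ $(( 0$(stat -c '%a' "$1") & 0333 )) -eq 0 ]; }

# umask lines in profile files whose value is looser than 027, i.e. that leave
# group-write or any "other" bit unmasked. Prints file:value for each offender.
loose_umasks() {
  for f in "$@"; do
    grep -Eo '^[[:space:]]*umask[[:space:]]+[0-7]+' "$f" 2>/dev/null | awk '{ print $2 }' |
      while read -r m; do
        [ $(( (0$m & 027) == 027 )) -eq 1 ] || echo "$f:$m"
      done
  done
}
no_loose_umasks() { [ -z "$(loose_umasks "$@")" ]; }

# PASS_MAX_DAYS in a login.defs-format file is set and no more than $2 days
# (default 90, an assumed limit).
pass_max_days_ok() {
  days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$1")
  [ "$days" -gt 0 ] && [ "$days" -le "${2:-90}" ]
}

# Constructed mini root that deliberately trips several checks; prints its path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/home/alice"
  printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n' \
    > "$root/etc/passwd"                                  # second UID 0 account
  printf 'root:$6$constructedhash:19000:0:99999:7:::\nalice::19000:0:99999:7:::\n' \
    > "$root/etc/shadow"                                  # alice has an empty password
  printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$root/etc/login.defs"   # no aging
  printf 'umask 022\n' > "$root/etc/profile"                                  # loose umask
  printf 'umask 077\n' > "$root/home/alice/.bashrc"                           # fine
  : > "$root/home/alice/notes.txt"; chmod 666  "$root/home/alice/notes.txt"   # world-writable
  : > "$root/home/alice/helper";    chmod 4755 "$root/home/alice/helper"      # SUID
  chmod 644 "$root/etc/passwd"                                                # > 444
  echo "$root"
}

run_checks() {   # $1 = root of the system (or fixture) to inspect
  r=$1
  check "Found only one UID 0 in $r/etc/passwd"              single_uid0 "$r/etc/passwd"
  check "Found NO empty password(s) in $r/etc/shadow"        no_empty_passwords "$r/etc/shadow"
  check "Password aging is configured (PASS_MAX_DAYS <= 90)" pass_max_days_ok "$r/etc/login.defs" 90
  check "No loose umasks found in profiles"                  no_loose_umasks "$r/etc/profile" "$r/home"/*/.bashrc
  check "This system has NO world-writable files"            no_world_writable "$r"
  check "This system has NO SUID and/or SGID files"          no_suid_sgid "$r"
  check "Permissions on $r/etc/passwd are 444 or tighter"    mode_at_most_444 "$r/etc/passwd"
}

FIXTURE=$(make_fixture)
run_checks "$FIXTURE"
rm -rf "$FIXTURE"
```

Run as `sh checks.sh` to see every check fail against the fixture except the UID 0 and umask ones that look at files it leaves in order; to audit the real host, call `run_checks /` (the `find` checks take a while, as the original output warns). Because each predicate only returns an exit status, the listing functions (`world_writable`, `suid_sgid`, `loose_umasks`, `empty_passwords`) are kept separate so the offending paths can be printed for remediation.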
