RHEL 6 Hardening with scripts -- editing Config files

Latest response

I created script to modify / edit config files, and make some necessary system configurations. The script throws errors like:

chown: 'cannot access /etc/grub.conf\r': no such file or directory

error: "invalid argument" setting key "net.ipv4.conf.all.send_redirects"

what is it I'm not doing right ?

#!/bin/bash
# Title:    RHEL 6 Hardening
# Author:   Oageng Escobar Baruti
# Date:     24/08/2015
#
# DESCRIPTION: MODIFY / CHANGE / UPDATE / CONFIGURE
#
# Configure File Systems
touch /etc/modprobe.d/modprobe.conf
echo "install cramfs /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install freevxfs /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install jffs2 /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install hfs /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install hfsplus /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install squashfs /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install udf /bin/true" >> /etc/modprobe.d/modprobe.conf
#
#
sed -i.`date +%d%m%Y_%H:%M.%S` 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf
#
# Configure SELinux
sed -i.`date +%d%m%Y_%H:%M.%S` '/selinux=0/d' /etc/grub.conf
sed -i.`date +%d%m%Y_%H:%M.%S` '/enforcing=0/d' /etc/grub.conf
sed -i.`date +%d%m%Y_%H:%M.%S` 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config
sed -i.`date +%d%m%Y_%H:%M.%S` 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
#
#
cp /etc/grub.conf /etc/grub.conf.`date +%d%m%Y_%H:%M.%S`
chown root:root /etc/grub.conf
chmod og-rwx /etc/grub.conf
#
#
sed -i.`date +%d%m%Y_%H:%M.%S` "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init
sed -i.`date +%d%m%Y_%H:%M.%S` 's/PROMPT=yes/PROMPT=no/g' /etc/sysconfig/init
cp /etc/sysconfig/init /etc/sysconfig/init.`date +%d%m%Y_%H:%M.%S`
echo "umask 027" >> /etc/sysconfig/init
#
#
cp /etc/security/limits.conf /etc/security/limits.conf.`date +%d%m%Y_%H:%M.%S` 
echo "* hard core 0" >> /etc/security/limits.conf
cp /etc/sysctl.conf /etc/sysctl.conf.`date +%d%m%Y_%H:%M.%S`
echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.secure_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.secure_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.accept_ra=0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=0
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
/sbin/sysctl -w net.ipv6.conf.default.accept_ra=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.default.accept_redirects=0
/sbin/sysctl -w net.ipv4.route.flush=1
/sbin/sysctl -w net.ipv6.route.flush=1
#
#
sed -i.`date +%d%m%Y_%H:%M.%S` 's/id:5:initdefault/id:3:initdefault/g' /etc/inittab
#
#
sed -i.`date +%d%m%Y_%H:%M.%S` 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g' /etc/sysconfig/network
sed -i.`date +%d%m%Y_%H:%M.%S` 's/IPV6INIT=yes/IPV6INIT=no/g' /etc/sysconfig/network
touch /etc/modprobe.d/ipv6.conf
echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf
#
#
touch /etc/hosts.allow
chmod 644 /etc/hosts.allow
touch /etc/hosts.deny
chmod 644 /etc/hosts.deny
#
#
# Disable Network Protocols
echo "install dccp /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install sctp /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install rds /bin/true" >> /etc/modprobe.d/modprobe.conf
echo "install tipc /bin/true" >> /etc/modprobe.d/modprobe.conf
#
#
# System Maintenance
/bin/chmod 644 /etc/passwd
/bin/chmod 000 /etc/shadow
/bin/chmod 000 /etc/gshadow
chmod 644 /etc/group
chown root:root /etc/passwd
/bin/chown root:root /etc/shadow
chown root:root /etc/gshadow
/bin/chown root:root /etc/group
usermod -g 0 root
useradd -D -f 35
#
#

Responses

This error message is very suspicious:

chown: 'cannot access /etc/grub.conf\r': no such file or directory

That "\r" is an extra character that shouldn't be there (carriage return, a.k.a. CTRL-M). Was the script file created or edited on a Windows system at some point, and perhaps saved with Windows-style line endings? (\r\n, [carriage return plus newline/linefeed] vs. Unix-standard \n only)

I'd really avoid the use of the sed -i method. That method breaks symlink-files like /etc/grub.conf. Before you use sed -i on any files, you'll want to use readlink to ensure that the file you're modifying is actually a real file and not a symlink.

Breaking some symlinks will cause real consternation down the road (e.g., the link from /etc/grub.conf to /boot/grub/grub.conf can cause reboot confusion after manual edits of one or audit issues after patch updates; similar for the link from /etc/sysconfig/selinux to /etc/selinux/config).

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.