RHEL 6 Hardening with scripts -- editing Config files
I created script to modify / edit config files, and make some necessary system configurations. The script throws errors like:
chown: 'cannot access /etc/grub.conf\r': no such file or directory
error: "invalid argument" setting key "net.ipv4.conf.all.send_redirects"
what is it I'm not doing right ?
#!/bin/bash # Title: RHEL 6 Hardening # Author: Oageng Escobar Baruti # Date: 24/08/2015 # # DESCRIPTION: MODIFY / CHANGE / UPDATE / CONFIGURE # # Configure File Systems touch /etc/modprobe.d/modprobe.conf echo "install cramfs /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install freevxfs /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install jffs2 /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install hfs /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install hfsplus /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install squashfs /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install udf /bin/true" >> /etc/modprobe.d/modprobe.conf # # sed -i.`date +%d%m%Y_%H:%M.%S` 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf # # Configure SELinux sed -i.`date +%d%m%Y_%H:%M.%S` '/selinux=0/d' /etc/grub.conf sed -i.`date +%d%m%Y_%H:%M.%S` '/enforcing=0/d' /etc/grub.conf sed -i.`date +%d%m%Y_%H:%M.%S` 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config sed -i.`date +%d%m%Y_%H:%M.%S` 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config # # cp /etc/grub.conf /etc/grub.conf.`date +%d%m%Y_%H:%M.%S` chown root:root /etc/grub.conf chmod og-rwx /etc/grub.conf # # sed -i.`date +%d%m%Y_%H:%M.%S` "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init sed -i.`date +%d%m%Y_%H:%M.%S` 's/PROMPT=yes/PROMPT=no/g' /etc/sysconfig/init cp /etc/sysconfig/init /etc/sysconfig/init.`date +%d%m%Y_%H:%M.%S` echo "umask 027" >> /etc/sysconfig/init # # cp /etc/security/limits.conf /etc/security/limits.conf.`date +%d%m%Y_%H:%M.%S` echo "* hard core 0" >> /etc/security/limits.conf cp /etc/sysctl.conf /etc/sysctl.conf.`date +%d%m%Y_%H:%M.%S` echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf echo "kernel.exec-shield = 1" >> /etc/sysctl.conf echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.secure_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.default.secure_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf echo "net.ipv6.conf.all.accept_ra=0" >> /etc/sysctl.conf echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0 /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 sysctl -w net.ipv6.conf.all.accept_redirects=0 sysctl -w net.ipv6.conf.default.accept_redirects=0 /sbin/sysctl -w net.ipv4.route.flush=1 /sbin/sysctl -w net.ipv6.route.flush=1 # # sed -i.`date +%d%m%Y_%H:%M.%S` 's/id:5:initdefault/id:3:initdefault/g' /etc/inittab # # sed -i.`date +%d%m%Y_%H:%M.%S` 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g' /etc/sysconfig/network sed -i.`date +%d%m%Y_%H:%M.%S` 's/IPV6INIT=yes/IPV6INIT=no/g' /etc/sysconfig/network touch /etc/modprobe.d/ipv6.conf echo "options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf # # touch /etc/hosts.allow chmod 644 /etc/hosts.allow touch /etc/hosts.deny chmod 644 /etc/hosts.deny # # # Disable Network Protocols echo "install dccp /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install sctp /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install rds /bin/true" >> /etc/modprobe.d/modprobe.conf echo "install tipc /bin/true" >> /etc/modprobe.d/modprobe.conf # # # System Maintenance /bin/chmod 644 /etc/passwd /bin/chmod 000 /etc/shadow /bin/chmod 000 /etc/gshadow chmod 644 /etc/group chown root:root /etc/passwd /bin/chown root:root /etc/shadow chown root:root /etc/gshadow /bin/chown root:root /etc/group usermod -g 0 root useradd -D -f 35 # #
Responses