#!/bin/ksh # File : cdot_chk_secu-baseline_setting.ksh # By : Maarten de Boer, 100427, 161005 (copy from chk_secu-baseline_setting.ksh) # Subject : Check security setting fro cDOT # set -x #(0.2) : Add M01 #(0.3),170523 : Mod M01, 0/0=100% #(0.4),170524 : Add M08 #(0.5),170530 : Add M03 non public IP & security login role config show, Add M07 #(0.6),170530 : Add M09 #(0.7),170601 : Mod. M08 & Add M14, M15 #(0.8),170601 : Add M16 & M07 #(0.9),170607 : Add --imi, check for clustername = hostname #(0.10),170609 : Mod's, Added CFG #(0.11),170621 : Mod's SDMGROUP, some checks PGM="`basename $0|cut -d\. -f1`" VER="0.11" TMP="/tmp/${PGM}.$$" WARN="/tmp/${PGM}.warn.$$" MAIL="" MAILFILE="${TMP}.mailfile" MAILTO="maarten.deboer@atos.net" HOSTNAME="`hostname|cut -d\. -f1`" CLUSTERS="${HOME}/etc/clusters" SSH="/usr/bin/ssh -n" DATI="`date +%Y-%m-%d_%H-%M`" ASC="/tmp/${PGM}_${DATI}_${HOSTNAME}.asc" SSH="/usr/bin/ssh -n" FILTER="[?]*" CFG="${HOME}/etc/${PGM}.cfg" LOG="${HOME}/log/${PGM}.log" MAXLOGSIZE=1024 # In K's IMI="" ###SDMMAIL="email@usd-prod.uk.atosorigin.com" ###SDMMAIL="prod-imi@gis.nl.ao-srv.com" #SDMMAIL="maarten.deboer@atos.net ESBIncident.it-solutions@atos.net" SDMMAIL="maarten.deboer@atos.net " SDMUSER="nl19471" SDMMSG="${TMP}.sdm" #SDMREPLYTO="maarten.deboer@atos.net" SDMREPLYTO="fsod@atos.net" SDMTYPE="Incident" SDMGROUP="NL.Storage.FSOD" #SDMGROUP="RO.Storage.FSOD" CSV="/tmp/${PGM}_${DATI}_${HOSTNAME}.csv" WARNCNT=0 # Warning count TTLCNT=0 # Total count TMPCSV="${TMP}.csv" CIFSWARN="/tmp/${PGM}.cifswarn.$$" EXCLUDES="${HOME}/etc/${PGM}.excludes" MAILPERCLUSTER="" # Needed for cDOT-CLI answers SELECT="nlnaf" # if not me (accourding to LOGNAME), then change some user related info #if [ "${LOGNAME}" != "nl19471" ]; then # MAILTO="fsod@atos.net" # SDMUSER="nldsm01" # SDMREPLYTO="fsod@atos.net" #fi # Functions SSHCMD() # 1: Filername 2:Command-string # When issue with connection to cluster, try the nodes (-01 & -02) # "There are no entries matching your query." => EC=255 # "no connection" is also EC=255 { TMPERR="/tmp/${PGM}.$$.err" /usr/bin/ssh -n ${1} "${2}" 2> ${TMPERR} EC=${?} # Check if "ssh: connect to host 10.192.109.202 port 22: Connection refused" If so (EC2=0), the 2nd grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-01 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-02 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-03 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-04 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-05 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-05 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo "`date` ${PGM} ERROR with communication to ${1}. Connection to -01 - -06 failed too."|tee -a ${LOG} fi # EC=0 & EC2=0 fi # -06 fi # -05 fi # -04 fi # -03 fi # -02 fi # -01 rm ${TMPERR} } CREATE_SDM_TICKET() # $1=Filer(CI), $2=SDMTYPE, $3=SDM-text { echo "@REQUESTTYPE: ${2}" > ${SDMMSG} echo "@REQUESTAREA: NL.Storage.StorageOnDemand" >> ${SDMMSG} echo "@SEVERITY: 4" >> ${SDMMSG} echo "@CI: ${1}" >> ${SDMMSG} echo "@ORGANISATION: AtosOrigin.Netherlands" >> ${SDMMSG} echo "@GROUP: ${SDMGROUP}" >> ${SDMMSG} echo "@REPLYTO: ${SDMREPLYTO}" >> ${SDMMSG} echo "@PROXYUSER: ${SDMUSER}" >> ${SDMMSG} cat ${3} >> ${SDMMSG} echo "[@${HOSTNAME}:${PGM} v${VER}]" >> ${SDMMSG} echo "@ENDOFSDMMESSAGE" >> ${SDMMSG} cat ${SDMMSG} | mailx -s "${SDMUSER}: WARNING; Security ${2} at ${1}." ${SDMMAIL} echo "`date` ${PGM}: Mailed to SDM-IMI (${SDMMAIL})"|tee -a ${LOG} } # Read CFG-file 1st. The options. So they can override the CFG VAR's if [ -f ${CFG} ]; then echo " Reading ${CFG} ..."|tee -a ${LOG} cat ${CFG}|grep -v ^#|while read LINE do echo ${LINE} ANSW=`echo ${LINE}|grep CLUSTERS|cut -d\= -f2` if [ "${ANSW}" != "" ]; then CLUSTERS="${ANSW}" fi ANSW=`echo ${LINE}|grep FILTER|cut -d\= -f2` if [ "${ANSW}" != "" ]; then FILTER="${ANSW}" fi ANSW=`echo ${LINE}|grep MAILTO|cut -d\= -f2` if [ "${ANSW}" != "" ]; then MAILTO="${ANSW}" fi ANSW=`echo ${LINE}|grep EXLUDES|cut -d\= -f2` if [ "${ANSW}" != "" ]; then EXLUDES="${ANSW}" fi done # cat fi # -f CFG USAGE() { echo "Usage: ${PGM} " echo " Version: ${VER}" echo " options :" echo " -e|--etc : Etc/filers-file (${CLUSTERS})" echo " -f : Filter filername (${FILTER})" echo " -h|--help : this Help" echo " -i|--imi : do send to sdm via IMI" echo " -m|--mail : do send Mail" echo " -V : show Version" echo " -x : set -x" echo " --mailto : change MAILTO address & do send mail (${MAILTO})" echo " --mpf : MailPerFiler (normaly all filers in 1 mail)" } ## MAIN # Check options if [ $# -eq 0 ]; then echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1 fi while [ $# -gt 0 ] do case $1 in -f) FILTER=$2; shift ;; -m | --mail) MAIL=1 ;; -e | --etc) CLUSTERS=$2; shift ;; --mailto) MAILTO=$2; MAIL=1; shift ;; --mpf) MAILPERCLUSTER=1;; -i | --imi) IMI=1;; -h | --help) USAGE; exit 1 ;; -V) echo "${PGM}: v${VER}"; exit 3 ;; -x) set -x ;; *) echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;; esac shift done echo "`date` ${PGM} (v$VER) started (LOGNAME=${LOGNAME})."|tee -a $LOG echo "ETC=${ETC}" echo "EXCLUDES=${EXCLUDES}" echo "FILTER=${FILTER}" echo "MAIL=${MAIL}" echo "MAILTO=${MAILTO}" echo "MAILPERCLUSTER=${MAILPERCLUSTER}" echo "IMI=${IMI}" echo "SDMMAIL=${SDMMAIL}" echo "SDMREPLYTO=${SDMREPLYTO}" echo "SDMUSER=${SDMUSER}" touch ${TMP} ${TMP}.excludes ${SDMMSG} ${WARN} ${TMPCSV} ${CIFSWARN} # Check & move LOG-file if longer then max. LOGSIZE=`du -ka $LOG | cut -f1` if [ $LOGSIZE -ge $MAXLOGSIZE ]; then mv $LOG $LOG.old touch $LOG fi if [ ! -f ${EXCLUDES} ]; then echo "`date` No ${EXCLUDES} found. So NO excludes will be made."|tee -a ${LOG} else # Remove # from .excludes-file echo "`date` ${EXCLUDES} found. Will be used."|tee -a ${LOG} cat ${EXCLUDES} |grep -v ^# >> ${TMP}.excludes fi # {EXCLUDES} # Create header for .csv-file echo -n "# Host;" >> ${TMPCSV} echo -n "M01 - Enable secure access ;" >> ${TMPCSV} echo -n "M02 - Disable insecure and unneeded protocols ;" >> ${TMPCSV} echo -n "M03 - Controlled access to FSOD management components ;" >> ${TMPCSV} echo -n "M04 - Password Security ;" >> ${TMPCSV} echo -n "M05 - Password hardening ;" >> ${TMPCSV} echo -n "M06 - Autologout ;" >> ${TMPCSV} echo -n "M07 - Logging ;" >> ${TMPCSV} echo -n "M08 - Network Time Protocol (NTP);" >> ${TMPCSV} echo -n "M09 - Secure Network configuration ;" >> ${TMPCSV} echo -n "M10 - Login banner ;" >> ${TMPCSV} echo -n "M11 - Role-Based Access Control ;" >> ${TMPCSV} echo -n "M12 - No group account ;" >> ${TMPCSV} echo -n "M13 - CIFS ;" >> ${TMPCSV} echo -n "M14 - NFS ;" >> ${TMPCSV} echo -n "M15 - iSCSI ;" >> ${TMPCSV} echo -n "M16 - Access of root volume ;" >> ${TMPCSV} echo "" >> ${TMPCSV} # Start Checking (loop) #for CLUSTER in `cat ${CLUSTERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"` cat "${CLUSTERS}"|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"|while read CLUSTER do # Check is hostname & Clustername are the same. Otherwise some check will fail. Because they have an extra `grep ${CLUSTER}` ANSW=`SSHCMD ${CLUSTER} "hostname"|grep ${CLUSTER}` if [ "${ANSW}" = "" ]; then echo " ERROR: Clustername (${CLUSTER}) and hostname are NOT the same. Exiting ..." |tee -a ${LOG} exit 4 fi echo "" | tee -a ${TMP} echo "* ${CLUSTER}" | tee -a ${TMP} echo "`date` ${PGM}: ${CLUSTER}."|tee -a $LOG echo -n "${CLUSTER};" >> ${TMPCSV} echo "+ M01 - Enable secure access" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # No applications like Telnet / Rsh should be available # Auth methode CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application telnet"|tee -a ${TMP}|grep telnet|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO telnet application allowed" >> ${TMP} echo "${CLUSTER}: NO telnet application allowed (security login show -fields application -application telnet) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application rsh"|tee -a ${TMP}|grep rsh|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO rsh application allowed" >> ${TMP} echo "${CLUSTER}: NO rsh application allowed (security login show -fields application -application rsh) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields authmethod -authmethod password"|grep password|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> NO password used" >> ${TMP} echo "${CLUSTER}: NO password used (security login show -fields authmethod -authmethod password) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields authmethod -authmethod publickey"|grep publickey|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> NO publickey used" >> ${TMP} echo "${CLUSTER}: NO publickey used (security login show -fields authmethod -authmethod publickey) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"|tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M02 - Disable insecure and unneeded protocols"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # Access on to the following "applications"; ssh, console, http, ontapi, service-processor. # SSH(v2) enabled # HTTP enabled # LDAP-SSL disabled CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application ssh"|grep ssh|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> SSH should be used" >> ${TMP} echo "${CLUSTER}: SSH should be used (security login show -fields application -application ssh) [M02]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application http"|grep http|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> HTTP should be used" >> ${TMP} echo "${CLUSTER}: HTTP should be used (security login show -fields application -application http) [M02]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"|tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M03 - Controlled access to FSOD management components"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Check if Telnet & RSH are not used # SNMP is enabled # Mgt IF should be a non public IP-address CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service telnet -fields service"|tee -a ${TMP}|grep telnet|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO telnet service allowed" >> ${TMP} echo "${CLUSTER}: NO telnet service allowed (system service firewall policy show -service telnet -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service rsh -fields service"|tee -a ${TMP}|grep rsh|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO rsh service allowed" >> ${TMP} echo "${CLUSTER}: NO rsh service allowed (system service firewall policy show -service rsh -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service snmp -fields service"|grep ${CLUSTER}|tee -a ${TMP}|wc -l` if [ ${CNT} -eq 0 ]; then echo "> snmp service is needed" >> ${TMP} echo "${CLUSTER}: snmp service is needed (system service firewall policy show -service snmp -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} IPADDR=`SSHCMD ${CLUSTER} "network interface show -role cluster-mgmt -field address"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|head -1|egrep '10|172.16|192.168'` if [ "${IPADDR}" = "" ]; then echo "> Should be a non public IP-address (10.x.y.z|172.16.x.y|192.168.x.y)" >> ${TMP} echo "${CLUSTER}: Should be a non public IP-address (10.x.y.z|172.16.x.y|192.168.x.y) (network interface show -role cluster-mgmt -field address) = ${IPADDR} [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M04 - Password Security" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # security.passwd.lockout.numtries=4294967294 # security.passwd.rules.enable=on # security.passwd.rules.everyone=on # security.passwd.rules.minimum=8 # security.passwd.rules.minimum.alphabetic=2 # security.passwd.rules.minimum.digit=1 # security.passwd.rules.minimum.symbol=1 # security.passwd.firstlogin.enable=on # security.passwd.rules.history=5 #::> security login role config show -role admin -fields max-failed-login-attempts = 4294967294 #::> security login role config show -role admin -fields passwd-minlength = 8 #::> security login role config show -role admin -fields passwd-min-digits = 1 #::> security login role config show -role admin -fields passwd-alphanum = enabled #::> security login role config show -role admin -fields passwd-min-special-chars = 1 #::> security login role config show -role admin -fields require-initial-passwd-update = enable #::> security login role config show -role admin -fields disallowed-reuse = 5 CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields max-failed-login-attempts "|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|wc -l` if [ ${CNT} -gt 4294967294 ]; then echo "> max-failed-login-attempts < 4294967294" >> ${TMP} echo "${CLUSTER}: max-failed-login-attempts < 4294967294 (security login role config show -role admin -fields max-failed-login-attempts) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-minlength"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|wc -l` if [ ${CNT} -ne 8 ]; then echo "> passwd-minlength <> 8" >> ${TMP} echo "${CLUSTER}: passwd-minlength <> 8 (security login role config show -role admin -fields passwd-minlength) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-min-digits"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|wc -l` if [ ${CNT} -ne 1 ]; then echo "> passwd-min-digits <> 1" >> ${TMP} echo "${CLUSTER}: passwd-min-digits <> 1 (security login role config show -role admin -fields passwd-min-digits) = ${CNT} [M04]" >> ${TMP} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-alphanum"|grep ${CLUSTER}|tee -a ${TMP}|grep enable|awk '{print $3}'|wc -l` if [ ${CNT} -ne 1 ]; then echo "> passwd-alphanum <> enabled" >> ${TMP} echo "${CLUSTER}: passwd-alphanum <> enabled (security login role config show -role admin -fields passwd-alphanum) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-min-special-chars"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|wc -l` if [ ${CNT} -ne 1 ]; then echo "> passwd-min-special-chars <> 1" >> ${TMP} echo "${CLUSTER}: passwd-min-special-chars <> 1 (security login role config show -role admin -fields passwd-min-special-chars) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields require-initial-passwd-update"|grep ${CLUSTER}|tee -a ${TMP}|grep enable|wc -l` if [ ${CNT} -ne 1 ]; then echo "> require-initial-passwd-update <> enabled" >> ${TMP} echo "${CLUSTER}: require-initial-passwd-update <> enabled (security login role config show -role admin -fields require-initial-passwd-update) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields disallowed-reuse"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|wc -l` if [ ${CNT} -ne 5 ]; then echo "> disallowed-reuse <> 5" >> ${TMP} echo "${CLUSTER}: disallowed-reuse <> 5 (security login role config show -role admin -fields disallowed-reuse) = ${CNT} [M04]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M05 - Password hardening" | tee -a ${TMP} echo " An Query-ticket request (via IMI) will be send to SDM." | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} echo "+ M06 - Autologout" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # CLI timeout of 60 minutes MIN=`SSHCMD ${CLUSTER} "system timeout show"|grep minutes|tee -a ${TMP}|cut -d\: -f2|cut -d' ' -f2` if [ ${MIN} -ne 60 ]; then echo "> Timeout should be 60 minutes" >> ${TMP} echo "${CLUSTER}: Timeout should be 60 minutes (system timeout show) = ${MIN} [M06]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M07 - Logging" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # At 9.1x the "set" requests are always recorded in /mroot/etc/log/mlog/audit.log (previous known as command-history.log) # So a check for the audit.log (1st) or command-history (2nd) will be sufficient. # $ ssh nlnaf106 'set diag; system node systemshell -node nlnaf106-01 -command ls -l /mroot/etc/log/mlog/audit.log'| grep audit.log # Get the node list 1st SSHCMD ${CLUSTER} "node show"|grep true|awk '{print $1}' | while read NODE REST do MODA=`date +%b' '%e` ANSW=`SSHCMD ${CLUSTER} "set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/audit.log"|grep "audit.log"|tee -a ${TMP}|grep "${MODA}"` echo "" >> ${TMP} if [ "${ANSW}" = "" ]; then # If no audit.log, then check for command-hostory.log ANSW2=`SSHCMD ${CLUSTER} "set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/command-history.log"|grep "command-history.log"|tee -a ${TMP}|grep "${MODA}"` echo "" >> ${TMP} if [ "${ANSW2}" = "" ]; then echo "> Not an audit.log or command-history.log from today at ${CLUSTER}/${NODE}" >> ${TMP} echo "${CLUSTER}: Not an audit.log or command-history.log from today at ${CLUSTER}/${NODE} (set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/command-history.log) [M07]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+1 done # NODE if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M08 - Network Time Protocol (NTP)" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # 3.8 Network Time Protocol (NTP) CNT=`SSHCMD ${CLUSTER} "cluster time-service ntp server show -instance"|grep 'NTP Server '|tee -a ${TMP}|wc -l` # Should have at least 2 servers. # Check is date is the same a server if [ ${CNT} -lt 2 ]; then echo "> Should have at least 2 NTP servers. " >> ${TMP} echo "${CLUSTER}: Should have at least 2 NTP servers. (cluster time-service ntp server show -instance) = ${CNT} [M08]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} YEAR=`date +%Y` # Thu Jun 01 07:25:28 2017 # date +%a' '%b' '%d' '%H:%M:%S' '%Y SDATE=`date +%a' '%b' '%d' '%H:%M:%S' '%Y` CDATE=`SSHCMD ${CLUSTER} "date -u"|grep ${YEAR}| head -1` echo " System-date=${SDATE}, Cluster-date=${CDATE}"|tee -a ${TMP} ANSW=`echo ${CDATE}|grep "${SDATE}"` if [ "${ANSW}" = "" ]; then # Not the same time. Check again SDATE=`date -u +%a' '%b' '%d' '%H:%M:%S' '%Y` CDATE=`SSHCMD ${CLUSTER} "date -u"|grep ${YEAR}| head -1` echo " 2nd System-date=${SDATE}, Cluster-date=${CDATE}"|tee -a ${TMP} ANSW2=`echo ${CDATE}|grep "${SDATE}"` if [ "${ANSW2}" = "" ]; then echo "> System-date & Cluster-date should be the same. " >> ${TMP} echo "${CLUSTER}: System-date (${SDATE}) & Cluster-date should be the same (${CDATE}) [M08]. " >> ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M09 - Secure Network configuration" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check PREFIX="nlnafs" for SVM in `SSHCMD ${CLUSTER} 'vserver show -field vserver -operational-state running'|grep ${PREFIX}|awk '{print $1}'|sort` do echo " - ${CLUSTER}/${SVM}:"|tee -a ${TMP} CUSTOMPART="`echo ${SVM}|sed -e 's/nlnafs//g'`" # Generate list of volumes which NOT belong to the SVM (vol.name = vfiler-name) SSHCMD ${CLUSTER} "vol show -vserver ${SVM} -state online -field volume"|grep ${SVM}|grep -v "${CUSTOMPART}_"|tee -a ${TMP}|awk '{print $2}'|while read VOLUME REST do echo "${VOLUME}" >> ${TMP} echo "${CLUSTER}/${SVM}: has wrong volume (vol show -vserver ${SVM} -state online -field volume) = ${VOLUME} [M09]" >> ${WARN} let WARNCNT=${WARNCNT}+1 done # QREE let TTLCNT=${TTLCNT}+1 done # SVM if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M10 - Login banner" | tee -a ${TMP} echo " The NetApp filer does not have a login banner" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} echo "+ M11 - Role-Based Access Control" | tee -a ${TMP} echo " RBAC is not checked from this script" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} echo "+ M12 - No group account" | tee -a ${TMP} echo " \"No group accounts\" is not checked from this script" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} echo "+ M13 - CIFS" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # It is preferable to have for all CIFS shares Authenticated Users on 'Full Control'. # On request of the customer it can be "everyone / Full Control" # Local admin (the user administrator on vfiler) need to be disabled. # This user is created when CIFS is setup. And need to be disabled. Otherwise this user can access CIFS-shares. echo " Check CIFS shares at vserver for 'everyone / Full Control'" | tee -a ${TMP} echo "${CLUSTER}: These vfilers do have CIFS-share with 'everyone / Full Control'" > ${CIFSWARN} echo "Which is not advisable accourding to NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M13 - CIFS" >> ${CIFSWARN} SSHCMD ${CLUSTER} 'vserver show -operational-state running -field vserver' |grep ${SELECT}|while read VSERVER REST do echo " - ${CLUSTER}/${VSERVER}:"|tee -a ${TMP}|tee -a ${CIFSWARN} # Check Shares SSHCMD ${CLUSTER} "vserver cifs share show -vserver ${VSERVER} -field share-name" |grep ${SELECT}|awk '{print $2}'| while read SHARE REST do echo " - ${CLUSTER}/${VSERVER}: ${SHARE} " let TTLCNT=${TTLCNT}+1 ANSW="`SSHCMD ${CLUSTER} \"vserver cifs share show -vserver ${VSERVER} -share-name ${SHARE} -field acl\" |grep ${SELECT}|grep everyone`" # if "everyone" (ANSW=not empty) then report if [ "${ANSW}" != "" ]; then EXCLUDE="`grep "${CLUSTER}/${VCLUSTER}:${SHARE}" ${TMP}.excludes`" ##echo "|${EXCLUDE}|" if [ "${EXCLUDE}" != "" ]; then echo " (${CLUSTER}/${VCLUSTER}:${SHARE}=Excluded & accepted."|tee -a ${TMP} else echo "> ${SHARE}=${ANSW}"|tee -a ${TMP}|tee -a ${CIFSWARN} echo "${CLUSTER}: ${SHARE}=${ANSW} (vserver cifs share show -vserver ${VSERVER} -field share-name) = not allowed. [M13]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi fi done # SHARE done # vserver if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} # Create a seperate SDM ticket for this filer when CIFS warnings has been found # When -u | --usd, send to SDM PER Filer (Filer=CI) if [ ${WARNCNT} -gt 0 ] && [ $IMI} ]; then CREATE_SDM_TICKET ${CLUSTER} "Incident" ${CIFSWARN} fi # [ -s ${WARNCNT} ] echo "+ M14 - NFS" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # ssh 'vserver nfs show -field mount-rootonly'|grep disabled # should be enabled # ssh 'vserver nfs show -field udp'| grep enabled # should be disabled # ssh 'vserver nfs show -field tcp'| grep disabled # should be enabled CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field mount-rootonly"|egrep 'disabled|enabled'|wc -l` CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field mount-rootonly"|grep disabled|tee -a ${TMP}|wc -l` if [ ${CNT} -gt 0 ]; then echo "> Mount-rootonly should be enabled" >> ${TMP} echo "${CLUSTER}: Mount-rootonly should be enabled (vserver nfs show -field mount-rootonly) = disabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNTALL} CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field udp"|egrep 'disabled|enabled'|wc -l` CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field udp"|grep enabled|tee -a ${TMP}|wc -l` if [ ${CNT} -gt 0 ]; then echo "> UDP should be disabled" >> ${TMP} echo "${CLUSTER}: UDP should be disabled (vserver nfs show -field udp) = enabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNTALL} CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field tcp"|egrep 'disabled|enabled'|wc -l` CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field tcp"|grep disabled|tee -a ${TMP}|wc -l` if [ ${CNT} -gt 0 ]; then echo "> TCP should be enabled" >> ${TMP} echo "${CLUSTER}: TCP should be enabled (vserver nfs show -field tcp) = disabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNTALL} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M15 - iSCSI"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # echo " Will check if iSCSI is running and if there iSCSI LUNs are configured. " | tee -a ${TMP} # ANSW="`${SSH} ${FILER} iscsi status| grep 'iSCSI service is running'`" # Check is iSCSI is running, then check LUNS. If iSCSI is Enabled & NO LUNS, this is NOT OK ANSW=`SSHCMD ${CLUSTER} "vserver iscsi show"|tee -a ${TMP}|grep 'This table is currently empty'` if [ "${ANSW}" = "" ]; then # iSCSI is running. # check LUNsA ANSW2=`SSHCMD ${CLUSTER} "lun show"|tee -a ${TMP}|grep 'This table is currently empty'` if [ "${ANSW}" = "" ]; then echo "No LUNs found (at all SVMs), with iSCSI enabled. iSCSI should be disabled."|tee -a ${TMP} echo "${CLUSTER}: No LUNs found (at all SVMs), with iSCSI enabled. iSCSI should be disabled. [M15]"|tee -a ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+1 if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo "+ M16 - Access of root volume" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check SSHCMD ${CLUSTER} "node show"|grep true|awk '{print $1}' > ${TMP}.2 ANSW=`SSHCMD ${CLUSTER} "vserver export-policy rule show"|tee -a ${TMP}|grep -f ${TMP}.2` if [ "${ANSW}" != "" ]; then echo "> NO exports allowed at nodes" >> ${TMP} echo "${CLUSTER}: NO exports allowed at nodes (vserver export-policy rule show) [M16]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+1 if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} # When -i | --imi, send to SDM (via IMI) PER Cluster (Cluster=CI) if [ ${IMI} ]; then if [ -s ${WARN} ]; then echo "" >> ${WARN} cp ${WARN} ${ASC} date | mailx -a ${ASC} -s ":${HOSTNAME}: Incident IMI message [${PGM} v${VER}]" ${MAILTO} CREATE_SDM_TICKET ${CLUSTER} "Incident" ${WARN} cp /dev/null ${WARN} fi # [ -s ${WARN} ] # Create SDM-query-tickets for "M05 - Password hardening" 4 times (every 3 month) a year # Must be AFTER the above SDM-ticket creating. Because ${WARN} is used to transport ticket Description MON="`date +%m`" if [ ${MON} = 01 ] || [ ${MON} = 04 ] || [ ${MON} = 07 ] || [ ${MON} = 10 ]; then echo "${CLUSTER}: Has the root / administrator password of the filer being changed?" >> ${WARN} echo "Accoording to the Atos Origin Password Policy, AOM-SEC-0001" >> ${WARN} echo "This request is made to fullfill NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M05 - Password hardening" >> ${WARN} CREATE_SDM_TICKET ${CLUSTER} "Query" ${WARN} if [ ${MAILPERCLUSTER} ]; then cp ${WARN} ${ASC} date|mailx -a ${ASC} -s "@${HOSTNAME}: ${CLUSTER} Check security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO} echo "`date` MailedPerFiler to ${MAILTO} "|tee -a ${LOG} fi # [ ${MAILPERCLUSTER} ] cp /dev/null ${WARN} fi # ${MON} fi # [ ${IMI} ] if [ ${MAILPERCLUSTER} ]; then cp ${WARN} ${ASC} date|mailx -a ${ASC} -s "@${HOSTNAME}: ${CLUSTER} Check security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO} echo "`date` MailedPerFiler to ${MAILTO} "|tee -a ${LOG} cp /dev/null ${WARN} fi # [ ${MAILPERCLUSTER} ] echo " " >> ${TMPCSV} done # for CLUSTER ## Create SDM-query-tickets for "M07 - Logging" #if [ ${IMI} ]; then # echo "${HOSTNAME}: Has the monthly backup of FSOD auditlogfiles run correctly (without errors)?" >> ${WARN} # echo "This request is made to fullfill NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M07 - Logging" >> ${WARN} #echo ${WARN} # CREATE_SDM_TICKET ${HOSTNAME} "Query" ${WARN} # cp /dev/null ${WARN} #fi # [ ${IMI} ] echo "#"|tee -a ${TMP} echo "# Output (${ASC}) from ${HOSTNAME} at `date +%Y-%m-%d_%H:%M:%S` of ${PGM} version ${VER}"|tee -a ${TMP} echo "# (etc)CLUSTERS=${CLUSTERS}, FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} MPF=${MAILPERCLUSTER} "|tee -a ${TMP} echo "# Ready at `date`"|tee -a ${TMP} # save the "output"(tmp) file to .out cp ${TMP} /tmp/${PGM}.out # Mail the info if [ ${MAIL} ]; then cp ${TMP} ${ASC} date|mailx -a ${ASC} -s "@${HOSTNAME}: Check cDOT security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO} cp ${TMPCSV} ${CSV} date|mailx -a ${CSV} -s "@${HOSTNAME}: Check cDOT security baseline output sheet (.CSV) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO} echo "`date` ${PGM}: Mailed (.ASC & .CSV) to ${MAILTO}."|tee -a ${LOG} fi # if [ ${MAIL} ] cp ${TMP} /tmp/${PGM}.asc cp ${TMPCSV} /tmp/${PGM}.csv # Cleanup rm ${TMP} ${TMP}.* echo "`date` ${PGM} (v$VER) finished."|tee -a $LOG exit 0